Schnorr signatures

Schnorr signatures are digital signatures that provide similar security to the ECDSA scheme used since Bitcoin’s original implementation and which can use Bitcoin’s same elliptic curve parameters, but which can provide other benefits.

Schnorr is secure under the same cryptographic assumptions as ECDSA and it is easier and faster to create secure multiparty signatures using schnorr with protocols such as MuSig. A new signature type also provides an opportunity to change the signature serialization format from BER/DER to something that’s more compact and simpler to implement.

Primary code and documentation

• BIP340

Optech newsletter and website mentions

2024

• Explanation for why BIP340 uses secp256k1 instead of a different curve

2023

• BIPs #1446 makes a small change and a number of additions to the BIP340 specification

2022

• BDK #718 begins verifying schnorr signatures immediately after the wallet creates them
• LND #6722 adds support for signing arbitrary messages with schnorr signatures
• Why isn’t OP_CHECKMULTISIG compatible with batch verification of schnorr signatures?

2021

• Libsecp256k1 #844 updates schnorr API to allow signing arbitrary length messages
• Rust Bitcoin #589 starts implementing support for taproot and schnorr signatures
• Comparison of SSS to OP_CHECKMULTISIG to schnorr multisignatures

2020

• 2020 year in review: Taproot, tapscript, and schnorr signatures
• Bitcoin Core #19953 merged with consensus implementation of BIP340
• Libsecp256k1 #558 implements schnorr signature verification and signing
• BIPs #982 updates BIP340 to consistently use evenness tiebreaker
• Proposal to update BIP340 schnorr signatures to use evenness tiebreaker
• Presentations and discussions about schnorr signatures
• RFC6979 nonce generation versus BIP340’s recommended procedure
• BIP340 schnorr updated with alternative tiebreaker & nonce recommendation
• Mitigating differential power analysis in schnorr signatures
• Implementing statechains without schnorr signatures
• Proposed update to schnorr key selection and signature generation
• BIP340 schnorr signature recommendations updated for improved security
• Discussion about taproot versus other schnorr-enabling proposals
• Safety of precomputed public keys used with schnorr signatures
• BIP340 alternative x-only pubkey tiebreaker and tagged hash

2019

• Blog post about x-only pubkeys for use in schnorr signature schemes
• Bitcoin Optech schnorr/taproot workshop
• Announcement of structured taproot review (including schnorr)
• Update on changes to schnorr, taproot, and tapscript
• Talk summary: the quest for practical threshold Schnorr signatures
• Proposed change to schnorr pubkeys
• Executive briefing: the next soft fork

2018

• Continued bip-schnorr discussion
• Proposed schnorr BIP

See also

• Will a schnorr soft fork introduce a new address format?
• Taproot

• Scriptless multisignatures

  
  

Previous Topic:
Responsible disclosures

Next Topic:
Segregated witness

Edit page
Report Issue