One Step Closer to Schnorr Signatures

Matt ฿, published in ChainRift Research, Feb 20, 2019 (3 min read)

Get into a conversation about Bitcoin improvements, and before long, someone will inevitably bring up Schnorr signatures, the Holy Grail of Bitcoin upgrades poised to solve two major threats to Bitcoin’s longevity: privacy and scalability.

From the very beginning, Bitcoin has used ECDSA signatures for creating keys and verifying transactions. The alternative (and more efficient) Schnorr signature scheme existed at the time Satoshi was working on the project, but it was patented up until 2008 and therefore was not standardised across the board. As Pieter Wuille points out, DSA was specifically designed to circumvent Schnorr’s patent.

As far as security is concerned, both ECDSA and Schnorr schemes rely on similar assumptions, but Schnorr-based ones boast a number of advantages over the incumbent scheme — notably, signature aggregation and native multisig support.

What this means for scalability is a reduction in the size of any given transaction: for every transaction you create, you combine multiple inputs, each of which must be signed. With signature aggregation, however, one signature can be provided for all the inputs, reducing the size of the transaction considerably (according to a talk by Pieter Wuille in 2017, this would be in the region of a 25–30% decrease in size).

Now, this is interesting for your average transaction made by an individual (not to mention easier for peers to validate), but it also offers valuable improvements to multisig structures (see our recent recap on these here). In the case of an n-of-n multisig address, funds can only be spent if all possible signers are onboard – making transactions both significantly longer and costlier than regular ones.

Again, though, signature aggregation means that the signatures provided by all of the signers can be swapped out with a single one, cutting down on both size and cost. Another byproduct of this is privacy. It’s fairly obvious to onlookers when a multisig transaction is being made, but by aggregating the signatures of co-signers, they’re effectively indistinguishable from single-party transactions.
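To make the aggregation and privacy claims above concrete, here is an added, self-contained Python illustration (written for this page; it is not code from the article, from the MuSig paper or from the Blockstream library) of the MuSig idea the post describes. All signers are simulated in one process, the nonce-commitment round of the real protocol is omitted, and the hash domain tags and 64-byte uncompressed point encoding are this example's own simplifications rather than the BIP's tagged hashes and x-only keys. What it shows is the property the post relies on: n signers produce one (R, s) pair of the same size as a single-party signature, and a verifier checks it with exactly the same algorithm and cannot tell the two apart. The per-key coefficient a_i = H(L || X_i) is what MuSig adds over naive key summation so that no participant can pick a public key that cancels out the others'.

```python
import hashlib
import secrets

# secp256k1 curve constants (the curve Bitcoin uses; well-known public values).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # Q + (-Q) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def encode(pt):
    # Simplified 64-byte x||y encoding (assumption of this example, not the BIP's).
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h(tag, data):
    """Domain-separated hash to a scalar mod N (stand-in for BIP tagged hashes)."""
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, point_mul(x, G)

def key_agg_coeffs(pubkeys):
    # a_i = H(L || X_i) with L = H(X_1 || ... || X_n): the MuSig factor that
    # prevents one participant's key from cancelling out the others'.
    L = hashlib.sha256(b"".join(encode(X) for X in pubkeys)).digest()
    return [h(b"musig/agg", L + encode(X)) for X in pubkeys]

def aggregate_pubkey(pubkeys):
    """Aggregate key X = sum(a_i * X_i); looks like any other single public key."""
    X = None
    for a, Xi in zip(key_agg_coeffs(pubkeys), pubkeys):
        X = point_add(X, point_mul(a, Xi))
    return X

def challenge(R, X, msg):
    return h(b"musig/chal", encode(R) + encode(X) + msg)

def schnorr_sign(x, msg):
    """Ordinary single-party Schnorr signature: (R, s) with s = r + c*x."""
    r = secrets.randbelow(N - 1) + 1
    R = point_mul(r, G)
    c = challenge(R, point_mul(x, G), msg)
    return R, (r + c * x) % N

def musig_sign(privkeys, msg):
    """All n signers simulated here; real signers only exchange R_i and s_i."""
    pubkeys = [point_mul(x, G) for x in privkeys]
    coeffs = key_agg_coeffs(pubkeys)
    X = aggregate_pubkey(pubkeys)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in privkeys]
    R = None
    for r in nonces:                       # R = sum(R_i), each R_i = r_i * G
        R = point_add(R, point_mul(r, G))
    c = challenge(R, X, msg)               # one challenge bound to R, X and msg
    partials = [(r + c * a * x) % N for r, a, x in zip(nonces, coeffs, privkeys)]
    return R, sum(partials) % N            # s = sum(s_i)

def schnorr_verify(pubkey, msg, sig):
    """Single verifier for both cases: checks s*G == R + c*X."""
    R, s = sig
    if R is None or not 0 < s < N:
        return False
    c = challenge(R, pubkey, msg)
    return point_mul(s, G) == point_add(R, point_mul(c, pubkey))

def encode_sig(sig):
    """64-byte wire form (x of R, then s), identical whether 1 or n parties signed."""
    R, s = sig
    return R[0].to_bytes(32, "big") + s.to_bytes(32, "big")
```

Verification works because s*G = (sum r_i)*G + c*(sum a_i*x_i)*G = R + c*X, so the verifier never learns how many partial signatures went into s. Note that the aggregate key depends on the order of the public keys (L changes with it), so all parties must agree on the ordering before signing.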

Getting there…

The excitement around Schnorr signatures is certainly picking up (particularly since Segwit activation, which would allow it to be presented as an opt-in soft fork). In early 2018, authors Gregory Maxwell, Andrew Poelstra, Yannick Seurin and Pieter Wuille published a paper describing MuSig, which outlined a new Schnorr-based scheme. Wuille later published a BIP proposing a standard for these.

And most recently, Poelstra penned a post on the Blockstream blog announcing that he and his co-authors had been hard at work turning their paper into usable code, merging it into a fork of the cryptographic library used by Bitcoin Core.

It’s unclear when the upgrade will be incorporated into the Bitcoin protocol, but many hope to see it adopted within the year (it should be relatively pain-free to roll out). It’s likely that it will be bundled in with other enhancements, such as Taproot, in order to boost Bitcoin’s scalability, privacy and smart contract capabilities.

Cover image by the author.
