Schnorr signatures
Schnorr signatures are digital signatures that provide similar security to the ECDSA scheme used since Bitcoin’s original implementation and which can use Bitcoin’s same elliptic curve parameters, but which can provide other benefits.
Schnorr is secure under the same cryptographic assumptions as ECDSA and it is easier and faster to create secure multiparty signatures using schnorr with protocols such as MuSig. A new signature type also provides an opportunity to change the signature serialization format from BER/DER to something that’s more compact and simpler to implement.
Primary code and documentation
Optech newsletter and website mentions
2022
- BDK #718 begins verifying schnorr signatures immediately after the wallet creates them
- LND #6722 adds support for signing arbitrary messages with schnorr signatures
- Why isn’t
OP_CHECKMULTISIG
compatible with batch verification of schnorr signatures?
2021
- Libsecp256k1 #844 updates schnorr API to allow signing arbitrary length messages
- Rust Bitcoin #589 starts implementing support for taproot and schnorr signatures
- Comparison of SSS to
OP_CHECKMULTISIG
to schnorr multisignatures
2020
- 2020 year in review: Taproot, tapscript, and schnorr signatures
- Bitcoin Core #19953 merged with consensus implementation of BIP340
- Libsecp256k1 #558 implements schnorr signature verification and signing
- BIPs #982 updates BIP340 to consistently use evenness tiebreaker
- Proposal to update BIP340 schnorr signatures to use evenness tiebreaker
- Presentations and discussions about schnorr signatures
- RFC6979 nonce generation versus BIP340’s recommended procedure
- BIP340 schnorr updated with alternative tiebreaker & nonce recommendation
- Mitigating differential power analysis in schnorr signatures
- Implementing statechains without schnorr signatures
- Proposed update to schnorr key selection and signature generation
- BIP340 schnorr signature recommendations updated for improved security
- Discussion about taproot versus other schnorr-enabling proposals
- Safety of precomputed public keys used with schnorr signatures
- BIP340 alternative x-only pubkey tiebreaker and tagged hash
2019
- Blog post about x-only pubkeys for use in schnorr signature schemes
- Bitcoin Optech schnorr/taproot workshop
- Announcement of structured taproot review (including schnorr)
- Update on changes to schnorr, taproot, and tapscript
- Talk summary: the quest for practical threshold Schnorr signatures
- Proposed change to schnorr pubkeys
- Executive briefing: the next soft fork
2018
See also
Previous Topic:
Responsible disclosures
Next Topic:
Segregated witness