Influential developer Pieter Wuille recently proposed a consensus change for a new signature type for bitcoin transactions called Schnorr to the Bitcoin Improvement Proposal (BIP) Github. The 64-byte Schnorr signatures would be used over the elliptic curve secp256k1 to sign transactions.
This upgrade would be the biggest to bitcoin since Segregated Witness (SegWit), though small upgrades occur every day. It gives bitcoin users a new way to generate cryptographic keys and can contribute to solving many of the scaling and privacy issues that have plagued bitcoin. One estimate, for example, foresees a 20 percent reduction in transaction storage burdens on the Bitcoin network.
The main points outlined in Wuille’s post for why the Schnorr signatures were an improvement to the Elliptic Curve Digital Signature Algorithm (ECDSA) currently used to create signatures over the secp256k1 curve were:
- Security proof: The security of Schnorr signatures is easily provable in the random oracle model assuming the elliptic curve discrete logarithm problem (ECDLP) is hard. Such a proof does not exist for ECDSA.
- Non-malleability: ECDSA signatures are inherently malleable; a third party without access to the private key can alter an existing valid signature for a given public key and message into another signature that is valid for the same key and message. This issue is discussed in BIP62. On the other hand, Schnorr signatures are provably non-malleable.
- Linearity: Schnorr signatures have the remarkable property that multiple parties can collaborate to produce a signature that is valid for the sum of their public keys. This is the building block for various higher-level constructions that improve efficiency and privacy, such as multisignatures and others (see Applications below).
- Signature encoding: Instead of DER-encoding for signatures (which are variable size, and up to 72 bytes), we can use a simple fixed 64-byte format.
- Batch validation: The specific formulation of ECDSA signatures that is standardized cannot be validated more efficiently in batch compared to individually, unless additional witness data is added. Changing the signature scheme offers an opportunity to avoid this.
The rest of the proposal goes deep into the mathematical and technical logic underlying the idea. Co-authored by many other top bitcoin developers such as Johnson Lau and Gregory Maxwell, this is certainly significant. As such, the veterans of bitcoin improvements know the work ahead as Wuille outlined the path ahead to CoinDesk:
“Like any consensus change, it will be a long process involving fully fleshing out a draft for integration, publishing it, gathering comments from the technical community and ecosystem, writing implementations of both consensus rules and integration in wallet software, proposing a deployment plan, and if all goes well, get it activated”