BitcoinMachine
TECHNICAL_DOC // CRYPTOGRAPHY / SCHNORR
SCHNORR
SIGNATURES
schnorr-signatures/">Schnorr signatures (BIP 340) are Bitcoin's second signature algorithm, activated with Taproot in November 2021 for P2TR outputs. Compared to ECDSA, Schnorr signatures are 64 bytes (vs 71–72 for ECDSA DER), provably secure, non-malleable, and support linear signature aggregation — enabling efficient multi-party signing schemes like MuSig2.
SCHNORR_ALGORITHM
BIP 340 SCHNORR — SIGNING
Inputs: privkey = x (32 bytes) pubkey = P = x×G (x-only, 32 bytes) message = msg (32 bytes, any data) Signing: 1. k = H_BIP0340/nonce(x || P || msg) (deterministic nonce) (if k even: k = k; if k odd: k = n-k → negate) 2. R = k×G (only x-coordinate used) 3. e = H_BIP0340/challenge(R.x || P || msg) mod n 4. s = k + e × x mod n Output: sig = R.x || s = 64 bytes total Note: BIP 340 uses x-only public keys (32 bytes, not 33) Even y-coordinate is assumed; negate x if needed.
Schnorr vs ECDSA
BIP 340
Schnorr signatures offer several advantages over ECDSA while maintaining the same security guarantees on secp256k1.
Comparison: ECDSA Schnorr (BIP 340) Size: 71–72 bytes DER 64 bytes Pubkey: 33 bytes compressed 32 bytes (x-only) Provably secure: No (random oracle) Yes Malleable: Yes (low-s rule) No Aggregatable: No Yes (MuSig2, FROST) Batch verify: No Yes (~30% speedup) Used in: P2PKH,P2WPKH,P2SH P2TR (Taproot) Verification equation: s×G = R + e×P (linear in both R and P → enables aggregation)
Batch Verification
PERFORMANCE
Schnorr's linear structure allows verifying multiple signatures simultaneously — faster than verifying each signature individually.
Individual ECDSA verification: 2 scalar mults per sig Individual Schnorr verification: 2 scalar mults per sig Batch Schnorr verification (n sigs): Pick random scalars a1...an Check: (Σ ai × si) × G = Σ ai × (Ri + ei × Pi) Uses multi-scalar multiplication ≈ 0.5 mults per sig At 1000 signatures: ~2× faster than individual ECDSA Applied during IBD (Initial Block Download): → Faster chain sync for new nodes
TERMINOLOGY_INDEX
Schnorr
BIP 340 signature algorithm for P2TR. 64 bytes, provably secure, supports aggregation.
x-only Pubkey
32-byte public key used in Schnorr/Taproot. Only the x-coordinate is stored; y-parity implied even.
Linear Aggregation
Multiple Schnorr signatures can be combined: s_agg = Σsi, enabling MuSig2 key and sig aggregation.
Batch Verification
Verifying multiple Schnorr signatures simultaneously, ~2× faster using multi-scalar multiplication.
Tagged Hash
BIP 340 uses domain-separated hashes (H_tag) to prevent cross-context hash collisions.
INTERACTIVE — TRY IT YOURSELF
CRYPTOGRAPHY / TAPROOT
Schnorr Signatures
Schnorr signatures (BIP 340, active since Taproot activation Nov 2021) replace ECDSA for Taproot outputs. They're simpler, provably secure, and support native key aggregation — multiple signers can produce a single signature that looks identical to a single-signer output. A Schnorr signature is exactly 64 bytes: the x-coordinate of the nonce point R, and a scalar s.
SCHNORR SIGN & VERIFY
Sign: choose nonce k, compute R = k·G. If R.y is odd, negate k and R so R.y is even. Compute challenge e = H(R.x || P.x || msg). Then s = k + e·d mod n. Signature is (R.x, s) — 64 bytes.

Verify: compute R' = s·G − e·P. Check R'.x = R.x and R'.y is even.
SCHNORR SIGN & VERIFY (BIP 340)secp256k1 BigInt arithmetic
KEY AGGREGATION — MUSIG2 CONCEPT
With Schnorr, two signers with keys P₁ and P₂ can combine their public keys into an aggregate key P = H(P₁,P₂,P₁)·P₁ + H(P₁,P₂,P₂)·P₂. The aggregated key looks like a normal single-signer key on-chain — no one can tell it's a 2-of-2 multisig. This dramatically improves privacy and reduces fees.
KEY AGGREGATION DEMOtwo keys → one aggregate
SCHNORR vs ECDSA
COMPARISON TABLE
PROPERTYECDSASCHNORR (BIP 340)
SIGNATURE SIZE70-72 bytes (DER)64 bytes (fixed)
LINEARITYNon-linear (no native aggregation)Linear — key/sig aggregation possible
SECURITY PROOFRandom Oracle Model onlyProvably secure in ROM
BATCH VERIFYNot possibleO(n) batch verification
ADAPTOR SIGSPartial supportNative support
USED INPre-Taproot (P2PKH, P2SH, P2WPKH)P2TR (Taproot, SegWit v1+)
STANDARDSEC (industry)BIP 340 (Bitcoin)
Batch verification: With Schnorr, a block validator can verify all N signatures in a block simultaneously in a single multi-scalar multiplication, which is faster than N individual verifications. This has significant throughput implications for full node validation during IBD (Initial Block Download).