BitcoinMachine
TERM_DEF // KEYS_CRYPTOGRAPHY / SIGNATURE
SIGNATURE
Signature. The byte string produced by signing; in Bitcoin it is appended with a sighash flag indicating what parts of the tx it commits to.

This page sits in the Keys & Cryptography section — Elliptic curves, hashes, and signatures — the math that lets a 32-byte secret control billions of dollars. Read on for what it is, why it exists, how it works under the hood, and what to watch out for.
WHAT_SIGNATURE_IS
Signature — at a glance
KEYS
A Bitcoin signature is a cryptographic proof that whoever produced it knew the private key — without ever revealing the private key. In every signed transaction, the signature commits to specific bytes of the transaction (governed by the SIGHASH flag), so the same signature cannot be reused on a different tx.
Why it exists
DESIGN
Every spend has to prove ownership of the inputs being consumed. Signatures are how that proof gets made without trusting an authority: the signer combines their private key with the transaction hash, produces a few dozen bytes of data, and anyone with the public key can verify in microseconds. No identity, no log-in, no central registry.
HOW_IT_WORKS
Mechanism
HOW IT WORKS
Bitcoin uses two signature schemes: ECDSA (legacy, ~71 bytes, DER-encoded (r, s) pair) and Schnorr (Taproot, exactly 64 bytes, linearly aggregatable). Both rely on the elliptic-curve discrete logarithm problem (ECDLP) on secp256k1. To sign: pick a deterministic nonce-k-signing-scalar/">nonce k (RFC-6979 for ECDSA, BIP-340 for Schnorr), compute the signature components, append the 1-byte SIGHASH flag, and place into scriptSig/witness.
1. Generate or receive the input bytes (a private key, a message, a public key, a signature — depending on the operation). 2. Apply the cryptographic primitive — typically built on SHA-256, RIPEMD-160, secp256k1, or Schnorr/ECDSA. 3. Encode the result in the expected form: 32-byte hash, 33-byte compressed pubkey, 64-byte Schnorr signature, ~71-byte DER ECDSA signature, etc. 4. Verifiers worldwide re-run the same computation against the public inputs to confirm authenticity — no shared secret required.
WORKED_EXAMPLE
ECDSA vs Schnorr — same security, different shape
EXAMPLE
ECDSA signature (legacy, used since 2009): encoding : DER-encoded (r, s) integers + 1-byte SIGHASH flag size : 70–72 bytes typical format : 0x30 ||len|| 0x02 ||len|| r || 0x02 ||len|| s malleable : YES historically (BIP-66 tightened); use low-S form Schnorr signature (Taproot, BIP-340, active since 2021): encoding : 64 bytes flat — R (32) || s (32) (+ 1 byte SIGHASH if non-default) size : 64 bytes EXACTLY (65 with non-default SIGHASH) format : R || s — just two 32-byte values, no DER wrapping malleable : NO — strict encoding rules aggregatable: YES — multiple signers can produce a single 64-byte sig (MuSig2) SIGHASH flags (1 byte at the end of the signature): 0x01 SIGHASH_ALL (default — sign all inputs + all outputs) 0x02 SIGHASH_NONE (sign all inputs, no outputs — outputs swappable) 0x03 SIGHASH_SINGLE (sign all inputs + output at same index) 0x80 SIGHASH_ANYONECANPAY (sign only your input; others can be added)
KEY_PROPERTIES
ONE-WAY
Easy to compute forward in microseconds; infeasible to reverse even with planetary compute resources.
DETERMINISTIC
Same input → identical output on every machine, forever. No randomness sneaks in.
COLLISION-RESISTANT
Finding two distinct inputs that produce the same output requires more work than has ever been done on Earth.
PUBLIC-VERIFIABLE
Anyone can check a signature/hash against public data — no shared secret needed for verification.
COMMON_PITFALLS
Things that catch people out
PITFALLS
  • Reusing a nonce k across two signatures with the same private key reveals the private key. Always use deterministic nonces (RFC-6979 / BIP-340).
  • Pre-BIP-66 signatures had encoding malleability — a third party could rebroadcast a tx with a tweaked signature and a different txid. SegWit fixed this fully.
  • SIGHASH flags can be combined; misusing SIGHASH_SINGLE without a matching output is a classic bug that bricks transactions.
  • Schnorr signatures (64 bytes) are slightly smaller than ECDSA but more importantly aggregatable — MuSig2 lets N signers produce one signature that's indistinguishable from a single signer's.
WHERE_YOU'LL_SEE_IT
Pages on this site that cover Signature in more depth:
Digital Signatures
Adaptor Signatures
Schnorr Signatures
Signature
RELATED_CONCEPTS
Other terms from Keys & Cryptography — click any to read its page:
Private Key Public Key Key Pair Elliptic Curve secp256k1 Generator Point (G) Curve Order (n) Field Prime (p)
TERMINOLOGY_INDEX
TERMINOLOGY
Signature
The byte string produced by signing; in Bitcoin it is appended with a sighash flag indicating what parts of the tx it commits to.
Private Key
A random 256-bit number that gives full spending authority over the coins locked to its derived public key.
Public Key
A point on the secp256k1 curve, derived from a private key, that others use to verify signatures you produce.
Key Pair
A private key paired with its mathematically-linked public key; one signs, the other verifies.
Elliptic Curve
A curve defined by y² = x³ + ax + b; "adding" two points produces a third, and that operation is easy forward but practically impossible to reverse.
secp256k1
The specific elliptic curve Bitcoin uses, chosen for its lack of suspicious constants and high-performance arithmetic.
Generator Point (G)
A fixed agreed-upon point on secp256k1; multiplying G by your private key gives your public key.
Curve Order (n)
The number of distinct points on secp256k1 reachable from G; private keys are integers modulo n.