Schnorr Signatures

Bitcoin currently supports two signature schemes side by side: ECDSA and Schnorr. ECDSA is the original, in use since the Genesis block in 2009, while Schnorr (BIP-340) was introduced with the Taproot upgrade activated in November 2021. Both are built on the secp256k1 curve. ECDSA was invented to sidestep the Schnorr patent and is notoriously awkward to reason about. Now that the Schnorr patent has expired, we can skip ECDSA and go straight to the real thing.

secp256k1

secp256k1 is an elliptic curve defined over a finite field, given by:

$$y^2 = x^3 + 7 \pmod p$$

where $p = 2^{256} - 2^{32} - 977$. The modulus forces both $x$ and $y$ to be integers, so secp256k1 is not a continuous curve but rather a collection of discrete points.

A scatter plot, however, is hard to build intuition from. The image below shows the curve before the modulo — drawn over the real numbers $\mathbb{R}$ (i.e. plain $y^2 = x^3 + 7$ without the $\bmod\, p$). The real secp256k1 is what you get by “plucking points mod $p$” from this curve, but when reasoning about point addition, tangents, and symmetry, the continuous picture is good enough.

y² = x³ + 7secp256k1

a0

b7

At this point you might wonder: why is it called an elliptic curve? The general form is the Weierstrass equation $y^2 = x^3 + ax + b$. Drag $a$ to the left in the figure above and you’ll see exactly where the name comes from.

Point Addition

Point addition is the central operation of elliptic curve cryptography. Everything that follows — keys, signatures, verification — is built on top of it. The geometric definition goes like this:

Given two points $P$ and $Q$ on the curve, $P + Q$ is computed in three steps:

1. Draw a straight line through $P$ and $Q$.
2. This line intersects the curve at a third point $R$.
3. Reflect $R$ across the $x$-axis. The reflected point is $P + Q$.

Three special cases

• $P = Q$: when the two points coincide, “the line through both points” degenerates into “the tangent line at $P$”. Reflect the tangent’s third intersection with the curve and you get $2P$.
• $P$ and $-P$: define $-P$ as the reflection of $P$ across the $x$-axis. The line through them is vertical and meets the curve only at those two points. Mathematicians take “the third intersection lies at infinity” as a convention here, written $\mathcal{O}$ (the point at infinity); reflecting $\mathcal{O}$ still gives $\mathcal{O}$. So $P + (-P) = \mathcal{O}$.
• Adding $\mathcal{O}$: $\mathcal{O}$ is the identity element — for any point $P$, $P + \mathcal{O} = P$.

It forms an abelian group

Including $\mathcal{O}$, every point on the curve satisfies the following under this addition:

• Closure: the sum of two points is still on the curve
• Associativity: $(P + Q) + R = P + (Q + R)$
• Identity: $\mathcal{O}$
• Inverses: the inverse of $P$ is $-P$
• Commutativity: $P + Q = Q + P$

Five boxes ticked → an abelian group. This means all the familiar properties of everyday addition carry over to points on the curve.

Key Pairs

secp256k1 has a special point $G$ called the base point (generator point), with fixed, publicly agreed coordinates. Adding $G$ to itself $n$ times returns $\mathcal{O}$ (the point at infinity). $n$ is a large prime close to $2^{256}$, called the order of the base point.

Pick a random integer $d$ between $1$ and $n-1$, and the point $P = dG$ obtained by adding $G$ to itself $d$ times is your public key; $d$ is the private key.

For the relationship between public key $P$ and private key $d$ to be useful, it has to be cheap to compute $P$ given $d$, but hard to recover $d$ given $P$. This asymmetry is what elliptic curve cryptography rests on.

When I first saw this equation, my immediate question was: if $P$ is $G$ added to itself $d$ times, doesn’t computing $P$ from $d$ also take $d$ additions? Wouldn’t that be just as slow as brute-forcing? Not at all. When you know $d$ exactly, you can use the binary-expansion trick (double-and-add) to compute $P$ efficiently.

Suppose $d = 13$. The double-and-add procedure looks like this:

1. The binary representation of $13$ is $1101$.
2. Starting from $G$, compute $2G = G + G$, $4G = 2G + 2G$, $8G = 4G + 4G$.
3. Reading off the binary digits, $13G = G + 4G + 8G$.

Just four additions — $G$, $2G$, $4G$, $8G$ — and you have $13G$, rather than thirteen separate additions. At most you need around $256$ additions (since $d$ can be as large as $n-1$, close to $2^{256}$). The intermediate doublings $2G$, $4G$, $8G$, … can also be cached for further speedups. An attacker who doesn’t know $d$, on the other hand, has no shortcut: they’re stuck computing $G$, $2G$, $3G$, … from scratch until they hit $P$.

Schnorr Signatures

Setup: generate a key pair $(d, P)$ with $P = dG$. We want to sign a message $m$.

Signing

The signing procedure is:

1. Pick a random number $k$ and compute $R = kG$.
2. Compute the hash $e = H(R \| P \| m)$, where $m$ is the message and $\|$ denotes concatenation.
3. Compute the signature value $s = k + ed \pmod n$.
4. The signature is $(R, s)$.

Verification

Let’s first take stock of what’s public:

• The public key $P$
• The message $m$
• The signature $(R, s)$
• The hash $e$ (anyone can recompute it from $R$, $P$, $m$)

Going back to the signing equation $s = k + ed \pmod n$, multiply both sides by $G$:

$$sG = kG + edG \pmod n$$

Substituting the public values $R = kG$ and $P = dG$, this becomes:

$$sG = R + eP \pmod n$$

Every term in this equation is public. The verifier just needs to check whether $sG$ and $R + eP$ are equal to decide if the signature is valid. Only someone who knows both $k$ and $d$ can produce a matching $s$, which proves the signer holds the private key $d$.

The random number $k$ is what protects the private key $d$. The equation $s = k + ed \pmod n$ has only two unknowns, $k$ and $d$, so if $k$ leaks, $d$ falls out directly. And if the same $k$ is ever reused across two signatures, an attacker doesn’t even need to know its value: subtracting the two signature equations cancels $k$ out and yields $d$. Making sure every signature uses a fresh, distinct random $k$ is therefore critical.