TeachMeBitcoin

Schnorr vs. ECDSA: Cryptographic Evolution


With the activation of the Taproot soft fork (BIP 340), Bitcoin expanded its cryptographic engine from legacy ECDSA signatures to include modern Schnorr signatures.

Let's compare the underlying mathematics of both schemes and explore why Schnorr represents a monumental leap forward in speed, privacy, and security.


Comparing the Mathematical Formulations

The differences in how signatures are constructed and validated reveal why Schnorr is mathematically superior:

1. The Signing Equation

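Legacy ECDSA:

$$s = k_{\text{ephemeral}}^{-1} \cdot (z + r \cdot k) \pmod n$$

Schnorr (BIP 340):

$$s = k_{\text{ephemeral}} + e \cdot k \pmod n$$

(where $e = SHA256(R_x \parallel K \parallel m)$, combining the ephemeral point $R$, public key $K$, and message $m$)

In both equations $k$ is the private key, $k_{\text{ephemeral}}$ is the per-signature nonce, $R = k_{\text{ephemeral}} \cdot G$ is the ephemeral point, and in ECDSA $z$ is the message hash and $r$ is the x-coordinate of $R$ modulo $n$.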

2. The Verification Equation

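Legacy ECDSA:

$$\text{x-coordinate of } (u_1 \cdot G + u_2 \cdot K) \equiv r \pmod n$$

(where $u_1 = z \cdot s^{-1} \pmod n$ and $u_2 = r \cdot s^{-1} \pmod n$)

Schnorr (BIP 340):

$$s \cdot G = R + e \cdot K$$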

Proof of Schnorr Verification

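To see why $s \cdot G = R + e \cdot K$ holds, substitute the Schnorr signing equation and use $R = k_{\text{ephemeral}} \cdot G$ and $K = k \cdot G$: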

$$s \cdot G = (k_{\text{ephemeral}} + e \cdot k) \cdot G$$

$$s \cdot G = k_{\text{ephemeral}} \cdot G + e \cdot (k \cdot G)$$

$$s \cdot G = R + e \cdot K$$


Feature Comparison Matrix

| Security & Efficiency Metric | Legacy ECDSA | Schnorr (BIP 340) |
|---|---|---|
| Signature Size | 70 - 72 bytes (DER format) | 64 bytes (Fixed size) |
| Public Key Size | 33 bytes (Compressed) | 32 bytes (Compressed) |
| Linearity | No (Non-linear) | Yes (Perfect Linearity) |
| Native Multi-Signature | No (Requires script validation) | Yes (MuSig2 key aggregation) |
| Malleability | Naturally malleable | Provably non-malleable |
| Batch Verification | No (Must verify individually) | Yes (Speed-aggregates block validation) |

⚡ Key Architectural Advantages of Schnorr

The algebraic simplicity of Schnorr's formulation resolves several long-standing limitations of ECDSA:

1. Elimination of Signature Malleability

ECDSA signatures are naturally malleable:

2. Batch Verification Speedups

In ECDSA, verifying a block containing 1,000 transactions requires executing 1,000 individual, slow coordinate-inversion operations.

With Schnorr, the verification equations of many signatures can be summed into a single check:

$$\sum (s_i \cdot G) = \sum (R_i + e_i \cdot K_i)$$

Nodes can validate block signatures simultaneously, accelerating block validation speeds by up to 2.5x and lowering full node system overhead.
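The signing, verification and batch equations above, as an added Python example (not TeachMeBitcoin's code and not a BIP 340 implementation). It follows the page's plain $e = SHA256(R_x \parallel K \parallel m)$; serializing $K$ as its x-coordinate and carrying the full point $R$ in the signature are assumptions made here. `batch_verify` weights each signature with a random coefficient $a_i$, the idea behind BIP 340's batch verification, so that errors in different signatures cannot cancel in the sum.

```python
import hashlib, secrets

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Double-and-add scalar multiplication (teaching code, not constant time)."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def challenge(R, K, m):
    """e = SHA256(R_x || K || m) mod n, with K serialized as its x-coordinate."""
    data = R[0].to_bytes(32, "big") + K[0].to_bytes(32, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(k, m):
    ke = secrets.randbelow(N - 1) + 1                    # fresh ephemeral nonce
    R = mul(ke, G)
    return R, (ke + challenge(R, mul(k, G), m) * k) % N  # s = k_e + e*k

def verify(K, m, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, K, m), K))  # s*G == R + e*K

def batch_verify(items, randomize=True):
    """Check sum(a_i*s_i)*G == sum(a_i*(R_i + e_i*K_i)) for (K, m, (R, s)) items."""
    lhs, rhs = 0, None
    for K, m, (R, s) in items:
        a = secrets.randbelow(N - 1) + 1 if randomize else 1  # a=1: plain sum
        lhs = (lhs + a * s) % N
        rhs = add(rhs, mul(a, add(R, mul(challenge(R, K, m), K))))
    return mul(lhs, G) == rhs
```

With `randomize=False` the function evaluates the unweighted sum shown above, which accepts a batch in which one `s` is raised by 5 and another lowered by 5 even though neither signature verifies on its own; the default randomized check rejects that batch.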
