TeachMeBitcoin

Schnorr Public Keys & BIP 340

From TeachMeBitcoin, the free encyclopedia

Schnorr Public Keys & BIP 340 (Taproot)

Introduced in the Taproot soft fork upgrade in November 2021, Schnorr Signatures and BIP 340 Public Keys represent the state of the art in Bitcoin cryptography.

By refining the mathematical rules of public keys, Schnorr signatures significantly improve transaction efficiency, privacy, and smart contract scalability.


🔵 Dropping the Parity Byte (32-Byte Keys)

Under the legacy ECDSA standard, compressed public keys require exactly 33 bytes: a 1-byte prefix (0x02 or 0x03) to indicate the parity of the $y$-coordinate, followed by the 32-byte $x$-coordinate.

BIP 340 introduces a brilliant mathematical optimization that eliminates this prefix byte entirely, shrinking all Taproot public keys to exactly 32 bytes of raw $x$-coordinate.

            ECDSA vs. SCHNORR PUBLIC KEY SERIALIZATION
┌────────────────────────────────────────────────────────┐
│  ECDSA Compressed Key (33 Bytes)                       │
├─────┬──────────────────────────────────────────────────┤
│0x02 │               x-coordinate (32 Bytes)            │
└─────┴──────────────────────────────────────────────────┘

┌────────────────────────────────────────────────────────┐
│  BIP 340 Schnorr Key (32 Bytes)                        │
├────────────────────────────────────────────────────────┤
│               x-coordinate (32 Bytes), no prefix       │
└────────────────────────────────────────────────────────┘

🧮 The Implicit Parity Negation Rule

To drop the parity byte without creating ambiguity, BIP 340 establishes an implicit even parity rule:

Every valid Schnorr public key on the blockchain is mathematically forced to have an even $y$-coordinate: the 32 bytes are read as the curve point with that $x$-coordinate and an even $y$.

When a wallet derives a public key point $K(x, y)$ from a private key $k$ ($K = k \cdot G$):

  1. Check Parity: The wallet checks the parity of the $y$-coordinate.
  2. If $y$ is already even: The wallet does nothing. The public key is the 32-byte $x$-coordinate.
  3. If $y$ is odd: The wallet mathematically negates (reflects) the point to the opposite side of the curve:

$$-K = (x, p - y)$$

Because the prime modulus $p$ is an odd number, subtracting an odd $y$-coordinate from $p$ is mathematically guaranteed to result in an even coordinate ($p - y$).

To match this reflected public point, the wallet simply negates the private key scalar as well, where $n$ is the order of the curve group generated by $G$:

$$\text{Negated Private Key} = n - k \pmod n$$

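Each $x$-coordinate on the curve corresponds to exactly two points, $(x, y)$ and $(x, p - y)$, one with even $y$ and one with odd $y$. Because of this simple algebraic reflection, the public key's $y$-coordinate is always even, allowing nodes to reconstruct $y$ from $x$ with 100% confidence, completely eliminating the need for a prefix byte!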
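The derivation steps above and the matching reconstruction on the verifier side, as an added Python example that is not code from TeachMeBitcoin or from BIP 340. The function names (`xonly_keypair`, `lift_x`, `point_add`, `point_mul`) are illustrative choices; the curve constants are the standard secp256k1 parameters.

```python
# Added example: BIP 340 x-only key derivation on secp256k1 (illustration only;
# not constant-time, so never use this arithmetic with real private keys).
P = 2**256 - 2**32 - 977  # field prime p
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def xonly_keypair(k):
    """Return (adjusted secret, 32-byte x-only public key) under the even-y rule."""
    if not 1 <= k < N:
        raise ValueError("secret key out of range")
    x, y = point_mul(k, G)
    if y & 1:          # odd y: reflect the point, so negate the scalar too
        k = N - k
    return k, x.to_bytes(32, "big")

def lift_x(xonly):
    """Rebuild the full point from 32 bytes, always choosing the even y."""
    x = int.from_bytes(xonly, "big")
    if len(xonly) != 32 or x >= P:
        raise ValueError("invalid x-only key")
    c = (pow(x, 3, P) + 7) % P
    y = pow(c, (P + 1) // 4, P)   # square root works because p % 4 == 3
    if y * y % P != c:
        raise ValueError("x is not on the curve")
    return (x, y if y % 2 == 0 else P - y)
```

A private key $k$ and its negation $n - k$ produce the same x-only public key and the same adjusted secret, which is why the signer must use the adjusted scalar rather than the original one.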


⚡ The Key Benefits of Schnorr Cryptography

Chaining the implicit even parity rule with the linear nature of Schnorr mathematics provides three massive benefits to the Bitcoin network:

1. Mathematical Linearity (Key Aggregation)

Unlike ECDSA, Schnorr signatures are mathematically linear. This allows multiple distinct public keys to be added together to create a single, combined public key:

$$K_{\text{joint}} = K_1 + K_2 + K_3$$

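Using MuSig2, the participants in a multi-signature wallet (e.g., a 3-of-3 setup) can combine their keys into a single 32-byte public key on-chain. When spending, they can construct a single joint signature that verifies against $K_{\text{joint}}$. The plain sum above is the simplified picture: MuSig2 multiplies each key by a coefficient derived from the full set of keys before adding, because a bare sum would let a participant who chooses their key last cancel out the others (a rogue-key attack).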

2. Radical Fee Reductions

Because multi-signature transactions are compressed into a single public key and a single signature, they take up the exact same amount of blockspace as a standard single-signature transaction. This significantly reduces transaction fees for multi-sig users and businesses.

3. Ultimate Spending Privacy

On the blockchain ledger, a joint MuSig2 Taproot transaction looks completely identical to a standard single-signature transaction. An outside observer or chain analysis firm cannot determine whether a Taproot spend was authorized by a single individual, a 2-of-3 escrow, or a 100-person multi-sig consortium!
