BIP340: Schnorr for Taproot
BIP340: Schnorr for Taproot
BIP340 is the technical specification that brought Schnorr signatures to Bitcoin. It defines exactly how a signature is encoded and verified on the secp256k1 curve.
1. 64-Byte Fixed Length
Unlike ECDSA signatures, which are variable length (~70 to 72 bytes) due to DER encoding, BIP340 signatures are always 64 bytes.
-
$r$ (32 bytes): The nonce point's X-coordinate.
-
$s$ (32 bytes): The signature value. This predictability makes transaction size estimation easier for wallets.
2. X-Only Public Keys
In Compressed Public Keys, we store the X-coordinate (32 bytes) plus a 1-byte "Parity Prefix" (02 or 03) to know if $y$ is even or odd.
-
BIP340 Change: It completely removes the parity prefix. It assumes $y$ is always even (or follows a specific rule).
-
Result: Taproot public keys are only 32 bytes. This saves 1 byte per key in every transaction.
3. Tagged Hashes
To prevent a signature meant for one purpose from being valid for another (e.g., using a signature from a different blockchain), BIP340 uses Tagged Hashes.
Instead of SHA256(data), it uses:
SHA256(SHA256("BIP340/challenge") + SHA256("BIP340/challenge") + data)
This ensures that the "Challenge" hash used in the signature is unique to the BIP340 standard and cannot be reused in other protocols.
4. Deterministic Nonces
Just like RFC6979 for ECDSA, BIP340 mandates that the random nonce ($k$) must be generated deterministically from the private key and the message. This prevents the "Nonce Reuse" catastrophe that has historically led to the theft of millions of dollars in Bitcoin.
5. Public Key Tweakability
BIP340 was designed specifically to support the Taproot (BIP341) tweak. It allows a public key to be modified to commit to a script, while still being signable by the original owner.
| Component | Size | Impact |
|---|---|---|
| Public Key | 32 bytes | Saves space / Cleaner |
| Signature | 64 bytes | Predictable / Compact |
| Challenge | Tagged Hash | Cross-protocol safety |
In the final section, we will build a Python Schnorr Auditor.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: