Schnorr Signatures: Making Bitcoin More Efficient one Signature at a Time
Ever since the release of Segregated Witness last year, there have been a number of important improvements on the Bitcoin wish list to help with scaling.
Prime among these was the implementation of Schnorr signatures. This unique cryptographic signature algorithm has been touted as one of the most efficient ways to improve the scalability of Bitcoin. This was recently explained in a research paper.
The hope is that these signatures will replace the existing signature technology by mashing a whole host of signatures together and thereby reducing the amount of data that must be included in the transactions. Some estimates see a 25-30% boost in transaction capacity
Before we take a look at exactly how batching with Schnorr signatures will improve capacity, we need go over some signature fundamentals.
Public and Private Keys
Bitcoin transactions are fundamentally driven by public key cryptography. These are inextricably linked to a corresponding private key and for each private key, there can only by one public key. This public key is derived from the private key.
While it is pretty easy to produce a public key from a private one, it is mathematically near impossible to do this the other way around. Hence, producing a public key from a private key is known as a one way function. This security is what underlies the Bitcoin network.
In order for someone to spend Bitcoin, they have to prove that they are indeed the owner of a particular address. This is done through use of their private key that will correspond to the public key of that address. However, in order to use this private key without revealing it, a cryptographic signature is required.
This is what allows Bitcoin transactions to be processed. The owner can very easily sign a transaction and send funds to someone else without ever having to reveal the all-important private key. This signature is also only used one time and is valid for that particular transaction.
Sending Bitcoin from one address to another with one signature is straightforward enough. However, the issue comes in when a number of transactions with multiple signatures are sent to a single destination address.
Given that each of these are viewed as "separate" transactions, they will each have their own signature. This is where the capacity concerns have come in as all of these signatures will have to be included as separate inputs into the individual transactions.
Apart from slowing down the network, these transactions will increase the cost of of a standard transaction. This is because there is only a certain amount of mining hash power around that can validate them and as demand for hash power increases so does price. Below is a graph of average transaction costs.
This is why many in the community have viewed batching as the most effective way to reduce congestion. Including multiple signature inputs as only one will have a marked impact.
However, how do you safely batch a combination of different signatures?
Enter Schnorr Signatures
Schnorr signatures are a series of mathematical rules that are able to link the public key, private key and signature together. Schnorr signatures are viewed as the most advanced in the cryptography field for a number of reasons. However, the most important of these is their support for multiple signatures.
Schnorr algorithms can combine all of these signatures into only one signature and hence one input to the transaction. This batching of the multiple signatures is seen as one of the most important ways to save space and hence reduce congestion.
This was always known by Bitcoin developers but Schnorr signatures only really became a reality after the SegWit activation. One of the core contributors at Bitcoin, Jameson Lopp tweeted the below estimation of they could reduce the blocksizes over time.
Apart from reducing the cost and time of individual transactions, there are a number of other benefits that come from combining multiple signatures into one signature.
Reduction in Spam Attacks
The Bitcoin network often undergoes spam attacks. These are essentially when a whole host of low value transactions are stuffed into Bitcoin blocks that slow down the network. These were particularly acute last year during the SegWit2X debacle.
These spam attacks are often launched by those individuals who want to drive a particular narrative or profit from high transactions fees. Many have blamed these spam attacks on large mining pools that are located in China.
Apart from increasing the transaction fees, these spam attacks also reduce transaction times and lead to a large amount of unconfirmed transactions being stuck in the Bitcoin memepool. You can see exactly how acute this was in the size of the Bitcoin memepool as it spiked in November / December last year.
The goal of these spam attacks is to no doubt drive users away from the Bitcoin network to other less expensive blockchains. Many have speculated that miners were trying to drive those users to Bitcoin cash in the immediate aftermath of the SegWit2X failure.
In order to run a successful spam attack, these actors will usually include a number of these low value transactions from numerous different addresses. Hence, it is relatively easy to identify these spam attacks for what they are.
How does Schnorr signatures reduce spamming?
Given that multiple signatures will now be combined into one, there will be a great deal more space in the Blocks. This will mean that in order to make the blocks full with junk transactions, the bad actors must spend a great deal more money.
Hence, as mutli-signature transactions are combined into a single signature, the cost of attacking the network increases signifigantly and becomes economically unfeasible. The hope is that this will have the effect of discouraging these actions.
One of the Bitcoin core developers, Gregory Maxwell, had suggested a privacy enhancing trick that would allow users to combine their transactions into a single transaction. The trick was called CoinJoin and allowed for transaction obfuscation.
As a simplified example, combining transactions with CoinJoin is akin to placing all of your funds into a pool for purchasing particular goods. The pooled funds will then be used to purchase all goods including your product.
Although you will get the good that you wanted, due to the fact that the funds were combined no one can trace your input to the particular output. The result is an added level of privacy for the user.
Despite how advantageous this sounds, there was not that much demand for it initially. This was due to the complexity that was involved in combining the transactions. Moreover, as less people used the method, those that did immediately raised a certain amount of suspicion.
However, with the implementation of Schnorr signatures not only will the transactions be combined but so will the signatures. This will markedly decrease the size of transactions to the point where it is even smaller than all of them combined.
The hope is that these Schnorr enabled CoinJoin transactions will be much cheaper to process and hence provide an added incentive to use them. The result would be more implement CoinJoin for transaction pooling.
This is seen as double win for Schnorr signatures and CoinJoin. Users will get lower fees as well as an enhancement in privacy.
Potential Implementation Issues
Schnorr has been in development since 2012 and hence is a long time coming. This is mainly due to the complications involved in Schnorr itself. Currently, there are not enough developers who are skilled enough in the underlying cryptography.
Moreover, given the large amount of money at stake on the Bitcoin network a great deal of testing needs to be completed before they can be used on any large scale.
There were also a number of other concerns that have cropped up and slowed the progress of Schnorr signatures. For example, last year the co-founder of blockstream, Pieter Wuille, gave a speech at Stanford where he mentioned "non standard challenges".
One of these was a possible "Rouge attack" in the particular Schnorr implementation. This was brought to the attention of Pieter Wuille by ANSSI cryptographer Seurin. He stated that
I noticed that the specific signature aggregation scheme they were thinking of didn't have a proper security analysis at the time
There was also another subtle attack vector that was discovered by a Blockstream engineer called Russel O'Conner that would allow actors to steal Bitcoin with the particular signature theme. This was quite aptly called "Russel's attack".
Although most of these attack vectors have been addressed, work is still progressing on the technology as there is quite a bit to be done.
Bitcoin Improvements Continue
Given the recent tumultuous year that Bitcoin has been through, any technology that helps Bitcoin scale will no doubt be seized upon by the community. A prime example of this is the lightning network, an off-chain scaling solution.
However, on chain scaling is also improving markedly as adoption of SegWit addresses is increasing. Businesses such as Coinbase have decided that the benefits of these transactions cannot be ignored and have included support for them.
Now, with the impending release of Schnorr signatures, multi-sig SegWit transactions will be greatly reduced in size. This means a more efficient and cost effective Bitcoin ecosystem for all.
Disclaimer: These are the writer’s opinions and should not be considered investment advice. Readers should do their own research.