Bitcoin Q&A: Schnorr signatures and the privacy roadmap

[AUDIENCE] I [want to] ask you about
privacy in general with blockchains. I know we have Zcash and Monero. Do you see a second layer protocol for Bitcoin
that will render those [unnecessary]? [Which] one of those protocols is the most promising
for obfuscation and keeping your transactions private? [ANDREAS] That is a great question. I think privacy
is one of the most [important characteristics]… that needs to be in the base protocol of Bitcoin. It is on the roadmap. I have made some controversial statements before
and I will make a controversial statement now: privacy before scaling. Because you can do scaling in [second layers]; you can’t
do privacy [as effectively] if [the base layer] isn’t private. We learned that lesson the hard way with the internet,
[which] has been a disaster from a privacy perspective. IPv4 did not incorporate privacy features; as a result, the economic incentives were there to
turn the internet into a giant surveillance machine. There are parts of it that are encrypted [and
anonymised], but most of us don’t use those parts… and we all suffer. Privacy is so important that it [must] be done first.
Fortunately, there is a lot of research being done. Bitcoin can also benefit from research
that is happening in other systems. That is the beauty of big open-source ecosystems;
we can all dip into the ideas of other teams and learn, if we are not too caught up in the screaming of
cryptocurrency tribalism, which is one of the risks. There is also privacy technology [in] the second layers. The Lightning Network significantly
improves the privacy profile of Bitcoin. It is getting better. The combination of [optimisation
in both layers] I think will give us better privacy. Furthermore, I expect we will see the second layers
eventually become multi-currency routing networks, meaning [multiple] blockchains will be connected and
you [could] move between [coins] in milliseconds. [Securely], for [little] or no fees at all. At that point, a [more private or anonymous] cryptocurrency is just one swap away. It becomes very easy to be fungible. I would prefer to see privacy in every currency.
In fact, I think currency without privacy is a bug. It is a dangerous bug which, if it is
not fixed, will have consequences. Frank asks about Schnorr signatures: “After a quick reminder of what doors
Schnorr signatures will open for Bitcoin, could there be any reason not to
want them implemented into Bitcoin?” “Can you also tell us how you think this
would be rolled out, in a soft fork or a hard fork?” “Is there any timeline for these changes?” If you are interested in the technical information around
[Schnorr signatures], I would strongly suggest that… you watch a video produced by Pieter Wuille for
the San Francisco Bitcoin Developers meetup, which I was the founder of a long time ago. I’m no longer involved in that [meetup], but they seem to [produce] some very
high-level, quality technical seminars. Pieter Wuille talked about Schnorr signatures,
signature aggregation, as well as upcoming changes… to the SIGHASH opcode within Bitcoin. It is a fascinating presentation. Very technical,
but you will still learn a lot about Schnorr signatures. What are Schnorr signatures? They are actually a predecessor to the
Elliptic Curve Digital Signature Algorithm (ECDSA). In fact, as Pieter Wuille talked about in his presentation, DSA was invented in order to overcome some of
the patent encumbrances of Schnorr signatures. Schnorr signatures fell out of patent
[about ten years ago in February 2008]. Since then, people can [freely] use Schnorr signatures.
They have some significant advantages. On a security level, Schnorr signatures are equivalent to
ECDSA. They have the same fundamental assumptions, which is the difficulty of solving the discrete
logarithm problem over [an elliptic curve group]. That discrete logarithm problem is the
basis of [ECDSA] and elliptic curve cryptography. [With the discrete logarithm problem over a prime-order
field], you can do multiplication but not division. [They are both] ‘hard’ problems, meaning [there is
no known polynomial time algorithm to solve it]. Schnorr signatures and ECDSA depend
on the same basic security assumption. However, Schnorr signatures have some
very interesting properties, one of [which] is… the sum of a set of Schnorr signatures [can be made]
equivalent to a signature on the sum of messages… made with the sum of the public keys. [In short], you can do signature aggregation. If you have a series of messages (transactions), and you
have a series of public keys to sign those transactions, instead of signing each message with each
public key and having a series of signatures, you can add all the public keys and all the
messages together, then sign the whole thing. With the sum of the public keys
signing the sum of the messages. This produces a sum signature, which is the same as
the sum if you had signed each message independently. I am using the word “sum” in a slightly broader
context than simple arithmetic addition. [For now], let’s just assume that it is
an equivalent arithmetic operation. The bottom line is that you could do some
interesting things [with Schnorr signatures]. For example, if you have a bitcoin transaction that
has five inputs, instead of having five signatures… you could provide one aggregate signature, that can be
evaluated in a fraction of the time, for all of the inputs. Theoretically, you could take that one step further. If you have a thousand transactions in a block
that are all based on Schnorr signatures, [with] one signature aggregating the transaction inputs,
you [could] aggregate all signatures in the block… and have one signature per block that is stored. It means you can do aggregate verification. You could take the sum of all signatures,
and verify it once against the sum of all messages. The verification algorithm [will] tell you they are
either all correct, or [at least] one is wrong… but it doesn’t know which one, and you
could test each one of them independently. This is useful. In Bitcoin, when [a node]
receives a block with all of its signatures, the assumption is that it will be valid. It is very rare that you reject a block
because it has an invalid signature; it’s unlikely that block would reach you because
the previous node has already done validation… and [won’t] forward the block if it fails. If a block reaches your node, 99.99% of the time
or some very high probability, that block will [be valid]. So if you just validate the sum of
all signatures and it says ‘valid,’ you don’t have to waste time checking each signature. That is a very interesting [advancement]. The other [capability you have] with Schnorr
signatures, which is even more interesting, is the aggregation of signatures across signers. If we have a multi-signature, an ‘M’ of ‘N’ structure,
where three of fifteen people have to sign for example, with Schnorr signatures [you can make it appear as]
a single signature on a single public key. That allows you to make multi-sig look like a single-signature
payment, a great privacy improvement. You could take a complex multi-sig and make it look like
a single-signature payment from one person to another. They could be indistinguishable. The proposed structure is an ingenious mechanism… created by Greg Maxwell, Pieter Wuille,
Andrew Poelstra, and a few others. It is called Taproot and there is an
additional aspect called Graftroot. These are some very exciting cryptography innovations. The combination of Schnorr signatures, Taproot,
Graftroot, and signature aggregation with multi-sig, which was called “Mu-sig” for Schnorr signatures… This is a package of upgrades. It is likely they will be
[added to Bitcoin together], or as many as possible. Pieter Wuille explained the logic behind
[adding] all of these upgrades as one. One reason is, you get the maximum privacy benefit. If you can do one but not the other, then
someone could differentiate between… [those who use it for] privacy
from those who are not; that puts a target on the back
of people [using it for] privacy. Whereas, if suddenly all the transactions can do this
and it looks indistinguishable from a single signature, that is a great tool which gives you privacy
without showing that you’re trying to get privacy. This can be done by soft fork. It doesn’t require a
hard fork [due to] SegWit’s script versioning upgrade, [which] allows you to introduce new signature
mechanisms and SIGHASH types in an opt-in soft fork. Given the past history of soft forks, I will go out on a
limb and say this will not be activated by miner voting. Due to the disaster of the UASF BIP-9 miner vote
for SegWit, I expect this [will] be an opt-in change. Meaning: “As of [some date], any node
which has updated to the last version… of the client, and chooses to
turn on this feature, can use it.” It is as simple as that. There will be a soft fork
with a specific date. As for the possible timeline… The BIPs have been written,
specifications are being finalized, Wuille and others have written implementation code,
so the first prototype has been [created]. I expect we could see this as soon as six months
from now as an implemented feature. Then we have to wait until
wallets start supporting it. It will become broadly available very
similar to how SegWit was rolled out. The next question comes from Kino, who asks about
privacy crypto in parallel to transparency crypto. “If people will have an untraceable, anonymous
cryptocurrency with a high degree of privacy, don’t we also need a traceable and transparent
cryptocurrency for states, NGOs, and politicians?” “Could you do atomic swaps between them?” That’s a really interesting question.
This is one of the big conundrums in this space. People are afraid that if you have a private and
anonymous currency, those in power will abuse it… [for] money laundering, influence
peddling, and political corruption. Of course, if you look carefully at the history
of our species and pretty much every country, the powerful already have access to [ways
of financing crime and political corruption]. It’s called banking. With the appropriate license,
you can do as much money laundering as you want. As long as regulators are well coddled
and paid off, nobody goes to jail. Political corruption happens today
with fiat currencies, very effectively. It doesn’t take an anonymous cryptocurrency
to introduce political corruption. Of course, corrupt politicians [can] use anonymous
cryptocurrencies, but so will everybody else. The masses will gain the benefit of
[financial] privacy they don’t have today. It is a strange situation where people in power,
who should be accountable, have complete secrecy, while regular people, who are either innocent or have
not been charged with any [crime], are surveilled… and have no privacy at all in financial systems. That is getting reversed with cryptocurrencies.
We will live in a world where individuals have privacy. Hopefully, those in power [won’t] have the ability
to maintain secrecy as much as they [do now]. How would you do that? It does not [require] two
cryptocurrencies, a private and transparent one. You can achieve transparency in a private
cryptocurrency by [requiring] those who… work for the state [to be] accountable
for their actions by revealing / providing… records of transactions they have done
as part of their official business. You can have transparency in a private system easily; what you can’t do easily is add privacy
on to a system that doesn’t have it. A private system can be [made] transparent,
but a transparent system can’t be private. Therefore, if we have a cryptocurrency that works
for both situations, it will be a cryptocurrency… that has privacy, and then through
legislation, policy, even constitutional law, [politicians and those with public accountability] will
[be obligated] to be transparent in their transactions. That doesn’t mean they [won’t try to] evade those rules,
do private transactions for bribery and corruption. Of course that [may] be violating the
law and you punish that accordingly. You can’t stop people from
breaking the law, with the law. Even if you have a transparent cryptocurrency, people
can choose to use the private cryptocurrency instead. You can’t force everybody to only use the transparent
cryptocurrency; that leads to totalitarian surveillance. That is something [which will] be imposed on
the least powerful, rather than the most powerful. I’m more interested in how we
gain privacy for the masses. Whether we have transparency for governments
or not is a completely different problem. It is not a technical problem, it is a political problem;
you can’t solve it just by adding a new technology.
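The two aggregation properties described in the answer above, as an added example that is not from the video or from any Bitcoin codebase: a small Python model over secp256k1 with MuSig-style key aggregation (N-of-N signers produce one ordinary Schnorr signature under an aggregate key) and weighted batch verification of many independent signatures. All function names, the hash encoding and the sample keys are my own choices for illustration; it does not follow the BIP-340/MuSig serialization or the nonce-commitment rounds of the real multi-party protocol.

```python
import hashlib, secrets

# secp256k1, the curve Bitcoin uses (real parameters, not a toy group)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                      # affine point addition; None is the point at infinity
    if A is None or B is None: return A or B
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: l = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:      l = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (l * l - A[0] - B[0]) % P
    return (x, (l * (A[0] - x) - A[1]) % P)
def mul(k, Q):                      # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R
def H(*parts):                      # Fiat-Shamir challenge, reduced mod the group order
    data = b"".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def verify(X, m, sig):              # ordinary Schnorr check: s*G == R + e*X
    R, s = sig
    return mul(s, G) == add(R, mul(H(R, X, m), X))

def musig_sign(keys, m):
    # N-of-N signing: the partial signatures add up to ONE ordinary Schnorr signature
    # under the aggregate key X. Signers are simulated in one process here; the real
    # protocol exchanges nonce commitments between parties before revealing each R_i.
    pubs = [mul(x, G) for x in keys]
    L = H(*pubs)
    coef = [H(L, Xi) for Xi in pubs]       # a_i = H(L, X_i) defeats rogue-key attacks
    X = None
    for a, Xi in zip(coef, pubs): X = add(X, mul(a, Xi))
    nonces = [secrets.randbelow(N - 1) + 1 for _ in keys]
    R = None
    for r in nonces: R = add(R, mul(r, G))
    e = H(R, X, m)                          # one challenge shared by all signers
    s = sum(r + e * a * x for r, a, x in zip(nonces, coef, keys)) % N
    return X, (R, s)
def batch_verify(items):            # items = [(X, m, (R, s)), ...]: one check for all
    z = [secrets.randbelow(N - 1) + 1 for _ in items]   # random weights stop cancellation
    lhs = mul(sum(zi * s for zi, (_, _, (_, s)) in zip(z, items)) % N, G)
    rhs = None
    for zi, (X, m, (R, s)) in zip(z, items):
        rhs = add(rhs, mul(zi, add(R, mul(H(R, X, m), X))))
    return lhs == rhs
```

A verifier that sees only `X` and `(R, s)` from `musig_sign` cannot tell whether one key or fifteen stood behind it, which is the privacy point; `batch_verify` reports only pass or fail for the whole set, so a failing batch must be re-checked signature by signature.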

37 thoughts on “Bitcoin Q&A: Schnorr signatures and the privacy roadmap”

  1. With coinjoin being cheaper than regular transactions with Schnorr sigs, will wallets implement it as the default transaction type, bringing greater privacy to all?

  2. A question about bitcoin upgrade history: were there upgrades in bitcoin that required hard forks but since there was consensus everybody upgraded and the network didn't fork? When did this happen? Is there a next one scheduled?

  3. It's quite simple, anyone who thinks there's no innovation in Bitcoin obviously doesn't watch these videos – it's their loss.

  4. You inspire me to learn more…so so so disappointed I missed you in Denver for your talk because I got in a car wreck.

  5. What operating system/s and privacy/security software/browsers/add-ons do you suggest people learn to use for maximum financial security…for instance you're obviously not a fan of solely using a windows machine 🙂 what other options do you suggest people move to to be sufficiently private/secure? Linux Mint/Ubuntu, QubesOS etc? thanks

  6. Cisco was worth half the entire .com market cap at its peak, because it enabled ‘inter connectivity’ of all internet protocols that were previously isolated on their own networks
    What coin/s (BTC?) are likely to be the coin/s that show promise as being the interconnecting coin?

  7. That's exciting stuff. One of my major problems with BTC at the moment is the lack of privacy. I can imagine there will be some resistance to this…

  8. Hi Andreas, I wanted to take a moment to let you know that you've informed not only my Bitcoin / crypto knowledge pool, but my world view in enriching, transformative ways. Using the principles of open source technology, to then extrapolate a global understanding of adversity and diversity building the most secure, robust, collaborative derivative. Thank you!

  9. Technical correction: the security of ECDSA and EC-Schnorr is based on the discrete log problem over an elliptic curve group; not the discrete log problem over a prime field.

    Schnorr signatures were claimed to be covered by U.S. Patent 4,995,082 which expired in February 2008.

    The video that Andreas mentions around 3 minutes in is .

  10. Crypto solutions for supply chains can force transparency if the end retailer demands all incoming stock to be traceable to source on the blockchain. Either as a differentiation for their customers at first or as a regulatory requirement. When the use case is established this forced transparency can be applied to other sectors of business or politics.

  11. Here is a question that I would love to hear your thoughts on, and hopefully there are more people interested to poke your brain on this one! So if you never read this, hopefully some one wants to post this question to your Q&A on patreon!

    If Bitcoin becomes widely adopted in the future, could a debate be started over code changes to introduce inflation?
    For example: They could convince a lot of people that we need inflation because a lot of coins are hoarded by a small group of people. Other arguments could be made of course, and I fear a lot of people could easily be convinced by this.

    Do you think it is likely that this will happen eventually, and what do you think the outcome would be?

    Sorry if the question is long, but this is something I think about a lot. Perhaps right now we have a fixed supply, but what if the majority of the world gets convinced that we need to change that in the future…

  12. My coverage on this:

  13. +aantonop Hi thanks for your content I have a question please take time to answer! When you say that Bitcoin can use Schnorr signatures to make multisig look like a normal public address. I don't understand how it makes Bitcoin a privacy coin. Do you mean that all transactions will be passed as multisig by wallets as a new standard? As far as I am concerned hiding multisig does not make Bitcoin a privacy coin like Monero. I've read your book for developers so don't hesitate to be very specific. Thanks a lot!

  14. Privacy is more important than scalability? Good one, block rewards halve next year… Clock's ticking. Good luck retaining miners on your shitty BTC network when rewards halve again
