
Schnorr signature

A Schnorr signature is a digital signature scheme invented by mathematician and cryptographer Claus-Peter Schnorr in 1989, designed for efficient identification and signing on resource-constrained devices like smart cards. The scheme was patented, limiting its adoption until the patent expired in 2008. It operates in a group where the discrete logarithm problem is hard, typically using a large prime p with a subgroup of prime order q (around 140-256 bits), and a generator α such that α^q ≡ 1 (mod p). The scheme produces compact signatures of approximately 212 bits, roughly half the length of comparable or Fiat-Shamir signatures, through a mechanism derived from an interactive identification protocol. Its security relies on the intractability of computing discrete logarithms, ensuring that forging a signature is computationally infeasible without the private key.

The Schnorr scheme's key innovation lies in its preprocessing step, which randomizes and precomputes exponentiations during idle time, reducing signature generation to about 12 modular multiplications, a minimal computational overhead suitable for low-power hardware. This efficiency, combined with linear properties allowing signature aggregation (where multiple signatures can be combined into one without revealing individual signers), makes it particularly advantageous over earlier schemes like or ECDSA, which lack native aggregation support. Unlike malleable signatures in ECDSA, Schnorr signatures are non-malleable, preventing unauthorized alterations that could lead to transaction malleability issues in contexts. These features enable enhanced privacy through techniques like multi-signature aggregation, where a single signature verifies multiple keys as if from one, obscuring the number of signers involved.

In modern applications, Schnorr signatures have gained prominence in protocols, notably Bitcoin's Taproot upgrade. Standardized in Bitcoin Improvement Proposal (BIP) 340 for 64-byte signatures over the secp256k1 curve, they were activated alongside BIPs 341 and 342 at block height 709,632 on November 14, 2021. This integration improves Bitcoin's scalability, privacy, and efficiency by enabling more complex smart contracts with reduced on-chain data and better Schnorr-based multisig support, without altering the network's consensus rules in a hard fork. Beyond Bitcoin, variants of Schnorr signatures appear in other blockchains and privacy-focused systems, such as threshold signatures for distributed , underscoring their role in advancing secure, efficient digital .

Introduction

Overview

A Schnorr signature is a digital signature scheme based on the hardness of the discrete logarithm problem in a cyclic group of prime order, where a signer proves knowledge of a secret key corresponding to a public key without revealing it. The scheme produces compact signatures typically in the form of a pair (r, s), or variants such as (R, e, s), consisting of a commitment and a response value derived via a hash function applied to the message and public elements. This construction leverages the Fiat-Shamir heuristic to transform an interactive identification protocol into a non-interactive signature, ensuring properties like completeness, soundness, and zero-knowledge.

Key advantages of Schnorr signatures include their non-malleability, which prevents unauthorized modification of valid signatures, and their algebraic linearity, enabling efficient aggregation of multiple signatures into a single compact one without interactive proofs. They offer superior efficiency in both signature size (often around 64 bytes for elliptic curve variants providing 128-bit security) and computational cost, requiring only one for signing and two for verification, outperforming in speed and ECDSA in simplicity. This linearity also facilitates batch verification of multiple signatures and threshold schemes, where t-out-of-n parties can collaboratively generate a signature indistinguishable from an individual one.

In comparison to the Elliptic Curve Digital Signature Algorithm (ECDSA), Schnorr signatures support more straightforward threshold and multi-party protocols due to their additive structure, avoiding ECDSA's complexities in nonce management and malleability issues. Named after cryptographer Claus Schnorr, the scheme was first detailed in his 1989 U.S. patent application, granted as U.S. Patent 4,995,082 in 1991, which covered methods for identification and signature generation and expired on February 19, 2008, allowing widespread adoption thereafter.

History

The Schnorr signature scheme was developed by German mathematician and cryptographer Claus-Peter Schnorr during the late 1980s as part of research into efficient authentication and methods suitable for resource-constrained devices like smart cards. It was first publicly detailed in his seminal paper, "Efficient Identification and Signatures for Smart Cards," presented at the CRYPTO '89 conference and published in the proceedings in 1990. This work introduced a probabilistic identification protocol based on the discrete logarithm problem, which was transformed into a signature scheme using the Fiat-Shamir heuristic, offering advantages in computational efficiency and short signature lengths compared to contemporaries like .

Schnorr filed a U.S. patent application for the scheme on February 9, 1989 (application number 07/308,813), which was granted as U.S. Patent 4,995,082 on February 19, 1991, covering methods for subscriber identification and signature generation/verification in data exchange systems. The patent, held by Public Key Partners under exclusive license, restricted royalty-free implementation until its expiration on February 19, 2008 (under the pre-1995 U.S. patent term of 17 years from issuance). During the patent period, the scheme influenced the U.S. National Institute of Standards and Technology's (NIST) development of the Digital Signature Standard (DSS) proposed in 1991; however, to avoid potential infringement claims (Schnorr had asserted that the initial DSS design overlapped with his patented method), NIST modified the algorithm into the Digital Signature Algorithm (DSA), which was finalized in FIPS PUB 186 in 1994.

In the post-patent era, Schnorr signatures saw broader standardization and adaptation. They were incorporated into the ISO/IEC 14888 series, with discrete logarithm-based mechanisms including Schnorr variants specified in Part 3 (certificate-based digital signatures with appendix) starting from the 1998 edition. The 2000s marked a rise in elliptic curve adaptations, driven by the adoption of elliptic curve cryptography (ECC) for its superior efficiency; standards like the BSI's Guideline TR-03111 (first issued in 2007 as version 1.00 and updated including in 2009 and 2012) defined EC-Schnorr signatures, influencing protocols in smart cards and secure communications.

A significant modern adoption milestone came with the Bitcoin network's Taproot soft fork upgrade, activated on November 14, 2021, at block height 709,632. This integrated Schnorr signatures via BIP-340 (defining the signature format), BIP-341 (Taproot transactions), and BIP-342 (opcodes), enabling key aggregation and more efficient, privacy-preserving multi-signature transactions without altering the network's security model.

Mathematical Background

Discrete Logarithm Problem

The Discrete Logarithm Problem (DLP) is the core computational hardness assumption underpinning the security of Schnorr signatures, providing the necessary for and signature operations in group-based cryptography. Formally, in a cyclic group G of prime order q with generator g, the DLP is defined as follows: given g, y = g^x \mod p (or the group operation in general), and q, compute the integer x \in \{0, 1, \dots, q-1\}. This problem is believed to be intractable, ensuring that private keys remain hidden from public keys while allowing efficient verification of exponentiations. In the original Schnorr scheme, the DLP is instantiated over the multiplicative group \mathbb{Z}_p^* of a finite field, where p is a large prime and q divides p-1, with g (denoted \alpha in the paper) having order q.

The computational difficulty of the DLP stems from the absence of any known polynomial-time algorithm to solve it in general cyclic groups of prime order, particularly when the group order q is sufficiently large. Generic algorithms, such as the baby-step giant-step or Pollard's rho methods, require O(\sqrt{q}) time and space, which is exponential in the bit length of q. Subexponential attacks, like the index calculus, exist for the DLP in finite fields \mathbb{Z}_p^*, achieving running times of the form L_p[1/2, c] = \exp(c (\log p)^{1/2} (\log \log p)^{1/2}) for some constant c, but these rely on the field's and do not generalize efficiently to other groups. In contrast, no subexponential algorithms are known for the elliptic curve discrete logarithm problem (ECDLP) in groups of the form E(\mathbb{F}_p), where E is an elliptic curve over a finite field \mathbb{F}_p, due to the lack of a comparable smooth factorization or embedding into a that index calculus exploits.

Originally proposed over \mathbb{Z}_p^* for efficiency on smart cards with parameters like 512-bit p and 140-bit q, modern Schnorr implementations favor elliptic curve groups, such as secp256k1, which offer smaller key sizes (e.g., 256-bit public keys) while maintaining equivalent security, as the ECDLP resists the subexponential attacks applicable to finite fields. The security parameter for the DLP in these contexts is tied to the bit length of q, the group order. For 128-bit security against generic attacks (and higher against specialized ones in finite fields), q is chosen to be approximately 2^{256}, as in secp256k1 where the order n is a 256-bit prime, ensuring that exhaustive search or square-root attacks require about 2^{128} operations. This level balances computational efficiency with cryptographic strength, making Schnorr signatures practical for applications like transactions.

Fiat-Shamir Transform

The Schnorr identification protocol is an interactive three-move allowing a prover to demonstrate knowledge of a secret without revealing it. The prover, holding private key x and corresponding public key y = g^x \mod p where g generates a subgroup of order q in the multiplicative group modulo prime p, selects a random k \in \{1, \dots, q-1\} and computes the commitment r = g^k \mod p, which is sent to the verifier. The verifier then responds with a random challenge e \in \{0, 1, \dots, 2^t - 1\} for some security parameter t. Upon receiving e, the prover computes and sends the response s = k + x e \mod q. Finally, the verifier accepts the proof if g^s \equiv r y^e \pmod{p}.

The Fiat-Shamir heuristic, introduced in , transforms this interactive protocol into a non-interactive signature scheme by replacing the verifier's random challenge with a deterministic value derived from a hash function. Specifically, the prover selects random k, computes r = g^k \mod p, sets e = H(r || M) where H is a hash function and M is the message to be signed, then computes s = k + x e \mod q; the signature consists of the pair (e, s). Verification recomputes r' = g^s y^{-e} \pmod{p} and accepts if e = H(r' || M). This heuristic applies generally to public-coin interactive proofs like Schnorr's, enabling efficient non-interactive versions suitable for digital signatures.

The security of the resulting Schnorr signature scheme relies on modeling the hash function H as a random oracle, which allows for a reduction from the scheme's unforgeability to the hardness of the discrete logarithm problem (DLP) in the underlying group. Under this model, the scheme is provably secure against existential forgery under chosen-message attacks if the original identification protocol is honest-verifier zero-knowledge, statistically sound, and secure against passive impersonation.

Core Algorithm

Parameters and Notation

The Schnorr signature scheme operates over a cyclic group G of prime order q, generated by an element g \in G with |G| = q. A secure hash function H: \{0,1\}^* \to \mathbb{Z}_q is also required, which maps arbitrary strings to elements in \mathbb{Z}_q and must be collision-resistant to ensure . Standard notation includes the private key x \in \mathbb{Z}_q, from which the public key is derived as y = g^x. Some variants, such as those used in certain implementations, define the public key as y = g^{-x} to facilitate batch verification or other optimizations. The message to be signed is denoted M; the nonce (ephemeral secret) is k \in \mathbb{Z}_q; the commitment is r = g^k; the challenge is e = H(r \| M); and the response is s = k + x e \pmod{q}. The scheme's security relies on the hardness of the discrete logarithm problem (DLP) in G.

Originally defined over multiplicative subgroups of finite fields \mathbb{Z}_p^*, modern deployments of Schnorr signatures predominantly use elliptic curve groups for efficiency, as they provide comparable security with smaller key sizes. A prominent example is the secp256k1 curve employed in Bitcoin, defined over the prime field \mathbb{F}_p where p = 2^{256} - 2^{32} - 977, with curve equation y^2 = x^3 + 7 (i.e., a = 0, b = 7), prime order q \approx 2^{256}, and generator g at coordinates (x_G, y_G) = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8). For 128-bit security against DLP attacks, the subgroup order must satisfy q \geq 2^{256}, ensuring that exhaustive search or requires approximately 2^{128} operations.

Key Generation

In the Schnorr signature scheme, the key generation process begins with selecting the private key x, which is chosen uniformly at random from the set \mathbb{Z}_q^*, where q is a large prime denoting the order of the cyclic subgroup generated by the base point g in a group of prime order q (with cofactor 1). This ensures the private key's randomness and security against attacks. The public key y is then computed as y = g^x, typically using efficient algorithms such as binary to perform the scalar multiplication in the underlying group (e.g., modular exponentiation in \mathbb{Z}_p^* or point multiplication on an elliptic curve).

For practical implementations on elliptic curves like secp256k1, the private key x is a 256-bit scalar, and the resulting public key y is an elliptic curve point that can be represented in 512 bits (uncompressed affine coordinates) or up to 1024 bits depending on encoding and security parameters, though compressed forms are often used to reduce size. In such systems, the computation of y = x \cdot G (where G is the standard base point) leverages optimized arithmetic for efficiency. Deterministic variants of key generation exist as an optional approach, deriving the private key from a using methods like those in RFC 6979 to ensure reproducibility without relying on runtime randomness.

Signing Process

The signing process in the Schnorr signature scheme generates a signature for a given message M using the signer's private key x \in \mathbb{Z}_q and a fresh nonce, producing a compact pair that can later be verified against the corresponding public key y = g^x. To create the signature \sigma = (r, s), the signer follows these steps:
  1. Select a random nonce k \in \mathbb{Z}_q^*, which must be chosen uniformly at random and uniquely for each signature to ensure .
  2. Compute the commitment r = g^k, where g is the generator of the subgroup of order q.
  3. Calculate the challenge e = H(r \parallel M), where H is a hash function mapping to \mathbb{Z}_q and \parallel denotes concatenation (typically, r is serialized as a point on the curve).
  4. Compute the response s = k + x \cdot e \mod q. This equation binds the nonce to the message via the private key, ensuring the signature's authenticity.
The resulting \sigma = (r, s) is the pair of values output by the algorithm. In common implementations using the secp256k1 curve (where points are 32 bytes and scalars are 32 bytes), the signature size is typically 64 bytes (32 bytes for r and 32 bytes for s).

Verification Process

The verification process confirms the validity of a Schnorr signature \sigma = (r, s) on a message M using the corresponding public key y = g^x, where g is a generator of a subgroup of order q, without disclosing the private key x. The verifier first recomputes the challenge value e' = H(r \parallel M), where H is a cryptographic hash function mapping to \{0, 1\}^{t} with t bits (typically 256 in modern implementations), and \parallel denotes concatenation. The verifier then checks whether the equation g^{s} = r \cdot y^{e'} holds (using the group operation). If the equality is satisfied, the signature is accepted as authentic; otherwise, it is rejected.

This verification equation arises directly from the signing construction, where r = g^{k} for a random nonce k \in \mathbb{Z}_{q} and s = k + x e \pmod{q} with e = H(r \parallel M), implying g^{s} = g^{k + x e} = g^{k} \cdot (g^{x})^{e} = r \cdot y^{e}.

In elliptic curve cryptography (ECC) adaptations, such as those over the secp256k1 curve, the verification uses point operations: given public key point P = x G (with G the base point) and signature components (R, s) where R is a point, compute e' = H(R \parallel M) (note: some variants like BIP340 include the public key as H(R \parallel P \parallel M) for key binding) and check s G = R + e' P. This replaces modular exponentiation with scalar multiplication and point addition, maintaining equivalent security under the elliptic curve discrete logarithm problem.

The process is efficient, requiring approximately one full exponentiation (or two scalar multiplications in ECC) per signature, along with a hash computation and a few modular operations, which is faster than many alternatives like due to the structure of the discrete logarithm problem.

Schnorr signatures also enable batch verification of multiple signatures (r_i, s_i) on messages M_i with public keys y_i, by randomly weighting the equations with coefficients a_i and aggregating them into a single check g^{\sum_i a_i s_i} \stackrel{?}{=} \prod_i (r_i \cdot y_i^{e_i'})^{a_i} (or equivalent in ), leveraging the additive of the group to verify u signatures in roughly the cost of two exponentiations plus linear overhead, providing probabilistic against invalid batches.

Security Analysis

Correctness Proof

The correctness of the Schnorr signature scheme ensures that any signature generated according to the signing algorithm will verify successfully under the verification algorithm. Consider a signature (r, s) produced honestly for a message M using private key x and corresponding public key y = g^x, where g is a generator of the group. The signer selects a random k, computes r = g^k, derives the challenge e = H(r \parallel M) (with H denoting the hash function), and sets s = k + x e \mod q, where q is the order of the group. During verification, the receiver computes g^s \mod p and checks if it equals r \cdot y^e \mod p, while also recomputing e' = H(r \parallel M). Substituting the expression for s yields:

\begin{align*}
g^s &= g^{k + x e} \\
    &= g^k \cdot g^{x e} \\
    &= r \cdot (g^x)^e \\
    &= r \cdot y^e,
\end{align*}

so the equality holds. Furthermore, since e' is computed using the same hash inputs as e, it follows that e' = e by the determinism of the hash function. Thus, the verification equation is satisfied if and only if the signature components are correctly formed from an honest signing process, with no false positives arising solely from hash collisions (which are negligible under standard hash assumptions).

Security Reduction

The Schnorr signature scheme is existentially unforgeable under chosen-message attacks (EUF-CMA) in the random oracle model, assuming the hardness of the discrete logarithm problem (DLP). This security property ensures that no probabilistic polynomial-time adversary, given access to a signing oracle, can produce a valid signature on a new message with non-negligible probability. The proof proceeds via a reduction from the EUF-CMA security of Schnorr signatures to the DLP, leveraging the Fiat-Shamir transform applied to the underlying honest-verifier zero-knowledge identification protocol.

The Fiat-Shamir heuristic converts the interactive zero-knowledge protocol into a non-interactive signature by replacing the verifier's challenge with a hash of the commitment and message. In the random oracle model, formalized by Bellare and Rogaway, the hash function is idealized as a random oracle that produces uniformly random outputs for distinct inputs while remaining consistent for repeated queries. The security argument employs a forking lemma: upon a successful forgery, a simulator rewinds the adversary and forks the execution by querying the oracle differently to obtain two transcripts with the same commitment but distinct challenges, from which the secret key can be extracted as the solution to the DLP. This reduction is tight, incurring only an O(1) factor in the loss relative to the number of signing queries, ensuring that the scheme inherits the full hardness of the DLP (for instance, approximately 128 bits of security for parameters resistant to known attacks).

Nonce Reuse Risks

In the Schnorr signature scheme, the nonce k, a secret random value generated during the signing process, must be unique and unpredictable for each signature to maintain security. If the same k is reused across two signatures on different messages M and M', resulting in distinct challenges e \neq e', an attacker can recover the signer's private key x through simple algebra. Specifically, from the equations s = k + e x \mod q and s' = k + e' x \mod q, subtracting yields s - s' = x (e - e') \mod q, so x = (s - s') (e - e')^{-1} \mod q. This nonce reuse attack leads to complete compromise of the private key, enabling an adversary to forge signatures on any message, far beyond mere existential forgery.

A historical parallel occurred in 2010 with the Sony PlayStation 3, where nonce reuse in an ECDSA implementation (structurally similar to Schnorr) allowed hackers to extract Sony's private signing key, compromising verification and enabling unauthorized code execution. The same vulnerability would arise in Schnorr implementations lacking proper nonce generation.

To mitigate these risks, implementations must generate k using a cryptographically secure random number generator that ensures high entropy and uniqueness. As an alternative, deterministic nonce generation, which derives k pseudorandomly from the private key and message via HMAC-based methods, as specified in RFC 6979 and adapted for Schnorr, prevents reuse while eliminating reliance on system randomness.
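A signer-side audit for the failure described above, as an added example that is not taken from any library: it groups a signature log by commitment, flags any commitment used on two different messages, and confirms the exposure with the recovery formula from the text. Assumptions: SHA-256 for H, the secp256k1 group order as q, a simplified HMAC nonce derivation in place of the full RFC 6979 procedure, and a constructed sample signer whose commitment bytes stand in for the serialized point; all names are illustrative.

```python
import hashlib
import hmac
from collections import defaultdict

# Order of the secp256k1 group; every scalar below lives in Z_N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def challenge(R, msg):
    """e = H(R || M) reduced mod N; R is the serialized commitment."""
    return int.from_bytes(hashlib.sha256(R + msg).digest(), "big") % N


def recover_key(sig_a, sig_b):
    """x = (s - s') * (e - e')^-1 mod N for two signatures sharing R."""
    (R, s1, m1), (_, s2, m2) = sig_a, sig_b
    de = (challenge(R, m1) - challenge(R, m2)) % N
    if de == 0:
        return None                      # identical challenge: nothing leaks
    return (s1 - s2) * pow(de, N - 2, N) % N


def audit(log):
    """log: iterable of (R, s, msg) made with one key. Returns a list of
    (R, exposed_key) for every commitment used on two different messages.
    Re-signing the same message with the same nonce is not flagged."""
    by_commitment = defaultdict(list)
    for entry in log:
        by_commitment[entry[0]].append(entry)
    findings = []
    for R, sigs in by_commitment.items():
        first = sigs[0]
        other = next((s for s in sigs if s[2] != first[2]), None)
        if other is not None:
            findings.append((R, recover_key(first, other)))
    return findings


def derive_nonce(x, msg):
    """Deterministic nonce k = HMAC-SHA256(x, M) mapped into [1, N-1].
    Simplified stand-in for the full RFC 6979 procedure."""
    mac = hmac.new(x.to_bytes(32, "big"), msg, hashlib.sha256).digest()
    return 1 + int.from_bytes(mac, "big") % (N - 1)


def sample_sign(x, msg, k):
    """Constructed signer for the sample log. R is a hash of k standing in
    for serialize(k*G): equal nonces give equal R, which is all the audit
    relies on, since it never performs group operations."""
    R = hashlib.sha256(b"commitment:" + k.to_bytes(32, "big")).digest()
    return R, (k + challenge(R, msg) * x) % N, msg
```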

Variants and Extensions

Shortened Signatures

Standard Schnorr signatures consist of two components: a point R on the curve (typically represented by its x-coordinate, approximately \log q bits) and a scalar s (also \log q bits), resulting in a total size of approximately 2 \log q bits, such as 512 bits for a 256-bit group order q. To reduce this size, shortened variants truncate the challenge value e, which is derived from the hash H(R \| m), to t bits where t < \log q, yielding signatures of size roughly t + \log q bits.

In the shortened scheme, the signing process samples e from the first t bits of the hash output, effectively truncating H(R \| m) to t bits and interpreting it as an integer in \{0, 1, \dots, 2^t - 1\}, which is then used in the scalar computation s = k - e \cdot sk \mod q. Verification proceeds similarly to the standard scheme: compute R' = g^s \cdot y^{e} \mod p, then check if \operatorname{trunc}_t(H(R' \| m)) = e, where \operatorname{trunc}_t denotes truncation to t bits. This adjustment maintains compatibility with the core signing process while halving the hash component's size.

Security proofs for these shortened signatures rely on the random oracle model and weaker properties, such as random-prefix preimage resistance, rather than full collision resistance. For instance, a 384-bit signature (128-bit e plus 256-bit s) can achieve 128-bit security when using a 256-bit , though the proof introduces a minor security loss factor due to the , resulting in a forgery advantage bound of approximately O(q_s^2 / q) + \epsilon_{rpp}, where q_s is the number of signing queries and \epsilon_{rpp} is the preimage advantage. More precisely, Neven, Smart, and Warinschi recommend a group order q with bit length \log_2 q \geq 3b for b-bit security to account for the quadratic loss in the reduction, ensuring the overall security level remains b bits despite the truncation.

The primary trade-off is a slightly elevated probability compared to full-length hashes, stemming from the reduced entropy in e, which could enable attacks if the hash lacks additional properties like second-preimage resistance. Nonetheless, this approach is practical for resource-constrained devices, such as sensors, where and limitations prioritize smaller signatures over marginal overheads, provided the underlying hash function meets the required resistances.

Multi-Signature Protocols

Schnorr signatures possess a linearity property in their structure, where the signature component s = k + x e (with k as the nonce, x as the private key, and e as the challenge) allows for homomorphic addition across multiple parties. Specifically, for a group of signers with private keys x_i and nonces k_i, a combined signature s' = \sum k_i + (\sum x_i) e can be computed, corresponding to a shared public key y = \sum y_i where y_i = g^{x_i} for generator g. This property underpins multi-signature protocols by enabling the aggregation of individual contributions into a single, compact signature indistinguishable from a standard Schnorr signature.

The MuSig protocol, introduced in 2018, leverages this to construct an n-of-n multi-signature scheme requiring all signers to participate. It operates in two interactive rounds: a first round for commitments and a second for partial signature shares, which are combined into a final signature verifiable against the aggregated public key. With pre-processing of nonces, MuSig can achieve one-round signing, reducing communication overhead. A variant adapted for Bitcoin's BIP-340 Schnorr signatures is standardized in BIP-327, supporting key tweaking for hierarchical deterministic wallets and integration with Taproot outputs.

To address limitations in the original MuSig, such as vulnerability to certain concurrent attacks, MuSig2 was proposed in 2020 as an efficient two-round n-of-n scheme with provable security in the random oracle model under the one-more discrete logarithm assumption. It maintains the same signature size and key aggregation benefits while simplifying computations and eliminating the need for proofs of possession in .

For general settings where only t-out-of-n signers are required, the FROST protocol, also from 2020, extends Schnorr linearity using additive secret sharing and a two-round (or one-round with pre-processing) design that minimizes bandwidth and protects against rogue-key and forgery attacks. FROST employs Lagrange interpolation for partial signature combination and includes mechanisms to identify and exclude malicious participants during signing. FROST was standardized as RFC 9591 in June 2024.

These multi-signature protocols offer key advantages, including a constant signature size regardless of the number of signers (matching that of a single signature) and enhanced privacy through key aggregation, which hides individual public keys from the verifier and prevents linkage to specific signers. This linearity-based aggregation also supports multi-signer shortening, as explored in signature optimization techniques.

Applications

Blockchain Integration

Schnorr signatures were integrated into Bitcoin through the Taproot upgrade, activated in November 2021, via Bitcoin Improvement Proposal 340 (BIP-340), which standardizes 64-byte Schnorr signatures over the secp256k1 curve previously used for ECDSA. This upgrade enables key aggregation, where multiple public keys in Merkleized Abstract Syntax Trees (MAST) scripts can be combined into a single aggregated key, allowing complex scripts to appear as simple single-signature spends. By facilitating signature aggregation, Taproot reduces the size of transactions involving multisignatures or scripts by up to 30% compared to ECDSA-based equivalents, optimizing block space and lowering fees.

A key advantage of Schnorr signatures in this context is their inherent non-malleability, which prevents unauthorized alterations to signatures, a weakness in ECDSA that could lead to transaction replacement or denial-of-service attacks. Taproot further enhances privacy by committing to structures under a single Schnorr public key, concealing the underlying script complexity and making multisignature or conditional transactions indistinguishable from simple payments on the blockchain.

Beyond Bitcoin, Schnorr signatures have been adopted in other UTXO-based blockchains, such as Litecoin's Mimblewimble Extension Blocks (MWEB) upgrade in May 2022, which supports Schnorr for confidential transactions to improve and while coexisting with the main . In Ethereum, which primarily uses account-based models, Schnorr signatures remain under exploration through recent research on efficient multi-signature implementations (as of 2025), though no core protocol integration has occurred. By late 2025, Schnorr signatures have also seen adoption in Cardano for efficient threshold signing in decentralized applications, enhancing interoperability with UTXO models. Generally, Schnorr's linearity allows for batch verification of multiple signatures in UTXO systems, reducing computational overhead during block validation by verifying aggregates in constant time relative to the number of inputs.

Since the 2021 activation, Schnorr signatures via Taproot have seen growing adoption in Bitcoin, particularly for DeFi applications involving multisignature wallets, with protocols like Flexible Round-Optimized Schnorr Threshold (FROST) enabling private multisig setups on Bitcoin by 2025. This has facilitated efficient threshold schemes in DeFi, such as those requested for enhanced privacy in cross-chain wallets, contributing to broader use in institutional and contexts.

Software Implementations

Libsodium, a modern and easy-to-use cryptographic library written in C and serving as a successor to NaCl, provides support for elliptic curve cryptography (ECC) Schnorr signatures through its implementation of the Ed25519 variant. This enables developers to perform signing and verification operations with high performance and constant-time guarantees to mitigate side-channel attacks.

OpenSSL version 3.0 and later, a widely used open-source C library for SSL/TLS and general cryptography released starting in 2021 with major updates post-2022, allows Schnorr signatures via its extensible provider architecture, where third-party modules can implement custom schemes including secp256k1-based variants. This flexibility supports integration in applications requiring Schnorr without native core implementation, though providers like those for Bitcoin's BIP-340 must be loaded separately.

Bouncy Castle, a comprehensive Java cryptographic library, supports Schnorr-based EdDSA signatures over curves like Ed25519 through its provider classes and low-level API, with ongoing development for additional variants such as secp256k1-based Schnorr signatures. Developers can generate keys, sign messages, and verify signatures using classes like SchnorrDigestSigner for efficient implementation in enterprise and blockchain applications.

Key standards formalizing Schnorr signatures include RFC 8032, published in 2017 by the IETF, which defines the Edwards-Curve Digital Signature Algorithm (EdDSA) as a Schnorr variant optimized for twisted Edwards curves like Ed25519 and Ed448, emphasizing security against side-channel attacks and small key/signature sizes. Additionally, Bitcoin Improvement Proposal 340 (BIP-340), finalized in 2021, specifies a 64-byte Schnorr signature scheme over the secp256k1 curve tailored for Bitcoin, enabling non-malleable signatures and efficient batch verification.

Hardware support for Schnorr signatures is available in Trusted Platform Modules (TPMs) , introduced in 2014 by the Trusted Computing Group, which includes a flexible signing primitive capable of producing EC Schnorr signatures alongside other schemes like ECDSA, ensuring secure key storage and operation within tamper-resistant hardware. Secure enclaves such as Intel's Software Guard Extensions (SGX) facilitate protected generation for Schnorr signing by isolating and ephemeral key computations from the host OS, reducing risks of leakage in multi-tenant environments. By 2025, Schnorr signatures have seen integration into for FIDO2 authentication at level 3 certification, where compatible authenticators support variants for phishing-resistant, passwordless logins, enhancing web security with hardware-bound keys and efficient signature verification.