Overview
BIP-340 Schnorr signatures are used by Bitcoin Taproot (BIP-341, activated at block 709632 in November 2021) and by Nostr for event signing. Compared to ECDSA, Schnorr signatures are linear — they combine additively, which is what makes MuSig2 aggregation (BIP-327) possible — and verify against a 32-byte x-only public key instead of the 33-byte compressed form ECDSA requires.
All signing operations call secp256k1_schnorrsig_sign_custom (declared in Vendor/secp256k1/include/secp256k1_schnorrsig.h) with the default BIP-340 nonce function secp256k1_nonce_function_bip340. Verification uses secp256k1_schnorrsig_verify against the x-only public key.
Nonce Generation
BIP-340 uses a deterministic nonce derived from the private key and message hash via tagged SHA-256 (BIP0340/nonce). Unlike ECDSA’s RFC 6979 nonce, the BIP-340 scheme also mixes an auxiliary random value if one is provided, which strengthens resistance to fault-injection attacks on the signing device. The swift-secp256k1 wrapper uses the upstream default auxiliary randomness drawn from the Swift-side RNG.
X-Only Keys
Verification uses the 32-byte X-coordinate of the public key rather than the full 33-byte compressed encoding. BIP-340 defines the “implicit Y” to be the even Y-coordinate, which saves one byte on the wire and simplifies the verification equation. See P256K.Schnorr.XonlyKey for conversion to/from the full public-key forms.
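The nonce derivation and the even-Y convention from the two sections above, written out following BIP-340 as an added example in Python; it is not code from swift-secp256k1 or libsecp256k1. The helper names (tagged_hash, xonly_and_secret, bip340_nonce) are chosen here, and the curve arithmetic is not constant-time, so it is for study only.

```python
import hashlib

# secp256k1 field prime, group order and generator
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def tagged_hash(tag, data):
    # BIP-340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def add(P, Q):
    # Affine point addition; None is the point at infinity
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    if P == Q:
        lam = 3 * P[0] * P[0] * pow(2 * P[1], p - 2, p) % p
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], p - 2, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):
    # Double-and-add scalar multiplication (NOT constant-time; study only)
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def xonly_and_secret(d):
    # 32-byte x-only key, plus d negated if needed so its point has even Y
    P = mul(d, G)
    return P[0].to_bytes(32, "big"), (d if P[1] % 2 == 0 else n - d)

def bip340_nonce(d, msg, aux):
    # Returns (k, x-only R): k depends on secret, public key, message and aux
    px, d_even = xonly_and_secret(d)
    mask = tagged_hash("BIP0340/aux", aux)
    t = bytes(a ^ b for a, b in zip(d_even.to_bytes(32, "big"), mask))
    k0 = int.from_bytes(tagged_hash("BIP0340/nonce", t + px + msg), "big") % n
    if k0 == 0:
        raise ValueError("nonce is zero; signing must fail")
    R = mul(k0, G)
    return (k0 if R[1] % 2 == 0 else n - k0), R[0].to_bytes(32, "big")
```

The secrets d and n - d share one x-only key and therefore one nonce, while changing either the message or the 32-byte aux value changes k.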