I recently found myself taking a closer look at transaction validation for Bitcoin signatures. This led me to BIP-66 which declares that all signatures follow the DAS, I mean DER format. Here’s what I learned:
If that feels a little complicated and over engineered, that’s because it probably is. Some of the downfalls include excessive padding and overly long length descriptors.
And more than one person is happy to share how they really feel about the DER format.
The good news is, Schnorr signatures do not use DER! They use the signature’s raw 64 bytes (a 32 byte R value, and a 32 byte S value), allowing for a more compact and less verbose representation. Now it’s just a matter of getting Schnorr merged to Bitcoin Core (at the time of this writing, July 2020, there have been some exciting new discussions on activating Taproot/Schnorr).
Acknowledgements
It’s no secret I was inspired by Julia Evans and Amiti to create this content. Check out their work! It’s fun, educational, and easy to digest.
Shoutout to Matthew Zipkin for catching an error on the description of the first 0x30 byte, James Prestwich for providing more context around the minimal signed integer requirement for R and S, Kalle Rosenbaum and @benthecarman for pointing out that Schnorr will not use DER, and Tim Ruffing, Pieter Wuille, and Rusty Russell for giving the final say on why DER should DIE!