ECDSA (Elliptic Curve Digital Signature Algorithm)

ECDSA is Bitcoin's original digital signature scheme. It's how the network has verified, since 2009, that the person spending a UTXO is the one who actually controls the private key it was sent to.

The mechanism is built on the secp256k1 elliptic curve. Roughly:

1. A signer with private key k produces a signature (r, s) that depends on k, the message being signed, and a randomly-chosen nonce.
2. Anyone with the corresponding public key can verify the signature is mathematically consistent - meaning whoever signed must have known k.
3. The verifier learns nothing about k in the process.

Production ECDSA implementations also have to follow strict constant-time discipline: the modular multiplication step in signing leaks key bits through timing if implemented naively. Bitcoin Core's libsecp256k1 is one of the more carefully-engineered constant-time signers in production cryptography.

ECDSA works, but it has some annoyances:

• Signature malleability. A given signature (r, s) can be trivially massaged into (r, n - s), where n is the curve order. Both verify against the same key for the same message. This caused real headaches for transaction-ID stability and was partly fixed by SegWit.
• No native aggregation. Five cosigners on a multisig output produce five separate signatures, each occupying space on-chain. There's no clean way to compress them.
• Slightly awkward proofs. Provable security results for ECDSA are messier than for Schnorr.

Schnorr signatures, activated with Taproot in November 2021, address all three issues. ECDSA is still used for legacy address types (P2PKH, P2SH, P2WPKH, P2WSH) and remains the most-tested signature scheme in production Bitcoin. New Taproot outputs use Schnorr by default.

ECDSA's security rests on the elliptic-curve discrete logarithm problem being computationally hard. That assumption is broken by Shor's algorithm on a sufficiently powerful quantum computer. See Post-Quantum Bitcoin for the migration framework.