Signature

Bitcoin uses ECDSA and (since Taproot) Schnorr signatures over secp256k1. A signature commits to a message under a private key; anyone with the public key can verify it. Spending a Bitcoin output means producing a signature that satisfies that output's locking script.

The message being signed is a hash of the transaction's spending fields — inputs, outputs, locktime, and some metadata. SIGHASH flags let the signer commit to subsets: SIGHASH_ALL signs everything (the default), SIGHASH_NONE lets the signer authorize spending without committing to outputs, SIGHASH_ANYONECANPAY lets others add inputs. These compose into a small but powerful policy language.

A correctly designed signature scheme is non-forgeable: without the private key, producing a valid signature for an arbitrary message is computationally infeasible. ECDSA is non-malleable only by convention (BIP-66 fixed a wider class of malleability); Schnorr is non-malleable by construction, which is one of several reasons Taproot moved to it.