## Multi-Signatures

• $$n$$ signers produce a single signature on a single message
• classification
• multi-signatures: $$n$$-of-$$n$$
• threshold signatures: $$t$$-of-$$n$$

## Multi-Signatures in Bitcoin

shared ownership of Bitcoin

Applications

• secure storage of coins
• payment channels (Lightning Network)
• federated sidechains
• ...

## Schnorr Signatures in Bitcoin

Schnorr signatures

multi-signatures

threshold sigs

blind signatures

...

on-chain

off-chain

• On-chain consensus layer is kept simple
• Off-chain protocols are hidden from verifiers

## Multi-Signatures That Look Like Ordinary Schnorr Signatures

$$\textsf{SchnorrVerify}(pk,\textit{sig}, m)$$

ordinary Schnorr public key, obtained via non-interactive public algorithm

$$pk=\mathsf{AggKey}(pk_1, \dotsc, pk_n)$$

ordinary Schnorr signature, obtained via interactive signing protocol with $$n$$ signers

## (Ordinary) Schnorr Signatures

$$\textsf{Sign}(\textit{sk} = x, \textit{pk} = g^x, m)$$

$$r \leftarrow \ ; R = g^r$$
$$c = H(\textit{pk}, R, m)$$
$$s = x\cdot c + r$$
$$\text{return}\ (R, s)$$

$$\textsf{Verify}(\textit{pk} = X, (R, s), m)$$

$$c = H(\textit{pk}, R, m)$$
$$\text{return}\ g^s == X^c \cdot R$$

$$\textit{sk}=x$$

$$\textit{pk}=g^x$$

## Strawman Multi-Signatures

$$pk_1$$

$$pk_2$$

$$R_1$$

$$R_2$$

$$s_1$$

$$s_2$$

$$c = H(\textit{pk}, R_1R_2, m)$$

$$\text{return}\ (R_1R_2,s_1+s_2)$$

$$pk=pk_1\cdot pk_2$$

## MuSig(1)

$$pk_1$$

$$pk_2$$

$$R_1$$

$$R_2$$

$$s_1$$

$$s_2$$

$$\color{#00c3ff} H(R_2)$$

$$c = H(\textit{pk}, R_1R_2, m)$$

$$\text{return}\ (R_1R_2,s_1+s_2)$$

$$\color{#00c3ff} H(R_1)$$

$$pk=pk_1^{\textcolor{#00c3ff}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{a_2}}$$

$$\color{#00c3ff} a_i = H(i, \textit{pk}_1, \textit{pk}_2)$$

[Maxwell, Poelstra, Seurin, Wuille 2018]

## This Work: MuSig2

$$pk_1$$

$$pk_2$$

$$\color{#00c3ff} R_1', R_1''$$

$$\color{#00c3ff} R_2',R_2''$$

$$s_1$$

$$s_2$$

$$\color{#00c3ff} R_i=R_i'(R_i'')^b$$

$$\color{#00c3ff} b = H(\textit{pk}, R_1'R_2', R_1''R_2'', m)$$

$$c = H(\textit{pk}, R_1R_2, m)$$

$$\text{return}\ (R_1R_2,s_1+s_2)$$

$$pk=pk_1^{a_1}\cdot pk_2^{a_2}$$

$$a_i = H(i, \textit{pk}_1, \textit{pk}_2)$$
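The MuSig2 flow on this slide, run end to end for $$n$$ signers and checked with the ordinary Schnorr verification equation. This is an added example, not code from the paper or the authors; the toy group parameters, the hash-to-$$\mathbb{Z}_q$$ encoding with domain tags, and all function names are assumptions of the example, and each partial signature is the Schnorr equation $$s = x\cdot c + r$$ applied with key share $$a_i x_i$$ and nonce $$r_i' + b\, r_i''$$.

```python
import hashlib, secrets

# Toy group (constructed, far too small to be secure): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def H(tag, *parts):  # hash into Z_q; the tag is this example's domain separation
    data = "|".join(str(x) for x in (tag, *parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1               # sk = x
    return x, pow(G, x, P)                         # pk = g^x

def agg_key(pks):
    pk = 1
    for i, X in enumerate(pks, 1):                 # a_i = H(i, pk_1, ..., pk_n)
        pk = pk * pow(X, H("agg", i, *pks), P) % P
    return pk

def round1():
    """Round 1, no message needed. Each prenonce pair is for one session only."""
    r = (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)
    return r, (pow(G, r[0], P), pow(G, r[1], P))   # secret (r', r''), public (R', R'')

def challenge(pks, pubnonces, m):
    """Derive b, R and c from the round-1 broadcasts once m is known."""
    pk, Rp, Rpp = agg_key(pks), 1, 1
    for Ri_p, Ri_pp in pubnonces:
        Rp, Rpp = Rp * Ri_p % P, Rpp * Ri_pp % P
    b = H("non", pk, Rp, Rpp, m)
    R = Rp * pow(Rpp, b, P) % P                    # R = prod_i R_i' (R_i'')^b
    return b, R, H("sig", pk, R, m)

def round2(i, x, r, pks, pubnonces, m):
    """Round 2: s_i = a_i * x_i * c + r_i' + b * r_i'' (mod q)."""
    b, _, c = challenge(pks, pubnonces, m)
    return (H("agg", i, *pks) * x * c + r[0] + b * r[1]) % Q

def schnorr_verify(pk, sig, m):
    """Ordinary Schnorr verification: g^s == pk^c * R."""
    R, s = sig
    return pow(G, s, P) == pow(pk, H("sig", pk, R, m), P) * R % P

def musig2_demo(n, m):
    keys, nonces = [keygen() for _ in range(n)], [round1() for _ in range(n)]
    pks, pub = [X for _, X in keys], [Rs for _, Rs in nonces]
    s = sum(round2(i + 1, keys[i][0], nonces[i][0], pks, pub, m) for i in range(n)) % Q
    return agg_key(pks), (challenge(pks, pub, m)[1], s)
```

The verifier calls only `schnorr_verify` with the aggregate key and never sees the number of signers or the prenonces.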

## Almost Non-Interactive Signing

• Why bother with 2 vs. 3 rounds if this is interactive anyway?
• First round can be performed without knowing $$m$$
• Signing effectively non-interactive
• Preshare the prenonces
• When a message to sign arrives, signing is only one round on the network
• Novelty in a DL-setting without pairings
• You (probably) can't do better without pairings (BLS)

Concurrent work:

• Komlo, Goldberg: FROST [SAC'20]
• Alper, Burdges [ePrint '20]

## MuSig2

• Signatures look like ordinary Schnorr signatures
• compact
• fast verification
• Very practical and simple two-round signing protocol
• First round can be precomputed without knowing $$m$$
• Signing almost non-interactive
• Concurrent security in ROM+AGM+OMDL or ROM+OMDL
• Preprint: https://eprint.iacr.org/2020/1261

#### MuSig2: Simple Two-Round Schnorr Multi-Signatures

