Multi-Signatures

• \(n\) signers produce a single signature
  on a single message
• classification
  • multi-signatures: \(n\)-of-\(n\)
  • threshold signatures: \(t\)-of-\(n\)

Multi-Signatures in Bitcoin

₿

shared ownership of Bitcoin

Schnorr Signatures in Bitcoin

Multi-Signatures That Look Like Ordinary Schnorr Signatures

\(\textsf{SchnorrVerify}(pk,\textit{sig}, m)\)

(Ordinary) Schnorr Signatures

Strawman Multi-Signatures

\(pk_1\)

\(pk_2\)

\(pk=pk_1^{\textcolor{#00c3ff}{}{}}\cdot pk_2^{\textcolor{#00c3ff}{}{}}\)

MuSig(1)

\(pk_1\)

\(\textcolor{#cc0000}{}pk_2\)

\(R_1\)

\(R_2\)

\(s_1\)

\(s_2\)

\( c = H(\textit{pk}, R_1R_2, m) \)

\(\text{return}\ (R_1R_2,s_1+s_2)\)

\(pk=pk_1^{\textcolor{#00c3ff}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{a_2}}\)

\(\color{#00c3ff} a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)

[Maxwell, Poelstra, Seurin, Wuille 2018]

This Work: MuSig2

\(pk_1\)

\(pk_2\)

\(pk=pk_1^{\textcolor{#00c3ff}{}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{}{a_2}}\)

\( a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)

Almost Non-Interactive Signing

• Why bother with 2 vs. 3 rounds if this is interactive anyway?
• First round can be performed without knowing \(m\)
• Signing effectively non-interactive
  • Preshare the prenonces
  • When a message to sign arrives,
    signing is only round on the network
• Novelty in a DL-setting without pairings
• You (probably) can't do better without pairings (BLS)

Every signer uses a
random linear combination of multiple pre-nonces as a nonce.
 

Key Technical Idea

MuSig2

• Signatures look like ordinary Schnorr signatures
  • compact
  • fast verification
• Very practical and simple two-round signing protcol
• First round can be precomputed without knowing \(m\)
  • Signing almost non-interactive
• Concurrent security in ROM+AGM+OMDL or ROM+OMDL
• Preprint: https://eprint.iacr.org/2020/1261