MuSig2: Simple Two-Round Schnorr Multi-Signatures

Multi-Signatures

• $n$ signers produce a single signature
  on a single message
• classification
  • multi-signatures: $n$-of-$n$
  • threshold signatures: $t$-of-$n$

Multi-Signatures in Bitcoin

₿

shared ownership of Bitcoin

Schnorr Signatures in Bitcoin

Multi-Signatures That Look Like Ordinary Schnorr Signatures

$\textsf{SchnorrVerify}(pk,\textit{sig}, m)$

(Ordinary) Schnorr Signatures

Strawman Multi-Signatures

$pk_1$

$pk_2$

$pk=pk_1^{\textcolor{#00c3ff}{}{}}\cdot pk_2^{\textcolor{#00c3ff}{}{}}$

MuSig(1)

$pk_1$

$\textcolor{#cc0000}{}pk_2$

$R_1$

$R_2$

$s_1$

$s_2$

$c = H(\textit{pk}, R_1R_2, m)$

$\text{return}\ (R_1R_2,s_1+s_2)$

$pk=pk_1^{\textcolor{#00c3ff}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{a_2}}$

$\color{#00c3ff} a_i = H(i, \textit{pk}_1, \textit{pk}_2)$

[Maxwell, Poelstra, Seurin, Wuille 2018]

This Work: MuSig2

$pk_1$

$pk_2$

$pk=pk_1^{\textcolor{#00c3ff}{}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{}{a_2}}$

$a_i = H(i, \textit{pk}_1, \textit{pk}_2)$

Almost Non-Interactive Signing

• Why bother with 2 vs. 3 rounds if this is interactive anyway?
• First round can be performed without knowing $m$
• Signing effectively non-interactive
  • Preshare the prenonces
  • When a message to sign arrives,
    signing is only round on the network
• Novelty in a DL-setting without pairings
• You (probably) can't do better without pairings (BLS)

Every signer uses a
random linear combination of multiple pre-nonces as a nonce.
 

Key Technical Idea

MuSig2

• Signatures look like ordinary Schnorr signatures
  • compact
  • fast verification
• Very practical and simple two-round signing protcol
• First round can be precomputed without knowing $m$
  • Signing almost non-interactive
• Concurrent security in ROM+AGM+OMDL or ROM+OMDL
• Preprint: https://eprint.iacr.org/2020/1261