MuSig2: Simple Two-Round Schnorr Multi-Signatures
Tim Ruffing¹
@real_or_random
Yannick Seurin²
@yannickseurin
²ANSSI, France
¹
Multi-Signatures
- \(n\) signers produce a single signature
on a single message - classification
- multi-signatures: \(n\)-of-\(n\)
- threshold signatures: \(t\)-of-\(n\)
Multi-Signatures in Bitcoin
₿
shared ownership of Bitcoin
Applications
- secure storage of coins
- payment channels (Lightning Network)
- federated sidechains
- ...
Schnorr Signatures in Bitcoin
Schnorr signatures
multi-signatures
threshold sigs
blind signatures
...
on-chain
off-chain
- On-chain consensus layer is kept simple
- Off-chain protocols are hidden from verifiers
Multi-Signatures That Look Like Ordinary Schnorr Signatures
\(\textsf{SchnorrVerify}(pk,\textit{sig}, m)\)
ordinary Schnorr public key
obtained via non-interactive public algorithm
\(pk=\mathsf{AggKey}(pk_1, \dotsc, pk_n)\)
ordinary Schnorr signature
obtained via interactive signing protocol with
\(n\) signers
(Ordinary) Schnorr Signatures
\( \textsf{Sign}(\textit{sk} = x, \textit{pk} = g^x, m) \)
\( r \leftarrow \$ ; R = g^r \)
\( c = H(\textit{pk}, R, m) \)
\( s = x\cdot c + r \)
\( \text{return}\ (R, s) \)
\( \textsf{Verify}(\textit{pk} = X, (R, s), m) \)
\(\phantom{r \leftarrow \$; R = g^r }\)
\( c = H(\textit{pk}, R, m) \)
\(\text{return}\ g^s == X^c \cdot R \)
\(\textit{sk}=x\)
\(\textit{pk}=g^x\)
Strawman Multi-Signatures
\(pk_1\)
\(pk_2\)
\(R_1\)
\(R_2\)
\(s_1\)
\(s_2\)
\( c = H(\textit{pk}, R_1R_2, m) \)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\(pk=pk_1^{\textcolor{#00c3ff}{}{}}\cdot pk_2^{\textcolor{#00c3ff}{}{}}\)
MuSig(1)
\(pk_1\)
\(\textcolor{#cc0000}{}pk_2\)
\(R_1\)
\(R_2\)
\(s_1\)
\(s_2\)
\(\color{#00c3ff} H(R_2)\)
\( c = H(\textit{pk}, R_1R_2, m) \)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\( \color{#00c3ff} H(R_1)\)
\(pk=pk_1^{\textcolor{#00c3ff}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{a_2}}\)
\(\color{#00c3ff} a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)
[Maxwell, Poelstra, Seurin, Wuille 2018]
This Work: MuSig2
\(pk_1\)
\(pk_2\)
\(\color{#00c3ff} R_1', R_1''\)
\(\color{#00c3ff} R_2',R_2''\)
\(s_1\)
\(s_2\)
\(\color{#00c3ff} R_i=R_i'(R_i'')^b\)
\( \color{#00c3ff} b = H(\textit{pk}, R_1'R_2', R_1''R_2'', m) \)
\( c = H(\textit{pk}, R_1R_2, m) \)
\(\text{return}\ (R_1R_2,s_1+s_2)\)
\(pk=pk_1^{\textcolor{#00c3ff}{}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{}{a_2}}\)
\( a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)
Almost Non-Interactive Signing
- Why bother with 2 vs. 3 rounds if this is interactive anyway?
- First round can be performed without knowing \(m\)
- Signing effectively non-interactive
- Preshare the prenonces
- When a message to sign arrives,
signing is only round on the network
- Novelty in a DL-setting without pairings
- You (probably) can't do better without pairings (BLS)
Concurrent work:
- Komlo, Goldberg: FROST [SAC'20]
- Alper, Burdges [ePrint '20]
Every signer uses a
random linear combination of multiple pre-nonces as a nonce.
Key Technical Idea
MuSig2
- Signatures look like ordinary Schnorr signatures
- compact
- fast verification
- Very practical and simple two-round signing protcol
- First round can be precomputed without knowing \(m\)
- Signing almost non-interactive
- Concurrent security in ROM+AGM+OMDL or ROM+OMDL
- Preprint: https://eprint.iacr.org/2020/1261