• \(n\) signers produce a single signature
    on a single message
  • classification
    • multi-signatures: \(n\)-of-\(n\)
    • threshold signatures: \(t\)-of-\(n\)

Multi-Signatures in Bitcoin

shared ownership of Bitcoin


  • secure storage of coins
  • payment channels (Lightning Network)
  • federated sidechains
  • ...

Schnorr Signatures in Bitcoin

Schnorr signatures


threshold sigs

blind signatures




  • On-chain consensus layer is kept simple
  • Off-chain protocols are hidden from verifiers

Multi-Signatures That Look Like Ordinary Schnorr Signatures

\(\textsf{SchnorrVerify}(pk,\textit{sig}, m)\)

ordinary Schnorr public key
obtained via non-interactive public algorithm

\(pk=\mathsf{AggKey}(pk_1, \dotsc, pk_n)\)

ordinary Schnorr signature
obtained via interactive signing protocol with
\(n\) signers

(Ordinary) Schnorr Signatures

\( \textsf{Sign}(\textit{sk} = x, \textit{pk} = g^x, m) \)

\( r \leftarrow \$ ;  R = g^r \)
\( c = H(\textit{pk}, R, m) \)
\( s = x\cdot c + r \)
\( \text{return}\ (R, s) \)

\( \textsf{Verify}(\textit{pk} = X, (R, s), m) \)

\(\phantom{r \leftarrow \$; R = g^r }\)
\( c = H(\textit{pk}, R, m) \)
\(\text{return}\ g^s == X^c \cdot R \)



Strawman Multi-Signatures







\( c = H(\textit{pk}, R_1R_2, m) \)

\(\text{return}\ (R_1R_2,s_1+s_2)\)

\(pk=pk_1^{\textcolor{#00c3ff}{}{}}\cdot pk_2^{\textcolor{#00c3ff}{}{}}\)








\(\color{#00c3ff} H(R_2)\)

\( c = H(\textit{pk}, R_1R_2, m) \)

\(\text{return}\ (R_1R_2,s_1+s_2)\)

\( \color{#00c3ff} H(R_1)\)

\(pk=pk_1^{\textcolor{#00c3ff}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{a_2}}\)

\(\color{#00c3ff} a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)

[Maxwell, Poelstra, Seurin, Wuille 2018]

This Work: MuSig2



\(\color{#00c3ff} R_1', R_1''\)

\(\color{#00c3ff} R_2',R_2''\)



\(\color{#00c3ff} R_i=R_i'(R_i'')^b\)

\( \color{#00c3ff} b = H(\textit{pk}, R_1'R_2', R_1''R_2'', m) \)

\( c = H(\textit{pk}, R_1R_2, m) \)

\(\text{return}\ (R_1R_2,s_1+s_2)\)

\(pk=pk_1^{\textcolor{#00c3ff}{}{a_1}}\cdot pk_2^{\textcolor{#00c3ff}{}{a_2}}\)

\( a_i = H(i, \textit{pk}_1, \textit{pk}_2)\)

Almost Non-Interactive Signing

  • Why bother with 2 vs. 3 rounds if this is interactive anyway?
  • First round can be performed without knowing \(m\)
  • Signing effectively non-interactive
    • Preshare the prenonces
    • When a message to sign arrives,
      signing is only round on the network
  • Novelty in a DL-setting without pairings
  • You (probably) can't do better without pairings (BLS)

Concurrent work:

  • Komlo, Goldberg: FROST [SAC'20]
  • Alper, Burdges [ePrint '20]

Every signer uses a
random linear combination of multiple pre-nonces as a nonce.

Key Technical Idea


  • Signatures look like ordinary Schnorr signatures
    • compact
    • fast verification
  • Very practical and simple two-round signing protcol
  • First round can be precomputed without knowing \(m\)
    • Signing almost non-interactive
  • Concurrent security in ROM+AGM+OMDL or ROM+OMDL
  • Preprint: