TECHNICAL_DOC // CRYPTOGRAPHY / MUSIG2
MUSIG2
MuSig2 is a multi-party Schnorr signature scheme that aggregates multiple
signers' public keys and partial signatures into a single key and single 64-byte signature.
On-chain, an n-of-n MuSig2 multisig is completely indistinguishable from a single-key
transaction. It is specified in BIP 327 and enabled by Taproot's Schnorr signatures.
KEY_AGGREGATION
THREE SIGNERS — KEY AGGREGATION
Signer 1: private key x1, public key P1 = x1×G
Signer 2: private key x2, public key P2 = x2×G
Signer 3: private key x3, public key P3 = x3×G
Key aggregation coefficient (prevents rogue key attack):
a1 = H(L || P1) where L = H(P1 || P2 || P3)
a2 = H(L || P2)
a3 = H(L || P3)
Aggregate public key:
P_agg = a1×P1 + a2×P2 + a3×P3
P_agg appears on-chain as a single P2TR key.
Observers cannot tell 1 signer vs N signers from the address.
SIGNING — 2 ROUNDS
2-ROUND SIGNING PROTOCOL
Round 1 — Nonce commitment:
Each signer generates 2 nonce pairs (r1i, r2i) → publishes R1i, R2i
(Two nonces per signer prevent Wagner's algorithm attacks)
Round 2 — Partial signature:
Aggregate nonce: R = R1_agg + b×R2_agg (b = H(R1_agg||R2_agg||P_agg||msg))
Each signer computes: si = ri + ai×xi×challenge
Aggregate signature: s = Σsi (mod n)
Final signature: (R, s) ← standard 64-byte Schnorr signature
Indistinguishable from single-key Schnorr on-chain
MUSIG2_VS_LEGACY_MULTISIG
LEGACY OP_CHECKMULTISIG
2-of-3 multisig: 3 public keys + 2 signatures on-chain.
~300 bytes. Reveals N signers, reveals M threshold.
Everyone can see it's a multisig.
MUSIG2 (TAPROOT)
n-of-n aggregate: 1 public key + 1 signature on-chain.
64 bytes. Indistinguishable from single-key.
Maximum privacy.
MuSig2 vs FROST — Threshold Signatures
COMPARISON
MuSig2 requires ALL n signers to participate (n-of-n). FROST (Flexible Round-Optimized Schnorr Threshold) allows t-of-n threshold signing.
MuSig2:
Scheme: n-of-n (all signers must participate)
Rounds: 2 rounds of communication
BIP: BIP 327
Use: Collaborative custody, Lightning channel funding
FROST:
Scheme: t-of-n (any t of n signers can sign)
Rounds: 2 rounds (same as MuSig2)
BIP: BIP 340-compatible (no dedicated BIP yet)
Use: Distributed key management, corporate treasury
Both produce a single Schnorr signature — identical on-chain appearance.
TERMINOLOGY_INDEX
MuSig2
n-of-n Schnorr key and signature aggregation scheme. Produces single on-chain signature. Specified in BIP 327.
Key Aggregation
Combining multiple public keys into a single aggregate key via weighted elliptic curve point addition.
Rogue Key Attack
A malicious signer claiming a public key designed to cancel out honest signers' keys. Prevented by key aggregation coefficients.
FROST
Flexible Round-Optimized Schnorr Threshold scheme. Enables t-of-n threshold Schnorr signatures.
BIP 327
The BIP specifying the MuSig2 protocol for multi-party Schnorr key and signature aggregation.
INTERACTIVE — TRY IT YOURSELF
SCHNORR / MUSIG2
MuSig2
MuSig2 (BIP327) is a 2-round multi-signature protocol where n signers each hold a private key and together produce a single Schnorr signature valid for their aggregated public key. On-chain it looks identical to a single-signer Schnorr transaction — no multisig script, no extra data. The two rounds are: nonce-commitment-musig2-round-1/">nonce commitment exchange, then partial signature exchange.
PROTOCOL OVERVIEW
MuSig2 is designed to eliminate the need for a third round by having each signer contribute two nonces. The key insight is the key aggregation step, which prevents rogue-key attacks by hashing all keys together.
PHASE 0 — KEY AGGREGATION (one-time setup)
1.
Each signer i has private key
x_i and public key P_i = x_i · G.2.
Compute key list hash:
L = H(P_1 || P_2 || … || P_n)3.
Compute coefficient for each signer:
a_i = H(L || P_i)4.
Aggregate key:
P_agg = a_1·P_1 + a_2·P_2 + … + a_n·P_n5.
If P_agg has odd y, negate all coefficients (BIP340 even-y requirement).
PHASE 1 — NONCE GENERATION & EXCHANGE (round 1)
1.
Each signer generates two secret nonces:
(r_i1, r_i2).2.
Each signer computes two public nonces:
R_i1 = r_i1·G, R_i2 = r_i2·G.3.
Signers exchange
(R_i1, R_i2) pairs (public nonce commitments).PHASE 2 — SIGNING (round 2)
1.
Aggregate nonces:
R_1 = Σ R_i1, R_2 = Σ R_i22.
Compute binding factor:
b = H(R_1 || R_2 || P_agg || msg)3.
Final nonce:
R = R_1 + b·R_2 (if R has odd y, negate both)4.
Challenge:
e = H_BIP340(R_x || P_agg_x || msg)5.
Each signer:
s_i = r_i1 + b·r_i2 + e·a_i·x_i (mod n)6.
Aggregate:
s = Σ s_i (mod n)7.
Final signature:
(R_x, s) — 64 bytes, standard BIP340 Schnorr.Security: The binding factor
b prevents Wagner's algorithm attack. The key aggregation with coefficients a_i prevents rogue-key attacks. Two nonces per signer (instead of one) eliminate the need for round 1 commitment proofs, making MuSig2 truly 2-round.KEY AGGREGATION DEMO
AGGREGATE N PUBKEYS → MUSIG2 KEYuses simplified MuSig2 hash
FULL 2-ROUND SIGNING DEMO
2-PARTY MUSIG2 SIGNINGsimplified — educational only
MUSIG2 VS ALTERNATIVES
| SCHEME | ROUNDS | ON-CHAIN SIZE | NOTES |
|---|---|---|---|
| OP_CHECKMULTISIG | 1 | m sigs + n pubkeys | reveals m, n on-chain; higher fees |
| MuSig1 | 3 | 64 bytes | requires commitment round to avoid Wagner attack |
| MuSig2 | 2 | 64 bytes | two nonces eliminate commitment round; BIP327 |
| FROST | 2 | 64 bytes | threshold t-of-n (not all-of-n); requires DKG |