Traditionally, using CHECKMULTISIG to generate n-of-n multi-signatures means publishing a proportional number of signatures and public keys on the blockchain to the signers of the transaction. Not only does this approach reveal the total number of participants in the transaction, but transaction fees become progressively higher as the number of signatories increases. MuSig, on the other hand, allows a group of users to jointly generate a single signature and public key to verify transactions, increasing privacy and lowering transaction costs for all signers involved.
When MuSig was first introduced in 2018, its main drawback compared to CHECKMULTISIG was the user experience, particularly the requirement for three-level interactive communication between signers. With the 2020 introduction of MuSig2 (BIP 327), the successor to 2018’s MuSig (also known as MuSig1), we have made significant progress in non-interactive signing, delivering a much more desirable experience.
How it works
Mirroring the functionality of previous versions, MuSig2 reduces the required communication rounds from three to two. MuSig2’s wallet setup begins with collecting all participants’ extended public keys (xpubs) and configuring each wallet’s descriptor. All of this is consistent with existing multi-signature approaches.
MuSig2 signing steps include:
- Primary Message: During wallet setup, a nonce is created, added to a PSBT (Partially Signed Bitcoin Transaction), and shared with other signers.
- Secondary message: The nonce received is used to generate a partial signature and is sent back to each of the other signers.
Instead of having each signer directly communicate their nonce and partial signature to all other signers, you can streamline the communication process by introducing a third-party coordinator.
In the signing process, each signer’s nonce consists of two elliptic curve points. These points are transferred to other signers through Partially Signed Bitcoin Transactions (PSBT). These nonces must be handled carefully to ensure the accuracy and integrity of the process, but since they are not confidential information, they do not require secure storage. If every individual’s partial signature is valid, the generated Schnorr signature is also valid.
Next steps for implementation
last month, Andy Chow We are submitting two draft BIPs: MuSig2 PSBT and MuSig2 Descriptor, steps required for MuSig2 adoption and wallet integration. The first BIP adds fields for the PSBT’s nonce, public key, and partial signature, while the second BIP provides a way to describe transaction outputs controlled by the MuSig2 wallet. These BIPs and specifications are all you need to integrate your MuSig2 wallet!
Many wallet developers and shared custody solutions have long called for standardization of the MuSig2 protocol. Now that we have a formal BIP in place, it is up to the community to review, provide feedback, and help raise awareness. Blockstream looks forward to engaging in public discussion and a formal BIP review process.
This is a guest post by Kiara Bickers. The opinions expressed are solely personal and do not necessarily reflect the opinions of BTC Inc or Bitcoin Magazine.