What are the differences between the two Bitcoin aggregate signature schemes, MuSig and MuSig2?

The Taproot upgrade in 2021 brought greater privacy, scalability, and composability to the Bitcoin network, so more and more people have become interested in MuSig, a multi-signature scheme that uses the Schnorr digital signature algorithm to aggregate public keys and signatures.

MuSig allows a group to collectively own some Bitcoin and create a single signature to authorize a payment. Due to MuSig's innovative key aggregation feature, this signature is a regular Schnorr signature that can be processed by Bitcoin once Taproot is activated. When used to create multi-signature wallets, MuSig reduces transaction fees and increases privacy compared to traditional n-of-n multisig using the CHECKMULTISIG opcode, which requires n public keys and n ECDSA signatures on the blockchain.

1. Multi-signature scheme

A multi-signature scheme is a combination of signing and verification algorithms in which multiple signers (each with their own private/public key pair) jointly sign a message, resulting in a single signature. This single signature can then be verified by anyone who knows the message and the signers' public keys. Note that in the context of Bitcoin, the term "multisig" usually refers to a k-of-n policy, where k may be different from n. In cryptography, multi-signatures strictly cover only n-of-n policies, although k-of-n can easily be constructed on top of the n-of-n case.

2. MuSig

MuSig is a multi-signature scheme that applies the Schnorr digital signature algorithm to aggregate public keys and signatures. MuSig allows multiple users to use their respective private keys to create a combined public key that is the same size as, and indistinguishable from, any other Schnorr public key, including the public key of a single user. It further describes how the users who created that public key can jointly and securely create a signature corresponding to it. Like the public key, this signature is no different from any other Schnorr signature. Compared to traditional script-based multisig, MuSig uses less block space and offers better privacy, but it may also require more interactivity between participants.

3. MuSig supports key aggregation

MuSig supports key aggregation. Key aggregation means that the multi-signatures look like single-key signatures, but are made with respect to an aggregated public key that is a function of only the participants' public keys. Therefore, the verifier does not need to know the public keys of the original participants, but only needs to be given the aggregated key. MuSig can generate short, fixed-size signatures that look the same to the verifier no matter how many signers there are or how they sign. In blockchain systems, verification efficiency is the most important factor, and there is no need to provide more details about the signers to the verifier unless more security is really needed. One obvious benefit of doing this is that it can improve privacy because it can hide the information of specific signers. Therefore, MuSig is actually a key aggregation scheme for Schnorr signatures.

4. MuSig has provable security in the plain public-key model

MuSig has provable security in the plain public-key model. There are already many multi-signature schemes that provide key aggregation for Schnorr signatures, but they have some limitations, such as the need to verify that the participants actually hold the private key corresponding to the public key they claim to have. MuSig can be proven secure without such restrictions: in the plain public-key model, participants only need to provide their public keys. This means that signers can use ordinary key pairs to participate in multi-signatures without providing any information about the specific way these keys are produced and controlled. In some Bitcoin usage scenarios, individual signers have different and limited key management policies, which makes it difficult to obtain information about key generation; not requiring it also greatly enhances user privacy.

5. MuSig interaction issues

These advantages come with some drawbacks. One of the more obvious is that MuSig requires more interaction between signers. More precisely, creating a signature requires three rounds of communication, each of which consists of messages passed back and forth. The following figure shows the process of three rounds of communication. You can imagine that one signer is a desktop wallet and the other is a Blockstream Green co-signer, or that the signers share a Lightning channel that they are trying to close.

In contrast, wallets using CHECKMULTISIG require only one round of communication: they receive a transaction and return a signature. For example, if a payment is forwarded in the Lightning Network using MuSig, privacy will be improved, but payment times will be significantly longer. This problem becomes more severe as communication latency increases. A MuSig signing device stored in a safe requires its owner to access it twice before creating a signature.

6. MuSig2

As the name implies, MuSig2 is the successor to MuSig. It provides the same functionality and security as MuSig, but eliminates almost all interactions between signers. With MuSig2, signers only need two rounds of communication to create a signature, and crucially, one of the rounds can be pre-processed before the signers know the message they want to sign. Once there is a message to sign, for example a Bitcoin transaction, the process is the same as with current CHECKMULTISIG-based wallets: transmit the transaction to the signer, and then receive a signed reply. MuSig2 retains the simplicity and efficiency of MuSig, adding only a small amount of additional computation.

7. Concurrent Session Security

MuSig2 is secure under concurrent sessions. In MuSig, each signer creates one nonce R_i; in MuSig2, each signer creates two nonces R_i,1 and R_i,2 and sends them to the other signers in the first round, effectively replacing the previous nonce R_i with a random linear combination R_i = R_i,1 + b*R_i,2. The coefficient b is the output of a hash function applied to all signers' nonces, the aggregated public key, and the message. As with MuSig, the aggregate nonce is R = R_1 + ... + R_n. If any signer changes any of their nonces, every other signer will use a different, random linear combination of their two nonces. This avoids attacks discovered on other two-round multi-signature schemes.
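
The nonce combination described above, carried through to a full signature, as an added example that is not part of the original article or of any wallet's code. It simulates all signers in one process on secp256k1, uses the hashed key-aggregation coefficients from the MuSig design, and makes simplifying assumptions: the hash encoding and the helper names (`add`, `mul`, `H`, `musig2_sign`, `schnorr_verify`) are illustrative and not the BIP 327 wire format.

```python
import hashlib
from functools import reduce

# secp256k1 field prime, group order and generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def H(*parts):  # simplified hash-to-scalar (assumption: repr() as the encoding)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def musig2_sign(secs, nonce_secs, msg):
    """secs: private keys x_i; nonce_secs: secret nonce pairs (r_i1, r_i2)."""
    pubs = [mul(x, G) for x in secs]
    a = [H("agg", pubs, Xi) for Xi in pubs]              # key-aggregation coefficients
    X = reduce(add, (mul(ai, Xi) for ai, Xi in zip(a, pubs)))
    pairs = [(mul(r1, G), mul(r2, G)) for r1, r2 in nonce_secs]  # round 1 messages
    b = H("nonce", pairs, X, msg)      # binds all nonces, aggregate key and message
    R = reduce(add, (add(R1, mul(b, R2)) for R1, R2 in pairs))   # sum of R_i,1 + b*R_i,2
    c = H("chal", R, X, msg)
    s = sum(r1 + b * r2 + c * ai * x                     # round 2: partial signatures
            for (r1, r2), ai, x in zip(nonce_secs, a, secs)) % N
    return X, R, s, b

def schnorr_verify(X, msg, R, s):  # ordinary single-key check: s*G == R + c*X
    return mul(s, G) == add(R, mul(H("chal", R, X, msg), X))

if __name__ == "__main__":  # constructed toy keys; real nonces must be fresh and random
    X, R, s, b = musig2_sign([11, 22, 33], [(101, 102), (201, 202), (301, 302)], b"tx")
    print(schnorr_verify(X, b"tx", R, s))
```

The verifier sees only the aggregate key X and one (R, s) pair, and changing any single nonce changes b for every signer.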

Summary

With MuSig2, some protocols will benefit greatly, such as "scriptless script Lightning" and threshold signatures. Among other applications of decentralized multi-signatures, the BTC Layer2 project BEVM is also one of the typical representatives.

In the BEVM system, each validator holds a BTC private key for Schnorr signatures, and uses the characteristics of Schnorr signatures to achieve efficient signature aggregation, thereby improving the security and efficiency of the system. BEVM uses MuSig2 aggregate multi-signature technology to allow BTC to cross-chain to BTC Layer2, and the entire process is completely decentralized. In addition, the project also integrates technologies such as Bitcoin light nodes to ensure a trustless and secure environment.

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.