MuSig - Max Fang's Notes

# MuSig ## General ### Notes from Signatures panel in [[Bitcoin 2022]] - FFull aggregation - Interactive - Open problem preserving the properties of multiple signatures - Half-aggregation - Aggregate half of the signatures - Non-interactive - Frost: threshold signatures on top of [[Schnorr Signatures|Schnorr]] - To keep people from stealing the group secret once coming together to reform the eg 2-of-3 secret share, each participant generates a partial signature based on their secret share, which can be aggregated together to form the combined signature. ## [MuSig: A New Multisignature Standard](https://blog.blockstream.com/en-musig-a-new-multisignature-standard/) Blog post by [[Andrew Poelstra]] for [[Blockstream]] on [[2019-02-18]] ## [Musig2: Multisig with Schnorr](https://popeller.io/schnorr-musig2) Good high-level explanation with illustrations - Musig allows creating a shared public key that looks indistinguishable from other 1-of-1 transactions - Musig + Schnorr allows for signature aggregation which allows for space savings - Single signature multiple outputs requires [[Taproot]] ## [MuSig2: Simple Two-Round Schnorr Multisignatures](https://medium.com/blockstream/musig2-simple-two-round-schnorr-multisignatures-bf9582e99295) *An update to our [[Taproot]]-compatible multisignature scheme* By [[Jonas Nick]] and [[Tim Ruffing]] at [[Blockstream]], [[2020-11-04]] ### Main points - Implemented in [[secp256k1]] - https://github.com/ElementsProject/secp256k1-zkp/blob/master/include/secp256k1_musig.h - Improves over MuSig1 by making the signing process non-interactive ### Enables - [[Scriptless Script Lightning]] - [[Threshold Signatures]] ### MuSig-DN A few weeks ago, we discussed [MuSig-DN](https://medium.com/blockstream/musig-dn-schnorr-multisignatures-with-verifiably-deterministic-nonces-27424b5df9d6), which is also a two-round protocol but uses zero-knowledge proofs that are very complex compared to the simplicity of MuSig2. The advantage of MuSig-DN is its support for deterministic nonces, which avoids the need to keep state between signing sessions and rounds. ![[Screen Shot 2022-01-20 at 6.02.19 PM.png]] This raises the question of which scheme to use in a given application. The table above demonstrates that there is no reason to prefer MuSig1 over MuSig2. In practice, we expect that most applications will choose MuSig2 over MuSig-DN because simplicity is a dominant factor for adoption. This is especially true when creating interoperable implementations since all signers must agree on using the same protocol. Moreover, support for non-interactive signing increases usability significantly. On the other hand, if open signing sessions need to be stored on a persistent medium, the statelessness property of MuSig-DN is beneficial. To demonstrate the risk with MuSig2 in that scenario, imagine we perform the following sequence of events: 1. Start a MuSig2 signing session. 2. Save the session to a hard drive. 3. Perform a hard drive backup. 4. Finish the signing session. 5. Restore the backup. 6. Complete the session again. The result is that we create two signatures with the same nonce, which can be used to steal our secret key. Therefore, implementers of MuSig2 must be careful and make sure that the above scenario can not occur. In contrast, MuSig-DN is robust against this attack.