MuSig

MuSig is a protocol for aggregating public keys and signatures for the schnorr digital signature algorithm.

MuSig allows multiple users each with their own private key to create a combined public key that’s indistinguishable from any other schnorr pubkey, including being the same size as a single-user pubkey. It further describes how the users who created the pubkey can work together to securely create a multisignature corresponding to the pubkey. Like the pubkey, the signature is indistinguishable from any other schnorr signature.

Compared to traditional script-based multisig, MuSig uses less block space and is more private, but it also requires more interactivity between the participants. As of August 2021, there are three protocols in the MuSig family:

• ● MuSig (also called MuSig1), which should be simple to implement but which requires three rounds of communication during the signing process.

• ● MuSig2, also simple to implement. It eliminates one round of communication and allows another round to be combined with key exchange. That can allow using a somewhat similar signing process to what we use today with script-based multisig. This does require storing extra data and being very careful about ensuring your signing software or hardware can’t be tricked into unknowingly repeating part of the signing session.

• ● MuSig-DN (Deterministic Nonce), significantly more complex to implement. Its communication between participants can’t be combined with key exchange, but it has the advantage that it’s not vulnerable to the repeated session attack.

Primary code and documentation

• MuSig paper
• MuSig2 paper
• MuSig-DN paper
• Original MuSig2 implementation (experimental)
• MuSig2 implementation in Libsecp256k1

Optech newsletter and website mentions

2024

• Libsecp256k1 adds MuSig2 BIP340-compatible multisig as specified in BIP327
• BIPs 328, 390, and 373 added with specifications for MuSig2 key derivation, descriptors, and PSBTs
• PSBTs for multiple concurrent MuSig2 signing sessions

2023

• Proposed BIP for MuSig2 fields in PSBTs
• LND #7994 adds RPC support for remote signing with the MuSig2 protocol
• LND #7904 adds experimental support for taproot channels based on MuSig2
• Field Report: Implementing MuSig2 by Brandon Black from BitGo
• Discussion about blind MuSig2 signing for statechains
• Taproot and MuSig2 LN channels
• Munstr wallet performing MuSig2 communication using the nostr protocol
• Lightning Lab’s Loop now uses MuSig2 by default for lower fees and improved privacy
• BIPs #1372 assigns BIP327 to the MuSig2 protocol for creating multisignatures
• LND #7171 upgrades the signrpc RPC to support the latest draft BIP for MuSig2

2022

• 2022 year-in-review: MuSig2
• Disclosure of security vulnerability in MuSig2 as described in a draft BIP
• Discussion about designing LN upgrades to support recursive MuSig2
• MuSig2 implementation notes
• LND #6361 adds support for MuSig2 signing
• Proposed BIP for MuSig2
• Proposal to use MuSig2 in the LN gossip protocol

2021

• Summary of LN developer conference, including discussion of MuSig2
• Overview of MuSig1, MuSig2, and MuSig-DN
• Benchmark: 1 million signers with MuSig

2020

• 2020 year in review: MuSig2
• MuSig2 paper published
• Presentations and discussions about musig-style multiparty signatures

2019

• Composable MuSig—concerns about safely using signer sub-groups
• MuSig and attacks based on Wagner’s algorithm
• Schnorr signatures and musig
• LN gossip update proposal to use MuSig
• Breaking Bitcoin presentation: secure protocols on bip-taproot
• Optech executive briefing: the next soft fork
• Extensions to PSBTs to help make them compatible with advanced protocols
• Libsecp256k1-zkp supports MuSig key and signature aggregation

2018

• 2018 year-in-review: publication of MuSig protocol
• BLS signatures based on the MuSig construction

See also

• Scriptless multisignatures

• Schnorr signatures

  
  

Previous Topic:
Scriptless multisignatures

Next Topic:
Offers

Edit page
Report Issue