Traditionally, creating an n-of-n multisig with CHECKMULTISIG means publishing a proportional number of signatures and public keys on the blockchain for signers of the transaction. This approach not only discloses the total number of participants in the transaction, but also incurs increasingly higher transaction fees as the number of signatories grows. MuSig, on the other hand, allows a group of users to jointly generate a single signature and public key to validate a transaction, increasing privacy and reducing transaction costs for all signatories involved.
When MuSig was first introduced in 2018, its main shortcoming compared to CHECKMULTISIG was the user experience, specifically the requirement for three rounds of interactive communication between signers. With the introduction of MuSig2 (BIP 327) in 2020, succeeding 2018’s MuSig (also called MuSig1), we have made significant progress in non-interactive signing, giving us a much more desirable experience.
How it works
MuSig2 mirrors the functionality of its predecessor while reducing the required communication rounds from three to two. Setting up a wallet for MuSig2 starts with collecting the extended public keys (xpubs) from all participants and having each wallet construct its descriptors, all of which is consistent with existing multisig practice.
The MuSig2 signing phase then includes:
- First round message: During wallet setup, nonces are generated, added to the partially signed Bitcoin transactions (PSBTs) and shared with the other signers.
- Second round message: The nonces received are used to create a partial signature, which is sent back to each of the other signers.
An alternative to requiring each signer to pass their nonce and partial signature directly to every other signer is to introduce an external coordinator to streamline the communication process.
During the signing process, each signer’s nonce consists of two elliptic curve points. These points are sent to the other signers via the Partially Signed Bitcoin Transactions (PSBTs). The nonces must be handled carefully, because the accuracy and integrity of the signing process depend on them, but they do not need secure storage because they are not confidential information. If every signer's partial signature is valid, the Schnorr signature produced is valid.
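The two-round flow described above, as an added example that is not code from the original article or from BIP 327: a simplified MuSig2 over secp256k1 in which the first-round message is two nonce points per signer and the second-round message is a partial signature. It assumes plain SHA-256 with ad hoc tags and full points instead of the BIP 340/327 tagged hashes, x-only keys and parity handling, so its output is not a valid Bitcoin signature; all function names are hypothetical.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def h(tag, *items):  # hash points and bytes to a scalar (assumption: plain SHA-256)
    enc = [i if isinstance(i, bytes) else b"".join(c.to_bytes(32, "big") for c in i) for i in items]
    return int.from_bytes(hashlib.sha256(tag.encode() + b"".join(enc)).digest(), "big") % N

def round1():  # first-round message; k is secret and single-use, only the two points are shared
    k = (secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1)
    return k, (mul(k[0], G), mul(k[1], G))

def session(pubs, pubnonces, msg):  # values every signer derives identically from shared data
    coefs = [h("keyagg", *pubs, X) for X in pubs]  # a_i is bound to the full key list
    agg = R1 = R2 = None
    for a, X in zip(coefs, pubs): agg = add(agg, mul(a, X))  # aggregate key X = sum a_i*X_i
    for n1, n2 in pubnonces: R1, R2 = add(R1, n1), add(R2, n2)
    b = h("noncecoef", agg, R1, R2, msg)
    R = add(R1, mul(b, R2))  # final nonce R = R1 + b*R2
    return agg, coefs, b, R, h("challenge", R, agg, msg)

def round2(x, k, i, pubs, pubnonces, msg):  # second-round message: partial signature s_i
    _, coefs, b, _, e = session(pubs, pubnonces, msg)
    return (k[0] + b * k[1] + e * coefs[i] * x) % N

def partial_ok(s, i, pubs, pubnonces, msg):  # checks s_i*G == R1_i + b*R2_i + e*a_i*X_i
    _, coefs, b, _, e = session(pubs, pubnonces, msg)
    Ri = add(pubnonces[i][0], mul(b, pubnonces[i][1]))
    return mul(s, G) == add(Ri, mul(e * coefs[i] % N, pubs[i]))

def schnorr_ok(agg, R, s, msg):  # ordinary single-key Schnorr check: s*G == R + e*X
    return mul(s, G) == add(R, mul(h("challenge", R, agg, msg), agg))
```

Summing the partial signatures modulo N gives s, and (R, s) then passes `schnorr_ok` against the aggregate key like any single-signer Schnorr signature.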
Next steps for implementation
Last month, Andy Chow presented two BIP concepts, MuSig2 PSBTs and MuSig2 Descriptors, which are a necessary step in MuSig2 adoption and wallet integration. The first BIP adds fields for the nonces, public keys, and partial signatures to PSBTs, and the second BIP provides a method for describing transaction outputs managed by a MuSig2 wallet. Together, these BIPs and specifications are all we need for MuSig2 wallet integration!
Many wallet developers and collaborative custody solutions have long requested this standardization of the MuSig2 protocol. Now that formalized BIPs are in place, it is up to the community to review them, provide feedback and help raise awareness. At Blockstream, we look forward to participating in the public discussions and allowing the formal BIP review process to take place.
This is a guest post by Kiara Bickers. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.