Traditionally, creating an n-of-n multisignature with CHECKMULTISIG means publishing a number of signatures and public keys on the blockchain that is proportional to the number of signers of the transaction. This approach not only reveals the total number of participants in the transaction, but also results in progressively higher transaction fees as the number of signatories grows. MuSig, on the other hand, allows a group of users to collectively generate a single signature and public key to validate a transaction, improving privacy and reducing transaction costs for all signers involved.
When MuSig was initially introduced in 2018, its main shortcoming compared to CHECKMULTISIG was the user experience, specifically the requirement for three rounds of interactive communication between signers. With the introduction of MuSig2 (BIP 327) in 2020, as a successor to MuSig 2018 (also called MuSig1), we made significant progress in non-interactive signing, giving us a much more desirable experience.
How does it work
Mirroring the functionality of its predecessor, MuSig2 reduces the required communication rounds from three to two. Wallet setup for MuSig2 begins with collecting all extended public keys (xpubs) from all participants and constructing descriptors for each of the wallets, all of which is consistent with existing multi-signature practices.
The MuSig2 signing phase includes:
- First round message: During wallet setup, nonces are generated, added to Partially Signed Bitcoin Transactions (PSBT), and shared among other signers.
- Second round message: The received nonces are used to create a partial signature, which is sent to each of the other signers.
An alternative to each signer directly communicating their nonce and partial signature to all other signers is to introduce an external coordinator to streamline the communication process.
In the signing process, the nonce of each signer is composed of two elliptic curve points. These points are transmitted to other signers through partially signed Bitcoin transactions (PSBT). This data requires careful handling to ensure the accuracy and integrity of the process, but secure storage is not necessary as it is not sensitive information. If every signer's partial signature is valid, then the Schnorr signature produced from them is valid.
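The two rounds described above, as an added example that is not part of the original post and is not code from BIP 327 or any wallet: a simplified MuSig2 flow over secp256k1 in Python. It assumes a plain SHA-256 hash-to-scalar and full (x, y) points in place of BIP 327's tagged hashes and x-only key handling; all function names are hypothetical, and the keys and message are constructed.

```python
import functools, hashlib, secrets
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)
def mul(k, pt):  # double-and-add; not constant time, illustration only
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r
def H(*parts):  # simplified hash-to-scalar (assumption, not BIP 327's tagged hashes)
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % N

def key_agg(pubs):  # aggregate key X = sum(a_i * X_i), with per-key coefficients a_i
    coef = [H("agg", pubs, X) for X in pubs]
    return functools.reduce(add, (mul(a, X) for a, X in zip(coef, pubs))), coef
def nonce_gen():  # round 1: keep the scalars `sec` private, share the two points
    sec = (secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1)
    return sec, (mul(sec[0], G), mul(sec[1], G))
def session(agg, pubnonces, msg):  # every signer derives the same b, R and c
    R1, R2 = (functools.reduce(add, (n[i] for n in pubnonces)) for i in (0, 1))
    b = H("non", agg, R1, R2, msg)
    R = add(R1, mul(b, R2))
    return b, R, H("sig", agg, R, msg)
def partial_sign(x, a, sec, b, c):  # round 2; a given `sec` signs exactly once
    return (c * a * x + sec[0] + b * sec[1]) % N
def partial_verify(s, X, a, pn, b, c):  # check one signer's share before summing
    return mul(s, G) == add(add(pn[0], mul(b, pn[1])), mul(c * a % N, X))
def verify(agg, R, s, msg):  # ordinary Schnorr check against the aggregate key
    return mul(s, G) == add(R, mul(H("sig", agg, R, msg), agg))

def demo(n=3, msg="constructed sighash"):  # keys and message are constructed
    keys = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
    pubs = [mul(x, G) for x in keys]
    secs, pubn = zip(*[nonce_gen() for _ in keys])  # round 1 exchange
    agg, coef = key_agg(pubs)
    b, R, c = session(agg, pubn, msg)
    parts = [partial_sign(x, a, sec, b, c) for x, a, sec in zip(keys, coef, secs)]
    ok = all(partial_verify(*t, b, c) for t in zip(parts, pubs, coef, pubn))
    return ok, verify(agg, R, sum(parts) % N, msg)
```

`demo()` returns whether every partial signature verified and whether their sum verifies as one Schnorr signature under the aggregate key. Only the two public points from `nonce_gen()` are shared; the secret scalars behind them stay with the signer and are discarded after one signature.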
Next steps for implementation
Last month, Andy Chow presented two BIP drafts, MuSig2 PSBT and MuSig2 Descriptors, which are a necessary step in MuSig2 adoption and wallet integration. The first BIP adds fields for nonces, public keys, and partial signatures in PSBTs, and the second BIP provides a method to describe the results of transactions that are controlled by a MuSig2 wallet. Together, these BIPs and specifications are all we need for the integration of MuSig2 wallets!
Many developers of wallets and collaborative custody solutions have been requesting this standardization of the MuSig2 protocol for some time. Now, with formalized BIPs in place, it is up to the community to review them, provide feedback, and help raise awareness. At Blockstream, we look forward to participating in public discussions and allowing the formal BIP review process to take place.
This is a guest post by Kiara Bickers. The opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.