MuSig: Schnorr Multisig and signature aggregation
by achow101 on 25/01/2018, 01:38:56 UTC
Pieter Wuille, Andrew Poelstra, Greg Maxwell, and Yannick Seurin recently published a new multisignature and key aggregation scheme called MuSig. This new scheme uses Schnorr signatures.

The MuSig paper can be found here: https://eprint.iacr.org/2018/068.pdf

A high level overview of MuSig is available here: https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html



MuSig is a secure non-interactive key aggregation and multisig scheme. It builds upon the Bellare-Neven multisignature scheme, which allows for multiple public keys to be used to create just one signature. This contrasts with the traditional multisignature scheme used by Bitcoin, where there are multiple signatures.

MuSig builds upon Bellare-Neven by allowing for key aggregation. Key aggregation means that multiple public keys are combined into one public key. By combining this key aggregation scheme and the Bellare-Neven multisig scheme, MuSig allows for a multisignature spend to contain only one public key and one signature (both of which can only be constructed with the multiple parties). This means that MuSig allows for additional privacy (an outside observer only sees the one signature and combined public key, so they don't know how many people are involved and what the threshold is) and reduces the size of a multisig signature (instead of multiple public keys and multiple signatures, only the combined public key and signature are used). This reduces the size of transactions, which means that more transactions could fit into a block, thus increasing Bitcoin's capacity.

Furthermore, the multisig aspect of MuSig (aka the Bellare-Neven part) lets transactions have only one signature which verifies for all of the public keys involved in a transaction. That means that a transaction with multiple inputs will only have one signature which signs for all inputs. This further reduces the size of a transaction and allows for more transactions to fit in a block, thus increasing Bitcoin's capacity.



It is important to note that MuSig is just the signature scheme and is applicable to more things than just Bitcoin. For actual use in Bitcoin, additional changes will need to be made to support it such as new script opcodes. For that to happen, there will need to be a BIP which is several months off (perhaps a year or more away).
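
Added example, not part of achow101's post or the MuSig authors' code: a toy sketch of the key aggregation and single-signature flow the post describes, using the formulas from the linked paper (including the nonce-commitment round of its revised version). The group parameters, hash encoding, function names and secret keys are assumptions constructed for illustration, and the group is far too small for real use.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, far too small for real use): p = 2q + 1, g of order q.
P, Q, G = 2039, 1019, 4

def H(tag, *vals):
    """Domain-separated SHA-256 of the inputs, reduced into Z_q (hypothetical encoding)."""
    data = "|".join([tag, *map(str, vals)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def key_agg(pubkeys):
    """Aggregate key X = prod X_i^a_i with a_i = H(L, X_i), L = all signer keys."""
    L = sorted(pubkeys)
    coeff = {X: H("agg", *L, X) for X in L}
    X_agg = 1
    for X in L:
        X_agg = X_agg * pow(X, coeff[X], P) % P
    return X_agg, coeff

def sign(seckeys, msg):
    """Simulate every signer in one process; return (aggregate key, signature)."""
    pubkeys = [pow(G, x, P) for x in seckeys]
    X_agg, coeff = key_agg(pubkeys)
    nonces = [secrets.randbelow(Q - 1) + 1 for _ in seckeys]
    Rs = [pow(G, r, P) for r in nonces]
    commits = [H("com", R) for R in Rs]          # round 1: send hash of nonce point
    for R, t in zip(Rs, commits):                # round 2: reveal R_i, peers check it
        if H("com", R) != t:
            raise ValueError("nonce commitment mismatch")
    R = 1
    for Ri in Rs:
        R = R * Ri % P
    c = H("sig", X_agg, R, msg)
    # round 3: each signer sends s_i = r_i + c * a_i * x_i; the sum is the signature
    s = sum(r + c * coeff[X] * x for r, X, x in zip(nonces, pubkeys, seckeys)) % Q
    return X_agg, (R, s)

def verify(X_agg, msg, sig):
    """Ordinary single-key Schnorr check: g^s == R * X^c."""
    R, s = sig
    return pow(G, s, P) == R * pow(X_agg, H("sig", X_agg, R, msg), P) % P

if __name__ == "__main__":
    X, sig = sign([123, 456, 789], "pay 1 BTC")   # constructed secret keys
    print(X, sig, verify(X, "pay 1 BTC", sig))
```

The verifier sees only `X_agg` and one `(R, s)` pair, the same data as a single-signer Schnorr signature, regardless of how many keys went into `key_agg`.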