MuSig2 Is Ready Pending Two New BIPs: Introducing A New Era Of Multisig Privacy

Traditionally, creating an n-of-n multisig using CHECKMULTISIG means you’ll publish a proportional number of signatures and public keys on the blockchain to signers in the transaction. This approach not only reveals the total number of participants in the transaction, but also incurs progressively higher transaction fees as the number of signers grow. MuSig, on the other hand, allows a group of users to collectively generate a single signature and public key to validate a transaction, which enhances privacy and lowers the transaction costs for all the signers involved.

When MuSig was initially introduced in 2018, its main shortcoming compared to CHECKMULTISIG was user experience, specifically the requirement for three rounds of interactive communication between signers. With the introduction of MuSig2 (BIP 327) in 2020, as the successor to the 2018 MuSig (also called MuSig1), we made significant progress in non-interactive signing, bringing us a much more desired experience.

How it Works

Mirroring the functionality of its predecessor, MuSig2 reduces the required communication rounds from three to two. The wallet setup for MuSig2 begins by collecting all of the participants’ extended public keys (xpubs), and the construction of descriptors by each of the wallets, all of which is consistent with existing multisig practices.

The MuSig2 signing phase then includes:

First-Round Message: During the wallet setup, nonces are generated, added to the Partially Signed Bitcoin Transactions (PSBTs), and shared amongst the other signers.Second-Round Message: The nonces received are used to create a partial signature and are sent back to each of the other signers.

An alternative to having each signer directly communicate their nonce and partial signature to every other signer is to introduce a third-party coordinator to streamline the communication process.

In the signing process, each signer’s nonce is composed of two elliptic curve points. These points are transmitted to other signers through the Partially Signed Bitcoin Transactions (PSBTs). These nonces require careful handling for accuracy and integrity in the process, but secure storage is not necessary since they are not confidential information. If all the individuals partial signatures are valid, then the produced Schnorr signatures are valid.

Next Steps for Implementation

Last month, Andy Chow put forward two BIP drafts, MuSig2 PSBTs and MuSig2 Descriptors, which are a necessary step in MuSig2 adoption and wallet integration. The first BIP adds fields for the nonces, public keys, and partial signatures in the PSBTs, and the second BIP provides a method for describing transaction outputs that are controlled by a MuSig2 wallet. Together, these BIPs and specifications are all we need for integration of MuSig2 wallets!

Many wallet developers and collaborative custody solutions have long requested this standardization of the MuSig2 protocol. Now, with the formalized BIPs in place, it’s in the community’s hands to review, give feedback, and help raise awareness. At Blockstream, we look forward to participating in the public discussions and letting the formal BIP review process take place.

This is a guest post by Kiara Bickers. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.