Blockstream announced on their blog a paper they published, introducing MuSig a multi-signature scheme based on Schnorr signatures.

While this work is a result of our research into Schnorr signatures for Bitcoin, MuSig is a cryptographic construction that may be useful for other applications. The paper and this post primarily discuss the cryptographic properties of MuSig, and aren’t directly a proposal for Bitcoin.

MuSig is a multi-signature scheme based on Schnorr signatures, it has two versions, the three-round MuSig that relies on Discrete Logarithm DL assumption, which is also used in ECDSA that is used in Bicoin, and the two-round MuSig that relies on the stronger One-More Discrete Logarithm OMDL assumption, a multi-signature jointly signs a single message by multiple users and users who wish to verify the message can do so by knowing the message and the public key of the signers.

There is also key aggregations, this means that instead of having public keys of all signers sent, a key is aggregated by applying a function to all the signer’s keys and then this key is used for all verificiation, this leads to better privacy as the public keys of the signers are no longer exposed and leads to better performance as well as the number of public keys sent is always reduced to one. MuSig is a key aggregation scheme for Schnorr signatures.

The most interesting use case for MuSig in Bitcoin is as a more efficient replacement for the multisig scripts, having one signature per transaction input, a key aggregations scheme allows us to reduce the public keys per input to one, this decreases the size of the chain, increases the validation speed and leads to more privacy. An even more interesting case is that we can get one signature for the entire transaction through an aggregate signature scheme.