Basic principles of Musig2
The multi-signature scheme enables a group of signers to generate a joint signature on a message. Musig2 is a multi-signature scheme and a new variant of the MuSig signature scheme. MuSig allows multiple signers to create an aggregate public key from their respective private keys, and then jointly create a valid signature for the public key. The aggregate public key created in this way is indistinguishable from other public keys. The original MuSig requires three rounds of signatures, but the new MuSig2 scheme implements a simple signature protocol that only requires two rounds and does not require zero-knowledge proofs. MuSig2 is a simple and highly practical two-round multi-signature scheme with advantages: i) it is secure under concurrent signing sessions, ii) supports key aggregation, iii) outputs ordinary Schnorr signatures, iv) only requires two rounds of communication , V) has signer complexity similar to ordinary Schnorr signatures. At the same time, Taproot is upgraded to be compatible with the Musig2 multi-signature scheme. In our new ChainX cross-chain scheme, the Musig2 signature scheme will be used to complete the process of aggregating signatures.
The above picture is from the original paper and describes the basic process of Musig2 signature. Musig2 signature first requires the participants to generate public and private keys through
KeyGen() and temporary public and private keys (i.e. nonce) through
Sign(). Then the first round of communication is carried out, and the temporary public key (i.e.
out_i in the figure above) is passed to others. After getting the temporary public keys of other parties, the signature fragment
out'_i can be generated through the two functions
Sign'(). Finally, the second round of communication is carried out, and the signature fragments
out'_i are passed to others. After getting the signature fragments of other parties, the final result can be generated by
σ. In the figure,
KeyAgg() represents the public key aggregation function, and
Ver represents the Musig2 signature verification function. The final form of Musig2 aggregate signature is the same as that of Schnorr's ordinary signature, which can be expressed as (R, s). The following shows part of the implementation of the rust version of Musig2.
- Generate key: Each party generates a random private key and calculates the corresponding public key
- Generate nonce: All parties generate temporary public and private keys. In the function
create_vec_from_private_key(), Musig2 will generate a temporary public and private key of
Nvfor two rounds of communication to complete the aggregation signature. The return value of the
msgcontains all the temporary public keys, which can be passed to others through the p2p network. In the code below, the process is simulated by
- Generate signature fragments: The following code uses the
sign_prime()function to complete the functions of the two functions
Sign'()in the paper. Among the parameters,
messagerepresents the message to be signed,
pksrepresents an ordered list of all public keys of each participant, and
party_indexrepresents the index of the public key of the current participant in
sign_prime()function mainly uses the
c, R, b_coefficientsaggregated by the private key
self.keypairand the temporary public key
msg_vecto generate the signature fragment
crepresents the message digest generated by hash generation by
Ris the first item of the final result of Musig2 aggregated signature, and
b_coefficientsis the coefficient for generating signature fragments. Pass the signature fragment
s_ito others through the p2p network. In the code below, the process is simulated by
- Aggregate signature fragments: After collecting signature fragments from other parties, generate the second item of the Musig2 aggregation signature through
sign_double_prime(). This function mainly accumulates signature fragments.
s_total_2represent the aggregate signature fragments generated by the participating parties. Normally, the two are the same.
The above figure shows the verification process of Musig2 through the
verify() function. In the parameter
r_x, signature corresponds to the (R, s) of the Musig2 aggregated signature,
X_tilde represents the aggregated public key, and
c is consistent with the previous text, indicating the message digest generated by the hash generated by
In general, Musig2 only needs to pass two rounds of communication to complete the process of aggregating signatures. Compared to Musig, the main difference lies in the nonce generation process. Among them, each participant of Musig2 generates multiple pairs of temporary public and private keys, while Musig only generates a pair of temporary public and private keys. This is also the fundamental reason why Musig2 only needs two rounds of communication. At the same time, Musig2 is a multi-signature scheme based on the basic principles of Schnoor signatures, which can be well compatible with Taproot upgrades and applied to our new ChainX cross-chain upgrade scheme.