Simple Schnorr multi-signatures with applications to Bitcoin

  • Gregory Maxwell
  • Andrew Poelstra
  • Yannick Seurin
  • Pieter Wuille


We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called \(\mathsf {MuSig}\), provably secure under the Discrete Logarithm assumption and in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging in the protocol). \(\mathsf {MuSig}\) improves over the state-of-the-art scheme of Bellare and Neven (ACM Conference on Computer and Communications Security-CCS 2006) and its variants by Bagherzandi et al. (ACM Conference on Computer and Communications Security-CCS 2008) and Ma et al. (Des Codes Cryptogr 54(2):121–133, 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single “aggregated” public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure under the Discrete Logarithm assumption in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin.
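Key aggregation as described above, shown as an added example that is not code from the paper or its authors: three signers produce one joint signature that an unmodified Schnorr verifier accepts under the aggregated key. The equations follow the published MuSig construction; the toy group, the hash encoding and all function names are assumptions made for this illustration.

```python
import hashlib, math, secrets

# Toy Schnorr group, constructed for illustration and far too small for real
# use: p = 2q + 1 with p, q prime; g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def H(tag, *parts):
    """Domain-separated hash into Z_q; tags stand in for H_agg, H_com, H_sig."""
    h = hashlib.sha256(tag.encode())
    for x in parts:
        h.update(b"|" + str(x).encode())
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1           # secret key in [1, q-1]
    return x, pow(G, x, P)                     # (x, X = g^x)

def key_agg(pubkeys):
    """Aggregated key X~ = prod X_i^{a_i}, where a_i = H_agg(L, X_i)."""
    L = sorted(pubkeys)                        # canonical encoding of the key set
    coeffs = [H("agg", *L, X) for X in pubkeys]
    agg = math.prod(pow(X, a, P) for X, a in zip(pubkeys, coeffs)) % P
    return agg, coeffs

def schnorr_verify(X, msg, sig):
    """Standard Schnorr check g^s == R * X^c, with c = H_sig(X, R, m)."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, H("sig", X, R, msg), P) % P

def musig_sign(secret_keys, pubkeys, msg):
    """The three signing rounds of all signers, simulated in one process."""
    agg, coeffs = key_agg(pubkeys)
    nonces = [secrets.randbelow(Q - 1) + 1 for _ in secret_keys]
    Rs = [pow(G, r, P) for r in nonces]
    commits = [H("com", Ri) for Ri in Rs]      # round 1: exchange t_i = H_com(R_i)
    for t, Ri in zip(commits, Rs):             # round 2: reveal R_i, check against t_i
        if t != H("com", Ri):
            raise ValueError("nonce commitment mismatch")
    R = math.prod(Rs) % P
    c = H("sig", agg, R, msg)
    # round 3: each signer contributes s_i = r_i + c * a_i * x_i; s is their sum
    s = sum(r + c * a * x for r, a, x in zip(nonces, coeffs, secret_keys)) % Q
    return agg, (R, s)

if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]
    X_agg, sig = musig_sign([x for x, _ in keys], [X for _, X in keys], "tx-1")
    print("verifies under aggregated key:", schnorr_verify(X_agg, "tx-1", sig))
```

The verifier never sees the individual keys or the number of signers: it receives one key and one (R, s) pair, the same size as a single-signer Schnorr signature.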


Keywords

Multi-signatures, Schnorr signatures, Key aggregation, Discrete logarithm problem, Forking lemma, Bitcoin





References

  1. Accredited Standards Committee X9. American National Standard X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) (2005).
  2. Andresen G.: M-of-N standard transactions. Bitcoin Improvement Proposal. (2011).
  3. Bagherzandi A., Cheon J.H., Stanislaw J.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM Conference on Computer and Communications Security-CCS 2008, pp. 449–458. ACM (2008).
  4. Bernstein D.J.: Multi-user Schnorr security, revisited. IACR Cryptology ePrint Archive, Report 2015/996 (2015).
  5. Bernstein D.J., Duif N., Lange T., Schwabe P., Yang B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2011, LNCS, vol. 6917, pp. 124–142. Springer, Berlin (2011).
  6. Boneh D., Gentry C., Lynn B., Shacham H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) Advances in Cryptology-EUROCRYPT 2003, LNCS, vol. 2656, pp. 416–432. Springer, Berlin (2003).
  7. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004).
  8. Boneh D., Drijvers M., Neven G.: Compact multi-signatures for smaller blockchains. In: Peyrin, T., Galbraith, S.D. (eds.) Advances in Cryptology-ASIACRYPT 2018 (Proceedings, Part II), LNCS, vol. 11273, pp. 435–464. Springer, Berlin (2018).
  9. Bellare M., Neven G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM Conference on Computer and Communications Security-CCS 2006, pp. 390–399. ACM (2006).
  10. Bellare M., Palacio A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 162–177. Springer, Berlin (2002).
  11. Bellare M., Namprempre C., Pointcheval D., Semanko M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003).
  12. Bellare M., Namprempre C., Neven G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdzinski, T., Tarlecki, A. (eds.) Automata, Languages and Programming-ICALP 2007, LNCS, vol. 4596, pp. 411–422. Springer, Berlin (2007).
  13. Boldyreva A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-Group Signature Scheme. In: Desmedt, Y. (ed.) Public Key Cryptography-PKC 2003, LNCS, vol. 2567, pp. 31–46. Springer, Berlin (2003).
  14. Certicom Research: SEC 2: recommended elliptic curve domain parameters, v2.0 (2010).
  15. Drijvers M., Edalatnejad K., Ford B., Neven G.: On the provable security of two-round multi-signatures. IACR Cryptology ePrint Archive, Report 2018/417 (2018).
  16. El Bansarkhani R., Jan S.: An efficient lattice-based multisignature scheme with applications to bitcoins. In: Foresti, S., Persiano, G. (eds.) Cryptology and Network Security-CANS 2016, LNCS, vol. 10052, pp. 140–155. Springer, Berlin (2016).
  17. Garg S., Bhaskar R., Lokam S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) Advances in Cryptology-CRYPTO 2008, LNCS, vol. 5157, pp. 93–107. Springer, Berlin (2008).
  18. Gennaro R., Goldfeder S., Narayanan A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) Applied Cryptography and Network Security-ACNS 2016, LNCS, vol. 9696, pp. 156–174. Springer, Berlin (2016).
  19. Goldfeder S., Bonneau J., Gennaro R., Narayanan A.: Escrow protocols for cryptocurrencies: how to buy physical goods using Bitcoin. In: Financial Cryptography and Data Security-FC 2017 (2017).
  20. Harn L.: Group-oriented \((t, n)\) threshold digital signature scheme and digital multisignature. IEE Proc. Comput. Digit. Tech. 141(5), 307–313 (1994).
  21. Horster P., Michels M., Petersen H.: Meta-multisignature schemes based on the discrete logarithm problem. In: IFIP/Sec ’95, IFIP Advances in Information and Communication Technology, pp. 128–142. Springer, Berlin (1995).
  22. Itakura K., Nakamura K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 1–8 (1983).
  23. Kiltz E., Masny D., Pan J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology-CRYPTO 2016 (Proceedings, Part II), LNCS, vol. 9815, pp. 33–61. Springer, Berlin (2016).
  24. Langford S.K.: Weakness in some threshold cryptosystems. In: Koblitz, N. (ed.) Advances in Cryptology-CRYPTO ’96, LNCS, vol. 1109, pp. 74–82. Springer, Berlin (1996).
  25. Li C.-M., Hwang T., Lee N.-Y.: Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders. In: De Santis, A. (ed.) Advances in Cryptology-EUROCRYPT ’94, LNCS, vol. 950, pp. 194–204. Springer, Berlin (1994).
  26. Lindell Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) Advances in Cryptology-CRYPTO 2017 (Proceedings, Part II), LNCS, vol. 10402, pp. 613–644. Springer, Berlin (2017).
  27. Lu S., Ostrovsky R., Sahai A., Shacham H., Waters B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) Advances in Cryptology-EUROCRYPT 2006, LNCS, vol. 4004, pp. 465–485. Springer, Berlin (2006).
  28. Lysyanskaya A., Micali S., Reyzin L., Shacham H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology-EUROCRYPT 2004, LNCS, vol. 3027, pp. 74–90. Springer, Berlin (2004).
  29. Ma C., Weng J., Li Y., Deng R.H.: Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr. 54(2), 121–133 (2010).
  30. MacKenzie P.D., Reiter M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 137–154. Springer, Berlin (2001).
  31. Maxwell G.: CoinJoin: Bitcoin privacy for the real world. (2013). BitcoinTalk post.
  32. Merkle R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) Advances in Cryptology-CRYPTO ’87, LNCS, vol. 293, pp. 369–378. Springer, Berlin (1987).
  33. Michels M., Horster P.: On the risk of disruption in several multiparty signature schemes. In: Kim, K., Matsumoto, T. (eds.) Advances in Cryptology-ASIACRYPT ’96, LNCS, vol. 1163, pp. 334–345. Springer, Berlin (1996).
  34. Micali S., Ohta K., Reyzin L.: Accountable-subgroup multisignatures. In: Reiter, M.K., Samarati, P. (eds.) ACM Conference on Computer and Communications Security-CCS 2001, pp. 245–254. ACM (2001).
  35. Nakamoto S.: Bitcoin: a peer-to-peer electronic cash system (2008).
  36. National Institute of Standards and Technology. FIPS 186-4: digital signature standard (DSS) (2013).
  37. Okamoto T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) Advances in Cryptology-CRYPTO ’92, LNCS, vol. 740, pp. 31–53. Springer, Berlin (1992).
  38. Ohta K., Okamoto T.: A digital multisignature scheme based on the Fiat-Shamir scheme. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) Advances in Cryptology-ASIACRYPT ’91, LNCS, vol. 739, pp. 139–148. Springer, Berlin (1991).
  39. Ohta K., Okamoto T.: Multi-signature schemes secure against active insider attacks. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E82–A(1), 21–31 (1999).
  40. Paillier P., Vergnaud D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B.K. (ed.) Advances in Cryptology-ASIACRYPT 2005, LNCS, vol. 3788, pp. 1–20. Springer, Berlin (2005).
  41. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000).
  42. Pornin T.: Deterministic usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). RFC 6979 (2013).
  43. Ristenpart T., Yilek S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) Advances in Cryptology-EUROCRYPT 2007, LNCS, vol. 4515, pp. 228–245. Springer, Berlin (2007).
  44. Schnorr C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991).
  45. Seurin Y.: On the exact security of Schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology-EUROCRYPT 2012, LNCS, vol. 7237, pp. 554–571. Springer, Berlin (2012).
  46. Syta E., Tamas I., Visher D., Wolinsky D.I., Jovanovic P., Gasser L., Gailly N., Khoffi I., Ford B.: Keeping authorities “Honest or Bust” with decentralized witness cosigning. In: IEEE Symposium on Security and Privacy, SP 2016, pp. 526–545. IEEE Computer Society (2016).
  47. Wagner D.A.: A generalized birthday problem. In: Yung, M. (ed.) Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 288–303. Springer, Berlin (2002).

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. San Francisco, USA
  2. Blockstream, Mountain View, USA
  3. ANSSI, Paris, France
