
MuSig2 Explained

Schnorr multisignatures in 2 rounds instead of 3 -> no malleability, DoS-resistant, and secure against rogue-key attacks.
If you missed the previous post about the 3-round MuSig Schnorr signature, check it out here: #1253021

Reminder: MuSig1

MuSig1 required 3 rounds of communication between signers:
  1. Share public keys
  2. Exchange nonce commitments
  3. Exchange partial signatures
➡️ MuSig2 reduces this to only 2 rounds

MuSig2 Flow

ROUND 1

Each participant i generates:
  • Private key pᵢ (public key Pᵢ = pᵢ·G)
  • Two secret nonces rᵢ′, rᵢ″
  • Nonce commitments Rᵢ′ = rᵢ′·G, Rᵢ″ = rᵢ″·G (the public nonce points)
They exchange:
  • Public keys
  • Nonce commitments
At the end of Round 1, both compute the aggregated key:
P = a₁P₁ + a₂P₂
Where a₁ and a₂ are the key-aggregation coefficients that prevent rogue-key attacks (see previous post: #1251429)

🔐 ROUND 2: Signing

The signers compute the aggregated nonce:
R₁ = R₁′ + b·R₁″
R₂ = R₂′ + b·R₂″
R = R₁ + R₂
Where the coefficient b is: b = H(P || R′ || R″ || m)
Here R′ = R₁′ + R₂′ and R″ = R₁″ + R₂″ are the sums of everyone's first and second nonce commitments, so R = R′ + b·R″ and every signer derives the same b from public data only.

❓ Why do we use b and two nonces?

Answer:
The hash coefficient b prevents a signer from cheating by changing their nonce after seeing others’.
Because b depends on all public nonces + the message, any modification breaks the final signature.
In short:
  • 2 nonces = protection against nonce tampering
  • b = binds all signers to their nonce choice (via hashing)

Now each signer creates their partial signature:
s₁ = r₁′ + b·r₁″ + H·a₁p₁
s₂ = r₂′ + b·r₂″ + H·a₂p₂
Where H is the challenge hash over the aggregated nonce R, the aggregated key P and the message m (the same H used in verification below).
Final sig: (R, s = s₁ + s₂)

✅ Verification

s·G = R + H·P
If this holds → signature valid.
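The two rounds above carried out end to end on secp256k1, as an added example that is not code from the original post: it simulates all signers in one process, and it assumes aᵢ = H(L || Pᵢ) for the rogue-key coefficients and H(R || P || m) for the challenge, using plain SHA-256 rather than the tagged hashes and nonce encodings of the BIP-327 wire format.

```python
import hashlib, secrets
# secp256k1 parameters (the curve used by Bitcoin)
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):
    """Affine point addition; None stands for the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    if P == Q: lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, p) % p
    else:      lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def enc(P): return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")
def H(*parts): return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % n

def musig2_sign(privs, m):
    """Simulate every signer locally; returns the aggregate key P and signature (R, s)."""
    pubs = [mul(x, G) for x in privs]
    # Round 1: each signer shares its public key and two nonce points R'_i, R''_i
    L = b"".join(enc(Pi) for Pi in pubs)
    a = [H(L, enc(Pi)) for Pi in pubs]              # assumed rogue-key coefficients a_i = H(L || P_i)
    P = None
    for ai, Pi in zip(a, pubs): P = add(P, mul(ai, Pi))   # P = a1*P1 + a2*P2 + ...
    r1 = [secrets.randbelow(n - 1) + 1 for _ in privs]
    r2 = [secrets.randbelow(n - 1) + 1 for _ in privs]
    R1, R2 = [mul(r, G) for r in r1], [mul(r, G) for r in r2]
    # Round 2: sum the nonce points, derive b from public data only, then sign
    Rp = Rpp = None
    for A, B in zip(R1, R2): Rp, Rpp = add(Rp, A), add(Rpp, B)
    b = H(enc(P), enc(Rp), enc(Rpp), m)             # b = H(P || R' || R'' || m)
    R = add(Rp, mul(b, Rpp))                         # R = R' + b*R''
    c = H(enc(R), enc(P), m)                         # assumed challenge H(R || P || m)
    s = sum(r1[i] + b * r2[i] + c * a[i] * privs[i] for i in range(len(privs))) % n
    return P, R, s

def verify(P, R, s, m):
    """Plain Schnorr check s*G == R + H(R||P||m)*P against the aggregate key."""
    return mul(s, G) == add(R, mul(H(enc(R), enc(P), m), P))
```

Because b and the challenge are both computed from the summed nonce points, the resulting (R, s) verifies exactly like a single-key Schnorr signature against P.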

TLDR

MuSig2 keeps the security of MuSig1, but reduces interaction from 3 rounds → 2 rounds.

How feasible is it to do this with hardware signers?