MuSig2 Explained
Schnorr multisignatures in 2 rounds instead of 3 -> no malleability, DoS-resistant, and secure against rogue-key attacks.
If you missed the previous post about the 3-round MuSig Schnorr signature, check it out here: #1253021
Reminder: MuSig1
MuSig1 required 3 rounds of communication between signers:
- Share public keys
- Exchange nonce commitments
- Exchange partial signatures
➡️ MuSig2 reduces this to only 2 rounds
MuSig2 Flow
ROUND 1
Each participant generates:
- Private key p
- Two nonces r′, r″
- Nonce commitments R′, R″
They exchange:
- Public keys
- Nonce commitments
At the end of Round 1, both compute:
P = a₁P₁ + a₂P₂
Where a₁ and a₂ prevent rogue-key attacks (see previous post: #1251429)
🔐 ROUND 2: Signing
The signers compute the aggregated nonce:
R₁ = R₁′ + b·R₁″
R₂ = R₂′ + b·R₂″
R = R₁ + R₂
Where the coefficient b is:
b = H(P || R′ || R″ || m)
Here R′ = R₁′ + R₂′ and R″ = R₁″ + R₂″ are the sums of all signers' first and second nonces, so R = R′ + b·R″.
❓ Why do we use b and two nonces?
Answer:
The hash coefficient b prevents a signer from cheating by changing their nonce after seeing others’.
Because b depends on all public nonces + the message, any modification breaks the final signature.
In short:
- 2 nonces = protection against nonce tampering
- b binds all signers to their nonce choice (via hashing)
Now each signer creates their partial signature:
s₁ = r₁′ + b·r₁″ + H·a₁p₁
s₂ = r₂′ + b·r₂″ + H·a₂p₂
Where H is the Schnorr challenge hash over R, P and the message m.
Final sig: (R, s = s₁ + s₂)
✅ Verification
sG = R + H·P
If this holds → signature valid.
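The complete two-signer flow above (key aggregation with a₁, a₂; the two nonces and the binding coefficient b; partial signatures; verification) carried through in Python, as an added example that is not part of the original post. It assumes a tiny constructed Schnorr group written multiplicatively instead of secp256k1, and its hash encodings (the `h` helper and tags) are assumptions for illustration only.

```python
import hashlib

# Toy Schnorr group, constructed for this example and NOT secure: p = 2q + 1
# with p = 1019 and q = 509 both prime; g = 4 generates the order-q subgroup.
# "Scalar * point" becomes pow(point, scalar, p) and "point + point" becomes
# multiplication mod p. Real MuSig2 runs on secp256k1 (BIP-327).
P_MOD, Q, G = 1019, 509, 4

def h(tag, *parts):
    """Domain-separated hash of the inputs, reduced mod q (assumed encoding)."""
    data = tag.encode() + b"".join(str(x).encode() + b"|" for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def key_agg(pubkeys):
    """P = a_1 P_1 + a_2 P_2 with a_i = H(L || P_i) (rogue-key protection)."""
    coeffs = [h("agg", *pubkeys, pk) for pk in pubkeys]
    P = 1
    for a, pk in zip(coeffs, pubkeys):
        P = P * pow(pk, a, P_MOD) % P_MOD
    return P, coeffs

def musig2_sign(message, secrets, nonces1, nonces2, late_nonces1=None):
    """Two-round MuSig2 for all signers; returns (R, s, P). late_nonces1 models
    a signer who announced R_i' in round 1 but signs with a different r_i'."""
    # Round 1: each signer publishes its public key and public nonces R_i', R_i''
    pubkeys = [pow(G, p, P_MOD) for p in secrets]
    R1 = [pow(G, r, P_MOD) for r in nonces1]
    R2 = [pow(G, r, P_MOD) for r in nonces2]
    P, coeffs = key_agg(pubkeys)
    # Round 2: aggregate the nonces and derive the binding coefficient b
    Rp = Rpp = 1
    for x, y in zip(R1, R2):
        Rp, Rpp = Rp * x % P_MOD, Rpp * y % P_MOD  # R' = sum R_i', R'' = sum R_i''
    b = h("non", P, Rp, Rpp, message)            # b = H(P || R' || R'' || m)
    R = Rp * pow(Rpp, b, P_MOD) % P_MOD          # R = R' + b*R''
    e = h("chal", R, P, message)                 # Schnorr challenge H
    signing_nonces1 = late_nonces1 or nonces1
    # s_i = r_i' + b*r_i'' + H*a_i*p_i, then s = sum of the partial signatures
    s = sum(r1 + b * r2 + e * a * p for p, a, r1, r2
            in zip(secrets, coeffs, signing_nonces1, nonces2)) % Q
    return R, s, P

def verify(message, P, R, s):
    """Check sG == R + H*P."""
    e = h("chal", R, P, message)
    return pow(G, s, P_MOD) == R * pow(P, e, P_MOD) % P_MOD
```

Passing `late_nonces1` with one nonce changed shows the binding the post describes: R and P are unchanged because they were fixed in round 1, but the signature no longer verifies.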
TLDR
MuSig2 keeps security of MuSig1, but reduces interaction from 3 rounds → 2 rounds.
How feasible is it to do this with hardware signers?