MuSig2 (BIP327)

MuSig2, standardized in BIP327 (merged March 2023), is a multi-signature scheme that lets several parties combine their public keys into one aggregate key and then cooperatively produce a single ordinary Schnorr signature valid under that key. To the Bitcoin network, a MuSig2 spend is indistinguishable from a payment made by one person.

n-of-n, not threshold

MuSig2 is an n-of-n scheme: every participant must sign. It is not a t-of-n threshold scheme on its own, though it pairs naturally with Taproot script paths to express richer policies. Its headline improvement over the earlier MuSig1 is reducing signing from three communication rounds to two, which matters when signers coordinate over slow or anonymous links such as Tor.

Security and benefits

MuSig2 is proven existentially unforgeable under the algebraic one-more discrete-logarithm (AOMDL) assumption. Because the on-chain footprint of a MuSig2 Taproot (BIP341) output is just one BIP340 public key, it delivers two wins for self-custody: privacy, since a coordinated wallet hides the number of signers, and lower fees, since only one signature and one key hit the chain. It also avoids the naive-nonce-reuse pitfalls by using carefully constructed nonce pairs.

For sovereign Bitcoiners running collaborative custody, MuSig2 makes shared control cheap and invisible. It is authored by Jonas Nick, Tim Ruffing, and Elliott Jin, building on a long line of Schnorr multisig research. See also the entry on the underlying key agreement in Elliptic Curve Diffie-Hellman (ECDH).