Multiple Signers and Key Aggregation with Schnorr

Let’s say that Bob and Wendy want to purchase a house from Alice, but where Alice wants a joint digital signature on the transaction. Normally for digital signatures, we would get Bob and Wendy to each digitally sign the transaction, and add their public keys and their signatures. This becomes inefficient as we scale the number of signers. With the Schnorr signature method, we can simply aggregate signers together, and also aggregate public keys, in order to produce a single signature and public key.

With the Schnorr signature method, we can simply perform an add operation. Let’s first abstract the process, and then I will explain it. In this case, Bob and Wendy want to sign off a transaction (M) they have created:

In most signature methods, we would have to add an ECDSA signature for each of the signers, but with the Schnorr signature method, we can simply add the Schnorr signatures together, and also add the public keys together. With this, Bob will generate his private key (sk_1) and derive his public key from:

He will then generate:

and where H() is the hash of the associated byte values, and (P||M||R) is the concatenated byte values of P, M and R. The overall public key (P) will be computed by adding Bob and Wendy’s public keys. Wendy will generate her private key (sk_2) and derive her public key from:

She will then generate:

and where the public key to sign the message will be:

Bob and Wendy then send the message (M) and the signature (R,s) to Alice. The signature (R,s) becomes:

When Alice receives the signature (R,s) and the message (M), she checks:

If they are the same, the signature checks out. Here is the proof:

The implementation of this is given here:

https://asecuritysite.com/schnorr/schnorr_test
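The flow described above, as an added example (it is not the code behind the link and not the author's): Bob and Wendy each produce a share, the shares and keys are added, and Alice verifies the single (R,s) against the summed key P. The standard Schnorr relations are assumed here: P_i = sk_i·G, R_i = r_i·G, s_i = r_i + H(P||M||R)·sk_i, and the check s·G = R + H(P||M||R)·P. The secp256k1 curve, SHA-256, the 64-byte point encoding and all function names are also assumptions.

```python
import hashlib, secrets

# secp256k1 domain parameters (the curve choice is an assumption of this example)
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):  # double-and-add; not constant time, for illustration only
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def enc(A):  # fixed-width x||y encoding (an assumption of this example)
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def challenge(P, M, R):  # e = H(P || M || R) reduced mod n
    return int.from_bytes(hashlib.sha256(enc(P) + M + enc(R)).digest(), "big") % n

def keygen():  # random scalar in [1, n-1] and its point
    sk = secrets.randbelow(n - 1) + 1
    return sk, mul(sk, G)

def partial_sign(sk, r, P, M, R):  # one signer's share s_i = r_i + e*sk_i mod n
    return (r + challenge(P, M, R) * sk) % n

def verify(P, M, sig):  # Alice's check: s*G == R + e*P
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(P, M, R), P))

def joint_sign(M):
    (sk1, P1), (sk2, P2) = keygen(), keygen()  # Bob's and Wendy's key pairs
    (r1, R1), (r2, R2) = keygen(), keygen()    # nonces (r_i, R_i), fresh per signature
    P, R = add(P1, P2), add(R1, R2)            # aggregated public key and nonce
    s = (partial_sign(sk1, r1, P, M, R) + partial_sign(sk2, r2, P, M, R)) % n
    return P, (R, s)
```

Plain key addition like this is only sound when every signer has proven possession of their private key; MuSig instead weights each public key with a coefficient derived from the full key set before adding.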

The method of aggregating signatures is used within Bitcoin transactions, where it is known as MuSig. This allows multiple signers to sign off on a transaction, and use a single public key and a single signature for the transaction. This considerably reduces the amount of space required to store the transaction in a block. The method was rolled out in August 2021 and has three main flavours: MuSig, MuSig2 and MuSig-DN.