Last month, the Bitcoin Improvement Proposals (BIPs) pertaining to the integration of Taproot and Schnorr signatures were merged into the Bitcoin Core GitHub repository. As the BTC Times reported, 150 Bitcoin Core developers approved the merge after seven weeks of review following a merge request first created by Pieter Wuille.
Schnorr and Taproot are cryptographic technologies that will improve on-chain scalability and privacy for Bitcoin and further boost Bitcoin's ability to facilitate smart contracts.
While the upgrade is not yet integrated, Blockstream researchers Jonas Nick and Tim Ruffing on Wednesday unveiled a Taproot-compatible Bitcoin multisignature standard: MuSig2.
In Bitcoin, a multisignature system is one where multiple private keys must sign a transaction for it to be authorized and broadcast. Multisignature is often seen as more secure than single signature schemes due to transactions requiring multiple parties to agree.
Solving MuSig's Key Issue
In 2018, Blockstream unveiled MuSig, a multisignature standard for Bitcoin inspired by a related exchange in the #bitcoin-wizards IRC channel in 2013. MuSig focuses on offering "provable security" to counteract "colluding subsets of malicious signers," as Blockstream's Andrew Poelstra explained.
From its first release onwards, MuSig built on Blockstream's conviction that Bitcoin would eventually switch from its current signature scheme ECDSA to the more efficient Schnorr signatures. In combination with Schnorr signatures, MuSig multisignature transactions would be indistinguishable from transactions using a single signature.
MuSig2 is an iteration of MuSig and removes one of the pain points of the original system. MuSig requires three rounds of communication between signers, which means higher transaction fees and longer transaction times are incurred. As the researchers explain:
"If MuSig1 were used to forward payments in the Lightning Network, privacy would be improved but the payment would take noticeably longer. This problem gets worse as communication latency increases. A MuSig1 signing device stored in a safety deposit box requires two visits from its owner before it can create a signature."
With each Bitcoin transaction taking approximately ten minutes to receive one confirmation, the process of sending a transaction with MuSig becomes arduous for those involved.
MuSig2 fixes this: by introducing non-interactive signing, signers of a MuSig2 transaction need only two rounds of communication to create a signature. One round of communication does not need to take place as long as the signers know what they want a transaction to contain.
“It offers the same functionality and security as MuSig1 but makes it possible to eliminate almost all interaction between signers. With MuSig2, signers need only two rounds of communication to create a signature, and crucially, one of these rounds can be preprocessed before signers know the message that they want to be signed,” the researchers wrote.
"MuSig2 matches the ease of use of today's ECDSA multisig, but is smaller, faster to verify, more private, and efficient for hardware wallets," Blockstream CEO Dr. Adam Back told the BTC Times.
A paper outlining the security of MuSig2 is undergoing peer review. Cryptographer Yannick Seurin from the French National Cybersecurity Agency (ANSSI) contributed to this paper, along with the two aforementioned researchers.
Waiting on Taproot Activation
Again, this standard cannot be adopted by users of multisignature schemes until Schnorr and Taproot are officially activated in Bitcoin Core.
It may be a number of months until Taproot is activated. Matt Corallo, a former Blockstream employee now working for Square Crypto, pioneered a BIP implementation process called Modern Softfork Activation. It involves a 12-month signaling period, a six-month discussion period, and a second signaling period if there are miners that contest the activation. The idea with this method is to give developers an opportunity to implement BIPs without widespread miner support. The downside is that it requires multiple years of waiting.
There is also the more lax BIP8 implementation, which involves a signaling period for miners. BIP8 is adapted from BIP9, which would require a 95% supermajority amongst miners to be activated.
UPDATE (Nov 8, 15:15 UTC): A previous iteration of this article misdescribed the Modern Softfork Activation. The inaccuracy has been rectified.