TL;DR: Schnorr signatures are the hottest subject in Bitcoin; we release a Rust open-source implementation of MultiSig Schnorr.

It seems like Schnorr signatures are all the rage in the cryptocurrency community, and announced to be the biggest thing since sliced bread (or at least SegWit).

In this blog post we will explain one of the main advantages of Schnorr signatures: their native support for Multi-Signatures (MultiSig). Since MultiSig is one of the most important mechanisms available for users to protect their accounts against the theft of their private key, and given the high number of such hacks, it’s clear why this subject gets so much attention from the cryptocurrency community.

We will describe the mathematics behind Schnorr MultiSig in layman’s terms. On top of that, we will share an open-source implementation of Schnorr MultiSig.

MultiSig

“Multisignature (often called multisig) is a form of technology used to add additional security for cryptocurrency transactions. Multisignature addresses require another user or users sign a transaction before it can be broadcast onto the blockchain.” https://en.wikipedia.org/wiki/Multisignature

Currently, most blockchains implement this multiple locking mechanism with actual multiple signatures and some scripting or smart contract to verify that indeed everything is signed. However, this design has a few drawbacks:

- Security: Scripting is prone to errors. In Ethereum, Parity’s MultiSig contract suffered from two different vulnerabilities, resulting in more than $100M in losses.
- Efficiency: Having multiple explicit signatures bloats the size of the transactions and the fees that are associated with them.
- Privacy: Explicit multiple signatures give away the fact that this address is MultiSig, and may garner unnecessary attention to it.

Schnorr signatures (named after Claus Schnorr, whose mathematical work laid the foundations for this signature) solve all these problems, as they allow aggregating multiple signatures and their corresponding keys into a single one. As a result, Schnorr MultiSig transactions are indistinguishable from regular (“MonoSig”) transactions and therefore do not impact privacy or transaction size and fees. The MultiSig verification is done in the cryptography layer and not in the scripting layer, which eliminates the security concerns of scripting bugs.

The main difference between Schnorr signatures and Bitcoin’s current signatures (ECDSA) is that Schnorr signatures are linear, while ECDSA signatures are not.

The most relevant property of linearity for our purpose is that when you add two (or more) Schnorr signatures together, the result is a valid Schnorr signature too!

When adding two line equations together, y1=a1*X + b1 and y2=a2*X + b2, the result is another line equation y3= y1+y2= (a1+a2)* X + (b1+b2), where the new slope is a3= (a1 + a2) and the new y-intercept is b3 = (b1+b2). This is practically the same for Schnorr signatures.

[Figure: Adding the red and blue lines creates the green line (created with Desmos)]

We will use the formulation from Stepan’s excellent post to explain:

Schnorr signatures use a point R and a scalar s. Similar to ECDSA, R is a random point on elliptic curve (R = k×G). Second part of the signature is calculated slightly differently: s = k + hash(P,R,m) ⋅ x. Here x is your private key, P = x×G is your public key, m is the message. Then one can verify this signature by checking that s×G = R + hash(P,R,m)×P.

In the basic MultiSig scenario, we have 2 parties, and each has its own key pair. With Schnorr signatures we can use a pair of private keys (x1,x2) and generate a shared signature corresponding to a shared public key P=P1+P2=x1×G+x2×G.

To generate this signature, each party needs to choose a random number (k1,k2), generate a random point Ri=ki×G, add them up to calculate a common hash(P,R1+R2,m) and then get s1 and s2 from every party (si = ki + hash(P,R,m) ⋅ xi). The parties then add up these signatures and use the pair (R, s) = (R1+R2, s1+s2) as their (multi-)signature for the shared public key P.

A word of caution: the algorithm described above is too naïve and it needs to be hardened in order to sustain real-world attacks. Luckily, some cryptography experts did just that. One of the most current papers on the matter is a work led by the Blockstream team called “Simple Schnorr Multi-Signatures with Applications to Bitcoin”.

One of the authors of this work, Pieter Wuille, had created a Bitcoin Improvement Proposal (BIP), bip-schnorr, which is a fairly technical proposal on how to standardize Schnorr signatures as part of Bitcoin.

Schnorr MultiSig Open Source Project

To support the community and encourage the adoption of Schnorr MultiSig we (mostly Omer Shlomovits & Gary Benattar) created a project for experimenting with Schnorr MultiSigs, based on the aforementioned article and BIP.

KZen-networks/multisig-schnorr: This project is a Rust implementation of multi-party Schnorr signatures over elliptic curves. (github.com)

The project is implemented in Rust for performance and security. It currently supports Bitcoin’s elliptic curve (secp256k1) and can be used for:

- Key generation.
- Simple Schnorr signing based on the BIP specifications.
- Creating a multi-signature for n participants.
- Verifying a signature based on the BIP specification, which is the same for one or more signers.

Examples for all the above can be found in the test file. We also included a wiki page that explains the protocol in a step-by-step manner.

We hope that you will experiment with this project and even consider contributing to it.
After all, it can help upgrade cryptocurrencies’ security by helping users better protect the keys for their accounts, which is one of cryptocurrencies’ biggest problems and limits their wider adoption.
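
The naive aggregation described above (P = P1+P2, R = R1+R2, s = s1+s2), worked through on secp256k1 as an added example; it is not code from the multisig-schnorr project and it implements only the unhardened scheme from this post, not the one in the paper or the BIP. The function names and the byte encoding fed to the hash are assumptions, and all private keys and nonces live in one process purely for illustration.

```python
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, base point G.
FIELD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, pt):  # double-and-add k×pt; not constant time, illustration only
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(P, R, m):
    """hash(P,R,m) as a scalar; this encoding is an assumption, not bip-schnorr's."""
    data = b"".join(c.to_bytes(32, "big") for c in (*P, *R)) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def verify(P, m, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(P, R, m), P))  # s×G = R + e×P

def naive_multisig(xs, m):
    """Party i holds private key xs[i]; returns (shared P, aggregate (R, s))."""
    ks = [secrets.randbelow(N - 1) + 1 for _ in xs]    # per-party nonces ki
    P = R = None
    for x, k in zip(xs, ks):
        P, R = add(P, mul(x, G)), add(R, mul(k, G))    # P = sum Pi, R = sum Ri
    e = challenge(P, R, m)                             # common hash(P,R,m)
    s = sum(k + e * x for k, x in zip(ks, xs)) % N     # s = sum(ki + e*xi)
    return P, (R, s)
```

The verifier runs the same `verify` for one signer or many, which is why the aggregate is indistinguishable from a single-key signature.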