Multisignature
Also covering 2pECDSA and Two-Party ECDSA (2pECDSA)
Multisignatures are digital signatures created using two or more private keys which can be verified using only a single public key and a single signature.
Multisignatures can be compared with multisig, the use of public
keys and signatures with Bitcoin’s OP_CHECKMULTISIG
and
OP_CHECKMULTISIGVERIFY
opcodes (and the OP_CHECKSIGADD
opcode
proposed for tapscript). Multisignatures have the
advantage that only a single key and a single signature are published
onchain when they are used in a Bitcoin transaction, allowing an
unlimited number of signers to pay the same amount of transaction fee
that a single signer would pay for an otherwise identical transaction.
Multisignature payments being indistinguishable from single-signature
payments also gives the creators of both types of payments greater privacy.
It’s possible to create multisignatures for the ECDSA algorithm supported by all versions of Bitcoin, although it’s easier to create multisignatures for schnorr signatures and several algorithms for that are known, with MuSig having been specifically created for the needs of Bitcoin users.
Terminology: the following table summarizes the differences between multisignature and related terms.
Term | Private keys | Messages (e.g. tx inputs) |
Published pubkeys | Signatures | Signers required | Notes |
---|---|---|---|---|---|---|
Multisig | m |
1 |
m |
k where k<=m |
k |
Uses Bitcoin Script multisig opcodes |
Multisignature | m |
1 |
1 |
1 |
m |
Indistinguishable onchain from single-sig |
Threshold signature | m |
1 |
1 |
1 |
k where k<=m |
Indistinguishable onchain from single-sig |
Optech newsletter and website mentions
2022
2021
- Preparing for taproot: challenges with multisignature nonces
- Preparing for taproot: multisignature overview
- Signature adaptors without requiring support for multisignatures
2020
- Discussion of multisignatures and threshold signatures
- Warning about using 160-bit addresses for naive multiparty multisignatures
- Alternative to ECDSA multisignatures for signature adaptors
- Mitigating power analysis attacks, including against multisignature schemes
- Implementing statechains for ECDSA using multisignatures
- BIPs #876 assigns BIP340 to new multisignature compatible scheme
2019
- Discussion about nested and composable multisignature schemes
- Work on schnorr multisignature schemes that require reduced interactivity
- Talk about how taproot enables scaling when used with multisignatures
2018
- Two papers published on fast ECDSA multisignatures
- ECDSA multisignatures for scriptless Lightning Network payment channels
See also
Previous Topic:
Multipath payments
Next Topic:
MuSig