musig2-linearity-insight

Wed Apr 01 2026

MuSig2 has two things to get right: induce linearity in Schnorr signatures, and preserve the already existing relation $c = f(x, k)$. If we can make partial signatures linear, summing them gives a valid single Schnorr signature, indistinguishable from a normal one.

Schnorr signatures are partially linear

A Schnorr signature resembles the function $f(x, y, z) = x + y \cdot z$. This function is not linear overall (with respect to all of $x$, $y$, $z$), but it is linear with respect to $x$ and $y$ when $z$ is constant, and with respect to $x$ and $z$ when $y$ is constant.

The actual signature equation is $s = k + c \cdot x$. By keeping $c$ constant across multiple partial signatures, we induce linearity. Summing the partial signatures then produces a valid Schnorr signature.

How to keep c constant

The challenge value is computed as $c = H_{\text{non}}(R \| P \| \text{msg})$. To make $c$ constant across signers, we need $R$, $P$, and $\text{msg}$ to all be the same for every partial signature.

Preserving the relation between c, k, and x

In $f(x, y, z) = x + y \cdot z$, all three variables are independent. But in Schnorr signatures they are not. The challenge $c$ depends on $k$ and $x$ through the relation:

$$c = H_{\text{non}}(g^k \| g^x \| \text{msg})$$

We also need to preserve this relation when combining signatures. For $n$ signers:

$$R = g^{k_1 + k_2 + \cdots + k_n}$$

$$P = g^{x_1 + x_2 + \cdots + x_n}$$

The aggregate $R$ and $P$ must correspond to the sums of individual nonces and secret keys respectively. Then $c$ is consistent across all partial signatures, and their sum is valid under the aggregate key.

Why aggregate coefficients exist

The aggregate public key depends on the order of the individual public keys because of the aggregate coefficient $a_i = H_{\text{agg}}(L, X_i)$. If the order changes, $a_i$ changes, so the aggregate key changes. Without these coefficients, a malicious signer could pick their public key as a function of honest signers' keys to cancel them out. That's the rogue key attack, and the aggregate coefficients are what block it.
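The linearity argument and the coefficients above, as an added example that is not part of the original post: partial signatures $s_i = k_i + c \cdot a_i \cdot x_i$ are summed and checked with the ordinary single-signer equation, once with a shared $c$ and once with each signer hashing its own $g^{k_i}$. Assumptions: a toy multiplicative group with no security, one nonce per signer as in the equations above, and the hypothetical helper names `h`, `agg_key`, `verify`, `sign_together`.

```python
import hashlib
import secrets

# Toy group (assumption, NOT secure): integers mod the Mersenne prime 2^127 - 1.
# Exponents are reduced mod N = P_MOD - 1, since g^(P_MOD - 1) = 1 (Fermat).
P_MOD = 2**127 - 1
N = P_MOD - 1
G = 3

def h(tag, *parts):
    """Tagged hash to an exponent; stands in for H_non and H_agg."""
    data = tag.encode() + b"|" + b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def agg_key(pubkeys):
    """P = prod X_i^(a_i) with a_i = H_agg(L, X_i); L commits to the ordered list."""
    L = h("agg-list", *pubkeys)
    coeffs = [h("agg", L, X) for X in pubkeys]
    P = 1
    for X, a in zip(pubkeys, coeffs):
        P = P * pow(X, a, P_MOD) % P_MOD
    return P, coeffs

def verify(P, msg, R, s):
    """Ordinary single-signer Schnorr check: g^s == R * P^c."""
    c = h("non", R, P, msg)
    return pow(G, s, P_MOD) == R * pow(P, c, P_MOD) % P_MOD

def sign_together(xs, msg, shared_challenge=True):
    """Sum the partial signatures s_i = k_i + c * a_i * x_i."""
    pubkeys = [pow(G, x, P_MOD) for x in xs]
    P, coeffs = agg_key(pubkeys)
    nonces = [secrets.randbelow(N) for _ in xs]
    R = pow(G, sum(nonces) % N, P_MOD)               # R = g^(k_1 + ... + k_n)
    s = 0
    for x, a, k in zip(xs, coeffs, nonces):
        if shared_challenge:
            c = h("non", R, P, msg)                  # same R, P, msg for everyone
        else:
            c = h("non", pow(G, k, P_MOD), P, msg)   # signer hashes its own g^k_i
        s = (s + k + c * a * x) % N
    return P, R, s

if __name__ == "__main__":
    xs = [secrets.randbelow(N) for _ in range(3)]    # constructed sample keys
    for shared in (True, False):
        P, R, s = sign_together(xs, "example message", shared_challenge=shared)
        print("shared c:", shared, "-> verifies:", verify(P, "example message", R, s))
```

With the coefficients in place, each signer's effective secret is $a_i \cdot x_i$, so the aggregate key is $\prod X_i^{a_i}$ rather than the plain product of the keys.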

Open question

How is linearity defined when the domain is mod prime, instead of real numbers? The partial linearity argument above is stated over the reals, but Schnorr signatures operate in $\mathbb{Z}_p$. The same algebraic structure holds because $\mathbb{Z}_p$ is a field and the linearity argument only uses addition and multiplication, which are well-defined in any field.