Firstly, it’s value emphasizing that each basic MuSig (referred to right here as “MuSig”) and MuSig-DN are comparatively new cryptographic schemes and the paper for MuSig-DN is recent off the presses on the time of writing (September 2020) with no present implementation. So use each at your individual danger however much more so for MuSig-DN. The MuSig paper wanted to be revised and it’s actually attainable that the MuSig-DN paper might want to undergo revision(s).

There are such a lot of trade-offs with multisignature schemes that’s exhausting to be exact and weigh all of them up in opposition to one another. I’ll define a number of the key trade-offs that Pieter Wuille talked about on IRC (any errors are my very own).

Presently, MuSig-DN has a excessive computational value with roughly a 1 second signing time on a contemporary desktop CPU. It’s attainable that this could possibly be lowered however this could possible affect the existence of a safety proof. On computational value MuSig signing is clearly preferable. (Verification value is an identical.)

The motivation for MuSig-DN within the first place is that it has two communication rounds moderately than MuSig’s three. On communication rounds MuSig-DN is preferable.

MuSig-DN gives stateless signing which implies the signer does not want to recollect the rounds he/she has already participated in or bear in mind nonces from one spherical to the following. In distinction MuSig wants randomly generated nonces at signing time and former state have to be saved securely. On stateless signing and randomness necessities MuSig-DN is preferable.

Each MuSig and MuSig-DN have a safety proof below comparable assumptions.

As you may inform from the above on a number of dimensions MuSig-DN is superior to MuSig. Nonetheless, the computational value of MuSig-DN arguably outweighs all the advantages for sensible use instances and one would count on basic MuSig to typically be used over the present iteration of MuSig-DN.

(As an apart there’s a strict enchancment of basic MuSig being labored on, let’s name it “MuSig2”, which has two communication rounds and would permit for personal nesting. You can have a number of ranges of MuSig aggregation and never inform your sibling members that you’ve got baby members. Nonetheless, this scheme has not been finalized on the time of writing in September 2020.)

For extra data on MuSig-DN see this blog post from Jonas Nick and Tim Ruffing.

Source link


Please enter your comment!
Please enter your name here