Enumeration
P256K.MuSig
MuSig2 multi-signature namespace for secp256k1 (BIP-327): aggregate signer public keys with aggregate(_:), coordinate nonce generation, collect partial signatures, and aggregate into a final 64-byte P256K.MuSig.AggregateSignature.
- iOS 13.0+
- macCatalyst 13.0+
- macOS 10.15+
- tvOS 13.0+
- visionOS 1.0+
- watchOS 6.0+
enum MuSig
Overview
MuSig2 allows N parties to collaboratively produce a single BIP-340 Schnorr signature that verifies against an aggregated public key (secp256k1_musig_pubkey_agg), without revealing each signer’s individual key. The aggregate key is indistinguishable from a regular secp256k1 public key, making multi-signatures compatible with all Schnorr verifiers including Taproot (BIP-341).
Key aggregation requires no trusted dealer — every signer runs the aggregation locally and arrives at the same result by deterministic protocol. The upstream C implementation (Vendor/secp256k1-zkp/include/secp256k1_musig.h) is the normative reference for every method here; the Swift surface wraps those functions with type-safe session state.
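The BIP-327 KeyAgg computation that each signer runs locally, as an added illustration in plain Python (not code from this package or from the upstream C library, and not constant-time). The helper names and `SAMPLE_KEYS` are constructed for the example.

```python
import hashlib
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # generator

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; illustrative only, not constant-time
    r = None
    while k:
        r = add(r, pt) if k & 1 else r
        pt, k = add(pt, pt), k >> 1
    return r

def ser(pt):  # 33-byte compressed encoding
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def lift(pk):  # decode a compressed key, rejecting malformed or off-curve input
    x = int.from_bytes(pk[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    if len(pk) != 33 or pk[0] not in (2, 3) or x >= P or y * y % P != (x**3 + 7) % P:
        raise ValueError("invalid public key")
    return (x, y if (y & 1) == (pk[0] & 1) else P - y)

def tagged(tag, msg):  # BIP-340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()

def key_agg(pks):  # BIP-327 KeyAgg: Q = sum(a_i * P_i) over compressed keys
    L = tagged("KeyAgg list", b"".join(pks))
    second = next((pk for pk in pks if pk != pks[0]), None)  # gets coefficient 1
    q = None
    for pk in pks:
        a = 1 if pk == second else int.from_bytes(tagged("KeyAgg coefficient", L + pk), "big") % N
        q = add(q, mul(a, lift(pk)))
    if q is None:
        raise ValueError("aggregate key is the point at infinity")
    return q

SAMPLE_KEYS = [ser(mul(d, G)) for d in (1, 2, 3)]  # constructed demo keys, scalars 1..3
```

KeyAgg depends on the order of the input list, so all signers must agree on one ordering before aggregating (BIP-327 defines KeySort for this).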
Signing Protocol Order
The upstream secp256k1_musig.h mandates a strict protocol order. Deviating from this order may produce invalid or insecure signatures:
1. Key aggregation: Call aggregate(_:) once with all signers’ public keys.
2. Nonce generation: Each signer calls generate(secretKey:publicKey:msg32:extraInput32:) with a unique session ID.
3. Nonce aggregation: Collect all P256K.Schnorr.Nonce values; any party calls init(aggregating:).
4. Partial signing: Each signer calls partialSignature(for:pubnonce:secureNonce:publicNonceAggregate:xonlyKeyAggregate:).
5. Signature aggregation: Any party calls aggregateSignatures(_:).
Nonce Reuse
Nonce reuse leaks the secret signing key. The P256K.Schnorr.SecureNonce type is ~Copyable to prevent accidental duplication. The underlying secp256k1_musig_secnonce struct is zeroed by secp256k1_musig_partial_sign after use; never copy or serialize the secret nonce bytes. Always provide a unique sessionID per signing session.
Taproot Compatibility
The aggregate public key’s xonly form is directly usable as a BIP-341 Taproot internal key, and the aggregate signature is a valid BIP-340 Schnorr signature over the aggregate x-only key. Consumers can therefore MuSig-aggregate N cosigners and plug the result into any Taproot-compatible wallet or script-path without a custom verifier.