Key Aggregation

What Is Key Aggregation?

Key aggregation is a cryptographic technique that combines multiple public keys into a single aggregate public key. When the corresponding private key holders cooperate, they produce one aggregate signature that validates against the aggregate key. To anyone inspecting the blockchain, the transaction looks exactly like a standard single-key spend.

This property is made possible by the linearity of Schnorr signatures, which Bitcoin adopted through the BIP-340 and Taproot (BIP-341) upgrades activated in November 2021. Unlike ECDSA, where combining keys and signatures requires complex workarounds, Schnorr's algebraic structure makes aggregation natural: the sum of valid signatures is itself a valid signature under the sum of the corresponding public keys.

Key aggregation represents a fundamental improvement over traditional Bitcoin multisig (OP_CHECKMULTISIG), which required listing every public key and every signature on-chain. With key aggregation, the number of participants is completely hidden, and the on-chain cost is constant regardless of how many signers are involved.

How It Works

The mathematical foundation of key aggregation relies on a property of elliptic curve cryptography: point addition is homomorphic. If Alice has public key P_A and Bob has public key P_B, their aggregate public key P_agg = P_A + P_B corresponds to a private key that is the sum of their individual private keys. Neither party ever learns the other's private key, but together they can produce a valid signature for P_agg.

Schnorr Signature Linearity

A Schnorr signature consists of two values (R, s) where s = k + e·x. Here k is a random nonce, x is the private key, and e is a challenge hash derived from the message. Because this equation is linear, partial signatures from multiple signers can be summed:

# Individual Schnorr signatures
s_A = k_A + e · x_A
s_B = k_B + e · x_B

# Aggregate signature
s_agg = s_A + s_B = (k_A + k_B) + e · (x_A + x_B)

# Verification uses the aggregate public key
P_agg = P_A + P_B
R_agg = R_A + R_B

# Verifier checks: s_agg · G == R_agg + e · P_agg
# This holds because of the linearity property

The verifier sees only P_agg (one 32-byte key) and (R_agg, s_agg) (one 64-byte signature). There is no way to determine whether the signature came from one signer or a hundred.

The Key Aggregation Process

In practice, secure key aggregation follows these steps:

1. Each participant generates their own key pair and shares their public key with the group
2. Each participant proves knowledge of their private key (to prevent rogue-key attacks)
3. A deterministic algorithm computes per-key coefficients from the full set of public keys
4. The aggregate public key is computed as the weighted sum of all individual keys: P_agg = c_1·P_1 + c_2·P_2 + ... + c_n·P_n
5. When signing, each participant produces a partial signature using their private key and a coordinated nonce
6. Partial signatures are combined into a single aggregate signature

The Rogue-Key Attack

Naive key aggregation (simply summing public keys) is vulnerable to the rogue-key attack, also known as the key cancellation attack. This attack allows a malicious participant to forge signatures for the entire group.

Consider a two-party scenario: Alice publishes her public key P_A. A malicious Bob, instead of publishing his real public key, computes and announces P_B' = P_B - P_A. The resulting aggregate key becomes:

# Honest aggregation
P_agg = P_A + P_B'
P_agg = P_A + (P_B - P_A)
P_agg = P_B

# Bob now controls the aggregate key alone
# He can sign for the "group" without Alice's participation

Bob has effectively canceled Alice's key contribution. He can now produce valid signatures for P_agg using only his own private key, completely bypassing Alice.

Defenses Against Rogue Keys

Two primary defenses exist:

• Proof-of-knowledge: each participant must prove they know the private key corresponding to their announced public key, typically through a Schnorr proof (a zero-knowledge proof based on the Schnorr identification protocol). A rogue key like P_B - P_A has no known private key, so the attacker cannot produce a valid proof.
• Coefficient-based aggregation: instead of naive summation, each key is multiplied by a coefficient derived from a hash of all participant keys. This is the approach used by MuSig2 (BIP-327). Because the coefficient for each key depends on the entire set of keys, an attacker cannot predict what coefficient their rogue key will receive, breaking the algebraic cancellation.

Protocols for Key Aggregation

MuSig2: n-of-n Aggregation

MuSig2, specified in BIP-327, is a two-round multi-signature protocol for producing BIP-340-compatible aggregate Schnorr signatures. It requires all n participants to cooperate (n-of-n), meaning every signer must be online and available to produce a valid signature.

The protocol works in two rounds:

1. Nonce exchange: each signer generates random nonces and shares commitments with the group
2. Signing: each signer computes a partial signature using their private key, nonces, and the aggregate nonce. Partial signatures are summed to produce the final aggregate signature.

MuSig2 defends against rogue-key attacks through its KeyAgg algorithm, which multiplies each public key by a coefficient derived from a tagged hash of all participant keys. This eliminates the need for a separate proof-of-knowledge round, keeping the protocol to just two rounds. For a detailed walkthrough, see the MuSig2 multisignatures research article.

FROST: t-of-n Threshold Aggregation

FROST (Flexible Round-Optimized Schnorr Threshold Signatures), standardized as RFC 9591, extends key aggregation to threshold signatures. Any t of n participants can produce a valid aggregate signature without the remaining n - t signers being present.

FROST achieves this through distributed key generation based on Shamir's Secret Sharing. Each participant holds a share of the group private key, and no single participant (or group smaller than t) ever learns the full private key. During signing, participants produce partial signatures from their shares, and the aggregator combines them using Lagrange interpolation to produce a standard Schnorr signature.

The resulting signature is indistinguishable from both a single-signer Schnorr signature and a MuSig2 aggregate signature. A verifier cannot determine whether a 3-of-5 threshold group or a single individual signed the transaction. For a full technical breakdown, see the FROST threshold signatures research article.

Key Aggregation and Taproot

Taproot (BIP-341) is the Bitcoin protocol upgrade that makes key aggregation practical on-chain. A Taproot output (P2TR) encodes a single 32-byte tweaked public key that commits to both a key path and an optional script tree.

When all signers cooperate, they spend via the key path: the aggregate key and aggregate signature are all that appears on-chain. The transaction is identical in size and structure to a single-signer Taproot spend (34-byte output, 64-byte signature). Fallback conditions (such as timelocks or alternative spending paths) are hidden in the Tapscript tree and only revealed if the key path fails.

This design creates a strong privacy incentive: cooperative spending is the cheapest and most private option, while script-path spending reveals only the specific branch used.

Use Cases

Privacy-Preserving Multisig

Traditional multisig wallets using OP_CHECKMULTISIG expose all public keys and signatures on-chain, making multisig transactions trivially identifiable via chain analysis. Key aggregation eliminates this fingerprint entirely. A corporate treasury secured by five key holders appears identical to an individual's personal wallet on the blockchain.

Efficient Multi-Party Custody

Key aggregation dramatically reduces transaction costs for multi-party custody arrangements. A traditional 3-of-5 multisig requires three ECDSA signatures (~216 bytes) plus five public keys (~165 bytes). With key aggregation via Taproot, the same arrangement requires one signature (64 bytes) and one key (32 bytes): roughly a 75% reduction in witness data. This translates directly to lower transaction fees.

Lightning Network Channel Management

Lightning channels are fundamentally 2-of-2 multisig contracts. With simple Taproot channels, the two channel partners use MuSig2 key aggregation so that cooperative channel opens, closes, and splices appear as ordinary single-signature transactions. This improves both privacy and on-chain efficiency for the Lightning Network.

Scriptless Scripts and Adaptor Signatures

Key aggregation enables scriptless scripts and adaptor signatures, where contract conditions are enforced through the signature itself rather than through on-chain script logic. This moves complexity off-chain while maintaining trustless guarantees, and it is a building block for protocols like PTLCs and discreet log contracts.

Layer 2 Protocols

Layer 2 systems like Spark leverage key aggregation and threshold signatures for their security model. FROST-based threshold signing allows operator sets to jointly control funds without any single party having unilateral access, while keeping on-chain footprints minimal.

Risks and Considerations

Liveness Requirements

MuSig2 requires all n signers to participate in every signing session. If a single key holder is unavailable (lost key, offline, uncooperative), the group cannot sign at all. This is a strict limitation compared to traditional m-of-n multisig, where missing signers beyond the threshold do not block operations. FROST addresses this by supporting t-of-n thresholds, but it requires a more complex distributed key generation setup.

Setup Complexity

Secure key aggregation demands careful implementation of the key generation and nonce coordination protocols. Nonce reuse in Schnorr signing is catastrophic: if a signer reuses a nonce across two signing sessions, their private key can be extracted algebraically. MuSig2 mitigates this with deterministic nonce derivation, but implementers must follow the specification precisely.

No Post-Hoc Accountability

Because the aggregate signature is indistinguishable from a single-signer signature, there is no on-chain record of which participants signed a particular transaction. This is a privacy benefit, but it also means organizations cannot use the blockchain as an audit trail for signing activity. Internal logging must be maintained separately.

Incompatibility with ECDSA

Key aggregation relies on Schnorr signature linearity and is not possible with ECDSA, the signature scheme used by legacy and SegWit v0 Bitcoin addresses. Only P2TR (Taproot) outputs support Schnorr-based key aggregation natively. Wallets and applications must adopt Taproot to benefit from these properties.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.