Signature Aggregation
Signature aggregation combines multiple cryptographic signatures into a single compact signature, reducing transaction size and fees.
Key Takeaways
- Signature aggregation combines multiple digital signatures into a single compact signature, reducing transaction size and on-chain fees. It works because Schnorr signatures have a mathematical linearity property that ECDSA lacks.
- Key aggregation is live today: protocols like MuSig2 and FROST let multiple signers produce a single 64-byte signature via Taproot, indistinguishable from a regular single-signer transaction on-chain.
- Cross-input aggregation is a proposed future upgrade that would let all inputs in a transaction share one signature. A CoinJoin with 100 inputs could shrink from 6,400 bytes of signatures down to 64, but this requires a soft fork.
What Is Signature Aggregation?
Signature aggregation is a cryptographic technique that combines multiple signatures into a single, compact signature. Instead of each signer producing a separate signature that must be individually verified and stored on-chain, aggregation merges them into one. The result is smaller transactions, lower fees, and improved privacy.
In Bitcoin, every transaction input requires a digital signature to prove the spender controls the funds. A simple payment has one input and one signature. But complex transactions like multisig setups, CoinJoins, or batch consolidations can have dozens or hundreds of inputs, each carrying its own signature. Signature aggregation addresses this scalability bottleneck by collapsing those signatures into fewer (or ideally, one).
There are two distinct levels of signature aggregation in Bitcoin: key aggregation (live today) and cross-input aggregation (a proposed future upgrade). Understanding the difference is essential for grasping where Bitcoin scaling stands and where it is headed.
How It Works
Why Schnorr Enables Aggregation
Signature aggregation is possible because of a mathematical property unique to Schnorr signatures: linearity. A Schnorr signature consists of a pair (R, s) where R is a nonce point and s is a scalar. The verification equation is:
s * G = R + e * P
where:
G = generator point on secp256k1
P = public key
e = hash(R, P, message)
s = r + e * x (r = nonce, x = private key)Because this equation is linear, two valid signatures can be combined through simple addition. If signer A produces (R₁, s₁) and signer B produces (R₂, s₂), then (R₁ + R₂, s₁ + s₂) is a valid signature under the aggregate public key P₁ + P₂. The math works because elliptic curve point addition distributes across the verification equation.
ECDSA, Bitcoin's original signature scheme, cannot do this. ECDSA verification involves a modular inverse operation that breaks linearity. There is no known efficient way to add two ECDSA signatures and get a valid aggregate. This is why signature aggregation only became possible after the Taproot upgrade activated BIP 340 Schnorr signatures in November 2021.
Key Aggregation (Live Today)
Key aggregation allows multiple signers to combine their public keys into a single aggregate key and collaboratively produce one signature. On-chain, the result looks identical to a standard single-signer transaction: one 32-byte public key and one 64-byte signature.
Two protocols implement this today:
- MuSig2 (BIP 327): an n-of-n multi-signature protocol where all participants must sign. It requires two rounds of communication: a nonce exchange round and a partial signature exchange round. The aggregate public key and signature are indistinguishable from a solo key-path spend, giving multisig users the same privacy and fee cost as single-sig users.
- FROST (Flexible Round-Optimized Schnorr Threshold Signatures): a t-of-n threshold signature protocol where any t out of n participants can produce a valid signature. Like MuSig2, the output is a single standard Schnorr signature. FROST was standardized in IETF RFC 9591 (2024) and is usable with Taproot key-path spends today.
The practical impact is significant. A traditional 3-of-5 multisig using OP_CHECKMULTISIG requires 3 separate signatures and 5 public keys on-chain. With FROST key aggregation, the same setup needs only 1 signature and 1 public key: a savings of roughly 200 bytes per input.
Cross-Input Aggregation (Proposed)
Cross-input signature aggregation takes the concept further: instead of aggregating signatures within a single input, it would aggregate all signatures across every input in a transaction into one. A transaction with 100 inputs would carry just one 64-byte signature instead of 100 separate ones.
This is not yet possible because different inputs in a transaction are typically signed by unrelated parties who do not coordinate. Full cross-input aggregation would require interaction between all signers, which is impractical. Researchers have proposed an alternative called half-aggregation:
- Full aggregation: combines all (R, s) pairs into one (R, s) pair, requiring interaction between signers
- Half-aggregation: a non-interactive scheme where anyone can compress N signatures after they are created. The individual R values are preserved, but the s values merge into one. Space savings are roughly 50% instead of ~99%, but no coordination is needed
Either form of cross-input aggregation would change how transaction validity is verified and therefore requires a Bitcoin soft fork. As of mid-2026, no formal BIP has advanced to community consensus, and development focus has been on other proposals like OP_CAT and OP_CTV.
Space Savings
The efficiency gains from signature aggregation scale with the number of participants or inputs:
| Scenario | Without aggregation | With aggregation | Savings |
|---|---|---|---|
| 2-of-2 multisig (MuSig2) | 128 bytes (2 sigs) + 2 pubkeys | 64 bytes (1 sig) + 1 pubkey | ~97 bytes |
| 3-of-5 multisig (FROST) | 192 bytes (3 sigs) + 5 pubkeys | 64 bytes (1 sig) + 1 pubkey | ~256 bytes |
| CoinJoin, 100 inputs (cross-input) | 6,400 bytes (100 sigs) | 64 bytes (1 sig) | ~6,336 bytes (99%) |
| 100 inputs (half-aggregation) | 6,400 bytes (100 sigs) | ~3,232 bytes | ~3,168 bytes (50%) |
For context, a standard BIP 340 Schnorr signature is exactly 64 bytes (32-byte R point + 32-byte s scalar), compared to 71-72 bytes for a typical DER-encoded ECDSA signature. The aggregation savings compound on top of this per-signature improvement.
These savings directly translate to lower transaction fees because Bitcoin fees are proportional to transaction weight. Signature data lives in the witness, which receives the witness discount from SegWit, but eliminating signatures entirely is still the most effective optimization.
Use Cases
Private Multisig
Key aggregation via MuSig2 or FROST makes multisig wallets indistinguishable from single-sig wallets on-chain. A corporate treasury using a 3-of-5 signing policy appears identical to an individual spending from a personal wallet. This eliminates the privacy leak that traditional multisig creates, where the number of signers and the signing threshold are visible to anyone analyzing the blockchain. For a deeper look at how MuSig2 achieves this, see the MuSig2 research article.
Efficient CoinJoin
CoinJoin transactions combine inputs from multiple users to improve fungibility. Today, a CoinJoin with 50 participants requires 50 separate signatures, making these transactions large and expensive. Cross-input aggregation would collapse all 50 into one, dramatically reducing fees and making privacy-preserving transactions economically competitive with standard payments.
Layer 2 Protocols
Protocols like Spark and the Lightning Network use multi-party signing extensively. Key aggregation reduces the on-chain footprint of channel opens, closes, and settlement transactions. FROST threshold signatures are particularly valuable for protocols requiring flexible signing quorums, such as Fedimint federations and distributed custody systems.
Transaction Batching
Exchanges and payment processors that batch many outputs into a single transaction benefit from key aggregation on their input side. With cross-input aggregation, a batched transaction consolidating 200 UTXOs into a handful of outputs would carry one signature instead of 200, saving thousands of bytes in block space.
Risks and Considerations
Coordination Complexity
Key aggregation protocols like MuSig2 and FROST require multiple rounds of communication between signers before a signature can be produced. Signers must exchange nonces and partial signatures in a specific order. If any participant goes offline during the signing session, the process must restart. This adds latency and complexity compared to simple single-key signing, particularly for protocols with many participants or unreliable network connections.
Nonce Management
Schnorr-based aggregation schemes are critically sensitive to nonce handling. Reusing a nonce across signing sessions can leak the private key, and the deterministic nonce generation used in single-signer Schnorr becomes dangerous in multi-party settings. MuSig2 addresses this with a specific nonce protocol requiring fresh random nonces per session. Implementations must be carefully audited to prevent nonce reuse vulnerabilities.
Rogue Key Attacks
In naive key aggregation, a malicious participant can choose their "public key" as a function of other participants' keys, effectively canceling them out and gaining sole control of the aggregate key. MuSig2 prevents this through a key aggregation coefficient derived from all participants' keys, ensuring no single party can manipulate the aggregate. FROST handles this through its distributed key generation ceremony. Using unvetted aggregation schemes without these protections is dangerous.
Cross-Input Aggregation Challenges
Beyond requiring a soft fork, cross-input aggregation introduces verification complexity. Validators can no longer check individual input signatures independently: they must verify the aggregate against all inputs simultaneously. This changes the transaction validation model and has implications for parallel verification, transaction relay policies, and mempool handling. These open design questions are part of why no formal proposal has advanced to consensus.
Why It Matters
Signature aggregation represents one of the most impactful scaling improvements available to Bitcoin. Key aggregation through MuSig2 and FROST is already making multisig cheaper, more private, and more practical: every Taproot key-path spend can leverage it today. Cross-input aggregation, if activated in a future soft fork, would deliver even larger gains by compressing entire transactions.
For layer 2 protocols like Spark that rely on multi-party signing, these techniques are foundational. FROST threshold signatures enable flexible custody models where a subset of operators can authorize transactions without exposing the signing structure on-chain. As Bitcoin's block space becomes more scarce, signature aggregation will play an increasingly important role in keeping transactions affordable. To learn more about the underlying signature scheme, see the Taproot and Schnorr signatures research article.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.