How Does Monero XMR Multisig Work?

Mila Mostovaya

Monero XMR
How Does Monero XMR Multisig Work?

Monero multisig lets a group share one wallet, so funds move only when enough members agree. There are no on-chain scripts behind it, just some elegant cryptography. As a regular user, you can use it as well to make a deal with a stranger or store your savings.

Here’s how it works, step by step, in plain language.

💡Thanks to Monero Konferenco (“MoneroKon”) and Vasilii Rogin. We prepared this article based on their expertise and the report materials. All the images in this article were collected from Vasilii Rogin's presentation at MoneroKon, which is open source.

What Is Digital Sign in Crypto?

A digital signature is how you prove a transaction is really yours without ever revealing your private key.

Every wallet has two keys: a private key (your secret, like a password) and a public key (your address, which you can share). It’s easy to turn the private key into the public key, but you can’t go backward and work out the private key from the public one.

💡Read more: How to Work with Private Keys: The Ultimate Guide

When you want to move funds, you “sign” the transaction with your private key. Anyone can then take your public key and check that the signature is valid. They learn that the owner approved this exact transaction, but they never see your private key, and they can’t forge your signature.

How Is Digital Sign Created in a Wallet?

In practice, you don’t sign anything by hand because the wallet does it for you. You paste the recipient’s address, type the amount, and hit Send. Behind the scenes, the wallet takes two ingredients (the transaction details and your private key) and runs them through a math function (a hash function) that produces the signature.

CoinSpace

It sends the transaction and its signature to the network, while your private key never leaves your device. The network then verifies the signature against your public key and, if everything matches, records the transfer on the blockchain.

CoinSpace

Why Does Digital Sign Need You?

The signature needs your private key because that’s the one thing only you have. No one else can produce a valid signature for your funds.

It also ties the signature to the exact transaction: if anyone changes a single detail, like the amount or the address, the signature stops matching, and the network rejects it.

So one signature proves two things at once: that it’s really you, and that the transaction wasn’t changed along the way.

What Is MultiSig?

Multisig (short for “multi-signature”) means a transaction needs more than one signature to go through. Instead of one person signing alone, a group shares a wallet, and a set number of them must sign before funds can move. For example, two out of three.

The classic example is a deal between a seller and a buyer, plus a third person who helps them negotiate if something goes wrong. With a 2-of-3 wallet, no single person can move the money alone, but any two together can. If the deal goes smoothly, the buyer and seller sign. If there’s a dispute, the third party steps in and signs with whoever is in the right.

How Does Digital Sign Work in the Bitcoin Network? Just as an Example

In Bitcoin, multisig is fairly simple because Bitcoin has a special opcode called OP_CHECKMULTISIG, and it’s visible in the blockchain. It’s basically a rule that says these funds can be spent only if some conditions are met.

For example, two valid signatures out of three, and then they can be spent. It’s pretty easy to set up: you just need the public keys of the participants, and then you can configure the multisig.

CoinSpace

In Monero, it’s a little different story.

What Is MultiSig in Monero?

Monero has no scripts, so there’s no built-in multisig rule like Bitcoin’s. But multisig is still possible, and implemented, thanks to advanced cryptography. It works because Monero is based on the ED25519 / Schnorr signature scheme, and these signatures are aggregatable.

What does “aggregatable” mean? As soon as we have public keys for Alice and Bob, for example, we can simply add those public keys together. That's, we get one key from two keys.

CoinSpace

Adding Alice’s and Bob’s public keys gives a new public key (Apub + Bpub). It’s just an elliptic-curve sum, and each key is 32 bytes.

The same trick works for spending. When Alice and Bob want to spend or just sign a message, using this combined public key, they each sign with their own private key.

Alice signs with A-private, Bob signs with B-private, and when you combine the two parts (again, just a sum: A + B), you get a valid signature for the combined public key A-pub + B-pub. This is how funds are spent in Monero.

Alice signs with Apriv, Bob signs with Bpriv, and the combined result is a valid signature for (Apub Bpub).
Alice signs with [Apriv], Bob signs with [Bpriv], and the combined result is a valid signature for (Apub + Bpub).

💡A SMALL SUBTLETY: THE KEY CANCELLATION ATTACK
In theory, Bob could claim his key is “B-pub minus A-pub,” so the sum would cancel out to just Bob’s key, handing him control.

To prevent this, Monero adds coefficients: the keys are hashed, coefficients are derived from those hashes, and then they’re multiplied in before the keys are added. So when we say “A + B,” it isn’t a plain A + B, but you can still think of it that way, just with a little extra protection built in.

For an N-of-N multisig (we'll talk about that in detail below), say 3-of-3 or 10-of-10, this is easy: each participant contributes a key, and all the keys are aggregated. No one knows the private key that matches the combined public key, because it’s an aggregation of everyone’s private keys. But everyone knows the combined public key, so a wallet address can be generated.

The public spend key has no known private key, while the matching private view key is known by all members. The wallet address contains both keys.
The public spend key has no known private key, while the matching private view key is known by all members. The wallet address contains both keys.

This is also why Monero addresses are so long: the address actually contains two public keys: a public spend key and a public view key. That’s two 32-byte keys instead of one.

How Does Monero XMR Multisig Work?

Threshold setups, where only some members need to sign, take a bit more work. Setting up a multisig wallet includes a few rounds of key exchange, and all members have to be present for it.

For a 2-of-3 Wallet, There are 3 Steps (Rounds)

  1. Alice, Bob, and Carol share their own public keys (and the view-key secret).
  2. Each pair calculates a shared secret from those public keys. In Monero, it’s derived using Diffie-Hellman, then shares the resulting public key with everyone else.
  3. Everyone calculates the wallet address and shares it, just to verify that everyone ended up with the same wallet.

Share public keys, calculate a Diffie-Hellman secret per pair, then share the wallet address for verification.

The setup formula for an N-of-M wallet. The final round is a verification round optional in theory, but required by the Monero key-exchange protocol.
The setup formula for an N-of-M wallet. The final round is a verification round optional in theory, but required by the Monero key-exchange protocol.

For example, if 10 people set up a wallet where any 5 can spend (a 5-of-10 wallet), that’s 10 − 5 + 2 = 7 rounds. For our 2-of-3 case, it’s 3 − 2 + 2 = 3 rounds. Now let’s look at the three most common threshold models.

Model 1. 2-of-3 Multisig

You can’t just add Alice’s, Bob’s, and Carol’s keys together, because then you’d need all three. Instead, each pair of participants generates its own shared secret, known only to that pair: Alice and Bob know AB, Alice and Carol know AC, Carol and Bob know BC. From these private secrets, public keys are derived, and the public spend key is the sum of all three: AB + BC + AC.

CoinSpace

2-of-3: each pair shares a secret (ab, ac, bc). The spend key is AB + BC + AC, so any two members together cover all three secrets.

That’s why any two people are enough. If Alice is absent, Carol knows AC and BC, and Bob knows AB and BC. So together they cover all three secrets (AB, AC, BC) and can rebuild the spend key. One person alone never has all three, so one person can’t spend.

Model 2. 3-of-4 Multisig

A 3-of-4 wallet works the same way: for each possible pair among Alice, Bob, Carol, and Dave, the pair generates a shared secret. Three people are enough, because if one person is missing, no secret is lost: every pair is still covered by someone present.

Two people aren’t enough: if a pair like Carol and Dave is missing, only Carol and Dave knew their shared secret, so Alice and Bob alone can’t sign.

Same idea, each pair has its own secret. Three signers cover everything, with only two present, a missing pair takes its shared secret with them.
Same idea, each pair has its own secret. Three signers cover everything, with only two present, a missing pair takes its shared secret with them.

Model 3. 2-of-4 multisig

A 2-of-4 wallet is almost the same, except now we work with triples instead of pairs. For each possible triple, Alice-Bob-Carol, Alice-Bob-Dave, Alice-Carol-Dave, and so on, the group generates its own shared secret, derives a public key, and those are aggregated into the spend key.

The same construction as before, except secrets are shared across every possible triple of members instead of every pair.
The same construction as before, except secrets are shared across every possible triple of members instead of every pair.

How Secure is Monero MultiSig?

A few things make Monero multisig secure.

No single member ever holds the wallet's private key. It only exists as the combination of everyone’s parts, so you always need the agreed threshold to spend. With 2-of-3, two members can sign and one can’t, with 3-of-4, you truly need three.

Then there’s Monero’s privacy. The setup gives you a public spend key plus key images, which are used to tell whether a transaction has been spent. Every member knows the private view key, so each one has a view of the wallet, but that view works exactly like a view-only wallet. You can see incoming transactions, but you can’t see spending transactions without exchanging key-image information first.

Example a 2-of-3 Wallet in Practice

Alice, Bob, and Carol share a 2-of-3 wallet, and a wild incoming transaction of 0.2 XMR appears. All three see +0.2 XMR, but none of them has the key image yet. Alice and Bob exchange key-image info, confirm the funds weren’t spent, and agree to spend. They send 0.2 XMR and get 0.1 back as change in a second transaction.

Carol, meanwhile, sat out and exchanged nothing. She sees both movements (+0.2 and +0.1) but, without the key images, she doesn’t realize the first one was already spent.

That’s Monero’s privacy in action: even a co-owner doesn’t see more than they should until information is shared.

Key images in action. Alice and Bob exchange key-image info and spend; Carol, who exchanged nothing, can’t tell that the first transaction was already spent.
Key images in action. Alice and Bob exchange key-image info and spend; Carol, who exchanged nothing, can’t tell that the first transaction was already spent.

The Takeaway

After reading all this complex stuff, you might think it isn't for you. But if you want to keep your privacy and funds secure, you should know how these intricate tools work. Unfortunately, this is the price of privacy.

Bitcoin solves the multi-signature problem head-on by writing the rule directly into the blockchain. Monero, on the other hand, has chosen to avoid such rules to maintain privacy; therefore, it has had to achieve the same result through a more indirect approach, using the mathematics of signatures themselves (which can be added together).

This is the key takeaway: the multisig feature in Monero is not a feature that was "added" by someone, but rather a consequence of the way its cryptography works. From the outside, this wallet appears to be identical to a regular wallet, and this is a direct extension of its privacy philosophy.