multi signature – Does MuSig have the same security as 2-2 multisig?


Yes or no, depending on your definition.

You are right that the expected time to forge a 2-of-2 multisignature is twice that of a single signature, because you obviously need to use your forger algorithm twice.

However, in practice such constant factors are ignored when describing security levels. For example, typically ed25519 and secp256k1 are placed in the same group of 128-bit security, despite the fact that secp256k1 needs on average 4x more iterations of Pollard’s rho algorithm to break the DLP. On the other hand, due to secp256k1’s efficiently computable endomorphism, individual iterations of that algorithm are 1.7x faster than what would be expected otherwise.

Furthermore, the unit they’re specified in is vague. When talking about ECDLP, the security levels is usually specified in terms of the number of elliptic curve multiplications. But an EC multiplication is not a trivial thing, nor is its performance identical across curves. However, when talking about things in the order of 2^128 a factor 10 here or there only changes the exponent by 3.3. It gets even fuzzier when you take into account specialized hardware that could be built for certain tasks, making it even hard to compare.

The point is that we don’t care how long things take for an attacker. We only care that they’re so long that no attacker could conceivably use them to pose a real threat.

If it takes too long to forge two signatures, it very likely also takes too long to break one.