barretenberg
crypto::schnorr::multisig< G1, HashRegNon, HashSig > Class Template Reference

Implements the SpeedyMuSig protocol, a secure 2-round interactive multisignature scheme whose signature outputs can be verified by a regular Schnorr verification algorithm.

#include <multisig.hpp>

Classes

struct  MultiSigPublicKey
 MultiSigPublicKey wraps a signer's public key g1::affine_element along with a proof of possession: a signature whose message is the public key, signed by the corresponding private key.
 
struct  RoundOnePrivateOutput
 
struct  RoundOnePublicOutput
 

Public Types

using Fq = typename G1::coordinate_field
 
using Fr = typename G1::subgroup_field
 
using affine_element = typename G1::affine_element
 
using element = typename G1::element
 
using key_pair = crypto::schnorr::key_pair< Fr, G1 >
 
using RoundTwoPublicOutput = Fr
 

Static Public Member Functions

static std::optional< affine_element > validate_and_combine_signer_pubkeys (const std::vector< MultiSigPublicKey > &signer_pubkeys)
 Computes the sum of all signer pubkeys. Output is the public key of the public-facing schnorr multisig "signer".
 
static std::pair< RoundOnePublicOutput, RoundOnePrivateOutput > construct_signature_round_1 ()
 First round of SpeedyMuSig. Signers generate random nonce keypairs R = {r, [R]}, S = {s, [S]}.
 
static std::optional< RoundTwoPublicOutput > construct_signature_round_2 (const std::string &message, const key_pair &signer, const RoundOnePrivateOutput &signer_round_1_private_output, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces)
 Second round of SpeedyMuSig. Given the signer pubkeys and the output of round 1, round 2 has each signer compute a share of the Schnorr signature scheme's s parameter.
 
static std::optional< signature > combine_signatures (const std::string &message, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces, const std::vector< RoundTwoPublicOutput > &round_2_signature_shares)
 The final step in the SpeedyMuSig multisig scheme. Can be computed by an untrusted 3rd party. Combines the message, signer pubkeys and round 1 outputs to compute the Schnorr signature parameter e. Combines the outputs of round 2 to compose the total Schnorr signature parameter s.
 

Detailed Description

template<typename G1, typename HashRegNon, typename HashSig = Blake2sHasher>
class crypto::schnorr::multisig< G1, HashRegNon, HashSig >

Implements the SpeedyMuSig protocol, a secure 2-round interactive multisignature scheme whose signature outputs can be verified by a regular Schnorr verification algorithm.

Template Parameters
G1: The elliptic curve group being used to generate the multisignature
HashRegNon: Hash function used to model H_reg and H_non. It must be different from H_sig for proper domain separation.
HashSig: Hash function used to generate the Fiat-Shamir challenge for the signature (H_sig).

SpeedyMuSig paper at https://eprint.iacr.org/2021/1375.pdf

Member Function Documentation

◆ combine_signatures()

template<typename G1 , typename HashRegNon , typename HashSig = Blake2sHasher>
static std::optional< signature > crypto::schnorr::multisig< G1, HashRegNon, HashSig >::combine_signatures ( const std::string &  message,
const std::vector< MultiSigPublicKey > &  signer_pubkeys,
const std::vector< RoundOnePublicOutput > &  round_1_nonces,
const std::vector< RoundTwoPublicOutput > &  round_2_signature_shares 
)
inline static

The final step in the SpeedyMuSig multisig scheme. Can be computed by an untrusted 3rd party. Combines the message, signer pubkeys and round 1 outputs to compute the Schnorr signature parameter e. Combines the outputs of round 2 to compose the total Schnorr signature parameter s.

Parameters
message
signer_pubkeys
round_1_nonces: The outputs of round 1
round_2_signature_shares: The outputs of round 2
Returns
signature it's a Schnorr signature! Looks identical to a regular non-multisig Schnorr signature.
std::nullopt if any of the signature shares are invalid

◆ construct_signature_round_1()

template<typename G1 , typename HashRegNon , typename HashSig = Blake2sHasher>
static std::pair< RoundOnePublicOutput, RoundOnePrivateOutput > crypto::schnorr::multisig< G1, HashRegNon, HashSig >::construct_signature_round_1 ( )
inline static

First round of SpeedyMuSig. Signers generate random nonce keypairs R = {r, [R]}, S = {s, [S]}.

Parameters
message
Returns
RoundOnePublicOutput group elements [R_user], [S_user]
RoundOnePrivateOutput field elements [r_user], [s_user]

◆ construct_signature_round_2()

template<typename G1 , typename HashRegNon , typename HashSig = Blake2sHasher>
static std::optional< RoundTwoPublicOutput > crypto::schnorr::multisig< G1, HashRegNon, HashSig >::construct_signature_round_2 ( const std::string &  message,
const key_pair &  signer,
const RoundOnePrivateOutput &  signer_round_1_private_output,
const std::vector< MultiSigPublicKey > &  signer_pubkeys,
const std::vector< RoundOnePublicOutput > &  round_1_nonces 
)
inline static

Second round of SpeedyMuSig. Given the signer pubkeys and the output of round 1, round 2 has each signer compute a share of the Schnorr signature scheme's s parameter.

Parameters
message
signer
signer_round_1_private_output: the signer's secret nonce values r, s
signer_pubkeys
round_1_nonces: the output from round 1
Returns
std::optional<RoundTwoPublicOutput> signer's share of s, if round 2 succeeds

◆ validate_and_combine_signer_pubkeys()

template<typename G1 , typename HashRegNon , typename HashSig = Blake2sHasher>
static std::optional< affine_element > crypto::schnorr::multisig< G1, HashRegNon, HashSig >::validate_and_combine_signer_pubkeys ( const std::vector< MultiSigPublicKey > &  signer_pubkeys)
inline static

Computes the sum of all signer pubkeys. Output is the public key of the public-facing schnorr multisig "signer".

Parameters
signer_pubkeys
Returns
std::optional<affine_element> the Schnorr aggregate "signer" public key, if all keys are valid.
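
The round structure documented above, as an added self-contained example (not barretenberg code): three signers produce round 1 nonces and round 2 shares, a combiner sums the shares, and the result passes an ordinary Schnorr check against the summed public key. Assumptions of this sketch: a toy multiplicative group with P = 2039, an FNV-1a hash with string tags standing in for HashRegNon and HashSig, the share convention z_i = r_i + a*s_i + e*x_i, fixed constructed nonces, proof-of-possession checks left out, and hypothetical names throughout.

```cpp
#include <optional>
#include <string>
#include <vector>
using u64 = unsigned long long;
// Toy group (assumption): order-Q subgroup of Z_P^*, P = 2Q + 1; far too small to be secure.
constexpr u64 P = 2039, Q = 1019, G = 4;
u64 pow_mod(u64 b, u64 e) { return e ? pow_mod(b * b % P, e >> 1) * (e & 1 ? b % P : 1) % P : 1; }
// Toy FNV-1a hash to a scalar; the tag keeps H_non and H_sig in separate domains.
u64 hash_to_scalar(const std::string& tag, const std::vector<u64>& in, const std::string& msg) {
    u64 h = 1469598103934665603ULL;
    for (unsigned char c : tag + "|" + msg) h = (h ^ c) * 1099511628211ULL;
    for (u64 v : in) h = (h ^ v) * 1099511628211ULL;
    return h % Q;
}
struct Signer { u64 x, r, s; };     // private key x and secret round-1 nonces r, s
struct Nonces { u64 R, S; };        // public round-1 output [R], [S]
struct Signature { u64 R, z; };
struct Session { u64 X, a, R, e; }; // public: aggregate key, nonce coefficient, aggregate nonce, challenge
Session derive(const std::string& m, const std::vector<u64>& pks, const std::vector<Nonces>& ns) {
    u64 X = 1, Rp = 1, Sp = 1;
    for (u64 pk : pks) X = X * pk % P;
    std::vector<u64> t = {X};
    for (const Nonces& n : ns) { Rp = Rp * n.R % P; Sp = Sp * n.S % P; t.insert(t.end(), {n.R, n.S}); }
    u64 a = hash_to_scalar("non", t, m), R = Rp * pow_mod(Sp, a) % P;
    return {X, a, R, hash_to_scalar("sig", {X, R}, m)};
}
// Round 2: one signer's share z_i = r_i + a*s_i + e*x_i (mod Q).
u64 round_2(const Signer& sg, const Session& c) { return (sg.r + c.a * sg.s + c.e * sg.x) % Q; }
// Ordinary single-signer Schnorr check: g^z == R * X^e with e = H_sig(X, R, m).
bool schnorr_verify(const std::string& m, u64 X, const Signature& sig) {
    return pow_mod(G, sig.z) == sig.R * pow_mod(X, hash_to_scalar("sig", {X, sig.R}, m)) % P;
}
// Untrusted combiner: sum the shares; any bad share makes the result fail verification.
std::optional<Signature> combine(const std::string& m, const Session& c, const std::vector<u64>& shares) {
    Signature sig{c.R, 0};
    for (u64 z : shares) sig.z = (sig.z + z) % Q;
    return schnorr_verify(m, c.X, sig) ? std::optional<Signature>(sig) : std::nullopt;
}
// Full flow for three constructed signers (real nonces are fresh random values per session).
std::optional<Signature> run_demo(const std::string& m, bool tamper) {
    std::vector<Signer> sg = {{11, 101, 202}, {22, 303, 404}, {33, 505, 606}};
    std::vector<u64> pks, shares;
    std::vector<Nonces> ns;
    for (const Signer& s : sg) { pks.push_back(pow_mod(G, s.x)); ns.push_back({pow_mod(G, s.r), pow_mod(G, s.s)}); }
    Session c = derive(m, pks, ns);
    for (const Signer& s : sg) shares.push_back(round_2(s, c));
    if (tamper) shares[1] = (shares[1] + 1) % Q; // simulate one corrupted round-2 share
    return combine(m, c, shares);
}
int main() { return run_demo("constructed message", false) && !run_demo("constructed message", true) ? 0 : 1; }
```

The verifier only ever sees the aggregate key and a single (R, z) pair, which is why the output is indistinguishable from a single-signer Schnorr signature.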
