Barretenberg
The ZK-SNARK library at the core of Aztec
Implements the SpeedyMuSig protocol: a secure 2-round interactive multisignature scheme whose signature outputs can be verified by a regular Schnorr verification algorithm.
#include <multisig.hpp>
Classes | |
| struct | MultiSigPublicKey |
| MultiSigPublicKey wraps a signer's public key g1::affine_element along with a proof of possession: a signature whose message is the public key, signed by the corresponding private key. | |
| struct | RoundOnePrivateOutput |
| struct | RoundOnePublicOutput |
Public Types | |
| using | Fq = typename G1::Fq |
| using | Fr = typename G1::Fr |
| using | affine_element = typename G1::affine_element |
| using | element = typename G1::element |
| using | key_pair = crypto::schnorr_key_pair< Fr, G1 > |
| using | RoundTwoPublicOutput = Fr |
Static Public Member Functions | |
| static std::optional< affine_element > | validate_and_combine_signer_pubkeys (const std::vector< MultiSigPublicKey > &signer_pubkeys) |
| Computes the sum of all signer pubkeys. Output is the public key of the public-facing schnorr multisig "signer". | |
| static std::pair< RoundOnePublicOutput, RoundOnePrivateOutput > | construct_signature_round_1 () |
| First round of SpeedyMuSig. Signers generate random nonce keypairs R = {r, [R]}, S = {s, [S]}. | |
| static std::optional< RoundTwoPublicOutput > | construct_signature_round_2 (const std::string &message, const key_pair &signer, const RoundOnePrivateOutput &signer_round_1_private_output, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces) |
| Second round of SpeedyMuSig. Given the signer pubkeys and the output of round 1, round 2 has each signer compute a share of the Schnorr signature scheme's s parameter. | |
| static std::optional< schnorr_signature > | combine_signatures (const std::string &message, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces, const std::vector< RoundTwoPublicOutput > &round_2_signature_shares) |
| The final step in the SpeedyMuSig multisig scheme. Can be computed by an untrusted 3rd party. Combines the message, signer pubkeys and round 1 outputs to compute the Schnorr signature parameter e. Combines the outputs of round 2 to compose the total Schnorr signature parameter s. | |
Static Private Member Functions | |
| static bool | valid_round1_nonces (const std::vector< RoundOnePublicOutput > &round1_public_outputs) |
| given a list of commitments to nonces produced in round 1, we check that all points are valid and that the list does not contain duplicates | |
| static Fr | generate_nonce_challenge (const std::string &message, const affine_element &aggregate_pubkey, const std::vector< RoundOnePublicOutput > &round_1_nonces) |
| Generates the Fiat-Shamir challenge a that is used to create a Schnorr signature nonce group element [R], where [R] is a uniformly randomly distributed combination of the signer nonces. | |
| static affine_element | construct_multisig_nonce (const Fr &a, const std::vector< RoundOnePublicOutput > &round_1_nonces) |
| Compute the Schnorr signature scheme's nonce group element [R], given each signer's public nonces [R_user], [S_user] and the nonce challenge a. | |
| template<typename T > | |
| static std::vector< size_t > | duplicated_indices (const std::vector< T > &input) |
| Returns a vector of indices of elements in input that are included more than once. | |
Implements the SpeedyMuSig protocol: a secure 2-round interactive multisignature scheme whose signature outputs can be verified by a regular Schnorr verification algorithm.
Template Parameters | |
| G1 | The elliptic curve group being used to generate the multisignature |
| HashRegNon | Hash function used to model H_reg and H_non. It must be different from H_sig for proper domain separation. |
| HashSig | Hash function used to generate the Fiat-Shamir challenge for the signature (H_sig). |
SpeedyMuSig paper at https://eprint.iacr.org/2021/1375.pdf
Definition at line 34 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::affine_element = typename G1::affine_element |
Definition at line 44 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::element = typename G1::element |
Definition at line 45 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::Fq = typename G1::Fq |
Definition at line 42 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::Fr = typename G1::Fr |
Definition at line 43 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::key_pair = crypto::schnorr_key_pair<Fr, G1> |
Definition at line 46 of file multisig.hpp.
| using bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::RoundTwoPublicOutput = Fr |
Definition at line 115 of file multisig.hpp.
| static std::optional< schnorr_signature > bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::combine_signatures (const std::string &message, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces, const std::vector< RoundTwoPublicOutput > &round_2_signature_shares) | inline static |
The final step in the SpeedyMuSig multisig scheme. Can be computed by an untrusted 3rd party. Combines the message, signer pubkeys and round 1 outputs to compute the Schnorr signature parameter e. Combines the outputs of round 2 to compose the total Schnorr signature parameter s.
| message | |
| signer_pubkeys | |
| round_1_nonces | The outputs of round 1 |
| round_2_signature_shares | The outputs of round 2 |
Definition at line 400 of file multisig.hpp.
| static affine_element bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::construct_multisig_nonce (const Fr &a, const std::vector< RoundOnePublicOutput > &round_1_nonces) | inline static private |
Compute the Schnorr signature scheme's nonce group element [R], given each signer's public nonces [R_user], [S_user] and the nonce challenge a.
| a | the nonce challenge |
| round_1_nonces | the public outputs of round 1 from all signers |
Definition at line 216 of file multisig.hpp.
| static std::pair< RoundOnePublicOutput, RoundOnePrivateOutput > bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::construct_signature_round_1 () | inline static |
First round of SpeedyMuSig. Signers generate random nonce keypairs R = {r, [R]}, S = {s, [S]}.
| message | |
Definition at line 317 of file multisig.hpp.
| static std::optional< RoundTwoPublicOutput > bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::construct_signature_round_2 (const std::string &message, const key_pair &signer, const RoundOnePrivateOutput &signer_round_1_private_output, const std::vector< MultiSigPublicKey > &signer_pubkeys, const std::vector< RoundOnePublicOutput > &round_1_nonces) | inline static |
Second round of SpeedyMuSig. Given the signer pubkeys and the output of round 1, round 2 has each signer compute a share of the Schnorr signature scheme's s parameter.
| message | |
| signer | |
| signer_round_1_private_output | the signer's secret nonce values r, s |
| signer_pubkeys | |
| round_1_nonces | the output from round 1 |
Returns s, if round 2 succeeds.
Definition at line 348 of file multisig.hpp.
| template<typename T > static std::vector< size_t > bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::duplicated_indices (const std::vector< T > &input) | inline static private |
Returns a vector of indices of elements in input that are included more than once.
| T | implements operator< |
| input | list of elements possibly containing duplicates |
Definition at line 238 of file multisig.hpp.
| static Fr bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::generate_nonce_challenge (const std::string &message, const affine_element &aggregate_pubkey, const std::vector< RoundOnePublicOutput > &round_1_nonces) | inline static private |
Generates the Fiat-Shamir challenge a that is used to create a Schnorr signature nonce group element [R], where [R] is a uniformly randomly distributed combination of the signer nonces.
N.B. a is message- and signer-dependent and cannot be pre-generated prior to knowing the message being signed over.
| message | |
| aggregate_pubkey | the output of combine_signer_pubkeys |
| round_1_nonces | the public outputs of round 1 from all signers |
Returns a = int(H_non(G, X_agg, "m_start", m.size(), m, "m_end", {(R1, S1), ..., (Rn, Sn)})) % r, where r is the field order.
Definition at line 160 of file multisig.hpp.
| static bool bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::valid_round1_nonces (const std::vector< RoundOnePublicOutput > &round1_public_outputs) | inline static private |
Given a list of commitments to nonces produced in round 1, we check that all points are valid and that the list does not contain duplicates.
| round1_public_outputs | a list of pairs of points {(R1,S1), ...., (Rn,Sn)} |
Definition at line 125 of file multisig.hpp.
| static std::optional< affine_element > bb::crypto::schnorr_multisig< G1, HashRegNon, HashSig >::validate_and_combine_signer_pubkeys (const std::vector< MultiSigPublicKey > &signer_pubkeys) | inline static |
Computes the sum of all signer pubkeys. Output is the public key of the public-facing schnorr multisig "signer".
| signer_pubkeys | |
Definition at line 271 of file multisig.hpp.
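The round structure documented on this page, as an added toy example that is not Barretenberg's code: Python over the order-q subgroup of Z_p^* for a constructed, insecure (p, q) pair, so the "sum of all signer pubkeys" becomes a product in multiplicative notation. It assumes a simplified H_non input (no "m_start"/"m_end" framing) and SHA-256 with distinct tags standing in for H_reg/H_non and H_sig; function names mirror the members above, and round 2 is computed directly from the private scalar rather than a key_pair.

```python
import hashlib
import math
import secrets
# Constructed toy group (insecure, tiny): p = 2q + 1 and g generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

def hash_to_scalar(tag: bytes, *parts) -> int:
    """Domain-separated hash into Z_q; the tags H_reg/H_non and H_sig keep the hashes distinct."""
    data = tag + b"".join(repr(part).encode() for part in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def schnorr_sign(tag, x, X, msg):
    """Plain Schnorr (R, s); with tag H_reg and msg == X this is the proof of possession."""
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    return R, (k + hash_to_scalar(tag, R, X, msg) * x) % Q

def schnorr_verify(tag, X, msg, sig) -> bool:
    R, s = sig
    return pow(G, s, P) == R * pow(X, hash_to_scalar(tag, R, X, msg), P) % P

def validate_and_combine_signer_pubkeys(signer_pubkeys):
    """Reject duplicate keys or a bad proof of possession; else return the aggregate key."""
    keys = [X for X, _ in signer_pubkeys]
    if len(set(keys)) != len(keys) or not all(schnorr_verify(b"H_reg", X, X, pop) for X, pop in signer_pubkeys):
        return None
    return math.prod(keys) % P  # the "sum of all signer pubkeys" in multiplicative notation

def construct_signature_round_1():
    """Nonce keypairs: public ([R], [S]) to broadcast, private (r, s) to keep."""
    r, s = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, s, P)), (r, s)

def nonce_and_challenges(msg, X_agg, nonces):
    """a = H_non(X_agg, m, nonces); [R] = prod [R_i]*[S_i]^a; e = H_sig([R], X_agg, m)."""
    if len(set(nonces)) != len(nonces):  # valid_round1_nonces: no repeated commitments
        raise ValueError("duplicate round-1 nonces")
    a = hash_to_scalar(b"H_non", X_agg, msg, nonces)
    R = math.prod(R_i * pow(S_i, a, P) for R_i, S_i in nonces) % P
    return a, R, hash_to_scalar(b"H_sig", R, X_agg, msg)

def construct_signature_round_2(msg, x, priv_nonce, X_agg, nonces):
    a, _, e = nonce_and_challenges(msg, X_agg, nonces)
    r, s = priv_nonce
    return (r + a * s + e * x) % Q  # this signer's share of s

def combine_signatures(msg, X_agg, nonces, shares):
    """Untrusted combiner: recompute [R] and sum the shares into an ordinary Schnorr (R, s)."""
    _, R, _ = nonce_and_challenges(msg, X_agg, nonces)
    return R, sum(shares) % Q
```

The resulting (R, s) passes the same check as a single-signer Schnorr signature under the aggregate key, because g^s = prod([R_i] [S_i]^a) * X_agg^e once the shares are summed.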