Skip to main content

Schnorr Multi Signatures

We implement the SpeedyMuSig protocol by E. Crites, C. Komlo and M. Maller described in ePrint 2021/1375 in Fig. 7. Given a group of nn signers with public/private key pairs (pki,ski)i\\{ (\mathsf{pk}_i,\mathsf{sk}_i) \\}_i, the protocol allows the group to generate a Schnorr signature for an aggregate public key pk\mathsf{pk} derived from the group's public keys. We use it to generate Schnorr signatures over aggregated spending keys, which are used inside of circuits to validate the public inputs.

The Schnorr signatures produced are defined over the Grumpkin curve, using BLAKE2s as random-oracle to derive Fiat-Shamir challenges.

Protocol description

SpeedyMuSig is a two round multi-party computation.

Setup

Each user PiP_i with signing key-pair (pki,ski)(\mathsf{pk}_i,\mathsf{sk}_i) generates a Proof of Possession πi\pi_i which is a variant of a Schnorr proof of knowledge of the discrete logarithm of a group element. Its purpose is to attest that PiP_i actually knows the secret key ski\mathsf{sk}_i associated to the public key pkiG\mathsf{pk}_i \in \mathbb{G} such that pki=skiG\mathsf{pk}_i = \mathsf{sk}_i \cdot G.

The users share their public keys and associated proofs (pki,πi)(\mathsf{pk}_i, \pi_i), and verify the proofs. If all checks succeed, the aggregated public key can be computed as pk=ipki\mathsf{pk} = \sum_{i} \mathsf{pk}_i.

The proof of possession implementation follows the specification in the paper and can be instantiated over any curve and hash function used as random oracle. We deviate slightly from the paper since we implement the signature variant where we send (cˉ,zˉ)(\bar{c},\bar{z}) (defined as (e,s) in the code) instead of (Rˉ,zˉ)(\bar{R},\bar{z}). These representations are equivalent.

We disallow the usage of the same hash function for both the signature scheme and the proof of knowledge (and later the nonce generation). This is done to ensure that all three hash functions Hreg,Hnon,HsigH_{reg}, H_{non}, H_{sig} are properly domain separated. To maintain compatibility with the existing circuits, we use BLAKE2s for HsigH_{sig} without domain separation. This means that we cannot use the same function for the other two hash functions, even if we include prefixes for the latter ones. We therefore use the Keccak function, with proper domain separation strings, for HregH_{reg} and HnonH_{non}. In both functions, we also pass in the group generator GG as first argument. We do not apply this to the HsigH_{sig} function as we maintain backwards compatibility with the existing circuit.

Proofs of possession are deterministic, with the nonce kk derived in a similar was as in our Schnorr implementation using HMAC.

There is a slight bias in the generation of the Fiat-Shamir challenge ee due to the modular reduction by F|\mathbb{F}|.

Round 1

Each party PiP_i generates a random secret nonce pair (ri,si)F2(r_i,s_i) \in \mathbb{F}^2 which is saves in its private state. The parties broadcast the corresponding commitments (Ri,Si)(R_i,S_i) where Ri=riGR_i = r_i \cdot G and Si=siGS_i = s_i \cdot G.

This round can be performed in advance and multiple times in order to generate several sets of commitments, so that subsequent signing can be done faster.

Round 2

After receiving a list of commitments (Ri,Si)i\\{(R_i,S_i)\\}_i from all parties, each party computes their additive share ziz_i of the final signature's ss component.

The nonce challenge aa is computed slightly differently as in the paper, in order to prevent accidental collisions. Indeed, since the length of the message is variable, we add both a fixed prefix and suffix so that the message cannot be interpreted as the nonce from another signing session. We have a=Hnon(pk  "m_start"  m  "m_end"  (R1,S1)    (Rn,Sn))a = H_{non}\Big(\mathsf{pk} \ \vert\vert\ \mathtt{"m\_start"} \ \vert\vert\ m \ \vert\vert\ \mathtt{"m\_end"} \ \vert\vert\ (R_1,S_1)\ \vert\vert\ \cdots \ \vert\vert\ (R_n,S_n)\Big) (we interpret aa as a field element by reducing modulo F|\mathbb{F}|, noting the slight bias from the uniform distribution).

The Schnorr challenge RR is then computed as R=i(Ri+aSi)=(iRi)+a(iSi)R = \sum_{i} (R_i + a \cdot S_i) = \Big(\sum_{i} R_i \Big) + a \cdot \Big( \sum_{i} S_i \Big), which is used to derive the final signature's Fiat-Shamir challenge ee (using the different hash function).

Each user then computes zi=ri+asiskiez_i = r_i + a\cdot s_i - \mathsf{sk}_i \cdot e. At this point, these shares can simply be sent to a single trusted "signature coordinator", along with the public outputs from the first two rounds, who can compute the final signature (s,e)(s,e).

Signature Aggregation

Once all parties have produced their round 2 output ziz_i, they can either broadcast this value to all other parties so that everyone can produce the final signature, or they can send it to a central coordinator who will produce the final signature.

Given the set of round 1 nonce commitments (Ri,Si)i\\{ (R_i,S_i)\\}_i, and the signature shares zii\\{z_i\\}_i, the final signature is computed as follows:

  • validate all public keys with their proofs of possession.
  • validate round 1 and round 2 messages
  • recompute aggregate public key
  • recompute values a,Ra, R and derive the signature's Fiat-Shamir challenge ee
  • compute the ss component of the signature as s=izis = \sum_i z_i.

The final signature is (s,e)(s, e) as defined by the single party Schnorr signature algorithm implementation.

Known issues

Bias in Fiat-Shamir challenges

When the protocol is instantiated over an elliptic curve whose subgroup's order is far from 225612^{256}-1 (the range of the output of our hash functions), the field element we obtain from the Fiat-Shamir transform will not exactly follow the uniform distribution over F\mathbb{F}. Applying the modular reduction over the 256-bit hash output (which we assume is uniform) induces a small bias in favor of "smaller" field elements. Therefore, the field element ee does not actually follow a uniform distribution over F\mathbb{F}.

Since fixing this issue would require circuit changes, we chose to accept this slight bias.

Usage notes

Non-deterministic signatures

Signatures produced with this protocol cannot be made deterministic as there is no easy way of ensuring that all participants are generating their shares of the nonce deterministically. While deterministic signatures are handy in the single party case where the signer may not have access to strong randomness (in the browser for example), multisignature nonces essentially combine each signer's randomness using the unpredictable output of a hash function.

Message ordering

When the parties are broadcasting the round 1 nonce commitements (Ri,Si)(R_i,S_i), the signature will only succeed if all parties agree on the same ordering. Otherwise, parties would end up with different aa values.