Struct schnorr_fun::musig::MuSig
source · pub struct MuSig<H, NG> {
pub schnorr: Schnorr<H, NG>,
/* private fields */
}
Expand description
The MuSig context.
Fields§
§schnorr: Schnorr<H, NG>
The instance of the underlying Schnorr context.
Implementations§
source§impl<H, NG> MuSig<H, NG>
impl<H, NG> MuSig<H, NG>
sourcepub fn new_keypair(&self, secret_key: Scalar) -> KeyPair
pub fn new_keypair(&self, secret_key: Scalar) -> KeyPair
Create a new keypair.
A shorthand for KeyPair::new
.
sourcepub fn gen_nonce<R: RngCore>(&self, nonce_rng: &mut R) -> NonceKeyPair
pub fn gen_nonce<R: RngCore>(&self, nonce_rng: &mut R) -> NonceKeyPair
Generate nonces for creating signatures shares.
⚠ You must use a CAREFULLY CHOSEN nonce rng, see MuSig::seed_nonce_rng
source§impl<H: Digest<OutputSize = U32> + Clone, NG> MuSig<H, NG>
impl<H: Digest<OutputSize = U32> + Clone, NG> MuSig<H, NG>
sourcepub fn new_agg_key(&self, keys: Vec<Point>) -> AggKey<Normal>
pub fn new_agg_key(&self, keys: Vec<Point>) -> AggKey<Normal>
Generates a new aggregated key from a list of individual keys.
Each party can be local (you know the secret key) or remote (you only know the public key).
§Example
use schnorr_fun::{
fun::{Point, Scalar},
musig::MuSig,
nonce::Deterministic,
Schnorr,
};
use sha2::Sha256;
let musig = MuSig::<Sha256, Deterministic<Sha256>>::default();
let my_keypair = musig.new_keypair(my_secret_key);
let my_public_key = my_keypair.public_key();
// Note the keys have to come in the same order on the other side!
let agg_key = musig.new_agg_key(vec![their_public_key, my_public_key]);
source§impl<H, NG> MuSig<H, NG>
impl<H, NG> MuSig<H, NG>
sourcepub fn seed_nonce_rng<R: SeedableRng<Seed = [u8; 32]>>(
&self,
agg_key: &AggKey<impl Normalized>,
secret: &Scalar,
session_id: &[u8]
) -> R
pub fn seed_nonce_rng<R: SeedableRng<Seed = [u8; 32]>>( &self, agg_key: &AggKey<impl Normalized>, secret: &Scalar, session_id: &[u8] ) -> R
Seed a random number generator to be used for MuSig nonces.
** ⚠ WARNING ⚠**: This method is unstable and easy to use incorrectly. The seed it uses for the Rng will change without warning between minor versions of this library.
Parameters:
agg_key
: the joint public key we are signing under. This can be anXOnly
orNormal
. It will return the same nonce regardless.secret
: you’re secret key as part ofagg_key
. This must be the secret key you are going to sign with. It cannot be an “untweaked” version of the signing key. It must be exactly equal to the secret key you pass tosign
(the MuSig specification requires this).session_id
: a string of bytes that is unique for each signing attempt.
The application should decide upon a unique session_id
per call to this function. If the
NonceGen
of this MuSig instance is Deterministic
then the session_id
must be
unique per signing attempt – even if the signing attempt fails to produce a signature you
must not reuse the session id, the resulting rng or anything derived from that rng again.
💡 Before using this function write a short justification as to why your beleive your session id will be unique per signing attempt. Perhaps include it as a comment next to the call. Note it must be unique even across signing attempts for the same or different messages.
The rng returned can be used to create many nonces. For example, when signing a Bitcoin
transaction you may need to sign several inputs each with their own signature. It is
intended here that you call seed_nonce_rng
once for the transaction and pull several nonces
out of the resulting rng.
source§impl<H: Digest<OutputSize = U32> + Clone, NG> MuSig<H, NG>
impl<H: Digest<OutputSize = U32> + Clone, NG> MuSig<H, NG>
sourcepub fn start_sign_session(
&self,
agg_key: &AggKey<EvenY>,
nonces: Vec<Nonce>,
message: Message<'_, Public>
) -> SignSession
pub fn start_sign_session( &self, agg_key: &AggKey<EvenY>, nonces: Vec<Nonce>, message: Message<'_, Public> ) -> SignSession
Start a signing session.
You must provide the public nonces for this signing session in the correct order.
§Return Value
Returns None
in the case that the remote_nonces
have been (maliciously) selected to
cancel out your local nonces.
This is not a security issue – we just can’t continue the protocol if this happens.
§Panics
Panics if number of nonces does not align with the keys in agg_key
.
sourcepub fn start_encrypted_sign_session(
&self,
agg_key: &AggKey<EvenY>,
nonces: Vec<Nonce>,
message: Message<'_, Public>,
encryption_key: &Point<impl PointType, impl Secrecy, impl ZeroChoice>
) -> Option<SignSession<Adaptor>>
pub fn start_encrypted_sign_session( &self, agg_key: &AggKey<EvenY>, nonces: Vec<Nonce>, message: Message<'_, Public>, encryption_key: &Point<impl PointType, impl Secrecy, impl ZeroChoice> ) -> Option<SignSession<Adaptor>>
Start an encrypted signing session.
i.e. a session to produce an adaptor signature under encryption_key
.
See adaptor
for a more general description of adaptor signatures.
You must provide the public nonces (where your public portions must be shared with the other signer(s)).
§Return Value
Returns None
in the case that the remote_nonces
have been (maliciously) selected to
cancel out your local nonces.
This is not a security issue – we just can’t continue the protocol if this happens.
§Panics
Panics if number of local or remote nonces passed in does not align with the keys in
agg_key
.
sourcepub fn sign<T>(
&self,
agg_key: &AggKey<EvenY>,
session: &SignSession<T>,
my_index: usize,
keypair: &KeyPair,
local_secret_nonce: NonceKeyPair
) -> Scalar<Public, Zero>
pub fn sign<T>( &self, agg_key: &AggKey<EvenY>, session: &SignSession<T>, my_index: usize, keypair: &KeyPair, local_secret_nonce: NonceKeyPair ) -> Scalar<Public, Zero>
Generates a partial signature (or partial encrypted signature depending on T
) for the local_secret_nonce.
sourcepub fn verify_partial_signature<T>(
&self,
agg_key: &AggKey<EvenY>,
session: &SignSession<T>,
index: usize,
partial_sig: Scalar<Public, Zero>
) -> bool
pub fn verify_partial_signature<T>( &self, agg_key: &AggKey<EvenY>, session: &SignSession<T>, index: usize, partial_sig: Scalar<Public, Zero> ) -> bool
Verifies a partial signature (or partial encrypted signature depending on T
).
You must provide the index
of the party (the index of the key in agg_key
).
§Panics
Panics when index
is equal to or greater than the number of keys in the agg_key.
sourcepub fn combine_partial_signatures(
&self,
agg_key: &AggKey<EvenY>,
session: &SignSession<Ordinary>,
partial_sigs: impl IntoIterator<Item = Scalar<Public, Zero>>
) -> Signature
pub fn combine_partial_signatures( &self, agg_key: &AggKey<EvenY>, session: &SignSession<Ordinary>, partial_sigs: impl IntoIterator<Item = Scalar<Public, Zero>> ) -> Signature
Combines all the partial signatures into a single Signature
.
Note this does not check the validity of any of the partial signatures. You should either check
each one using verify_partial_signature
or use verify
on the returned Signature
to check validity.
sourcepub fn combine_partial_encrypted_signatures(
&self,
agg_key: &AggKey<EvenY>,
session: &SignSession<Adaptor>,
partial_encrypted_sigs: impl IntoIterator<Item = Scalar<Public, Zero>>
) -> EncryptedSignature
pub fn combine_partial_encrypted_signatures( &self, agg_key: &AggKey<EvenY>, session: &SignSession<Adaptor>, partial_encrypted_sigs: impl IntoIterator<Item = Scalar<Public, Zero>> ) -> EncryptedSignature
Combines all the partial encrypted signatures into one encrypted signature.
Note this does not check the validity of any of the partial signatures. You should either check
each one using verify_partial_signature
or use verify_encrypted_signature
on the returned Signature
to check validity.