shielded K-of-N multisig using a tree of K-choose-N MultiRedDSA keys #3946
Labels:
- A-circuit: Area: zk-SNARK circuits
- A-consensus: Area: Consensus rules
- A-crypto: Area: Cryptography
- C-research: Category: Engineering notes in support of design choices
- I-performance: Problems and improvements with respect to performance
- I-SECURITY: Problems and improvements related to security
- M-going-fully-shielded: This advances our objective of deprecating t-addresses and going fully-shielded
- M-requires-nu: A network upgrade is required to implement this
- M-requires-zip: This change would need to be specified in a ZIP
Someone asked how we proposed to do shielded K-of-N multisig, and I realised that my idea for how to do that hadn't been written up yet. #782 describes a complicated and inefficient approach using "partial spends", but there's a much better approach.
Assume that we've already implemented N-of-N shielded multisig using MultiRedDSA, as described in #3729.
To generate a K-of-N multisig address:
The Spend circuit is modified to allow akm to be used in place of ak in the input to CRHivk. That is, add a Merkle tree check that akm is the root of a tree of fixed depth m containing ak. For compatibility with ordinary (non-multisig) keys, there is an extra private boolean input is_multisig that determines whether to perform this Merkle check or to directly check akm = ak. We also include is_multisig as an input (probably in the personalization) to CRHivk, so that a multisig root and a plain ak are never interchangeable.
Signing is essentially the same as for K-of-K. Verification of spend authorization signatures is oblivious to whether the key is multisig: you verify with a randomized key in the same way as in Sapling.
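The following is an added toy model of the structure described above; it is not code from the zcash project or this issue, and it deliberately replaces the real primitives with stand-ins. The leaves are one aggregated K-of-K key per K-subset of the N participant keys (the "K-choose-N" tree from the title), akm is the root of a fixed-depth-m Merkle tree over those leaves, and `check_akm` models the modified Spend circuit check with the `is_multisig` switch. The hash `H`, the `aggregate_kofk` stand-in for MultiRedDSA key aggregation (real aggregation is a Jubjub group operation, not a hash), and the `crh_ivk_input` personalization are all assumptions made for illustration, not Sapling's actual functions.

```python
import hashlib
from itertools import combinations

def H(*parts: bytes) -> bytes:
    # Toy stand-in for the circuit's Merkle hash (Sapling uses a Pedersen hash).
    h = hashlib.blake2b(digest_size=32, person=b"toy-akm-tree")
    for p in parts:
        h.update(p)
    return h.digest()

def aggregate_kofk(keys):
    # Toy stand-in for MultiRedDSA key aggregation: the K participant keys of one
    # subset become a single K-of-K key ak. Order-independent via sorting so that
    # the same subset always yields the same leaf regardless of signer order.
    return H(b"agg", *sorted(keys))

def build_akm_tree(all_keys, k, depth):
    # Leaves: one aggregated K-of-K key per K-subset of the N keys, padded to 2^depth
    # with a constructed "empty" leaf. Returns all layers; layers[-1][0] is akm.
    leaves = [aggregate_kofk(sub) for sub in combinations(all_keys, k)]
    if len(leaves) > 2 ** depth:
        raise ValueError("tree depth m too small for C(N,K) leaves")
    empty = H(b"empty")
    leaves += [empty] * (2 ** depth - len(leaves))
    layers = [leaves]
    while len(layers[-1]) > 1:
        prev = layers[-1]
        layers.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return layers

def merkle_path(layers, index):
    # Authentication path for leaf `index`: (sibling, is_right_child) per level.
    path = []
    for layer in layers[:-1]:
        path.append((layer[index ^ 1], index & 1))
        index >>= 1
    return path

def check_akm(akm, ak, is_multisig, path, depth):
    # Models the modified Spend circuit: if is_multisig, ak must be a leaf of the
    # depth-m tree rooted at akm; otherwise akm must equal ak directly. The path
    # length is fixed to the circuit's depth m, as the circuit itself would be.
    if not is_multisig:
        return akm == ak
    if len(path) != depth:
        return False
    node = ak
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node == akm

def crh_ivk_input(akm, nk, is_multisig):
    # Toy model of binding is_multisig into the CRH^ivk personalization, so a
    # multisig root and a plain ak with the same bytes still derive different ivk.
    person = b"toy-ivk-ms" if is_multisig else b"toy-ivk"
    return hashlib.blake2b(akm + nk, digest_size=32, person=person).digest()

def demo_2_of_3():
    # Constructed sample: three participant keys, K = 2, tree depth m = 2.
    keys = [bytes([i]) * 32 for i in (1, 2, 3)]
    layers = build_akm_tree(keys, 2, 2)
    akm = layers[-1][0]
    # Participants 1 and 3 sign: their K-of-K key is the leaf they must prove.
    ak = aggregate_kofk([keys[0], keys[2]])
    idx = layers[0].index(ak)
    proof = merkle_path(layers, idx)
    return {
        "multisig_ok": check_akm(akm, ak, True, proof, 2),
        "plain_path_rejected": check_akm(akm, ak, False, [], 2),
        "plain_key_ok": check_akm(ak, ak, False, [], 2),
        "ivk_differs": crh_ivk_input(akm, b"n" * 32, True)
                       != crh_ivk_input(akm, b"n" * 32, False),
    }

if __name__ == "__main__":
    print(demo_2_of_3())
```

Two points the model makes visible: the number of leaves is C(N, K), so the fixed depth m bounds the largest N and K a single circuit can support, and a key that is not an aggregated subset (or an ak presented with `is_multisig = False` against a multisig root) fails the check.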
Advantages:
Disadvantages: