`@hyperdivision/shielded-multisig`

![Build Status](https://travis-ci.com/hyperdivision/vhs-tape)

> Shielded Bitcoin Multisig using Public Key Tweaking

Create multisig wallets based on a set of public keys without access to secret
keys or revealing public keys.

Usage

``js const shield = require('@hyperdivision/shielded-multisig')

// secp256k1 master keys used to redeem. Here we construct a 2-of-3 address const threshold = 2 const masterKeys = [ Buffer.from('...', 'hex'), Buffer.from('...', 'hex'), Buffer.from('...', 'hex') ]

// id must be 32-byte Buffer. // Could for example be a 256 bit hash of some user string const id = Buffer.alloc(32) id.writeUInt32LE(1) // Just use the Uint32LE value of1 for this example

// Save the tweak somewhere, and give out the hash. The countermay be // incremented internally if a specific value causes an invalid tweaked key const { tweakData, address } = shield.address({ id, counter: 0 }, masterKeys, threshold)

// deepEqual(tweakDataS, tweakData) === true const { tweakData: tweakDataS, script } = shield.redeemScript(tweakData, masterKeys, threshold)`

Signing using bcoin:

`js const shield = require('@hyperdivision/shielded-multisig') const { tweakPrivate } = require('@hyperdivision/shielded-multisig/tweak')

const threshold = 2 const masterKeys = [ Buffer.from('...', 'hex'), Buffer.from('...', 'hex'), Buffer.from('...', 'hex') ]

const { tweakData, script } = shield.redeemScript({ / ... / }, masterKeys, threshold)

const privateKey = Buffer.from('...', 'hex')

// bcoin part const { MTX, KeyRing } = require('bcoin') const spend = MTX.fromJSON(/ transaction data /)

const ring = KeyRing.fromPrivate(tweakPrivate(tweakData, privateKey)) ring.witness = true ring.script = script

var signed = spend.sign(ring) if (signed !== spend.inputs.length) throw new Error('Did not sign all inputs')

// now spend is signed`

`API`

`$3`

Generate a new address from { id, counter }, masterKeys and threshold. The inputs uniquely and deterministically determine theaddress.

id must be a 32-byte Bufferand could be eg. a username, account number, persisted random buffer or hash of some user information. The counter can be used to generate multiple addresses for a single user or can be left at0. Note thattweakDatamay return a counter different from the one passed, if the details of the algorithm results in an invalid public key. This is extremely rare, but do not rely on the passed counter actually being the one that is used.

masterKeys must be an array of valid secp256k1public keys encoded asBuffers. Threshold must be an integer less than or equal to the number of master keys.

Returns a tweakDataobject, that you should persist for future use, andaddress which is a bcoin Address of a P2SH(P2WSH(m of n))script that can be encoded as desired.

`$3`

Exactly the same as above, but return a bcoin Script instead of an Address.

`$3`

Validate masterKeys for being points on the curve (ie valid keys)

`$3`

Low-level facility to compute the tweaked public key. Note that you must provide the fulltweakData as returned by the above functions. Returns a Buffer

`$3`

Low-level facility to compute the tweaked private key. Note that you must provide the fulltweakDataas returned by the above functions. Returns aBuffer

`$3`

Compute a non-reduced scalar from tweakDataas a 32 byte Buffer. Used internally bytweakPublic and tweakPrivate

`Algorithm`

This module uses key tweaking based on Diffie-Hellman and hash functions. A given master key pair is tweaked using a hash oftweakData, which works as follows:

1. The tweakDatais hashed using keyed BLAKE2b, as followstweak = BLAKE2b-256( 32-byte id || U32LE(counter) || U8(threshold), key = nonce). Thenonceis computed as the hash of the set of master keys sorted lexicographically, and then concatenated:nonce = BLAKE2b-256(CONCAT(SORT(masterKeys)))2. The tweaked key pair can now be computed asPK' = [tweak]·PKandSK' = tweak * SK, where [x]·Edenotes scalar multiplication of group elementE with scalar x, and x * ydenotes field multiplication. The reason this works is becausesecp256k1is a prime order group, so every element of the group is a generator. Private/Secret keys are simply scalars over the finite field, while public keys arePK = [SK]·G, where Gis the predefined base point of the group. However since any element of the group is a generator we can use the public key as a generator for a new derived key. Since scalar multiplication is associative,[tweak]·[SK]·G = [tweak * SK]·G, so we can recover the derived private key when we need to sign with for the tweaked public key, by applying our tweak to our private key. 3. If the above[tweak]·PKresults in the invalid public key we increment the counter from step 1 and try again.

`Install`

`sh npm install @hyperdivision/shielded-multisig``

License

ISC

`@hyperdivision/shielded-multisig`

![Build Status](https://travis-ci.com/hyperdivision/vhs-tape)

> Shielded Bitcoin Multisig using Public Key Tweaking

Create multisig wallets based on a set of public keys without access to secret
keys or revealing public keys.

Usage

``js const shield = require('@hyperdivision/shielded-multisig')

// id must be 32-byte Buffer. // Could for example be a 256 bit hash of some user string const id = Buffer.alloc(32) id.writeUInt32LE(1) // Just use the Uint32LE value of1 for this example

// deepEqual(tweakDataS, tweakData) === true const { tweakData: tweakDataS, script } = shield.redeemScript(tweakData, masterKeys, threshold)`

Signing using bcoin:

`js const shield = require('@hyperdivision/shielded-multisig') const { tweakPrivate } = require('@hyperdivision/shielded-multisig/tweak')

const threshold = 2 const masterKeys = [ Buffer.from('...', 'hex'), Buffer.from('...', 'hex'), Buffer.from('...', 'hex') ]

const { tweakData, script } = shield.redeemScript({ / ... / }, masterKeys, threshold)

const privateKey = Buffer.from('...', 'hex')

// bcoin part const { MTX, KeyRing } = require('bcoin') const spend = MTX.fromJSON(/ transaction data /)

const ring = KeyRing.fromPrivate(tweakPrivate(tweakData, privateKey)) ring.witness = true ring.script = script

var signed = spend.sign(ring) if (signed !== spend.inputs.length) throw new Error('Did not sign all inputs')

// now spend is signed`

`API`

`$3`

Generate a new address from { id, counter }, masterKeys and threshold. The inputs uniquely and deterministically determine theaddress.

masterKeys must be an array of valid secp256k1public keys encoded asBuffers. Threshold must be an integer less than or equal to the number of master keys.

Returns a tweakDataobject, that you should persist for future use, andaddress which is a bcoin Address of a P2SH(P2WSH(m of n))script that can be encoded as desired.

`$3`

Exactly the same as above, but return a bcoin Script instead of an Address.

`$3`

Validate masterKeys for being points on the curve (ie valid keys)

`$3`

Low-level facility to compute the tweaked public key. Note that you must provide the fulltweakData as returned by the above functions. Returns a Buffer

`$3`

Low-level facility to compute the tweaked private key. Note that you must provide the fulltweakDataas returned by the above functions. Returns aBuffer

`$3`

Compute a non-reduced scalar from tweakDataas a 32 byte Buffer. Used internally bytweakPublic and tweakPrivate

`Algorithm`

This module uses key tweaking based on Diffie-Hellman and hash functions. A given master key pair is tweaked using a hash oftweakData, which works as follows:

`Install`

`sh npm install @hyperdivision/shielded-multisig``

License

ISC