Monero multisignatures explained – Hacker Noon

This text opens a new series in which we will explore the inner workings of various blockchains currently used by the industry. Today, I’m glad to present our first research subject: Monero, the blockchain behind XMR, a fairly well-known, privacy-centered cryptocurrency. As a privacy-oriented network, it implements a number of interesting algorithmic and cryptographic solutions, including multisignature (or simply multisig), a digital signature scheme that allows multiple users to sign documents together as a group.

Figure 1. Creating a 2/2 multisig wallet

First, the participants share their private view keys and public spend keys with each other, and then calculate the respective sums. The sum of the private view keys becomes the private view key of the new wallet, and its public view key is derived from that private key. The wallet’s public spend key is calculated the same way, by summing the participants’ public spend keys. If the N/N scheme was chosen, that is all there is to it: the wallet is now created.

If users opt for the N-1/N scheme, they still have to share their private view and public spend keys with each other, but then each participant must multiply every public spend key received by their own private spend key. The resulting values form a new set of private spend keys, called “multisignature keys,” as shown in Figure 2.

Figure 2. Creating a 2/3 multisig wallet

You might have noticed that in the figure above, the keys of the same color have the same value. This is because such multisignature keys have one important property expressed by the following equality:

Figure 3. Simplified representation of a transaction

On the right are the transaction outputs, i.e. the money the transaction generates; on the left are the inputs, i.e. the money that is destroyed once the transaction is complete.

So, when Alice wants to send 1 XMR to Bob, she takes 1 XMR plus the necessary fee from her unspent outputs, puts them into her inputs, calculates a key image for each of them, and finally generates the outputs for 1 XMR together with an output key for each of them.

On the receiving side, Bob uses his private view key and public spend key to restore the output key for each output generated by Alice; if a restored key matches the key in the incoming output, he considers that output as intended for him.

From the network’s point of view, a multisig transaction isn’t in any sense different, although it’s a little bit more complicated to initiate. It’s usually done in several steps:

  • Participants exchange partial key images for all known outputs;
  • Participants re-synchronize their wallets in order to learn the accurate balance, taking the key images into account;
  • The sender prepares the transaction, signs it, and sends it over to one of the counterparts;
  • Each subsequent participant adds their own part of the RingCT signature;
  • The last signer completes the RingCT signature.

Generating key images and sharing outputs

When scanning the blockchain (i.e. during synchronization), a wallet cannot determine whether any inputs are spending its outputs, because it does not have the data needed to calculate the key images for them; in effect, it only accounts for incoming transactions.

In order to build a transaction correctly, a user needs to restore the key image for each of the outputs, then synchronize with the blockchain to determine which outputs have already been spent, and only then proceed to generating the transaction. Figure 4 shows the process of restoring key images for a 2/3 wallet.

Figure 4. Restoring key images for a 2/3 wallet

Again, to put it simply, the key image for each output is calculated by summing the distinct values of all partial key images. As can be seen from the figure above, any two participants out of three can do this, and, most importantly, their private keys remain undisclosed during the transaction, so a third party cannot restore the complete spend key and seize control over their funds.
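The following is an added example, not code from the article or from the Monero project: pure-Python Ed25519 arithmetic that reproduces the N-1/N key construction of Figure 2 (each party multiplies the others’ public spend keys by its own private spend key, so keys of the same color coincide) and the key-image summation of Figure 4 for a 2/3 wallet. It assumes sha3_256 as a stand-in for Monero’s Keccak-based hash-to-scalar, a “hash-to-scalar times G” stand-in for Monero’s hash-to-point, and treats the wallet spend key as the output’s private key (the per-output term derived from the view key is omitted); participant names and keys are constructed.

```python
import hashlib
from typing import Dict, Tuple

P = 2**255 - 19                                       # Ed25519 field prime
L = 2**252 + 27742317777372353535851937790883648493    # group order
D = (-121665 * pow(121666, -1, P)) % P                 # curve constant (a = -1)
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
Point = Tuple[int, int]

def add(a: Point, b: Point) -> Point:                  # affine twisted-Edwards addition
    (x1, y1), (x2, y2) = a, b
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + y1 * x2) * pow(1 + t, -1, P) % P,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, P) % P)

def mul(k: int, q: Point) -> Point:                    # double-and-add scalar multiplication
    r, k = (0, 1), k % L
    while k:
        if k & 1:
            r = add(r, q)
        q, k = add(q, q), k >> 1
    return r

def enc(q: Point) -> bytes:
    return q[0].to_bytes(32, "little") + q[1].to_bytes(32, "little")
def h_s(data: bytes) -> int:                           # hash-to-scalar; sha3 stands in for Keccak (assumption)
    return int.from_bytes(hashlib.sha3_256(data).digest(), "little") % L
def h_p(q: Point) -> Point:                            # hash-to-point stand-in (assumption): H_s(P)*G
    return mul(h_s(b"Hp" + enc(q)), G)

def multisig_keys(my_priv: int, others: Dict[str, Point]) -> Dict[str, int]:
    # N-1/N step from Figure 2: multiply each received public spend key B_j by my private b_i.
    # b_i*B_j == b_j*B_i, so counterpart j derives the identical key (the "same color" property).
    return {name: h_s(enc(mul(my_priv, pub))) for name, pub in others.items()}

def demo_2_of_3():
    names = ("alice", "bob", "carol")
    priv = {n: h_s(b"constructed test key " + n.encode()) for n in names}  # constructed keys
    pub = {n: mul(priv[n], G) for n in names}
    ms = {n: multisig_keys(priv[n], {o: pub[o] for o in names if o != n}) for n in names}
    symmetric = all(ms[a][b] == ms[b][a] for a in names for b in ms[a])
    shares = sorted({k for n in names for k in ms[n].values()})           # 3 distinct keys
    alice_bob = sorted(set(ms["alice"].values()) | set(ms["bob"].values()))  # 2 of 3 parties
    wallet_priv = sum(shares) % L                                         # wallet spend key
    out_pub = mul(h_s(b"constructed output"), G)                          # an output's key P
    full_ki = mul(wallet_priv, h_p(out_pub))                              # key image x*Hp(P)
    summed_ki = (0, 1)                                                    # Figure 4: sum the
    for s in alice_bob:                                                   # distinct partial
        summed_ki = add(summed_ki, mul(s, h_p(out_pub)))                  # images s*Hp(P)
    return symmetric, len(shares), alice_bob == shares, summed_ki == full_ki
```

`demo_2_of_3()` returns four checks: the pairwise keys are symmetric, there are exactly three distinct multisig keys, Alice and Bob alone already hold all three, and summing their partial key images yields the full key image without either of them learning the other's private spend key.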

With this data, the initiating party can finalize the transaction, which is then passed to the other confirmed participants to produce the RingCT signature. At the final stage, the transaction is signed and broadcast to the network.

Data exchange automation

The procedures above, for exchanging key parts and key images, need to be performed either once or after each transaction is sent. In the current release of the Monero Core Wallet, they are meant to be performed manually, by exporting the necessary data from the wallet and sending it over a secure communication channel (a messenger or otherwise).

Here is an example of the procedures required to create a 2/3 wallet and sign a transaction. Each participant performs the following commands using the monero-wallet-cli utility:

[wallet 9uKCgo]: prepare_multisig
MultisigV1baCWviNomMXe271W8HW4imh8SsnNEWP2bCswQfoB9MGzNZ8FUG3e8UCNm5toKQzSQH2e8rUWUCGazaCcvej1ToCQYBMovJZYaYiYWQvzsvyWruXycZdVDSsyugjEzwQNK3FUEkug2LXiH91NmekGb7kp9gK9kuoxDDhGn1nLKXUpnXR5

Send this multisig info to all other participants, then use make_multisig […] with others’ multisig info.

This includes the PRIVATE view key, so needs to be disclosed only to that multisig wallet’s participants:

[wallet 9uKCgo]: make_multisig 2 MultisigV1XQugvU4JwcwTQbKdH5qGFnavxUX54wGxNis2iN6zoLD94DahnXbyNxH1NQBp2rYRFFJCT2uiJbssHLJYEAb8X1tS5UCqTXYu3FkgRNSZt5mRNgE58iXZHPj839Pbm3ozGcXmRT6GcRMMxMjRonfYKpnPq1UyZSMN7Qr9AYin1gYyoJSh MultisigV1HVqTW8P4UNWUE8QfBaEdwDWJuXBWEPnTrKqVJiUudGG14cHREk9TKmeR9xzSs4wf4jd22mV94C2ehSViApawnpp2SpRqp19eKXLHz2JmNp7eGR6TJMt4VsDTqANRwb1FtD9weef342f5KXDRZK7iQT1MTubyHhEcFyV5aLCjjQ8owMkH
Another step is needed
MultisigxV1PQwytRuYGkB6UEVJ7v2S7q492cwNTdwySXyasToAuQQq73TvM1rBrog5bcYz5w2P6Z4jwKtzrHr7shRGo5mAShvLVbYtBdQNhQsizMb51K7iaWQB4te5mQaiB1cok84CbvA9WKnVpTJGyb7SbS7NwAgmpEhU812RTdzrdHp5sD41duYtRNW6qna5mTMYmtTjAEdKpKCvM6EwhV4ncWscpvoBfyYP

Send this multisig info to all other participants, then use finalize_multisig […] with others’ multisig info:

[wallet 9uKCgo]: finalize_multisig MultisigxV1PdeMJo5rxcWTXDJ7rbyuacBseugsn2djZKKEdwvFYVmz73TvM1rBrog5bcYz5w2P6Z4jwKtzrHr7shRGo5mAShvLUxykuq5gho7gGQBCEa3JmBaY7rNHqqUaCUs1WWQi9tojZTMmCJJ4evwJzcXEDqcAd7ShwxsJtJtXdiATs54BbBfyCbwXbnDRKAtagJF36z74KJA58NgEmnHv23ZQeePCoacM MultisigxV1RTwyE53FjKPQaAn4ZMWM5hc8C92eJndpyKby4L9HpF2TUxykuq5gho7gGQBCEa3JmBaY7rNHqqUaCUs1WWQi9tojVbYtBdQNhQsizMb51K7iaWQB4te5mQaiB1cok84CbvA928U2yJFK86jNxtMopxHkcnYjjeYfp8TAB53Y1CukBiHfL2M4EztDALXLReXjJxkMry65Jw6vVePJp2T5CW8T8QE5

Before sending a transaction, all parties must exchange partial key images:

[wallet 9uKCgo]: export_multisig_info ki1
Multisig info exported to ki1.
[wallet 9uKCgo]: import_multisig_info ki2 ki3
Height 1103873, txid , 2.000000000000, idx 0/0
Height 1103882, txid <2e3a5591c741c0943a47a2bcbd1ec26493158088c88308bcbfc97423ea95c491>, 0.009000000000, idx 0/0
Multisig info imported

Then the wallet is re-synchronized to account for the complete key images. Once the data on outgoing payments has been received, one of the participants can set up the transaction:

[wallet 9uKCgo]: transfer 9vUnTucAioDHD4ZqrFHXAgfLqrsC3LkZ6JFr5axBLhDiFMaHuEk33aqXimoZEMtQh5ibdYxcNSBw2hBZLAsCnuw4B4rBeZX 1
No payment id is included with this transaction. Is this okay? (Y/Yes/N/No): Y
There is currently a 2 block backlog at that fee level. Is this okay? (Y/Yes/N/No)Y
Transaction 1/1:
Spending from address index 0
Sending 1.000000000000. The transaction fee is 0.012000000000
Is this okay? (Y/Yes/N/No): Y
Unsigned transaction(s) successfully written to file: multisig_monero_tx

Then the generated file is transferred to another participant to be signed and broadcast to the network:

[wallet 9twQxU]: sign_multisig multisig_monero_tx
Loaded 1 transactions, for 1.031762770000, fee 0.012000000000, sending 1.000000000000 to 9vUnTucAioDHD4ZqrFHXAgfLqrsC3LkZ6JFr5axBLhDiFMaHuEk33aqXimoZEMtQh5ibdYxcNSBw2hBZLAsCnuw4B4rBeZX, 0.019762770000 change to 9uKCgopHzXrQLnph1ZNFQgdxZZyGhKRLfaNv7EEgWc1f3LQPSZR7BP4ZZn4oH7kAbX3kCd4oDYHg6hE541rQTKtHB7ufnmk, with min ring size 7, no payment ID. Is this okay? (Y/Yes/N/No): Y
Transaction successfully signed to file multisig_monero_tx, txid 1d28af64bc78d05b625c4f7af7c321d4c8943c4c2692f57aa53e303387f40db6
[wallet 9twQxU]: submit_multisig multisig_monero_tx
Loaded 1 transactions, for 1.031762770000, fee 0.012000000000, sending 1.000000000000 to 9vUnTucAioDHD4ZqrFHXAgfLqrsC3LkZ6JFr5axBLhDiFMaHuEk33aqXimoZEMtQh5ibdYxcNSBw2hBZLAsCnuw4B4rBeZX, 0.019762770000 change to 9uKCgopHzXrQLnph1ZNFQgdxZZyGhKRLfaNv7EEgWc1f3LQPSZR7BP4ZZn4oH7kAbX3kCd4oDYHg6hE541rQTKtHB7ufnmk, with min ring size 7, no payment ID. Is this okay? (Y/Yes/N/No): Y
Transaction successfully submitted, transaction <1d28af64bc78d05b625c4f7af7c321d4c8943c4c2692f57aa53e303387f40db6>

You can check its status by using the show_transfers command.

Clearly, using multisig wallets this way is possible for a determined user, but the approach is unlikely to suit beginners or mobile users.

Therefore, we are developing our own solution to automate the exchange of such data without violating the privacy of the parties or the security of transactions, making multisig applications on Monero accessible to more people. Our solution is being designed to support both standard and multisig wallets, and runs on an open server that handles the exchange and transfer of data between the corresponding wallets.

More information on our contribution to Monero can be found at https://exan.tech/en/projects/monero/, as well as at the project’s page at https://wallet.exan.tech.

Summary

Currently, only a limited set of signature schemes is supported, but the developers plan to extend the list to allow arbitrary thresholds such as 2/5. The only supported way to exchange the necessary data is rather inconvenient, but thanks to Monero’s open ecosystem the community places high hopes in third-party solutions being developed to improve the situation.

Later in this series, we will talk about other aspects of the Monero blockchain, such as RingCT and ring signatures, wallet architecture and the libwallet library, as well as the network’s future prospects.

Please ask your questions in the comment section, suggest topics for new cryptocurrency-related articles, and subscribe to our blog to stay abreast of our upcoming events and valuable publications.
