Packages

object MuSigUtil

Utilities for MuSig2 operations and BIP-0327-related behaviour.

This object implements nonce generation, nonce aggregation, partial signature generation and verification, and deterministic signing helpers used by the MuSig2 protocol. The implementation follows the BIP-0327 ("MuSig2") reference where applicable; see:

  • BIP-0327: https://github.com/bitcoin/bips/blob/master/bip-0327.mediawiki

Important details and conventions implemented here:

  • Nonces are represented as pairs (r1, r2) and are collapsed using a polynomial sum with a session scalar b as described in the BIP.
  • The point-at-infinity serialization is encoded as 33 zero bytes in MuSigNoncePub (see MuSigNoncePub.infPtBytes).
  • Parity handling for public keys and the aggregated nonce R is handled via ParityMultiplier and conditional negation when required. This matches the reference implementation behavior where sign adjustments are applied during both signing and verification so that stored original public keys remain unmodified.
  • The functions here are low-level helpers; higher-level session construction and key-aggregation logic is in MuSigSessionContext and KeySet.
Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By Inheritance
Inherited
  1. MuSigUtil
  2. AnyRef
  3. Any
  1. Hide All
  2. Show All
Visibility
  1. Public
  2. Protected

Value Members

  1. final def !=(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  2. final def ##: Int
    Definition Classes
    AnyRef → Any
  3. final def ==(arg0: Any): Boolean
    Definition Classes
    AnyRef → Any
  4. def aggCoefHash(bytes: ByteVector): ByteVector

    Tagged hash used to derive the per-key coefficient in key aggregation (BIP-0327: "KeyAgg coefficient").

  5. def aggListHash(bytes: ByteVector): ByteVector

    Tagged hash for key aggregation list digest used when computing key aggregation coefficients (BIP-0327: "KeyAgg list").

  6. def aggregateNonces(nonces: Vector[MuSigNoncePub]): MuSigNoncePub

    Aggregate per-signer nonce pairs into a single aggregated nonce pair by point-wise addition.

    Aggregate per-signer nonce pairs into a single aggregated nonce pair by point-wise addition. The returned MuSigNoncePub contains the summed r1 and r2 values respectively.

  7. final def asInstanceOf[T0]: T0
    Definition Classes
    Any
  8. def auxHash(bytes: ByteVector): ByteVector

    Tagged hash for auxiliary randomness used in nonce generation (BIP-0327: "MuSig/aux").

  9. def clone(): AnyRef
    Attributes
    protected[lang]
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.CloneNotSupportedException]) @native()
  10. def deterministicSign(secretKey: ECPrivateKey, aggOtherNonce: MuSigNoncePub, keySet: KeySet, message: ByteVector, auxRandOpt: Option[ByteVector]): (MuSigNoncePub, FieldElement)

    Deterministic signing helper that produces a deterministic nonce pair and corresponding partial signature following the reference deterministic construction in the BIP.

    Deterministic signing helper that produces a deterministic nonce pair and corresponding partial signature following the reference deterministic construction in the BIP. This is useful for reproducible tests or for deterministic wallets.

    Returns the public nonce pair and the scalar partial signature.

  11. final def eq(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  12. def equals(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef → Any
  13. def finalize(): Unit
    Attributes
    protected[lang]
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.Throwable])
  14. final def getClass(): Class[_ <: AnyRef]
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  15. def hashCode(): Int
    Definition Classes
    AnyRef → Any
    Annotations
    @native()
  16. final def isInstanceOf[T0]: Boolean
    Definition Classes
    Any
  17. def muSigDeterministicNonceHash(bytes: ByteVector): ByteVector

    Deterministic nonce hash used by the deterministic signing helper (BIP-0327 reference tag "MuSig/deterministic/nonce").

  18. final def ne(arg0: AnyRef): Boolean
    Definition Classes
    AnyRef
  19. def nonCoefHash(bytes: ByteVector): ByteVector

    Tagged hash for nonce coefficient derivation (BIP-0327: "MuSig/noncecoef").

  20. def nonHash(bytes: ByteVector): ByteVector

    Tagged hash for MuSig nonce derivation (BIP-0327: "MuSig/nonce").

  21. def nonceGen(pk: ECPublicKey, privKeyOpt: Option[ECPrivateKey] = None, aggPubKeyOpt: Option[SchnorrPublicKey] = None, msgOpt: Option[ByteVector] = None, extraInOpt: Option[ByteVector] = None): MuSigNoncePriv

    Convenience overload of nonceGen that generates 32 bytes of randomness internally.

  22. def nonceGen(preRand: ByteVector, publicKey: ECPublicKey, privKeyOpt: Option[ECPrivateKey], aggPubKeyOpt: Option[SchnorrPublicKey], msgOpt: Option[ByteVector], extraInOpt: Option[ByteVector]): MuSigNoncePriv

    Generate a MuSig nonce private pair deterministically from the provided entropy and optional contextual inputs.

    Generate a MuSig nonce private pair deterministically from the provided entropy and optional contextual inputs.

    This function implements the nonce derivation described in BIP-0327 where the nonce generation input includes: per-signer randomness (preRand), the signer's compressed public key, optionally the aggregated public key, an optional message, and optional extra input. If a privKeyOpt is provided, aux hashing is XORed with the private key bytes to provide domain separation as in the reference.

    The returned MuSigNoncePriv contains two private nonces (k1,k2) and the signer's compressed public key (so the nonce packet is self-contained for verification/tweaks).

    preRand

    32 bytes of entropy (must be length 32)

    publicKey

    signer's compressed public key (must be compressed)

    privKeyOpt

    optional signer's private key used to mix into aux

    aggPubKeyOpt

    optional aggregated public key for session binding

    msgOpt

    optional message to bind to the nonce (encoded lengthwise)

    extraInOpt

    optional additional bytes (maximum length = 4294967295 bytes)

  23. val nonceNum: Int

    Number of nonce components used per signer.

    Number of nonce components used per signer. MuSig2 uses two independent ephemeral nonces per signer (r1, r2).

  24. final def notify(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  25. final def notifyAll(): Unit
    Definition Classes
    AnyRef
    Annotations
    @native()
  26. def partialSigAgg(sVals: Vector[FieldElement], ctx: MuSigSessionContext): SchnorrDigitalSignature

    Internal aggregation helper which computes the final Schnorr signature from individual s values and session context.

  27. def partialSigAgg(sVals: Vector[FieldElement], aggNoncePub: MuSigNoncePub, keySet: KeySet, message: ByteVector): SchnorrDigitalSignature

    Aggregate a set of signer partial signature scalars into a BIP340 Schnorr signature.

    Aggregate a set of signer partial signature scalars into a BIP340 Schnorr signature. This performs the final adjustments required by MuSig2 where the sum of partial s values is further adjusted by the aggregated tweak accumulator tacc multiplied by the session challenge e (and parity multiplier g).

  28. def partialSigVerify(partialSig: FieldElement, noncePub: MuSigNoncePub, aggNoncePub: MuSigNoncePub, pubKey: ECPublicKey, keySet: KeySet, message: ByteVector): Boolean

    Verify a single partial signature for a signer given the signer's nonce pair, the aggregated nonce, the signer's public key, the key-set and message.

    Verify a single partial signature for a signer given the signer's nonce pair, the aggregated nonce, the signer's public key, the key-set and message. This wraps to partialSigVerifyInternal.

  29. def partialSigVerify(partialSig: FieldElement, pubNonces: Vector[MuSigNoncePub], keySet: KeySet, message: ByteVector, signerIndex: Int): Boolean

    Verify a single signer partial signature with a vector of per-signer nonce public pairs.

    Verify a single signer partial signature with a vector of per-signer nonce public pairs. This convenience overload selects the signer's nonce pair using signerIndex from the provided pubNonces vector.

  30. def partialSigVerifyInternal(partialSig: FieldElement, noncePubs: Vector[MuSigNoncePub], pubKey: ECPublicKey, sessionCtx: MuSigSessionContext): Boolean

    Internal verification routine implementing the MuSig2 partial signature verification equation per BIP-0327.

    Internal verification routine implementing the MuSig2 partial signature verification equation per BIP-0327.

    The check performed is: G * s == RE + g' * (a * e * P) where:

    • s is the partial signature scalar (FieldElement)
    • RE is the (possibly parity-negated) aggregated nonce point
    • g' is the parity-multiplied group coefficient applied to the signer public key (matching the signer's adjusted private key)
    • a is the session key aggregation coefficient for the signer
    • e is the challenge scalar for the session
    • P is the signer's public key

    The implementation uses nonceSum to collapse the per-signer nonce pair and applies parity adjustments to both R and the public-key multiplier to match the sign() implementation.

  31. def sign(noncePriv: MuSigNoncePriv, privKey: ECPrivateKey, signingSession: MuSigSessionContext): FieldElement

    Core signing routine used by the deterministic and non-deterministic sign helpers.

    Core signing routine used by the deterministic and non-deterministic sign helpers. Implements the signing arithmetic from BIP-0327 while leaving session construction to the caller.

    Preconditions:

    • the provided noncePriv.publicKey must equal privKey.publicKey as the nonce must be bound to the signer key used for signing.
  32. def sign(noncePriv: MuSigNoncePriv, aggNoncePub: MuSigNoncePub, privKey: ECPrivateKey, message: ByteVector, keySet: KeySet): FieldElement

    Produce a MuSig partial signature for a given signer using the provided nonce pair, aggregate nonce, and private key.

    Produce a MuSig partial signature for a given signer using the provided nonce pair, aggregate nonce, and private key. Returns the scalar partial signature s (a FieldElement) corresponding to this signer's contribution.

    The function performs the parity and coefficient adjustments described in BIP-0327, including:

    • conditional negation of nonce private components when the final aggregated R requires it,
    • application of the session parity multiplier to the signer's private key contribution, and
    • verification of the generated partial signature via partialSigVerifyInternal as an internal consistency check.

    Note: this is a low-level helper that expects the aggNoncePub to be the aggregated public nonces for the session and keySet to represent the signers participating in the session.

  33. final def synchronized[T0](arg0: => T0): T0
    Definition Classes
    AnyRef
  34. def toString(): String
    Definition Classes
    AnyRef → Any
  35. final def wait(): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException])
  36. final def wait(arg0: Long, arg1: Int): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException])
  37. final def wait(arg0: Long): Unit
    Definition Classes
    AnyRef
    Annotations
    @throws(classOf[java.lang.InterruptedException]) @native()

Inherited from AnyRef

Inherited from Any

Ungrouped