Author Topic: Great news! RPC API for Monero's Multisig exists.  (Read 176 times)


  • Administrator
  • Newbie
  • *****
  • Posts: 13
    • View Profile
Great news! RPC API for Monero's Multisig exists.
« on: September 27, 2017, 11:02:27 PM »
So, after serhack had updated the older dilapidated bitwasp software into the Annularius Marketplace software and fixed a bunch of issues, we decided that the best approach was to wait until Monero had an RPC API for multisignature addresses and transactions. 

This is because doing a PHP library for monero multisig would be too complicated and have some interesting security risks if it weren't implemented properly.

Well, thanks to the amazing work of MoneroMoo, the RPC API  for multisig now exists so what we'll need to do now is integrate that and we'll have a MVP for Annularis as a monero multisg marketplace! :D

So, the multisig works as described here:

Multisig for RingCT on Monero

    2 of 2

    User A (coordinator):
    Spendkey b,B
    Viewkey a,A (shared)

    User B:
    Spendkey c,C
    Viewkey a,A (shared)

    Public Address: C+B, A

    Both have their own watch only wallet via C+B, a

    A will coordinate spending process (though B could easily as well, coordinator is more needed for more participants)

    A and B watch for incoming outputs

    B creates "half" key images for discovered output D:
    I2_D = (Hs(aR)+c) * Hp(D)

    B also creates 1.5 random keypairs (one scalar and 2 pubkeys; one on base G and one on base Hp(D)) for each output, storing the scalar(k) (linked to D),
    and sending the pubkeys with I2_D.

    A also creates "half" key images:
    I1_D = (Hs(aR)+b) * Hp(D)

    Then I_D = I1_D + I2_D

    Having I_D allows A to check spent status of course, but more importantly allows A to actually build a transaction prefix (and thus transaction).

    A builds the transaction until most of the way through MLSAG_Gen, adding the 2 pubkeys (per input) provided with I2_D
    to his own generated ones where they are needed (secret row L, R).

    At this point, A has a mostly completed transaction (but with an invalid/incomplete signature). A sends over the tx and includes r,
    which allows B (with the recipient's address) to verify the destination and amount (by reconstructing the stealth address and decoding ecdhInfo).

    B then finishes the signature by computing ss[secret_index][0] = ss[secret_index][0] + k - cc[secret_index]*c (secret indices need to be passed as well).

    B can then broadcast the tx, or send it back to A for broadcasting. Once B has completed the signing (and verified the tx to be valid), he can add the full I_D
    to his cache, allowing him to verify spent status as well.

    A and B *must* present key A and B to each other with a valid signature proving they know a and b respectively.
    Otherwise, trickery like the following becomes possible:
    A creates viewkey a,A, spendkey b,B, and sends a,A,B to B.
    B creates a fake key C = zG - B. B sends C back to A.
    The combined spendkey C+B then equals zG, allowing B to spend funds at any time!
    The signature fixes this, because B does not know a c corresponding to C (and thus can't produce a signature).

The seller will join, and create a spendkey (c,C) on their own. They'll give C to the annularis marketplace implementation.
The buyer will join, and create a spendkey (b,B) on their own. They'll give B to the annularis marketplace implementation as well.
The marketplace will combine them to form the multisig address: C+B, A.
The buyer will recieve this multisig address and pay to it.
The seller will then sign this transaction to recieve the funds
The buyer will only sign it if they have recieved the products and are happy with it: otherwise, they'll have to work it out or no one will get any money.

I'm going to talk to serhack, he's probably pretty busy with all that he does for monero and the monero integrations, but hopefully this project will begin moving forward again soon. :)


  • Newbie
  • *
  • Posts: 1
    • View Profile
Re: Great news! RPC API for Monero's Multisig exists.
« Reply #1 on: February 04, 2018, 12:10:47 PM »
Looks like this will have amazing functionality. Any updates about this project, Vespco?