# Ring Multisignature

In this blog post I explain $Ring Multisignature$ -of- $Ring Multisignature$ anonymous threshold ring signatures, “Ring Multisignatures”. This technique is a straight-forward generalization of a method for n-of-n Schnorr multisignature described to me last summer by Monero Developer TacoTime.

Suppose that a group of $Ring Multisignature$ users wants to create a multisignature address requiring $Ring Multisignature$ of the group to sign in order to spend any funds received, and in such a way that any observer will be unable to determine for certain whether funds have been sent from this address or not, but in such a way that spending funds twice is impossible.

## 3.1. Setup Phase

First create a shared key for each $Ring Multisignature$ sized subset of the $Ring Multisignature$ users. For a running example suppose $Ring Multisignature$ and $Ring Multisignature$ , I will say that $Ring Multisignature$ are users, and denote their shared keys $Ring Multisignature$ . Now the destination multisignature address $Ring Multisignature$ will be the sum of all of these shared keys. So in our example, $Ring Multisignature$ . Note that at least two users of $Ring Multisignature$ are required to know the private keys belonging to each of the summands, so this results in a $Ring Multisignature$ -of- $Ring Multisignature$ multisignature address.

## 3.2. Ring Signing

How does one create a ring signature with this type of address? Suppose that $Ring Multisignature$ of the $Ring Multisignature$ signers (say $Ring Multisignature$ and $Ring Multisignature$ in the above example) wish to sign a transaction. The shared key in this case is the sum of all $Ring Multisignature$ subset-shared keys, and thus, since $Ring Multisignature$ , each summand in the shared key:

$Ring Multisignature$

has a private key $Ring Multisignature$ known by at least one of the signers.

Let $Ring Multisignature$ and $Ring Multisignature$ denote cryptographic hash functions returning a scalar and curve point respectively. If signer $Ring Multisignature$ knows the private key $Ring Multisignature$ to summand $Ring Multisignature$ , $Ring Multisignature$ in the above shared key, then to start the signature, they generate a random scalar $Ring Multisignature$ and share $Ring Multisignature$ to the other signers (keeping $Ring Multisignature$ secret). As in a usual ring signature, the signers decide on $Ring Multisignature$ other unspent public keys $Ring Multisignature$ from the block-chain to be partners in the ring with. Furthermore, signer $Ring Multisignature$ will compute $Ring Multisignature$ and the key image of the signature will be $Ring Multisignature$ .

Now, supposing the signers decide on putting their multisignature key at secret index $Ring Multisignature$ , they start the ring signature by computing:

$Ring Multisignature$

$Ring Multisignature$

(in the MLSAG setting of RingCT these computations are carried out in each row of the signature) with $Ring Multisignature$ and

$Ring Multisignature$

The ring signature proceeds in the usual MLSAG fashion (cf. RingCT): for each index $Ring Multisignature$ the signers choose a random scalar $Ring Multisignature$ and compute

$Ring Multisignature$

$Ring Multisignature$

and

$Ring Multisignature$

stopping after $Ring Multisignature$ has been computed.

Finally, using the relation:

$Ring Multisignature$

each signer computes (without revealing $Ring Multisignature$ )

$Ring Multisignature$

where $Ring Multisignature$ is the order of the underlying field. The final $Ring Multisignature$ is then the sum of the $Ring Multisignature$ ,

$Ring Multisignature$

If there are other inputs, the MLSAG apparatus allows for these other inputs in other rows of the MLSAG with no changes from RingCT, and verification of the above signature, which consists of the key-image $Ring Multisignature$, the scalars $Ring Multisignature$, and the $Ring Multisignature$ -th index hash $Ring Multisignature$, proceeds exactly as in RingCT, since the pubkey $Ring Multisignature$ is indistinguishable, to an observer, from any other pubkey.

Note that the Schnorr multisignature described by TacoTime is a special case of the above, with a ring of size $Ring Multisignature$ (having no additional public keys), and in that case, if $Ring Multisignature$ , the shared keys belong to one user only, or in the case that $Ring Multisignature$ , the shared keys belong to $Ring Multisignature$ users. Thus the above is really a straightforward generalization. Furthermore, since $Ring Multisignature$ is chosen randomly, the probability that $Ring Multisignature$ will be the same in two different signatures is negligible. Thus we avoid the repeated nonce attack which must be specially taken care of in other threshold signature schemes.

Claim 1 In the above scheme describing Ring Multisignature, at least $Ring Multisignature$ of $Ring Multisignature$ signers are needed for a given transaction, and conversely, $Ring Multisignature$ of $Ring Multisignature$ signers can sign a given transaction.

Proof: This is fairly simple: suppose that there are $Ring Multisignature$ signers in the given transaction. If the claim holds for $Ring Multisignature$ , then it clearly holds for smaller $Ring Multisignature$ , so without loss of generality, assume $Ring Multisignature$ . We may clearly assume that $Ring Multisignature$ is at least two. Note that given a set of $Ring Multisignature$ integers, there is clearly a subset of size $Ring Multisignature$ elements not containing any given $Ring Multisignature$ elements (namely the complement of those $Ring Multisignature$ elements). Thus it follows that at least $Ring Multisignature$ signers are needed, since each summand in the pubkey is a shared key among $Ring Multisignature$ signers.

Conversely, if there are at least $Ring Multisignature$ distinct signers, then any subset of the $Ring Multisignature$ signers size $Ring Multisignature$ distinct must clearly intersect with the signers, so all of the summands have a secret key known to the signers. $Ring Multisignature$