Alice wishes to donate to Bob anonymously.
Alice wants to create a bitcoin “stealth” address for Bob (which cannot be associated to Bob on the blockchain explorer) using shnorr signatures.
Alice has Bob’s Schnorr PublicKey1 from his donation website.
Alice produces on her laptop a new (privateKey2, publicKey2) pair.
Alice creates aggregated PubKey1 + PubKey2 using Schnorr’s aggregated public keys feature.
Alice sends bitcoins to the aggregated address(PubKey1 + PubKey2).
Alice shares the privKey2 with Bob via a secure end-to-end channel.
Later, Bob logs in and retrieves the PrivKey2 that Alice shared.
Bob then calculates aggregated PrivKey1 + PrivKey2 and spends the unspent transaction.
I was able to achieve PubKey1 + PubKey2 with the Musig2 aggregation function that uses tags.
import * as musig2 from '@scure/btc-signer/musig2.js'
import {randomBytes} from "@noble/ciphers/utils.js"
import {schnorr} from "@noble/curves/secp256k1.js"
//alice pair
privateKey2 = randomBytes(32)
publicKey2 = musig2.IndividualPubkey(privateKey1)
const individualsPublicKeys = [publicKey1, publicKey2]; // Collect all individual public keys
const sortedPublicKeys = musig2.sortKeys(individualsPublicKeys); // Sort public keys lexicographically (as required by MuSig2)
const aggregatePublicKey = musig2.keyAggregate(sortedPublicKeys).aggPublicKey.toBytes(true) // Extract aggregate public key (33 bytes)
console.log(aggregatePublicKey)//PublicKey1 + PublicKey2
//...
//Alice send coins to address(aggregatePublicKey)
//...
how to compute aggregate privateKey1 + privateKey2 to spend the coins ?
signature = schnorr.sign(msg, aggregatePrivateKey)
schnorr.verify(signature, msg, aggregatePublicKey);
But how does Bob compute the aggregated private key in JavaScript using the @scure/btc-signer @noble/curves/secp256k1 libraries? Is there a vulnerability while computing the aggregated private key? Bob distrusts Alice because she could be an awful adversary who could try to steal Bob’s private key.
I know Bob can implement musig2 partial signature, but my whole code already uses musig2 partial signature, thus this would result in a two-step recursion. In this scenario, I am unsure how to use musig2 partial signature.
LE:
I believe I’ve worked it out. To aggregate private keys, I believe Bob has to just add them using the Point.Fn.
Bob can generate the merged private key
var aggrPriv = schnorr.Point.Fn.create( schnorr.Point.Fn.fromBytes(Priv1) + schnorr.Point.Fn.fromBytes(Priv2) )
console.log( 'aggrPriv', schnorr.Point.Fn.toBytes( aggrPriv ) )
Alice can generate the merged public Key
var aggrPub = schnorr.Point.ZERO;
aggrPub = aggrPub.add(schnorr.Point.fromBytes(Pub1.bytes))
aggrPub = aggrPub.add(schnorr.Point.fromBytes(Pub2.bytes))
console.log('aggrPub', aggrPub.toBytes(true) )
console.log( equalBytes( schnorrGetPoint(aggrPriv).bytes, aggrPub.toBytes(true)) )
both matches in console. Bob now can use aggrPriv to spends the coins he received from Alice.
Is the aggregation of Schnorr private keys secure? Do I have to perform any more verifications?
