Skip to content

NUT-11: SIG_ALL sign aggregated message all inputs and ouptuts#149

Merged
callebtc merged 7 commits intomainfrom
nut11-sigall
Aug 19, 2025
Merged

NUT-11: SIG_ALL sign aggregated message all inputs and ouptuts#149
callebtc merged 7 commits intomainfrom
nut11-sigall

Conversation

@callebtc
Copy link
Contributor

@callebtc callebtc commented Jul 13, 2024
edited by thesimplekid
Loading

This PR specifies the signature flag SIG_ALL for swap and for melt transactions involving P2PK-locked or HTLC-locked inputs. It also adds a new tag for P2PK (also used in HTLC) called n_sigs_refund that specifies the signature threshold for the refund pubkeys (enforced after a timelock).

SIG_ALL means that the witness of the first input must be a signature on an concatenated message of the form proof.secret_n.. . || output.B'_n... in the case of a swap covering all of the inputs' secret fields and all of the outputs' blinded message fields B_. In the case of a melt, we also need to include the quote_id in the signed message.

Aggregation for swap

If a swap transaction has n inputs and m outputs, the message to sign becomes:

msg = secret_0 || ... || secret_n || B_0 || ... || B_m
Aggregation for melt

For a melt transaction, the message to sign is composed of all the inputs, the quote ID being paid, and the [NUT-08][08] blank outputs.

If a melt transaction has n inputs, m blank outputs, and a quote ID quote_id, the message to sign becomes:

msg = secret_0 || ... || secret_n || B_0 || ... || B_m || quote_id

Here, || denotes string concatenation. The B_ of each output is a hex string.

Changes:

  • fix SIG_ALL
  • add n_sigs_refund
  • remove BlindedMessage.witness output witness

Todo:

  • specify if only valid for /swap or also for /melt (for both signature flags)
  • SIG_ALL test vectors
  • explicit error if no outputs are provided for SIG_ALL.

Tracking:

@callebtc callebtc changed the title SIG_ALL: sign aggregated message all inputs and ouptuts NUT-11: SIG_ALL sign aggregated message all inputs and ouptuts Jul 13, 2024
@callebtc callebtc marked this pull request as ready for review April 15, 2025 09:24
gudnuf
gudnuf approved these changes Apr 15, 2025
View reviewed changes
@callebtc @gudnuf
Update 11.md
6a77e1f 
Co-authored-by: gudnuf <108303703+gudnuf@users.noreply.github.com>
robwoodgate

This comment was marked as resolved.

Sign in to view

@cashubtc cashubtc deleted a comment from robwoodgate Apr 18, 2025
@cashubtc cashubtc deleted a comment from robwoodgate Apr 18, 2025
@callebtc
Copy link
Contributor Author

callebtc commented Apr 18, 2025

While this NUT is under review, it might be a good idea to codify the maximum secret length as many mints are enforcing 512 bytes

I think we should do that in NUT-0

robwoodgate
robwoodgate reviewed Apr 22, 2025
View reviewed changes
11.md Outdated
### Multisig

If the tag `n_sigs` is a positive integer, the mint will also consider signatures from public keys specified in the `pubkeys` tag additional to the public key in `Secret.data`. If the number of valid signatures is greater or equal to the number specified in `n_sigs`, the transaction is valid.
If the tag `n_sigs` is a positive integer, the mint will require valid signatures from `n_sigs` public keys contained in the `Secret.data` field and the `pubkeys` tag.

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view

robwoodgate
robwoodgate suggested changes Apr 23, 2025
View reviewed changes
Copy link
Contributor

@robwoodgate robwoodgate left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have made some suggestions to clarify the multisig logic.
EDIT: Have PR'd these suggestions (#272)

11.md

If the `locktime` is in the past and a tag `refund` is present, the `Proof` is spendable only if a valid signature by one of the the `refund` pubkeys is provided in `Proof.witness.signatures` and, depending on the signature flag, in `BlindedMessage.witness.signatures`.
If the `locktime` is in the past and a tag `refund` is present, the `Proof` is spendable only if valid signatures are given by the `refund` pubkeys. The

This comment was marked as resolved.

Sign in to view

11.md Outdated
### Multisig

If the tag `n_sigs` is a positive integer, the mint will also consider signatures from public keys specified in the `pubkeys` tag additional to the public key in `Secret.data`. If the number of valid signatures is greater or equal to the number specified in `n_sigs`, the transaction is valid.
If the tag `n_sigs` is a positive integer, the mint will require valid signatures from `n_sigs` public keys contained in the `Secret.data` field and the `pubkeys` tag.

This comment was marked as resolved.

Sign in to view

11.md Outdated
#### Complex Example

This is an example `secret` that locks a `Proof` with a Pay-to-Pubkey (P2PK) condition that requires 2-of-3 signatures from the public keys in the `data` field and the `pubkeys` tag. If the `timelock` has passed, the `Proof` becomes spendable with a single signature from the public key in the `refund` tag. The signature flag `sigflag` indicates that signatures are necessary on the `inputs` and the `outputs` of a transaction.
This is an example `Secret` that locks a `Proof` with a Pay-to-Pubkey (P2PK) condition that requires 2-of-3 signatures from the public keys in the `data` field and the `pubkeys` tag. If the `timelock` has passed, the `Proof` becomes spendable with a single signature from the public key in the `refund` tag. The signature flag `sigflag` indicates that signatures are necessary on the `inputs` and the `outputs` of the transaction this `Proof` is spent by.
Copy link
Contributor

@robwoodgate robwoodgate Apr 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to add a second refund public key to make it clear the tag supports multiple keys.

Suggestion:

... becomes spendable with a single signature from one of the two public keys in the refund tag.

@robwoodgate robwoodgate mentioned this pull request Apr 23, 2025
Closed
3 tasks
@a1denvalu3
Copy link
Contributor

a1denvalu3 commented Apr 26, 2025

NOTE: maybe it would be convenient to include a limit of len(pubkeys) + len(refund) == NUT11_LIMIT, since we already discussed it.

@robwoodgate robwoodgate mentioned this pull request May 8, 2025
Merged
3 tasks
@thesimplekid
Copy link
Collaborator

thesimplekid commented May 16, 2025
edited
Loading

Closes #148 and #180

@robwoodgate robwoodgate mentioned this pull request Jun 23, 2025
Merged
@thesimplekid
Copy link
Collaborator

thesimplekid commented Jun 29, 2025

CDK PR: cashubtc/cdk#862

@thesimplekid thesimplekid mentioned this pull request Jul 9, 2025
Open
@robwoodgate
Clarifications to multisig (#272)
26ffa2e 
* Clarifications to multisig

* Distinguish between Locktime MultiSig and Refund MultiSig
@callebtc callebtc merged commit 76c631f into main Aug 19, 2025
2 checks passed
@callebtc callebtc deleted the nut11-sigall branch August 19, 2025 22:48
@ye0man ye0man added this to nuts Jan 13, 2026
@ye0man ye0man added this to nuts Jan 13, 2026
@github-project-automation github-project-automation bot moved this to Done in nuts Jan 13, 2026
@ye0man ye0man removed this from nuts Jan 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thesimplekid thesimplekid thesimplekid approved these changes

@gudnuf gudnuf gudnuf approved these changes

+1 more reviewer

@robwoodgate robwoodgate robwoodgate approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@callebtc @a1denvalu3 @thesimplekid @robwoodgate @gudnuf