Threshold Signatures and Accountability (slide deck). Andrew Poelstra, Director of Research, Blockstream.


SLIDE 1

Threshold Signatures and Accountability

Andrew Poelstra

Director of Research, Blockstream

4 February 2019


SLIDES 2-3

Schnorr Signatures

$$P = xG, \qquad R = kG, \qquad e = H(P, R, m), \qquad sG = kG + exG$$

SLIDES 4-5

Sign-to-Contract

$$P = xG, \qquad R_0 = kG, \qquad R = R_0 + H(R_0 \| c)\,G, \qquad e = H(P, R, m)$$

$$sG = \big(k + H(R_0 \| c)\big)G + exG$$

SLIDE 6

Sign-to-Contract Replay Attack

Suppose $k = H(x \| m)$.

$$\begin{aligned}
s &= \big(k + H(R_0 \| c)\big) + ex \\
s' &= \big(k + H(R_0 \| c')\big) + e'x \\
s - s' &= H(R_0 \| c) - H(R_0 \| c') + (e - e')x
\end{aligned}$$

So we'd better have $k = H(x \| m \| c)$!

SLIDE 7

Sign-to-Contract as an Anti-Nonce-Sidechannel Measure

If the hardware device knows $c$ before producing $R_0$, it can grind $k$ so that $k + H(R_0 \| c)$ has a detectable bias. If it doesn't know $c$, how can it prevent replay attacks? Send the hardware device $H(c)$ and receive $R_0$ before giving it $c$. Then $k = H(x \| m \| H(c))$.


SLIDES 8-10

Schnorr Multisignatures

$$\mu_i = H\big[\,H(P_1 \| P_2 \| \cdots \| P_n)\,\|\,i\,\big], \qquad P_i = \mu_i x_i G, \qquad P = \sum_i P_i$$

$$R_i = k_i G, \qquad R = \sum_i R_i, \qquad e = H(P, R, m)$$

$$s_i G = k_i G + e\mu_i x_i G, \qquad sG = \sum_i k_i G + \sum_i \mu_i e x_i G$$

SLIDES 11-12

Verifiable Secret Sharing

Suppose a party with secret $x_i$ wants to split her secret such that $k$ parties may produce a signature with it.

$$p_i(X) = x_i + \gamma_{i,1}X + \gamma_{i,2}X^2 + \cdots + \gamma_{i,k-1}X^{k-1}$$

$$\zeta_{i,j}G = p_i(j)G = x_iG + j\gamma_{i,1}G + j^2\gamma_{i,2}G + \cdots + j^{k-1}\gamma_{i,k-1}G$$

$$p_i(0) = x_i = \sum_{j \in \text{signers}} \lambda_{i,j}\,\zeta_{i,j}$$

SLIDE 13

Verifiable Secret Sharing

$$\begin{aligned}
xG &= \sum_{i \in \text{everyone}} \mu_i x_i G
   = \sum_{i \in \text{everyone}} \mu_i p_i(0) G
   = \sum_{i \in \text{everyone}} \mu_i \sum_{j \in \text{signers}} \lambda_{i,j}\zeta_{i,j} G \\
   &= \sum_{j \in \text{signers}} \Big( \sum_{i \in \text{everyone}} \lambda_{i,j}\mu_i\zeta_{i,j} G \Big)
   = \sum_{j \in \text{signers}} [\cdots]_j\, G
\end{aligned}$$

Here $[\cdots]_j$ stands for the boxed per-signer quantity on the slide, $\sum_{i \in \text{everyone}} \lambda_{i,j}\mu_i\zeta_{i,j}$.

SLIDES 14-15

Signing With VSS

$$\mu_i = H\big[\,H(P_1 \| P_2 \| \cdots \| P_n)\,\|\,i\,\big], \qquad P = \sum_j [\cdots]_j\, G$$

$$R_j = k_j G, \qquad R = \sum_j R_j, \qquad e = H(P, R, m)$$

$$s_j G = k_j G + e\,[\cdots]_j\, G, \qquad sG = \sum_j k_j G + \sum_j e\,[\cdots]_j\, G$$

SLIDE 16

Accountability

Recall the equation $P = \sum_{j \in \text{signers}} [\cdots]_j\, G$. What is this set "signers"? In fact any set will do; $\lambda_{i,j}$ depends on the particular set but nothing else does. Importantly, the signature does not depend on this set. Such signatures are unaccountable.
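The following Python is an added teaching example, not code from the slides or from Blockstream. It puts the slide algebra on secp256k1 and serves two parts of the deck: the Schnorr equation of slides 2-3 and sign-to-contract of slides 4-7, where `replay_leaks_key` applies the slide-6 subtraction $s - s' = H(R_0\|c) - H(R_0\|c') + (e - e')x$ to show that $k = H(x\|m)$ hands back $x$ across two contracts while the slide-7 derivation $k = H(x\|m\|H(c))$ does not; and the VSS shares, Lagrange coefficients and threshold signing of slides 11-16, where two different signer subsets produce signatures that both verify under the same $P$. Assumptions not taken from the slides: $H$ is SHA-256 over fixed-width encodings reduced mod $n$, the parties are indexed 1..3 with threshold $k = 2$, the message and contract strings are constructed, and the curve arithmetic is plain affine teaching code, not constant time.

```python
# Added teaching example (not the slides' code); assumes H = SHA-256 mod n.
import hashlib, secrets
from functools import reduce

p = 2**256 - 2**32 - 977  # secp256k1 field prime
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
rand = lambda: 1 + secrets.randbelow(n - 1)  # nonzero scalar

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A=G):  # kA by double-and-add (teaching code, not constant time)
    R, k = None, k % n
    while k:
        R = add(R, A) if k & 1 else R
        A, k = add(A, A), k >> 1
    return R

def H(*parts):
    """Hash ints, points and bytes to a scalar mod n (the slides' H)."""
    h = hashlib.sha256()
    for v in parts:
        if isinstance(v, tuple):
            v = v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
        h.update(v.to_bytes(32, "big") if isinstance(v, int) else v)
    return int.from_bytes(h.digest(), "big") % n

def verify(P, m, R, s):  # slide 2: sG == R + eP with e = H(P, R, m)
    return mul(s) == add(R, mul(H(P, R, m), P))

def sign_s2c(x, m, c, nonce):
    """Sign-to-contract (slide 4): R = R0 + H(R0||c)G, k = nonce(x, m, c)."""
    k = nonce(x, m, c)
    R0 = mul(k)
    t = H(R0, c)
    R = add(R0, mul(t))
    return R0, R, (k + t + H(mul(x), R, m) * x) % n

nonce_unsafe = lambda x, m, c: H(x, m)      # slide 6: k = H(x||m)
nonce_safe = lambda x, m, c: H(x, m, H(c))  # slide 7: k = H(x||m||H(c))

def replay_leaks_key(x, m, nonce):
    """Slide 6: sign one m under two contracts; True iff s - s' gives back x."""
    c1, c2 = b"contract-A", b"contract-B"  # constructed contracts
    R0a, Ra, sa = sign_s2c(x, m, c1, nonce)
    R0b, Rb, sb = sign_s2c(x, m, c2, nonce)
    if R0a != R0b:  # fresh nonce per contract, so k does not cancel
        return False
    ea, eb = H(mul(x), Ra, m), H(mul(x), Rb, m)
    return (sa - sb - H(R0a, c1) + H(R0a, c2)) * pow(ea - eb, -1, n) % n == x

def vss_deal(xi, k, holders):
    """Slide 11: shares zeta_{i,j} = p_i(j) plus commitments gamma_{i,t}G."""
    coeffs = [xi] + [rand() for _ in range(k - 1)]
    shares = {j: sum(c * pow(j, t, n) for t, c in enumerate(coeffs)) % n
              for j in holders}
    return shares, [mul(c) for c in coeffs]

def vss_check(j, zeta, commits):  # holder j: zeta_{i,j}G == sum_t j^t gamma_{i,t}G
    rhs = reduce(add, (mul(pow(j, t, n), C) for t, C in enumerate(commits)), None)
    return mul(zeta) == rhs

def lagrange(j, signers):
    """lambda_j with p(0) = sum_{j in signers} lambda_j p(j)."""
    return reduce(lambda a, l: a * l * pow(l - j, -1, n) % n,
                  (l for l in signers if l != j), 1)

def threshold_sign(P, m, signers, shares, mu):
    """Slides 13-14: signer j contributes k_j and [..]_j = sum_i lambda_j mu_i zeta_{i,j}."""
    box = {j: sum(lagrange(j, signers) * mu[i] * shares[i][j] for i in mu) % n
           for j in signers}
    ks = {j: rand() for j in signers}
    R = reduce(add, (mul(ks[j]) for j in signers), None)
    e = H(P, R, m)
    return R, sum(ks[j] + e * box[j] for j in signers) % n

def threshold_demo(k=2, parties=(1, 2, 3), m=b"spend 1 BTC"):
    """Slide 16: two different k-subsets sign; both verify under the same P."""
    xs = {i: rand() for i in parties}
    L = H(*[mul(xs[i]) for i in parties])  # H(P1||...||Pn)
    mu = {i: H(L, i) for i in parties}     # mu_i = H[L||i]
    P = reduce(add, (mul(mu[i] * xs[i]) for i in parties), None)  # sum mu_i x_i G
    dealt = {i: vss_deal(xs[i], k, parties) for i in parties}
    shares = {i: dealt[i][0] for i in parties}
    assert all(vss_check(j, shares[i][j], dealt[i][1]) for i in parties for j in parties)
    return (verify(P, m, *threshold_sign(P, m, (1, 2), shares, mu)),
            verify(P, m, *threshold_sign(P, m, (2, 3), shares, mu)))
```

`replay_leaks_key(x, m, nonce_unsafe)` returns `True` because both signatures share $R_0$ and the subtraction cancels $k$; with `nonce_safe` the two $R_0$ values differ and it returns `False`, which is exactly what the $H(c)$ round trip on slide 7 buys. `threshold_demo()` returns `(True, True)`: the signatures from signers {1, 2} and {2, 3} both verify under the same $P$, and nothing in $(R, s)$ records which subset produced it, which is the unaccountability slide 16 describes.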

SLIDE 17

Accountability

What does an accountable signature look like? Satoshi-style “concatenate individual signatures” threshold signatures, for one. Can we get a constant-size accountable signature? I doubt it.


SLIDES 18-19

Accountability

$$\mu_i = H\big[\,H(P_1 \| P_2 \| \cdots \| P_n)\,\|\,i\,\big], \qquad P = \sum_j [\cdots]_j\, G$$

$$R_j = k_j G, \qquad R_0 = \sum_j R_j, \qquad R = R_0 + H(R_0 \| c)\,G, \qquad e = H(P, R, m)$$

$$s_j G = k_j G + e\,[\cdots]_j\, G, \qquad sG = \sum_j k_j G + \sum_j e\,[\cdots]_j\, G$$

SLIDE 20

Semi-Accountability

Suppose that $c$ commits to an accountable threshold signature. Then we have an unaccountable signature that commits to an accountable signature. Signers can refuse to participate if this commitment is missing or invalid; hardware enforced.


SLIDE 21

Semi-Accountability

Then, assuming at least one party in the signature is honest and will publish the committed accountable signature, the result is "accountable". (Of course, this doesn't help if nobody is honest, which is often what you need accountability for...)


SLIDE 22

Open Questions

Can we construct a commitment that can be reconstructed or brute-forced by third parties? Can we get deniability, i.e. can a non-participant prove non-participation without help? Extension to BLS which has no space for committing data?


SLIDE 23

Thank you. Andrew Poelstra clauspschnorr@wpsoftware.net
