Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu - - PowerPoint PPT Presentation

Compact Multi-Signatures for Smaller Blockchains

Dan Boneh1, Manu Drijvers2, Gregory Neven2

1 Stanford University 2 DFINITY

Bitcoin Blockchain and transactions

Witness Input1 Output1 Input2 Output2

Pointer to previous

• utput with

addrin = H(pk) amountin = 1 BTC recipient address & amount addrout = H(pk’) amountout = 1 BTC Witness data for all transactions pk, 𝞽 under pk

Witness

Saving space is important

• Larger transactions mean higher network and storage requirements
• Current Bitcoin blockchain is almost 200 GB
• Block size is limited
• Limits transaction throughput
• Smaller transactions can mean higher throughput
• Goal: minimize total witness size

using multisignatures

Witness

Input1 Output1 Input2 Output2

Witness

Multi-Signature Schemes

• Ver {𝑞𝑙(, 𝑞𝑙*, 𝑞𝑙+}, σ, 𝑛 = 1/0
• Every signer must agree to signing m
• Key aggregation: 𝑏𝑞𝑙 = KAgg({𝑞𝑙(, 𝑞𝑙*, 𝑞𝑙+})
• Ver 𝑏𝑞𝑙, σ, 𝑛 = 1/0

𝑡𝑙(, 𝑞𝑙( ← KGen(1=) 𝑡𝑙*, 𝑞𝑙* ← KGen(1=)

Sign 𝑞𝑙(, 𝑞𝑙*, 𝑞𝑙+, 𝑡𝑙(, 𝑛 ↔ Sign 𝑞𝑙(, 𝑞𝑙*, 𝑞𝑙+, 𝑡𝑙*, 𝑛 ↔ Sign 𝑞𝑙(, 𝑞𝑙*, 𝑞𝑙+, 𝑡𝑙+, 𝑛

𝑡𝑙+, 𝑞𝑙+ ← KGen(1=)

σ σ σ

Recap: Boneh-Lynn-Shacham signatures

Let 𝐻( = 𝑕( , 𝐻* = 𝑕* , 𝐻C = 𝑕C , with bilinear pairing 𝑓

• KGen: 𝑞𝑙 = 𝑕*

FG

• Sign(sk, m): 𝜏 = 𝐼 𝑛 FG
• Verify(pk, σ, m): 𝑓 𝜏, 𝑕* = 𝑓(𝐼 𝑛 , 𝑞𝑙)

Naïve BLS Multi-signatures

Let 𝐻( = 𝑕( , 𝐻* = 𝑕* , 𝐻C = 𝑕C , with bilinear pairing 𝑓

• KGen: 𝑞𝑙J = 𝑕*

FGK

• KAgg(pk1 , …, pkn): 𝑏𝑞𝑙 = ∏ 𝑞𝑙J
• Sign(pk1 , …, pkn , ski, m): 𝑡J = 𝐼 𝑛 FGK, 𝜏 = ∏ 𝑡J
• Verify(apk, σ, m): 𝑓 𝜏, 𝑕* = 𝑓(𝐼 𝑛 , 𝑏𝑞𝑙)

Rogue-Key Attack: Adversary chooses 𝑞𝑙 = NO

PQ

RG∗ ,

Adversary can sign for {𝑞𝑙, 𝑞𝑙∗} by setting 𝜏 = 𝐼 𝑛 FG Can be mitigated using “proofs-of-possession” [RY07]

New BLS Multi-signatures without PoPs

Let 𝐻( = 𝑕( , 𝐻* = 𝑕* , 𝐻C = 𝑕C , with bilinear pairing 𝑓

• KGen: 𝑞𝑙J = 𝑕*

FGK

• KAgg(pk1 , …, pkn): 𝑏𝑞𝑙 = ∏ 𝑞𝑙J

TK

• , with 𝑏J = 𝐼((𝑞𝑙J, {𝑞𝑙(, … , 𝑞𝑙V})
• Sign(pk1 , …, pkn, ski, m): 𝑡J = 𝐼W 𝑛 FGK,

𝜏 = ∏ 𝑡J

TK

• Verify(apk, σ, m): 𝑓 𝜏, 𝑕* = 𝑓(𝐼W 𝑛 , 𝑏𝑞𝑙)

Uses trick from [Maxwell-PSW18] Thm: secure multi-signature scheme under co-CDH in ROM

Bitcoin Multisig address

Witness Input Output

Pointer to addrin = H(pk1, …, pkn) amountin = 1 BTC

Witness Input Output

pk1, …, pkn, 𝞽1, ..., 𝞽n 3n group elements Bitcoin with multiple ECDSA signatures Bitcoin using our BLS multi-signatures

Pointer to addrin = H(apk) amountin = 1 BTC

apk, 𝞽 2 group elements

Aggregatable Multi-Signatures

Extend multi-signature definition with two additional algorithms

• SigAgg({apki, mi, σi}): Aggregate a set of multi-signatures into a single object
• AggVerify({apki, mi}, Σ): Verify that the aggregate multi-signature

For our BLS multisignature scheme

• Sign(pk1 , …, pkn, ski, m): 𝑡J = 𝐼W 𝑏𝑞𝑙, 𝑛 FGK,

𝜏 = ∏ 𝑡J

TK

• SigAgg({apki, mi, σi}): Σ = ∏ 𝜏J
• AggVerify({apki, mi}, Σ): 𝑓 Σ, 𝑕* = ∏ 𝑓(𝐼W 𝑛J , 𝑏𝑞𝑙J)
• Thm: secure aggregatable multisignature scheme under 𝜔-co-CDH in ROM

Aggregatable Multi-Signatures in Bitcoin

Witness Input Output

Bitcoin with multiple ECDSA signatures Bitcoin using aggregatable multi-signatures

Witness Input Output Witness Input Output

⋮ ⋮ ⋮

m

Combined witness contains

• 𝑜 ⋅ 𝑛 public keys
• 𝑜 ⋅ 𝑛 signatures

Combined witness contains

• 𝑛 (aggregate) public keys
• 1 aggregate multi-signature

Input Output Input Output

Witness

Input Output

⋮ ⋮ ⋮

m

Block of m transactions, each spending from an n-multisig address 1296 KB 216 KB

t-out-of-n wallets

• Multi-signatures always require n-out-of-n, what about other policies?
• Typical threshold wallets have addr = 𝐼(𝑞𝑙(, … , 𝑞𝑙V, 𝑢)
• Need to reveal n keys and t signatures
• For small V

C , use multi-signatures

• Exhaustively list apk of all t-size subsets

apk1 apk2 apk3 apk4 apk5 apk6 root

Can we handle arbitrary t, n?

Yes! Using a new Accountable Subgroup Multi-signature (ASM)

• Aggregate public key 𝑏𝑞𝑙 ∈ 𝐻*
• Any subset 𝑇 = [1, 1, 0, … ] can sign in an accountable way
• Signature 𝜏 ∈ 𝐻(×𝐻*
• Thm: under 𝜔-co-CDH in ROM
• t-out-of-n Bitcoin transaction
• Reveal 𝑏𝑞𝑙, 𝜏, 𝑇
• Almost constant: 3 group elements + n bits

Our ASM Scheme

Alice 𝑞𝑙( = 𝑕*

FGf

Bob 𝑞𝑙* = 𝑕*

FGO

Charlie 𝑞𝑙+ = 𝑕*

FGg

Key aggregation: 𝑏𝑞𝑙 = ∏ 𝑞𝑙J

TK = 𝑕* TFG

• 𝑛𝑙( = 𝐼* 𝑏𝑞𝑙, 1 TFG

𝑛𝑙* = 𝐼* 𝑏𝑞𝑙, 2 TFG 𝑛𝑙+ = 𝐼* 𝑏𝑞𝑙, 3 TFG Membership keys: 𝑡( = 𝐼W 𝑏𝑞𝑙, 𝑛 FGf ⋅ 𝑛𝑙( 𝑡* = 𝐼W 𝑏𝑞𝑙, 𝑛 FGO ⋅ 𝑛𝑙* Combine: (𝑙 = 𝑞𝑙( ⋅ 𝑞𝑙*, 𝑡 = 𝑡( ⋅ 𝑡*) Sign: Verify(apk, S=[1,1,0], (k, s)) : 𝑓 𝑡, 𝑕( = 𝑓(∏ 𝐼* 𝑏𝑞𝑙, 𝑗 , 𝑏𝑞𝑙) ⋅ 𝑓(𝐼* 𝑏𝑞𝑙, 𝑛 , 𝑙)

• J∈k

3 pairings

Conclusion

• BLS multi-signatures without PoPs
• Support key aggregation
• Support aggregation of multi-signatures
• Accountable Subgroup Multi-signatures
• Key aggregation
• Any subgroup can create constant size accountable multi-signature
• Supports partial aggregation
• Schnorr multi-signatures without PoPs
• All schemes with PoPs

Thanks!

ia.cr/2018/483

Can we handle arbitrary t, n?

Yes! Using a new Accountable Subgroup Multi-signature (ASM)

• Aggregate public key 𝑏𝑞𝑙 ∈ 𝐻*
• Any subset 𝑇 = [1, 1, 0, … ] can sign in an accountable way
• Signature 𝜏 ∈ 𝐻(×𝐻*
• Thm: under 𝜔-co-CDH in ROM

Witness Input Output

Pointer to addrin = H(apk,t) amountin = 1 BTC

apk, t, 𝞽, S

• approx. 3 group elements