efficiency and privacy improvements for bitcoin with
play

Efficiency and Privacy Improvements for Bitcoin with Schnorr - PowerPoint PPT Presentation

Nov 25, 2023 •106 likes •1.82k views

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

  1. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  2. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  3. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 . . . m q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  4. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 . . . m q σ q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  5. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  6. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  7. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  8. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  9. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  10. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  11. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Algorithm solving P P instance solution pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  12. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Algorithm solving P P instance solution pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  13. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (1/2) Abelian group An abelian group is a set G with a binary operation + : G × G → G such that the following holds: • (associativity): ∀ A , B , C ∈ G , ( A + B ) + C = A + ( B + C ) • (identity element): ∃ E ∈ G such that E + A = A + E = A for all A ∈ G • (inverse): ∀ A ∈ G , ∃ B ∈ G such that A + B = B + A = E • (commutativity): ∀ A , B ∈ G , A + B = B + A Notation: for n ∈ N , nA = A + · · · + A (with 0 A = E ) � �� � n times Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 11 / 43

  14. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (2/2) Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 12 / 43

  15. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (2/2) Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 12 / 43

  16. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr authentication protocol [Sch89, Sch91] Public parameters: a cyclic group G of prime order p , a generator G of G � sk Alice = x ← $ Z p pk Alice = X pk Alice = xG = X R r ← $ Z p , R = rG c c ← $ Z p s s = r + cx mod p ? Check sG = R + cX Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 13 / 43

  17. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr’s protocol is a “proof of knowledge” Theorem Schnorr’s protocol is secure against impersonation under the discrete logarithm assumption. Proof. • assume there exists an attacker A which is able to authenticate with good probability • we run A on public key X : it sends R = rG , we answer with c 1 , and A returns the correct answer s 1 = r + c 1 x mod p • we rewind A and run it again: it sends R = rG , we answer with c 2 � = c 1 , and A returns the correct answer s 2 = r + c 2 x mod p • we compute x = ( s 1 − s 2 )( c 1 − c 2 ) − 1 mod p Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 14 / 43

  18. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  19. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  20. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  21. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  22. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  23. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  24. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  25. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  26. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  27. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  28. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  29. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  30. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  31. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  32. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  33. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  34. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  35. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  36. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  37. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  38. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  39. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  40. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  41. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  42. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  43. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  44. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  45. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  46. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  47. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  48. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  49. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  50. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  51. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  52. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  53. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  54. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  55. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  56. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  57. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  58. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  59. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  60. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  61. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  62. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA: Summary Schnorr: σ = ( R , s ) ECDSA: σ = ( c , s ) � � ? ? H ( m ) s − 1 G + cs − 1 X sG = R + H ( R , m ) X f = c Ver Fiat-Shamir � × sec. proof � × H 2nd preimage collision non-mall. � × batch ver. � × Reminder: • computing two signatures with the same r leaks the private key! • even minor weaknesses in the generation of r can leak the private key after a few hundreds of signatures [NS03] • practical attacks (Sony PlayStation 3 hack, Android RNG) • solution: derandomization (RFC 6979) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 22 / 43

  63. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA: Summary Schnorr: σ = ( R , s ) ECDSA: σ = ( c , s ) � � ? ? H ( m ) s − 1 G + cs − 1 X sG = R + H ( R , m ) X f = c Ver Fiat-Shamir � × sec. proof � × H 2nd preimage collision non-mall. � × batch ver. � × Reminder: • computing two signatures with the same r leaks the private key! • even minor weaknesses in the generation of r can leak the private key after a few hundreds of signatures [NS03] • practical attacks (Sony PlayStation 3 hack, Android RNG) • solution: derandomization (RFC 6979) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 22 / 43

  64. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Outline Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 23 / 43

  65. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  66. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  67. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  68. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  69. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  70. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  71. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  72. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  73. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  74. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  75. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  76. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  77. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  78. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  79. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  80. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  81. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  82. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  83. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  84. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Privacy : Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher Independent investigative journalist Research focus: Bitcoin / cryptocurrencies, information security, privacy, surveillance, and

1.3k views • 85 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's Privacy Problem 2 Would you like a new credit card? You will pay almost no fees! Sure! Any fine print? We will publicly broadcast every payment that

473 views • 34 slides
On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan apkun ETH Zurich, NEC Research ACSAC 2014 Bitcoin Bitcoin Peer-to-peer decentralized currency

1.06k views • 74 slides
Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin

1.23k views • 90 slides
Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in Bitcoin Jonas Nick 1/34 Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy

1.22k views • 96 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016 eprint.iacr.org/2015/1008.pdf github.com/bbuenz/provisions Jeremy Clark Dan Boneh Gaby Dagher Benedikt Bnz Joseph Bonneau Many users use Bitcoin

768 views • 28 slides
Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency

Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency

Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency improvements out run growth? Historical review of 10 activities including materials and electricity production and consumer services (Dahmus &

647 views • 62 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum

Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum

Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum September 12, 2014 Portland, Maine Michael D. Stoddard Executive Director Efficiency Maine Trust The Efficiency Maine Trust The independent

374 views • 22 slides
Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE Augmenting Nature by Green

Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE Augmenting Nature by Green

THIS PRESENTATION WAS SHARED BY Mr. Abdullah Nisar Siddiqui Technical Expert, IGEN-EERB, GIZ FOR THE SESSION: Policy Implementation and Enforcement DURING ANGAN 2019 Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE

1.18k views • 52 slides
Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli .ch PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D Privacy Security Trust Privacy Transaction / scripts privacy Security Trust No-trust

700 views • 43 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

take a closer look Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating Equipment Engineer Tom Ripper | Facilities Operations Coordinator CIEC Networking Event | October 05 | 2012 Future oriented

577 views • 22 slides
Combining L A T EX with Python Uwe Ziegenhagen August 9, 2019 Dante e. V. Heidelberg 1 About

Combining L A T EX with Python Uwe Ziegenhagen August 9, 2019 Dante e. V. Heidelberg 1 About

Combining L A T EX with Python Uwe Ziegenhagen August 9, 2019 Dante e. V. Heidelberg 1 About me Uwe Ziegenhagen, from Cologne, Germany In-house analyst in banking and private equity Responsible for developing and maintaining

447 views • 41 slides
61A Lecture 34 ! There will be a screencast of live lecture (as always) ! Screencasts:

61A Lecture 34 ! There will be a screencast of live lecture (as always) ! Screencasts:

Announcements Recursive art contest entries due Monday 12/2 @ 11:59pm Guerrilla section about logic programming on Monday 12/2 1pm-3:30pm in 273 Soda Homework 11 due Thursday 12/5 @ 11:59pm No video of lecture on Friday 12/6 ! Come

217 views • 4 slides
Understanding simhwrt Output Nevember 22, 2011 CS6965 Fall 11 Simulator Updates You may or

Understanding simhwrt Output Nevember 22, 2011 CS6965 Fall 11 Simulator Updates You may or

Understanding simhwrt Output Nevember 22, 2011 CS6965 Fall 11 Simulator Updates You may or may not want to grab the latest update If you have changed the simulator code for your project, it might conflict Updates include small

551 views • 32 slides
A Linearised Input-Output Representation for Control Synthesis in Flexible Multibody System A

A Linearised Input-Output Representation for Control Synthesis in Flexible Multibody System A

12.3 & paper ES A Linearised Input-Output Representation for Control Synthesis in Flexible Multibody System A Linearised Input-Output Representation for Dynamics Control Synthesis in Flexible Multibody System Layout Dynamics Finite

313 views • 9 slides
Adapton: Composable Demand-Driven Incremental Computation Matthew A. Hammer Khoo Yit Phang,

Adapton: Composable Demand-Driven Incremental Computation Matthew A. Hammer Khoo Yit Phang,

Adapton: Composable Demand-Driven Incremental Computation Matthew A. Hammer Khoo Yit Phang, Michael Hicks and Jeffrey S. Foster Incremental Computation Input Output Application Application Code IC IC Framework Framework

980 views • 80 slides
CS162: Introduction to Computer Science II Streams 1 Streams A stream is a flow of data

CS162: Introduction to Computer Science II Streams 1 Streams A stream is a flow of data

CS162: Introduction to Computer Science II Streams 1 Streams A stream is a flow of data Input stream: a stream going into your program (eg. from a keyboard or file) cin is an input stream from the keyboard Output stream: a

351 views • 16 slides
Writing M ATLAB C/MEX Code Pascal Getreuer Pascal Getreuer (UCLA) MATLAB C/MEX 1 / 21 What is

Writing M ATLAB C/MEX Code Pascal Getreuer Pascal Getreuer (UCLA) MATLAB C/MEX 1 / 21 What is

Writing M ATLAB C/MEX Code Pascal Getreuer Pascal Getreuer (UCLA) MATLAB C/MEX 1 / 21 What is MEX? MEX-functions are programs written in C, C++, or Fortran code that are callable from Matlab . We will focus on C. MEX provides C functions

347 views • 23 slides
Logistic Regression using OLS1D in Excel 2013 XL4D: V0H XL4D: V0H XL4D: V0H 2015 Schield

Logistic Regression using OLS1D in Excel 2013 XL4D: V0H XL4D: V0H XL4D: V0H 2015 Schield

Logistic Regression using OLS1D in Excel 2013 XL4D: V0H XL4D: V0H XL4D: V0H 2015 Schield Logistic Regression using OLS1D in Excel2013 1 2015 Schield Logistic Regression using OLS1D in Excel2013 2 Logistic Regression Background & Goals

224 views • 21 slides

More recommend