On the Security of Two-Round Multi-Signatures



SLIDE 1

On the Security of Two-Round Multi-Signatures

Manu Drijvers (1), Kasra Edalatnejad (2), Bryan Ford (2), Eike Kiltz (3), Julian Loss (3), Gregory Neven (1), Igors Stepanovs (4)

(1) DFINITY, (2) EPFL, (3) Ruhr-University Bochum, (4) UCSD

SLIDE 2

Multi-signatures

(pk1, sk1) ← Kg    Sign((pk1,pk2,pk3), sk1, m) → σ
(pk2, sk2) ← Kg    Sign((pk1,pk2,pk3), sk2, m) → σ
(pk3, sk3) ← Kg    Sign((pk1,pk2,pk3), sk3, m) → σ
(↔: the signers interact while signing)
Verify((pk1,pk2,pk3), m, σ) = 1

Every signer must agree to sign m
Goal: short signature (preferably ≈ a single signature, definitely << N signatures), efficiently verifiable

SLIDE 3

Multi-signatures

(pk1, sk1) ← Kg    Sign((pk1,pk2,pk3), sk1, m) → σ
(pk2, sk2) ← Kg    Sign((pk1,pk2,pk3), sk2, m) → σ
(pk3, sk3) ← Kg    Sign((pk1,pk2,pk3), sk3, m) → σ
(↔: the signers interact while signing)
Key aggregation: apk ← KAgg(pk1,pk2,pk3)
Verify(apk, m, σ) = 1

Every signer must agree to sign m
Goal: short signature (preferably ≈ a single signature, definitely << N signatures), efficiently verifiable

SLIDE 4

Applications of multi-signatures

  • Improve Bitcoin throughput / reduce blockchain size
    • “multisig” transactions as small as other transactions
    • Reduce size of multi-input multi-output transactions
  • Collective signing by co-thorities (e.g., CoSi [STV+16])
  • Distributed random beacons (e.g., RandHound [SJK+17])
  • Block certification in proof-of-stake / permissioned blockchains
    • e.g., Dfinity, OmniLedger, Zilliqa, Harmony, Algorand, …

SLIDE 5

Existing multi-signatures

SLIDE 6

Schnorr signatures

pk = g^sk
r ←R Zq
t ← g^r
c ← H(t, m)
s ← r + c·sk mod q
σ ← (c, s)
Verification: c = H(g^s · pk^(-c), m)

Efficient & provably secure
  • under the discrete-log assumption
  • in the random-oracle model: model the hash function as an ideal random function

SLIDE 7

“Plain” Schnorr multi-signatures

Each signer i (i = 1, 2, 3) holds pk_i = g^sk_i and runs:
r_i ←R Zq
t_i ← g^r_i
t ← t1·t2·t3
c ← H(t, m)
s_i ← r_i + c·sk_i mod q
s ← s1 + s2 + s3 mod q
σ ← (c, s)
(↔: the signers exchange the t_i, then the s_i)

Verification: apk ← pk1 · pk2 · pk3; check c = H(g^s · apk^(-c), m)

SLIDE 8

Problem 1: Rogue-key attacks

pk1 = g^sk1
pk2 = g^sk2 / pk1
apk = pk1 · pk2 = g^sk2
Signer 2 can compute signatures under apk by himself!

Known remedies:
  • Per-signer challenges [BN06]
  • Proofs of possession added to pk [RY07, BCJ08]
  • MuSig key aggregation: apk ← Π pk_i^H(pk_i, {pk1,…,pkN}) [MPSW18]
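To make slides 6 to 8 concrete, here is an added example (not code from the paper or from any of the projects it cites) that runs plain Schnorr multi-signing over a toy group, registers the rogue key pk2 = g^sk2 / pk1 from this slide, and compares the plain aggregate key with MuSig key aggregation. The group parameters, the secrets, the nonces and the message "pay" are all constructed for illustration.

```python
import hashlib

# Toy group, constructed for illustration only: Z_p^* for the Mersenne prime
# p = 2^127 - 1, base g = 3, exponents reduced mod n = p - 1.  n is composite,
# so this is NOT a secure parameter choice (the slides use a prime-order Z_q).
P, G = 2**127 - 1, 3
N = P - 1

def H(*parts):
    """Random-oracle stand-in: SHA-256 of the joined parts, reduced mod n."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def prod(xs):
    """Product of group elements mod p."""
    out = 1
    for x in xs:
        out = out * x % P
    return out

def schnorr_verify(pk, m, sig):
    """Slide 6 check: c == H(g^s * pk^-c, m)."""
    c, s = sig
    return H(pow(G, s, P) * pow(pk, -c, P) % P, m) == c

def plain_multisign(sks, rs, m):
    """Plain Schnorr multi-signature (slide 7): t = prod g^r_i, shared c, s = sum s_i."""
    c = H(prod(pow(G, r, P) for r in rs), m)
    return (c, sum(r + c * sk for r, sk in zip(rs, sks)) % N)

def plain_kagg(pks):
    """apk = prod pk_i: verifies plain multi-signatures, but admits rogue keys."""
    return prod(pks)

def musig_kagg(pks):
    """MuSig key aggregation (slide 8): apk = prod pk_i^H(pk_i, {pk_1..pk_N})."""
    return prod(pow(pk, H(pk, *sorted(pks)), P) for pk in pks)

def rogue_key_demo():
    """Slide 8: signer 2 registers pk2 = g^sk2 / pk1 without knowing sk1.
    Returns (plain apk == g^sk2, signer 2 alone verifies under plain apk,
    MuSig apk == g^sk2)."""
    sk1, sk2 = 123456789, 987654321                  # constructed secrets
    pk1 = pow(G, sk1, P)
    pk2 = pow(G, sk2, P) * pow(pk1, -1, P) % P
    apk = plain_kagg([pk1, pk2])
    sig = plain_multisign([sk2], [42], "pay")        # only signer 2 signs
    return (apk == pow(G, sk2, P), schnorr_verify(apk, "pay", sig),
            musig_kagg([pk1, pk2]) == pow(G, sk2, P))
```

With plain aggregation the lone signer's signature verifies under apk; with MuSig coefficients the same rogue pk2 no longer yields an aggregate key whose discrete log signer 2 knows.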

SLIDE 9

Problem 2: Signature simulation

Simulator (pk1): c, s1 ←R Zq; t1 ← g^s1 · pk1^(-c); sends t1 →
Adversary (pk2): replies ← t2
t ← t1·t2; c ← H(t, m)

Standard Schnorr proof technique does not work (cannot program the random oracle, because the adversary knows t before the simulator does)

SLIDE 10

Multi-signatures from discrete logarithms

Scheme                          | Rounds | Rogue keys            | Signature simulation
BN [BN06]                       | 3      | per-signer challenges | preliminary round H(ti)
BCJ-1 [BCJ08]                   | 2      | per-signer challenges | homomorphic equivocable (HE) commitments
BCJ-2 [BCJ08]                   | 2      | proofs of possession  | homomorphic equivocable (HE) commitments
MWLD [MWLD10]                   | 2      | per-signer challenges | witness-indistinguishable keys
CoSi [STV+16]                   | 2      | proofs of possession  | (no security proof)
MuSig-1 [MPSW18a]               | 2      | MuSig key aggregation | DL oracle in one-more DL assumption
mBCJ [this work]                | 2      | proofs of possession  | per-message HE commitments
BDN-DL, MuSig-2 [BDN18, MPSW19] | 3      | MuSig key aggregation | preliminary round H(ti)
BDN-DLpop [BDN18]               | 3      | proofs of possession  | preliminary round H(ti)
BLS [Bol03, RY07]               | 1      | proofs of possession  | pairings
BDN-P [BDN18]                   | 1      | MuSig key aggregation | pairings

SLIDE 11

Attacks and non-provability

SLIDE 12

Wagner’s generalized birthday attack [W02]

k-sum problem in Zq: given k lists of random elements in Zq, find (c1,…,ck), one element from each list, such that c1 + … + ck = 0 mod q.
Subexponential solution: solved for k = 2^√n in time O(2^(2√n)), where n = |q|.

(Figure: List 1 containing c1, …; List 2 containing c2, …; …; List k containing ck, …)

SLIDE 13

Application to “plain” Schnorr and CoSi

(Figure: k−1 parallel signing sessions with commitments t1 ← g^r1, …, t(k−1) ← g^r(k−1) and t* ← t1·…·t(k−1); one list of challenges H(·, m) per session plus a target list H(t*, m1), H(t*, m2), …, H(t*, mL); the k-sum solver finds c1 + … + c(k−1) = c*)

  • sk only appears in the signature in s = r + c·sk, with c = H(g^r, m)
  • If we have signatures with c1 + … + c(k−1) = H(t*, m), we can forge a signature on m*!

SLIDE 14

Attacks on two-round multi-signature schemes

  • Attack applies to all previously* known two-round schemes
    • BCJ-1 and BCJ-2
    • MWLD
    • CoSi
    • MuSig-1
  • Sub-exponential but practical (for 256-bit q)
    • 15 parallel signing queries: 2^62 steps
    • 127 parallel signing queries: 2^45 steps
  • Prevented by increasing |q|

…any hope for provable (asymptotic) security?

* before the first version of this paper

SLIDE 15

Non-provability of two-round schemes

Theorem: One-more discrete logarithm problem is hard ⇒ BCJ/MWLD/CoSi/MuSig-1 cannot be proved secure under one-more discrete logarithm (through algebraic black-box reductions in the random-oracle model)

Essentially excludes all known proof techniques (including rewinding) under likely assumptions.
Subtle flaws in the proofs of BCJ/MWLD/MuSig-1 (CoSi was never proved secure)

SLIDE 16

Secure schemes

SLIDE 17

Modified BCJ multi-signature

  • 2 rounds, secure under discrete logarithm, same efficiency as BCJ
  • Large-scale deployment:
    • 16,384 signers generate a signature within 2 seconds
    • 20% bandwidth, 75% computation increase compared to CoSi (plain Schnorr)
SLIDE 18

Other secure schemes

  • Three-round scheme [BDN18, MPSW19]
    • Secure under the discrete-log assumption
  • Non-interactive scheme from BLS [BLS01, Bol03, RY07, BDN18]
    • Smaller signatures
    • Non-interactive aggregation
    • Requires bilinear pairings
SLIDE 19

Lessons learned

SLIDE 20

Lessons learned

  • Cryptographic schemes need security proofs
    • Don’t drop steps that look like they’re “just to make the proof work”
  • Security proofs must be reviewed
    • Proofs can be subtle, especially with rewinding arguments
    • Tool support for checking proofs?
  • Provable security is not perfect, but the best tool we have
SLIDE 21

Thank you!

ia.cr/2018/417

SLIDE 22

References

[BN06] Bellare, Neven: Multi-signatures in the plain public-key model and a general forking lemma. CCS 2006
[BCJ08] Bagherzandi, Cheon, Jarecki: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. CCS 2008
[MWLD10] Ma, Weng, Li, Deng: Efficient discrete logarithm based multi-signature scheme in the plain public key model. Designs, Codes and Cryptography 2010
[STV+16] Syta et al.: Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning. IEEE S&P 2016
[MPSW18a] Maxwell, Poelstra, Seurin, Wuille: Simple Schnorr Multi-Signatures with Applications to Bitcoin. ePrint report 2018/068, version 20180118:124757
[MPSW19] Maxwell, Poelstra, Seurin, Wuille: Simple Schnorr Multi-Signatures with Applications to Bitcoin. Designs, Codes and Cryptography 2019
[BDN18] Boneh, Drijvers, Neven: Compact Multi-signatures for Smaller Blockchains. ASIACRYPT 2018
[RY07] Ristenpart, Yilek: The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks. EUROCRYPT 2007

SLIDE 23

Modified BCJ multi-signatures

Keys: pk_i = g^sk_i + PoP
KAgg: check the PoPs, apk ← Π pk_i

Signer i:
(g2, h1, h2) ← H'(m)
r_i, α_i,1, α_i,2 ←R Zq
t_i,1 ← g1^α_i,1 · h1^α_i,2
t_i,2 ← g2^α_i,1 · h2^α_i,2 · g1^r_i
Round 1: exchange t_i,1, t_i,2
t1 ← Π t_i,1 ; t2 ← Π t_i,2
c ← H(t1, t2, Π pk_i, m)
s_i ← r_i + c·sk_i mod q
Round 2: exchange s_i, α_i,1, α_i,2
s ← Σ s_i mod q ; α1 ← Σ α_i,1 mod q ; α2 ← Σ α_i,2 mod q
σ ← (t1, t2, s, α1, α2)

Verify: c ← H(t1, t2, apk, m); check t1 = g1^α1 · h1^α2 and t2 = g2^α1 · h2^α2 · g1^s · apk^(-c)

Efficiency:
  • Sign: 1 mexp2 + 1 mexp3 (plain Schnorr: 1 exp)
  • Verify: 3 mexp2 (plain Schnorr: 1 mexp2)
  • Signature size: 160 B (plain Schnorr: 64 B)
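The scheme above, as an added example that is not the authors' code: all signers' rounds are run in one process over a toy group, H'(m) is instantiated by hashing into the group, and proofs of possession are omitted (apk is simply Π pk_i). The group parameters, secrets and per-signer randomness are constructed for illustration.

```python
import hashlib

# Toy group, constructed for illustration only: Z_p^* for the Mersenne prime
# p = 2^127 - 1, base g1 = 3, exponents reduced mod n = p - 1.  n is
# composite, so NOT a secure choice (the slides use a prime-order Z_q).
P, G1 = 2**127 - 1, 3
N = P - 1

def H(*parts):
    """Random-oracle stand-in for H: SHA-256 of the joined parts, mod n."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def H_prime(m):
    """(g2, h1, h2) <- H'(m): hash into Z_p^* and square, so nobody learns
    the discrete logarithms of the per-message generators relative to g1."""
    def to_group(label):
        x = int.from_bytes(hashlib.sha256(f"{label}|{m}".encode()).digest(), "big")
        return pow(x % (P - 3) + 2, 2, P)
    return to_group("g2"), to_group("h1"), to_group("h2")

def prod(xs):
    """Product of group elements mod p."""
    out = 1
    for x in xs:
        out = out * x % P
    return out

def commit(m, r, a1, a2):
    """Round 1 of signer i: (t_i1, t_i2) from its randomness (r_i, alpha_i1, alpha_i2)."""
    g2, h1, h2 = H_prime(m)
    return (pow(G1, a1, P) * pow(h1, a2, P) % P,
            pow(g2, a1, P) * pow(h2, a2, P) * pow(G1, r, P) % P)

def mbcj_sign(sks, rands, m):
    """Both rounds for all signers; rands[i] = (r_i, alpha_i1, alpha_i2)."""
    ts = [commit(m, *rnd) for rnd in rands]
    t1, t2 = prod(t[0] for t in ts), prod(t[1] for t in ts)
    c = H(t1, t2, prod(pow(G1, sk, P) for sk in sks), m)   # c = H(t1, t2, prod pk_i, m)
    s = sum(rnd[0] + c * sk for rnd, sk in zip(rands, sks)) % N
    a1, a2 = sum(r[1] for r in rands) % N, sum(r[2] for r in rands) % N
    return (t1, t2, s, a1, a2)

def mbcj_verify(apk, m, sig):
    """Slide 23 check; apk = prod pk_i after PoP checks (PoPs omitted here)."""
    t1, t2, s, a1, a2 = sig
    g2, h1, h2 = H_prime(m)
    c = H(t1, t2, apk, m)
    return (t1 == pow(G1, a1, P) * pow(h1, a2, P) % P and
            t2 == pow(g2, a1, P) * pow(h2, a2, P) * pow(G1, s, P) * pow(apk, -c, P) % P)
```

The second verification equation holds because t2 = g2^α1 · h2^α2 · g1^Σr_i while g1^s · apk^(-c) = g1^(Σr_i + c·Σsk_i) · g1^(-c·Σsk_i); a signature replayed on a different message fails because H'(m) changes the generators.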

SLIDE 24

Application to “plain” Schnorr and CoSi

Query on m1: r1 ←R Zq; t1 ← g^r1; c1 ← H(t1, m1); s1 ← r1 + c1·sk; σ1 ← (c1, s1)
Query on m2: r2 ←R Zq; t2 ← g^r2; c2 ← H(t2, m2); s2 ← r2 + c2·sk; σ2 ← (c2, s2)
Forgery on m3: t3 ← t1 · t2; c3 ← H(t3, m3) such that c3 = c1 + c2; s3 ← s1 + s2; σ3 ← (c3, s3)

SLIDE 25

Lessons learned

  • Provable security! 🤕
  • Review security proofs! 🤕
    • Proofs can be subtle, especially forking
    • Tool support for checking proofs?
  • Don’t drop steps that look like they’re “just to make the proof work”
  • Provable security is not perfect, but the best tool we have
SLIDE 26

Application to “plain” Schnorr and CoSi

Honest key pk* = g^sk*. Signing sessions i = 1, …, k−1: t_i ← g^r_i, s_i ← r_i + c_i·sk* mod q
t* ← t1·…·t(k−1)
s* ← s1 + … + s(k−1) mod q
c1 + … + c(k−1) = c* mod q

g^s* = g^Σs_i = g^(Σr_i + Σc_i·sk*) = Π t_i · pk*^c* = t* · pk*^c*

(Figure: one list of challenges H(·, m) per session plus the target list H(t*, m1), H(t*, m2), …, H(t*, mL))

SLIDE 27

Multi-signatures from discrete logarithms

Scheme                          | Rounds | Rogue keys            | Signature simulation
BN [BN06]                       | 3      | per-signer challenges | preliminary round H(ti)
BCJ-1 [BCJ08]                   | 2      | per-signer challenges | homomorphic equivocable (HE) com.
BCJ-2 [BCJ08]                   | 2      | proofs of possession  | homomorphic equivocable (HE) com.
MWLD [MWLD10]                   | 2      | per-signer challenges | witness indistinguishable keys
CoSi [STV+16]                   | 2      | proofs of possession  | (no security proof)
MuSig1 [MPSW18]                 | 2      | MuSig key aggregation | DL oracle in one-more DL assumption
mBCJ (this work)                | 2      | proofs of possession  | per-message HE commitments
BDN-DL, MuSig2 [BDN18, MPSW19]  | 3      | MuSig key aggregation | preliminary round H(ti)
BDN-DLpop [BDN18]               | 3      | proofs of possession  | preliminary round H(ti)
BLS-PoP [RY07]                  | 1      | proofs of possession  | pairings
BDN-P [BDN18]                   | 1      | MuSig key aggregation | pairings