This nonlinearity prevents attacker from constructing a bad public key like in rogue key attack. The adversary issues adaptive chosen message queries m_1, m_2, ldots in MM and receives back the bitcoin signature aggregation signatures sigma_i textSign(SK, m_i) for i1,2,ldots from the challenger. Then (X,Y,Z) are the random values given to adv in the first run, and (X,Y Z are the random values given to adv in the second run. This single signature can then be verified by anyone who also knows the message and the public keys of the signers. We sign the same transaction with our hardware wallet again and bring values (R2, s2 back to our hacked computer. I really liked the paper, the MuSig scheme is smart and the paper itself is very easy to read. We conclude with the following remark: the proof of security for BLS aggregation for distinct messages makes use of an isomorphism psi: G_1 to G_0. If he does so, others will assume that XA XB is the aggregated key that Alice and Bob need to cooperate in order to sign for. Theorem 3: Let adv be an adversary attacking cal S'. A set of b multi-signatures can be verified as a batch faster than verifying them one by one. We say that the scheme cal S is secure if for all efficient adversaries the advantage is negligible.
While in many pairing instantiations this psi exists naturally, in some instantiations it does not. And there is a third important problem. In Lars Arge, Christian Cachin, Tomasz Jurdzinski, and Andrzej Tarlecki, editors, Automata, Languages and Programming - icalp 2007, volume 4596 of lncs, pages 411422. The same analysis applies if we allow PK to appear elsewhere. Then there exists an adversary bdv attacking cal S that makes no chosen message queries and whose running time is about the same as adv, such that beginequation labeleq:final textSIGadvadv, cal S qsig, qHm, qHpk leq (e cdot. The goal is to aggregate signatures and public keys from several parties/devices to a single one but without proving that you have a private key corresponding to the public key. In this attack hacker gets a pair of valid signatures for the same transaction: (R1, s1, R2, s2) and (R1 s1 R2,. Then we transfer this data to the cold wallet and sign. This brings us to several nice features of Schnorr signatures that we can use.
Let X and Y, Y' and Z, Z' be mutually independent random variables, where X takes values in the set S, the variables Y and Y' are each uniformly distributed over R, and Z and Z' take values in the set. Moreover, in the case of n-of-n multisig, one can further aggregate all n public keys into a single aggregate public key that is used to derive the multisig address. Technically, in order to combine all the transaction inputs signatures into one, we dont need a multi-signature scheme, but an aggregate signature scheme. This means that the hacker can calculate our second private key: and. Details Notation: x, x1, x2, are private keys with corresponding public keys X, X1, X2, ( Xi xiG, with G the generator) The message being signed is m H is a cryptographic hash function Schnorr signatures As a refresher. Key aggregation cant be used across multiple inputs, as the public keys are committed to by the outputs, and those can be spent independently. This signature verifies as an aggregate of two signatures, one from PK_1 and one from PK_2, because e(g_1,sigma) ebig(g_1, Hm(m)beta big) ebig(g_1beta, Hm(m)big) ebig(PK_1 cdot PK_2, Hm(m)big). The scheme supports fast verification as in eqrefeq:aggsame and does not require users to prove knowledge of their secret key. Otherwise, bdv outputs (h_1, ldots, h_n, m, sigma) as a valid forgery. If b_i 1 then bdv forwards the query to its challenger and sends the response Hm(m_i) to adv. We can make a tree with any public keys we want.
To address this, bdv will answer all of adv's queries to Hpk by generating random responses itself. Reiter and Pierangela Samarati, editors, ACM Conference on Computer and Communications Security - CCS 2001, pages 245254. For example, if we use a 2-of-3 multisig with public keys P1, P2 and P3, then we need to construct a Merkle tree of aggregated public keys for all combinations we can use: (P1, P2), (P2. MuSig This is where MuSig comes. Comparison to Schnorr multi-signatures. We can assume that the public keys in the forgery are the public keys in the query to Hpk, since otherwise the forgery cannot be valid. Output the multi-signature sigma gets sigma_1t_1 cdots sigma_nt_n in G_0. MuSig, a multi-signature scheme based on Schnorr signatures.
Transaction validation caching is compatible with signature aggregation across multiple transactions in a block. Security in the plain public-key model means that no such caveats exist. In this case it would probably be better to stay with separate signatures without aggregation then only one round is necessary. We feel safe as our bitcoins require an aggregated signature from both pk1 and pk2. We stress that this simple batching procedure can only be used when all the messages m_1,ldots, m_b are distinct. The paper and this post primarily discuss the cryptographic properties of MuSig, and arent directly a proposal for Bitcoin. So when one of them is compromised we still have control over our bitcoins. Furthermore, when an IAS is desired (where each signer has their own message appendix A of our paper suggests using L H(X1,m1 X2,m2 instead, and si ri H(L,R,i)xi for signing (and analoguous for verification).
First, signature verification includes inversion ( 1/s ) and two points multiplications and these operations are very computationally heavy. In Bitcoin every node has to verify all the transactions. First, bdv receives a public key PK big(h g_1alpha, hath g_0alphabig) from its challenger, which it forwards to adv. We prove security of this scheme in Section. Key aggregation We want to keep our bitcoins safe, so we might want to use at least two different private keys to control bitcoins.
MuSig is a simple multi-signature scheme that is novel in combining: support for key aggregation security in the plain public-key model. Specifically, we need co-CDH to hold even if the adversary has access to an oracle for psi. Also such transaction will take a huge amount of space in the block and you will have to pay large fees for that. In BLS, aggregation can take place publicly by a simple multiplication, even long after all the signatures have been generated and the signers are no longer available. Of course the pairings on the right hand side can be coalesced for repeated messages. The node can identify all the transactions in this new block that are already marked as validated in its mempool, and divide sigma by the signatures associated with these pre-validated transactions. We show than an attacker adv_3 on cal S' that makes no chosen message queries and only one query to Hpk, can be used to break co-CDH. The rewinding lemma now gives the bounds stated in the theorem, and completes the proof. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. There are two versions bitcoin signature aggregation of MuSig, which vary based on the number of communication rounds. Bdv relays all messages between its challenger and adv.
This is already a factor of 3 improvement we need to compute roughly one heavy operation per signature. No non-interactive aggregation schemes are known that only rely on the DL assumption, but interactive ones are trivial to construct: take a multi-signature scheme and have every participant sign the concatenation of all messages. Aggregate signatures can be classified as interactive or non-interactive: interactive aggregate signatures (IAS) require the signers to cooperate, while non-interactive schemes allow the aggregation to be done by anyone. Then transfer back (R2, s2) and something happened to our online wallet and it fails to sign and broadcast. One we will use on a laptop or a phone and another one on a hardware wallet / bitcoin signature aggregation cold wallet. Compatibility with transaction validation caching.
The original public keys are not needed for verifying the multi-signature. For example, transaction with 7-of-11 multisig input will contain 7 signatures and require from 7 to 11 signature verifications on every node in the network. RY07 Thomas Ristenpart and Scott Yilek. The adversary must have issued a query for Hm(m say query number. For t-of-n multisig, where n choose t is of moderate size, one can generate a Merkle tree from all n choose t aggregate public keys, and derive the multisig address from the short Merkle root. Endequation Next, bitcoin signature aggregation bdv rewinds adv to the point where it issued the query to Hpk(h, h_1, ldots, h_n). Merkle Multisig As you may have noticed, MuSig and key aggregation require all signers to sign a transaction.
Multi-Signatures in the Plain Public Key Model and a General Forking Lemma. This is pretty much similar to what we have now, but as soon as you add a third private key everything becomes more complicated. One can set things up so that all signatures are computed over the same message, namely the transaction data (see mpsw18 for the details). To generate this signature we need to choose a random number on every device (k1,k2), generate a random point RikiG, add them up to calculate a common hash(P,R1R2,m) and then bitcoin signature aggregation get s1 and s2 from every device ( si ki hash(P,R,m) pki ). We also need a random or random-looking number. In total for a block with 1000 transactions we need to verify that: Here we have a bunch of point additions (almost free in sense of computational power) and 1001 point multiplication.
We note that the security proof in this writeup does not make use of psi, and therefore this issue does not come. Algorithm bdv is a given a co-CDH instance (h g_1alpha, u g_0beta, hath g_0alpha) in G_1 times G_02. Here R2 is the same, but R R1R2 and R'R1'R2 are different. So we are trying to make a transaction as usual, prepare an unsigned transaction and R1 value, transfer them to our hardware wallet and sign there. Our paper shows that this is not always a desirable construction, and gives an IAS variant of BN with better properties instead. In Moni Naor, editor, Advances in Cryptology - eurocrypt 2007, volume 4515 of lncs, pages 228245. If all the messages m_1,ldots, m_b are distinct then we can use signature aggregation as in eqrefeq:agg to verify all these triples as a batch: Compute an aggregate signature tildesigma sigma_1 cdots sigma_b in G_1, Accept all b multi-signature tuples as valid.
Endequation Verifying an aggregate signature sigma in G_0 is done by checking that beginequation labeleq:aggdiff e(g_1, sigma) ebig(PK_1, Hm(m_1)big) cdots ebig(PK_n, Hm(m_n)big). However, this is difficult to enforce in practice, and does not fit well with applications to crypto currencies. RFC6979 to calculate deterministic k based on our secret and the message we are signing. LOS06 Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Here Lhash(P1,Pn) a common number depending on all public keys.
Some features of the Schnorr signatures I found really great and convenient, but others are pretty annoying. The third step is the most interesting so we present that step first, then the second step, and finally the general result in the first step. Springer, 2007 Bol03 Alexandra Boldyreva. The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks. With Schnorr signatures we can add up all the signature verification equations and save some computational power.
Both are provably secure, but three-round MuSig only relies on the Discrete Logarithm (DL) assumption, which ecdsa also relies. Here is how it works: Call L H(X1,X2 Each signer chooses a random nonce ri, and shares Ri riG with the other signers Call R the sum of the Ri points Each signer computes si ri H(L,Xi, R,m)xi. This requires two separate signatures to be included in the transaction. When using BLS multi-signatures, anyone can aggregate all these signatures into a single multi-signature. Then, using our public key. Wright, and Sabrina De Capitani di Vimercati, editors, ACM Conference on Computer and Communications Security - CCS 2006, pages 390399. Then there exists an adversary bdv attacking cal S that makes only a single query to Hpk, and whose running time is about the same as adv, such that textSIGadvadv, cal S 0, qHm, qHpk leq qHpk cdot textSIGadvbdv, cal S 0, qHm,. If e(g_1,sigma) e(APK, Hm(m) output "accept otherwise output "reject". The aggregated signature is (R, s R1Rn, s1sn) and verification equation is the same as before: sG R hash(P,R,m)P. Here pk is your private key, P pkG is your public key, m is the message. Rewinding lemma : Let S, R, and T be finite, non-empty sets, and let f : S times R times T rightarrow 0, 1 be a function. Instead of two scalars (r,s) we use a point, r and a scalar. Attack looks like this: someone hacked our laptop and has a complete control over one of two private keys (say, pk1 ).
I DO NOT trade OR ACT AS escrow ON this forum ever. Acknowledgements Were very grateful to Yannick Seurin for his interest in reviewing MuSigs security, writing its security proof, as well as coming up with the name. The most obvious use case for multi-signatures bitcoin signature aggregation in the context of Bitcoin is as a more efficient replacement for n -of- n multisig scripts, and other policies that permit a number of possible combinations of keys (including. First one from UI point of view. We use textSIGadvadv, cal S; qsig, qHm, qHpk to denote the adversary's advantage in attacking the scheme cal S, for an adversary that makes at most qsig signature queries, at most qHm queries to Hm, and at most qHpk queries to Hpk. However, adv can make qHpk queries to Hpk whereas bdv can only make a single Hpk query to its challenger. If a user does not aggregate the signatures, the miner mining the transaction can do it on their behalf. Effectively, the pre-validated signatures are removed from the aggregate signature sigma. M, sigmabig to verify a multi-signature sigma on m do compute (t_1,ldots, t_n) gets Hpk(PK_1,ldots, PK_n). 3.1 Proving security of multi-sig BLS We prove security of the scheme cal S from Section 2 without requiring signers to prove knowledge of their secret key. This is currently not possible just with OP_checkmultisig only if you construct much more complicated script with branches and stuff.