Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu - PowerPoint PPT Presentation

Compact Multi-Signatures for Smaller Blockchains Dan Boneh 1 , Manu Drijvers 2 , Gregory Neven 2 1 Stanford University 2 DFINITY

Bitcoin Blockchain and transactions Input 1 Output 1 Witness Input 2 Output 2 Witness Pointer to previous recipient address & Witness data for output with amount all transactions addr in = H(pk) addr out = H(pk’) pk, 𝞽 under pk amount in = 1 BTC amount out = 1 BTC

Saving space is important • Larger transactions mean higher network and storage requirements • Current Bitcoin blockchain is almost 200 GB • Block size is limited • Limits transaction throughput • Smaller transactions can mean higher throughput • Goal: minimize total witness size Input 1 Output 1 Witness using multisignatures Input 2 Output 2 Witness

Multi-Signature Schemes 𝑡𝑙 ( , 𝑞𝑙 ( ← KGen(1 = ) 𝑡𝑙 + , 𝑞𝑙 + ← KGen(1 = ) 𝑡𝑙 * , 𝑞𝑙 * ← KGen(1 = ) Sign 𝑞𝑙 ( , 𝑞𝑙 * , 𝑞𝑙 + , 𝑡𝑙 ( , 𝑛 ↔ Sign 𝑞𝑙 ( , 𝑞𝑙 * , 𝑞𝑙 + , 𝑡𝑙 * , 𝑛 ↔ Sign 𝑞𝑙 ( , 𝑞𝑙 * , 𝑞𝑙 + , 𝑡𝑙 + , 𝑛 σ σ σ • Ver {𝑞𝑙 ( , 𝑞𝑙 * , 𝑞𝑙 + }, σ, 𝑛 = 1/0 • Every signer must agree to signing m • Key aggregation : 𝑏𝑞𝑙 = KAgg({𝑞𝑙 ( , 𝑞𝑙 * , 𝑞𝑙 + }) • Ver 𝑏𝑞𝑙, σ, 𝑛 = 1/0

Recap: Boneh-Lynn-Shacham signatures Let 𝐻 ( = 𝑕 ( , 𝐻 * = 𝑕 * , 𝐻 C = 𝑕 C , with bilinear pairing 𝑓 FG • KGen : 𝑞𝑙 = 𝑕 * • Sign(sk, m) : 𝜏 = 𝐼 𝑛 FG • Verify(pk, σ, m) : 𝑓 𝜏, 𝑕 * = 𝑓(𝐼 𝑛 , 𝑞𝑙)

�� �� Naïve BLS Multi-signatures Let 𝐻 ( = 𝑕 ( , 𝐻 * = 𝑕 * , 𝐻 C = 𝑕 C , with bilinear pairing 𝑓 FG K • KGen : 𝑞𝑙 J = 𝑕 * • KAgg(pk 1 , …, pk n ) : 𝑏𝑞𝑙 = ∏ 𝑞𝑙 J • Sign(pk 1 , …, pk n , sk i , m) : 𝑡 J = 𝐼 𝑛 FG K , 𝜏 = ∏ 𝑡 J • Verify(apk, σ, m) : 𝑓 𝜏, 𝑕 * = 𝑓(𝐼 𝑛 , 𝑏𝑞𝑙) PQ Rogue-Key Attack: Adversary chooses 𝑞𝑙 = N O RG ∗ , Adversary can sign for {𝑞𝑙, 𝑞𝑙 ∗ } by setting 𝜏 = 𝐼 𝑛 FG Can be mitigated using “proofs-of-possession” [RY07]

�� �� New BLS Multi-signatures without PoPs Let 𝐻 ( = 𝑕 ( , 𝐻 * = 𝑕 * , 𝐻 C = 𝑕 C , with bilinear pairing 𝑓 FG K • KGen : 𝑞𝑙 J = 𝑕 * T K • KAgg(pk 1 , …, pk n ) : 𝑏𝑞𝑙 = ∏ 𝑞𝑙 J , with 𝑏 J = 𝐼 ( (𝑞𝑙 J , {𝑞𝑙 ( , … , 𝑞𝑙 V }) T K • Sign(pk 1 , …, pk n , sk i , m) : 𝑡 J = 𝐼 W 𝑛 FG K , 𝜏 = ∏ 𝑡 J • Verify(apk, σ, m) : 𝑓 𝜏, 𝑕 * = 𝑓(𝐼 W 𝑛 , 𝑏𝑞𝑙) Uses trick from [Maxwell-PSW18] Thm: secure multi-signature scheme under co-CDH in ROM

Bitcoin Multisig address Bitcoin with multiple ECDSA signatures Bitcoin using our BLS multi-signatures Witness Input Output Witness Input Output Pointer to Pointer to addr in = H(apk) addr in = H(pk 1 , …, pk n ) amount in = 1 BTC amount in = 1 BTC apk , 𝞽 pk 1 , …, pk n, 𝞽 1 , ..., 𝞽 n 2 group elements 3n group elements

�� �� �� Aggregatable Multi-Signatures Extend multi-signature definition with two additional algorithms • SigAgg({apk i , m i , σ i }): Aggregate a set of multi-signatures into a single object • AggVerify({apk i , m i }, Σ): Verify that the aggregate multi-signature For our BLS multisignature scheme T K • Sign(pk 1 , …, pk n , sk i , m) : 𝑡 J = 𝐼 W 𝑏𝑞𝑙, 𝑛 FG K , 𝜏 = ∏ 𝑡 J • SigAgg({apk i , m i , σ i }): Σ = ∏ 𝜏 J • AggVerify({apk i , m i }, Σ): 𝑓 Σ, 𝑕 * = ∏ 𝑓(𝐼 W 𝑛 J , 𝑏𝑞𝑙 J ) Thm: secure aggregatable multisignature scheme under 𝜔 -co-CDH in ROM

Aggregatable Multi-Signatures in Bitcoin Block of m transactions, each spending from an n -multisig address Bitcoin with multiple ECDSA signatures Bitcoin using aggregatable multi-signatures Input Output Input Output Witness Input Output Input Output Witness Witness m m Input Output Input Output Witness ⋮ ⋮ ⋮ ⋮ ⋮ ⋮ Combined witness contains Combined witness contains 𝑜 ⋅ 𝑛 public keys 𝑛 (aggregate) public keys • • 𝑜 ⋅ 𝑛 signatures 1 aggregate multi-signature • • 1296 KB 216 KB

t -out-of- n wallets • Multi-signatures always require n -out-of- n , what about other policies? • Typical threshold wallets have addr = 𝐼(𝑞𝑙 ( , … , 𝑞𝑙 V , 𝑢) • Need to reveal n keys and t signatures • For small V C , use multi-signatures • Exhaustively list apk of all t-size subsets root apk 1 apk 2 apk 3 apk 4 apk 5 apk 6

Can we handle arbitrary t, n? Yes! Using a new Accountable Subgroup Multi-signature (ASM) • Aggregate public key 𝑏𝑞𝑙 ∈ 𝐻 * • Any subset 𝑇 = [1, 1, 0, … ] can sign in an accountable way • Signature 𝜏 ∈ 𝐻 ( ×𝐻 * • Thm : under 𝜔 -co-CDH in ROM • t-out-of-n Bitcoin transaction • Reveal 𝑏𝑞𝑙 , 𝜏 , 𝑇 • Almost constant: 3 group elements + n bits

�� � Our ASM Scheme Alice Bob Charlie FG f FG O FG g 𝑞𝑙 ( = 𝑕 * 𝑞𝑙 * = 𝑕 * 𝑞𝑙 + = 𝑕 * T K = 𝑕 * TFG Key aggregation: 𝑏𝑞𝑙 = ∏ 𝑞𝑙 J Membership keys: 𝑛𝑙 ( = 𝐼 * 𝑏𝑞𝑙, 1 TFG 𝑛𝑙 * = 𝐼 * 𝑏𝑞𝑙, 2 TFG 𝑛𝑙 + = 𝐼 * 𝑏𝑞𝑙, 3 TFG Sign: 𝑡 ( = 𝐼 W 𝑏𝑞𝑙, 𝑛 FG f ⋅ 𝑛𝑙 ( 𝑡 * = 𝐼 W 𝑏𝑞𝑙, 𝑛 FG O ⋅ 𝑛𝑙 * Combine: (𝑙 = 𝑞𝑙 ( ⋅ 𝑞𝑙 * , 𝑡 = 𝑡 ( ⋅ 𝑡 * ) 3 pairings Verify(apk, S=[1,1,0], (k, s)) : 𝑓 𝑡, 𝑕 ( = 𝑓(∏ 𝐼 * 𝑏𝑞𝑙, 𝑗 , 𝑏𝑞𝑙) ⋅ 𝑓(𝐼 * 𝑏𝑞𝑙, 𝑛 , 𝑙) J∈k

Conclusion • BLS multi-signatures without PoPs • Support key aggregation • Support aggregation of multi-signatures • Accountable Subgroup Multi-signatures • Key aggregation • Any subgroup can create constant size accountable multi-signature • Supports partial aggregation • Schnorr multi-signatures without PoPs • All schemes with PoPs

Thanks! ia.cr/2018/483

Can we handle arbitrary t, n? Yes! Using a new Accountable Subgroup Multi-signature (ASM) • Aggregate public key 𝑏𝑞𝑙 ∈ 𝐻 * • Any subset 𝑇 = [1, 1, 0, … ] can sign in an accountable way • Signature 𝜏 ∈ 𝐻 ( ×𝐻 * • Thm : under 𝜔 -co-CDH in ROM Input Output Witness Pointer to apk, t, 𝞽 , S addr in = H(apk,t) approx. 3 group elements amount in = 1 BTC