efficiency and privacy improvements for bitcoin with
play

Efficiency and Privacy Improvements for Bitcoin with Schnorr - PowerPoint PPT Presentation

Nov 25, 2023 •106 likes •1.82k views

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

  1. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  2. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  3. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 . . . m q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  4. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security sk A pk A m 1 σ 1 . . . m q σ q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  5. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  6. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  7. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  8. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Signature scheme: security pk A pk A m 1 σ 1 . . . m q ( m ∗ , σ ∗ ) σ q m ∗ � = m 1 , . . . , m q Ver ( pk A , m ∗ , σ ∗ ) = 1 • “gold” security notion: Existential Unforgeability against Chosen Message Attacks (EUF-CMA) • strong-EUF-CMA: ( m ∗ , σ ∗ ) � = ( m 1 , σ 1 ) , . . . , ( m q , σ q ) • strong-EUF-CMA ⇔ EUF-CMA + non-malleability Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 9 / 43

  9. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  10. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  11. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Algorithm solving P P instance solution pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  12. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Provable security • security proof = proving that breaking a cryptosystem is at least as hard as solving a hard problem P (factoring, discrete log, etc.) • one assumes there exists an algorithm A breaking the cryptosystem • one builds an algorithm solving P using A as an oracle • also called reduction (solving P is reduced to breaking the cryptosystem) Algorithm solving P P instance solution pk ( m ∗ , σ ∗ ) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 10 / 43

  13. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (1/2) Abelian group An abelian group is a set G with a binary operation + : G × G → G such that the following holds: • (associativity): ∀ A , B , C ∈ G , ( A + B ) + C = A + ( B + C ) • (identity element): ∃ E ∈ G such that E + A = A + E = A for all A ∈ G • (inverse): ∀ A ∈ G , ∃ B ∈ G such that A + B = B + A = E • (commutativity): ∀ A , B ∈ G , A + B = B + A Notation: for n ∈ N , nA = A + · · · + A (with 0 A = E ) � �� � n times Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 11 / 43

  14. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (2/2) Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 12 / 43

  15. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Mathematical background (2/2) Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 12 / 43

  16. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr authentication protocol [Sch89, Sch91] Public parameters: a cyclic group G of prime order p , a generator G of G � sk Alice = x ← $ Z p pk Alice = X pk Alice = xG = X R r ← $ Z p , R = rG c c ← $ Z p s s = r + cx mod p ? Check sG = R + cX Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 13 / 43

  17. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr’s protocol is a “proof of knowledge” Theorem Schnorr’s protocol is secure against impersonation under the discrete logarithm assumption. Proof. • assume there exists an attacker A which is able to authenticate with good probability • we run A on public key X : it sends R = rG , we answer with c 1 , and A returns the correct answer s 1 = r + c 1 x mod p • we rewind A and run it again: it sends R = rG , we answer with c 2 � = c 1 , and A returns the correct answer s 2 = r + c 2 x mod p • we compute x = ( s 1 − s 2 )( c 1 − c 2 ) − 1 mod p Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 14 / 43

  18. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  19. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  20. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  21. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  22. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  23. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  24. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  25. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  26. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion The Fiat-Shamir transform [FS86] • it is easy to obtain a valid transcript ( R , c , s ) without knowledge of the secret key x by computing “backwards”: • choose s ← $ Z p • choose c ← $ Z p • compute R = sG − cX • what convinces Bob is that he knows that c was chosen after R was committed by Alice • how could we make the protocol non-interactive? • answer: replace the verifier (Bob) by a hash function H • Alice computes the challenge by herself as c = H ( X , R ) • assuming H “behaves randomly”, this can be proved secure (random oracle model) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 15 / 43

  27. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  28. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  29. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  30. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  31. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 16 / 43

  32. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  33. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  34. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  35. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  36. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Public key-prefixing and BIP 32 (HD wallets) • Schnorr signatures usually don’t include the public key in the hash, i.e., the challenge is c = H ( R , m ) rather than c = H ( X , R , m ) • Schnorr signatures without key-prefixing are secure in the strong-EUF-CMA model • BIP 32 (Hierarchical Deterministic wallets) allows to generate child key pairs from a master key pair ( x , X = xG ) as x i = x + H ′ ( i , X ) mod p , X i = X + H ′ ( i , X ) G • without key-prefixing, any signature ( R , s ) valid under X can be turned into a valid signature for X i : since c = H ( R , m ), sG = R + cX ⇒ ( s + cH ′ ( i , X )) G = R + cX i • key-prefixing avoids this problem Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 17 / 43

  37. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  38. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  39. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  40. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Generic” DSA signatures • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • a “conversion” function f : G → Z p • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = f ( R ) and s = r − 1 ( H ( m ) + cx ) mod p • output σ = ( c , s ) • verification: on input X , m and σ = ( c , s ), • compute u = H ( m ) s − 1 mod p , v = cs − 1 mod p , and R = uG + vX ? • check whether f ( R ) = c Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 18 / 43

  41. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  42. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  43. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  44. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion (EC)DSA signatures DSA and ECDSA are instantiations of the “generic” DSA scheme: • for DSA: • G = cyclic subgroup of prime order p of Z ∗ q for some large prime q ( | q | ≥ 3072 bits) • conversion function: f ( X ) = X mod p • for ECDSA: • G = cyclic subgroup of prime order p of an elliptic curve group over some finite field ( F q for q prime or q = 2 n ) • for q prime, group elements are pairs of integers ( x , y ) ∈ F 2 q satisfying the curve equation E : y 2 = x 3 + ax + b • conversion function: f ( X ) = x mod p where X = ( x , y ) • Bitcoin uses curve secp256k1 [SEC10] (not a NIST curve!) (Standards for Efficient Cryptography, Koblitz curve over prime field F q where q = 2 256 − 2 32 − 977, a = 0, b = 7) • Schnorr can be based on any group where DL is hard, in part. on any secure elliptic curve group (Ed25519 [BDL + 11]?) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 19 / 43

  45. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  46. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  47. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  48. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  49. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  50. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  51. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion ECDSA signature malleability • ECDSA is not strongly EUF-CMA • given a valid signature ( c , s ) for message m , it is possible to “maul” a different signature which is also valid, namely ( c , − s mod p ) • verification equations: ( c , s ) ( c , − s ) u = H ( m ) s − 1 mod p u ′ = − H ( m ) s − 1 mod p = − u v = cs − 1 mod p v ′ = − cs − 1 mod p = − v R ′ = − uG − vX = − R R = uG + vX f ( R ) ? f ( − R ) ? = c = c • verification succeeds in both cases because: • if R = ( x , y ) then − R = ( x , − y mod q ) • f only depends on the first coordinate: f ( x , y ) = x mod p • fixed by requiring a canonical “low- s ” encoding (Bitcoin PR #6769) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 20 / 43

  52. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  53. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  54. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  55. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  56. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  57. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  58. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  59. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  60. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  61. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA • Schnorr security: • Schnorr signatures have a security proof under the Discrete Logarithm assumption in the Random Oracle Model for H [PS96] • no known attacks against Schnorr based on H collisions • ECDSA security: • security analysis of (EC)DSA is much more brittle [Bro05] (uses generic group model, proves non-malleability!) • the conversion function f in ECDSA is too “simple” to be realistically modeled as a random oracle • collisions on H directly give forgery attacks • efficiency: • Schnorr signatures verification slightly more efficient • Schnorr allows efficient batch verification Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 21 / 43

  62. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA: Summary Schnorr: σ = ( R , s ) ECDSA: σ = ( c , s ) � � ? ? H ( m ) s − 1 G + cs − 1 X sG = R + H ( R , m ) X f = c Ver Fiat-Shamir � × sec. proof � × H 2nd preimage collision non-mall. � × batch ver. � × Reminder: • computing two signatures with the same r leaks the private key! • even minor weaknesses in the generation of r can leak the private key after a few hundreds of signatures [NS03] • practical attacks (Sony PlayStation 3 hack, Android RNG) • solution: derandomization (RFC 6979) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 22 / 43

  63. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Schnorr versus ECDSA: Summary Schnorr: σ = ( R , s ) ECDSA: σ = ( c , s ) � � ? ? H ( m ) s − 1 G + cs − 1 X sG = R + H ( R , m ) X f = c Ver Fiat-Shamir � × sec. proof � × H 2nd preimage collision non-mall. � × batch ver. � × Reminder: • computing two signatures with the same r leaks the private key! • even minor weaknesses in the generation of r can leak the private key after a few hundreds of signatures [NS03] • practical attacks (Sony PlayStation 3 hack, Android RNG) • solution: derandomization (RFC 6979) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 22 / 43

  64. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Outline Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 23 / 43

  65. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  66. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  67. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  68. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  69. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion What is a multi-signature protocol? • assume n signers with public keys { pk 1 , . . . , pk n } want to sign the same message (e.g., spending from an n -of- n multisig address) • trivial solution: compute one signature for each pk i and output Σ = ( σ 1 , . . . , σ n ) • problem: the length of Σ grows linearly with the number of signers. Can we do better? (Ideally, the size of the “multi-signature” should be independent from the number of signers) • well-studied problem in cryptography originally tackled in [IN83] • hard to achieve for ECDSA due to its complex algebraic structure (modular division) Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 24 / 43

  70. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  71. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  72. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  73. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  74. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  75. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  76. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  77. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  78. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  79. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  80. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion “Naive” Schnorr multi-signatures • Alice’s public key X 1 = x 1 G , Bob’s public key X 2 = x 2 G • signature protocol: • Alice draws R 1 = r 1 G , Bob draws R 2 = r 2 G • they both compute R = R 1 + R 2 = ( r 1 + r 2 ) G • they both compute c = H ( X 1 , X 2 , R , m ) • Alice computes s 1 = r 1 + cx 1 mod p • Bob computes s 2 = r 2 + cx 2 mod p • they both compute s = s 1 + s 2 mod p = ( r 1 + r 2 )+ c ( x 1 + x 2 ) mod p • the multi-signature is σ = ( R , s ) • verification: a multi-signature σ = ( R , s ) is valid if sG = R + c ( X 1 + X 2 ) where c = H ( X 1 , X 2 , R , m ) � �� � aggregated key � X • can be generalized to n > 2 signers Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 25 / 43

  81. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  82. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  83. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

  84. Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Wait! Rogue-key attacks • assume that signers can claim whatever public key they want (plain public key model) • Bob knows Alice’s public key X 1 • he can “choose” public key X 2 = x ′ G − X 1 • Bob can forge a valid multi-signature ( R , s ) on his own with x ′ : sG = R + H ( X 1 , X 2 , R , m ) ( X 1 + X 2 ) = ( r + cx ′ ) G � �� � � �� � c x ′ G • note that Bob does not know the private key for X 2 = ( x ′ − x 1 ) G • this can thwarted using a key setup procedure [MOR01] or by requiring signers to prove knowledge of their private key (with a zero-knowledge proof) [RY07] Y. Seurin (ANSSI) Schnorr Signatures for Bitcoin 14/03/2018 — Cryptofinance 26 / 43

Recommend

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Privacy : Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher Independent investigative journalist Research focus: Bitcoin / cryptocurrencies, information security, privacy, surveillance, and

1.3k views • 85 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's

Zerocash: addressing Bitcoin's privacy problem Alessandro Chiesa UC Berkeley 1 Bitcoin's Privacy Problem 2 Would you like a new credit card? You will pay almost no fees! Sure! Any fine print? We will publicly broadcast every payment that

473 views • 34 slides
On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan

On the Privacy Provisions of Bloom Filters in Lightweight Bitcoin Clients Arthur Gervais, Ghassan O. Karame, Damian Gruber, Srdjan apkun ETH Zurich, NEC Research ACSAC 2014 Bitcoin Bitcoin Peer-to-peer decentralized currency

1.06k views • 74 slides
Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio

Privacy-Enhancing Overlays in Bitcoin Sarah Meiklejohn (University College London) Claudio Orlandi (Aarhus University) 1 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin 2 Anonymity in Bitcoin

1.23k views • 90 slides
Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in

Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy in Bitcoin On the Effectiveness of Clustering Jonas Nick March 15, 2016 Privacy in Bitcoin Jonas Nick 1/34 Bitcoin Clustering P2P wallet leak Analysis Conclusion Privacy

1.22k views • 96 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016

Provisions Privacy-preserving proofs of solvency for Bitcoin exchanges Real World Crypto 2016 eprint.iacr.org/2015/1008.pdf github.com/bbuenz/provisions Jeremy Clark Dan Boneh Gaby Dagher Benedikt Bnz Joseph Bonneau Many users use Bitcoin

768 views • 28 slides
Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency

Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency

Efficiency and Growth T. Gutowski 2.83 and 2.813 1 Efficiency and Growth Can efficiency improvements out run growth? Historical review of 10 activities including materials and electricity production and consumer services (Dahmus &

647 views • 62 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum

Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum

Heat of the Moment: Heating Improvements and Support from Efficiency Maine E2Tech Forum September 12, 2014 Portland, Maine Michael D. Stoddard Executive Director Efficiency Maine Trust The Efficiency Maine Trust The independent

374 views • 22 slides
Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE Augmenting Nature by Green

Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE Augmenting Nature by Green

THIS PRESENTATION WAS SHARED BY Mr. Abdullah Nisar Siddiqui Technical Expert, IGEN-EERB, GIZ FOR THE SESSION: Policy Implementation and Enforcement DURING ANGAN 2019 Energy Efficiency improvements in Commercial Buildings UNDP-GEF-BEE

1.18k views • 52 slides
Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli

Current state and the future of wallets Building On Bitcoin 3th of July 2018 dev@ jonasschnelli .ch PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D Privacy Security Trust Privacy Transaction / scripts privacy Security Trust No-trust

700 views • 43 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating

take a closer look Encana Oil & Gas (USA) Inc. Facility Efficiency Improvements Justin Lisowski | Rotating Equipment Engineer Tom Ripper | Facilities Operations Coordinator CIEC Networking Event | October 05 | 2012 Future oriented

577 views • 22 slides
Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed Computing Group www.disco.ethz.ch What is Bitcoin? What is Bitcoin? + What is Bitcoin? = + Whats it worth? USD / Bitcoin exchange price 300

752 views • 48 slides
Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Cryptocurrency Technologies Bitcoin Mining Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption & Ecology Mining Pools Mining Incentives and Strategies Recap: Bitcoin Miners Bitcoin depends on

821 views • 35 slides
Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers are not trusted: may be greedy or corrupt Each peer knows about all bitcoins and transactions Transaction (sender -> receiver): sender

958 views • 23 slides
Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers Joseph Bonneau CITP, Princeton Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten Part I: Bitcoin in 6 easy steps

752 views • 32 slides
Todays Building Infrastructure Needs and the Efficiency Improvements Of Tomorrow John Maso

Todays Building Infrastructure Needs and the Efficiency Improvements Of Tomorrow John Maso

Wayne Township Public Schools Todays Building Infrastructure Needs and the Efficiency Improvements Of Tomorrow John Maso Director of Facilities October 2014 1 Our buildings require a certain amount of key internal and external

490 views • 20 slides
Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Accelerating Energy-Efficiency Improvements in Room Air Conditioners in India: Potential,

Accelerating Energy-Efficiency Improvements in Room Air Conditioners in India: Potential,

Accelerating Energy-Efficiency Improvements in Room Air Conditioners in India: Potential, Costs-Benefits, and Policies Nikit Abhyankar Nihar Shah Won Young Park Amol Phadke Lawrence Berkeley National Laboratory April 2017 This work was

488 views • 23 slides
Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak

Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak

Blockchain, GDPR & cryptography zkSNARKs for scaling and privacy. Alexandre Poltorak Blockchain, Sustainable Development and Privacy 26-27 November 2019 Berlin, Germany The problem with GDPR and blockchains : Bitcoin & Privacy

395 views • 7 slides

More recommend