1. Introduction

The Blockstream team's 2018 paper "Simple Schnorr Multi-Signatures with Applications to Bitcoin".
Corresponding code implementations:
https://github.com/KZen-networks/multi-party-schnorr
https://github.com/lovesh/signature-schemes

Key points of the paper:

  • MuSig is a new Schnorr-based multi-signature scheme: a group of signers jointly sign the same message, and the resulting signature must be short.
  • The MuSig scheme is secure in the plain public-key model: signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certificate authority or to other signers before engaging the protocol.
  • The main advantages of MuSig are:
    1) Simple and efficient, with the same key size and signature size as a standard Schnorr signature.
    2) Supports key aggregation: the final joint signature can be verified in much the same way as a standard signature, using a single "aggregated" public key that can be computed from the individual public keys of the signers.
  • It proposes a simple (yet non black-box) way to turn the BN multi-signature scheme into a secure IAS scheme.

1.1 What is a Multi-Signature?

Itakura and Nakamura's 1983 paper "A public-key cryptosystem suitable for digital multisignatures" first proposed the concept of a multi-signature:
Allow a group of signers (each possessing its own private/public key pair) to produce a single signature $\sigma$ on a message $m$.
Verification of the validity of a purported signature $\sigma$ can be publicly performed given the message and the set of public keys of all signers.

The naive approach uses standard signatures: each signer signs the message $m$ with its own private key, and all the individual signatures are concatenated. The problem is that the resulting signature is far too long, growing linearly with the number of signers.

A multi-signature requires the final signature length to be independent of the number of signers and as close as possible to the length of a standard signature.

1.2 Rogue-key attacks on multi-signatures

For rogue-key attacks, see Section 2.2.2 of the blog post ECDSA VS Schnorr signature VS BLS signature.

Ways to avoid rogue-key attacks include:

  • Requiring signers to prove knowledge of the secret key during public key registration with a certification authority, i.e., the knowledge of secret key (KOSK) assumption. This approach has its own problems; see [BN06, RY07] for details.

1.3 What is key aggregation?

Key aggregation means deriving a single aggregated key from the public keys of all signers participating in the multi-signature; the multi-signature can then be verified against that aggregated key alone.
The benefits of key aggregation are:

  • A group of $n$ signers want to authorize an action (say, spend some bitcoins) only if all of them agree, but do not necessarily wish to reveal their individual public keys. Then, they can privately compute the aggregated key $\tilde{X}$ corresponding to their multiset of public keys and publish it as an ordinary (non-aggregated) key. Signers are ensured that all of them will need to cooperate to produce a signature which is valid under $\tilde{X}$, whereas verifiers will not even learn that $\tilde{X}$ is in fact an aggregated key.
  • The aggregated key can also be computed directly by any third party who knows all the public keys (e.g., someone sending bitcoins to the group of signers).

1.5 Comparison of DL-based multi-signature schemes

[BCJ08] (the 2008 paper "Multisignatures Secure Under the Discrete Logarithm Assumption and a Generalized Forking Lemma") uses a homomorphic commitment scheme to reduce the number of rounds from 3 to 2, at the cost of a longer signature and a higher computational cost for both signing and verification. It does not support key aggregation.
[MWLD10] (the 2010 paper "Efficient discrete logarithm based multi-signature scheme in the plain public key model") builds on Okamoto's signature scheme and a double-hashing technique (combining hashes, rather than multiplying the outputs of two hash computations); it keeps the round count at 2 while producing shorter signatures than [BCJ08]. It does not support key aggregation.

1.6 Interactive aggregate signatures

This differs from a multi-signature, where multiple signers sign the same message $m$.
When each signer has its own message $m_i$, and the joint signature proves that the $i$-th signer has signed $m_i$, the scheme is called an interactive aggregate signature (IAS) scheme.

IAS schemes are more general than multi-signature schemes, but less flexible than non-interactive aggregate signatures [BGLS03, BNN07] and sequential aggregate signatures [LMRS04].
[BN06] points out a generic (i.e., black-box) way to turn any multi-signature scheme into an IAS scheme:
the signers simply run the multi-signature protocol using as message the tuple of all public key/message pairs involved in the IAS protocol.

1.7 Advantages of MuSig

See the blog post ECDSA VS Schnorr signature VS BLS signature for details.
Compared with the ECDSA signature scheme currently used by Bitcoin, Schnorr-based MuSig has the following two advantages:

  • The availability of key aggregation removes the need for verifiers to see all the involved keys, improving bandwidth, privacy, and validation cost.
  • Security under the plain public-key model enables multi-signatures across multiple inputs of a transaction, where the choice of signers cannot be committed to in advance. This greatly increases the number of situations in which multi-signatures are beneficial.

2. The MuSig multi-signature scheme

2.1 Security assumptions for MuSig

Let $\mathbb{G}$ be a cyclic group of order $p$, where $p$ is a $k$-bit integer, and let $g$ be a generator of $\mathbb{G}$. $(\mathbb{G}, p, g)$ are called the group parameters.

The security requirement is: it is infeasible to forge multi-signatures involving at least one honest signer.

2.1.1 Discrete Logarithm (DL) problem

2.1.2 Generalized Forking Lemma

2.2 MuSig algorithms

The scheme consists of three algorithms: KeyGen, Sign and Ver.
The output of the setup phase must be efficiently checkable, so that no trusted third party is needed to run it.

  • KeyGen: each signer generates a key pair $(x, X = g^x)$.
  • Sign: given the message $m$ to be signed and the public keys of all signers $L=\{X_1,\cdots,X_n\}$, each signer computes $a_i=H_{agg}(L,X_i)$ for $i\in\{1,\cdots,n\}$ and then the aggregated public key $\tilde{X}=\prod_{i=1}^{n}X_i^{a_i}$. Signer 1 picks a random $r_1\leftarrow \mathbb{Z}_p$, computes $R_1=g^{r_1}$ and $t_1=H_{com}(R_1)$, and sends $t_1$ to all other signers. Once it has received $t_2,\cdots,t_n$ from the other signers, it sends $R_1$ to all other signers. Once it has received $R_2,\cdots,R_n$ from the other signers, it checks that $t_i=H_{com}(R_i)$ holds for all $i\in\{2,\cdots,n\}$; if not, it aborts, otherwise it computes $R=\prod_{i=1}^{n}R_i$, $c=H_{sig}(\tilde{X},R,m)$ and $s_1=r_1+ca_1x_1 \bmod p$, and sends $s_1$ to all other signers. Once it has received all the partial signatures $s_2,\cdots,s_n$, it computes $s=\sum_{i=1}^{n}s_i \bmod p$; the final signature is $\sigma=(R,s)$.
  • Ver: given $L=\{X_1,\cdots,X_n\}$, $m$ and $\sigma=(R,s)$, the verifier computes $a_i=H_{agg}(L,X_i)$, $\tilde{X}=\prod_{i=1}^{n}X_i^{a_i}$ and $c=H_{sig}(\tilde{X},R,m)$, and checks whether $g^s=R\prod_{i=1}^{n}X_i^{a_ic}=R\tilde{X}^c$ holds; if it does, the signature is valid.
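The three algorithms above, together with the key aggregation of Section 1.3, as an added example in Python that is not code from the paper or from either linked repository. It runs all $n$ signers locally over secp256k1 (the curve Bitcoin uses), writing the paper's multiplicative group additively; the hash encoding, the domain-separation tags and the treatment of $L$ as an ordered list are simplifications of my own.

```python
import hashlib
import secrets
from functools import reduce
# secp256k1 (the curve Bitcoin uses); the paper's multiplicative group is written additively
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):                          # group law; None is the point at infinity
    if A is None or B is None: return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if A == B else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, A):                          # g^k in the paper's notation (double-and-add)
    R = None
    while k:
        if k & 1: R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def H(tag, *parts):                        # H_agg / H_sig / H_com, domain-separated by tag
    data = tag.encode() + repr(parts).encode()   # constructed encoding, not a standard one
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N
def keygen():                              # KeyGen: (x, X = g^x)
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def agg_key(L):                            # X~ = prod X_i^{a_i} with a_i = H_agg(L, X_i); L ordered here
    return reduce(ec_add, (ec_mul(H("agg", L, Xi), Xi) for Xi in L))

def musig_sign(keys, m):                   # Sign: all n signers simulated locally, rounds marked
    L = [X for _, X in keys]
    r = [secrets.randbelow(N - 1) + 1 for _ in keys]   # fresh nonce per signer, per signature
    Rs = [ec_mul(ri, G) for ri in r]
    t = [H("com", Ri) for Ri in Rs]                    # round 1: broadcast t_i = H_com(R_i)
    if any(H("com", Ri) != ti for Ri, ti in zip(Rs, t)):  # round 2: open R_i, check every t_i
        raise ValueError("commitment mismatch, abort")
    R = reduce(ec_add, Rs)
    c = H("sig", agg_key(L), R, m)
    s = sum(ri + c * H("agg", L, X) * x for ri, (x, X) in zip(r, keys)) % N  # round 3: s_i, s
    return R, s

def musig_verify(L, m, sig):               # Ver: g^s == R * X~^c
    R, s = sig
    X_agg = agg_key(L)
    return ec_mul(s, G) == ec_add(R, ec_mul(H("sig", X_agg, R, m), X_agg))
```

The verifier only ever touches `agg_key(L)`, which is what lets the group publish $\tilde{X}$ as if it were an ordinary single key.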

Note that the nonce $r_i$ in MuSig must be a strong random number; it cannot be a deterministic value in the style of RFC 6979 ($f(x_i, m)$), and a different random value must be used in every signing session, otherwise the private key leaks. The detailed process is as follows:

2.3 MuSig security proof

MuSig uses three hash functions: $H_{com}$, $H_{agg}$ and $H_{sig}$.

See the proof in Chapter 4 of the paper for details.
