On the Security of Two-Round Multi-Signatures · • Smaller signatures • Non-interactive...

On the Security of Two-Round Multi-Signatures Manu Drijvers1, Kasra Edalatnejad2, Bryan Ford2, Eike Kiltz3, Julian Loss3, Gregory Neven1, Igors Stepanovs4

1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD

Multi-signatures

↔

Verify((pk1,pk2,pk3),m,σ)=1

Everysignermustagreetosignm

Goal: shortsignature (preferably≈singlesignature,efficientlyverifiable definitely<<Nsignatures)

(pk1,sk1)←Kg

Sign((pk1,pk2,pk3),sk1,m)→σ

(pk2,sk2)←Kg


(pk3,sk3)←Kg


↔

Multi-signatures

↔

Keyaggregation:apk←KAgg(pk1,pk2,pk3)

Verify(apk,m,σ)=1

Everysignermustagreetosignm

Goal: shortsignature (preferably≈singlesignature,efficientlyverifiable definitely<<Nsignatures)

(pk1,sk1)←Kg


(pk2,sk2)←Kg


(pk3,sk3)←Kg


↔

Applications of multi-signatures •  ImproveBitcointhroughput/reduceblockchainsize

•  ”multisig”transactionsassmallasothertransactions•  Reducesizeofmulti-inputmulti-outputtransactions

• Collectivesigningbyco-thorities(e.g.,CoSi[STV+16])

• Distributedrandombeacons(e.g.,RandHound[SJK+17])

• Blockcertificationinproof-of-stake/permissionedblockchains

•  e.g.,Dfinity,OmniLedger,Ziliqa,Harmony,Algorand,…

Existing multi-signatures

Schnorr signatures

pk=gsk

r←RZqt←gr

c←H(t,m)

s←r+c·skmodqσ←(c,s)

Verification:

c=H(gs·pk-c,m)

Efficient&Provablysecure•  underdiscrete-logassumption•  intherandom-oraclemodel:

modelhashfunctionasidealrandomfunction

“Plain” Schnorr multi-signatures

↔

pk1=gsk1

r1←RZqt1←gr1

t←t1·t2·t3c←H(t,m)

s1←r1+c·sk1modq

s←s1+s2+s3modqσ←(c,s)

pk2=gsk2

r2←RZqt2←gr2


s2←r2+c·sk2modq


pk3=gsk3

r3←RZqt3←gr3


s3←r3+c·sk3modq


↔

↔

↔

apk←pk1·pk2·pk3Checkc=H(gs·apk-c,m)

Problem 1: Rogue-key attacks

pk1=gsk1 pk2=gsk2/pk1

apk=pk1·pk2=gsk2

cancomputesignaturesunderapkbyhimself!

Knownremedies:• Per-signerchallenges[BN06]• Proofsofpossessionaddedtopk[RY07,BCJ08]• MuSigkeyaggregation:apk←ΠpkiH(pki,{pk1,…,pkN}[MPSW18]

Problem 2: Signature simulation

pk1

c,s1←RZqt1←gs1pk1-c

t←t1·t2c←H(t,m)

pk2

←t2StandardSchnorrprooftechniquedoesnotwork

(cannotprogramrandomoracle,becauseadversaryknowstbeforesimulatordoes)

→t1

Multi-signatures from discrete logarithms Scheme Rounds Roguekeys Signaturesimulation

BN[BN06] 3 per-signerchallenges preliminaryroundH(ti) BCJ - 1[BCJ08] 2 per-signerchallenges homomorphicequivocable(HE)

commitments BCJ - 2[BCJ08] 2 proofsofpossession

MWLD[MWLD10] 2 per - signerchallenges witness-indinstinguishablekeys CoSi [STV+16] 2 proofsofpossession (nosecurityproof) MuSig - 1[MPSW18a] 2 MuSig keyaggregation DLoracleinone-moreDLassumption

mBCJ [thiswork] 2 proofsofpossession per-messageHEcommitments BDN-DL,MuSig-2 [BDN18,MPSW19]

3 MuSig keyaggregation preliminaryroundH(ti)

BDN-DLpop[BDN18] 3 proofsofpossession preliminaryroundH(ti) BLS[Bol03,RY07] 1 proofsofpossession

BDN-P[BDN18] 1 MuSigkeyaggregation pairingspairings

Attacks and non-provability

Wagner’s generalized birthday attack [W02] k-sumprobleminZq:GivenklistsofrandomelementsinZqFind(c1,…,ck)inlistssuchthatc1+…+ck=0modq

Subexponentialsolution:Solvedfork=2√nintimeO(22√n)wheren=|q|.

c1

…

List1

c2

…

List2

ck …

Listk…

Application to “plain” Schnorr and CoSi

…

H(*,m)

H(*,m)

H(*,m)

…

H(*,m)

H(*,m)

H(*,m)

…

-H(t*,m1)

-H(t*,m2)

-H(t*,mL)

…

t1←gr1 tk-1←grk-1 t*←t1·…·tk-1

c1+…+ck-1=c*

•  skonlyappearsinsignatureins=r+c*sk,withc=H(gr,m)•  Ifwehavesignatureswithc1+…+ck-1=H(t*,m),wecan

forgeasignatureonm*!

Attacks on two-round multi-signature schemes • Attackappliestoallpreviously*knowntwo-roundschemes

•  BCJ-1andBCJ-2•  MWLD•  CoSi•  MuSig-1

•  Sub-exponentialbutpractical(for256-bitq)•  15parallelsigningqueries:262steps•  127parallelsigningqueries:245steps

• Preventedbyincreasing|q|…anyhopeforprovable(asymptotic)security?

*beforefirstversionofthispaper

Non-provability of two-round schemes Theorem:One-morediscretelogarithmproblemishard

BCJ/MWLD/CoSi/MuSig-1cannotbeprovedsecure

underone-morediscretelogarithm(throughalgebraicblack-boxreductionsinrandom-oraclemodel)

Essentiallyexcludesallknownprooftechniques(includingrewinding)

underlikelyassumptions.

SubtleflawsinproofsofBCJ/MWLD/MuSig-1(CoSiwasneverprovedsecure)

⇒

Secure schemes

Modified BCJ multi-signature •  2round,secureunderdiscretelogarithm,sameefficiencyasBCJ•  Largescaledeployment:

•  16,384signersgeneratesignaturewithin2seconds•  20%bandwidth,75%computationincreasecomparedtoCoSi(plainschnorr)

Other secure schemes •  Three-roundscheme[BDN18,MPSW19]

•  Secureunderdiscrete-logassumption

• Non-interactiveschemefromBLS[BLS01,Bol03,RY07,BDN18]

•  Smallersignatures•  Non-interactiveaggregation•  Requiresbilinearpairings

Lessons learned

Lessons learned • Cryptographicschemesneedsecurityproofs

•  Don’tdropstepsthatlooklikethey’re“justtomaketheproofwork”

•  Securityproofsmustbereviewed•  Proofscanbesubtle,especiallywithrewindingarguments•  Toolsupportforcheckingproofs?

• Provablesecurityisnotperfect,butbesttoolwehave

Thank you!

ia.cr/2018/417

References [BN06]Bellare,Neven:Multi-signaturesintheplainpublic-Keymodelandageneralforkinglemma.CCS2006

[BCJ08]Bagherzandi,Cheon,Jarecki:Multisignaturessecureunderthediscretelogarithmassumptionandageneralizedforkinglemma.CCS2008

[MWLD10]Ma,Weng,Li,Deng:Efficientdiscretelogarithmbasedmulti-signatureschemeintheplainpublickeymodel.Design,CodesandCryptography2010

[STV+16]Sytaetal.:KeepingAuthorities"HonestorBust"withDecentralizedWitnessCosigning.IEEES&P2016

[MPSW18a]Maxwell,Poelstra,Soerin,Wuille:SimpleSchnorrMulti-SignatureswithApplicationstoBitcoin.ePrintreport/2018/068/20180118:124757

[MPSW19]Maxwell,Poelstra,Soerin,Wuille:SimpleSchnorrMulti-SignatureswithApplicationstoBitcoin.Design,CodesandCryptography2019

[BDN18]Boneh,Drijvers,Neven:CompactMulti-signaturesforSmallerBlockchains.ASIACRYPT2018

[RY07]Ristenpart,Yilek:ThePowerofProofs-of-Possession:SecuringMultipartySignaturesagainstRogue-KeyAttacks.EUROCRYPT2007

Modified BCJ multi-signatures

(g2,h1,h2)← H'(m)r,α1,α2←RZqti,1←g1α1h1α2

ti,2←g2α1h2α2g1rt1←Πti,1;t2←Πti,2c←H(t1,t2,Πpki,m)

si←r+c·ski+Σsimodqs←Σsimodq

α1←Σαi,1modqα2←Σαi,2modqσ←(t1,t2,s,α1,α2)

pki=gski+PoP

ti,1,ti,2

si,αi,1,αi,2

KAgg:CheckPoPs,apk←Πpki

Verify:c←H(t1,t2,apk,m)Checkt1=g1α1h1α2

andt2=g2α1h2α2g1sapk-c

EfficiencySign:1mexp2+1mexp3plainSchnorr:1expVerify:3mexp2

plainSchnorr:1mexp2Signaturesize:160BplainSchnorr:64B


Queryonm1

r1←RZqt1←gr1

c1←H(t1,m1)s1←r1+c1·skσ1←(c1,s1)

Queryonm2

r2←RZqt2←gr2

c2←H(t2,m2)s2←r2+c2·skσ2←(c2,s2)

Forgeryonm3

t3←t1·t2

c3←H(t3,m3)suchthatc3=c1+c2s3←s1+s2σ3←(c3,s3)

Lessons learned • Provablesecurity!• Reviewsecurityproofs!

• Proofscanbesubtle,especiallyforking•  Toolsupportforcheckingproofs?• Don’tdropstepsthatlooklikethey’re“justtomaketheproofwork”

• Provablesecurityisnotperfect,butbesttoolwehave

• Provablesecurity!🤔• Reviewsecurityproofs!🤔


s1←r1+c1·sk*modq

t*←t1·…·tk-1

s*←s1+…+sk-1modq

sk-1←rk-1+ck-1·sk*modq

…

H(*,m)

H(*,m)

H(*,m)

…

H(*,m)

H(*,m)

H(*,m)

…

-H(t*,m1)

-H(t*,m2)

-H(t*,mL)

…

gs*=gΣsi=gΣri+Σci·sk*=Πti·pk*c*=t·pk*c*

t1←gr1 tk-1←grk-1 t*←t1·…·tk-1

c1+…+ck-1=c*modq

pk*=gsk*

Multi-signatures from discrete logarithms Scheme Rounds RogueKeys Signaturesimulation

BN[BN06] 3 per-signerchallenges preliminaryroundH(ti)

BCJ-1[BCJ08] 2 per-signerchallenges homomorphicequivocable(HE)com.

BCJ-2[BCJ08] 2 proofsofpossession homomorphicequivocable(HE)com.

MWLD[MWLD10] 2 per-signerchallenges witnessindistinguishablekeys

CoSi[STV+16] 2 proofsofpossession (nosecurityproof)

MuSig1[MPSW18] 2 MuSigkeyaggregation DLoracleinone-moreDLassumption

mBCJ(thiswork) 2 proofsofpossession per-messageHEcommitments

BDN-DL,MuSig2[BDN18,MPSW19]

3 MuSigkeyaggregation preliminaryroundH(ti)

BDN-DLpop[BDN18] 3 proofsofpossession preliminaryroundH(ti)

BLS-PoP[RY07] 1 proofsofpossession pairings

BDN-P[BDN18] 1 MuSigkeyaggregation pairings

On the Security of Two-Round Multi-Signatures · • Smaller signatures • Non-interactive...

Documents

Transcript of On the Security of Two-Round Multi-Signatures · • Smaller signatures • Non-interactive...