on the security of two-round multi-signatures · • smaller signatures • non-interactive...
TRANSCRIPT
On the Security of Two-Round Multi-Signatures Manu Drijvers1, Kasra Edalatnejad2, Bryan Ford2, Eike Kiltz3, Julian Loss3, Gregory Neven1, Igors Stepanovs4
1 DFINITY, 2 EPFL , 3 Ruhr-University Bochum, 4 UCSD
Multi-signatures
↔
Verify((pk1,pk2,pk3),m,σ)=1
Everysignermustagreetosignm
Goal: shortsignature (preferably≈singlesignature,efficientlyverifiable definitely<<Nsignatures)
(pk1,sk1)←Kg
Sign((pk1,pk2,pk3),sk1,m)→σ
(pk2,sk2)←Kg
Sign((pk1,pk2,pk3),sk2,m)→σ
(pk3,sk3)←Kg
Sign((pk1,pk2,pk3),sk3,m)→σ
↔
Multi-signatures
↔
Keyaggregation:apk←KAgg(pk1,pk2,pk3)
Verify(apk,m,σ)=1
Everysignermustagreetosignm
Goal: shortsignature (preferably≈singlesignature,efficientlyverifiable definitely<<Nsignatures)
(pk1,sk1)←Kg
Sign((pk1,pk2,pk3),sk1,m)→σ
(pk2,sk2)←Kg
Sign((pk1,pk2,pk3),sk2,m)→σ
(pk3,sk3)←Kg
Sign((pk1,pk2,pk3),sk3,m)→σ
↔
Applications of multi-signatures • ImproveBitcointhroughput/reduceblockchainsize
• ”multisig”transactionsassmallasothertransactions• Reducesizeofmulti-inputmulti-outputtransactions
• Collectivesigningbyco-thorities(e.g.,CoSi[STV+16])
• Distributedrandombeacons(e.g.,RandHound[SJK+17])
• Blockcertificationinproof-of-stake/permissionedblockchains
• e.g.,Dfinity,OmniLedger,Ziliqa,Harmony,Algorand,…
Existing multi-signatures
Schnorr signatures
pk=gsk
r←RZqt←gr
c←H(t,m)
s←r+c·skmodqσ←(c,s)
Verification:
c=H(gs·pk-c,m)
Efficient&Provablysecure• underdiscrete-logassumption• intherandom-oraclemodel:
modelhashfunctionasidealrandomfunction
“Plain” Schnorr multi-signatures
↔
pk1=gsk1
r1←RZqt1←gr1
t←t1·t2·t3c←H(t,m)
s1←r1+c·sk1modq
s←s1+s2+s3modqσ←(c,s)
pk2=gsk2
r2←RZqt2←gr2
t←t1·t2·t3c←H(t,m)
s2←r2+c·sk2modq
s←s1+s2+s3modqσ←(c,s)
pk3=gsk3
r3←RZqt3←gr3
t←t1·t2·t3c←H(t,m)
s3←r3+c·sk3modq
s←s1+s2+s3modqσ←(c,s)
↔
↔
↔
apk←pk1·pk2·pk3Checkc=H(gs·apk-c,m)
Problem 1: Rogue-key attacks
pk1=gsk1 pk2=gsk2/pk1
apk=pk1·pk2=gsk2
cancomputesignaturesunderapkbyhimself!
Knownremedies:• Per-signerchallenges[BN06]• Proofsofpossessionaddedtopk[RY07,BCJ08]• MuSigkeyaggregation:apk←ΠpkiH(pki,{pk1,…,pkN}[MPSW18]
Problem 2: Signature simulation
pk1
c,s1←RZqt1←gs1pk1-c
t←t1·t2c←H(t,m)
pk2
←t2StandardSchnorrprooftechniquedoesnotwork
(cannotprogramrandomoracle,becauseadversaryknowstbeforesimulatordoes)
→t1
Multi-signatures from discrete logarithms Scheme Rounds Roguekeys Signaturesimulation
BN[BN06] 3 per-signerchallenges preliminaryroundH(ti) BCJ - 1[BCJ08] 2 per-signerchallenges homomorphicequivocable(HE)
commitments BCJ - 2[BCJ08] 2 proofsofpossession
MWLD[MWLD10] 2 per - signerchallenges witness-indinstinguishablekeys CoSi [STV+16] 2 proofsofpossession (nosecurityproof) MuSig - 1[MPSW18a] 2 MuSig keyaggregation DLoracleinone-moreDLassumption
mBCJ [thiswork] 2 proofsofpossession per-messageHEcommitments BDN-DL,MuSig-2 [BDN18,MPSW19]
3 MuSig keyaggregation preliminaryroundH(ti)
BDN-DLpop[BDN18] 3 proofsofpossession preliminaryroundH(ti) BLS[Bol03,RY07] 1 proofsofpossession
BDN-P[BDN18] 1 MuSigkeyaggregation pairingspairings
Attacks and non-provability
Wagner’s generalized birthday attack [W02] k-sumprobleminZq:GivenklistsofrandomelementsinZqFind(c1,…,ck)inlistssuchthatc1+…+ck=0modq
Subexponentialsolution:Solvedfork=2√nintimeO(22√n)wheren=|q|.
c1
…
List1
c2
…
List2
ck …
Listk…
Application to “plain” Schnorr and CoSi
…
H(*,m)
H(*,m)
H(*,m)
…
H(*,m)
H(*,m)
H(*,m)
…
-H(t*,m1)
-H(t*,m2)
-H(t*,mL)
…
t1←gr1 tk-1←grk-1 t*←t1·…·tk-1
c1+…+ck-1=c*
• skonlyappearsinsignatureins=r+c*sk,withc=H(gr,m)• Ifwehavesignatureswithc1+…+ck-1=H(t*,m),wecan
forgeasignatureonm*!
Attacks on two-round multi-signature schemes • Attackappliestoallpreviously*knowntwo-roundschemes
• BCJ-1andBCJ-2• MWLD• CoSi• MuSig-1
• Sub-exponentialbutpractical(for256-bitq)• 15parallelsigningqueries:262steps• 127parallelsigningqueries:245steps
• Preventedbyincreasing|q|…anyhopeforprovable(asymptotic)security?
*beforefirstversionofthispaper
Non-provability of two-round schemes Theorem:One-morediscretelogarithmproblemishard
BCJ/MWLD/CoSi/MuSig-1cannotbeprovedsecure
underone-morediscretelogarithm(throughalgebraicblack-boxreductionsinrandom-oraclemodel)
Essentiallyexcludesallknownprooftechniques(includingrewinding)
underlikelyassumptions.
SubtleflawsinproofsofBCJ/MWLD/MuSig-1(CoSiwasneverprovedsecure)
⇒
Secure schemes
Modified BCJ multi-signature • 2round,secureunderdiscretelogarithm,sameefficiencyasBCJ• Largescaledeployment:
• 16,384signersgeneratesignaturewithin2seconds• 20%bandwidth,75%computationincreasecomparedtoCoSi(plainschnorr)
Other secure schemes • Three-roundscheme[BDN18,MPSW19]
• Secureunderdiscrete-logassumption
• Non-interactiveschemefromBLS[BLS01,Bol03,RY07,BDN18]
• Smallersignatures• Non-interactiveaggregation• Requiresbilinearpairings
Lessons learned
Lessons learned • Cryptographicschemesneedsecurityproofs
• Don’tdropstepsthatlooklikethey’re“justtomaketheproofwork”
• Securityproofsmustbereviewed• Proofscanbesubtle,especiallywithrewindingarguments• Toolsupportforcheckingproofs?
• Provablesecurityisnotperfect,butbesttoolwehave
Thank you!
ia.cr/2018/417
References [BN06]Bellare,Neven:Multi-signaturesintheplainpublic-Keymodelandageneralforkinglemma.CCS2006
[BCJ08]Bagherzandi,Cheon,Jarecki:Multisignaturessecureunderthediscretelogarithmassumptionandageneralizedforkinglemma.CCS2008
[MWLD10]Ma,Weng,Li,Deng:Efficientdiscretelogarithmbasedmulti-signatureschemeintheplainpublickeymodel.Design,CodesandCryptography2010
[STV+16]Sytaetal.:KeepingAuthorities"HonestorBust"withDecentralizedWitnessCosigning.IEEES&P2016
[MPSW18a]Maxwell,Poelstra,Soerin,Wuille:SimpleSchnorrMulti-SignatureswithApplicationstoBitcoin.ePrintreport/2018/068/20180118:124757
[MPSW19]Maxwell,Poelstra,Soerin,Wuille:SimpleSchnorrMulti-SignatureswithApplicationstoBitcoin.Design,CodesandCryptography2019
[BDN18]Boneh,Drijvers,Neven:CompactMulti-signaturesforSmallerBlockchains.ASIACRYPT2018
[RY07]Ristenpart,Yilek:ThePowerofProofs-of-Possession:SecuringMultipartySignaturesagainstRogue-KeyAttacks.EUROCRYPT2007
Modified BCJ multi-signatures
(g2,h1,h2)← H'(m)r,α1,α2←RZqti,1←g1α1h1α2
ti,2←g2α1h2α2g1rt1←Πti,1;t2←Πti,2c←H(t1,t2,Πpki,m)
si←r+c·ski+Σsimodqs←Σsimodq
α1←Σαi,1modqα2←Σαi,2modqσ←(t1,t2,s,α1,α2)
pki=gski+PoP
ti,1,ti,2
si,αi,1,αi,2
KAgg:CheckPoPs,apk←Πpki
Verify:c←H(t1,t2,apk,m)Checkt1=g1α1h1α2
andt2=g2α1h2α2g1sapk-c
EfficiencySign:1mexp2+1mexp3plainSchnorr:1expVerify:3mexp2
plainSchnorr:1mexp2Signaturesize:160BplainSchnorr:64B
Application to “plain” Schnorr and CoSi
Queryonm1
r1←RZqt1←gr1
c1←H(t1,m1)s1←r1+c1·skσ1←(c1,s1)
Queryonm2
r2←RZqt2←gr2
c2←H(t2,m2)s2←r2+c2·skσ2←(c2,s2)
Forgeryonm3
t3←t1·t2
c3←H(t3,m3)suchthatc3=c1+c2s3←s1+s2σ3←(c3,s3)
Lessons learned • Provablesecurity!• Reviewsecurityproofs!
• Proofscanbesubtle,especiallyforking• Toolsupportforcheckingproofs?• Don’tdropstepsthatlooklikethey’re“justtomaketheproofwork”
• Provablesecurityisnotperfect,butbesttoolwehave
• Provablesecurity!🤔• Reviewsecurityproofs!🤔
Application to “plain” Schnorr and CoSi
s1←r1+c1·sk*modq
t*←t1·…·tk-1
s*←s1+…+sk-1modq
sk-1←rk-1+ck-1·sk*modq
…
H(*,m)
H(*,m)
H(*,m)
…
H(*,m)
H(*,m)
H(*,m)
…
-H(t*,m1)
-H(t*,m2)
-H(t*,mL)
…
gs*=gΣsi=gΣri+Σci·sk*=Πti·pk*c*=t·pk*c*
t1←gr1 tk-1←grk-1 t*←t1·…·tk-1
c1+…+ck-1=c*modq
pk*=gsk*
Multi-signatures from discrete logarithms Scheme Rounds RogueKeys Signaturesimulation
BN[BN06] 3 per-signerchallenges preliminaryroundH(ti)
BCJ-1[BCJ08] 2 per-signerchallenges homomorphicequivocable(HE)com.
BCJ-2[BCJ08] 2 proofsofpossession homomorphicequivocable(HE)com.
MWLD[MWLD10] 2 per-signerchallenges witnessindistinguishablekeys
CoSi[STV+16] 2 proofsofpossession (nosecurityproof)
MuSig1[MPSW18] 2 MuSigkeyaggregation DLoracleinone-moreDLassumption
mBCJ(thiswork) 2 proofsofpossession per-messageHEcommitments
BDN-DL,MuSig2[BDN18,MPSW19]
3 MuSigkeyaggregation preliminaryroundH(ti)
BDN-DLpop[BDN18] 3 proofsofpossession preliminaryroundH(ti)
BLS-PoP[RY07] 1 proofsofpossession pairings
BDN-P[BDN18] 1 MuSigkeyaggregation pairings