²ANSSI, France
shared ownership of Bitcoin
Applications
Schnorr signatures
multi-signatures
threshold sigs
blind signatures
...
on-chain
off-chain
SchnorrVerify(pk,sig,m)
ordinary Schnorr public key
obtained via non-interactive public algorithm
$pk = \mathrm{AggKey}(pk_1, \ldots, pk_n)$
ordinary Schnorr signature
obtained via interactive signing protocol with n signers
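$\mathrm{Sign}(sk = x,\ pk = g^x,\ m)$
$r \leftarrow \$;\ R = g^r$
$c = H(pk, R, m)$
$s = x \cdot c + r$
return $(R, s)$
$\mathrm{Verify}(pk = X,\ (R, s),\ m)$
$c = H(pk, R, m)$
return $g^s \stackrel{?}{=} X^c \cdot R$
$sk = x$
$pk = g^x$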
$pk_1$
$pk_2$
$R_1$
$R_2$
$s_1$
$s_2$
$c = H(pk, R_1 R_2, m)$
return $(R_1 R_2,\ s_1 + s_2)$
$pk = pk_1 \cdot pk_2$
$pk_1$
$pk_2$
$R_1$
$R_2$
$s_1$
$s_2$
$H(R_2)$
$c = H(pk, R_1 R_2, m)$
return $(R_1 R_2,\ s_1 + s_2)$
$H(R_1)$
$pk = pk_1^{a_1} \cdot pk_2^{a_2}$
$a_i = H(i, pk_1, pk_2)$
[Maxwell, Poelstra, Seurin, Wuille 2018]
$pk_1$
$pk_2$
$R_1', R_1''$
$R_2', R_2''$
$s_1$
$s_2$
$R_i = R_i' (R_i'')^b$
$b = H(pk, R_1' R_2', R_1'' R_2'', m)$
$c = H(pk, R_1 R_2, m)$
return $(R_1 R_2,\ s_1 + s_2)$
$pk = pk_1^{a_1} \cdot pk_2^{a_2}$
$a_i = H(i, pk_1, pk_2)$
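The two-nonce protocol above, run end to end for two signers and checked with ordinary Schnorr verification. This is an added example, not code from the slides or from any MuSig2 implementation. Assumptions: the group parameters P, Q, G are a constructed toy group that is far too small for real use, H is SHA-256 reduced mod Q, both signers are simulated in one function, and the partial-signature formula s_i = r_i' + b*r_i'' + c*a_i*x_i is taken from the MuSig2 definition because the slides do not spell it out.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example (insecure size):
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash values to a scalar mod Q (stand-in for the slides' H)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def agg_key(pk1, pk2):
    """pk = pk1^a1 * pk2^a2 with a_i = H(i, pk1, pk2)."""
    a1, a2 = H(1, pk1, pk2), H(2, pk1, pk2)
    return pow(pk1, a1, P) * pow(pk2, a2, P) % P, (a1, a2)

def nonce_pair():
    """Round 1: a signer draws two nonces and publishes (R', R'')."""
    r = (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)
    return r, (pow(G, r[0], P), pow(G, r[1], P))

def musig2_sign(sk1, sk2, m):
    """Simulate both signers; returns (aggregate pk, (R, s))."""
    pk1, pk2 = pow(G, sk1, P), pow(G, sk2, P)
    pk, (a1, a2) = agg_key(pk1, pk2)
    r1, (R1a, R1b) = nonce_pair()
    r2, (R2a, R2b) = nonce_pair()
    # b ties each signer's effective nonce to the message and to all nonces.
    b = H(pk, R1a * R2a % P, R1b * R2b % P, m)
    R = (R1a * pow(R1b, b, P)) * (R2a * pow(R2b, b, P)) % P  # R = R1 * R2
    c = H(pk, R, m)
    # Round 2: partial signatures, then the sum is the final s.
    s1 = (r1[0] + b * r1[1] + c * a1 * sk1) % Q
    s2 = (r2[0] + b * r2[1] + c * a2 * sk2) % Q
    return pk, (R, (s1 + s2) % Q)

def schnorr_verify(pk, sig, m):
    """Ordinary Schnorr verification: g^s == pk^c * R."""
    R, s = sig
    return pow(G, s, P) == pow(pk, H(pk, R, m), P) * R % P
```

The verifier never learns that pk is an aggregate: it runs the same check as for a single-signer key.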
Concurrent work: