The Quest for Practical Threshold Schnorr Signatures
Tim Ruffing
@real_or_random
Disclaimer
This is work in progress.

Threshold Signatures
Unforgeability
t−1 malicious peers
cannot produce
a valid signature.
Robustness
t honest peers
can produce
a valid signature.
t-of-n
n-of-n: Multisignatures
Why Threshold/Multi Signatures?
- 2-of-2: Payment channels
- 2-of-2: two-factor authentication
- 3-of-6: Bitfinex cold wallet
- 11-of-15: Liquid watchmen
- ...
Threshold signatures should look like ordinary signatures!
Goal
Taproot
Key-path spending
- produce signature, valid under pk
- script not revealed at all
- looks like ordinary spend
Script-path spending
- reveal $g^x$ and script
- fulfill script
Schnorr Signatures
sk $= x$, pk $= g^x$
Sign(sk $= x$, pk $= g^x$, $m$)
$r \leftarrow \$$
$R = g^r$
$c = H(\text{pk}, R, m)$
$s = x \cdot c + r$
return $(R, s)$
Verify(pk $= X$, $(R, s)$, $m$)
$c = H(\text{pk}, R, m)$
return $g^s = X^c \cdot R$
Draft for Bitcoin Improvement Proposal (BIP)
https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
- by Pieter Wuille and many more
- Full technical specification
- Detailed design rationale
- Reference code and test vectors
We need more eyeballs!


Naive Multisignatures
(figure) Signer $i \in \{1, 2, 3\}$: key $X_i = g^{x_i}$, nonce $R_i = g^{r_i}$
Full Solutions
MSDL-pop
[Boneh, Drijvers, Neven (2018)]

From Multi To Threshold

Secret Sharing (simplified)
Threshold Secret Sharing (figure, 2-of-3): secret $a$ is split into shares $a_1, a_2, a_3$; any two shares recover $a$.
Distributed Key Generation (DKG)

DKG for Secret Key (n=3, simplified)
DKG for Key and Nonce
O(f) rounds
O(1) rounds
DKG for Secret Key and Nonce (n=3, simplified)
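The share arithmetic behind the two previous slides (threshold secret sharing, and the simplified n=3 DKG for the secret key, which is run again per signature for the nonce), as an added example that is not code from the slides. It works in the scalar field $\mathbb{Z}_q$ with $q$ taken to be the secp256k1 group order (an assumption; the slides fix no group). Feldman/Pedersen commitments, complaint rounds and the broadcast channel are left out, so it shows how shares are formed and recombined, not how cheating dealers are caught; the joint secret is returned by `dkg` only so the result can be checked, where a real DKG would output $g^x$ instead.

```python
# Added example, not from the slides: Shamir t-of-n sharing plus the
# "sum of sharings" skeleton of a Pedersen-style DKG, over Z_q.
import secrets

Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order (assumed group)


def share(secret, t, n, rng=secrets.randbelow):
    """Split `secret` into shares f(1..n) of a random degree-(t-1) polynomial
    f with f(0) = secret: any t shares determine it, t-1 reveal nothing."""
    coeffs = [secret % Q] + [rng(Q) for _ in range(t - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at 0: sum_i f(i) * prod_{j != i} (0 - j)/(i - j).
    `shares` is {i: f(i)}; with fewer than t entries the result is garbage."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def dkg(t, n, rng=secrets.randbelow):
    """Simplified DKG (no commitments, no complaints): every party j picks a_j
    and Shamir-shares it; party i's key share is x_i = sum_j f_j(i), a share
    of the joint secret x = sum_j a_j that no single party ever holds.
    x is returned only for checking; a real DKG would publish g^x instead."""
    contributions = [rng(Q) for _ in range(n)]
    sharings = [share(a, t, n, rng) for a in contributions]
    key_shares = {i: sum(f[i] for f in sharings) % Q for i in range(1, n + 1)}
    return sum(contributions) % Q, key_shares


def demo():
    """2-of-3 as on the slide: any two key shares recover x, one does not."""
    x, shares = dkg(2, 3)
    assert reconstruct({1: shares[1], 3: shares[3]}) == x
    assert reconstruct({2: shares[2], 3: shares[3]}) == x
    assert reconstruct({1: shares[1]}) != x
    return x


if __name__ == "__main__":
    print("joint secret recovered from 2 of 3 shares:", hex(demo()))
```

The same `share`/`reconstruct` pair is what a naive "reconstruct the nonce of an offline peer" step would call, which is exactly the step the later slides show a malicious broadcast channel abusing.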
History of DKG for DLog
- Pedersen (1991): Here is a DKG scheme for DLog. It uses Feldman's VSS.
- Everybody: Cool, let's use it.
- Gennaro, Jarecki, Krawczyk, Rabin (1999): The attacker can bias the key. Here is a better DKG scheme using Pedersen's VSS.
- Gennaro, Jarecki, Krawczyk, Rabin (2002): The 1991 scheme is good enough for Schnorr threshold signatures.
What's the Point?
Why do these Schemes Fail in Practice?
Issue #1: Trust Assumption
$t - 1 < n/2$ (honest majority)
Counterexample
Unforgeability
5 malicious peers
cannot produce
a valid signature.
Robustness
6 honest peers
can produce
a valid signature.
6-of-9
Assumption Ignores Good Cases (figure: worst case vs. better case)
Drop the Assumption?
Security Reduction
No, the reduction relies on an honest majority to extract the attacker's secrets.
Idea: Use other commitments in verifiable secret sharing.
Issue #2: Broadcast Channel
Broadcast Channel
- Reasonable assumption for robustness
- Unreasonable assumption for unforgeability
Fail gracefully:
Give up liveness but never give up safety!
Attack on Unforgeability
(figure: four peers 1, 2, 3, 4; one group reconstructs $r_1, r_2$, the other reconstructs $r_3, r_4$)
Attack on Unforgeability
Malicious broadcast channel learns
the nonce $r = r_1 + r_2 + r_3 + r_4$ and
the signature $(R, s)$.
Combined secret key is $x = (s - r)/c$.
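The Schnorr signature slide, the naive multisignature slide and this attack, carried through in working code as an added example (not code from the slides, the BIP draft or any library). Assumptions: the group is secp256k1 in affine coordinates; $H(\text{pk}, R, m)$ is plain SHA-256 over the uncompressed points, not the BIP's encoding; the signing convention is the slides' $s = x \cdot c + r$; and the arithmetic is not side-channel hardened. `multisign` returns the per-signer nonces only so that the attacker's step, $x = (s - r)/c$, can be run against a real aggregate signature.

```python
# Added example, not from the slides: Schnorr over secp256k1 in the slides'
# convention, the naive n-of-n multisignature, and nonce-reconstruction attack.
import hashlib
import secrets

P = 2**256 - 2**32 - 977                                              # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P (covers doubling and inverses)."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add (not constant time)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def challenge(pk, R, m):
    """c = H(pk, R, m): SHA-256 over uncompressed points (assumed encoding), mod N."""
    enc = lambda pt: pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc(pk) + enc(R) + m).digest(), "big") % N


def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x, G)


def sign(x, pk, m, r=None):
    """Sign(sk=x, pk=g^x, m): R = g^r, c = H(pk, R, m), s = x*c + r."""
    r = secrets.randbelow(N - 1) + 1 if r is None else r
    R = mul(r, G)
    return R, (x * challenge(pk, R, m) + r) % N


def verify(pk, sig, m):
    """Verify(pk=X, (R, s), m): g^s == X^c * R, i.e. s*G == c*X + R additively."""
    R, s = sig
    return mul(s, G) == add(mul(challenge(pk, R, m), pk), R)


def multisign(keys, m):
    """Naive n-of-n multisignature: X = prod X_i, R = prod R_i, s = sum s_i.
    keys: list of (x_i, X_i). Returns aggregate key, signature, and the nonces
    r_i (kept only to demonstrate the attack). Naive key aggregation is known
    to be open to rogue-key attacks; the slides replace it with MSDL-pop."""
    X = INF
    for _, Xi in keys:
        X = add(X, Xi)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in keys]
    R = INF
    for ri in nonces:
        R = add(R, mul(ri, G))
    c = challenge(X, R, m)
    s = sum(xi * c + ri for (xi, _), ri in zip(keys, nonces)) % N
    return X, (R, s), nonces


def recover_secret_key(pk, sig, m, r):
    """Malicious broadcast channel's step: with the full nonce r and the
    signature (R, s), the combined secret key is x = (s - r) / c."""
    R, s = sig
    return (s - r) * pow(challenge(pk, R, m), -1, N) % N


def demo():
    """Four signers produce one ordinary-looking signature; the channel that
    learned r_1 + ... + r_4 then recovers the joint secret key."""
    msg = b"constructed sample message"            # constructed input
    keys = [keygen() for _ in range(4)]
    X, sig, nonces = multisign(keys, msg)
    assert verify(X, sig, msg)                       # verifies like a single-signer Schnorr
    x = recover_secret_key(X, sig, msg, sum(nonces) % N)
    assert x == sum(xi for xi, _ in keys) % N        # attacker now holds the joint key
    return x


if __name__ == "__main__":
    print("recovered combined secret key:", hex(demo()))
```

The point the code makes concrete: the aggregate signature is indistinguishable from a single-signer one (it passes the ordinary `verify`), which is the goal, but any mechanism that exposes the full nonce $r$, including "helpfully" reconstructing shares of peers that merely look offline, hands over $x$ in one field division.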
Malicious vs. Offline
Idea: Reconstruct only partial signature $s_i$.
Theory vs. Practice
Just because a peer appears offline,
we cannot simply reconstruct its secrets in public!
Wish List
- Produces ordinary Schnorr signatures
- No restrictions on t
- Unforgeability against malicious broadcast
- Robustness in O(1) rounds
- Reasonable message complexity
- Secure in parallel sessions
Bonus List
- Asynchrony
- Deterministic nonces
- Look at setup algorithm
- Adaptive security
- Accountability
Don’t Trust. Verify.
CES Summit 2019, MIT Media Lab, 2019-10-06, Tim Ruffing