The Quest for Practical Threshold Schnorr Signatures
Tim Ruffing
@real_or_random
Disclaimer
This is work in progress.
Threshold Signatures
Unforgeability
\(t-1\) malicious peers
cannot produce
a valid signature.
Robustness
\(t\) honest peers
can produce
a valid signature.
\(t\)-of-\(n\)
\(n\)-of-\(n\): Multisignatures
Why Threshold/Multi Signatures?
- 2-of-2: Payment channels
- 2-of-2: two-factor authentication
- 3-of-6: Bitfinex cold wallet
- 11-of-15: Liquid watchmen
- ...
Threshold signatures should look like ordinary signatures!
Goal
Taproot
Key-path spending
- produce signature, valid under \(pk\)
Script-path spending
- reveal \(g^x\) and \(\textit{script}\)
- fulfill script
- script not revealed at all
- looks like ordinary spend
Schnorr Signatures
\( \textsf{Sign}(\textit{sk} = x, \textit{pk} = g^x, m) \)
\( r \leftarrow \$ \)
\( R = g^r \)
\( c = H(\textit{pk}, R, m) \)
\( s = x\cdot c + r \)
\( \text{return}\ (R, s) \)
\( \textsf{Verify}(\textit{pk} = X, (R, s), m) \)
\(\phantom{r \leftarrow \$ }\)
\(\phantom{ R = g^r }\)
\( c = H(\textit{pk}, R, m) \)
\(\text{return}\ g^s = X^c \cdot R \)
\(\textit{sk}=x\)
\(\textit{pk}=g^x\)
Draft for Bitcoin Improvement Proposal (BIP)
https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
- by Pieter Wuille and many more
- Full technical specification
- Detailed design rationale
- Reference code and test vectors
We need more eyeballs!
Naive Multisignatures
\(X_1=g^{x_1}\)
\(R_1 = g^{r_1}\)
\(X_2=g^{x_2}\)
\(R_2 = g^{r_2}\)
\(X_3=g^{x_3}\)
\(R_3 = g^{r_3}\)
Full Solutions
MSDL-pop
[Boneh, Drijvers, Neven (2018)]
From Multi To Threshold
Secret Sharing (simplified)
Threshold Secret Sharing
\(a\)
\(a_1\)
\(a_2\)
\(a_3\)
2-of-3
\(a\)
Distributed Key Generation (DKG)
DKG
DKG for Secret Key (\(n=3\), simplified)
DKG for Key and Nonce
\(O(f)\) rounds
\(O(1)\) rounds
DKG for Key and Nonce
DKG for Secret Key and Nonce (\(n=3\), simplified)
History of DKG for DLog
-
Pedersen (1991):
Here is a DKG scheme for DLog. It uses Feldman's VSS. -
Everybody:
Cool, let's use it. -
Gennaro, Jarecki, Krawcyz, Rabin (1999):
The attacker can bias the key.
Here is a better DKG scheme using Pedersen's VSS. -
Gennaro, Jarecki, Krawcyz, Rabin (2002):
The 1991 scheme is good enough for Schnorr threshold signatures.
What's the Point?
Why do these Schemes Fail in Practice?
Issue #1: Trust Assumption
\(t - 1 < \frac{n}{2}\)
(Honest majority)
Counterexample
Unforgeability
5 malicious peers
cannot produce
a valid signature.
Robustness
6 honest peers
can produce
a valid signature.
6-of-9
Assumption Ignores Good Cases
worst
case
better
case
Drop the Assumption?
Security Reduction
No,
reduction relies on honest majority
to extract secrets of the attacker.
Idea: Use other commitments in verifiable secret sharing.
Issue #2: Broadcast Channel
Broadcast Channel
- Reasonable assumption for robustness
- Unreasonable assumption for unforgeability
Fail gracefully:
Give up liveness but never give up safety!
Attack on Unforgeability
reconstruct \(r_1, r_2\)
reconstruct \(r_3, r_4\)
1
2
3
4
4
3
1
2
Attack on Unforgeability
Malicious broadcast channel learns
the nonce \(r = r_1 + r_2 + r_3 + r_4\) and
the signature \((R, s)\).
Combined secret key is \(x=(s - r)/c.\)
Malicious vs. Offline
Idea: Reconstruct only partial signature \(s_i\).
Theory vs. Practice
Just because a peer appears offline,
we cannot simply reconstruct his secrets in public!
Wish List
- Produces ordinary Schnorr signatures
- No restrictions on \(t\)
- Unforgeability against malicious broadcast
- Robustness in \(O(1)\) rounds
- Reasonable message complexity
- Secure in parallel sessions
Bonus List
- Asynchrony
- Deterministic nonces
- Look at setup algorithm
- Adaptive security
- Accountability