Taproot and
Schnorr Multisignatures
Tim Ruffing
@real_or_random
UTXOs in Bitcoin
OP_DUP OP_HASH160 <PubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
- Spending condition encoded as a script.
- Typically: you need to provide a signature of the desired transaction under a given public key
- Current: public key inside a script
- Taproot: script inside a public key
Elliptic Curve Public Keys can serve as Commitments
Taproot
Key-path spending
- produce a Schnorr signature valid under public key $pk$
Script-path spending
- reveal $g^x$ and the script
- fulfill the script
- the script can actually be a Merkle tree of scripts
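The commitment behind "script inside a public key", as an added example (this is not code from the talk): a minimal pure-Python secp256k1, the BIP340 tagged hash, and the BIP341 single-leaf tweak $Q = P + H_{\mathrm{TapTweak}}(P \,\|\, \mathrm{leaf}) \cdot G$. The key path needs the tweaked secret $d + t$; the script path reveals $P$ and the script and lets the verifier recompute $Q$. The secret key, the script and the function names are constructed for the example; the BIP340 Schnorr signing itself is not included here.

```python
import hashlib

# secp256k1: field prime, group order and generator (the curve BIP340/341 use).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % P, -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)


def mul(k, A=G):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R


def lift_x(x):
    """BIP340 lift_x: the curve point with x-coordinate x and even y."""
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)          # sqrt works because P = 3 mod 4
    if y * y % P != rhs:
        raise ValueError("x is not the x-coordinate of a curve point")
    return (x, y if y % 2 == 0 else P - y)


def tagged_hash(tag, data):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def tapleaf_hash(script, leaf_version=0xC0):
    """BIP341 leaf hash of one script (CompactSize of a short script is one byte)."""
    assert len(script) < 253
    return tagged_hash("TapLeaf", bytes([leaf_version, len(script)]) + script)


def taptweak(internal_x, merkle_root):
    """t = H_TapTweak(P_x || root): the scalar that commits the script tree into the key."""
    t = int.from_bytes(tagged_hash("TapTweak", internal_x.to_bytes(32, "big") + merkle_root), "big")
    assert t < N
    return t


def output_key(internal_x, script):
    """Q = P + t*G. Only Q's 32-byte x-coordinate goes into the UTXO."""
    Q = add(lift_x(internal_x), mul(taptweak(internal_x, tapleaf_hash(script))))
    return Q[0]


def key_path_secret(d, script):
    """Secret for the key path: (d, negated if P has odd y) + t mod n. The holder makes
       an ordinary BIP340 signature under Q; the chain never learns that a script exists."""
    x, y = mul(d)
    if y % 2:
        d = N - d
    return (d + taptweak(x, tapleaf_hash(script))) % N


def script_path_check(output_x, internal_x, script):
    """Verifier side of a script-path spend: the spender reveals P_x and the script;
       the chain recomputes t and checks Q == P + t*G before executing the script."""
    try:
        Q = add(lift_x(internal_x), mul(taptweak(internal_x, tapleaf_hash(script))))
    except ValueError:
        return False
    return Q[0] == output_x


def demo():
    # Constructed secret and script for the example (not real keys).
    d = int.from_bytes(hashlib.sha256(b"constructed demo secret").digest(), "big") % N
    script = bytes([0x51])              # OP_TRUE: trivially satisfiable script path
    px = mul(d)[0]                      # internal key, x-only as in BIP340
    q = output_key(px, script)
    return (script_path_check(q, px, script),            # honest reveal opens the commitment
            script_path_check(q, px, bytes([0x00])),     # a different script is rejected
            mul(key_path_secret(d, script))[0] == q)     # key-path secret really matches Q
```

A real script-path witness additionally carries a control block with the leaf version, the parity of $Q$'s y-coordinate and the Merkle path; for a tree of scripts the leaf hash above is replaced by the Merkle root, and with no script at all BIP341 tweaks with $P$ alone.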
Smart Contracts
Parties can cooperate to produce a multi-signature, i.e., a single Schnorr signature valid under $g^{x_1 + x_2}$
Taproot is Cool
- All UTXOs look the same: just a public key
- All UTXOs are short: 32 bytes
- Most spends look the same: just a signature
- Most spends are short: 64 bytes
- Only exception: uncooperative parties in a smart contract
Applications
- Consensus layer: Schnorr signature verification
- Contract layer: multisignatures, threshold signatures, blind signatures, ...
- Contracts are hidden from verifiers
- Consensus layer is kept simple
Taproot BIPs
- BIP340: Schnorr Signatures for secp256k1
- BIP341: Taproot: SegWit version 1 spending rules
- BIP342: Validation of Taproot Scripts
Research Agenda
- Multi-signatures...
- Threshold signatures...
- Blind signatures...
- ? signatures...
...that look like ordinary Schnorr signatures.
Schnorr Multisignatures
Schnorr Signatures
Keys: $sk = x$, $pk = g^x$
Sign($sk = x$, $pk = g^x$, $m$)
- $r \leftarrow \$$; $R = g^r$
- $c = H(pk, R, m)$
- $s = x \cdot c + r$
- return $(R, s)$
Verify($pk = X$, $(R, s)$, $m$)
- $c = H(pk, R, m)$
- return $g^s \stackrel{?}{=} X^c \cdot R$
Deterministic Randomness
Sign($sk = x$, $pk = g^x$, $m$)
- $r = H_{\mathrm{non}}(x, pk, m, \mathrm{rand})$; $R = g^r$
- $c = H(pk, R, m)$
- $s = x \cdot c + r$
- return $(R, s)$
Why the nonce must never repeat: two signatures with the same $r$ and challenges $c \neq c'$ give
- $s = c \cdot x + r$
- $s' = c' \cdot x + r$
- $s - s' = x (c - c')$
- $x = (s - s') / (c - c')$
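Sign, Verify and the nonce-reuse derivation above, as an added Python example (not code from the talk). It works in a prime-order subgroup of $\mathbb{Z}_p^*$ chosen at import time, so that the slides' $g^x$ is literally `pow(G, x, P)`; for secp256k1 only the group operation changes. The group search, the hash encoding, and all keys and messages are constructed for the example.

```python
import hashlib
import secrets

# --- Group setup -------------------------------------------------------------
# A prime-order subgroup of Z_p^* chosen at import time, so that the slides'
# g^x is literally pow(G, x, P). For secp256k1 only the group operation changes.
Q = 2**127 - 1  # subgroup order: the Mersenne prime M127 (a constructed choice)


def is_prime(n):
    """Miller-Rabin with fixed bases; good enough for picking a demo modulus."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


K = next(k for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
P = K * Q + 1          # prime modulus with Q | P - 1
G = pow(2, K, P)       # generator of the order-Q subgroup: 2^((P-1)/Q) mod P
assert G != 1 and pow(G, Q, P) == 1


def H(*parts):
    """Random-oracle stand-in: SHA-256 over the encoded inputs, reduced mod Q."""
    data = b"".join(p.to_bytes(32, "big") if isinstance(p, int) else p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m, r=None):
    """Sign(sk = x, pk = g^x, m) from the slides; r is sampled unless supplied."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = H(pow(G, x, P), R, m)
    return R, (x * c + r) % Q


def verify(X, sig, m):
    """Verify(pk = X, (R, s), m): g^s == X^c * R."""
    R, s = sig
    c = H(X, R, m)
    return pow(G, s, P) == pow(X, c, P) * R % P


def deterministic_nonce(x, X, m, aux=b""):
    """r = H_non(x, pk, m, rand): the nonce cannot repeat for different messages."""
    return H(b"nonce", x, X, m, aux) or 1


def recover_key(X, sig1, m1, sig2, m2):
    """Two signatures with the same R (same r) and c != c' leak the key:
       s - s' = x (c - c')  =>  x = (s - s') / (c - c') mod Q."""
    (R1, s1), (R2, s2) = sig1, sig2
    if R1 != R2:
        return None            # different nonces: the two equations do not combine
    c1, c2 = H(X, R1, m1), H(X, R2, m2)
    if c1 == c2:
        return None
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q


def demo():
    """Deterministic nonces are safe; a reused random nonce hands over x."""
    x, X = keygen()
    m1, m2 = b"pay 1 BTC to Alice", b"pay 1 BTC to Bob"   # constructed messages
    good = sign(x, m1, deterministic_nonce(x, X, m1))
    assert verify(X, good, m1) and not verify(X, good, m2)
    r = 0xBAD_5EED                                     # bug: one nonce, two messages
    leaked = recover_key(X, sign(x, m1, r), m1, sign(x, m2, r), m2)
    return leaked == x
```

`recover_key` is exactly the four-line derivation on the slide; the only thing the attacker needs is two signatures with the same $R$, which a broken RNG or a reseeded VM can produce without the signer noticing.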
Naive Multisignatures (Insecure!)
Signers $i = 1, 2, 3$ with keys $X_i = g^{x_i}$ and nonces $R_i = g^{r_i}$; the aggregate key is $pk = \prod_i X_i = g^{\sum_i x_i}$.
BrokenMultiSign($sk_i = x_i$, $pk = g^x$, $m$), run by every signer $i$ (compare with the single-signer Sign above):
- $r_i \leftarrow \$$; $R_i = g^{r_i}$
- broadcast $R_i$; $R = \prod_i R_i$
- $c = H(pk, R, m)$
- broadcast $s_i = x_i \cdot c + r_i$; $s = \sum_i s_i$
- return $(R, s)$
Issue 1: Rogue-Key Attack
- A signer that chooses its key after seeing the others' keys, e.g. $X_2 = g^{x_2} \cdot X_1^{-1}$, makes the aggregate key $pk = X_1 X_2 = g^{x_2}$ and can then sign alone with $x_2$.
Avoiding Rogue-Key Attacks
- MSDL-pop [Boneh, Drijvers, Neven (2018)]: proofs of possession ("pop")
- MuSig [Maxwell, Poelstra, Seurin, Wuille (2018)]: key aggregation with tweak
MuSig Key Aggregation
where
Issue 2: Parallel Security
Can we run multiple signing sessions in parallel?
Wagner's Algorithm
- Find $m_0, m_1$ with $H(m_0) = H(m_1)$: hard
- Find $m_0, m_1, \ldots, m_{100}$ with $H(m_0) = H(m_1) + \ldots + H(m_{100})$: easy
Attack Using Wagner's Algorithm
- Let $pk = g^{x + x'}$ with $x$ belonging to the victim and $x'$ to the attacker.
- Open 100 sessions with the victim with messages $m_1, \ldots, m_{100}$.
- Victim sends nonces $R_1, \ldots, R_{100}$.
- Set $R = R_1 \cdots R_{100}$.
- Find reply nonces $R'_1, \ldots, R'_{100}$ using Wagner's algorithm such that $H(pk, R, m) = H(pk, R_1 R'_1, m_1) + \ldots + H(pk, R_{100} R'_{100}, m_{100})$.
- Obtain partial signatures $s_1, \ldots, s_{100}$.
- $s = s_1 + \ldots + s_{100}$ is a partial signature on $m$ with nonce $R$.
- $(R, s + x' \cdot H(pk, R, m))$ is a forgery on $m$.
Parallel Security
- Attacker controls the hash value (because it controls its nonce $R'$)
- Reduction must know $R = \prod_i R_i$ before the attacker does:
- required for programming the random oracle on $H(pk, R, m)$
- required for simulating signatures
Fix: let every signer $i$ send a commitment $H(R_i)$ upfront.
Resulting protocol needs 3 rounds.
MuSig
MuSigSign($sk_i = x_i$, $pk = \prod_i pk_i^{a_i}$, $m$), run by every signer $i$ (compare with the single-signer Sign above):
- $r_i \leftarrow \$$; $R_i = g^{r_i}$
- broadcast $h_i = H(R_i)$
- broadcast $R_i$; $R = \prod_i R_i$
- fail if $H(R_i) \neq h_i$ for some $i$
- $c = H(pk, R, m)$
- broadcast $s_i = x_i a_i c + r_i$; $s = \sum_i s_i$
- return $(R, s)$
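BrokenMultiSign under a rogue key, and the 3-round MuSigSign that replaces it, as one added example serving the naive-multisignature, rogue-key, key-aggregation and MuSig passages above (this is not code from the talk or from any MuSig implementation). The group is a prime-order subgroup of $\mathbb{Z}_p^*$ picked at import time so that $g^x$ is `pow(G, x, P)`; the coefficient $a_i = H(L, X_i)$ with $L$ the sorted key list follows the MuSig paper, while the hash encoding, the group search, the messages and the secret keys are constructed for the example.

```python
import hashlib
import secrets

# --- Group setup: a prime-order subgroup of Z_p^* picked at import time, so the
# slides' g^x is pow(G, x, P). (Constructed toy group; use secp256k1 for real.)
Q = 2**127 - 1  # subgroup order: the Mersenne prime M127


def is_prime(n):
    """Miller-Rabin with fixed bases; good enough for picking a demo modulus."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


K = next(k for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
P = K * Q + 1
G = pow(2, K, P)       # generator of the order-Q subgroup
assert G != 1 and pow(G, Q, P) == 1


def H(*parts):
    """Random-oracle stand-in: SHA-256 over the encoded inputs, reduced mod Q."""
    data = b"".join(p.to_bytes(32, "big") if isinstance(p, int) else p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def verify(X, sig, m):
    """Plain Schnorr verification: all the consensus layer ever sees."""
    R, s = sig
    return pow(G, s, P) == pow(X, H(X, R, m), P) * R % P


def naive_keyagg(pks):
    """pk = prod X_i, as in BrokenMultiSign."""
    pk = 1
    for X in pks:
        pk = pk * X % P
    return pk


def rogue_key_attack(X1, m):
    """Issue 1: without knowing x1, choose X2 = g^{x2} * X1^{-1} after seeing X1.
       The naive aggregate key is then g^{x2}, and one party signs for both."""
    x2 = secrets.randbelow(Q - 1) + 1
    X2 = pow(G, x2, P) * pow(X1, -1, P) % P
    pk = naive_keyagg([X1, X2])                 # == g^{x2}
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    s = (x2 * H(pk, R, m) + r) % Q
    return X2, pk, (R, s)


def musig_coeffs(pks):
    """MuSig key-aggregation coefficients a_i = H(L, X_i), L = the set of all keys."""
    L = b"".join(X.to_bytes(32, "big") for X in sorted(pks))
    return [H(L, X) for X in pks]


def musig_keyagg(pks):
    """pk = prod X_i^{a_i}: a rogue X2 can no longer cancel X1."""
    pk = 1
    for X, a in zip(pks, musig_coeffs(pks)):
        pk = pk * pow(X, a, P) % P
    return pk


def musig_sign(xs, m):
    """MuSigSign with all signers simulated locally; returns (pk, (R, s))."""
    pks = [pow(G, x, P) for x in xs]
    pk, coeffs = musig_keyagg(pks), musig_coeffs(pks)
    rs = [secrets.randbelow(Q - 1) + 1 for _ in xs]
    Rs = [pow(G, r, P) for r in rs]
    # Round 1: every signer broadcasts h_i = H(R_i) before anyone sees a nonce.
    hs = [H(b"commit", R) for R in Rs]
    # Round 2: broadcast R_i; abort if any R_i does not match its commitment.
    if any(H(b"commit", R) != h for R, h in zip(Rs, hs)):
        raise ValueError("nonce commitment mismatch")
    R = 1
    for Ri in Rs:
        R = R * Ri % P
    # Round 3: partial signatures s_i = x_i a_i c + r_i, summed by anyone.
    c = H(pk, R, m)
    s = sum(x * a * c + r for x, a, r in zip(xs, coeffs, rs)) % Q
    return pk, (R, s)
```

The rogue-key forgery verifies under the naive aggregate key but not under `musig_keyagg` of the same two keys: the attacker would have to pick $X_2$ so that $X_1^{a_1} X_2^{a_2}$ is a key it knows, and $a_2$ depends on $X_2$ itself. The MSDL-pop alternative instead demands a proof of knowledge of $\log X_2$, which the rogue key construction cannot supply. Note that `musig_sign` aggregates with the ordinary `verify`, which is the whole point: the chain sees a single Schnorr signature under a single key.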
Extensions to MuSig
MuSig-DN
- Schnorr/ECDSA signature generation needs randomness (the "nonce")
- Lesson from history: relying on true randomness breaks in practice and leads to catastrophic failures (key leakage)
- Best practice: derive the nonce from a pseudorandom generator seeded by the secret key
- If you apply this to multi-signatures: catastrophic failure (a co-signer who changes its own nonce makes you sign twice with the same $r_i$ but different $c$, and your key leaks exactly as in the nonce-reuse derivation)
- MuSig-DN fixes this using (expensive?) zero-knowledge proofs
- On the way, we get a 2-round signing protocol (instead of 3 rounds)
- (Paper accepted at CCS 2020)
- Joint work with Jonas Nick, Yannick Seurin, Pieter Wuille
Disclaimer
The following is work in progress.

(Simple) 2-round MuSig
- MuSig story: the first revision of the MuSig paper had a 2-round scheme, with security proven under the OMDL (one-more discrete logarithm) assumption
- Drijvers, Edalatnejad, Ford, Kiltz, Loss, Neven, Stepanovs (2019): the proof is broken, here is an attack
- Reverted the paper to the 3-round variant
- Now we have a new (very simple) idea for a 2-round scheme
- Hopefully it will also enable "nested MuSig"
- Joint work with Jonas Nick, Yannick Seurin, Duc Le
Threshold MuSig
- Multisignatures: n-of-n; threshold signatures: t-of-n
- When we started to write the Schnorr signature BIP, we believed that threshold Schnorr signatures were solved: many papers in the literature using secret sharing
- Restrictions of those existing solutions:
- honest majority assumption (e.g., can't do 7-of-10)
- assume a broadcast channel (broken otherwise)
- parallel security?
- Future work. We believe this becomes easier with 2-round MuSig.
- Watch my talk at CES Summit 2019 for more background.
Don’t Trust. Verify.
London Bitcoin Devs 0.24, 2020-06-17