Compact Multi-signatures for Smaller Blockchains

  • Dan Boneh
  • Manu Drijvers
  • Gregory Neven
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)

Abstract

We construct new multi-signature schemes that provide new functionality. Our schemes are designed to reduce the size of the Bitcoin blockchain, but are useful in many other settings where multi-signatures are needed. All our constructions support both signature compression and public-key aggregation. Hence, to verify that a number of parties signed a common message m, the verifier only needs a short multi-signature, a short aggregation of their public keys, and the message m. We give new constructions that are derived from Schnorr signatures and from BLS signatures. Our constructions are in the plain public key model, meaning that users do not need to prove knowledge or possession of their secret key.

In addition, we construct the first short accountable-subgroup multi-signature (ASM) scheme. An ASM scheme enables any subset \(S\) of a set of n parties to sign a message m so that a valid signature discloses which subset generated the signature (hence the subset \(S\) is accountable for signing m). We construct the first ASM scheme where signature size is only \(O(\kappa)\) bits over the description of \(S\), where \(\kappa\) is the security parameter. Similarly, the aggregate public key is only \(O(\kappa)\) bits, independent of n. The signing process is non-interactive. Our ASM scheme is very practical and well suited for compressing the data needed to spend funds from a t-of-n Multisig Bitcoin address, for any (polynomial size) t and n.
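The abstract's first contribution, a multi-signature with both signature compression and public-key aggregation, can be made concrete with a small model. The code below is an added illustration, not the paper's own code or its exact scheme: it builds a Schnorr multi-signature over secp256k1 (the curve Bitcoin uses) in pure Python, derives each signer's aggregation coefficient as a hash of the whole key set (the Bellare-Neven/MuSig style of key aggregation, which is what makes a plain public-key model possible without proofs of possession), and verifies the result with the ordinary single-key Schnorr equation against the aggregated key. The names (`aggregate_keys`, `sign_multi`, `verify`, `encoded_size`) and the hash domain tags are this example's own choices. All signers are simulated honestly in one process; a real multi-party protocol additionally needs signers to commit to their nonces before revealing them, which this simulation deliberately does not model.

```python
"""Toy Schnorr multi-signature with key aggregation over secp256k1.
Added illustration only: affine arithmetic, unhardened, slow, for reading."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # sanity check: G lies on y^2 = x^3 + 7


def ec_add(A, B):
    """Affine point addition; None represents the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A (not constant time)."""
    k %= N
    R, Q = None, A
    while k:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def hash_to_scalar(tag, *parts):
    """Domain-separated SHA-256 reduced into Z_N (bias is negligible here)."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N


def key_list_bytes(pks):
    # Canonical encoding of the whole key set L, so coefficients are order-independent.
    return b"".join(point_bytes(pk) for pk in sorted(pks))


def agg_coeff(pks, pk):
    # a_i = H(L, pk_i): each coefficient depends on the complete key set. This is the
    # ingredient that lets aggregation work without proofs of key possession.
    return hash_to_scalar("agg", key_list_bytes(pks), point_bytes(pk))


def aggregate_keys(pks):
    """apk = sum_i a_i * pk_i, a single curve point whatever the number of signers."""
    apk = None
    for pk in pks:
        apk = ec_add(apk, ec_mul(agg_coeff(pks, pk), pk))
    return apk


def sign_multi(sks, msg):
    """Runs all n signers honestly in one process (no nonce-commitment round modelled).
    Each signer contributes a nonce point R_i and a partial s_i; the verifier only
    ever sees the aggregated (R, s) and apk."""
    pks = [ec_mul(sk, G) for sk in sks]
    apk = aggregate_keys(pks)
    nonces = [secrets.randbelow(N - 1) + 1 for _ in sks]
    R = None
    for r in nonces:
        R = ec_add(R, ec_mul(r, G))
    c = hash_to_scalar("chal", point_bytes(apk), point_bytes(R), msg)
    s = 0
    for sk, pk, r in zip(sks, pks, nonces):
        s = (s + r + c * agg_coeff(pks, pk) * sk) % N
    return apk, (R, s)


def verify(apk, sig, msg):
    """Plain single-key Schnorr check against the aggregated key: s*G == R + c*apk."""
    R, s = sig
    c = hash_to_scalar("chal", point_bytes(apk), point_bytes(R), msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, apk))


def encoded_size(apk, sig):
    """Bytes a verifier needs besides m: apk (64) + R (64) + s (32), independent of n."""
    return len(point_bytes(apk)) + len(point_bytes(sig[0])) + 32
```

The point the abstract makes is visible in `encoded_size`: whether two or twenty parties signed, the verifier holds one aggregated key and one (R, s) pair and runs the same check as for a single Schnorr signature. Because `agg_coeff` hashes the full key list, `aggregate_keys` gives the same point for any ordering of the same keys.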

Acknowledgments

Boneh was supported by NSF, DARPA, a grant from ONR, the Simons Foundation, and a Google faculty fellowship. Drijvers and Neven were supported by the ERC under Grant PERCY #321310.

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Stanford University, Stanford, USA
  2. DFINITY, Zurich, Switzerland
  3. ETH Zurich, Zurich, Switzerland