Aggregated Schnorr Signatures

Omer Shlomovits edited this page Sep 3, 2018 · 1 revision

In this section we describe a multiparty Schnorr signature scheme for elliptic curves based on the work of Boneh et al. (Compact Multi-Signatures for Smaller Blockchains, section 5.1). The same protocol can also be found in the MuSig paper (Simple Schnorr Multi-Signatures with Applications to Bitcoin).

Simple Schnorr Signature

We start by presenting the Schnorr signature algorithm:

The public parameters are (𝔾, q, G) where 𝔾 is a group defined by an elliptic curve, q is the order of the group and G is the generator of the group. To generate a key pair, Alice chooses a private signing key x from the allowed set, and the corresponding public key is Y = x ⋅ G. To sign a message m, Alice chooses a random number k from the allowed set ℤq.

Let R = k ⋅ G, c = H(Y||R||m) where H is a cryptographic hash function H : {0, 1}* → ℤq. Alice calculates s = k + xc and outputs the signature (R, s). Validation is checked simply by:

(1) s ⋅ G = R + c ⋅ Y

This is a key-prefixed variant of the scheme where the public key is hashed together with R, m.

Multiparty Schnorr Signature

A multiparty Schnorr signature scheme, also called a multi-signature scheme, is a set of protocols between n parties that lets them jointly sign a message. The specific protocol we describe uses hash functions H0, H1, H2 : {0, 1}* → ℤq. These hash functions can be constructed from a single one using proper domain separation. The parameters are the same as in the case of a single-signer signature: (𝔾, q, G).

Key Generation: Each party chooses x and computes Y = x ⋅ G.
Key Aggregation: Compute apk ← H1(Yj, {Y1, ..., Yn}) ⋅ Yj

Signing: Signing is an interactive three-round protocol:

Round 1: This is a commitment round. Party i chooses ri at random and computes Ri = ri ⋅ G. Let ti ← H2(Ri). Send ti to all other signers corresponding to Y1, ..., Yn and wait to receive tj = H2(Rj) from all other signers j ≠ i.

Round 2: Send Ri to all other signers corresponding to Y1, ..., Yn and wait to receive Rj from all other signers j ≠ i. Check that tj = H2(Rj) for all j = 1, ..., n.

Round 3: Each party:

  1. Compute apk (Key Aggregation) with public keys Y1, ..., Yn.

  2. Compute ai = H1(Yi, {Y1, ..., Yn}).

  3. Compute R̂ ← Rj and c ← H0(R̂, apk, m).

  4. Compute si ← ri + c ⋅ xi ⋅ ai mod q.

  5. Send si to all other signers and wait to receive sj from other signers j ≠ i.

  6. Compute s ← sj and output (R̂, s) as the final signature.

Validation is the same as in simple Schnorr (eq. 1). Conventions and preferred encodings of points and scalars can be found in https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki. Note in particular that in the proposal k is not chosen at random but derived from the private key: k = H(x||m) mod q.
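
An added example, not part of the original wiki page or the project's code: the three signing rounds simulated in one Python process, followed by validation with eq. 1 against apk. Assumptions: secp256k1 as the curve, apk, R̂ and s taken as sums over all signers as in the cited papers, and the function names, tag-based H0/H1/H2 and repr-based encoding, which are illustrative and not the BIP's encodings.

```python
import hashlib, secrets
from functools import reduce

P = 2**256 - 2**32 - 977  # secp256k1 field prime (curve choice is an assumption)
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order q
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the identity element
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    num, den = (3 * a[0] * a[0], 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def H(tag, *items):  # H0, H1, H2 from one hash via a domain-separation tag
    return int.from_bytes(hashlib.sha256(tag + repr(items).encode()).digest(), "big") % Q

def aggregate_key(Ys):  # apk = sum over j of H1(Yj, {Y1..Yn}) * Yj
    return reduce(add, (mul(H(b"H1", Y, Ys), Y) for Y in Ys), None)
def openings_ok(t, R):  # round 2 check: tj == H2(Rj) for every signer
    return all(tj == H(b"H2", Rj) for tj, Rj in zip(t, R))

def sign(xs, m):  # all n signers simulated locally; xs are their private keys
    Ys = [mul(x, G) for x in xs]
    apk = aggregate_key(Ys)
    r = [secrets.randbelow(Q - 1) + 1 for _ in xs]
    R = [mul(ri, G) for ri in r]
    t = [H(b"H2", Ri) for Ri in R]            # round 1: exchange commitments
    if not openings_ok(t, R):                 # round 2: exchange and check Ri
        raise ValueError("nonce does not match its commitment")
    Rhat = reduce(add, R, None)               # round 3
    c = H(b"H0", Rhat, apk, m)
    s = sum(ri + c * xi * H(b"H1", Y, Ys) for ri, xi, Y in zip(r, xs, Ys)) % Q
    return apk, (Rhat, s)

def verify(apk, m, sig):  # eq. (1) with Y = apk and c = H0(R̂, apk, m)
    Rhat, s = sig
    return mul(s, G) == add(Rhat, mul(H(b"H0", Rhat, apk, m), apk))
```

The verifier only needs apk, so the signature is checked exactly like a single-signer one; `openings_ok` is the step that stops a signer from choosing its Ri after seeing the others' values.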