-
Notifications
You must be signed in to change notification settings - Fork 42
Aggregated Schnorr Signatures
In this section we describe a multiparty Schnorr signature scheme for elliptic curves based on the work of Boneh et al. (Compact Multi-Signatures for Smaller Blockchains section 5.1). The same protocol can be found also in the MuSig paper (Simple Schnorr Multi-Signatures with Applications to Bitcoin).
We first start by presenting Schnorr signature algorithm:
The public parameters are (πΎ,βq,βG) where πΎ is a group defined by elliptic curve, q is the order of the groups and G is the generator of the group. To generate a key pair Alice chooses a private signing key x from the allowed set and the corresponding public key will be Yβ=βxβ β β G. To sign a message m Alice chooses a random number k from the allowed set β€q.
Let Rβ=βkβ β β G, cβ=βH(Y||R||m) where H is a cryptographic hash function Hβ:β{0,β1}*ββββ€q. Alice calculates sβ=βkβ +β xc and outputs the signature (R,βs). Validation is checked simply by:
(1) sβ β β Gβ=βRβ +β cβ β β Y
This is a key-prefixed variant of the scheme where the public key is hashed together with R,βm.
Multiparty Schnorr signature scheme, also called multi-signature scheme is a set of protocols between n parties such that they can jointly sign a message. The specific protocol we describe uses hash functions H0,βH1,βH2β:β{0,β1}*ββββ€q. These hash functions can be constructed from a single one using proper domain separation The parameters are the same as in the case of single signer signature: (πΎ,βq,βG).
Key Generation: Each party chooses x and computes
Yβ=βxβ
β
β
G.
Key Aggregation: Compute
apk β H1(Yj,β{Y1,β...,βYn})β
β
β
Yj
Signing: Signing is an interactive three round protocol:
Round 1: This is a commitment round. Party i chooses ri at random and compute Riβ=βriβ β β G. Let tiβββH2(Ri). Send ti to all other signers corresponding to Y1,β...,βYn and wait to receive tjβ=βH2(Ri) from all other signers jββ βi.
Round 2: Send Ri to all other signers corresponding to Yi,β...,βYn and wait to receive Rj from all other signers jββ βi. Check that tjβ=βH2(Rj) for all jβ=β1,β...,βn.
Round 3: each party:
-
Compute apk - Key Aggregation with public keys Yi,β..Yn.
-
Compute aiβ=βH1(Yi,β{Y1,β...,βYn}).
-
Compute RΜ β Rj and cβββH0(RΜ,βapk,βm).
-
Compute siβββriβ +β cβ β β xiβ β β aimodβq.
-
Send si to all other signers and wait to receive sj from other signers jββ βi.
-
Compute s β sj and output (RΜ,βs) as the final signature
Validation is the same as in simple Schnorr (eq. 1). Conventions and preferred encodings of points and scalars can be found in https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki. Specifically pay attention that in the proposal βk is not chosen in random but derived from the private key: kβ=βH(x||m)modβq
Copyright 2018 by Kzen Networks.