Boneh, D., Drijvers, M., Neven, G. (2018). Compact Multi-signatures for Smaller Blockchains. In: Peyrin, T., Galbraith, S. (eds) Advances in Cryptology – ASIACRYPT 2018. ASIACRYPT 2018. Lecture Notes in Computer Science(), vol 11273. Springer, Cham. https://doi.org/10.1007/978-3-030-03329-3_15
多签名聚合
总结
这篇文章涉及到的方案:
- MSP:一种Multi-Signature(基于双线性对),将多个签名合成一个,用合成公钥 a p k apk apk可验证。(用全部的 a p k i apk_i apki可以批量验证一组multi-Signatures)
- AMSP:MSP的聚合版本,把多个multi-Signatures聚合成一个,并给出对应的验证方法
- ASM:部分子集的multi-signature,用总的合成公钥apk可以验证,用 m k i mk_i mki可追责
- MSDL:基于离散对数的Multi-Signature方案
以及以上方案的PoP版本(用PoP对抗 Rogue public-key attack)
Preliminaries
概念:
- M u l t i s i g n a t u r e : ( P g , K g , S i g n , K A g , V f ) {\rm Multisignature:( Pg, Kg, Sign, KAg, Vf}) Multisignature:(Pg,Kg,Sign,KAg,Vf):签名算法的输入包括公钥集合 P K \mathcal{PK} PK,每个签名方各自生成签名。 K A g {\rm KAg} KAg将公钥集合聚合成一个聚合公钥,可用于验证任何一个签名。
- Aggregate Multi-Signatures:将多个Multisignature聚合成一个签名,扩展两个算法:
- S A g ( ( a p k , m , σ ) , . . . ) → Σ {\rm SAg}((apk,m,\sigma),...)\rightarrow\Sigma SAg((apk,m,σ),...)→Σ
- A V f ( ( a p k , m ) , . . . , Σ ) → 0 / 1 {\rm AVf}((apk,m),...,\Sigma)\rightarrow0/1 AVf((apk,m),...,Σ)→0/1
构造Aggregate Multi-Signatures的目标并非简单的聚合,而是构造远小于独立Multi-Signatures集合的规模,理想状态下是常数规模。
BLS签名
这个签名支持简单的聚合:
验证聚合签名:所有
(
p
k
i
,
m
i
)
i
=
1
n
(pk_i,m_i)_{i=1}^n
(pki,mi)i=1n
如果所有被签名的message都一样:
m
1
=
.
.
.
=
m
n
m_1=...=m_n
m1=...=mn,验证关系(2)归约成简单的形式:
以及一个短的聚合公钥
a
p
k
:
=
p
k
1
.
.
.
p
k
n
∈
G
2
apk:=pk_1...pk_n\in\mathbb{G}_2
apk:=pk1...pkn∈G2
Simple Schnorr Multi-Signatures with Applications to Bitcoin
- K e y G e n ( ) : x ← Z p , X = g x {\rm KeyGen}():x\leftarrow\mathbb{Z}_p,X=g^x KeyGen():x←Zp,X=gx
- S i g n ( ( s k , p k ) , L = { p k 1 , . . . , p k n } , m ) → σ {\rm Sign}( (sk, pk),L=\{pk_1,...,pk_n\},m)\rightarrow \sigma Sign((sk,pk),L={pk1,...,pkn},m)→σ. L = { X 1 , . . . , X n } L=\{X_1,...,X_n\} L={X1,...,Xn},签名者密钥 ( x 1 , X 1 ) (x_1,X_1) (x1,X1)
- 对 i ∈ { 1 , . . . , n } i\in\{1,...,n\} i∈{1,...,n},计算 a i = H 0 ( L , X i ) a_i=H_0(L,X_i) ai=H0(L,Xi),聚合公钥 X ~ = ∏ i = 1 n X i a i \widetilde{X}=\prod_{i=1}^nX_i^{a_i} X =∏i=1nXiai
- 随机 r i ← Z p r_i\leftarrow\mathbb{Z}_p ri←Zp,计算 R 1 = g r 1 R_1=g^{r_1} R1=gr1,将 R 1 R_1 R1发送给其他参与方
- 收到其他所有 R 2 , . . . , R n R_2,...,R_n R2,...,Rn后,计算: R = ∏ i = 1 n R i , c = H 1 ( X ~ , R , m ) , s 1 = r 1 + c ⋅ a 1 ⋅ x 1 m o d p R=\prod_{i=1}^nR_i,c=H_1(\widetilde{X},R,m),s_1=r_1+c\cdot a_1\cdot x_1~mod~p R=∏i=1nRi,c=H1(X ,R,m),s1=r1+c⋅a1⋅x1 mod p,将 s 1 s_1 s1发送给其他参与方
- 收到所有其他 s 2 , . . . , s n s_2,...,s_n s2,...,sn后,计算: s = ∑ i = 1 n s i m o d p s=\sum_{i=1}^ns_i~mod~p s=∑i=1nsi mod p,签名 σ = ( R , s ) \sigma=(R,s) σ=(R,s)
- V e r ( L , m , σ ) → 0 / 1 {\rm Ver}(L, m, \sigma)\rightarrow0/1 Ver(L,m,σ)→0/1
- 计算 a i = H 0 ( L , X i ) , i ∈ { 1 , . . . , n } , X ~ = ∏ i = 1 n X i a i , c = H 1 ( X ~ , R , m ) a_i=H_0(L,X_i),i\in\{1,...,n\},\widetilde{X}=\prod_{i=1}^nX_i^{a_i},c=H_1(\widetilde{X},R,m) ai=H0(L,Xi),i∈{1,...,n},X =∏i=1nXiai,c=H1(X ,R,m)
- 如果
g
s
=
R
⋅
∏
i
=
1
n
X
i
a
i
⋅
c
=
R
⋅
X
~
c
g^{s}=R\cdot \prod_{i=1}^{n} X_{i}^{a_{i}\cdot c}=R\cdot \widetilde{X}^{c}
gs=R⋅∏i=1nXiai⋅c=R⋅X
c
推导: g s = ∏ i = 1 n g s i = ∏ i = 1 n g r i + c ⋅ a i ⋅ x i = R ⋅ ∏ i = 1 n X i c ⋅ a i = R ⋅ X ~ c g^{s}=\prod_{i=1}^{n}g^{s_i}=\prod_{i=1}^{n}g^{r_i+c\cdot a_i\cdot x_i}=R\cdot\prod_{i=1}^{n}{X_i}^{c\cdot a_i}=R\cdot \widetilde{X}^{c} gs=∏i=1ngsi=∏i=1ngri+c⋅ai⋅xi=R⋅∏i=1nXic⋅ai=R⋅X c
Rogue public-key attack
(1)中简单聚合的不安全之处:
- 假设恶意敌手注册了一个非法公钥 p k 2 : = g 2 α ⋅ ( p k 1 ) − 1 ∈ G 2 pk_2:=g_2^\alpha\cdot(pk_1)^{-1}\in\mathbb{G}_2 pk2:=g2α⋅(pk1)−1∈G2,其中 p k 1 pk_1 pk1是某个不知情用户Bob的公钥, α ← Z p \alpha\leftarrow\mathbb{Z}_p α←Zp是随机选择的
- 敌手可以通过呈现聚合签名 σ : = H 0 ( m ) α \sigma:=H_0(m)^\alpha σ:=H0(m)α声称自己和Bob都签署了同一个消息 m ∈ M m\in\mathcal{M} m∈M
- 这个签名作为两个签名的聚合进行验证,一个来自
p
k
1
pk_1
pk1,另一个来自
p
k
2
pk_2
pk2,因为
e ( σ , g 2 ) = e ( H 0 ( m ) α , g 2 ) = e ( H 0 ( m ) , g 2 α ) = e ( H 0 ( m ) , p k 1 ⋅ p k 2 ) e(\sigma,g_2)=e(H_0(m)^\alpha,g_2)=e(H_0(m),g_2^\alpha)=e(H_0(m),pk_1\cdot pk_2) e(σ,g2)=e(H0(m)α,g2)=e(H0(m),g2α)=e(H0(m),pk1⋅pk2)
所以攻击者伪造了一个Bob对消息m的签名,但Bob从未签署过。
解决方案
- 要求每个用户证明知道或拥有相应的密钥,但这在实践中很难实施,并且不适合加密货币的应用。
- 要求被聚合的消息是不同的。可以通过在签名之前始终将公钥放在每条消息前面来强制执行消息的特殊性。但是,因为现在所有消息都是不同的,所以在聚合公共消息m上的签名时,不能像(3)中那样简化公钥聚合
(A)MSP: Multi-Signatures with Key Aggregation from Pairings
MSP:pairing-based multi-signature with public-key aggregation
基于BLS signature scheme构造的Multi-Signatures with Key Aggregation方案
H
0
:
{
0
,
1
}
∗
→
G
2
,
H
1
:
{
0
,
1
}
∗
→
Z
q
.
H_0:\{0,1\}^*\rightarrow\mathbb{G}_2,H_1:\{0,1\}^∗\rightarrow\mathbb{Z}_q.
H0:{0,1}∗→G2,H1:{0,1}∗→Zq.
S
i
g
n
(
p
a
r
,
{
p
k
1
,
.
.
.
,
p
k
n
}
,
s
k
i
,
m
)
→
σ
{\bf Sign}(par,\{pk_1,...,pk_n\},sk_i,m)\rightarrow \sigma
Sign(par,{pk1,...,pkn},ski,m)→σ
- s i ← H 0 ( m ) a i ⋅ s k i s_i\leftarrow H_0(m)^{a_i\cdot sk_i} si←H0(m)ai⋅ski,其中 a i ← H 1 ( p k i , { p k 1 , . . . , p k n } ) a_i\leftarrow H_1(pk_i,\{pk_1,...,pk_n\}) ai←H1(pki,{pk1,...,pkn}),将 s i s_i si发送给指定的合成器
- 合成器计算合成签名
σ
←
∏
j
=
1
n
s
j
\sigma\leftarrow\prod_{j=1}^ns_j
σ←∏j=1nsj。合成器可以是其中某一个signer或某个额外的参与方
注: s i s_i si可以看作是multi signature,而生成的 s i g m a sigma sigma是多个multi signature聚合成的。
推导过程:验证总体签名
e
(
σ
,
g
2
−
1
)
⋅
e
(
H
0
(
m
)
,
a
p
k
)
=
e
(
∏
j
=
1
n
s
j
,
g
2
−
1
)
⋅
e
(
H
0
(
m
)
,
∏
i
=
1
n
p
k
i
H
1
(
p
k
i
,
{
p
k
1
,
.
.
.
,
p
k
n
}
)
)
=
e
(
H
0
(
m
)
∑
j
=
1
n
a
j
⋅
s
k
j
,
g
2
−
1
)
⋅
e
(
H
0
(
m
)
,
g
2
∑
i
=
1
n
s
k
i
⋅
a
i
)
=
1
G
t
\begin{aligned} e(\sigma,g_2^{-1})\cdot e(H_0(m),apk)&=e(\prod_{j=1}^ns_j,g_2^{-1})\cdot e(H_0(m),\prod_{i=1}^npk_i^{H_1(pk_i,\{pk_1,...,pk_n\})})\\ &=e(H_0(m)^{\sum_{j=1}^n a_j\cdot sk_j},g_2^{-1})\cdot e(H_0(m),g_2^{\sum_{i=1}^n sk_i\cdot a_i})\\ &=1_{\mathbb{G}_t} \end{aligned}
e(σ,g2−1)⋅e(H0(m),apk)=e(j=1∏nsj,g2−1)⋅e(H0(m),i=1∏npkiH1(pki,{pk1,...,pkn}))=e(H0(m)∑j=1naj⋅skj,g2−1)⋅e(H0(m),g2∑i=1nski⋅ai)=1Gt
B
a
t
c
h
v
e
r
i
f
i
c
a
t
i
o
n
(
m
i
,
σ
i
,
a
p
k
i
)
i
=
1
b
{\bf Batch~verification}(m_i,\sigma_i,apk_i)_{i=1}^b
Batch verification(mi,σi,apki)i=1b
一组
b
b
b个multi-signature可以批量验证,如果每个
m
1
,
.
.
.
,
m
b
m_1,...,m_b
m1,...,mb都不同,我们可以像(1)那样使用签名聚合来批量验证所有这些三元组:
- 计算聚合签名 σ ~ : = σ 1 . . . σ b ∈ G 2 \widetilde{\sigma}:=\sigma_1...\sigma_b\in\mathbb{G}_2 σ :=σ1...σb∈G2
- 接受所有bmulti-signature 元组为有效,如果 e ( σ ~ , g 2 ) = e ( H 0 ( m 1 ) , a p k 1 ) . . . e ( H 0 ( m b ) , a p k b ) e(\widetilde{\sigma},g_2)=e(H_0(m_1),apk_1)...e(H_0(m_b),apk_b) e(σ ,g2)=e(H0(m1),apk1)...e(H0(mb),apkb)
这样的聚合签名只需要验证 b + 1 b+1 b+1个双线性对计算而不是 2 b 2b 2b个
如果有一些消息是重复的,可以通过预先引入随机指数 ρ 1 , . . . , ρ b ← { 1 , . . . , 2 κ } \rho_1,...,\rho_b\leftarrow\{1,...,2^\kappa\} ρ1,...,ρb←{1,...,2κ}来保证安全性: σ ~ : = σ 1 ρ 1 . . . σ b ρ b ∈ G 2 \widetilde{\sigma}:=\sigma_1^{\rho_1}...\sigma_b^{\rho_b}\in\mathbb{G}_2 σ :=σ1ρ1...σbρb∈G2,验证 e ( σ ~ , g 2 ) = e ( H 0 ( m 1 ) , a p k 1 ρ 1 ) . . . e ( H 0 ( m b ) , a p k b ρ b ) e(\widetilde{\sigma},g_2)=e(H_0(m_1),apk_1^{\rho_1})...e(H_0(m_b),apk_b^{\rho_b}) e(σ ,g2)=e(H0(m1),apk1ρ1)...e(H0(mb),apkbρb)
AMSP:Aggregating Multi-Signatures
可通过将MSP乘起来聚合它们,只要被聚合的签名的消息是不同的。保证消息不同最简单的办法是在消息中包括聚合公钥
AMSP和MSP:
- 相同: P g , K g , K A g {\rm Pg, Kg,KAg} Pg,Kg,KAg
- 改进:
S
i
g
n
,
V
f
{\rm Sign,Vf }
Sign,Vf:将
a
p
k
apk
apk包含在签名的消息中
- 增加:
S
A
g
,
A
V
f
{\rm SAg,AVf }
SAg,AVf
ASM: Accountable-Subgroup Multi-signatures
ASM
P
g
→
p
a
r
{\rm Pg}\rightarrow par
Pg→par
K
g
→
(
p
k
,
s
k
)
{\rm Kg}\rightarrow(pk,sk)
Kg→(pk,sk)
G
S
e
t
u
p
(
s
k
,
P
K
)
→
m
k
,
P
K
=
{
p
k
1
,
.
.
.
,
p
k
n
}
{\rm GSetup}(sk,\mathcal{PK})\rightarrow mk,\mathcal{PK}=\{pk_1,...,pk_n\}
GSetup(sk,PK)→mk,PK={pk1,...,pkn},
m
k
mk
mk:membership key
S
i
g
n
(
p
a
r
,
P
K
,
S
,
s
k
,
m
k
,
m
)
→
σ
{\rm Sign}(par,\mathcal{PK},S,sk,mk,m)\rightarrow\sigma
Sign(par,PK,S,sk,mk,m)→σ,
S
⊆
{
1
,
.
.
.
,
∣
P
K
∣
}
S\subseteq\{1,...,|\mathcal{PK}|\}
S⊆{1,...,∣PK∣}
K
A
g
(
P
K
)
→
a
p
k
{\rm KAg}(\mathcal{PK})\rightarrow apk
KAg(PK)→apk
V
f
(
p
a
r
,
a
p
k
,
S
,
m
,
σ
)
→
0
/
1
{\rm Vf}(par,apk,S,m,\sigma)\rightarrow 0/1
Vf(par,apk,S,m,σ)→0/1
Scheme
Parameter generation, key generation, key aggregation 三个算法与MSP相同
G
S
e
t
u
p
(
s
k
i
,
P
K
)
→
m
k
{\rm GSetup}(sk_i,\mathcal{PK})\rightarrow mk
GSetup(ski,PK)→mk
- Signer i i i计算 a p k ← K A g ( P K ) apk\leftarrow{\rm KAg}(\mathcal{PK}) apk←KAg(PK), a i ← H 1 ( p k i , P K ) a_i\leftarrow H_1(pk_i,\mathcal{PK}) ai←H1(pki,PK)
- 计算 μ j , i = H 2 ( a p k , j ) a i ⋅ s k i \mu_{j,i}=H_2(apk,j)^{a_i\cdot sk_i} μj,i=H2(apk,j)ai⋅ski并发送给所有 j ≠ i j\neq i j=i的signer
- 收到所有 j ≠ i j\neq i j=i的 μ i , j \mu_{i,j} μi,j,计算 μ i , i = H 2 ( a p k , i ) a i ⋅ s k i \mu_{i,i}=H_2(apk,i)^{a_i\cdot sk_i} μi,i=H2(apk,i)ai⋅ski
- 返回
m
k
i
←
∏
j
=
1
n
μ
i
,
j
mk_i\leftarrow\prod_{j=1}^n\mu_{i,j}
mki←∏j=1nμi,j
注意如果所有的signer诚实,有: e ( g 2 , m k i ) = e ( g 2 , ∏ j = 1 n H 2 ( a p k , i ) a j ⋅ s k j ) = e ( g 2 ∑ j = 1 n a j ⋅ s k j , H 2 ( a p k , i ) ) = e ( a p k , H 2 ( a p k , i ) ) e(g_2,mk_i) = e(g_2,\prod_{j=1}^nH_2(apk,i)^{a_j\cdot sk_j}) = e(g_2^{\sum_{j=1}^na_j\cdot sk_j},H_2(apk,i)) =e(apk,H_2(apk,i)) e(g2,mki)=e(g2,∏j=1nH2(apk,i)aj⋅skj)=e(g2∑j=1naj⋅skj,H2(apk,i))=e(apk,H2(apk,i))
S i g n ( p a r , P K , S , s k i , m k i , m ) {\rm Sign}(par,\mathcal{PK},S,sk_i,mk_i,m) Sign(par,PK,S,ski,mki,m)
- 计算 a p k ← K A g ( P K ) apk\leftarrow{\rm KAg}(\mathcal{PK}) apk←KAg(PK), s i ← H 0 ( a p k , m ) s k i ⋅ m k i s_i\leftarrow H_0(apk,m)^{sk_i}\cdot mk_i si←H0(apk,m)ski⋅mki
- 将 ( p k i , s i ) (pk_i,s_i) (pki,si)发送给指定的合成器( S S S的某个参与方或额外的第三方),合成器计算: p k ← ∏ j ∈ S p k j , s ← ∏ j ∈ S s j pk\leftarrow\prod_{j\in S}pk_j,s\leftarrow\prod_{j\in S}s_j pk←∏j∈Spkj,s←∏j∈Ssj,输出multi签名: σ : = ( p k , s ) \sigma:=(pk,s) σ:=(pk,s)
V f ( p a r , a p k , S , m , σ ) → 0 / 1 {\rm Vf}(par,apk,S,m,\sigma)\rightarrow 0/1 Vf(par,apk,S,m,σ)→0/1
- 解析签名
σ
\sigma
σ为
(
p
k
,
s
)
(pk,s)
(pk,s),验证:
e ( H 0 ( a p k , m ) , p k ) ⋅ e ( ∏ j ∈ S H 2 ( a p k , j ) , a p k ) = ? e ( s , g 2 ) e\left(\mathrm{H}_{0}(a p k, m), p k\right) \cdot e\left(\prod_{j \in S} \mathrm{H}_{2}(a p k, j), a p k\right) \stackrel{?}{=} e\left(s, g_{2}\right) e(H0(apk,m),pk)⋅e(∏j∈SH2(apk,j),apk)=?e(s,g2)
通过则返回1.
推导:
e
(
H
0
(
a
p
k
,
m
)
,
p
k
)
⋅
e
(
∏
j
∈
S
H
2
(
a
p
k
,
j
)
,
a
p
k
)
=
e
(
H
0
(
a
p
k
,
m
)
,
∏
j
∈
S
p
k
j
)
⋅
e
(
∏
j
∈
S
H
2
(
a
p
k
,
j
)
,
∏
i
=
1
n
p
k
i
a
i
)
=
∏
j
∈
S
e
(
H
0
(
a
p
k
,
m
)
s
k
j
,
g
2
)
⋅
∏
i
=
1
n
e
(
∏
j
∈
S
H
2
(
a
p
k
,
j
)
a
i
⋅
s
k
i
,
g
2
)
=
e
(
∏
j
∈
S
H
0
(
a
p
k
,
m
)
s
k
j
,
g
2
)
⋅
e
(
∏
i
,
∈
[
1
,
n
]
,
j
∈
S
μ
j
,
i
,
g
2
)
=
e
(
∏
i
=
1
n
s
i
,
g
2
)
=
e
(
s
,
g
2
)
\begin{aligned} &e\left(\mathrm{H}_{0}(a p k, m), p k\right) \cdot e\left(\prod_{j \in S} \mathrm{H}_{2}(a p k, j), a p k\right) \\ &=e\left(\mathrm{H}_{0}(a p k, m), \prod_{j\in S}pk_j\right) \cdot e\left(\prod_{j \in S} \mathrm{H}_{2}(a p k, j), \prod_{i=1}^n pk_i^{a_i}\right)\\ &=\prod_{j\in S}e\left(\mathrm{H}_{0}(a p k, m)^{sk_j}, g_2\right) \cdot \prod_{i=1}^ne\left(\prod_{j \in S} \mathrm{H}_{2}(a p k, j)^{a_i\cdot sk_i}, g_2\right)\\ &=e\left(\prod_{j\in S}\mathrm{H}_{0}(a p k, m)^{sk_j}, g_2\right) \cdot e\left(\prod_{i,\in[1,n],j \in S} \mu_{j,i}, g_2\right)\\ &=e\left(\prod_{i=1}^ns_i, g_2\right) =e\left(s, g_2\right) \end{aligned}
e(H0(apk,m),pk)⋅e⎝⎛j∈S∏H2(apk,j),apk⎠⎞=e⎝⎛H0(apk,m),j∈S∏pkj⎠⎞⋅e⎝⎛j∈S∏H2(apk,j),i=1∏npkiai⎠⎞=j∈S∏e(H0(apk,m)skj,g2)⋅i=1∏ne⎝⎛j∈S∏H2(apk,j)ai⋅ski,g2⎠⎞=e⎝⎛j∈S∏H0(apk,m)skj,g2⎠⎞⋅e⎝⎛i,∈[1,n],j∈S∏μj,i,g2⎠⎞=e(i=1∏nsi,g2)=e(s,g2)
MSDL:A Scheme from Discrete Logarithms
H
0
,
H
1
,
H
2
:
{
0
,
1
}
∗
→
Z
q
H_0,H_1,H_2:\{0,1\}^*\rightarrow\mathbb{Z}_q
H0,H1,H2:{0,1}∗→Zq
S
i
g
n
(
p
a
r
,
{
p
k
1
,
.
.
.
,
p
k
n
}
,
s
k
,
m
)
{\rm Sign}(par,\{pk_1,...,pk_n\},sk,m)
Sign(par,{pk1,...,pkn},sk,m)
- Round 1. r i ⟵ r a n Z q r_{i} \stackrel{ran}{\longleftarrow} \mathbb{Z}_{q} ri⟵ranZq, R i ← g r i , t i ← H 2 ( R i ) R_{i} {\leftarrow}g^{r_i},t_i{\leftarrow}H_2(R_i) Ri←gri,ti←H2(Ri)。将 t i t_i ti发送给其他对应参与方,并等待接收所有 t j , j ≠ i t_j,j\neq i tj,j=i
- Round 2. 广播发送 R i R_i Ri给 p k 1 , . . . , p k n pk_1,...,pk_n pk1,...,pkn中的其他参与方,并等待接收所有 R j , j ≠ i R_j,j\neq i Rj,j=i,分别查验 t j = H 2 ( R j ) , j = 1 , . . . , n t_j=H_2(R_j),j=1,...,n tj=H2(Rj),j=1,...,n
- Round 3. 计算
a
p
k
←
K
A
g
(
{
p
k
1
,
.
.
.
,
p
k
n
}
)
apk\leftarrow KAg(\{pk_1,...,pk_n\})
apk←KAg({pk1,...,pkn}),令
a
i
←
H
1
(
p
k
i
,
{
p
k
1
,
.
.
.
,
p
k
n
}
)
a_i\leftarrow H_1(pk_i,\{pk_1,...,pk_n\})
ai←H1(pki,{pk1,...,pkn}).
注意,当使用同一组签名者对多个消息进行签名时, a p k apk apk和 a i a_i ai可以被存储而不是重新计算。
计算: R ˉ ← ∏ j = 1 n R j , c ← H 0 ( R ˉ , a p k , m ) . s i ← r i + c ⋅ s k i ⋅ a i m o d q \bar{R}\leftarrow\prod_{j=1}^nR_j,c\leftarrow H_0(\bar{R},apk,m).s_i\leftarrow r_i+c\cdot sk_i\cdot a_i~mod~q Rˉ←∏j=1nRj,c←H0(Rˉ,apk,m).si←ri+c⋅ski⋅ai mod q。广播发送 s i s_i si并收集其他所有 s j , j ≠ i s_j,j\neq i sj,j=i。计算 s ← ∑ j = 1 n s j s\leftarrow\sum_{j=1}^n s_j s←∑j=1nsj并输出 σ ← ( R ˉ , s ) \sigma\leftarrow(\bar{R},s) σ←(Rˉ,s).
V f ( p a r , a p k , m , σ ) → 0 / 1 {\rm Vf}(par,apk,m,\sigma)\rightarrow 0/1 Vf(par,apk,m,σ)→0/1
- 解析签名
(
R
ˉ
,
s
)
∈
G
×
Z
q
(\bar{R},s)\in\mathbb{G}\times\mathbb{Z}_q
(Rˉ,s)∈G×Zq,计算
c
←
H
0
(
R
ˉ
,
a
p
k
,
m
)
c\leftarrow H_0(\bar{R},apk,m)
c←H0(Rˉ,apk,m)并输入1如果满足:
g
s
⋅
a
p
k
−
c
=
?
R
ˉ
g^s\cdot apk^{-c}\stackrel{?}{=}\bar{R}
gs⋅apk−c=?Rˉ
推导: g s ⋅ a p k − c = g ∑ j = 1 n s j ⋅ ( ∏ i = 1 n p k i a i ) − c = g ∑ j = 1 n r j + c ⋅ s k j ⋅ a j ⋅ ( g ∑ i = 1 n − c ⋅ s k i ⋅ a i ) = g ∑ j = 1 n r j = R ˉ g^s\cdot apk^{-c}=g^{\sum_{j=1}^n s_j}\cdot(\prod_{i=1}^npk_i^{a_i})^{-c}=g^{\sum_{j=1}^n r_j+c\cdot sk_j\cdot a_j}\cdot(g^{\sum_{i=1}^n-c\cdot sk_i\cdot a_i})=g^{\sum_{j=1}^n r_j}=\bar{R} gs⋅apk−c=g∑j=1nsj⋅(∏i=1npkiai)−c=g∑j=1nrj+c⋅skj⋅aj⋅(g∑i=1n−c⋅ski⋅ai)=g∑j=1nrj=Rˉ
批量验证:该方案允许更有效的批量验证,允许验证者用一个3n次幂而不是n个2次幂来检查n个签名的有效性。
- 验证n个签名list:
{
(
a
p
k
i
,
m
i
,
(
R
ˉ
i
,
s
i
)
)
}
i
=
1
n
\{(apk_i,m_i,(\bar{R}_i,s_i))\}_{i=1}^n
{(apki,mi,(Rˉi,si))}i=1n,计算
c
i
←
H
0
(
R
ˉ
i
,
a
p
k
i
,
m
i
)
c_i\leftarrow H_0(\bar{R}_i,apk_i,m_i)
ci←H0(Rˉi,apki,mi),
α
i
⟵
r
a
n
Z
q
f
o
r
i
=
1
,
.
.
.
,
n
\alpha_{i} \stackrel{ran}{\longleftarrow} \mathbb{Z}_{q}~for~i=1,...,n
αi⟵ranZq for i=1,...,n,如果满足以下条件,accept:
∏ i = 1 n g α i s i a p k i − α i c i R ˉ i − α i = ? 1 G \prod_{i=1}^{n} g^{\alpha_{i} s_{i}} a p k_{i}^{-\alpha_{i} c_{i}} \bar{R}_{i}^{-\alpha_{i}} \stackrel{?}{=} 1_{\mathbb{G}} i=1∏ngαisiapki−αiciRˉi−αi=?1G
(推导过程同上,仅加入了随机性 α i \alpha_i αi)
Schemes with Proofs of Possession
Rogue-key attacks in multi-signatures 可以通过让签名者向他们的公钥添加所谓的拥有证明(PoP)来阻止,即对他们自己的公钥的签名。
PoP的缺陷:导致公钥规模的增长。
But! 在某些情况下,单个公钥的大小并不重要:
- Multisig地址原则上不需要显示所有签名者的单个公钥,只要聚合公钥是已知的,并被所有签名者同意。在创建Multisig钱包时,签名者可以通过交换和验证彼此的pop来建立对聚合密钥的信任,但只向外界发布聚合密钥。
- 在分布式账本(例如,区块链)中,Signers可能是一个相对较小的静态节点集,其公钥可以被验证一次,然后以任意组合进行聚合。
(A)MSP-pop:Pairing-Based Schemes with PoPs
一个额外的hash
H
1
:
{
0
,
1
}
∗
→
G
1
H_1:\{0,1\}^*\rightarrow\mathbb{G}_1
H1:{0,1}∗→G1
Key generation:
y
←
g
2
s
k
y\leftarrow g_2^{sk}
y←g2sk,PoP:
π
←
H
1
(
y
)
x
,
p
k
←
(
y
,
π
)
\pi\leftarrow H_1(y)^x,pk\leftarrow(y,\pi)
π←H1(y)x,pk←(y,π)
KAg:验证
e
(
H
1
(
y
i
)
,
y
i
)
=
?
e
(
π
i
,
g
2
)
,
i
=
1
,
.
.
.
,
n
e(H_1(y_i),y_i)\stackrel{?}{=}e(\pi_i,g_2),i=1,...,n
e(H1(yi),yi)=?e(πi,g2),i=1,...,n,输出
a
p
k
←
∏
i
=
1
n
y
i
apk\leftarrow\prod_{i=1}^n y_i
apk←∏i=1nyi
(MSP-pop)Sign:计算部分签名
s
i
←
H
0
(
m
)
s
k
i
s_i\leftarrow H_0(m)^{sk_i}
si←H0(m)ski
(AMSP-pop)Sign:计算部分签名
s
i
←
H
0
(
a
p
k
,
m
)
s
k
i
s_i\leftarrow H_0(apk,m)^{sk_i}
si←H0(apk,m)ski
签名组合、聚合和验证与MSP、AMSP完全相同。
ASM-pop:Accountable-Subgroup Scheme with PoPs
Key generation:与上面(A)MSP-pop中相同
KAg:一组密钥
P
K
=
{
(
y
1
,
π
1
)
,
.
.
.
,
(
y
n
,
π
n
)
}
\mathcal{PK}=\{(y_1,\pi_1),...,(y_n,\pi_n)\}
PK={(y1,π1),...,(yn,πn)}聚合不仅包含
Y
←
∏
i
=
1
n
y
i
Y\leftarrow\prod_{i=1}^ny_i
Y←∏i=1nyi,还包含
h
←
H
3
(
P
K
)
h\leftarrow H_3(\mathcal{PK})
h←H3(PK),其中
H
3
{
0
,
1
}
∗
→
Z
q
H_3\{0,1\}^*\rightarrow\mathbb{Z}_q
H3{0,1}∗→Zq。
a
p
k
←
(
Y
,
h
)
apk\leftarrow(Y,h)
apk←(Y,h).包含这个散列的原因是,当模拟对
H
2
(
a
p
k
,
i
)
H_2(apk,i)
H2(apk,i)的响应时,模拟器必须能够判断
i
i
i是否是集合
P
K
\mathcal{PK}
PK中目标签名者的索引.
Group setup
- 计算 a p k ← ( Y , h ) apk\leftarrow(Y,h) apk←(Y,h)并发送 μ j , i = H 2 ( a p k , j ) s k i \mu_{j,i}=H_2(apk,j)^{sk_i} μj,i=H2(apk,j)ski给签名方 j j j
- 收到所有 μ i , j , i ≠ j \mu_{i,j},i\neq j μi,j,i=j后,签名方 i i i计算 μ i , i ← H 2 ( a p k , i ) s k i \mu_{i,i}\leftarrow H_2(apk,i)^{sk_i} μi,i←H2(apk,i)ski
- 输出 m k i ← ∏ j = 1 n μ i , j mk_i\leftarrow\prod_{j=1}^n\mu_{i,j} mki←∏j=1nμi,j
- 如果所有的签名方都诚实,有
e ( g 2 , m k i ) = e ( g 2 , ∏ j = 1 n μ i , j ) = e ( g 2 , ∏ j = 1 n H 2 ( a p k , i ) s k j ) = e ( ∏ j = 1 n g 2 s k j , H 2 ( a p k , i ) ) = e ( Y , H 2 ( a p k , i ) ) e(g_2,mk_i) = e(g_2,\prod_{j=1}^n\mu_{i,j}) = e(g_2,\prod_{j=1}^nH_2(apk,i)^{sk_j})=e(\prod_{j=1}^ng_2^{sk_j},H_2(apk,i))=e(Y,H_2(apk,i)) e(g2,mki)=e(g2,∏j=1nμi,j)=e(g2,∏j=1nH2(apk,i)skj)=e(∏j=1ng2skj,H2(apk,i))=e(Y,H2(apk,i))
签名和验证与ASM相同,除了公钥的乘积 p k ← ∏ j ∈ S p k j pk\leftarrow\prod_{j\in S}pk_j pk←∏j∈Spkj被 y ← ∏ j ∈ S y j y\leftarrow\prod_{j\in S}y_j y←∏j∈Syj代替
MSDL-pop:Schemes from Discrete Logarithms with PoPs
Key generation:
- 选择 s k ⟵ r a n Z q sk\stackrel{ran}{\longleftarrow}\mathbb{Z}_q sk⟵ranZq,计算 y ← g s k y\leftarrow g^{sk} y←gsk.
- 并使用 H 1 H_1 H1作为哈希函数在 y y y上添加PoP,这是一个Schnorr签名: r ⟵ r a n Z q , t ← g r , c ← H 1 ( t , y ) , s ← r + c ⋅ s k m o d q r\stackrel{ran}{\longleftarrow}\mathbb{Z}_q,t\leftarrow g^r,c\leftarrow H_1(t,y),s\leftarrow r+c\cdot sk~mod~q r⟵ranZq,t←gr,c←H1(t,y),s←r+c⋅sk mod q
- 公钥 p k ← ( y , c , s ) pk\leftarrow(y,c,s) pk←(y,c,s)
KAg:聚合密钥 { ( y 1 , c 1 , s 1 ) , . . . , ( y n , c n , s n ) } \{(y_1,c_1,s_1),...,(y_n,c_n,s_n)\} {(y1,c1,s1),...,(yn,cn,sn)}
- 查验
c
i
=
?
H
1
(
g
s
y
i
−
c
i
,
y
i
)
,
i
=
1
,
.
.
.
,
n
c_i\stackrel{?}{=}H_1(g^sy_i^{-c_i},y_i),i=1,...,n
ci=?H1(gsyi−ci,yi),i=1,...,n
( H 1 ( g s y i − c i , y i ) = H 1 ( g r i + c i ⋅ s k i y i − c i , y i ) = c i ) (H_1(g^sy_i^{-c_i},y_i)=H_1(g^{ r_i+c_i\cdot sk_i}y_i^{-c_i},y_i)=c_i) (H1(gsyi−ci,yi)=H1(gri+ci⋅skiyi−ci,yi)=ci) - 计算 a p k ← ∏ i = 1 n y i apk\leftarrow\prod_{i=1}^ny_i apk←∏i=1nyi
签名协议与MSDL相同,除了第三轮计算 s i ← r i + c i ⋅ s k i m o d q s_i\leftarrow r_i+c_i\cdot sk_i~mod~q si←ri+ci⋅ski mod q