MuSig multi-signatures for Schnorr signatures, and the mathematics of the key cancellation and replay attacks


1. A naive multi-signature (with a security problem)

Elliptic curve scalar multiplication is linear (it distributes over scalar addition). So if you have two scalars $x, y$ with corresponding points $X = xG$ and $Y = yG$, the following holds:

$(x + y)G = xG + yG = X + Y$

Schnorr signatures are of the form $s = r + e \cdot k$. This construction is linear too, so it fits nicely with the linearity of elliptic curve arithmetic.

1.1 Constructing a two-of-two multi-signature

Alice and Bob want to cosign something (a Tari transaction, say) without having to trust each other; i.e. each needs to be able to prove ownership of their own key, and the aggregate signature must only be valid if both Alice and Bob contribute their part of the signature.
Denote private keys by $k_i$, public keys by $P_i = k_i G$, and nonces by $r_i$ with public nonces $R_i = r_i G$. If we ask Alice and Bob to each supply a nonce, we can try:

$P_{agg} = P_a + P_b$
$R_{agg} = R_a + R_b$
$e = H(R_a \| R_b \| P_a \| P_b \| m)$
$s_{agg} = r_a + r_b + (k_a + k_b)e = (r_a + k_a e) + (r_b + k_b e) = s_a + s_b$

So it looks like Alice and Bob can each supply their own $R$, and anyone can construct the two-of-two signature from the sum of the $R$s and public keys, verifying it as $s_{agg} G = R_{agg} + e P_{agg}$.

1.2 Key Cancellation Attack

The signing scheme from 1.1 is vulnerable to a key cancellation attack, which works as follows:
Bob knows Alice's public key and nonce ahead of time, by waiting until she reveals them.
Now Bob lies and says that his public key is $P'_b = P_b - P_a$ and his public nonce is $R'_b = R_b - R_a$.
Note that Bob doesn't know the private keys for these faked values, but that doesn't matter.
Everyone assumes that the aggregate signature must satisfy $s_{agg} G = R_a + R'_b + e(P_a + P'_b)$, as per the aggregation scheme.
But Bob can create this signature himself. Substituting his faked values, the aggregate verification key collapses to his own:

$R_a + R'_b + e(P_a + P'_b) = R_a + (R_b - R_a) + e(P_a + P_b - P_a) = R_b + e P_b$

so $s_{agg} = r_b + e k_b$ passes verification, and Bob can compute it (including $e$, since all of its inputs are public) without any input from Alice. The "two-of-two" signature has become a signature that Bob controls alone.
In the key cancellation attack, Bob didn't know the private keys for his published $R$ and $P$ values. We could defeat Bob by asking him to sign a message proving that he does know the private keys. This works, but it requires another round of messaging between the parties, which is not conducive to a great user experience.

A better approach would be one that incorporates one or more of the following features:

  1. It must be provably secure in the plain public-key model, without having to prove knowledge of secret keys, as we might have asked Bob to do in the naïve approach.
  2. It should satisfy the normal Schnorr equation, i.e. the resulting signature can be verified with an expression of the form $R + eX$.
  3. It allows for Interactive Aggregate Signatures (IAS), where the signers are required to cooperate.
  4. It allows for Non-interactive Aggregate Signatures (NAS), where the aggregation can be done by anyone.
  5. It allows each signer to sign the same message, $m$.
  6. It allows each signer to sign their own message, $m_i$.

2. MuSig

MuSig is a simple signature aggregation scheme, proposed in 2018 by Maxwell, Poelstra, Seurin and Wuille, that satisfies all of the properties in the preceding section.

2.1 How MuSig works

We demonstrate the interactive MuSig scheme here, where each signatory signs the same message. The scheme works as follows:

  1. Each signer has a public-private key pair $(k_i, X_i)$, as before.
  2. Each signer shares a commitment to their public nonce (we'll skip this step in this demonstration). The commitment round stops a signer from choosing their nonce after seeing everyone else's; without it, the two-round variant can be broken by the concurrent-session attack described in "On the Security of Two-Round Multi-Signatures" (Drijvers et al., 2019).
  3. Each signer publishes the public key of their nonce, $R_i = r_i G$.
  4. Everyone calculates the same "shared public key" $X$ as follows (where the $X_i$ are the signers' public keys):

    $L = H(X_1 \| X_2 \| \dots \| X_n)$
    $a_i = H(L \| X_i)$
    $X = \sum_i a_i X_i$

Note that for the preceding ordering of public keys, some deterministic convention should be used, such as the lexicographical order of the serialized keys.

  5. Everyone also calculates the shared nonce, $R = \sum_i R_i$.
  6. The challenge $e$ is $H(R \| X \| m)$.
  7. Each signer provides their contribution to the signature as:

    $s_i = r_i + a_i k_i e$

Notice that the only departure here from a standard Schnorr signature is the inclusion of the factor $a_i$.
The aggregate signature is the usual summation, $s = \sum_i s_i$.
Verification is done, as usual, by confirming that:

$sG \equiv R + eX$

Proof:

$sG = \sum_i s_i G = \sum_i r_i G + e \sum_i a_i k_i G = \sum_i R_i + e \sum_i a_i X_i = R + eX$

2.2 Why MuSig resists the key cancellation attack

Suppose Bob again provides fake values for his nonce and public key:

$R_f = R_b - R_a$
$X_f = X_b - X_a$

This leads to both Alice and Bob calculating the following "shared" values:

$R = R_a + R_f = R_b$
$X = a_a X_a + a_f X_f$

where $a_a = H(L \| X_a)$ and $a_f = H(L \| X_f)$ with $L = H(X_a \| X_f)$. Bob then tries to construct a unilateral signature following MuSig:

$s_b = r_b + k_s e$

Let's assume for now that $k_s$ doesn't need to be Bob's private key, but that he can derive it using information he knows. For this to be a valid signature, it must verify against $R + eX$. So therefore:

$s_b G = R + eX$
$r_b G + k_s e G = R_b + e(a_a X_a + a_f X_f)$
$k_s e G = e(a_a k_a + a_f k_f) G$
$k_s = a_a k_a + a_f k_f$

where $k_f$ is the (unknown) private key corresponding to $X_f$. In the previous attack, Bob had all the information he needed on the right-hand side of the analogous calculation. In MuSig, Bob would have to know Alice's private key $k_a$ and the private key $k_f$ of the faked key $X_f$ (the terms no longer cancel, because $X_a$ and $X_f$ are weighted by different factors $a_a \neq a_f$) in order to create a unilateral signature, and so his cancellation attack is defeated.

2.3 MuSig does not prevent the replay attack

A fresh nonce must be used for every signature.
It's critical that a new nonce be chosen for every signing ceremony. The best way to do this is to make use of a cryptographically secure (pseudo-)random number generator (CSPRNG).
Let's say an attacker can trick us into signing a new message by "rewinding" the signing ceremony to the point where partial signatures are generated. At this point, the attacker provides a different message $m'$, so the challenge becomes $e' = H(\dots \| m')$. Not suspecting any foul play, each party calculates their partial signature with the same nonce $r_i$:

$s'_i = r_i + a_i k_i e'$

However, the attacker still has access to the first set of partial signatures, $s_i = r_i + a_i k_i e$. He now simply subtracts them:

$s_i - s'_i = a_i k_i (e - e')$
$k_i = \frac{s_i - s'_i}{a_i (e - e')}$

Everything on the right-hand side of the final equation is known by the attacker ($a_i$ is computed from the public keys alone), and thus he can trivially extract everybody's private key. It's difficult to protect against this kind of attack. One way is to make it difficult (or impossible) to stop and restart signing ceremonies. If a multi-sig ceremony gets interrupted, then you need to start from step one again, with fresh nonces. This is fairly unergonomic, but until a more robust solution comes along, it may be the best we have!

A replay leaks every party's private key, and there is no especially effective defence against it. If a multi-party signing ceremony is interrupted, it must be restarted from the first step with new nonces.

References:
[1] Tari Labs University, "Introduction to Schnorr Signatures".
