Collective Edwards-Curve Digital Signature Algorithm

Similar documents
Keeping Authorities Honest or Bust with Decentralized Witness Cosigning

Decentralizing Authorities into Scalable Strongest-Link Cothorities

Scalable Bias-Resistant Distributed Randomness

Intended status: Informational. EPFL June 30, Collective Edwards-Curve Digital Signature Algorithm draft-ford-cfrg-cosi-00

Using Chains for what They re Good For

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

Problem: Equivocation!

Scalable Bias-Resistant Distributed Randomness

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains

The ZILLIQA Technical Whitepaper

ECDSA_CFRG: Schnorr Kravitz Vanstone

SOME OF THE PROBLEMS IN BLOCKCHAIN TODAY

Bitcoin and Blockchain

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Discreet Log Contracts

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Upgrading Bitcoin: Segregated Witness. Dr. Johnson Lau Bitcoin Core Contributor Co-author of Segregated Witness BIPs March-2016

Digital Signature. Raj Jain

A Lightweight Blockchain Consensus Protocol

The Blockchain. Josh Vorick

Digital Multi Signature Schemes Premalatha A Grandhi

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Cryptanalysis of the Lee-Hwang Group-Oriented Undeniable Signature Schemes

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

SpaceMint Overcoming Bitcoin s waste of energy

Viacoin Whitepaper. Viacoin Dev Team September 12, Abstract

Cryptographic hash functions and MACs

Catena: Preventing Lies with

RapidChain: Scaling Blockchain via Full Sharding

Bitcoin (Part I) Ken Calvert Keeping Current Seminar 22 January Keeping Current 1

Hash-based Signatures

Introduction to Bitcoin I

Speed-ups of Elliptic Curve-Based

The Not-So-Short ZILLIQA Technical FAQ

Efficient Quantum-Immune Keyless Signatures with Identity

Introducing. Bitcoin. A dilettante s guide to Bitcoin scalability. BIP-9000 (self-assigned) Quote It s kind of fun to do the impossible.

Chapter 9 Public Key Cryptography. WANG YANG

CONTENT. 1 Cryptography Overview Elliptic Curve Cryptography Introduction Digital Signature Algorithm 5

Resource-Efficient Mining (REM) with Proofs of Useful Work (PoUW)

University of Duisburg-Essen Bismarckstr Duisburg Germany HOW BITCOIN WORKS. Matthäus Wander. June 29, 2011

Blind Signatures in Scriptless Scripts

CONIKS: Bringing Key Transparency to End Users

Cryptographic protocols

Reliable Collective Cosigning to Scale Blockchain with Strong Consistency

EECS 498 Introduction to Distributed Systems

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Lecture 3.4: Public Key Cryptography IV

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Reminder: Homework 4. Due: Friday at the beginning of class

BBc-1 : Beyond Blockchain One - An Architecture for Promise-Fixation Device in the Air -

Cryptographic proof of custody for incentivized file-sharing

Cypherium: A Scalable and Permissionless Smart Contract Platform

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

ENEE 457: E-Cash and Bitcoin

Public Key Infrastructures

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

Public Key Algorithms

Security Analysis of the Lightning Network

Cryptography V: Digital Signatures

Cryptography V: Digital Signatures

DTB001: Decred Technical Brief

Concurrency and Privacy with Payment Channel Networks

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

From One to Many: Synced Hash-Based Signatures

Scriptless Scripts. Scriptless Scripts. Andrew Poelstra. March 4, 2017

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

ICS 421 & ICS 690. Bitcoin & Blockchain. Assoc. Prof. Lipyeow Lim Information & Computer Sciences Department University of Hawai`i at Mānoa

Public Key Cryptography

Blockchain Certification Protocol (BCP)

Digital Signatures. Sven Laur University of Tartu

Formal Expression of BBc-1 Mechanism and Its Security Analysis

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

IEEE Std and IEEE Std 1363a Ashley Butterworth Apple Inc.

1. Digital Signatures 2. ElGamal Digital Signature Scheme 3. Schnorr Digital Signature Scheme 4. Digital Signature Standard (DSS)

Bitcoin. CS6450: Distributed Systems Lecture 20 Ryan Stutsman

Identification Schemes

BlockFin A Fork-Tolerant, Leaderless Consensus Protocol April

Applied cryptography

Digital Signatures Do Not Guarantee Exclusive Ownership

CSC/ECE 774 Advanced Network Security

Part VI. Public-key cryptography

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Efficient identity-based GQ multisignatures

Internet Research Task Force (IRTF) Category: Informational April 2017 ISSN:

hard to perform, easy to verify

Distributed Concurrence Ledgers 16 May, 2016

Cryptography and Network Security. Sixth Edition by William Stallings

Security (and finale) Dan Ports, CSEP 552

Public-key Cryptography: Theory and Practice

Lecture 6. Mechanics of Bitcoin

ENHANCING BITCOIN SECURITY AND PERFORMANCE WITH STRONG CONSISTENCY VIA COLLECTIVE SIGNING

Accountable-Subgroup Multisignatures

Indistinguishable Proofs of Work or Knowledge

What is Proof of Work?

BitBill: Scalable, Robust, Verifiable Peer-to-Peer Billing for Cloud Computing

Transcription:

Collective Edwards-Curve Digital Signature Algorithm draft-ford-cfrg-cosi-00 Nicolas Gailly, Phillip Jovanovic, Linus Gasser, Bryan Ford Decentralized/Distributed Systems (DEDIS) IETF 99 Prague July 18, 2017

Goal: Efficient, Scalable Trust Splitting Weakest-link security: T=1 Strongest-link security: T = 2-10 Collective security: T = 100s,1000s

A Basic Tool: Collective Signing Multiple independent parties collaborate to validate and sign a single message or statement Often a threshold of a predefined group (t-of-n) Ensure transparency (many witnesses) Eliminate single points of failure Schnorr signatures easy & efficient to aggregate Many signatures compressed into space of ~1 Verifier incurs CPU cost of only ~1 verification

Basic Schnorr Signature (e.g., Ed25519) Generator g of prime order q group Public/private key pair: (K=g k, k) Signer Challenger Commitment Challenge Response V=g v c r = (v kc) Signature on M: (c, r) V c = H(M V) r Commitment recovery Challenge recovery Decision V' = g r K c = g v-kc g kc = g v = V c = H(M V ) c = c? Note: Ed25519/Ed448 use slightly different but equivalent (R,S) signature format

Schnorr Multisignature Generator g of prime order q group Public/private key pair: (K=g k, k) Signer 1 Signer 2 Challenger Commitment V 1 =g v1 V 2 =g v2 V = V 1 *V 2 Challenge c = H(M V) Response r 1 = (v 1 k 1 c) r 2 = (v 2 k 2 c) r = r1 + r2 Classic Schnorr multisignature on M: (c, r) Commitment recovery Challenge recovery Decision V' = g r K c = g v-kc g kc = g v = V c = H(M V ) c = c? Note: draft-ford-cfrg-cosi-00 uses (R,S) format for consistency with Ed25519/Ed448 specs

Formal Background, Analysis, Proofs Based on well-established body of formal work Horster et al, "Meta-Multisignature schemes based on the discrete logarithm problem" Michels et al, "On the risk of disruption in several multiparty signature schemes" Ohta/Okamoto, "Multi-Signature Schemes Secure against Active Insider Attacks" Micali et al, "Accountable-Subgroup Multisignatures" Bellare/Neven, "Multi-signatures in the plain public-key model and a general forking lemma" (delinearization approach)

Use-Case: Scalable Collective Signing [Syta et al, IEEE Security&Privacy 16] The time is 3PM. Amazon s public key is X. Authority Bob's public key is Y. The hash of latest ios is Z. Witnesses Alice Verification: signed by authority and T witnesses? Public Logs

Results: Collective Signing Time

Results: Verification Cost

Results: Collective Signature Size Ed25519: up to 512x smaller than N signatures

Optional: Higher Scalability via Trees 1. Announcement Phase 2. Commitment Phase 3. Challenge Phase 4. Response Phase

Use-Case: Bitcoin Transactions Schnorr Multisignatures for Bitcoin [Wuille] Compress many signatures on a transaction (or many transactions) into space of one Yield ~25% transaction space savings

Use-Case: Fast, Scalable Blockchains ByzCoin blockchain presented in [USENIX Security 16] Permanent transaction commitment in seconds 700+ TPS demonstrated (100x Bitcoin, ~PayPal) Low-power verification on light mobile devices 1 2 3 1 2 3 4 5 6... Key-Block 5-10 sec Bitcoin Cothority Miner Witnesses Micro-Block Co-Signature depends on

Use-Case: Offline-Verifiable Histories SkipChains: part of Chainiac [USENIX Sec 17] Efficiently prove existence+correctness of a transaction anywhere forward or back in time

draft-ford-cfrg-cosi-00 Starting-point draft (only) Intended to be consistent with & extension to Ed25519/Ed448 specified by RFC 8032 Structure summary: Basic signing/verification algorithms Simple 4-phase protocol for collective signing Optional more scalable tree-based protocol Message formats (currently protobuf-based) Security considerations, issues for discussion

Issues to be Discussed (if Adopted) Many design/implementation tradeoffs, e.g.: Strict Non-Malleability versus DoS Resistance Include participant mask in hash for non-malleability Precludes defense against O(N)-time restart attacks Best defense(s) against related-key attacks At group formation via self-signed keys (e.g., PGP) In signing/verification via delinearization (Bitcoin) Minimizing verifier state (Merkle pubkey trees) Probably many more

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback