Compact Multi-signatures for Smaller Blockchains

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)


We construct new multi-signature schemes that provide new functionality. Our schemes are designed to reduce the size of the Bitcoin blockchain, but are useful in many other settings where multi-signatures are needed. All our constructions support both signature compression and public-key aggregation. Hence, to verify that a number of parties signed a common message m, the verifier only needs a short multi-signature, a short aggregation of their public keys, and the message m. We give new constructions that are derived from Schnorr signatures and from BLS signatures. Our constructions are in the plain public key model, meaning that users do not need to prove knowledge or possession of their secret key.

In addition, we construct the first short accountable-subgroup multi-signature (ASM) scheme. An ASM scheme enables any subset \( S \) of a set of n parties to sign a message m so that a valid signature discloses which subset generated the signature (hence the subset \( S \) is accountable for signing m). We construct the first ASM scheme where signature size is only \(O(\kappa )\) bits over the description of \( S \), where \(\kappa \) is the security parameter. Similarly, the aggregate public key is only \(O(\kappa )\) bits, independent of n. The signing process is non-interactive. Our ASM scheme is very practical and well suited for compressing the data needed to spend funds from a t-of-n Multisig Bitcoin address, for any (polynomial size) t and n.
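As an added illustration (not code from the paper) of the key-aggregation interface the abstract describes: a toy Schnorr multi-signature in Python in which each public key enters the aggregate key raised to a hash-derived coefficient, so that the verifier needs only the aggregate key, the message and one short signature. The 64-bit Schnorr group, the hash tags and the simplified single-round nonce exchange are assumptions made for illustration only.

```python
import hashlib
import math
import secrets
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    r = ((n - 1) & (1 - n)).bit_length() - 1   # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        seq = [x] + [x := pow(x, 2, n) for _ in range(r - 1)]
        if seq[0] != 1 and n - 1 not in seq:
            return False
    return True

def make_group(bits=64):  # toy order-q subgroup of Z_p^*, p = 2q + 1, g = 4
    while True:  # 64-bit q is a demo-only assumption, far too small for real use
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def H(tag, *parts, q):  # domain-separated hash to Z_q
    data = "|".join([tag] + [repr(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def aggregate_keys(pks, p, q):
    """apk = prod pk_i^{a_i} with a_i = H(pk_i, L). Coefficients tied to the
    whole key set L are what make aggregation safe without proofs of possession."""
    L = sorted(pks)
    coeffs = {pk: H("agg", pk, L, q=q) for pk in L}
    return math.prod(pow(pk, coeffs[pk], p) for pk in L) % p, coeffs

def sign(sks, msg, p, q, g):
    """Each signer contributes r_i and s_i; the verifier sees only (R, s) and apk.
    A deployable scheme adds a commitment round before the R_i are revealed."""
    pks = [pow(g, sk, p) for sk in sks]
    apk, coeffs = aggregate_keys(pks, p, q)
    nonces = [secrets.randbelow(q - 1) + 1 for _ in sks]
    R = math.prod(pow(g, r, p) for r in nonces) % p
    c = H("sig", apk, R, msg, q=q)
    s = sum(r + c * coeffs[pk] * sk for r, pk, sk in zip(nonces, pks, sks)) % q
    return (R, s), apk

def verify(apk, msg, sig, p, q, g):  # needs only apk, m and the short (R, s)
    R, s = sig
    return pow(g, s, p) == R * pow(apk, H("sig", apk, R, msg, q=q), p) % p
```

The check in `verify` is the identity g^s = R * apk^c, which holds because s sums r_i + c * a_i * sk_i over all signers and apk is the product of pk_i^{a_i}.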



Boneh was supported by NSF, DARPA, a grant from ONR, the Simons Foundation, and a Google faculty fellowship. Drijvers and Neven were supported by the ERC under Grant PERCY #321310.



Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Stanford University, Stanford, USA
  2. DFINITY, Zurich, Switzerland
  3. ETH Zurich, Zurich, Switzerland
