Simple Schnorr multi-signatures with applications to Bitcoin

Published in Designs, Codes and Cryptography

Abstract

We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called \(\mathsf {MuSig}\), provably secure under the Discrete Logarithm assumption and in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging in the protocol). \(\mathsf {MuSig}\) improves over the state-of-the-art scheme of Bellare and Neven (ACM Conference on Computer and Communications Security-CCS 2006) and its variants by Bagherzandi et al. (ACM Conference on Computer and Communications Security-CCS 2008) and Ma et al. (Des Codes Cryptogr 54(2):121–133, 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single “aggregated” public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure under the Discrete Logarithm assumption in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin.

Notes

  1. Since we do not impose any constraint on the key setup, the adversary can choose corrupted public keys arbitrarily, hence the same public key can appear multiple times in L.

  2. All Bitcoin transactions have at least one input, except coinbase transactions, which reward miners when they validate blocks and bootstrap the currency supply.

  3. If the scheme relies on several random oracles, we assume that \(\mathcal {F}\) makes at most \(q_h\) queries to each of them.

  4. Hash function \(H_{\mathrm {com}}\) is used in the commitment phase, \(H_{\mathrm {agg}}\) to compute the aggregated key, and \(H_{\mathrm {sig}}\) to compute the signature. These hash functions can be constructed from a single one using proper domain separation.

  5. As in [9], indices \(1,\ldots ,n\) are local references to cosigners, defined within the specific signer instance at hand.

  6. In fact, it is easy to see that the forger can only guess the value of the aggregated public key \(\widetilde{X}\) corresponding to L at random before making the relevant queries \(H_{\mathrm {agg}}(L,X_i)\) for \(X_i\in L\), so that the query \(H_{\mathrm {sig}}(\widetilde{X},R,m)\) can only come after the relevant queries \(H_{\mathrm {agg}}(L,X_i)\) except with negligible probability.

  7. In particular, we must exclude the case where the adversary is able to find two distinct multisets of public keys L and \(L'\) such that the corresponding aggregated public keys are equal, since when this happens the forger can make a signature query for \((L,m)\) and return the resulting signature \(\sigma \) as a forgery for \((L',m)\). Jumping ahead, this will correspond to bad event \(\mathsf {KeyColl}\) defined in the proof of Lemma 2.

  8. Strings \(h_{0,i}\), resp. \(h_{1,i}\), will be used to answer queries to \(H_{\mathrm {agg}}\), resp. \(H_{\mathrm {sig}}\). We need \(q_h+q_s+1\) answers for each random oracle because one query to \(H_{\mathrm {agg}}\) and one query to \(H_{\mathrm {sig}}\) may be incurred by each signature query and by the final verification of the validity of the forgery.

  9. This holds iff L never appeared in a previous query to \(H_{\mathrm {agg}}\) or a previous signature query.

  10. In general, we cannot assume that the forger has made the random oracle queries corresponding to its forgery attempt, even though the forgery is valid only with negligible probability in this case.

  11. Note that for this argument to go through, we rely on \(\widetilde{X}\) being included in the call to \(H_{\mathrm {sig}}\). As already said in the introduction, we do not know how to prove the security of the variant without “aggregate key-prefixing”, where \(\widetilde{X}\) is omitted from the call to \(H_{\mathrm {sig}}\), even though we are not aware of any attack.

  12. While temporary disagreement between nodes is possible about which chain is to be accepted, we use the blockchain to refer to the chain that an individual node currently considers its best one.

  13. UTXO is an abbreviation of Unspent Transaction (TX) Output.

  14. Specifically, a function is used that takes a public key and a signature, and requires that the hash of the public key is a fixed constant and that the signature verifies with that key.

  15. Note that the term “multisig” in the context of Bitcoin is used to refer to any spending policy that requires signatures with m out of n public keys.

  16. The size of predicates is even more important, as they are part of the UTXO set that is maintained by every node.

  17. See https://bitcoin.org/en/developer-reference#term-op-checksig for more information.
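The following is an added worked example, not code from the paper or from any Bitcoin implementation. It runs the scheme sketched in the abstract and in notes 4 and 11 (key aggregation with \(H_{\mathrm {agg}}\), nonce commitments with \(H_{\mathrm {com}}\), and an aggregate-key-prefixed challenge from \(H_{\mathrm {sig}}\)) over a toy multiplicative group of prime order 509 that is constructed here purely for illustration; the three signing rounds are simulated in one process, and verification is the ordinary Schnorr check against the aggregated key.

```python
import hashlib
import math
import secrets
# Toy group, constructed for illustration only (far too small to be secure):
# p = 1019 is a safe prime, q = (p-1)/2 = 509 and g = 4 generates the order-q subgroup.
P, Q, G = 1019, 509, 4

def _hash(tag, *parts):
    """Random oracle H_tag; the tag ("com", "agg" or "sig") gives domain separation."""
    data = tag.encode() + b"".join(str(x).encode() + b"|" for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():  # plain public-key model: publish X = g^x, no proof of possession
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def key_coeffs(L):
    """a_i = H_agg(L, X_i); L is a multiset, so it is sorted and duplicates are kept."""
    L = sorted(L)
    return L, {X: _hash("agg", *L, X) for X in L}

def aggregate_key(L):
    """Aggregated key X~ = prod_i X_i^{a_i}."""
    L, a = key_coeffs(L)
    return math.prod(pow(X, a[X], P) for X in L) % P

def sign(signers, m):
    """All three rounds run locally for a list of (x_i, X_i) signers; returns (R, s)."""
    L, a = key_coeffs([X for _, X in signers])
    Xagg = aggregate_key(L)
    rs = [secrets.randbelow(Q - 1) + 1 for _ in signers]
    Rs = [pow(G, r, P) for r in rs]
    # Round 1: broadcast t_i = H_com(R_i). Round 2: reveal R_i and check it against t_i
    # (trivially satisfied here because every signer is simulated in this process).
    ts = [_hash("com", R) for R in Rs]
    if any(_hash("com", R) != t for R, t in zip(Rs, ts)):
        raise ValueError("nonce commitment mismatch")
    R = math.prod(Rs) % P
    # Round 3: the challenge binds X~ (aggregate key-prefixing); s = sum_i (r_i + c*a_i*x_i).
    c = _hash("sig", Xagg, R, m)
    s = sum(r + c * a[X] * x for r, (x, X) in zip(rs, signers)) % Q
    return R, s

def verify(L, m, sig):
    """Plain Schnorr verification g^s == R * X~^c against the single aggregated key."""
    R, s = sig
    Xagg = aggregate_key(L)
    return pow(G, s, P) == R * pow(Xagg, _hash("sig", Xagg, R, m), P) % P
```

Because the verifier only ever sees the single aggregated key \(\widetilde{X}\), the joint signature is indistinguishable from a single-signer Schnorr signature, which is the privacy point the abstract makes for Bitcoin.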

References

  1. Accredited Standards Committee X9. American National Standard X9.62-2005, Public Key Cryptography for the Financial Services Industry, The Elliptic Curve Digital Signature Algorithm (ECDSA) (2005).

  2. Andresen G.: M-of-N standard transactions. Bitcoin Improvement Proposal. https://github.com/bitcoin/bips/blob/master/bip-0011.mediawiki (2011).

  3. Bagherzandi A., Cheon J.H., Jarecki S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM Conference on Computer and Communications Security-CCS 2008, pp. 449–458. ACM (2008).

  4. Bernstein D.J.: Multi-user Schnorr security, revisited. IACR Cryptology ePrint Archive, Report 2015/996 (2015). http://eprint.iacr.org/2015/996.

  5. Bernstein D.J., Duif N., Lange T., Schwabe P., Yang B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) Cryptographic Hardware and Embedded Systems-CHES 2011, LNCS, vol. 6917, pp. 124–142. Springer, Berlin (2011).

  6. Boneh D., Gentry C., Lynn B., Shacham H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) Advances in Cryptology-EUROCRYPT 2003, LNCS, vol. 2656, pp. 416–432. Springer, Berlin (2003).

  7. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004).

  8. Boneh D., Drijvers M., Neven G.: Compact multi-signatures for smaller blockchains. In: Peyrin, T., Galbraith, S.D. (eds.) Advances in Cryptology-ASIACRYPT 2018 (Proceedings, Part II), LNCS, vol. 11273, pp. 435–464. Springer, Berlin (2018).

  9. Bellare M., Neven G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM Conference on Computer and Communications Security-CCS 2006, pp. 390–399. ACM (2006).

  10. Bellare M., Palacio A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 162–177. Springer, Berlin (2002).

  11. Bellare M., Namprempre C., Pointcheval D., Semanko M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003).

  12. Bellare M., Namprempre C., Neven G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdzinski, T., Tarlecki, A. (eds.) Automata, Languages and Programming-ICALP 2007, LNCS, vol. 4596, pp. 411–422. Springer, Berlin (2007).

  13. Boldyreva A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-Group Signature Scheme. In: Desmedt, Y. (ed.) Public Key Cryptography-PKC 2003, LNCS, vol. 2567, pp. 31–46. Springer, Berlin (2003).

  14. Certicom Research: SEC 2: recommended elliptic curve domain parameters, v2.0 (2010). http://www.secg.org/sec2-v2.pdf.

  15. Drijvers M., Edalatnejad K., Ford B., Neven G.: On the provable security of two-round multi-signatures. IACR Cryptology ePrint Archive, Report 2018/417 (2018). http://eprint.iacr.org/2018/417.

  16. El Bansarkhani R., Sturm J.: An efficient lattice-based multisignature scheme with applications to bitcoins. In: Foresti, S., Persiano, G. (eds.) Cryptology and Network Security-CANS 2016, LNCS, vol. 10052, pp. 140–155. Springer, Berlin (2016).

  17. Garg S., Bhaskar R., Lokam S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) Advances in Cryptology-CRYPTO 2008, LNCS, vol. 5157, pp. 93–107. Springer, Berlin (2008).

  18. Gennaro R., Goldfeder S., Narayanan A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) Applied Cryptography and Network Security-ACNS 2016, LNCS, vol. 9696, pp. 156–174. Springer, Berlin (2016).

  19. Goldfeder S., Bonneau J., Gennaro R., Narayanan A.: Escrow protocols for cryptocurrencies: how to buy physical goods using Bitcoin. In: Financial Cryptography and Data Security-FC 2017 (2017). http://www.jbonneau.com/doc/GBGN17-FC-physical_escrow.pdf.

  20. Harn L.: Group-oriented \((t, n)\) threshold digital signature scheme and digital multisignature. IEE Proc. Comput. Digit. Tech. 141(5), 307–313 (1994).

  21. Horster P., Michels M., Petersen H.: Meta-multisignature schemes based on the discrete logarithm problem. In: IFIP/Sec ’95, IFIP Advances in Information and Communication Technology, pp. 128–142. Springer, Berlin (1995).

  22. Itakura K., Nakamura K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 1–8 (1983).

  23. Kiltz E., Masny D., Pan J.: Optimal security proofs for signatures from identification schemes. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology-CRYPTO 2016 (Proceedings, Part II), LNCS, vol. 9815, pp. 33–61. Springer, Berlin (2016).

  24. Langford S.K.: Weakness in some threshold cryptosystems. In: Koblitz, N. (ed.) Advances in Cryptology-CRYPTO ’96, LNCS, vol. 1109, pp. 74–82. Springer, Berlin (1996).

  25. Li C.-M., Hwang T., Lee N.-Y.: Threshold-multisignature schemes where suspected forgery implies traceability of adversarial shareholders. In: De Santis, A. (ed.) Advances in Cryptology-EUROCRYPT ’94, LNCS, vol. 950, pp. 194–204. Springer, Berlin (1994).

  26. Lindell Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) Advances in Cryptology-CRYPTO 2017 (Proceedings, Part II), LNCS, vol. 10402, pp. 613–644. Springer, Berlin (2017).

  27. Lu S., Ostrovsky R., Sahai A., Shacham H., Waters B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) Advances in Cryptology-EUROCRYPT 2006, LNCS, vol. 4004, pp. 465–485. Springer, Berlin (2006).

  28. Lysyanskaya A., Micali S., Reyzin L., Shacham H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology-EUROCRYPT 2004, LNCS, vol. 3027, pp. 74–90. Springer, Berlin (2004).

  29. Ma C., Weng J., Li Y., Deng R.H.: Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr. 54(2), 121–133 (2010).

  30. MacKenzie P.D., Reiter M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) Advances in Cryptology-CRYPTO 2001, LNCS, vol. 2139, pp. 137–154. Springer, Berlin (2001).

  31. Maxwell G.: CoinJoin: Bitcoin privacy for the real world. (2013). BitcoinTalk post. https://bitcointalk.org/index.php?topic=279249.0.

  32. Merkle R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) Advances in Cryptology-CRYPTO ’87, LNCS, vol. 293, pp. 369–378. Springer, Berlin (1987).

  33. Michels M., Horster P.: On the risk of disruption in several multiparty signature schemes. In: Kim, K., Matsumoto, T. (eds.) Advances in Cryptology-ASIACRYPT ’96, LNCS, vol. 1163, pp. 334–345. Springer, Berlin (1996).

  34. Micali S., Ohta K., Reyzin L.: Accountable-subgroup multisignatures. In: Reiter, M.K., Samarati, P. (eds.) ACM Conference on Computer and Communications Security-CCS 2001, pp. 245–254. ACM (2001).

  35. Nakamoto S.: Bitcoin: a peer-to-peer electronic cash system (2008). http://bitcoin.org/bitcoin.pdf.

  36. National Institute of Standards and Technology. FIPS 186-4: digital signature standard (DSS) (2013). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf.

  37. Okamoto T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) Advances in Cryptology-CRYPTO ’92, LNCS, vol. 740, pp. 31–53. Springer, Berlin (1992).

  38. Ohta K., Okamoto T.: A digital multisignature scheme based on the Fiat-Shamir scheme. In: Imai, H., Rivest, R.L., Matsumoto, T. (eds.) Advances in Cryptology-ASIACRYPT ’91, LNCS, vol. 739, pp. 139–148. Springer, Berlin (1991).

  39. Ohta K., Okamoto T.: Multi-signature schemes secure against active insider attacks. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E82–A(1), 21–31 (1999).

  40. Paillier P., Vergnaud D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B.K. (ed.) Advances in Cryptology-ASIACRYPT 2005, LNCS, vol. 3788, pp. 1–20. Springer, Berlin (2005).

  41. Pointcheval D., Stern J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000).

  42. Pornin T.: Deterministic usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA). RFC 6979 (2013). https://rfc-editor.org/rfc/rfc6979.txt.

  43. Ristenpart T., Yilek S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) Advances in Cryptology-EUROCRYPT 2007, LNCS, vol. 4515, pp. 228–245. Springer, Berlin (2007).

  44. Schnorr C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991).

  45. Seurin Y.: On the exact security of Schnorr-type signatures in the random oracle model. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology-EUROCRYPT 2012, LNCS, vol. 7237, pp. 554–571. Springer, Berlin (2012).

  46. Syta E., Tamas I., Visher D., Wolinsky D.I., Jovanovic P., Gasser L., Gailly N., Khoffi I., Ford B.: Keeping authorities “Honest or Bust” with decentralized witness cosigning. In: IEEE Symposium on Security and Privacy, SP 2016, pp. 526–545. IEEE Computer Society (2016).

  47. Wagner D.A.: A generalized birthday problem. In: Yung, M. (ed.) Advances in Cryptology-CRYPTO 2002, LNCS, vol. 2442, pp. 288–303. Springer, Berlin (2002).

Correspondence to Yannick Seurin.

Communicated by S. D. Galbraith.

Cite this article

Maxwell, G., Poelstra, A., Seurin, Y. et al. Simple Schnorr multi-signatures with applications to Bitcoin. Des. Codes Cryptogr. 87, 2139–2164 (2019). https://doi.org/10.1007/s10623-019-00608-x
