Yunlei Zhao
ABSTRACT
Aggregate signature (AS) allows non-interactively condensing multiple individual signatures into a compact one. Besides faster verification, it is useful to reduce storage and bandwidth, and is especially attractive for blockchain and cryptocurrency. In this work, we first demonstrate the subtlety of achieving AS from general groups, by a concrete attack that actually works against the natural implementations of AS based on almost all the variants of DSA and Schnorr's. Then, we show that aggregate signature can be de- rived from the -signature scheme proposed by Yao, et al. To the best of our knowledge, this is the first aggregate signature scheme from general elliptic curves without bilinear maps (in particular, the secp256k1 curve used by Bitcoin). The security of aggregate -signature is proved based on a new assumption proposed and justified in this work, referred to as non-malleable discrete-logarithm (NMDL), which might be of independent interest. When applying the resultant aggregate -signature to Bitcoin, the storage volume of signatures reduces about 49.8%, and the signature verification time can even reduce about 72%. Finally, we specify in detail the application of the proposed AS scheme to Bitcoin, with the goal of maximizing performance and compatibility. We adopt a Merkle-Patricia tree based implementation, and the resulting system is also more friendly to segregated witness and provides better protection against transaction malleability attacks.
- M. Abe and S. Fehr. Perfect NIZK with Adaptive Soundness. TCC 2007: 118--136. Google Scholar
Digital Library
- A. M. Antonopoulos. Mastering Bitcoin. Available at https://github.com/bitcoinbook/bitcoinbookGoogle Scholar
- A. M. Antonopoulos. Mastering Bitcoin. Section: Base58. Available at https://github.com/bitcoinbook/bitcoinbookGoogle Scholar
- A. Bagherzandi, J.H. Cheon, and S. Jarecki.MultisignaturesSecure Under the Discrete Logarithm Assumption and a GeneralizedForking Lemma. ACM Conference on Computer and Communications Security 2008: 449--458. Google ScholarDigital Library
- B. Barak. How to Go Beyond the Black-Box Simulation Barrier. FOCS 2001: 106--1 Google ScholarDigital Library
- R. Barbulescu and S. Duquesne. Updating key size estimations for pairings. Journal of Cryptology, 2018: 1--39.Google Scholar
- Base58Check Encoding. Available at https://en.bitcoin.it/wiki/Base58Check_encodingGoogle Scholar
- M. Bellare, C. Namprempre and G. Neven. Unrestricted Aggregate Signatures. ICALP 2007: 411--422. Google ScholarDigital Library
- M. Bellare and G. Neven. Multi-Signatures in the Plain Public-Key Model and a General Forking Lemma. ACM Conference on Computer and Communications Security 2006: 390--399. Google ScholarDigital Library
- M. Bellare and A. Palacio. Towards Plaintext-Aware Public-Key Encryption without Random Oracles. ASIACRYPT 2004: 48--62.Google Scholar
- M. Bellare and A. Palacio. The Knowledge-of-Exponent Assumptions and 3-Round Zero-Knowledge Protocols. CRYPTO 2004: 273--289.Google Scholar
- M. Bellare and P. Rogaway.Random Oracles Are Practical: A Paradigmfor Designing Efficient Protocols. ACM CCS 1993: 62--73. Google ScholarDigital Library
- Bethencourt, J., Sahai, A., Waters, B. Ciphertext-Policy Attribute-BasedEncryption. IEEE Symposium on Security and Privacy (S$&$P) 2007, 321--334. Google ScholarDigital Library
- A. Boldyreva.Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme. PKC 2003, LNCS 2567, Springer-Verlag. Google ScholarDigital Library
- A. Boldyreva, C. Gentry, A. O'Neill and D. H. Yum.Ordered Multisignatures and Identity-Based Sequential Aggregate Signatures, with Applications to Secure Routing. CCS 2007: 276--285. Google ScholarDigital Library
- N. Bitansky, R. Canetti, A. Chiesa, and E. Tromer. From Extractable Collision Resistance to Succinct Non-Interactive Arguments of Knowledge, and Back Again. ITCS 2012: 326--349. Google ScholarDigital Library
- D. Boneh, M. Drijvers, and G. Neven. Compact Multi-Signatures for Smaller Blockchains. ASIACRYPT 2018, to appear.Google Scholar
- D. Boneh, C. Gentry, B. Lynn and H. Shacham. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. EUROCRYPT 2003: 416--432. Google ScholarDigital Library
- D. Boneh, B. Lynn and H. Shacham. Short Signatures from the Weil Pairing. ASIACRYPT 2001: 514--532. Google ScholarDigital Library
- D. Bradbury. What the 'Bitcoin Bug' Means: A Guide to Transaction Malleability. Available at https://www.coindesk.com/bitcoin-bug-guide-transaction-malleabilityGoogle Scholar
- R. Canetti and R. R. Dakdouk. Extractable Perfectly One-Way Functions. ICALP (2) 2008: 449--460. Google ScholarDigital Library
- R. Canetti and R. R. Dakdouk. Towards a Theory of Extractable Functions. TCC 2009: 595--613. Google ScholarDigital Library
- C. Research. SEC 2: Recommended Elliptic Curve Domain Parameters 2010. Available at http://www.secg.org/sec2-v2.pdfGoogle Scholar
- I. Damgå rd. Towards Practical Public Key Systems Secure Against Chosen Ciphertext Attacks. CRYPTO 1991: 445--456. Google ScholarDigital Library
- I. Damgå rd, S. Faust and C. Hazay. Secure Two-Party Computation with Low Communication. TCC 2012: 54--74. Google ScholarDigital Library
- A. W. Dent. The Cramer-Shoup Encryption Scheme is Plaintext Aware in the Standard Model. EUROCRYPT 2006: 289--307. Google ScholarDigital Library
- V. S. Dimitrov, G. A. Jullien, and W. C. Miller. Complexity and Fast Algorithms for Multiexponentiations. IEEE Trans. Computers (2) 2000: 141--147. Google ScholarDigital Library
- A. Fiat and A. Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO 1986: 186--194. Google ScholarDigital Library
- R. Gennaro, H. Krawczyk, and T. Rabin. Okamoto-Tanaka Revisited: Fully Authenticated Diffie-Hellman with Minimal Overhead. ACNS 2010: 309--328. Google ScholarDigital Library
- S. Goldwasser, H. Lin, and A. Rubinstein. Delegation of Computation without Rejection Problem from Designated Verifier CS-Proofs. IACR Cryptology ePrint Archive 2011: 456.Google Scholar
- D. M. Gordon. A Survey of Fast Exponentiation Methods. J. Algorithms 27(1) 1998: 129--146. Google ScholarDigital Library
- J. Groth. Short Pairing-Based Non-Interactive Zero-Knowledge Arguments. ASIACRYPT 2010: 321--340.Google Scholar
- S. Hada and T. Tanaka. On the Existence of 3-Round Zero-Knowledge Protocols. CRYPTO 1998: 408--423. Google ScholarDigital Library
- D. Hankerson, A. Menezes and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer 2004. Google ScholarDigital Library
- S. Hohenberger, B. Waters.Synchronized Aggregate Signatures from the RSA Assumption. EUROCRYPT 2018: 197--229.Google Scholar
- K. Itakura and K. Nakamura.A Public-KeyCryptosystem Suitable for Digital Multisignatures. NECResearch $&$ Development, 71:1--8, 1983.Google Scholar
- T. Jager and J. Schwenk.On the Equivalence of Generic Group Models. ProvSec 2008: 200--209. Google ScholarDigital Library
- D. Johnson, A. Menezes and S. Vanstone. The Elliptic Curve Digital Signature Algorithm (EC-DSA). Int. J. Inf. Sec 1(1) 2001: 36--63. Google ScholarDigital Library
- H. Krawczyk. HMQV: A High-Performance Secure Diffie-Hellman Protocol. CRYPTO 2005: 546--566. Google ScholarDigital Library
- C.M. Li, T. Hwang, and N.Y. Lee.Threshold Multisignature Schemes where SuspectedForgery Implies Traceability of Adversarial Shareholders. EUROCRYPT 1994, LNCS 950, Springer-Verlag.Google Scholar
- S. Lu, R. Ostrovsky, A. Sahai, H. Shacham, andB. Waters.Sequential Aggregate Signatures and Multisignatures without Random Oracles. EUROCRYPT 2006, LNCS 4004, Springer-Verlag. Google ScholarDigital Library
- A. Lysyanskaya, S. Micali, L. Reyzin, andH. Shacham. Sequential Aggregate Signatures fromTrapdoor Permutations. EUROCRYPT 2004, LNCS 3027, Springer-Verlag.Google ScholarCross Ref
- C. Ma, J. Weng, Y. Li and R. H. Deng. Efficient Discrete Logarithm Based Multi-Signature Scheme in the Plain Public Key Model. Codes Cryptography 54(2) 2010: 121--133. Google ScholarDigital Library
- W. Mao. Modern Cryptography: Theory and Practice. CRC 200 Google ScholarDigital Library
- U. Maurer. Abstract Models of Computation in Cryptography. IMA Cryptography and Coding 2005: 1--12. Google ScholarDigital Library
- U. Maurer and S. Wolf.Lower Bounds on Generic Algorithms in Groups. EUROCRYPT 1998: 72--84.Google Scholar
- G. Maxwell. Signature Aggregation for Improved Scalablity. Available at https://bitcointalk.org/index.php?topic=1377298.0Google Scholar
- G. Maxwell, A. Poelstra, Y. Seurin and P. Wuille. Simple Schnorr Multi-Signatures with Applications to Bitcoin. IACR Cryptology ePrint Archive 2018: 68.Google Scholar
- S. Micali, K. Ohta, and L. Reyzin.Accountable-Subgroup Multisignatures. ACM CCS2001, ACM Press. Google ScholarDigital Library
- T. Mie. Polylogarithmic Two-Round Argument Systems. J. Mathematical Cryptology 2(4) 2008: 343--363.Google ScholarCross Ref
- S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available at http://bitcoin.org/bitcoin.pdfGoogle Scholar
- K. Ohta and T. Okamoto. A Digital Multisignature Scheme Based on the Fiat-Shamir Scheme. ASIACRYPT 1991, LNCS 739, Springer-Verlag. Google ScholarDigital Library
- L. Parker. Bitcoin 'Spam Attack' Stressed Network for at least 18 Months, Claims Software Developer. Available at https://bravenewcoin.com/news/bitcoin-spam-attack-stressed-network-for-at-least-18-months-claims-software-developer/Google Scholar
- Patricia Tree. Available at https://github.com/ethereum/wiki/wiki/Patricia-TreeGoogle Scholar
- D. Pointcheval and J. Stern. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 13(2) 2000: 36--396. Google ScholarDigital Library
- M. D. Raimondo and R. Gennaro. New Approaches for Deniable Authentication. ACM Conference on Computer and Communications Security 2005: 112--121. Google ScholarDigital Library
- M. D. Raimondo, R. Gennaro, and H. Krawczyk. Deniable Authentication and Key Exchange. ACM Conference on Computer and Communications Security 2006: 400--409. Google ScholarDigital Library
- T. Ristenpart and S. Yilek. The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks. EUROCRYPT 2007: 228--245. Google ScholarDigital Library
- E. B. Sasson, A. Chiesay, C. Garmanz, M. Greenz, I. Miersz, E. Tromerx and M. Virza. Zerocash: Decentralized Anonymous Payments from Bitcoin. IEEE Symposium on Security and Privacy 2014: 459--474. Google ScholarDigital Library
- E. B. Sasson, A. Chiesa, E. Tromer and M. Virz. Succinct Non-Interactive Zero Knowledge for a Von Neumann Architecture. USENIX Security 2014: 781--79 Google ScholarDigital Library
- C. P. Schnorr. Efficient Identification and Signatures for Smart Cards. CRYPTO 1989: 239--252. Google ScholarDigital Library
- C. P. Schnorr. Security of Blind Discrete Log Signatures against Interactive Attacks. ICICS 2001: 1--12. Google ScholarDigital Library
- C. P. Schnorr. Small Generic Hardcore Subsets for the Discrete Logarithm. Information processing Letters 79(2): 93--98, 2001. Google ScholarDigital Library
- C. P. Schnorr, M. Jakobsson. Security of Signed El Gamal Encryption. ASIACRYPT 2000: 73--89. Google ScholarDigital Library
- J. T. Schwartz. Fast Probabilistic Algorithms for Verifications of Polynomial Identities. Journal of the ACM, 27(3): 701--717, 1980. Google ScholarDigital Library
- . Shoup. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT 1997: 256--266. Google ScholarDigital Library
- A. V. Wirdum. Scriptless Scripts: How Bitcoin Can Support Smart Contracts Without Smart Contracts. Available at https://bitcoinmagazine.com/articles/scriptless-scripts-how-bitcoin-can-support-smart-contracts-without-smart-contracts/Google Scholar
- A. C.-C. Yao and Y. Zhao. Deniable Internet Key Exchange. ACNS 2010: 329--348. Google ScholarDigital Library
- A. C.-C. Yao and Y. Zhao. OAKE: A New Family of Implicitly Authenticated Diffie-Hellman Protocols. ACMCCS 2013: 1113--1128. Full version available at https://eprint.iacr.org/2011/035 Google ScholarDigital Library
- A. C.-C. Yao and Y. Zhao. Online/Offline Signatures for Low-Power Devices. IEEE Trans Information Forensics and Security 8(2) 2013: 283--294. Google ScholarDigital Library
- A. C.-C. Yao and Y. Zhao. Privacy-Preserving Authenticated Key-Exchange Over Internet. IEEE Trans Information Forensics and Security 9(1) 2014: 125--140. Google ScholarDigital Library
- Practical Aggregate Signature from General Elliptic Curves, and Applications to Blockchain
Recommendations
Insecurity of an efficient certificateless aggregate signature with constant pairing computations
Recently, Xiong et al. [H. Xiong, Z. Guan, Z. Chen, F. Li, An efficient certificateless aggregate signature with constant pairing computations, Information Science 219 (2013) 225-235] proposed a certificateless signature (CLS) scheme and used it to ...
Cryptanalysis and improvement of a certificateless aggregate signature scheme
Aggregate signature can combine n signatures on n messages from n users into a single short signature, and the resulting signature can convince the verifier that the n users indeed signed the n corresponding messages. This feature makes aggregate ...
Cryptanalysis of a certificateless aggregate signature scheme
An aggregate signature refers to a signature, by which n signatures ï ź1,...,ï źn corresponding to n messages m1,...,mn and n users u1,...,un can be transformed into a single short signature ï ź~. Besides, anyone can be convinced by the single short ...
Comments