SESSION ID: CRYP-R03C Non-interactive Half-aggregation Of EdDSA And Variants Of Schnorr Signatures

Yashvanth Kondi PhD Candidate Northeastern University

Joint work with: Konstantinos Chalkias, François Garillot, Valeria Nikolaenko (Novi/Facebook)

#RSAC #RSAC In This Work, We:

Study non-interactive aggregation of Schnorr/EdDSA signatures using methods that are blackbox in the hash function and the group Design and implement two constructions: 50% compression, loose security, no computation overhead 50-e% compression, tight security, high computation overhead Show that 50% compression is optimal for blackbox techniques

2 #RSAC

Schnorr Signatures

Recap of characteristics

#RSAC #RSAC Schnorr Signatures

4 #RSAC Schnorr Signatures

What’s good:

4 #RSAC Schnorr Signatures

What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem)

4 #RSAC Schnorr Signatures

What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify

4 #RSAC Schnorr Signatures

What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify Linear structure allows efficient interactive aggregation (i.e. threshold/multisignature friendly)

4 #RSAC Schnorr Signatures

What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify Linear structure allows efficient interactive aggregation (i.e. threshold/multisignature friendly) However, no native non-interactive aggregation procedure (unlike BLS)

4 #RSAC

Aggregate Signatures

What are they?

#RSAC #RSAC Signature Aggregation

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 m1

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1

m1 pk2 m2

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1

m1 pk2 m2

pk3 m3

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1

m1 pk2 m2

pk3 pk4 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

pk4 pk3 pk2 m4 pk1 m3 m2 m1

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

pk4 3 pk 4 2 m pk 3 1 m pk m2 m1

Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation

pk1 pk2 pk3 pk4 m1 m2 m3 m4

Presenter’s Company Logo – replace or delete on master slide #RSAC Application: Compressing Blockchains

Presenter’s Company Logo – replace or delete on master slide #RSAC Problem Scope

15 #RSAC Problem Scope

We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures

15 #RSAC Problem Scope

We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures

15 #RSAC Problem Scope

We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures Drop-in replacement in any larger protocol

15 #RSAC Problem Scope

We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures Drop-in replacement in any larger protocol Nice composition guarantees: don’t have to re-prove security of larger protocol upon replacement by PoK

15 #RSAC Problem Scope

16 #RSAC Problem Scope

We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc.

16 #RSAC Problem Scope

We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications

16 #RSAC Problem Scope

We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications Bottleneck for such techniques: standard hash functions (eg. SHA2 for EdDSA) and elliptic curve group operations have huge circuit representations

16 #RSAC Problem Scope

We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications Bottleneck for such techniques: standard hash functions (eg. SHA2 for EdDSA) and elliptic curve group operations have huge circuit representations Constraint: must be blackbox in hash function and curve group (i.e. use them like oracles)

16 #RSAC

Our Techniques

Sigma protocols and non-interactive proofs

#RSAC #RSAC Quick recap: Sigma Protocol for relation R X

V(X) P(X, w)

Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: Sigma Protocol for relation R X

a V(X) P(X, w)

Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: Sigma Protocol for relation R X

a V(X) P(X, w) e

Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: Sigma Protocol for relation R X

a V(X) P(X, w) e z

Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: Sigma Protocol for relation R X

a V(X) P(X, w) e z

n-special soundness: ���(X, a, (e , z ), ⋯, (e , z )) outputs w s.t. R(X, w) = 1 Presenter’s Company 1 1 n n Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature

�� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r

Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature

�� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G

Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature

�� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G

Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature

�� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G PoK of Schnorr signature of m under pk, R is equivalent to PoK of

Presenter’s Company Logo – replacediscrete or delete logarithm of S on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

X1, X2, ⋯Xn x1, x2, ⋯, xn

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e i∈[n]

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e z i∈[n]

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e z i∈[n] ? i−1 z ⋅ G = ∑ e ⋅ Xi

Presenter’s Company i∈[n] Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances

[Gennaro, Leigh, Sundaram, Yerazunis ’04]

n special soundness: X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq Values (e1, z1), ⋯, (en, zn) i−1 z = ∑ xi ⋅ e z i∈[n] ? i−1 z ⋅ G = ∑ e ⋅ Xi i∈[n] Characterise n linearly independent combinations of xis

Solve for each xi

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

(R1, s1), ⋯, (Rn, sn)

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn

(R1, s1), ⋯, (Rn, sn)

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq

i−1 z = ∑ si ⋅ e i∈[n]

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq

i−1 z z = ∑ si ⋅ e i∈[n]

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq

i−1 z ? z = si ⋅ e i−1 ∑ z ⋅ G = e ⋅ Si i∈[n] ∑ i∈[n]

Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs

(��1, m1), ⋯, (��n, mn)

R1, ⋯, Rn What have we accomplished? ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) S = ��H(��,Ri,mi) + R i i i Naive transmission: e ∈ ℤq

i−1 z ? z = si ⋅ e i−1 ∑ z ⋅ G = e ⋅ Si (R , s ), ⋯, (R , s ) i∈[n] ∑ 1 1 n n i∈[n] Compressed Sigma protocol:

z, (R1, ⋯, Rn)

i.e. ~50% compression!

Presenter’s Company Logo – replace or delete on master slide #RSAC From Sigma Protocol to Non-interactive PoK

28 #RSAC From Sigma Protocol to Non-interactive PoK

Sigma protocols are interactive, but our target is a non- interactive proof

28 #RSAC From Sigma Protocol to Non-interactive PoK

Sigma protocols are interactive, but our target is a non- interactive proof Standard compilers,

28 #RSAC From Sigma Protocol to Non-interactive PoK

Sigma protocols are interactive, but our target is a non- interactive proof Standard compilers, Fiat-Shamir: optimal efficiency, loose security proof

28 #RSAC From Sigma Protocol to Non-interactive PoK

Sigma protocols are interactive, but our target is a non- interactive proof Standard compilers, Fiat-Shamir: optimal efficiency, loose security proof Fischlin: reduced efficiency (compression approaches 50%), tight security proof

28 #RSAC Benchmarks

29 #RSAC Benchmarks

We measured the performance of both constructions using the Ed25519-dalek library

29 #RSAC Benchmarks

We measured the performance of both constructions using the Ed25519-dalek library Takeaway:

29 #RSAC Benchmarks

We measured the performance of both constructions using the Ed25519-dalek library Takeaway: Fiat-Shamir: aggregates 1024 sigs in <1ms, and verifying the aggregate signature costs the same as batch verifying the same number of signatures

29 #RSAC Benchmarks

We measured the performance of both constructions using the Ed25519-dalek library Takeaway: Fiat-Shamir: aggregates 1024 sigs in <1ms, and verifying the aggregate signature costs the same as batch verifying the same number of signatures Fischlin: 10s of seconds to aggregate 100s of sigs with >40% compression, order of magnitude slower verification

29 #RSAC Can we do better?

30 #RSAC Can we do better?

We show that 50% compression is optimal for any aggregation scheme that makes oracle use of the hash function in Schnorr

30 #RSAC Can we do better?

We show that 50% compression is optimal for any aggregation scheme that makes oracle use of the hash function in Schnorr Implication: compressing Schnorr sigs beyond 50% must depend on the code of the hash function. All known techniques are expensive, eg. Ed25519 will need SNARKs for n SHA2 pre-images

30 #RSAC See the paper for…

Discussions on how to use these constructions Optimisations for concrete efficiency Detailed proofs Detailed benchmarks Discussion on related work

31 #RSAC Apply these constructions

Identify protocols that involve transmitting or storing multiple Schnorr (eg. Ed25519) signatures in a batch Question if the exact bit representation is important for some reason (eg. having to un-batch the signatures later, or compare with a digest for an integrity check). Can the physical signatures be replaced by a proof-of-knowledge oracle? Consider cutting bandwidth/storage cost in half by aggregating the signatures

32 #RSAC

Thanks!

ia.cr/2021/350

github.com/novifinancial/ed25519-dalek-fiat/tree/half-aggregation

Thanks to Eysa Lee for Presenter’s Company Logo – replace or delete on master slide