INTRODUCING DFINITY Crypto Techniques
V1 - 19th May 2017 Threshold Relay Produce randomness that is incorruptible, unmanipulable and unpredictable BACKGROUNDER Explain “unique deterministic” threshold signatures… Usually a signer creates a signature on message data
Shared seed data (“message”)
01010101010 11010111011 01010101010 10101001010
Verifier Signature SIGN 10101010101 Private 00101101010 Key 10010101010 10010101001 Verifier Signer’s identity Public Key Signer Verifier
AUTHORIZED SIGNER SIGNATURE VERIFIERS That can be verified using the signer’s public key
Shared seed data (“message”)
01010101010 11010111011 01010101010 10101001010
Verifier Signature
SIGN 10101010101 Private 00101101010 Key 10010101010 10010101001 VERIFY Verifier Signer’s identity Public Key Signer Verifier
AUTHORIZED SIGNER SIGNATURE VERIFIERS If scheme unique and deterministic then only 1 correct signature
Shared seed data THE SIGNATURE IS A RANDOM NUMBER, AS IF (“message”) IT WERE PREDICTABLE, THE SIGNATURE SCHEME WOULD NOT BE SECURE 01010101010 11010111011 01010101010 10101001010
Verifier Signature
SIGN 10101010101 DETERMINISTIC Private 00101101010 RANDOM Key 10010101010 10010101001 VERIFY NUMBER Verifier Signer’s identity Public Key Signer Verifier
AUTHORIZED SIGNER SIGNATURE VERIFIERS Unique and deterministic threshold signature scheme possible
GROUP MEMBERS INDEPENDENTLY SIGN THE Shared seed data MESSAGE TO CREATE “SIGNATURE SHARES”. (“message”) A THRESHOLD NUMBER ARE COMBINED TO CREATE THE OUTPUT SIGNATURE 01010101010 11010111011 01010101010 10101001010
Verifier Signature
SIGN SIGN SIGN COMBINE 10101010101 DETERMINISTIC 00101101010 RANDOM 10010101010 10010101001 VERIFY NUMBER Share 1 Share 3 Share 2 Verifier Group’s identity Public Key Signer Signer Signer Verifier
THRESHOLD GROUP SIGNATURE VERIFIERS Whatever subset (threshold) of group sign still same signature
Shared seed data (“message”)
Share 1 01010101010 Share 3 11010111011 01010101010 Signer Signer Signer 10101001010 Verifier Signature Share 4 Share 5 COMBINE 10101010101 DETERMINISTIC 00101101010 RANDOM Signer Signer Signer 10010101010 10010101001 VERIFY NUMBER Verifier Group’s identity Share 7 Share 9 Public Key Signer Signer Signer Verifier
THRESHOLD GROUP SIGNATURE VERIFIERS Important observations of powerful magic
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
Verifier
DETERMINISTIC RANDOM NUMBER Verifier
Verifier Important observations of powerful magic
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier
DETERMINISTIC RANDOM NUMBER Verifier
Verifier Important observations of powerful magic
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM NUMBER Verifier
Verifier Important observations of powerful magic
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM 4. The signature is a deterministically produced random number NUMBER Verifier
Verifier Important observations of powerful magic
1. A group identified by its threshold public key can only produce a single valid output signature on given seed data
2. A group is fault tolerant and any subset of threshold size can distribute signature shares for combination into the signature Verifier 3. The resulting threshold signature can be validated by anyone who has the group’s public key and the seed data DETERMINISTIC RANDOM 4. The signature is a deterministically produced random number NUMBER Verifier 5. Given a group’s public key and the input seed data the verifiers reach immediate consensus on the random number produced without running a consensus protocol… Verifier A unique deterministic threshold signature scheme Boneh-Lynn-Shacham signatures (BLS)
TIP 1 Ben Lynn is a full time member of the Key Generation DFINITY team - Secret key: x mod r - Public key: P = xQ G TIP 2 You don’t need to understand this 2 2 2 crypto to understand the remaining slides… Signing - Message hashed to H (m) G Parameters 2 1 - Signature: s = xH(m) G1 - Two groups G 1 ,G 2 of prime order r 2 (on two elliptic curves) Verification e ( s, Q 2 )= e ( H ( m ) ,P ) ? - Generators Q1 G1,Q2 G2 2 2 - Bi-linear pairing e : G1 G2 GT ⇥ 7! BLS, 2001 (Stanford University) DECENTRALIZED VERIFIABLE RANDOM FUNCTION Relay between groups to create a random sequence A vast peer-to-peer broadcast network of mining clients… Whose public keys are registered on a supporting ledger
PUBKEY 0x1bd1ccf169d755306e077b38cb9aeae28e245351 DEPOSIT: 1000 DFN
PUBKEY 0x9a197453dcface85be2fbe32c8cc19bd30576ee1 DEPOSIT: 1000 DFN PUBKEY 0x2b197453dcfabe85be2fbe31c8cc19bd30576ed0 DEPOSIT: 1000 DFN Each client (“process”) belongs to threshold groups Whose public keys are also registered on the supporting ledger
… GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY GRP PUBKEY 0x7de4ac5… 0x8fb251b… 0x1a7234e… 0x2b197453… 0xb6e1a33… At each height in the sequence, there is a current group…
h That signs the previous group’s signature…
BLS Signature Scheme Their random number selects the next group (the “relay”)
Gh+1 = [ h mod ] G |G| The relaying between groups is unmanipulable and infinite This is what Threshold Relay looks like h 1
SIGNATURE
h 1 The signature created at h-1 selects the group at h
h
=) h h 1 G = [ mod ] G |G| Group members at h broadcast signature shares
h
BROADCAST