SESSION ID: CRYP-R03C Non-interactive Half-aggregation Of EdDSA And Variants Of Schnorr Signatures Yashvanth Kondi PhD Candidate Northeastern University Joint work with: Konstantinos Chalkias, François Garillot, Valeria Nikolaenko (Novi/Facebook) #RSAC #RSAC In This Work, We: Study non-interactive aggregation of Schnorr/EdDSA signatures using methods that are blackbox in the hash function and the group Design and implement two constructions: 50% compression, loose security, no computation overhead 50-e% compression, tight security, high computation overhead Show that 50% compression is optimal for blackbox techniques 2 #RSAC Schnorr Signatures Recap of characteristics #RSAC #RSAC Schnorr Signatures 4 #RSAC Schnorr Signatures What’s good: 4 #RSAC Schnorr Signatures What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) 4 #RSAC Schnorr Signatures What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify 4 #RSAC Schnorr Signatures What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify Linear structure allows efficient interactive aggregation (i.e. threshold/multisignature friendly) 4 #RSAC Schnorr Signatures What’s good: Security under conservative, well-studied assumption (Discrete Logarithm problem) Individual signatures are compact, fast to generate and verify Linear structure allows efficient interactive aggregation (i.e. threshold/multisignature friendly) However, no native non-interactive aggregation procedure (unlike BLS) 4 #RSAC Aggregate Signatures What are they? #RSAC #RSAC Signature Aggregation Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 m1 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 m1 pk2 m2 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 m1 pk2 m2 pk3 m3 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 m1 pk2 m2 pk3 pk4 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 pk4 pk3 pk2 m4 pk1 m3 m2 m1 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 pk4 3 pk 4 2 m pk 3 1 m pk m2 m1 Presenter’s Company Logo – replace or delete on master slide #RSAC Signature Aggregation pk1 pk2 pk3 pk4 m1 m2 m3 m4 Presenter’s Company Logo – replace or delete on master slide #RSAC Application: CoMpressing Blockchains Presenter’s Company Logo – replace or delete on master slide #RSAC Problem Scope 15 #RSAC Problem Scope We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures 15 #RSAC Problem Scope We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures 15 #RSAC Problem Scope We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures Drop-in replacement in any larger protocol 15 #RSAC Problem Scope We formulate the problem as constructing a “proof of knowledge” (PoK) for the language of Schnorr signatures i.e. Aggregate signature is a (non-interactive) proof that the aggregator has seen corresponding Schnorr signatures Drop-in replacement in any larger protocol Nice composition guarantees: don’t have to re-prove security of larger protocol upon replacement by PoK 15 #RSAC Problem Scope 16 #RSAC Problem Scope We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. 16 #RSAC Problem Scope We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications 16 #RSAC Problem Scope We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications Bottleneck for such techniques: standard hash functions (eg. SHA2 for EdDSA) and elliptic curve group operations have huge circuit representations 16 #RSAC Problem Scope We already know how to build compressing Proofs of Knowledge: eg. IOPs, Bulletproofs, etc. Establishes feasibility, but too slow for most applications Bottleneck for such techniques: standard hash functions (eg. SHA2 for EdDSA) and elliptic curve group operations have huge circuit representations Constraint: must be blackbox in hash function and curve group (i.e. use them like oracles) 16 #RSAC Our Techniques Sigma protocols and non-interactive proofs #RSAC #RSAC Quick recap: SigMa Protocol for relation R X V(X) P(X, w) Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: SigMa Protocol for relation R X a V(X) P(X, w) Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: SigMa Protocol for relation R X a V(X) P(X, w) e Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: SigMa Protocol for relation R X a V(X) P(X, w) e z Presenter’s Company Logo – replace or delete on master slide #RSAC Quick recap: SigMa Protocol for relation R X a V(X) P(X, w) e z n-special soundness: ���(X, a, (e , z ), ⋯, (e , z )) outputs w s.t. R(X, w) = 1 Presenter’s Company 1 1 n n Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature �� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature �� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature �� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G Presenter’s Company Logo – replace or delete on master slide #RSAC Sigma Protocol for PoK of Schnorr Signature �� = x ⋅ G R = r ⋅ G e = H(��, R, m) s = xe + r ������(��, R, s) : Compute S = e ⋅ �� + R ? Output S = s ⋅ G PoK of Schnorr signature of m under pk, R is equivalent to PoK of Presenter’s Company Logo – replacediscrete or delete logarithm of S on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] X1, X2, ⋯Xn x1, x2, ⋯, xn Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e i∈[n] Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e z i∈[n] Presenter’s Company Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq i−1 z = ∑ xi ⋅ e z i∈[n] ? i−1 z ⋅ G = ∑ e ⋅ Xi Presenter’s Company i∈[n] Logo – replace or delete on master slide #RSAC Compressing PoKs for n discrete logarithm instances [Gennaro, Leigh, Sundaram, Yerazunis ’04] n special soundness: X1, X2, ⋯Xn x1, x2, ⋯, xn e ∈ ℤq Values (e1, z1), ⋯, (en, zn) i−1 z = ∑ xi ⋅ e z i∈[n] ? i−1 z ⋅ G = ∑ e ⋅ Xi i∈[n] Characterise n linearly independent combinations of xis Solve for each xi Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1), ⋯, (��n, mn) (R1, s1), ⋯, (Rn, sn) Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1), ⋯, (��n, mn) R1, ⋯, Rn (R1, s1), ⋯, (Rn, sn) Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1), ⋯, (��n, mn) R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1), ⋯, (��n, mn) R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1), ⋯, (��n, mn) R1, ⋯, Rn ∀i ∈ [n], (R1, s1), ⋯, (Rn, sn) H(��,Ri,mi) Si = ��i + Ri e ∈ ℤq i−1 z = ∑ si ⋅ e i∈[n] Presenter’s Company Logo – replace or delete on master slide #RSAC Compressed Sigma Protocol for PoK of n Schnorr Sigs (��1, m1),