Abstract
Multi-signatures enable a group of t signers to sign a message jointly and obtain a single signature. Multi-signatures help validate blockchain transactions, such as transactions with multiple inputs or transactions from multisig addresses. However, multi-signature schemes are always realised naively in most blockchain systems by directly concatenating t ECDSA signatures.
In this paper, we give the first multi-signature scheme for ECDSA. Technically, we design a new ephemeral group public key for the set of signers and introduce an interactive signing protocol to output a single ECDSA signature. The signature can be validated by the ephemeral group public key. Then, we instantiate the ECDSA multi-signature scheme with class groups, for which we design a secret exchanging mechanism that ensures the hidden content is well-constructed. Moreover, our scheme is able to identify the malicious party in the signing phase and helps to minimize unnecessary resource consumption. These ECDSA multi-signatures can be used in blockchain to reduce the transaction cost and provide accountability for signers and backward compatibility with existing ECDSA addresses.
Notes
- 1. This is the default setting in Bitcoin for the signature hash, called SIGHASH_ALL.
- 2. Taproot: https://en.bitcoin.it/wiki/BIP_0341. CoinJoin: https://coinjoin.io. PayJoin: https://en.bitcoin.it/wiki/PayJoin.
- 3. The function \(\textsf{H}_1\) is defined in this way for the ease of presentation in the security proof. In practice, we can simply set \(a_i = \textsf{H}_1(i, r, \textrm{S}, m)\) for all i.
- 4. If the message space of the additive homomorphic encryption is larger than q (e.g., Paillier encryption), then an extra zero-knowledge range proof is needed for all ciphertexts, to ensure that \(\alpha = ab - \beta \) in Step 2 is still within the message space.
- 5.
- 6.
References
Kılınç Alper, H., Burdges, J.: Two-round trip Schnorr multi-signatures via delinearized witnesses. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 157–188. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_7
Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) CCS 2008, pp. 449–458. ACM (2008)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., di Vimercati, S.D.C. (eds.) CCS 2006, pp. 390–399. ACM (2006)
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3
Boneh, D., Drijvers, M., Neven, G.: Compact multi-signatures for smaller blockchains. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 435–464. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_15
Bresson, E., Stern, J., Szydlo, M.: Threshold ring signatures and applications to ad-hoc groups. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 465–480. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_30
Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7
Castagnos, G., Laguillaumie, F.: On the security of cryptosystems with quadratic decryption: the nicest cryptanalysis. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 260–277. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_15
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from DDH. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
Chatzigiannis, P., Chalkias, K.: Proof of assets in the diem blockchain. In: Zhou, J., et al. (eds.) ACNS 2021. LNCS, vol. 12809, pp. 27–41. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81645-2_3
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
Dobson, S., Galbraith, S.D.: Trustless groups of unknown order with hyperelliptic curves. IACR Cryptology ePrint Archive, p. 196 (2020). https://eprint.iacr.org/2020/196
Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, 19–23 May 2019, pp. 1084–1101. IEEE (2019). https://doi.org/10.1109/SP.2019.00050
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) CCS 2018, pp. 1179–1194. ACM (2018)
Gennaro, R., Goldfeder, S.: One round threshold ECDSA with identifiable abort. Cryptology ePrint Archive, Report 2020/540 (2020). https://eprint.iacr.org/2020/540
Itakura, K., Nakamura, K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 1–8 (1983)
Khali, H., Farah, A.: DSA and ECDSA-based multi-signature schemes. Int. J. Comput. Sci. Netw. Secur. 7(7), 11–19 (2007)
Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_28
Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to Bitcoin. Des. Codes Cryptogr. 87(9), 2139–2164 (2019). https://doi.org/10.1007/s10623-019-00608-x
Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures: extended abstract. In: Reiter, M.K., Samarati, P. (eds.) CCS 2001, pp. 245–254. ACM (2001)
Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 189–221. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_8
Yuen, T.H., Cui, H., Xie, X.: Compact zero-knowledge proofs for threshold ECDSA with trustless setup. In: Garay, J.A. (ed.) PKC 2021. LNCS, vol. 12710, pp. 481–511. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_18
Appendices
A Definition for Building Blocks
A.1 ECDSA
ECDSA is a variant of the DSA scheme over elliptic curves. It consists of a tuple of four algorithms \((\textsf{Setup}, \textsf{KeyGen}, \textsf{Sign}, \textsf{Verify})\). \(\textsf{Setup}(1^\lambda ) \rightarrow \textsf{params}\) generates the parameters: it calls \(\textsf{GGen}_\textrm{ECC}= (\mathbb {G}, G, q)\) and picks a hash function \(\textsf{H}: \{0,1\}^* \rightarrow \mathbb {Z}_q\). It returns \(\textsf{params}= (\mathbb {G}, G, q, \textsf{H})\). \(\textsf{KeyGen}(\textsf{params}) \rightarrow (\textsf{sk}, \textsf{pk})\) takes \(\textsf{params}\) as input and returns a secret key with a public key \(\textsf{pk}= xG\). \(\textsf{Sign}(\textsf{sk}, m) \rightarrow \sigma \) computes \(R = {k ^ {-1}}G\) and takes the x-coordinate of R mod q as r. It computes \(s = k(\textsf{H}(m) + xr)\) mod q and returns the signature \(\sigma = (r, s)\). \(\textsf{Verify}(\textsf{pk}, \sigma ) \rightarrow b\) computes \(R' = {\textsf{H}(m) \cdot s ^ {-1}}G + {r s ^ {-1}}\textsf{pk}\) and outputs the verification result \(b \in \{0,1\}\) according to whether the x-coordinate of \(R'\) mod q is r.
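The following is an added example, not code from the paper: it implements \(\textsf{Sign}\) and \(\textsf{Verify}\) exactly in the form written above (\(R = k^{-1}G\), \(s = k(\textsf{H}(m) + xr)\)) and checks that the result is the same \((r, s)\) a textbook ECDSA signer produces with nonce \(k^{-1}\). The curve secp256k1, SHA-256 as \(\textsf{H}\), the reading of k as the per-signature nonce, the function names and the fixed key and nonce are assumptions made for the demonstration.

```python
import hashlib

# secp256k1 domain parameters (G, q) plus the field prime P; assumed curve.
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, A):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H(m):
    """Hash to Z_q; SHA-256 is an assumption, the page leaves H abstract."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q

def sign(x, m, k):
    """A.1 form: R = k^{-1} G, r = R.x mod q, s = k (H(m) + x r) mod q."""
    r = mul(pow(k, -1, Q), G)[0] % Q
    return r, k * (H(m) + x * r) % Q

def verify(pk, m, sig):
    """Accept iff R' = H(m) s^{-1} G + r s^{-1} pk has x-coordinate r mod q."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    Rp = add(mul(H(m) * w % Q, G), mul(r * w % Q, pk))
    return Rp is not None and Rp[0] % Q == r

def sign_textbook(x, m, k):
    """Usual presentation: R = k G, s = k^{-1} (H(m) + x r) mod q."""
    r = mul(k, G)[0] % Q
    return r, pow(k, -1, Q) * (H(m) + x * r) % Q

def demo():
    x, k = 0xC0FFEE, 0x1234567  # constructed key and nonce, for the demo only
    pk, m = mul(x, G), b"constructed transaction digest"
    sig = sign(x, m, k)
    return (verify(pk, m, sig),                         # honest signature
            verify(pk, b"another message", sig),        # wrong message
            sig == sign_textbook(x, m, pow(k, -1, Q)))  # same (r, s)
```

A real signer draws a fresh, uniformly random k for every signature; the fixed value here only makes the run reproducible.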
A.2 Additive Homomorphic Encryption
An additive homomorphic encryption scheme allows users to compute the sum of two messages in ciphertext form. It consists of the algorithms \((\textsf{Setup}, \textsf{KeyGen}, \textsf{Enc}, \textsf{Dec}, \textsf{EvalSum},\textsf{EvalScal}) \). \(\textsf{Setup}(1^\lambda ) \rightarrow \textsf{params}\) takes the security parameter and outputs the system parameters \(\textsf{params}\). \(\textsf{KeyGen}(\textsf{params}) \rightarrow (\textsf{ek}, \textsf{dk})\) computes an encryption key and a decryption key from the system parameters. \(\textsf{Enc}_\textsf{ek}(m) \rightarrow C\) encrypts a message m under the encryption key \(\textsf{ek}\) and outputs the ciphertext C. \(\textsf{Dec}_\textsf{dk}(C) \rightarrow m\) recovers the plaintext m from C using the decryption key \(\textsf{dk}\). \(\textsf{EvalSum}_\textsf{ek}(C, C') \rightarrow \hat{C}\) evaluates the ciphertext \(\hat{C} = \textsf{Enc}_\textsf{ek}(a + b)\) for \(C = \textsf{Enc}_\textsf{ek}(a)\) and \(C' = \textsf{Enc}_\textsf{ek}(b)\). \(\textsf{EvalScal}_\textsf{ek}(C, s) \rightarrow C'\) scales \(C = \textsf{Enc}_\textsf{ek}(a)\) to \(C' = \textsf{Enc}_\textsf{ek}(s \cdot a)\).
The security of the additive homomorphic encryption follows the standard definition of indistinguishability against chosen plaintext attack (IND-CPA).
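The following is an added example, not code from the paper: a toy Paillier instance of the interface above, used for the share conversion \(\alpha = ab - \beta \) that Note 4 refers to, including the out-of-range case that the range proof in Note 4 excludes. Paillier (the paper itself instantiates with class groups), the toy primes, the stand-in group order `Q`, the blinding value `beta_prime` and all function names are assumptions made for the demonstration.

```python
import math
import secrets

Q = 2**19 - 1                  # toy stand-in for the ECDSA group order q (prime)
P1, P2 = 2**31 - 1, 2**61 - 1  # constructed toy primes; far too small for real use

def keygen(p, q):
    """Return (ek, dk) = (n, (n, phi, phi^{-1} mod n)), using g = n + 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))

def enc(ek, m):
    """Enc_ek(m) = (1 + m n) r^n mod n^2 for a random unit r."""
    r = secrets.randbelow(ek - 1) + 1
    while math.gcd(r, ek) != 1:
        r = secrets.randbelow(ek - 1) + 1
    return (1 + (m % ek) * ek) * pow(r, ek, ek * ek) % (ek * ek)

def dec(dk, c):
    n, phi, mu = dk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def eval_sum(ek, c1, c2):
    """Enc(a), Enc(b) -> Enc(a + b mod n)."""
    return c1 * c2 % (ek * ek)

def eval_scal(ek, c, s):
    """Enc(a), s -> Enc(s * a mod n)."""
    return pow(c, s, ek * ek)

EK, DK = keygen(P1, P2)

def mta(a, b, beta_prime):
    """Alice holds a, Bob holds b; returns (alpha, beta), alpha = a*b - beta mod Q."""
    c_a = enc(EK, a)                                   # Alice -> Bob
    c_b = eval_sum(EK, eval_scal(EK, c_a, b),
                   enc(EK, beta_prime))                # Bob -> Alice
    alpha = dec(DK, c_b) % Q   # plaintext is a*b + beta' mod n, then reduced mod Q
    beta = -beta_prime % Q     # Bob's additive share
    return alpha, beta

def shares_consistent(a, b, beta_prime):
    """True iff the two shares add up to a*b mod Q."""
    alpha, beta = mta(a, b, beta_prime)
    return (alpha + beta) % Q == a * b % Q

def out_of_range(b):
    """Same residue as b mod Q, but close to n, so a*b leaves the message space."""
    return b + Q * (EK // Q - 1)
```

With inputs below `Q` the plaintext never reaches n and the shares are consistent; with the out-of-range value the plaintext wraps modulo n before the reduction modulo `Q`, so the shares no longer add up to the product.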
A.3 Trapdoor Commitment
A commitment scheme consists of a tuple of algorithms \((\textsf{KeyGen}, \textsf{Com}, \textsf{Decom})\). \(\textsf{KeyGen}(1^\lambda ) \rightarrow \textsf{pk}\) generates a public key \(\textsf{pk}\). \(\textsf{Com}(\textsf{pk}, M) \rightarrow (C, D)\) takes the public key \(\textsf{pk}\) and a message M, then outputs the commitment string C and the decommitment string D. \(\textsf{Decom}(\textsf{pk}, C, D) \rightarrow \left\{ {M, \perp } \right\} \) takes the public key \(\textsf{pk}\), the commitment string C and the decommitment string D as input and outputs M if it succeeds and \(\perp \) otherwise.
A commitment scheme is considered secure if it fulfills the correctness, hiding and binding properties. Correctness requires that for all messages M and \(\textsf{pk}\leftarrow \textsf{KeyGen}(1^\lambda )\), \(M \leftarrow \textsf{Decom}(\textsf{pk}, \textsf{Com}(\textsf{pk}, M))\). Hiding means that for all messages \(M_1\) and \(M_2\) and \(\textsf{pk}\leftarrow \textsf{KeyGen}(1^\lambda )\), \(\textsf{Com}(\textsf{pk}, M_1)\) and \(\textsf{Com}(\textsf{pk}, M_2)\) are statistically indistinguishable. The binding property holds if any adversary \(\mathcal {A}\) wins the binding game with probability \(\textrm{Pr}[{\mathcal {A}\text { wins binding game}}] \le \textsf{negl}{(\lambda )}\).
Trapdoor Commitment with Efficient ZK Proof. A trapdoor commitment scheme has the additional algorithms \((\textsf{KeyGen}', \textsf{TCom}, \textsf{TDecom})\) fulfilling the following. \(\textsf{KeyGen}'(1^\lambda ) \rightarrow (\textsf{pk}, \textsf{tk})\) generates a public key \(\textsf{pk}\) and a trapdoor \(\textsf{tk}\). \(\textsf{TCom}(\textsf{pk}, \textsf{tk}) \rightarrow (C, \textrm{aux})\) outputs a commitment C and auxiliary information \(\textrm{aux}\) such that \(\textsf{TDecom}\) can open it to any specified message. \(\textsf{TDecom}(C, \textrm{aux}, M) \rightarrow D\) outputs the decommitment D by using \(\textrm{aux}\).
The additional algorithms are required to satisfy trapdoorness. We say a commitment scheme fulfills the trapdoorness property if, for all messages M, the following distributions: \( \{(\textsf{pk}, M, C, D): \textsf{pk}\leftarrow \textsf{KeyGen}(1^\lambda ), (C, D) \leftarrow \textsf{Com}(\textsf{pk}, M)\} \) and \( \{(\textsf{pk}, M, C, D): (\textsf{pk}, \textsf{tk}) \leftarrow \textsf{KeyGen}'(1^\lambda ), (C, \textrm{aux}) \leftarrow \textsf{TCom}(\textsf{pk}, \textsf{tk}); D \leftarrow \textsf{TDecom}(C, \textrm{aux}, M)\} \) are computationally indistinguishable.
Non-malleable Equivocable Commitment Scheme. The equivocable commitment scheme additionally contains \(\textsf{KeyGen}'\) and \(\textsf{Equiv}\). \(\textsf{KeyGen}'(1^\lambda ) \rightarrow (\textsf{pk}, \textsf{tk})\) generates a public key \(\textsf{pk}\) and a trapdoor \(\textsf{tk}\). \(\textsf{Equiv}(\textsf{pk}, \textsf{tk}, C, M') \rightarrow D'\) generates decommitment string \(D'\) using trapdoor \(\textsf{tk}\) such that \(\textsf{Decom}(\textsf{pk}, C, D') = M'\).
The additional algorithms are required to be equivocable and non-malleable. A commitment scheme is called equivocable if for all messages \(M, M'\), \((\textsf{pk}, \textsf{tk}) \leftarrow \textsf{KeyGen}'(1^\lambda )\), \((C, D) \leftarrow \textsf{Com}(\textsf{pk}, M)\) and \(D' \leftarrow \textsf{Equiv}(\textsf{pk}, \textsf{tk}, C, M')\), then \(M' \leftarrow \textsf{Decom}(\textsf{pk}, C, D')\). Non-malleable means that no adversary \(\mathcal {A}\) could generate \(C'\) related to C such that the decommitment of \(C'\) is computed from M.
B Trapdoor Commitments and Its ZK Proofs
We instantiate the trapdoor commitment \(\textsf{Com}_z\) as the Pedersen commitment \(\textsf{Com}(\textsf{pk}, m) \rightarrow (C, D)\) for \(C = mG + rH\) and \(D = (m, r)\). The ZK proof in Phase 5 can be instantiated directly following Algorithm 6 of [22]. The ZK proofs in Phases 7 and 8 follow the ZK proof in Sect. 3.3 of [15].
C Zero-Knowledge Proof for MtA(wc)
We give an informal description of the assumptions used in the HSM group here and refer to [22] for the complete definition. These hardness assumptions are defined on a prime number \(q > 2 ^ \lambda \) and an HSM group \({\mathcal {G}_\textrm{HSM}}= (\mathbb {G}, \mathbb {G}^q, \mathbb {F}, g, g_q, f, \tilde{s}, q)\) for \({\mathcal {G}_\textrm{HSM}}\leftarrow \textsf{GGen}_\textrm{HSM}(1^\lambda )\). If we denote H as a generator in the ECC group with prime order q, then

We have two important facts in the HSM group. The first one is adaptive root subgroup hardness: given q and the HSM group \({\mathcal {G}_\textrm{HSM}}\), it is hard to find \(u ^ \ell = w\) and \(w ^ q \ne 1\) for specific \(\ell \leftarrow \textsf{Primes}(\lambda )\). The other one is non-trivial order hardness, which states that given q and \({\mathcal {G}_\textrm{HSM}}\), it is hard to find \(h \ne 1 \in \mathbb {G}\) such that \(h ^ d = 1\) and \(d < q\).
Theorem 2
The protocol is an argument of knowledge in the generic group model.
Proof
We rewind the adversary on fresh challenges \(\ell \) so that each accepting transcript outputs a tuple \((Q_1, Q_2, R_1, R_2,{P_1}, r_\rho , r_\gamma , \ell )\). Recall that we have \(C_2 \in G^q\). By the PoKRepS protocol in [22], with overwhelming probability there exist \(\rho ^*, \gamma ^* \in \mathbb {Z}\) s.t. \(\rho ^* = r_\rho \) mod \(\ell \) and \(\gamma ^* = r_\gamma \) mod \(\ell \), and \(g_q^{\rho ^*} C_2^{\gamma ^*} = S_2 \tilde{C}_2^c \). Since \(S_2 \tilde{C}_2^c = (D_2 E_2)^{q} g_q^{e_\rho } C^{e_\gamma }_2\), it implies \(\rho ^* = e_\rho \) mod q and \(\gamma ^* = e_\gamma \) mod q. Considering 2 cases, \(\textsf{pk}^{\rho ^*} C_1^{\gamma ^*} f^{u_\beta } = S_1 \tilde{C}_1^c\) holds with overwhelming probability.
Next we consider the rewinding of c. The extractor obtains a pair of accepting transcripts with \((\rho ^*, \gamma ^*, u_\beta , c)\) and \((\rho ', \gamma ', u'_\beta , c')\). The extractor can compute \(\varDelta _{\rho } = \rho ^* - \rho '\), \(\varDelta _{\gamma } = \gamma ^* - \gamma '\) and \(\varDelta _{u_\beta } = u_\beta - u'_\beta \) mod q. We denote \(\rho = \frac{\varDelta _{\rho }}{\varDelta _{c}}, \gamma = \frac{\varDelta _{\gamma }}{\varDelta _{c}}\) and \(\beta = \frac{\varDelta _{u_\beta }}{\varDelta _c}\) mod q. Hence we have \( \tilde{C}_1^{\varDelta _c} = (\textsf{pk}^\rho C^{\gamma }_1 f^\beta )^{\varDelta _c}. \) If \(\tilde{C}_1 \ne \textsf{pk}^\rho C^{\gamma }_1 f^\beta \), then \(\frac{\textsf{pk}^\rho f^\beta C^{\gamma }_1}{\tilde{C}_1}\) is a non-trivial element of order \(\varDelta _c < q\), which contradicts the hardness of finding a non-trivial element and its order in the generic group model.
Our scheme includes a sub-protocol ZKPoKRepS on input \(\tilde{C}_2\) w.r.t. the base \(g_q \in G \setminus F\). Since ZKPoKRepS is an argument of knowledge, there exists an extractor to extract the same \((\gamma , \rho )\) such that \(\tilde{C}_2 = C^\gamma _2 g^\rho _q\). Hence the extractor can output
such that
,
. \(\square \)
Theorem 3
The protocol is an honest-verifier statistically zero-knowledge argument of knowledge for relation
in the generic group model.
Proof
The simulator Sim randomly picks a challenge \(c' \in [0,q-1]\) and a prime \(\ell ' \in \textsf{Primes}(\lambda )\). It picks a random \(u'_\beta \in \mathbb {Z}_q\), \(q'_\rho , q'_\gamma \in [0, B-1]\) and \(r'_\rho , r'_\gamma \in [0, \ell '-1]\).
It finds \(d'_\rho ,d'_\gamma \in \mathbb {Z}\) and \(e'_\rho ,e'_\gamma \in [0, q-1]\) such that \( d'_\rho q + e'_\rho = q'_\rho \ell ' + r'_\rho ,\quad d'_\gamma q + e'_\gamma = q'_\gamma \ell ' + r'_\gamma . \)
It computes:
We argue that the simulated transcript is indistinguishable from a real one \((S_1, S_2, \underline{S_3}, c, u_\beta , D_1, D_2, E_1,E_2, e_\rho , \ell , Q_1, Q_2,R_1,R_2, \underline{P_1}, r_\rho , r_\gamma )\) between a prover and a verifier. Sim chooses \((\ell ', c')\) identically to the honest verifier. Both \(u_\beta \) and \(u'_\beta \) are uniformly distributed in \(\mathbb {Z}_q\). \((S'_1, S'_2, \underline{S'_3}, D'_1, D'_2,E'_1, E'_2, e'_\rho , e'_\gamma )\) is uniquely defined by the other values such that the verification holds.
We compare the simulated transcript \((Q'_1, Q'_2,R'_1, R'_2,\underline{P'_1}, r'_\rho , r'_\gamma )\) and the real transcript \((Q_1, Q_2,R_1,R_2,\underline{P_1}, r_\rho , r_\gamma )\). We need to prove that, in the real protocol, independent of \(\ell \) and c, either \(r_\rho \) or \(r_\gamma \) has a negligible statistical distance from the uniform distribution over \([0, \ell -1]\) and each one of \(\textsf{pk}^{q_\rho }, g_q^{q_\rho }, C^{q_\gamma }_1, C^{q_\gamma }_2, \underline{{q_\gamma }H}\) has negligible statistical distance from uniform over \( G_k =\langle \textsf{pk}\rangle , G^q\), \(G_1=\langle C_1 \rangle ,G_2 =\langle C_2 \rangle , \langle h \rangle \) respectively. In addition, each of \(Q_1, Q_2, R_1,R_2,\underline{P_1},r_\rho , r_\gamma \) is independent of the others. Then, the simulator produces statistically indistinguishable transcripts. The complete proof is as follows.
Consider fixed values of \(c, \rho \) and \(\ell \). In the real protocol, the prover computes \(u_\rho = c \rho + s_\rho \) where \(s_\rho \) is uniform in \([-B, B]\) and sets \(r_\rho = u_\rho \) mod \(\ell \). By Fact 1, the value of \(u_\rho \) is distributed uniformly over a range of \(2B+ 1\) consecutive integers, thus \(r_\rho \) has a statistical distance at most \(\ell /(2B + 1)\) from uniform over \([0, \ell -1]\). This bounds the distance between the real \(r_\rho \) and the simulated \(r'_\rho \), which is uniform over \([0, \ell -1]\). Similarly, \(\ell /(2B + 1)\) also bounds the distance between \(r_\gamma \) and \(r'_\gamma \).
Next, \(g_q^{q_\rho }\) is statistically indistinguishable from uniform in \(G^q\). By the triangle inequality, the statistical distance of \(q_\rho \) mod \(|G^q|\) from uniform is at most \(\frac{2^{\lambda +1}}{B} + \frac{2^{\lambda -1}|G^q|}{B+1-2^\lambda }\). We consider the joint distribution of \((\textsf{pk}^{q_\rho }, g_q^{q_\rho })\) and \(r_\rho \). Consider the conditional distribution of \(q_\rho |r_\rho \). Note that \(q_\rho = z\) if \((s_\rho - r_\rho )/\ell = z\). We repeat a similar argument as above for bounding the distribution of \(q_\rho \) from uniform. For each possible value of z, there always exists a unique value of \(s_\rho \) such that \(\left\lfloor {\frac{s_\rho }{\ell }}\right\rfloor = z\) and \(s_\rho = 0\) mod \(\ell \), except possibly at the two endpoints \(E_1, E_2\) of the range of \(q_\rho \). When \(r_\rho \) disqualifies the two points \(E_1\) and \(E_2\), then each of the remaining points \(z \notin \{E_1, E_2\}\) still has equal probability mass, and thus the probability \(\Pr (q_\rho = z|r_\rho )\) increases by at most \(\frac{1}{|Y|} - \frac{\ell }{2B+1}\), which also applies to the variable \((\textsf{pk}^{q_\rho }, g_q^{q_\rho }) |r_\rho \). Similarly, the probability \(\Pr (q_\gamma = z|r_\gamma )\) increases by at most \(\frac{1}{|Y|} - \frac{\ell }{2B+1}\), which also applies to the variable \((\textsf{pk}^{q_\gamma }, g_q^{q_\gamma }, \underline{h^{q_\gamma }}) |r_\gamma \).
We can compare the joint distributions \(X'_\rho = (\textsf{pk}^{q_\rho }, g_q^{q_\rho }, r_\rho )\) to the simulated distribution \(Y'_\rho = (\textsf{pk}^{q'_\rho }, g_q^{q'_\rho }, r'_\rho )\) using Fact 3.

Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Pan, S., Chan, K.Y., Cui, H., Yuen, T.H. (2022). Multi-signatures for ECDSA and Its Applications in Blockchain. In: Nguyen, K., Yang, G., Guo, F., Susilo, W. (eds) Information Security and Privacy. ACISP 2022. Lecture Notes in Computer Science, vol 13494. Springer, Cham. https://doi.org/10.1007/978-3-031-22301-3_14
DOI: https://doi.org/10.1007/978-3-031-22301-3_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22300-6
Online ISBN: 978-3-031-22301-3
eBook Packages: Computer Science, Computer Science (R0)