1 Introduction
1.1 Overview and our contributions
1.2 Review of Schnorr and BLS signatures, notation
Schnorr [19] | BLS [7] | |
---|---|---|
S
e
t
u
p
|
G = 〈g〉, prime order p
|
G
1 = 〈g
1〉, G
2 = 〈g
2〉, G
T
, prime order p
|
\(\mathsf {H}: \{0,1\}^{*} \rightarrow \mathbb {Z}_{p}\), full-domain |
\(\mathsf {H}:\{0,1\}^{*} \rightarrow G_{1}\), full-domain | |
\(e:G_{1} \times G_{2} \rightarrow G_{T}\), bilinear | ||
K
e
y
G
e
n
|
\(x \leftarrow _{\$}\mathbb {Z}_{p}\)
|
\(x \leftarrow _{\$}\mathbb {Z}_{p}\)
|
\(\textsf {sk} = x \in \mathbb {Z}_{p}\)
|
\(\textsf {sk} = x \in \mathbb {Z}_{p}\)
| |
pk = g
x
∈ G
| pk = (y
1, y
2) = (g
1
x
, g
2
x
) ∈ G
1 × G
2
| |
S
i
g
n(sk,m) |
\(k \leftarrow _{\$} \mathbb {Z}_{p}\)
|
σ =H(m)sk ∈ G
1
|
σ = (h, s) | ||
= (H(g
k
||m),sk⋅h + k) | ||
\(\phantom {\sigma =}\in \mathbb {Z}_{p} \times \mathbb {Z}_{p}\)
| ||
V
e
r(pk,σ, m) |
\(h \overset {?}{=} \mathsf {H}(g^{s}{\cdot }\textsf {pk}^{-h} \vert \vert m)\)
|
\(e(\mathsf {H}(m),y_{2}) \overset {?}{=} e(\sigma , g_{2})\)
|
1.3 Standard and strong unforgeability
1.4 Single-user and multi-user settings
1.5 A brief history of multi-user schnorr signature security and related work
2 BLS signatures
S
e
t
u
p, K
e
y
G
e
n
| Same as BLS (Table 1) |
S
i
g
n(s
k, m) |
σ =H(p
k||m)
s
k
∈ G
1
|
V
e
r(p
k, σ, m) |
\(e(\mathsf {H}(\mathsf {pk}\vert \vert m), {y_{2}}) \overset {?}{=} e(\sigma , g_{2})\)
|
3 Aggregate signatures
3.1 General aggregate signature security model
-
When a forger requests a signature on a message from a signing oracle, it has already obtained the hash of this message from the hashing oracle.
-
A forger never makes the same query twice.
-
When a forger outputs a signature on a message (or messages), every message was previously hashed.
3.2 BGLS and key-prefixing
S
e
t
u
p
|
G
1 = 〈g
1〉, G
2 = 〈g
2〉, G
T
, prime order p
|
\(\mathsf {H}:\{0,1\}^{*} \rightarrow G_{1}\), full-domain | |
\(e:G_{1} \times G_{2} \rightarrow G_{T}\), bilinear | |
K
e
y
G
e
n
|
\(x \leftarrow _{\$} \mathbb {Z}_{p}\)
|
\(\mathsf {sk} = x \in \mathbb {Z}_{p}\)
| |
p
k = (y
1, y
2) = (g
1
x
, g
2
x
) ∈ G
1 × G
2
| |
S
i
g
n(s
k, m) |
σ =H(m)
s
k
∈ G
1
|
A
g
g(σ
1,…,σ
k
) |
\(\sigma _{A} = {\prod }_{i=1}^{k} \sigma _{i} \in G_{1}\)
|
A
g
g
V
e
r(σ
A
, (p
k
1, m
1),…, (p
k
k
, m
k
)) |
\({\prod }_{i=1}^{k} e(\mathsf {H}(m_{i}), y_{2,i}) \overset {?}{=} e(\sigma _{A}, g_{2})\)
|
-
Require users to prove knowledge of their private keys (e.g., by disclosing their private keys to a trusted party).
-
Require users to prove possession of their private keys (e.g., by signing random messages that will never be used in practice).
-
Require all of the messages in one aggregate signature to be distinct.
S
e
t
u
p, K
e
y
G
e
n, A
g
g
| Same as BGLS (Table 3) |
S
i
g
n(s
k, m) | Same as BLS-KP (Table 2) |
A
g
g
V
e
r(σ
A
, (p
k
1, m
1),…, (p
k
k
, m
k
)) |
\({\prod }_{i=1}^{k} e(\mathsf {H}(\mathsf {pk}_{i} \vert \vert m_{i}), y_{2,1}) \overset {?}{=} e(\sigma _{A}, g_{2})\)
|
S
e
t
u
p, K
e
y
G
e
n
| Same as BGLS (Table 3) |
S
i
g
n(s
k, m) | (σ =H(b||p
k||m)
s
k
, b) ∈ G
1 ×{0, 1} |
A
g
g((σ
1, b
1),…, (σ
n
, b
k
)) |
\((\sigma _{A}={\prod }_{i=1}^{k} \sigma _{i}, b_{1}, \ldots , b_{k}) \in G_{1} \times \{0,1\}^{k}\)
|
A
g
g
V
e
r(σ
A
, (p
k
1, m
1),…, (p
k
k
, m
k
),b
1,…,b
k
) |
\({\prod }_{i=1}^{k} e(\mathsf {H}(b_{i} \vert \vert \mathsf {pk}_{i} \vert \vert m_{i}),y_{2,i}) \overset {?}{=} e(\sigma _{A}, g_{2})\)
|
3.3 BGLS security in a truly multi-user setting
-
\(I_{D} := \{i \in [k] : m^{*}_{i} = m^{*}_{1} \text { and} \ \mathsf {pk}^{\prime }_{i} = \mathsf {pk}^{\prime }_{1} \}\)
-
\(I_{NK} := \{i \in [k] : \mathsf {pk}^{\prime }_{i} \notin \{\mathsf {pk}_{1},\ldots ,\mathsf {pk}_{n}\} \}\)
-
\(I_{GK} := \{i \in [k]\setminus I_{D} : \mathsf {pk}^{\prime }_{i} = \mathsf {pk}_{gk_{i}} \text { for some} \ gk_{i} \in [n] \}\)
-
\(I_{NK} := \{i \in [k] : \mathsf {pk}^{\prime }_{i} \notin \{\mathsf {pk}_{1},\ldots ,\mathsf {pk}_{n}\} \}\)
-
\(I_{RH} := \{i \in [k] \setminus I_{NK} : \mathsf {pk}^{\prime }_{i} = \mathsf {pk}_{gk_{i}} \text { for some } gk_{i} \in [n]\) and \(b^{*}_{i} = b_{m^{*}_{i},i} \}\)
-
\(I_{HH} := \{i \in [k] \setminus I_{NK} : \mathsf {pk}^{\prime }_{i} = \mathsf {pk}_{gk_{i}} \text { for some } gk_{i} \in [n]\) and \(b^{*}_{i} \neq b_{m^{*}_{i},i} \}\)