Threshold Signatures in the Multiverse
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Threshold Signatures in the Multiverse Leemon Baird‡ , Sanjam Garg∗§ , Abhishek Jain† , Pratyay Mukherjee¶ , Rohit Sinha‡‡ , Mingyuan Wang∗ , Yinuo Zhang∗ ∗ UC Berkeley † Johns Hopkins University ‡ Swirlds Labs § NTT Research ¶ Supra ‡‡ Meta Abstract—We introduce a new notion of multiverse trusted aggregator can combine them into a compact sig- threshold signatures (MTS). In an MTS scheme, multiple nature attesting that a threshold number of signers signed universes – each defined by a set of (possibly overlapping) m. Threshold signatures have seen widespread use in signers, their weights, and a specific security threshold – can co-exist. A universe can be (adaptively) created via a recent years, especially within the blockchain ecosys- non-interactive asynchronous setup. Crucially, each party tem [43]. Furthermore, efforts to standardize threshold in the multiverse holds constant-sized keys and releases cryptosystems have already begun [39]. compact signatures with size and computation time both Threshold signatures have traditionally been studied in independent of the number of universes. Given sufficient a static setting where the signers and the threshold are partial signatures over a message from the members of a specific universe, an aggregator can produce a short fixed and all verifiers have the same belief (i.e., trust) aggregate signature relative to that universe. in the signers. However, as we discuss shortly, emerging We construct an MTS scheme building on BLS sig- applications in blockchains involve verifiers who do not natures. Our scheme is practical, and can be used to necessarily share the same beliefs. In particular, each reduce bandwidth complexity and computational costs in verifier might live in its own universe, where it trusts decentralized oracle networks. As an example data point, consider a multiverse containing 2000 nodes and 100 only a specific subset of signers and wishes to choose universes (parameters inspired by Chainlink’s use in the its own security threshold. We ask whether it is possible wild), each of which contains arbitrarily large subsets to design threshold signature schemes where multiple of nodes and arbitrary thresholds. Each node computes such universes can co-exist. and outputs 1 group element as its partial signature; the aggregator performs under 0.7 seconds of work for each A naı̈ve approach to handle this scenario involves aggregate signature, and the final signature of size 192 simply executing a fresh instance of a threshold signature bytes takes 6.4 ms (or 198K EVM gas units) to verify. For scheme for each universe. This, however, leads to highly this setting, prior approaches, when used to construct MTS, impractical solutions even for modest choices of param- yield schemes that have one of the following drawbacks: (i) eters (see discussion later in this section). The main goal partial signatures that are 48× larger, (ii) have aggregation times 311× worse, or (iii) have signature size 39× and of our work is to address this scalability challenge. verification gas costs 3.38× larger. We also provide an open- source implementation and a detailed evaluation. Multiverse Threshold Signatures. We introduce a new notion of multiverse threshold signatures (MTS), where I. I NTRODUCTION at any time, a verifier can define a new universe contain- ing any subset of the parties present in the system. The A threshold signature scheme [25], [26] allows for multiverse is the set of all such (possibly overlapping) distributing a secret signing key among multiple parties universes with possibly different security thresholds. A such that each party can (non-interactively) generate party signs a message irrespective of what (or how many) a partial signature over any message m using its key universes it is in, and an aggregator can take a threshold share.2 Given sufficiently many partial signatures, an un- number of partial signatures corresponding to a universe 1 The second author was supported in part by DARPA under Agree- and produce a short aggregate signature (independent of ment No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF the size of the universe) that can be verified under the CNS Award 1936826, and research grants by the Sloan Foundation, and specific universe’s verification key. Visa Inc. The third author was supported in part by NSF CNS-1814919, An MTS scheme must satisfy the following properties: NSF CAREER 1942789, Johns Hopkins University Catalyst award, AFOSR Award FA9550-19-1-0200, Office of Naval Research Grant 1) non-interactive setup: a universe involving any set N00014-19-1-2294, JP Morgan Faculty Award, and research gifts from of parties can be setup via a non-interactive protocol. Ethereum, Stellar and Cisco. Any opinions, findings and conclusions, or recommendations in this material are those of the authors and do 2) compact keys: each party’s state is oblivious to the not necessarily reflect the views of the United States Government or universes that it belongs to. In particular, each party’s DARPA. Part of the work was done when the fourth, fifth, and seventh key material (and state) is independent of the number authors were at Swirlds Labs, and the third author visited UC Berkeley. 2 Our work primarily focuses on non-interactive signing. We remark of universes that it participates in. that some threshold signature schemes only support interactive signing. 3) compact partial signatures: each party’s partial sig-
nature is compact, i.e., it is independent of the num- be modeled as a separate universe with a specific subset ber of universes the party belongs to. In particular, of all nodes and a specific threshold. its partial signature should be reusable for computing As signature verification is done by a smart contract, aggregate signatures across different universes. it places additional efficiency requirements for MTS. In 4) fast aggregation and verification: it should take particular, we need the verification EVM gas costs to constant time to verify an aggregated signature for be small. any universe. In the best case, aggregation will be Drawbacks of existing approaches. While the notion linear in the number of partial signatures – we require of MTS is new to this paper, we observe the drawbacks that this aggregation be concretely efficient. of existing approaches in realizing MTS. As discussed The security requirements are similar to that of stan- earlier, a naı̈ve approach for the multiverse setting can dard threshold signatures. Namely, we require that an be obtained by implementing an independent copy of aggregate signature associated with a universe can only a threshold signature scheme for every universe. It is be verified when a threshold number of parties in that not hard to see, however, that such a solution quickly universe have signed the corresponding message. runs into scalability issues. A node that belongs to n Our multiverse model is inspired by an important different universes would need to use n different signing scaling issue that arises in oracle networks for smart keys to sign the same message n-many times, generating contracts, which rely heavily on threshold signatures. n-many partial signatures, which are then broadcast to the aggregator. Hence, the state size, signature size, and Application: Decentralized Oracle Networks. Oracles computation all scale linearly with n. Consider some enable smart contracts to perform transactions based on data points based on the metrics reported by ChainLink. off-chain data, such as issuing DeFi transactions based For example, even with 20 universes, and each universe on the exchange rate of tokens or automatically pro- spanning an average of 500 (active) nodes who will sign tecting user funds during an undercollateralization event the message, an aggregator receives 0.46 MB worth of (e.g., unforeseen fractional reserve practices from off- partial signatures, for a single message (data feed), or chain custodians [1]). In Chainlink [19], [27],3 whenever more challengingly, nearly 1 GB traffic for over 2000 the data feed’s value (e.g., MKR/ETH exchange rate) data feeds served by the Chainlink network4 . This is for fluctuates beyond a limit, the oracle nodes collectively a single message! This approach quickly exhausts band- agree on a new value to submit on-chain along with a width on a peer-to-peer network. The problem becomes threshold signature that is verified by the smart contract. completely unmanageable in the weighted setting,5 as Historically, smart contract authors have shared the both the network traffic and the signer’s computation are same data feed, whenever possible, typically to offset linear in the weights. high gas costs on platforms such as Ethereum. However, To avoid such scaling issues, one can devise an with substantially higher throughput and lower fees on alternative solution by using succinct non-interactive the next generation of smart contract platforms, and with arguments of knowledge (SNARK) [11], [12]. The high- the increased set of applications with diverse security level idea is to design an aggregator who computes and cost profiles, the one-size-fits-all approach is no a SNARK attesting to having witnessed a threshold longer adequate. For instance, contracts that perform number of signatures over a message. This approach, autonomous real-time auditing of collateral prefer the however, yields prohibitive aggregation costs. Even using (proof-of-reserve [1]) data feed to be fulfilled by a set of state-of-the-art SNARKs (such as PLONK [29]) and the highly reputed and rigorously audited oracle nodes [6]; most efficient signature schemes such as EdDSA [10] such contracts may also choose higher thresholds for results in aggregation time in the order of a few minutes the signature. On the opposite end of the spectrum, for modest choices of parameters (see Section VI). contracts with lower security needs (e.g., sports betting) Moreover, even such performance numbers are only pos- may opt for lower-cost oracle nodes and latency-sensitive sible when we instantiate EdDSA with SNARK-friendly applications may choose highly available nodes, or opt hash functions such as MiMc [7], whose security is for lower security thresholds for the signatures. Indeed, not well-understood. Finally, we note that this approach Chainlink’s users already have the appropriate knobs inherently makes non-black-box use of the hash function – i.e., choice of oracle nodes (with reputation scores), 4 In Chainlink’s protocol [19], for each message to be signed, there signing threshold, etc. This scenario naturally maps to is a single leader who prepares the message and requests all nodes our multiverse setting since each separate preference can (that are supporting the relevant price feed, for instance) to sign it. 5 In a weighted setting, instead of a T out of N access structure, parties are assigned different weights, and aggregation is possible 3 At the time of writing, Chainlink is the largest oracle network, com- only when partial signatures are produced by parties whose combined prising over 300 participant nodes, serving over 2000 data feeds, and weight is larger or equal to the threshold. A special case of this is the generating over $4.5M USD in monthly revenue for the participants. standard threshold setting, in that each party has equal weight. 2
and therefore does not yield a security proof in the interactive asynchronous setup property, nodes can Random Oracle Model. go offline without being penalized (though economic We also consider the Micali et. al.’s [38] SNARK ap- incentives encourage honest participation); that is, a node proach specialized to the signature setting for obtaining can come online and participate in a universe’s creation smaller aggregation times. However, this reduction in independently of other nodes. Compare this to the setup aggregation time is at the cost of a larger signature size for BLS, where parties engage in an interactive DKG and an increase in the verification gas cost, which is protocol [24], [33]. The signing phase is identical to undesirable for our application. BLS, so parties operate non-interactively, and a threshold Finally, one may wonder if multisignatures [14], [37] number of correct participants is sufficient to construct can be used to construct multiverse threshold signa- an aggregate signature. We stress that having a compact tures. In particular, every party samples its own public state and a non-interactive setup not only makes the key/secret key pair; the public key of each universe system efficient, but also greatly simplifies its design. would be the public keys of all the users in the universe. Our Contribution. The contribution of this work is To aggregate partial signatures, the aggregator generates two-fold: we first present formal definitions of multi- a multisignature6 on all the partial signatures to certify verse threshold signatures. Second, we give the first that enough parties from the universe sign the message. construction of an MTS scheme building on the BLS The apparent advantages of this approach are that: 1) signature. We prove that our scheme satisfies existen- a party’s private key is oblivious to the universes that tial unforgeability based on the knowledge of exponent it belongs to; 2) there is no setup phase; and, 3) in assumption [23]. We provide an open-source implemen- the weighted setting, the aggregator’s computation is tation of our scheme at http://github.com/rsinha/mts. We independent of weights, providing off-chain scalability then present a detailed evaluation of our MTS scheme, in the case of oracle networks. However, the multisig where we show that it is practical for application to approach has prohibitive performance and cost concerns decentralized oracle networks. on the verification side. For instance, the aggregated sig- nature itself needs to contain the information regarding II. T ECHNICAL OVERVIEW which set of parties have signed; thus, the signature size is linear in the universe size. On that note, the In this section, we give a high-level overview of our universe’s public verification key and the verification construction of the BLS-based [16] multiverse threshold time also grow linearly in the size of the universe. In signature scheme. For simplicity, the presentation in this the case of oracle networks, these drawbacks make the section only considers the unweighted setting, but it smart contract prohibitively expensive; on Ethereum, it naturally extends to the weighted setting. takes up to 60 million gas to set up the smart contract for 2000 signers, which is prohibitive. We provide a A. The Multiverse Model cost analysis for the multisignature-based approach (on A multiverse is a possibly overlapping set of uni- Ethereum smart contracts) in Section VI. verses each containing an arbitrary subset of all parties {P1 , P2 , . . .} in the system and a specific threshold. Advantages of MTS. We now describe how the effi- When a new party Pi enters the system, it chooses a ciency features of MTS can help address the shortcom- private key ski and publishes the corresponding public ings of existing approaches. Recall that while selecting a key pki . Then, the online parties engage in a separate data feed, a smart contract specifies an access structure, setup phase for each universe, where each party indepen- which includes the set of oracle nodes, their weights, dently contributes randomness to the public parameters and a threshold. Hence, a data feed maps to a universe, unique to that universe. Once a universe is set up, it can wherein the highly reputed oracle nodes would typically be used to produce threshold signatures. During signing, be members of a large number of universes. each party Pi uses its private key ski to sign a message The compact partial signatures property of MTS m, and the partial signature is broadcasted or sent to addresses the bandwidth concern: the bandwidth reduces an aggregator – this step is totally agnostic of any uni- from 1 GB to 1 MB for the data point discussed above. verse. For each universe, there is a separate aggregating Second, regardless of the node’s weight or the number procedure which combines the partial signatures for that of smart contracts (universes), each node must only particular universe. Crucially, the partial signatures are keep a compact key of size the security parameter κ “reusable” so that the same partial signature can be used = 128 bits, and does not require any information about in an unlimited number of aggregation procedures across its universes during signing. Finally, due to the non- multiple universes to produce many signatures on the 6 Note that this aggregate signature is not unique, as any multisigna- same message. Each aggregated signature verifies only ture aggregated from enough partial signatures will pass verification. with respect to a specific universe. 3
The setup phase can happen concurrently with other ski ← Fp and publishes the public-key pki = g ski . setups or signing phases. Moreover, both the setup Note that the secret keys sk1 , . . . , skN implicitly de- and signing phases are fully asynchronous and non- fines a degree-(N − 1) polynomial f (hidden from all interactive, and they require honest participation from parties) where f (i) = ski . Moreover, any evaluation only a threshold (say, T ) number of parties. of this polynomial, and in particular the verification We emphasize that, in our model, we do not assume key pk = g f (0) , can be constructed via Lagrange the aggregator to be honest for unforgeability. interpolation in the exponent. Now, we notice that if N − T points on this polynomial f are somehow made B. Construction public, this effectively reduces the degree of the poly- Background on Threshold BLS. We start by recalling nomial f from N − 1 to T − 1. For instance, suppose the standard threshold BLS signature scheme. Let G be f (−1), f (−2), . . . , f (−(N − T )) are publicly known. a group with a prime order p and a generator g where Then, given any T signatures {H(m)ski }i , an aggregator the standard pairing-based assumption holds. Let H be can compute H(m)f (−1) , . . . , H(m)f (−(N −T )) locally a cryptographic hash function that maps messages to and subsequently is able to compute the aggregated group elements. In the threshold BLS signature scheme, signatures σ = H(m)f (0) . there is a setup phase, in that a random secret key Although this approach works for a single universe, it sk ← Fp is sampled and shared among the parties breaks down when used directly in a multiverse setting. using Shamir secret sharing for a threshold T ; the The crux of the problem stems from the fact that since public key is set to be pk = g sk . Let ski be party-i’s the evaluations for different polynomials (corresponding share. To ensure complete decentralization the setup is to different universes) collide, it ends up revealing too implemented by an interactive distributed key generation many linear equations. Let us elaborate with an example. (DKG) protocol such as [33]. To sign a message m, Consider four parties among which P1 and P2 are honest, party i uses ski to compute H(m)ski as its (partial) but Pe3 and Pe4 are controlled by the adversary. Now signature. Given at least T signatures {H(m)ski }i , one consider a universe U that consists of P1 , P2 , Pe3 and can simply use Lagrange interpolation to compute the has a threshold 2, which means the evaluation fU (−1) aggregated threshold signature H(m)sk , which verifies is public where fU is the secret degree-2 polynomial as e(pk, H(m)) = e(g, H(m)sk ). corresponding to universe U . Again, assume another Extending Threshold BLS to the Multiverse. To universe U ′ consisting of P1 , P2 and Pe4 with threshold extend this scheme from a single universe to a multiverse 2 – this implies the point fU ′ (−1) of polynomial fU ′ is setting, one encounters several roadblocks. First, a naı̈ve also public. Now note that, since fU (−1) and fU ′ (−1) approach is to simply repeat the threshold BLS for every each reveal one linear relation about the honest party’s universe. That is, to create a new universe, involving secret keys sk1 and sk2 , the malicious parties could parties will engage in a fresh instance of the DKG potentially use them to reconstruct sk1 and sk2 entirely!7 protocol to generate new secret shares of this new To resolve this issue in the multiverse setting, we universe. As mentioned before, this runs into a scalability refrain from publishing additional points explicitly to issue as for each party the size of the secret key, the reduce the threshold, but instead change how verification computation, and the corresponding signatures all grow works and use the additional points in the exponent linearly with the number of universes. Recall that, we (which, as mentioned above, everyone can compute from need our signatures to be generated independently of any the public keys). Without loss of generality, suppose universe. However, it appears hard to achieve if the setup that P1 , P2 , . . . , PT sign a message m. Each party phase generates correlated shares of the secret-keys – this Pi publishes H(m)f (i) as a partial signature. Addi- makes the individual secret-key shares compatible only tionally, one can compute the public points g f (j) for with one public-key and hence one universe. Therefore j ∈ {−1, −2, . . .}. The challenge is now to use these we change the setup phase in a way, which ensures that together to ensure verification as well as unforgeability. the individual secret-keys are compatible with different public-keys. Our Approach. We let each party pick its own se- cret key independently and publish the corresponding public-key. Then each universe combines a different 7 For instance, by Lagrange interpolation over degree-2 polynomial, combination of the public-keys to compute a universe- we have f (−1) = 6f (1) − 8f (2) + 3f (3). In the first universe with specific public-key. In more detail, suppose a universe ordering P1 , P2 , Pe3 , the adversary learns 6sk1 − 8sk2 . In the second universe with ordering Pe4 , P1 , and P2 , it learns −8sk1 + 3sk2 . In consists of parties P1 , P2 , . . . , PN with a threshold T . any field F, where (6, −8) and (−8, 3) are linearly independent, the Then each party Pi chooses an independent secret-key adversary could fully reconstruct sk1 and sk2 . 4
8 P To see this, we first express the secret key as follows: where k = i ki . An aggregator now additionally pub computes σ1 that needs to pass a second verification f (0) = λ−1 f (−1) + · · · + λ−(N −T ) f (−(N − T )) + | {z } equation: Public Points e(σ pub , g k ) = e(σ1pub , g). (2) λ1 f (1) + · · · + λT f (T ), | {z } This check ensures that as long as σ pub is a linear Partial Signatures combination of the public points, one can compute σ1pub where the λi ’s are the appropriate Lagrange coefficients. by using the same linear combination on the public pa- For the ease of notation, let us write f (0) = f pub (0) + rameter. Alternatively, if σ pub is not a linear combination f par (0), where f pub (0) stands for the public points part of the public points, one can not find the unique σ1pub and f par (0) stands for the partial signature part. We that passes Equation 2 except with negligible probability. observe that Unforgeability follows from the fact that as long as σ pub pub par is a linear combination of the public points, the adver- e g, H(m)f (0) = e g, H(m)f (0)+f (0) sary never knows the exponent of pk/σ pub and without knowing that one can not forge a signature. Hence, we pub par = e g f (0) , H(m) · e g, H(m)f (0) . prove existential unforgeability assuming a variant of the Therefore, the verification procedure could check widely used knowledge of exponent assumption [23]. pk The above modification leads to a one-round setup e , H(m) = e(g, σ par ), (1) phase. However, this also requires a stateful aggregator, σ pub because the aggregator needs to use the entire public where the aggregator computes the threshold signature parameter pp during aggregation and, hence, needs to par σ par = H(m)f (0) from the partial signatures and the maintain it in its local state. pub verifier later computes σ pub = g f (0) from the public points. Note that, both these computations require the Handling Offline Parties. One salient feature about knowledge of participating sets (as Langrage coefficients the setup phase is that it does not require all parties to depend on that information). This becomes a problem be online. In particular, the security only relies on the for the verifier, as by definition threshold signature presence of one honest party who contributes a random verification should be agnostic about the participating ki to the random power k. Therefore, with a corruption sets. Furthermore, the verification procedure needs to threshold of T − 1, the setup of a universe is successful perform O(N ) amount of work to compute σ pub incur- as long as ⩾ T parties participate in the setup phase. ring significant computation cost. Extension to the weighted setting. One can extend A potential way to resolve this issue could be to our scheme to the weighted setting via the standard ask the aggregator to also compute σ pub . The verifier virtualization approach. That is, if party Pi has weight would then verify the aggregated signature (σ pub , σ par ) Wi , it participates in the protocol as Wi (virtual) parties, by checking Equation 1. However, one can see that this by computing Wi partial signatures. To that end, Pi construction is not secure. Note that for any α ∈ Fp , persists a κ-bit secret key, and uses PRG expansion (σ pub , σ par ) = pk · g −α , H(m)α to derive Wi secret values. Crucially, we also allow a party to have different weights in different universes. A is a signature that will pass Equation 1 violating unforge- subtle issue here is that we want the signing step to be ability completely. This attack is due to the fact that σ pub agnostic to any universe. Hence, if a party has different is not the correct aggregation of the public points. Rather, weights in different universes, it is unclear how many the adversary intentionally picks σ pub such that it knows partial signatures it should compute. Motivated by our the exponent of pk/σ pub , namely, α. applications, we assume that there is an upper bound Our construction handles this issue via a different B on the maximum weights. Consequently, each party route. During the setup of a universe, we ask the parties derives B keys from the κ-bit secret, and releases B to engage in a one-round protocol to collectively raise partial signatures on each message. the public points to some random power k ∈ Fp . In particular, we ask party Pi to pick a random ki ← Fp Strong Unforgeability. An astute reader may find that and send the signatures that will pass our verification algorithms k i ki ki are not unique. Indeed, suppose > T number of parties g ki , g f (−1) , g f (−2) , . . . , g f (−(N −T )) . have signed the message; there are multiple ways to aggregate the signature. Namely, the aggregator could The final public parameter pp of the universe shall be 8 The actual protocol computes k = P k k k i αi · ki , where αi is the output of the random oracle on input (g k1 , . . . , g kn , g ki ). Similar k f (−1) f (−2) f (−(N −T )) g , g , g ,..., g , to [14], this is to prevent attacks from rushing adversaries. 5
use any subset (with size ⩾ T ) of partial signatures to Our knowledge assumption is similar to the compute the aggregated signature. Hence, if there are knowledge-of-exponent (KEA) assumption [9], [23] ex- enough partial signatures, one may find exponentially cept that we consider an oracle-aided adversary A, which many correctly aggregated signatures. Consequently, it has access to a random oracle H. is unclear how one defines strong unforgeability for Definition 3 (BLS Signature [16]). The BLS signature our scheme. Achieving strong unforgeability without scheme consists of the following tuple of algorithms harming efficiency is a fascinating open problem. (KGen, Sign, Verify): Let e(G1 , G2 ) → GT be a non- III. P RELIMINARIES degenerate, efficiently computable, bilinear pairing be- Let N be the set of all natural numbers {1, 2, . . .} tween G1 , G2 of prime order p and target group GT . For any integer n, [n] refers to the set of integers Let g1 be the generator of G1 . Furthermore let H : {1, 2, . . . , n}. For any integers n < m, [n : m] refers {0, 1}∗ → G2 be a random oracle. to the set {n + 1, . . . , m}. For any vector ⃗v , we use ⃗v [i] • KGen(1κ ) : Sample s ← Fp and set verification key to denote the ith coordinate of ⃗v and ⃗v [: i] to denote the as VK = g1s and the signing key as sk = s. slicing up to the ith element. • Sign(m, sk) : Output σ = H(m)sk . We use κ as the security parameter. A function f (κ) • Verify(VK, m, σ) : Output 1 if e(g1 , σ) = is negligible if for all polynomial p(κ), f (κ) < 1/p(κ) e(VK, H(m)). Otherwise, output 0. for all large enough κ. For any vectors ⃗a, ⃗b over a field Fp , we use ⟨⃗a, ⃗b⟩ Boneh et. al. [16] proved the strong unforgeability prop- to denote vector inner product. We use g⃗a to denote erty assuming the co-CDH assumption. the vector g a1 , g a2 , . . . , g ak , where ⃗a = (a1 , . . . , ak ). Our construction also uses the following non- Similarly, if ⃗a ∈ Gk is a vector over a group G of order interactive zero-knowledge proof of knowledge for the p and ⃗b ∈ Fkp , ⟨⃗a, ⃗b⟩ denote vector inner product over discrete log problem. the exponents. That is, Definition 4 (NIZKPoK for DL). A NIZKPoK of dis- D E Y k crete log problem consists of a tuple of algorithms ⃗ ⃗a, ⃗b = ⃗a[i]b[i] ∈ G. (Gen, P, V, S, E) that satisfies the following guarantees. i=1 • Correctness. For all x ∈ Fp , A machine is probabilistic polynomial time (PPT) if it " # is a probabilistic algorithm that runs in time poly(κ). x crs ← Gen(1κ ) Pr V(crs, g , π) = 1 : = 1. Definition 1 (co-CDH Assumption). A pairing group π ← P(crs, g x , x) (G1 , G2 ) with generator g1 , g2 and a bilinear pairing e : • Zero-knowledge. There exists a simulator S such G1 × G2 → GT satisfies the co-CDH assumption if, for that for all g x , the output of S(g x ) is indistinguish- all PPT adversary A, it holds that able from the output of P(crs, g x , x). Pr [A(g1 , g2 , g1s , g2s , g2r ) = g2sr : s, r ← F] = negl(κ). • Simulation Extraction. For all PPT A and x ∈ Fp , " # Definition 2 (Knowledge Assumption). With respect to (V(crs, g x , π) = 1) crs ← Gen(1κ ) (1) groups G1 , G2 of prime order p and its generator Pr : = negl(κ). ∧ (E(A, g x , π) ̸= x) π = AS (crs, g x ) g1 , g2 and (2) a random oracle H : {0, 1}∗ → G2 , the knowledge assumption states that for all polynomial N = poly(κ) and stateful PPT adversary A = (A1 , A2 ), Construction of NIZKPoK for DL. One can construct there exists a knowledge extractor E such that, for all a NIZKPoK for DL based on Schnorr’s protocol. s, r ∈ F and h1 , . . . , hN ∈ G1 , we have Schnorr NIZKPoK for DL: ′ κ k ← Fp , α ← Fp • Gen(1 ): Sample random oracle crs = H. x k′′ ′′ ′ ′ • P(crs, g , x) : Sample r ← Fp . Compute c = ({hi }i∈[N ] , g2k ) = A1 ({hki }i∈[N ] , g2k ) (y = xk )∧ ′ ′′ ′ ′′ H(g, g , g ) and z = r+c·x. Output (g r , c, z). x r Pr (x ̸= bi : g k = (g k )α · g k , hk = (hk )α · hk Y x r (hi ) ) 2 2 2 i i i • V(crs, g , π = (g , c, z)) : Output 1 if H k k i∈[N ] (x, y) = A (α, g , {hi , h } ) 2 2 i i∈[N ] c = H(g, g x , g r ) ∧ g z = g r · (g x )c . E H (α, A, g2k , {hi , hki }i∈[N ] ) = ⃗b = negl(κ), Correctness is trivial. The simulation for zero knowledge is straightforward by programming the random oracle. where both A and E takes g1 , g2 , g1s , g2s , g2r as public The simulation extraction property follows from the input. forking lemma [41]. 6
IV. M ULTIVERSE T HRESHOLD S IGNATURE S CHEME lenger. These oracles9 allow the adversary to add new honest parties to the system, set up any universes, corrupt In this section, we present the formal definition for parties, and request partial signatures in an arbitrary a Multiverse Threshold Signature Scheme. We write interleaved manner. The challenger maintains a state {P1 , P2 , . . .} for all the parties in the system. We write which includes the following: {W1 , W2 , . . .} for their corresponding weights where • H is the set of honest parties; without loss of generality we assume that Wi ∈ N. • M is the set of malicious parties; Definition 5 (Weighted Threshold Access Structure). An • L is the set of universes that have already been access structure Λ over a set U ⊆ {P1 , P2 , . . .} of setup; parties is a weighted threshold access structure with a • Tm is the set of honest parties which have already threshold T if it associates a weight with each party signed the message m; in this particular set; and any subset S ⊆ U is called • ski is the secret key of an honest party Pi ; authorized P (which we denote as S ∈ Λ) if and only if • ω(U,Λ),i is the randomness of Pi used during setup i∈S W i ⩾ T. of the universe (U, Λ); • ρ(U,Λ) , the messages of honest parties during setup Definition 6 (Universe). A universe (U, Λ) is specified of the universe (U, Λ). by an arbitrary subset U of all parties {P1 , P2 . . .} and All the sets are all initialized as ∅ and all the variables an access structure Λ over U . are initialized as ⊥. We also consider the standard notion of (unweighted) threshold access structure, which is a special case where OKGenstate (Pi ) Wi = 1 for each i in each universe. 1) If Pi ̸∈ H ∪ M then generate (pki , ski ) ← Definition 7 (Multiverse Signature Scheme). A multi- KGen(1λ ), update H = H ∪ {Pi } and output verse signature scheme is a tuple of PPT algorithms de- pki . Otherwise, output ⊥. noted by Σ = (KGen, UGenon , UGenoff , Sign, Aggregate, Verify) defined as follows: • (pk, sk) ← KGen(1κ ): On input the security param- OCorruptstate (Pi ) eter 1κ , output a public-secret key pair (pk, sk). 1) Update M = M ∪ {Pi }. • ρ ← UGenon ((U, Λ), sk) : On input a universe 2) If Pi ∈ H then update H = H\{Pi }, and (U, Λ) and secret key sk, it samples a message ρ. output ski . Otherwise, output ⊥. • (VK, pp) = UGenoff ((U, Λ), ρ) : On input a uni- verse (U, Λ) and all party’s messages ρ, it outputs a verification key VK and public parameters pp. OSignstate (Pi , m) • σ ← Sign(sk, m) : On input the secret key sk and message m, output a partial signature σ. 1) If Pi ∈ H then update Tm = Tm ∪ {Pi } and • σ = Aggregate((U, Λ), pp, σ) : On input the uni- output Sign(sk, m), else output ⊥. verse (U, Λ), the public parameter pp, a set of signatures σ, output an aggregated signature σ. • b = Verify(VK, σ, m) : On input the verification key OUGenstate (U, Λ) VK, a signature σ and a message m, output either 1) update L = L ∪ {(U, Λ)}. For each Pi ∈ H ∩ b = 0 (reject) or b = 1 (accept). U , set ρi ← UGenon ((U, Λ), ski ). Finally, set Remark 1. The universe setup consists of two phases. ρ(U,Λ) = {ρi }Pi ∈H∩U , and output ρ(U,Λ) . During the online phase, every party samples one mes- sage ρ ← UGenon using its private key and private Definition 8 (Correctness). A multiverse signature randomness. In the offline phase, the verification key and scheme Σ satisfies correctness if for any PPT adversary10 the public parameter of the universe can be computed A with oracle access to OKGen, OCorrupt, OSign, and via the deterministic function UGenoff using all parties’ OUGen, the output of the Correctness − GameA (1κ ) de- messages. Notably, one party can reuse the same secret fined in Figure 1 is 1 with probability at least 1−negl(κ). key for the setup of multiple universes without storing 9 The adversary is allowed to directly add malicious parties without any additional information in its secret state. using these oracles. 10 For the sake of simplicity, we assume that the adversary is To formalize the security of our scheme, we define the restricted to instantiate a universe for a (Λ, U ) only once. We stress that following oracles (OKGen, OCorrupt, OSign, OUGen), this assumption is made only for simplicity and our schemes remain which allows the adversary to interact with the chal- secure even if the same universe is instantiated multiple times. 7
1) The adversary outputs a universe (U, Λ) and • The signature verifies, i.e., the messages of the corrupted parties in that Verify(VK, σ, m) = 1. universe. Also, it outputs a message m and a set of partial signatures for parties in set S: Fig. 2: Forgery − GameA (1κ ) On our security notion and comparison to [8]. In a ((U, Λ), {ρi }Pi ∈M ∩U , m, {σj }Pj ∈S ) ← A(1κ ). recent work, Bellare et. al. [8] investigate the subtleties 2) The verification key and public parameter are in the security definitions of threshold signature schemes. computed as follows: In particular they look into unforgeability which guaran- tees that the adversary should not be able to produce any (VK, pp) = UGenoff ((U, Λ), ρ(U,Λ) ∥{ρi }Pi ∈M ∩U ). “non-trivial forgery” except with negligible probability.12 ′ In particular, based on what makes a “trivial forgery”, Among these let S ⊆ S denotes the sub- set where all partial signatures {σj }j∈S ′ are they define various levels of security. honestly computed (hence, correct) by calling We note that our definition considers the strongest OSign(Pj , m). possible security as a forgery is only considered non- 3) The output of this game is 1 if and only if at trivial as long as < T − c honest parties sign the least one of the following conditions is met. message (which is captured by M ∪ Tm ∈ / Λ in our • All parties in the universe are corrupted at definition). Besides achieving the strongest existential setup. That is, ρ(Λ,U ) = ∅. unforgeability notion, our definitions are stronger in the • The subset of correct signatures is not an following aspects. authorized subset. That is, S ′ ∈ / Λ. • We consider malicious security even for the uni- • The aggregated signature verifies. That is, verse setup phase together with the signing phase. Verify(VK, σ, m) = 1, where In most prior works, the security of setup phase is considered separately [33]. σ = Aggregate((U, Λ), pp, {σj }Pj ∈S ). • The multiverse setting is novel to our work. Hence, the adversary could interleave the universe setup A κ and signing requests in an arbitrary manner. Fig. 1: Correctness − Game (1 ) • Our correctness guarantee is also stronger in that Definition 9 (Security). A multiverse signature scheme even if some parties submit invalid signatures, the Σ satisfies security if for any PPT adversary A with aggregate signature should still be correct with oracle access to OKGen, OCorrupt, OSign, and OUGen, overwhelming probability as long as a sufficient the output of the following Forgery−GameA (1κ ) defined amount of partial signatures are honestly generated. in Figure 2 is 1 with at most negl(κ) probability.11 Finally, as we discussed earlier, our scheme is weaker 1) The adversary outputs a universe (U, Λ) and in that we do not achieve strong unforgeability. the UGenon message of the corrupted parties V. T HE P ROTOCOL in that universe. Additionally, it outputs a A. Multiverse Threshold Signature Protocol for message m and a signature σ. That is, Weighted Threshold Access Structure ((U, Λ), {ρi }Pi ∈M ∩U , m, σ) ← A(1κ ). In this section, we present a multiverse signature 2) The verification key and public parame- protocol for weighted threshold access structure. ter are computed. That is, (VK, pp) = Notation and Building Blocks. UGenoff ((U, Λ), ρ(U,Λ) ∥{ρi }Pi ∈M ∩U ). • Let G1 , G2 be prime-order groups with g1 , g2 3) The output of this game is 1 only if all of the as their respective generators. Let p be the following conditions are met. order of G1 and G2 . Let e(G1 , G2 ) → GT be • The adversary has not acquired sufficient a bilinear map between G1 , G2 and the target partial signatures of m; i.e. M ∪ Tm ∈ / Λ. group GT . • Let {P1 , P2 , . . . } be a list of all the parties in the system. We assume that there exists an up- per bound B such that for any universe (U, Λ), 11 We note that our security game allows the adversary to launch non- malleability attacks. For instance, the adversary could copy an honest party’s public key (and its corresponding NIZKPoK) as its own public key. Intuitively, these attacks, however, are not helpful for producing 12 In the non-threshold setting a “trivial forgery” is simply defined a valid forgery. Our security proof implicitly proves this. by the signatures obtained by querying the signing oracle. 8
every party Pi ∈ U has weight Wi ⩽ B. 7) Output (VK, pp). • Let H : {0, 1}∗ → G2 and H ′ : {0, 1}∗ → Fp be a random oracle. Let F : {0, 1}κ → FB Description of Sign(sk, m) : • p be a PRG. 1) Output signature σ = H(m)F (sk) ∈ GB 2 . Description of KGen(1κ ) : Description of Aggregate((U, Λ), pp, σ) : 1) Sample a random PRG seed s ← {0, 1}κ . F (s) |U | 2) Output (pk = g1 , sk = s) ∈ GB κ 1 × {0, 1} . 1) Parse (U, Λ) = {(pki , Pi , Wi )}i=1 , T . As- sume parties are indexed by some canonical ordering. Description of UGenon ((U, Λ), sk) : 2) Parse σ = {σi }Pi ∈S . Initiate an empty set Q. |U | 1) Parse (U, Λ) = {(pki , Pi , Wi )}i=1 , T . As- Sample a random vector ⃗r ← FB p . For each sume parties are indexed by some canonical Pi ∈ S ∩ U , add Pi to Q if F (sk) Pj be the index s.t. g1 ordering. Let = pkj . e(⟨pki , ⃗r⟩, H(m)) = e(g1 , ⟨σi , ⃗r⟩). 2) Let W = i∈[|U |] Wi . We shall reconstruct the degree-(W − 1) polynomial defined by the 3) Let X be the set of evaluation points cor- W public keys of the parties in the universe, responding to parties in Q. For instance, if where party Pi specifies Wi points. Q = {1, 3}, X = [1 : W1 ] ∪ [W1 + W2 + 1 : 3) In particular, let pk∗j = pkj [1 : Wj ] and W1 + W2 + W3 ]. 4) Let λi be the Lagrange coefficients satisfying pk = pk∗1 ∥pk∗2 ∥ · · · ∥pk∗N ∈ GW 1 . X f (0) = λi · f (i). Define a polynomial f ∈ Fp [X] of degree W − i∈X∪[−(W −T ):−1] f (x) 1 such that g1 = pk[x] for x ∈ [W ]. Note that λi are determined by the set X. 4) Interpolate these points on the exponents: 5) We write {λi }i∈X in short as ⃗λpar and in short as ⃗λpub f (x) evals0 = g1 x ∈ {−(W −T ), . . . , −1, 0} . {λi }i∈[−(W −T ):1] 6) Parse pp = B, ⃗ A⃗ ∈ G2(W −T ) . Compute 5) Sample k ← Fp , then compute 1 k·f (x) evals1 = g1 x ∈ {−(W −T ), . . . , −1} . ⃗ ⃗λpub ⟩ σ0′ := ⟨B, and ⃗ ⃗λpub ⟩. σ1′ := ⟨A, 6) Compute NIZKPoK π DLog for each group el- 7) Let ⃗σ be the concatenation of σi ’s where Pi ∈ ement in pkj using witness F(sk). Q. Compute σ ′ := ⟨⃗σ , ⃗λpar ⟩. 7) Output ρ = evals1 , g2k , π DLog . 8) Output σ = (σ ′ , σ0′ , σ1′ ). Description of UGenoff ((U, Λ), ρ) : Description of Verify(VK, σ, m) : 1) Repeat the same steps in UGenon and compute 1) Parse VK = (VK0 , VK1 ), σ = (σ ′ , σ0′ , σ1′ ). f (x) 2) Output 1 (and 0 otherwise) if it holds that evals0 = {g1 | x ∈ {−(W − T ), . . . , −1}}. ( e(VK0 /σ0′ , H(m)) = e(g1 , σ ′ ) 2) Parse ρ = {ρ1 , . . . , ρN ′ } and initialize Q = ∅. . e(σ1′ , g2 ) = e(σ0′ , VK1 ) 3) For each i ∈ [N ′ ], parse ρi = evals1,i , g2ki , πiDLog . B. Correctness 4) Add i to Q if the proof πiDLog verifies and We now show via the following theorem that our con- struction satisfies correctness according to Definition 8. e(evals1,i , g2 ) = e(evals0,i , g2ki ). k Theorem 1. Let us assume that the NIZKPoK proof sys- 5) Let αi = H ′ {g2 j }j∈Q , g2ki and evals1 be tem for DLOG is complete with probability 1. Then our the (coordinate-wise) linear combination of all MTS scheme is correct with overwhelming probability. elements in {evals1,i }i∈Q with coefficients αi . 6) Set pp = (evals0 , evals1 ), and set VK = Proof. In our proof, we use the same notations for all f (0) (VK0 = g1 , VK1 = i∈Q (g2ki )αi ). Q variables that appeared in our description of the scheme in Section V-A. 9
Suppose at the end of Correctness-Game, the ad- Proof Overview. Our security proof reduces the security versary A outputs: ((U, Λ), {ρi }Pi ∈M ∩U , m, {σj }Pj ∈S ). of our MTS scheme to the security of the co-CDH Let S ′ ⊆ S be the subset of signatures that are assumption. In particular, given an adversary A that honestly generated. We would like to show that breaks the MTS scheme with non-negligible probability, with all but negligible probability, if (U ̸⊆ M ) ∧ we construct an adversary A∗ that breaks co-CDH with (S ′ ∈ Λ) Then Verify(VK, σ, m) = 1, where σ = non-negligible probability. Aggregate((U, Λ), pp, {σj }Pj ∈S ). On a high level, A∗ interacts with an external chal- As U ̸⊆ M , there exists some P ∗ ∈ U ∩ H. lenger for the co-CDH security game. It receives the Therefore, ρ∗ ∈ ρΛ,U is honestly computed by challenge g1s , g2s , and g2r from the challenger and pro- the oracle OUGenstate (U, Λ). Now consider run- ceeds to interact with the adversary A. When it simulates ning UGenoff ((U, Λ), ρΛ,U ∥{ρi }Pi ∈M ∩U ): since ρ∗ is the MTS security game, A∗ will embed the challenge g1s honestly computed, we must have P ∗ ∈ Q as the public key of some random honest parties. For the and thus Q ̸= ∅. Now for all Pj ∈ Q, other honest parties, it samples their secret keys honestly. k since e(evals1,j , g2 ) = e(evals0 , g2 j ), we have Additionally, A∗ will program the random oracle H and e(evals1 , g2 ) = e(evals0 , VK1 ). Therefore it al- embed the challenge g2r as the hash H(m) of a few ways holds that e(σ1′ , g2 ) = e(⟨evals1 , ⃗λpar ⟩, g2 ) = random messages. For the other messages, it honestly ′ samples a random r′ and sets H(m) = g2r . In the end, e(⟨evals0 , ⃗λpar ⟩, VK1 ) = e(σ0′ , VK1 ). Thus verifier’s first check will pass. we show that if A successfully produces a forgery for For any Pj ∈ S ′ , since σj is the output of A’s query the MTS game, we could use it to compute g2rs with to OSign(Pj , m), we have σj = H(m)F (skj ) and, thus, some non-negligible probability. Below, we highlight e(⟨pkj , ⃗r⟩, H(m)) = e(g1 , ⟨σj , ⃗r⟩) for any ⃗r. Thereforesome technical challenges. S ′ ⊆ Q. Oracle queries. A∗ can answer most queries by A We further claim that with all but negligible probabil- directly with a few exceptions. First, suppose A requests ity, for all Pj ∈ Q \ S ′ , we have σj = H(m)F (skj ) . To an honest party with embedded challenge g1s as its public prove this, notice that if σj ̸= H(m)F (skj ) , then key to sign a message m with the embedded challenge g2r as its hash value H(m). A∗ cannot compute the Pr[e(⟨pkj , ⃗r⟩, H(m)) = e(g1 , ⟨σj , ⃗r⟩)] ⩽ 1/|Fp |. partial signature H(m)s as it does not know neither s ⃗ r By a union bound, nor r. However, by carefully choosing the embedding probability, we will ensure that this never happens with ′ F (skj ) |Q \ S ′ | a non-negligible probability. Pr[∃Pj ∈ Q \ S : σj ̸= H(m) ]⩽ , |Fp | Second, since we allow A to adaptively corrupt par- which is negligible in κ. P Since S ′ ∈ Λ and S ′ ⊆ Q, ties, it may decide to corrupt an honest party with the we have Q ∈ Λ, and thus Pi ∈Q Wi = |X| ⩾ T . Since embedded challenge g s as its public key. Again, we f (x) is a degree W −1 polynomial, it can be interpolated cannot give the secret state of this party as we do not know s. However, with a non-negligible probability, A P its evaluations at X ∪ {T − W, . . . , −1}. correctly using Let f (0) = x∈X S{T −W,...,−1} λx · f (x). Notice that will not corrupt any honest parties with an embedded P challenge. This is because A succeeds with a non- e(VK0 /σ0′ , H(m)) = e(g1 , H(m)f (0)− x∈{T −W,...,−1} f (x)·λx ) negligible probability in the MTS game, and A only P = e(g1 , H(m) x∈X f (x)·λx ) = e(g1 , σ ′ ). succeeds if it does not corrupt all parties. Therefore, with a non-negligible probability, A does not corrupt Thus Verify(VK, σ, m) = 1 with 1 − negl(κ) probability. any parties where we embed the challenges, as there are C. Security very few of them. Therefore A∗ can successfully answer We prove the security/unforgeability of our scheme all of A queries with a non-negligible probability. ∗ according to Definition 9 via the following theorem. Solve co-CDH challenge. Conditioned on (1) A can successfully answer all of A queries and (2) A indeed Theorem 2. In addition to the knowledge assump- successfully generates a forgery, we now need to argue tion (Assumption 2), let us assume that the underlying that we can solve the co-CDH problem and compute g sr . 2 NIZKPoK proof system for DLOG is sound with over- Note that A produces a signature (σ, σ0 , σ1 ) such that whelming probability. Then the security of our MTS ( construction can be reduced to the co-CDH assump- e(VK0 /σ0 , H(m)) = e(g1 , σ) tion (Definition 1). e(σ1 , g2 ) = e(σ0 , VK1 ) Due to the space limit, we shall only give an overview Our plan is to show that with a non-negligible probability of the proof in the main body. The full security proof is VK0 /σ0 can be written as g1a·s+b for some a ̸= 0 and deferred to Appendix A. b that A∗ knows. If so, σ must be equal to H(m)a·s+b . 10
And, consequently, if H(m) is a hash value with the We measure the performance of signing, verification, embedded challenge g2r (which happens independently and aggregation algorithms. We compare our MTS con- with a non-negligible probability), we can easily use σ struction against alternative threshold signature schemes, to compute g2sr . when adapted to the multiverse setting. These include: To argue this, we invoke the knowledge assumption13 1) generic zk-SNARK approach; 2) compact certificates to argue that the only way that A can compute σ0 and σ1 in Micali et. al. [38]; 3) (vanilla) threshold BLS; and, 4) that pass the second equation is by a linear combination multisignature based on BLS. These are described below. of the public points, and one can extract such a linear Aggregation using zk-SNARKs. The aggregator can combination. Consequently, one can write VK0 /σ0 di- function as a prover who convinces the verifier that rectly as some linear combination of all parties’ pub- it knows a threshold number of valid signatures, each lic keys. Furthermore, by relying on the knowledge verifiable under a distinct public key. To set up this extraction property of the NIZKPoK scheme, we can experiment, we use the gnark library [2] to create extract the malicious parties’ secret keys. Henceforth, a circuit composing multiple instances of the signa- we know all the exponents of public keys in the linear ture verification circuit.15 For fairness, we choose the combination, except for those with embedded challenges, most SNARK-friendly signature scheme available in the which means VK0 /σ0 can indeed be written as g1a·s+b . gnark library, which is EdDSA signatures – with the Next, we note that a ̸= 0 with high probability, as gnark frontend, a single EdDSA verification produces we pick a random honest party to embed the challenge; roughly 6.2K constraints in the Groth16 system [35] and therefore, no matter what linear relation the adversary 13.1K constraints in the PLONK system [29]. To get a chooses to aggregate the public points, one can prove ballpark estimate, we will assume the verifier has the that a ̸= 0 with high probability. entire address book mapping nodes to their public keys; Security Loss. Our proof shows that if the adversary alternatively, the proof can be constructed with respect to A succeeds in the MTS game with some non-negligible a commitment to the address book, but that only adds to probability δ, then A∗ succeeds in solving the co-CDH the prover (aggregator) running time that we report. Note problem with some non-negligible probability δ ′ . We that this approach computes the MiMc [7] hash function, emphasize that our security proof does not optimize the used in the signature scheme as a random oracle, inside security loss between δ ′ and δ. Note that this security the SNARK circuit. As we show later, the aggregator’s loss affects the choices of security parameters and, running time is prohibitively expensive. henceforth, all parameters in our scheme, e.g., signature size, aggregation/verification time, etc. Therefore, tighter Compact Certificates. Micali et. al. [38] introduce security loss will potentially lead to more efficient con- compact certificates, based on non-interactive proofs of struction. We leave this as exciting future works. knowledge in the random oracle model. The certificate proves that signers have a sufficient total weight, while VI. I MPLEMENTATION AND E VALUATION only including logarithmic number of individual signa- We implement our MTS construction in Rust and tures. As we show later, the certificate size is orders of release it open-source at https://github.com/rsinha/mts. magnitude larger than ours, incurring a heavy gas cost. We use the BLS12-381 pairing-based curve [15], and the hashing to elliptic curve method defined in [28]. Threshold BLS. The (vanilla) threshold BLS system For efficiency, we implement multi-exponentiation of uses a BLS scheme that is setup by a distributed key group elements (within the aggregator) using Pippenger’s generation (DKG) protocol, such as Gennaro et. al. [33] method [17], [40], which, for n group elements, requires or with the recent improvements in [44]. Recall that a O(n / log(n)) running time as opposed to O(n). party produces independent partial signatures for each For a fair comparison of all schemes, we only im- universe; not surprisingly, as we show later, the network plement the single-threaded version of our algorithms, bandwidth usage is prohibitively expensive. though there are obvious opportunities for parallelism. BLS Multisignature. We also test MTS based on All experiments are run on a Macbook Pro with M1 Pro BLS multisignatures [14], [37], where rogue key attacks chip and 32 GB RAM. We also report EVM gas costs14 are addressed via proofs-of-possession in a setup phase for publishing and verifying signatures on-chain. – see Appendix B for details on this construction. In 13 Note that A is an oracle-aided circuit that has access to the random this scheme: 1) the aggregate signature contains the oracle H. In particular, our knowledge assumption assumes that one identity of each signer; and, 2) the aggregate public could extract from such oracle-aided circuits. 14 Our calculation uses the pre-compiled gas costs for alt bn128 15 Alternatively, we could have produced k independent Groth16 curve as defined in EIP-1108 [22]: ECADD costs 150, ECMUL costs proofs, and aggregated them using Bunz et. al. [20] (implemented 6000, and k pairings cost 35, 000 · k + 45, 000. The gas cost for each in [30]), that results in O(log(k)) sized proofs. Recursive composition 32-byte storage slot is 20000. techniques also exist [18], but they are relatively inefficient. 11
key is computed by the verifier (e.g. smart contract) by Verifying compact certificates has the highest gas aggregating the public keys of all signers. As we show cost. We are also under-approximating here, as we only later, this scheme has expensive (on-chain) verification include the gas cost of computing keccak256 hashes cost, both in the setup cost (storing linear public keys) (costing 28 gas units [4]) in the Merkle paths and the and operation cost (multiplying linear group elements). EdDSA (over Curve25519) signatures (costing 2000 gas units [5]); i.e., we are not including the cost of verifying A. Signature Size the proof against the commitment to the public key set. We report the signature size in Table I. Depending BLS multisigs require linear group additions to com- on the scheme, a signature has several components: pute the aggregate key, causing the gas cost to exceed G1 and G2 denote group elements (of size 48 and that of MTS verification beyond a few hundred signers. It 96 bytes, respectively) from the source groups of the also requires the smart contract setup to store n public pairings curve, and F denotes field elements (of size 32 keys on-chain, which comes out to 60 million gas for bytes). Except for compact certificates and BLS multisig, 2000 nodes (roughly $1460 at the time of writing). all other schemes produce an aggregate signature of The summary of our analysis here is that compact constant size, with threshold BLS producing the shortest certificates and BLS multisignatures have high veri- signature of size 1 group element (48 bytes). fication complexity, when used in the multiverse setting. Compact certificates use logarithmic size proofs; for 128-bit security, soundness requires them to output a C. Bandwidth Requirement certificate of size 7.5-12 KB for 100 parties, and roughly We now analyze the inbound bandwidth complexity 40-250 KB for 10K parties – Table I includes a data from the point of view of the aggregator. The bandwidth point for threshold that is 80% of total weight, and the is a proxy for network traffic flowing over P2P channels signature is even larger for lower thresholds.16 In fact, in the oracle network. We report the results in Table II, for a few hundred nodes, the certificate is larger than for select parameters of network size, weight (per party), simply outputting all signatures, due to the overheads of and the number of universes. the Merkle paths – their approach is targeted towards All three of compact certificates, multisig, and zk- networks with millions of nodes, but that is orders of SNARK based approaches use similar bandwidth, as magnitude larger than any existing blockchain network each party sends one signature – bandwidth is indepen- (Bitcoin has 10K nodes). Therefore, compact certificates dent of the weight or the number of universes. are impractical for our use case, especially since the In our MTS scheme, the bandwidth is linear in the aggregate signature is published and verified on-chain. weight, but constant in the number of universes. Our BLS multisig produces a linear size aggregate signa- conclusion from this study is that while MTS is worse ture, as the aggregator must communicate which parties than the SNARK approach for large weights, the band- have signed (1 bit per party). Though asymptotically width is still under 10 MB for reasonable weights, and worse, it fares better in practice compared to compact therefore not problematic for practical parameters. In certificates; for n nodes, the signature must have 1 group contrast, the threshold BLS scheme uses a little under 1 element and n bits – for practical values of n, say 1000 GB for 100 universes, for weight B = 50 – this is for one nodes, we have a 224 byte signature. message, and is quickly unmanageable for our setting, as Chainlink concurrently serves several hundreds of data B. Verification Time feeds (with separate message for each feed). Table I also reports verification complexity, in alge- The summary of the bandwidth analysis here is that braic operations, wall clock time, and Ethereum virtual the naı̈ve application of threshold BLS to the multi- machine (EVM) gas units (computed using [3]) – we verse setting is not at all scalable. report the EVM gas cost for both smart contract setup D. Aggregation Time (where the verification key is stored on-chain) and per- signature verification. Algebraic operations are of several 1) Unweighted Setting: We start with the unweighted types: H denotes hash functions, P denotes pairing setting because it is a default or natural setting in several operations, while group operations in G1 are either expo- applications of threshold signatures. Table III displays nentiations or multiplications. Again, with the exception the running time of the aggregator for the different of compact certificates and BLS multisig, all schemes schemes in the unweighted setting (i.e., B = 1). We have constant time. measure how the running time increases as the size of the network grows (while keeping the threshold to be 16 Irrespective of the number of nodes and weights, the certificate a fixed fraction T = W/2, where W = n equals the contains the following number of signatures (in addition to the Merkle path hashes) for 128-bit security : 1343 for T = 0.55W, 702 for T = number of nodes). Since aggregation is performed for 0.6 W, 380 for T = 0.7 W, 272 for T = 0.8W, and 217 for T = 0.9W. each universe separately, the reported running time is 12
You can also read