Threshold Signatures in the Multiverse
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Threshold Signatures in the Multiverse
Leemon Baird‡ , Sanjam Garg∗§ , Abhishek Jain† , Pratyay Mukherjee¶ ,
Rohit Sinha‡‡ , Mingyuan Wang∗ , Yinuo Zhang∗
∗ UC Berkeley † Johns Hopkins University ‡ Swirlds Labs § NTT Research ¶ Supra ‡‡ Meta
Abstract—We introduce a new notion of multiverse trusted aggregator can combine them into a compact sig-
threshold signatures (MTS). In an MTS scheme, multiple nature attesting that a threshold number of signers signed
universes – each defined by a set of (possibly overlapping) m. Threshold signatures have seen widespread use in
signers, their weights, and a specific security threshold –
can co-exist. A universe can be (adaptively) created via a recent years, especially within the blockchain ecosys-
non-interactive asynchronous setup. Crucially, each party tem [43]. Furthermore, efforts to standardize threshold
in the multiverse holds constant-sized keys and releases cryptosystems have already begun [39].
compact signatures with size and computation time both Threshold signatures have traditionally been studied in
independent of the number of universes. Given sufficient
a static setting where the signers and the threshold are
partial signatures over a message from the members of
a specific universe, an aggregator can produce a short fixed and all verifiers have the same belief (i.e., trust)
aggregate signature relative to that universe. in the signers. However, as we discuss shortly, emerging
We construct an MTS scheme building on BLS sig- applications in blockchains involve verifiers who do not
natures. Our scheme is practical, and can be used to necessarily share the same beliefs. In particular, each
reduce bandwidth complexity and computational costs in verifier might live in its own universe, where it trusts
decentralized oracle networks. As an example data point,
consider a multiverse containing 2000 nodes and 100 only a specific subset of signers and wishes to choose
universes (parameters inspired by Chainlink’s use in the its own security threshold. We ask whether it is possible
wild), each of which contains arbitrarily large subsets to design threshold signature schemes where multiple
of nodes and arbitrary thresholds. Each node computes such universes can co-exist.
and outputs 1 group element as its partial signature; the
aggregator performs under 0.7 seconds of work for each
A naı̈ve approach to handle this scenario involves
aggregate signature, and the final signature of size 192 simply executing a fresh instance of a threshold signature
bytes takes 6.4 ms (or 198K EVM gas units) to verify. For scheme for each universe. This, however, leads to highly
this setting, prior approaches, when used to construct MTS, impractical solutions even for modest choices of param-
yield schemes that have one of the following drawbacks: (i) eters (see discussion later in this section). The main goal
partial signatures that are 48× larger, (ii) have aggregation
times 311× worse, or (iii) have signature size 39× and
of our work is to address this scalability challenge.
verification gas costs 3.38× larger. We also provide an open-
source implementation and a detailed evaluation. Multiverse Threshold Signatures. We introduce a new
notion of multiverse threshold signatures (MTS), where
I. I NTRODUCTION at any time, a verifier can define a new universe contain-
ing any subset of the parties present in the system. The
A threshold signature scheme [25], [26] allows for multiverse is the set of all such (possibly overlapping)
distributing a secret signing key among multiple parties universes with possibly different security thresholds. A
such that each party can (non-interactively) generate party signs a message irrespective of what (or how many)
a partial signature over any message m using its key universes it is in, and an aggregator can take a threshold
share.2 Given sufficiently many partial signatures, an un- number of partial signatures corresponding to a universe
1 The second author was supported in part by DARPA under Agree-
and produce a short aggregate signature (independent of
ment No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF the size of the universe) that can be verified under the
CNS Award 1936826, and research grants by the Sloan Foundation, and specific universe’s verification key.
Visa Inc. The third author was supported in part by NSF CNS-1814919, An MTS scheme must satisfy the following properties:
NSF CAREER 1942789, Johns Hopkins University Catalyst award,
AFOSR Award FA9550-19-1-0200, Office of Naval Research Grant 1) non-interactive setup: a universe involving any set
N00014-19-1-2294, JP Morgan Faculty Award, and research gifts from of parties can be setup via a non-interactive protocol.
Ethereum, Stellar and Cisco. Any opinions, findings and conclusions,
or recommendations in this material are those of the authors and do 2) compact keys: each party’s state is oblivious to the
not necessarily reflect the views of the United States Government or universes that it belongs to. In particular, each party’s
DARPA. Part of the work was done when the fourth, fifth, and seventh key material (and state) is independent of the number
authors were at Swirlds Labs, and the third author visited UC Berkeley.
2 Our work primarily focuses on non-interactive signing. We remark of universes that it participates in.
that some threshold signature schemes only support interactive signing. 3) compact partial signatures: each party’s partial sig-nature is compact, i.e., it is independent of the num- be modeled as a separate universe with a specific subset
ber of universes the party belongs to. In particular, of all nodes and a specific threshold.
its partial signature should be reusable for computing As signature verification is done by a smart contract,
aggregate signatures across different universes. it places additional efficiency requirements for MTS. In
4) fast aggregation and verification: it should take particular, we need the verification EVM gas costs to
constant time to verify an aggregated signature for be small.
any universe. In the best case, aggregation will be Drawbacks of existing approaches. While the notion
linear in the number of partial signatures – we require of MTS is new to this paper, we observe the drawbacks
that this aggregation be concretely efficient. of existing approaches in realizing MTS. As discussed
The security requirements are similar to that of stan- earlier, a naı̈ve approach for the multiverse setting can
dard threshold signatures. Namely, we require that an be obtained by implementing an independent copy of
aggregate signature associated with a universe can only a threshold signature scheme for every universe. It is
be verified when a threshold number of parties in that not hard to see, however, that such a solution quickly
universe have signed the corresponding message. runs into scalability issues. A node that belongs to n
Our multiverse model is inspired by an important different universes would need to use n different signing
scaling issue that arises in oracle networks for smart keys to sign the same message n-many times, generating
contracts, which rely heavily on threshold signatures. n-many partial signatures, which are then broadcast to
the aggregator. Hence, the state size, signature size, and
Application: Decentralized Oracle Networks. Oracles computation all scale linearly with n. Consider some
enable smart contracts to perform transactions based on data points based on the metrics reported by ChainLink.
off-chain data, such as issuing DeFi transactions based For example, even with 20 universes, and each universe
on the exchange rate of tokens or automatically pro- spanning an average of 500 (active) nodes who will sign
tecting user funds during an undercollateralization event the message, an aggregator receives 0.46 MB worth of
(e.g., unforeseen fractional reserve practices from off- partial signatures, for a single message (data feed), or
chain custodians [1]). In Chainlink [19], [27],3 whenever more challengingly, nearly 1 GB traffic for over 2000
the data feed’s value (e.g., MKR/ETH exchange rate) data feeds served by the Chainlink network4 . This is for
fluctuates beyond a limit, the oracle nodes collectively a single message! This approach quickly exhausts band-
agree on a new value to submit on-chain along with a width on a peer-to-peer network. The problem becomes
threshold signature that is verified by the smart contract. completely unmanageable in the weighted setting,5 as
Historically, smart contract authors have shared the both the network traffic and the signer’s computation are
same data feed, whenever possible, typically to offset linear in the weights.
high gas costs on platforms such as Ethereum. However, To avoid such scaling issues, one can devise an
with substantially higher throughput and lower fees on alternative solution by using succinct non-interactive
the next generation of smart contract platforms, and with arguments of knowledge (SNARK) [11], [12]. The high-
the increased set of applications with diverse security level idea is to design an aggregator who computes
and cost profiles, the one-size-fits-all approach is no a SNARK attesting to having witnessed a threshold
longer adequate. For instance, contracts that perform number of signatures over a message. This approach,
autonomous real-time auditing of collateral prefer the however, yields prohibitive aggregation costs. Even using
(proof-of-reserve [1]) data feed to be fulfilled by a set of state-of-the-art SNARKs (such as PLONK [29]) and the
highly reputed and rigorously audited oracle nodes [6]; most efficient signature schemes such as EdDSA [10]
such contracts may also choose higher thresholds for results in aggregation time in the order of a few minutes
the signature. On the opposite end of the spectrum, for modest choices of parameters (see Section VI).
contracts with lower security needs (e.g., sports betting) Moreover, even such performance numbers are only pos-
may opt for lower-cost oracle nodes and latency-sensitive sible when we instantiate EdDSA with SNARK-friendly
applications may choose highly available nodes, or opt hash functions such as MiMc [7], whose security is
for lower security thresholds for the signatures. Indeed, not well-understood. Finally, we note that this approach
Chainlink’s users already have the appropriate knobs inherently makes non-black-box use of the hash function
– i.e., choice of oracle nodes (with reputation scores), 4 In Chainlink’s protocol [19], for each message to be signed, there
signing threshold, etc. This scenario naturally maps to is a single leader who prepares the message and requests all nodes
our multiverse setting since each separate preference can (that are supporting the relevant price feed, for instance) to sign it.
5 In a weighted setting, instead of a T out of N access structure,
parties are assigned different weights, and aggregation is possible
3 At the time of writing, Chainlink is the largest oracle network, com- only when partial signatures are produced by parties whose combined
prising over 300 participant nodes, serving over 2000 data feeds, and weight is larger or equal to the threshold. A special case of this is the
generating over $4.5M USD in monthly revenue for the participants. standard threshold setting, in that each party has equal weight.
2and therefore does not yield a security proof in the interactive asynchronous setup property, nodes can
Random Oracle Model. go offline without being penalized (though economic
We also consider the Micali et. al.’s [38] SNARK ap- incentives encourage honest participation); that is, a node
proach specialized to the signature setting for obtaining can come online and participate in a universe’s creation
smaller aggregation times. However, this reduction in independently of other nodes. Compare this to the setup
aggregation time is at the cost of a larger signature size for BLS, where parties engage in an interactive DKG
and an increase in the verification gas cost, which is protocol [24], [33]. The signing phase is identical to
undesirable for our application. BLS, so parties operate non-interactively, and a threshold
Finally, one may wonder if multisignatures [14], [37] number of correct participants is sufficient to construct
can be used to construct multiverse threshold signa- an aggregate signature. We stress that having a compact
tures. In particular, every party samples its own public state and a non-interactive setup not only makes the
key/secret key pair; the public key of each universe system efficient, but also greatly simplifies its design.
would be the public keys of all the users in the universe.
Our Contribution. The contribution of this work is
To aggregate partial signatures, the aggregator generates
two-fold: we first present formal definitions of multi-
a multisignature6 on all the partial signatures to certify
verse threshold signatures. Second, we give the first
that enough parties from the universe sign the message.
construction of an MTS scheme building on the BLS
The apparent advantages of this approach are that: 1)
signature. We prove that our scheme satisfies existen-
a party’s private key is oblivious to the universes that
tial unforgeability based on the knowledge of exponent
it belongs to; 2) there is no setup phase; and, 3) in
assumption [23]. We provide an open-source implemen-
the weighted setting, the aggregator’s computation is
tation of our scheme at http://github.com/rsinha/mts. We
independent of weights, providing off-chain scalability
then present a detailed evaluation of our MTS scheme,
in the case of oracle networks. However, the multisig
where we show that it is practical for application to
approach has prohibitive performance and cost concerns
decentralized oracle networks.
on the verification side. For instance, the aggregated sig-
nature itself needs to contain the information regarding
II. T ECHNICAL OVERVIEW
which set of parties have signed; thus, the signature
size is linear in the universe size. On that note, the In this section, we give a high-level overview of our
universe’s public verification key and the verification construction of the BLS-based [16] multiverse threshold
time also grow linearly in the size of the universe. In signature scheme. For simplicity, the presentation in this
the case of oracle networks, these drawbacks make the section only considers the unweighted setting, but it
smart contract prohibitively expensive; on Ethereum, it naturally extends to the weighted setting.
takes up to 60 million gas to set up the smart contract
for 2000 signers, which is prohibitive. We provide a A. The Multiverse Model
cost analysis for the multisignature-based approach (on A multiverse is a possibly overlapping set of uni-
Ethereum smart contracts) in Section VI. verses each containing an arbitrary subset of all parties
{P1 , P2 , . . .} in the system and a specific threshold.
Advantages of MTS. We now describe how the effi-
When a new party Pi enters the system, it chooses a
ciency features of MTS can help address the shortcom-
private key ski and publishes the corresponding public
ings of existing approaches. Recall that while selecting a
key pki . Then, the online parties engage in a separate
data feed, a smart contract specifies an access structure,
setup phase for each universe, where each party indepen-
which includes the set of oracle nodes, their weights,
dently contributes randomness to the public parameters
and a threshold. Hence, a data feed maps to a universe,
unique to that universe. Once a universe is set up, it can
wherein the highly reputed oracle nodes would typically
be used to produce threshold signatures. During signing,
be members of a large number of universes.
each party Pi uses its private key ski to sign a message
The compact partial signatures property of MTS
m, and the partial signature is broadcasted or sent to
addresses the bandwidth concern: the bandwidth reduces
an aggregator – this step is totally agnostic of any uni-
from 1 GB to 1 MB for the data point discussed above.
verse. For each universe, there is a separate aggregating
Second, regardless of the node’s weight or the number
procedure which combines the partial signatures for that
of smart contracts (universes), each node must only
particular universe. Crucially, the partial signatures are
keep a compact key of size the security parameter κ
“reusable” so that the same partial signature can be used
= 128 bits, and does not require any information about
in an unlimited number of aggregation procedures across
its universes during signing. Finally, due to the non-
multiple universes to produce many signatures on the
6 Note that this aggregate signature is not unique, as any multisigna- same message. Each aggregated signature verifies only
ture aggregated from enough partial signatures will pass verification. with respect to a specific universe.
3The setup phase can happen concurrently with other ski ← Fp and publishes the public-key pki = g ski .
setups or signing phases. Moreover, both the setup Note that the secret keys sk1 , . . . , skN implicitly de-
and signing phases are fully asynchronous and non- fines a degree-(N − 1) polynomial f (hidden from all
interactive, and they require honest participation from parties) where f (i) = ski . Moreover, any evaluation
only a threshold (say, T ) number of parties. of this polynomial, and in particular the verification
We emphasize that, in our model, we do not assume key pk = g f (0) , can be constructed via Lagrange
the aggregator to be honest for unforgeability. interpolation in the exponent. Now, we notice that if
N − T points on this polynomial f are somehow made
B. Construction public, this effectively reduces the degree of the poly-
Background on Threshold BLS. We start by recalling nomial f from N − 1 to T − 1. For instance, suppose
the standard threshold BLS signature scheme. Let G be f (−1), f (−2), . . . , f (−(N − T )) are publicly known.
a group with a prime order p and a generator g where Then, given any T signatures {H(m)ski }i , an aggregator
the standard pairing-based assumption holds. Let H be can compute H(m)f (−1) , . . . , H(m)f (−(N −T )) locally
a cryptographic hash function that maps messages to and subsequently is able to compute the aggregated
group elements. In the threshold BLS signature scheme, signatures σ = H(m)f (0) .
there is a setup phase, in that a random secret key Although this approach works for a single universe, it
sk ← Fp is sampled and shared among the parties breaks down when used directly in a multiverse setting.
using Shamir secret sharing for a threshold T ; the The crux of the problem stems from the fact that since
public key is set to be pk = g sk . Let ski be party-i’s the evaluations for different polynomials (corresponding
share. To ensure complete decentralization the setup is to different universes) collide, it ends up revealing too
implemented by an interactive distributed key generation many linear equations. Let us elaborate with an example.
(DKG) protocol such as [33]. To sign a message m, Consider four parties among which P1 and P2 are honest,
party i uses ski to compute H(m)ski as its (partial) but Pe3 and Pe4 are controlled by the adversary. Now
signature. Given at least T signatures {H(m)ski }i , one consider a universe U that consists of P1 , P2 , Pe3 and
can simply use Lagrange interpolation to compute the has a threshold 2, which means the evaluation fU (−1)
aggregated threshold signature H(m)sk , which verifies is public where fU is the secret degree-2 polynomial
as e(pk, H(m)) = e(g, H(m)sk ). corresponding to universe U . Again, assume another
Extending Threshold BLS to the Multiverse. To universe U ′ consisting of P1 , P2 and Pe4 with threshold
extend this scheme from a single universe to a multiverse 2 – this implies the point fU ′ (−1) of polynomial fU ′ is
setting, one encounters several roadblocks. First, a naı̈ve also public. Now note that, since fU (−1) and fU ′ (−1)
approach is to simply repeat the threshold BLS for every each reveal one linear relation about the honest party’s
universe. That is, to create a new universe, involving secret keys sk1 and sk2 , the malicious parties could
parties will engage in a fresh instance of the DKG potentially use them to reconstruct sk1 and sk2 entirely!7
protocol to generate new secret shares of this new
To resolve this issue in the multiverse setting, we
universe. As mentioned before, this runs into a scalability
refrain from publishing additional points explicitly to
issue as for each party the size of the secret key, the
reduce the threshold, but instead change how verification
computation, and the corresponding signatures all grow
works and use the additional points in the exponent
linearly with the number of universes. Recall that, we
(which, as mentioned above, everyone can compute from
need our signatures to be generated independently of any
the public keys). Without loss of generality, suppose
universe. However, it appears hard to achieve if the setup
that P1 , P2 , . . . , PT sign a message m. Each party
phase generates correlated shares of the secret-keys – this
Pi publishes H(m)f (i) as a partial signature. Addi-
makes the individual secret-key shares compatible only
tionally, one can compute the public points g f (j) for
with one public-key and hence one universe. Therefore
j ∈ {−1, −2, . . .}. The challenge is now to use these
we change the setup phase in a way, which ensures that
together to ensure verification as well as unforgeability.
the individual secret-keys are compatible with different
public-keys.
Our Approach. We let each party pick its own se-
cret key independently and publish the corresponding
public-key. Then each universe combines a different 7 For instance, by Lagrange interpolation over degree-2 polynomial,
combination of the public-keys to compute a universe- we have f (−1) = 6f (1) − 8f (2) + 3f (3). In the first universe with
specific public-key. In more detail, suppose a universe ordering P1 , P2 , Pe3 , the adversary learns 6sk1 − 8sk2 . In the second
universe with ordering Pe4 , P1 , and P2 , it learns −8sk1 + 3sk2 . In
consists of parties P1 , P2 , . . . , PN with a threshold T . any field F, where (6, −8) and (−8, 3) are linearly independent, the
Then each party Pi chooses an independent secret-key adversary could fully reconstruct sk1 and sk2 .
48
P
To see this, we first express the secret key as follows: where k = i ki . An aggregator now additionally
pub
computes σ1 that needs to pass a second verification
f (0) = λ−1 f (−1) + · · · + λ−(N −T ) f (−(N − T )) +
| {z } equation:
Public Points e(σ pub , g k ) = e(σ1pub , g). (2)
λ1 f (1) + · · · + λT f (T ),
| {z } This check ensures that as long as σ pub is a linear
Partial Signatures
combination of the public points, one can compute σ1pub
where the λi ’s are the appropriate Lagrange coefficients. by using the same linear combination on the public pa-
For the ease of notation, let us write f (0) = f pub (0) + rameter. Alternatively, if σ pub is not a linear combination
f par (0), where f pub (0) stands for the public points part of the public points, one can not find the unique σ1pub
and f par (0) stands for the partial signature part. We that passes Equation 2 except with negligible probability.
observe that Unforgeability follows from the fact that as long as σ pub
pub par
is a linear combination of the public points, the adver-
e g, H(m)f (0) = e g, H(m)f (0)+f (0) sary never knows the exponent of pk/σ pub and without
knowing that one can not forge a signature. Hence, we
pub par
= e g f (0) , H(m) · e g, H(m)f (0) .
prove existential unforgeability assuming a variant of the
Therefore, the verification procedure could check widely used knowledge of exponent assumption [23].
pk
The above modification leads to a one-round setup
e , H(m) = e(g, σ par ), (1) phase. However, this also requires a stateful aggregator,
σ pub
because the aggregator needs to use the entire public
where the aggregator computes the threshold signature parameter pp during aggregation and, hence, needs to
par
σ par = H(m)f (0) from the partial signatures and the maintain it in its local state.
pub
verifier later computes σ pub = g f (0) from the public
points. Note that, both these computations require the Handling Offline Parties. One salient feature about
knowledge of participating sets (as Langrage coefficients the setup phase is that it does not require all parties to
depend on that information). This becomes a problem be online. In particular, the security only relies on the
for the verifier, as by definition threshold signature presence of one honest party who contributes a random
verification should be agnostic about the participating ki to the random power k. Therefore, with a corruption
sets. Furthermore, the verification procedure needs to threshold of T − 1, the setup of a universe is successful
perform O(N ) amount of work to compute σ pub incur- as long as ⩾ T parties participate in the setup phase.
ring significant computation cost. Extension to the weighted setting. One can extend
A potential way to resolve this issue could be to our scheme to the weighted setting via the standard
ask the aggregator to also compute σ pub . The verifier virtualization approach. That is, if party Pi has weight
would then verify the aggregated signature (σ pub , σ par ) Wi , it participates in the protocol as Wi (virtual) parties,
by checking Equation 1. However, one can see that this by computing Wi partial signatures. To that end, Pi
construction is not secure. Note that for any α ∈ Fp , persists a κ-bit secret key, and uses PRG expansion
(σ pub , σ par ) = pk · g −α , H(m)α
to derive Wi secret values. Crucially, we also allow a
party to have different weights in different universes. A
is a signature that will pass Equation 1 violating unforge- subtle issue here is that we want the signing step to be
ability completely. This attack is due to the fact that σ pub agnostic to any universe. Hence, if a party has different
is not the correct aggregation of the public points. Rather, weights in different universes, it is unclear how many
the adversary intentionally picks σ pub such that it knows partial signatures it should compute. Motivated by our
the exponent of pk/σ pub , namely, α. applications, we assume that there is an upper bound
Our construction handles this issue via a different B on the maximum weights. Consequently, each party
route. During the setup of a universe, we ask the parties derives B keys from the κ-bit secret, and releases B
to engage in a one-round protocol to collectively raise partial signatures on each message.
the public points to some random power k ∈ Fp . In
particular, we ask party Pi to pick a random ki ← Fp Strong Unforgeability. An astute reader may find that
and send the signatures that will pass our verification algorithms
k i ki ki are not unique. Indeed, suppose > T number of parties
g ki , g f (−1) , g f (−2) , . . . , g f (−(N −T )) . have signed the message; there are multiple ways to
aggregate the signature. Namely, the aggregator could
The final public parameter pp of the universe shall be 8 The actual protocol computes k =
P
k k k i αi · ki , where αi is the
output of the random oracle on input (g k1 , . . . , g kn , g ki ). Similar
k f (−1) f (−2) f (−(N −T ))
g , g , g ,..., g , to [14], this is to prevent attacks from rushing adversaries.
5use any subset (with size ⩾ T ) of partial signatures to Our knowledge assumption is similar to the
compute the aggregated signature. Hence, if there are knowledge-of-exponent (KEA) assumption [9], [23] ex-
enough partial signatures, one may find exponentially cept that we consider an oracle-aided adversary A, which
many correctly aggregated signatures. Consequently, it has access to a random oracle H.
is unclear how one defines strong unforgeability for
Definition 3 (BLS Signature [16]). The BLS signature
our scheme. Achieving strong unforgeability without
scheme consists of the following tuple of algorithms
harming efficiency is a fascinating open problem.
(KGen, Sign, Verify): Let e(G1 , G2 ) → GT be a non-
III. P RELIMINARIES degenerate, efficiently computable, bilinear pairing be-
Let N be the set of all natural numbers {1, 2, . . .} tween G1 , G2 of prime order p and target group GT .
For any integer n, [n] refers to the set of integers Let g1 be the generator of G1 . Furthermore let H :
{1, 2, . . . , n}. For any integers n < m, [n : m] refers {0, 1}∗ → G2 be a random oracle.
to the set {n + 1, . . . , m}. For any vector ⃗v , we use ⃗v [i] • KGen(1κ ) : Sample s ← Fp and set verification key
to denote the ith coordinate of ⃗v and ⃗v [: i] to denote the as VK = g1s and the signing key as sk = s.
slicing up to the ith element. • Sign(m, sk) : Output σ = H(m)sk .
We use κ as the security parameter. A function f (κ) • Verify(VK, m, σ) : Output 1 if e(g1 , σ) =
is negligible if for all polynomial p(κ), f (κ) < 1/p(κ) e(VK, H(m)). Otherwise, output 0.
for all large enough κ.
For any vectors ⃗a, ⃗b over a field Fp , we use ⟨⃗a, ⃗b⟩ Boneh et. al. [16] proved the strong unforgeability prop-
to denote vector inner product. We use g⃗a to denote erty assuming the co-CDH assumption.
the vector g a1 , g a2 , . . . , g ak , where ⃗a = (a1 , . . . , ak ). Our construction also uses the following non-
Similarly, if ⃗a ∈ Gk is a vector over a group G of order interactive zero-knowledge proof of knowledge for the
p and ⃗b ∈ Fkp , ⟨⃗a, ⃗b⟩ denote vector inner product over discrete log problem.
the exponents. That is, Definition 4 (NIZKPoK for DL). A NIZKPoK of dis-
D E Y k crete log problem consists of a tuple of algorithms
⃗
⃗a, ⃗b = ⃗a[i]b[i] ∈ G. (Gen, P, V, S, E) that satisfies the following guarantees.
i=1
• Correctness. For all x ∈ Fp ,
A machine is probabilistic polynomial time (PPT) if it " #
is a probabilistic algorithm that runs in time poly(κ). x crs ← Gen(1κ )
Pr V(crs, g , π) = 1 : = 1.
Definition 1 (co-CDH Assumption). A pairing group π ← P(crs, g x , x)
(G1 , G2 ) with generator g1 , g2 and a bilinear pairing e :
• Zero-knowledge. There exists a simulator S such
G1 × G2 → GT satisfies the co-CDH assumption if, for
that for all g x , the output of S(g x ) is indistinguish-
all PPT adversary A, it holds that
able from the output of P(crs, g x , x).
Pr [A(g1 , g2 , g1s , g2s , g2r ) = g2sr : s, r ← F] = negl(κ). • Simulation Extraction. For all PPT A and x ∈ Fp ,
" #
Definition 2 (Knowledge Assumption). With respect to (V(crs, g x , π) = 1) crs ← Gen(1κ )
(1) groups G1 , G2 of prime order p and its generator Pr : = negl(κ).
∧ (E(A, g x , π) ̸= x) π = AS (crs, g x )
g1 , g2 and (2) a random oracle H : {0, 1}∗ → G2 ,
the knowledge assumption states that for all polynomial
N = poly(κ) and stateful PPT adversary A = (A1 , A2 ), Construction of NIZKPoK for DL. One can construct
there exists a knowledge extractor E such that, for all a NIZKPoK for DL based on Schnorr’s protocol.
s, r ∈ F and h1 , . . . , hN ∈ G1 , we have
Schnorr NIZKPoK for DL:
′
κ
k ← Fp , α ← Fp • Gen(1 ): Sample random oracle crs = H.
x
k′′ ′′ ′ ′ • P(crs, g , x) : Sample r ← Fp . Compute c =
({hi }i∈[N ] , g2k ) = A1 ({hki }i∈[N ] , g2k )
(y = xk )∧
′ ′′ ′ ′′
H(g, g , g ) and z = r+c·x. Output (g r , c, z).
x r
Pr (x ̸= bi : g k = (g k )α · g k , hk = (hk )α · hk
Y x r
(hi ) ) 2 2 2 i i i
• V(crs, g , π = (g , c, z)) : Output 1 if
H k k
i∈[N ] (x, y) = A (α, g , {hi , h } )
2 2 i i∈[N ] c = H(g, g x , g r ) ∧ g z = g r · (g x )c .
E H (α, A, g2k , {hi , hki }i∈[N ] ) = ⃗b
= negl(κ), Correctness is trivial. The simulation for zero knowledge
is straightforward by programming the random oracle.
where both A and E takes g1 , g2 , g1s , g2s , g2r as public The simulation extraction property follows from the
input. forking lemma [41].
6IV. M ULTIVERSE T HRESHOLD S IGNATURE S CHEME lenger. These oracles9 allow the adversary to add new
honest parties to the system, set up any universes, corrupt
In this section, we present the formal definition for
parties, and request partial signatures in an arbitrary
a Multiverse Threshold Signature Scheme. We write
interleaved manner. The challenger maintains a state
{P1 , P2 , . . .} for all the parties in the system. We write
which includes the following:
{W1 , W2 , . . .} for their corresponding weights where
• H is the set of honest parties;
without loss of generality we assume that Wi ∈ N.
• M is the set of malicious parties;
Definition 5 (Weighted Threshold Access Structure). An • L is the set of universes that have already been
access structure Λ over a set U ⊆ {P1 , P2 , . . .} of setup;
parties is a weighted threshold access structure with a • Tm is the set of honest parties which have already
threshold T if it associates a weight with each party signed the message m;
in this particular set; and any subset S ⊆ U is called • ski is the secret key of an honest party Pi ;
authorized
P (which we denote as S ∈ Λ) if and only if • ω(U,Λ),i is the randomness of Pi used during setup
i∈S W i ⩾ T. of the universe (U, Λ);
• ρ(U,Λ) , the messages of honest parties during setup
Definition 6 (Universe). A universe (U, Λ) is specified
of the universe (U, Λ).
by an arbitrary subset U of all parties {P1 , P2 . . .} and
All the sets are all initialized as ∅ and all the variables
an access structure Λ over U .
are initialized as ⊥.
We also consider the standard notion of (unweighted)
threshold access structure, which is a special case where OKGenstate (Pi )
Wi = 1 for each i in each universe.
1) If Pi ̸∈ H ∪ M then generate (pki , ski ) ←
Definition 7 (Multiverse Signature Scheme). A multi- KGen(1λ ), update H = H ∪ {Pi } and output
verse signature scheme is a tuple of PPT algorithms de- pki . Otherwise, output ⊥.
noted by Σ = (KGen, UGenon , UGenoff , Sign, Aggregate,
Verify) defined as follows:
• (pk, sk) ← KGen(1κ ): On input the security param- OCorruptstate (Pi )
eter 1κ , output a public-secret key pair (pk, sk). 1) Update M = M ∪ {Pi }.
• ρ ← UGenon ((U, Λ), sk) : On input a universe 2) If Pi ∈ H then update H = H\{Pi }, and
(U, Λ) and secret key sk, it samples a message ρ. output ski . Otherwise, output ⊥.
• (VK, pp) = UGenoff ((U, Λ), ρ) : On input a uni-
verse (U, Λ) and all party’s messages ρ, it outputs
a verification key VK and public parameters pp. OSignstate (Pi , m)
• σ ← Sign(sk, m) : On input the secret key sk and
message m, output a partial signature σ. 1) If Pi ∈ H then update Tm = Tm ∪ {Pi } and
• σ = Aggregate((U, Λ), pp, σ) : On input the uni- output Sign(sk, m), else output ⊥.
verse (U, Λ), the public parameter pp, a set of
signatures σ, output an aggregated signature σ.
• b = Verify(VK, σ, m) : On input the verification key OUGenstate (U, Λ)
VK, a signature σ and a message m, output either 1) update L = L ∪ {(U, Λ)}. For each Pi ∈ H ∩
b = 0 (reject) or b = 1 (accept). U , set ρi ← UGenon ((U, Λ), ski ). Finally, set
Remark 1. The universe setup consists of two phases. ρ(U,Λ) = {ρi }Pi ∈H∩U , and output ρ(U,Λ) .
During the online phase, every party samples one mes-
sage ρ ← UGenon using its private key and private Definition 8 (Correctness). A multiverse signature
randomness. In the offline phase, the verification key and scheme Σ satisfies correctness if for any PPT adversary10
the public parameter of the universe can be computed A with oracle access to OKGen, OCorrupt, OSign, and
via the deterministic function UGenoff using all parties’ OUGen, the output of the Correctness − GameA (1κ ) de-
messages. Notably, one party can reuse the same secret fined in Figure 1 is 1 with probability at least 1−negl(κ).
key for the setup of multiple universes without storing
9 The adversary is allowed to directly add malicious parties without
any additional information in its secret state.
using these oracles.
10 For the sake of simplicity, we assume that the adversary is
To formalize the security of our scheme, we define the
restricted to instantiate a universe for a (Λ, U ) only once. We stress that
following oracles (OKGen, OCorrupt, OSign, OUGen), this assumption is made only for simplicity and our schemes remain
which allows the adversary to interact with the chal- secure even if the same universe is instantiated multiple times.
71) The adversary outputs a universe (U, Λ) and • The signature verifies, i.e.,
the messages of the corrupted parties in that Verify(VK, σ, m) = 1.
universe. Also, it outputs a message m and a
set of partial signatures for parties in set S: Fig. 2: Forgery − GameA (1κ )
On our security notion and comparison to [8]. In a
((U, Λ), {ρi }Pi ∈M ∩U , m, {σj }Pj ∈S ) ← A(1κ ).
recent work, Bellare et. al. [8] investigate the subtleties
2) The verification key and public parameter are in the security definitions of threshold signature schemes.
computed as follows: In particular they look into unforgeability which guaran-
tees that the adversary should not be able to produce any
(VK, pp) = UGenoff ((U, Λ), ρ(U,Λ) ∥{ρi }Pi ∈M ∩U ).
“non-trivial forgery” except with negligible probability.12
′ In particular, based on what makes a “trivial forgery”,
Among these let S ⊆ S denotes the sub-
set where all partial signatures {σj }j∈S ′ are they define various levels of security.
honestly computed (hence, correct) by calling We note that our definition considers the strongest
OSign(Pj , m). possible security as a forgery is only considered non-
3) The output of this game is 1 if and only if at trivial as long as < T − c honest parties sign the
least one of the following conditions is met. message (which is captured by M ∪ Tm ∈ / Λ in our
• All parties in the universe are corrupted at
definition). Besides achieving the strongest existential
setup. That is, ρ(Λ,U ) = ∅. unforgeability notion, our definitions are stronger in the
• The subset of correct signatures is not an
following aspects.
authorized subset. That is, S ′ ∈
/ Λ. • We consider malicious security even for the uni-
• The aggregated signature verifies. That is, verse setup phase together with the signing phase.
Verify(VK, σ, m) = 1, where In most prior works, the security of setup phase is
considered separately [33].
σ = Aggregate((U, Λ), pp, {σj }Pj ∈S ). • The multiverse setting is novel to our work. Hence,
the adversary could interleave the universe setup
A κ and signing requests in an arbitrary manner.
Fig. 1: Correctness − Game (1 )
• Our correctness guarantee is also stronger in that
Definition 9 (Security). A multiverse signature scheme even if some parties submit invalid signatures, the
Σ satisfies security if for any PPT adversary A with aggregate signature should still be correct with
oracle access to OKGen, OCorrupt, OSign, and OUGen, overwhelming probability as long as a sufficient
the output of the following Forgery−GameA (1κ ) defined amount of partial signatures are honestly generated.
in Figure 2 is 1 with at most negl(κ) probability.11
Finally, as we discussed earlier, our scheme is weaker
1) The adversary outputs a universe (U, Λ) and in that we do not achieve strong unforgeability.
the UGenon message of the corrupted parties V. T HE P ROTOCOL
in that universe. Additionally, it outputs a
A. Multiverse Threshold Signature Protocol for
message m and a signature σ. That is,
Weighted Threshold Access Structure
((U, Λ), {ρi }Pi ∈M ∩U , m, σ) ← A(1κ ). In this section, we present a multiverse signature
2) The verification key and public parame- protocol for weighted threshold access structure.
ter are computed. That is, (VK, pp) = Notation and Building Blocks.
UGenoff ((U, Λ), ρ(U,Λ) ∥{ρi }Pi ∈M ∩U ).
• Let G1 , G2 be prime-order groups with g1 , g2
3) The output of this game is 1 only if all of the
as their respective generators. Let p be the
following conditions are met.
order of G1 and G2 . Let e(G1 , G2 ) → GT be
• The adversary has not acquired sufficient
a bilinear map between G1 , G2 and the target
partial signatures of m; i.e. M ∪ Tm ∈ / Λ. group GT .
• Let {P1 , P2 , . . . } be a list of all the parties in
the system. We assume that there exists an up-
per bound B such that for any universe (U, Λ),
11 We note that our security game allows the adversary to launch non-
malleability attacks. For instance, the adversary could copy an honest
party’s public key (and its corresponding NIZKPoK) as its own public
key. Intuitively, these attacks, however, are not helpful for producing 12 In the non-threshold setting a “trivial forgery” is simply defined
a valid forgery. Our security proof implicitly proves this. by the signatures obtained by querying the signing oracle.
8every party Pi ∈ U has weight Wi ⩽ B. 7) Output (VK, pp).
• Let H : {0, 1}∗ → G2 and H ′ : {0, 1}∗ → Fp
be a random oracle.
Let F : {0, 1}κ → FB Description of Sign(sk, m) :
• p be a PRG.
1) Output signature σ = H(m)F (sk) ∈ GB
2 .
Description of KGen(1κ ) :
Description of Aggregate((U, Λ), pp, σ) :
1) Sample a random PRG seed s ← {0, 1}κ .
F (s) |U |
2) Output (pk = g1 , sk = s) ∈ GB κ
1 × {0, 1} .
1) Parse (U, Λ) = {(pki , Pi , Wi )}i=1 , T . As-
sume parties are indexed by some canonical
ordering.
Description of UGenon ((U, Λ), sk) : 2) Parse σ = {σi }Pi ∈S . Initiate an empty set Q.
|U |
1) Parse (U, Λ) = {(pki , Pi , Wi )}i=1 , T . As- Sample a random vector ⃗r ← FB p . For each
sume parties are indexed by some canonical Pi ∈ S ∩ U , add Pi to Q if
F (sk)
Pj be the index s.t. g1
ordering. Let = pkj . e(⟨pki , ⃗r⟩, H(m)) = e(g1 , ⟨σi , ⃗r⟩).
2) Let W = i∈[|U |] Wi . We shall reconstruct
the degree-(W − 1) polynomial defined by the 3) Let X be the set of evaluation points cor-
W public keys of the parties in the universe, responding to parties in Q. For instance, if
where party Pi specifies Wi points. Q = {1, 3}, X = [1 : W1 ] ∪ [W1 + W2 + 1 :
3) In particular, let pk∗j = pkj [1 : Wj ] and W1 + W2 + W3 ].
4) Let λi be the Lagrange coefficients satisfying
pk = pk∗1 ∥pk∗2 ∥ · · · ∥pk∗N ∈ GW
1 . X
f (0) = λi · f (i).
Define a polynomial f ∈ Fp [X] of degree W − i∈X∪[−(W −T ):−1]
f (x)
1 such that g1 = pk[x] for x ∈ [W ].
Note that λi are determined by the set X.
4) Interpolate these points on the exponents:
5) We write {λi }i∈X in short as ⃗λpar and
in short as ⃗λpub
f (x)
evals0 = g1 x ∈ {−(W −T ), . . . , −1, 0} . {λi }i∈[−(W −T
):1]
6) Parse pp = B, ⃗ A⃗ ∈ G2(W −T ) . Compute
5) Sample k ← Fp , then compute 1
k·f (x)
evals1 = g1 x ∈ {−(W −T ), . . . , −1} . ⃗ ⃗λpub ⟩
σ0′ := ⟨B, and ⃗ ⃗λpub ⟩.
σ1′ := ⟨A,
6) Compute NIZKPoK π DLog for each group el- 7) Let ⃗σ be the concatenation of σi ’s where Pi ∈
ement in pkj using witness F(sk). Q. Compute σ ′ := ⟨⃗σ , ⃗λpar ⟩.
7) Output ρ = evals1 , g2k , π DLog . 8) Output σ = (σ ′ , σ0′ , σ1′ ).
Description of UGenoff ((U, Λ), ρ) : Description of Verify(VK, σ, m) :
1) Repeat the same steps in UGenon and compute 1) Parse VK = (VK0 , VK1 ), σ = (σ ′ , σ0′ , σ1′ ).
f (x)
2) Output 1 (and 0 otherwise) if it holds that
evals0 = {g1 | x ∈ {−(W − T ), . . . , −1}}. (
e(VK0 /σ0′ , H(m)) = e(g1 , σ ′ )
2) Parse ρ = {ρ1 , . . . , ρN ′ } and initialize Q = ∅. .
e(σ1′ , g2 ) = e(σ0′ , VK1 )
3) For each i ∈ [N ′ ], parse
ρi = evals1,i , g2ki , πiDLog . B. Correctness
4) Add i to Q if the proof πiDLog verifies and We now show via the following theorem that our con-
struction satisfies correctness according to Definition 8.
e(evals1,i , g2 ) = e(evals0,i , g2ki ).
k
Theorem 1. Let us assume that the NIZKPoK proof sys-
5) Let αi = H ′ {g2 j }j∈Q , g2ki and evals1 be
tem for DLOG is complete with probability 1. Then our
the (coordinate-wise) linear combination of all MTS scheme is correct with overwhelming probability.
elements in {evals1,i }i∈Q with coefficients αi .
6) Set pp = (evals0 , evals1 ), and set VK = Proof. In our proof, we use the same notations for all
f (0)
(VK0 = g1 , VK1 = i∈Q (g2ki )αi ).
Q
variables that appeared in our description of the scheme
in Section V-A.
9Suppose at the end of Correctness-Game, the ad- Proof Overview. Our security proof reduces the security
versary A outputs: ((U, Λ), {ρi }Pi ∈M ∩U , m, {σj }Pj ∈S ). of our MTS scheme to the security of the co-CDH
Let S ′ ⊆ S be the subset of signatures that are assumption. In particular, given an adversary A that
honestly generated. We would like to show that breaks the MTS scheme with non-negligible probability,
with all but negligible probability, if (U ̸⊆ M ) ∧ we construct an adversary A∗ that breaks co-CDH with
(S ′ ∈ Λ) Then Verify(VK, σ, m) = 1, where σ = non-negligible probability.
Aggregate((U, Λ), pp, {σj }Pj ∈S ). On a high level, A∗ interacts with an external chal-
As U ̸⊆ M , there exists some P ∗ ∈ U ∩ H. lenger for the co-CDH security game. It receives the
Therefore, ρ∗ ∈ ρΛ,U is honestly computed by challenge g1s , g2s , and g2r from the challenger and pro-
the oracle OUGenstate (U, Λ). Now consider run- ceeds to interact with the adversary A. When it simulates
ning UGenoff ((U, Λ), ρΛ,U ∥{ρi }Pi ∈M ∩U ): since ρ∗ is the MTS security game, A∗ will embed the challenge g1s
honestly computed, we must have P ∗ ∈ Q as the public key of some random honest parties. For the
and thus Q ̸= ∅. Now for all Pj ∈ Q, other honest parties, it samples their secret keys honestly.
k
since e(evals1,j , g2 ) = e(evals0 , g2 j ), we have Additionally, A∗ will program the random oracle H and
e(evals1 , g2 ) = e(evals0 , VK1 ). Therefore it al- embed the challenge g2r as the hash H(m) of a few
ways holds that e(σ1′ , g2 ) = e(⟨evals1 , ⃗λpar ⟩, g2 ) = random messages. For the other messages, it honestly
′
samples a random r′ and sets H(m) = g2r . In the end,
e(⟨evals0 , ⃗λpar ⟩, VK1 ) = e(σ0′ , VK1 ). Thus verifier’s first
check will pass. we show that if A successfully produces a forgery for
For any Pj ∈ S ′ , since σj is the output of A’s query the MTS game, we could use it to compute g2rs with
to OSign(Pj , m), we have σj = H(m)F (skj ) and, thus, some non-negligible probability. Below, we highlight
e(⟨pkj , ⃗r⟩, H(m)) = e(g1 , ⟨σj , ⃗r⟩) for any ⃗r. Thereforesome technical challenges.
S ′ ⊆ Q. Oracle queries. A∗ can answer most queries by A
We further claim that with all but negligible probabil- directly with a few exceptions. First, suppose A requests
ity, for all Pj ∈ Q \ S ′ , we have σj = H(m)F (skj ) . To an honest party with embedded challenge g1s as its public
prove this, notice that if σj ̸= H(m)F (skj ) , then key to sign a message m with the embedded challenge
g2r as its hash value H(m). A∗ cannot compute the
Pr[e(⟨pkj , ⃗r⟩, H(m)) = e(g1 , ⟨σj , ⃗r⟩)] ⩽ 1/|Fp |. partial signature H(m)s as it does not know neither s
⃗
r
By a union bound, nor r. However, by carefully choosing the embedding
probability, we will ensure that this never happens with
′ F (skj ) |Q \ S ′ | a non-negligible probability.
Pr[∃Pj ∈ Q \ S : σj ̸= H(m) ]⩽ ,
|Fp | Second, since we allow A to adaptively corrupt par-
which is negligible in κ. P Since S ′ ∈ Λ and S ′ ⊆ Q, ties, it may decide to corrupt an honest party with the
we have Q ∈ Λ, and thus Pi ∈Q Wi = |X| ⩾ T . Since embedded challenge g s as its public key. Again, we
f (x) is a degree W −1 polynomial, it can be interpolated cannot give the secret state of this party as we do not
know s. However, with a non-negligible probability, A
P its evaluations at X ∪ {T − W, . . . , −1}.
correctly using
Let f (0) = x∈X S{T −W,...,−1} λx · f (x). Notice that will not corrupt any honest parties with an embedded
P challenge. This is because A succeeds with a non-
e(VK0 /σ0′ , H(m)) = e(g1 , H(m)f (0)− x∈{T −W,...,−1} f (x)·λx ) negligible probability in the MTS game, and A only
P
= e(g1 , H(m) x∈X f (x)·λx ) = e(g1 , σ ′ ). succeeds if it does not corrupt all parties. Therefore,
with a non-negligible probability, A does not corrupt
Thus Verify(VK, σ, m) = 1 with 1 − negl(κ) probability. any parties where we embed the challenges, as there are
C. Security very few of them. Therefore A∗ can successfully answer
We prove the security/unforgeability of our scheme all of A queries with a non-negligible probability. ∗
according to Definition 9 via the following theorem. Solve co-CDH challenge. Conditioned on (1) A can
successfully answer all of A queries and (2) A indeed
Theorem 2. In addition to the knowledge assump- successfully generates a forgery, we now need to argue
tion (Assumption 2), let us assume that the underlying that we can solve the co-CDH problem and compute g sr .
2
NIZKPoK proof system for DLOG is sound with over- Note that A produces a signature (σ, σ0 , σ1 ) such that
whelming probability. Then the security of our MTS (
construction can be reduced to the co-CDH assump- e(VK0 /σ0 , H(m)) = e(g1 , σ)
tion (Definition 1). e(σ1 , g2 ) = e(σ0 , VK1 )
Due to the space limit, we shall only give an overview Our plan is to show that with a non-negligible probability
of the proof in the main body. The full security proof is VK0 /σ0 can be written as g1a·s+b for some a ̸= 0 and
deferred to Appendix A. b that A∗ knows. If so, σ must be equal to H(m)a·s+b .
10And, consequently, if H(m) is a hash value with the We measure the performance of signing, verification,
embedded challenge g2r (which happens independently and aggregation algorithms. We compare our MTS con-
with a non-negligible probability), we can easily use σ struction against alternative threshold signature schemes,
to compute g2sr . when adapted to the multiverse setting. These include:
To argue this, we invoke the knowledge assumption13 1) generic zk-SNARK approach; 2) compact certificates
to argue that the only way that A can compute σ0 and σ1 in Micali et. al. [38]; 3) (vanilla) threshold BLS; and, 4)
that pass the second equation is by a linear combination multisignature based on BLS. These are described below.
of the public points, and one can extract such a linear
Aggregation using zk-SNARKs. The aggregator can
combination. Consequently, one can write VK0 /σ0 di-
function as a prover who convinces the verifier that
rectly as some linear combination of all parties’ pub-
it knows a threshold number of valid signatures, each
lic keys. Furthermore, by relying on the knowledge
verifiable under a distinct public key. To set up this
extraction property of the NIZKPoK scheme, we can
experiment, we use the gnark library [2] to create
extract the malicious parties’ secret keys. Henceforth,
a circuit composing multiple instances of the signa-
we know all the exponents of public keys in the linear
ture verification circuit.15 For fairness, we choose the
combination, except for those with embedded challenges,
most SNARK-friendly signature scheme available in the
which means VK0 /σ0 can indeed be written as g1a·s+b .
gnark library, which is EdDSA signatures – with the
Next, we note that a ̸= 0 with high probability, as
gnark frontend, a single EdDSA verification produces
we pick a random honest party to embed the challenge;
roughly 6.2K constraints in the Groth16 system [35] and
therefore, no matter what linear relation the adversary
13.1K constraints in the PLONK system [29]. To get a
chooses to aggregate the public points, one can prove
ballpark estimate, we will assume the verifier has the
that a ̸= 0 with high probability.
entire address book mapping nodes to their public keys;
Security Loss. Our proof shows that if the adversary
alternatively, the proof can be constructed with respect to
A succeeds in the MTS game with some non-negligible
a commitment to the address book, but that only adds to
probability δ, then A∗ succeeds in solving the co-CDH
the prover (aggregator) running time that we report. Note
problem with some non-negligible probability δ ′ . We
that this approach computes the MiMc [7] hash function,
emphasize that our security proof does not optimize the
used in the signature scheme as a random oracle, inside
security loss between δ ′ and δ. Note that this security
the SNARK circuit. As we show later, the aggregator’s
loss affects the choices of security parameters and,
running time is prohibitively expensive.
henceforth, all parameters in our scheme, e.g., signature
size, aggregation/verification time, etc. Therefore, tighter Compact Certificates. Micali et. al. [38] introduce
security loss will potentially lead to more efficient con- compact certificates, based on non-interactive proofs of
struction. We leave this as exciting future works. knowledge in the random oracle model. The certificate
proves that signers have a sufficient total weight, while
VI. I MPLEMENTATION AND E VALUATION
only including logarithmic number of individual signa-
We implement our MTS construction in Rust and tures. As we show later, the certificate size is orders of
release it open-source at https://github.com/rsinha/mts. magnitude larger than ours, incurring a heavy gas cost.
We use the BLS12-381 pairing-based curve [15], and
the hashing to elliptic curve method defined in [28]. Threshold BLS. The (vanilla) threshold BLS system
For efficiency, we implement multi-exponentiation of uses a BLS scheme that is setup by a distributed key
group elements (within the aggregator) using Pippenger’s generation (DKG) protocol, such as Gennaro et. al. [33]
method [17], [40], which, for n group elements, requires or with the recent improvements in [44]. Recall that a
O(n / log(n)) running time as opposed to O(n). party produces independent partial signatures for each
For a fair comparison of all schemes, we only im- universe; not surprisingly, as we show later, the network
plement the single-threaded version of our algorithms, bandwidth usage is prohibitively expensive.
though there are obvious opportunities for parallelism. BLS Multisignature. We also test MTS based on
All experiments are run on a Macbook Pro with M1 Pro BLS multisignatures [14], [37], where rogue key attacks
chip and 32 GB RAM. We also report EVM gas costs14 are addressed via proofs-of-possession in a setup phase
for publishing and verifying signatures on-chain. – see Appendix B for details on this construction. In
13 Note that A is an oracle-aided circuit that has access to the random this scheme: 1) the aggregate signature contains the
oracle H. In particular, our knowledge assumption assumes that one identity of each signer; and, 2) the aggregate public
could extract from such oracle-aided circuits.
14 Our calculation uses the pre-compiled gas costs for alt bn128 15 Alternatively, we could have produced k independent Groth16
curve as defined in EIP-1108 [22]: ECADD costs 150, ECMUL costs proofs, and aggregated them using Bunz et. al. [20] (implemented
6000, and k pairings cost 35, 000 · k + 45, 000. The gas cost for each in [30]), that results in O(log(k)) sized proofs. Recursive composition
32-byte storage slot is 20000. techniques also exist [18], but they are relatively inefficient.
11key is computed by the verifier (e.g. smart contract) by Verifying compact certificates has the highest gas
aggregating the public keys of all signers. As we show cost. We are also under-approximating here, as we only
later, this scheme has expensive (on-chain) verification include the gas cost of computing keccak256 hashes
cost, both in the setup cost (storing linear public keys) (costing 28 gas units [4]) in the Merkle paths and the
and operation cost (multiplying linear group elements). EdDSA (over Curve25519) signatures (costing 2000 gas
units [5]); i.e., we are not including the cost of verifying
A. Signature Size the proof against the commitment to the public key set.
We report the signature size in Table I. Depending BLS multisigs require linear group additions to com-
on the scheme, a signature has several components: pute the aggregate key, causing the gas cost to exceed
G1 and G2 denote group elements (of size 48 and that of MTS verification beyond a few hundred signers. It
96 bytes, respectively) from the source groups of the also requires the smart contract setup to store n public
pairings curve, and F denotes field elements (of size 32 keys on-chain, which comes out to 60 million gas for
bytes). Except for compact certificates and BLS multisig, 2000 nodes (roughly $1460 at the time of writing).
all other schemes produce an aggregate signature of The summary of our analysis here is that compact
constant size, with threshold BLS producing the shortest certificates and BLS multisignatures have high veri-
signature of size 1 group element (48 bytes). fication complexity, when used in the multiverse setting.
Compact certificates use logarithmic size proofs; for
128-bit security, soundness requires them to output a C. Bandwidth Requirement
certificate of size 7.5-12 KB for 100 parties, and roughly We now analyze the inbound bandwidth complexity
40-250 KB for 10K parties – Table I includes a data from the point of view of the aggregator. The bandwidth
point for threshold that is 80% of total weight, and the is a proxy for network traffic flowing over P2P channels
signature is even larger for lower thresholds.16 In fact, in the oracle network. We report the results in Table II,
for a few hundred nodes, the certificate is larger than for select parameters of network size, weight (per party),
simply outputting all signatures, due to the overheads of and the number of universes.
the Merkle paths – their approach is targeted towards All three of compact certificates, multisig, and zk-
networks with millions of nodes, but that is orders of SNARK based approaches use similar bandwidth, as
magnitude larger than any existing blockchain network each party sends one signature – bandwidth is indepen-
(Bitcoin has 10K nodes). Therefore, compact certificates dent of the weight or the number of universes.
are impractical for our use case, especially since the In our MTS scheme, the bandwidth is linear in the
aggregate signature is published and verified on-chain. weight, but constant in the number of universes. Our
BLS multisig produces a linear size aggregate signa- conclusion from this study is that while MTS is worse
ture, as the aggregator must communicate which parties than the SNARK approach for large weights, the band-
have signed (1 bit per party). Though asymptotically width is still under 10 MB for reasonable weights, and
worse, it fares better in practice compared to compact therefore not problematic for practical parameters. In
certificates; for n nodes, the signature must have 1 group contrast, the threshold BLS scheme uses a little under 1
element and n bits – for practical values of n, say 1000 GB for 100 universes, for weight B = 50 – this is for one
nodes, we have a 224 byte signature. message, and is quickly unmanageable for our setting, as
Chainlink concurrently serves several hundreds of data
B. Verification Time feeds (with separate message for each feed).
Table I also reports verification complexity, in alge- The summary of the bandwidth analysis here is that
braic operations, wall clock time, and Ethereum virtual the naı̈ve application of threshold BLS to the multi-
machine (EVM) gas units (computed using [3]) – we verse setting is not at all scalable.
report the EVM gas cost for both smart contract setup
D. Aggregation Time
(where the verification key is stored on-chain) and per-
signature verification. Algebraic operations are of several 1) Unweighted Setting: We start with the unweighted
types: H denotes hash functions, P denotes pairing setting because it is a default or natural setting in several
operations, while group operations in G1 are either expo- applications of threshold signatures. Table III displays
nentiations or multiplications. Again, with the exception the running time of the aggregator for the different
of compact certificates and BLS multisig, all schemes schemes in the unweighted setting (i.e., B = 1). We
have constant time. measure how the running time increases as the size of
the network grows (while keeping the threshold to be
16 Irrespective of the number of nodes and weights, the certificate
a fixed fraction T = W/2, where W = n equals the
contains the following number of signatures (in addition to the Merkle
path hashes) for 128-bit security : 1343 for T = 0.55W, 702 for T = number of nodes). Since aggregation is performed for
0.6 W, 380 for T = 0.7 W, 272 for T = 0.8W, and 217 for T = 0.9W. each universe separately, the reported running time is
12You can also read
