Elliptic Curve Digital Signature Algorithm

Elliptic Curve Digital Signature Algorithm

Third lesson for the Bitcoin and Blockchain Technology course of Milano-Bicocca and Politecnico di Milano

www.ametrano.net/bbt/

Ferdinando M. Ametrano

March 08, 2019

Transcript

  1. Bitcoin and
    Blockchain Technology
    Elliptic Curve Digital Signature Algorithm
    v2019.04.03
    Comments, corrections, and questions: https://drive.google.com/open?id=1MZu_4zbI8khdYhbGJg9SwWkNA5x-Tb_W
    © 2019 Digital Gold Institute

  2. Table of Contents
    1. Modular Arithmetic
    2. Algebra of Sets: Finite Field
    3. Elliptic Curves over Real Numbers
    4. Elliptic Curve over
    5. Asymmetric Cryptography on Elliptic Curves
    6. Digital Signature Protocol
    7. Elliptic Curve Digital Signature Algorithm

  3. Modular Arithmetic
    Arithmetic for integers where numbers "wrap around" upon reaching the
    modulo value.
    Example:
    ▪ 9+4 = 1 mod 12
    https://commons.wikimedia.org/wiki/File:Clock_group.svg

  4. Congruence and Remainders
    If 1
    ≡ 1
    mod and 2
    ≡ 2
    mod then
    ▪ 1
    + 2
    ≡ 1
    + 2
    (mod )
    ▪ 1
    − 2
    ≡ 1
    − 2
    (mod )
    ▪ 1
    2
    ≡ 1
    2
    (mod )
    ▪ mod b mod ≡ mod
    ▪ mod b mod mod = () mod


  6. Group {F, +} (1/2)
    A group is a set F together with a binary operator + (also known as
    group law) with the following properties:
    ▪ Closure: for all a and b in F, a+b is also in F;
    ∀a, b ∈ F, a+b ∈ F
    ▪ Identity: there exists a unique neutral element 0 in F, such
    that for every element a in F, 0+a = a+0 = a holds;
    ∃! 0 ∈ F | 0+a = a+0 = a, ∀a ∈ F
    ▪ Invertibility: for each a in F, there exists the inverse b in F,
    commonly denoted -a, such that a+b = b+a = 0;
    ∀a ∈ F, ∃ −a ∈ F | a+(−a) = (−a)+a = 0
    ▪ Associativity: for all a, b and c in F, (a+b)+c = a+(b+c);
    ∀a, b, c ∈ F, (a+b)+c = a+(b+c)
    The number of elements in a group is the group order

  7. Additive or Multiplicative Notation
                               Neutral Element   Inverse
    Additive Notation          Zero              Opposite
    Multiplicative Notation    Identity          Inverse

  8. Group {F, +} (2/2)
    ▪ The set of all integer numbers under addition {ℤ, +} is an infinite
    order group
    ▪ The set of all integer numbers under multiplication {ℤ, ∙} is not a
    group (e.g. multiplicative inverse of 2 is not an integer)
    ▪ Τ
    ℤ ℤ : { 0, − 1 , +}, i.e. the set of integer numbers 0, − 1
    under addition modulo , is a group of order
    − 0 is the neutral element (also called zero)
    − The inverse of any element is − ,

  9. Commutative Group {F, +}
    A group {F, +} is commutative if for all a and b in F, a+b = b+a
    ∀, ∈ , + = +
    ▪ The set of all integer numbers under addition {ℤ, +} is a
    commutative group
    ▪ For any modulo , Τ
    ℤ ℤ : { 0, − 1 , +} is a commutative group

  10. Cyclic Group {F, +}
    A group {F, +} is cyclic if there is a generator element
    ∃ ∀ ∈ , ∃ = + ⋯ + ( )
    ▪ When the group order is prime, the group is cyclic: starting
    from any (non-zero) element and adding this element to itself
    successively, all elements of the set are recovered
    ▪ For any prime , Τ
    ℤ ℤ : { 0, − 1 , +} is a cyclic group; e.g. for
    = 7, { 0, 6 , +}:
    − starting from 3 the cycle is 3+3 %7=6; 6+3 %7=2; 2+3 %7=5; 5+3 %7=1;
    1+3 %7=4; 4+3 %7=0; 0+3 %7=3
    − starting from 2 the cycle is 2+2 %7=4; 4+2 %7=6; 6+2 %7=1; 1+2 %7=3;
    3+2 %7=5; 5+2 %7=0; 0+2 %7=2

  11. Ring and Field {F, +, ∙}
    ▪ A ring is a commutative group with a second binary operator
    that is associative and with distributive properties making the
    two operators “compatible”
    ∀, , ∈ , + ∙ = ∙ + ∙
    ▪ A field is a ring such that the second operation, after throwing
    out the identity element of the first operation, satisfies all the
    commutative group properties
    ▪ Real numbers ℝ and rational numbers ℚ, with addition and
    multiplication, are fields of infinite order
    ▪ In a field you can add, subtract (i.e. add the additive opposite),
    multiply, and divide (i.e. multiply by the multiplicative inverse)

  12. The Finite Field Fp = {[0, p−1], +, ∙}
    ▪ We already established that for any modulo , { 0, − 1 , +} is a
    commutative (cyclic) group
    ▪ For any prime number , { , − 1 , ∙} is also a commutative
    group
    − 1 is the identity element
    − For any element there exists its inverse , such that
    = 1. It is crucial here that is prime

    = { 0, − 1 , +,∙} is a finite field

  13. E.g.: The Finite Field F7
    {[0, 6], +} is a commutative group
    ▪ 4+3 %7 = 0 → 3 is the opposite of 4
    ▪ Subtraction must be interpreted as addition of the opposite
    2-4 %7 = 2+3 %7 = 5
    2-4 %7 =-2 %7 = 5
    {[1, 6], ∙} is a commutative group
    ▪ 4 ∙ 2 %7 = 1 → 2 is the inverse of 4
    ▪ Division must be interpreted as multiplication by the inverse
    5 ÷ 4 %7 = 5 ∙ 2 %7 = 3

  14. Fermat’s Little Theorem
    When p is prime, for each a:
    a^(p−1) = 1
    e.g. in ([1, 6], ∙) with a = 3, 3^6 = 1:
    3^2 %7 = 3*3 %7 = 2
    3^3 %7 = 2*3 %7 = 6
    3^4 %7 = 6*3 %7 = 4
    3^5 %7 = 4*3 %7 = 5
    3^6 %7 = 5*3 %7 = 1

  15. Inverse Calculation
    ▪ So, it holds that the inverse of a is
    a^(−1) = a^(−1) ∙ 1 = a^(−1) ∙ a^(p−1) = a^(p−2)
    ▪ In Python
    a_inv = pow(a, p-2, p)

  16. Square root concept
    E.g. in F7:
    ▪ 2*2 %7 = 4 → 2 is an (even) square root of 4
    ▪ 5*5 %7 = 4 → 5 is an (odd) square root of 4
    ▪ 5 = -2 %7 → the odd root is similar to a negative root for integers
    ▪ 2 + 5 = 7 → even root + odd root = p

  17. The Finite Field F7
    element   opposite   inverse   odd sqrt   even sqrt
    0         0          #N/A      0          0
    1         6          1         1          6
    2         5          4         3          4
    3         4          5         #N/A       #N/A
    4         3          2         5          2
    5         2          3         #N/A       #N/A
    6         1          6         #N/A       #N/A

  18. Homework
    Calculate the table of opposites, inverses, and square roots for the
    finite fields F19 and F23
    Use mod_inv and mod_sqrt from github.com/dginst/btclib/numbertheory.py
    or Excel/VBA from github.com/dginst/bbt/excel/FiniteFields.xlsm


  20. Elliptic Curves over Real Numbers
    ▪ A formal definition would require algebraic geometry
    ▪ Defined by the Weierstrass equation:
    = + + , , ∈ ℝ
    ▪ The curve is non-singular if:
    ∆= −16 43 + 272 ≠ 0

  21. Elliptic Curve = − +
    a = -7
    b = 10
    ±
    = ± 3 − 7 + 10
    Negative y roots are in red,
    positive ones in blue

  22. Point Addition P+Q=R
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html

  23. Point Doubling Q+Q=R
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html

  24. Algebraic Formulae
    Point Addition P+Q=R

    = −

    2



    = −




    Point Doubling Q+Q=R

    = 3
    2+
    2
    2
    − 2

    = 3
    2+
    2


    − 2

  25. Infinity Point
    (aka Group Identity or Neutral Element)
    Adding two points with the same
    x-coordinate (y-coordinates
    being the positive/negative
    roots of the same 3 + + )
    “shoots” at the infinity point ∞
    Doubling the point (x, 0) also
    shoots at ∞
    ∞ is the group neutral element:
    ▪ zero in additive notation
    ▪ identity in multiplicative
    notation
    https://en.wikipedia.org/wiki/Elliptic_curve#/media/File:ECClines.svg

  26. Opposite of Point Q
    The infinity point is providing the opposite formula:
    + = 0 → = −
    = (,
    ) and − = (, −
    ) have the same coordinate.
    Therefore, their coordinates are the positive/negative roots of:
    ±
    = ± 3 + +
    So

    = −
    and − = , −
    For every , in the group, , − is also in the group

  27. Compressed Point Representation
    = ,
    For every , given 2 = 3 + + , two roots are possible:
    ±
    = ± 3 + +
    plus one single bit ෤

    = 0/1 is enough to describe the point:
    = (, ෤

    )

  28. Elliptic Curve Commutative Group
    ▪ With the addition operation, the points of an elliptic curve
    (augmented with ∞) are a commutative group
    ▪ The ∞ point is the neutral element, implicitly defining the
    opposite concept
    ▪ Arbitrarily named addition: it is simply the group law, and it
    could have been called multiplication instead
    − In multiplicative notation doubling would have been called
    squaring

  29. Point Multiplication =
    ▪ Point multiplication = ( ∈ ℕ) is a convenient notation for
    the repeated application of addition
    = + ⋯ + ( )
    ▪ Elliptic curve multiplication is not a binary operation on the set
    of curve points: it does not combine two points!
    ▪ Addition is the only elliptic curve group binary operation

  30. Double and Add Algorithm
    m = 947 = 2^0 + 2^1 + 2^4 + 2^5 + 2^7 + 2^8 + 2^9      9 doublings
    m = 947 = 1 + 2 + 16 + 32 + 128 + 256 + 512             6 additions
    9 doublings for the powers of two and 6 additions: polynomial in
    the number of bits representing m.
    Point multiplication
    947Q = Q + 2Q + 16Q + 32Q + 128Q + 256Q + 512Q          6 point additions
    9 doublings for the powers of two and 6 point additions: much
    better than 946 point additions!
    https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication

  31. Discrete Logarithm Problem (DLP)
    A One Way Function
    For any ∈ ℕ, double&add provides an efficient computation of:
    =
    To infer from {, } is computationally infeasible
    ▪ In additive notation, it is easy to “multiply” = , but difficult
    to “divide” = Τ

    ▪ It is called logarithm problem because in multiplicative notation
    it would have been = , so =



  33. Elliptic Curves Over Fp
    For cryptographic use, we consider the curve not over ℝ, but over
    a finite field
    :
    2 = 3 + +
    where 43 + 272 ≠ 0
    , , , ∈

  34. y2=x3−7x+10 over F263
    Symmetric with respect
    to = Τ
    2 = 131.5

  35. y2=x3−7x+10 over F263
    ▪ Geometric interpretation (line
    drawing) for sum still holds
    ▪ Adding same-x points shoots
    at infinity
    https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

  36. Opposite of Point Q
    + = 0 → = −
    = (,
    ) and − = (, −
    ) have the same coordinate.
    Therefore, the coordinates are the modulo even/odd roots of:
    ,
    = 3 + +
    ,
    So

    = −
    and − = (, −
    )
    For every , in the group, , − is also in the group

  37. SEC Compressed Point Representation
    = (, )
    ▪ Uncompressed = , representation is
    For every , two roots are possible:
    ▪ Even root, compressed = , representation is
    ▪ Odd root, compressed = , representation is
    e.g. for y2= x3−7x+10 over F263
    (118, 192): 118 192 or 118
    (118, 71): 118 71 or 118
    http://www.secg.org/sec1-v2.pdf

  38. Breaking Opposite Point Symmetry
    The symmetry between opposite points (same x-coordinate) can
    be resolved with alternative discrimination criteria for the y-
    coordinate:
    1. odd / even
    2. high / low
    The product of two numbers is a quadratic residue, i.e. does have
    square roots, when either both or none of its factors are quadratic
    residues. For prime = 3 mod 4, the number −1 is not a quadratic
    residue mod . As such, if −1 ∙ is a quadratic residue mod then
    is not, and vice versa. This provides the additional criterion:
    3. (when = 3 mod 4) quadratic residue / not a quadratic residue

  39. Hasse Theorem
    Note that the EC group order = # and the finite field's prime
    are different numbers.
    Hasse theorem shows that:
    + 1 − 2 ≤ ≤ + 1 + 2
    e.g. for F263, = 263:
    231 ≤ ≤ 296
    y2= x3−7x+10 over F263
    ▪ 280 points: 279 affine points plus ∞
    ▪ Odd number of affine points: = , 0 must be in the group,
    = −, 2 = ∞

  40. Elliptic Curves Over a Finite Field Fp
    ▪ The points on an elliptic curve over a finite field can have
    cyclic subgroups
    ▪ Starting from a point its associated cyclic subgroup can be
    explored
    ▪ If the subgroup has order , then = 0
    e.g. y2=x3−7x+10 over F263
    ▪ = (3,4) defines a subgroup of order 280
    ▪ = 66,233 = 2 ∙ (3,4) subgroup of order 140
    ▪ = 251,101 = 14 ∙ (3,4) subgroup of order 20

  41. y2=x3−7x+10 over F263
    20 (19 plus ∞) points subgroup
    generated by G=(251,101)

  42. Prime Order for Elliptic Curves Over Fp
    ▪ If the EC group order is a prime we have a cyclic group with
    no subgroups
    ▪ Any point is a generator: adding successively, all the points
    in the group are recovered

  43. y2=x3+6x+9 over F263
    ▪ Symmetric with respect
    to = Τ
    2 = 131.5
    ▪ 269 points: 268 affine
    points plus ∞
    ▪ Even number of affine
    points: = , 0 is not
    in the group
    ▪ Group order = 269 is
    prime: no subgroups

  44. Bitcoin Curve: Koblitz Curve secp256k1
    ▪ SEC: Standards for Efficient Cryptography
    ▪ p256: number of bits in the prime field

    is defined by
    p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
    p = 2^256 - 2^32 - 977
    p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
    ▪ The elliptic curve defined over
    is y2 = x3 + 7
    ▪ The generator point G =
    04
    79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
    483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
    ▪ The order of G is prime:
    n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
    SECG, SEC 2: Recommended Elliptic Curve Domain Parameters, http://www.secg.org/sec2-v2.pdf
    https://en.bitcoin.it/wiki/Secp256k1

  45. Homework
    ▪ y2 = x3 + 2x + 2 over F17
    − List all its points
    − It does not have subgroups, why?
    ▪ y2 = x3 + 4x + 20 over F29
    − List all its points
    − What is the order of the group with generator (8,10)?
    Check https://github.com/dginst/btclib/tests/ec.py
    and/or https://github.com/dginst/bbt/excel/EC*.xlsm


  47. Asymmetric Cryptography: Different Families
    private key → one-way function → public key
    Different key generation algorithms are based on their own
    distinguishing one-way function:
    ▪ Integer factorization (1977), based on the difficulty of factoring
    large integers (e.g. RSA)
    ▪ Discrete Logarithm (1976), based on the intractability of the
    discrete logarithm problem on finite cyclic groups (e.g. Diffie
    and Hellman)
    ▪ Elliptic Curve (1985), based on the difficulty of computing the
    generalized logarithm problem on an elliptic curve (e.g. Bitcoin)

  48. Elliptic Curve Public/private Key
    ▪ A Public Key is one point on the elliptic curve
    ▪ A private key is the number ∈ [1, − 1] of additive steps from
    the generator point to arrive at point
    =
    ▪ → easy (double and add)
    → hard (discrete logarithm problem)
    ▪ In multiplicative notation would be called secret exponent
    =
    https://en.wikipedia.org/wiki/Elliptic_curve_cryptography

  49. Number of Bitcoin Private Keys
    ▪ The order of elliptic curves can be determined in polynomial
    time
    ▪ secp256k1 has 115 792 089 237 316 195 423 570 985 008 687
    907 852 837 564 279 074 904 382 605 163 141 518 161 494
    336 ≈ 10⁷⁷ points (i.e. private/public key pairs)
    ▪ The observable universe contains 10⁸⁰ atoms
    ▪ Try to find keys with associated bitcoins at
    https://keys.lol/bitcoin
    Beware: better not to look for your keys…

  50. Break Elliptic Curve Cryptography
    The best known algorithms to break the EC discrete logarithm
    problem take steps proportional to 2 where is the number of
    bits of the key
    ▪ secp256k1 uses 256-bit keys: 2^128 steps are needed to break it
    ▪ An EC computation takes 1 million CPU cycles. A 3GHz CPU is
    able to process 2^11.55 EC computations per second
    ▪ A CPU can break the EC in 2^116.45 seconds, or about 2^91.54 years,
    i.e. about 3,599,861,590,422,752,583,114,293,248 years
    ▪ Throwing a million CPUs at the problem would reduce the time
    by a million, leaving it at 3,599,861,590,422,752,583,114
    years, roughly 260,859,535,537 times the age of the universe

  51. Key Size At Comparable Security Levels
    Security Levels (bits)
    Symmetric    80      128     192     256
    RSA / DH     1024    3072    7680    15360
    ECC          160     256     384     512

  52. Quantum Computing Resistance
    ▪ Hash functions and symmetric cryptography are resistant to
    quantum computing (key size doubling is enough). Asymmetric
    cryptography is not
    https://en.wikipedia.org/wiki/Grover%27s_algorithm
    https://en.wikipedia.org/wiki/Shor%27s_algorithm
    ▪ Real quantum computers are still distant in the future
    ▪ Quantum computing will impact the security of financial
    systems and nuclear weapons, not just bitcoin
    ▪ Quantum resistant cryptography is being developed
    https://en.wikipedia.org/wiki/Post-quantum_cryptography


  54. Digital Signature Protocol
    ▪ Public-key algorithm + digital signature scheme
    ▪ Message is only authenticated, not encrypted
    Source: Pedro Franco, “Understanding Bitcoin”, Wiley

  55. Digital Signature Scheme
    1. KeyGeneration(entropy) → {q, Q}
    Usually KeyGeneration(entropy) → q, as q→Q is easy
    2. Sign(msg, q) → signature
    3. Verify(msg, Q, signature) → True/False
    ▪ The signed message has not been altered (integrity)
    ▪ Only someone with the private key q can create a valid
    signature (authentication)
    ▪ The signer cannot deny the message signature (non-
    repudiation)
    ▪ Everyone can verify using the public key Q

  56. Signing the Message Digest
    ▪ Problem: signature generation/verification is quite slow:
    message length can be a problem
    ▪ Solution: sign the hash digest of the message
    ℎ = ℎℎ ,
    whose length is independent from the message’s size
    ▪ This can also provide message confidentiality
    ▪ If the message can take only a few values (e.g. {tail, head}), it can be
    concealed using secret salt :
    sign ℎ = ℎℎ || , later reveal both and

  57. Digital Signature Process
    Signature Generation: Message → Hash Function → Message Digest →
    Signature Generation (with Private Key) → Signature
    Signature Verification: Message → Hash Function → Message Digest →
    Signature Verification (with Signature and Public Key) → Valid/Invalid

  58. Digital Signature Algorithms
    ▪ RSA, the most widely used
    ▪ ElGamal signature. It has little use, being computationally
    intensive and producing large signatures
    ▪ Schnorr signature: simplest scheme, the best one. Signing and
    verification are computationally efficient, signature is small.
    Limited usage because of US Patent 4,995,082 which finally
    expired in 2008
    ▪ Digital Signature Algorithm (DSA), quicker and smaller than
    RSA, designed to circumvent the Schnorr patent


  60. EC DSA: Sign Message
    1. Choose a nonce as secret ephemeral key
    0 < <
    2. = (, ) =
    Point symmetry is usually resolved requiring
    to be odd, low, or quadratic residue; if not ← −.
    Bitcoin canonical 'low-s' encoding requires (step 5) to be low.
    3. = mod
    4. = ℎ mod = ℎℎ mod
    5. = + −1 mod
    If = 0 or = 0 (extremely unlikely), then restart with a different
    The signature is (, ).
    must be secret: else = − −1 mod

  61. EC DSA: Verify Signature
    Steps for the verification of (, ):
    1. = ℎ mod = ℎℎ mod
    2. = −1 mod
    3. = mod
    4. = mod
    5. , = +
    6. The signature is valid if = mod
    Roughly equivalent to:
    = +
    Unfortunately, −1 is unavoidable because cannot be recovered from = mod

  62. EC DSA: Correctness Proof
    =
    mod if = +
    1. = + from public key definition
    2. = +
    from signature verification [3] and [4]
    3. = +
    −1 from signature verification [2]
    4. = +
    +
    −1 from signature generation [5]
    5. =

  63. Ephemeral Key Used for Signing
    Reusing for different messages signed by the same
    = + −1 mod
    2
    = 2
    + −1 mod
    reveals both and :
    = Τ
    − 2
    − 2
    mod
    = − −1mod
    Sony PS3 hack: http://www.bbc.com/news/technology-12116051,
    Bitcoin Android Wallet 2013 hack: https://bitcoin.org/en/alert/2013-08-11-android
    Even slight biases in the generation of can reveal , after enough signatures
    must be a nonce, used only once per private key .
    Even better: avoid randomness at all and use instead a
    deterministic for each ℎ with salting (see RFC6979)
    = ℎℎ || mod
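The following Python puts slides 39 to 41 and slides 60 to 64 into running code; it is an added example, not btclib nor the deck's own code. It implements point addition and double-and-add for any (p, a, b) curve, counts the 280 points of y2=x3−7x+10 over F263 and the orders of the subgroups generated by (3,4), (66,233) and (251,101), then signs and verifies with ECDSA on secp256k1 using the deck's sketch of a deterministic nonce k = hash(q||h) mod n; key_from_reused_nonce is the two-equation recovery from the slide above, included to show why a repeated k has to be treated as a key compromise. SHA-256 as the hash, None for the infinity point, and all function names are the example's assumptions.

```python
import hashlib

# Curves y^2 = x^3 + a*x + b over F_p are (p, a, b) tuples; affine points are (x, y)
# tuples and None is the infinity point (the group neutral element).

def inv(x, n):
    return pow(x, n - 2, n)                      # Fermat: inverse modulo a prime n

def ec_add(P, Q, curve):
    p, a, _ = curve
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # P + (-P) = infinity; includes 2*(x, 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p    # doubling: tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p           # addition: chord slope
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mult(m, Q, curve):
    """Double-and-add over the bits of m, like the annex's iterative version."""
    R = None
    while m > 0:
        if m & 1:
            R = ec_add(R, Q, curve)
        m >>= 1
        Q = ec_add(Q, Q, curve)
    return R

def count_points(curve):
    """Group order (affine points plus infinity) by brute force; fine for p = 263."""
    p, a, b = curve
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            n += 1                               # a single root, y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:
            n += 2                               # Euler's criterion: rhs is a quadratic residue
    return n

def point_order(G, curve):
    """Smallest k with k*G = infinity, found by repeated addition."""
    k, R = 1, G
    while R is not None:
        R = ec_add(R, G, curve)
        k += 1
    return k

TOY = (263, -7, 10)                              # y^2 = x^3 - 7x + 10 over F_263 (deck example)

# secp256k1: p = 2^256 - 2^32 - 977, y^2 = x^3 + 7, generator G of prime order N.
P = 2**256 - 2**32 - 977
SECP256K1 = (P, 0, 7)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def digest(msg):
    """e = hash(msg) mod n; SHA-256 is this example's assumption, the deck just says hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def det_nonce(q, e):
    """k = hash(q || e) mod n: the deck's sketch of a deterministic nonce, not RFC 6979 itself."""
    data = q.to_bytes(32, "big") + e.to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(e, q, k):
    """ECDSA signing steps 2-5: r = (kG).x mod n, s = (e + r*q) / k mod n."""
    r = ec_mult(k, G, SECP256K1)[0] % N
    s = (e + r * q) * inv(k, N) % N
    if r == 0 or s == 0:
        raise ValueError("restart with a different k")
    return r, s

def verify(e, Q, sig):
    """ECDSA verification: (e/s)G + (r/s)Q must have x-coordinate r mod n."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv(s, N)
    R = ec_add(ec_mult(e * w % N, G, SECP256K1), ec_mult(r * w % N, Q, SECP256K1), SECP256K1)
    return R is not None and R[0] % N == r

def key_from_reused_nonce(r, e1, s1, e2, s2):
    """Two signatures sharing r (same k): k = (e1-e2)/(s1-s2), then q = (s1*k - e1)/r mod n."""
    k = (e1 - e2) * inv(s1 - s2, N) % N
    return (s1 * k - e1) * inv(r, N) % N
```

verify also accepts (r, n − s), which is the malleability of slide 64; the 'low-s' rule picks one of the two.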

  64. EC DSA: Signature Malleability
    If (, ) is a valid signature, i.e. = mod
    then also (, − ) is a valid signature
    − =
    =
    +
    bitcoin canonical 'low-s' encoding solves this issue

  65. EC DSA: Public Key Recovery
    From the signature verification step 3, two implied public keys can
    be recovered:
    /
    = −1 (, /
    ) −

  66. EC DSA: Signature Forgery Attack
    An attacker can generate a -valid signature for a random
    message digest ℎ computed from a random signature (, )
    1. Pick , at will
    2. = +
    3. =
    mod
    4. = −1 mod
    5. ℎ = =
    Anyway, the attacker cannot control the semantics of the preimage
    message : a signature is relevant only for its , not ℎ

  67. Homework
    ▪ Calculate the Public key(s) from this valid DSA signature:
    # message m1 and its DSA signature {r, s}
    msg = "Paolo is afraid of ephemeral random numbers"
    r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
    s = 0x894ab8b28fd3400784aba4305b14d5afa5c623a6679ba9683c5ac2799b6edc6e
    ▪ A second DSA signature is computed in error using the same
    ephemeral key. Calculate the private key:
    # another message m2 and its DSA signature {r, s2}
    msg2 = "and Paolo is right to be afraid"
    r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
    s2 = 0x6f721ed1e10c4d41f52f7b5e5c1ed3f5359892695ea8410ccbc0a04038c12756
    See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/dsa.py
    and/or https://colab.research.google.com/drive/1IxL0ecWxAI9lRXYdAXhDdg5BzsCW4MHd
    and/or see https://github.com/dginst/bbt/py-scripts/dsa_example.py (requires an installed btclib)

  68. Bibliography
    ▪ Christof Paar and Jan Pelzl, “Understanding Cryptography”, Springer,
    chapter 8, 9, 10
    ▪ Pedro Franco, “Understanding Bitcoin”, Wiley, chapter 5
    ▪ Andreas Antonopoulos, “Mastering Bitcoin” 2nd edition, O'Reilly,
    chapter 4 (https://github.com/bitcoinbook/bitcoinbook)
    ▪ A. Narayanan et al., “Bitcoin and Cryptocurrencies Technologies”,
    Princeton, chapter 1
    ▪ Standards for Efficient Cryptography (SEC), (http://www.secg.org/)
    − Elliptic Curve Cryptography, (http://www.secg.org/sec1-v2.pdf)
    − Recommended Elliptic Curve Domain Parameters
    (http://www.secg.org/sec2-v2.pdf)
    ▪ NIST, Digital Signature Standard,
    (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf)

  69. Takeaways
    ▪ Elliptic curve multiplication = is the one-way function
    converting private key → public key
    − One way is easy because of double and add
    − Reverse way is a hard discrete logarithm problem
    ▪ Digital signatures provide message integrity, authentication, and
    non-repudiation
    ▪ Bitcoin’s transactions are signed using DSA
    ▪ DSA is malleable, susceptible to signature forgery
    ▪ Schnorr is technically superior: it has not been used so far
    because of the patent
    ▪ Never reuse the ephemeral key in signatures

  70. Ferdinando M. Ametrano
    Paolo Mazzocchi
    www.github.com/dginst
    www.facebook.com/DigitalGoldInstitute
    www.twitter.com/DigitalGoldInst
    www.dgi.org/feed.xml
    www.dgi.io
    www.linkedin.com/company/digital-gold-institute
    "Scarcity in the Digital Realm"

  71. Annex
    1. EC Computations
    2. Schnorr

  72. Double and Add Algorithm
    # points are (x, y) tuples and (1, 0) stands for the infinity point;
    # add(P, Q) is the curve point addition, assumed to be defined elsewhere
    def mult(m, Q):
        if m == 0 or Q[1] == 0:  # m = 0, or Q is the infinity point in affine coordinates
            return 1, 0          # return the infinity point
        if m % 2 == 1:           # addition when m is odd
            return add(Q, mult(m - 1, Q))
        else:                    # doubling when m is even
            return mult(m//2, add(Q, Q))
    Easy… but recursive functions are not optimal…

  73. Double and Add Algorithm
    # points are (x, y) tuples and (1, 0) stands for the infinity point;
    # add(P, Q) is the curve point addition, assumed to be defined elsewhere
    def mult(m, Q):
        if m == 0 or Q[1] == 0:  # m = 0, or Q is the infinity point in affine coordinates
            return 1, 0          # return the infinity point
        R = 1, 0                 # initialize as infinity point
        while m > 0:             # use binary representation of m
            if m & 1:            # if least significant bit is 1
                R = add(R, Q)    # then add current Q
            m = m >> 1           # remove the bit just accounted for
            Q = add(Q, Q)        # double Q for next step
        return R


  75. Schnorr Identification Protocol
    ▪ A prover proves to a verifier the knowledge of the discrete
    logarithm of Q without revealing q
    ▪ Proof in zero knowledge: the verifier learns nothing about q
    from the proof (except the fact that the prover knows q)
    A Zero-Knowledge Proof (ZKP) requires 3 properties:
    1. Completeness: the proof convinces an honest verifier
    2. Zero-knowledgeness: the proof does not leak information, i.e.
    verifier can fake transcript
    3. Soundness: a proof can only be produced by a prover who
    knows the private key, i.e. the prover can fake knowledge only
    with negligible probability

  76. Zero Knowledge Proof of Discrete Logarithm
    Prover (knows q, Q = qG):
    ▪ Choose random k, compute K = kG and send K
    ▪ Receive the challenge c
    ▪ Compute the solution s = k-c*q and send s
    Verifier (knows Q):
    ▪ Receive K
    ▪ Choose random c (aka challenge) and send it
    ▪ Receive s (aka solution)
    ▪ Accept if K = sG+cQ
    Correctness: kG = K = sG+cQ = sG+cqG = (s+cq)G, i.e. k = s+cq

  77. Non-interactive Proof of Discrete Logarithm
    Schnorr Identification Protocol
    Prover (knows q, Q = qG):
    ▪ Choose random k, compute K = kG
    ▪ c = hash(K)
    ▪ s = k-c*q
    ▪ Send {K, s}
    Verifier (knows Q):
    ▪ Receive {K, s}; c = hash(K)
    ▪ Accept if K = sG+cQ
    Correctness: kG = K = sG+cQ = sG+cqG = (s+cq)G, i.e. k = s+cq

  78. Non-interactive Proof of Discrete Logarithm
    Schnorr Signature Algorithm
    Prover:
    ▪ Q = qG
    ▪ Choose random k; K = kG
    ▪ c = hash(K||msg)
    ▪ s = k-c*q
    ▪ send {K, s} to the verifier
    Verifier:
    ▪ c = hash(K||msg)
    ▪ check that K = sG+cQ
    Correctness: kG = K = sG+cQ = sG+cqG = (s+cq)G, i.e. k = s+cq

  79. Non-interactive Proof of Discrete Logarithm
    Schnorr Signature Algorithm
    Prover:
    ▪ Q = qG
    ▪ Choose random k; K = kG
    ▪ c = hash(Q||K||msg)
    ▪ s = k-c*q
    ▪ send {K, s} to the verifier
    Verifier:
    ▪ c = hash(Q||K||msg)
    ▪ check that K = sG+cQ
    Correctness: kG = K = sG+cQ = sG+cqG = (s+cq)G, i.e. k = s+cq

  80. EC Schnorr SA: Generation
    0. ℎ = ℎℎ()
    1. Choose a nonce as secret ephemeral key
    0 < <
    2. = (
    ,
    ) =
    Point symmetry is usually resolved requiring
    to be odd, low, or quadratic residue; if not ← −.
    In the bitcoin case
    must be a quadratic residue
    1. = ℎℎ
    ||||ℎ mod
    2. = − mod
    The Schnorr signature is (, ), encodable as
    , when the
    symmetry is somehow fixed.
    must be secret: else = − −1 mod

  81. EC Schnorr SA: Verification
    Steps for the verification of (
    , ):
    1. = ℎℎ
    ||||ℎ mod
    2. The signature is valid if − =

  82. EC Schnorr SA: Correctness Proof
    ▪ = −
    ▪ − = −
    ▪ − = −
    ▪ − = −

  83. Schnorr SA Properties
    ▪ If the discrete logarithm problem is hard, in the random oracle
    model there is a proof that Schnorr signatures cannot be forged
    ▪ Intuitively, a signature forgery attack is impossible because
    = ℎℎ
    ||||ℎ mod ,
    differently from DSA where = ℎ = ℎℎ mod
    ▪ There is no way to malleate the signature, as is fully specified
    (no y-coordinate ambiguity)
    ▪ Signature verification does not use modular inverse: fast
    ▪ Many {, ℎ, (
    , )} can be efficiently batch verified at once
    ▪ Signature verification is linear → additive signature: sum of
    signatures on the same ℎ is equivalent to single signature
    with sum of keys
    ▪ Easier multi-sig and threshold schemes

  84. Ephemeral Key Used for Signing
    For Schnorr too, reusing for different messages signed by the
    same reveals both and :
    1
    = − 1
    mod
    2
    = − 2
    mod
    = 1
    − 2
    2
    − 1
    −1 mod
    Even slight biases in the generation of can reveal , after enough signatures
    must be a nonce, used only once per private key .
    Even better: avoid randomness at all and use instead a
    deterministic for each ℎ with salting (see RFC6979)
    = ℎℎ ||ℎ mod

  85. Extra Homework
    Two Schnorr signatures are computed in error using the same
    ephemeral key. Calculate the private key:
    # 32-byte message h1 and its SSA signature {K.x, s1}
    h1 = 0x9788fd27b3aafd1bd1591a1158ce2d8bdc37ab4040dddb64e64d17616e69ce2b
    r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
    s1 = 0x69c2022c2e1170b9b1ce9d4ccb6271e579800aa4d955ecf7ea183fb620e48322
    # another 32-byte message h2 and its SSA signature {K.x, s2}
    h2 = 0x7adb91982ec03ef87efcae7f0199aefa231d8855e0bd03319460e58c0bd18049
    r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
    s2 = 0x52d9f94c2538ae4c2ee3fd23e34a3603d10652aef1f2ec5ee4327ec4ea532b6e
    See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/ssa.py
    and/or see https://github.com/dginst/bbt/py-scripts/ssa_example.py (requires an installed btclib)
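    As an added, runnable example (not code from these slides and not btclib's own), the following Python puts the pieces of slides 72 to 85 together on secp256k1: affine point addition, the recursive scalar multiplication of slide 72 next to the iterative double-and-add of slide 73, the Schnorr signature of slide 79 with c = hash(Q||K||msg), verification via K = sG+cQ, and the private-key recovery of slide 84 when one ephemeral key is reused for two messages. Its own choices, all assumptions rather than anything the slides fix: the infinity point is None instead of (1, 0), the hash is SHA-256 over 64-byte x||y point encodings, the signature keeps the full point K rather than K.x, and the default nonce is the simplified hash(q||msg) mod n of slide 84, not RFC 6979. The private key and messages are constructed sample values; the homework above needs btclib's exact hashing and encoding conventions, which this code does not reproduce.

```python
import hashlib

# secp256k1 domain parameters (standard public values, in 8-hex-digit groups)
p = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_FFFFFC2F
a, b = 0, 7
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
n = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
INF = None  # point at infinity: this example's choice instead of the slides' (1, 0)

def on_curve(P):
    return P is INF or (P[1] * P[1] - P[0] ** 3 - a * P[0] - b) % p == 0

def add(P, Q):
    """Affine addition on y^2 = x^3 + ax + b over F_p; handles doubling and inverses."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    if P[0] == Q[0]:
        if (P[1] + Q[1]) % p == 0:  # Q == -P (also P == Q with y == 0)
            return INF
        lam = (3 * P[0] * P[0] + a) * pow(2 * P[1], -1, p) % p  # tangent slope
    else:
        lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p  # chord slope
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def mult_recursive(m, Q):
    """Slide 72 style: halve m at each call (call depth grows with the bit length of m)."""
    if m == 0 or Q is INF:
        return INF
    if m == 1:
        return Q
    if m & 1:
        return add(Q, mult_recursive(m - 1, Q))
    return mult_recursive(m // 2, add(Q, Q))

def mult(m, Q):
    """Slide 73 style iterative double-and-add over the binary representation of m."""
    R = INF
    while m > 0:
        if m & 1:
            R = add(R, Q)
        m >>= 1
        Q = add(Q, Q)
    return R

def point_bytes(P):
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def challenge(Q, K, msg):
    """Slide 79 challenge c = hash(Q || K || msg) mod n: binds key, nonce point and message."""
    h = hashlib.sha256(point_bytes(Q) + point_bytes(K) + msg).digest()
    return int.from_bytes(h, "big") % n

def sign(q, msg, k=None):
    """Schnorr signature (K, s) with s = k - c*q mod n.  Without an explicit k the nonce is
    the slide 84 style hash(q || msg) mod n (a simplification, not RFC 6979 itself)."""
    Q = mult(q, G)
    if k is None:
        k = int.from_bytes(hashlib.sha256(q.to_bytes(32, "big") + msg).digest(), "big") % n
    if not 0 < k < n:
        raise ValueError("ephemeral key out of range")
    K = mult(k, G)
    return K, (k - challenge(Q, K, msg) * q) % n

def verify(Q, msg, sig):
    """Valid iff K = sG + cQ; no modular inverse is needed, unlike ECDSA."""
    K, s = sig
    if K is INF or not on_curve(K) or not 0 <= s < n:
        return False
    c = challenge(Q, K, msg)
    return add(mult(s, G), mult(c, Q)) == K

def recover_from_nonce_reuse(Q, msg1, sig1, msg2, sig2):
    """Two signatures with the same k leak q, since s1 - s2 = (c2 - c1) * q mod n."""
    (K1, s1), (K2, s2) = sig1, sig2
    if K1 != K2:
        raise ValueError("different K: the ephemeral key was not reused")
    c1, c2 = challenge(Q, K1, msg1), challenge(Q, K2, msg2)
    return (s1 - s2) * pow((c2 - c1) % n, -1, n) % n

if __name__ == "__main__":
    q = 0xC0FFEE_1234_5678  # constructed sample private key
    Q = mult(q, G)
    sig = sign(q, b"pay 1 BTC to Bob")
    print("valid:", verify(Q, b"pay 1 BTC to Bob", sig))
    s1 = sign(q, b"msg one", k=42)  # k reused on purpose to show the leak
    s2 = sign(q, b"msg two", k=42)
    print("recovered == q:", recover_from_nonce_reuse(Q, b"msg one", s1, b"msg two", s2) == q)
```

    Running the file signs one message, verifies it, then signs two different messages with the same k = 42 and recovers q from the pair, which is exactly the computation the homework asks for; with the default deterministic nonce the two signatures would have had different K and the recovery would refuse to run.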

  86. Bibliography
    ▪ BIP-Schnorr (Bitcoin Schnorr signature standardization)
    https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki