Slide 1

Bitcoin and Blockchain Technology
Elliptic Curve Digital Signature Algorithm
v2019.04.03
Comments, corrections, and questions: https://drive.google.com/open?id=1MZu_4zbI8khdYhbGJg9SwWkNA5x-Tb_W
© 2019 Digital Gold Institute

Slide 2

Table of Contents
1. Modular Arithmetic
2. Algebra of Sets: Finite Field
3. Elliptic Curves over Real Numbers
4. Elliptic Curve over Fp
5. Asymmetric Cryptography on Elliptic Curves
6. Digital Signature Protocol
7. Elliptic Curve Digital Signature Algorithm

Slide 3

Modular Arithmetic
Arithmetic for integers in which numbers "wrap around" upon reaching the modulo value.
Example:
▪ 9+4 = 1 mod 12
Figure: clock group, https://commons.wikimedia.org/wiki/File:Clock_group.svg

Slide 4

Congruence and Remainders
If 1 ≡ 1 mod and 2 ≡ 2 mod then
▪ 1 + 2 ≡ 1 + 2 (mod )
▪ 1 − 2 ≡ 1 − 2 (mod )
▪ 1 2 ≡ 1 2 (mod )
▪ mod b mod ≡ mod
▪ mod b mod mod = () mod


Slide 6

Group {F, +} (1/2)
A group is a set F together with a binary operator + (also known as group law) with the following properties:
▪ Closure: for all a and b in F, a+b is also in F; ∀, ∈ , + ∈
▪ Identity: there exists a unique neutral element 0 in F such that for every element a in F, 0+a=a+0=a; ∃! 0, ∈ | 0 + = + 0 = , ∀ ∈
▪ Invertibility: for each a in F there exists the inverse b in F, commonly denoted -a, such that a+b=b+a=0; ∀ ∈ , ∃ − | + (−) = (−) + = 0
▪ Associativity: for all a, b and c in F, (a+b)+c=a+(b+c); ∀, , ∈ , + + = + ( + )
The number of elements in a group is the group order

Slide 7

Additive or Multiplicative Notation

Notation                  Neutral Element   Inverse
Additive Notation         Zero              Opposite
Multiplicative Notation   Identity          Inverse

Slide 8

Group {F, +} (2/2)
▪ The set of all integer numbers under addition {ℤ, +} is an infinite order group
▪ The set of all integer numbers under multiplication {ℤ, ∙} is not a group (e.g. the multiplicative inverse of 2 is not an integer)
▪ Τ ℤ ℤ : { 0, − 1 , +}, i.e. the set of integer numbers 0, − 1 under addition modulo , is a group of order
− 0 is the neutral element (also called zero)
− The inverse of any element is − ,

Slide 9

Commutative Group {F, +}
A group {F, +} is commutative if for all a and b in F, a+b = b+a; ∀, ∈ , + = +
▪ The set of all integer numbers under addition {ℤ, +} is a commutative group
▪ For any modulo , Τ ℤ ℤ : { 0, − 1 , +} is a commutative group

Slide 10

Cyclic Group {F, +}
A group {F, +} is cyclic if there is a generator element: ∃ ∀ ∈ , ∃ = + ⋯ + ( )
▪ When the group order is prime, the group is cyclic: starting from any (non-zero) element and adding this element to itself successively, all elements of the set are recovered
▪ For any prime , Τ ℤ ℤ : { 0, − 1 , +} is a cyclic group; e.g. for = 7, { 0, 6 , +}:
− starting from 3 the cycle is 3+3 %7=6; 6+3 %7=2; 2+3 %7=5; 5+3 %7=1; 1+3 %7=4; 4+3 %7=0; 0+3 %7=3
− starting from 2 the cycle is 2+2 %7=4; 4+2 %7=6; 6+2 %7=1; 1+2 %7=3; 3+2 %7=5; 5+2 %7=0; 0+2 %7=2

Slide 11

Ring and Field {F, +, ∙}
▪ A ring is a commutative group with a second binary operator that is associative and has distributive properties making the two operators "compatible": ∀, , ∈ , + ∙ = ∙ + ∙
▪ A field is a ring such that the second operation, after throwing out the identity element of the first operation, satisfies all the commutative group properties
▪ Real numbers ℝ and rational numbers ℚ, with addition and multiplication, are fields of infinite order
▪ In a field you can add, subtract (i.e. add the additive opposite), multiply, and divide (i.e. multiply by the multiplicative inverse)

Slide 12

The Finite Field Fp = {[0, p−1], +, ∙}
▪ We already established that for any modulo , { 0, − 1 , +} is a commutative (cyclic) group
▪ For any prime number , { , − 1 , ∙} is also a commutative group
− 1 is the identity element
− For any element there exists its inverse , such that = 1. It is crucial here that is prime
= { 0, − 1 , +,∙} is a finite field

Slide 13

E.g.: The Finite Field F7
{[0, 6], +} is a commutative group
▪ 4+3 %7 = 0 → 3 is the opposite of 4
▪ Subtraction must be interpreted as addition of the opposite: 2-4 %7 = 2+3 %7 = 5; 2-4 %7 = -2 %7 = 5
{[1, 6], ∙} is a commutative group
▪ 4 ∙ 2 %7 = 1 → 2 is the inverse of 4
▪ Division must be interpreted as multiplication by the inverse: 5 ÷ 4 %7 = 5 ∙ 2 %7 = 3

Slide 14

Fermat's Little Theorem
When is prime, for each : −1 = 1
e.g. in ([1, 6], ∙) with = 3, 3^6 = 1:
3^2 %7 = 3*3 %7 = 2
3^3 %7 = 2*3 %7 = 6
3^4 %7 = 6*3 %7 = 4
3^5 %7 = 4*3 %7 = 5
3^6 %7 = 5*3 %7 = 1

Slide 15

Inverse Calculation
▪ So, it holds that the inverse of −1 = −1 ∙ 1 = −1 ∙ −1 = −2
▪ In Python: a_inv = pow(a, p-2, p)

Slide 16

Square root concept
E.g. in 7:
▪ 2*2 %7 = 4 → 2 is an (even) square root of 4
▪ 5*5 %7 = 4 → 5 is an (odd) square root of 4
▪ 5 = -2 %7 → the odd root is the analogue of the negative root for integers
▪ 2 + 5 = 7 → even root + odd root = p

Slide 17

The Finite Field F7

element   opposite   inverse   odd sqrt   even sqrt
0         0          #N/A      0          0
1         6          1         1          6
2         5          4         3          4
3         4          5         #N/A       #N/A
4         3          2         5          2
5         2          3         #N/A       #N/A
6         1          6         #N/A       #N/A

Slide 18

Homework
Calculate the table of opposites, inverses, and square roots for the finite fields 19 and 23.
Use mod_inv and mod_sqrt from github.com/dginst/btclib/numbertheory.py or Excel/VBA from github.com/dginst/bbt/excel/FiniteFields.xlsm


Slide 20

Elliptic Curves over Real Numbers
▪ A formal definition would require algebraic geometry
▪ Defined by the Weierstrass equation: = + + , , ∈ ℝ
▪ The curve is non-singular if: ∆= −16 43 + 272 ≠ 0

Slide 21

Elliptic Curve y^2 = x^3 − 7x + 10 (a = -7, b = 10)
± = ± 3 − 7 + 10
Negative y roots are in red, positive ones in blue
[Plot of the curve over the reals, x and y axes from -5 to 5]

Slide 22

Point Addition P+Q=R
Interactive demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html

Slide 23

Point Doubling Q+Q=R
Interactive demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/reals-add.html

Slide 24

Algebraic Formulae
Point Addition P+Q=R
▪ = − − 2 − −
▪ = − − − −
Point Doubling Q+Q=R
▪ = 3 2+ 2 2 − 2
▪ = 3 2+ 2 − − 2

Slide 25

Infinity Point (aka Group Identity or Neutral Element)
Adding two points with the same x-coordinate (the y-coordinates being the positive/negative roots of the same 3 + + ) "shoots" at the infinity point ∞
Doubling the point (x, 0) also shoots at ∞
∞ is the group neutral element:
▪ zero in additive notation
▪ identity in multiplicative notation
Figure: https://en.wikipedia.org/wiki/Elliptic_curve#/media/File:ECClines.svg

Slide 26

Opposite of Point Q
The infinity point provides the opposite formula: + = 0 → = −
= (, ) and − = (, − ) have the same coordinate. Therefore, their coordinates are the positive/negative roots of: ± = ± 3 + +
So − = − and − = , −
For every , in the group, , − is also in the group

Slide 27

Compressed Point Representation = ,
For every , given 2 = 3 + + , two roots are possible: ± = ± 3 + +
plus one single bit ෤ = 0/1 is enough to describe the point: = (, ෤ )

Slide 28

Elliptic Curve Commutative Group
▪ With the addition operation, the points of an elliptic curve (augmented with ∞) are a commutative group
▪ The ∞ point is the neutral element, implicitly defining the opposite concept
▪ Arbitrarily named addition: it is simply the group law, and it could have been called multiplication instead
− In multiplicative notation doubling would have been called squaring

Slide 29

Point Multiplication =
▪ Point multiplication = ( ∈ ℕ) is a convenient notation for the repeated application of addition = + ⋯ + ( )
▪ Elliptic curve multiplication is not a binary operation on the set of curve points: it does not combine two points!
▪ Addition is the only elliptic curve group binary operation

Slide 30

Double and Add Algorithm
m = 947 = 2^0 + 2^1 + 2^4 + 2^5 + 2^7 + 2^8 + 2^9 (9 doublings)
m = 947 = 1 + 2 + 16 + 32 + 128 + 256 + 512 (6 additions)
9 doublings for the powers of two and 6 additions: polynomial in the number of bits representing m.
Point multiplication 947 = + 2 + 16 + 32 + 128 + 256 + 512 (6 point additions)
9 doublings for the powers of two and 6 point additions: much better than 946 point additions!
https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication

Slide 31

Discrete Logarithm Problem (DLP): A One Way Function
For any ∈ ℕ, double&add provides an efficient computation of: =
To infer from {, } is computationally unfeasible
▪ In additive notation, it is easy to "multiply" = , but difficult to "divide" = Τ
▪ It is called logarithm problem because in multiplicative notation it would have been = , so =


Slide 33

Elliptic Curves Over Fp
For cryptographic use, we consider the curve not over ℝ, but over a finite field : 2 = 3 + + where 43 + 272 ≠ 0 , , , ∈

Slide 34

y^2 = x^3 − 7x + 10 over F263
Symmetric with respect to Τ 2 = 131.5
[Plot of the curve points over F263]

Slide 35

y^2 = x^3 − 7x + 10 over F263
▪ Geometric interpretation (line drawing) for the sum still holds
▪ Adding same-x points shoots at infinity
Interactive demo: https://cdn.rawgit.com/andreacorbellini/ecc/920b29a/interactive/modk-add.html

Slide 36

Opposite of Point Q
+ = 0 → = −
= (, ) and − = (, − ) have the same coordinate. Therefore, the coordinates are the modulo even/odd roots of: , = 3 + + ,
So − = − and − = (, − )
For every , in the group, , − is also in the group

Slide 37

SEC Compressed Point Representation = (, )
▪ Uncompressed = , representation is
For every , two roots are possible:
▪ Even root, compressed = , representation is
▪ Odd root, compressed = , representation is
e.g. for y^2 = x^3 − 7x + 10 over F263:
(118, 192): 118 192 or 118
(118, 71): 118 71 or 118
http://www.secg.org/sec1-v2.pdf

Slide 38

Breaking Opposite Point Symmetry
The symmetry between opposite points (same x-coordinate) can be resolved with alternative discrimination criteria for the y-coordinate:
1. odd / even
2. high / low
The product of two numbers is a quadratic residue, i.e. does have square roots, when either both or none of its factors are quadratic residues. For prime, = 3 mod 4, the number −1 is not a quadratic residue mod . As such, if −1 ∙ is a quadratic residue mod then is not, and vice versa. This provides the additional criterion:
3. (when = 3 mod 4) quadratic residue / not a quadratic residue

Slide 39

Hasse Theorem
Note that the EC group order = # and the finite field's prime are different numbers.
Hasse theorem shows that: + 1 − 2 ≤ ≤ + 1 + 2
e.g. for 263, = 263: 231 ≤ ≤ 296
y^2 = x^3 − 7x + 10 over F263
▪ 280 points: 279 affine points plus ∞
▪ Odd number of affine points: = , 0 must be in the group, = −, 2 = ∞

Slide 40

Elliptic Curves Over a Finite Field Fp
▪ The points on an elliptic curve over a finite field can have cyclic subgroups
▪ Starting from a point its associated cyclic subgroup can be explored
▪ If the subgroup has order , then = 0
e.g. y^2 = x^3 − 7x + 10 over F263
▪ = (3,4) defines a subgroup of order 280
▪ = 66,233 = 2 ∙ (3,4) subgroup of order 140
▪ = 251,101 = 14 ∙ (3,4) subgroup of order 20

Slide 41

y^2 = x^3 − 7x + 10 over F263
[Plot, axes 0 to 250]: 20 (19 plus ∞) points subgroup generated by G=(251,101)

Slide 42

Prime Order for Elliptic Curves Over Fp
▪ If the EC group order is a prime we have a cyclic group with no subgroups
▪ Any point is a generator: adding successively, all the points in the group are recovered

Slide 43

y^2 = x^3 + 6x + 9 over F263
▪ Symmetric with respect to Τ 2 = 131.5
▪ 269 points: 268 affine points plus ∞
▪ Even number of affine points: = , 0 is not in the group
▪ Group order = 269 is prime: no subgroups
[Plot of the curve points over F263, axes 0 to 300]

Slide 44

Bitcoin Curve: Koblitz Curve secp256k1
▪ SEC: Standards for Efficient Cryptography
▪ p256: number of bits in the prime field
▪ The field is defined by
p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
p = 2^256 - 2^32 - 977
p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
▪ The elliptic curve defined over is 2 = 3 + 7
▪ The generation point
G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8
▪ The order of G is prime:
n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
SECG, SEC 2: Recommended Elliptic Curve Domain Parameters, http://www.secg.org/sec2-v2.pdf
https://en.bitcoin.it/wiki/Secp256k1

Slide 45

Homework
▪ 2 = 3 + 2 + 2 over 17
− List all its points
− It does not have subgroups, why?
▪ 2 = 3 + 4 + 20 over 29
− List all its points
− What is the order of the group with generator (8,10)?
Check https://github.com/dginst/btclib/tests/ec.py and/or https://github.com/dginst/bbt/excel/EC*.xlsm


Slide 47

Asymmetric Cryptography: Different Families
private key → one-way function → public key
Different key generation algorithms are based on their own distinguishing one-way function:
▪ Integer factorization (1977), based on the difficulty of factoring large integers (e.g. RSA)
▪ Discrete Logarithm (1976), based on the intractability of the discrete logarithm problem on finite cyclic groups (e.g. Diffie and Hellman)
▪ Elliptic Curve (1985), based on the difficulty of computing the generalized logarithm problem on an elliptic curve (e.g. Bitcoin)

Slide 48

Elliptic Curve Public/private Key
▪ A Public Key is one point on the elliptic curve
▪ A private key is the number ∈ [1, − 1] of additive steps from the generator point to arrive at point =
▪ → easy (double and add); → hard (discrete logarithm problem)
▪ In multiplicative notation would be called secret exponent =
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography

Slide 49

Number of Bitcoin Private Keys
▪ The order of elliptic curves can be determined in polynomial time
▪ secp256k1 has 115 792 089 237 316 195 423 570 985 008 687 907 852 837 564 279 074 904 382 605 163 141 518 161 494 336 ≈ 10⁷⁷ points (i.e. private/public key pairs)
▪ The observable universe contains 10⁸⁰ atoms
▪ Try to find keys with associated bitcoins at https://keys.lol/bitcoin
Beware: better not to look for your keys…

Slide 50

Break Elliptic Curve Cryptography
The best known algorithms to break the EC discrete logarithm problem take steps proportional to 2 where is the number of bits of the key
▪ secp256k1 uses 256bit keys: 2^128 steps are needed to break it
▪ An EC computation takes 1 million CPU cycles. A 3GHz CPU is able to process 2^11.55 EC computations per second
▪ A CPU can break the EC in 2^116.45 seconds, or about 2^91.54 years, i.e. about 3,599,861,590,422,752,583,114,293,248 years
▪ Throwing a million CPUs at the problem would reduce the time by a million, leaving it at 3,599,861,590,422,752,583,114 years, roughly 260,859,535,537 times the age of the universe

Slide 51

Key Size At Comparable Security Levels

Security Level (bits)   80     128    192    256
Symmetric               80     128    192    256
RSA / DH                1024   3072   7680   15360
ECC                     160    256    384    512

Slide 52

Quantum Computing Resistance
▪ Hash functions and symmetric cryptography are resistant to quantum computing (key size doubling is enough). Asymmetric cryptography is not
https://en.wikipedia.org/wiki/Grover%27s_algorithm
https://en.wikipedia.org/wiki/Shor%27s_algorithm
▪ Real quantum computers are still distant in the future
▪ Quantum computing will impact the security of financial systems and nuclear weapons, not just bitcoin
▪ Quantum resistant cryptography is being developed
https://en.wikipedia.org/wiki/Post-quantum_cryptography


Slide 54

Digital Signature Protocol
▪ Public-key algorithm + digital signature scheme
▪ Message is only authenticated, not encrypted
Source: Pedro Franco, "Understanding Bitcoin", Wiley

Slide 55

Digital Signature Scheme
1. KeyGeneration(entropy) → {q, Q}; usually KeyGeneration(entropy) → q, as q→Q is easy
2. Sign(msg, q) → signature
3. Verify(msg, Q, signature) → True/False
▪ The signed message has not been altered (integrity)
▪ Only someone with the private key q can create a valid signature (authentication)
▪ The signer cannot deny the message signature (non-repudiation)
▪ Everyone can verify using the public key Q

Slide 56

Signing the Message Digest
▪ Problem: signature generation/verification is quite slow: message length can be a problem
▪ Solution: sign the hash digest of the message ℎ = ℎℎ , whose length is independent of the message's size
▪ This can also provide message confidentiality
▪ If the message can take only a few values (e.g. {tail, head}), it can be concealed using a secret salt : sign ℎ = ℎℎ || , later reveal both and

Slide 57

Digital Signature Process
[Diagram]
Signature Generation: Message → Hash Function → Message Digest → Signature Generation (with Private Key) → Signature
Signature Verification: Message → Hash Function → Message Digest → Signature Verification (with Public Key and Signature) → Valid/Invalid

Slide 58

Digital Signature Algorithms
▪ RSA, the most widely used
▪ ElGamal signature. It has little use, being computationally intensive and having large signatures
▪ Schnorr signature: the simplest scheme, the best one. Signing and verification are computationally efficient, the signature is small. Limited usage because of US Patent 4,995,082, which finally expired in 2008
▪ Digital Signature Algorithm (DSA), quicker and smaller than RSA, designed to circumvent the Schnorr patent


Slide 60

EC DSA: Sign Message
1. Choose a nonce as secret ephemeral key 0 < <
2. = ( , ) =
Point symmetry is usually resolved requiring to be odd, low, or quadratic residue; if not ← −. Bitcoin canonical 'low-s' encoding requires (step 3) to be low.
1. = mod
2. = ℎ mod = ℎℎ mod
3. = + −1 mod
If = 0 or = 0 (extremely unlikely), then restart with a different
The signature is (, ).
must be secret: else = − −1 mod

Slide 61

EC DSA: Verify Signature
Steps for the verification of (, ):
1. = ℎ mod = ℎℎ mod
2. = −1 mod
3. = mod
4. = mod
5. , = +
6. The signature is valid if = mod
Roughly equivalent to: = +
Unfortunately, −1 is unavoidable because cannot be recovered from = mod

Slide 62

EC DSA: Correctness Proof
= mod if = +
1. = + from public key definition
2. = + from signature verification [3] and [4]
3. = + −1 from signature verification [2]
4. = + + −1 from signature generation [5]
5. =

Slide 63

Ephemeral Key Used for Signing
Reusing for different messages signed by the same
= + −1 mod
2 = 2 + −1 mod
reveals both and :
= Τ − 2 − 2 mod
= − −1 mod
Sony PS3 hack: http://www.bbc.com/news/technology-12116051
Bitcoin Android Wallet 2013 hack: https://bitcoin.org/en/alert/2013-08-11-android
Even slight biases in the generation of can reveal , after enough signatures
must be a nonce, used only once per private key . Even better: avoid randomness at all and use instead a deterministic for each ℎ with salting (see RFC6979): = ℎℎ || mod

Slide 64

EC DSA: Signature Malleability
If (, ) is a valid signature, i.e. = mod
then also (, − ) is a valid signature: − = = +
bitcoin canonical 'low-s' encoding solves this issue

Slide 65

EC DSA: Public Key Recovery
From the signature verification step 3, two implied public keys can be recovered:
/ = −1 (, / ) −

Slide 66

EC DSA: Signature Forgery Attack
An attacker can generate a -valid signature for a random message digest ℎ computed from a random signature (, )
1. Pick , at will
2. = +
3. = mod
4. = −1 mod
5. ℎ = =
Anyway, the attacker cannot control the semantics of the preimage message : a signature is relevant only for its , not ℎ

Slide 67

Homework
▪ Calculate the Public key(s) from this valid DSA signature:
# message m1 and its DSA signature {r, s}
msg = "Paolo is afraid of ephemeral random numbers"
r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
s = 0x894ab8b28fd3400784aba4305b14d5afa5c623a6679ba9683c5ac2799b6edc6e
▪ A second DSA signature is computed in error using the same ephemeral key. Calculate the private key:
# another message m2 and its DSA signature {r, s2}
msg2 = "and Paolo is right to be afraid"
r = 0xb94483fc4da2d9dd5de1b0999c38ac364c9d60bafe7c5151dade0c1b78cfcbf3
s2 = 0x6f721ed1e10c4d41f52f7b5e5c1ed3f5359892695ea8410ccbc0a04038c12756
See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/dsa.py and/or https://colab.research.google.com/drive/1IxL0ecWxAI9lRXYdAXhDdg5BzsCW4MHd and/or see https://github.com/dginst/bbt/py-scripts/dsa_example.py (requires an installed btclib)

Slide 68

Bibliography
▪ Christof Paar and Jan Pelzl, "Understanding Cryptography", Springer, chapters 8, 9, 10
▪ Pedro Franco, "Understanding Bitcoin", Wiley, chapter 5
▪ Andreas Antonopoulos, "Mastering Bitcoin", 2nd edition, O'Reilly, chapter 4 (https://github.com/bitcoinbook/bitcoinbook)
▪ A. Narayanan et al., "Bitcoin and Cryptocurrencies Technologies", Princeton, chapter 1
▪ Standards for Efficient Cryptography (SEC), http://www.secg.org/
− Elliptic Curve Cryptography, http://www.secg.org/sec1-v2.pdf
− Recommended Elliptic Curve Domain Parameters, http://www.secg.org/sec2-v2.pdf
▪ NIST, Digital Signature Standard, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf

Slide 69

Takeaways
▪ Elliptic curve multiplication = is the one-way function converting private key → public key
− One way is easy because of double and add
− The reverse way is a hard discrete logarithm problem
▪ Digital signatures provide message integrity, authentication, and non-repudiation
▪ Bitcoin's transactions are signed using DSA
▪ DSA is malleable and susceptible to signature forgery
▪ Schnorr is technically superior: it has not been used so far because of the patent
▪ Never reuse the ephemeral key in signatures

Slide 70

Ferdinando M. Ametrano [email protected]
Paolo Mazzocchi [email protected]
www.github.com/dginst
www.facebook.com/DigitalGoldInstitute
www.twitter.com/DigitalGoldInst
www.dgi.org/feed.xml
[email protected]
www.dgi.io
www.linkedin.com/company/digital-gold-institute
"Scarcity in the Digital Realm"

Slide 71

Annex
1. EC Computations
2. Schnorr

Slide 72

Double and Add Algorithm

```python
def mult(m, Q):
    # add() is the curve group law; (1, 0) is the infinity point in affine coordinates
    if m == 0 or Q.y == 0:          # Infinity point in affine coordinates
        return 1, 0                 # return Infinity point
    if m % 2 == 1:                  # addition when m is odd
        return add(Q, mult(m - 1, Q))
    else:                           # doubling when m is even
        return mult(m//2, add(Q, Q))
```

Easy… but recursive functions are not optimal…

Slide 73

Double and Add Algorithm

```python
def mult(m, Q):
    # add() is the curve group law; (1, 0) is the infinity point in affine coordinates
    if m == 0 or Q.y == 0:          # Infinity point in affine coordinates
        return 1, 0                 # return Infinity point
    R = 1, 0                        # initialize as infinity point
    while m > 0:                    # use binary representation of m
        if m & 1:                   # if least significant bit is 1
            R = add(R, Q)           # then add current Q
        m = m >> 1                  # remove the bit just accounted for
        Q = add(Q, Q)               # double Q for next step
    return R
```


Slide 75

Schnorr Identification Protocol
▪ A prover proves to a verifier the knowledge of the discrete logarithm of Q without revealing q
▪ Proof in zero knowledge: the verifier learns nothing about q from the proof (except the fact that the prover knows q)
A Zero-Knowledge Proof (ZKP) requires 3 properties:
1. Completeness: the proof convinces an honest verifier
2. Zero-knowledgeness: the proof does not leak information, i.e. the verifier can fake a transcript
3. Soundness: a proof can only be produced by a prover who knows the private key, i.e. the prover can fake knowledge only with negligible probability

Slide 76

Zero Knowledge Proof of Discrete Logarithm

Prover                          Verifier
▪ Q = qG
▪ Choose random k<|G|
▪ kG = K             → K →
                                ▪ Choose random c<|H|
                     ← c (aka challenge) ←
▪ s = k-c*q          → s (aka solution) →
                                ▪ K = sG+cQ

kG = K = sG+cQ = sG+cqG = (s+cq)G
kG = (s+cq)G
k = s+cq

Slide 77

Non-interactive Proof of Discrete Logarithm: Schnorr Identification Protocol

Prover                          Verifier
▪ Q = qG
▪ Choose random k<|G|
▪ kG = K
▪ c = hash(K)
▪ s = k-c*q          → {K, s} →
                                ▪ c = hash(K)
                                ▪ K = sG+cQ

kG = K = sG+cQ = sG+cqG = (s+cq)G
kG = (s+cq)G
k = s+cq

Slide 78

Non-interactive Proof of Discrete Logarithm: Schnorr Signature Algorithm

Prover                          Verifier
▪ Q = qG
▪ Choose random k<|G|
▪ kG = K
▪ c = hash(K||msg)
▪ s = k-c*q          → {K, s} →
                                ▪ c = hash(K||msg)
                                ▪ K = sG+cQ

kG = K = sG+cQ = sG+cqG = (s+cq)G
kG = (s+cq)G
k = s+cq

Slide 79

Non-interactive Proof of Discrete Logarithm: Schnorr Signature Algorithm

Prover                          Verifier
▪ Q = qG
▪ Choose random k<|G|
▪ kG = K
▪ c = hash(Q||K||msg)
▪ s = k-c*q          → {K, s} →
                                ▪ c = hash(Q||K||msg)
                                ▪ K = sG+cQ

kG = K = sG+cQ = sG+cqG = (s+cq)G
kG = (s+cq)G
k = s+cq

Slide 80

EC Schnorr SA: Generation
0. ℎ = ℎℎ()
1. Choose a nonce as secret ephemeral key 0 < <
2. = ( , ) =
Point symmetry is usually resolved requiring to be odd, low, or quadratic residue; if not ← −. In the bitcoin case must be a quadratic residue
1. = ℎℎ ||||ℎ mod
2. = − mod
The ℎ signature is (, ), encodable as , when the symmetry is somehow fixed.
must be secret: else = − −1 mod

Slide 81

EC Schnorr SA: Verification
Steps for the verification of ( , ):
1. = ℎℎ ||||ℎ mod
2. The signature is valid if − =

Slide 82

EC Schnorr SA: Correctness Proof
▪ = −
▪ − = −
▪ − = −
▪ − = −

Slide 83

Schnorr SA Properties
▪ If the discrete logarithm problem is hard, in the random oracle model there is a proof that the Schnorr signature cannot be forged
▪ Intuitively, the signature forgery attack is impossible because = ℎℎ ||||ℎ mod , differently from DSA where = ℎ = ℎℎ mod
▪ There is no way to malleate the signature, as is fully specified (no y-coordinate ambiguity)
▪ Signature verification does not use the modular inverse: fast
▪ Many {, ℎ, ( , )} can be efficiently batch verified at once
▪ Signature verification is linear → additive signature: the sum of signatures on the same ℎ is equivalent to a single signature with the sum of keys
▪ Easier multi-sig and threshold schemes

Slide 84

Ephemeral Key Used for Signing
For Schnorr too, reusing for different messages signed by the same reveals both and :
1 = − 1 mod
2 = − 2 mod
= 1 − 2 2 − 1 −1 mod
Even slight biases in the generation of can reveal , after enough signatures
must be a nonce, used only once per private key . Even better: avoid randomness at all and use instead a deterministic for each ℎ with salting (see RFC6979): = ℎℎ ||ℎ mod
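The following added example (independent code, not btclib and not the deck's own scripts) ties together the elliptic-curve material of the main deck and of this annex on the two toy curves the slides use: curve arithmetic over F263 with the subgroup orders of the "Elliptic Curves Over a Finite Field Fp" slide, ECDSA signing and verification with the bitcoin low-s normalisation and the (r, n-s) malleability, Schnorr signing and verification with K.y forced to be a quadratic residue, and the private-key recovery that both schemes suffer when an ephemeral key is reused. Assumptions made here: SHA-256 as the Schnorr hash with a 2-byte big-endian serialisation of each field, constructed digests 17 and 42 (already reduced mod n), private key 123 and nonce 7; the digests stand in for hash(msg) mod n, which the slides leave to the implementer.

```python
import hashlib
# Both toy curves are the ones on the slides (teaching parameters, not secp256k1):
# C1: y^2 = x^3 - 7x + 10 over F_263, 280 points, for the subgroup checks of slide 40
# C2: y^2 = x^3 + 6x + 9  over F_263, prime order n = 269, for the signature schemes
def inv(x, m):
    """Modular inverse by Fermat's little theorem, as on the "Inverse Calculation" slide."""
    return pow(x % m, m - 2, m)
class Curve:
    def __init__(self, p, a, b, n):
        self.p, self.a, self.b, self.n = p, a, b, n
    def on_curve(self, pt):
        x, y = pt
        return (y * y - x ** 3 - self.a * x - self.b) % self.p == 0
    def add(self, p1, p2):
        """Group law in affine coordinates; None stands for the infinity point."""
        if p1 is None: return p2
        if p2 is None: return p1
        (x1, y1), (x2, y2) = p1, p2
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                                   # P + (-P) shoots at infinity
        if p1 == p2:                                      # doubling: tangent slope
            lam = (3 * x1 * x1 + self.a) * inv(2 * y1, self.p) % self.p
        else:                                             # addition: chord slope
            lam = (y2 - y1) * inv(x2 - x1, self.p) % self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return x3, (lam * (x1 - x3) - y1) % self.p
    def mult(self, m, q):
        """Double-and-add (the annex algorithm), m >= 0."""
        r = None
        while m:
            if m & 1: r = self.add(r, q)
            q, m = self.add(q, q), m >> 1
        return r
    def order_of(self, g):
        """Order of the cyclic subgroup generated by g: step until infinity."""
        k, r = 1, g
        while r is not None:
            r, k = self.add(r, g), k + 1
        return k
    def count_points(self):
        """Affine points plus infinity, by brute force (fine for p = 263)."""
        return 1 + sum(self.on_curve((x, y)) for x in range(self.p) for y in range(self.p))
C1 = Curve(263, -7, 10, 280)
C2, G2 = Curve(263, 6, 9, 269), (0, 3)       # (0, 3) is on C2 and generates it (269 is prime)

# --- ECDSA on C2 (slides 60-64); digests h are integers already reduced mod n ---
def ecdsa_sign(q, h, k, c=C2, G=G2):
    r = c.mult(k, G)[0] % c.n
    s = (h + r * q) * inv(k, c.n) % c.n
    if r == 0 or s == 0: return None                     # slide 60: restart with another k
    return r, s
def low_s(sig, c=C2):
    """Bitcoin's canonical encoding: (r, n-s) verifies too, so force s <= n/2."""
    return sig[0], (c.n - sig[1] if sig[1] > c.n // 2 else sig[1])
def ecdsa_verify(Q, h, sig, c=C2, G=G2):
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n): return False
    w = inv(s, c.n)                                      # the unavoidable s^-1
    R = c.add(c.mult(h * w % c.n, G), c.mult(r * w % c.n, Q))
    return R is not None and R[0] % c.n == r
def ecdsa_key_from_reused_nonce(h1, s1, h2, s2, r, c=C2):
    """Same k in two raw signatures: k = (h1-h2)/(s1-s2), then q = (s1*k - h1)/r."""
    k = (h1 - h2) * inv(s1 - s2, c.n) % c.n
    return (s1 * k - h1) * inv(r, c.n) % c.n

# --- Schnorr on C2 (slides 80-84): K.y forced to be a quadratic residue, sig = (K.x, s) ---
def schnorr_challenge(kx, Q, h, c=C2):
    """c = hash(K.x || Q || h) mod n; the 2-byte field serialisation is this example's choice."""
    data = b"".join(v.to_bytes(2, "big") for v in (kx, Q[0], Q[1], h))
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % c.n
def schnorr_sign(q, h, k, c=C2, G=G2):
    K = c.mult(k, G)
    if pow(K[1], (c.p - 1) // 2, c.p) != 1:              # Euler criterion fails: use -K and n-k
        k, K = c.n - k, (K[0], -K[1] % c.p)
    e = schnorr_challenge(K[0], c.mult(q, G), h)
    return K[0], (k - e * q) % c.n
def schnorr_verify(Q, h, sig, c=C2, G=G2):
    r, s = sig
    rhs = (r ** 3 + c.a * r + c.b) % c.p
    y = pow(rhs, (c.p + 1) // 4, c.p)                    # the QR square root (p = 3 mod 4)
    if not (0 < r < c.p and 0 <= s < c.n) or y * y % c.p != rhs: return False
    e = schnorr_challenge(r, Q, h)
    return c.add(c.mult(s, G), c.mult(e, Q)) == (r, y)   # K = sG + cQ, no inverse needed
def schnorr_key_from_reused_nonce(h1, s1, h2, s2, r, Q, c=C2):
    """s1 = k - e1*q and s2 = k - e2*q give q = (s1 - s2)/(e2 - e1)."""
    e1, e2 = schnorr_challenge(r, Q, h1), schnorr_challenge(r, Q, h2)
    return (s1 - s2) * inv(e2 - e1, c.n) % c.n
def nonce_reuse_demo(q=123, h1=17, h2=42, k=7):
    """Sign two constructed digests with one k and recover q in both schemes."""
    Q = C2.mult(q, G2)
    k = next(k for k in range(k, C2.n) if ecdsa_sign(q, h1, k) and ecdsa_sign(q, h2, k))
    d1, d2 = ecdsa_sign(q, h1, k), ecdsa_sign(q, h2, k)
    s1, s2 = schnorr_sign(q, h1, k), schnorr_sign(q, h2, k)
    return {"ecdsa_valid": ecdsa_verify(Q, h1, d1) and ecdsa_verify(Q, h1, low_s(d1)),
            "ecdsa_malleated_valid": ecdsa_verify(Q, h1, (d1[0], C2.n - d1[1])),
            "ecdsa_recovered": ecdsa_key_from_reused_nonce(h1, d1[1], h2, d2[1], d1[0]),
            "schnorr_valid": schnorr_verify(Q, h1, s1),
            "schnorr_recovered": schnorr_key_from_reused_nonce(h1, s1[1], h2, s2[1], s1[0], Q)}
```

C1.mult(2, (3, 4)) returns (66, 233) and C1.order_of((3, 4)) returns 280, matching the subgroup slide; nonce_reuse_demo() returns a dict in which both recovered keys equal 123 and the malleated ECDSA signature (r, n-s) still verifies, which is exactly why bitcoin fixes low-s and why the ephemeral key must never repeat. The Schnorr verifier reconstructs K from r alone because the signer forced K.y to be the quadratic-residue root, so no y-coordinate ambiguity remains.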

Slide 85

Extra Homework
Two Schnorr signatures are computed in error using the same ephemeral key. Calculate the private key:
# 32-bytes message h1 and its SSA signature {K.x, s1}
h1 = 0x9788fd27b3aafd1bd1591a1158ce2d8bdc37ab4040dddb64e64d17616e69ce2b
r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
s1 = 0x69c2022c2e1170b9b1ce9d4ccb6271e579800aa4d955ecf7ea183fb620e48322
# another 32-bytes message h2 and its SSA signature {K.x, s2}
h2 = 0x7adb91982ec03ef87efcae7f0199aefa231d8855e0bd03319460e58c0bd18049
r = 0x968cc26ddaeadb4a7c573a9f391cf78b955816b0b86a6700ae19a8ae19dc31cf
s2 = 0x52d9f94c2538ae4c2ee3fd23e34a3603d10652aef1f2ec5ee4327ec4ea532b6e
See https://github.com/dginst/btclib/ec.py and https://github.com/dginst/btclib/ssa.py and/or see https://github.com/dginst/bbt/py-scripts/ssa_example.py (requires an installed btclib)

Slide 86

Bibliography
▪ BIP-Schnorr (Bitcoin Schnorr signature standardization) https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki