Upgrade to Pro — share decks privately, control downloads, hide ads and more …

MuSig

 MuSig

論文紹介
「Simple Schnorr Multi-Signatures with Applications to Bitcoin

Avatar for Takaya Imai

Takaya Imai

March 12, 2018
Tweet

More Decks by Takaya Imai

Other Decks in Technology

Transcript

  1. MuSig — Simple Schnorr Multi-Signatures with Applications to Bitcoin —

    ʲ҉߸௨՟ྠಡձ#16ʳMuSig @ 01Booster 2018/3/12 ϑϩϯςΟΞύʔτφʔζ߹ಉձࣾ ૑ۀऀ&୅දCEO United Bitcoiners Inc. ڞಉ૑ۀऀ&औక໾CTO ࠓҪਸ໵
  2. ࠓճͷ࿦จ Title: Simple Schnorr Multi-Signatures with Applications to Bitcoin Author:

    Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille Article: https://eprint.iacr.org/2018/068.pdf Published: January 2018
  3. ͜ͷ࿦จͷํ਑ [࿦จͷAbstract͔Β] ৽͍͠γϡϊΞ(Schnorr)ϕʔεͷϚϧνγάωνϟεΩʔϜʢ͢ͳΘͪɺॺ໊ऀͷάϧʔϓ͕ڞ௨ͷϝοηʔδʹ୹ ͍ॺ໊Λੜ੒͢Δ͜ͱΛՄೳʹ͢ΔϓϩτίϧʣΛઆ໌͓ͯ͠Γɺ؆ૉެ։伴(plain public-key)ϞσϧͷதͰূ໌Մೳ ͳ҆શੑΛ࣋ͭ΋ͷͰ͢ɻ ϓϨΠϯެ։伴Ϟσϧͱ͸ɺॺ໊ऀʹ͸ެ։伴Λ࣋ͭ͜ͱͷΈ͕ཁٻ͞Εɺϓϩτίϧʹै͏લʹɺެ։伴ʹରԠ ͢Δൿີ伴ͷ஌ࣝΛূ໌ػؔ·ͨ͸ଞͷॺ໊ऀʹ஌ΒͤΔඞཁ͕ͳ͍͜ͱΛҙຯ͠·͢ɻ ຊ࿦จ͸ɺҎԼ2ͭͷ఺ͰBellare and

    NevenʢACM-CCS 2006ʣ͓Αͼͦͷมछ BagarezandiΒʢACM-CCS 2008ʣ· ͨ͸MaΒʢDes. Codes Cryptogr. 2010ʣͷ࠷ઌ୺εΩʔϜΑΓ΋վળ͞Ε͍ͯ·͢ɻ ʢiʣBellare-NevenํࣜͷΑ͏ʹ3ճͰ͸ͳ͘ɺඪ४తͳγϡϊΞॺ໊ͱಉ͡伴ͱॺ໊αΠζͰ2ճͷ௨৴Λߦ͏͚ͩ ͰɺγϯϓϧͰޮ཰తͰ͢ɻ ʢiiʣ伴ू໿(ΩʔΞάϦήʔγϣϯɺkey aggregation)ΛՄೳʹ͠·͢ɻ͜Ε͸ɺॺ໊ऀͷݸʑͷެ։伴͔Βܭࢉ͢Δ ͜ͱ͕Ͱ͖Δ୯Ұͷʮू໿ʯެ։伴(aggregated public-key)ʹؔͯ͠ɺ߹ಉॺ໊(joint signature)͕ඪ४ͷγϡϊΞॺ໊ͱ ਖ਼֬ʹর߹Ͱ͖Δ͜ͱΛҙຯ͠·͢ɻ ͜Ε͸ɺඪ४తͳ཭ࢄର਺໰୊ΑΓڧ͍҆શੑԾఆΛ՝͢ϫϯϞΞ཭ࢄର਺໰୊(One More Discrete Logarithm, OMDL)Λલఏͱ͠ɺ෼྾ิ୊(ϑΥʔΩϯάϨϯϚɺForking Lemma, Spliting Lemma)ͷ2ճͷݺͼग़͠ʹΑΔΑΓ؇΍ ͔ͳηΩϡϦςΟ௿ԼΛ΋ͬͯߦΘΕ·͢ɻ Ԡ༻ͱͯ͠ɺ৽͍͠ϚϧνγάωνϟεΩʔϜ͕ϏοτίΠϯͷύϑΥʔϚϯεͱϢʔβʔͷϓϥΠόγʔͷ྆ํΛ ͲͷΑ͏ʹվળͰ͖Δ͔Λઆ໌͠·͢ɻ
  4. BitcoinͷεέʔϦϯά໰୊ w 5SBOTBDUJPOTJOPOFCMPDLJTGVMM w .#QFSCMPDL w *ODSFBTFPG#JUDPJOCMPDLDIBJOEBUBTJ[F w )JHI59GFF w

    FYTBUPTIJCZUF w d59QFSTFDPOE w NJOCMPDLUJNF w .CZUFTCZUFTNJOTFDPOE59QFSTFDPOE w 5IJTCMPDLUJNFJTOFDFTTBSZGPSTUBCMF#JUDPJOCMPDLDIBJOBOEJTFOPVHIGPSVTVBMCJUDPJOQBZNFOU w #VUJUJTWFSZTMPXDPNQBSJOHXJUIDSFEJUDBSEPS/'$ w ʜ
  5. γϡϊΞॺ໊(Schnorr Signature) هड़๏ G: p࣍८ճ܈ g: Gͷੜ੒ݩ m: ॺ໊ର৅ϝοηʔδ x:

    ൿີ伴(੔਺) X: ެ։伴, X = g x H(ɾ): ϋογϡؔ਺ ॺ໊࡞੒ ཚ਺rΛબͿ([0,p-1]) R = g r mod p c = H(X, R, m) ஫: ͜Εʹҧ࿨ײΛײ͡Δํ͕͍Δͱࢥ͍·͢ɻ௨ৗ͸c = H(R, m)ɻ s = r + cx mod p ͜ͷͱ͖ɺॺ໊Λ(R, s)ͱ͢Δɻ ஫: c, s, ॺ໊ʹҧ࿨ײΛײ͡Δํ͕͍Δͱࢥ͍·͢ɻ௨ৗc = H(R, m)ɺs = r - cx ɺॺ໊͸(c, s)ɻॺ໊ʹ͍ͭͯ͸p22 Discussionʹͯٞ࿦ɻ ॺ໊ݕূ g s = RX c ͕੒Γཱ͔ͭͲ͏͔Λ֬ೝɻ੒Γཱͯ͹ॺ໊͸ਖ਼͍͠ɻ ੒Γཱͨͳ͚Ε͹ॺ໊͸ෆਖ਼ ஫: ࿦จͰ͸͜͏ͳͬͯ·͢ɻ௨ৗͱҧ͏ॺ໊ݕূ౳ࣜͰ͢ɻ ·ͨfiat-shamirม׵͸ෆཁʁͱ͍͏ͷ΋ٙ໰఺Ͱ͢ɻ
  6. γϡϊΞॺ໊ͷ γϯϓϧͳϚϧνγάωνϟ֦ு هड़๏ G: p࣍८ճ܈ g: Gͷੜ੒ݩ m: ॺ໊ର৅ϝοηʔδ i:

    ॺ໊ऀʹৼͬͨ൪߸([1, n]) x i : ൿີ伴, {x 1 , …, x n } X i : ެ։伴, {X 1 =g x1 , …, X n =g xn } (x1͸x 1 ͷҙຯ) H(ɾ): ϋογϡؔ਺ ॺ໊࡞੒ ཚ਺ri ΛબͿ([0,p-1]) Ri = g ri mod p R = R1 R2 …Rn X~ = X1 X2 …Xn , (X~ ͷ~͸Xͷ্ͷҙ) c = H(X~, R, m) si = ri + cxi mod p s = s1 +s2 +…+sn ͜ͷͱ͖ɺॺ໊Λ(R, s)ͱ͢Δɻ ॺ໊ݕূ g s = RX c ͕੒Γཱ͔ͭͲ͏͔Λ֬ೝɻ੒Γཱͯ͹ॺ ໊͸ਖ਼͍͠ɻ੒Γཱͨͳ͚Ε͹ॺ໊͸ෆਖ਼
  7. ൺֱ ॺ໊ू໿ͳ͠ ॺ໊࡞੒ ཚ਺rΛબͿ([0,p-1]) R = g r mod p

    c = H(X, R, m) s = r + cx mod p ͜ͷͱ͖ɺॺ໊Λ(R, s)ͱ͢Δɻ ॺ໊ݕূ g s = RX c ͕੒Γཱ͔ͭͲ͏͔Λ֬ೝɻ੒Γཱͯ͹ ॺ໊͸ਖ਼͍͠ɻ੒Γཱͨͳ͚Ε͹ॺ໊͸ෆਖ਼ ॺ໊ू໿͋Γ ॺ໊࡞੒ ཚ਺r i ΛબͿ([0,p-1]) R i = g ri mod p R = R 1 R 2 …R n X~ = X 1 X 2 …X n , (X~ ͷ~͸Xͷ্ͷҙ) c = H(X~, R, m) s i = r i + cx i mod p s = s 1 +s 2 +…+s n ͜ͷͱ͖ɺॺ໊Λ(R, s)ͱ͢Δɻ ॺ໊ݕূ g s = RX c ͕੒Γཱ͔ͭͲ͏͔Λ֬ೝɻ੒Γཱͯ͹ ॺ໊͸ਖ਼͍͠ɻ੒Γཱͨͳ͚Ε͹ॺ໊͸ෆਖ਼
  8. ΩʔΞάϦήʔγϣϯͰ໰୊ͱͳΔ߈ܸ — Rogue Key ߈ܸ — Rogue Key߈ܸ Alice(ળਓ): ެ։伴X

    a ɺBob(ѱਓ): ެ։伴X b ू໿ެ։伴Λ࡞Δͱ͖ʹɺAlice͸Bobʹެ։伴ΛૹΔɻ ࣍ʹɺBob͸X b ΛAliceʹૹΔͷͰ͸ͳ͘ɺX b /X a ΛBobͷެ։伴ͱͯ͠ૹΔɻ Alice͸ू໿ެ։伴(ຊ౰͸X a X b ɺ͔͠͠X b /X a *X a = X b ʹͳ͍ͬͯΔ)Λ࡞੒͠ɺ͜ͷΞυϨε΁ͷࢧ෷͍ ͱͯ͠τϥϯβΫγϣϯΛϒϩʔυΩϟετ Bob͸X b ʹରԠͨ͠ൿີ伴x b Λ࢖͖ͬͯ͞΄ͲͷτϥϯβΫγϣϯʹର͢Δॺ໊Λ࡞੒͠ɺAliceʹແஅ ͰτϥϯβΫγϣϯΛ࢖͑ͯ͠·͏ ؆қతͳղܾํ๏ Bob͕ૹ͖ͬͯͨެ։伴ʹର͢Δൿີ伴ΛBob͕ؒҧ͍ͳ͍࣋ͬͯ͘Δ͜ͱΛূ໌͢ΔखஈΛ࣋ͭ͜ͱ (ೝূػؔ౳)
  9. γϯϓϧͳ΋ͷͱԿ͕ҧ͏ʁ ϋογϡؔ਺Λ̎छྨ༻ҙ H0 ɺH1 cΛҎԼʹมߋ c = H1 (X~, R,

    m) ू໿ެ։伴ΛҎԼʹมߋ X~ = X1 a1 X2 a2 …Xn an ai = H0 (<L>, Xi ) L = {X1 , …, Xn } <L> = unique encoding(L) ࿦จϦϑΝϨϯε[BN06]ͷΑ͏ͳ༧උతίϛο τϝϯτϑΣΠζΛͳͨ͘͠ OMDL(ϫϯϞΞ཭ࢄର਺໰୊, One More Discrete Logarithm)Λલఏͱ͠ͳ͍ͱ͍͚ͳ ͍(ղऍΛؒҧ͍͑ͯΔ͔΋͠Ε·ͤΜ) ͜Ε͸௨ৗͷ཭ࢄର਺໰୊ΑΓ΋ɺΑΓղ ͖೉͍໰୊ cͷܭࢉΛ̎ͭʹ෼͚Δ͜ͱͰɺϋογϡؔ਺ ͕̎ͭʹͳΓɺηΩϡϦςΟূ໌Ͱ෼྾ิ୊ (Forking Lemma)Λ̎ճ࢖Θͳ͍ͱ͍͚ͳ͍ ͜ΕʹΑͬͯɺূ໌Ͱ͖ΔηΩϡϦςΟڧ ౓͕Լ͕ͬͯ͠·͏(ղऍΛؒҧ͍͑ͯΔ͔ ΋͠Ε·ͤΜɻ͜ͷ৔߹ͷηΩϡϦςΟڧ ౓ͷఆ͕ٛ·ͩࣗ෼ͷதͰ͋΍;΍Ͱ͢)
  10. γϯϓϧͳ΋ͷͱԿ͕ҧ͏ʁ ࣭໰Ͱࢦఠ͕͋ͬͨͷͰهࡌ ͳͥຊ࿦จͷఏҊํ๏ͩͱRogue Key߈ܸ͕ޮ͔ͳ͍͔ʁ શͯͷa i ͸શެ։伴ͷ৘ใΛؚΉLͱɺa i ʹରԠͨ͠X i

    ͕ͳ͍ͱ࡞Εͳ͍͕ɺଞͷਓͷެ։伴Λ ड͚औͬͨͷͪʹRogue Key߈ܸͷͨΊʹX i Λِ૷ͯ͠ӕͷ΋ͷʹม͑ͨͱͯ͠΋ɺX i Λม͑ͯ ͠·͏ͱa i ͚ͩͰͳ͘ଞͷa j≠i ΋มΘͬͯ͠·͏ͨΊɺ͏·͘߈ܸ͕੒ޭ͢ΔΑ͏ͳX i ͕બ΂ͳ ͍ σΟʔϓϥʔχϯά(χϡʔϥϧωοτϫʔΫ)ͰͷӅΕ૚ͷஞ࣍తॏΈߋ৽ͷΑ͏ͳํ๏Ͱ߈ܸ͕੒ ޭ͢ΔΑ͏ͳX i ͕બ΂ͦ͏ͳؾ͕͕ͨ͠ɺҎԼͷ఺ͰͰ͖ͳ͍ a i ͸ϋογϡؔ਺H 0 Λ௨ܾͯ͠·ΔͷͰɺҾ਺Λͪΐͬͱ͚ͩม͑ͯ΋a i ͸େ෯ʹ஋͕มΘΔ ͜ͷͨΊɺԾܾΊͨ͠X i ΛϕʔεʹX i ->a i ->X i ’->a i ’’->X i ’’->…ͷΑ͏ʹஞ࣍ߋ৽͍ͯͬͯ͠΋̎ ͭͷύϥϝʔλʔ͕ঃʑʹऩଋ͢ΔΑ͏ʹ͸ͳΒͳ͍
  11. ECDSAͩͱॺ໊ू໿͸Ͱ͖ͳ͍ʁ 2ਓͷॺ໊ऀ s1 , R1 , c, a1 , x1

    , X1 s2 , R2 , c, a2 , x2 , X2 ͜ͷͱ͖ɺҎԼ͕੒Γཱͭ g s1 =R1 X1 a1*c , g s2 =R2 X2 a2*c s=s1 +s2 , R=R1 R2 , X~=X1 a1 X2 a2 ͱ͢Δͱɺลʑಉ࢜Λ͔͚ͯ g s =R1 X1 a1*c R2 X2 a2*c =R1 R2 X1 a1*c X2 a2*c =R(X1 a1 X2 a2 ) c =RX~ c (͜ͷٯͷূ໌΋ඞཁͳ͸ͣɻٯ͸੒ཱ͠ͳ͍ʁ)
  12. ΋ͬͱγϯϓϧʹ͸Ͱ͖ͳ͍ʁ a i = 1͸μϝ ͜ͷ৔߹͸୯७ͳ֦ுʹҰகͯ͠͠·͍ɺRogue Key߈ܸ͔Β੬ऑʹͳΔ a i =

    H 0 (X i )΋μϝ ѱਓॺ໊ऀ਺͕े෼େ͖͍ͱɺ߈ܸऀ͸WargnerͷΞϧΰϦζϜ(࿦จϦϑΝϨϯε [Wag02])Λ࢖ͬͯॺ໊Λِ଄ͯ͠ળਓऀͷ͓ۚΛ౪ΊΔɻ ߈ܸʹ͔͔Δ࣌ؒܭࢉྔΦʔμʔ͸O(2 2√k ) k͸८ճ܈GͷҐ਺pͷbit௕ ϥϯμϜ஋ r i ͷ࢖͍ճ͠͸ݫې ू໿伴ͷੜ੒աఔͰɺଞͷॺ໊ऀʹൿີ伴͕๫͔Εͯ͠·͍·͢