MuSig

Paper introduction:
"Simple Schnorr Multi-Signatures with Applications to Bitcoin"

Takaya Imai

March 12, 2018

Transcript

  1. MuSig
    — Simple Schnorr Multi-Signatures
    with Applications to Bitcoin —
    [Cryptocurrency Reading Group #16] MuSig @ 01Booster
    2018/3/12
    Frontier Partners LLC, Founder & Representative CEO
    United Bitcoiners Inc., Co-founder & Director, CTO
    Takaya Imai

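  2. Self-introduction
    United Bitcoiners Inc., Co-founder & Director, CTO
    Frontier Partners LLC, Representative CEO
    Mastering Bitcoin, lead translator
    The world's first detailed technical book on Bitcoin and blockchain in Japanese (NTT Publishing)
    Published 2016/7/14
    E-book edition (Kindle) also available
    Open edition
    https://www.bitcoinbook.info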

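  3. Self-introduction
    Background
    Niigata University Graduate School, theoretical particle physics, Ph.D. (Science)
    Kakaku.com
    Search engine development, search server cluster construction and operation, large-scale data processing, machine learning, image recognition
    Data Tower Co., Ltd., Representative Director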

  4. The paper for this session
    Title:
    Simple Schnorr Multi-Signatures with Applications to Bitcoin
    Author:
    Gregory Maxwell, Andrew Poelstra, Yannick Seurin, and Pieter Wuille
    Article:
    https://eprint.iacr.org/2018/068.pdf
    Published:
    January 2018

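  5. The paper for this session
    I believe there are places where I have misinterpreted the paper, so please check anything unclear against the original paper.
    I would be grateful if you would gently point out any mistakes.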

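  6. The approach of this paper
    [From the paper's abstract]
    The paper describes a new Schnorr-based multi-signature scheme (that is, a protocol that allows a group of signers to produce a short signature on a common message) that is provably secure in the plain public-key model.
    The plain public-key model means that signers are only required to have a public key, and do not need to show knowledge of the secret key corresponding to their public key to a certification authority or to other signers before following the protocol.
    The paper improves on the state-of-the-art scheme of Bellare and Neven (ACM-CCS 2006) and its variants by Bagherzandi et al. (ACM-CCS 2008) and Ma et al. (Des. Codes Cryptogr. 2010) in the following two respects.
    (i) It is simple and efficient: it needs only two rounds of communication rather than three as in the Bellare-Neven scheme, with the same key and signature sizes as standard Schnorr signatures.
    (ii) It enables key aggregation. This means that the joint signature can be verified exactly like a standard Schnorr signature with respect to a single "aggregated" public key that can be computed from the signers' individual public keys.
    This comes at the cost of assuming the One More Discrete Logarithm (OMDL) problem, a stronger security assumption than the standard discrete logarithm problem, and of a looser security reduction due to two invocations of the forking lemma (Forking Lemma, Splitting Lemma).
    As an application, it explains how the new multi-signature scheme can improve both Bitcoin's performance and user privacy.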

  7. Bitcoin's scaling problem
    Transactions in one block are full
    MB per block
    Increase of Bitcoin blockchain data size
    High TX fee
    ex satoshi byte
    TX per second
    min block time
    Mbytes bytes min second TX per second
    This block time is necessary for a stable Bitcoin blockchain and is enough for usual bitcoin payment
    But it is very slow compared with credit card or NFC
    …

  8. View Slide

  9. 160GB

  10. 4.6tx/sec

  11. https://bitcoinfees.info
    About 4000 yen/tx

  12. Various solutions
    On-chain side
    Sidechains / drivechains
    SegWit (Segregated Witness)
    Big blocks
    Schnorr signatures (Schnorr Signature)
    Off-chain side
    Lightning Network

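  13. Why are Schnorr signatures good for the scaling problem?
    When spending a UTXO of an m-of-n multisig address, m signatures and n public keys have to be placed in the unlocking script and the redeem script respectively
    With just one of each this is fine for the time being, but if the multiple signatures and public keys can each be reduced to one, the transaction data size can be made smaller
    When the transaction data size shrinks, more transactions fit in one block, and the number of transactions that can be processed increases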

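  14. Caveats
    This is not ECDSA (Elliptic Curve Digital Signature Algorithm)
    The paper's claims themselves concern n-of-n multi-signatures, not m-of-n multi-signatures
    Further adjustment is still needed before this can be used in Bitcoin
    Reference
    https://blockstream.com/2018/01/23/musig-key-aggregation-schnorr-signatures.html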

  15. Schnorr signature (Schnorr Signature)
    Schnorr signature (original)
    Reference: explanation by Hyuga-san
    https://blog.visvirial.com/articles/721#i-10

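  16. Schnorr signature (Schnorr Signature)
    Notation
    $G$: cyclic group of order $p$
    $g$: generator of $G$
    $m$: message to be signed
    $x$: secret key (integer)
    $X$: public key, $X = g^x$
    $H(\cdot)$: hash function
    Signature creation
    Choose a random number $r$ (in $[0, p-1]$)
    $R = g^r \bmod p$
    $c = H(X, R, m)$
    Note: some of you may find this odd. Normally $c = H(R, m)$.
    $s = r + cx \bmod p$
    The signature is then $(R, s)$.
    Note: some of you may find $c$, $s$ and the signature odd. Normally $c = H(R, m)$, $s = r - cx$, and the signature is $(c, s)$. The signature is discussed in the Discussion on p. 22.
    Signature verification
    Check whether $g^s = R X^c$ holds. If it holds, the signature is valid.
    If it does not hold, the signature is invalid.
    Note: this is how it appears in the paper. It is a verification equation different from the usual one.
    Whether the Fiat-Shamir transform is unnecessary is also an open question for me.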

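  17. Isn't a simple extension enough?
    The Schnorr signature on the previous page can be extended to multi-signatures in a straightforward way.
    To state the conclusion first, this introduces a vulnerability.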

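  18. Simple multi-signature extension of the Schnorr signature
    Notation
    $G$: cyclic group of order $p$
    $g$: generator of $G$
    $m$: message to be signed
    $i$: index assigned to each signer (in $[1, n]$)
    $x_i$: secret keys, $\{x_1, \ldots, x_n\}$
    $X_i$: public keys, $\{X_1 = g^{x_1}, \ldots, X_n = g^{x_n}\}$
    $H(\cdot)$: hash function
    Signature creation
    Choose a random number $r_i$ (in $[0, p-1]$)
    $R_i = g^{r_i} \bmod p$
    $R = R_1 R_2 \cdots R_n$
    $\tilde{X} = X_1 X_2 \cdots X_n$
    $c = H(\tilde{X}, R, m)$
    $s_i = r_i + c x_i \bmod p$
    $s = s_1 + s_2 + \cdots + s_n$
    The signature is then $(R, s)$.
    Signature verification
    Check whether $g^s = R \tilde{X}^c$ holds. If it holds, the signature is valid. If it does not hold, the signature is invalid.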

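  19. Comparison
    Without signature aggregation
    Signature creation
    Choose a random number $r$ (in $[0, p-1]$)
    $R = g^r \bmod p$
    $c = H(X, R, m)$
    $s = r + cx \bmod p$
    The signature is then $(R, s)$.
    Signature verification
    Check whether $g^s = R X^c$ holds. If it holds, the signature is valid. If it does not hold, the signature is invalid.
    With signature aggregation
    Signature creation
    Choose a random number $r_i$ (in $[0, p-1]$)
    $R_i = g^{r_i} \bmod p$
    $R = R_1 R_2 \cdots R_n$
    $\tilde{X} = X_1 X_2 \cdots X_n$
    $c = H(\tilde{X}, R, m)$
    $s_i = r_i + c x_i \bmod p$
    $s = s_1 + s_2 + \cdots + s_n$
    The signature is then $(R, s)$.
    Signature verification
    Check whether $g^s = R \tilde{X}^c$ holds. If it holds, the signature is valid. If it does not hold, the signature is invalid.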

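  20. An attack that is a problem for key aggregation
    — Rogue Key attack —
    Rogue Key attack
    Alice (honest party): public key $X_a$; Bob (malicious party): public key $X_b$
    When the aggregated public key is created, Alice sends her public key to Bob.
    Next, instead of sending $X_b$ to Alice, Bob sends $X_b / X_a$ as his public key.
    Alice creates the aggregated public key (it should be $X_a X_b$, but it is actually $X_b / X_a \cdot X_a = X_b$) and broadcasts a transaction paying to this address
    Bob uses the secret key $x_b$ corresponding to $X_b$ to create a signature for that transaction, and can spend it without Alice's consent
    A simple countermeasure
    Have a means of proving that Bob really holds the secret key for the public key he sent (a certification authority, for example)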

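  21. This simple countermeasure is cumbersome
    Having to confirm possession of the secret key every time is cumbersome
    Merely holding a public key has to be enough
    The model that assumes holding a public key is enough, with no confirmation of secret-key possession needed, is called the plain public-key (Plain Public-Key) model, and it is the premise that the paper's claims must satisfy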

  22. A brief aside (key prefixed)
    The form that appears in ordinary Schnorr signatures is:
    $c = H(R, m)$
    In this paper it is:
    $c = H(X, R, m)$
    This is called a key-prefixed scheme.

  23. The method proposed in the paper

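  24. How does it differ from the simple version?
    Two hash functions are used: $H_0$ and $H_1$
    $c$ is changed to:
    $c = H_1(\tilde{X}, R, m)$
    The aggregated public key is changed to:
    $\tilde{X} = X_1^{a_1} X_2^{a_2} \cdots X_n^{a_n}$
    $a_i = H_0(\langle L \rangle, X_i)$
    $L = \{X_1, \ldots, X_n\}$
    $\langle L \rangle$ = unique encoding($L$)
    The preliminary commitment phase used in paper reference [BN06] has been removed
    OMDL (One More Discrete Logarithm problem) has to be assumed (I may be misinterpreting this)
    This is a problem that is harder to solve than the ordinary discrete logarithm problem
    Splitting the computation of $c$ in two gives two hash functions, so the security proof has to use the forking lemma (Forking Lemma) twice
    As a result, the provable security level goes down (I may be misinterpreting this; the definition of security level in this context is still vague to me)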

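  25. How does it differ from the simple version?
    Added because this was raised in a question
    Why does the Rogue Key attack not work against the method proposed in the paper?
    Every $a_i$ can only be computed from $L$, which contains information about all public keys, and the $X_i$ corresponding to $a_i$. Even if an attacker, after receiving the other parties' public keys, replaces $X_i$ with a forged value for a Rogue Key attack, changing $X_i$ changes not only $a_i$ but also the other $a_{j \neq i}$, so an $X_i$ that makes the attack succeed cannot be chosen
    It seemed to me that an $X_i$ that makes the attack succeed might be found by a method like the iterative weight updates of hidden layers in deep learning (neural networks), but this is not possible for the following reasons
    $a_i$ is determined through the hash function $H_0$, so even a slight change to the arguments changes the value of $a_i$ drastically
    Therefore, even if one starts from a tentative $X_i$ and updates iteratively as $X_i \to a_i \to X_i' \to a_i'' \to X_i'' \to \ldots$, the two parameters do not gradually converge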

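  26. Can't signature aggregation be done with ECDSA?
    Let's try signature aggregation with the Schnorr signature scheme of this paper
    There are two signers. Each has a public key and a secret key.
    If an aggregated public key is created from these, can an outsider verify the signature using only the aggregated public key, without knowing the individual signers' public keys?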

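  27. Can't signature aggregation be done with ECDSA?
    Two signers
    $s_1, R_1, c, a_1, x_1, X_1$
    $s_2, R_2, c, a_2, x_2, X_2$
    Then the following hold:
    $g^{s_1} = R_1 X_1^{a_1 c}$, $g^{s_2} = R_2 X_2^{a_2 c}$
    Setting $s = s_1 + s_2$, $R = R_1 R_2$, $\tilde{X} = X_1^{a_1} X_2^{a_2}$ and multiplying the two equations side by side gives
    $g^s = R_1 X_1^{a_1 c} R_2 X_2^{a_2 c} = R_1 R_2 X_1^{a_1 c} X_2^{a_2 c} = R (X_1^{a_1} X_2^{a_2})^c = R \tilde{X}^c$
    (A proof of the converse should also be needed. Does the converse not hold?)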

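  28. Can't signature aggregation be done with ECDSA?
    https://ja.wikipedia.org/wiki/楕円曲線DSA
    One side involves an inverse and the other a sum, so it seems signatures cannot simply be aggregated, but what about a rigorous proof?
    Paper references [MR01, GGN16, Lin17]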

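  29. Can't it be made even simpler?
    $a_i = 1$ does not work
    In this case it coincides with the simple extension and becomes vulnerable to the Rogue Key attack
    $a_i = H_0(X_i)$ does not work either
    If the number of malicious signers is sufficiently large, the attacker can use Wagner's algorithm (paper reference [Wag02]) to forge a signature and steal the honest party's money.
    The time complexity of the attack is on the order of $O(2^{2\sqrt{k}})$
    $k$ is the bit length of the order $p$ of the cyclic group $G$
    Reusing the random value $r_i$ is strictly forbidden
    In the process of generating the aggregated key, the secret key would be exposed to the other signers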
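
Added example (not from the slides or the paper): a Python sketch of the aggregation formulas on slides 18, 24 and 27 and of the rogue-key scenario on slide 20, run once with a_i = 1 and once with a_i = H_0(<L>, X_i). The toy group Z_P^* with P = 2^255 - 19, the SHA-256-based H and all function names are assumptions of this example, and all signers are simulated in one process.

```python
import hashlib
import math
import secrets

# Toy group assumed for this example: Z_P^* with the prime P = 2^255 - 19 and
# base g = 2; exponents are reduced mod N = P - 1. It is not a secure group.
P, N, g = 2**255 - 19, 2**255 - 20, 2

def H(tag, *parts):
    """Hash to an exponent; the tag separates H_0 from H_1 (slide 24)."""
    data = "|".join(str(v) for v in (tag,) + parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(g, x, P)

def coeffs(keys, musig):
    """a_i = 1 (simple extension) or a_i = H_0(<L>, X_i) (MuSig)."""
    L = tuple(sorted(keys))  # <L>: unique encoding of the key set
    return [H("H0", L, X) if musig else 1 for X in keys]

def aggregate(keys, musig):
    """X~ = X_1^{a_1} X_2^{a_2} ... X_n^{a_n}."""
    return math.prod(pow(X, a, P) for X, a in zip(keys, coeffs(keys, musig))) % P

def sign(shares, X_agg, m):
    """shares = [(x_i, a_i)]; R = prod g^{r_i}, s = sum(r_i + c a_i x_i)."""
    rs = [secrets.randbelow(N - 1) + 1 for _ in shares]
    R = pow(g, sum(rs) % N, P)
    c = H("H1", X_agg, R, m)
    return R, sum(r + c * a * x for r, (x, a) in zip(rs, shares)) % N

def verify(X_agg, m, sig):
    """Accept iff g^s = R * X~^c."""
    R, s = sig
    return pow(g, s, P) == R * pow(X_agg, H("H1", X_agg, R, m), P) % P

def honest_run(musig):
    """Both signers cooperate; the joint signature must verify (slide 27)."""
    (x1, X1), (x2, X2) = keygen(), keygen()
    X_agg = aggregate([X1, X2], musig)
    shares = list(zip((x1, x2), coeffs([X1, X2], musig)))
    return verify(X_agg, "tx", sign(shares, X_agg, "tx"))

def rogue_key_run(musig):
    """Bob announces X_b / X_a, then signs alone with x_b (slide 20)."""
    (_, X_a), (x_b, X_b) = keygen(), keygen()
    X_agg = aggregate([X_a, X_b * pow(X_a, -1, P) % P], musig)
    return verify(X_agg, "tx", sign([(x_b, 1)], X_agg, "tx"))
```

`rogue_key_run(False)` returns True because the aggregate collapses to X_b, while `rogue_key_run(True)` returns False because the MuSig coefficients keep the aggregate from cancelling to X_b; `honest_run` returns True in both modes.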

  30. Application to Bitcoin

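  31. But isn't signature aggregation only useful for Bitcoin when there are multiple signers?
    MuSig also has in mind combining the signatures of multiple inputs into one
    Conceptually, it uses interactive aggregate signatures (IAS, Interactive Aggregated Signature). Paper reference [BN06] proposes a method for extending any multi-signature scheme to IAS
    [BN06] is a black-box scheme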

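  32. Non-black-box interactive aggregate signatures
    However, black-box interactive aggregate signatures do not work in the plain public-key model
    This is proved in Appendix A
    For this reason, the paper proposes non-black-box interactive aggregate signatures in the plain public-key model
    However, it gives no concrete proposal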

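  33. Application to Bitcoin
    Application to m-of-n multi-signatures
    There is a way to build m-of-n multi-signatures on top of n-of-n multi-signatures using a Merkle tree
    Create one aggregated public key for each required combination of public keys and place them at the leaves of a Merkle tree. What is placed in the transaction is this Merkle root.
    Is the aggregated public key construction used when building the branches of the Merkle tree?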

  34. Personal references
    Past presentation materials
    https://www.slideshare.net/lawmn/presentations
    https://www.slideshare.net/takayaimai/presentations
    Linkedin
    https://www.linkedin.com/in/takaya-imai-4a915310

  35. fin.