Simple Schnorr multi-signatures with applications to Bitcoin

We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called MuSig , provably secure under the Discrete Logarithm assumption and in the plain public-key model (meaning that signers are only re...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:Designs, codes, and cryptography Jg. 87; H. 9; S. 2139 - 2164
Hauptverfasser: Maxwell, Gregory, Poelstra, Andrew, Seurin, Yannick, Wuille, Pieter
Format: Journal Article
Sprache:Englisch
Veröffentlicht: New York Springer US 15.09.2019
Springer Nature B.V
Schlagworte:
Agglomeration
Circuits
Coding and Information Theory
Computer Science
Cryptography
Cryptology
Data encryption
Data Structures and Information Theory
Digital currencies
Discrete Mathematics in Computer Science
Information and Communication
Public Key Infrastructure
Security
Signatures
Multi-signatures
Schnorr signatures
Key aggregation
Bitcoin
Discrete logarithm problem
94A60
Forking lemma
ISSN:0925-1022, 1573-7586
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called MuSig , provably secure under the Discrete Logarithm assumption and in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging the protocol). MuSig improves over the state-of-art scheme of Bellare and Neven (ACM Conference on Computer and Communications Security-CCS 2006) and its variants by Bagherzandi et al. (ACM Conference on Computer and Communications Security-CCS 2008) and Ma et al. (Des Codes Cryptogr 54(2):121–133, 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation , which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single “aggregated” public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure under the Discrete Logarithm assumption in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin.
Bibliographie:ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ISSN:0925-1022
1573-7586
DOI:10.1007/s10623-019-00608-x