Skip to content

Latest commit

 

History

History
34 lines (23 loc) · 2.53 KB

2023-10-27-schnoor-sigs.md

File metadata and controls

34 lines (23 loc) · 2.53 KB
layout uuid title author affiliation email
post
truffing-schnorr-2023
Schnorr signatures
Tim Ruffing
Blockstream

Blind Schnorr multi-party signatures

Blind Schnorr multisignatures and threshold signature schemes (i.e., some cosigners are blind) have great potential to enhance user's privacy in semi-custodial applications with a semi-trusted cosigner, e.g., a server that cosigns transactions of a user only if the user presents a second authentication factor.

Due to the fact that reuse of public keys is discouraged for privacy reasons, schemes will need to hide the signed message and the aggregate public key from blind cosigners.

While there have been ad-hoc proposals in that direction12, they lack a formal security analysis, including a proper security definition.

Practical deterministic Schnorr multi-party signatures

Implementations of DL-based signature schemes such as ECDSA and Schnorr signatures typically de-randomize the signing algorithm to avoid catastrophic accidents caused by bad random sources.

However, the same de-randomization techniques do not apply to multi-party signatures, and thus all "natural" constructions of Schnorr multi-signature and Schnorr threshold signature schemes critically rely on the availability of good randomness during signing.

While it is possible345 to de-randomize multi-party signing protocols, all known protocols suffer from a lack of efficiency and in particular a high implementation complexity.

More research is necessary to obtain practical protocols for which, in typical scenarios, the additional risk stemming from the implementation complexity is lower than the risk of relying on randomness.

Footnotes

  1. Schnorr Blinded Custody (ref)

  2. Private Collaborative Custody with FROST (ref)

  3. MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces. Jonas Nick, Tim Ruffing, Yannick Seurin, and Pieter Wuille. ACM CCS 2020

  4. Threshold Schnorr with Stateless Deterministic Signing from Standard Assumptions. François Garillot, Yashvanth Kondi, Payman Mohassel, and Valeria Nikolaenko CRYPTO 2021

  5. Two-Round Stateless Deterministic Two-Party Schnorr Signatures From Pseudorandom Correlation Functions. Yashvanth Kondi, Claudio Orlandi, Lawrence Roy. Preprint