An Implementation of the MuSig Multi-Signature Scheme in the m-of-n Setting with Merkle Trees and Its Applications to Bitcoin
This work presents a proof-of-concept implementation of the multi-signature scheme MuSig in the m-of-n scenario with aggregated key validation using Merkle trees, expanding the original MuSig description for this scenario. Python was the programming language of choice, and elliptic curves (mainly secp256k1) were used as the basis of the implementation. The multi-signatures generated by the scheme keep the same size as a single Schnorr signature and can be verified with a single aggregated public key computed from the individual public keys of the signers; this brings positive expectations for performance and privacy improvements in Bitcoin. Future work includes a proof-of-concept implementation that integrates the MuSig scheme directly into the Bitcoin protocol and the implementation of an interactive aggregate signature scheme (IAS) with MuSig as its basis.
Securing Update Propagation with Homomorphic Hashing
In database replication, ensuring consistency when propagating updates is a challenging and extensively studied problem. However, the problem of securing update propagation against malicious adversaries has received less attention in the literature. This consideration becomes especially relevant when sending updates across a large network of untrusted peers.
In this paper we formalize the problem of secure update propagation and propose a system that allows a centralized distributor to propagate signed updates across a network while adding minimal overhead to each transaction. We show that our system is secure (in the random oracle model) against an attacker who can maliciously modify any update and its signature. Our approach relies on the use of a cryptographic primitive known as homomorphic hashing, introduced by Bellare, Goldreich, and Goldwasser.
We make our study of secure update propagation concrete with an instantiation of the lattice-based homomorphic hash LtHash of Bellare and Micciancio. We provide a detailed security analysis of the collision resistance of LtHash, and we implement LtHash using a selection of parameters that gives at least 200 bits of security. Our implementation has been deployed to secure update propagation in production at Facebook, and is included in the Folly open-source library.
Proving the correct execution of concurrent services in zero-knowledge
This paper introduces Spice, a system for building verifiable state machines (VSMs). A VSM is a request-processing service that produces proofs establishing that requests were executed correctly according to a specification. Such proofs are succinct (a verifier can check them efficiently without re-execution) and zero-knowledge (a verifier learns nothing about the content of the requests, responses, or the internal state of the service). Recent systems for proving the correct execution of stateful computations (Pantry, Geppetto, CTV, vSQL, etc.) implicitly implement VSMs, but they incur prohibitive costs. Spice reduces these costs significantly with a new storage primitive. More notably, Spice's storage primitive supports multiple writers, making Spice the first system that can succinctly prove the correct execution of concurrent services. We find that Spice running on a cluster of 16 servers achieves 488-1167 transactions/second for a variety of applications including inter-bank transactions, cloud-hosted ledgers, and dark pools. This represents an 18,000-685,000× higher throughput than prior work.
MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces
MuSig is a multi-signature scheme for Schnorr signatures, which supports key aggregation and is secure in the plain public key model. Standard derandomization techniques for discrete logarithm-based signatures such as RFC 6979, which make the signing procedure immune to catastrophic failures in the randomness generation, are not applicable to multi-signatures, as an attacker could trick an honest user into producing two different partial signatures with the same randomness, which would reveal the user's secret key.
In this paper, we propose a variant of MuSig in which signers generate their nonce deterministically as a pseudorandom function of the message and all signers' public keys and prove that they did so by providing a non-interactive zero-knowledge proof to their cosigners. The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Therefore its signing protocol is robust against failures in the randomness generation as well as attacks trying to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks. As an additional benefit, a signing session in MuSig-DN requires only two rounds instead of three as required by all previous Schnorr multi-signatures including MuSig. To instantiate our construction, we identify a suitable algebraic pseudorandom function and provide an efficient implementation of this function as an arithmetic circuit. This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin.
Scaling Verifiable Computation Using Efficient Set Accumulators
Verifiable outsourcing systems offload a large computation to a remote server, but require that the remote server provide a succinct proof, called a SNARK, that proves that the server carried out the computation correctly. Real-world applications of this approach can be found in several blockchain systems that employ verifiable outsourcing to process a large number of transactions off-chain. This reduces the on-chain work to simply verifying a succinct proof that transaction processing was done correctly. In practice, verifiable outsourcing of state updates is done by updating the leaves of a Merkle tree, recomputing the resulting Merkle root, and proving using a SNARK that the state update was done correctly.
In this work, we use a combination of existing and novel techniques to implement an RSA accumulator inside of a SNARK, and use it as a replacement for a Merkle tree. We specifically optimize the accumulator for compatibility with SNARKs. Our experiments show that the resulting system reduces costs compared to existing approaches that use Merkle trees for committing to the current state. These results apply broadly to any system that needs to offload batches of state updates to an untrusted server.
Revisiting Tree Isomorphism: AHU Algorithm with Prime Numbers
The AHU algorithm has been the state of the art since the 1970s for determining in linear time whether two unordered rooted trees are isomorphic or not. However, it has been criticized (by Campbell and Radford) for the way it is written, which requires several (re)readings to be understood, and does not facilitate its analysis. In this paper, we propose an alternative version of the AHU algorithm, which addresses this issue by being designed to be clearer to understand and implement, with the same theoretical complexity and equally fast in practice. Whereas the key to the linearity of the original algorithm lay in the careful sorting of lists of integers, we replace this step by the multiplication of lists of prime numbers, and prove that this substitution causes no loss in the final complexity of the new algorithm.
Simple Schnorr Multi-Signatures with Applications to Bitcoin
We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message) called MuSig, provably secure in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging in the protocol), which improves over the state-of-the-art scheme of Bellare and Neven (ACM-CCS 2006) and its variants by Bagherzandi et al. (ACM-CCS 2008) and Ma et al. (Des. Codes Cryptogr., 2010) in two respects: (i) it is simple and efficient, having the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single "aggregated" public key which can be computed from the individual public keys of the signers. To the best of our knowledge, this is the first multi-signature scheme provably secure in the plain public-key model which allows key aggregation. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin.
Succinct Arguments over Towers of Binary Fields
We introduce an efficient SNARK for towers of binary fields. Adapting Brakedown (CRYPTO '23), we construct a multilinear polynomial commitment scheme suitable for polynomials over tiny fields, including that with 2 elements. Our commitment scheme, unlike those of previous works, treats small-field polynomials with zero embedding overhead. We further introduce binary-field adaptations of HyperPlonk's (EUROCRYPT '23) product and permutation checks, as well as of Lasso's lookup. Our scheme's binary PLONKish variant captures standard hash functions—like Keccak-256 and Grøstl—extremely efficiently. With recourse to thorough performance benchmarks, we argue that our scheme can efficiently generate precisely those Keccak-256 proofs which critically underlie modern efforts to scale Ethereum.