Digital Signatures - Obsidian Publish

- The 2 signatures currently used in Bitcoin are: - *Schnorr Signature Algorithm* - *Elliptic Curve Digital Signature Algorithm* - They are used for: - Spending segwit v0 P2WPKH outputs - Spending segwit v1 P2TR keypath spending - Script functions - A digital signatures serves 3 purposes 1. Signature proves that the controller of a private key has *authorized* the spending of those funds 2. Proof of authorization is undeniable (*nonrepudiation*) 3. The authorized transaction cannot be changed by unauthenticated parties i.e. the *integrity* is intact - Digital signatures present proof-of-control of a private key without revealing that private key ### How Digital Signatures Work Creating a Digital Signature - In Bitcoin, the "message" being signed is the transaction - More accurately, a hash of a specific subset of the data in the transaction i.e. the *commitment hash* - The signing key is the user's private key - $\text{Sig} = F_{\text{sig}}(F_{\text{hash}}(m), x)$ - $x$ is the signing key - $m$ is the message to sign (i.e. commitment hash) - $F_{\text{hash}}$ is the hashing function - $F_{\text{sig}}$ is the signing algorithm - In both Schnorr and ECDSA signatures, the function $F_{\text{sig}}$ produces a signature $\text{Sig}$ which is composed to $2$ values - After the two values are calculated they are serialized into a byte stream - For ECDSA signatures, the encoding rules use an international encoding scheme called DER - For Schnorr signatures, a simpler serialization format is used **Verifying the Signature** - The verification algorithm takes the message (a hash of parts of the transaction and related data), the signer's public key, and the signature - Returns `TRUE` if the signature is valid for this message and public key - "Only the controller of the private key that generated this public key could have produced this signature on this transaction" **Signature Hash Types - SIGHASH** - Digital signatures apply to messages, which in the case of Bitcoin, are the transaction themselves - The signature proves a commitment by the signer to a specific transaction data - Bitcoin signatures have a way of indicating which part of a transaction's data is included in the hash signed by the private key using a `SIGHASH` flag (a single byte appended to the signature) - Every signature has either an explicit or implicit `SIGHASH` flag which can be different from input to input - A transaction with 3 signed inputs may have 3 signatures with different sighash flags, each signature signing (committing) to different parts of the transaction - Remember each input may contain $1$ or more signatures - As a result, an input may have signatures with different sighash flags that commit to different parts of the transaction - Note also that Bitcoin transactions may contain inputs from different "owners" who may sign only one input in a partially constructed transaction, collaborating with others to gather all necessary signatures to make a valid transaction![[Pasted image 20241217030309.png]] - There is additionally a modifier flag `SIGHASH_ANYONECANPAY` which can be combined with each of the preceding flags - When set, only one input is signed, leaving the rest (and their sequence numbers) open for modification - The way `SIGHASH` flags are applied during signing and verification is that a copy of the transaction is made and certain fields within are either omitted or truncated - The resulting transaction is serialized - The `SIGHASH` flag is included in the serialized transaction data and the result is hashed - The hash digest itself is the "message" that is signed - Depending on which sighash flag is used, different parts of the transaction are included - By including the `SIGHASH` flag itself, the signature commits the sighash type as well, so it cant be changed by e.g. a miner Some `SIGHASH` types and how they can be used in practice - `ALL | ANYONECANPAY` - Signature applies to one input and all outputs - Crowdfunding style transaction - Someone attempting to raise funds to construct a transaction with a single output being the goal of the fundraiser - Such a transaction is not valid, as it has no inputs - However, others can now amend it by adding an input of their own - They sign their input with `ALL | ANYONECANPAY` - Unless enough inputs are gathered to reach the value of the output, the transaction is invalid - `NONE` - Signature applies to *all* inputs and *none* of the outputs - Blank check of a specific amount - It commits to *all* inputs but allows the outputs to be changed - Anyone can write their own Bitcoin address into the output script - By itself, any miner could change the output destination and claim the funds for themselves - But if other required signatures in the transaction use `SIGHASH_ALL` or another type that commits the output, it allows those spenders to change the destination without allowing any 3rd parties (like miners) to change the outputs - `NONE | ANYONECANPAY` - Signature applies to *one* input and *none* of the outputs - Dust collector - Users who have tiny UTXOs in their wallets cannot spend these without the cost in fees exceeding the value of the UTXO - Thus, it can be donated for anyone to aggregate and spend whatever they want - Proposals to modify or expand the `SIGHASH` system - Most widely discussed proposal is BIP118 - Add $2$ new sighash flags - A signature using `SIGHASH_ANYPREVOUT` would not commit to an input's outpoint field - Thus, allowing it to be used to spend any previous input for a particular witness program - e.g. Alice receives 2 outputs for the same amount to the same witness program (e.g. requiring a single signature from her wallet), then a `SIGHASH_ANYPREVOUT` signature for spending either one of those outputs could be copied and used to spend the other output to the same destination - A signature using `SIGHASH_ANYPREVOUTANYSCRIPT` would not commit to the outpoint, the amount, the witness program, or the specific leaf in the taproot merkle tree (script tree) - Thus, allowing it to spend any previous output that the signature could satisfy - e.g. Alice received 2 outputs for different amounts and different witness programs (e.g. one requiring a single signature and another requiring her signature + some other data) - A `SIGHASH_ANYPREVOUTANYSCRIPT` signature for spending either one of those outputs could be copied and used to spend the other output to the same destination (assuming the extra data for the second output was known) - The main expected use for the two previous opcodes is improved payment channels, such as those used in the Lightning Network (LN), though several other uses have been described - You will not often see `SIGHASH` flags presented as an option in a user's wallet application - Simple wallet applications sign with `SIGHASH_ALL` flags - More sophisticated applications such as LN nodes may use alternative sighash flags - But, they use protocols that have been extensively reviewed to understand the influence of alternative flags ### Schnorr Signatures - The algorithm is not specific to ECC though it is most strongly associated with ECC today - Nice properties - Provable security - Depends on discrete logarithm problem and the ability of a hash function to produce unpredictable values (called the random oracle model - ROM) - Other signature algorithms have additional dependencies or require much larger public keys or signatures for equivalent security to ECC-Schnorr - Linearity - In cryptographic operations, some functions may be private (such as functions involving private keys or secret nonces) so being able to get the same result whether performing an operation inside or outside a function makes it easy for multiple parties to coordinate and cooperate without sharing their secrets - Batch verification - When used in the way Bitcoin does, one consequence of Schnorr's linearity is that it is relatively straightforward to verify more than one schnorr signature at the same time (in less time that it would take for each one independently) - The more signatures are verified in a batch, the greater the speed up - For a typical number of signatures in a block, it takes half the time to verify them than it would for each one independently Example - Alice chooses a large random number (private key) $x$ - She knows a public point on Bitcoin's elliptic curve called the generator $G$ - Alice uses EC multiplication to multiply $G$ by her private key $x$ - The result is Alice's public key $xG$ - Alice gives her public key to Bob - Even though Bob also knows $G$, the discrete logarithm problem prevents Bob from being able to divide $xG$ by $G$ to derive $x$ - Bob wants Alice to identify herself by proving that she knows the $x$ for the public key $xG$ that Bob received earlier - Alice cannot give Bob $x$ directly because that would allow him to identify as her to other people - She needs a *zero-knowledge proof* Example - Schnorr Identity Process 1. Alice chooses another large random number $k$, which we call the *private nonce* - She uses it again as a scalar, multiplying it by $G$ to produce $kG$ which we call the *public nonce* - She gives the public nonce to Bob 2. Bob chooses a large random number of his own $e$ which we call the *challenge scalar* - It is used to challenge Alice to prove that she knows the private key $x$ for the public key $xG$ she previously gave to Bob 3. Alice now has scalars $x,k,e$ and combines them together to produce a final scalar $s=k+ex$ and gives $s$ to Bob 4. Bob now knows the scalars $s,e$ but not $x,k$ - Bob does know $xG$ and $kG$ - Bob can compute for himself $sG$ and $exG$ - Bob can check the quality of a scaled up version of the operation Alice performed - If this is fulfilled - $sG==kG+exG$ - Then Bob can be sure that Alice knew $x$ when she generated $s$ Recap - Alice created 1. $x,xG,kG$ 3. Then, $s=k+ex$ given to Bob ==Notice==: Alice could *not* have made $s$ here, if she did not know the value of $x\,\,!!!$ Is this right? - Bob created 2. $e$ - Given to Alice 4. Bob checks $sG==kG+exG$ - ==QUESTIONS== - Why do we even need $k$? Could we not have done everything without it? i.e. - Bob chooses $e$ and gives it to Alice. Alice creates $s=ex$ and gives $s$ to Bob. Bob checks $sG==exG$ Schnorr Identity Protocol with Integers Instead of Points - Easier to understand if we create an insecure oversimplification by substituting each of the preceding values (including $G$) with simple integers instead of points on an elliptic curve - We will use prime numbers starting with $3$ - Setup - Alice chooses private nonce $k=7$ and generates the public nonce $kG=35$ and gives it to Bob - Bob receives $kG$ - Bob chooses $e=11$ and gives it to Alice - Alice generates $s=40=7+11\cdot{3}=k+ex$ and gives it to Bob - Bob receives $s$ - Bob derives: - Bob has $xG=15$ - Bob calculates $exG$ by $11\cdot (xG=15)=165$ - Bob now has: - $s=40$ - $xG=15$ - $kG=35$ - $exG=165$ - Bob calculates $sG=40\cdot{5}$ and verifies if this value is equal to summing $kG$ and $exG$ - $200==35+165$ - Note: this is the *same* operation that Alice performed, but all the values have been scaled by $G=5$ - When working with simple integers, we can divide products by the generator $G$ to get the underlying scalar, which is *not* secure - This is why a critical property of ECC used in Bitcoin is that multiplication is easy, but division by a point on the curve is impractical - Also with numbers this small, brute force is easy **Video** - How to Design Schnorr Signatures - W and A both know $k_{\text{pub}}$ - W claims to own the private key $x$ which created $k_{\text{pub}}$ - A challenges W by sending him a random $e$ - W embeds his private key in a new calculation via $s=ex$ - W sends $s$ to A - A uses $s$ to calculate $sG$, and then separately also calculates $ek_{\text{pub}}$ - A realizes that $sG==ek_{\text{pub}}$ - In order for this to hold, W must have had access to $x$ in order to create this valid $s$ value - Thanks to $sG=exG=ek_{\text{pub}}$ - Basically, you say you know the $x$ to create $xG$, so I'll give you $e$ and i want you to calculate $ex$ (which you can only do if you truly know $x$), and send it to me so i can complete the triple $exG$ and see if you were telling the truth - *Problem* with this approach - It is not too hard to find $x=e^{-1}s$ - Therefore, we introduce the nonce - Based on the hiding property "which two numbers were added to give $13$?" - ==But something I do not understand is that we still have a huge space to search, and if we choose large enough numbers, it should be infeasible to find the right multiplier to get $x$ right? Is this not a property of ECC where finding the $n$ which gave $nG$ is intractable for points on an elliptic curve?== **Security Features of the Interactive Schnorr Identity Protocol** - The nonce - $k$ - In step 1, Alice chooses a number (unknown to Bob) and gives him the scaled version of that number $kG$ - Bob already has the public key $xG$ - Thus, when Bob is working on the final equation $sG=kG+exG$ there are 2 variables Bob does not know, $x$ and $k$ - It is not possible to use simple algebra to solve an equation with 2 independent, unknown variables - The presence of Alice's nonce prevents Bob from being able to derive her private key - This depends on nonces being unguessable in any way - The challenge scaler - $e$ - Bob waits to receive Alice's public nonce and proceeds in step 2 to give her $e$ (which Alice can't know or guess) - Bob must wait to give her $e$ only after she commits to her public nonce - If someone who did not know $x$ wanted to impersonate Alice - And Bob accidentally gives them $e$ before they told him the public nonce $kG$ - Then, this impersonator can change parameters on both sides of the equation Bob will use for verification - i.e. change both $sG$ and $kG$ - For the actual equation, the impersonator simply: - Chooses a random number for $s$ - Generates $sG$ - Uses EC subtraction to select a $kG$ that equals $kG=sG-exG$ - They give Bob their calculated $kG$, and later their random $sG$ - Bob thinks its valid because $sG==(sG-exG)+exG$ - Thus, the order of operations in the protocol is essential - Bob must only give Alice the challenge scalar after Alice has committed to her public nonce **Interactive Identity Protocol** - Difference from original description - The protocol described lacks $2$ essential features we need for the decentralized Bitcoin network 1. It relies on Bob waiting for Alice to commit to her public nonce 2. Then Bob giving her a random challenge scaler - In Bitcoin, the spender of every transaction needs to be authenticated by thousands of bitcoin full-nodes - Including full nodes that have not been started yet but whose operators will one day want to ensure the Bitcoins they receive came from a chain of transfers where every transaction was valid - Any node that is unable to communicate with Alice (today or in the future) will be unable to authenticate it, and thus be in disagreement - Unacceptable for a consensus system like Bitcoin - For Bitcoin to work, we need a protocol that does not require interaction between Alice and *each* node that wants to authenticate her - Fiat-Shamir Transform **Fiat-Shamir Transform** - Can turn the schnorr interactive identity protocol into a noninteractive digital signature scheme - Recall - Alice must commit to an unpredictable nonce - Bob must give Alice an unpredictable challenge scaler only after he has received her commitment - Hashes can produce the same output when given the same input, but will produce a value indistinguishable from random data when given a different input - With this, Alice can: - Choose her private nonce - Derive her public nonce - Hash the public nonce to get the challenge scalar - Since Alice cannot predict the output of the hash function (the challenge) and because it is always the same for the same input (i.e. nonce), we ensure Alice gets a random challenge even though she chooses the nonce and hashes it herself - We no longer need interaction from Bob - She can simply publish her public nonce $kG$ and scalar $s$, and each of the thousands of nodes (past and future) can hash $kG$ to produce $e$, and use that to produce $exG$ - And then finally verify $sG==kG+exG$ - ==The part where Alice proves she knows private key $x$ comes in her publishing== $s\,\,!!!$ - ==Wait but if she publishes $s$ after already hashing and finding $e$ do we not run into the same problem as before? Where she can edit the other variables to ensure the condition is fulfilled?== - ==NO BECAUSE $e$ comes after creating $kG$== - Then, the full nodes can hash $kG$ to produce $e$ and then find all the variables which are necessary to check the $==$ condition - Explicitly - $sG==kG+\text{hash}(kG)\cdot xG$ - We need one other thing to finish converting the "interactive schnorr identity protocol" into a "digital signature protocol" useful for Bitcoin - We do not just want Alice to prove that she knows the private key - We want to give Alice the ability to commit to a message - Specifically, we want her to commit to the data related to the Bitcoin transaction she wants to send - With the Fiat-Shamir transform, we already have a commitment, so we can simply have it additionally commit to the message - Instead of $\text{hash}(kG)$ we now also commit to the message $m$ using $\text{hash}(kG||m)$ - ==Is the space of all possible values $kG$ too small or why do we need to commit the message here additionally?== - This is now a version of the schnorr signature protocol, but there is one more Bitcoin-specific concern - Recall: - Consider public key $kG$, it is possible to create a derived key pair called a *child key pair* by simply adding the same value to both sides of the equation - $K+(123\cdot G)==(x+123)G$ - An interesting consequence is that adding $123$ to the public key can be done using *entirely public information* - Alice creates and gives public key $K$ to Bob, where he can add any value to it to produce a *derived public child key* - If he then tells Alice the value he added to $K$, she can add that same value to $x$ to produce a *derived private child key* which corresponds to the public child key Bob created - i.e. it is possible to create child public keys even if you don't know anything about the parent private key - The value added is the *key tweak* - In BIP32 key derivation, we take a public key and add it to a nonsecret value to produce a derived public key - This means it is also possible to add that nonsecret value to a valid signature for one key, to produce a signature for a related key - That related signature is *valid* but *not authorized* by the person possessing the private key - Major security failure - To protect BIP32 unhardened derivation and also support several protocols, people wanted to build on top of schnorr signatures to create BIP340 schnorr signatures for secp256k1 - These signatures also commit to the public key being used in addition to the public nonce and the message - Full commitment - Committing to the public key used to sign the transaction, so that anyone who adds the nonsecret value to this public key to create a derived public key, cannot create an unauthorized signature - Because we can see that the original public key (not the derived one) $xG$ was committed as it takes an argument in the hash - $\text{hash}(kG||xG||m)$ **Defining the Protocol** - We have defined each part of the BIP340 schnorr signature algorithm, let us now define the protocol - Multiplication of integers are performed modulus $p$ - Alice chooses a large random number $x$ as her private key - Either directly or by using a protocol like BIP32 to deterministically generate a private key from a large random seed value - She uses the parameters defined in secp256k1 to multiply the generator $G$ by her scalar $x$ and produces $xG$ - She gives her public key to everyone who will later authenticate her Bitcoin transactions - e.g. by having $xG$ included in a transaction output - When she is ready to spend, she begins generating her signature 1. Alice chooses a large random private nonce $k$ and derives the public nonce $kG$ 2. She chooses her message $m$ (e.g. transaction data) and generates the challenge scalar $e=\text{hash}(kG||xG||m)$ 3. She produces the scalar $s=k+ex$ - Both values $kG$ and $s$ are her signature - She gives this signature to everyone who wants to verify it - She needs to ensure everyone receives her message $m$ - In Bitcoin this is done by including her signature in the witness structure of her spending transaction 4. The verifiers (e.g. full nodes) use $s$ to derive $sG$ and then verify that $sG==kG+\text{hash}(kG||xG||m)xG$ - If the equation is valid, Alice proved that she knows her private key $x$ without revealing it, and committed to the message $m$ containing the transaction data **Serialization of Schnorr Signatures** - A schnorr signature consists of $2$ values: $kG$ and $s$ - $kG$ is a point on secp256k1 and is represented by the x-coordinate - $s$ is a scalar, which for secp256k1 can never be more than $32$ bytes long - Although both $kG$ and $s$ can sometimes be values that can be represented with fewer than $32$ bytes, its improbable that they'd be much smaller than 32 bytes, so they are serialized as two 32 byte values - Values smaller than 32 bytes have leading zeros - They are serialized in the order of $kG$ and then $s$, producing exactly 64 bytes - The taproot soft fork (v1 segwit) introduced schnorr signatures to Bitcoin and is the only way they are used in Bitcoin - When used with either taproot keypath or scriptpath spending, a 64 byte schnorr signature is considered to use the default signature hash (sighash) that is `SIGHASH_ALL` - If an alternative sighash is used or if the spender wants to waste space to explicitly specify `SIGHASH_ALL`, a single additional byte is appended to the signature that specifies the signature hash, making it 65 bytes - Considerably more efficient that the serialization used for ECDSA signatures **Schnorr-based Scriptless Multisignatures** - In the single signature schnorr protocol, Alice uses a signature $(kG,s)$ to publicly prove her knowledge of her private key (which we call here $y$) - Imagine Bob has a private key $z$ and he wants to work with Alice to prove that they know $x=y+z$ without either of them revealing their private key - The following protocol is simplified and insecure - Alice and Bob need to derive the public key for $x$ which is $xG$ - They start by Alice deriving $yG$ and Bob $zG$ - They add to create $xG=yG+zG$ - The point $xG$ is their *aggregated public key* - They begin their multisignature protocol 1. They each individually choose a large private nonce $a$ and $b$ and derive public nonces $aG$ and $bG$ to produce $kG=aG+bG$ 2. They agree on the message to sign, $m$ and each generates a copy of the challenge scalar $e=\text{hash}(kG||xG||m)$ 3. Alice produces the scalar $q=a+ey$ and Bob produces the scalar $r=b+ez$, in order to combine $s=q+r$ to create a combined signature $(kG,s)$ - Alice and Bob have proven that they know the sum of their private keys without either of them revealing their private key to the other or anyone else - This protocol has several security problems - Most notable is that one party may learn the public keys of the other parties *before* committing to their own public key - e.g. *key cancellation attack* - Alice generates her public key $yG$ and shares it with Bob - Bob generates his public key as $zG-yG$, which when combined creates $zG$ - Now Bob can create a valid signature without any assistance from Alice - Ways to solve the key cancellation attack - The simplest scheme would be to require each participant to commit to their part of the public key *before* sharing anything about that key with all other participants - e.g. Alice and Bob each individually hash their public keys and share their digests with each other - When they both have the other's digest, they can share their keys - They individually check each other's key hashes to the previously provided digest and then proceed with the protocol normally - This prevents either of them from choosing a public key which cancels out the keys of other participants - However, it is easy to fail to implement this scheme correctly, such as using it in a naïve way with unhardened BIP32 public key derivation - Additionally it adds an extra step for communication between participants - There are also a number of attacks possible against nonces - Recall the purpose of the nonce is to prevent anyone from being able to use their knowledge of other values in the signature verification equation to solve for your private key - Thus, you must use a different nonce every time you sign a different message or change other signature parameters - There is no single protocol to recommend in all cases - MuSig - MuSig2 - Best multisignature protocol for most cases - MuSig-DN **Recall** - *Script-Based* Multisignatures vs *Scriptless* Multisignatures - The difference lies in how they implement the requirement for multiple parties to sign a Bitcoin transaction and how these implementations affect privacy, efficiency, and scalability - Script-Based - The most common example is the `OP_CHECKMULTISIG` opcode which requires multiple public keys and a specific number of valid signatures to unlock the funds - e.g. 2-of-3 multisignature transaction - `<2> <Pub Key 1> <Pub Key 2> <Pub Key 3> <3> <OP_CHECKMULTISIG>` - Characteristics - All public keys involved in the multisignature and the number of required signatures are visible on-chain - Reduces privacy because observers can see the structure of the multisignature - Each public key and signature must be included in the transaction which increases its size and the transaction fees - On-chain data grows linearly with the number of participants - It is easy to distinguish multisignature transactions from single-signature transactions on the blockchain $\rightarrow$ reducing privacy - Scriptless - Implemented using cryptographic techniques such as Schnorr signatures *without* relying on Bitcoin Script - Instead of listing all public keys and signatures, scriptless multisignatures aggregate them into a single combined public key and single combined signature - This aggregation makes the transaction look like a standard single-signature transaction - Characteristics - Only a single aggregated public key and signature appear on-chain - The aggregated public key signature results in a smaller transaction size, reducing fees - e.g. Scriptless 2-of-3 Multisignature - A scriptless multisig aggregates - The $3$ public keys into $1$ key - The $2$ signatures into $1$ signature - Note: The book calls these *scriptless threshold signatures* instead of *scriptless multisignatures* **Schnorr-based Scriptless Threshold Signatures** - Scriptless multisignature protocols only work for $k$-of-$k$ signing - Everyone with a partial public key that becomes part of the aggregated public key must contribute a partial signature and a partial nonce to the final signature - However, sometimes participants only want a subset $t$-of-$k$ for threshold $t$ - i.e. *threshold signature* - Just as scriptless multisignatures save space and increase privacy compared to scripted multisignatures, *scriptless threshold signatures* save space and increase privacy compared to *scripted threshold signatures* - To anyone not involved in the signing, a scriptless threshold signature looks like any other signature that could have been created by a single-signature or through a scriptless multisignature protocol - Various methods are known for generating scriptless threshold signatures - The simplest being a slight modification of how we created scriptless multisignatures previously - This protocol also depends on verifiable secret sharing (which itself depends on secure secret sharing) - Basic secret sharing can work through simple splitting - Alice has a secret number that she can split into $3$ equal-length parts and shares with Bob, Carol, and Dan - They can combine the partial numbers they received (i.e. shares) in the correct order to reconstruct Alice's secret - A more sophisticated scheme would involve Alice adding on some additional information to each share, called a correction code which allows any two of them to recover the number - This scheme is not secure because each share gives its holder partial knowledge of Alice's secret, making it easier for the participant to guess Alice's secret than a nonparticipant who did not have a share - Secure secret sharing schemes prevent participants from learning anything about the secret unless they combine the minimum threshold number of shares - The best known secret sharing algorithm is *Shamir's Secret Sharing Scheme* - In scriptless threshold signature schemes, it is critical for Bob, Carol, and Dan to know that Alice followed her side of the protocol correctly - They need to know that the shares she creates all: - Derive from the same secret - That she used the threshold value she claims - That she gave each of them a different share - A protocol which accomplishes all of this and still a secure secret sharing scheme, is a *verifiable secret sharing scheme* - To see how multisignatures and verifiable secret sharing work for Alice, Bob, and Carol, imagine they each wish to receive funds that can be spent by any $2$ of them - They collaborate using a Schnorr scriptless multisignature to produce a regular multisignature public key to accept the funds i.e. $k$-of-$k$ - Then, each participant derives $2$ secret shares from their private key - One for each of two of the other participants - The shares allow any $2$ of them to reconstruct the originating partial private key for the multisignature - Each participant distributes $1$ of their secret shares to the other $2$ participants, resulting in each participant storing - Their own partial private key - + one share for every other participant - Subsequently, each participant verifies the authenticity and uniqueness of the shares they received compared to the shares given to other participants - Later on, when e.g. Alice and Bob want to generate a scriptless threshold signature without Carol's involvement, they exchange the $2$ shares they possess for Carol - This enables them to reconstruct Carol's partial private key - Alice and Bob also have their private keys, allowing them to create a scriptless multisignature with all $3$ necessary keys **Things to be Aware About** - When considering a Scriptless threshold signature protocol - The scriptless threshold signature scheme just described is the same as a scriptless multisignature scheme, *except* that a threshold number of participants have the ability to reconstruct the partial private keys of any other participants who are unable or unwilling to sign - No Accountability - Because Alice and Bob reconstruct Carol's partial private key, there can be no fundamental difference between a scriptless multisignature produced by a process that involved Carol and one that did not - Even if Alice, Bob, or Carol claim that they did not sign, there is not guaranteed way for them to prove they did not help produce the signature - If it is important to know which members of the group signed, you will need to use a script - Manipulation Attacks - Imagine that Bob tells Alice that Carol is unavailable, so they work together to reconstruct Carol's partial private key - Then, Bob tells Carol that Alice is unavailable, so they work together to reconstruct Alice's partial private key - Now, Bob has his own partial private key + the keys of Alice and Carol, allowing him to spend the funds himself without their involvement - This attack can be addressed if all of the participants agree to only communicate using a scheme that allows any one of them to see all the other's messages - e.g. if Bob tells Alice that Carol is unavailable, Carol is able to see that message before she begins working with Bob - Other solutions are being researched - No scriptless threshold signature protocol has been proposed as a BIP yet, although significant research into the subject has been performed by multiple Bitcoin contributors - Peer-reviewed solutions are expected to become available after the publication of this book (2023) **ECDSA Signatures** - Unfortunately Claus Schnorr patented the algorithm and prevented its use in open standards and open source software for almost 2 decades - Thus cryptographers in 1990s developed an alternative construction called the Digital Signature Algorithm (DSA) with a version adapted to elliptic curves called ECDSA - ECDSA and standardized parameters for suggested curves could be used with what were widely implemented cryptographic libraries at the time Bitcoin began in 2007 - Thus ECDSA was the only digital signature protocol that Bitcoin supported from its first release version until the activation of *taproot* soft fork in 2021 (though it still remains supported) - Differences to Schnorr signatures - More complex - ECDSA requires more operations to create or verify a signature - Less provable security - The interactive schnorr signature identification protocol depends only on the strength of the elliptic curve Discrete Logarithm Problem (ECDLP) - The non-interactive authentication protocol used in Bitcoin also relies on the random oracle model (ROM) - Recall: ROM is a theoretical construct used in cryptography to model hash functions as if they were ideal, perfectly random functions - However, ECDSA's extra complexity has prevented a complete proof of its security being published - Unlikely that after 30 years that ECDSA will be proven only to require the same $2$ assumptions as schnorr - Nonlinear - ECDSA signatures cannot be easily combined to create scriptless multisignatures or used in related advanced applications, such as multiparty signature adaptors - There are workarounds for this problem but they involve additional extra complexity that significantly slows down operations and which, in some cases, has resulted in software accidentally leaking private keys **ECDSA Algorithm** - $F_{\text{sig}}$ produces a signature composed of $2$ values 1. in ECDSA, those values are $R$ and $s$ 2. The signature first generates private nonce $k$ and derives from it a public nonce $K$ 3. The $R$ value is then the x-coordinate of the public nonce $K$ 4. From there, the algorithm calculates the $s$ value of the signature - $s=k^{-1}(\text{hash}(m)+xR)\,\,\text{mod}\,\,p$ 5. Verification is the inverse of the signature generation function, using the $R,s$ values and the public key to calculate a value $K$ which is a point on the elliptic curve i.e. public nonce used in signature creation - $K=s^{-1}\text{hash}(m)G+s^{-1}RX \,\,\text{mod}\,\, p$ 6. If the x-coordinate of the calculated point $K$ is equal to $R$ then the verifier can conclude that the signature is valid - Variables - $k$ private nonce - $K$ public nonce - $R$ x-coordinate of the public nonce - $x$ Alice's private key - $X$ Alice's public key - $m$ transaction data - $G$ elliptic curve generator point **Serialization of ECDSA Signatures - DER** ![[Pasted image 20241223172517.png]] - This signature is a serialized byte stream of the $R$ and $s$ values produced by the signer to prove control of the private key authorized to spend an output - The serialization format consists of $9$ elements: 1. $30$ - Indication of start of DER sequence 2. $45$ - Length of the sequence (69 bytes) - Total length of the signature data 3. $02$ - Integer value follows - Indicates the start of the $R$ component 4. $21$ - Length of the integer (33 bytes) - The length of the $R$ component 5. $R$ - $\text{00884d1...4ae24cb}$ 6. $02$ - Integer value follows - Indicates the start of the $s$ component 7. $20$ - Length of the integer (32 bytes) - The length of the $s$ component 8. $s$ - $\text{4b9f039...f6e3813}$ 9. $01$ - Suffix indicating the type of hash used (`SIGHASH_ALL`) **The Importance of Randomness in Signatures** - We saw in Schnorr and ECDSA that the algorithm uses a random number $k$ as a basis for a private/public nonce pair - The value of $k$ is not important as long as it is *random* - If the same value $k$ is used in the signing algorithm on $2$ different transactions, the private key can be calculated and exposed to the world - This can happen with an improperly initialized random number generator - To avoid this vulnerability, industry best practice is not to generate $k$ with a random number generator seeded *only with entropy* - Instead, use a process seeded in part with the transaction data itself + the private key being used to sign - This ensures that each transaction produces a different $k$ - The industry standard algorithm for deterministic initialization of $k$ for ECDSA is defined in $\text{RFC6979}$ by the Internet Engineering Task Force - For Schnorr signatures, $\text{BIP340}$ recommends a default signing algorithm - $\text{BIP340}$ and $\text{RFC6979}$ can generate $k$ entirely deterministically, meaning the same transaction data will *always* produce the *same* $k$ - Many wallets do this because it makes it easy to write tests to verify their safety-critical signing code is producing $k$ values correctly - They both also allow including additional data in the calculation - Rather if that data is entropy, then a different $k$ will be produced even if the exact same transaction data is signed - This can increase protection against side-channel and fault-injection attacks - Side-channel attacks exploit information leaked during the execution of cryptographic operations - Fault injection attacks involve deliberately inducing errors in a system to observe how it behaves under faulty conditions - i.e. in environments where high-quality entropy sources are not available, non-deterministic RNGs might produce weak or predictable outputs **Segregated Witness' New Signing Algorithm** - Signatures in Bitcoin transactions are applied on a *commitment hash* - Which is calculated from the transaction data, locking specific parts of the data indicating the signer's commitment to those values - e.g. in a `SIGHASH_ALL` type signature, the commitment hash includes all inputs and outputs - Unfortunately, the way the legacy commitment hashes were calculated introduced the possibility that a node verifying a signature can be forced to perform a significant number of hash calculations - Specifically, the hash operations increase roughly quadratically $\sim(\text{no. inputs in transaction})^{2}$ - An attacker could thus create a transaction with a very large number of signature operations, causing the entire Bitcoin network to perform thousands of hash operations to verify the transaction - DoS - SegWit represented an opportunity to address this problem by changing the way the commitment hash is calculated - For SegWit v0 witness programs, signature verification occurs using an improved commitment hash algorithm as specified in BIP143 - $\mathcal{O}(n)$ to the number of signature operations **Conclusion** - We learned about Schnorr and ECDSA signatures for Bitcoin - This explains how full nodes authenticate transactions to ensure that only someone controlling the key to which bitcoins were received can spend those bitcoins - We examined several advanced applications of signatures such as: - Scriptless multisignatures - Scriptless threshold signatures - Which can be used to improve the efficiency and privacy of Bitcoin - We have learned up to now how to create transactions, how to secure them with authorization and authentication, and how to sign them - Next we will learn how to encourage miners to confirm them by adding fees to the transactions we create