Using ECC for (Multi-)Signatures

Math-powered methods for proving message authenticity, sounds great, doesn't it?

04/12/2024 · 10 min read · sapling 🪴

Info

I am not a cryptographer, nor a mathematician. This article is the result of my own research and understanding of the subject. If you find any mistakes, please let me know!

The vast majority of what is written here is taken from various sources, which are listed at the end of this article. I highly recommend you to read them if you want to dive deeper into the subject.

Elliptic curves may not write your emails, but they can help prove you sent them. Our goal is to output a signature (r, s) (r, s) for a given message , so that the recipient can verify that the sender is authentic. The sender’s keys are (p, P) (p, P) , with the private key, and the public one.

ECDSA Signatures

Let’s take a look at the Elliptic Curve Digital Signature Algorithm (ECDSA).

Compute the hash where is any cryptographic hash function (e.g. SHA-256).
Generate a random number in in the current subgroup.
Calculate the associated random point on the curve , with a generator, with the -coordinate of this point.
Calculate the signature , where is the modular inverse of .

By sending (r, s) (r, s) , you confirm you know:

The content of the message
The private key associated to

The verifier may follow this procedure to check if the message that he received along with (r,s) (r,s) is authentic:

Compute the hash with the same cryptographic hash function defined before.
Calculate the modular inverse of :
Recover the random point used in the signature process:
Check whether , if so, then the message is authentic.

To prove this works, let’s start with the definition of the signature :

$& s = k^(-1) dot (h + x_K dot p) \ <==>& s dot$ $& s = k^(-1) dot (h + x_K dot p) \ <==>& s dot$

Incorporate (a) (a) into :

$K &= h S dot G + r S dot P \ &= h s^(-1) dot G +$ $K &= h S dot G + r S dot P \ &= h s^(-1) dot G +$

Which is just our definition of when generating the signature.

Cool Kids Public Key Recovery

Let’s suppose you are talking through a Tin can telephone with your friend and every byte you send matters. You don’t want to send the public key along with the signature (r, s) (r, s) because that’s just too much data. Instead, you can recover the public key from the signature and the message.

Given x_K x_K , there are typically two candidate points K'_i K'_i that fit. And since we know that K = h S dot G + r S dot P , which we just verified works, it can be rearranged to isolate the public key :

$K'_i &= h S dot G + r S dot P_i \ <==> P_i &=$ $K'_i &= h S dot G + r S dot P_i \ <==> P_i &=$

To choose which one is the correct one, we need to verify the signature with each P_i P_i :

$K_i = h S dot G + r S dot P_i = (x_K, y_K) \ x_K =$ $K_i = h S dot G + r S dot P_i = (x_K, y_K) \ x_K =$

This ambiguity is often removed by adding a single bit b in {0,1} into the signature message: (r, s, b)

Schnorr Signatures

Schnorr signatures are a bit like ECDSA, but faster and simpler. We are going to use the same keys (p, P) (p, P) as before, with the private key and the public one. We’ll first see the procedure and then discuss the mathematical proof of why this works.

Sample a random nonce

What the hell is ZZ_n

The set ZZ_n ZZ_n is a cyclic group of integers, isomorphic to the quotient group ZZ slash n ZZ . It is basically just the set of integers modulo .

$ZZ_n = {0, 1, 2, ..., n-1}$ $ZZ_n = {0, 1, 2, ..., n-1}$

In our case, is the order (how many points are in) of the subgroup generated by . If the curve’s cofactor is 1, then is the order of the curve. If is not 1, the order is n/h = "ord"(G)

Multiply it by the generator:
We can now compute the challenge
And the signature:

The final signature is (R, s) (R, s) .

Once the signature has been emitted, verifying it is as easy as checking:

To know , the verifier needs to know the message , the public key . In some cases, you might not need to include the public key into the challenge and simply hash e = H(R || m) .

Why it Works

There isn’t really a proof needed for the verifying step as it’s just factoring out , but here you are:

$& s dot G = R + e P \ <==>& s dot G = underbra$ $& s dot G = R + e P \ <==>& s dot G = underbra$

One trickier part is to explain why we are adding a random nonce to both the signature and the challenge. This value has to be sampled randomly and must not be reused. If it is, the private key can be recovered. Let’s first take the case where no is used:

$& s = e p \ <==>& p = s^(-1) e$ $& s = e p \ <==>& p = s^(-1) e$

Recovering the private key is as simple as multiplying the challenge by the modular inverse of . Not good.

Now, let’s take the case where is reused, with two messages m_1 m_1 and m_2 m_2 , along with their respective signatures (R, s_1) and (R, s_2) :

Combining (a) (a) and (b) (b) :

$& r = (s_1 - e_1 p) = (s_2 - e_2 p) \ <==>& e_$ $& r = (s_1 - e_1 p) = (s_2 - e_2 p) \ <==>& e_$

You may see as an additional unknown variable that is used to prevent the linear equation system from being solved, because for messages, you have equations and n+1 n+1 unknowns, which is unsolvable in our case.

Aggregating Signatures

Schnorr signatures have the nice property that they can be aggregated, this means that a group of people can sign a message together and the signature can be verified as if it was signed by a single person. Let’s consider our signing group S = {a,b,c} for Alice, Bob and Charlie respectively.

The aggregated nonce is simply the sum of all nonces:

$R &= sum_(i in S) R_i \ &= R_a + R_b + R_c \ &$ $R &= sum_(i in S) R_i \ &= R_a + R_b + R_c \ &$

Likewise for the public key:

$P &= sum_(i in S) P_i \ &= P_a + P_b + P_c \ &$ $P &= sum_(i in S) P_i \ &= P_a + P_b + P_c \ &$

Each of them computes the challenge along with the final signature s_i s_i with the parameters just agreed upon:

$e = H(R || P || m) \ s_i = e p_i + r_i$ $e = H(R || P || m) \ s_i = e p_i + r_i$

Aggregate again:

The final signature that can be sent to others is (R, s) (R, s) .

Because we are just adding signatures parts together, we can group the nonces and the private keys in our final signature:

$s &= sum_(i in S) s_i \ &= sum_(i in S) (e p_i +$ $s &= sum_(i in S) s_i \ &= sum_(i in S) (e p_i +$

In the verifying step, multiplying each side by :

But wait!

At no point in this procedure, we ever check if the nonces or the public keys provided are honest. What if Charlie provided a malicious key P^*_c P^*_c in the sharing step ? Because everyone doesn’t send their public key at the exact same time, Carol could wait for everyone to send theirs, and compute:

$P^*_c = P_c - P_a - P_b \$ $P^*_c = P_c - P_a - P_b \$

The aggregated key will look like:

$P &= sum_(i in S) P_i \ &= P_a + P_b + P^*_c \$ $P &= sum_(i in S) P_i \ &= P_a + P_b + P^*_c \$

Carol just wiped everyone else from the signing key, and is now in full control of the signature. How can we prevent that ?

Multi-Signatures, don’t trust, verify

The most common way to prevent this is to force everyone to provide a proof that their public key is honest. This is done by providing a Proof of Knowledge for the private key, proving that they know the private key associated to the public key they provided.

Let’s take the case of a prover Patricia and a verifier Victor. Patricia wants to prove that she knows the private key associated to the public key P = p dot G . The proof is done in four steps:

Patricia samples at random and sends to Victor.
Victor sends a challenge to Patricia.
Patricia computes and sends it to Victor.
Victor verifies that .

This works because:

$z &= r + c p \ z dot G &= (r + c p) dot G \$ $z &= r + c p \ z dot G &= (r + c p) dot G \$

But what if Patricia doesn’t know the associated private key but still wants to prove that her key is honest ? Remember commitment schemes ? We can use them here. In our case, every participant will commit to their public key before disclosing it. Think of it as putting your public key in a box, sealing it and waiting for everyone to do the same before opening it. Let’s get back to our group S = {a,b,c} :

Each participant hashes their public key and sends to everyone.
Once everyone has sent their hash, they disclose their public key .
Everyone verifies that the hash they received matches the public key.
The signing process continues as usual.

This way, everyone can be sure that the public keys are honest and that no one is trying to pull a fast one.

There’s more!

Random nonces are also aggregated, and at no point we are verifying that they are authentic. The exploit method is a bit trickier, I recommend you to read this article by conduition on the subject if you want to know the details.

References / Suggested readings

Practical Cryptography for Developers - Digital Signatures
Svetlin Nakov
cryptobook.nakov.com
A Dive Into the Math Behind Bitcoin Schnorr Signatures
conduition.io
Wagner’s Birthday Attack - How to Break InsecureMuSig
conduition.io
How to Prove Schnorr Assuming Schnorr: Security of Multi- and Threshold Signatures
Elizabeth Crites, Chelsea Komlo, and Mary Maller
eprint.iacr.org