Rust implementation of multi-party Schnorr signatures over elliptic curves.

Overview

Build Status License: GPL v3

Multi Party Schnorr Signatures

This library contains several Rust implementations of multi-signature Schnorr schemes. Generally speaking, these schemes can be classified into:

  1. {n,n}-multi-signature scheme. These schemes require that all parties engage in cooperation to issue the signature.
  2. {t,n}-threshold-signature schemes (TSS). These schemes require that any subset of at least t+1 parties engage in cooperation to issue a valid signature.

Different protocol implementation

This repo implements different Schnorr multi-signature schemes. There is tradoffs between these schemes with respect to type, performance, communications rounds and security assumptions. We use abbreviations DLP, ROM, ASM for respectively, discrete log problem, random oracle model, algebraic group model.

protocol Type Rounds Assumptions comments
Boneh, et al.(MuSig) [2] (section 5) {n,n} 3 DLP, ROM fixes the security proof of [1]
Nick, et al.(MuSig2) [3] {n,n} 2 DLP, ROM, AGM improvement on [2]
Micali, et al. [4] {n,n} 3 DLP, ROM
Stinson-Strobl [5] {t,n} 3 DLP, ROM See (*)

(*) For more efficient implementation we used the DKG from Fast Multiparty Threshold ECDSA with Fast Trustless Setup. The cost is robustness: if there is a malicious party out of the n parties in DKG the protocol stops and if there is a malicious party out of the t parties used for signing the signature protocol will stop

Disclaimers:

(1) This code should not be used for production at the moment.

(2) This code is not secure against side-channel attacks

(3) The code does not contain a network layer (if you are interested, check white-city for ongoing effort, contribtutions are welcome)

Contact

Feel free to reach out or join the ZenGo X Telegram for discussions on code and research.

License

The library is released under the terms of the GPL-3.0 license. See LICENSE for more information.

References

[1] https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/simple_schnorr_multi_signatures_with_applications_to_bitcoin.pdf

[2] https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/compact_multi_signatures_for_smaller_blockchains.pdf

[3] https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/musig2_simple_two_round_schnorr_multi_signatures.pdf

[4] https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/accountable_subgroups_multisignatures.pdf

[5] https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/provably_secure_distributed_schnorr_signatures_and_a_threshold_scheme.pdf

Comments
  • Wagner's k-sum attack

    Wagner's k-sum attack

    If I understand, your code implements two round Schnorr multi-signature, much as https://github.com/KZen-networks/multi-party-schnorr/blob/master/papers/accountable_subgroups_multisignatures.pdf describes.

    There is a somewhat viable forgery attack against all known two round Schnorr threshold/multi/etc. signatures given in https://eprint.iacr.org/2018/417.pdf that works by doing a roughly 2^40 computation while holding open 127 parallel signing queries.

    We've an approach for a fix, but so far failed to prove security. We're still recommending the three round trip version as implemented in https://github.com/w3f/schnorrkel/blob/master/src/musig.rs but maybe that'll change in 2020 if we fix our fix. ;)

    As an aside, you should manage MPCs with session types that encode the protocol's security requirements when using Rust, because even highly skilled developers routinely miss-use MPC libraries. These session types cannot be cloned, copied, serialized, etc. and can only be either dropped or consumed by value when advancing the state machine, like in https://github.com/w3f/schnorrkel/blob/master/src/musig.rs#L403

    opened by burdges 9
  • Possibility of using with zilliqa-js-sdk?

    Possibility of using with zilliqa-js-sdk?

    Hello,

    I want to demonstrate TSS for Zilliqa and not sure about how plausible it is. I understand that it is now possible to compile Rust to webassembly and then it could be used in the same environments as the zilliqa-javascript-sdk. Is this presently practical to attempt or request? I am experienced with c/c++ but not rust or webassembly. How will developers use the TSS scheme with Zilliqa as it stands? There is no Rust sdk.

    opened by csajedi 4
  • Refactoring and Suggestions

    Refactoring and Suggestions

    This PR includes changes from https://github.com/KZen-networks/multisig-schnorr/pull/8 with in addition a rebase from master and removal of compiler warnings.

    opened by gbenattar 3
  • what is the EphemeralKey?

    what is the EphemeralKey?

    I'm still learning about MuSig so sorry if this is obvious but I'm wondering what the Ephemeral Key is and if its part of the MuSig spec or an implementation detail. Also, what is the difference in using EphemeralKey::create_from_private_key over EphemeralKey::create, is there any reason to use one over the other?

    opened by Kelbie 2
  • Suggestion to optimize borrowing and change formatting.

    Suggestion to optimize borrowing and change formatting.

    • Changed every ownership take that was unnecessary with borrowing.

    • Changed every unnecessary cloning with ownership take (it's better to let the caller of a function decide if he still needs the variable and should clone or not and just give ownership).

    • Replaced every &Vec<T> with &[T], This way even if the caller doesn't have a vector he can still pass it to the function and if he does have a vector he can just use [..]

    • Formatted some parts to be more rust idiomatic

    opened by elichai 2
  • modifications for Zilliqa-Schnorr multi-party wrapper

    modifications for Zilliqa-Schnorr multi-party wrapper

    Support of new types and trait implementations to make wrapper implementations more straight forward. Wrapper implementations take this repo and wrap it with the needed multi-party communication. Changes specifically refer to Zilliqa Schnorr.

    opened by oleiba 0
  • update readme file

    update readme file

    please update the readme file to :

    1. provide references https://eprint.iacr.org/2018/068.pdf and https://eprint.iacr.org/2018/483.pdf
    2. add disclaimer that this code should not be used in production for now
    3. add disclaimer that this code is not secure under non-cryptographic attacks. i.e. side channels
    opened by omershlo 0
  • Second round is unnecessary

    Second round is unnecessary

    If, in the first round each party uses a proof of knowledge of secret key, the second round where signers verify the commitment - which is necessary to prevent a rogue key attack - is not needed. In addition, there's no need to use each of the signer's public keys in the hash.

    Instead a precomputed aggregate public key can be used for a given set of signers and a given threshold. Since proof of secret key was used during the establishment of this aggregate, it cannot be pre-selected, and is sufficient to use in the subsequent digest computations.

    Finally, it is often desirable for signature schemes to be "malleable" (each message gets a unique sig), and others to be "fixed", (the signature corresponding to a given message is deterministic).

    Such a library should allow for both scenarios.

    opened by earonesty 23
  • Fix generating wrong e value when the message bytes start with

    Fix generating wrong e value when the message bytes start with "00" byte

    This PR fixes issue #35

    The sha256 hash function which is used in schnorr signature generation receives inputs as BigInt value. But the BigInt value eliminate head bytes if it is zero. So that, the output of hash function was wrong. This commit changes the message into BigInt array for each byte of the message.

    It also include changing zilliqa part. But i don't know much about zilliqa, so I wonder if it is ok.🤔

    P.S.

    BIP-340 computes e from x coordinate of R and P at present. I think that this change should be applied to not only message but also R and P when updating this library to latest bitcoin schnorr specification.

    I'm wondering if there are something i don't know... but I thought current create_hash signature such as receiving reference of BigInt slice is not good so much because it leads kind of this issue.

    Thank you for your support 😄 @omershlo .

    opened by rantan 13
  • Wrong local sig is generated, when the first byte of a hash input is 0.

    Wrong local sig is generated, when the first byte of a hash input is 0.

    Current LocalSig generation code in src/protocols/thresholdsig/bitcoin_schnorr.rs uses a hash function which get input values as BigInt. However, if the first bytes of input is 0, the BigInt omit the 0. So the final hash value is going to be wrong.

    I tried to create signature with this crate and i got some wrong signatures. It couldn't be verified on other schnorr signature verification code like this.

    This is a simple test case for the hash function. The assertion is failure.

    extern crate curv;
    extern crate sha2;
    extern crate hex;
    
    #[test]
    fn test_hash() {
        let message: Vec<u8> = vec![0, 1];
    
        let target = {
            use curv::cryptographic_primitives::hashing::hash_sha256::HSha256;
            use curv::cryptographic_primitives::hashing::traits::Hash;
            use curv::BigInt;
            use curv::arithmetic::traits::Converter;
    
            let big_int = BigInt::from(&message[..]);
            HSha256::create_hash(&[&big_int]).to_hex()
        };
    
        let expected = {
            use sha2::Sha256;
            use sha2::Digest;
    
            let mut hasher = Sha256::new();
            hasher.input(&message);
            hex::encode(hasher.result())
        };
    
        assert_eq!(target, expected);
    }
    

    I think that the signature compute code should use other hash function implementation or fix it.

    opened by rantan 10
  • Compare to Schnorrkel

    Compare to Schnorrkel

    https://github.com/w3f/schnorrkel is based on ristretto curve and implements MuSig. multi-party-schnorr can also use Ristretto and MuSig is implemented. It will be interesting to compare both implementations.

    cc: @burdges

    good first issue 
    opened by omershlo 3
Releases(v0.4.4)
Owner
[ZenGo X]
Threshold cryptography for blockchains. Projects with "city" in name are work in progress.
[ZenGo X]
Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures.

Key Management System (KMS) for curve Secp256k1 Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures. Introdu

[ZenGo X] 61 Dec 28, 2022
Elliptic-curves - Collection of pure Rust elliptic curve implementations (e.g. P-256, P-384, secp256k1)

RustCrypto: Elliptic Curves General purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic cu

Rust Crypto 386 Dec 27, 2022
Bulletproofs and Bulletproofs+ Rust implementation for Aggregated Range Proofs over multiple elliptic curves

Bulletproofs This library implements Bulletproofs+ and Bulletproofs aggregated range proofs with multi-exponent verification. The library supports mul

[ZenGo X] 62 Dec 13, 2022
Schnorr VRFs and signatures on the Ristretto group

schnorrkel Schnorrkel implements Schnorr signature on Ristretto compressed Ed25519 points, as well as related protocols like HDKD, MuSig, and a verifi

Web3 Foundation 252 Dec 21, 2022
Two-party and multi-party ECDSA protocols based on class group with Rust

CG-MPC-ECDSA This project aims to implement two-party and multi-party ECDSA protocols based on class group with Rust. It currently includes schemes de

LatticeX Foundation 16 Mar 17, 2022
Cryptle: a secure multi-party Wordle clone with Enarx

Cryptle: a secure multi-party Wordle clone with Enarx Wordle is a popular web-based game, where a single player has to guess a five-letter word in six

Nick Vidal 2 May 9, 2022
User-friendly secure computation engine based on secure multi-party computation

CipherCore If you have any questions, or, more generally, would like to discuss CipherCore, please join the Slack community. See a vastly extended ver

CipherMode Labs 356 Jan 5, 2023
Rust implementation of {t,n}-threshold ECDSA (elliptic curve digital signature algorithm).

Multi-party ECDSA This project is a Rust implementation of {t,n}-threshold ECDSA (elliptic curve digital signature algorithm). Threshold ECDSA include

[ZenGo X] 706 Jan 5, 2023
Basis Spline Fun(ctions) and NURBS Curves / Surfaces

bsfun Basis Spline Fun(ctions) This is a super simple Rust library for working with basis splines and NURBS (Non-Uniform Rational B-Splines) with zero

null 5 May 14, 2023
Implementation of the BLS12-381 pairing-friendly elliptic curve group

bls12_381 This crate provides an implementation of the BLS12-381 pairing-friendly elliptic curve construction. This implementation has not been review

Zero-knowledge Cryptography in Rust 183 Dec 27, 2022
A pairing-based threshold cryptosystem for collaborative decryption and signatures used in HoneybadgerBFT implementation

threshold_crypto A pairing-based threshold cryptosystem for collaborative decryption and signatures. The threshold_crypto crate provides cryptographic

null 166 Dec 29, 2022
X25519 elliptic curve Diffie-Hellman key exchange in pure-Rust, using curve25519-dalek.

x25519-dalek A pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek. This

dalek cryptography 252 Dec 26, 2022
Elliptic curve cryptography on Soroban.

Elliptic Curve Cryptography on Soroban Contract examples and reusable primitives. Groth 16 verifier. This crate provides a SorobanGroth16Verifier obje

Xycloo Labs 5 Feb 10, 2023
Private key finder based on the (Bitcoin) secp256k1 elliptic curve.

keyripper keyripper is a powerful tool developed in Rust to assist in the recovery of Bitcoin private keys by leveraging the Baby-Step Giant-Step (BSG

Denzy 12 Sep 27, 2024
BLS Signatures in Rust

BLS Signatures Implementation of BLS signatures in pure Rust. Development BLST Portability To enable the portable feature when building blst dependenc

Filecoin 50 Dec 25, 2022
NIST P-256 signatures for Cortex-M4 microcontrollers

nisty NIST P256 signatures for Cortex-M4 microcontrollers What is this? Sometimes NIST P256 signatures need to be used. This is an attempt to create a

null 13 Mar 14, 2021
Generates Solidity code to verify EIP-712 style signatures

eip712 Generates Solidity code to verify EIP-712 style signatures. Usage First, create an abstract contract implementing the functionality you want: /

Sam Wilson 11 Dec 22, 2022
A tool to optimize your Solidity function signatures.

sigop A CLI tool to optimize your Solidity function signatures. I wanted to create this after seeing transmissions11's comment about this optimization

Quartz Technology 11 Nov 24, 2022
A tool for quickly collecting function selectors and decoding signatures from on-chain EVM bytecode.

Overview | Disclaimer | Tests | Installation | Usage | Examples | Aknowledgements | License Overview Sigmund provides a CLI that allows users to colle

wavefnx 46 Jul 22, 2024