神刀安全网

Ring Multisignature

In this blog post I explain Ring Multisignature -of- Ring Multisignature anonymous threshold ring signatures, “Ring Multisignatures”. This technique is a straight-forward generalization of a method for n-of-n Schnorr multisignature described to me last summer by Monero Developer TacoTime.

Suppose that a group of Ring Multisignature users wants to create a multisignature address requiring Ring Multisignature of the group to sign in order to spend any funds received, and in such a way that any observer will be unable to determine for certain whether funds have been sent from this address or not, but in such a way that spending funds twice is impossible.

3.1. Setup Phase

First create a shared key for each Ring Multisignature sized subset of the Ring Multisignature users. For a running example suppose Ring Multisignature and Ring Multisignature , I will say that Ring Multisignature are users, and denote their shared keys Ring Multisignature . Now the destination multisignature address Ring Multisignature will be the sum of all of these shared keys. So in our example, Ring Multisignature . Note that at least two users of Ring Multisignature are required to know the private keys belonging to each of the summands, so this results in a Ring Multisignature -of- Ring Multisignature multisignature address.

3.2. Ring Signing

How does one create a ring signature with this type of addresses? Suppose that Ring Multisignature of the Ring Multisignature signers (say Ring Multisignature and Ring Multisignature in the above example) wish to sign a transaction. The shared key in this case is the sum of all Ring Multisignature subset-shared keys, and thus, since Ring Multisignature , each summand in the shared key:

Ring Multisignature

has a private key Ring Multisignature known by at least one of the signers.

Let Ring Multisignature and Ring Multisignature denote cryptographic hash functions returning a scalar and curve point respectively. If signer Ring Multisignature knows the private key Ring Multisignature to summand Ring Multisignature , Ring Multisignature in the above shared key, then to start the signature, they generate a random scalar Ring Multisignature and share Ring Multisignature to the other signers (keeping Ring Multisignature secret). As in a usual ring signature, the signers decide on Ring Multisignature other unspent public keys Ring Multisignature from the block-chain to be partners in the ring with. Furthermore, signer Ring Multisignature will compute Ring Multisignature and the key image of the signature will be Ring Multisignature .

Now, supposing the signers decide on putting their multisignature key at secret index Ring Multisignature , they start the ring signature by computing:

Ring Multisignature

Ring Multisignature

(in the MLSAG setting of RingCT these computation are carried out in each row of the signature) with Ring Multisignature and

Ring Multisignature

The ring signature proceeds as in the usual MLSAG fashion (c.f. RingCT ), for each index Ring Multisignature the signers choose a random scalar Ring Multisignature and compute

Ring Multisignature

Ring Multisignature

and

Ring Multisignature

stopping after Ring Multisignature has been computed.

Finally, using the relation:

Ring Multisignature

each signer computes (without revealing Ring Multisignature )

Ring Multisignature

where Ring Multisignature is the order of the underlying field. The final Ring Multisignature is then the sum of the Ring Multisignature ,

Ring Multisignature

If there are other inputs, the MLSAG apparatus allows for these other inputs in other rows of the MLSAG with no changes from RingCT , and verification of the above signature, which consists of the key-image Ring Multisignature , the scalars Ring Multisignature , and the Ring Multisignature -th index hash Ring Multisignature proceeds exactly as in RingCT , since the pubkey Ring Multisignature is indistinguishable, to an observer, from any other pubkey.

Note that the Schnorr multisignature described by TacoTime is a special case of the above, with a ring of size Ring Multisignature (having no additional public keys), and in that case, if Ring Multisignature , the shared keys belonged to one user only, or in the case that Ring Multisignature , the shared keys belong to Ring Multisignature users. Thus the above, is really a straight-forward generalization. Furthermore, since Ring Multisignature is chosen randomly, the probablility that Ring Multisignature will be the same in two different signatures is negligible. Thus we avoid the repeated nonce attack which must be specially taken care of in other threshold signature schemes.

Claim 1 In the above scheme describing Ring Multisignature, at least Ring Multisignature of Ring Multisignature signers are needed for a given transaction, and conversely, Ring Multisignature of Ring Multisignature signers can sign a given transaction.

Proof: This is fairly simple: suppose that there are Ring Multisignature signers in the given transaction. If the claim holds for Ring Multisignature , then it clearly holds for smaller Ring Multisignature , so without loss of generality, assume Ring Multisignature . We may clearly assume that Ring Multisignature is at least two. Note that given a set of Ring Multisignature integers, there is clearly a subset of size Ring Multisignature elements not containing any given Ring Multisignature elements (namely the complement of those Ring Multisignature elements). Thus it follows that at least Ring Multisignature signers are needed, since each summand in the pubkey is a shared key among Ring Multisignature signers.

Conversely, if there are at least Ring Multisignature distinct signers, then any subset of the Ring Multisignature signers size Ring Multisignature distinct must clearly intersect with the signers, so all of the summands have a secret key known to the signers. Ring Multisignature

The hash of our eprint draft, which will be posted shortly to eprint.iacr, after being checked again for grammatical errors and such.

转载本站任何文章请注明:转载至神刀安全网,谢谢神刀安全网 » Ring Multisignature

分享到:更多 ()

评论 抢沙发

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
分享按钮