Cryptology ePrint Archive: Report 2018/068

Simple Schnorr Multi-Signatures with Applications to Bitcoin

Gregory Maxwell and Andrew Poelstra and Yannick Seurin and Pieter Wuille

Abstract: We describe a new Schnorr-based multi-signature scheme (i.e., a protocol which allows a group of signers to produce a short, joint signature on a common message), provably secure in the plain public-key model (meaning that signers are only required to have a public key, but do not have to prove knowledge of the private key corresponding to their public key to some certification authority or to other signers before engaging the protocol), which improves over the state-of-art scheme of Bellare and Neven (ACM-CCS 2006) and its variants by Bagherzandi et al. (ACM-CCS 2008) and Ma et al. (Des. Codes Cryptogr., 2010) in two respects: (i) it is simple and efficient, having only two rounds of communication instead of three for the Bellare-Neven scheme and the same key and signature size as standard Schnorr signatures; (ii) it allows key aggregation, which informally means that the joint signature can be verified exactly as a standard Schnorr signature with respect to a single ``aggregated'' public key which can be computed from the individual public keys of the signers. This comes at the cost of a stronger security assumption, namely the hardness of the One-More Discrete Logarithm problem, rather than the standard Discrete Logarithm problem, and a looser security reduction due to a double invocation of the Forking Lemma. As an application, we explain how our new multi-signature scheme could improve both performance and user privacy in Bitcoin.

Category / Keywords: public-key cryptography / multi-signatures, Schnorr signatures, one-more discrete logarithm problem, forking lemma, Bitcoin

Date: received 15 Jan 2018, last revised 15 Jan 2018

Contact author: yannick seurin at m4x org

Available format(s): PDF | BibTeX Citation

Version: 20180118:124757 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]