Download - Lecture 3: Signatures
![Page 1: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/1.jpg)
mas.s62 lecture 3 signatures
2018-02-14 Tadge Dryja
1
![Page 2: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/2.jpg)
signatures pset01 was about lamport signatures
There are other signature schemes, some with cool features
Hash-based, RSA, ECDSA, EC schnorr
2
![Page 3: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/3.jpg)
multiple use hash signatures Problem with lamport signatures:
Multiple signatures from one key allows forgeries
Solution: use more public keys
3
![Page 4: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/4.jpg)
multiple use hash signatures Easy way:
make 2 public keys, concatenate and publish
For signatures, indicate use of key1 or key2
4
![Page 5: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/5.jpg)
multiple use hash signatures Signatures: same size
Public keys: 2X size
Private keys: 2X size..?
5
![Page 6: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/6.jpg)
multiple use hash signatures Signatures: same size
Public keys: 2X size
Private keys: 2X size..? make a root private key, and hash(root,1) for key 1, hash(root, 2) for key 2. In fact, private key can be 32 bytes 6
![Page 7: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/7.jpg)
multiple use hash signatures
howto 32 byte privkey:
0row hash(seed,0,0), hash(seed,0,1)..
1row hash(seed,1,0), hash(seed,1,1)..
0,0 0,1 0,2 0,3 0,4 0,5 0,6 0,7 … (256)
… (256)
0
1 1,0 1,1 1,2 1,3 1,4 1,5 1,6 1,7
7
![Page 8: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/8.jpg)
multiple use hash signatures
from 16KB to 32B. That's quite nice!
Can we do that with the pubkey..?
32B pubkey…?
8
![Page 9: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/9.jpg)
multiple use hash signatures
from 16KB to 32B. That's quite nice!
Can we do that with the pubkey..?
32B pubkey…?
Commit to pubkey with 0 0 0 0 0 0 0 0
hash( ) (hash of all 16KB)0 1 2 3 4 5 6 7 ,6
1,
,7
, 5
1,
, 4
1,
, 3
1,
, 2
1,
, 1
1,
, 0
1,1,
9
![Page 10: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/10.jpg)
multiple use hash signatures
private key -> 32B
public key -> 32B
signatures still big; actually get bigger. Include full pubkey in signature.
Can do better: commit to many pubkeys 10
![Page 11: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/11.jpg)
multiple use hash signatures
Hash tree, or Merkle tree
Pub1 Pub3
hash h,h
hash 0,1
Pub0
hash 2,3
Pub2
11
![Page 12: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/12.jpg)
multiple use hash signatures
Prove Pub0 inclusion given root
Pub1 Pub3
root
hash 0,1
Pub0
hash 2,3
Pub2
12
![Page 13: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/13.jpg)
multiple use hash signatures
Prove Pub0 inclusion given root
Pub1 Pub3
root
hash 0,1
Pub0
hash 2,3
Pub2
13
![Page 14: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/14.jpg)
multiple use hash signatures
Prove Pub0 inclusion given root
Pub1 Pub3
root
hash 0,1
Pub0
hash 2,3
Pub2
14
![Page 15: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/15.jpg)
multiple use hash signatures
only need 2 extra hashes, one per row
Pub1 Pub3
root
hash 0,1
Pub0
hash 2,3
Pub2
15
![Page 16: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/16.jpg)
Merkle trees
Pu b1
Pu b3
ha ha
ro ot
Invented for lamport sigs
sh 0, 1
Pu b0
sh 2, 3
Pu b2
add O(n) elements in O(1) sized root
prove an element in the set with O(log) n intermediate hashes
16
![Page 17: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/17.jpg)
Merkle trees
Pu b1
Pu b3
ha ha
ro ot
commit to 1024
signing keys
sh 0, 1
Pu b0
sh 2, 3
Pu b2
use root as pubkey
signature inclues proof that signing key is a leaf in the tree
10*32 = 320B overhead. cool! 17
![Page 18: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/18.jpg)
Merkle trees
Pu b1
Pu b3
ha ha
ro ot
commit to 1024
signing keys
sh 0, 1
Pu b0
sh 2, 3
Pu b2
use root as pubkey
signature inclues proof that signing key is a leaf in the tree
10*32 = 320B overhead. cool! 18
![Page 19: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/19.jpg)
need more power
Hash based signatures are cool.
But we can do better. More powerful signature schemes.
RSA ECDSA ECBN
19
![Page 20: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/20.jpg)
RSA
Invented by locals :)
Not used in Bitcoin (or any currency)
Used for chaumian blinded cash
Basic setup: make 2 primes: p, q
n = p*q 20
![Page 21: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/21.jpg)
RSA
Given p,q, computing n is easy.
Given n, finding p,q is hard!
A one way function… but not a hash function.
21
![Page 22: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/22.jpg)
RSA
Can do some fun math with this.
Set e = 3 (or 65537)
set d = some number you can compute if you know p or q. d = e-1 mod (p-1)*(q-1)
n is public. d is private. p, q not needed after setup. e always the same
22
![Page 23: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/23.jpg)
RSA
Sign: s = md mod n
Verify: se mod n == m
Can sign many times. And do lots of cool stuff.
23
![Page 24: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/24.jpg)
RSA
RSA key sizes are smaller than hash based signatures; often 2048 bits (256 bytes)
Somewhat tricky to implement! Lots of ways to lose your private key
but Bitcoin (& other coins) uses elliptic curve signatures 24
![Page 25: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/25.jpg)
Intermission
3 min, walk around, ask questions about pset . . .
then start on elliptic curves
25
![Page 26: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/26.jpg)
elliptic curves
Curves. Bitcoin's curve is
y2 = x3 + 7
Simple, right?
26
![Page 27: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/27.jpg)
elliptic curves
define point addition
line of 3 points
= 0
so P+Q-R=0
P+Q=-R 27
![Page 28: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/28.jpg)
elliptic curves
point "multiplication"
take the tangent
to add a point
to itself
28
![Page 29: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/29.jpg)
elliptic curves
note: actually "looks" more like this because it's modulo some big prime number
We don't compute it graphically so it's OK
29
![Page 30: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/30.jpg)
point and scalar operations (Note also works on exponents mod n)
a, b lowercase = scalar
A, B uppercase = point
what operations can we do?
30
![Page 31: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/31.jpg)
point and scalar operations scalars are regular unleaded numbers
a+b a-b a*b a/b
everything is OK! just numbers!
31
![Page 32: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/32.jpg)
point and scalar operations Points have addition defined… but not multiplication and division
A+B A-B OK A*B A/B NO
add & subtract OK, but can't multiply two points, or divide a point by a point. Not defined.
32
![Page 33: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/33.jpg)
point and scalar operations Mixed operations
A+b A-b NO A*b A/b OK
adding points and scalars is undefined
point times scalar OK; repeat the tangent doubling process. Division by scalar also possible.
33
![Page 34: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/34.jpg)
point and scalar operations roster of ops: what can we do
a+b a-b a*b a/b (obvious)
A+B A-B A*b A/b
34
![Page 35: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/35.jpg)
point and scalar operations roster of ops: what can we do
a+b a-b a*b a/b (obvious)
A+B A-B A*b A/b
Pick some random point G
That's the generator point Everyone agrees on G 35
![Page 36: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/36.jpg)
EC private & public keys
private key a = 256 bit scalar
(same as one block from lamport priv)
public key ?
36
![Page 37: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/37.jpg)
EC private & public keys
private key a = 256 bit scalar
(same as one block from lamport priv)
public key A = a*G
32 byte x coord, 32 byte y coord = 64B
37
![Page 38: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/38.jpg)
EC private & public keys
private key a = 256 bit scalar
(same as one block from lamport priv)
public key A = a*G
32 byte x coord, 32 byte y coord = 64B
since curve is symmetric about x-axis, can encode x-coord only and 1 bit for y. Down to 33 bytes.
38
![Page 39: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/39.jpg)
ECDSA
What Bitcoin, other coins use today
It's ugly though…
Come up with another priv key k
r = x-coord of k*G
s = k-1(hash(m) + a*r) 39
![Page 40: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/40.jpg)
ECDSA
Made to avoid a patent on a better signature system
That patent has expired, we are free to use the simpler better algo that must not be named.
40
![Page 41: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/41.jpg)
ECsig
Have message m, privkey a
make k, a new random private key
R = k*G
s = k - hash(m, R)a
signature = R, s 41
![Page 42: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/42.jpg)
ECsig
given R,s verify:
s = k - hash(m, R)a
sG = kG - hash(m, R)aG
sG = R - hash(m, R)A
R == sG + hash(m,R)A 42
![Page 43: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/43.jpg)
ECsig
Make up k and compute s,R? but need a
s = k - hash(m, R)a
without a, can't make a valid s
43
![Page 44: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/44.jpg)
ECsig
Make up an s, solve for R?
sG = R - hash(m, R)A
44
![Page 45: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/45.jpg)
ECsig
Make up an s, solve for R?
sG = R - hash(m, R)A
R = hash(m, R)A + sG
R = hash(R)! Can't compute, can't cancel out
45
![Page 46: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/46.jpg)
Fun with points
A = aG
B = bG
aB = bA = (aG)b = (bG)a = (ab)G = C
C is a "Diffie Hellman" point.
Super useful! If you know either a or b, you can compute C. 46
![Page 47: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/47.jpg)
Fun with points
A = aG
B = bG
aB = bA = (aG)b = (bG)a = (ab)G = C
C is a "Diffie Hellman" point.
47
![Page 48: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/48.jpg)
Fun with points
A = aG B = bG
D = A+B = (a+b)G
sign with D? Can with d = a+b
make a combined key D = A+B; either party can reveal their side to the other to give signing ability
48
![Page 49: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/49.jpg)
What do we do with this??
Nothing yet. Hard to program this stuff.
Ground work for cool stuff you can do with keys, transactions, signatures
Fun new area! Non-experts (like me) can come up with new stuff!
49
![Page 50: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/50.jpg)
Next pset: NameChain
Mine your name; get a high score
(hax0r names also OK)
pls don't DDoS the server :)
50
![Page 51: Lecture 3: Signatures](https://reader031.vdocuments.us/reader031/viewer/2022012002/61d8f4296e50e20f90527aa6/html5/thumbnails/51.jpg)
MIT OpenCourseWare https://ocw.mit.edu/
MAS.S62 Cryptocurrency Engineering and Design Spring 2018
For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.