Rogue Key Attacks

The naive implementation of aggregating Schnorr Signatures expose an attack vector where a participant could claim a false Public Key, and control the Multi-Sig

Rogue Key Attack: * Alice and Bob want to create a 2-of-2 Multi-Sig * Alice has a key pair of (xA, XA) (Private Key, Public Key)

* Bob has a key pair of (xB, XB) (Private Key, Public Key) * We can assume that XAB (Aggregated Public Key) = XA + XB * Bob sends a false Public Key: XBf = XB - XA * This is important because the Aggregated Key (XAB) that emerges from using Bob's false Public Key is actually equal to Bob's true key XB * Other users may think they are sending to a 2-of-2 controlled by Alice and Bob but it's simply an address controlled by Bob's true Public Key An extremely simplistic example:

XA (Alice's Public Key) = 10

XBt (Bob's true Public Key) = 11 XBf (Bob's false Public Key) = XBt(11) - XA(10) = 1 XAB = XA(10) + XBf(1) = 11 * Bob has attacked the Aggregated Public Key, by sending a false key which after aggregation with other keys, equals his true Public Key * Bob now controls the Multi-Sig

The problem with participants in an Aggregated Signature scheme is that each participant would need to prove to others, that their Public Key is valid according to a Signature produced by its corresponding Private Key

according to a by its This reduces the problem back to on-chain proof for each participant generating a Signature to validate the authenticity of a Public Key, losing the scaling and efficiency benefits

Bellare-Neven

The Bellare-Neven scheme addresses the security issue of Rogue Key Attacks

Allows aggregation of signatures

====================================================================

Bellare-Neven

==================================================================== Signature creation:

L = H(Xi + (Xi+1)...)

* L is the hash of the summation of all Public Keys R = (ri * G) + ((ri+1) * G)...

* R is the summation of each participants Random Point

* They share their Random Nonce Points with other signers si = ri + H(L, Xi, R, m) * xi

* si is the signature generated for each participant

* si = random nonce + Hash(Hash of all Public Keys, Participants Public Key, Sum of all Random Points, message (transaction)) * Participants Private Key s = (si) + (si+1) + (si+2)...

* s is the summation of each participants signature * (R, s) is the final signature Signature verification:

s*G = R + H(L,X1,R,m) * X1 + H(L,X2,R,m) * X2 +... * Verification is a linear equation, both sides of the equation must be satisfied for the signature to be valid * sum of participants signatures * generator point = sum of Random Nonce Points + Hash(Sum of all Public Keys, Participant 1’s Public Key, Sum of Random Nonce Points, message (transaction)) * Participants 1’s Public Key... same is repeated for each participant

A draw back of BN is that in-order to verify a Multi-sig, we will still need to present the Public Key of each Participant

Mu-sig

Using Mu-sig we are able to aggregate the Signatures and the Public Keys

Instead of verifying a signature according to each participants Public Key, Mu-sig will allow one Public Key to be used in verification

The validator will not need multiple Public Keys to validate a signature and it will hide that the signature is derived from multiple Private Keys

====================================================================

Mu-sig

==================================================================== Signature creation:

L = H(Xi + (Xi+1)...)

* L is the hashed summation of all Public Keys X = ( (H(L, Xi) * Xi) + (H(L, Xi+1) * Xi+1)...)

* X is the sum of all Hashed Public Keys + Participants Public Key- Hash(Sum of all Public Keys hashed, Participant 1's Public Key) * Participant 1’s Public Key R = (ri * G) + ((ri+1) * G)...

* R is the summation of each participants Random Point

* They share their Random Nonce Points with other signers si = ri + H(X, R, m) * H(L, X) * xi

* si is the signature generated for each participant

* si = random nonce + Hash(X, Sum of all Participant's Random Points, message (transaction)) * Hash(Hashed sum of all Public Keys, X) * Participant's Private Key s = (si) + (si+1) + (si+2)...

* s is the summation of each participants signature * (R, s) is the final signature Signature verification:

s*G = R + H(X, R, m) * X * Verification is a linear equation, both sides of the equation must be satisfied for the signature to be valid * sum of participants signatures * generator point = sum of Random Nonce Points + Hash(X, sum of Random Nonce Points, message (transaction)) * X