You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

160 lines
5.9 KiB

  1. # ADR 019: Encoding standard for Multisignatures
  2. ## Changelog
  3. 06-08-2018: Minor updates
  4. 27-07-2018: Update draft to use amino encoding
  5. 11-07-2018: Initial Draft
  6. ## Context
  7. Multisignatures, or technically _Accountable Subgroup Multisignatures_ (ASM),
  8. are signature schemes which enable any subgroup of a set of signers to sign any message,
  9. and reveal to the verifier exactly who the signers were.
  10. This allows for complex conditionals of when to validate a signature.
  11. Suppose the set of signers is of size _n_.
  12. If we validate a signature if any subgroup of size _k_ signs a message,
  13. this becomes what is commonly reffered to as a _k of n multisig_ in Bitcoin.
  14. This ADR specifies the encoding standard for general accountable subgroup multisignatures,
  15. k of n accountable subgroup multisignatures, and its weighted variant.
  16. In the future, we can also allow for more complex conditionals on the accountable subgroup.
  17. ## Proposed Solution
  18. ### New structs
  19. Every ASM will then have its own struct, implementing the crypto.Pubkey interface.
  20. This ADR assumes that [replacing crypto.Signature with []bytes](https://github.com/tendermint/tendermint/issues/1957) has been accepted.
  21. #### K of N threshold signature
  22. The pubkey is the following struct:
  23. ```golang
  24. type ThresholdMultiSignaturePubKey struct { // K of N threshold multisig
  25. K uint `json:"threshold"`
  26. Pubkeys []crypto.Pubkey `json:"pubkeys"`
  27. }
  28. ```
  29. We will derive N from the length of pubkeys. (For spatial efficiency in encoding)
  30. `Verify` will expect an `[]byte` encoded version of the Multisignature.
  31. (Multisignature is described in the next section)
  32. The multisignature will be rejected if the bitmap has less than k indices,
  33. or if any signature at any of the k indices is not a valid signature from
  34. the kth public key on the message.
  35. (If more than k signatures are included, all must be valid)
  36. `Bytes` will be the amino encoded version of the pubkey.
  37. Address will be `Hash(amino_encoded_pubkey)`
  38. The reason this doesn't use `log_8(n)` bytes per signer is because that heavily optimizes for the case where a very small number of signers are required.
  39. e.g. for `n` of size `24`, that would only be more space efficient for `k < 3`.
  40. This seems less likely, and that it should not be the case optimized for.
  41. #### Weighted threshold signature
  42. The pubkey is the following struct:
  43. ```golang
  44. type WeightedThresholdMultiSignaturePubKey struct {
  45. Weights []uint `json:"weights"`
  46. Threshold uint `json:"threshold"`
  47. Pubkeys []crypto.Pubkey `json:"pubkeys"`
  48. }
  49. ```
  50. Weights and Pubkeys must be of the same length.
  51. Everything else proceeds identically to the K of N multisig,
  52. except the multisig fails if the sum of the weights is less than the threshold.
  53. #### Multisignature
  54. The inter-mediate phase of the signatures (as it accrues more signatures) will be the following struct:
  55. ```golang
  56. type Multisignature struct {
  57. BitArray CryptoBitArray // Documented later
  58. Sigs [][]byte
  59. ```
  60. It is important to recall that each private key will output a signature on the provided message itself.
  61. So no signing algorithm ever outputs the multisignature.
  62. The UI will take a signature, cast into a multisignature, and then keep adding
  63. new signatures into it, and when done marshal into `[]byte`.
  64. This will require the following helper methods:
  65. ```golang
  66. func SigToMultisig(sig []byte, n int)
  67. func GetIndex(pk crypto.Pubkey, []crypto.Pubkey)
  68. func AddSignature(sig Signature, index int, multiSig *Multisignature)
  69. ```
  70. The multisignature will be converted to an `[]byte` using amino.MarshalBinaryBare. \*
  71. #### Bit Array
  72. We would be using a new implementation of a bitarray. The struct it would be encoded/decoded from is
  73. ```golang
  74. type CryptoBitArray struct {
  75. ExtraBitsStored byte `json:"extra_bits"` // The number of extra bits in elems.
  76. Elems []byte `json:"elems"`
  77. }
  78. ```
  79. The reason for not using the BitArray currently implemented in `libs/common/bit_array.go`
  80. is that it is less space efficient, due to a space / time trade-off.
  81. Evidence for this is outlined in [this issue](https://github.com/tendermint/tendermint/issues/2077).
  82. In the multisig, we will not be performing arithmetic operations,
  83. so there is no performance increase with the current implementation,
  84. and just loss of spatial efficiency.
  85. Implementing this new bit array with `[]byte` _should_ be simple, as no
  86. arithmetic operations between bit arrays are required, and save a couple of bytes.
  87. (Explained in that same issue)
  88. When this bit array encoded, the number of elements is encoded due to amino.
  89. However we may be encoding a full byte for what we actually only need 1-7 bits for.
  90. We store that difference in ExtraBitsStored.
  91. This allows for us to have an unbounded number of signers, and is more space efficient than what is currently used in `libs/common`.
  92. Again the implementation of this space saving feature is straight forward.
  93. ### Encoding the structs
  94. We will use straight forward amino encoding. This is chosen for ease of compatibility in other languages.
  95. ### Future points of discussion
  96. If desired, we can use ed25519 batch verification for all ed25519 keys.
  97. This is a future point of discussion, but would be backwards compatible as this information won't need to be marshalled.
  98. (There may even be cofactor concerns without ristretto)
  99. Aggregation of pubkeys / sigs in Schnorr sigs / BLS sigs is not backwards compatible, and would need to be a new ASM type.
  100. ## Status
  101. Proposed.
  102. ## Consequences
  103. ### Positive
  104. - Supports multisignatures, in a way that won't require any special cases in our downstream verification code.
  105. - Easy to serialize / deserialize
  106. - Unbounded number of signers
  107. ### Negative
  108. - Larger codebase, however this should reside in a subfolder of tendermint/crypto, as it provides no new interfaces. (Ref #https://github.com/tendermint/go-crypto/issues/136)
  109. - Space inefficient due to utilization of amino encoding
  110. - Suggested implementation requires a new struct for every ASM.
  111. ### Neutral