Can Schnorr collective signatures be nested within other Schnorr collective signatures?
Schnorr signatures are a type of digital signature used in various blockchain and cryptocurrency applications. They are designed to allow parties to securely and efficiently verify the authenticity and integrity of messages without revealing their contents. One of the key features of Schnorr signatures is that they can combine the signatures of multiple parties into a single collective signature, known as a collective signature. In this article, we will examine whether it is possible to nest collective signatures within other collective signatures using Schnorr protocols.
Understanding Schnorr Signatures
Schnorr signatures are based on the concept of a “blind signature,” which allows parties to sign messages without revealing their contents to others. They consist of three components: a private key (p), a public key (P), and a hash function (h). The public value P is obtained from the private key p using the Schnorr hash function h(P) = r + p^k, where k is an integer parameter.
Aggregate Signatures
Schnorr aggregate signatures are used to combine signatures from multiple parties into a single aggregate signature. An aggregate signature consists of a list of signatures (s_i), and the Schnorr hash function of each signature is combined using the hash function hAggregate(s_i).
Can aggregate signatures be nested within other aggregate signatures?
In theory, using Schnorr protocols, it is possible to nest aggregate signatures within other aggregate signatures. However, there are some limitations and potential issues that need to be considered.
One way to nest aggregate signatures is to use a combination of the Schnorr hash function and the new hash function hAggregate2(s_i). The idea is to create a new public value P2 by concatenating the two private keys p1 and p2 using the Schnorr hash function: P2 = hAggregate2(P1, P2). From this public value, we can then derive the aggregate signature s2 using the same Schnorr hash function.
However, there are potential issues to consider:
- Security: Nested aggregate signatures can introduce new security risks, such as increased complexity and vulnerability to attacks. A nested aggregate signature can be more difficult to verify or extract information from.
- Performance
: Creating and verifying nested aggregate signatures can be computationally expensive, especially with large inputs. This can make them less practical for real-world applications.
Example Use Case
To illustrate this concept, let’s consider an example use case where we have two parties (Alice and Bob) who want to sign a message together using Schnorr signatures. We will create a nested collective signature within another collective signature.
Suppose Alice has a private key p1 = e1^p2^k1, where e1 is the public signing value. She wants to combine her signature with Bob’s signature to form a collective signature s_nested(s1, s2), where s1 and s2 are separate Schnorr signatures.
We create a new public value P2 by combining Alice’s private key p1 = e1^p2^k1 with Bob’s private key p2: P2 = hAggregate2(P1, P2) = e1^hAggregate(s1, s2).
We then obtain the collective signature s_nested using the Schnorr hash function: s_nested = hAggregate(s1, s2)
The public value of this nested collective signature is P3 = e1^P2.
Conclusion
In summary, Schnorr protocols allow for nesting of aggregate signatures within other aggregate signatures. However, there are potential security and performance issues that need to be considered when creating such nested signatures. The trade-offs and limitations of this approach should be carefully considered before implementing it in a real-world scenario.
Recommendations
- Carefully consider the security risks and potential vulnerabilities that arise from nesting aggregate signatures.