Decentralized Signature | BeraSig

Multisig requires smart contracts to counts the number of signatures while BeraSig splits a private key into multiple pieces and each party will use its piece to sign the transaction.

Why are current Multisig solutions bad?

Painful for Stateless Infrastructures. The smart contract basically will be granted permission like assets vault/transfer, configs authority, .etc. Thus, in order to execute a transaction with smart contract, the transaction including data, accounts must be stored on-chain. The process is super heavy and unable to scale. Further, if the transaction requires 2 signatures, it seems impossible.

Lack of Composability. Most of protocols are BeraSignated to work well with casual wallets. The casual wallet means a wallet with private key. However, smart-contract-based wallets don't have private key and must sign/verify by seeds via a "process of simulation". To make smart-contract-based wallets in multisigs adapt new protocols, the process is really time-taken.

Why is BeraSig good?

BeraSig is just a casual wallet with private key. However, the key isn't hold by any specific party. Instead, the key will be cryptographically splitted into multiple pieces and distributed to the holders. It brings some significant values:

Composability & Scalability. Fully composable/compatible to most of blockchains and protocols.

Security. Cryptographically sign/verify in decentralized fashion.

Cost. Because all signatures were done off-chain, the fee of BeraSig is basically zero.

How does BeraSig work?

TL;DR. BeraSig idea is leveraged by Homomorphic Encryption and Shamir's Secret Sharing.

The master privKey is cryptographically splitted in n child privKeys. Each child privKey will be secretly distributed to a corresponding holder.

To sign a transaction, each holder will independently sign and share his/her signature. After have all signatures, a process will combine these signatures to reconstruct a valid signature of the master privKey.

Send & Confirm the transaction.

Crytography Foundation

These following formulas are the main cryptography foundation that BeraSig is based on.

Elliptic Curve Digital Signature Algorithms

ECDSA (Secp256k1)

$$ s = r^{-1}(H(m)+R_xPriv) $$

EdDSA (Ed25519)

$$ s = r+H(R,Pub,m)Priv $$

ElGamal Publickey Encryption

Key Generation

$$ Pub = G \cdot Priv $$

Encryption

$$ E(m) = { c = m + r \cdot Pub, s = r \cdot G } $$

Decryption

$$ D(c,s,Priv) = { m = c - s \cdot Priv } $$

Shamir Secret Sharing (SSS)

Let $s$ be the secret in a $t-out-of-n$ Shamir Secret Sharning Scheme.

$$ \begin{align*} r(x){r_i \leftarrow $} &= s + r_1x + ... + r{t-1}x^{t-1} \ SHR(s) &= {s_i}{1..n} \ REC(s{i \in {i..n}_t}) &= s \end{align*} $$

Effective reconstruction:

$$ f(0) = \sum_{i=1}^{t} y_i \prod_{j=1,j \neq i}^{t} \frac{x_j}{x_j-x_i} $$

BeraSig's Assumption

BeraSig is assuming that the execution environment is Honest-but-Curious. In this environment, key holders act correctly following the BeraSig protocol. However, they will try to gain advantages to learn the others' secret.

With this assumption, BeraSig is secure.

Plus, to precompute the derived keys of holders, they must know who will take part in the signing in advance. In other words, the procotol requires a pre-signing round to commit who will join the process.

How to test?

pnpm test

References

[1] Bernstein, Daniel J., et al. "High-speed high-security signatures." International Workshop on Cryptographic Hardware and Embedded Systems. Springer, Berlin, Heidelberg, 2011.

[2] Bernstein, Daniel J., et al. "TweetNaCl: A crypto library in 100 tweets." International Conference on Cryptology and Information Security in Latin America. Springer, Cham, 2014.

[3] Cryptography behind the top 100 Cryptocurrencies. (n.d.). Retrieved November 30, 2022, from http://ethanfast.com/top-crypto.html

[4] ECDSA: Elliptic curve signatures. ECDSA: Elliptic Curve Signatures - Practical Cryptography for Developers. (n.d.). Retrieved November 30, 2022, from https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages

[5] Gennaro, Rosario, and Steven Goldfeder. "Fast multiparty threshold ECDSA with fast trustless setup." Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. 2018.

[6] Shamir, Adi. "How to share a secret." Communications of the ACM 22.11 (1979): 612-613.

Copyright

BeraSig © 2023, All Rights Reserved.