1
What is a multisignature?
A multisignature (multisig) is a technique for authorising transactions with multiple private keys, raising security and privacy during the approval of outgoing transfers.
A multisignature is a form of threshold signature, implemented as a verification of conditions expressed in the cryptocurrency’s base scripting language.
2
How and when did multisignatures emerge?
Although the technology is widespread in cryptocurrencies, its fundamentals long predate bitcoin.
For centuries a multisig-like principle was used to protect monastery vaults or crypts that held holy relics. An abbot distributed parts of the keys among monks. No monk could access the relics alone and steal them.
Multisignature support was first implemented for Bitcoin addresses in 2012. The first wallet with multisig functionality was created in 2013. Today there are more than a dozen.
3
How do multisignatures work?
Access to funds in a multisig wallet is possible only when two or more signatures are presented concurrently.
A simple analogy is a safe-deposit box with two locks and two keys. Maria holds one key, Juan the other. They can open the box only if they present both keys at the same time. Neither can open it unilaterally without the other’s consent.
Thus, multisig wallets add an extra layer of security. The approach helps users avoid problems typical of single-key wallets, which represent a single point of failure and are vulnerable to cybercriminals’ constantly evolving phishing tactics.
Because spending requires more than one signature, multisig also suits businesses and corporations that want to keep funds in shared wallets.
4
What kinds of multisignature setups exist?
- 1-of-2: a joint account of two business partners — either party’s signature suffices to spend funds.
- 2-of-2: a joint savings account of two business partners — both signatures are required, preventing one owner from spending without the other’s approval.
- 2-of-2: a wallet with two-factor authentication — one key is stored on a computer, the other on a smartphone. Funds cannot be spent without signatures from both devices.
- 3-of-5: a low-trust donations address — each of five trusted project participants holds a private key. Any three can spend funds, while anyone can donate to the project’s address. This arrangement reduces the risk of embezzlement, hacks, malware and loss caused by a participant losing interest. The blockchain records which private key was used for the final signature, improving accounting.
- 2-of-3: a buyer–seller escrow without trust — the buyer sends funds to a 2-of-3 address whose keys are held by the buyer, the seller and a third-party arbiter. If the transaction succeeds, buyer and seller both sign, releasing funds to the seller. If it fails, they can co-sign a refund to the buyer. If they cannot agree, both turn to the third party, which acts as arbiter and provides the second signature to the side it deems deserving. The arbiter cannot steal the funds because it holds only one key.
- 2-of-3: a council of three custodians holds a company’s or organisation’s funds — spending requires consent from any two of the three. Larger organisations can use bigger multisig setups — 3-of-5, 5-of-9, and so on.
- 2-of-3: a hot wallet for businesses. A bitcoin exchange keeps one private key online and another as a paper backup. A separate cybersecurity company holds the third key online and signs only after checking several factors (black/white lists, withdrawal limits over a period, two-factor authentication, regulatory compliance, etc.). If the exchange’s hot wallet is hacked, bitcoins cannot be stolen. If the security firm ceases operations, the exchange can access funds via the paper backup.
- 2-of-3: a decentralised cold-storage vault — one key is kept by the user in a home safe, the second in a bank deposit box, and a copy of the third key is held by a close friend or relative at their office. The home safe is protected from burglars because spending requires a visit to the friend, the bank or the office.
- 2-of-2: smart contracts — TumbleBit, Coinswap, Lightning Network.
- 1 or 3-of-4: distributed recovery — the primary user can spend at will, but if they lose their private keys, access can be restored with three of four other trusted friends/organisations. One key is stored in a bank deposit box, the other three with friends. In the event of the owner’s death, the vault with funds can, under a will, be transferred to a trusted friend or someone who can obtain assistance from the trusted friends.
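Because the threshold and the key set are conditions written into the script that locks the funds, each participant can check them before depositing. The following is an added example, not code from the original article: it parses a bare Bitcoin `OP_m <keys> OP_n OP_CHECKMULTISIG` script and compares it with the agreed policy. The function names are hypothetical and the public keys are constructed placeholders, not real curve points.

```python
# Opcode values from Bitcoin Script.
OP_1, OP_16, OP_CHECKMULTISIG = 0x51, 0x60, 0xAE

def build_multisig(m, pubkeys):
    """Serialise `OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG`."""
    pushes = b"".join(bytes([len(k)]) + k for k in pubkeys)
    return bytes([0x50 + m]) + pushes + bytes([0x50 + len(pubkeys), OP_CHECKMULTISIG])

def parse_multisig(script):
    """Return (m, pubkeys) or raise ValueError if the script is not a sane m-of-n."""
    if len(script) < 3 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("script does not end in OP_CHECKMULTISIG")
    if not (OP_1 <= script[0] <= OP_16 and OP_1 <= script[-2] <= OP_16):
        raise ValueError("m and n must be encoded as OP_1..OP_16")
    m, n = script[0] - 0x50, script[-2] - 0x50
    keys, pos, end = [], 1, len(script) - 2
    while pos < end:
        size = script[pos]
        key = script[pos + 1:pos + 1 + size]
        if size not in (33, 65) or pos + 1 + size > end:
            raise ValueError("expected a 33- or 65-byte public key push")
        if key[0] not in ((2, 3) if size == 33 else (4,)):
            raise ValueError("public key has an invalid prefix byte")
        keys.append(key)
        pos += 1 + size
    if len(keys) != n:
        raise ValueError(f"n={n} but {len(keys)} keys present")
    if m > n:
        raise ValueError(f"m={m} exceeds n={n}; funds would be unspendable")
    if len(set(keys)) != n:
        raise ValueError("duplicate key: fewer independent signers than n")
    return m, keys

def check_policy(script, want_m, expected_keys):
    """True only if the script encodes exactly the agreed threshold and key set."""
    try:
        m, keys = parse_multisig(script)
    except ValueError:
        return False
    return m == want_m and sorted(keys) == sorted(expected_keys)

# Constructed sample keys (not real curve points): buyer, seller, arbiter.
KEYS = [bytes([2]) + bytes([i]) * 32 for i in (1, 2, 3)]
ESCROW = build_multisig(2, KEYS)
```

A script that lists the right three keys but encodes 1-of-3, or that repeats one party's key, fails `check_policy` even though it still looks like a three-party multisig.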
5
What are ring signatures?
A ring signature is a type of cryptographic digital signature that can be produced by any member of a group of users, each of whom holds a key.
One security property is that it is computationally infeasible to determine which member’s key was used to sign. Ring signatures resemble group signatures but differ in two ways: an individual signature cannot be deanonymised, and any members of any user group can act as signers without extra setup.
The term “ring signature” comes from the ring-like structure of the signature-generation algorithm.
6
Who invented ring signatures, and when?
Ring signatures were invented by cryptographers Ron Rivest, Adi Shamir and Yael Tauman Kalai and were presented at the ASIACRYPT international conference in 2001.
The original concept envisaged ring signatures as a way to protect against leaks of classified information, notably from government offices. The initial model was later refined.
In 2006 Eiichiro Fujisaki and Kotaro Suzuki proposed Traceable Ring Signatures, addressing a vulnerability in ring signatures (the risk of manipulation by malicious or irresponsible signers). An optimised version of this variant is used in CryptoNote coins today, providing sender untraceability in P2P transactions by hiding the source of inputs.
In 2015 Monero Research Labs advanced the idea of ring confidential transactions (RingCT), which Bitcoin Core developer Gregory Maxwell presented and implemented. Extending the anonymisation of basic ring signatures, ring confidential transactions hide not only the sender’s identity but also the amounts exchanged between sender and recipient.
7
How do ring signatures work?
Ring signatures take the idea of group signatures a step further, offering greater privacy. In P2P transaction formats used by cryptocurrencies such as CryptoNote, ring signatures protect the sender by obscuring the receiving side of the transaction so that it is computationally infeasible to determine who signed it.
Ring signatures are more sophisticated than typical digital signatures such as ECDSA or Schnorr signatures.
Ring signatures may require many different public keys for verification. The term “ring” reflects that a ring signature comprises a set of partial digital signatures from different users. Together these signatures form a unique signature. The set is known as a ring and can be chosen arbitrarily from other users’ outputs on the blockchain.
Conceptually, ring signatures resemble several parties signing a cheque from a joint bank account, except that cryptography hides which group member actually signed.
Structure of a ring signature (using Monero as an example):
- Alice wants to send Bob 10 Monero tokens and initiates a transaction via her Monero wallet.
- The digital signature for this transaction is a one-time key that begins with the output spent from her wallet.
- The non-signers in the ring are past transaction outputs, randomly selected from the blockchain, which serve as decoys.
- All members of the ring are possible signers; it is computationally infeasible for a third party to determine the actual signer.
- All outputs in the ring collectively form the transaction input.
- The transaction creator, Alice, can provably spend the amount in such a way that her identity is indistinguishable from that of other ring members.
- Although Alice’s public key is used in her own transaction, it can also serve as a decoy in other transactions on the Monero network.
The automatic creation of unique one-time keys prevents linkability of transactions and is enabled by an optimisation of key exchange via the Diffie–Hellman method.
8
What is a key image?
Privacy-focused currencies such as Monero face the double-spend problem. Without a solution these networks would be useless as digital money, hence the use of key images in combination with ring signatures.
A key image is a cryptographic key derived from a spent output and forms part of every ring-signature transaction. There is only one unique key image for each output on the blockchain. The list of all used key images is stored on-chain.
Because of their cryptographic properties, key images cannot be correlated with their originating outputs. Any new ring signatures that use a duplicate key image are automatically rejected as attempted double-spends.
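The ring structure from the previous section and the key-image rule above fit together as follows. This is an added example, not code from the article or from Monero: a linkable ring signature with a per-key image, written over a toy group (integers modulo 2**127 - 1, an assumption made so it runs with the standard library only). All function names are hypothetical.

```python
import hashlib, secrets

# Toy group (assumption): integers mod the Mersenne prime 2**127 - 1, not Monero's Ed25519.
P, G = 2**127 - 1, 3
ORD = P - 1  # exponents are reduced modulo the group order

def _h(tag, *parts):
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def h_scalar(*parts): return _h("scalar", *parts) % ORD
def h_point(y): return _h("point", y) % ORD + 1  # group element, discrete log unknown

def keygen():
    x = secrets.randbelow(ORD - 1) + 1
    return x, pow(G, x, P)

def _next_c(msg, ring, y, c, r, image):
    left = pow(G, r, P) * pow(y, c, P) % P
    right = pow(h_point(y), r, P) * pow(image, c, P) % P
    return h_scalar(msg, ring, left, right)

def sign(msg, ring, s, x):
    """Ring-sign msg as ring[s]; returns (key_image, c0, responses)."""
    n, image = len(ring), pow(h_point(ring[s]), x, P)
    c, r, a = [0] * n, [0] * n, secrets.randbelow(ORD)
    i = (s + 1) % n
    c[i] = h_scalar(msg, ring, pow(G, a, P), pow(h_point(ring[s]), a, P))
    while i != s:  # simulate every decoy with a random response
        r[i] = secrets.randbelow(ORD)
        c[(i + 1) % n] = _next_c(msg, ring, ring[i], c[i], r[i], image)
        i = (i + 1) % n
    r[s] = (a - c[s] * x) % ORD  # only the real key can close the ring
    return image, c[0], r

def verify(msg, ring, sig):
    image, c, r = sig
    if len(r) != len(ring):
        return False
    for y, ri in zip(ring, r):
        c = _next_c(msg, ring, y, c, ri, image)
    return c == sig[1]  # the chain of challenges must close on c0

def accept(msg, ring, sig, spent_images):
    """Node-side rule: valid signature and a key image never seen before."""
    if not verify(msg, ring, sig) or sig[0] in spent_images:
        return False
    spent_images.add(sig[0])
    return True
```

Signing twice with the same private key yields the same key image even when the message differs, so `accept` rejects the second spend, while `verify` treats every ring member identically and does not reveal which one signed.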
9
What are ring confidential transactions (RingCT)?
RingCT is an enhanced modification of ring signatures. Whereas ring signatures primarily protect the sender’s privacy, ring confidential transactions were designed to improve privacy for both sender and recipient by concealing the transaction amount.
In the original ring-signature format, outputs were “split” into separate rings because ring signatures could include only outputs of equal value. As a result, third parties could see true transaction amounts. With RingCT, transactions are recorded not in a transparent blockchain such as Bitcoin’s, but in an “obscured” one.
Transactions using RingCT no longer need to be broken up and placed into rings of equal-value outputs — a RingCT-enabled wallet can pick ring members at random from outputs of any size.
RingCT also uses a commitment scheme implemented through a range proof, which verifies that the amount used in a transaction is greater than 0 and less than some upper bound, without revealing the amounts. External observers cannot see the sums, yet thanks to cryptographic verification they can be confident the transaction is valid.