Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning

Critical Internet authorities - such as time, name, certificate, and software update services - are prime targets for hackers, criminals, and spy agencies who might secretly use an authority's private keys to compromise many other hosts. To protect both authorities and their users proactively we introduce CoSi, a protocol enabling authorities to have their statements collectively signed by a diverse, decentralized, scalable group of witnesses. Clients can verify these witness cosignatures efficiently without extra communication, protecting clients from secret misuse of the authority's private keys and disincentivizing the malicious acquisition of these keys in the first place. CoSi builds on existing cryptographic multisignature methods, scaling them to support thousands of participants via signature aggregation over efficient communication trees. A working prototype demonstrates CoSi in the context of timestamping and logging authorities, enabling groups of over 8,000 distributed witnesses to collectively sign authoritative statements in under two seconds.