Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Navigation: DEDIS :: Cothority :: Building Blocks :: Collective Signing

Collective Signing (CoSi)

WARNING: this package is kept here for historical and research purposes. It should not be used in other services as it has been deprecated by the blscosi package.

CoSi is a protocol that enables a decentralized (potentially large) group of independent servers to efficiently issue aggregate Schnorr signatures. These collective signatures (co-signatures) convey the same information as a list of conventional signatures but are much more compact and efficient to verify against the aggregate public key of the server group. In practice, a co-signature is not much bigger than an individual Schnorr signature.

CoSi is intended to facilitate increased transparency and security-hardening for critical Internet authorities such as certificate authorities, time services, naming authorities such as DNSSEC, software distribution and update services, directory services used by tools such as Tor, and next-generation cryptocurrencies.


CoSi is implemented as a single protocol. It uses four types of messages: announcement, commitment, challenge and response. The root initializes the protocol with the announcement message. It is then propagated down the tree, where the tree is specified by the service or the program that initializes the protocol. Upon receiving the announcement, the leafs begin propagating commitment messages back up, which are aggregated at the intermediate nodes. As a result, the root should receive an aggregate commitment from all the nodes. Then, the root starts a second round-trip by propagating the challenge message down the tree. Like before, upon receiving the challenge, the leafs begin to propagate the response messages back up and are aggregated by the intermediate nodes. Finally, using the aggregate response, the root generates a final signature. An illustration is shown below.

       root     announcement  ▲    challenge    ▲
       /   \         |        |        |        |
     node  node      |        |        |        |
     /  \    \       |        |        |        |
    /    \    \      |        |        |        |
  leaf  leaf  leaf   ▼    commitment   ▼     response

We provide hooks functionality where the initiator of the protocol is able to add custom behaviour at every stage of the protocol. For instance, the initiator can create a hook and register it with the final signature such that the signature is sent back to one of the receiver's channels.

Research Paper

For further background and technical details, please refer to the research paper or one of the following links:


  • ftcosi is a fault tolerant version of CoSi Please use ftCoSi
  • CoSi CLI is a command line interface for interacting with CoSi
  • CoSi protocol the protocol used for collective signing
  • CoSi service the service with the outward looking API
  • CoSi RFC a draft for a CoSi RFC

Other Standalone CoSi Clients

You can’t perform that action at this time.