Fully Adaptive Schnorr Threshold Signatures

Crites, Elizabeth C.; Komlo, Chelsea; Maller, Mary

doi:10.1007/978-3-031-38557-5_22

Cited by 15 publications

(2 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast, it isn't clear that any security is achieved by the protocol in [Mak22] in such a case. Another subsequent work [CKM23] also considers three-round Schnorr without zero-knowledge proofs. They also study adaptive security, but work with game-based definitions, which are fundamentally different as discussed above.…”

Section: Subsequent Workmentioning

confidence: 99%

Simple Three-Round Multiparty Schnorr Signing with Full Simulatability

Lindell

2024

IACR CiC

View full text Add to dashboard Cite

In a multiparty signing protocol, also known as a threshold signature scheme, the private signing key is shared amongst a set of parties and only a quorum of those parties can generate a signature. Research on multiparty signing has been growing in popularity recently due to its application to cryptocurrencies. Most work has focused on reducing the number of rounds to two, and as a result: (a) are not fully simulatable in the sense of MPC real/ideal security definitions, and/or (b) are not secure under concurrent composition, and/or (c) utilize non-standard assumptions of different types in their proofs of security. In this paper, we describe a simple three-round multiparty protocol for Schnorr signatures that is secure for any number of corrupted parties; i.e., in the setting of a dishonest majority. The protocol is fully simulatable, secure under concurrent composition, and proven secure in the standard model or random-oracle model (depending on the instantiations of the commitment and zero-knowledge primitives). The protocol realizes an ideal Schnorr signing functionality with perfect security in the ideal commitment and zero-knowledge hybrid model (and thus the only assumptions needed are for realizing these functionalities). In our presentation, we do not assume that all parties begin with the message to be signed, the identities of the participating parties and a unique common session identifier, since this is often not the case in practice. Rather, the parties achieve consensus on these parameters as the protocol progresses.

show abstract

Section: Subsequent Workmentioning

confidence: 99%

Simple Three-Round Multiparty Schnorr Signing with Full Simulatability

Lindell

2024

IACR CiC

View full text Add to dashboard Cite

show abstract

“…Using these protocols, a certain set of parties may transfer their joint right to generate a signature to any subset among themselves equal to or a Correspondence should be addressed to Nikita Snetkov: nikita.snetkov@cyber.ee larger than a specific threshold. There are threshold variants of RSA [62,31,22], Schnorr [49,56,29,27], Ed-DSA [44,15,57,50] and ECDSA [52,35,23,1,67] signatures, which could be used in the blockchain infrastructure or as an authentication solution [21]. With several parties being required to participate in the generation of a signature, it is not unreasonable to somewhat relax the security requirements on any single party, related to the storage or handling of its private key material.…”

Section: Introductionmentioning

confidence: 99%

TOPCOAT: Towards Practical Two-Party Crystals-Dilithium

Snetkov,

Vakarjuk,

Laud

2024

Preprint

View full text Add to dashboard Cite

The development of threshold protocols based on lattice-signature schemes has been of increasing interest in the past several years. The main research focus was towards protocols constructed for various variants of Crystals-Dilithium, future NIST digital signature standard known as ML-DSA. In this work, we propose TOPCOAT, a two-party lattice-based signature algorithm that embodies Dilithium's compression techniques. The aforesaid result is achieved by introducing a new hinting mechanism that allows parties to collaboratively calculate $\textsf{HighBits}$. Our hinting mechanism allows public key compression similar to Dilithium. Additionally, we suggest an optimization technique to minimize number of restarts both parties need to produce a valid signature. We prove security of our scheme under MLWE and MSIS assumptions in ROM, and provide implementation of our proposed scheme. As additional contribution, we present vulnerabilities and inconsistencies found in Liu et al. work which aimed to construct distributed lattice-based signature protocol.

show abstract