On the Security of Two-Round Multi-Signatures

Drijvers, Manu; Edalatnejad, Kasra; Ford, Bryan; Kiltz, Eike; Loss, Julian; Neven, Gregory; Stepanovs, Igors

doi:10.1109/sp.2019.00050

Cited by 72 publications

(28 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This can be done by using the general forking lemma [2], and it is known that the (general) forking lemma induces loose security. Due to the same reason, the security of other multisignatures [18,7,6,16] is also loose.…”

Section: Proof Techniquementioning

confidence: 99%

“…Maxwell, Poelstra, Seurin, and Wuille [18] proposed the first multisignature with public-key aggregation based on the discrete logarithm (DL) assumption. Following their work, several multisignatures with public-key aggregation based on the DL assumption are constructed [7,6,13]. Not only the DL-based schemes but also lattice-based multisignatures with public-key aggregation are given [16,10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Tightly Secure DDH-based Multisignature with Public-Key Aggregation

Fukumitsu

Hasegawa

2021

IJNC

View full text Add to dashboard Cite

From the birth of the blockchain technology, multisignatures attract much attention as a tool for handling blockchain transactions. Concerning the application to the blockchain, multisignatures with public-key aggregation, which can compress public keys of signers to a single public key, is preferable to the standard multisignature because the public keys and the signature used in a transaction are stored to verify the transaction later. Several multisignature schemes with public key aggregation are proposed, however, there are no known schemes having a tight security reduction.We propose a first multisignature with public-key aggregation whose security is proven to be tightly secure under the DDH assumption in the random oracle model. Our multisignature is based on the DDH-based multisignature by Le, Yang, and Ghorbani, however, our security proof is different from theirs. The idea of our security proof originates from another DDH-based multisignature by Le, Bonnecaze, and Gabillon whose security proof is tightly one. By tailoring their security proof to a setting which admits the public-key aggregation, we can prove the tight security of our multisignature.

show abstract

Section: Proof Techniquementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

A Tightly Secure DDH-based Multisignature with Public-Key Aggregation

Fukumitsu

Hasegawa

2021

IJNC

View full text Add to dashboard Cite

show abstract

“…Remark 3 (On security definition.). There are two different approaches for modeling signatures with aggregatable public keys in the literature, namely the plain public-key model [3] (also known as key-verification model [15]) and the knowledge-of-secret-key (KOSK) model [8]. In the plain public-key setting the adversary chooses a key pair (sk b , pk b ) and only declares the public key pk b to the challenger in the security game.…”

Section: Definition 9 (2-euf-cma Security)mentioning

confidence: 99%

Two-Party Adaptor Signatures from Identification Schemes

Erwig

Faust

Hostáková

et al. 2021

Public-Key Cryptography – PKC 2021

View full text Add to dashboard Cite

Adaptor signatures are a novel cryptographic primitive with important applications for cryptocurrencies. They have been used to construct second layer solutions such as payment channels or cross-currency swaps. The basic idea of an adaptor signature scheme is to tie the signing process to the revelation of a secret value in the sense that, much like a regular signature scheme, an adaptor signature scheme can authenticate messages, but simultaneously leaks a secret to certain parties. Recently, Aumayr et al. provide the first formalization of adaptor signature schemes, and present provably secure constructions from ECDSA and Schnorr signatures. Unfortunately, the formalization and constructions given in this work have two limitations: (1) current schemes are limited to ECDSA and Schnorr signatures, and no generic transformation for constructing adaptor signatures is known; (2) they do not offer support for aggregated two-party signing, which can significantly reduce the blockchain footprint in applications of adaptor signatures. In this work, we address these two shortcomings. First, we show that signature schemes that are constructed from identification (ID) schemes, which additionally satisfy certain homomorphic properties, can generically be transformed into adaptor signature schemes. We further provide an impossibility result which proves that unique signature schemes (e.g., the BLS scheme) cannot be transformed into an adaptor signature scheme. In addition, we define two-party adaptor signature schemes with aggregatable public keys and show how to instantiate them via a generic transformation from ID-based signature schemes. Finally, we give instantiations of our generic transformations for the Schnorr, Katz-Wang and Guillou-Quisquater signature schemes.

show abstract

“…Recently, it turned out that, according to [26], CoSi was not proved secure. The authors introduced mBCJ, a secure tworound multi-signature scheme.…”

Section: B Limitations Of the Sklcoin Protocolmentioning

confidence: 99%

SklCoin: Toward a Scalable Proof-of-Stake and Collective Signature Based Consensus Protocol for Strong Consistency in Blockchain

Jaroucheh

Ghaleb

Buchanan

2020

2020 IEEE International Conference on Software Architecture Companion (ICSA-C)

View full text Add to dashboard Cite

The proof-of-work consensus protocol suffers from two main limitations: waste of energy and offering only probabilistic guarantees about the status of the blockchain. This paper introduces SklCoin, a new Byzantine consensus protocol and its corresponding software architecture. This protocol leverages two ideas: 1) the proof-of-stake concept to dynamically form stakeproportionate consensus groups that represent block miners (stakeholders), and 2) scalable collective signing to efficiently commit transactions irreversibly. SklCoin has immediate finality characteristic where all miners instantly agree on the validity of blocks. In addition, SklCoin supports high transaction rate because of its fast miner election mechanism.

show abstract

On the Security of Two-Round Multi-Signatures

Cited by 72 publications

References 31 publications

A Tightly Secure DDH-based Multisignature with Public-Key Aggregation

A Tightly Secure DDH-based Multisignature with Public-Key Aggregation

Two-Party Adaptor Signatures from Identification Schemes

SklCoin: Toward a Scalable Proof-of-Stake and Collective Signature Based Consensus Protocol for Strong Consistency in Blockchain

Contact Info

Product

Resources

About