Two-Round Trip Schnorr Multi-signatures via Delinearized Witnesses

Alper, Handan Kılınç; Burdges, Jeffrey

doi:10.1007/978-3-030-84242-0_7

Cited by 25 publications

(5 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then a new blind signature based on the one-more DL assumption was proposed in AGM [26]. Most recently, [27,29,5,22] discussed the security of cryptographic protocols related to Sch in AGM.…”

Section: Related Workmentioning

confidence: 99%

On Multi-user Security of Schnorr Signature in Algebraic Group Model

Fukumitsu

Hasegawa

2023

IJNC

View full text Add to dashboard Cite

The security of Schnorr signature Sch has been widely discussed so far. Recently, Fuchsbauer, Plouviez and Seurin gave a tight reduction that proves EUF-CMA of Sch in the random oracle (ROM) with the algebraic group model (AGM) from the discrete logarithm (DL) assumption at EUROCRYPT 2020. Kiltz, Masny and Pan considered multi-user security of Sch at CRYPTO 2016, whereas Fuchsbauer et al. considered the single-user security only. More precisely, Kiltz et al. constructed a tight reduction from EUF-CMA to MU-EUF-CMA. Combining these two results will likely enable us to construct a tight reduction that proves MU-EUF-CMA security of Sch in AGM+ROM from DL assumption.Against such an intuition, we show an impossibility on proving MU-EUF-CMA of Sch in AGM+ROM only by combining them in this paper. To estimate our impossibility result, we also discuss why the result by Fuchsbauer et al. cannot be applied to MU-EUF-CMA setting. Our result therefore suggests that we are required to develop a new proof technique beyond the algebraic reduction or to find a new form of public keys other than that considered in our impossibility, in order to show MU-EUF-CMA of Sch in AGM+ROM.

show abstract

Section: Related Workmentioning

confidence: 99%

On Multi-user Security of Schnorr Signature in Algebraic Group Model

Fukumitsu

Hasegawa

2023

IJNC

View full text Add to dashboard Cite

show abstract

“…Maxwell et al [3] presented the MuSig scheme in which the signers' public keys are aggregated into one short public key in the three-round MS scheme and showed that this MS scheme can be used for Bitcoin. Recently, a number of secure two-round MS schemes, MuSig-DN, MuSig2, DWMS, and HBMS, have been proposed [14][15][16][17]. Another way to design an MS scheme is to convert an aggregate signature scheme into a non-interactive MS scheme by setting a message to be the same for all signers.…”

Section: Related Workmentioning

confidence: 99%

“…However, Drijvers et al [13] showed that all of these two-round MS schemes can be attacked by using a parallel signing session attack with the Wagner algorithm, and it is difficult to prove the security of these MS schemes by using the meta-reduction technique. To solve this problem, a number of new two-round MS schemes based on Schnorr signatures or trapdoor commitment schemes have been proposed recently [13][14][15][16][17].…”

Section: Introductionmentioning

confidence: 99%

“…To reduce the number of rounds further, Ma et al [11] proposed a two-round MS scheme from Okamoto signatures, but this scheme is not secure against the parallel signing session attack, as shown by Drijvers et al [13]. There are many secure two-round MS schemes based on Schnorr signatures or trapdoor commitments [13,[15][16][17], but constructing a secure two-round MS scheme based on Okamoto signatures is still an unsolved problem.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Two-Round Multi-Signatures from Okamoto Signatures

Lee

Kim

2023

Mathematics

View full text Add to dashboard Cite

Multi-signatures (MS) are a special type of public-key signature (PKS) in which multiple signers participate cooperatively to generate a signature for a single message. Recently, applications that use an MS scheme to strengthen the security of blockchain wallets or to strengthen the security of blockchain consensus protocols are attracting a lot of attention. In this paper, we propose an efficient two-round MS scheme based on Okamoto signatures rather than Schnorr signatures. To this end, we first propose a new PKS scheme by modifying the Okamoto signature scheme and prove the unforgeability of our PKS scheme under the discrete logarithm assumption in the algebraic group model (AGM) and the non-programmable random oracle model (ROM). Next, we propose a two-round MS scheme based on the new PKS scheme and prove the unforgeability of our MS scheme under the discrete logarithm assumption in the AGM and the non-programmable ROM. Our MS scheme is the first one to prove security among two-round MS based on Okamoto signatures.

show abstract

“…The FROST scheme [KG21] is full threshold, meaning it can be instantiated with any secretsharing recovery threshold t (out of n). MuSig2 [NRS21] and the delinearized witness multi-signatures (DWMS) [AB21] are multisignature schemes that operate in the plain public key model. SpeedyMuSig is similar to MuSig2 but operates in the KOSK model, which enables faster key aggregation [CKM21].…”

Section: Nonce Commitmentioning

confidence: 99%

Notes on Threshold EdDSA/Schnorr Signatures

Brandão¹

2022

View full text Add to dashboard Cite

This report considers threshold signature schemes interchangeable with respect to the verification mechanism of the Edwards-Curve Digital Signature Algorithm (EdDSA). Historically, EdDSA is known as a variant of Schnorr signatures, which are well-studied and suitable for efficient thresholdization, i.e., for being computed when the private signing key is secret-shared across multiple parties. In the threshold setting, signatures remain unforgeable even if up to some threshold number of the cosigners become compromised. The report analyzes the conventional (non-threshold) EdDSA specification from Draft FIPS 186-5, reviews important security properties, with an emphasis on strong unforgeability, and distinguishes various approaches for corresponding threshold schemes. Notably, while providing better security assurances, threshold signatures can be used as drop-in replacement for conventionally produced signatures, without changing legacy code for verification of authenticity. The report identifies various challenges and questions that would benefit from more attention, are of interest for future guidance and recommendations, and may be applicable beyond EdDSA.

show abstract

Two-Round Trip Schnorr Multi-signatures via Delinearized Witnesses

Cited by 25 publications

References 23 publications

On Multi-user Security of Schnorr Signature in Algebraic Group Model

On Multi-user Security of Schnorr Signature in Algebraic Group Model

Two-Round Multi-Signatures from Okamoto Signatures

Notes on Threshold EdDSA/Schnorr Signatures

Contact Info

Product

Resources

About