Two-Party Adaptor Signatures From Identification Schemes

Abstract. Adaptor signatures are a novel cryptographic primitive with important applications for cryptocurrencies. They have been used to construct second layer solutions such as payment channels or cross-currency swaps. The basic idea of an adaptor signature scheme is to tie the signing process to the revelation of a secret value in the sense that, much like a regular signature scheme, an adaptor signature scheme can authenticate messages, but simultaneously leaks a secret to certain parties. Recently, Aumayr et al. provide the first formalization of adaptor signature schemes, and present provably secure constructions from ECDSA and Schnorr signatures. Unfortunately, the formalization and constructions given in this work have two limitations: (1) current schemes are limited to ECDSA and Schnorr signatures, and no generic transformation for constructing adaptor signatures is known; (2) they do not offer support for aggregated two-party signing, which can significantly reduce the blockchain footprint in applications of adaptor signatures. In this work, we address these two shortcomings. First, we show that signature schemes that are constructed from identification (ID) schemes, which additionally satisfy certain homomorphic properties, can generically be transformed into adaptor signature schemes. We further provide an impossibility result which proves that unique signature schemes (e.g., the BLS scheme) cannot be transformed into an adaptor signature scheme. In addition, we define two-party adaptor signature schemes with aggregatable public keys and show how to instantiate them via a generic transformation from ID-based signature schemes. Finally, we give instantiations of our generic transformations for the Schnorr, Katz-Wang and Guillou-Quisquater signature schemes.


Introduction
Blockchain technologies, envisioned first in 2009 [34], have spurred enormous interest by academia and industry. This technology puts forth a decentralized payment paradigm, where financial transactions are stored in a decentralized data structure, often referred to as the blockchain. The main cryptographic primitive used by blockchain systems is that of digital signature schemes, which allow users to authenticate payment transactions. Various different flavors of digital signature schemes are used by blockchain systems, e.g., ring signatures [39] add privacy-preserving features to cryptocurrencies [40], while threshold signatures and multi-signatures are used for multi-factor authorization of transactions [18].
Adaptor signatures (sometimes also referred to as scriptless scripts) are another important type of digital signature scheme introduced by the cryptocurrency community [37] and recently formalized by Aumayr et al. [2]. In a nutshell, adaptor signatures tie together authorization of a message and the leakage of a secret value. Namely, they allow a signer to produce a pre-signature under her secret key such that this pre-signature can be adapted into a valid signature by a publisher knowing a certain secret value. If the completed signature gets published, the signer is able to extract the embedded secret used by the publisher.
To demonstrate the concept of adaptor signatures, let us discuss the simple example of a preimage sale which serves as an important building block in many blockchain applications such as payment channels [6,10,38,2], payment routing in payment channel networks (PCNs) [30,13,33] or atomic swaps [11,21]. Assume that a seller offers to reveal a preimage of a hash value h in exchange for c coins from a concrete buyer. This is a classical instance of a fair exchange problem, which can be solved using the blockchain as follows. The buyer locks c coins in a transaction which can be spent by another transaction if it is authorized by the seller and contains a preimage of the hash value h.
While this solution implements the preimage sale, it has various drawbacks: (i) The only hash functions that can be used are the ones supported by the underlying blockchain. For example, the most popular blockchain-based cryptocurrency, Bitcoin, supports only SHA-1, SHA-256 and RIPEMD-160 [5]. This makes the above solution unsuitable for applications like privacy-preserving payment routing in PCNs [30,13] that crucially rely on the preimage sale instantiated with a homomorphic hash function. (ii) The hash value has to be fixed at the beginning of the sale and cannot be changed later without a new transaction being posted on the blockchain. This is problematic in, e.g., generalized payment channels [2], where users utilize the ideas from the preimage sale to repeatedly update channel balances without any blockchain interaction. (iii) Finally, the blockchain script is non-standard as, in addition to a signature verification, it contains a hash preimage verification. This not only makes the transaction more expensive but also allows parties who are maintaining the blockchain (also known as miners) to censor transactions belonging to a preimage sale.
The concept of adaptor signatures allows us to implement a preimage sale in a way that overcomes most of the aforementioned drawbacks. The protocol works at a high level as follows. The buyer locks c coins in a transaction which can be spent by a transaction authorized by both the seller and the buyer. Thereafter, the buyer pre-signs a transaction spending the c coins with respect to the hash value h. If the seller knows a preimage of h, she can adapt the pre-signature of the buyer, attach her own signature and claim the c coins. The buyer can then extract a preimage from the adapted signature. Hence, parties are not restricted to the hash functions supported by the blockchain, i.e., drawback (i) is addressed. Moreover, the buyer can pre-sign the spending transaction with respect to multiple hash values which overcomes drawback (ii). However, the third drawback remains. While the usage of adaptor signatures avoids the hash preimage verification in the script, it adds a signature verification (i.e., there are now 2 signature verifications in total) which makes this type of exchange easily distinguishable from a normal payment transaction. Hence, the sale remains rather expensive and censorship is not prevented.
The idea of two-party adaptor signatures is to replace the two signature verifications by one. The transaction implementing a preimage sale then has exactly the same format as a transaction simply transferring coins. As a result the price (in terms of fees paid to the miners) of the preimage sale transaction is the same as the price for a normal payment. Moreover, censorship is prevented as miners cannot distinguish the transactions belonging to the preimage sale from a standard payment transaction. Hence, point (iii) is fully addressed.
The idea of replacing two signatures by one has already appeared in the literature in the context of payment channels. Namely, Malavolta et al. [30] presented protocols for two-party threshold adaptor signatures based on Schnorr and ECDSA digital signatures. However, they did not present a standalone definition for the threshold primitive and hence security for these schemes has not been analyzed. Furthermore, the key generation of the existing threshold adaptor signature schemes is interactive, which is undesirable. Last but not least, their constructions are tailored to the Schnorr and ECDSA signature schemes and hence are not generic. From the above points, the following natural question arises: Is it possible to define and instantiate two-party adaptor signature schemes with non-interactive key generation in a generic way?

Our contribution
Our main goal is to define two-party adaptor signatures and explore from which digital signature we can instantiate this new primitive. We proceed in three steps which we summarize below and depict in Fig. 1.
Step 1: From ID schemes to adaptor signatures. Our first goal is to determine if there exists a specific class of signature schemes which can be generically transformed into adaptor signatures. Given the existing Schnorr-based construction [37,2], a natural choice is to explore signature schemes constructed in a similar fashion. To this end, we focus on signature schemes built from identification (ID) schemes using the Fiat-Shamir transform [25]. We show that ID-based signature schemes satisfying certain additional properties can be transformed to adaptor signature schemes generically. In addition to Schnorr signatures [41], this class includes Katz-Wang and Guillou-Quisquater signatures [24,22]. As an additional result, we show that adaptor signatures cannot be built from unique signatures, ruling out constructions from, e.g., BLS signatures [9]. Our generic transformation of adaptor signatures from ID schemes has multiple benefits. Firstly, by instantiating it with the Guillou-Quisquater signature scheme, we obtain the first RSA-based adaptor signature scheme. Secondly, since Katz-Wang signatures offer tight security (under the decisional Diffie-Hellman (DDH) assumption), and our generic transformation also achieves tight security, our result shows how to construct adaptor signatures with a tight reduction to the underlying DDH assumption.
Step 2: From ID schemes to two-party signatures. Our second goal is to generically transform signature schemes built from ID schemes into two-party signature schemes with aggregatable public keys. Unlike threshold signatures, these signatures have non-interactive key generation. This means that parties can independently generate their key pairs and later collaboratively generate signatures that are valid under their combined public key. For our transformation, we require the signature scheme to satisfy certain aggregation properties which, as we show, are present in the three aforementioned signature schemes. While this transformation serves as a middle step towards our main goal of constructing two-party adaptor signatures, we believe it is of independent interest.
Step 3: From ID schemes to two-party adaptor signatures. Finally, we define two-party adaptor signature schemes with aggregatable public keys. In order to instantiate this novel cryptographic primitive, we use similar techniques as in step 1 where we "lifted" standard signature schemes to adaptor signature schemes. More precisely, we present a transformation turning a two-party signature scheme based on an ID scheme into a two-party adaptor signature scheme.

Remark 1. Let us point out that Fig. 1 presents our transformation steps from signature schemes based on ID schemes to two-party adaptor signatures. Despite the fact that we generically construct our two-party adaptor signature scheme from two-party signature schemes based on ID schemes, we reduce its security to the strong unforgeability of the underlying single party signature scheme. Therefore, we do not need the two-party signature scheme from ID schemes to be strongly unforgeable. This gives us a more general result than proving security based on strong unforgeability of the two-party signature scheme from ID schemes. We note that any ID scheme can be transformed to a signature scheme with strong unforgeability by Bellare and Shoup [4].
Let us further mention that our security proofs are in the random oracle model. Proving the security of our constructions and the original constructions from [2] in the standard model remains an interesting open problem.

Related Work
Adaptor Signatures. The notion of adaptor signatures was first introduced by Poelstra [37] and has since been used in many blockchain related applications, such as PCNs [30], payment channel hubs [43] or atomic swaps [11]. However, adaptor signatures as a standalone primitive were only formalized later by Aumayr et al. [2], where they were used to generalize the concept of payment channels. Concurrently, Fournier [17] attempted to formalize adaptor signatures; however, as pointed out in [2], his definition is weaker than the one given in [2] and not sufficient for certain applications. All the previously mentioned works constructed adaptor signatures only from Schnorr and ECDSA signatures, i.e., they did not show generic transformations for building adaptor signature schemes. As previously mentioned, a two-party threshold variant of adaptor signatures was presented by Malavolta et al. [30]. Their construction requires interactive key generation, thereby differing from our two-party adaptor signature notion. Moreover, no standalone definition of the threshold primitive was provided.
Two works [15,44] have recently introduced post-quantum secure adaptor signature schemes, i.e., schemes that remain secure even in the presence of an adversary having access to a quantum computer. In order to achieve post-quantum security, [15] based its scheme on standard and well-studied lattice assumptions, namely Module-SIS and Module-LWE, while the scheme in [44] is based on lesser known assumptions for isogenies. Both works additionally show how to construct post-quantum secure PCNs from their respective adaptor signature schemes.
Multi-Signatures and ID Schemes. Multi-signatures have been subject to extensive research in the past (e.g., [36,35,23]). In a nutshell, multi-signatures allow a set of signers to collaboratively generate a signature for a common message such that the signature can be verified given the public key of each signer. More recently, the notion of multi-signatures with aggregatable public keys has been introduced [31] and further developed [8,26]; it allows aggregating the public keys of all signers into one single public key. We use some results from the work of Kiltz et al. [25], which provides a concrete and modular security analysis of signature schemes from ID schemes obtained via the Fiat-Shamir transformation. Our paper builds on their work and uses some of their notation.

Preliminaries
In this section, we introduce notation that we use throughout this work and preliminaries on adaptor signatures and identification schemes. Due to space limitations, we provide formal definitions of digital signature schemes, non-interactive zero-knowledge proofs and extractable commitments in the full version of this paper [14].
Notation. We denote by $x \leftarrow_{\$} X$ the uniform sampling of $x$ from the set $X$. Throughout this paper, $n$ denotes the security parameter. By $x \leftarrow \mathcal{A}(y)$ we denote a probabilistic polynomial time (PPT) algorithm $\mathcal{A}$ that on input $y$, outputs $x$. When $\mathcal{A}$ is a deterministic polynomial time (DPT) algorithm, we use the notation $x := \mathcal{A}(y)$. A function $\nu : \mathbb{N} \to \mathbb{R}$ is negligible in $n$ if for every $k \in \mathbb{N}$, there exists $n_0 \in \mathbb{N}$ s.t. for every $n \ge n_0$ it holds that $|\nu(n)| \le 1/n^k$.
Hard relation. Let $R \subseteq D_S \times D_w$ be a relation with statement/witness pairs $(Y, y) \in D_S \times D_w$ and let the language $L_R \subseteq D_S$ associated to $R$ be defined as $L_R := \{Y \in D_S \mid \exists y \in D_w \text{ s.t. } (Y, y) \in R\}$. We say that $R$ is a hard relation if: (i) there exists a PPT sampling algorithm $\mathsf{GenR}(1^n)$ that on input the security parameter outputs a pair $(Y, y) \in R$; (ii) the relation $R$ is poly-time decidable; (iii) for all PPT adversaries $\mathcal{A}$, the probability that $\mathcal{A}$ outputs a valid witness $y \in D_w$ for $Y \in L_R$ is negligible.

Adaptor Signatures
We now recall the definition of adaptor signatures, recently put forward in [2].
Definition 1 (Adaptor signature). An adaptor signature scheme w.r.t. a hard relation $R$ and a signature scheme $\mathsf{SIG} = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ consists of a tuple of four algorithms $\mathsf{aSIG}_{R,\mathsf{SIG}} = (\mathsf{pSign}, \mathsf{Adapt}, \mathsf{pVrfy}, \mathsf{Ext})$ defined as:
- $\mathsf{pSign}_{sk}(m, Y)$: is a PPT algorithm that on input a secret key $sk$, message $m \in \{0,1\}^*$ and statement $Y \in L_R$, outputs a pre-signature $\tilde\sigma$.
- $\mathsf{pVrfy}_{pk}(m, Y; \tilde\sigma)$: is a DPT algorithm that on input a public key $pk$, message $m \in \{0,1\}^*$, statement $Y \in L_R$ and pre-signature $\tilde\sigma$, outputs a bit $b$.
- $\mathsf{Adapt}_{pk}(\tilde\sigma, y)$: is a DPT algorithm that on input a pre-signature $\tilde\sigma$ and witness $y$, outputs a signature $\sigma$.
- $\mathsf{Ext}_{pk}(\sigma, \tilde\sigma, Y)$: is a DPT algorithm that on input a signature $\sigma$, pre-signature $\tilde\sigma$ and statement $Y \in L_R$, outputs a witness $y$ such that $(Y, y) \in R$, or $\bot$.
An adaptor signature scheme, besides satisfying plain digital signature correctness, should also satisfy pre-signature correctness that we formalize next.
Definition 2 (Pre-signature correctness). An adaptor signature $\mathsf{aSIG}_{R,\mathsf{SIG}}$ satisfies pre-signature correctness, if for all $n \in \mathbb{N}$ and $m \in \{0,1\}^*$:

An adaptor signature scheme $\mathsf{aSIG}_{R,\mathsf{SIG}}$ is called secure if it satisfies three security properties: existential unforgeability under chosen message attack for adaptor signatures, pre-signature adaptability and witness extractability. Let us recall the formal definitions of these properties next.
The notion of unforgeability for adaptor signatures is similar to existential unforgeability under chosen message attacks for standard digital signatures but additionally requires that producing a forgery $\sigma$ for some message $m^*$ is hard even given a pre-signature on $m^*$ w.r.t. a random statement $Y \in L_R$.
Definition 3 (aEUF-CMA Security). An adaptor signature scheme $\mathsf{aSIG}_{R,\mathsf{SIG}}$ is unforgeable if for every PPT adversary $\mathcal{A}$ there exists a negligible function $\nu$ such that $\Pr[\mathsf{aSigForge}_{\mathcal{A},\mathsf{aSIG}_{R,\mathsf{SIG}}}(n) = 1] \le \nu(n)$, where the definition of the experiment $\mathsf{aSigForge}_{\mathcal{A},\mathsf{aSIG}_{R,\mathsf{SIG}}}$ is as follows:

A natural requirement for an adaptor signature scheme is that any valid pre-signature w.r.t. $Y$ (possibly produced by a malicious signer) can be completed into a valid signature using a witness $y$ with $(Y, y) \in R$.
The last property that we are interested in is witness extractability. Informally, it guarantees that a valid signature/pre-signature pair $(\sigma, \tilde\sigma)$ for message/statement $(m, Y)$ can be used to extract a corresponding witness $y$.
Definition 5 (Witness extractability). An adaptor signature scheme $\mathsf{aSIG}_{R,\mathsf{SIG}}$ is witness extractable if for every PPT adversary $\mathcal{A}$, there exists a negligible function $\nu$ such that $\Pr[\mathsf{aWitExt}_{\mathcal{A},\mathsf{aSIG}_{R,\mathsf{SIG}}}(n) = 1] \le \nu(n)$, where the experiment $\mathsf{aWitExt}_{\mathcal{A},\mathsf{aSIG}_{R,\mathsf{SIG}}}$ is defined as follows:

Let us stress that while the witness extractability experiment aWitExt looks fairly similar to the experiment aSigForge, there is one crucial difference; namely, the adversary is allowed to choose the forgery statement $Y^*$. Hence, we can assume that it knows a witness for $Y^*$ and can thus generate a valid signature on the forgery message $m^*$. However, this is not sufficient to win the experiment. The adversary wins only if the valid signature does not reveal a witness for $Y^*$.

Identification and Signature Schemes
In this section we recall the definition of identification schemes and how they are transformed to signature schemes as described in [25].
- The key generation algorithm $\mathsf{IGen}$ takes the system parameters $par$ as input and returns secret and public key $(sk, pk)$. We assume that $pk$ defines the set of challenges, namely $\mathsf{ChSet}$.
- The prover algorithm $\mathsf{P}$ consists of two algorithms, namely $\mathsf{P}_1$ and $\mathsf{P}_2$:
  • $\mathsf{P}_1$ takes as input the secret key $sk$ and returns a commitment $R \in D_{rand}$ and a state $St$.
  • $\mathsf{P}_2$ takes as input the secret key $sk$, a commitment $R \in D_{rand}$, a challenge $h \in \mathsf{ChSet}$, and a state $St$ and returns a response $s \in D_{resp}$.
- The verifier algorithm $\mathsf{V}$ is a deterministic algorithm that takes the public key $pk$ and the conversation transcript as input and outputs 1 (acceptance) or 0 (rejection).
We recall that an identification scheme ID is called commitment-recoverable if $\mathsf{V}$ first internally calls a function $\mathsf{V}_0$ which recomputes $R_0 = \mathsf{V}_0(pk, h, s)$ and then outputs 1 iff $R_0 = R$. Using the Fiat-Shamir heuristic, one can transform any identification scheme ID of the above form into a digital signature scheme $\mathsf{SIG}_{ID}$. We recall this transformation in Fig. 2 for the case that ID is commitment-recoverable.

Adaptor Signatures from SIG ID
Our first goal is to explore and find digital signature schemes which can generically be transformed to adaptor signatures. Interestingly, we observe that both existing adaptor signature schemes, namely the Schnorr-based and the ECDSA-based schemes, utilize the randomness used during signature generation to transform digital signatures to adaptor signatures [2]. We first prove a negative result, namely that it is impossible to construct an adaptor signature scheme from a unique signature scheme [42,29,19]. Thereafter, we focus on signature schemes constructed from identification schemes (cf. Fig. 2) and show that if the underlying ID-based signature scheme $\mathsf{SIG}_{ID}$ satisfies certain additional properties, then we can generically transform it into an adaptor signature scheme. To demonstrate the applicability of our generic transformation, we show in the full version of this paper [14] that many existing $\mathsf{SIG}_{ID}$ instantiations satisfy the required properties.

Impossibility Result for Unique Signatures
An important class of digital signatures are those where the signing algorithm is deterministic and the generated signatures are unique. Given the efficiency of deterministic signature schemes along with numerous other advantages that come from signatures being unique [42,29,19], it would be tempting to design adaptor signatures based on unique signatures. However, we show in Thm. 1 that if the signature scheme has unique signatures, then it is impossible to construct a secure adaptor signature scheme from it.

Theorem 1. Let $R$ be a hard relation and $\mathsf{SIG} = (\mathsf{Gen}, \mathsf{Sign}, \mathsf{Vrfy})$ be a signature scheme with unique signatures. Then there does not exist an adaptor signature scheme $\mathsf{aSIG}_{R,\mathsf{SIG}}$.
Proof. We prove this theorem by contradiction. Assume there exists an adaptor signature scheme where the underlying signature scheme, $\mathsf{SIG}$, has unique signatures. We construct a PPT algorithm $\mathcal{A}$ which internally uses the adaptor signature and breaks the hardness of $R$. In other words, $\mathcal{A}$ receives $(1^n, Y)$ as input and outputs $y$ such that $(Y, y) \in R$. Below, we describe $\mathcal{A}$ formally.
We now show that $y$ returned by $\mathcal{A}$ is indeed a witness of $Y$, i.e., $(Y, y) \in R$. From the correctness of the adaptor signature scheme, we know that for any $y'$ s.t. $(Y, y') \in R$ the signature $\sigma' := \mathsf{Adapt}(\tilde\sigma, y')$ is a valid signature, i.e., $\mathsf{Vrfy}_{pk}(m, \sigma') = 1$. Moreover, we know that $y'' := \mathsf{Ext}_{pk}(\sigma', \tilde\sigma, Y)$ is such that $(Y, y'') \in R$. As $\mathsf{SIG}$ is a unique signature scheme, this implies that $\sigma = \sigma'$, which in turn implies that the witness $y$ returned by $\mathcal{A}$ is $y''$. Hence, $\mathcal{A}$ breaks the hardness of $R$ with probability 1.
Let us briefly discuss which signature schemes are affected by our impossibility result. Unique signature schemes (also known as verifiable unpredictable functions (VUF)) were first introduced in [19]. Furthermore, many follow-up works such as [32,29] and most recently [42] have shown how to instantiate this primitive in the standard model. Another famous example of a unique signature scheme is BLS [9]. Naturally, due to our impossibility result, an adaptor signature scheme cannot be instantiated from these signature schemes.

Generic Transformation to Adaptor Signatures
We now describe how to generically transform a randomized digital signature scheme SIG ID from Fig. 2 into an adaptor signature scheme w.r.t. a hard relation R. For brevity, we denote the resulting adaptor signature scheme as aSIG ID,R instead of aSIG R,SIG ID . The main idea behind our transformation is to shift the public randomness of the Sign procedure by a statement Y for the relation R in order to generate a modified signature called a pre-signature. Using a corresponding witness y (i.e., (Y, y) ∈ R), the shift of the public randomness in the pre-signature can be reversed (or adapted), in order to obtain a regular (or full) signature. Moreover, it should be possible to extract a witness given both the pre-signature and the full-signature. To this end, let us formalize three new deterministic functions which we will use later in our transformation.
1. For the randomness shift, we define a function $f_{shift} : D_{rand} \times L_R \to D_{rand}$ that takes as input a commitment value $\tilde R \in D_{rand}$ of the identification scheme and a statement $Y \in L_R$ of the hard relation, and outputs a new commitment value $R \in D_{rand}$.
2. For the adapt operation, we define $f_{adapt} : D_{resp} \times D_w \to D_{resp}$ that takes as input a response value $\tilde s \in D_{resp}$ of the identification scheme and a witness $y \in D_w$ of the hard relation, and outputs a new response value $s \in D_{resp}$.
3. Finally, for witness extraction, we define $f_{ext} : D_{resp} \times D_{resp} \to D_w$ that takes as input two response values $\tilde s, s \in D_{resp}$ and outputs a witness $y \in D_w$.
Our transformation from SIG ID to aSIG ID,R is shown in Fig. 3.
In order for $\mathsf{aSIG}_{ID,R}$ to be an adaptor signature scheme, we need the functions $f_{shift}$, $f_{adapt}$ and $f_{ext}$ to satisfy two properties. The first property is a homomorphic one and relates the functions $f_{shift}$ and $f_{adapt}$ to the commitment-recoverable component $\mathsf{V}_0$ and the hard relation $R$. Informally, for all $(Y, y) \in R$, we need the following to be equivalent: (i) extract the public randomness from a response $\tilde s$ using $\mathsf{V}_0$ and then apply $f_{shift}$ to shift the public randomness by $Y$, and (ii) apply $f_{adapt}$ to shift the secret randomness in $\tilde s$ by $y$ and then extract the public randomness using $\mathsf{V}_0$. Formally, for any public key $pk$, any challenge $h \in \mathsf{ChSet}$, any response value $\tilde s \in D_{resp}$ and any statement/witness pair $(Y, y) \in R$, it must hold that:

$$f_{shift}(\mathsf{V}_0(pk, h, \tilde s), Y) = \mathsf{V}_0(pk, h, f_{adapt}(\tilde s, y)). \qquad (1)$$

The second property requires that the function $f_{ext}(\tilde s, \cdot)$ is the inverse function of $f_{adapt}(\tilde s, \cdot)$ for any $\tilde s \in D_{resp}$. Formally, for any $y \in D_w$ and $\tilde s \in D_{resp}$, we have

$$f_{ext}(\tilde s, f_{adapt}(\tilde s, y)) = y. \qquad (2)$$

To give an intuition about the functions $f_{shift}$, $f_{adapt}$ and $f_{ext}$ and their purpose, let us discuss their concrete instantiations for Schnorr signatures and show that they satisfy Equations (1) and (2). The instantiations for Katz-Wang signatures and Guillou-Quisquater signatures can be found in the full version of this paper [14].
Example 1 (Schnorr signatures). Let $\mathbb{G} = \langle g \rangle$ be a cyclic group of prime order $q$ where the discrete logarithm problem in $\mathbb{G}$ is hard. The functions $\mathsf{IGen}$, $\mathsf{P}_1$, $\mathsf{P}_2$ and $\mathsf{V}_0$ for Schnorr's signature scheme are defined in Fig. 4.
Let us consider the hard relation $R$ of discrete logarithms, i.e., pairs $(Y, y)$ of group elements and their discrete logarithms with $Y = g^y$, and let us define the functions $f_{shift}$, $f_{adapt}$, $f_{ext}$ as:

Intuitively, the function $f_{shift}$ is shifting randomness in the group while the function $f_{adapt}$ shifts randomness in the exponent. To prove that Eq. (1) holds, let us fix an arbitrary public key $pk \in \mathbb{G}$, a challenge $h \in \mathbb{Z}_q$, a response value $\tilde s \in \mathbb{Z}_q$ and a statement/witness pair $(Y, y) \in R$, i.e., $Y = g^y$. We have

which is what we wanted to prove. In order to show that Eq. (2) holds, let us fix an arbitrary witness $y \in \mathbb{Z}_q$ and a response value $\tilde s \in \mathbb{Z}_q$. Then we have

We now show that the transformation from Fig. 3 is a secure adaptor signature scheme if functions $f_{shift}$, $f_{adapt}$, $f_{ext}$ satisfying Equations (1) and (2) exist.
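As an added example (not code from the paper or its full version), the following Python models Example 1 end to end: the Schnorr ID scheme ($\mathsf{IGen}$, $\mathsf{P}_1$, $\mathsf{P}_2$, $\mathsf{V}_0$), the Fiat-Shamir signature of Fig. 2, the discrete-logarithm relation with $f_{shift}$, $f_{adapt}$, $f_{ext}$, and the transformation of Fig. 3 ($\mathsf{pSign}$, $\mathsf{pVrfy}$, $\mathsf{Adapt}$, $\mathsf{Ext}$), then checks pre-signature correctness and Equations (1) and (2) on a preimage-sale flow. It assumes a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, far too small for real use), SHA-256 reduced mod $q$ as the random oracle, and the sign convention $f_{shift}(\tilde R, Y) = \tilde R \cdot Y$, $f_{adapt}(\tilde s, y) = \tilde s + y$, $f_{ext}(\tilde s, s) = s - \tilde s$, which follows the intuition stated above rather than a formula taken from the page.

```python
"""Schnorr from the ID scheme (IGen, P1, P2, V0) via the commitment-recoverable
Fiat-Shamir transform, plus the generic adaptor-signature transformation
aSIG_{ID,R} built from f_shift, f_adapt and f_ext (Example 1 of the paper)."""
import hashlib
import secrets

# Constructed toy group: the order-q subgroup of Z_p^* with p = 2q + 1.
# q = 1019 is far too small for real use; it only keeps the algebra readable.
P = 2039
Q = 1019
G = 4                       # 2^2 mod p is a quadratic residue, hence has order q


def H(R: int, m: bytes) -> int:
    """Random oracle H(R || m) into ChSet = Z_q, modelled with SHA-256."""
    data = R.to_bytes(2, "big") + m        # R < 2^16 in this toy group
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# ---- Schnorr identification scheme: IGen, P1, P2 and the recovery function V0 ----
def IGen():
    sk = secrets.randbelow(Q - 1) + 1      # sk in [1, q-1]
    return sk, pow(G, sk, P)               # pk = g^sk


def P1(sk):
    r = secrets.randbelow(Q - 1) + 1       # secret randomness
    return pow(G, r, P), r                 # commitment R = g^r, state St = r


def P2(sk, R, h, St):
    return (St + h * sk) % Q               # response s = r + h*sk


def V0(pk, h, s):
    """Recompute the commitment from (pk, h, s): g^s * pk^{-h}."""
    return pow(G, s, P) * pow(pk, (-h) % Q, P) % P


# ---- SIG_ID: Fiat-Shamir signature for a commitment-recoverable ID scheme (Fig. 2) ----
def Sign(sk, m):
    R, St = P1(sk)
    h = H(R, m)
    return h, P2(sk, R, h, St)


def Vrfy(pk, m, sig):
    h, s = sig
    return H(V0(pk, h, s), m) == h


# ---- Hard relation R = {(Y, y) : Y = g^y} and the three functions of Example 1 ----
def GenR():
    y = secrets.randbelow(Q - 1) + 1
    return pow(G, y, P), y


def f_shift(R_pre, Y):      # shift the public randomness in the group (assumed convention)
    return R_pre * Y % P


def f_adapt(s_pre, y):      # shift the secret randomness in the exponent (assumed convention)
    return (s_pre + y) % Q


def f_ext(s_pre, s):        # inverse of f_adapt(s_pre, .)
    return (s - s_pre) % Q


# ---- Generic transformation aSIG_{ID,R} (Fig. 3) ----
def pSign(sk, m, Y):
    R_pre, St = P1(sk)
    h = H(f_shift(R_pre, Y), m)            # challenge on the shifted commitment
    return h, P2(sk, R_pre, h, St)         # pre-signature (h, s~)


def pVrfy(pk, m, Y, pre):
    h, s_pre = pre
    return H(f_shift(V0(pk, h, s_pre), Y), m) == h


def Adapt(pk, pre, y):
    h, s_pre = pre
    return h, f_adapt(s_pre, y)            # full signature (h, s)


def Ext(pk, sig, pre, Y):
    (h, s), (h_pre, s_pre) = sig, pre
    if h != h_pre:
        return None                        # unrelated signature: nothing to extract
    y = f_ext(s_pre, s)
    return y if pow(G, y, P) == Y else None


def check_equations(pk, h, s_pre, Y, y):
    """Return (Eq. (1) holds, Eq. (2) holds) for the given values."""
    eq1 = f_shift(V0(pk, h, s_pre), Y) == V0(pk, h, f_adapt(s_pre, y))
    eq2 = f_ext(s_pre, f_adapt(s_pre, y)) == y
    return eq1, eq2


def preimage_sale(m=b"constructed spending transaction"):
    """Buyer pre-signs w.r.t. Y, seller adapts with y, buyer extracts y."""
    sk, pk = IGen()                        # buyer's keys
    Y, y = GenR()                          # seller's statement/witness
    pre = pSign(sk, m, Y)                  # buyer -> seller
    sig = Adapt(pk, pre, y)                # seller publishes the full signature
    return (pVrfy(pk, m, Y, pre), Vrfy(pk, m, sig), Ext(pk, sig, pre, Y) == y,
            check_equations(pk, pre[0], pre[1], Y, y))


if __name__ == "__main__":
    print(preimage_sale())                 # (True, True, True, (True, True))
```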
Theorem 2. Assume that SIG ID is a SUF-CMA-secure signature scheme transformed using Fig. 2, let f shift , f adapt and f ext be functions satisfying the relations from Equations (1) and (2), and R be a hard relation. Then the resulting aSIG ID,R scheme from the transformation in Fig. 3 is a secure adaptor signature scheme in the random oracle model.
Let us give first a high level overview of the proof. Our goal is to provide a reduction such that, given an adversary $\mathcal{A}$ who can win the experiment $\mathsf{aSigForge}_{\mathcal{A},\mathsf{aSIG}_{ID,R}}$, we can build a simulator who can win the strongSigForge experiment of the underlying signature or can break the hardness of the relation $R$. In the first case, we check if $\mathcal{A}$'s forgery $\sigma^*$ is equal to $\mathsf{Adapt}_{pk}(\tilde\sigma, y)$. If so, we use $\mathcal{A}$ to break the hardness of the relation $R$ by extracting the witness $y = \mathsf{Ext}(\sigma^*, \tilde\sigma, Y)$. Otherwise, $\mathcal{A}$ was able to forge a signature "unrelated" to the pre-signature provided to it. In this case, it is used to win the strongSigForge experiment. All that remains is to answer $\mathcal{A}$'s signing and pre-signing queries using strongSigForge's signing queries. This is done by programming the random oracle such that the full-signatures generated by the challenger in the strongSigForge game look like pre-signatures for $\mathcal{A}$.
Proof. We prove the theorem by defining a series of game hops. The modifications for each game hop are presented in code form in the full version of this paper [14].
Game $\mathbf{G}_0$: This game is the original aSigForge experiment, where the adversary $\mathcal{A}$ outputs a valid forgery $\sigma^*$ for a message $m^*$ of its choice, while having access to pre-signing and signing oracles $\mathcal{O}_{pS}$ and $\mathcal{O}_S$ respectively. Being in the random oracle model, all the algorithms of the scheme and the adversary have access to the random oracle $H$.
Game $\mathbf{G}_1$: This game works as $\mathbf{G}_0$ except that when the adversary outputs a forgery $\sigma^*$, the game checks if adapting the pre-signature $\tilde\sigma$ using the secret witness $y$ results in $\sigma^*$. If so, the game aborts.
Claim. Let $\mathsf{Bad}_1$ be the event where $\mathbf{G}_1$ aborts. Then $\Pr[\mathsf{Bad}_1] \le \nu_1(n)$, where $\nu_1$ is a negligible function in $n$.
Proof: This claim is proven by a reduction to the hardness of the relation $R$. We construct a simulator $\mathcal{S}$ which breaks the hardness of $R$ using an adversary $\mathcal{A}$ that causes $\mathbf{G}_1$ to abort with non-negligible probability. The simulator receives a challenge $Y^*$, and generates a key pair $(sk, pk) \leftarrow \mathsf{Gen}(1^n)$ in order to simulate $\mathcal{A}$'s queries to the oracles $H$, $\mathcal{O}_{pS}$ and $\mathcal{O}_S$. This simulation of the oracles works as described in $\mathbf{G}_1$. Upon receiving the challenge message $m^*$ from $\mathcal{A}$, $\mathcal{S}$ computes a pre-signature $\tilde\sigma \leftarrow \mathsf{pSign}_{sk}(m^*, Y^*)$ and returns the pair $(\tilde\sigma, Y^*)$ to the adversary. Upon $\mathcal{A}$ outputting a forgery $\sigma^*$ and assuming that $\mathsf{Bad}_1$ happened (i.e., $\mathsf{Adapt}(\tilde\sigma, y^*) = \sigma^*$ for the witness $y^*$ of $Y^*$), pre-signature correctness (Def. 2) implies that the simulator can extract $y^*$ by executing $\mathsf{Ext}(\sigma^*, \tilde\sigma, Y^*)$, thereby obtaining $(Y^*, y^*) \in R$.
We note that the views of $\mathcal{A}$ in this simulation and in $\mathbf{G}_1$ are indistinguishable, since the challenge $Y^*$ is an instance of the hard relation $R$ and has the same distribution as the public output of $\mathsf{GenR}$. Therefore, the probability that $\mathcal{S}$ breaks the hardness of $R$ is equal to the probability that the event $\mathsf{Bad}_1$ happens. Hence, we conclude that $\mathsf{Bad}_1$ only happens with negligible probability.
Game $\mathbf{G}_2$: This game is similar to the previous game except for a modification in the $\mathcal{O}_{pS}$ oracle. After the execution of $\mathsf{pSign}_{sk}$, the oracle obtains a pre-signature $\tilde\sigma$ from which it extracts the randomness $R_{pre} \leftarrow \mathsf{V}_0(pk, \tilde\sigma)$. The oracle computes $R_{sign} = f_{shift}(R_{pre}, Y)$ and checks if $H$ was already queried on the inputs $R_{pre}\|m$ or $R_{sign}\|m$ before the execution of $\mathsf{pSign}_{sk}$. In this case the game aborts.
Claim. Let $\mathsf{Bad}_2$ be the event that $\mathbf{G}_2$ aborts in $\mathcal{O}_{pS}$. Then $\Pr[\mathsf{Bad}_2] \le \nu_2(n)$, where $\nu_2$ is a negligible function in $n$.
Proof: We first recall that the output of $\mathsf{P}_1$ (i.e., $R_{pre}$) is uniformly random from a set whose size $q$ is super-polynomial in the security parameter. From this it follows that $R_{sign}$ is distributed uniformly at random in the same set. Furthermore, $\mathcal{A}$ being a PPT algorithm, it can only make polynomially many queries to the $H$, $\mathcal{O}_S$ and $\mathcal{O}_{pS}$ oracles. Since the total number of queries to $H$, $\mathcal{O}_S$ and $\mathcal{O}_{pS}$ is polynomial in the security parameter while $q$ is super-polynomial, the probability that one of these earlier queries hits $R_{pre}\|m$ or $R_{sign}\|m$ is negligible, which bounds $\Pr[\mathsf{Bad}_2]$ as claimed.
Since games $\mathbf{G}_2$ and $\mathbf{G}_1$ are identical except in the case where $\mathsf{Bad}_2$ occurs, it holds that $\Pr[\mathbf{G}_1 = 1] \le \Pr[\mathbf{G}_2 = 1] + \nu_2(n)$.
Game $\mathbf{G}_3$: In this game, upon a query to $\mathcal{O}_{pS}$, the game produces a full-signature instead of a pre-signature by executing $\mathsf{Sign}_{sk}$ instead of $\mathsf{pSign}_{sk}$. Accordingly, it programs the random oracle $H$ to make the full-signature "look like" a pre-signature from the point of view of the adversary $\mathcal{A}$. This is done as follows:
1. It sets $H(R_{pre}\|m)$ to the value stored at position $H(R_{sign}\|m)$.
2. It sets $H(R_{sign}\|m)$ to a fresh value chosen uniformly at random.
The above programming makes sense as our definition of $f_{shift}$ requires it to be deterministic and to possess the same domain and codomain with respect to the commitment set $D_{rand}$. Note further that $\mathcal{A}$ can only notice that $H$ was programmed if it was previously queried on either $R_{pre}\|m$ or $R_{sign}\|m$. But as described in the previous game, we abort if such an event happens. Hence, we have that $\Pr[\mathbf{G}_2 = 1] = \Pr[\mathbf{G}_3 = 1]$.
Game $\mathbf{G}_4$: In this game, we impose new checks during the challenge phase that are the same as the ones imposed in $\mathbf{G}_2$ during the execution of $\mathcal{O}_{pS}$.
Claim. Let Bad_3 be the event that G_4 aborts in the challenge phase. Then Pr[Bad_3] ≤ ν_3(n), where ν_3 is a negligible function in n.
Proof: The proof is identical to the proof in G_2.

Game G_5: Similar to game G_3, we generate a signature instead of a pre-signature in the challenge phase and program H such that the full signature looks like a correct pre-signature from A's point of view. We get Pr[G_5

Now that the transition from the original aSigForge experiment (game G_0) to game G_5 is indistinguishable, it only remains to show the existence of a simulator S that can perfectly simulate G_5 and uses A to win the strongSigForge game. The modifications from games G_1 to G_5 and the simulation in code form can be found in the full version of this paper [14].
We emphasize that the main differences between the simulation and game G_5 are syntactical. Namely, instead of generating the public and secret keys and computing the algorithm Sign_sk and the random oracle H, S uses its oracles SIG_ID and H_ID. Therefore, S perfectly simulates G_5. It remains to show that S can use the forgery output by A to win the strongSigForge game.
Proof: To prove this claim, we show that the tuple (m*, σ*) has not been returned by the oracle SIG_ID before. First note that A wins the experiment only if it has not queried O_pS or O_S on the challenge message m*. Therefore, SIG_ID is queried on m* only during the challenge phase. If A outputs a forgery σ* that is equal to the signature σ output by SIG_ID, it loses the game, since this signature is not valid given that H is programmed.
Hence, SIG_ID has never output σ* when queried on m* before, thus making (m*, σ*) a valid forgery for game strongSigForge. From . Combining this with the probability statement in G_0, we obtain the following: Pr[aSigForge_{A,aSIG_{ID,R}}(n) = 1] ≤ Pr[strongSigForge_{S^A,SIG_ID}(n) = 1] + ν(n). Recall that the negligible function ν_1(n), contained in the sum ν(n) above, precisely quantifies the adversary's advantage in breaking the hard relation R. Thus, the probability of breaking the unforgeability of aSIG_{ID,R} is bounded above by that of breaking either R or the strong unforgeability of SIG_ID.
This proof is very similar to the proof of Lemma 2, with the mere difference that we only need to provide a reduction to the strongSigForge experiment. This is because in the aWitExt_{A,aSIG_{Rg},SIG_ID} experiment, A provides the public value Y* and must forge a valid full signature σ* such that (Y*, Ext_pk(σ*, σ̃, Y*)) ∈ R. The full proof can be found in the full version of this paper [14].
Remark 2. We note that our proofs for aEUF-CMA security and witness extractability are in essence reductions to the strong unforgeability of the underlying signature schemes. Yet the Fiat-Shamir transformation does not immediately guarantee that the resulting signature scheme is strongly unforgeable. However, we first note that many such signature schemes are indeed strongly unforgeable; for instance, the Schnorr [25], Katz-Wang (from the Chaum-Pedersen identification scheme) [24] and Guillou-Quisquater [1] signature schemes all satisfy strong unforgeability. Moreover, one can transform any Fiat-Shamir based existentially unforgeable signature scheme into a strongly unforgeable one via the generic transformation of Bellare et al. [4].

Two-party Signatures with Aggregatable Public Keys from Identification Schemes
Before providing our definition and generic transformation for two-party adaptor signatures, we show how to generically transform signature schemes based on identification schemes into two-party signature schemes with aggregatable public keys, denoted by SIG_2. In Sec. 5, we then combine the techniques used in this section with those from Sec. 3 in order to generically transform identification schemes into two-party adaptor signature schemes. Informally, a SIG_2 scheme allows two parties to jointly generate a signature which can be verified under their combined public key. An application of such signature schemes can be found in cryptocurrencies, where two parties wish to allow only conditional payments such that both users have to sign a transaction in order to spend some funds. Using SIG_2, instead of submitting two separate signatures, the parties can submit a single signature while enforcing the same condition (i.e., a transaction must have a valid signature under the combined key) and hence reduce the communication with the blockchain. Importantly, and unlike threshold signature schemes, the key generation here is non-interactive. In other words, parties generate their public and secret keys independently, and anyone who knows both public keys can compute the joint public key of the two parties.
We use the notation Π^Func_{x_i,x_{1−i}} to represent a two-party interactive protocol Func between P_i and P_{1−i} with respective secret inputs x_i, x_{1−i} for i ∈ {0, 1}. Furthermore, if there are common public inputs, e.g., y_1, ..., y_n, we use the notation Π^Func_{x_i,x_{1−i}}(y_1, ..., y_n). We note that the execution of a protocol might not be symmetric, i.e., party P_i executes the procedures of Π^Func_{x_i,x_{1−i}} while party P_{1−i} executes the procedures of Π^Func_{x_{1−i},x_i}.

Two-party Signatures with Aggregatable Public Keys
We start by defining a two-party signature scheme with aggregatable public keys. Our definition is inspired by the definitions from prior works [8,26,7].

Definition 7 (Two-party Signature with Aggregatable Public Keys).
A two-party signature scheme with aggregatable public keys is a tuple of PPT protocols and algorithms SIG_2 = (Setup, Gen, Π^Sign, KAg, Vrfy), formally defined as:
Setup(1^n): is a PPT algorithm that on input a security parameter n, outputs public parameters pp.
Gen(pp): is a PPT algorithm that on input public parameters pp, outputs a key pair (sk, pk).
Π^Sign_{sk_i,sk_{1−i}}(pk_0, pk_1, m): is an interactive PPT protocol that on input secret keys sk_i from party P_i with i ∈ {0, 1} and common values m ∈ {0, 1}* and pk_0, pk_1, outputs a signature σ.
KAg(pk_0, pk_1): is a DPT algorithm that on input two public keys pk_0, pk_1, outputs an aggregated public key apk.
Vrfy_apk(m; σ): is a DPT algorithm that on input public parameters pp, a public key apk, a message m ∈ {0, 1}* and a signature σ, outputs a bit b.
The completeness property of SIG_2 guarantees that if the protocol Π^Sign is executed correctly between the two parties, the resulting signature is a valid signature under the aggregated public key.
A two-party signature scheme with aggregatable public keys should satisfy unforgeability. At a high level, this property guarantees that if one of the two parties is malicious, this party is not able to produce a valid signature under the aggregated public key without the cooperation of the other party. We formalize the property through an experiment SigForge^b_{A,SIG_2}, where b ∈ {0, 1} defines which of the two parties is corrupt. This experiment is initialized by a security parameter n and run between a challenger C and an adversary A, and proceeds as follows. The challenger first generates the public parameters pp by running the setup procedure Setup(1^n), as well as a signing key pair (sk_{1−b}, pk_{1−b}) by executing Gen(1^n), thereby simulating the honest party P_{1−b}. Thereafter, C forwards pp_C and pk_{1−b} to the adversary A, who generates its own key pair (sk_b, pk_b), thereby emulating the malicious party P_b, and submits (sk_b, pk_b) to C. The adversary A additionally obtains access to an interactive and stateful signing oracle O^b_ΠS, which simulates the honest party P_{1−b} during the execution of Π^Sign_{sk_{1−b},·} with A. Furthermore, every queried message m is stored in a query list Q.
Eventually, A outputs a forgery in the form of a SIG^ID_2 signature σ* and a message m*. A wins the experiment if σ* is a valid signature for m* under the aggregated public key apk := KAg(pk_0, pk_1) and m* was never queried before, i.e., m* ∉ Q. Below, we give a formal definition of the unforgeability game.
Definition 9 (2-EUF-CMA Security). A two-party, public-key aggregatable signature scheme SIG_2 is unforgeable if for every PPT adversary A there exists a negligible function ν such that:
where the experiment SigForge^b_{A,SIG_2}(n) is defined as follows:
Remark 3 (On the security definition). There are two different approaches for modeling signatures with aggregatable public keys in the literature, namely the plain public-key model [3] (also known as the key-verification model [12]) and the knowledge-of-secret-key (KOSK) model [7]. In the plain public-key setting the adversary chooses a key pair (sk_b, pk_b) and only declares the public key pk_b to the challenger in the security game. However, security proofs in this setting typically require rewinding techniques with the forking lemma. This is undesirable for the purpose of this paper, as we aim to construct adaptor signatures and their two-party variant generically as building blocks for further applications such as payment channels [2]. Payment channels are proven secure in the UC framework, which does not allow the use of rewinding techniques in order to ensure concurrency. Thus, the plain public-key model does not seem suitable for our purpose. In the KOSK setting, however, the adversary outputs its (possibly maliciously chosen) key pair (sk_b, pk_b) to the challenger. In practice this means that the parties need to exchange zero-knowledge proofs of knowledge of their secret keys. Similar to previous works [7,28], we do not require the forking lemma or rewinding in the KOSK setting and hence follow this approach.

Generic transformation from SIG_ID to SIG^ID_2
We now give a generic transformation from SIG_ID schemes to two-party signature schemes with aggregatable public keys. At a high level, our transformation turns the signing procedure into an interactive protocol which is executed between the two parties P_0, P_1. The main idea is to let both parties engage in a randomness exchange protocol in order to generate a joint public randomness which can then be used for the signing procedure. In a bit more detail, to create a joint signature, each party P_i for i ∈ {0, 1} can individually create a partial signature with respect to the joint randomness by using the secret key sk_i and exchange her partial signature with P_{1−i}. The joint randomness ensures that both partial signatures can be combined into one jointly computed signature.
In the following, we describe the randomness exchange protocol that is executed during the signing procedure in more detail, as our transformation heavily relies on it. The protocol, denoted by Π^Rand-Exc, makes use of two cryptographic building blocks, namely an extractable commitment scheme C = (Gen, Com, Dec, Extract) and a NIZK proof system NIZK = (Setup_R, Prove, Verify). Consequently, the common inputs to both parties P_0 and P_1 are the public parameters pp_C of the commitment scheme, while each party P_i takes as secret input her secret key sk_i. In the following, we give a description of the Π^Rand-Exc_{sk_0,sk_1}(pp_C, crs) protocol and present it concisely in Fig. 5.
1. Party P_0 generates her public randomness R_0 using algorithm P_1 from the underlying ID scheme, alongside a NIZK proof π_0 ← NIZK.Prove(crs, R_0, sk_0) that this computation was executed correctly with the corresponding secret value sk_0. P_0 executes (c, d) ← C.Com(pp, (R_0, π_0)) to commit to R_0 and π_0 and sends the commitment c to P_1.
2. Upon receiving the commitment c from P_0, party P_1 generates her public randomness R_1 using algorithm P_1. She also computes a NIZK proof π_1 ← NIZK.Prove(crs, R_1, sk_1), which proves correct computation of R_1, and sends R_1 and π_1 to P_0.
3. Upon receiving R_1 and π_1 from P_1, P_0 sends the opening d of her commitment c to P_1.
4. P_1 opens the commitment in this round. At this stage, both parties check that the received zero-knowledge proofs are valid. If the proofs are valid, each party
Our transformation can be found in Fig. 6. Note that we use a deterministic function f_com-rand(·, ·) in step 3 of the signing protocol, which combines the two public random values R_0 and R_1. In step 6 of the same protocol, we assume that the partial signatures are exchanged between the parties via the protocol Π^Exchange, upon which the parties can combine them using a deterministic function f_com-sig(·, ·) in step 7.
[Fig. 6 residue: KAg(pk_0, pk_1): 1: apk := f_com-pk(pk_0, pk_1); 2: return apk. Π^Sign_{sk_i,sk_{1−i}}(pk_i, pk_{1−i}, m): 1: Parse pk_i = ((1^n, pp_C, crs), pk_i) ...]
Further, a combined signature can be verified under the combined public key of the two parties. In more detail, to verify a combined signature under apk we require:
Pr[ Vrfy_apk(m; (h, s)) = 1 | (pk_0, sk_0) ← IGen(n), (pk_1, sk_1) ← IGen(n), (h, s) ← Π^Sign_{sk_0,sk_1}(pk_0, pk_1, m), apk := f_com-pk(pk_0, pk_1) ] = 1.   (4)
We also require that given a full signature and a secret key sk_i with i ∈ {0, 1}, it is possible to extract a valid partial signature under the public key pk_{1−i} of the other party. In particular, there exists a function f_dec-sig(·, ·, ·) such that:
Pr[ Vrfy_{pk_{1−i}}(m; (h, s_{1−i})) = 1 | (pk_0, sk_0) ← IGen(n), (pk_1, sk_1) ← IGen(n), (h, s) ← Π^Sign_{sk_0,sk_1}(pk_0, pk_1, m), s_{1−i} := f_dec-sig(sk_i, pk_i, (h, s)) ] = 1.   (5)
Note that Equations (4) and (5) implicitly define f_com-sig through the execution of Π^Sign in the conditional probabilities.
The instantiations of these functions for the Schnorr, Katz-Wang and Guillou-Quisquater signature schemes can be found in the full version of this paper [14].
We note the similarity between this transformation and that in Fig. 3. In particular, both of them compute the public randomness R_sign by shifting the original random values. Note also that running the algorithm V_0 on the inputs (pk_i, h, s_i) returns R_i for all i ∈ {0, 1}.
Below, we show that the transformation in Fig. 6 provides a secure two-party signature scheme with aggregatable public keys. To this end, we show that SIG^ID_2 satisfies SIG_2 completeness and unforgeability from Def. 8 and Def. 9, respectively.
Theorem 3. Assume that SIG_ID is a signature scheme based on the transformation from an identification scheme as per Fig. 2. Further, assume that the functions f_com-sig, f_com-pk and f_dec-sig satisfy the relations in Equations (4) and (5). Then the resulting SIG^ID_2 scheme from the transformation in Fig. 6 is a secure two-party signature scheme with aggregatable public keys in the random oracle model.
Proof. We prove this lemma by exhibiting a simulator S that breaks the unforgeability of the SIG_ID scheme if it has access to an adversary that can break the unforgeability of the SIG^ID_2 scheme. More precisely, we show a series of games, starting with the SigForge^b_{A,SIG_2} experiment, such that each game is computationally indistinguishable from the previous one. The last game is modified in such a way that the simulator can use the adversary's forgery to create its own forgery for the unforgeability game against the SIG_ID scheme.
To construct this simulator, we note that the Π^Rand-Exc protocol in Fig. 6 must satisfy two properties (similar to [27]). First, the commitment scheme must be extractable for the simulator, and second, the NIZK proof used must be simulatable. The reasons for these two properties become evident in the proof.
We prove Lemma 6 by separately considering the cases of the adversary corrupting party P_0 or party P_1, respectively.
Adversary corrupts P_0. In the following we give the security proof in case the adversary corrupts party P_0.

Game G_0: This is the regular SigForge^0_{A,SIG_2}(n) experiment, in which the adversary plays the role of party P_0. In the beginning of the game, the simulator generates the public parameters as pp ← Setup(1^n). Note that the Setup procedure, apart from computing crs ← NIZK.Setup_R(1^n), includes the execution of C.Gen, through which the simulator learns the trapdoor tr for the commitment scheme C. Further, S generates a fresh signing key pair (sk_1, pk_1) ← Gen(1^n), sends pp and pk_1 to A and receives the adversary's key pair (pk_0, sk_0). The simulator simulates the experiment honestly. In particular, it simulates the interactive signing oracle O^0_ΠS honestly by playing the role of party P_1.

Game G_1: This game proceeds exactly like the previous game, with a modification in the simulation of the signing oracle. Upon A initiating the signing protocol by calling the interactive signing oracle, S receives the commitment c to its public randomness R_0 from A. The simulator, using the trapdoor tr, then extracts a randomness R_0 ← C.Extract(pp, tr, c) and computes the joint randomness as R_sign ← f_com-rand(R_0, R_1). S honestly computes the zero-knowledge proof for its own randomness R_1 and sends it to A. Upon receiving the opening d to c from the adversary, S checks whether R_0 = C.Dec(pp, c, d). If this does not hold, S aborts; otherwise S continues to simulate the rest of the experiment honestly.
Claim. Let Bad_1 be the event that G_1 aborts in the signing oracle. Then we have Pr[Bad_1] ≤ ν_1(n), where ν_1 is a negligible function in n.
Proof: Note that game G_1 aborts only if the extracted value R_0 from commitment c is not equal to the actual committed value in c, i.e., if C.Extract(pp, tr, c) ≠ C.Dec(pp, c, d). By the extractability property of C this happens only with negligible probability. In other words, it holds that Pr[Bad_1] ≤ ν_1(n), where ν_1 is a negligible function in n.
Game G_2: This game proceeds as game G_1, with a modification to the signing oracle. Upon input message m, instead of generating its signature (h, s_0) with respect to the joint public randomness R_sign, the simulator generates it only with respect to its own randomness R_0. Further, the simulator programs the random oracle in the following way: as in the previous game, it computes the joint randomness R_sign and then programs the random oracle such that on input (R_sign, m) it returns h.
It is easy to see that this game is indistinguishable from G_1 if the adversary has not queried the random oracle on input (R_sign, m) before the signing query. If, however, the adversary has issued this random oracle query before the signing query (i.e., H(R_sign, m) ≠ ⊥), then the simulation aborts.
Claim. Let Bad_2 be the event that G_2 aborts in the signing oracle. Then we have Pr[Bad_2] ≤ ν_2(n), where ν_2 is a negligible function in n.
Proof: We first recall that the output of P_1 (i.e., R_pre) is uniformly random from a super-polynomial set of size q in the security parameter. From this it follows that R_sign is distributed uniformly at random in the same set. Furthermore, A being a PPT algorithm, it can only make polynomially many queries to the H and O_pS oracles. Denoting as the total number of queries to H and O_S, we have: Pr[Bad_2] = Pr[H(R_sign, m) ≠ ⊥] ≤ q ≤ ν_2(n). This follows from the fact that is polynomial in the security parameter.

Game G_3: In this game, the only modification compared to the previous game is that during the Setup procedure the simulator executes (\widetilde{crs}, τ) ← NIZK.Setup_R(1^n) instead of crs ← Setup_R(1^n), which allows the simulator to learn the trapdoor τ. Since the two distributions {crs : crs ← Setup_R(1^n)} and {\widetilde{crs} : (\widetilde{crs}, τ) ← Setup_R(1^n)} are indistinguishable to A except with negligible probability, we have that Pr[G_2

Game G_4: This game proceeds exactly like the previous game except that the simulator does not choose its own key pair, but rather uses its signing oracle from the EUF-CMA game to simulate the adversary's interactive signing oracle O^0_ΠS. More concretely, upon the adversary calling O^0_ΠS on message m, the simulator calls its own signing oracle, which provides a signature (h, s_1) for m under secret key sk_1. Note that the simulator knows neither sk_1 nor the secret randomness r_1 used in s_1. Therefore, the simulator has to additionally simulate the NIZK proof that proves knowledge of r_1 in s_1. More concretely, the simulator executes π_S ← S(\widetilde{crs}, τ, R_1), where R_1 is the public randomness used in s_1. Due to the fact that the distributions {π : π ← Prove(\widetilde{crs}, R_1, r_1)} and {π_S : π_S ← S(\widetilde{crs}, τ, R_1)} are indistinguishable to A except with negligible probability, it holds that Pr[G_3 where ν_4 is a negligible function in n.
It remains to show that the simulator can use a valid forgery output by A to break the unforgeability of the SIG_ID scheme.

Claim. A valid forgery (m*, (h*, s*)) output by A in game SigForge_{A,SIG^ID_2} can be transformed into a valid forgery (m*, (h*, s*_1)) in game SigForge_{S,SIG^ID}.
Proof: When A outputs a valid forgery (m*, (h*, s*)), S extracts the partial signature (h*, s*_1) by executing f_dec-sig(sk_0, pk_0, (h*, s*)) (from Eq. (5)). Note that the simulator knows the adversary's key pair (sk_0, pk_0). The simulator then submits (m*, (h*, s*_1)) as its own forgery to the EUF-CMA challenger. By definition, A wins its game only if it has not queried a signature on m* before. Thus, S has also not queried the EUF-CMA signing oracle on m* before. Further, Eq. (5) implies that (m*, (h*, s*_1)) is a valid forgery under the public key pk_1.
Adversary corrupts P_1. In case the adversary corrupts P_1, the simulator has to simulate P_0. The proof for this case follows exactly the same steps as above, with the exception that game G_1 is not required. This is because the simulator now plays the role of the committing party in the randomness exchange and hence does not have to extract A's randomness from the commitment c.

Two-party Aggregatable Adaptor Signatures
We are now ready to formally introduce the notion of two-party adaptor signatures with aggregatable public keys, which we denote by aSIG_2. Our definition can be seen as a combination of the definition of adaptor signatures from Sec. 3 and the definition of two-party signatures with aggregatable public keys from Sec. 4. Unlike single-party adaptor signatures, in aSIG_2 both parties have the role of the signer and generate pre-signatures cooperatively. Furthermore, both parties can adapt the pre-signature given a witness value y. We note that both the pre-signature and the full signature are valid under the aggregated public key of the two parties. We formally define an aSIG_2 scheme w.r.t. a SIG_2 scheme (which is in turn defined w.r.t. a SIG scheme) and a hard relation R.
Afterwards, we show how to instantiate our new definition. Concretely, we present a generic transformation that turns a SIG^ID_2 scheme with certain homomorphic properties into a two-party adaptor signature scheme. As a SIG^ID_2 scheme is constructed w.r.t. a SIG_ID scheme (cf. Sec. 4), the construction presented in this section can implicitly transform digital signatures based on ID schemes into two-party adaptor signatures.
The definition of a two-party adaptor signature scheme aSIG_2 is similar to the definition of a standard adaptor signature scheme as in Def. 1. The main difference lies in the pre-signature generation. Namely, the algorithm pSign is replaced by a protocol Π^pSign which is executed between two parties.
Definition 10 (Two-Party Adaptor Signature Scheme with Aggregatable Public Keys). A two-party adaptor signature scheme with aggregatable public keys is defined w.r.t. a hard relation R and a two-party signature scheme with aggregatable public keys SIG_2 = (Setup, Gen, Π^Sign, KAg, Vrfy). It is run between parties P_0, P_1 and consists of a tuple aSIG_2 = (Π^pSign, Adapt, pVrfy, Ext) of efficient protocols and algorithms, which are defined as follows:
Π^pSign_{sk_i,sk_{1−i}}(pk_0, pk_1, m, Y): is an interactive protocol that on input secret keys sk_i from party P_i with i ∈ {0, 1} and common values public keys pk_0, pk_1, message m ∈ {0, 1}* and statement Y ∈ L_R, outputs a pre-signature σ̃.
pVrfy_apk(m, Y; σ̃): is a DPT algorithm that on input an aggregated public key apk, a message m ∈ {0, 1}*, a statement Y ∈ L_R and a pre-signature σ̃, outputs a bit b.
Adapt_apk(σ̃, y): is a DPT algorithm that on input an aggregated public key apk, a pre-signature σ̃ and a witness y, outputs a signature σ.
Ext_apk(σ, σ̃, Y): is a DPT algorithm that on input an aggregated public key apk, a signature σ, a pre-signature σ̃ and a statement Y ∈ L_R, outputs a witness y such that (Y, y) ∈ R, or ⊥.
We note that in aSIG_2, the pVrfy algorithm enables public verifiability of the pre-signatures; e.g., aSIG_2 can be used in a three-party protocol where the third party needs to verify the validity of the generated pre-signature.
In the following, we formally define the properties that a two-party adaptor signature scheme with aggregatable public keys aSIG_2 has to satisfy. These properties are similar to the ones for single-party adaptor signature schemes. We start by defining two-party pre-signature correctness which, similarly to Def. 2, states that an honestly generated pre-signature and signature are valid, and that it is possible to extract a valid witness from them.
Finally, we define two-party witness extractability.
A two-party adaptor signature scheme with aggregatable public keys aSIG_2 is called secure if it satisfies 2-aEUF-CMA security, two-party pre-signature adaptability and two-party witness extractability.

Generic transformation from SIG^ID_2 to aSIG^{ID,R}_2

We now present our generic transformation to achieve two-party adaptor signature schemes with aggregatable public keys from identification schemes. In its essence, this transformation is a combination of the transformations presented in Figs. 3 and 6. More precisely, similar to the transformation from SIG_ID to aSIG_{ID,R} presented in Fig. 3, we assume the existence of functions f_shift, f_adapt and f_ext with respect to the relation R. We then make use of the Π^Rand-Exc protocol from the transformation in Fig. 6 to let the parties agree on the randomness that is going to be used during the pre-signing process. However, unlike the transformation in Fig. 6, the resulting randomness is shifted by a statement Y for relation R using the function f_shift. The transformation can be found in Fig. 7.
Theorem 4. Assume that SIG_ID is an SUF-CMA-secure signature scheme transformed using Fig. 2. Let f_shift, f_adapt and f_ext be functions satisfying the relations from Equations (1) and (2), and let R be a hard relation. Further, assume that f_com-sig, f_com-pk and f_dec-sig satisfy the relations from Equations (4) and (5).
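As an added worked example (not code from the paper or its authors), the following pure-Python block instantiates the transformations of Fig. 6 and Fig. 7 for Schnorr signatures over secp256k1, where all the required functions are additive: f_com-pk, f_com-rand and f_com-sig are point or scalar addition, f_dec-sig subtracts h·sk_i from the joint s-value, and f_shift, f_adapt and f_ext are the additive functions for the hard relation R = {(Y, y) : Y = y·G}. Signatures use the (h, s) form of Fig. 2, so V_0 recovers the commitment R from (h, s). The commitment and NIZK steps of Π^Rand-Exc are assumed to have run honestly and are not implemented; both parties' randomness is simply drawn inside one function, and all function and variable names are this example's own. demo() checks Equations (4) and (5), that a pre-signature passes pVrfy but not Vrfy, that adapting with y yields a signature valid under apk, and that f_ext recovers y.

```python
import hashlib
import secrets

# secp256k1 domain parameters: field prime, group order, generator.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def H(R, m):
    """Random oracle H(R, m) -> Z_N of the Fiat-Shamir transform."""
    data = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def gen():
    """Gen: non-interactive key generation, (sk, pk = sk*G)."""
    sk = secrets.randbelow(N - 1) + 1
    return sk, mul(sk, G)

def v0(pk, h, s):
    """V_0 of the Schnorr ID scheme: recover the commitment R = s*G - h*pk."""
    return add(mul(s, G), mul(N - h, pk))

def verify(pk, m, sig):
    """Vrfy_pk(m; (h, s)): accept iff H(V_0(pk, h, s), m) == h."""
    h, s = sig
    return H(v0(pk, h, s), m) == h

# Fig. 6 functions instantiated for Schnorr: keys, commitments and s-values
# all combine additively, which is the homomorphism the transformation uses.
f_com_pk = add                                   # apk = pk0 + pk1
f_com_rand = add                                 # R_sign = R0 + R1
def f_com_sig(s0, s1):                           # s = s0 + s1
    return (s0 + s1) % N

def f_dec_sig(sk_i, pk_i, sig):
    """Eq. (5): from (h, s) and P_i's key, a signature valid under pk_{1-i}."""
    h, s = sig
    return (h, (s - h * sk_i) % N)

# Fig. 3 / Fig. 7 functions for the hard relation R = {(Y, y) : Y = y*G}.
f_shift = add                                    # R_pre -> R_pre + Y
def f_adapt(s_pre, y):                           # s = s_pre + y
    return (s_pre + y) % N
def f_ext(s, s_pre):                             # y = s - s_pre
    return (s - s_pre) % N

def two_party_presign(sk0, sk1, m, Y=None):
    """Pi_pSign of Fig. 7; with Y=None it is Pi_Sign of Fig. 6 (assumption:
    the commitment/NIZK steps of Pi_Rand-Exc ran honestly, so both parties'
    randomness is simply drawn here)."""
    r0, r1 = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    R_sign = f_com_rand(mul(r0, G), mul(r1, G))
    h = H(R_sign if Y is None else f_shift(R_sign, Y), m)
    s0 = (r0 + h * sk0) % N                      # P0's partial (pre-)signature
    s1 = (r1 + h * sk1) % N                      # P1's partial (pre-)signature
    return (h, f_com_sig(s0, s1))

def pre_verify(apk, m, Y, pre):
    """pVrfy_apk(m, Y; (h, s~)): shift the recovered commitment by Y first."""
    h, s = pre
    return H(f_shift(v0(apk, h, s), Y), m) == h

def demo(m=b"constructed test message"):
    """Checks Eqs. (4)/(5) and the adaptor properties; True iff all hold."""
    (sk0, pk0), (sk1, pk1) = gen(), gen()
    apk = f_com_pk(pk0, pk1)
    sig = two_party_presign(sk0, sk1, m)
    eq4 = verify(apk, m, sig) and not verify(apk, b"other", sig)
    eq5 = (verify(pk1, m, f_dec_sig(sk0, pk0, sig))
           and verify(pk0, m, f_dec_sig(sk1, pk1, sig)))
    y, Y = gen()                                 # witness/statement of R
    pre = two_party_presign(sk0, sk1, m, Y)
    adaptable = pre_verify(apk, m, Y, pre) and not verify(apk, m, pre)
    full = (pre[0], f_adapt(pre[1], y))
    return (eq4 and eq5 and adaptable and verify(apk, m, full)
            and f_ext(full[1], pre[1]) == y)
```

The f_dec_sig check is the step the proof of Theorem 3 relies on: the partial signature (h, s − h·sk_0) verifies under pk_1 with respect to the joint randomness R_sign, not P_1's own R_1, which is exactly why the simulator has to program H(R_sign, m) in game G_2.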
In order to prove Thm. 4, we must show that aSIG^{ID,R}_2 satisfies the pre-signature correctness, 2-aEUF-CMA security, pre-signature adaptability and witness extractability properties as described in Defs. 11 to 14, respectively. We provide the full proofs of the following lemmas in the full version of this paper [14] and only mention the intuition behind the proofs here. As mentioned in the introduction of this work, despite the fact that aSIG^{ID,R}_2 is constructed from SIG^ID_2, we require only SIG_ID to be SUF-CMA-secure in order to prove 2-aEUF-CMA security for aSIG^{ID,R}_2.
The proof of Lemma 7 follows directly from Equations (1) to (3) and the correctness of SIG_2 from Lemma 5.
Proof Sketch: In a nutshell, the proof of this lemma is a combination of the proofs of Lemmas 2 and 6, i.e., the proof is done by a reduction to the hardness of the relation R and the SUF-CMA security of the underlying signature scheme. During the signing process, the challenger queries its SUF-CMA signing oracle and receives a signature σ. As in the proof of Lemma 6, the challenger programs the random oracle such that σ appears like a signature generated with the combined randomness of the challenger and the adversary. Simulating the pre-signing process is similar, with the exception that before programming the random oracle, the randomness must be shifted using the function f_shift. Finally, the challenger and the adversary generate a pre-signature σ̃* = (h, s̃) on the challenge message m* and the adversary outputs the forgery σ* = (h, s). If f_ext(s, s̃) returns the y generated by the challenger, then, as in the proof of Lemma 2, the hardness of the relation R can be broken. Otherwise, using f_dec-sig, it is possible to use the forgery provided by the adversary to extract a forgery for the SUF-CMA game.
Proof Sketch: The proof of Lemma 10 is very similar to the proof of Lemma 8, except that the adversary now chooses Y and thus no reduction to the hardness of the relation R is needed.