Paper 2024/1704

From One-Time to Two-Round Reusable Multi-Signatures without Nested Forking

Lior Rotem, Stanford University
Gil Segev, Hebrew University of Jerusalem
Eylon Yogev, Bar-Ilan University
Abstract

Multi-signature schemes are gaining significant interest due to their blockchain applications. Of particular interest are two-round schemes in the plain public-key model that offer key aggregation, and whose security is based on the hardness of the DLOG problem. Unfortunately, despite substantial recent progress, the security proofs of the proposed schemes provide rather insufficient concrete guarantees (especially for 256-bit groups). This frustrating situation has so far been approached either by relying on the security of seemingly stronger assumptions or by considering restricted classes of attackers (e.g., algebraic attackers, which are assumed to provide an algebraic justification of each group element that they produce). We present a complementing approach by constructing multi-signature schemes that satisfy two relaxed notions of security, whose applicability nevertheless ranges from serving as drop-in replacements to enabling expressive smart contract validation procedures. Our first notion, one-time unforgeability, extends the analogous single-signer notion by considering attackers that obtain a single signature for some message and set of signers of their choice. We construct a non-interactive one-time scheme based on any ring-homomorphic one-way function, admitting efficient instantiations based on the DLOG and RSA assumptions. Aggregated verification keys and signatures consist of two group elements and a single group element, respectively, and our security proof consists of a single application of the forking lemma (thus avoiding the substantial security loss exhibited by the proposed two-round schemes). Additionally, we demonstrate that our scheme naturally extends to a $t$-time scheme, where aggregated verification keys consist of $t+1$ group elements, while aggregated signatures still consist of a single group element. Our second notion, single-set unforgeability, considers attackers that obtain any polynomial number of signatures but are restricted to a single set of signers of their choice. We transform any non-interactive one-time scheme into a two-round single-set scheme via a novel forking-free construction that extends the seminal Naor-Yung tree-based approach to the multi-signer setting. Aggregated verification keys are essentially identical to those of the underlying one-time scheme, and the length of aggregated signatures is determined by that of the underlying scheme while scaling linearly with the length of messages (noting that long messages can always be hashed using a collision-resistant function). Instantiated with our one-time scheme, we obtain aggregated verification keys and signatures whose lengths are completely independent of the number of signers.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
A major revision of an IACR publication in TCC 2024
Contact author(s)
lrotem @ cs stanford edu
segev @ cs huji ac il
eylon yogev @ biu ac il
History
2024-10-21: approved
2024-10-18: received
See all versions
Short URL
https://ia.cr/2024/1704
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1704,
      author = {Lior Rotem and Gil Segev and Eylon Yogev},
      title = {From One-Time to Two-Round Reusable Multi-Signatures without Nested Forking},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1704},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1704}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.