Paper 2024/1809

Foundations of Adaptor Signatures

Paul Gerhart, TU Wien
Dominique Schröder, TU Wien, Friedrich-Alexander-Universität Erlangen-Nürnberg
Pratik Soni, University of Utah
Sri AravindaKrishnan Thyagarajan
Abstract

Adaptor signatures extend the functionality of regular signatures through the computation of pre-signatures on messages for statements of NP relations. Pre-signatures are publicly verifiable; they simultaneously hide and commit to a signature of an underlying signature scheme on that message. Anybody possessing a corresponding witness for the statement can adapt the pre-signature to obtain the "regular" signature. Adaptor signatures have found numerous applications for conditional payments in blockchain systems, like payment channels (CCS'20, CCS'21), private coin mixing (CCS'22, SP'23), and oracle-based payments (NDSS'23).

In our work, we revisit the state of the security of adaptor signatures and their constructions. In particular, our two main contributions are:

- Security Gaps and Definitions: We review the widely-used security model of adaptor signatures due to Aumayr et al. (ASIACRYPT'21) and identify gaps in their definitions that render known protocols for private coin-mixing and oracle-based payments insecure. We give simple counterexamples of adaptor signatures that are secure w.r.t. their definitions but result in insecure instantiations of these protocols. To fill these gaps, we identify a minimal set of modular definitions that align with these practical applications.

- Secure Constructions: Despite their popularity, all known constructions are (1) derived from identification schemes via the Fiat-Shamir transform in the random oracle model or (2) require modifications to the underlying signature verification algorithm, thus making the construction useless in the setting of cryptocurrencies. More concerningly, all known constructions were proven secure w.r.t. the insufficient definitions of Aumayr et al., leaving us with no provably secure adaptor signature scheme to use in applications. Firstly, in this work, we salvage all current applications by proving the security of the widely-used Schnorr adaptor signatures under our proposed definitions. We then provide several new constructions, including presenting the first adaptor signature schemes for Camenisch-Lysyanskaya (CL), Boneh-Boyen-Shacham (BBS+), and Waters signatures, all of which are proven secure in the standard model. Our new constructions rely on a new abstraction of digital signatures, called dichotomic signatures, which covers the essential properties we need to build adaptor signatures. Proving the security of all constructions (including identification-based schemes) relies on a novel non-black-box proof technique. Both our digital signature abstraction and the proof technique could be of independent interest to the community.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
A major revision of an IACR publication in EUROCRYPT 2024
DOI
10.1007/978-3-031-58723-8_6
Keywords
Enhanced Signatures, Adaptor Signatures, Non-black Box Reduction, Standard Model, CL, BBS+, Waters, Schnorr
Contact author(s)
mail @ paul-gerhart de
History
2024-11-08: approved
2024-11-05: received
Short URL
https://ia.cr/2024/1809
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1809,
      author = {Paul Gerhart and Dominique Schröder and Pratik Soni and Sri AravindaKrishnan Thyagarajan},
      title = {Foundations of Adaptor Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1809},
      year = {2024},
      doi = {10.1007/978-3-031-58723-8_6},
      url = {https://eprint.iacr.org/2024/1809}
}