Paper 2024/1920

An Extended Hierarchy of Security Notions for Threshold Signature Schemes and Automated Analysis of Protocols That Use Them

Cas Cremers, CISPA Helmholtz Center for Information Security
Aleksi Peltonen, CISPA Helmholtz Center for Information Security
Mang Zhao, Independent Researcher
Abstract

Despite decades of work on threshold signature schemes, there is still limited agreement on their desired properties and threat models. In this work we significantly extend and repair previous work to give a unified syntax for threshold signature schemes and a new hierarchy of security notions for them. Moreover, our new hierarchy allows us to develop an automated analysis approach for protocols that use threshold signatures, which can discover attacks on protocols that exploit the details of the security notion offered by the used scheme, which can help choose the correct security notion (and scheme that fulfills it) that is required for a specific protocol. Unlike prior work, our syntax for threshold signatures covers both non-interactive and interactive signature schemes with any number of key generation and signing rounds, and our hierarchy of security notions additionally includes elements such as various types of corruption and malicious key generation. We show the applicability of our hierarchy by selecting representative threshold signature schemes from the literature, extracting their core security features, and categorizing them according to our hierarchy. As a side effect of our work, we show through a counterexample that a previous attempt at building a unified hierarchy of unforgeability notions does not meet its claimed ordering, and show how to repair it without further restricting the scope of the definitions. Based on our syntax and hierarchy, we develop the first systematic, automated analysis method for higher-level protocols that use threshold signatures. We use a symbolic analysis framework to abstractly model threshold signature schemes that meet security notions in our hierarchy, and implement this in the Tamarin prover. Given a higher-level protocol that uses threshold signatures, and a security notion from our hierarchy, our automated approach can find attacks on such protocols that exploit the subtle differences between elements of our hierarchy. Our approach can be used to formally analyze the security implications of implementing different threshold signature schemes in higher-level protocols.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Preprint.
Keywords
Threshold SignaturesUnforgeabilityFormal VerificationSecurity NotionMalicious Key GenerationAutomated Analysis
Contact author(s)
cremers @ cispa de
aleksi peltonen @ cispa de
mang zhao @ hotmail com
History
2024-11-29: approved
2024-11-26: received
See all versions
Short URL
https://ia.cr/2024/1920
License
Creative Commons Attribution-ShareAlike
CC BY-SA

BibTeX 

@misc{cryptoeprint:2024/1920,
      author = {Cas Cremers and Aleksi Peltonen and Mang Zhao},
      title = {An Extended Hierarchy of Security Notions for Threshold Signature Schemes and Automated Analysis of Protocols That Use Them},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1920},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1920}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.