Paper 2025/638

Round-Efficient Adaptively Secure Threshold Signatures with Rewinding

Yanbo Chen, University of Ottawa
Abstract

A threshold signature scheme allows distributing a signing key to $n$ users, such that any $t$ of them can jointly sign, but any $t-1$ cannot. It is desirable to prove adaptive security of threshold signature schemes, which considers adversaries that can adaptively corrupt honest users even after interacting with them. For a class of signatures that relies on security proofs with rewinding, such as Schnorr signatures, proving adaptive security entails significant challenges. This work proposes two threshold signature schemes that are provably adaptively secure with rewinding proofs. Our proofs are solely in the random oracle model (ROM), without relying on the algebraic group model (AGM). - We give a 3-round scheme based on the algebraic one-more discrete logarithm (AOMDL) assumption. The scheme outputs a standard Schnorr signature. - We give a 2-round scheme based on the DL assumption. Signatures output by the scheme contain one more scalar than a Schnorr signature. We follow the recent work by Katsumata, Reichle, and Takemure (Crypto 2024) that proposed the first threshold signature scheme with a rewinding proof of full adaptive security. Their scheme is a 5-round threshold Schnorr scheme based on the DL assumption. Our results significantly improve the round complexity. The protocol by Katsumata, Reichle, and Takemure can be viewed as applying a masking technique to Sparkle, a threshold Schnorr signature scheme by Crites, Komlo, and Maller (Crypto 2023). This work shows wider applications of the masking technique. Our first scheme is obtained by masking FROST, a threshold Schnorr protocol by Komlo and Goldberg (SAC 2020). The second scheme is obtained by masking a threshold version of HBMS, a multi-signature scheme by Bellare and Dai (Asiacrypt 2021). Katsumata, Reichle, and Takemure masked Sparkle at the cost of 2 additional rounds. Our main insight is that this cost varies across schemes, especially depending on how to simulate signing in the security proofs. The cost is 1 extra round for our first scheme, and is 0 for our second scheme.

Note: Added discussion of concurrent work; fixed typos.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published by the IACR in CIC 2025
Keywords
Threshold SignatureAdaptive SecuritySchnorr Signature
Contact author(s)
ychen918 @ uottawa ca
History
2025-06-17: revised
2025-04-08: received
See all versions
Short URL
https://ia.cr/2025/638
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/638,
      author = {Yanbo Chen},
      title = {Round-Efficient Adaptively Secure Threshold Signatures with Rewinding},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/638},
      year = {2025},
      url = {https://eprint.iacr.org/2025/638}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.