Okamoto Beats Schnorr: On the Provable Security of Multi-Signatures

A multisignature scheme allows a group of signers to collaboratively sign a message, creating a single signature that convinces a verifier that every individual signer approved the message. The increased interest in technologies to decentralize trust has triggered the proposal of two highly efficient Schnorr-based multisignature schemes designed to scale up to thousands of signers, namely CoSi by Syta et al. (S&P 2016) and MuSig by Maxwell et al. (ePrint 2018). The MuSig scheme was presented with a proof under the one-more discrete-logarithm assumption, while the provable security of CoSi has so far remained an open question. In this work, we prove that CoSi and MuSig cannot be proved secure without radically departing from currently known techniques (and point out a flaw in the proof of MuSig). We then present DG-CoSi, a double-generator variant of CoSi based on the Okamoto (multi)signature scheme, and prove it secure under the discrete-logarithm assumption in the random-oracle model. Our experiments show that the second generator in DG-CoSi barely affects scalability compared to CoSi, allowing 8192 signers to collaboratively sign a message in under 1.5 seconds, making it a highly practical and provably secure alternative for large-scale deployments.
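The following is an added illustration, not code from the paper and not an implementation of DG-CoSi itself (the abstract does not spell out its protocol). It models, over a toy group, the two signature equations the abstract contrasts: a single-generator Schnorr multisignature in which cosigners' commitments, public keys and responses are simply multiplied or added together, as in CoSi, and the Okamoto double-generator form (key G^x H^y, response pair z1, z2) that DG-CoSi builds on. The group parameters, the SHA-256 challenge derivation, the flat one-round aggregation (no tree), and the assumption of honest signers with no rogue-key defense are all choices made for readability here, not properties of the schemes in the paper.

```python
"""Toy Schnorr vs Okamoto (double-generator) multisignatures.

Added illustration only: honest signers, flat aggregation, toy-sized
parameters, no rogue-key or proof-of-possession handling.  Do not deploy.
"""
import hashlib
import secrets

# Toy Schnorr group: P = 2*Q + 1 with Q prime, so every quadratic residue
# other than 1 has order Q.  G = 2^2 and H = 3^2 are such residues.
# Real deployments need a full-size group and an H whose log_G(H) is
# unknown (e.g. derived by hashing into the group).
P = 2039
Q = 1019
G = 4
H = 9


def _challenge(R: int, X: int, msg: bytes) -> int:
    """Fiat-Shamir challenge c = SHA256(R || X || m) reduced mod Q."""
    data = R.to_bytes(4, "big") + X.to_bytes(4, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def _rand() -> int:
    """Uniform secret scalar in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def _aggregate_keys(keys) -> int:
    """Naive key aggregation: product of all public keys (rogue-key prone)."""
    X_agg = 1
    for _, X in keys:
        X_agg = X_agg * X % P
    return X_agg


# --- Schnorr, single generator: pk = G^x ----------------------------------

def schnorr_keygen():
    x = _rand()
    return x, pow(G, x, P)


def schnorr_multisign(keys, msg: bytes):
    """keys: list of (x, X) held by the cosigners.  Returns (X_agg, (R, z))."""
    X_agg = _aggregate_keys(keys)
    nonces = [_rand() for _ in keys]
    R = 1
    for r in nonces:                      # R = prod G^{r_i} = G^{sum r_i}
        R = R * pow(G, r, P) % P
    c = _challenge(R, X_agg, msg)         # one common challenge for all signers
    z = 0
    for r, (x, _) in zip(nonces, keys):   # each signer: z_i = r_i + c*x_i
        z = (z + r + c * x) % Q
    return X_agg, (R, z)


def schnorr_verify(X_agg: int, msg: bytes, sig) -> bool:
    R, z = sig
    c = _challenge(R, X_agg, msg)
    return pow(G, z, P) == R * pow(X_agg, c, P) % P


# --- Okamoto, double generator: pk = G^x * H^y ----------------------------

def dg_keygen():
    x, y = _rand(), _rand()
    return (x, y), pow(G, x, P) * pow(H, y, P) % P


def dg_multisign(keys, msg: bytes):
    """keys: list of ((x, y), X).  Returns (X_agg, (R, z1, z2))."""
    X_agg = _aggregate_keys(keys)
    nonces = [(_rand(), _rand()) for _ in keys]
    R = 1
    for r, s in nonces:                   # R = prod G^{r_i} H^{s_i}
        R = R * pow(G, r, P) * pow(H, s, P) % P
    c = _challenge(R, X_agg, msg)
    z1 = z2 = 0
    for (r, s), ((x, y), _) in zip(nonces, keys):
        z1 = (z1 + r + c * x) % Q         # response on the G component
        z2 = (z2 + s + c * y) % Q         # response on the H component
    return X_agg, (R, z1, z2)


def dg_verify(X_agg: int, msg: bytes, sig) -> bool:
    R, z1, z2 = sig
    c = _challenge(R, X_agg, msg)
    return pow(G, z1, P) * pow(H, z2, P) % P == R * pow(X_agg, c, P) % P


if __name__ == "__main__":
    signers = [dg_keygen() for _ in range(8)]
    X, sig = dg_multisign(signers, b"block header")  # constructed sample message
    print("DG multisig valid:", dg_verify(X, b"block header", sig))
```

The cost the abstract refers to is visible in the code: the double-generator variant doubles the secret material, the per-signer nonce and the response, but the verifier still checks a single equation and the signature grows by one scalar, which is why the second generator barely affects scalability.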

[1] Silvio Micali et al. Accountable-subgroup multisignatures: extended abstract. CCS 2001.

[2] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 2000.

[3] Robert H. Deng et al. Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr., 2010.

[4] Michael J. Fischer et al. Scalable Bias-Resistant Distributed Randomness. 2017 IEEE Symposium on Security and Privacy (SP).

[5] Yannick Seurin et al. Simple Schnorr multi-signatures with applications to Bitcoin. Designs, Codes and Cryptography, 2019.

[6] Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. 2009.

[7] Mihir Bellare et al. Multi-signatures in the plain public-key model and a general forking lemma. CCS 2006.

[8] Bryan Ford et al. Proof-of-Personhood: Redemocratizing Permissionless Cryptocurrencies. 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).

[9] K. Itakura et al. A public-key cryptosystem suitable for digital multisignatures. 1983.

[10] David Wolinsky et al. Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning. 2016 IEEE Symposium on Security and Privacy (SP).

[11] Bryan Ford et al. OmniLedger: A Secure, Scale-Out, Decentralized Ledger. IACR Cryptol. ePrint Arch., 2017.

[12] Chanathip Namprempre et al. The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme. Journal of Cryptology, 2003.

[13] Bryan Ford et al. Enhancing Bitcoin Security and Performance with Strong Consistency via Collective Signing. USENIX Security Symposium, 2016.

[14] Alexandra Boldyreva et al. Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme. 2002.

[15] Claus-Peter Schnorr et al. Efficient signature generation by smart cards. Journal of Cryptology, 1991.

[16] Justin Cappos et al. CHAINIAC: Proactive Software-Update Transparency via Collectively Signed Skipchains and Verified Builds. USENIX Security Symposium, 2017.

[17] Stanislaw Jarecki et al. Multisignatures Using Proofs of Secret Key Possession, as Secure as the Diffie-Hellman Problem. SCN 2008.

[18] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT 1997.

[19] Rafail Ostrovsky et al. Sequential Aggregate Signatures and Multisignatures Without Random Oracles. EUROCRYPT 2006.

[20] Pascal Paillier et al. Discrete-Log-Based Signatures May Not Be Equivalent to Discrete Log. ASIACRYPT 2005.

[21] Tatsuaki Okamoto et al. Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes. CRYPTO 1992.

[22] Boaz Barak et al. Non-black-box Techniques in Cryptography. CSR 2006.

[23] Thomas Ristenpart et al. The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks. EUROCRYPT 2007.

[24] Patrick Horster et al. On the Risk of Disruption in Several Multiparty Signature Schemes. ASIACRYPT 1996.

[25] Jung Hee Cheon et al. Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. CCS 2008.

[26] Anna Lysyanskaya et al. On the Security of One-Witness Blind Signature Schemes. ASIACRYPT 2013.

[27] Gregory Neven et al. Hash function requirements for Schnorr signatures. J. Math. Cryptol., 2009.

[28] Dan Boneh et al. Breaking RSA May Not Be Equivalent to Factoring. EUROCRYPT 1998.

[29] Mihir Bellare et al. GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks. CRYPTO 2002.

[30] Kazuo Ohta et al. A Digital Multisignature Scheme Based on the Fiat-Shamir Scheme. ASIACRYPT 1991.