Two-round trip Schnorr multi-signatures via delinearized witnesses

Handan Kilinc Alper and Jeffrey Burdges

We introduce a new m-entwined ROS problem that tweaks the random inhomogeneities in an overdetermined solvable system of linear equations (ROS) problem in a scalar field using an associated group. We prove hardness of the 2-entwined ROS-like problem in AGM plus ROM, assuming DLOG hardness in the associated group. Assuming AGM plus ROM plus KOSK and OMDL, we then prove security for a two-round trip Schnorr multi-signature protocol DWMS that creates its witness, aka nonce, by delinearizing two pre-witnesses supplied by each signer. At present, DWMS and MuSig-DN are the only known provably secure two-round Schnorr multi-signatures, or equivalently threshold Schnorr signatures.

All cryptographic schemes have nasty footguns underneath the surface. If a scheme matures properly, these become hidden away, either behind the interfaces to cryptographic libraries or, preferably, by the underlying protocol being made misuse resistant. Yet growing up is hard. Increased operational security demands have driven a growth spurt in multi-signer implementations for signature schemes, including Schnorr. At their core, any multi-signer scheme should protect each individual participating honest signer against forgeries by an adversary who controls all other signers and interacts extensively with our one honest signer. Yet in [7], Drijvers et al. broke all previously known multi-signer Schnorr protocols, using the traumatic ROS or k-SUM lesson that nearly killed blind Schnorr signatures. In short, there are forgery attacks against the known two round trip Schnorr signing protocols [1,11,17,12] that work if the adversary engages in enough parallel signing sessions. In theory, deployments could forbid parallel signing sessions, but footguns abound, and include such horrors as warning users not to place related keys on too many machines.

After [7], one required a three round trip signing protocol in which parties first commit to their witness share, second reveal their witness share, and third send their signature share. Although misuse resistant, an extra round trip brings deployment problems too, so some protocol designers continue making ad hoc arguments that their deployments remain unaffected.

We propose an extremely simple and lightweight two-round multi-signer Schnorr protocol, called delinearized witness multi-signatures (DWMS): first, all signers propose two pre-witness curve points; second, after obtaining all pre-witnesses, all signers compute the shared witness by delinearizing these pre-witnesses with a random oracle and produce their signature share using their portion of the combined witness. We have since January 2020 provided our delinearized witness protocol as an option for multi-signatures in the schnorrkel/sr25519 [4] signature scheme used by Substrate-based blockchains.

In this work, we give a security proof for DWMS in the algebraic group model (AGM) [8], under a knowledge of secret key (KOSK) assumption for the adversary, and assuming hardness of the one-more discrete logarithm (OMDL) problem [7, Definition 2]. We deduce that 2-DWMS is secure in the generic group model (GGM) because OMDL is hard in GGM by [6, Table 2 or §5]. Along the way, we introduce the 2-entwined ROS problem that captures the mathematical problem underlying DWMS, and prove its hardness in AGM.

Aside from DWMS, MuSig-DN [13] is the only other Schnorr multi-signature protocol with a security proof. MuSig-DN provides deterministic witnesses, a lovely property previously unavailable in a Schnorr multi-signature. It achieves determinism using several beautiful and novel bulletproof optimizations. In MuSig-DN, the first round messages require only 1124 bytes per signer, but their participant-only benchmarks show 0.9 second proving times. MuSig-DN requires no additional hardness assumptions, but exploits features bespoke to the secp256k1 curve. In DWMS, all signers incur a per-signer cost of only 64 bytes and only two scalar multiplications. DWMS requires the AGM+OMDL hardness assumptions, but asks no special features of the underlying group. DWMS permits agreement upon the message during the second round. Also, DWMS is extremely simple, next to the underlying multi-signature implementation. Yet, our second round message agreement comes with the cost that DWMS implementations should prevent witnesses being reused or even saved on disk. MuSig-DN avoids this with determinism.

We break the paper down as follows: In §1, we introduce the DWMS multi-signer protocol and discuss some related concerns. In §2, we introduce the entwined ROS problem and discuss related work on the ROS problem and security proofs for multi-signatures. We refer the reader to [7] for a deeper discussion of past multi-signature protocols. In §3, we recall the algebraic group model (AGM) and introduce doing linear algebra in this model. After these preliminary sections, we prove hardness of the entwined ROS problem in §4, largely by doing a modified Gaussian elimination in augmented matrices built from non-independent random oracles in AGM. We prove DWMS secure in §5 using a direct reduction to OMDL in AGM. We abuse AGM aggressively in this argument as well, so it remains an open question to reduce DWMS to OMDL, assuming hardness of the entwined ROS problem or similar, but only using more common techniques.
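The two-round protocol described above, as an added worked example written for this page (it is neither the paper's specification nor the schnorrkel/sr25519 implementation). It runs over a constructed toy group, a prime-order subgroup of Z_p^* found at start-up in place of an elliptic curve, aggregates keys by plain addition as the KOSK setting allows, and the input layout of the delinearization and challenge oracles (`hash_to_scalar`, `delinearization_coeffs`) is this example's own assumption. The `Signer` class also illustrates the second-round caveat from the text: each pre-witness pair is consumed the moment a share is produced, so it can be neither reused nor requested twice.

```python
import hashlib
import math
import secrets

def is_prime(n):
    """Miller-Rabin; these bases are exact below 3.4e14 (our P is ~41 bits)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_above(bound):  # smallest safe prime P = 2Q + 1 with prime Q >= bound
    q = bound | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

# Toy group (constructed, illustration only): the order-Q subgroup of Z_P^*,
# written multiplicatively; a real deployment uses an elliptic-curve group.
P, Q = safe_prime_above(1 << 40)
G = 4  # a quadratic residue, hence a generator of the order-Q subgroup

def mul(point, scalar):  # scalar multiplication (exponentiation mod P)
    return pow(point, scalar % Q, P)

def in_group(point):  # reject anything outside the order-Q subgroup
    return 0 < point < P and pow(point, Q, P) == 1

def hash_to_scalar(domain, *parts):
    """Domain-separated random oracle into Z_Q over length-prefixed inputs."""
    h = hashlib.sha256(domain.encode())
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q

def delinearization_coeffs(pubkeys, pre_witnesses, msg):
    """alpha[i][j] binds all keys, every pre-witness and the message (assumed
    input layout), so no signer can adapt its share of R after the fact."""
    flat = [c for pair in pre_witnesses for c in pair]
    return [[hash_to_scalar("dwms/delin", *pubkeys, *flat, msg, i, j)
             for j in (0, 1)] for i in range(len(pubkeys))]

def aggregate_key(pubkeys):  # plain aggregation, permitted under KOSK
    return math.prod(pubkeys) % P

def aggregate_witness(pre_witnesses, alphas):  # R = sum_i sum_j alpha_ij R_ij
    return math.prod(mul(R1, a1) * mul(R2, a2)
                     for (R1, R2), (a1, a2) in zip(pre_witnesses, alphas)) % P

class Signer:
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.X = mul(G, self.x)
        self._pre = None  # pre-witness scalars live only inside one session

    def round1(self):  # round 1: publish two fresh pre-witness points
        if self._pre is not None:
            raise RuntimeError("a signing session is already open")
        self._pre = (secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1)
        return tuple(mul(G, r) for r in self._pre)

    def round2(self, pubkeys, pre_witnesses, msg):  # round 2: signature share
        if self._pre is None:
            raise RuntimeError("no open session: pre-witnesses are single-use")
        r1, r2 = self._pre
        self._pre = None  # consume first, so a retry can never reuse them
        if not all(in_group(c) for pair in pre_witnesses for c in pair):
            raise ValueError("pre-witness outside the group")
        i = pubkeys.index(self.X)
        if pre_witnesses[i] != (mul(G, r1), mul(G, r2)):
            raise ValueError("own pre-witnesses were altered in transit")
        alphas = delinearization_coeffs(pubkeys, pre_witnesses, msg)
        R = aggregate_witness(pre_witnesses, alphas)
        c = hash_to_scalar("dwms/challenge", aggregate_key(pubkeys), R, msg)
        a1, a2 = alphas[i]
        return (a1 * r1 + a2 * r2 + c * self.x) % Q

def run_session(signers, msg):  # drive both rounds, combine the shares
    pubkeys = [s.X for s in signers]
    pre = [s.round1() for s in signers]
    shares = [s.round2(pubkeys, pre, msg) for s in signers]
    R = aggregate_witness(pre, delinearization_coeffs(pubkeys, pre, msg))
    return aggregate_key(pubkeys), (R, sum(shares) % Q)

def verify(X, msg, sig):  # ordinary single-key Schnorr check: G^s == R * X^c
    R, s = sig
    if not (in_group(X) and in_group(R)):
        return False
    c = hash_to_scalar("dwms/challenge", X, R, msg)
    return mul(G, s) == R * mul(X, c) % P
```

Verification is ordinary Schnorr verification against the aggregate key, which is the point of a multi-signature: the verifier need not know how many parties signed. `run_session` drives both rounds in one process for illustration; in a deployment each signer's round-2 input is whatever arrived over the network, which is why the group-membership check and the check on the signer's own pre-witnesses run before the secret scalars are used.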

[1] Willy Quach et al. Does Fiat-Shamir Require a Cryptographic Hash Function? IACR Cryptol. ePrint Arch., 2020.

[2] Tancrède Lepoint et al. On the (in)Security of ROS. Journal of Cryptology, 2022.

[3] David Wolinsky et al. Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning. 2016 IEEE Symposium on Security and Privacy (SP), 2015.

[4] Jacques Stern et al. Security Arguments for Digital Signatures and Blind Signatures. Journal of Cryptology, 2015.

[5] Dan Boneh et al. Compact Multi-Signatures for Smaller Blockchains. IACR Cryptol. ePrint Arch., 2018.

[6] Georg Fuchsbauer et al. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model. EUROCRYPT, 2020.

[7] Stanislaw Jarecki et al. Multisignatures Using Proofs of Secret Key Possession, as Secure as the Diffie-Hellman Problem. SCN, 2008.

[8] Victor Shoup et al. Lower Bounds for Discrete Logarithms and Related Problems. EUROCRYPT, 1997.

[9] Yannick Seurin et al. MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces. IACR Cryptol. ePrint Arch., 2020.

[10] Claus-Peter Schnorr et al. Security of Blind Discrete Log Signatures against Interactive Attacks. ICICS, 2001.

[11] Ian Goldberg et al. FROST: Flexible Round-Optimized Schnorr Threshold Signatures. IACR Cryptol. ePrint Arch., 2020.

[12] Eike Kiltz et al. The Algebraic Group Model and its Applications. IACR Cryptol. ePrint Arch., 2018.

[13] Robert H. Deng et al. Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Cryptogr., 2010.

[14] Yannick Seurin et al. Simple Schnorr multi-signatures with applications to Bitcoin. Designs, Codes and Cryptography, 2019.

[15] David A. Wagner et al. A Generalized Birthday Problem. CRYPTO, 2002.

[16] Eike Kiltz et al. On the Security of Two-Round Multi-Signatures. 2019 IEEE Symposium on Security and Privacy (SP), 2019.

[17] Yevgeniy Dodis et al. Non-Uniform Bounds in the Random-Permutation, Ideal-Cipher, and Generic-Group Models. IACR Cryptol. ePrint Arch., 2018.