Abstract
Adaptor signatures have seen wide applications in layer-2 and peer-to-peer blockchain applications such as atomic swaps and payment channels. We first identify two shortcomings of previous literature on adaptor signatures. (1) The current aim of “script-less” adaptor signatures restricts instantiability, ruling out designs based on BLS or current NIST PQC candidates. (2) We identify gaps in current formulations of security. In particular, we show that current notions do not rule out a class of insecure schemes. Moreover, a natural property concerning the on-chain unlinkability of adaptor signatures has not been formalized. We then address these shortcomings by providing new and stronger security notions, as well as new generic constructions from any signature scheme and hard relation. On definitions:
1. We develop security notions that strictly imply previous notions.
2. We formalize the notion of unlinkability for adaptor signatures.
3. We give modular proof frameworks that facilitate simpler proofs.
On constructions:
1. We give a generic construction of adaptor signatures from any signature scheme and any hard relation, showing that, theoretically, (linkable) adaptor signatures can be constructed from any one-way function.
2. We also give an unlinkable adaptor signature construction from any signature scheme and any strongly random-self-reducible relation, for which we show instantiations using DL, RSA, and LWE.
W. Dai and T. Okamoto—Work done while at NTT Research.
Notes
1. We remark that this is not a weakness of previous constructions, but rather a gap in the formal security guarantees; the property is expected by applications.
2. One can think of the “first stage” as everything leading up to the challenge oracle call and the “second stage” as everything following the challenge oracle call.
3. More formally, A should be sampled as a parameter for each security parameter, but we fix such an A here for simplicity.
A Omitted Proofs
A.1 Proof of Theorem 5
Proof (of Theorem 5). First, correctness holds by construction. Next, we check adaptability. Let \((\textrm{pk}, \textrm{sk}) \in [\textsf{KeyGen}(1^\lambda )]\) and \(m \in \{0, 1\}^*\). Let \(\hat{\sigma }, (Y, y)\) be such that \((Y, y) \in R\) and \(\textsf{pVrf}(\textrm{pk}, m, \hat{\sigma }, Y) = \textsf{True}\). This means that \(\hat{\sigma }= (\sigma , Y)\) and \(\textsf{Sig}.\textsf{Vrf}(\textrm{pk}, (m, Y), \sigma ) = \textsf{True}\). Hence, by the verification of \(\textsf{SigR}\), it must be that \(\textsf{SigR}.\textsf{Vrf}(\textrm{pk}, m, (\sigma , Y, y)) = \textsf{True}\).
We move on to FExt and SFExt. With the help of Theorem 3 and Theorem 4, we simply need to show that for any adversary \(\mathcal {A}_{\textrm{ext}}\) and \(\mathcal {A}_{\textrm{uext}}\),


where are reduction adversaries to be constructed.
We first show (13). Consider the following game \(\textbf{G}_0\) and adversary .

We claim that

This is straightforward, because if \(\textbf{G}_0\) returns true, then it must be that \(Y^*\) returned by the adversary is fresh, meaning it has not queried \(\textsf{pSign}(m^*, Y^*)\) previously. Finally, we note that adversary also wins exactly when \((m^*, Y^*)\) is fresh.
Next, we bound (14). Consider the following games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\). Game \(\textbf{G}_1\) is \(\textbf{G}^{\textrm{uext}}_{\textsf{GAS}_1, \mathcal {A}_{\textrm{uext}}}\). Games \(\textbf{G}_2\) and \(\textbf{G}_3\) rewrite the winning condition of \(\textbf{G}_1\) according to the disjoint events \(b_1\) and \(b_2\).

Clearly, we have
Next, we construct adversaries and \(\mathcal {A}_{\textrm{uwit}}\), such that


This is straightforward: the former can simulate \(\textsf{pSign}\) with its \(\textrm{Sign}\) oracle, and \(\mathcal {A}_{\textrm{uwit}}\) can sample its own key pair to simulate game \(\textbf{G}_3\). The specifications of these adversaries are given below.

This concludes the proof of Theorem 5. \(\square \)
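The construction \(\textsf{GAS}_1\) whose correctness and adaptability the proof above checks, written out as an added example; this is not the paper's code. It instantiates \(\textsf{Sig}\) with Ed25519 from the Go standard library and the hard relation with the hash preimage relation \(Y = \textrm{SHA-256}(y)\), a relation built from a one-way function; both are instantiation choices made here, since the generic construction works for any signature scheme and any hard relation. The byte encoding of the pair \((m, Y)\) and the names PreSig, FullSig and RunExample are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hard relation R assumed here: Y = SHA-256(y) for a random 32-byte witness y.
const witnessLen = 32

func GenRelation() (Y, y []byte, err error) {
	y = make([]byte, witnessLen)
	_, err = rand.Read(y)
	h := sha256.Sum256(y)
	return h[:], y, err
}

func InRelation(Y, y []byte) bool {
	h := sha256.Sum256(y)
	return len(y) == witnessLen && bytes.Equal(h[:], Y)
}

// encode maps (m, Y) to one string for Sig.Sign; the length prefix keeps it injective.
func encode(m, Y []byte) []byte {
	return append(append([]byte{byte(len(Y))}, Y...), m...)
}

type PreSig struct{ Sigma, Y []byte }       // GAS_1 pre-signature (sigma, Y)
type FullSig struct{ Sigma, Y, Wit []byte } // full signature (sigma, Y, y)

// PSign is a Sig signature on the pair (m, Y) with Y attached; PVrf checks it.
func PSign(sk ed25519.PrivateKey, m, Y []byte) PreSig {
	return PreSig{Sigma: ed25519.Sign(sk, encode(m, Y)), Y: Y}
}

func PVrf(pk ed25519.PublicKey, m []byte, ps PreSig, Y []byte) bool {
	return bytes.Equal(ps.Y, Y) && ed25519.Verify(pk, encode(m, Y), ps.Sigma)
}

// Adapt succeeds only with a witness for the statement in the pre-signature.
func Adapt(ps PreSig, y []byte) (FullSig, error) {
	if !InRelation(ps.Y, y) {
		return FullSig{}, errors.New("witness does not match statement Y")
	}
	return FullSig{Sigma: ps.Sigma, Y: ps.Y, Wit: y}, nil
}

// Vrf is SigR.Vrf in the text: Sig verifies on (m, Y) and (Y, y) is in R.
func Vrf(pk ed25519.PublicKey, m []byte, fs FullSig) bool {
	return InRelation(fs.Y, fs.Wit) && ed25519.Verify(pk, encode(m, fs.Y), fs.Sigma)
}

// Ext reads the witness out of any valid full signature for Y; Y and y travel in the clear.
func Ext(fs FullSig, Y []byte) ([]byte, error) {
	if !bytes.Equal(fs.Y, Y) || !InRelation(Y, fs.Wit) {
		return nil, errors.New("signature carries no witness for Y")
	}
	return fs.Wit, nil
}

// RunExample runs one pSign / Adapt / Vrf / Ext cycle; nil means every check behaved as Theorem 5 predicts.
func RunExample() error {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	Y, y, errR := GenRelation()
	if err != nil || errR != nil {
		return errors.New("key or relation generation failed")
	}
	m := []byte("pay 1 coin to Bob") // constructed sample message
	ps := PSign(sk, m, Y)
	if !PVrf(pk, m, ps, Y) {
		return errors.New("honest pre-signature must pass pVrf")
	}
	if Vrf(pk, m, FullSig{Sigma: ps.Sigma, Y: ps.Y}) {
		return errors.New("pre-signature without a witness must fail Vrf")
	}
	fs, err := Adapt(ps, y)
	if err != nil {
		return err
	}
	if !Vrf(pk, m, fs) || !bytes.Equal(fs.Y, ps.Y) {
		return errors.New("adapted signature must verify and expose the same Y")
	}
	got, err := Ext(fs, Y)
	if err != nil || !bytes.Equal(got, y) {
		return errors.New("Ext must return the witness used in Adapt")
	}
	return nil
}

func main() {
	if err := RunExample(); err != nil {
		panic(err)
	}
	fmt.Println("GAS_1 example: all checks passed")
}
```

The two negative checks are the point of the exercise: a pre-signature is rejected by Vrf because it carries no witness, and the completed signature exposes both Y and y, so an observer who saw the pre-signature matches it to the on-chain signature by Y. That is the linkability the abstract contrasts with \(\textsf{GAS}_2\), where the statement is re-randomized before it is signed.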
A.2 Proof of Theorem 7
Proof (of Theorem 7). First, correctness and adaptability hold similarly to \(\textsf{GAS}_1\). We give a reduction that turns any unlink adversary into a strong RSR adversary for \(\textsf{R}\). The reduction is very straightforward, and we keep the description at a high level here. The SRSR adversary samples a key pair \((\textrm{pk}, \textrm{sk}) \twoheadleftarrow \textsf{Sig}.\textsf{KeyGen}(1^\lambda )\), with which it can run the \(\textsf{pSign}\) and \(\textsf{Sign}\) algorithms, so it can simulate the oracles \(\textrm{Sign}\) and \(\textrm{pSign}\) honestly. It uses the \(\textrm{New}\) oracle given to it by the strong RSR game to simulate \(\textrm{SignChl}\): the pair (Y, y) in the input of \(\textrm{SignChl}\) is simply forwarded to \(\textrm{New}\).
We check extractability. Similar to \(\textsf{GAS}_1\), we need to show that for any adversary \(\mathcal {A}_{\textrm{ext}}\) and \(\mathcal {A}_{\textrm{uext}}\),


where are reduction adversaries to be constructed.
We first show (19). Consider the following game \(\textbf{G}_0\) and adversary .

We claim that

We claim that if \(\textbf{G}_0\) returns true, it must be that \(Y^*\) returned by the adversary is fresh, meaning the adversary has not queried \(\textsf{Sign}((m^*, Y^*))\) previously. Seeking a contradiction, suppose that the adversary has made a query \(\textsf{Sign}((m^*, Y^*))\). Then this query must have come from some query \(\textsf{pSign}(m^*, Y_0)\), where the game sampled some \(r_0\) such that \(\textsf{R}.A(Y_0, r_0) = Y^*\). By line 4, \((Y^*, y^*) \in R\), so \(\textsf{R}.C(y^*, r_0)\) must be a witness of \(Y_0\). This means that the game must return \(\textsf{False}\) at line 5. Therefore, there was no signature on message \((m^*, Y^*)\) if the game returns \(\textsf{True}\). We note that the adversary also wins exactly when \((m^*, Y^*)\) is fresh. This verifies (19).
Next, we bound (20). Consider the following games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\). Game \(\textbf{G}_1\) is \(\textbf{G}^{\textrm{uext}}_{\textsf{GAS}_2, \mathcal {A}_{\textrm{uext}}}\). Games \(\textbf{G}_2\) and \(\textbf{G}_3\) rewrite the winning condition of \(\textbf{G}_1\) according to the disjoint events \(b_1\) and \(b_2\).

Clearly, we have
Next, we construct adversaries and \(\mathcal {A}_{\textrm{uwit}}\), such that


This is straightforward: the former can simulate \(\textsf{pSign}\) with its \(\textrm{Sign}\) oracle, and \(\mathcal {A}_{\textrm{uwit}}\) can sample its own key pair to simulate game \(\textbf{G}_3\). The specifications of these adversaries are given below.

This concludes the proof of Theorem 7. \(\square \)
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Dai, W., Okamoto, T., Yamamoto, G. (2022). Stronger Security and Generic Constructions for Adaptor Signatures. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_3
DOI: https://doi.org/10.1007/978-3-031-22912-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22911-4
Online ISBN: 978-3-031-22912-1