
Stronger Security and Generic Constructions for Adaptor Signatures

  • Conference paper
  • Published in: Progress in Cryptology – INDOCRYPT 2022 (INDOCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13774)

Abstract

Adaptor signatures have seen wide applications in layer-2 and peer-to-peer blockchain applications such as atomic swaps and payment channels. We first identify two shortcomings of previous literature on adaptor signatures. (1) The current aim of “script-less” adaptor signatures restricts instantiability, limiting designs based on BLS or current NIST PQC candidates. (2) We identify gaps in current formulations of security. In particular, we show that current notions do not rule out a class of insecure schemes. Moreover, a natural property concerning the on-chain unlinkability of adaptor signatures has not been formalized. We then address these shortcomings by providing new and stronger security notions, as well as new generic constructions from any signature scheme and hard relation. On definitions:

  1. We develop security notions that strictly imply previous notions.

  2. We formalize the notion of unlinkability for adaptor signatures.

  3. We give modular proof frameworks that facilitate simpler proofs.

On constructions:

  1. We give a generic construction of adaptor signatures from any signature scheme and any hard relation, showing that, theoretically, (linkable) adaptor signatures can be constructed from any one-way function.

  2. We also give an unlinkable adaptor signature construction from any signature scheme and any strongly random-self-reducible relation, of which we show instantiations from DL, RSA, and LWE.

W. Dai and T. Okamoto—Work done while at NTT Research.


Notes

  1. We remark that this is not a weakness of previous constructions, but rather a gap between the formal security guarantees and the security that applications expect.

  2. One can think of the “first stage” as everything leading up to the challenge oracle call and the “second stage” as everything following the challenge oracle call.

  3. More formally, A should be sampled as a parameter for each security parameter, but we fix such an A here for simplicity.


Author information

Correspondence to Wei Dai.

A Omitted Proofs

A.1 Proof of Theorem 5

Proof (of Theorem 5). First, correctness holds by construction. Next, we check adaptability. Let \((\textrm{pk}, \textrm{sk}) \in [\textsf{KeyGen}(1^\lambda )]\) and \(m \in \{0, 1\}^*\). Let \(\hat{\sigma }, (Y, y)\) be such that \((Y, y) \in R\) and \(\textsf{pVrf}(\textrm{pk}, m, \hat{\sigma }, Y) = \textsf{True}\). This means that \(\hat{\sigma }= (\sigma , Y)\) and \(\textsf{Sig}.\textsf{Vrf}(\textrm{pk}, (m, Y), \sigma ) = \textsf{True}\). Hence, by the verification of \(\textsf{SigR}\), it must be that \(\textsf{SigR}.\textsf{Vrf}(\textrm{pk}, m, (\sigma , Y, y)) = \textsf{True}\).
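The correctness and adaptability argument above fixes the shape of \(\textsf{GAS}_1\): a pre-signature is \((\sigma, Y)\) with \(\sigma\) a signature on the pair \((m, Y)\), and a full signature is \((\sigma, Y, y)\) verified by checking \(\sigma\) and \((Y, y) \in R\). The following Go program is an added illustration of that construction, not code from the paper; it assumes Ed25519 as the stand-in for an arbitrary signature scheme \(\textsf{Sig}\), the relation \(R = \{(Y, y) : Y = \mathrm{SHA\text{-}256}(y)\}\) as the stand-in for an arbitrary hard relation, and a length-prefixed encoding of the pair \((m, Y)\).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed hard relation R: (Y, y) in R iff Y = SHA-256(y); SHA-256 stands in for any one-way function, Ed25519 for any Sig.
func InR(Y, y []byte) bool { h := sha256.Sum256(y); return bytes.Equal(Y, h[:]) }
// Encode the pair (m, Y) as one Sig message; length-prefixed so distinct pairs never collide (assumed encoding).
func encode(m, Y []byte) []byte {
	out := make([]byte, 4, 4+len(m)+len(Y))
	binary.BigEndian.PutUint32(out, uint32(len(m)))
	return append(append(out, m...), Y...)
}
type PreSig struct{ Sigma, Y []byte }          // pre-signature (sigma, Y)
type FullSig struct{ Sigma, Y, Witness []byte } // full signature (sigma, Y, y)

// pSign: Sig.Sign on the pair (m, Y), with Y attached in the clear.
func PSign(sk ed25519.PrivateKey, m, Y []byte) PreSig {
	return PreSig{Sigma: ed25519.Sign(sk, encode(m, Y)), Y: Y}
}
// pVrf: the pre-signature carries the expected Y and Sig.Vrf(pk, (m, Y), sigma) holds.
func PVrf(pk ed25519.PublicKey, m []byte, ps PreSig, Y []byte) bool {
	return bytes.Equal(ps.Y, Y) && ed25519.Verify(pk, encode(m, Y), ps.Sigma)
}
// Adapt: completing a pre-signature only appends the witness y.
func Adapt(ps PreSig, y []byte) FullSig { return FullSig{ps.Sigma, ps.Y, y} }
// SigR.Vrf: Sig.Vrf on (m, Y) and (Y, y) in R, so adaptability holds by construction.
func Vrf(pk ed25519.PublicKey, m []byte, s FullSig) bool {
	return InR(s.Y, s.Witness) && ed25519.Verify(pk, encode(m, s.Y), s.Sigma)
}
// Ext: a full signature completing ps reveals y in the clear; Y and y being visible on chain is why GAS_1 is only linkable.
func Ext(ps PreSig, s FullSig) ([]byte, bool) {
	ok := bytes.Equal(ps.Sigma, s.Sigma) && bytes.Equal(ps.Y, s.Y) && InR(s.Y, s.Witness)
	return s.Witness, ok
}

func main() { // constructed demo: pre-sign, complete with witness y, extract y
	m, y := []byte("constructed sample message"), []byte("constructed witness")
	Y := sha256.Sum256(y)
	pk, sk, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	ps := PSign(sk, m, Y[:])
	got, ok := Ext(ps, Adapt(ps, y))
	fmt.Println(PVrf(pk, m, ps, Y[:]), Vrf(pk, m, Adapt(ps, y)), ok && bytes.Equal(got, y))
}
```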

We move on to FExt and SFExt. With the help of Theorem 3 and Theorem 4, we simply need to show that for any adversary \(\mathcal {A}_{\textrm{ext}}\) and \(\mathcal {A}_{\textrm{uext}}\),

(13)
(14)

where are reduction adversaries to be constructed.

We first show (13). Consider the following game \(\textbf{G}_0\) and adversary .

[Figure: pseudocode of game \(\textbf{G}_0\) and the reduction adversary; not reproduced on this page]

We claim that

(15)

This is straightforward, because if \(\textbf{G}_0\) returns true, then it must be that \(Y^*\) returned by the adversary is fresh, meaning it has not queried \(\textsf{pSign}(m^*, Y^*)\) previously. Finally, we note that adversary also wins exactly when \((m^*, Y^*)\) is fresh.

Next, we bound (14). Consider the following games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\). Game \(\textbf{G}_1\) is \(\textbf{G}^{\textrm{uext}}_{\textsf{GAS}_1, \mathcal {A}_{\textrm{uext}}}\). Games \(\textbf{G}_2\) and \(\textbf{G}_3\) rewrite the winning condition of \(\textbf{G}_1\) depending on the disjoint events \(b_1\) and \(b_2\).

[Figure: pseudocode of games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\); not reproduced on this page]

Clearly, we have

$$\begin{aligned} \textbf{Adv}^{\textrm{uext}}_{\textsf{GAS}_1, \mathcal {A}_{\textrm{uext}}}(\lambda ) = \Pr [\textbf{G}_1] = \Pr [\textbf{G}_2] + \Pr [\textbf{G}_3] \;. \end{aligned}$$
(16)

Next, we construct adversaries and \(\mathcal {A}_{\textrm{uwit}}\), such that

(17)
(18)

This is straightforward, can simulate \(\textsf{pSign}\) with its \(\textrm{Sign}\) oracle, and \(\mathcal {A}_{\textrm{uwit}}\) can sample its own key pair to simulate game \(\textbf{G}_3\). The specifications of these adversaries are given below.

[Figure: specifications of the reduction adversaries; not reproduced on this page]

This concludes the proof of Theorem 5.   \(\square \)

A.2 Proof of Theorem 7

Proof (of Theorem 7). First, correctness and adaptability hold similarly to \(\textsf{GAS}_1\). We give a reduction that turns any unlink adversary into a strong RSR adversary for \(\textsf{R}\). The reduction is very straightforward and we keep its description at a high level here. The SRSR adversary samples a key pair \((\textrm{pk}, \textrm{sk}) \twoheadleftarrow \textsf{Sig}.\textsf{KeyGen}(1^\lambda )\), using which it can run the \(\textsf{pSign}\) and \(\textsf{Sign}\) algorithms, so it can simulate the oracles \(\textrm{Sign}\) and \(\textrm{pSign}\) honestly. It uses the \(\textrm{New}\) oracle given to it by the strong RSR game to simulate \(\textrm{SignChl}\): the pair \((Y, y)\) in the input of \(\textrm{SignChl}\) is simply forwarded to \(\textrm{New}\).

We check extractability. Similar to \(\textsf{GAS}_1\), we need to show that for any adversary \(\mathcal {A}_{\textrm{ext}}\) and \(\mathcal {A}_{\textrm{uext}}\),

(19)
(20)

where are reduction adversaries to be constructed.

We first show (19). Consider the following game \(\textbf{G}_0\) and adversary .

[Figure: pseudocode of game \(\textbf{G}_0\) and the reduction adversary; not reproduced on this page]

We claim that

(21)

We claim that if \(\textbf{G}_0\) returns true, it must be that \(Y^*\) returned by the adversary is fresh, meaning the adversary has not queried \(\textsf{Sign}((m^*, Y^*))\) previously. Seeking a contradiction, suppose that the adversary has incurred a query \(\textsf{Sign}(m^*, Y^*)\); then this query must have come from some query \(\textsf{pSign}(m^*, Y_0)\), where the game has sampled some \(r_0\) such that \(\textsf{R}.A(Y_0, r_0) = Y^*\). By line 4, \((Y^*, y^*) \in R\). So \(\textsf{R}.C(y^*, r_0)\) must be a witness of \(Y_0\). This means that the game must return \(\textsf{False}\) at line 5. Therefore, there was no signature on message \((m^*, Y^*)\) if the game returns \(\textsf{True}\). We note that adversary also wins exactly when \((m^*, Y^*)\) is fresh. This verifies (19).

Next, we bound (20). Consider the following games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\). Game \(\textbf{G}_1\) is \(\textbf{G}^{\textrm{uext}}_{\textsf{GAS}_2, \mathcal {A}_{\textrm{uext}}}\). Games \(\textbf{G}_2\) and \(\textbf{G}_3\) rewrite the winning condition of \(\textbf{G}_1\) depending on the disjoint events \(b_1\) and \(b_2\).

[Figure: pseudocode of games \(\textbf{G}_1, \textbf{G}_2, \textbf{G}_3\); not reproduced on this page]

Clearly, we have

$$\begin{aligned} \textbf{Adv}^{\textrm{uext}}_{\textsf{GAS}_2, \mathcal {A}_{\textrm{uext}}}(\lambda ) = \Pr [\textbf{G}_1] = \Pr [\textbf{G}_2] + \Pr [\textbf{G}_3] \;. \end{aligned}$$
(22)

Next, we construct adversaries and \(\mathcal {A}_{\textrm{uwit}}\), such that

(23)
(24)

This is straightforward, can simulate \(\textsf{pSign}\) with its \(\textrm{Sign}\) oracle, and \(\mathcal {A}_{\textrm{uwit}}\) can sample its own key pair to simulate game \(\textbf{G}_3\). The specifications of these adversaries are given below.

[Figure: specifications of the reduction adversaries; not reproduced on this page]

This concludes the proof of Theorem 7.   \(\square \)


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Dai, W., Okamoto, T., Yamamoto, G. (2022). Stronger Security and Generic Constructions for Adaptor Signatures. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_3


  • DOI: https://doi.org/10.1007/978-3-031-22912-1_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22911-4

  • Online ISBN: 978-3-031-22912-1

  • eBook Packages: Computer Science (R0)
