Abstract
Artificial intelligence (AI) is having a profound impact on our daily lives. We suggest using digital signatures to protect the user's identity and achieve data accountability, and for high-risk applications multi-signatures are expected to play an important role in AI. MuSig2 by Nick et al. is an efficient and secure Schnorr multi-signature scheme: it supports signature aggregation and key aggregation, and its security is reduced to the One-More Discrete Logarithm (OMDL) problem in the random oracle model. This comes at the cost that each signer needs four nonces per signature instead of one. However, MuSig2 ignores the change of nonces in the forking lemma, which is what forces the signer to use so many nonces and makes the proof of the scheme complicated. In this paper, we reduce the number of nonces from 4 to 2 and simplify the security proof of the MuSig2 scheme in the random oracle model. Then, by slightly relaxing the security requirement, we obtain security of the MuSig2 scheme when nonces are reused. Finally, we use the proof technique of MuSig2 to reduce the MSDL (discrete-logarithm-based multi-signature) scheme by Boneh et al. to the OMDL assumption.
References
Alper, H.K., Burdges, J.: Two-round trip Schnorr multi-signatures via delinearized witnesses. IACR Cryptol. ePrint Arch. 2020, 1245 (2020)
Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (2008)
Bellare, M., Dai, W.: Chain reductions for multi-signatures and the HBMS scheme. In: International Conference on the Theory and Application of Cryptology and Information Security (2021)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (2006)
Boneh, D., Drijvers, M., Neven, G.: Compact multi-signatures for smaller blockchains. IACR Cryptol. ePrint Arch. 2018, 483 (2018)
Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1084–1101 (2019)
Itakura, K., Nakamura, K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 1–8 (1983)
Kaur, D., Uslu, S., Rittichier, K.J., Durresi, A.: Trustworthy artificial intelligence: a review. ACM Comput. Surv. (CSUR) 55, 1–38 (2022)
Lee, K., Kim, H.: Two-round multi-signatures from Okamoto signatures. IACR Cryptol. ePrint Arch. 2022, 1117 (2022)
Legg, S., Hutter, M.: A collection of definitions of intelligence. In: Artificial General Intelligence (2007)
Ma, C., Weng, J., Li, Y., Deng, R.H.: Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Crypt. 54, 121–133 (2010)
Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to Bitcoin. Des. Codes Cryptogr. 87, 2139–2164 (2019)
Nick, J.D., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. IACR Cryptol. ePrint Arch. 2020, 1261 (2020)
Nick, J.D., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (2020)
Nicolosi, A., Krohn, M.N., Dodis, Y., Mazières, D.: Proactive two-party signatures for user authentication. In: Network and Distributed System Security Symposium (2003)
Pan, J., Wagner, B.: Chopsticks: fork-free two-round multi-signatures from non-interactive assumptions. IACR Cryptol. ePrint Arch. 2023, 198 (2023)
Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4, 161–174 (1991)
Syta, E., et al.: Keeping authorities “honest or bust” with decentralized witness cosigning. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 526–545 (2016)
Szalachowski, P., Matsumoto, S., Perrig, A.: PoliCert: secure and flexible TLS certificate management. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014)
Tessaro, S., Zhu, C.: Threshold and multi-signature schemes from linear hash functions. IACR Cryptol. ePrint Arch. 2023, 276 (2023)
Wagner, D.A.: A generalized birthday problem. In: Annual International Cryptology Conference (2002)
Xiao, Y.-L., Zhang, P., Liu, Y.: Secure and efficient multi-signature schemes for Fabric: an enterprise blockchain platform. IEEE Trans. Inf. Forensics Secur. 16, 1782–1794 (2021)
A Proof of the MSOMDL
Theorem 2
MSOMDL is EUF-CMA in the random oracle model for \( H_{agg}, H_{con},\) \( H_{sig}: \{0,1\}^{*}\longrightarrow \mathbb {Z}_{p} \), if the OMDL problem is hard. More precisely, for any adversary \( \mathcal {A} \) against MSOMDL running in time at most t, making at most \( q_{s} \) Sign queries and at most \( q_{h} \) queries to each random oracle, and such that the size of L in any signing session and in the forgery is at most N, there exists an algorithm D taking as input group parameters \( (\mathbb {G}, p, g) \leftarrow GrGen(1^{\lambda }) \), running in time at most
where \( q = 2q_{h}+ q_{s}+ 1 \) and \( t_{exp} \) is the time of an exponentiation in \( \mathbb {G} \), making at most \( 2q_{s} DLOG_{g} \) queries, and solving the OMDL problem with an advantage
Proof. We construct algorithms \( \mathcal {B} \), \( \mathcal {C} \) and \( \mathcal {D} \), which work as in the proof of MuSig2. We first construct a “wrapping” algorithm \( \mathcal {B} \) that essentially runs the adversary \( \mathcal {A} \) and returns a forgery together with some information about the adversary's execution, unless some bad event happens. For the precise structure of \( \mathcal {B} \), see [13].
Next we construct \( \mathcal {C} \), which computes the aggregated secret key \( \tilde{x} \) by forking \( \mathcal {B} \) at the forger's query \( c^{*}=H_{sig}(\tilde{X},R,m) \); the conditions of the forking lemma are the same as for MuSig2. Since this query is the last point at which the two executions diverge, we have \( R=R' \) and \( \tilde{X}=\tilde{X}' \). Because neither \( \textsf{KeyColl} \) nor \( \textsf{BadOrder} \) occurs, \( \tilde{X}=\tilde{X}' \) implies \( L=L'\), \(i_{agg}=i'_{agg}\) and \(\boldsymbol{a} = \boldsymbol{a}' \).
Therefore, we have that
which implies in particular that \( \tilde{X} =\tilde{X}' \). By Lemma 3, the two outputs returned by \( \mathcal {B} \) are such that
which allows \( \mathcal {C} \) to compute the discrete logarithm of \( \tilde{X} \) as
Then \( \mathcal {C} \) returns \( (i_{agg}, L, \boldsymbol{a}, \tilde{x}) \).
Letting \( \varepsilon = Adv^{EUF-CMA}_{\mathcal {A},MSOMDL}(\lambda ) \), the accepting probability of \( \mathcal {C} \) satisfies
Next we construct \( \mathcal {D} \), which computes the secret key \( x^{*} \). The conditions of the forking lemma are the same as for MuSig2, except that the query \( H_{non}(\tilde{X},(R_{1}, \ldots , R_{v}), m) \) is replaced by the query \( H_{con}(R_{i}) \). Since the two executions of \( \mathcal {B} \) are identical up to the assignments \( T_{agg}(L, X^{*}):= h_{agg,i_{agg} }\) and \( T_{agg}(L', X^{*}):= h'_{agg,i_{agg}} \), the arguments of the two assignments \( T_{agg}(L, X_{i})\) and \( T_{agg}(L', X'_{i}) \) must be the same, which implies \( L = L' \) and \( a_{i}= a'_{i} \) for each i such that \( X_{i}\ne X^{*} \).
After the fork the adversary behaves differently in the two executions. Concretely, the simulator must use a different \( R_{i} \) for the different \( a_{i} \) in the two executions, so it requires \( 2q_{s} \) \( DLOG_{g} \) queries.
Therefore, we have that
By Lemma 3, we have that
Thus, \( \mathcal {D} \) is able to compute the discrete logarithm of \( X^{*} \) as
We have \( r=s-cx \), which contradicts the hardness of the OMDL problem.
From \( r=s-cx \) we obtain the discrete logarithms of \( R_{1j}^{(k)} \), \( j\in\{1,2\}\), \(k\in\{1,\ldots ,q_{s}\} \). Note that \(j\in\{1,2\}\) indicates that the simulator uses different nonces in the two executions of the forking lemma. This contradicts the \(2q_{s}\)-OMDL problem.
Let \( \varepsilon = Adv^{EUF-CMA}_{\mathcal {A},MSOMDL}(\lambda ) \). By Lemmas 1 and 3, the success probability of \( Fork_{\mathcal {C}} \) is at least
The advantage of \( \mathcal {D} \) is
The running-time analysis is the same as in Lemma 2, except for the time needed to compute the honest signer's effective nonce. Thus the running time \( t' \) of \( \mathcal {D} \) is \( t'= 2(t + qN)t_{exp}+ O(qN) \).
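The two extraction steps of the proof above (\( \mathcal {C} \) forking \( \mathcal {B} \) at the \( H_{sig} \) query to recover \( \tilde{x} \), then \( \mathcal {D} \) forking \( \mathcal {C} \) at the \( H_{agg} \) query for \( X^{*} \) to recover \( x^{*} \)) are easy to lose between the displayed equations, so the following is an added, self-contained Python illustration; it is not part of the paper's text and not code from any MuSig2 implementation. It runs a MuSig2-style two-round, two-nonce signing session over a constructed toy group (p = 2039, q = 1019, g = 4; deliberately tiny, insecure parameters), models the reduction's ability to reprogram a single random-oracle answer while all signers' coins stay fixed, and checks that the inner fork yields \( \tilde{x} = \sum_i a_i x_i \) and the outer fork yields the targeted signer's \( x^{*} = (\tilde{x}-\tilde{x}')/(a^{*}-a^{*\prime}) \). All names (RandomOracle, sign_session, extract_x_agg, extract_x_star) and the sample keys and nonces are this example's own assumptions. The \( H_{con} \) query and the \( DLOG_{g} \)-oracle bookkeeping of the actual reduction are not modelled, since every signer here is run by the example itself; the effect the paper is concerned with shows up only as \( \tilde{X} \), b and R all changing between the two outer runs, which is why the inner fork is redone for each of them.

```python
"""Forking-lemma extraction for a MuSig2-style two-nonce Schnorr multi-signature.
Added illustration over a constructed toy group; NOT secure parameters and NOT
the paper's or any library's code."""
import hashlib

# Constructed toy parameters: P = 2*Q + 1 with P, Q prime; G = 4 generates the
# order-Q subgroup of Z_P^*. Far too small for real use.
P = 2039
Q = 1019
G = 4


def H(tag, *parts):
    """Hash to Z_Q with domain separation; tag is 'agg', 'non' or 'sig'."""
    data = tag.encode() + b"|" + b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class RandomOracle:
    """Random oracle whose answers the reduction can reprogram. A fork copies
    the oracle and overrides exactly one answer; all signers' coins stay fixed."""

    def __init__(self, patches=None):
        self.patches = dict(patches or {})

    def __call__(self, tag, *parts):
        return self.patches.get((tag, parts), H(tag, *parts))

    def fork(self, tag, parts, new_answer):
        return RandomOracle({**self.patches, (tag, parts): new_answer})


def key_agg(ro, L):
    """MuSig2 key aggregation: a_i = H_agg(L, X_i), X~ = prod_i X_i^{a_i}."""
    a = [ro("agg", L, X) for X in L]
    X_agg = 1
    for a_i, X_i in zip(a, L):
        X_agg = X_agg * pow(X_i, a_i, P) % P
    return a, X_agg


def sign_session(ro, secrets, nonces, m):
    """Run the 2-round, 2-nonce protocol for all signers with fixed coins
    (secrets[i] = x_i, nonces[i] = (r_i1, r_i2)). Returns (L, a, X~, R, c, s)
    with g^s = R * X~^c."""
    L = tuple(pow(G, x, P) for x in secrets)
    a, X_agg = key_agg(ro, L)
    R1 = R2 = 1                       # round 1: aggregate the two nonce slots
    for r1, r2 in nonces:
        R1 = R1 * pow(G, r1, P) % P
        R2 = R2 * pow(G, r2, P) % P
    b = ro("non", X_agg, R1, R2, m)   # round 2: coefficient b, R = R1 * R2^b
    R = R1 * pow(R2, b, P) % P
    c = ro("sig", X_agg, R, m)
    s = 0
    for x_i, (r1, r2), a_i in zip(secrets, nonces, a):
        s = (s + r1 + b * r2 + c * a_i * x_i) % Q   # sum of partial signatures
    return L, a, X_agg, R, c, s


def verify(ro, X_agg, R, s, m):
    """Schnorr verification against the aggregated key."""
    return pow(G, s, P) == R * pow(X_agg, ro("sig", X_agg, R, m), P) % P


def extract_x_agg(ro, secrets, nonces, m):
    """Algorithm C: fork at the H_sig query. Same (X~, R) in both runs but a
    different c, so s - s' = (c - c') * x~ and x~ = (s - s') / (c - c')."""
    L, a, X_agg, R, c, s = sign_session(ro, secrets, nonces, m)
    c2 = (c + 1) % Q                                   # any c' != c
    ro2 = ro.fork("sig", (X_agg, R, m), c2)
    L2, a2, X2, R2, c2_seen, s2 = sign_session(ro2, secrets, nonces, m)
    assert (L2, a2, X2, R2, c2_seen) == (L, a, X_agg, R, c2)  # same up to the fork
    x_agg = (s - s2) * pow((c - c2) % Q, -1, Q) % Q
    return L, a, x_agg


def extract_x_star(secrets, nonces, m, idx=0):
    """Algorithm D: fork C at the H_agg query for X* = L[idx]. L and every
    other a_i stay the same, so x~ - x~' = (a* - a*') x*. X~, b and R all
    change across this outer fork, hence the inner H_sig fork is redone."""
    ro = RandomOracle()
    L, a, x_agg = extract_x_agg(ro, secrets, nonces, m)
    a_star2 = (a[idx] + 1) % Q                         # any a*' != a*
    ro2 = ro.fork("agg", (L, L[idx]), a_star2)
    L2, a2, x_agg2 = extract_x_agg(ro2, secrets, nonces, m)
    assert L2 == L and a2[idx] == a_star2
    assert all(a2[j] == a[j] for j in range(len(L)) if j != idx)
    return (x_agg - x_agg2) * pow((a[idx] - a_star2) % Q, -1, Q) % Q


if __name__ == "__main__":
    # Constructed sample coins: three signers, two nonces each, one message.
    secrets, nonces, m = (17, 23, 42), ((5, 9), (11, 3), (7, 13)), "release model v1"
    ro = RandomOracle()
    L, a, X_agg, R, c, s = sign_session(ro, secrets, nonces, m)
    print("signature verifies:", verify(ro, X_agg, R, s, m))
    for i, x in enumerate(secrets):
        print("x_%d recovered as %d, expected %d" % (i, extract_x_star(secrets, nonces, m, i), x))
```

Because the outer fork only reprograms \( H_{agg}(L, X^{*}) \), the assertions inside extract_x_star are exactly the conditions used in the proof (\( L = L' \) and \( a_i = a'_i \) for \( X_i \neq X^{*} \)); dropping the distinct-public-key assumption on the sample keys would break them, since a duplicated \( X^{*} \) in L would have its coefficient reprogrammed in two positions at once.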
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Wang, W., Qin, J., Liu, J., Zhang, X., Hou, X., Wei, Z. (2024). The Analysis of Schnorr Multi-Signatures and the Application to AI. In: Vaidya, J., Gabbouj, M., Li, J. (eds) Artificial Intelligence Security and Privacy. AIS&P 2023. Lecture Notes in Computer Science, vol 14509. Springer, Singapore. https://doi.org/10.1007/978-981-99-9785-5_9
DOI: https://doi.org/10.1007/978-981-99-9785-5_9
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-9784-8
Online ISBN: 978-981-99-9785-5