
The Analysis of Schnorr Multi-Signatures and the Application to AI

  • Conference paper
Artificial Intelligence Security and Privacy (AIS&P 2023)

Abstract

Artificial intelligence (AI) is having a profound impact on our daily lives. We suggest using digital signatures to protect the user’s identity and achieve data accountability. To address high-risk applications, multi-signatures are expected to play an important role in AI. MuSig2 by Nick et al. is an efficient and secure Schnorr multi-signature scheme. MuSig2 implements signature aggregation and key aggregation, and MuSig2 is reduced to the One-More Discrete Logarithms (OMDL) problem in the random oracle model. This comes at the cost that the signer needs four nonces instead of one nonce for each signature. However, MuSig2 ignores the change of nonces in the forking lemma, which leads to the signer signature requiring too many nonces, and makes the proof of the scheme complicated. In this paper, we reduce the number of nonces from 4 to 2 and simplify the security proof of the MuSig2 scheme in the random oracle model. Then by reducing the security requirement slightly, we achieve the MuSig2 scheme’s security when the nonces are reused. Finally, we utilize the proof technology of MuSig2 to reduce the MSDL (Discrete-Logarithm based Multi-Signature) scheme by Boneh et al. to the OMDL assumption.


References

  1. Alper, H.K., Burdges, J.: Two-round trip Schnorr multi-signatures via delinearized witnesses. IACR Cryptology ePrint Archive (2020)

  2. Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (2008)

  3. Bellare, M., Dai, W.: Chain reductions for multi-signatures and the HBMS scheme. In: International Conference on the Theory and Application of Cryptology and Information Security (2021)

  4. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Conference on Computer and Communications Security (2006)

  5. Boneh, D., Drijvers, M., Neven, G.: Compact multi-signatures for smaller blockchains. IACR Cryptol. ePrint Arch. 2018, 483 (2018)

  6. Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1084–1101 (2019)

  7. Itakura, K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 1–8 (1983)

  8. Kaur, D., Uslu, S., Rittichier, K.J., Durresi, A.: Trustworthy artificial intelligence: a review. ACM Comput. Surv. (CSUR) 55, 1–38 (2022)

  9. Lee, K., Kim, H.: Two-round multi-signatures from Okamoto signatures. IACR Cryptol. ePrint Arch. 2022, 1117 (2023)

  10. Legg, S., Hutter, M.: A collection of definitions of intelligence. In: Artificial General Intelligence (2007)

  11. Ma, C., Weng, J., Li, Y., Deng, R.H.: Efficient discrete logarithm based multi-signature scheme in the plain public key model. Des. Codes Crypt. 54, 121–133 (2010)

  12. Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to bitcoin. Des. Codes Cryptogr. 87, 1–26 (2019)

  13. Nick, J.D., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. IACR Cryptology ePrint Archive (2020)

  14. Nick, J.D., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: Schnorr multi-signatures with verifiably deterministic nonces. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (2020)

  15. Nicolosi, A., Krohn, M.N., Dodis, Y., Mazières, D.: Proactive two-party signatures for user authentication. In: Network and Distributed System Security Symposium (2003)

  16. Pan, J., Wagner, B.: Chopsticks: fork-free two-round multi-signatures from non-interactive assumptions. IACR Cryptol. ePrint Arch. 2023, 198 (2023)

  17. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4, 161–174 (2004)

  18. Syta, E., et al.: Keeping authorities “honest or bust” with decentralized witness cosigning. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 526–545 (2015)

  19. Szalachowski, P., Matsumoto, S., Perrig, A.: PoliCert: secure and flexible TLS certificate management. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (2014)

  20. Tessaro, S., Zhu, C.: Threshold and multi-signature schemes from linear hash functions. IACR Cryptol. ePrint Arch. 2023, 276 (2023)

  21. Wagner, D.A.: A generalized birthday problem. In: Annual International Cryptology Conference (2002)

  22. Xiao, Y.-L., Zhang, P., Liu, Y.: Secure and efficient multi-signature schemes for fabric: an enterprise blockchain platform. IEEE Trans. Inf. Forensics Secur. 16, 1782–1794 (2022)

Author information

Correspondence to Jing Qin.

A Proof of the MSOMDL

Theorem 2

MSOMDL is EUF-CMA in the random oracle model for \( H_{agg}, H_{con},\) \( H_{sig}: \{0,1\}^{*}\longrightarrow \mathbb {Z}_{p} \), if the OMDL problem is hard. More precisely, for any adversary \( \mathcal {A} \) against MSOMDL running in time at most t, making at most \( q_{s} \) Sign queries and at most \( q_{h} \) queries to each random oracle, and such that the size of L in any signing session and in the forgery is at most N, there exists an algorithm D taking as input group parameters \( (\mathbb {G}, p, g) \leftarrow GrGen(1^{\lambda }) \), running in time at most

$$\begin{aligned} t'= 2(t + N q )t_{exp}+ O(qN), \end{aligned}$$
(17)

where \( q = 2q_{h}+ q_{s}+ 1 \) and \( t_{exp} \) is the time of an exponentiation in \( \mathbb {G} \), making at most \( 2q_{s} DLOG_{g} \) queries, and solving the OMDL problem with an advantage

$$\begin{aligned} Adv^{OMDL}_{\mathcal {D},GrGen(\lambda )} \ge \left( Adv^{EUF-CMA}_{\mathcal {A},MSOMDL}(\lambda )\right) ^{4}/q^{3}- 22/2^{\lambda }. \end{aligned}$$
(18)

Proof. We construct algorithms \( \mathcal {B} \), \( \mathcal {C} \) and \( \mathcal {D} \). They work as described in the proof of MuSig2. We first construct a “wrapping” algorithm \( \mathcal {B} \) which essentially runs the adversary \( \mathcal {A} \) and returns a forgery together with some information about the adversary's execution, unless some bad event happens. For the precise structure of algorithm \( \mathcal {B} \), see [13].

Next we construct \( \mathcal {C} \) to compute the aggregated secret key \( \tilde{x} \). The conditions of the forking lemma are the same as for MuSig2. We have \( R=R' \) and \( \tilde{X}=\tilde{X}' \), since the forgery's challenge query \( c^{*}=H_{sig}(\tilde{X},R,m) \) is the last point at which the two executions differ. Because neither \( \textsf{KeyColl} \) nor \( \textsf{BadOrder} \) occurs, \( \tilde{X}=\tilde{X}' \) implies \( L=L'\), \(i_{agg}=i'_{agg}\) and \(\boldsymbol{a} = \boldsymbol{a}' \).

Therefore, we have that

$$\begin{aligned} i_{agg}= i'_{agg},\ L = L',\ R = R' \ \text{and}\ \boldsymbol{a} = \boldsymbol{a}', \end{aligned}$$
(19)

which implies in particular that \( \tilde{X} =\tilde{X}' \). By Lemma 3, the two outputs returned by \( \mathcal {B} \) are such that

$$\begin{aligned} g^{s}= R\tilde{X}^{h_{sig, i_{sig}}}\ \text{and}\ g^{s'}= R'(\tilde{X}')^{h' _{sig,i_{sig}}}= R\tilde{X}^{h'_{sig,i_{sig}}}, \end{aligned}$$
(20)

which allows \( \mathcal {C} \) to compute the discrete logarithm of \( \tilde{X} \) as

$$\begin{aligned} \tilde{x}:= (s - s')(h_{sig,i_{sig}}- h'_{sig,i_{sig}})^{-1} \mod p. \end{aligned}$$
(21)

Then \( \mathcal {C} \) returns \( (i_{agg}, L, \boldsymbol{a}, \tilde{x}) \).

Letting \( \varepsilon = Adv^{EUF-CMA}_{\mathcal {A},MSOMDL}(\lambda ) \), the accepting probability of \( \mathcal {C} \) satisfies

$$\begin{aligned} acc(\mathcal {C}) \ge acc(\mathcal {B})\left( \frac{acc(\mathcal {B})}{q}-\frac{1}{p}\right) \ge \frac{\varepsilon ^{2}}{q} - \frac{2(4q+1)}{2^{\lambda }}. \end{aligned}$$
(22)

Next we construct \( \mathcal {D} \) to compute the secret key \( x^{*} \). The conditions of the forking lemma are the same as for MuSig2, except that the query \( H_{non}(\tilde{X},(R_{1}, \ldots , R_{v}), m) \) is replaced by the query \( H_{con}(R_{i}) \). Since the two executions of \( \mathcal {B} \) are identical up to the assignments \( T_{agg}(L, X^{*}):= h_{agg,i_{agg} }\) and \( T_{agg}(L', X^{*}):= h'_{agg,i_{agg}} \), the arguments of the two assignments \( T_{agg}(L, X_{i})\) and \( T_{agg}(L', X'_{i}) \) must be the same, which implies \( L = L' \) and \( a_{i}= a'_{i} \) for each i such that \( X_{i}\ne X^{*} \).

The adversary behaves differently in these two executions. Concretely, the simulator must use different \( R_{i} \) for different \( a_{i} \) in the two executions. Thus the simulator requires \( 2q_{s} \) \( DLOG_{g} \) oracle queries.

Therefore, we have that

$$\begin{aligned} L = L'\ \text{and}\ a_{i}= a'_{i} \ \text{for each}\ i\ \text{such that}\ X_{i}\ne X^{*} . \end{aligned}$$
(23)

By Lemma 3, we have that

$$\begin{aligned} \begin{aligned} g^{\tilde{x}}&=\prod _{i=1}^{n}X^{a_{i}}_{i}= (X^{*})^{n^{*}h_{agg,i_{agg}}}\prod _{\substack{i\in \{1, \ldots , n\} \\ X_{i}\ne X^{*}}} X^{a_{i}}_{i},\\ g^{\tilde{x}'}&=\prod _{i=1}^{n}X^{a'_{i}}_{i}= (X^{*})^{n^{*}h'_{agg,i_{agg}}}\prod _{\substack{i\in \{1, \ldots , n\} \\ X_{i}\ne X^{*}}} X^{a_{i}}_{i}. \end{aligned} \end{aligned}$$
(24)

Thus, \( \mathcal {D} \) is able to compute the discrete logarithm of \( X^{*} \) as

$$\begin{aligned} x^{*}:= (\tilde{x} - \tilde{x}')(n^{*})^{-1}(h_{agg,i_{agg}}- h'_{agg,i_{agg}})^{-1}\mod p. \end{aligned}$$
(25)

We have \( r=s-cx \), which contradicts the hardness of the OMDL problem.

From \( r=s-cx \) we can obtain the discrete logarithms of \( R_{1j}^{(k)}, j\in \{1,2\},k\in \{1,\ldots ,q_{s}\} \). Note that \(j\in \{1,2\}\) reflects that the simulator uses different nonces in the two executions of the forking lemma. This contradicts the hardness of the \(2q_{s}\)-OMDL problem.

Let \( \varepsilon = Adv^{EUF-CMA}_{\mathcal {A},MSOMDL}(\lambda ) \). By Lemmas 1 and 3, the success probability of \( Fork_{\mathcal {C}} \) is at least

$$\begin{aligned} acc(Fork_{\mathcal {C}}) \ge acc(\mathcal {C})(\frac{acc(\mathcal {C})}{q}-\frac{1}{p})\ge \frac{\varepsilon ^{4}}{q^{3}} - \frac{22}{2^{\lambda }}. \end{aligned}$$
(26)

The advantage of \( \mathcal {D} \) is

$$\begin{aligned} Adv^{OMDL}_{\mathcal {D},GrGen(\lambda )}\ge acc(Fork_{\mathcal {C}})\ge \frac{\varepsilon ^{4}}{q^{3}} - \frac{22}{2^{\lambda }}. \end{aligned}$$
(27)

The running-time analysis is the same as in Lemma 2, except for the time needed to compute the honest signer’s effective nonce. Thus the running time \( t' \) of \( \mathcal {D} \) is \( t'= 2(t + qN)t_{exp}+ O(qN) \).
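The two extraction steps of the reduction, (21) for \( \tilde{x} \) and (25) for \( x^{*} \), as an added example in Python (not code from the paper): it models \( H_{agg} \) and \( H_{sig} \) with SHA-256 over a toy group, replays the inner fork (same R, re-programmed \( H_{sig} \)) and the outer fork (re-programmed \( H_{agg}(L, X^{*}) \)), and checks that both recovered secrets are correct. The group parameters, the `fork_value` stand-in for the fresh oracle reply, and the `run_reduction` driver are this example's own assumptions.

```python
import hashlib
# Toy group, far too small for real use: the order-p subgroup of Z_P^* with P = 2p + 1, generator g = 4.
P, p, g = 2039, 1019, 4

def H(tag, *items):
    """Random oracles (H_agg, H_sig) modelled by SHA-256 into Z_p, domain-separated by tag."""
    data = tag.encode() + b"|" + b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def fork_value(v):
    """Stand-in for the fresh oracle reply after rewinding; any value != v works for the extractor."""
    return (v + 1) % p

def aggregate(L, a):
    """Key aggregation X~ = prod_i X_i^{a_i}."""
    Xt = 1
    for X, ai in zip(L, a):
        Xt = Xt * pow(X, ai, P) % P
    return Xt

def response(xs, a, rs, c):
    """Aggregate response s = sum_i (r_i + c * a_i * x_i) for the challenge c the reduction programmed."""
    return sum(r + c * ai * x for r, ai, x in zip(rs, a, xs)) % p

def extract_agg_secret(s, s2, c, c2):
    """Eq. (21): two valid responses under the same R but challenges c != c' give x~."""
    return (s - s2) * pow(c - c2, -1, p) % p

def extract_signer_secret(xt, xt2, n_star, h, h2):
    """Eq. (25): x~ and x~' obtained under H_agg(L, X*) = h resp. h' (X* listed n* times) give x*."""
    return (xt - xt2) * pow(n_star, -1, p) * pow(h - h2, -1, p) % p

def run_reduction(xs, rs, m):
    """Replay the nested forks of C (inner, on H_sig) and D (outer, on H_agg); X* is the first key."""
    L = [pow(g, x, P) for x in xs]
    X_star, n_star = L[0], L.count(L[0])
    R = 1
    for r in rs:                                   # same nonces in both branches of the inner fork
        R = R * pow(g, r, P) % P
    h = H("agg", *L, X_star)
    found = {}
    for key, h_star in (("xt", h), ("xt2", fork_value(h))):
        a = [h_star if X == X_star else H("agg", *L, X) for X in L]   # a_i unchanged for X_i != X*
        Xt = aggregate(L, a)
        c, c2 = H("sig", Xt, R, m), fork_value(H("sig", Xt, R, m))
        s, s2 = response(xs, a, rs, c), response(xs, a, rs, c2)
        assert pow(g, s, P) == R * pow(Xt, c, P) % P and pow(g, s2, P) == R * pow(Xt, c2, P) % P  # eq. (20)
        found[key] = extract_agg_secret(s, s2, c, c2)
    found["x_star"] = extract_signer_secret(found["xt"], found["xt2"], n_star, h, fork_value(h))
    return found
```

The same algebra is why a signer that reuses a nonce under two different challenges leaks its key: the extractor in (21) needs nothing but the two verifying signatures.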

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

Cite this paper

Wang, W., Qin, J., Liu, J., Zhang, X., Hou, X., Wei, Z. (2024). The Analysis of Schnorr Multi-Signatures and the Application to AI. In: Vaidya, J., Gabbouj, M., Li, J. (eds) Artificial Intelligence Security and Privacy. AIS&P 2023. Lecture Notes in Computer Science, vol 14509. Springer, Singapore. https://doi.org/10.1007/978-981-99-9785-5_9

  • DOI: https://doi.org/10.1007/978-981-99-9785-5_9

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-9784-8

  • Online ISBN: 978-981-99-9785-5