Optimized Privacy-Preserving Multi-signatures from Discrete Logarithm Assumption
摘要
Multi-signatures allow a set of signers to generate a joint signature for the same message, which have been a popular realm in recent years. Tessaro and Zhu (EUROCRYPT’23) proposed an optimized version of a two-round multi-signature scheme \(\textsf{MuSig2}\) (CRYPTO’21), called \(\mathsf {MuSig2\text {-}H}\) , whose security relies on the plain discrete logarithm assumption. However, heavy computational overhead cannot be avoided during aggregated key generation, due to multiple exponentiations. Crites et al. (CRYPTO’22) proposed \(\textsf{SpeedyMuSig}\) , a more efficient version of \(\textsf{MuSig2}\) . Unfortunately, its proof relies on a non-standard assumption (the OMDL assumption) in an idealized model (the AGM). In a very recent work, Abou Haidar et al. (PKC’25) presented \(\mathsf {PP\text {-}MuSig2}\) , a privacy-preserving version of \(\textsf{MuSig2}\) which satisfies the strongest unforgeability and privacy, but failed to optimize efficiency and provide detailed proof of security reduction under the AOMDL assumption. In this paper, we propose an optimized multi-signature scheme, called \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) , with high efficiency, strong security and privacy. Firstly, we use proofs of possession during key generation and verification, to improve the efficiency. Then, we revisit the framework of \(\mathsf {PP\text {-}MuSig2}\) and add privacy to the original \(\mathsf {MuSig2\text {-}H}\) scheme. Moreover, we prove the strongest security and privacy of the new scheme in detail, where its security proof relies on the discrete logarithm assumption and the random oracle model, without using the AGM. Finally, we instantiate \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) based on the discrete logarithm assumption.