Multi-signatures allow a set of signers to generate a joint signature for the same message, which have been a popular realm in recent years. Tessaro and Zhu (EUROCRYPT’23) proposed an optimized version of a two-round multi-signature scheme \(\textsf{MuSig2}\) (CRYPTO’21), called \(\mathsf {MuSig2\text {-}H}\) , whose security relies on the plain discrete logarithm assumption. However, heavy computational overhead cannot be avoided during aggregated key generation, due to multiple exponentiations. Crites et al. (CRYPTO’22) proposed \(\textsf{SpeedyMuSig}\) , a more efficient version of \(\textsf{MuSig2}\) . Unfortunately, its proof relies on a non-standard assumption (the OMDL assumption) in an idealized model (the AGM). In a very recent work, Abou Haidar et al. (PKC’25) presented \(\mathsf {PP\text {-}MuSig2}\) , a privacy-preserving version of \(\textsf{MuSig2}\) which satisfies the strongest unforgeability and privacy, but failed to optimize efficiency and provide detailed proof of security reduction under the AOMDL assumption. In this paper, we propose an optimized multi-signature scheme, called \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) , with high efficiency, strong security and privacy. Firstly, we use proofs of possession during key generation and verification, to improve the efficiency. Then, we revisit the framework of \(\mathsf {PP\text {-}MuSig2}\) and add privacy to the original \(\mathsf {MuSig2\text {-}H}\) scheme. Moreover, we prove the strongest security and privacy of the new scheme in detail, where its security proof relies on the discrete logarithm assumption and the random oracle model, without using the AGM. Finally, we instantiate \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) based on the discrete logarithm assumption.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Optimized Privacy-Preserving Multi-signatures from Discrete Logarithm Assumption

  • Xiaoyang Wei,
  • Shuai Han,
  • Shengli Liu

摘要

Multi-signatures allow a set of signers to generate a joint signature for the same message, which have been a popular realm in recent years. Tessaro and Zhu (EUROCRYPT’23) proposed an optimized version of a two-round multi-signature scheme \(\textsf{MuSig2}\) (CRYPTO’21), called \(\mathsf {MuSig2\text {-}H}\) , whose security relies on the plain discrete logarithm assumption. However, heavy computational overhead cannot be avoided during aggregated key generation, due to multiple exponentiations. Crites et al. (CRYPTO’22) proposed \(\textsf{SpeedyMuSig}\) , a more efficient version of \(\textsf{MuSig2}\) . Unfortunately, its proof relies on a non-standard assumption (the OMDL assumption) in an idealized model (the AGM). In a very recent work, Abou Haidar et al. (PKC’25) presented \(\mathsf {PP\text {-}MuSig2}\) , a privacy-preserving version of \(\textsf{MuSig2}\) which satisfies the strongest unforgeability and privacy, but failed to optimize efficiency and provide detailed proof of security reduction under the AOMDL assumption. In this paper, we propose an optimized multi-signature scheme, called \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) , with high efficiency, strong security and privacy. Firstly, we use proofs of possession during key generation and verification, to improve the efficiency. Then, we revisit the framework of \(\mathsf {PP\text {-}MuSig2}\) and add privacy to the original \(\mathsf {MuSig2\text {-}H}\) scheme. Moreover, we prove the strongest security and privacy of the new scheme in detail, where its security proof relies on the discrete logarithm assumption and the random oracle model, without using the AGM. Finally, we instantiate \(\mathsf {PP\text {-}SpeedyMuSig2\text {-}H}\) based on the discrete logarithm assumption.