Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to main content
SpringerLink
Log in

Practical Schnorr Threshold Signatures Without the Algebraic Group Model

  • Conference paper
  • First Online:
Advances in Cryptology – CRYPTO 2023 (CRYPTO 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14081))

Included in the following conference series:

Abstract

Threshold signatures are digital signature schemes in which a set of n signers specify a threshold t such that any subset of size t is authorized to produce signatures on behalf of the group. There has recently been a renewed interest in this primitive, largely driven by the need to secure highly valuable signing keys, e.g., DNSSEC keys or keys protecting digital wallets in the cryptocurrency ecosystem. Of special interest is FROST, a practical Schnorr threshold signature scheme, which is currently undergoing standardization in the IETF and whose security was recently analyzed at CRYPTO’22.

We continue this line of research by focusing on FROST’s unforgeability combined with a practical distributed key generation (DKG) algorithm. Existing proofs of this setup either use non-standard heuristics, idealized group models like the AGM, or idealized key generation. Moreover, existing proofs do not consider all practical relevant optimizations that have been proposed. We close this gap between theory and practice by presenting the Schnorr threshold signature scheme \(\textsf{Olaf} \), which combines the most efficient known FROST variant \(\textsf{FROST3} \) with a variant of Pedersen’s DKG protocol (as commonly used for FROST), and prove its unforgeability. Our proof relies on the AOMDL assumption (a weaker and falsifiable variant of the OMDL assumption) and, like proofs of regular Schnorr signatures, on the random oracle model.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 89.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 119.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    That is, the heuristic argument did not consist of using commonly used idealized model such as the random oracle model, the generic group model or the algebraic group model but was constructed particularly for their proof.

  2. 2.

    A merged version of these two works appeared at CRYPTO 2022 [7].

  3. 3.

    While the idealized key generation can in principle by instantiated using a fully simulatable DKG [31, 33, 38], we are not aware of any suitable DKG that has been proven secure in a dishonest majority setting \((n/2 \le t -1)\).

  4. 4.

    There is a claimed proof of Schnorr signatures in the GGM which does not rely on the ROM [42], but it has been found to be flawed [14].

References

  1. Implementation of FROST by Bank of Italy. https://github.com/bancaditalia/secp256k1-frost

  2. Implementation of FROST by CoinBase. https://github.com/coinbase/kryptology/tree/v1.8.0/pkg/ted25519/frost

  3. Implementation of FROST by Taurus SA. https://github.com/taurusgroup/frost-ed25519

  4. Implementation of FROST in libsecp256k1-zkp. https://github.com/BlockstreamResearch/secp256k1-zkp/pull/138

  5. Abram, D., Nof, A., Orlandi, C., Scholl, P., Shlomovits, O.: Low-bandwidth threshold ECDSA via pseudorandom correlation generators. In: 2022 IEEE Symposium on Security and Privacy, pp. 2554–2572. IEEE Computer Society Press (2022). https://doi.org/10.1109/SP46214.2022.9833559

  6. Bagherzandi, A., Cheon, J.H., Jarecki, S.: Multisignatures secure under the discrete logarithm assumption and a generalized forking lemma. In: Ning, P., Syverson, P.F., Jha, S. (eds.) ACM CCS 2008, pp. 449–458. ACM Press (2008). https://doi.org/10.1145/1455770.1455827

  7. Bellare, M., Crites, E.C., Komlo, C., Maller, M., Tessaro, S., Zhu, C.: Better than advertised security for non-interactive threshold signatures. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 517–550. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-15985-5_18

    Chapter  Google Scholar 

  8. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003). https://doi.org/10.1007/s00145-002-0120-1

    Article  MathSciNet  MATH  Google Scholar 

  9. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 390–399. ACM Press (2006). https://doi.org/10.1145/1180405.1180453

  10. Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162–177. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_11

    Chapter  Google Scholar 

  11. Bellare, M., Tessaro, S., Zhu, C.: Stronger security for non-interactive threshold signatures: BLS and FROST. Cryptology ePrint Archive, Report 2022/833 (2022). https://eprint.iacr.org/2022/833

  12. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3

    Chapter  Google Scholar 

  13. Brandao, L., Peralta, R.: NIST First Call for Multi-Party Threshold Schemes. https://csrc.nist.gov/publications/detail/nistir/8214c/draft

  14. Brown, D.R.L.: A flaw in a theorem about Schnorr signatures. Cryptology ePrint Archive, Report 2015/509 (2015). https://eprint.iacr.org/2015/509

  15. Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1769–1787. ACM Press (2020). https://doi.org/10.1145/3372297.3423367

  16. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Bandwidth-efficient threshold EC-DSA. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part II. LNCS, vol. 12111, pp. 266–296. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_10

    Chapter  Google Scholar 

  17. Connolly, D., Komlo, C., Goldberg, I., Wood, C.A.: Two-Round Threshold Schnorr Signatures with FROST. Internet-Draft draft-IRTF-CFRG-frost, Internet Engineering Task Force (2023). https://datatracker.ietf.org/doc/draft-irtf-cfrg-frost/. Work in Progress

  18. Crites, E., Komlo, C., Maller, M.: How to prove schnorr assuming schnorr: Security of multi- and threshold signatures. Cryptology ePrint Archive, Paper 2021/1375 (2021). https://eprint.iacr.org/2021/1375

  19. Dalskov, A., Orlandi, C., Keller, M., Shrishak, K., Shulman, H.: Securing DNSSEC keys via threshold ECDSA from generic MPC. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020, Part II. LNCS, vol. 12309, pp. 654–673. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_32

    Chapter  Google Scholar 

  20. Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B.: Fast threshold ECDSA with honest majority. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 382–400. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_19

    Chapter  Google Scholar 

  21. De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: 26th ACM STOC, pp. 522–533. ACM Press (1994). https://doi.org/10.1145/195058.195405

  22. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8

    Chapter  Google Scholar 

  23. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28

    Chapter  Google Scholar 

  24. Doerner, J., Kondi, Y., Lee, E., shelat, a.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy, pp. 1051–1066. IEEE Computer Society Press (2019). https://doi.org/10.1109/SP.2019.00024

  25. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

    Chapter  Google Scholar 

  26. Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind Schnorr signatures and signed ElGamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020, Part II. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3

    Chapter  MATH  Google Scholar 

  27. Gągol, A., Kula, J., Straszak, D., Świętek, M.: Threshold ECDSA for decentralized asset custody. Cryptology ePrint Archive, Report 2020/498 (2020). https://eprint.iacr.org/2020/498

  28. Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1179–1194. ACM Press (2018). https://doi.org/10.1145/3243734.3243859

  29. Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9

    Chapter  MATH  Google Scholar 

  30. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31

    Chapter  Google Scholar 

  31. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21

    Chapter  Google Scholar 

  32. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure applications of Pedersen’s distributed key generation protocol. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 373–390. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36563-X_26

    Chapter  Google Scholar 

  33. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2006). https://doi.org/10.1007/s00145-006-0347-3

    Article  MathSciNet  MATH  Google Scholar 

  34. Gennaro, R., Rabin, T., Jarecki, S., Krawczyk, H.: Robust and efficient sharing of RSA functions. J. Cryptol. 13(2), 273–300 (2000). https://doi.org/10.1007/s001459910011

    Article  MathSciNet  MATH  Google Scholar 

  35. Groth, J., Shoup, V.: Design and analysis of a distributed ECDSA signing service. Cryptology ePrint Archive, Report 2022/506 (2022). https://eprint.iacr.org/2022/506

  36. Katz, J., Zhang, C., Zhou, H.S.: An analysis of the algebraic group model. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022. LNCS, vol. 13794, pp. 310–322. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-22972-5_11

    Chapter  Google Scholar 

  37. Komlo, C., Goldberg, I.: FROST: flexible round-optimized schnorr threshold signatures. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 34–65. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_2

    Chapter  Google Scholar 

  38. Komlo, C., Goldberg, I., Stebila, D.: A formal treatment of distributed key generation, and new constructions. Cryptology ePrint Archive, Report 2023/292 (2023). https://eprint.iacr.org/2023/292

  39. Lindell, Y.: Simple three-round multiparty schnorr signing with full simulatability. Cryptology ePrint Archive, Report 2022/374 (2022). https://eprint.iacr.org/2022/374

  40. Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1837–1854. ACM Press (2018). https://doi.org/10.1145/3243734.3243788

  41. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

    Chapter  MATH  Google Scholar 

  42. Neven, G., Smart, N.P., Warinschi, B.: Hash function requirements for schnorr signatures. J. Math. Cryptol. 3(1), 69–87 (2009). https://doi.org/10.1515/JMC.2009.004

    Article  MathSciNet  MATH  Google Scholar 

  43. Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round schnorr multi-signatures. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part I. LNCS, vol. 12825, pp. 189–221. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_8

    Chapter  Google Scholar 

  44. Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_47

    Chapter  Google Scholar 

  45. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

    Chapter  Google Scholar 

  46. Pettit, M.: Efficient threshold-optimal ECDSA. In: Conti, M., Stevens, M., Krenn, S. (eds.) CANS 2021. LNCS, vol. 13099, pp. 116–135. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92548-2_7

    Chapter  Google Scholar 

  47. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000). https://doi.org/10.1007/s001450010003

    Article  MATH  Google Scholar 

  48. Ruffing, T., Ronge, V., Jin, E., Schneider-Bensch, J., Schröder, D.: ROAST: robust asynchronous schnorr threshold signatures. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022, pp. 2551–2564. ACM Press (2022). https://doi.org/10.1145/3548606.3560583

  49. Schnorr, C.P.: Method for identifying subscribers and for generating and verifying electronic signatures in a data exchange system. European Patent 0383985A1

    Google Scholar 

  50. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

    Chapter  Google Scholar 

  51. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15

    Chapter  Google Scholar 

  52. Stinson, D.R., Strobl, R.: Provably secure distributed schnorr signatures and a (t, n) threshold scheme for implicit certificates. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 417–434. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-47719-5_33

    Chapter  MATH  Google Scholar 

  53. Wuille, P., Nick, J., Ruffing, T.: Schnorr signatures for secp256k1. Bitcoin Improvement Proposal 340 (2020). https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki

  54. Yuen, T.H., Cui, H., Xie, X.: Compact zero-knowledge proofs for threshold ECDSA with trustless setup. In: Garay, J.A. (ed.) PKC 2021, Part I. LNCS, vol. 12710, pp. 481–511. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-75245-3_18

    Chapter  Google Scholar 

Download references

Acknowledgments

We thank the anonymous reviewers for their very helpful comments and suggestions. This work was partially supported by Deutsche Forschungsgemeinschaft as part of the Research and Training Group 2475 “Cybercrime and Forensic Computing” (grant number 393541319/GRK2475/1-2019), and through grant 442893093, and by the state of Bavaria at the Nuremberg Campus of Technology (NCT). NCT is a research cooperation between the Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) and the Technische Hochschule Nürnberg Georg Simon Ohm (THN).

Author information

Authors and Affiliations

  1. Friedrich-Alexander-Universität Erlangen-Nürnberg, Erlangen, Germany

    Hien Chu, Paul Gerhart & Dominique Schröder

  2. Blockstream Research, Victoria, Canada

    Tim Ruffing

Authors
  1. Hien Chu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Paul Gerhart
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tim Ruffing
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Dominique Schröder
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hien Chu .

Editor information

Editors and Affiliations

  1. Rambus Inc., San Jose, CA, USA

    Helena Handschuh

  2. Brown University, Providence, RI, USA

    Anna Lysyanskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chu, H., Gerhart, P., Ruffing, T., Schröder, D. (2023). Practical Schnorr Threshold Signatures Without the Algebraic Group Model. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14081. Springer, Cham. https://doi.org/10.1007/978-3-031-38557-5_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-38557-5_24

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-38556-8

  • Online ISBN: 978-3-031-38557-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation