1.1  Importance of Concrete Security for Parameter Choice

Theoretically, a security proof of a cryptosystem consists of a reduction from solving some computational problem to breaking the cryptosystem under a defined adversarial model. From the security proof, usually, we can derive a relation between \(T_A=t_A/\varepsilon_A\) and \(T_P=t_P/\varepsilon_P\), where \(t_A\) and \(\varepsilon_A\) are the adversary’s running time and success probability for breaking the cryptosystem and \(t_P\) and \(\varepsilon_P\) are the algorithm’s running time and success probability for solving the computational problem. A typical relation between \(T_P\) and \(T_A\) is as follows: \(T_A\geq T_P/\Phi\), where \(\Phi\) is often referred to as the reduction loss.

When we derive the size of parameters, e.g., an order of the underlying group in a DL-based scheme, for guaranteeing the security of the cryptosystem in practice, \(\Phi\) was often disregarded. However, this disregard sometimes makes schemes vulnerable. An example of this vulnerability is shown by the recent work of Kales and Zaverucha [26] which demonstrated an attack on the MQDSS signature scheme [27]. Their attack exploits the fact that the parameter of MQDSS was derived without considering \(\Phi\). Therefore, it is important to derive the size of parameters by considering \(\Phi\) based on the security proof, and thus we should implement cryptosystems with provable secure parameters.

A small \(\Phi\) is preferable in practice because it does not let the problem mentioned above occur in the first place. Also, if \(\Phi\) is large, we need to ensure that \(T_P\) is sufficiently large so that the derived lower bound of \(T_A\), i.e., \(T_P/\Phi\), is not too small to have a practical meaning. Usually, the only way to make \(T_P\) larger is by setting larger parameters, which means higher costs for implementation in practice. If \(\Phi\) is a relatively small constant value independent of the parameters of the cryptosystem and the adversary, we say that the security proof is tight.

Also, it is difficult for a scheme with a large \(\Phi\) to use the standardized cryptographic tools. Specifically, for the DL-based schemes, a elliptic curve (EC) with a 256-bit prime order is required to guarantee 128-bit security, but it is only applied to tightly secure schemes. The scheme with a large \(\Phi\) requires an EC with an order larger than 256-bit. We have standardized ECs with such an order, e.g., NIST P-384 and P-521. However, for the scheme with very large \(\Phi\), such ECs are not sufficient for 128-bit security, and then, we need to design a new desireable EC. This makes the implementation difficult and less reliable.

For schemes with a small \(\Phi\), it is easy to use the standardized tools because we do not have to care about the above-mentioned problems. Specifically, for the DL-based schemes, we can use the standardized ECs, e.g., NIST P-256 and Secp256k1, for 128-bit security. Also if \(\Phi\) is small, even though \(\Phi\) is not constant, we may be able to avoid the inconvenient situation where there is no suitable standardized tool.

1.2  Concrete Security of Existing DL-Based Multi-Signature Schemes

Here, we review the existing DL-based two-round multi-signature schemes in terms of the tightness of a reduction.

Most of them can be categorized into two types: The first type is the schemes with a non-tight reduction (namely, having a large reduction loss) and the second type is the schemes with a tight reduction. The schemes of the first type include MuSig-DN [7], MuSig2 (\(\nu \ge 4\)) [8], HBMS [10], TZ [25], and mBCJ [6], while the schemes of the second type include MuSig2 (\(\nu = 2\)) [8], DWMS [9], HBMS-AGM [10], LK [11].

When taking tightness into consideration, even for 128-bit security, the first-type schemes require an elliptic curve (EC) with an very large order. Table 1 shows how large the order of the group should be in order to provably ensure 128-bit security. As Table 1 shows, MuSig-DN, MuSig2 (\(\nu \ge 4\)), HBMS, TZ [25], and mBCJ, respectively, require 740-bit, 750-bit, 986-bit, 742-bit, and 544-bit groups. Importantly, these schemes no longer have standardized curves that provably ensure 128-bit security.

The cause of the large reduction losses of these schemes is that to prove the security based on the DL assumption, the reduction performs the rewinding of the adversary, like the security proof of the Schnorr signature scheme. Moreover, in schemes with key aggregation, the number of rewindings has to be increased. Thus, these schemes have larger reduction losses than that of the Schnorr signature scheme.

The schemes of the second type achieve tight security by using the Algebraic Group Model (AGM) [28], which is a very idealized model of computation. The schemes allow us to use an EC of a small order, e.g., 256-bit. However, the reliance on the AGM needs more care because recent research [29], [30] shows that the reliability of the AGM is still not well-understood. Indeed, Zhandry showed the one-time message authentication code that is secure in the AGM but insecure in the standard model [29].

The random oracle model is also an idealized model of hash functions, but the situation is rather different from the AGM. Much cryptanalytic literature investigates the possibility of distinguishing a concrete hash function from a random oracle by finding a dedicated input-output correlation beyond (target) collision resistance or preimage resistance [31]-[34]. These lines of research provide a more fine-grained understanding of how far (or near) concrete hash functions are from a random oracle.

Recently, Pan and Wagner proposed two two-round multi-signature schemes which can guarantee 128-bit security under standardized ECs. The first scheme PW-1 achieves tight security but does not support key aggregation. The second scheme PW-2 has a small but non-tight reduction loss, e.g., \(O(q_S)\) where \(q_S\) is the number of the signing queries. The second scheme is more efficient than the first one and supports key aggregation. Both are proven secure under the decisional Diffie-Hellman (DDH) assumption in the random oracle model.

However, under provably secure parameters, the two schemes do not improve the signature size and the communication complexity over the existing non-tight secure schemes even though those achieve tight security or a small reduction loss. Indeed, as shown in Table 1, the signature size of PW-1 is largest among the existing schemes without using AGM and the size of PW-2 is larger than theirs except for HBMS. Therefore, there is no scheme without using the AGM that (i) can use a standardized EC for 128-bit security and (ii) has high efficiency.

1.3  Our Contribution

In this paper, we propose a two-round multi-signature scheme that achieves (i) and (ii) mentioned above. We construct it from the DDH assumption and the random oracle model without using the AGM. This scheme guarantees 128-bit security under a standardized EC, e.g., NIST P-384. The signature size and the communication complexity under provable secure parameters are the most efficient among the existing two-round schemes without using the AGM. Moreover, our scheme is proven secure in the PPK model and supports key aggregation.

To achieve a scheme with the following properties, two rounds of communication for signing and a small reduction loss, we base our scheme on the Katz-Wang signature scheme [35] by applying the technique of HBMS. HBMS uses a certain tool like a homomorphic equivocal commitment scheme to achieve a two-round signing protocol. However, this tool is specialized to use together with the Schnorr identification scheme. Therefore, we cannot apply it to our case. To overcome this, we introduce a new technique to tailor a certain tool for use with the Katz-Wang DDH-based signature scheme.

Our scheme has a small reduction loss \(O(q_S)\) where \(q_S\) is the number of signing queries of a forger. As the result of the estimation of provable secure parameters, it only needs an EC with at least 321-bit order to ensure 128-bit security². Therefore, the curve P-384 is sufficient. Under P-384, the signature size is 1152 bits and the communication complexity per one signer is 1538 bits. These values achieve the shortest size among the existing schemes without using the AGM. Below, we compare our scheme with the existing scheme in detail.

Firstly, we compare our scheme with the existing non-tight schemes without using the AGM, e.g., MuSig-DN, MuSig2 (\(\nu \ge 4\)), HBMS, TZ, and mBCJ. Our signature size is reduced by more than 22%, 23%, 60%, 45%, and 47%, respectively. Compared to MuSig2 (\(\nu \ge 4\)), HBMS, TZ, and mBCJ, our communication complexity is reduced by more than 59%, 48%, 65%, and 43%, respectively. On the other hand, while the public key of our scheme consists of two group elements, theirs consist of only one group element. However, the public key size of our scheme under P-384 is 770 bits. This size is almost the same as theirs except for mBCJ. While the key size of mBCJ is smaller than ours, it does not support key aggregation. Therefore, we conclude that our scheme is more efficient compared to the existing non-tight schemes when we consider concrete security.

Secondly, we compare ours with PW-1 and PW-2. The signature size of our scheme is reduced by more than 67% and 40%, respectively. The communication complexity of our scheme is also reduced by more than 57% and 41%. The public keys of them are two group elements. The public key size of PW-1 is 514 bits but this scheme does not support key aggregation. The key size of PW-2 is 770 bits as same as ours. Thus, we also conclude that our scheme is more efficient than Pan-Wagner’s schemes.

We implement our scheme on an ordinary machine and measure the running time of our implementation. We set the number of signers \(N=\) 3, 5, 10, and 15, as typical numbers of signers in a real-world Multi-Sig Wallet, and \(N=\) 50 and 100 as large-scale settings. For more details of the setting and the environment, see Sect. 6. Both the running time of the signing protocol and that of the verification under \(N=15\) are less than 10 ms. For large-scale settings, both the running time of the signing protocol and that of the verification are about 30 ms under \(N=50\), and those are about 65 ms under \(N=100\). Moreover, since our proposed scheme also supports key aggregation, by precomputing a aggregated key, both the running time of signing and that of verification can be shortened to less than 2 ms irrelevantly to \(N\). Thus, we can conclude that our scheme has a realistic running time in practice.

1.4  Related Works

Bellare and Neven proposed the first Schnorr-based three-round multi-signature scheme [4] which is secure in the PPK model. In the document [36], they also proposed a DDH-based scheme which is built from the Katz-Wang signature scheme. Maxwell et al. proposed a variant of the Bellare-Neven scheme that supports key aggregation [5]. Fukumitsu and Hasegawa proposed a DDH-based scheme with key aggregation [37].

Drijvers et al. proposed a secure Schnorr-based two-round multi-signature scheme mBCJ [6]. They constructed this scheme by applying a patch to the insecure two-round scheme BCJ [38] which uses a homomorphic (special) equivocal commitment scheme. Bellare and Dai proposed an improvement of mBCJ as HBMS [10]. Lee and Kim proposed a two-round scheme LK [11] based on HBMS and the Okamoto identification scheme [39]. The security of these schemes is proven under the DL assumption. MuSig-DN [7] is a two-round multi-signature scheme with a different approach from the above schemes. Specifically, this scheme achieves a two-round signing protocol by using a pseudorandom functions (PRF), a pseudorandom number generators (PRNG), and a succinct non-interactive arguments of knowledge (SNARKs) [40] to make the signing protocol deterministic. MuSig2 [8] and DWMS [9] are also two-round schemes with different approaches from the above-mentioned schemes. They are proven secure under the algebraic one-more DL (AOMDL) and one-more DL (OMDL) assumptions, respectively. Tessaro and Zhu proposed a two-round scheme [25]. This scheme is similar to MuSig2 but is proven secure under the DL assumption.

1.5  Concurrent Work

In concurrent and independent work, Pan and Wagner proposed two two-round multi-signature schemes based on the DDH assumption [24]. The first scheme PW-1 achieves tight security but key aggregation is not supported. The second scheme PW-2 supports key aggregation and achieves a small but non-tight reduction loss.

Our scheme achieves a more efficient signature size and communication complexity than PW-2 although ours and PW-2 have something in common. Specifically, as shown in Table 1, they have common points, e.g., a security assumption, a reduction loss, and a standardized EC for 128-bit security. While the signature size of PW-2 is \(5|\mathbb{Z}_q|\), that of ours achieves \(3|\mathbb{Z}_q|\) where \(|\mathbb{Z}_q|\) is the size of \(|\mathbb{Z}_q|\).

Whereas Pan and Wagner dedicated the effort to present their construction in a generic and modular way, we trade generality and modularity for more efficiency. Our improvement is a benefit of this. PW-2 is an instantiation of their generic construction. PW-2 is constructed by combining a special commitment scheme and other building blocks in a generic manner. The scheme requires the binding property of the commitment scheme for proving the unforgeability. On the other hand, we construct our scheme in a specific way to be able to directly prove the unforgeability without using the binding property of the commitment scheme. In short, in our scheme, the binding property is not a necessary condition. Then, we can reduce the size of the commitment key, the commitment, and the decommitment. This gives a smaller signature size and communication complexity. However, our scheme cannot be captured by Pan-Wagner’s generic construction because the commitment scheme used in ours deviates from their syntax of the special commitment scheme.

2.1  Existing Non-Tight Secure Two-Round Schemes

Here, we explain the difficulty to construct a two-round multi-signature scheme from the Schnorr signature scheme. Schnorr signatures seem possible to be aggregated by using linearity. However, we cannot do that easily because a hash function used to sign does not have linearity. The well-known approach for this obstacle is to generate a multi-signature interactively as follows. Firstly each signer broadcasts a commitment \(R_i\in \mathbb{G}\) of the Schnorr protocol and computes \(\widetilde{R} \gets \sum_i R_i\) where \(\mathbb{G}\) is an additive cyclic group of a prime order \(q\). Each signer computes a challenge \(c_i \in \mathbb{Z}_q\) of the Schnorr protocol by the random oracle \(H_\mathrm{c}(\widetilde{R},\mathit{pk}_i,m)\), generates a response \(s_i \in \mathbb{Z}_q\) of the Schnorr protocol, and sends it to all the cosigners where \(\mathit{pk}_i\) is a public key corresponding to the signer \(i\) and \(m\) is a message to be signed. Finally, each signer computes \(\tilde{s}\gets \sum_i s_i\) and outputs \((\widetilde{R},\tilde{s})\) as a multi-signature on \(m\). The verification equation is \(\widetilde{R}=\tilde{s}G-\sum_i c_i\cdot \mathit{pk}_i\) where \(G\) is a generator of \(\mathbb{G}\). Unfortunately, this two-round multi-signature scheme is insecure. In this case, honest verifier zero-knowledge does not work because the reduction needs to return \(R\) to a forger before deciding \(c\) in the random oracle. There are attacks [6], [41] against this multi-signature scheme.

As a solution to the above problem, Drijvers et al. proposed the secure two-round multi-signature scheme mBCJ by combining the Schnorr protocol and a homomorphic (special) equivocal commitment scheme. In a nutshell, all signers broadcast their homomorphic commitment \(T\) to \(R\) in the first round, and they broadcast their decommitment \(d\) and response \(s\) in the second round. The commitment key is generated by the random oracle on input a message \(m\), e.g., \(H_\mathrm{ck}(m)\). Thus, in the security proof, the reduction can embed either a binding commitment key or an equivocal commitment key into the random oracle \(H_\mathrm{ck}(m)\). The reduction can simulate the honest signer without the secret key exploiting (special) equivocability if the commitment keys corresponding to queried messages are equivocal keys. It can also extract the secret key of the honest signer due to the binding property and the special soundness of the Schnorr protocol if the commitment key corresponding to the forgery is a binding key.

Bellare and Dai proposed a more efficient DL-based two-round multi-signature scheme HBMS than mBCJ by using a tool like the Pedersen commitment [42] instead of the homomorphic equivocal commitment scheme.

2.2  DDH-Based Lossy Identification

As in a well-known approach to achieve tight security of (standard) signature schemes, we attempts to construct it from the Katz-Wang (standard) signature scheme [35] which employs a DDH-based lossy identification.

Here, we review the DDH-based lossy identification. The secret key is \(x\in \mathbb{Z}_q\) and the public key is \((Y,Z)= x(G,H)^T\), which is a Diffie-Hellman (DH) tuple. The identification protocol is as follows. At first, the prover generates and sends \((R_1,R_2)^T = r(G,H)^T \in \mathbb{G}^2\) to the verifier where \(r\) is uniformly chosen from \(\mathbb{Z}_q\). Next, the verifier uniformly chooses \(c\ {\gets_\$}\mathbb{Z}_q\) and sends it to the prover. After that, the prover computes \(s\gets r+cx \!\!\mod q\) and sends it to the verifier. Finally, the verifier checks \(R=s(G,H)^T -c(Y,Z)^T\).

The soundness is proven under the DDH assumption as follows: First, we prove that impersonation is statistically hard under the lossy key which is a non-DH tuple, i.e., there exists no \(x\in \mathbb{Z}_q\) s.t. \((Y,Z)=x(G,H)^T\). Namely, under the lossy key, even for a computationally unbounded adversary, the success probability of an adversary is negligible³. Next, assume that there is an adversary that can perform impersonation with a non-negligible probability under the real public key, i.e., a DH tuple. Notice that this assumption induces a non-negligible gap between the adversary’s success probability under a lossy key and that under a real public key. Based on this, we can construct an algorithm solving the DDH problem by internally running (without rewinding) the adversary given an instance of the DDH problem as the public key.

2.3  Naive Approach and Difficulty

To construct a two-round scheme with a small reduction loss, we attempt to combine the technique of HBMS and the DDH-based lossy identification. In the signing protocol of HBMS, for a commitment key \(\mathit{ck}\in \mathbb{G}\), each signer generates a commitment \(T\) by \(T\gets d\cdot \mathit{ck}+R\), where we consider an additive cyclic group and \(d\) is a randomness for the commitment. Then, the verification equation is \(T= d\cdot \mathit{ck}+s\cdot G-c\cdot \mathit{pk}\)⁴. Note that one having the discrete logarithm of \(\mathit{ck}\) can extract the secret key from two forgeries \((T,c,(d,s))\) and \((T',c',(d',s'))\) s.t. \(T=T'\) and \(c\neq c'\) like the special soundness. Then, the binding property is no longer needed. Our observation means that we can replace the commitment scheme in mBCJ with a simpler and more efficient tool that has equivocability⁵ and the above property like the special soundness.

We require a tool that has similar properties to HBMS to achieve our goal. More concretely, in our case, a tool needs to have the following two types of commitment keys. The first type Type-1 ensures that forgery is statistically hard under this commitment key and a lossy key like the lossy identification. The second type Type-2 has (special) equivocability.

We need to newly construct such a tool tailored to the DDH-based lossy identification because we cannot reuse the tool used in HBMS. In contrast to the Schnorr protocol, \(R\) of the DDH-based lossy identification consists of two group elements. Thus, we cannot just apply the tool of HBMS to the DDH-based lossy identification.

One may think that the following naive way is sufficient, but it is not true. Below, we explain why the naive way fails. Each signer generates two keys \(\mathit{ck}_1\) and \(\mathit{ck}_2\) of the tool used in HBMS by hashing the message and generates a commitment \(T_1\) of \(R_1\) and a commitment \(T_2\) of \(R_2\) by using \(\mathit{ck}_1\) and \(\mathit{ck}_2\), respectively. Then, the verification equation is \((T_1,T_2)^T = d_1(\mathit{ck}_1,O)^T+ d_2(O,\mathit{ck}_2)^T +s (G,H)^T -c(Y,Z)^T\) where \(O\) is the identity element in \(\mathbb{G}\), \(c=H_\mathrm{c}(T_1,T_2,m,\mathit{pk})\), and \(d_1,d_2 \in \mathbb{Z}_q\). The important observation is that as long as the verification equation includes the term \(d_1(\mathit{ck}_1,O)^T+ d_2(O,\mathit{ck}_2)^T\), we cannot prove that forgery under the lossy key is statistically hard. Note that a forger can maliciously choose \(d_1\) and \(d_2\) so that \(d_1(\mathit{ck}_1,O)^T+ d_2(O,\mathit{ck}_2)^T\) is a non-DH tuple. This means that a computationally unbounded forger can forge by generating \(d_1, d_2\), and \(s\) so that they cancel out the lossy key even if \((Y,Z)\) is a non-DH tuple. Therefore, we must modify the term to ensure the property of Type-1.

2.4  Our Solutions

Our solution is aggregating two terms \(d_1(\mathit{ck}_1,O)^T\) and \(d_2(O,\mathit{ck}_2)^T\) into \(d(ck_1,ck_2)^T\) and programming the random oracle to let \((ck_1,ck_2)\) be a random DH tuple. This programming is validated by the DDH assumption. When \((\mathit{ck}_1,\mathit{ck}_2)\) is a DH tuple, we can rewrite \((\mathit{ck}_1,\mathit{ck}_2)^T=a(G,H)^T\) where \(a \in \mathbb{Z}_q\), and we obtain \((T_1,T_2)^T =(ad+s) (G,H)^T -c(Y,Z)^T\) as the verification equation. Notice that because \((G,H)\) and \((Y,Z)\) are linearly independent, \(c\) satisfying the equation is determined uniquely at the point when \((T_1,T_2)\) is determined. Since \(c\) is uniformly chosen from \(\mathbb{Z}_q\) by the random oracle on input \((T_1,T_2)\), we can prove that forgery is statistically hard. Remind that \((ck_1,ck_2)\) is generated by the random oracle, and thus \((ck_1,ck_2)\) uniformly distributes over \(\mathbb{G}\) in the real environment. Then, due to the DDH assumption, we can program the random oracle to output a random DH tuple in \(\mathbb{G}^{2}\) instead of a random tuple in \(\mathbb{G}^{2}\).

We can construct keys of Type-2 by embedding the public key into a DH tuple. Specifically, we program the random oracle to output \((\mathit{ck}_1,\mathit{ck}_2)^T \gets \rho (G,H)^T + (Y,Z)^T\) where \(\rho\) is a trapdoor uniformly chosen from \(\mathbb{Z}_q\). Due to the above approach, all terms in the verification equation are DH tuples. Then, The simulator can generate \((T_1,T_2)\) with embedded \((Y,Z)\) in the first round and can generate \((d,s)\) by exploiting \(\rho\) and the state information in the first round after \(c\) is determined.

We need to guarantee that the forgery is valid under the commitment key Type-1 and embedded those two types of commitment keys into the same random oracle to make our solution work well. Then, we use the technique of the security proof of the RSA-FDH signature scheme by Coron [43]. Consequently, our scheme has the reduction loss \(O(q_S)\).

Consequently, we can construct a two-round multi-signature scheme with a small reduction loss.

3.1  Notation

Unless noted otherwise, any algorithm is probabilistic. For an algorithm \(\mathcal{A}\), we write \(b\ {\gets_\$}\mathcal{A}(\alpha_1,\ldots)\) to mean that \(\mathcal{A}\) on inputs \(\alpha_1,\ldots\) and a uniformly chosen random tape outputs \(b\). For algorithms \(\mathcal{A}_1, \ldots, \mathcal{A}_n\), we write \(b\ {\gets_\$}\langle \{\mathcal{A}_i(\alpha_{i1}, \ldots)\}_{i=1}^n \rangle\) to mean that each algorithm \(\mathcal{A}_i\) on inputs \(\alpha_{i1},\ldots\) and a uniformly chosen random tape executes a protocol with the others, and eventually all algorithms obtain \(b\). For a list \(L\), we write the \(i\)-th element in \(L\) as \(L[i]\). For any value \(a\), we write \(a \gets b\) means the assignment of \(a\) into \(b\). We denote the security parameter by \(\lambda\).

3.2  Hardness Assumption

For a prime integer \(q\), we denote the ring of integers modulo \(q\) by \(\mathbb{Z}_q\). Let \(\mathbb{G}\) be an additive cyclic group of order \(q\) and let \(G\) be a generator of \(\mathbb{G}\). We denote the identity element of \(\mathbb{G}\) by \(O\).

In this paper, we use the following notations. For \(A,\;B,\;G,\;H\in \mathbb{G}\) and \(x\in \mathbb{Z}_q\), we write \((A,B)^T \gets x(G,H)^T\) to mean that \(A\) and \(B\) are computed by \(xG\) and \(xH\), respectively. Also, for \(A,\;B,\;G,\;H,\;Y,\;Z\in \mathbb{G}\), we write \((A,B)^T \gets (G,H)^T+(Y,Z)^T\) to mean that \(A\) and \(B\) are computed by \(G+Y\) and \(H+Z\), respectively.

Below, we recall the definitions of the discrete logarithm (DL) assumption and the decisional Diffie-Hellman (DDH) assumption.

Definition 1: The advantage \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{dl}}(\mathcal{A})\) of an algorithm \(\mathcal{A}\) is defined as

We say that an algorithm \(\mathcal{A}\) \((t,\varepsilon)\)-solves the DL problem in \(\mathbb{G}\) if it runs in time at most \(t\) and satisfies \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{dl}}(\mathcal{A})\geq \epsilon\). We also say that the DL problem in \(\mathbb{G}\) is \((t,\varepsilon)\)-hard if there is no algorithm that \((t,\varepsilon)\)-solves it.

Definition 2: The advantage \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A})\) of an algorithm \(\mathcal{A}\) is defined as

We say that an algorithm \(\mathcal{A}\) \((t,\varepsilon)\)-solves the DDH problem in \(\mathbb{G}\) if \(\mathcal{A}\) runs in time at most \(t\) and satisfies \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A}) \geq \varepsilon\). We also say that \(\mathbb{G}\) is a \((t,\varepsilon)\)-DDH group if there is no algorithm that \((t,\varepsilon)\)-solves the DDH problem in \(\mathbb{G}\).

3.3  Randomizing Algorithm of (non-)DH tuple

Bellare et al. proposed a randomizing algorithm of a (non-)DH tuple in [44]. Their algorithm on input a (non-)DH tuple outputs a re-randomized (non-)DH tuple. More concretely, the algorithm is given a tuple \((G,H,P,Q) \in \mathbb{G}^4\) as input and outputs a tuple \((G,H',P',Q') \in \mathbb{G}^4\). If \((G,H,P,Q)\) is a DH tuple, \((G,H',P',Q')\) satisfies that \((H',P')\) is uniformly distributed over \(\mathbb{G}^2\) and \((G,H',P',Q')\) is a DH tuple. If \((G,H,P,Q)\) is a non-DH tuple, \((G,H',P',Q')\) satisfies that \((H',P',Q')\) is uniformly distributed over \(\mathbb{G}^3\).

In this paper, we use the subtly modified algorithm to prove Proposition 4. This algorithm on input a (non-)DH tuple outputs a re-randomized (non-)DH tuple of which the second element is also the same as the second one of a tuple given as input. Specifically, if \((G,H,P,Q)\) is a DH tuple, \((G,H,P',Q')\) satisfies that \(P'\) is uniformly distributed over \(\mathbb{G}\) and \((G,H,P',Q')\) is a DH tuple. If \((G,H,P,Q)\) is a non-DH tuple, \((G,H,P',Q')\) satisfies that \((P',Q')\) is uniformly distributed over \(\mathbb{G}^2\).

Below we show our randomizing algorithm \(\mathbf{Rand}\).

\(\mathbf{Rand}(G,H,P,Q)\to (P',Q')\)

3.4  Multi-Signatures

In this section, we show the definition and security model of the multi-signature scheme.

Definition 3: A multi-signature scheme consists of the following three algorithms and an interactive protocol. Let \(n\) be the number of signers.

A multi-signature scheme must satisfy the following correctness property: For any message \(m\), any integer \(n\), \(\mathit{pp}\ {\gets_\$} \mathbf{Pg}(1^\lambda)\), \((\mathit{pk}_i,\mathit{sk}_i)\ {\gets_\$}\mathbf{Kg}(\mathit{pp})\) for all \(i\in\{1,n\}\), \(L\gets \{\mathit{pk}_i\}_{i=1}^n\), and \(\widetilde{\sigma}\ {\gets_\$} \langle\{\mathcal{S}(\mathit{pp},i,\mathit{sk}_i,L,m)\}_{i=1}^n\rangle\), \(\mathbf{Vf}(\mathit{pp},L,\widetilde{\sigma},m)=1\) holds.

4.1  Our Proposed Scheme

Below, we show the construction of our two-round multi-signature scheme.

4.2  Security

We show that our proposed scheme is secure under the DDH assumption in the random oracle model.

Theorem 1: If \(\mathbb{G}\) is a \((t',\varepsilon')\)-DDH group, then our scheme is \((t_{\mathcal{F}},q_S,q_H,N,\varepsilon_\mathcal{F})\)-secure s.t.

where \(e\) is the base of the natural logarithm, and \(t_{\mathrm{mul}}\) is the time of a scalar multiplication in \(\mathbb{G}\).

Before showing the full proof, we show a proof sketch.

As in the Katz-Wang signature scheme, we prove the unforgeability of our scheme by replacing the public key with a non-DH tuple due to the DDH assumption and proving that forgery is statistically hard under such the public key. The main strategy is that we ensure an situation where we can statistically evaluate the forger’s success probability \(\varepsilon_\mathcal{F}\). To enable this, we need to ensure a situation where we can statistically evaluate the forger’s success probability \(\varepsilon_\mathcal{F}\) even if the forger is computationally unbounded when the public key is a non-DH tuple. To ensure such a situation, we replace \((U_1,U_2)\) generated by the random oracle \(H_{\mathrm{ck}}(m)\) with a random DH tuple. The effect of this replacement is guaranteed to be negligible by the DDH assumption. However, if we replace all \((U_1,U_2)\) with DH tuples, we cannot simulate the honest signer without the secret key \(\mathit{sk}\). To solve this issue, we provide another way to generate \((U_1,U_2)\) which allows simulating the honest signer without \(\mathit{sk}\). Then, to make these two contrasting ways compatible, we use the technique of Coron [43], which is to prove the security of the RSA Full Domain Hash (RSA-FDH) signature scheme [45], as in mBCJ and HBMS.

Our proof is a game-hopping proof. We start with the game of the security definition and sequentially change it into a game in which forgery is statistically hard. Specifically, we consider the following game-hopping.

In a nutshell, as first, we show our procedure to prove that Game \(\mathsf{G}_1\) and Game \(\mathsf{G}_3\) are computationally indistinguishable under the DDH assumption. First, we prove that Game \(\mathsf{G}_1\) and Game \(\mathsf{G}_2\) are perfectly indistinguishable by proving that the distribution of responses of the signing oracle with \(\mathit{sk}\) and that of the response of the signing oracle using the property of \((U_1,U_2)\) of Type-2 are perfectly indistinguishable. Next, we prove that Game \(\mathsf{G}_2\) and Game \(\mathsf{G}_3\) are computationally indistinguishable by proving that \(\mathit{pk}\) generated by \(\mathbf{Kg}\) in Game \(\mathsf{G}_2\) which is a DH tuple and \(\mathit{pk}\) in Game \(\mathsf{G}_3\) which is a non-DH tuple are indistinguishable under the DDH assumption.

Using the property of \((U_1,U_2)\) of Type-1, in Game \(\mathsf{G}_3\), we can statistically evaluate \(\varepsilon_\mathcal{F}\) and then prove that forgery is statistically hard. Then, to complete the explanation of this proof sketch, it remains to show the construction of two types of \((U_1,U_2)\) and the indistinguishability between the game of the security definition and Game \(\mathsf{G}_1\). We explain these below.

First, we explain the way to generate \((U_1,U_2)\) of Type-1. The challenger generates it satisfying that it is uniformly distributed in the span of \((G,H)\). Specifically, the challenger chooses \(\rho\ {\gets_\$} \mathbb{Z}_q\) and computes \((U_1,U_2)^T\gets \rho(G,H)^T\). To explain why this is necessary, we consider the simple case where there is only one signer and key aggregation is not supported. Then, the verification equation is \(T_1=z_1(U_1,U_2)^T+s_1(G,H)^T-c(Y_1,Z_1)^T\) where \(c=H_\mathrm{c}(T_1,(Y_1,Z_1),m)\). Notice that, when \((G,H,Y_1,Z_1)\) is a non-DH tuple and \((U_1,U_2)\) is in the span of \((G,H)\), \(c\) satisfying the above equation is determined uniquely at the point when \(T_1\) is determined. Because \(c\) is uniformly chosen from \(\mathbb{Z}_q\) by the random oracle, the probability that \(c\) satisfies the above equation is at most \(1/q\)⁶.

Next, we explain the way to generate \((U_1,U_2)\) of Type-2. The challenge key \((Y_1,Z_1)\) is embedded in this type of \((U_1,U_2)\). More concretely, the challenger chooses \(\rho\ {\gets_\$} \mathbb{Z}_q\) and computes \((U_1,U_2)^T\gets \rho(G,H)^T+(Y_1,Z_1)^T\). Then, the challenger has \(\rho\) as the trapdoor. The equivocal commitment \(T_1\) is generated by \(\alpha (G,H)^T+\beta(Y_1,Z_1)^T\) where \(\alpha\) and \(\beta\) are uniformly chosen from \(\mathbb{Z}_q\). We need to produce \(z_1\) and \(s_1\) satisfying \(T_1=z_1(U_1,U_2)^T+s_1(G,H)^T-c(Y_1,Z_1)^T\) given \(c\). Notice that \(\mathit{sk}\) is no longer required since \(T_1\) and \((U_1,U_2)^T\) is expressed by linear combinations of \((G,H)^T\) and \((Y_1,Z_1)^T\). Specifically, by using \(\rho\), \(\alpha\), and \(\beta\), we can produce \(z_1\) and \(s_1\) satisfying \(T_1=\alpha (G,H)^T+\beta(Y_1,Z_1)^T=z_1( \rho(G,H)^T+(Y_1,Z_1)^T)+s_1(G,H)^T-c(Y_1,Z_1)^T\). For indistinguishability between the distribution of responses of the signing oracle with \(\mathit{sk}\) and that of responses of the signing oracle using \(\rho\), see Proposition 5.

Finally, we explain that the game of the security definition and Game \(\mathsf{G}_1\) are computationally indistinguishable under the DDH assumption. Notice that, for both types of \((U_1,U_2)\), the challenger generates \((U_1,U_2)\) by producing a random DH tuple \(\rho(G,H)^T\). Then, we can prove that the distribution of \((U_1,U_2)\) uniformly chosen from \(\mathbb{G}^2\) and the one of \((U_1,U_2)\) generated by \(H_{\mathrm{ck}}(m)\) in Game \(\mathsf{G}_1\) are computationally indistinguishable under the DDH assumption. Therefore, the game of the security definition and Game \(\mathsf{G}_1\) are computationally indistinguishable under the DDH assumption.

As a result, we can show that our scheme is secure under the DDH assumption in the random oracle model.

Remark. Since we need to guarantee that the forger only produces a forgery which is valid under \((U_1,U_2)\) of Type-1, we need to add a condition that a forgery is valid under \((U_1,U_2)\) of Type-1 into the winning condition of the forger in Game \(\mathsf{G}_1\). In the full proof, we consider intermediate games between the original game of the security definition and Game \(\mathsf{G}_1\) with the above additional winning condition. Thus, our scheme has the reduction loss \(e(q_S+1)\), which is the same as the reduction loss of the RSA-FDH signature scheme proven by Coron [43].

Below, we show the formal security proof.

Proof (proof of Theorem 1): The game \(\mathsf{Game}_0\) is the unforgeability game for our scheme. \(\mathsf{Game}_0\) is as follows.

Now we change the above game \(\mathsf{Game}_0\). Below, we describe only the changes.

Game₁: We change \(\mathsf{Game}_0\) as follows.

Game₂: We change \(\mathsf{Game}_1\) as follows.

Game₃: We change \(\mathsf{Game}_2\) as follows.

Game₄: We change \(\mathsf{Game}_3\) as follows.

Game₅: We change \(\mathsf{Game}_4\) as follows.

Game₆: We change \(\mathsf{Game}_5\) as follows.

We write \(\Pr[\mathsf{Game}_i=1]\) to mean the probability that a forger wins the game \(\mathsf{Game}_i\). From Propositions 1, \(\cdots\), 8, which we will prove later, we obtain

From Propositions 3 and 6, we also have

\(\tag*{◻}\)

From here, we prove Propositions 1, \(\cdots\), 8.

Proposition 1: \(\varepsilon_\mathcal{F}=\Pr[\mathsf{Game}_0=1]\)

Proof (proof of Proposition 1): Because \(\mathsf{Game}_0\) is the unforgeability game of our scheme, the probability that \(\mathcal{F}\) wins this game is identical to \(\varepsilon_\mathcal{F}\). \(\tag*{◻}\)

Proposition 2: \(\Pr[\mathsf{Game}_0=1]=\Pr[\mathsf{Game}_1=1]\)

Proof (proof of Proposition 2): The difference between \(\mathsf{Game}_0\) and \(\mathsf{Game}_1\) is that, in \(\mathsf{Game}_1\), the challenger makes a query \(H_{\mathrm{ck}}(m)\) first in \(H_{\mathrm{c}}\) and Signing Oracle. These newly added steps do not affect the probability of \(\mathcal{F}\) winning the game. Therefore, \(\Pr[\mathsf{Game}_0=1]=\Pr[\mathsf{Game}_1=1]\) holds. \(\tag*{◻}\)

Proposition 3: \(\Pr[\mathsf{Game}_1=1]\leq e(q_S+1)\Pr[\mathsf{Game}_2=1]\)

Proof (proof of Proposition 3): First, we show that the added steps of \(H_{\mathrm{ck}}\) in \(\mathsf{Game}_2\) do not affect the probability of \(\mathcal{F}\) winning the game. Since \((U_1,U_2)\) in \(\mathsf{Game}_2\) is generated by uniformly choosing from \(\mathbb{G}^2\) independently of the value of \(T_{\mathrm{b}}[m]\), the distributions of the responses of \(H_{\mathrm{ck}}\) in both games are identical. Therefore, the added steps do not affect the probability of \(\mathcal{F}\) winning the game.

Second, we show that \(\Pr[\mathsf{Game}_1=1] \leq e(q_S+1)\Pr[\mathsf{Game}_2=1]\). For \(\mathsf{Game}_2\), let \(E_1^{\mathsf{Game}_2}\) be the event where the game does not terminate in Signing Oracle, \(E_2^{\mathsf{Game}_2}\) be the event where \(\mathcal{F}\)’s output satisfies the added condition \(T_{\mathrm{b}}[m^*]=0\), and \(E_3^{\mathsf{Game}_2}\) be the event where \(\mathcal{F}\)’s output satisfies the winning conditions as same as \(\mathsf{Game}_1\). Then, we have

Firstly, we evaluate \(\Pr[E_1^{\mathsf{Game}_2}]\). The game terminates before the challenger starts Round 2 in Signing Oracle if \(T_{\mathrm{b}}[m]=0\) holds for some queried message. Thus, \(E_1^{\mathsf{Game}_2}\) occurs when \(T_{\mathrm{b}}[m]=1\) holds at that point for all messages queried to Signing Oracle. Since the responses of the random oracles and the responses of the signing oracle until Round 1 leak no information on the value of \(T_{\mathrm{b}}[m]\) for any \(m\), \(\mathcal{F}\) can know \(T_{\mathrm{b}}[m]\) only when it observes whether the game continues or not. Also, \(\mathcal{F}\) can only know \(T_{\mathrm{b}}[m]=1\) for all messages queried to Signing Oracle as long as the game continues. Therefore, the probability that \(T_{\mathrm{b}}[m]=0\) holds for a queried message is equal to \((1-\delta)\). In consequence, because \(\mathcal{F}\) can make at most \(q_S\) signing queries, we have \(\Pr[E_1^{\mathsf{Game}_2}]\geq \delta^{q_S}\). Setting \(\delta=q_S/(q_S+1)\), we have \(\Pr[E_1^{\mathsf{Game}_2}]\geq \delta^{q_S}\geq 1/e.\) The last inequality holds because of the fact that \((1+1/q_S)^{q_S}< e\) for \(q_S> 0\).

Next, we evaluate \(\Pr[E_3^{\mathsf{Game}_2}|E_1^{\mathsf{Game}_2}]\). Conditioned on \(E_1^{\mathsf{Game}_2}\), \(\mathsf{Game}_2\) does not terminate, and the distribution of the view of \(\mathcal{F}\) in \(\mathsf{Game}_2\) is identical to the distribution of the view of \(\mathcal{F}\) in \(\mathsf{Game}_1\). Thus, \(\mathcal{F}\)’s output in \(\mathsf{Game}_2\) satisfies the winning conditions of \(\mathsf{Game}_1\) with the same probability as in \(\mathsf{Game}_1\). Namely, we have \(\Pr[E_3^{\mathsf{Game}_2}|E_1^{\mathsf{Game}_2}]=\Pr[\mathsf{Game}_1=1]\).

Finally, we evaluate \(\Pr[ E_2^{\mathsf{Game}_2} |E_1^{\mathsf{Game}_2} \land E_3^{\mathsf{Game}_2}]\). Conditioned on \(E_1^{\mathsf{Game}_2}\) and \(E_3^{\mathsf{Game}_2}\), since Round 2 of the signing protocol on \(m^*\) has never been executed in Signing Oracle, \(\mathcal{F}\) cannot know \(T_{\mathrm{b}}[m^*]\). Then, \(\Pr[ E_2^{\mathsf{Game}_2} |E_1^{\mathsf{Game}_2} \land E_3^{\mathsf{Game}_2}]=(1-\delta)\) holds. Setting \(\delta=q_S/(q_S+1)\), we obtain \(\Pr[ E_2^{\mathsf{Game}_2} |E_1^{\mathsf{Game}_2} \land E_3^{\mathsf{Game}_2}]=1/(q_S+1)\).

From the above, we obtain \(\Pr[\mathsf{Game}_1=1] \leq e(q_S+1)\Pr[\mathsf{Game}_2=1]\). \(\tag*{◻}\)

Proposition 4: If \(\mathbb{G}\) is a \((t',\varepsilon')\)-DDH group, then

where \(t_{\mathrm{mul}}\) is the time for a scalar multiplication in \(\mathbb{G}\).

Proof (proof of Proposition 4): To prove this proposition, we construct a distinguisher \(\mathcal{A}_{\mathrm{DDH}}\) against the DDH problem from a forgery \(\mathcal{F}\) as follows.

We show that \(|\Pr[\mathsf{Game}_2=1]-\Pr[\mathsf{Game}_3=1]|=\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A}_{\mathrm{DDH}})\). We can prove this equality by proving the followings.

The differences between the behavior of \(\mathcal{A}_{\mathrm{DDH}}\) and the behavior of the challenger in \(\mathsf{Game}_2\) or \(\mathsf{Game}_3\) are the way to generate \(\mathit{pp}\) in Setup and the way to generate \((U_1,U_2)\) in \(H_{\mathrm{ck}}(m)\). It is clear that the difference in Setup does not affect the probability of \(\mathcal{F}\) winning the game. Therefore, to prove the above (i) and (ii), it is sufficient to prove the following (I) and (II), respectively.

Below, we prove (I) and (II).

(I): In \(\mathsf{Game}_2\), the challenger chooses \((U_1,U_2)\ {\gets_\$} \mathbb{G}^2\) independently of \(T_{\mathrm{b}}[m]\). \(\mathcal{A}_{\mathrm{DDH}}\) generates \((P',Q')\) by \(\mathbf{Rand}(G,H,P,Q)\), assigns \((U_1,U_2)^T \gets (P',Q')^T\) if \(T_{\mathrm{b}}[m]=0\), and computes \((U_1,U_2)^T \gets (P',Q')^T+(Y^*,Z^*)^T\) if \(T_{\mathrm{b}}[m]=1\). Because of the property of \(\mathbf{Rand}\), conditioned on \((G,H,P,Q)\) is a non-DH tuple, \((P',Q')\) is uniformly distributed over \(\mathbb{G}^2\). Then, \((P',Q')^T+(Y^*,Z^*)^T\) is also uniformly distributed over \(\mathbb{G}^2\). Therefore, the responses of \(H_{\mathrm{ck}}(m)\) of \(\mathcal{A}_{\mathrm{DDH}}\) are uniformly distributed over \(\mathbb{G}^2\) in both cases where \(T_{\mathrm{b}}[m]=0\) and \(T_{\mathrm{b}}[m]=1\). Therefore, (I) holds.

(II): In \(\mathsf{Game}_3\), the challenger chooses \(\rho \ {\gets_\$} \mathbb{Z}_q\), assigns \((U_1,U_2)^T \gets \rho(G,H)^T\) if \(T_{\mathrm{b}}[m]=0\), and computes \((U_1,U_2)^T \gets \rho(G,H)^T+(Y^*,Z^*)^T\) if \(T_{\mathrm{b}}[m]=1\). \(\mathcal{A}_{\mathrm{DDH}}\) generates \((P',Q')\) by \(\mathbf{Rand}(G,H,P, Q)\), assigns \((U_1,U_2)^T \gets (P',Q')^T\) if \(T_{\mathrm{b}}[m]=0\), and assigns \((U_1,U_2)^T \gets (P',Q')^T+(Y^*,Z^*)^T\) if \(T_{\mathrm{b}}[m]=1\). Because of the property of \(\mathbf{Rand}\), conditioned on \((G,H,P,Q)\) is a DH tuple, \((P',Q')\) satisfies that \(P'\) is uniformly distributed over \(\mathbb{G}\) and \((G,H,P',Q')\) is a DH tuple. Thus, the distribution of \((P',Q')^T\) is identical to the distribution of \(\rho(G,H)^T\) where \(\rho\) is uniformly chosen from \(\mathbb{Z}_q\). Therefore, (II) holds.

From the above, we obtain \(|\Pr[\mathsf{Game}_2=1]-\Pr[\mathsf{Game}_3=1]|=\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A}_{\mathrm{DDH}})\). Since \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A}_{\mathrm{DDH}})\leq \varepsilon'\) holds when \(\mathbb{G}\) is a \((t',\varepsilon')\)-DDH group, then we obtain \(|\Pr[\mathsf{Game}_2=1]-\Pr[\mathsf{Game}_3=1]|\leq \varepsilon'\).

Now we consider the running time of \(\mathcal{A}_{\mathrm{DDH}}\). We assume that \(t_{\mathrm{mul}}\) time is required for one scalar multiplication in \(\mathbb{G}\), and unit time is required for the other non-cryptographic operations. In Setup, \(\mathcal{A}_{\mathrm{DDH}}\) computes 2 scalar multiplications to generate \(\mathit{pk}\). For time to answer random oracle queries, we consider only the case of \(H_{\mathrm{c}}\) because \(H_{\mathrm{c}}\) takes a longer time than \(H_{\mathrm{ck}}\) and \(H_{\mathrm{agg}}\). To respond to a query to \(H_{\mathrm{c}}\), \(\mathcal{A}_{\mathrm{DDH}}\) makes one query to \(H_{\mathrm{ck}}\) and executes \(O(1)\) other non-cryptographic operations. 4 scalar multiplications and \(O(1)\) other non-cryptographic operations are required for one query to \(H_{\mathrm{ck}}\). Thus, in total, \(\mathcal{A}\) executes 4 scalar multiplications and \(O(1)\) other non-cryptographic operations to respond to one query to \(H_{\mathrm{c}}\). For each signing query, there are at most \(6N\) scalar multiplications, one query to \(H_{\mathrm{ck}}\), one query to \(H_{\mathrm{c}}\), \(N\) queries to \(H_{\mathrm{agg}}\), and \(O(N)\) other non-cryptographic operations, thus totally \(6q_SNt_{\mathrm{mul}}+O(q_SN)\) time is required for responding to all signing queries. In Check, there are \(2N+6\) scalar multiplications, one query to \(H_{\mathrm{ck}}\), one query to \(H_{\mathrm{c}}\), \(N\) queries to \(H_{\mathrm{agg}}\), and \(O(N)\) other non-cryptographic operations. From these evaluations and the fact that \(\mathcal{A}_{\mathrm{DDH}}\) runs \(\mathcal{F}\) once, we obtain \(t_{\mathcal{F}} \geq t' -(4q_H+6q_SN+2N+12)t_{\mathrm{mul}}-O(q_H+q_SN)\). \(\tag*{◻}\)

Proposition 5: \(\Pr[\mathsf{Game}_3=1]=\Pr[\mathsf{Game}_4=1]\).

To prove Proposition 5, we use the following lemma.

Lemma 1: Let \(\mathsf{Game}_{\mathrm{eqv}}\) be the following game between a challenger and a distinguisher \(\mathcal{A}\).

The advantage of \(\mathcal{A}\) is defined as

For any computationally unbounded distinguisher \(\mathcal{A}\), \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A})=0\) holds.

Before we prove Lemma 1, we explain the intuition of the proof.

To prove this lemma, we should prove that, in \(\mathsf{Game}_{\mathrm{eqv}}\), the statistical distance between the distribution of a distinguisher’s view in the case where \(b=0\) and the distribution of a distinguisher’s view in the case where \(b=1\) is equal to 0. However, it is hard to prove it directly because a distinguisher can concurrently access stateful oracles.

To overcome this difficulty, we prove Lemma 1 step by step. We resolve the difficulty arising from concurrently accessing by using the hybrid argument. To carry out this strategy, we consider the intermediate game \(\mathsf{Game}_{\mathrm{eqv},k}\) in which a distinguisher is allowed to access the stateful oracles that switch behavior on the \(k\)-th query. Moreover, to evaluate the advantage of a distinguisher in this game, we consider the simple game \(\mathsf{Game}_{\mathrm{eqv}0}\) in which a distinguisher needs to make all queries to the interactive oracles first of all the game. We prove the advantage of a distinguisher in \(\mathsf{Game}_{\mathrm{eqv}0}\) is 0 (in Lemma 2), and by using this, we prove the advantage of a distinguisher in \(\mathsf{Game}_{\mathrm{eqv},k}\) is also 0.

Now we start the proof of Lemma 1. First, we prove the following lemma.

Lemma 2: We consider the following game \(\mathsf{Game}_{\mathrm{eqv}0}\) between a challenger and a distinguisher \(\mathcal{A}\).

The advantage of \(\mathcal{A}\) is defined as

For any computationally unbounded algorithm \(\mathcal{A}\), \(\mathrm{Adv}_{\mathrm{eqv}0}(\mathcal{A})=0\) holds.

Proof (proof of Lemma 2): For \(W\in \{V\in \mathbb{G}^2| V=v(G,H)^T, v\in \mathbb{Z}_q \}\), let \(\log_{(G,H)}W\) be the element \(w\in \mathbb{Z}_q\) s.t. \(W=w(G,H)^T\). Below, we write \(\Sigma_{\mathrm{eqv}0}\)’s response \((T,z,s)\) using matrices and vectors with \(\mathbb{Z}_q\) coefficients.

The advantage of \(\mathcal{A}\) in \(\mathsf{Game}_{\mathrm{eqv}0}\) is equal to the statistical distance between the distribution of the response of \(\Sigma_{\mathrm{eqv}0}\) in the case \(b=0\) and that in the case \(b=1\). Therefore, to prove \(\mathrm{Adv}_{\mathrm{eqv}0}(\mathcal{A})=0\) for any computationally unbounded algorithm \(\mathcal{A}\), we prove that the distribution of \((\log_{(G,H)}T,z,s)^T\) in Eq. (1) is identical to that in Eq. (2) when \(r,z \ {\gets_\$}\mathbb{Z}_q\) and \(\alpha, \beta \ {\gets_\$} \mathbb{Z}_q\).

For a matrix \(C\), let \(\mathrm{Im}(C)\) denote the column space of \(C\). Let \(D_0\) and \(D_1\) be the column spaces as follows.

Note that the distribution of \((\log_{(G,H)}T,z,s)^T\) in Eq. (1) and that in Eq. (2) are identical if and only if

holds, where the above equality means the equality of the left and the right affine subspaces. Furthermore, the above equality holds when the followings hold.

Now, we prove \(D_0=D_1\) by showing \(D_0 \subseteq D_1\) and \(D_1 \subseteq D_0\). For any \(d_0 \in D_0\), we can write \(d_0\) as follows:

where \(r,z \in \mathbb{Z}_q\). Thus, any \(d_0 \in D_0\) is in \(D_1\). This implies \(D_0 \subseteq D_1\). On the other hand, for any \(d_1 \in D_1\), we can write \(d_1\) as follows:

where \(\alpha,\beta \in \mathbb{Z}_q\). Thus, any \(d_1 \in D_1\) is in \(D_0\). This implies \(D_1 \subseteq D_0\).

Next, we show \((0,0,xc)^T-(0,c, -c\rho)^T \in D_0\). This holds because, for \((0,0,xc)^T\) and \((0,c, -c\rho)^T\), we have

\(\tag*{◻}\)

Now we show Lemma 1 from the above lemma.

Proof (Proof of Lemma 1): We consider the following \(\mathsf{Game}_{\mathrm{eqv},k}\) where \(k\in [1,q_S]\).

Then, the advantage of \(\mathcal{A}_{\mathrm{eqv},k}\) in the above game is defined as

We show that \(\mathrm{Adv}_{\mathrm{eqv},k}(\mathcal{A}_{\mathrm{eqv},k})=0\) for any computationally unbounded algorithm \(\mathcal{A}_{\mathrm{eqv},k}\) and any \(k\in [1,q_S]\) from Lemma 2. To show this, we construct a distinguisher \(\mathcal{A}_{\mathrm{eqv}0}\) in \(\mathsf{Game}_{\mathrm{eqv}0}\) in Lemma 2 from \(\mathcal{A}_{\mathrm{eqv},k}\) as follows.

\(\mathcal{A}_{\mathrm{eqv}0}\) outputs \(\mathcal{A}_{\mathrm{eqv},k}\)’s guess \(b'\) if it does not halt because of \(c= c'\) in \(\Sigma'_{\mathrm{eqv}2,k}\) in the case where \(I= k\). So, we get the following equation.

where \(b\) is a bit which \(\Sigma_{\mathrm{eqv}0}\) has.

Since \(\Sigma_{\mathrm{eqv}0}\) generates \(T\) without using \(c'\) in both cases where \(b=0\) and \(b=1\), \(\mathcal{A}_{\mathrm{eqv},k}\) obtain no information about \(c'\) before \(\mathcal{A}_{\mathrm{eqv},k}\) makes a query \((k,c)\) to \(\Sigma'_{\mathrm{eqv}2,k}\). Also, \(c'\) is uniformly chosen from \(\mathbb{Z}_q\). Therefore, we have \(\Pr[c=c'|b=1]=\Pr[c=c'|b=0]=1/q\). Then, we obtain

In the \(k\)-th query to \(\Sigma'_{\mathrm{eqv}1,k}\), conditioned on \(c=c'\), \(\Sigma_{\mathrm{eqv}0}\) generates \((T,z,s)\) in the same way to \(\Sigma_{\mathrm{eqv}1}\) and \(\Sigma_{\mathrm{eqv}2}\). Thus, for all \(b\in \{0,1\}\), conditioned on \(c=c'\), the distribution of the responses of \(\Sigma'_{\mathrm{eqv}1,k}\) and \(\Sigma'_{\mathrm{eqv}2,k}\) is identical to the distribution of the responses of \(\Sigma_{\mathrm{eqv}1,k}(b,\cdot,\cdot)\) and \(\Sigma_{\mathrm{eqv}1,k}(b,\cdot,\cdot)\), respectively. Then, from Eqs. (3) and (4), we have

From Lemma 2, \(\mathrm{Adv}_{\mathrm{eqv}0}(\mathcal{A}_{\mathrm{eqv}0})=0\) holds. Therefore, for any computationally unbounded algorithm \(\mathcal{A}_{\mathrm{eqv},k}\) and any \(k\in [1,q_S]\), \(\mathrm{Adv}_{\mathrm{eqv},k}(\mathcal{A}_{\mathrm{eqv},k})=0\).

From here, we evaluate \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A})\), which is the advantage of \(\mathcal{A}\) in \(\mathsf{Game}_{\mathrm{eqv}}\). By the hybrid argument, we get

Since \(\mathrm{Adv}_{\mathrm{eqv},k}(\mathcal{A})=0\) for all \(k\in [1,q_S]\), we have \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A})\leq 0\). Also \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A})\geq 0\) because the advantage is a non-negative real number. Therefore, we obtain \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A})= 0\). \(\tag*{◻}\)

Now we prove Proposition 5 by using this lemma.

Proof (proof of Proposition 5): We construct a distinguisher \(\mathcal{A}_{\mathrm{eqv}}\) in the game \(\mathsf{Game}_{\mathrm{eqv}}\) in Lemma 1 from \(\mathcal{F}\) as follows.

For Signing Oracle of \(\mathcal{A}_{\mathrm{eqv}}\), the distribution of responses is the same as in \(\mathsf{Game}_3\) when \(b=0\) where \(b\) is a bit chosen by the challenger in \(\mathsf{Game}_{\mathrm{eqv}}\). That also is the same as that in \(\mathsf{Game}_4\) when \(b=1\). Thus, we have

where \(b'\) is \(\mathcal{A}_{\mathrm{eqv}}\)’s output. From Lemma 1, we have \(\mathrm{Adv}_{\mathrm{eqv}}(\mathcal{A}_{\mathrm{eqv}})=0\). Thus, we obtain \(\Pr[\mathsf{Game}_3=1]=\Pr[\mathsf{Game}_4=1]\). \(\tag*{◻}\)

Proposition 6: If \(\mathbb{G}\) is a \((t',\varepsilon')\)-DDH group, then

where \(t_{\mathrm{mul}}\) is the time for a scalar multiplication in \(\mathbb{G}\).

Proof (proof of Proposition 6): We construct a distinguisher \(\mathcal{A}'_{\mathrm{DDH}}\) who solves the DDH problem by running \(\mathcal{F}\) internally as follows.

In the case where \(T_{\mathrm{b}}[m]=0\), \(\mathcal{A}'_{\mathrm{DDH}}\) can respond to Signing Oracle though \(\mathcal{A}'_{\mathrm{DDH}}\) does not have the secret key because the secret key is unnecessary for executing Round 1 and Round 2 is not executed.

If \((G,H,Y,Z)\) is a DH tuple, the distribution of \(\mathit{pk}\) is the same as that in \(\mathsf{Game}_4\). If \((G,H,Y,Z)\) is a non-DH tuple, the distribution of \(\mathit{pk}\) is the same as that in \(\mathsf{Game}_5\). Then, we have

where \(b'\) is \(\mathcal{A}'_{\mathrm{DDH}}\)’s output. From the assumption that \(\mathbb{G}\) is a \((t',\varepsilon')\)-DDH group, we have \(\mathrm{Adv}_{\mathbb{G}}^{\mathrm{ddh}}(\mathcal{A})\leq \varepsilon'\). Therefore, we obtain \(|\Pr[\mathsf{Game}_4=1]-\Pr[\mathsf{Game}_5=1]| \leq \varepsilon'\).

Now we consider the running time of \(\mathcal{A}'_{\mathrm{DDH}}\). In one signing query, there are at most \(6N\) scalar multiplications, \(O(N)\) other non-cryptographic operations, a query to \(H_{\mathrm{c}}\), a query to \(H_{\mathrm{ck}}\), and \(O(N)\) queries to \(H_{\mathrm{agg}}\). For random oracle queries, we only evaluate the cost of \(H_{\mathrm{ck}}\) because \(H_{\mathrm{ck}}\) is more expensive than \(H_{\mathrm{c}}\) and \(H_{\mathrm{agg}}\). In one query to \(H_{\mathrm{ck}}\), there are 2 scalar multiplications and \(O(1)\) other non-cryptographic operations. In Check, it computes \(2N+6\) scalar multiplications and \(O(N)\) other non-cryptographic operations. From these evaluations and the fact that \(\mathcal{A}_{\mathrm{DDH}}\) runs \(\mathcal{F}\) once, we obtain \(t_{\mathcal{F}} \geq t' -(3q_H+6q_SN+3q_S+2N+6)t_{\mathrm{mul}}-O(q_H+q_SN)\). \(\tag*{◻}\)

Proposition 7: \(\Pr[\mathsf{Game}_5=1]=\Pr[\mathsf{Game}_6=1]\)

Proof (proof of Proposition 7): The difference between \(\mathsf{Game}_5\) and \(\mathsf{Game}_6\) is that, in \(\mathsf{Game}_6\), the challenger defines \(H_{\mathrm{agg}}(L[i],L)\) for all \(i\in [1,n]\). Since the challenger gives \(\mathcal{F}\) only \(T_{\mathrm{agg}}[(Y,Z),L]\), where \(((Y,Z),L)\) is queried, this change does not affect the probability of \(\mathcal{F}\) winning the game. Thus, we have \(\Pr[\mathsf{Game}_5=1]=\Pr[\mathsf{Game}_6=1]\).

Proposition 8: \(\Pr[\mathsf{Game}_6=1] \leq (2q_H+q_S+2)/q\)

Proof (proof of Proposition 8): At the end of \(\mathsf{Game}_6\), \(\mathcal{F}\) outputs \(m^*, L^*,\) and \(\tilde{\sigma}^*=(c^*,\tilde{z}^*,\tilde{s}^*)\). If \(\mathcal{F}\) wins, then \((Y^*,Z^*)\in L^*\), \(T_{\mathrm{b}}[m^*]=0\), and \(\tilde{\sigma}^*\) is a valid forgery on \(m^*\) under \((U_1,U_2)=H_{\mathrm{ck}}(m^*)\). Then, there exists \(c^*=H_{\mathrm{c}}(\widetilde{T}^*,\widetilde{\mathit{pk}}^*,m^*)\) in \(T_{\mathrm{c}}\) s.t.

Below, we show that \(\mathcal{F}\) can make such a query with probability at most \((2q_H+q_S+2)/q\).

To evaluate the probability, we rewrite the right-hand of the equation in (a) by \((G,H)^T\) and \((Y^*,Z^*)^T\). Since \((G,H,Y^*,Z^*)\) in \(\mathsf{Game}_6\) is a non-DH tuple, \((G,H)^T\) and \((Y^*,Z^*)^T\) are linearly independent. Then, we can denote the aggregated key \(\widetilde{\mathit{pk}}^*\) as \(\phi^* \left(G,H\right)^T+\psi^* \left(Y^*,Z^*\right)^T\) where \(\phi^*,\psi^* \in \mathbb{Z}_q\). Substituting the above and (c) in the equation in (a), we have

Since \((G,H)^T\) and \((Y^*,Z^*)^T\) are linearly independent, the values of coefficients \((\tilde{z}^*\rho^*+\tilde{s}^*-c^*\phi^*)\) and \(c^*\psi^*\) which make Eq. (6) hold are uniquely determined at the point where \((\widetilde{T}^*,\widetilde{\mathit{pk}}^*,m^*)\) is queried to \(H_{\mathrm{c}}\). Moreover, the values of \(\phi^*\) and \(\psi^*\) are uniquely determined at the same point since the query includes \(\widetilde{\mathit{pk}}^*\). For the coefficient \(c^*\psi^*\), \(c^*\) is determined by \(H_{\mathrm{c}}\) and \(\psi^*\) is also determined by \(H_{\mathrm{agg}}\).

Here, we evaluate \(\Pr[\mathsf{Game}_6=1]\). For \(R \in \mathbb{G}^2\), let \(\phi(R)\) and \(\psi(R)\) be the elements in \(\mathbb{Z}_q\) s.t. \(R= \phi(R) (G,H)^T + \psi(R) (Y^*,Z^*)^T\). Let \(E_{\mathrm{agg}}\) be the event where there exists at least one random oracle query \(H_{\mathrm{agg}}((Y',Z'),L')\) s.t. \((Y^*,Z^*)\in L'\) and \(\psi(\widetilde{\mathit{pk}}')=0\) for the aggregated key \(\widetilde{\mathit{pk}}'\) computed from \(L'\). Then, we have

Also, let \(E_{\mathrm{chal}}\) be the event where there exists at least one random oracle query \(c'=H_{\mathrm{c}}(\widetilde{T}',\widetilde{\mathit{pk}}',m')\) s.t. \(\psi(\widetilde{\mathit{pk}}')\neq 0\), \(T_{\mathrm{b}}[m']=0\), and \(\psi(\widetilde{T}')=c'\psi(\widetilde{\mathit{pk}}')\). If \(\mathsf{Game}_6=1\) occurs, \(T_{\mathrm{b}}[m^*]=0\) holds from the winning conditions. Also, if \(\mathsf{Game}_6=1\) occurs, there exists at least one random oracle query to \(H_{\mathrm{c}}\) making \(\psi(\widetilde{T}^*)=c^*\psi(\widetilde{\mathit{pk}}^*)\) hold since \(\mathcal{F}\)’s output satisfies Eq. (6). There is no query \(H_{\mathrm{agg}}((Y',Z'),L')\) s.t. \((Y^*,Z^*)\in L'\) and \(\psi(\widetilde{\mathit{pk}}')=0\) when \(\overline{E_{\mathrm{agg}}}\) occurs. Thus, if \(\overline{E_{\mathrm{agg}}}\) occurs, then \(\psi(\widetilde{\mathit{pk}}^*)\neq 0\) holds. Therefore, if \(\mathsf{Game}_6=1\) and \(\overline{E_{\mathrm{agg}}}\) occur, then \(E_{\mathrm{chal}}\) occurs. Then, we have \(\Pr[\mathsf{Game}_6=1\land \overline{E_{\mathrm{agg}}}]\leq \Pr[E_{\mathrm{chal}}]\). Applying this fact to Eq. (7), we obtain

First, we evaluate \(\Pr[E_{\mathrm{agg}}]\). For an aggregate key \(\widetilde{\mathit{pk}}'\) computed from \(L'\), \(\psi(\widetilde{\mathit{pk}}')=\sum_{i=1}^{n'}t'_i\psi(L'[i])\) holds where \(n'\) is the number of the public keys in \(L'\) and \(t'_i = H_{\mathrm{agg}}(L'[i],L')\). Since the challenger defines the value \(t'_i\) for all \(i \in [1,n']\) when \(L'\) is first queried to \(H_{\mathrm{agg}}\), \(\{t'_i\}_{i=1}^{n'}\) is uniformly chosen from \(\mathbb{Z}_q^{n'}\) after \(\{\psi(L'[i])\}_{i=1}^{n'}\) is fixed. If \(L'\) includes \((Y^*,Z^*)\), there exists at least one \(i\) s.t. \(\psi(L'[i])\neq 0\). Thus, per one query to \(H_{\mathrm{agg}}\), \(\sum_{i=1}^{n'}t'_i\psi(L'[i])=0\) holds with probability at most \(1/q\). Since at most \(q_H+q_S+1\) public key lists appear in \(T_{\mathrm{agg}}\), we obtain

Next, we evaluate \(\Pr[E_{\mathrm{chal}}]\). Let \(E_{\mathrm{chal},j}\) be the event where the \(j\)-th random oracle query \(c'_j=H_{\mathrm{c}}(\widetilde{T}'_j,\widetilde{\mathit{pk}}'_j,m'_j)\) satisfies following conditions.

Note that there are at most \(q_H+1\) queries \(H_{\mathrm{c}}(\widetilde{T}',\widetilde{\mathit{pk}}',m')\) s.t. \(T_{\mathrm{b}}[m']=0\). From this fact and the union bound, we have

As described previously, at the point where \((\widetilde{T}'_j,\widetilde{\mathit{pk}}'_j,m'_j)\) is queried to \(H_{\mathrm{c}}\), the value of \(\psi(\widetilde{T}'_j)\) and \(\psi(\widetilde{\mathit{pk}}'_j)\) are fixed. Also, conditioned on \(E_{j,1}\) \(\psi(\widetilde{\mathit{pk}}'_j)\neq 0\) holds. Thus, conditioned on \(E_{j,1}\) and \(E_{j,2}\), before \(c'_j\) is chosen, \(c'_j\) making \(\psi(\widetilde{T}'_j)=c'_j\psi(\widetilde{\mathit{pk}}'_j)\) hold is determined uniquely. Since \(c'_j\) is uniformly chosen from \(\mathbb{Z}_q\) independently of the \(j\)-th random oracle query, \(\Pr[E_{j,3}|E_{j,1} \land E_{j,2}]\) is at most \(1/q\). From this and Eq. (10), we have

From Eqs. (8), (9), and (11), we obtain

\(\tag*{◻}\)

5.1  Estimation of the Underlying Group Size

Here, we explain how to estimate \(|q|_{128}\) which is the size of the underlying group \(\mathbb{G}\) for 128-bit security.

We estimated \(|q|_{128}\) by the following steps:

In Step 3, we assumed \(t_{DL}/\varepsilon_{DL}=t_{DDH}/\varepsilon_{DDH}=t_{OMDL}/\varepsilon_{OMDL} =\sqrt{q}\). This assumption is natural because of the following two facts. The first fact is that the best-known attack for solving the DDH problem and the OMDL problem is to solve the DL problem. The second one is that the known fastest algorithm for solving the DL problem is Pollard’s \(\rho\) algorithm [46], which requires \(O(\sqrt{q})\) scalar multiplications in \(\mathbb{G}\). Also, in the same step, we consider the setting where \(q_H=2^{80}\), \(q_s=2^{30}\), and \(N=2^{15}\). We set \(q_H=2^{80}\) referring to a recent collision attack [47] to SHA-1 with complexity \(2^{61.2}\) with a margin. We set \(q_S=2^{30}\) for a large scenario as in [48]. We set \(N=2^{15}\) for a large-scale setting⁸.

Remarks for Estimation. We estimate \(|q|_{128}\) according to the steps described above and show the results of this estimation in Column 8 in Table 1. Here, we should remark on the following points for this estimation.

For MuSig2 (\(\nu\geq 4\)), we suppose \(\nu=4\) where \(\nu\) is a unique parameter.

For MuSig2 and DWMS, we obtained \(B_p\) and \(B_t\) from [10, Appendix A]. For HBMS-AGM, we obtained \(B_p\) and \(B_t\) from [10, Theorem 7.1]. For LK, we obtained \(B_p\) and \(B_t\) from [11, Theorem 4.1]. For \(B_t\) of this, we suppose \(t_{P}=t_\mathcal{F}\) because there is no evaluation of the running time of the reduction and the fact that the reduction runs a forger only one time. For MuSig-DN, we obtained \(B_p\) and \(B_t\) from [10, Appendix A]. For \(B_p\) and \(B_t\) of this scheme, the terms except for constants and the ones related to the DL assumption were ignored. For HBMS, we obtained \(B_p\) and \(B_t\) from [10, Theorem 3.2, 3.4, and 7.2]. For TZ, we obtained \(B_p\) and \(B_t\) from [25, Theorem 2]. For mBCJ, we obtain \(B_p\) and \(B_t\) from Theorem 2. For PW-1 and PW-2, we obtained \(B_p\) and \(B_t\) from [24, Theorem 3.5 and 3.3], respectively.

For MuSig2 \((\nu=2)\), DWMS, HBMS-AGM, LK, and PW-1 the results of their estimation of \(|q|_{128}\) are 257, 258, or 260. We chose the P-256 curve as the recommended EC, even though the order of this curve is slightly smaller for 128-bit security. We ignore the very small exceedance of the group size, whose effects on concrete security are small.

5.2  Comparison

We compare the efficiency of the related two-round multi-signature schemes in Table 1 under provably secure parameters.

First, we compare our scheme to the schemes having large reduction loss which are proven secure without using the AGM, i.e., MuSig2 \((\nu \geq 4)\), MuSig-DN, HBMS, TZ, and mBCJ. Among these schemes, our scheme has the most efficient signature size and communication complexity. More concretely, \(|\widetilde{\sigma}|_{128}\) of ours is reduced by about 22% from MuSig2 \((\nu \geq 4)\) and MuSig-DN, about 60% from HBMS, and about 45% from TZ and mBCJ. Moreover, we can use NIST standardized P-384 to ensure 128-bit security for our scheme, while other schemes have no such standardized EC. These benefits are because the DDH assumption enables us to prove the security without the rewinding technique. However, remind that the DDH assumption is a stronger (not weaker) computational assumption than the DL assumption. For MuSig2 \((\nu \geq 4)\), the AOMDL assumption is also stronger than the DL assumption. Multi-signatures of MuSig2 \((\nu \geq 4)\) and MuSig-DN consist of only an element in \(\mathbb{G}\) and an element in \(\mathbb{Z}_q\), whose form is the same as the ordinary Schnorr signature. Thus, these schemes are more compatible with a currently deployed scheme than the other schemes. For MuSig2 \((\nu \geq 4)\) and TZ, the first round of signing protocols can be executed before a message to be signed is determined.

Next, we compare our scheme to the schemes proven secure in the AGM, i.e., MuSig2 \((\nu =2 )\), DWMS, HBMS-AGM, and LK. The signature size and the communication complexity of these schemes are more efficient than ours. Concretely, \(|\widetilde{\sigma}|_{128}\) of our scheme is 2.2 times longer than MuSig2 \((\nu =2 )\) and DWMS and 1.5 times longer than HBMS-AGM and LK. This is because these schemes are proven secure without rewinding by using AGM and achieve tight security⁹. Our scheme also does not require rewinding to prove the security because of the DDH assumption, while ours has the reduction loss yielded from the technique of the proof of the RSA-FDH signature scheme by Coron. Thus, \(|q|_{128}\) of ours is larger than the other schemes. Note that our scheme does not require the AGM. For MuSig2 \((\nu =2 )\) and DWMS, the signature size is most efficient among all the two-round schemes.

Finally, we compare our scheme to PW-1 and PW-2. To ensure 128-bit security, PW-1 can use P-256, and PW-2 and our scheme can use P-384. The signature size and communication complexity of our scheme are the most efficient among these schemes. The signature size of ours is reduced by about 67% and 40% from PW-1 and PW-2, respectively. The communication complexity of ours is reduced by about 57% and 41% from PW-1 and PW-2, respectively. PW-1 does not support key aggregation. All schemes are proven secure under the DDH assumption in the random oracle model. Thus, our scheme can be considered an improvement on PW-1 and PW-2 under provably secure parameters.

Conclusion of Comparison. The above comparison shows a trade-off between the efficiency and the strength of underlying assumptions and one between the efficiency and the necessity of the AGM.

Among schemes that do not need the AGM to prove their security, in concrete security, our scheme achieves the smallest signature size and the communication complexity. Moreover, our scheme has a recommended EC, i.e., P-384, for 128-bit security. This fact makes the implementation of our scheme easier because we do not need to design a new suitable EC.

1. \(\rho \ {\gets_\$} R\)
2. \(h_1,\ldots,h_{Q} \ {\gets_\$} H\)
3. \((J,\sigma)\gets \mathcal{A}(x,h_1,\ldots,h_{Q};\rho)\)
4. If \(J=0\), then return \((0,\emptyset,\emptyset)\)
5. \(h'_J,\ldots,h'_{Q} \ {\gets_\$} H\)
6. \((J',\sigma')\gets \mathcal{A}(x,h_1,\ldots,h_{J-1},h'_J,\ldots,h'_{Q};\rho)\)
7. If \((J=J' \land h_J\neq h_{J'})\) return \((1,\sigma, \sigma')\).
8. Else return \((0,\emptyset,\emptyset)\).

• \(\mathsf{Pg}(1^\lambda)\to \mathit{pp}\). On input the security parameter \(1^\lambda\), the public parameter generation algorithm chooses \((\mathbb{G},q,G)\), hash functions \(H_\mathrm{c}:\{0,1\}^*\to \mathbb{Z}_q\), and \(H_\mathrm{ck}:\{0,1\}^* \to \mathbb{G}^3\), and outputs \(\mathit{pp}=(\mathbb{G},q,G,H_\mathrm{c},H_\mathrm{ck})\).
  \(\mathsf{Kg}(\mathit{pp})\to(\mathit{pk},\mathit{sk})\). On input \(\mathit{pp}\), the key generation algorithm chooses \(x\ {\gets_\$} \mathbb{Z}_q\), computes \(X\gets xG\), and outputs a public key \(\mathit{pk}=X\) and a secret key \(\mathit{sk}=x\).
  \(\langle\{\mathcal{S}(\mathit{pp},i,\mathit{sk}_i,L,m)\}_{i=1}^n \rangle \to \widetilde{\sigma}\). Each signer proceeds with the signing protocol as follows.
  • Round 1: Each signer computes \(ck=(P,Q,R)\gets H_\mathrm{ck}(m)\), chooses \((r_i,\alpha_i, \beta_i) \ {\gets_\$}\mathbb{Z}_q^3\), computes \(t_{i,1}\gets \alpha_i G+\beta_i Q\), and \(t_{i,2}\gets \alpha_i P+\beta_i R+r_iG\) and broadcasts \((t_{i,1},t_{i,2})\) to the cosigners.
    Round 2 Each signer receives \(\{(t_{j,1},t_{j,2})\}_{j\in \{1,\ldots,n\}\backslash\{i\}}\) from the cosigners. It computes \(\tilde{t}_1\gets \sum_{j=1}^n t_{j,1}\), \(\tilde{t}_2\gets \sum_{j=1}^n t_{j,2}\), \(c_i\gets H(X_i,\tilde{t}_1,\tilde{t}_2,L,m)\), and \(s_i\gets x_ic_i+r_i \mod q\) and broadcasts \((\alpha_i,\beta_i,s_i)\).
    Aggregate Each signer receives \(\{(\alpha_j,\beta_j, s_j)\}_{j\in\{1,\ldots,n\}\backslash\{i\}}\) from the cosigners. It computes \(\tilde{\alpha}\gets \sum_{j=1}^n \alpha_j \mod q\), \(\tilde{\beta} \gets \sum_{j=1}^n \beta_j \mod q\) and \(\tilde{s}\gets \sum_{j=1}^n s_j \mod q\). It also computes \(c_i\gets H(X_i,\tilde{t}_1,\tilde{t}_2,L,m)\) for all \(i\in[1,n]\) and \(\widetilde{A}\gets \tilde{s} G-\sum_{i=1}^nc_iX_i\). It outputs \(\widetilde{\sigma}=(\widetilde{A},\tilde{s},\tilde{\alpha},\tilde{\beta})\).
• \(\mathsf{Vf}(\mathit{pp},\{\mathit{pk}_j\}_{j=1}^n,\widetilde{\sigma},m)\to \{0,1\}\). On input \(\mathit{pp},\{\mathit{pk}_j\}_{j=1}^n,\widetilde{\sigma},\) and \(m\), the verification algorithm computes \(ck=(P,Q,R)\gets H_\mathrm{ck}(m)\), \(\tilde{t}_1\gets \tilde{\alpha} G+\tilde{\beta}Q\), \(\tilde{t}_2\gets \tilde{\alpha} P+\tilde{\beta}R + \widetilde{A}\), and \(c_j\gets H(X_j,\tilde{t}_1,\tilde{t}_2,L,m)\) for all \(j\). It outputs 1 if \(\widetilde{A}= \tilde{s} G-\sum_{i=1}^nc_iX_i\) holds. Otherwise, it outputs 0.

• Random Oracle \(H_\mathrm{ck}(m)\): It returns \(T_\mathrm{ck}[m]\) if \(T_\mathrm{ck}[m]\) is already defined. If \(T_\mathrm{ck}[m]\) is undefined, it responds as follows. It chooses a bit \(b\) which becomes 1 with probability \(\delta=q_S/(q_S+1)\). If \(b=1\), it chooses \((\omega_{1,1},\omega_{1,2},\omega_{1,3})\ {\gets_\$} \mathbb{Z}_q^3\), computes \(P\gets \omega_{1,1} G\), \(Q\gets \omega_{1,2} G\), and \(R\gets \omega_{1,3}X\). If \(b=0\), it chooses \((\omega_{0,1},\omega_{0,2},\omega_{0,3})\ {\gets_\$}\mathbb{Z}_q^3\), computes \(P\gets \omega_{0,1} G\), \(Q\gets \omega_{0,2} X\), and \(R\gets \omega_{0,3}G\). It assigns \(T_\mathrm{ck}[m]\gets (P,Q,R)\), and \(T_\mathrm{t}[m]\gets (b,\omega_{b,1},\omega_{b,2},\omega_{b,3})\) and returns \(T_\mathrm{ck}[m]\).
  Random Oracle \(H_\mathrm{c}(X_i,\tilde{t}_1,\tilde{t}_2,L,m)\): If \(T_\mathrm{ck}[m]\) is undefined, it makes a query \(H_\mathrm{ck}(m)\). If \(T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L,m]\) is already defined, it returns \(h\) where \((h,J)=T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L,m]\). If \(T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L,m]\) is undefined, it responds as follows.
  • Case \(X\in L\): For \(j\) s.t. \(X\neq X_j\in L\), it chooses \(c_j\ {\gets_\$}\mathbb{Z}_q\) and assigns \(T_\mathrm{c}[X_j,\tilde{t}_1,\tilde{t}_2,L,m]\gets (c_j,0)\). After that, for \(j\) s.t. \(X=X_j\in L\), it assigns \(T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L,m]\gets (h_{ctr},ctr)\) and sets \(ctr\gets ctr+1\). It returns \(h\) where \((h,J)=T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L,m]\).
    Case \(X\notin L\): It chooses \(c\ {\gets_\$}\mathbb{Z}_q\), assigns \(T_\mathrm{c}[X_i,\tilde{t}_1,\tilde{t}_2,L, m]\gets (c,0)\) and returns \(c\).
• Signing Queries: It receives \((I_s,m,L)\) as a query. If \(X\notin L\), it returns \(\bot\). It executes the following protocol. Note that it executes the protocol multiple times if there are multiple public keys s.t. \(X=X_i\in L\). At the end of Round 1, it stores \(T_\Sigma[I_s]\gets (m,L,n_h,\{(t_{i,1},t_{i,2},u_i,v_i,w_i)\}_{i\in n_h})\) where \(n_h\) is the set of the indies of the signers who have \(X\) as public keys. If Round 2 is completed, it sets \(T_M[m]\gets 1\).
  • Round 1: It makes a query \(H_\mathrm{ck}(m)\) if \(T_\mathrm{ck}[m]\) is undefined. It looks up \((P,Q,R)\) from \(T_\mathrm{ck}[m]\), chooses \((u_i,v_i,w_i)\ {\gets_\$}\mathbb{Z}_q^3\), computes \(t_{i,1}\gets u_iG\) and \(t_{i,2} \gets v_iG-w_iX\) and broadcasts \((t_{i,1},t_{i,2})\).
    Round 2: It receives \((I_s,\{(t_{j,1},t_{j,2})\}_{j\in\{1,\ldots,n\}\setminus n_h})\), looks up \((m,L,n_h,\{(t_{i,1},t_{i,2},u_i,v_i,w_i)\}_{i\in n_h})\) from \(T_\Sigma[I_s]\), and \((b,\omega_{b,1}, \omega_{b,2},\omega_{b,3})\) from \(T_\mathrm{t}[m]\). If \((b=0)\) or \((b=1 \land \omega_{1,3}=0)\), it halts with output \((0,\emptyset)\). Otherwise, it computes \(\tilde{t}_1\gets \sum_{j=1}^n t_{j,1}\), \(\tilde{t}_2\gets \sum_{j=1}^n t_{j,2}\), \(c_i\gets H(X_i,\tilde{t}_1,\tilde{t}_2,L,m)\), \(\beta_i\gets (c_i-w_i)/\omega_{1,3} \mod q\), \(\alpha_i\gets u_i-\omega_{1,2}\beta_i \mod q\), and \(s_i\gets v_i-\omega_{1,1}\alpha_i \mod q\). It broadcasts \((\alpha_i,\beta_i,s_i)\).

• \(E_1\): \(\mathcal{F}\)’s forgery satisfies the conditions of Check in the game of the security definition.
• \(E_2\): \(\mathcal{F}\)’s forgery satisfies \(b=0\) where \((b, \omega_{b,1}, \omega_{b,2}, \omega_{b,3}) = T_\mathrm{t}[m^*]\).
• \(E_3\): \(\mathcal{A}\) halts because of \(b=0\) in Signing Queries.
• \(E_4\): \(\mathcal{A}\) halts because of \((b=1 \land \omega_{1,3}=0)\) in Signing Queries.

• Case \((\tilde{\beta}'^*\neq\tilde{\beta}^*)\land (\omega_{0,2}\neq 0)\): \(\mathcal{B}\) outputs \(x\) as \((\tilde{\alpha}^*-\tilde{\alpha}'^*)/((\tilde{\beta}'^*-\tilde{\beta}^*)\omega_{0,2})\).
  Case \((\tilde{\beta}'^*\neq\tilde{\beta}^*)\land (\omega_{0,2}= 0)\): In this case, \(\tilde{\alpha}^*=\tilde{\alpha}'^*\) holds. Thus, \(\mathcal{B}\) outputs \(x\) as \(-((\tilde{\beta}^*-\tilde{\beta}'^*)\omega_{0,3}+(\tilde{s}^*-\tilde{s}'))/((|L^*|-|K^*|)(c-c'))\).
  Case \(\tilde{\beta}'^*=\tilde{\beta}^*\): In this case, \(\tilde{\alpha}^*=\tilde{\alpha}'^*\) holds. Thus, \(\mathcal{B}\) outputs \(x\) as \(-(\tilde{s}^*-\tilde{s}')/((|L^*|-|K^*|)(c-c'))\)

• Setup: The challenger chooses \((\mathbb{G},q,G)\). It sends \((\mathbb{G},q,G)\) to \(\mathcal{A}\) and receives \(x\in \mathbb{Z}_q\) from \(\mathcal{A}\). It computes \(X\gets xG\) and initializes a table \(T_S[\cdot]\). It chooses a bit \(b\ {\gets_\$}\{0,1\}\).
  Oracles: The challenger allows \(\mathcal{A}\) to access to the following oracles concurrently at most \(q_S\) times. Note that \(\mathcal{A}\) is allowed to make only one query for each session identifier \(I\), which is included in each query to oracles.
  • \(\Sigma_{\mathrm{eqv}1}(b,\cdot,\cdot)\): As a query, the challenger receives a session identifier \(I\) and \((\omega_1,\omega_2,\omega_3) \in \mathbb{Z}_q^3\). It computes computes \(P\gets \omega_1 G\), \(Q\gets \omega_2 G\), and \(R\gets \omega_3 X\). It responds as follows.
    • Case \(b=0\): It chooses \(r,\alpha, \beta \ {\gets_\$}\mathbb{Z}_q\) and computes \(t_1\gets \alpha G+\beta Q\), and \(t_2\gets \alpha P+\beta R+ rG\). It stores \(T_S[I]\gets ((P,Q,R),(\omega_1,\omega_2,\omega_3), r,\alpha,\beta,t_1,t_2)\) and returns \((t_1,t_2)\).
      Case \(b=1\): It chooses \(u,v,w\ {\gets_\$}\mathbb{Z}_q^3\) and computes \(t_1\gets uG\) and \(t_2 \gets vG-wX\). It stores \(T_S[I]\gets ((P,Q,R),(\omega_1,\omega_2,\omega_3), u,v,w,t_1,t_2)\) and returns \((t_1,t_2)\).
  • \(\Sigma_{\mathrm{eqv}2}(b,\cdot,\cdot)\): As a query, the challenger receives a session identifier \(I\) and \(c\in \mathbb{Z}_q\). If \(T_S[I]\) is empty, then it return \(\bot\). Otherwise, it responds as follows.
    • Case \(b=0\): The challenger looks up \(((P,Q,R), (\omega_1,\omega_2,\omega_3),r,\alpha,\beta,t_1,t_2)\) from \(T_S[I]\), computes \(s\gets xc+r \mod{q}\) and returns \((\alpha,\beta,s)\).
      Case \(b=1\): The challenger looks up \(((P,Q,R), (\omega_1,\omega_2,\omega_3),u,v,w,t_1,t_2)\) from \(T_S[I]\), computes \(\beta \gets (c-w)/\omega_3 \mod q\), \(\alpha\gets u-\omega_2\beta \mod q\), and \(s\gets v-\omega_1\alpha \mod q\) and returns \((\alpha,\beta,s)\).
• Guess: Finally, \(\mathcal{A}\) outputs a guess \(b'\in \{0,1\}\). If \(b=b'\) holds, then \(\mathcal{A}\) wins this game.