Two-Round Multi-Signatures from Okamoto Signatures

Abstract

Multi-signatures (MS) are a special type of public-key signature (PKS) in which multiple signers participate cooperatively to generate a signature for a single message. Recently, applications that use an MS scheme to strengthen the security of blockchain wallets or to strengthen the security of blockchain consensus protocols are attracting a lot of attention. In this paper, we propose an efficient two-round MS scheme based on Okamoto signatures rather than Schnorr signatures. To this end, we first propose a new PKS scheme by modifying the Okamoto signature scheme and prove the unforgeability of our PKS scheme under the discrete logarithm assumption in the algebraic group model (AGM) and the non-programmable random oracle model (ROM). Next, we propose a two-round MS scheme based on the new PKS scheme and prove the unforgeability of our MS scheme under the discrete logarithm assumption in the AGM and the non-programmable ROM. Our MS scheme is the first one to prove security among two-round MS based on Okamoto signatures.

1. Introduction

Multi-signatures (MS) are a special kind of public-key signature (PKS) in which multiple signers who have individual public keys $P{K}_1,\dots ,P{K}_n$ can cooperatively participate to create a signature for a single message and verify the signature by using the public keys of all signers participating in the signature generation. An MS scheme becomes an interesting MS scheme only when the size of the multi-signature is compact, regardless of the number of cooperating signers, because an MS scheme can be easily built from the existing PKS scheme in a simple way of attaching individual signatures of PKS schemes. Interactive MS schemes can be constructed from the existing Fiat–Shamir-based signature schemes [1,2,3], and non-interactive MS schemes also can be constructed based on bilinear groups [4,5,6,7]. In recent years, research on multi-signatures has been attracting a lot of attention because it can be effectively used to enhance the security of blockchain wallets or to perform secure consensus among multiple nodes in blockchains.

A popular way to design a PKS scheme is to convert an identification protocol into a PKS scheme by using the Fiat–Shamir transformation [8]. The Schnorr signature scheme is the famous example of this case [9]. A PKS scheme derived from this transformation has the advantage of being widely implemented and used in various places because it can be very efficient and proven under standard assumptions. One important way to design an MS scheme is to convert a Fiat–Shamir-based PKS scheme to an MS scheme with interactive signing. Bellare and Neven [1] have shown that a three-round MS scheme can be constructed from the Schnorr signature scheme in the plain public-key model. Afterwards, a number of two-round MS schemes that improve the rounds required in the interactive signing process were proposed [10,11,12]. However, Drijvers et al. [13] showed that all of these two-round MS schemes can be attacked by using a parallel signing session attack with the Wagner algorithm, and it is difficult to prove the security of these MS schemes by using the meta-reduction technique. To solve this problem, a number of new two-round MS schemes based on Schnorr signatures or trapdoor commitment schemes have been proposed recently [13,14,15,16,17].

The Okamoto signature scheme is also one of the Fiat–Shamir-based PKS schemes [18]. An important feature of Okamoto signatures, different from Schnorr signatures, is that Schnorr-based signatures use the zero-knowledge property to handle the signature queries of an attacker, but Okamoto signatures use the witness indistinguishability to handle these signature queries. Due to this difference, the simulation of the signature in the security proof of Okamoto signatures can be easily processed using the private key selected by a simulator. The Okamoto signature scheme can also be converted to a three-round MS scheme by following the conversion method of Bellare and Neven [1]. To reduce the number of rounds further, Ma et al. [11] proposed a two-round MS scheme from Okamoto signatures, but this scheme is not secure against the parallel signing session attack, as shown by Drijvers et al. [13]. There are many secure two-round MS schemes based on Schnorr signatures or trapdoor commitments [13,15,16,17], but constructing a secure two-round MS scheme based on Okamoto signatures is still an unsolved problem.

In this paper, we focus on the problem of constructing a two-round MS scheme based on Okamoto signatures. Designing an MS scheme based on Okamoto signatures is an interesting problem because it can present a new design direction for MS schemes different from the existing design of two-round MS schemes. In addition, an MS scheme based on Okamoto signatures can use a weaker random oracle model because it uses a non-programmable random oracle model (NPROM) instead of a programmable random oracle model (PROM).

1.1. Our Contributions

We first propose a PKS scheme suitable for multi-signatures by modifying Okamoto signatures. The essential part of the modification is to set a commitment element in a message-dependent way such as $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$ instead of $R=g^{r_1}{g}_2^{r_2}$. We prove that the proposed PKS scheme is secure under the discrete logarithm (DL) assumption in the algebraic group model (AGM) and the non-programmable random oracle model (NPROM). Next, we propose a two-round MS scheme that supports the public key aggregation from our PKS scheme based on Okamoto signatures. We also prove that our MS scheme is unforgeable even when an attacker performs parallel signing session queries under the DL assumption in the AGM and NPROM. Compared to other MS schemes, our proposed MS scheme also has a compact public key, a succinct multi-signature, and efficient signing and verification with the support of two-round signing and key aggregation. Although our MS scheme does not provide improved efficiency compared to the most efficient MuSig2 scheme, our MS scheme is the first two-round MS scheme based on Okamoto signatures, and the security is proven under the weaker DL assumption in the weaker non-programmable ROM. The detailed comparison of our MS scheme and other MS schemes is given in

Table 1. Comparison of Fiat–Shamir-based multi-signature schemes.

Scheme	RN, KA	PK	MS	Sign	Verify	Security
BN [1]	3, N	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	1E	$(n+1)$E	DL, ROM
	3, N	2$\mathbb{G}$	$2\mathbb{G}+{\mathbb{Z}}_p$	2E	$2(n+1)$E	DDH, ROM
MuSig [3]	3, Y	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	1E	2E	DL, ROM
mBCJ [13]	2, N	$\mathbb{G}+2{\mathbb{Z}}_p$	$2\mathbb{G}+3{\mathbb{Z}}_p$	5E	6E	DL, ROM
MuSig-DN [14]	2, Y	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	NIZK	2E	DL, DDH, ZK, PRF, ROM
MuSig2 [16]	2, Y	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	8E	2E	AOMDL, ROM
	2, Y	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	4E	2E	AOMDL, AGM + ROM
DWMS [15]	2, Y	$\mathbb{G}$	$\mathbb{G}+{\mathbb{Z}}_p$	$(2n+2)$E	2E	OMDL + 2ES, AGM + ROM
HBMS [17]	2, Y	$\mathbb{G}$	$\mathbb{G}+2{\mathbb{Z}}_p$	2E	3E	XIDL, ROM or DL, AGM + ROM
Ours	2, Y	2$\mathbb{G}$	$3{\mathbb{Z}}_p$	4E	6E	DL, AGM + ROM

Let n be the number of co-signers. We denote RN for the number of rounds, KA for key aggregation, PK for public key, and MS for multi-signature. We use E for exponentiation and NIZK for zero-knowledge proof.

.

There are two issues to consider in the security proof of the two-round MS scheme: the rogue-key attack [1] and parallel signing session attack [13]. In the rogue-key attack, an attacker forges a multi-signature by manipulating a carefully crafted public key without knowing the corresponding private key since the attacker can select the arbitrary public key of a co-signer in the plain public-key model. For example, we consider a simple Schnorr-based MS scheme in which the public keys of co-signers are simply multiplied. Let $X_1=g^{x_1}$ be the public key of an honest party 1. If an adversary simply sets the public key of party 2 as $X_2=g^a/X_1$ by selecting a random a, then it can forge a multi-signature $\sigma =(R=g^r,z=r+ca)$ where $c=H(R,M)$ since $X_1{X}_2=g^a$. Fortunately, by using the key aggregation method of the MuSig scheme [3], this rogue-key attack can be easily prevented in our MS scheme. The parallel signing session attack is a complicated attack in which an attacker opens multiple signature query sessions in parallel in a two-round MS scheme since the signing process is an interactive protocol, and then the attacker manipulates the obtained signatures of parallel sessions to forge a multi-signature. This parallel signing session attack is based on Wagner’s algorithm to solve the generalized birthday problem, which is to find a set of queries $\{q_1,\dots ,q_{\ell }\}$ such that ${\sum }_{i=1}^{\ell }H\left(q_i\right)=t$ when a fixed value t and access to random oracle H are given. In the case of $\ell \le 2$, this problem is equal to finding a pre-image or a collision in the random oracle. However, in the case of $\ell >2$, this problem becomes easy for large ℓ. The detailed explanation of this attack in Schnorr-based signatures is given in the work [13,16]. Recall that many two-round MS schemes proposed early can be attacked by using this parallel signing session attack [13]. To prevent this parallel signing session attack, our MS scheme generates a commitment in the form $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$ where m is a message. As the commitment is configured depending on the signature message, in this way, if an attacker performs the parallel signing session attack, the commitments for the same message can be changed to a new commitment, but these commitments cannot be converted to a new commitment for a different message. The detailed explanation of the security proof is given in Section 2.3.

1.2. Related Work

Multi-signatures (MS) are a kind of PKS in which multiple signers participate to generate a signature for a common message and anyone can verify the signature with the public keys of multiple signers. Early MS schemes were vulnerable to rogue-key attacks, in which an attacker arbitrarily sets the public key of a signer participating in multi-signature to perform a forgery attack. Bellare and Neven [1] introduced the plain public-key model in which an attacker can freely set the public key of a signer without proving the knowledge of a private key and proposed a three-round MS scheme that is secure against the rogue-key attack by modifying Schnorr signatures. Since then, a number of two-round MS schemes have been proposed to improve the round complexity of Fiat–Shamir-based MS schemes [10,11,12]. However, Drijvers et al. [13] showed that these two-round MS schemes are vulnerable to parallel signing session attack by using Wagner’s algorithm and proposed a modified MS scheme by modifying the existing BCJ-MS scheme. Maxwell et al. [3] presented the MuSig scheme in which the signers’ public keys are aggregated into one short public key in the three-round MS scheme and showed that this MS scheme can be used for Bitcoin. Recently, a number of secure two-round MS schemes, MuSig-DN, MuSig2, DWMS, and HBMS, have been proposed [14,15,16,17]. Another way to design an MS scheme is to convert an aggregate signature scheme into a non-interactive MS scheme by setting a message to be the same for all signers. Using this idea, Boneh et al. [2] proposed an efficient non-interactive MS scheme from the BLS short signature scheme and proved the security in the plain public-key model. Drijvers et al. [7] proposed a non-interactive MS scheme with forward security from a sequential aggregate signature scheme that can be used in blockchain consensus protocols.

Threshold signatures (TS) are a specific kind of PKS such that a threshold number of signers cooperate to generate a signature on a message and the signature can be verified by a compact verification key. Multi-signatures can also be viewed as a special form of threshold signatures where the number of threshold is equal to the number of all signers. Since the ECDSA scheme is a standard signature scheme that is widely used in cryptocurrency such as Bitcoin, many studies have been conducted to convert the ECDSA scheme into an efficient threshold ECDSA scheme [19,20,21,22]. Recently, efficient TS schemes have been proposed by modifying Schnorr signatures [23,24,25]. An important difference between TS schemes and MS schemes is the key generation process. In MS, signers can generate private keys independently of each other. Contrary to this, TS schemes require the distribution of a common secret key to multiple signers, so a rather complicated distributed key generation protocol must be introduced. A distributed key generation (DKG) protocol allows the sharing of a common secret to many signers without a trusted center. If a common secret to be shared is a field element, a DKG protocol can be implemented by using a verifiable secret sharing (VSS) scheme that can privately verify the validity of a shared secret [26]. If a common secret is a group element, a DKG protocol can be implemented by using a public verifiable secret sharing (PVSS) scheme that can publicly verify the validity of a shared secret [27]. Recently, Groth [28] proposed a PVSS scheme that can support a field element by splitting a common secret into multiple chunks and constructed a non-interactive DKG scheme by combining the PVSS scheme with a binary tree encryption scheme with forward secrecy.

Aggregate signatures (AS) are a special type of PKS that allows multiple signers to create signatures for different messages and aggregate them into a single signature. The concept of aggregate signatures was introduced by Boneh et al. [29], and they constructed an efficient AS scheme by modifying BLS signatures in bilinear groups. Since then, many AS schemes based on bilinear groups and trapdoor functions have been proposed [5,6,30,31]. The security of AS schemes is proven in the knowledge of secret key (KOSK) model, which requires the proof of secret key in the key registration process, and it is stronger than the plain public-key model of multi-signatures. AS schemes are divided into three types, full aggregation, sequential aggregation, and synchronized aggregation, according to the method of aggregation. A full AS scheme is the most flexible type of AS schemes that allows anyone to non-interactively aggregate individual signatures generated by different signers on different messages into a succinct signature [29]. A sequential AS scheme supports for a signer to sequentially add his signature to the previous aggregate signature received from the previous signer [5,30]. A synchronized AS scheme is similar to the full AS scheme except that all signers have the synchronized information and individual signatures with the same synchronized information can be non-interactively aggregated [31]. As previously described, a pairing-based non-interactive MS scheme can be constructed from an AS scheme if the same message is used for all signers.

1.3. Subsequent Work

Subsequent to our work, Tessaro and Zhu [32] proposed another two-round MS scheme based on Okamoto signatures and proved its security under the DL assumption in ROM. They constructed an efficient MS scheme by combining the linear combination of nonces used in the MuSig2 scheme with Okamoto signatures.

2. Public-Key Signature

In this section, we propose a new PKS scheme by modifying Okamoto signatures and prove the security in the AGM and ROM.

2.1. Definition

The syntax of public-key signature (PKS) is generally composed of key generation, signing, and verification algorithms. Because we consider a PKS scheme in which multiple users share common public parameters, we add a setup algorithm to generate public parameters. The detailed syntax of PKS is given as follows.

Definition 1

(Public-Key Signature). A public-key signature (PKS) scheme consists of four PPT algorithms, Setup, GenKey, Sign, and Verify, which are defined as follows:

• $\mathit{Setup}\left(1^{\lambda }\right)$. The setup algorithm takes as input the security parameters λ in unary and outputs public parameters $PP$.
• $\mathit{GenKey}\left(PP\right)$. The key generation algorithm takes as input public parameters $PP$ and outputs a private key $SK$ and a public key $PK$.
• $\mathit{Sign}(SK,M)$. The signing algorithm takes as input a message M and a private key $SK$ and outputs a signature σ.
• $\mathit{Verify}(PK,\sigma ,M)$. The verification algorithm takes as input a signature σ, a message M, and a public key $PK$ and outputs 1 if the signature is valid and 0 otherwise.

The correctness requirement is that for $PP$ output by Setup$\left(1^{\lambda }\right)$, any $(SK,PK)$ output by GenKey$\left(PP\right)$ and any M, we have that $\mathit{Verify}(PK,\mathit{Sign}(SK,M),M)=1$.

The standard security model of PKS is the unforgeability under chosen message attack (UF-CMA). In this model, an attacker is initially given a challenge public key for attack, and can request a signature query for any message and receive a signature. Finally, the attacker outputs a forged signature for a message. The attacker is successful if the forged signature passes the verification algorithm and the message has not been queried before. The detailed security model of PKS is described as follows.

Definition 2

(Unforgeability). The security notion of a PKS scheme is unforgeability under chosen message attack (UF-CMA), which is defined in terms of the following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

1. 

Setup: $\mathcal{C}$ first generates $PP$ by running Setup$\left(1^{\lambda }\right)$. Next, it obtains a key pair $(SK,PK)$ by running GenKey$\left(PP\right)$. It gives $PK$ to $\mathcal{A}$.

2. 

Signature Query: $\mathcal{A}$ adaptively requests a signature on a message M to sign under the challenge public key $PK$, and it receives a signature σ.

3. 

Output: Finally, $\mathcal{A}$ outputs a forged signature ${\sigma }^{*}$ on a message $M^{*}$ under the public key $PK$. $\mathcal{C}$ outputs 1 if the forged signature satisfies the following two conditions, or outputs 0 otherwise: (1) $\mathit{Verify}(PK,{\sigma }^{*},M^{*})=1$, and (2) the corresponding message $M^{*}$ must not have been queried by $\mathcal{A}$ to the signing oracle.

The advantage of $\mathcal{A}$ is defined as ${\mathit{Adv}}_{\mathcal{A}}^{PKS}\left(\lambda \right)=Pr[\mathcal{C}=1]$, where the probability is taken over all the randomness of the experiment. A PKS scheme is UF-CMA-secure if all probabilistic polynomial-time (PPT) adversaries have at most a negligible advantage in the above experiment where a function $f\left(\lambda \right)$ is negligible if $f\left(\lambda \right)<1/p\left(\lambda \right)$ for all polynomial $p\left(\lambda \right)$ with a large enough security parameter λ.

2.2. Construction

Our PKS scheme is a modification of Okamoto signatures [18]. The Okamoto PKS scheme generates a commitment as $R=g^{r_1}{g}_2^{r_2}$ where $r_1$ and $r_2$ are random exponents, but our PKS scheme generates a commitment as $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$ to depend on a message m. This modification helps to simplify the security proof of our PKS scheme in the algebraic group model and it enables the construction of a secure multi-signature scheme in the next section. The detailed description of our PKS scheme is given as follows:

• PKS.Setup($1^{\lambda }$): It first generates a cyclic group $\mathbb{G}$ of prime order p where the bit size of p is $\mathsf{\Theta }\left(\lambda \right)$. It generates two random generators $g,h\in \mathbb{G}$. It selects a random exponent $\alpha \in {\mathbb{Z}}_p$ and sets $g_2=g^{\alpha },h_2=h^{\alpha }$. It chooses cryptographic hash functions $H_1,H_2$ such that $H_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$ and $H_2:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$. Finally, it outputs public parameters $PP=(p,\mathbb{G},g,g_2,h,h_2,H_1,H_2)$.
• PKS.GenKey($PP$): It selects random $x_1,x_2\in {\mathbb{Z}}_p$ and computes $X=g^{x_1}{g}_2^{x_2},Y=h^{x_1}{h}_2^{x_2}$. It outputs a private key $SK=(PP,x_1,x_2)$ and a public key $PK=(PP,X,Y)$.
• PKS.Sign($SK,M$): Let $SK=(PP,x_1,x_2)$. It first calculates a hash $m=H_1\left(M\right)$. Next, it selects random $r_1,r_2\in {\mathbb{Z}}_p$ and computes $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$. It calculates $c=H_2(R,M)$ and computes $s_1=r_1+x_{1}cmodp$, $s_2=r_2+x_{2}cmodp$. It outputs a signature $\sigma =(c,s_1,s_2)$.
• PKS.Verify($PK,\sigma ,M$): Let $\sigma =(c,s_1,s_2)$ and $PK=(PP,X,Y)$. It first calculates $m=H_1\left(M\right)$. Next, it computes $R={\left(g^{m}h\right)}^{s_1}{\left(g_2^m{h}_2\right)}^{s_2}/{\left(X^{m}Y\right)}^c$ and checks that $c\stackrel{?}{=}{H}_2(R,M)$. If the equation holds, then it outputs 1. Otherwise, it outputs 0.

The correctness of this PKS scheme can be easily verified when $m=H_1\left(M\right)$ through the following equation

$$\begin{array}{cc}\hfill {\left(g^{m}h\right)}^{s_1}{\left(g_2^m{h}_2\right)}^{s_2}& ={\left(g^{m}h\right)}^{r_1+x_{1}c}{\left(g_2^m{h}_2\right)}^{r_2+x_{2}c}\hfill \\ \hfill & ={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}{\left(g^{m}h\right)}^{x_{1}c}{\left(g_2^m{h}_2\right)}^{x_{2}c}\hfill \\ \hfill & =\left({\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}\right){\left({\left(g^{x_1}{g}_2^{x_2}\right)}^m\left(h^{x_1}{h}_2^{x_2}\right)\right)}^c=R{\left(X^{m}Y\right)}^c\hfill \end{array}$$

where $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$, $X=g^{x_1}{g}_2^{x_2}$, and $Y=h^{x_1}{h}_2^{x_2}$.

2.3. Security Analysis

Before we analyze the security of our scheme, we define an algebraic adversary, the discrete logarithm assumption, and the Schwartz–Zippel Lemma, which are needed for the security analysis.

Definition 3

(Algebraic Algorithm [33]). Let $\mathbb{G}$ be a group with order p. We say that an algorithm ${\mathcal{A}}_{alg}$ is algebraic if it satisfies the following requirements: whenever ${\mathcal{A}}_{alg}$ outputs a group element $Z\in \mathbb{G}$, it also outputs a representation $\overrightarrow{z}=(z_1,\dots ,z_{\ell })\in {\mathbb{Z}}_p^{\ell }$ such that $Z={\prod }_{k=1}^{\ell }{V}_k^{z_k}$ where $V_1,\dots ,V_{\ell }$ are group elements that are given to ${\mathcal{A}}_{alg}$ during its execution.

Assumption 1

(Discrete Logarithm). Let $(p,\mathbb{G})$ be a description of the group of prime order p. Let g be a generator of $\mathbb{G}$. The discrete logarithm (DL) assumption is that if the challenge values $D=(p,\mathbb{G},g,g^x)$ are given, no probabilistic polynomial-time (PPT) algorithm $\mathcal{B}$ can compute x with more than a negligible advantage. The advantage of $\mathcal{B}$ is defined as ${\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)=Pr[\mathcal{B}\left(D\right)=x]$ where the probability is taken over the random choice of $x\in {\mathbb{Z}}_p$.

Lemma 1

(Schwartz–Zippel Lemma [34]). Let $f(x_1,\dots ,x_n)$ be a non-zero polynomial of total degree d. Let $S\subseteq \mathbb{F}$ be any finite set. Then, if $r_1,\dots ,r_n$ are randomly chosen from S, $Pr[f(r_1,\dots ,x_n)=0]\le d/\left|S\right|$.

In order to prove the security of our PKS scheme under the DL assumption, it is needed to devise a method to simulate the signature query requested by an adversary and to extract the discrete logarithm from a forged signature submitted by the adversary. One nice feature of Okamoto signatures is that the signature simulation is very simple because a simulator chooses a private key itself and generates a signature by using the private key [18]. The signature simulation of our PKS scheme is also handled very simply, the same as that of Okamoto signatures. In order to extract the discrete logarithm from the forged signature, we take advantage of the fact that an algebraic adversary additionally submits the representation of a group element when it submits the group element of the forged signature.

In Schnorr-based signature schemes, a formula for discrete logarithm can be derived using the representation of a group element and the verification equation of the scheme, and the extraction of discrete logarithm is possible because the denominator of the formula is not zero with high probability due to the randomness of the random oracle model. However, unlike the Schnorr-based signature scheme, the Okamoto-based signature scheme additionally includes a signature element submitted by an adversary in the denominator of the discrete logarithm-related formula, so it is difficult to analyze that the denominator is not zero by simply using the randomness of the random oracle model. To solve this problem, we divide the adversary into three types. In the case of Type-1 and Type-2 adversaries, the discrete logarithm problem is simply planted to enable the extraction of the discrete logarithm. In the case of Type-3 adversary, we will show that it is difficult for the adversary to submit a valid forged signature due to the restriction of the security model through probability analysis. The detailed security proof of our PKS scheme is given in the following theorem.

Theorem 1.

The above PKS scheme is UF-CMA-secure in the algebraic group model and the random oracle model if the DL assumption holds. That is, for any PPT algebraic adversary ${\mathcal{A}}_{alg}$, there exists a PPT algorithm $\mathcal{B}$ such that ${\mathit{Adv}}_{{\mathcal{A}}_{alg}}^{PKS}\left(\lambda \right)\le 2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+negl\left(\lambda \right)$.

Proof. 

Suppose there exists an algebraic adversary ${\mathcal{A}}_{alg}$ that forges the above PKS scheme with non-negligible advantage $ϵ$. A reduction algorithm $\mathcal{B}$ that solves the DL assumption is given as input for a challenge tuple $D=(p,\mathbb{G},g,g^a)$. Then, $\mathcal{B}$ that interacts with ${\mathcal{A}}_{alg}$ is described as follows:

• Setup: The algorithm $\mathcal{B}$ first chooses a random bit $b\in \{0,1\}$ to guess the type of an adversary. If $b=0$, then it selects a random exponent $h^{\prime }\in {\mathbb{Z}}_p$ and sets $g_2=g^a,h=g^{h^{\prime }}$, $h_2=g_2^{h^{\prime }}$. Otherwise, it selects a random exponent $\alpha \in {\mathbb{Z}}_p$ and sets $g_2=g^{\alpha },h=g^a$, $h_2={\left(g^a\right)}^{\alpha }$. It sets public parameters $PP=(p,\mathbb{G},g,g_2,h,h_2,H_1,H_2)$ where $H_1$ and $H_2$ are two hash functions that are modeled as random oracles. Next, it selects random exponents $x_1,x_2\in {\mathbb{Z}}_p$ and computes $X=g^{x_1}{g}_2^{x_2},Y=h^{x_1}{h}_2^{x_2}$. It keeps $SK=(PP,x_1,x_2)$ internally and gives $PK=(PP,X,Y)$ to ${\mathcal{A}}_{alg}$.

• Hash Query: If ${\mathcal{A}}_{alg}$ requests an $H_1$ or $H_2$ hash query, then $\mathcal{B}$ handles this query as follows:

• $H_1$ hash query for $\left(M\right)$: If $(M,·)\in L_{H_1}$, then it retrieves $(M,m)$ from $L_{H_1}$. Otherwise, it selects random $m\in {\mathbb{Z}}_p$ and adds $(M,m)$ to $L_{H_1}$. It gives m to ${\mathcal{A}}_{alg}$.
• $H_2$ hash query for $(R,M)$: If $(R,M,·)\in L_{H_2}$, then it retrieves $(R,M,c)$ from $L_{H_2}$. Otherwise, it selects random $c\in {\mathbb{Z}}_p$ and adds $(R,M,c)$ to $L_{H_2}$. It gives c to ${\mathcal{A}}_{alg}$.

• Signature Query: If ${\mathcal{A}}_{alg}$ requests a signature query for a message M, then $\mathcal{B}$ adds M to Q and generates a signature $\sigma =(c,s_1,s_2)$ by running PKS.Sign$(SK,M)$ since it has $SK$. It gives $\sigma$ to ${\mathcal{A}}_{alg}$. Recall that ${\mathcal{A}}_{alg}$ is implicitly given a commitment $R={\left(g^{m}h\right)}^{s_1}{\left(g_2^m{h}_2\right)}^{s_2}{\left(X^{m}Y\right)}^{-c}$ from the signature $\sigma$ where $m=H_1\left(M\right)$.

Note that ${\mathcal{A}}_{alg}$ is an algebraic adversary that when it requests hash queries with a group element $Z\in$, it also submits a representation $\overrightarrow{z}=(z_1,\dots ,z_{\ell })$ for the group element Z such that $Z={\prod }_{i=1}^{\ell }{V}_i^{z_i}$ and $\left\{V_i\right\}$ are group elements given to ${\mathcal{A}}_{alg}$. For the simplicity of the notation, we do not describe representations for group elements in hash queries. We assume that the representations of group elements submitted by ${\mathcal{A}}_{alg}$ are implicitly stored in the lists maintained by $\mathcal{B}$.

• Output: Finally, ${\mathcal{A}}_{alg}$ outputs a forged signature ${\sigma }^{*}=(c^{*},s_1^{*},s_2^{*})$ on a message $M^{*}$. $\mathcal{B}$ checks that PKS.Verify$(PK,{\sigma }^{*},M^{*})=1$ and $M^{*}\notin Q$.

From the verification algorithm of the PKS scheme, it can derive the commitment group element $R^{*}$ of ${\sigma }^{*}$ by computing $R^{*}={\left(g^{m^{*}}h\right)}^{s_1^{*}}{\left(g_2^{m^{*}}{h}_2\right)}^{s_2^{*}}{\left(X^{m^{*}}Y\right)}^{-c^{*}}$ where $m^{*}=H_1\left(M^{*}\right)$. Next, it finds the representation $\overrightarrow{z}=(z_1,\dots ,z_6,z_{7,1},\dots ,z_{7,q_S})$ of the element $R^{*}$ that is implicitly stored in $L_{H_2}$ such as $R^{*}=g^{z_1}{g}_2^{z_2}{h}^{z_3}{h}_2^{z_4}{X}^{z_5}{Y}^{z_6}{\prod }_{k=1}^{q_S}{\left(R^{\left(k\right)}\right)}^{z_{7,k}}$ where $X=g^{x_1}{g}_2^{x_2}$, $Y=h^{x_1}{h}_2^{x_2}$, and $R^{\left(k\right)}={\left(g^{m^{\left(k\right)}}h\right)}^{r_1^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_2^{\left(k\right)}}$ is the commitment of k-th signature query. By combining the above equations, it can derive the following equation

$$\begin{array}{cc}\hfill 1=& {\left(g^{m^{*}}h\right)}^{s_1^{*}}{\left(g_2^{m^{*}}{h}_2\right)}^{s_2^{*}}{\left(X^{m^{*}}Y\right)}^{-c^{*}}{R^{*}}^{-1}\hfill \\ \hfill =& g^{m^{*}{s}_1^{*}}{h}^{s_1^{*}}{g}_2^{m^{*}{s}_2^{*}}{h}_2^{s_2^{*}}{\left({\left(g^{x_1}{g}_2^{x_2}\right)}^{m^{*}}\left(h^{x_1}{h}_2^{x_2}\right)\right)}^{-c^{*}}·\hfill \\ \hfill & {\left(g^{z_1}{h}^{z_3}{g}_2^{z_2}{h}_2^{z_4}{\left(g^{x_1}{g}_2^{x_2}\right)}^{z_5}{\left(h^{x_1}{h}_2^{x_2}\right)}^{z_6}\prod _{k=1}^{q_S}{\left(g^{m^{\left(k\right)}}h\right)}^{r_1^{\left(k\right)}{z}_{7,k}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_2^{\left(k\right)}{z}_{7,k}}\right)}^{-1}\hfill \\ \hfill =& g^{m^{*}(s_1^{*}-x_1{c}^{*})}{h}^{(s_1^{*}-x_1{c}^{*})}{g}_2^{m^{*}(s_2^{*}-x_2{c}^{*})}{h}_2^{(s_2^{*}-x_2{c}^{*})}·\hfill \\ \hfill & {\left(g^{z_1+x_1{z}_5+{\sum }_{k=1}^{q_S}{m}^{\left(k\right)}{r}_1^{\left(k\right)}{z}_{7,k}}{h}^{z_3+x_1{z}_6+{\sum }_{k=1}^{q_S}{r}_1^{\left(k\right)}{z}_{7,k}}{g}_2^{z_2+x_2{z}_5+{\sum }_{k=1}^{q_S}{m}^{\left(k\right)}{r}_2^{\left(k\right)}{z}_{7,k}}{h}_2^{z_4+x_2{z}_6+{\sum }_{k=1}^{q_S}{r}_2^{\left(k\right)}{z}_{7,k}}\right)}^{-1}\hfill \\ \hfill =& g^{A_1}{h}^{A_2}{g}_2^{B_1}{h}_2^{B_2}\hfill \end{array}$$

where $A_1,A_2,B_1$, and $B_2$ are variables defined as

$$\begin{array}{cc}\hfill A_1:=& m^{*}(s_1^{*}-x_1{c}^{*})-\left(z_1+x_1{z}_5+\sum _{k=1}^{q_S}{m}^{\left(k\right)}{r}_1^{\left(k\right)}{z}_{7,k}\right),\hfill \\ \hfill A_2:=& (s_1^{*}-x_1{c}^{*})-\left(z_3+x_1{z}_6+\sum _{k=1}^{q_S}{r}_1^{\left(k\right)}{z}_{7,k}\right),\hfill \\ \hfill B_1:=& m^{*}(s_2^{*}-x_2{c}^{*})-\left(z_2+x_2{z}_5+\sum _{k=1}^{q_S}{m}^{\left(k\right)}{r}_2^{\left(k\right)}{z}_{7,k}\right),\hfill \\ \hfill B_2:=& (s_2^{*}-x_2{c}^{*})-\left(z_4+x_2{z}_6+\sum _{k=1}^{q_S}{r}_2^{\left(k\right)}{z}_{7,k}\right).\hfill \end{array}$$

To solve the discrete logarithm, we classify algebraic adversaries into the following three types depending on the conditions of variables:

• Type-1: an algebraic adversary is Type-1 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\not\equiv 0modp$.
• Type-2: an algebraic adversary is Type-2 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\not\equiv 0modp$.
• Type-3: an algebraic adversary is Type-3 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\equiv 0modp$.

Let F be the event that an adversary succeeds to forge a multi-signature and $T_i$ be the event that an adversary is Type-i. Since the random bit b is hidden to the adversary and b is independent to the type of the adversary, we have that $Pr[b=0\wedge F|T_i]=Pr[b=1\wedge F|T_i]$ for each type of adversary. If the Type-1 adversary is successful to forge and the guess of the reduction algorithm is correct ($b=0$), then the reduction can compute the discrete logarithm as ${\mathrm{dlog}}_g\left(g_2\right)=-(A_1+h^{\prime }{A}_2)/(B_1+h^{\prime }{B}_2)modp$ since $g_2=g^a$ and $B_1+h^{\prime }{B}_2\not\equiv 0modp$. That is, $Pr[b=0\wedge F|T_1]\le {\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)$. If the Type-2 adversary is successful to forge and the guess of the reduction is correct ($b=1$), then the reduction can compute the discrete logarithm as ${\mathrm{dlog}}_{g_2}\left(h_2\right)=-B_1/B_{2}modp$ since $g_2=g^{\alpha },h_2={\left(g^a\right)}^{\alpha }$, $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$, and $B_2\not\equiv 0modp$. That is, $Pr[b=1\wedge F|T_2]\le {\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)$. From Lemma 3, the probability of the Type-3 adversary to successfully forge is negligible. That is, $Pr\left[F\right|T_3]\le \mathrm{negl}\left(\lambda \right)$. Therefore, we obtain the following result

$$\begin{array}{cc}\hfill {\mathit{Adv}}_{{\mathcal{A}}_{alg}}^{UF\text{-}CMA}\left(\lambda \right)& =Pr[F\wedge T_1]+Pr[F\wedge T_2]+Pr[F\wedge T_3]\hfill \\ \hfill & =Pr\left[T_1\right]Pr\left[F\right|T_1]+Pr\left[T_2\right]Pr\left[F\right|T_2]+Pr\left[T_3\right]Pr\left[F\right|T_3]\hfill \\ \hfill & =Pr\left[T_1\right]\left(Pr[b=0\wedge F|T_1]+Pr[b=1\wedge F|T_1]\right)+\hfill \\ \hfill & Pr\left[T_2\right]\left(Pr[b=0\wedge F|T_2]+Pr[b=1\wedge F|T_2]\right)+Pr\left[T_3\right]Pr\left[F\right|T_3]\hfill \\ \hfill & \le Pr\left[T_1\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+Pr\left[T_2\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+Pr\left[T_3\right]\mathrm{negl}\left(\lambda \right)\hfill \\ \hfill & \le Pr\left[T_1\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+(1-Pr\left[T_1\right])2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+\mathrm{negl}\left(\lambda \right)\hfill \\ \hfill & \le 2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+\mathrm{negl}\left(\lambda \right).\hfill \end{array}$$

This completes our proof. □

Lemma 2.

In the above PKS scheme, the private key exponents $(x_1,x_2)$ and random exponents $\left\{(r_1^{\left(k\right)},r_2^{\left(k\right)})\right\}$ for signature queries are statistically hidden to an algebraic adversary.

Proof. 

In order to show that the private key exponents $(x_1,x_2)$ and random exponents $\left\{(r_1^{\left(k\right)},r_2^{\left(k\right)})\right\}$ selected by the reduction algorithm are statistically hidden from the adversary, we should show that these exponents can be changed to different exponents $({\tilde{x}}_1,{\tilde{x}}_2)$ and $\left\{({\tilde{r}}_1^{\left(k\right)},{\tilde{r}}_2^{\left(k\right)})\right\}$ while the public key group elements, the commitment group elements, and the signatures given to the adversary are fixed.

Let $(X,Y)$ be the challenge public key. If the private key exponents $(x_1,x_2)$ can be changed to different private key exponents $({\tilde{x}}_1,{\tilde{x}}_2)$, then we obtain the first relation $x_1+\alpha x_2\equiv {\tilde{x}}_1+\alpha {\tilde{x}}_{2}modp$ from the following equation

$$\begin{array}{cc}\hfill X=& \left(g^{x_1}{g}_2^{x_2}\right)=g^{x_1+\alpha x_2}=g^{{\tilde{x}}_1+\alpha {\tilde{x}}_2}=\left(g^{{\tilde{x}}_1}{g}_2^{{\tilde{x}}_2}\right),\hfill \\ \hfill Y=& \left(h^{x_1}{h}_2^{x_2}\right)=h^{x_1+\alpha x_2}=h^{{\tilde{x}}_1+\alpha {\tilde{x}}_2}=\left(h^{{\tilde{x}}_1}{h}_2^{{\tilde{x}}_2}\right).\hfill \end{array}$$

Let $R^{\left(k\right)}$ be the commitment element of the k-th signature query. If the random exponents $(r_1^{\left(k\right)},r_2^{\left(k\right)})$ can be changed to different random exponents $({\tilde{r}}_1^{\left(k\right)},{\tilde{r}}_2^{\left(k\right)})$, then we obtain the second relation $r_1^{\left(k\right)}+\alpha r_2^{\left(k\right)}\equiv {\tilde{r}}_1^{\left(k\right)}+\alpha {\tilde{r}}_2^{\left(k\right)}modp$ from the following equation

$$\begin{array}{cc}\hfill R^{\left(k\right)}=& {\left(g^{m^{\left(k\right)}}h\right)}^{r_1^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_2^{\left(k\right)}}=g^{(m^{\left(k\right)}+h^{\prime })(r_1^{\left(k\right)}+\alpha r_2^{\left(k\right)})}\hfill \\ \hfill =& g^{(m^{\left(k\right)}+h^{\prime })({\tilde{r}}_1^{\left(k\right)}+\alpha {\tilde{r}}_2^{\left(k\right)})}={\left(g^{m^{\left(k\right)}}h\right)}^{{\tilde{r}}_1^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{{\tilde{r}}_2^{\left(k\right)}}.\hfill \end{array}$$

Let $(s_1^{\left(k\right)},s_2^{\left(k\right)})$ be the signature of the k-th signature query where $s_1^{\left(k\right)}=r_1^{\left(k\right)}+x_1{c}^{\left(k\right)}$ and $s_2^{\left(k\right)}=r_2^{\left(k\right)}+x_2{c}^{\left(k\right)}$. If the random exponents $(x_1,x_2)$ and $(r_1^{\left(k\right)},r_2^{\left(k\right)})$ can be changed to different random exponents $({\tilde{x}}_1,{\tilde{x}}_2)$ and $({\tilde{r}}_1^{\left(k\right)},{\tilde{r}}_2^{\left(k\right)})$, then we obtain the following third and fourth relations

$$\begin{array}{cc}\hfill r_1^{\left(k\right)}+x_1{c}^{\left(k\right)}& \equiv {\tilde{r}}_1^{\left(k\right)}+{\tilde{x}}_1{c}^{\left(k\right)}modp,\hfill \\ \hfill r_2^{\left(k\right)}+x_2{c}^{\left(k\right)}& \equiv {\tilde{r}}_2^{\left(k\right)}+{\tilde{x}}_2{c}^{\left(k\right)}modp.\hfill \end{array}$$

Now, we argue that new private key exponents and new random exponents can satisfy the above four relations and these exponents are different from the original exponents. From the above first, second, and third relations, we set the new exponents as follows

$$\begin{array}{cc}\hfill & {\tilde{x}}_1\leftarrow {\mathbb{Z}}_p^{*},{\tilde{x}}_2:=x_2+(x_1-{\tilde{x}}_1){\alpha }^{-1}modp,\hfill \\ \hfill & {\tilde{r}}_1^{\left(k\right)}:=r_1^{\left(k\right)}+(x_1-{\tilde{x}}_1)c^{\left(k\right)}modp,\hfill \\ \hfill & {\tilde{r}}_2^{\left(k\right)}:=r_2^{\left(k\right)}+(r_1^{\left(k\right)}-{\tilde{r}}_1^{\left(k\right)}){\alpha }^{-1}modp.\hfill \end{array}$$

Next, we show that these new exponents satisfy the fourth relation as follows

$$\begin{array}{cc}\hfill & r_2^{\left(k\right)}-{\tilde{r}}_2^{\left(k\right)}+x_2{c}^{\left(k\right)}-{\tilde{x}}_2{c}^{\left(k\right)}\hfill \\ \hfill & \equiv -(r_1^{\left(k\right)}-{\tilde{r}}_1^{\left(k\right)}){\alpha }^{-1}-(x_1-{\tilde{x}}_1){\alpha }^{-1}{c}^{\left(k\right)}\hfill \\ \hfill & \equiv -\left((r_1^{\left(k\right)}-{\tilde{r}}_1^{\left(k\right)})+(x_1-{\tilde{x}}_1)c^{\left(k\right)}\right){\alpha }^{-1}\equiv 0modp.\hfill \end{array}$$

This completes our proof. □

Lemma 3.

If the algebraic adversary is Type-3, then the advantage of the adversary in UF-CMA game is negligible.

Proof. 

From Theorem 1, we have the equation $g^{A_1}{h}^{A_2}{g}_2^{B_1}{h}_2^{B_2}=1$ where variables $B_1$ and $B_2$ are defined as follows

$$\begin{array}{cc}\hfill B_1:=& m^{*}(s_2^{*}-x_2{c}^{*})-\left(z_2+x_2{z}_5+\sum _{k=1}^{q_S}{m}^{\left(k\right)}{r}_2^{\left(k\right)}{z}_{7,k}\right),\hfill \\ \hfill B_2:=& (s_2^{*}-x_2{c}^{*})-\left(z_4+x_2{z}_6+\sum _{k=1}^{q_S}{r}_2^{\left(k\right)}{z}_{7,k}\right).\hfill \end{array}$$

Now, we analyze the conditions to satisfy $B_2\equiv 0modp$. From Lemma 2, we know that $x_2$ and $\left\{r_2^{\left(k\right)}\right\}$ are statistically hidden to the adversary. To satisfy $B_2\equiv 0modp$, the term $x_2{c}^{*}$ of $B_2$ that is not directly controlled by the adversary should be cancelled out. To analyze this, we consider the following two cases:

• Case 1: Let $BA{D}_1$ be an event that $x_2{c}^{*}$ is cancelled by $\left(z_4+x_2{z}_6+{\sum }_{k=1}^{q_S}{r}_2^{\left(k\right)}{z}_{7,k}\right)$. Recall that the term $\left(z_4+x_2{z}_6+{\sum }_{k=1}^{q_S}{r}_2^{\left(k\right)}{z}_{7,k}\right)$ is associated with the element $R^{*}$. In the signing algorithm, $c^{*}$ is the output of a hash function $H_2$ that takes $R^{*}$ as an input, and $H_2$ is modeled as a random oracle. Thus, $c^{*}$ is a random value independent of $R^{*}$ by the property of the random oracle. This means that the probability of $BA{D}_1$ is at most $1/p$.
• Case 2: Let $BA{D}_2$ be the event that the term $x_2{c}^{*}$ is cancelled by $s_2^{*}$. Recall that the term $s_2^{*}$ is the output of the adversary as the forged signature and $x_2$ is statistically hidden to the adversary. The only way to cancel out this term is for the adversary to construct a forged signature by combining the simulated signatures $\left\{(s_1^{\left(k\right)},s_2^{\left(k\right)})\right\}$ given from the signature queries since the reduction algorithm simply constructs a signature $s_2^{\left(k\right)}=r_2^{\left(k\right)}+x_2{c}^{\left(k\right)}$ by using the hidden private key element $x_2$. In this case, the term $(s_2^{*}-x_2{c}^{*})$ additionally contains a statistically hidden random exponent $r_2^{\left(k\right)}$ from the commitment $R^{\left(k\right)}$ for some k. Thus, there should exist an index $k\in \{1,\dots ,q_S\}$ such that $z_{7,k}\not\equiv 0modp$ since ${\mathcal{A}}_{alg}$ is an algebraic adversary that submits a group element with a representation of group elements given to the adversary.
  From the conditions $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\equiv 0modp$ of the Type-3 adversary, we have that $B_1\equiv B_2\equiv 0modp$. By combining $B_1$ and $B_2$, we have the following equation

  $$\begin{array}{cc}\hfill -B_1+m^{*}{B}_2& \equiv \left(z_2+x_2{z}_5-m^{*}(z_4+x_2{z}_6)+\sum _{k=1}^{q_S}(m^{\left(k\right)}-m^{*})r_2^{\left(k\right)}{z}_{7,k}\right)\equiv 0modp.\hfill \end{array}$$
  Since $z_{7,k}\not\equiv 0modp$ for some k and $r_2^{\left(k\right)}$ is statistically hidden to the adversary, the above equation can be reshaped as a degree-one polynomial $C_1{r}_2^{\left(k\right)}+C_0\equiv 0modp$ where a coefficient $C_1$ is expressed as $C_1=(m^{\left(k\right)}-m^{*})z_{7,k}$. By the Schwartz–Zippel lemma, the probability of the above polynomial to be zero is at most $1/p$ if $r_2^{\left(k\right)}$ is randomly selected and $C_1\not\equiv 0modp$. By the restrictions of the security model 2, we have $M^{*}\notin Q$. Thus the probability that $m^{\left(k\right)}-m^{*}\equiv 0modp$ for some k when $M^{*}\notin Q$ is bounded by $q_S/p$ since $H_1$ is modeled as a random oracle. This means that the probability of $BA{D}_2$ is at most $(q_S+1)/p$.

The success probability of the adversary is bounded by the probability of all bad events, and the probability of all bad events are bounded as

$$\begin{array}{c}\hfill Pr\left[BAD\right]\le Pr\left[BA{D}_1\right]+Pr\left[BA{D}_2\right]\le (q_{S_1}+2)/p.\end{array}$$

This completes our proof. □

2.4. Discussion

Multi-User Security. In the security proof, we analyzed the security of our PKS scheme in the single-user setting. In the multi-user setting, many public keys $P{K}_1,\dots ,P{K}_n$ are given to an adversary where n is bounded by a polynomial, and the adversary forges a signature for one of these public keys. In general, a PKS scheme that provides the single-user security also satisfies the multi-user security, but the security reduction is not tight since it has a loss of a factor n. In the security proof of our PKS scheme, a simulator can freely select the private key of each user. Thus, it is possible to prove the multi-user security of our PKS scheme with tight proof.

3. Multi-Signature

In this section, we propose a two-round MS scheme supporting public-key aggregation based on the PKS scheme in the previous section and prove that it is secure in the DL assumption in the AGM and ROM.

3.1. Definition

Multi-signature (MS) is a special kind of PKS in which multiple signers participate to generate a multi-signature for a message, and the multi-signature can be verified by using all public keys of the signers participating in the signature generation. We define the syntax of MS that supports the aggregation of the public keys of the signers into a single public key. The detailed syntax of MS supporting public key aggregation is given as follows.

Definition 4

(Multi-Signature). A multi-signature (MS) scheme with key aggregation consists of five PPT algorithms Setup, GenKey, AggKey, Sign, and Verify, which are defined as follows:

• $\mathit{Setup}\left(1^{\lambda }\right)$. The setup algorithm takes as input the security parameters λ in unary and outputs public parameters $PP$.
• $\mathit{GenKey}\left(PP\right)$. The key generation algorithm takes as input public parameters $PP$ and outputs a private key $SK$ and a public key $PK$.
• $\mathit{AggKey}\left(LK\right)$. The key aggregation algorithm takes as input a list of public keys $LK=(P{K}_1,\dots ,P{K}_n)$ and outputs an aggregated public key $AK$.
• $\mathit{Sign}(S{K}_i,LK,M)$. The signing algorithm takes as input a private key $S{K}_i$, a list of public keys $LK$, and a message M and outputs a multi-signature σ.
• $\mathit{Verify}(LK,\sigma ,M)$. The verification algorithm takes as input a list of public keys $LK$, a signature σ, and a message M and outputs either 1 or 0 depending on the validity of the signature.

The correctness requirement is that for $PP$ output by Setup$\left(1^{\lambda }\right)$, $(S{K}_i,P{K}_i)$ output by GenKey$\left(PP\right)$, and any M, we have that $\mathit{Verify}(LK,\mathit{Sign}(S{K}_i,LK,M),M)=1$.

The security model of MS extends the standard security model of PKS to the multi-user setting, which is called the plain public-key model [1]. In this plain public-key model, it is possible for an attacker to freely select the public keys of co-signers except the target public key. Because of this relaxation, the attacker can create a fake public key without knowing the private key of that public key, which is called a rogue-key attack. Additionally, if the signing protocol is composed of multiple rounds, the attacker can request parallel signing queries for multiple signatures when querying the signature. Finally, the attacker succeeds in forgery if the target public key is included in the final multi-signature and a target message has not been queried before in the signing queries. The detailed security model of MS is defined as follows.

Definition 5

(Unforgeability). The security notion of an MS scheme in the plain public-key model is unforgeability under a chosen message attack (MS-UF-CMA), which is defined in terms of the following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

1. 

Setup: $\mathcal{C}$ obtains public parameters $PP$ by running Setup$\left(1^{\lambda }\right)$ and obtains a challenge key pair $(S{K}^{*},P{K}^{*})$ by running GenKey$\left(PP\right)$. It gives $P{K}^{*}$ to $\mathcal{A}$.

2. 

Signature Query: $\mathcal{A}$ adaptively requests a multi-signature on a message M to sign under the challenge public key $PK$, and it receives a multi-signature σ.

3. 

Output: Finally, $\mathcal{A}$ outputs a forged multi-signature ${\sigma }^{*}$ on a message $M^{*}$ under public keys $L{K}^{*}=(P{K}_1,\dots ,P{K}_n)$. $\mathcal{C}$ outputs 1 if the forged multi-signature satisfies the following three conditions, or outputs 0 otherwise: (1) $\mathit{Verify}(L{K}^{*},{\sigma }^{*},M^{*})=1$, (2) the challenge public key $P{K}^{*}$ must exist in $L{K}^{*}$, and (3) the message $M^{*}$ must not have been queried by $\mathcal{A}$ to the signing oracle.

The advantage of $\mathcal{A}$ is defined as ${\mathit{Adv}}_{\mathcal{A}}^{MS}\left(\lambda \right)=Pr[\mathcal{C}=1]$ where the probability is taken over all the randomness of the experiment. An MS scheme is MS-UF-CMA-secure if all PPT adversaries have at most a negligible advantage in the above experiment where a function $f\left(\lambda \right)$ is negligible if $f\left(\lambda \right)<1/p\left(\lambda \right)$ for all polynomial $p\left(\lambda \right)$ with a large enough security parameter λ.

3.2. Construction

In order to design a secure two-round MS scheme, it is necessary to design a method to be secure against the Wagner algorithm using parallel signing query as shown in previous studies [13]. To do this, we change the random commitment element dependent on the signature message. That is, a commitment element is formed as $R={\left(g^{m}h\right)}^{r_1}{\left(g_2^m{h}_2\right)}^{r_2}$ where m is a message and $r_1,r_2$ are random exponents. The advantage of message-dependent commitment such as this is that even if an attacker obtains multiple commitment elements by requesting parallel signing queries, it is difficult for the attacker to derive another commitment for a new message because the commitment elements can be converted only for the same message. To perform such a commitment, the MS scheme needs to include h and $h_2$ elements in addition to g and $g_2$ elements in public parameters. Each private key of a user is set to the same $x_1$ and $x_2$ field elements as the Okamoto signature scheme, and the public key is set to $X=g^{x_1}{g}_2^{x_2}$ and $Y=h^{x_1}{h}_2^{x_2}$ due to additional public parameters. Note that the public key of the Okamoto signature scheme consists of one group element X, but our MS scheme consists of two group elements X and Y. The method of supporting the public key aggregation follows the previous method [3], and the aggregated public key consists of two group elements. The detailed description of our MS scheme is given as follows:

• MS.Setup($1^{\lambda }$): It first generates a cyclic group $\mathbb{G}$ of prime order p of bit size $\mathsf{\Theta }\left(\lambda \right)$. It chooses random generators $g,h\in \mathbb{G}$. It selects a random exponent $\alpha \in {\mathbb{Z}}_p$ and sets $g_2=g^{\alpha },h_2=h^{\alpha }$. Next, it chooses cryptographic hash functions $H_1,H_2,H_3$ such that $H_1:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$, $H_2:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$, and $H_3:{\{0,1\}}^{*}\to {\mathbb{Z}}_p$. It outputs public parameters $PP=(p,\mathbb{G},g,g_2,h,h_2,H_1,H_2,H_3)$.
• MS.GenKey($PP$): It chooses random $x_{i,1},x_{i,2}\in {\mathbb{Z}}_p$ and computes $X_i=g^{x_{i,1}}{g}_2^{x_{i,2}}$, $Y_i=h^{x_{i,1}}{h}_2^{x_{i,2}}$. It outputs a private key $S{K}_i=(PP,x_{i,1},x_{i,2})$ and a public key $P{K}_i=(PP,X_i,Y_i)$.
• MS.AggKey($LK$): Let $LK=(P{K}_1,\dots ,P{K}_n)$ be the list of public keys where $P{K}_i=(PP,X_i,Y_i)$. It calculates $a_i=H_3(LK,P{K}_i)$ for all $i\in \{1,\dots ,n\}$. Next, it computes $AX={\prod }_{i=1}^n{X}_i^{a_i}$ and $AY={\prod }_{i=1}^n{Y}_i^{a_i}$. It outputs an aggregated public key $AK=(PP,AX,AY)$.
• MS.Sign($S{K}_i,LK,M$): Let $S{K}_i=(PP,x_{i,1},x_{i,2})$ and $LK=(P{K}_1,\dots ,P{K}_n)$ where $P{K}_i=(PP,X_i,Y_i)$. It obtains $AK$ by running MS.AggKey$\left(LK\right)$ and calculates $a_i=H_3(LK,P{K}_i)$.

  1. 

  It calculates a hash $m=H_1\left(M\right)$. It selects random $r_{i,1},r_{i,2}\in {\mathbb{Z}}_p$ and computes $R_i={\left(g^{m}h\right)}^{r_{i,1}}{\left(g_2^m{h}_2\right)}^{r_{i,2}}$. Next, it broadcasts $R_i$ to all co-signers.

  2. 

  It receives ${\left\{R_j\right\}}_{1\le j\ne i\le n}$ from the co-signers. It computes $AR={\prod }_{i=1}^n{R}_i$. It calculates $c=H_2(AK,AR,M)$. Next, it computes $s_{i,1}=r_{i,1}+x_{i,1}{a}_{i}cmodp$ and $s_{i,2}=r_{i,2}+x_{i,2}{a}_{i}cmodp$. It broadcasts $(s_{i,1},s_{i,2})$ to all co-signers.

  3. 

  It receives ${\left\{(s_{j,1},s_{j,2})\right\}}_{1\le j\ne i\le n}$ from the co-signers. Next, it sets $s_1={\sum }_{i=1}^n{s}_{i,1}modp$ and $s_2={\sum }_{i=1}^n{s}_{i,2}modp$. It outputs a multi-signature $\sigma =(c,s_1,s_2)$.

• MS.Verify($LK,\sigma ,M$): Let $\sigma =(c,s_1,s_2)$ be a multi-signature on a message M under the list of public keys $LK$. It obtains $AK=(PP,AX,AY)$ by running MS.AggKey$\left(LK\right)$. It calculates a hash $m=H_1\left(M\right)$. Next, it derives

  $$AR={\left(g^{m}h\right)}^{s_1}{\left(g_2^m{h}_2\right)}^{s_2}/{\left(A{X}^{m}AY\right)}^c$$

  and checks that $c\stackrel{?}{=}{H}_2(AK,AR,M)$. If the equation holds, then it outputs 1. Otherwise, it outputs 0.

The correctness of this MS scheme can be easily verified when $m=H_1\left(M\right)$ through the following equation

$$\begin{array}{cc}\hfill {\left(g^{m}h\right)}^{s_1}{\left(g_2^m{h}_2\right)}^{s_2}& ={\left(g^{m}h\right)}^{{\sum }_{i=1}^n(r_{i,1}+x_{i,1}{a}_{i}c)}{\left(g_2^m{h}_2\right)}^{{\sum }_{i=1}^n(r_{i,2}+x_{i,2}{a}_{i}c)}\hfill \\ \hfill & ={\left(g^{m}h\right)}^{{\sum }_{i=1}^n{r}_{i,1}}{\left(g_2^m{h}_2\right)}^{{\sum }_{i=1}^n{r}_{i,2}}{\left(g^{m}h\right)}^{{\sum }_{i=1}^n{x}_{i,1}{a}_{i}c}{\left(g_2^m{h}_2\right)}^{{\sum }_{i=1}^n{x}_{i,2}{a}_{i}c}\hfill \\ \hfill & =\prod _{i=1}^n\left({\left(g^{m}h\right)}^{r_{i,1}}{\left(g_2^m{h}_2\right)}^{r_{i,2}}\right)·\prod _{i=1}^n{\left({\left(g^{m}h\right)}^{x_{i,1}{a}_i}{\left(g_2^m{h}_2\right)}^{x_{i,2}{a}_i}\right)}^c\hfill \\ \hfill & =\prod _{i=1}^n{R}_i·\prod _{i=1}^n{\left({\left(g^{x_{i,1}}{g}_2^{x_{i,2}}\right)}^{a_{i}m}{\left(h^{x_{i,1}}{h}_2^{x_{i,2}}\right)}^{a_i}\right)}^c\hfill \\ \hfill & =\prod _{i=1}^n{R}_i·{\left(\prod _{i=1}^n{X}_i^{a_{i}m}\prod _{i=1}^n{Y}_i^{a_i}\right)}^c=AR·{\left(A{X}^{m}AY\right)}^c.\hfill \end{array}$$

3.3. Security Analysis

The overall strategy to prove the security of our MS scheme is mostly similar to the strategy to prove the security of our PKS scheme in the previous section. That is, the simulator of security proof processes the signature query of an adversary by using a self-selected private key and divides the algebraic adversaries into three types to derive discrete logarithms from the forged signature of the adversary. First, in the case of Type-1 and Type-2 adversaries, if the challenge element of the discrete logarithm assumption is embedded in $g_2$ and h, respectively, it is possible for the simulator to extract the discrete logarithm without difficulty by using the forged signature submitted by the adversary and the representation of a group element in the forged signature. The difficult part of the proof is to show that a Type-3 adversary has a negligible probability of succeeding in forgery. To do this, we take advantage of the fact that the private key elements and the random commitment exponents are statistically hidden from the adversary, which is the important characteristic of Okamoto signatures. In this case, we use the condition that the target message $m^{*}$ is different from a message $m^{\left(k\right)}$ queried in the signing query, which is the security constraint of the MS-UF-CMA security model. In this case, it can be shown that the probability of successful forgery of the Type-3 adversary is negligible. Additionally, in the case of our MS scheme, the Type-3 adversary analysis is somewhat complicated because the final commitment element is aggregated from individual commitment elements generated by co-signers. The detailed security proof of our MS scheme is given in the following theorem.

Theorem 2.

The above MS scheme is MS-UF-CMA-secure in the algebraic group model if the DL assumption holds. That is, for any PPT algebraic adversary ${\mathcal{A}}_{alg}$, there exist PPT algorithms $\mathcal{B}$ such that ${\mathit{Adv}}_{{\mathcal{A}}_{alg}}^{MS}\left(\lambda \right)\le 2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+negl\left(\lambda \right)$.

Proof. 

Suppose there exists an algebraic adversary ${\mathcal{A}}_{alg}$ that forges the above MS scheme with non-negligible advantage $ϵ$. A reduction algorithm $\mathcal{B}$ that solves the DL assumption is given as input for a challenge tuple $D=(p,\mathbb{G},g,g^a)$. Then, $\mathcal{B}$ that interacts with ${\mathcal{A}}_{alg}$ is described as follows:

• Setup: The algorithm $\mathcal{B}$ first chooses a random bit $b\in \{0,1\}$ to guess the type of an adversary. If $b=0$, then it selects a random exponent $h^{\prime }\in {\mathbb{Z}}_p$ and sets $g_2=g^a,h=g^{h^{\prime }}$, $h_2=g_2^{h^{\prime }}$. Otherwise, it selects a random exponent $\alpha \in {\mathbb{Z}}_p$ and sets $g_2=g^{\alpha },h=g^a$, $h_2={\left(g^a\right)}^{\alpha }$. It sets public parameters $PP=(p,\mathbb{G},g,g_2,h,h_2,H_1,H_2)$ where $H_1$ and $H_2$ are hash functions that are modeled as random oracles. Next, it selects random exponents $x_1^{*},x_2^{*}\in {\mathbb{Z}}_p$ and computes $X^{*}=g^{x_1^{*}}{g}_2^{x_2^{*}},Y^{*}=h^{x_1^{*}}{h}_2^{x_2^{*}}$. It sets a challenge private key $S{K}^{*}=(PP,x_1^{*},x_2^{*})$ and a challenge public key $P{K}^{*}=(PP,X^{*},Y^{*})$. It keeps $S{K}^{*}$ internally and gives $P{K}_1=P{K}^{*}$ to ${\mathcal{A}}_{alg}$.

• Hash Query: If ${\mathcal{A}}_{alg}$ requests an $H_1$, $H_2$, or $H_3$ hash query, then $\mathcal{B}$ handles this query as follows:

• $H_1$ hash query for $\left(M\right)$: If $(M,·)\in L_{H_1}$, then it retrieves $(M,m)$ from $L_{H_1}$. Otherwise, it selects random $m\in {\mathbb{Z}}_p$ and adds $(M,m)$ to $L_{H_1}$. It gives m to ${\mathcal{A}}_{alg}$.
• $H_2$ hash query for $(AK,AR,M)$: If $(AK,AR,M,·)\in L_{H_2}$, then it retrieves $(AK,AR,M,c)$ from $L_{H_2}$. Otherwise, it selects random $c\in {\mathbb{Z}}_p$ and adds $(AK,AR,M,c)$ to $L_{H_2}$. It gives c to ${\mathcal{A}}_{alg}$.
• $H_3$ hash query for $(LK,P{K}_i)$: If $(LK,P{K}_i,·)\in L_{H_3}$, then it retrieves $(LK,P{K}_i,a_i)$ from $L_{H_3}$. Otherwise, it selects random $a_i\in {\mathbb{Z}}_p$ and adds $(LK,P{K}_i,a_i)$ to $L_{H_3}$. It gives $a_i$ to ${\mathcal{A}}_{alg}$.

• Signature Query: If ${\mathcal{A}}_{alg}$ requests a first-round or second-round signature query, then $\mathcal{B}$ handles this query as follows:

• First-round signature query for $\left(M\right)$: It adds M to Q and calculates $m=H_1\left(M\right)$. It selects random exponents $r_{1,1},r_{1,2}\in {\mathbb{Z}}_p$ and computes $R_1={\left(g^{m}h\right)}^{r_{1,1}}{\left(g_2^m{h}_2\right)}^{r_{1,2}}$. It adds $(M,R_1,r_{1,1},r_{1,2})$ to $L_{S_1}$. It gives $R_1$ to ${\mathcal{A}}_{alg}$.
• Second-round signature query for $(LK,M,{\left\{R_i\right\}}_{i=1}^n)$ where $LK=(P{K}_1,\dots ,P{K}_n)$: If $(M,R_1,·,·)\notin L_{S_1}$ or $P{K}_1\ne P{K}^{*}$, then it returns 0. It retrieves $(M,R_1,r_{1,1},r_{1,2})$ from $L_{S_1}$. It computes $AR={\prod }_{i=1}^n{R}_i$. It obtains $AK$ by running MS.AggKey$\left(LK\right)$ and calculates $a_1=H_3(LK,P{K}_1)$. It calculates $c=H_2(AK,AR,M)$. Next, it computes $s_{1,1}=r_{1,1}+x_1^{*}{a}_{1}cmodp$ and $s_{1,2}=r_{1,2}+x_2^{*}{a}_{1}cmodp$. It adds $(LK,M,{\left\{R_i\right\}}_{i=1}^n,AR,c,s_{1,1},s_{1,2},r_{1,1},r_{1,2})$ to $L_{S_2}$. It gives $(s_{1,1},s_{1,2})$ to ${\mathcal{A}}_{alg}$.

Note that ${\mathcal{A}}_{alg}$ is an algebraic adversary that when it requests hash and signature queries with a group element $Z\in \mathbb{G}$, it also submits a representation $\overrightarrow{z}=(z_1,\dots ,z_{\ell })$ for the group element Z such that $Z={\prod }_{i=1}^{\ell }{V}_i^{z_i}$ and $\left\{V_i\right\}$ are group elements given to ${\mathcal{A}}_{alg}$. For the simplicity of the notation, we do not describe representations for group elements in hash and signature queries. We assume that the representations of group elements submitted by ${\mathcal{A}}_{alg}$ are implicitly stored in the lists maintained by $\mathcal{B}$.

• Output: Finally, ${\mathcal{A}}_{alg}$ outputs a forged multi-signature ${\sigma }^{*}=(c^{*},s_1^{*},s_2^{*})$ on a message $M^{*}$ under a list of public keys $L{K}^{*}=(P{K}_1,\dots ,P{K}_n)$. $\mathcal{B}$ checks that MS.Verify$(L{K}^{*},{\sigma }^{*},M^{*})=1$, $P{K}_1=P{K}^{*}$, and $M^{*}\notin Q$.

From the verification algorithm of the MS scheme, it can derive the following equation

$$\begin{array}{cc}\hfill A{R}^{*}& ={\left(g^{m^{*}}h\right)}^{s_1^{*}}{\left(g_2^{m^{*}}{h}_2\right)}^{s_2^{*}}{\left(A{X}^{m^{*}}AY\right)}^{-c^{*}}\hfill \\ \hfill & =g^{m^{*}{s}_1^{*}}{h}^{s_1^{*}}{g}_2^{m^{*}{s}_2^{*}}{h}_2^{s_2^{*}}{\left(X_1^{a_1}\prod _{i=2}^n{X}_i^{a_i}\right)}^{-m^{*}{c}^{*}}{\left(Y_1^{a_1}\prod _{i=2}^n{Y}_i^{a_i}\right)}^{-c^{*}}\hfill \end{array}$$

where $X_1=g^{x_1^{*}}{g}_2^{x_2^{*}}$ and $Y_1=h^{x_1^{*}}{h}_2^{x_2^{*}}$. Next, it finds representations $\overrightarrow{z}=(z_1,\dots ,z_{7,1},\dots ,z_{7,q_{S_1}})$ of the group element $A{R}^{*}$, ${\overrightarrow{u}}^{\left(i\right)}=(u_1^{\left(i\right)},\dots ,u_{7,1}^{\left(i\right)},\dots ,u_{7,q_{S_1}}^{\left(i\right)})$ of the group element $X_i$, and ${\overrightarrow{v}}^{\left(i\right)}=(v_1^{\left(i\right)},\dots ,v_{7,1}^{\left(i\right)},\dots ,v_{7,q_{S_1}}^{\left(i\right)})$ of the group element $Y_i$ that are implicitly stored in hash lists such as

$$\begin{array}{cc}\hfill & A{R}^{*}=g^{z_1}{g}_2^{z_2}{h}^{z_3}{h}_2^{z_4}{X}_1^{z_5}{Y}_1^{z_6}\prod _{k=1}^{q_{S_1}}{\left(R_1^{\left(k\right)}\right)}^{z_{7,k}},\hfill \\ \hfill & X_i=g^{u_1^{\left(i\right)}}{g}_2^{u_2^{\left(i\right)}}{h}^{u_3^{\left(i\right)}}{h}_2^{u_4^{\left(i\right)}}{X}_1^{u_5^{\left(i\right)}}{Y}_1^{u_6^{\left(i\right)}}\prod _{k=1}^{q_{S_1}}{\left(R_1^{\left(k\right)}\right)}^{u_{7,k}^{\left(i\right)}},\hfill \\ \hfill & Y_i=g^{v_1^{\left(i\right)}}{g}_2^{v_2^{\left(i\right)}}{h}^{v_3^{\left(i\right)}}{h}_2^{v_4^{\left(i\right)}}{X}_1^{v_5^{\left(i\right)}}{Y}_1^{v_6^{\left(i\right)}}\prod _{k=1}^{q_{S_1}}(R_1^{\left(k\right)}{)}^{v_{7,k}^{\left(i\right)}}\hfill \end{array}$$

where $R_1^{\left(k\right)}={\left(g^{m^{\left(k\right)}}h\right)}^{r_{1,1}^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_{2,2}^{\left(k\right)}}$ is the commitment of the k-th first-round signature query.

By combining above equations, it can derive the following simplified equation

$$\begin{array}{c}\hfill g^{A_1}{h}^{A_2}{g}_2^{B_1}{h}_2^{B_2}=g^{A_1+{\mathrm{dlog}}_g\left(h\right)A_2}{g}_2^{B_1+{\mathrm{dlog}}_g\left(h\right)B_2}=1\end{array}$$

where $A_1,A_2,B_1,B_2$ are variables defined by the forged signature $(c^{*},s_1^{*},s_2^{*})$, the representations $\overrightarrow{z},\{{\overrightarrow{u}}^{\left(i\right)},{\overrightarrow{v}}^{\left(i\right)}\}$, private key elements $x_1^{*},x_2^{*}$, random exponents $\{r_{1,1}^{\left(k\right)},r_{1,2}^{\left(k\right)}\}$, and message hashes $m^{*},\left\{m^{\left(k\right)}\right\}$.

To solve the discrete logarithm, we classify algebraic adversaries into the following three types depending on the conditions of variables:

• Type-1: an algebraic adversary is Type-1 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\not\equiv 0modp$.
• Type-2: an algebraic adversary is Type-2 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\not\equiv 0modp$.
• Type-3: an algebraic adversary is Type-3 if $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\equiv 0modp$.

Let F be the event that an adversary succeeds to forge a multi-signature and $T_i$ be the event that an adversary is Type-i. Since the random bit b is hidden to the adversary and b is independent of the type of the adversary, we have that $Pr[b=0\wedge F|T_i]=Pr[b=1\wedge F|T_i]$ for each type of the adversary. If the Type-1 adversary is successful to forge and the guess of the reduction algorithm is correct ($b=0$), then the reduction can compute the discrete logarithm as ${\mathrm{dlog}}_g\left(g_2\right)=-(A_1+h^{\prime }{A}_2)/(B_1+h^{\prime }{B}_2)modp$ since $g_2=g^a$ and $B_1+h^{\prime }{B}_2\not\equiv 0modp$. That is, $Pr[b=0\wedge F|T_1]\le {\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)$. If the Type-2 adversary is successful to forge and the guess of the reduction is correct ($b=1$), then the reduction can compute the discrete logarithm as ${\mathrm{dlog}}_{g_2}\left(h_2\right)=-B_1/B_{2}modp$ since $g_2=g^{\alpha },h_2={\left(g^a\right)}^{\alpha }$, $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$, and $B_2\not\equiv 0modp$. That is, $Pr[b=1\wedge F|T_2]\le {\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)$. From Lemma 5, the probability of the Type-3 adversary to successfully forge is negligible. That is, $Pr\left[F\right|T_3]\le \mathrm{negl}\left(\lambda \right)$. Therefore, we obtain the following result

$$\begin{array}{cc}\hfill {\mathit{Adv}}_{{\mathcal{A}}_{alg}}^{MS\text{-}UF\text{-}CMA}\left(\lambda \right)& =Pr[F\wedge T_1]+Pr[F\wedge T_2]+Pr[F\wedge T_3]\hfill \\ \hfill & =Pr\left[T_1\right]Pr\left[F\right|T_1]+Pr\left[T_2\right]Pr\left[F\right|T_2]+Pr\left[T_3\right]Pr\left[F\right|T_3]\hfill \\ \hfill & =Pr\left[T_1\right]\left(Pr[b=0\wedge F|T_1]+Pr[b=1\wedge F|T_1]\right)+\hfill \\ \hfill & Pr\left[T_2\right]\left(Pr[b=0\wedge F|T_2]+Pr[b=1\wedge F|T_2]\right)+Pr\left[T_3\right]Pr\left[F\right|T_3]\hfill \\ \hfill & \le Pr\left[T_1\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+Pr\left[T_2\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+Pr\left[T_3\right]\mathrm{negl}\left(\lambda \right)\hfill \\ \hfill & \le Pr\left[T_1\right]2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+(1-Pr\left[T_1\right])2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+\mathrm{negl}\left(\lambda \right)\hfill \\ \hfill & \le 2{\mathit{Adv}}_{\mathcal{B}}^{DL}\left(\lambda \right)+\mathrm{negl}\left(\lambda \right).\hfill \end{array}$$

This completes our proof. □

Lemma 4.

In the above MS scheme, the private key exponents $(x_1^{*},x_2^{*})$ and random exponents $\left\{(r_{1,1}^{\left(k\right)},r_{1,2}^{\left(k\right)})\right\}$ for first-round signature queries are statistically hidden to an algebraic adversary.

Proof. 

In order to show that the private key exponents $(x_1^{*},x_2^{*})$ and random exponents $\left\{(r_{1,1}^{\left(k\right)},r_{1,2}^{\left(k\right)})\right\}$ selected by the reduction algorithm are statistically hidden from the adversary, we should show that these exponents can be changed to different exponents $({\tilde{x}}_1^{*},{\tilde{x}}_2^{*})$ and $\left\{({\tilde{r}}_{1,1}^{\left(k\right)},{\tilde{r}}_{1,2}^{\left(k\right)})\right\}$ while the public key group elements, the commitment group elements, and the partial signatures given to the adversary are fixed.

Let $(X_1,Y_1)$ be the challenge public key. If the private key exponents $(x_1^{*},x_2^{*})$ can be changed to different private key exponents $({\tilde{x}}_1^{*},{\tilde{x}}_2^{*})$, then we obtain the first relation $x_1^{*}+\alpha x_2^{*}\equiv {\tilde{x}}_1^{*}+\alpha {\tilde{x}}_2^{*}modp$ from the following equation

$$\begin{array}{cc}\hfill X_1=& \left(g^{x_1^{*}}{g}_2^{x_2^{*}}\right)=g^{x_1^{*}+\alpha x_2^{*}}=g^{{\tilde{x}}_1^{*}+\alpha {\tilde{x}}_2^{*}}=\left(g^{{\tilde{x}}_1^{*}}{g}_2^{{\tilde{x}}_2^{*}}\right),\hfill \\ \hfill Y_1=& \left(h^{x_1^{*}}{h}_2^{x_2^{*}}\right)=h^{x_1^{*}+\alpha x_2^{*}}=h^{{\tilde{x}}_1^{*}+\alpha {\tilde{x}}_2^{*}}=\left(h^{{\tilde{x}}_1^{*}}{h}_2^{{\tilde{x}}_2^{*}}\right).\hfill \end{array}$$

Let $R_1^{\left(k\right)}$ be the commitment element of the k-th signature query. If the random exponents $(r_{1,1}^{\left(k\right)},r_{1,2}^{\left(k\right)})$ can be changed to different random exponents $({\tilde{r}}_{1,1}^{\left(k\right)},{\tilde{r}}_{1,2}^{\left(k\right)})$, then we obtain the second relation $r_{1,1}^{\left(k\right)}+\alpha r_{1,2}^{\left(k\right)}\equiv {\tilde{r}}_{1,1}^{\left(k\right)}+\alpha {\tilde{r}}_{1,2}^{\left(k\right)}modp$ from the following equation

$$\begin{array}{cc}\hfill R_1^{\left(k\right)}=& {\left(g^{m^{\left(k\right)}}h\right)}^{r_{1,1}^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_{1,2}^{\left(k\right)}}=g^{(m^{\left(k\right)}+h^{\prime })(r_{1,1}^{\left(k\right)}+\alpha r_{1,2}^{\left(k\right)})}\hfill \\ \hfill =& g^{(m^{\left(k\right)}+h^{\prime })({\tilde{r}}_{1,1}^{\left(k\right)}+\alpha {\tilde{r}}_{1,2}^{\left(k\right)})}={\left(g^{m^{\left(k\right)}}h\right)}^{{\tilde{r}}_{1,1}^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{{\tilde{r}}_{1,2}^{\left(k\right)}}.\hfill \end{array}$$

Let $(s_{1,1}^{\left(k\right)},s_{1,2}^{\left(k\right)})$ be the partial signature of the k-th signature query where $s_{1,1}^{\left(k\right)}=r_{1,1}^{\left(k\right)}+x_1^{*}{a}_1{c}^{\left(k\right)}$ and $s_{1,2}^{\left(k\right)}=r_{1,2}^{\left(k\right)}+x_2^{*}{a}_1{c}^{\left(k\right)}$. If the random exponents $(x_1^{*},x_2^{*})$ and $(r_{1,1}^{\left(k\right)},r_{1,2}^{\left(k\right)})$ can be changed to different random exponents $({\tilde{x}}_1^{*},{\tilde{x}}_2^{*})$ and $({\tilde{r}}_{1,1}^{\left(k\right)},{\tilde{r}}_{1,2}^{\left(k\right)})$, then we obtain the following third and fourth relations

$$\begin{array}{cc}\hfill r_{1,1}^{\left(k\right)}+x_1^{*}{a}_1{c}^{\left(k\right)}& \equiv {\tilde{r}}_{1,1}^{\left(k\right)}+{\tilde{x}}_1^{*}{a}_1{c}^{\left(k\right)}modp,\hfill \\ \hfill r_{1,2}^{\left(k\right)}+x_2^{*}{a}_1{c}^{\left(k\right)}& \equiv {\tilde{r}}_{1,2}^{\left(k\right)}+{\tilde{x}}_2^{*}{a}_1{c}^{\left(k\right)}modp.\hfill \end{array}$$

Now, we argue that new private key exponents and new random exponents can satisfy the above four relations and that these exponents are different than the original exponents. From the above first, second, and third relations, we set the new exponents as follows

$$\begin{array}{cc}\hfill & {\tilde{x}}_1^{*}\leftarrow {\mathbb{Z}}_p^{*},{\tilde{x}}_2^{*}:=x_2^{*}+(x_1^{*}-{\tilde{x}}_1^{*}){\alpha }^{-1}modp,\hfill \\ \hfill & {\tilde{r}}_{1,1}^{\left(k\right)}:=r_{1,1}^{\left(k\right)}+(x_1^{*}-{\tilde{x}}_1^{*})a_1{c}^{\left(k\right)}modp,\hfill \\ \hfill & {\tilde{r}}_{1,2}^{\left(k\right)}:=r_{1,2}^{\left(k\right)}+(r_{1,1}^{\left(k\right)}-{\tilde{r}}_{1,1}^{\left(k\right)}){\alpha }^{-1}modp.\hfill \end{array}$$

Next, we show that these new exponents satisfy the fourth relation as follows

$$\begin{array}{cc}\hfill & r_{1,2}^{\left(k\right)}-{\tilde{r}}_{1,2}^{\left(k\right)}+x_2^{*}{a}_1{c}^{\left(k\right)}-{\tilde{x}}_2^{*}{a}_1{c}^{\left(k\right)}\hfill \\ \hfill & \equiv -(r_{1,1}^{\left(k\right)}-{\tilde{r}}_{1,1}^{\left(k\right)}){\alpha }^{-1}-(x_1^{*}-{\tilde{x}}_1^{*}){\alpha }^{-1}{a}_1{c}^{\left(k\right)}\hfill \\ \hfill & \equiv -\left((r_{1,1}^{\left(k\right)}-{\tilde{r}}_{1,1}^{\left(k\right)})+(x_1^{*}-{\tilde{x}}_1^{*})a_1{c}^{\left(k\right)}\right){\alpha }^{-1}\equiv 0modp.\hfill \end{array}$$

This completes our proof. □

Lemma 5.

If the algebraic adversary is Type-3, then the advantage of the adversary in MS-UF-CMA game is negligible.

Proof. 

Let $A{R}^{*}$ be the group element derived from a forged multi-signature ${\sigma }^{*}$. From the verification algorithm, the forged signature ${\sigma }^{*}=(c^{*},s_1^{*},s_2^{*})$ with the element $A{R}^{*}$ satisfies the following equation

$$\begin{array}{cc}\hfill 1& ={\left(g^{m^{*}}h\right)}^{s_1^{*}}{\left(g_2^{m^{*}}{h}_2\right)}^{s_2^{*}}{A{R}^{*}}^{-1}{\left(A{X}^{m^{*}}AY\right)}^{-c^{*}}\hfill \\ \hfill & =g^{m^{*}{s}_1^{*}}{h}^{s_1^{*}}{g}_2^{m^{*}{s}_2^{*}}{h}_2^{s_2^{*}}{A{R}^{*}}^{-1}{\left(\prod _{i=1}^n{X}_i^{a_i}\right)}^{-m^{*}{c}^{*}}{\left(\prod _{i=1}^n{Y}_i^{a_i}\right)}^{-c^{*}}\hfill \\ \hfill & =g^{m^{*}{s}_1^{*}}{h}^{s_1^{*}}{g}_2^{m^{*}{s}_2^{*}}{h}_2^{s_2^{*}}·X_1^{-a_1{m}^{*}{c}^{*}}{Y}_1^{-a_1{c}^{*}}·{A{R}^{*}}^{-1}·\prod _{i=2}^n{X}_i^{-m^{*}{a}_i{c}^{*}}\prod _{i=2}^n{Y}_i^{-a_i{c}^{*}}\hfill \\ \hfill & =g^{m^{*}{s}_1^{*}}{h}^{s_1^{*}}{g}_2^{m^{*}{s}_2^{*}}{h}_2^{s_2^{*}}·{\left(g^{x_1^{*}}{g}_2^{x_2^{*}}\right)}^{-a_1{m}^{*}{c}^{*}}{\left(h^{x_1^{*}}{h}_2^{x_2^{*}}\right)}^{-a_1{c}^{*}}·{A{R}^{*}}^{-1}·\prod _{i=2}^n{X}_i^{-m^{*}{a}_i{c}^{*}}\prod _{i=2}^n{Y}_i^{-a_i{c}^{*}}\hfill \\ \hfill & =g^{m^{*}{s}_1^{*}-m^{*}{x}_1^{*}{a}_1{c}^{*}}{h}^{s_1^{*}-x_1^{*}{a}_1{c}^{*}}{g}_2^{m^{*}{s}_2^{*}-m^{*}{x}_2^{*}{a}_1{c}^{*}}{h}_2^{s_2^{*}-x_2^{*}{a}_1{c}^{*}}·{A{R}^{*}}^{-1}·\prod _{i=2}^n{X}_i^{-m^{*}{a}_i{c}^{*}}\prod _{i=2}^n{Y}_i^{-a_i{c}^{*}}.\hfill \end{array}$$

Next, we find the representation $\overrightarrow{z}=(z_1,\dots ,z_6,z_{7,1},\dots ,z_{7,k})$ from $L_{H_2}$ for the group element $A{R}^{*}$ such as

$$\begin{array}{cc}\hfill A{R}^{*}& =g^{z_1}{g}_2^{z_2}{h}^{z_3}{h}_2^{z_4}{X}_1^{z_5}{Y}_1^{z_6}\prod _{k=1}^{q_{S_1}}{\left(R_1^{\left(k\right)}\right)}^{z_{7,k}}\hfill \\ \hfill & =g^{z_1}{g}_2^{z_2}{h}^{z_3}{h}_2^{z_4}{\left(g^{x_1^{*}}{g}_2^{x_2^{*}}\right)}^{z_5}{\left(h^{x_1^{*}}{h}_2^{x_2^{*}}\right)}^{z_6}\prod _{k=1}^{q_{S_1}}{\left({\left(g^{m^{\left(k\right)}}h\right)}^{r_{1,1}^{\left(k\right)}}{\left(g_2^{m^{\left(k\right)}}{h}_2\right)}^{r_{1,2}^{\left(k\right)}}\right)}^{z_{7,k}}\hfill \\ \hfill & =g^{z_1}{g}_2^{z_2}{h}^{z_3}{h}_2^{z_4}{g}^{x_1^{*}{z}_5}{g}_2^{x_2^{*}{z}_5}{h}^{x_1^{*}{z}_6}{h}_2^{x_2^{*}{z}_6}{g}^{{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,1}^{\left(k\right)}{z}_{7,k}}{h}^{{\sum }_{k=1}^{q_{S_1}}{r}_{1,1}^{\left(k\right)}{z}_{7,k}}{g}_2^{{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{z}_{7,k}}{h}_2^{{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{z}_{7,k}}\hfill \\ \hfill & =g^{z_1+x_1^{*}{z}_5+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,1}^{\left(k\right)}{z}_{7,k}}{h}^{z_3+x_1^{*}{z}_6+{\sum }_{k=1}^{q_{S_1}}{r}_{1,1}^{\left(k\right)}{z}_{7,k}}{g}_2^{z_2+x_2^{*}{z}_5+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{z}_{7,k}}{h}_2^{z_4+x_2^{*}{z}_6+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{z}_{7,k}}.\hfill \end{array}$$

We can also find the representations ${\overrightarrow{u}}^{\left(i\right)}=(u_1^{\left(i\right)},\dots ,u_6^{\left(i\right)},u_{7,1}^{\left(i\right)},\dots ,u_{7,k}^{\left(i\right)})$, ${\overrightarrow{v}}^{\left(i\right)}=(v_1^{\left(i\right)},\dots ,v_6^{\left(i\right)},v_{7,1}^{\left(i\right)},\dots ,v_{7,k}^{\left(i\right)})$ from $L_{H_2}$ for the group elements $X_i,Y_i$, respectively, such as

$$\begin{array}{cc}\hfill X_i& =g^{u_1^{\left(i\right)}}{g}_2^{u_2^{\left(i\right)}}{h}^{u_3^{\left(i\right)}}{h}_2^{u_4^{\left(i\right)}}{X}_1^{u_5^{\left(i\right)}}{Y}_1^{u_6^{\left(i\right)}}\prod _{k=1}^{q_{S_1}}{\left(R_1^{\left(k\right)}\right)}^{u_{7,k}^{\left(i\right)}}\hfill \\ \hfill & =g^{u_1^{\left(i\right)}+x_1^{*}{u}_5^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,1}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}}{h}^{u_3^{\left(i\right)}+x_1^{*}{u}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,1}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}}\hfill \\ \hfill & g_2^{u_2^{\left(i\right)}+x_2^{*}{u}_5^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}}{h}_2^{u_4^{\left(i\right)}+x_2^{*}{u}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}},\hfill \\ \hfill Y_i& =g^{v_1^{\left(i\right)}}{g}_2^{v_2^{\left(i\right)}}{h}^{v_3^{\left(i\right)}}{h}_2^{v_4^{\left(i\right)}}{X}_1^{v_5^{\left(i\right)}}{Y}_1^{v_6^{\left(i\right)}}\prod _{k=1}^{q_{S_1}}{\left(R_1^{\left(k\right)}\right)}^{v_{7,k}^{\left(i\right)}}\hfill \\ \hfill & =g^{v_1^{\left(i\right)}+x_1^{*}{v}_5^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,1}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}}{h}^{v_3^{\left(i\right)}+x_1^{*}{v}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,1}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}}\hfill \\ \hfill & g_2^{v_2^{\left(i\right)}+x_2^{*}{v}_5^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}}{h}_2^{v_4^{\left(i\right)}+x_2^{*}{v}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}}.\hfill \end{array}$$

By combining the above equations, we can derive the equation $g^{A_1}{h}^{A_2}{g}_2^{B_1}{h}_2^{B_2}=1$, where variables $B_1$ and $B_2$ are defined as follows

$$\begin{array}{cc}\hfill B_1=& m^{*}(s_2^{*}-x_2^{*}{a}_1{c}^{*})-\left(z_2+x_2^{*}{z}_5+\sum _{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{z}_{7,k}\right)-\hfill \\ \hfill & \sum _{i=2}^n\left(u_2^{\left(i\right)}+x_2^{*}{u}_5^{\left(i\right)}+\sum _{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}\right)\left(m^{*}{a}_i{c}^{*}\right)-\hfill \\ \hfill & \sum _{i=2}^n\left(v_2^{\left(i\right)}+x_2^{*}{v}_5^{\left(i\right)}+\sum _{k=1}^{q_{S_1}}{m}^{\left(k\right)}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}\right)\left(a_i{c}^{*}\right),\hfill \\ \hfill B_2=& (s_2^{*}-x_2^{*}{a}_1{c}^{*})-\left(z_4+x_2^{*}{z}_6+\sum _{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{z}_{7,k}\right)-\hfill \\ \hfill & \sum _{i=2}^n\left(u_4^{\left(i\right)}+x_2^{*}{u}_6^{\left(i\right)}+\sum _{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}\right)\left(m^{*}{a}_i{c}^{*}\right)-\hfill \\ \hfill & \sum _{i=2}^n\left(v_4^{\left(i\right)}+x_2^{*}{v}_6^{\left(i\right)}+\sum _{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}\right)\left(a_i{c}^{*}\right).\hfill \end{array}$$

Now, we analyze the conditions to satisfy $B_2\equiv 0modp$. From Lemma 4, we know that $x_2^{*}$ and $\left\{r_{1,2}^{\left(k\right)}\right\}$ are statistically hidden to the adversary. To satisfy $B_2\equiv 0modp$, the term $x_2^{*}{a}_1{c}^{*}$ of $B_2$ that is not directly controlled by the adversary should be cancelled out. To analyze this, we consider the following three cases:

• Case 1: Let $BA{D}_1$ be an event that $x_2^{*}{a}_1{c}^{*}$ is cancelled by $\left(z_4+x_2^{*}{z}_6+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{z}_{7,k}\right)$. Recall that the term $\left(z_4+x_2^{*}{z}_6+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{z}_{7,k}\right)$ is associated with the group element $A{R}^{*}$. In the signing algorithm, $c^{*}$ is the output of a hash function $H_2$ that takes $A{R}^{*}$ as an input, and $H_2$ is modeled as a random oracle. Thus, $c^{*}$ is a random value independent of $A{R}^{*}$ by the property of the random oracle. This means that the probability of $BA{D}_1$ is at most $1/p$.
• Case 2: Let $BA{D}_2$ be the event that $x_2^{*}{a}_1{c}^{*}$ is cancelled by ${\sum }_{i=2}^n\left(u_4^{\left(i\right)}+x_2^{*}{u}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}\right)\left(m^{*}{a}_i{c}^{*}\right)+{\sum }_{i=2}^n\left(v_4^{\left(i\right)}+x_2^{*}{v}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}\right)\left(a_i{c}^{*}\right)$. Recall that the terms $\left(u_4^{\left(i\right)}+x_2^{*}{u}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}\right)$ and $\left(v_4^{\left(i\right)}+x_2^{*}{v}_6^{\left(i\right)}+{\sum }_{k=1}^{q_{S_1}}{r}_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}\right)$ are associated with the group elements $X_i$ and $Y_i$, respectively. In the key aggregation algorithm, $a_1$ is the output of a hash function $H_2$ that takes $LK=(P{K}_1,\dots ,P{K}_n)$ and $P{K}_i=(PP,X_i,Y_i)$ as inputs, and $H_3$ is modeled as a random oracle. Thus, $a_1$ is a random value independent of $LK$ and $P{K}_i$ by the property of the random oracle. This means that the probability of $BA{D}_2$ is at most $1/p$.
• Case 3: Let $BA{D}_3$ be the event that the term $x_2^{*}{a}_1{c}^{*}$ is cancelled by $s_2^{*}$. Recall that the term $s_2^{*}$ is the output of the adversary as the forged multi-signature and $x_2^{*}$ is statistically hidden to the adversary. The only way to cancel out this term is for the adversary to construct a forged multi-signature by combining the simulated signatures $\left\{(s_{1,1}^{\left(k\right)},s_{1,2}^{\left(k\right)})\right\}$ given from the second-round signature queries since the reduction algorithm simply constructs a partial signature $s_2^{\left(k\right)}=r_{1,2}^{\left(k\right)}+x_2^{*}{a}_1{c}^{\left(k\right)}$ by using the hidden private key element $x_2^{*}$. In this case, the term $(s_2^{*}-x_2^{*}{a}_1{c}^{*})$ additionally contains a statistically hidden random exponent $r_{1,2}^{\left(k\right)}$ from the commitment $R_1^{\left(k\right)}$ for some k. Thus, there should exist an index $k\in \{1,\dots ,q_{S_1}\}$ such that $z_{7,k}\not\equiv 0modp$ since ${\mathcal{A}}_{alg}$ is an algebraic adversary that submits a group element with a representation of group elements given to the adversary.
  From the conditions $B_1+{\mathrm{dlog}}_g\left(h\right)B_2\equiv 0modp$ and $B_2\equiv 0modp$ of the Type-3 adversary, we have that $B_1\equiv B_2\equiv 0modp$. By combining $B_1$ and $B_2$, we have the following equation

  $$\begin{array}{cc}\hfill & -B_1+m^{*}{B}_2\hfill \\ \hfill & \equiv \left(z_2+x_2^{*}{z}_5-m^{*}(z_4+x_2^{*}{z}_6)+\sum _{k=1}^{q_{S_1}}(m^{\left(k\right)}-m^{*})r_{1,2}^{\left(k\right)}{z}_{7,k}\right)+\hfill \\ \hfill & \sum _{i=2}^n\left(u_2^{\left(i\right)}+x_2^{*}{u}_5^{\left(i\right)}-m^{*}(u_4^{\left(i\right)}+x_2^{*}{u}_6^{\left(i\right)})+\sum _{k=1}^{q_{S_1}}(m^{\left(k\right)}-m^{*})r_{1,2}^{\left(k\right)}{u}_{7,k}^{\left(i\right)}\right)\left(m^{*}{a}_i{c}^{*}\right)+\hfill \\ \hfill & \sum _{i=2}^n\left(v_2^{\left(i\right)}+x_2^{*}{v}_5^{\left(i\right)}-m^{*}(v_4^{\left(i\right)}+x_2^{*}{v}_6^{\left(i\right)})+\sum _{k=1}^{q_{S_1}}(m^{\left(k\right)}-m^{*})r_{1,2}^{\left(k\right)}{v}_{7,k}^{\left(i\right)}\right)\left(a_i{c}^{*}\right)\hfill \\ \hfill & \equiv 0modp.\hfill \end{array}$$
  Since $z_{7,k}\not\equiv 0modp$ for some k and $r_{1,2}^{\left(k\right)}$ is statistically hidden to the adversary, the above equation can be reshaped as a degree-one polynomial $C_1{r}_{1,2}^{\left(k\right)}+C_0\equiv 0modp$ where a coefficient $C_1$ is expressed as

  $$\begin{array}{c}\hfill C_1=(m^{\left(k\right)}-m^{*})\left(z_{7,k}+\sum _{i=2}^n{u}_{7,k}^{\left(i\right)}\left(m^{*}{a}_i{c}^{*}\right)+\sum _{i=2}^n{v}_{7,k}^{\left(i\right)}\left(a_i{c}^{*}\right)\right).\end{array}$$
  By the Schwartz–Zippel lemma, the probability of the above polynomial to be zero is at most $1/p$ if $r_{1,2}^{\left(k\right)}$ is randomly selected and $C_1\not\equiv 0modp$. By the restrictions of the security model 5, we have $M^{*}\notin Q$. The probability that $m^{\left(k\right)}-m^{*}\equiv 0modp$ for some k when $M^{*}\notin Q$ is bounded by $q_{S_1}/p$ since $H_1$ is modeled as a random oracle. The probability that $z_{7,k}+{\sum }_{i=2}^n{u}_{7,k}^{\left(i\right)}\left(m^{*}{a}_i{c}^{*}\right)+{\sum }_{i=2}^n{v}_{7,k}^{\left(i\right)}\left(a_i{c}^{*}\right)\equiv 0modp$ is bounded by $1/p$ since $c^{*}$ is the output of $H_2$ when $A{R}^{*}$, $X_i$, and $Y_i$ are given as inputs where $z_{7,k},u_{7,k}^{\left(i\right)},v_{7,k}^{\left(i\right)}$ are associated with $A{R}^{*},X_i,Y_i$, respectively. Thus, the probability that $C_1\equiv 0modp$ is bounded by $(q_{S_1}+1)/p$. This means that the probability of $BA{D}_3$ is at most $(q_{S_1}+2)/p$.

The success probability of the adversary is bounded by the probability of all bad events, and the probability of all bad events are bounded as

$$\begin{array}{cc}\hfill Pr\left[BAD\right]\le & Pr\left[BA{D}_1\right]+Pr\left[BA{D}_2\right]+Pr\left[BA{D}_3\right]\le (q_{S_1}+4)/p.\hfill \end{array}$$

This completes our proof. □

3.4. Discussion

Multi-Signatures with Proofs of Possession. Our MS scheme requires $2n$ exponentiations to aggregate the public keys of co-signers. As suggested by the previous studies [35], if public keys additionally include the proofs of possession of private keys, it is possible to simply aggregate all public keys of co-signers by multiplying these public keys without using expensive exponentiations. At this time, the security model that requires the proof of possession of a private key is a weaker model than the plain public-key model.

Synchronized Multi-Signature. If co-signers participating in multi-signature share the same information that is synchronized with each other, such as time or session count, it is possible for co-signers to create a commitment by using the synchronized information instead of using a message [31]. As an example, in the consensus protocol of a blockchain, the information of a previous block can be used as synchronization information. If such synchronized information exists, the signers can compute the commitment in advance and share it before a message to be signed is provided.

4. Performance Analysis

In this section, we analyze the public key and signature size of our MS scheme on a popular elliptic curve and estimate the performance of the algorithms of our MS scheme. To estimate the performance of basic operations in the elliptic curve, we use a laptop with Intel Core i7-1185G7 3.0 GHz CPU and 16.0 GB RAM running the Windows 11 operating system. That is, we first measure the performance of basic operations in the laptop and estimate the performance of the algorithms of our MS scheme based on this.

For the underlying elliptic curve, we choose secp256k1 used in Bitcoin because it allows for efficient computation compared to other elliptic curves and less possibility of backdoors. In this elliptic curve, the prime order p is 256 bits in size, the uncompressed generator g is 512 bits in size, and the compressed generator g is 257 bits in size. We use the secp256kfun library implemented in Rust language to measure the performance of group multiplication and exponentiation of the secp256k1 elliptic curve. Additionally, we use the sha2 library implemented in Rust language to measure the performance of a hash function. The details of the elliptic curve groups and the benchmark of basic operations are given in

Table 2. Elliptic curve group sizes and basic operations.

Curve	${\mathbb{Z}}_{\mathit{p}}$	$\mathbb{G}$	M	E	H
secp256k1	256-bit	257-bit	0.003	0.758	0.003

We use M for multiplication, E for exponentiation, and H for sha256 hash. All operations are measured in milliseconds.

.

The asymptotic comparison of our MS scheme with other MS schemes is given in

Table 3. Key size, signature size, and algorithm analysis of MS schemes.

Scheme	PK	AK	PS	MS	GenKey	AggKey	Sign	Verify
MuSig [3]	$\mathbb{G}$	$\mathbb{G}$	$\mathbb{G}+2{\mathbb{Z}}_p$	$\mathbb{G}+{\mathbb{Z}}_p$	1E	nE + nM + nH	1E + nM	2E
MuSig2 [16]	$\mathbb{G}$	$\mathbb{G}$	$2\mathbb{G}+{\mathbb{Z}}_p$	$\mathbb{G}+{\mathbb{Z}}_p$	1E	nE + nM + nH	4E + nM	2E
Ours	2$\mathbb{G}$	2$\mathbb{G}$	$\mathbb{G}+2{\mathbb{Z}}_p$	$3{\mathbb{Z}}_p$	4E	$2n$E + $2n$M + nH	4E + nM	6E

Let n be the number of co-signers. We denote PK for public key, AK for aggregated key, PS for partial signature of a co-signer in the signing process, and MS for multi-signature. We use symbols M for multiplication, E for exponentiation, and H for hash.

. For this comparison, we select the MuSig scheme of Maxwell et al. [3] since it is the first three-round MS scheme that supports key aggregation and the MuSig2 scheme of Nick et al. [16] since it is the most efficient two-round MS scheme with key aggregation. In our MS scheme, a public key PK consists of two elements in $\mathbb{G}$ and an aggregate key AK consists of two elements in $\mathbb{G}$. A signing algorithm is a protocol in which multiple co-signers participate. A partial signature PS that must be transmitted to other co-signers consists of one element in $\mathbb{G}$ and two elements in ${\mathbb{Z}}_p$, and the final multi-signature MS consists of three elements in ${\mathbb{Z}}_p$. Thus, PK and AK are 66 bytes each, and MS is 96 bytes. In MuSig and MuSig2 schemes, a public key consists of one element in $\mathbb{G}$ and a multi-signature consists of one element in $\mathbb{G}$ and one element in ${\mathbb{Z}}_p$. Thus, PK and MS of the MuSig and MuSig2 schemes are 33 bytes and 65 bytes, respectively. Compared to other MS schemes, our MS scheme has a slightly larger size in the public key and multi-signature.

Our MS scheme consists of four main algorithms: GenKey, AggKey, Sign, and Verify. In Table 3, we analyze the approximate performance of these algorithms in terms of the number of co-signers and basic operations. In our MS scheme, the GenKey algorithm consists of 4 exponentiations, and the AggKey algorithm consists of $2n$ exponentiations, $2n$ multiplications, and n hashes, so the number of basic operations increases linearly depending on the number of co-signers. The Sign algorithm consists of 4 exponentiations and n multiplications, excluding the communication overhead between co-signers since the communication overhead varies depending on the network environment, and the Verify algorithm consists of 6 exponentiations. In this case, we assume that the aggregation key is given as an input to the Sign and Verify algorithms, so these algorithms do not calculate the aggregation key again.

In

Table 4. Estimated algorithm performance analysis of MS schemes.

Scheme	Co-Signers n	20	50	100	200	500	1000
MuSig2 [16]	GenKey	0.758	0.758	0.758	0.758	0.758	0.758
	AggKey	15.28	38.2	76.4	152.8	382	764
	Sign	3.092	3.182	3.332	3.632	4.532	6.032
	Verify	1.516	1.516	1.516	1.516	1.516	1.516
Ours	GenKey	3.032	3.032	3.032	3.032	3.032	3.032
	AggKey	30.5	76.25	152.5	305	762.5	1525
	Sign	3.092	3.182	3.332	3.632	4.532	6.032
	Verify	4.548	4.548	4.548	4.548	4.548	4.548

Let n be the number of co-signers. We estimate the performance in milliseconds.

, we analyze how the performance of the algorithms of our MS scheme and the MuSig2 scheme change as the number of co-signers changes. To this end, we estimate the performance of these algorithms by combining the performance analysis of the basic operation in Table 2 and the algorithm analysis in Table 3. In our MS scheme, the estimated running time of the GenKey and Verify algorithms are 3.032 milliseconds and 4.548 milliseconds, respectively, since they are independent of the number of co-signers. The estimated running time of the AggKey algorithm that generates an aggregate key of co-signers increases in proportion to the number of co-signers, but it can be done within 1.525 s even for $n=1000$. Therefore, it is not a problem since the generated aggregate key can be reused again without needing to regenerate it. The estimated running time of the Sign algorithm is efficient because it takes 6.032 milliseconds even for $n=1000$, excluding the communication overhead between co-signers.

5. Conclusions

In this paper, we proposed a new PKS scheme and a two-round MS scheme by modifying the Okamoto signature scheme. In addition, we proved the unforgeability of these PKS and MS schemes under the discrete logarithm assumption in the AGM and the non-programmable ROM. Our proposed MS scheme is the first two-round MS scheme from Okamoto signatures. One drawback of our MS scheme is that the tight security reduction is proven in the AGM. Thus, it is an interesting problem to devise an efficient two-round MS scheme with tight security reduction without relying on the AGM.