Accountable-subgroup multisignatures: extended abstract
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
Efficient Identification and Signatures for Smart Cards
CRYPTO '89 Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology
Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing
CRYPTO '91 Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology
Short Signatures from the Weil Pairing
Journal of Cryptology
SRDP: Securing Route Discovery in DSR
MOBIQUITOUS '05 Proceedings of the Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services
Secure acknowledgment aggregation and multisignatures with limited robustness
Computer Networks: The International Journal of Computer and Telecommunications Networking - Web dynamics
Multi-signatures in the plain public-Key model and a general forking lemma
Proceedings of the 13th ACM conference on Computer and communications security
Aggregate and verifiably encrypted signatures from bilinear maps
EUROCRYPT'03 Proceedings of the 22nd international conference on Theory and applications of cryptographic techniques
Communication-efficient non-interactive proofs of knowledge with online extractors
CRYPTO'05 Proceedings of the 25th annual international conference on Advances in Cryptology
Efficient discrete logarithm based multi-signature scheme in the plain public key model
Designs, Codes and Cryptography
Key Evolution Systems in Untrusted Update Environments
ACM Transactions on Information and System Security (TISSEC)
Secret handshakes with revocation support
ICISC'09 Proceedings of the 12th international conference on Information security and cryptology
Non-interactive multisignatures in the plain public-key model with efficient verification
Information Processing Letters
Non-interactive CDH-based multisignature scheme in the plain public key model with tighter security
ISC'11 Proceedings of the 14th international conference on Information security
Identity-Based aggregate and multi-signature schemes based on RSA
PKC'10 Proceedings of the 13th international conference on Practice and Theory in Public Key Cryptography
Multisignatures allow n signers to produce a short joint signature on a single message. Multisignatures were achieved in the plain model with a non-interactive protocol in groups with bilinear maps, by Boneh et al., and with a three-round protocol under the Discrete Logarithm (DL) assumption, by Bellare and Neven, with multisignature verification cost of, respectively, O(n) pairings or exponentiations. In addition, multisignatures with O(1) verification were shown in the so-called Key Verification (KV) model, where each public key is accompanied by a short proof of well-formedness, again either with a non-interactive protocol using bilinear maps, by Ristenpart and Yilek, or with a three-round protocol under the Diffie-Hellman assumption, by Bagherzandi and Jarecki. We improve on these results in two ways. First, we show a two-round O(n)-verification multisignature secure under the DL assumption in the plain model, improving on the three-round protocol of Bellare-Neven. Second, we show a two-round O(1)-verification multisignature secure under the DL assumption in the KV model, improving on assumptions and/or communication rounds of the schemes of Ristenpart and Yilek and Bagherzandi and Jarecki. Exact security of both schemes matches (in ROM) that of Schnorr signatures. The reduced round complexity is due to a new multiplicatively homomorphic equivocable commitment scheme, which can be of independent interest. Moreover, our KV model scheme is enabled by a generalized forking lemma, which shows that standard non-interactive zero-knowledge (NIZK) proofs of knowledge in ROM admit efficient simultaneous post-execution extraction of witnesses of all proof instances. As a consequence of this lemma, any DL-based multisignature secure in the so-called Knowledge-of-Secret-Key model can be implemented in the KV model using standard ROM-based NIZKs of DL as proofs of key well-formedness.