Robust Threshold Schnorr Signatures

Abstract

Digital signatures are cryptographic mechanisms that provide a way to verify the authenticity, integrity and origin of a digital message. Unlike in the single-party setting, multi- and threshold signatures require cooperation among multiple signers each holding a share of a common private key. Multi-signatures allow a group of signers to jointly produce a compact signature, indistinguishable from a single-party one, thereby optimizing space and verification efficiency. Threshold signatures extend this idea, enabling any subset of signers meeting a predefined threshold (symbolized as t) to collaboratively generate a valid signature. Multi- and threshold signatures are desired due to their increased security in contrast to single-party signatures. However, in order for real-world applications to adopt such schemes, it is vital that they follow some very important properties that will cover the needs of real-world applications as well as being as efficient as possible by minimizing the amount of communication and computation needed. In this thesis, we take a look at multiple multi- and threshold signatures schemes focusing on the domain of Schnorr signatures. We look at security threats, definitions of security in different settings and compare schemes as we go along. We also discuss applications and look at real-world systems where such schemes are used. Moreover, we present a new novel wrapper protocol that adds robustness (i.e the guarantee that t honest signers are able to obtain a valid signature even in the presence of other malicious signers who try to disrupt the protocol) to the adaptively secure Sparkle+ threshold signing scheme in the asynchronous setting. We call our wrapper protocol Sparkling ROAST (it is based on the ROAST wrapper protocol for the FROST signing scheme). We look at two versions on Sparkling ROAST : the first guarantees robustness when t honest signers are present and needs at most O(n^2) internal sessions while the second guarantees robustness in at most O(n) internal sessions but requires f ·(t−1)/2 + t honest signers instead of t (where f is the number of adversarial members). Finally, we discuss how Sparkling ROAST can be extended to other schemes with even more rounds, as long as said schemes provide identifiable aborts.