MuSig2: simple two-round Schnorr multi-signatures (Q2120074): Difference between revisions

In [\textit{M. Drijvers} et al., ``On the security of two-round multi-signatures'', in: Proceedings of the 2019 IEEE symposium on security and privacy, SP'19. Los Alamitos, CA: IEEE Computer Society. 1084--1101 (2019; \url{doi:10.1109/SP.2019.00050})] it was shown, that all previously proposed two-round multi-signature schemes which allow a group of signers to produce a joint signature on a joint message using the discrete logarithm problem (Schnorr signature) cannot be proven secure and are vulnerable to attacks with subexponential complexity. In the same paper, a secure two-round scheme was proposed, but by this scheme signatures are produced more than twice larger then Schnorr signatures. Here, a new two-round multi-signature scheme is proposed, which is secure under concurrent signing sessions, supports key aggregation, produces ordinary Schnorr signatures and has similar signer complexity as ordinary Schnorr signatures. A lower bound (in terms of bit length for group elements presentation) for the reduction of complexity is derived to one more discrete logarithm problem. For the entire collection see [Zbl 1483.94004].