[go: up one dir, main page]

What a lovely hat

Is it made out of tin foil?

Paper 2025/943

On the Adaptive Security of Key-Unique Threshold Signatures

Elizabeth Crites, Web3 Foundation
Chelsea Komlo, University of Waterloo, NEAR One
Mary Maller, Ethereum Foundation, PQShield
Abstract

In this work, we investigate the security assumptions required to prove the adaptive security of threshold signatures. Adaptive security is a strong notion of security that allows an adversary to corrupt parties at any point during the execution of the protocol, and is of practical interest due to recent standardization efforts for threshold schemes. Towards this end, we give two different impossibility results. We begin by formalizing the notion of a key-unique threshold signature scheme, where public keys have a unique correspondence to secret keys and there is an efficient algorithm for checking that public keys are well-formed. Key-uniqueness occurs in many threshold schemes that are compatible with standard, single-party signatures used in practice, such as BLS, ECDSA, and Schnorr signatures. Our first impossibility result demonstrates that it is impossible to prove the adaptive security of any key-unique threshold signature scheme under any non-interactive computational assumption for a broad class of reductions, in the range $⌊t/2⌋< t_c ≤ t$, where $n$ is the total number of parties, $t_c$ is the number of corrupted parties, and $t+ 1$ is the threshold. We begin by ruling out full adaptive security (i.e., $t_c = t$ corruptions) for key-unique threshold signatures under non-interactive computational assumptions, including, but not limited to, the discrete logarithm (DL), computational Diffie-Hellman (CDH), and q-Strong Diffie-Hellman (q-SDH) assumptions. We then generalize this impossibility result for all $t_c$ such that $⌊t/2⌋< t_c ≤ t$. Our second impossibility result applies specifically to key-unique threshold Schnorr signatures, currently an active area of research. We demonstrate that, even under the interactive computational assumptions One-More Discrete Logarithm (OMDL) and Algebraic OMDL (AOMDL), it is impossible to prove adaptive security for $⌊t/2⌋< t_c ≤ t$ in the programmable ROM with rewinding. Taken together, our results underscore the difficulty of achieving adaptive security for key-unique threshold signatures. However, we believe this work can open a new line of research, by indicating assumptions and properties to aim for when constructing adaptively secure threshold schemes.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
adaptive securitythreshold signaturesmetareduction
Contact author(s)
elizabeth_crites @ alumni brown edu
ckomlo @ uwaterloo ca
mary maller @ ethereum org
History
2025-05-28: last of 2 revisions
2025-05-23: received
See all versions
Short URL
https://ia.cr/2025/943
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2025/943,
      author = {Elizabeth Crites and Chelsea Komlo and Mary Maller},
      title = {On the Adaptive Security of Key-Unique Threshold Signatures},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/943},
      year = {2025},
      url = {https://eprint.iacr.org/2025/943}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.