
1 Introduction

The Guillou-Quisquater signature, also called the GQ signature, was proposed by Guillou and Quisquater in 1988 [21]. Together with the Schnorr signature [34], GQ is among the most efficient and best-known Fiat-Shamir [15] follow-ons. GQ has applications in cryptographic protocols such as forward-secure signatures [27], identity-based signatures with bounded life-span [13], distributed certificate status protocols [40], a distributed authentication algorithm for mobile ad-hoc networks [37], and the GQ1 (identity-based) and GQ2 schemes of the ISO/IEC 14888-2 standard [25]. GQ has already been used to construct distributed signing protocols, including multi-signature schemes [1, 2, 12, 35] and threshold signature schemes [10, 29, 36]. Nevertheless, GQ’s application scenarios and research discussion are still rather limited compared with Schnorr and ECDSA, the two most widely used digital signature schemes, by virtue of Schnorr’s great simplicity and ECDSA’s adoption in blockchains such as Bitcoin and Ethereum.

Drawbacks of RSA-based GQ. One obvious flaw of all the aforementioned GQ applications is that they require a trusted setup to generate the public/private key pair: two large primes p and q are generated secretly and \(n=pq\) is published as the modulus. This is prohibitive for practical adoption of GQ in trustless environments like public blockchains or digital wallets, where no trusted third party (TTP) is involved. In 2000, Hamdy and Möller [22] informally pointed out that the class groups of imaginary quadratic fields (IQC) proposed by Buchmann and Williams [6] can be applied to the GQ signature, thus shedding light on how to remove the RSA trapdoor from GQ, i.e., by replacing the RSA group with a class group. Yet such a class group based GQ signature lacks a formal definition and a rigorous proof of EUF-CMA (Existential Unforgeability under Chosen Message Attack) security under a suitable hardness assumption. Another shortcoming of GQ protocols is bandwidth: every element of the RSA group with modulus n has to be represented by a 3072-bit string for 128-bit security, which is costly, especially in a multi-user setting. On the class group side, to achieve 128-bit security a group element only needs a tuple (a, b) that can be represented by a 1665-bit string, with a 1665-bit discriminant \(\varDelta \) that only needs to be declared once. Thus, switching from the RSA group to a class group saves 45.8% of the bandwidth per group element, which makes applying GQ in a trustless distributed setting more appealing.

Multi-signature and its Applications. Multi-signatures were first proposed in [26]: a joint signing protocol that allows a group of signers to collaboratively generate a compact signature on a common message, with the requirement that verification time and signature size are constant. Two important applications of multi-signatures are digital wallets and asset custody. A digital wallet usually requires its user to split the secret key across multiple devices and use all (or some) of them to transfer the currency held. Asset custody is a bank service for protecting a customer’s currencies or real assets. For security, no single entity (bank, customer, or third-party institution) should be able to access the secret key directly, especially when a large amount of currency is protected, so the secret key should likewise be divided into multiple shares. Two major concerns arise: can we resist misbehaving devices/parties? And can we identify who is misbehaving?

Intuitions. In this work, we focus on constructing a trustless multi-signature scheme with key aggregation and identifiable abort. The trustless property requires an untrusted setup and security against any number of malicious participants during all phases (both key setup and signing). Although the dishonest majority model in [20] captures this security requirement well, an abort is not a violation of its security definition, so a malicious adversary can easily mount a DoS (Denial of Service) attack on the system. We therefore require the identifiable abort property defined in [24], which ensures that the identities of the malicious participants causing the abort are detectable by any participant or external entity; this matters for detecting broken or hacked devices, or misbehaving banks or institutions, that cause the joint signing to fail. Additionally, we want our scheme to support key aggregation, meaning that a verifier only needs an aggregated public key, rather than the full list of public keys (or key shares), to verify a signature, saving computation and storage on devices with limited resources. In this work, we give a practical solution with provable security and promising efficiency using GQ and class groups.

1.1 Related Work

We now review the multiparty signature protocols built on top of GQ, Schnorr and ECDSA in recent years.

The state-of-the-art (identity-based) GQ multi-signature was proposed by Bellare and Neven (CT-RSA 2006 [2]). It is highly efficient in computation and proved secure using the forking lemma, although its bandwidth is heavier than that of the Schnorr-based multi-signatures discussed below. However, it adopts a fragile security model in which all signers are required to be honest, which is unrealistic in the presence of dishonest adversaries. We do not consider the key aggregation property for it, since it is an identity-based scheme in which a single master secret key is used by a trusted centre to initialize the system.

Table 1. Comparison with existing multiparty signing schemes. rds abbreviates rounds; n denotes the number of signing parties; a round in which each party may broadcast and send point-to-point messages is counted as one round.

Bellare and Neven proposed an efficient Schnorr multi-signature scheme (ACM-CCS 2006 [1]) in the plain public-key model, allowing the existence of dishonest signers, but it does not support key aggregation. In the plain public-key model, security against rogue-key attacks can be achieved without relying on the KOSK (Knowledge of Secret Key) assumption used in [4, 30], and accordingly some burdensome computation is avoided. Maxwell et al. adopted the same plain public-key model and proposed a variant of Bellare and Neven’s Schnorr multi-signature, called MuSig, which adds key aggregation [31] (DCC 19). Later on, MuSig2 [33] and MuSig-DN [32] were proposed, both of which reduce the round complexity of MuSig from 3 rounds to 2. However, MuSig and MuSig2 suffer a considerable reduction loss caused by the double-forking technique [31], and MuSig-DN achieves deterministic signing at the cost of expensive zero-knowledge proofs. None of the above GQ and Schnorr schemes achieves identifiable abort, since there is no check on the correctness of either \(R_i\) or \(s_i\).

Lindell et al. proposed the first practical threshold ECDSA (ACM-CCS 2018 [28]) and, in parallel, Gennaro et al. proposed the first efficient threshold ECDSA construction with a game-based security proof (ACM-CCS 2018 [17]). An abundance of follow-up work [7, 9, 14, 16, 18, 39] has improved these two schemes in different aspects, such as waiving expensive range proofs, lowering the number of signing rounds, and adding identifiable abort. All the mentioned threshold ECDSA schemes operate in the dishonest majority model, which is much stronger than the plain public-key model, especially for decentralized and trustless settings. Gennaro and Goldfeder’s scheme [18] achieves an identifiable abort that attributes the failure to a specific phase. Ga̧gol et al.’s scheme [16] achieves identifiable abort only in the online signing phase, and is therefore marked with \((\surd )\) in the identifiable abort column of Table 1.

1.2 Contributions

We give a brief comparison between our proposed GQ multi-signature scheme and the above-mentioned multi-signature/threshold signature schemes in Table 1, which shows that our protocol is well-rounded: competitive signing round complexity (4 rounds of interaction), support for key aggregation and identifiable abort, and security in the dishonest majority model. Our construction enables a highly trustless digital wallet and asset custody. We summarize our contributions as follows.

(1) Formal definition and security proof for the class group based GQ signature (CL-GQ). Applying class groups to GQ makes it trapdoorless, as mentioned in [22], but no formal treatment was given. We first formalize the GQ signature over class groups of imaginary quadratic fields, identify a suitable hardness assumption for CL-GQ, the prime root assumption, and prove its existential unforgeability under chosen message attack (EUF-CMA) in the random oracle model (ROM) under the prime root assumption, which is implied by the root assumption in the generic group model of [11].

(2) Compact one-round NIZK proofs to resist malicious adversaries and achieve identifiable abort. In order to detect malicious behaviour during multi-party signing, and to let the protocol abort as soon as a malicious message is received (a timely identifiable abort attributable to the exact malicious message), we design two tailored ZK proofs, ZKPoKRoot and ZKPoKSig, following the 3 moves of the traditional \(\varSigma \)-protocol. They guarantee that every message sent during the interaction is verifiable. Our ZK proofs are highly efficient: no repetition is required thanks to a Bezout trick, even though the proofs work in a class group of unknown order, unlike the binary-challenge ZK proofs in [8, 9]. This Bezout trick also solves the open problem of how to accelerate the ZK proof of Paillier ciphertexts used in Yi’s blind ECDSA [38], which is illustrated in detail in the full version of this paper.

(3) Provably secure trustless CL-GQ multi-signature in the dishonest majority model. We generalize CL-GQ to a multi-user setting and combine the non-malleable equivocable commitment used in [9, 17] with our ZK proofs to build our trustless CL-GQ multi-signature scheme. Our scheme does not rely on any common reference string (CRS) produced by a trusted party. We reduce the unforgeability of our multi-signature in the dishonest majority model to the EUF-CMA security of CL-GQ in the ROM. Our proof enjoys a smaller reduction loss than [31, 33], since we only need one rewinding when reducing CL-GQ to the prime root assumption and no rewinding when reducing the CL-GQ multi-signature to CL-GQ, unlike the double-forking technique, which needs a two-layer rewinding framework; it is also much more concise than the proofs of the ECDSA schemes [9, 17], since our simulator does not need to distinguish non-semi-correct executions.

(4) Implementation and efficiency analysis. We implement our protocol in Rust to demonstrate its practical efficiency. One signer only needs 2.1/3.6 s to sign a document at the 112/128-bit security level in a 5-user setting. We also analyze the concrete bandwidth of our scheme. At 128-bit security, our protocol costs only 6 kB (kilobytes) and 10 kB of bandwidth for the interactive key generation and interactive signing phases respectively in a 5-signer setting. For signing, the bandwidth of our scheme is about one-third of that of [17], since we need neither the expensive range proofs required by Paillier encryption nor the tedious MtA (Multiplication-to-Addition) protocol required by the non-linear structure of ECDSA. Both running time and bandwidth are promising.

2 Preliminaries

2.1 Adversary Model and Security Definitions

Our proposed multi-signature scheme works in the dishonest majority model with static corruption, as used in [9, 17, 18, 28]. Following [19], we present a game-based definition of security analogous to EUF-CMA: multi-signature unforgeability under chosen message attacks (MU-CMA).

Dishonest Majority Model with Static Corruption. In the dishonest majority model, a majority of the participants may be malicious and arbitrarily deviate from the protocol, and an abort is not deemed a violation of security. We assume both a broadcast channel and point-to-point channels among all participants, and static corruption, i.e., the adversary selects the participants to corrupt before the protocol starts.

Definition 1 (Multi-signature Unforgeability)

Consider a multi-signature scheme \(\mathcal {MS}= (\mathsf{MKeyGen},\mathsf{MSign}, \mathsf{Verify})\) with N parties and a PPT malicious adversary \(\mathcal {A}\) who corrupts at most \(N-1\) players and is given the view of \(\mathsf{MKeyGen}\) and of \(\mathsf{MSign}\) on adaptively chosen messages, denoted by \(\mathcal {M}\), together with the corresponding signatures. The multi-signature scheme \(\mathcal {MS}\) is said to be existentially unforgeable (MU-CMA) if no such PPT adversary \(\mathcal {A}\) can produce, except with negligible probability, a valid signature on a message \(m \notin \mathcal {M}\).

2.2 Guillou-Quisquater Signature (GQ)

We review the original GQ signature scheme in [21].

  • KeyGen. Choose two large random primes p and q and compute \(n=pq\). Select an integer v s.t. \(0<v<\phi (n)\) and \(gcd(v, \phi (n)) = 1\), where \(\phi (n)\) is Euler’s totient function. Select a hash function \(H: \{0,1\}^* \rightarrow \mathbb {Z}_{v-1}\). Randomly select the secret key B from \(\mathbb {Z}_n\) and compute \( J = B^{-v} \bmod n\). Set \(PK = (n, v, J, H)\) and \(SK = (p, q, B)\).

  • Sign. Randomly select r from \(\mathbb {Z}_n\), then compute \(T=r^v \bmod n\), \( h = H(M,T) \) and \(t=r B^h \bmod n\), where M is the message to be signed. Output the signature \(\sigma =(t, h)\).

  • Verify. Upon receiving a signature \(\sigma =(t, h)\) on message M, compute \(T' = t^v J^h \bmod n\). If \(h = H(M, T')\), output 1; otherwise, output 0.

Correctness follows from \(T' = t^v J^h = (r B^h)^v J^h = r^v (J B^v)^h= r^v = T \bmod n\). According to [3], GQ identification is secure under the RSA-OMI (RSA one-more inversion) assumption, and after applying the Fiat-Shamir transformation the GQ signature is secure under the RSA-OMI assumption in the ROM (random oracle model).

RSA Trapdoor. Anyone who knows p and q, for example a malicious PKG, can easily obtain the secret key B from the public J by computing \(d = v^{-1} \bmod (p-1)(q-1)\) and then \( B= J^{-d} \bmod n\). This RSA trapdoor makes the GQ signature unusable in trustless scenarios.
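As an added worked example (not code from the paper), the following Python implements the RSA-based GQ scheme above together with the trapdoor recovery of B by whoever knows p and q. It uses a Miller-Rabin prime generator, SHA-256 reduced modulo v as H (so that h < v), and toy parameter sizes; the 3072-bit modulus the paper assumes for 128-bit security is what a real deployment needs.

```python
"""Toy Guillou-Quisquater (GQ) signature over an RSA group, plus the trapdoor.

Added illustration, not the paper's code. Parameter sizes are far below the
3072-bit modulus needed for 128-bit security; use only to follow the arithmetic.
"""
import hashlib
import math
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime with exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def H(msg: bytes, T: int, v: int) -> int:
    """Hash (M, T) to an exponent h < v, as GQ requires."""
    digest = hashlib.sha256(msg + b"|" + str(T).encode()).digest()
    return int.from_bytes(digest, "big") % v


def gq_keygen(modulus_bits: int = 1024, v_bits: int = 256):
    """KeyGen: PK = (n, v, J), SK = (p, q, B) with J = B^{-v} mod n."""
    p = random_prime(modulus_bits // 2)
    q = random_prime(modulus_bits // 2)
    while q == p:
        q = random_prime(modulus_bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    v = random_prime(v_bits)
    while phi % v == 0:          # v is prime, so gcd(v, phi) = 1 iff v does not divide phi
        v = random_prime(v_bits)
    B = random.randrange(2, n)
    while math.gcd(B, n) != 1:   # B must be invertible mod n
        B = random.randrange(2, n)
    J = pow(B, -v, n)            # Python >= 3.8: negative exponent means modular inverse
    return (n, v, J), (p, q, B)


def gq_sign(pk, sk, msg: bytes):
    """Sign: T = r^v, h = H(M, T), t = r * B^h (all mod n)."""
    n, v, _ = pk
    B = sk[2]
    r = random.randrange(2, n)
    T = pow(r, v, n)
    h = H(msg, T, v)
    return r * pow(B, h, n) % n, h


def gq_verify(pk, msg: bytes, sig) -> bool:
    """Verify: recompute T' = t^v J^h and check h == H(M, T')."""
    n, v, J = pk
    t, h = sig
    T_prime = pow(t, v, n) * pow(J, h, n) % n
    return h == H(msg, T_prime, v)


def rsa_trapdoor_recover(pk, p: int, q: int) -> int:
    """The trapdoor: with p, q known, d = v^{-1} mod phi(n) and B = J^{-d} mod n."""
    n, v, J = pk
    d = pow(v, -1, (p - 1) * (q - 1))
    return pow(J, -d, n)
```

`rsa_trapdoor_recover` is exactly the computation available to whoever generated n, which is why the paper replaces the RSA group by a group whose order nobody knows.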

2.3 Class Group of Imaginary Quadratic Field

Let \(-\varDelta \) be a random (large) \(\lambda \)-bit prime such that \(\varDelta \equiv 1 \bmod 4\). The ring \(\mathcal {O}_\varDelta = \mathbb {Z}+ \frac{\varDelta + \sqrt{\varDelta }}{2} \mathbb {Z}\) is the imaginary quadratic order of discriminant \(\varDelta \). Its field of fractions is \(\mathbb {Q} (\sqrt{\varDelta })\). The fractional ideals of \(\mathcal {O}_\varDelta \) are of the form \(q(a\mathbb {Z} + \frac{b+ \sqrt{\varDelta }}{2} \mathbb {Z})\) with \(q \in \mathbb {Q}, a \in \mathbb {Z}^+, b \in \mathbb {Z}\) and \(4a \mid (b^2-\varDelta )\). An ideal is integral if \(q = 1\), and it can be represented by the pair (a, b). Two fractional ideals \( \mathfrak {a}, \mathfrak {b}\) of \(\mathcal {O}_\varDelta \) are equivalent if \(\mathfrak {a} = \alpha \mathfrak {b}\) for some non-zero \(\alpha \in \mathbb {Q} (\sqrt{\varDelta })\). The set of equivalence classes forms an Abelian group under ideal multiplication, known as the class group of the imaginary quadratic order, CL(\(\varDelta \)). Sometimes we denote the group as \(D_i\), where \(i = -\varDelta \). Each equivalence class has a unique representative (a, b), obtained by a reduction algorithm, satisfying \(gcd(a,b,c)=1\), \(-a<b\le a\le c\), and \( b\ge 0\) if \(a = c\), where \(c = (b^2-\varDelta )/(4a)\). The class group is always finite, and its order is unknown, even to whoever generated \(\varDelta \). More details can be found in [22, 23].

3 GQ Signature Scheme Without Trapdoor (CL-GQ)

When we replace the RSA group by the class group of an imaginary quadratic field \(CL(\varDelta )\), the group order, and hence any factorization of it, is unknown even to the authority or user who generates the group. Hence the \(n=pq\) trapdoor is completely removed. The class group based GQ signature is presented below. The main difference between GQ and CL-GQ lies in the KeyGen phase, where v has to be a prime and the group is initialized by a prime \(-\varDelta \). Signing and verification are essentially the same as in GQ, except that modular arithmetic is replaced by class group operations, so no modulus has to be applied. We now describe the details.

  • KeyGen. Given the security parameter \(\lambda \), find a \(\lambda \)-bit prime \(-\varDelta \) s.t. \(\varDelta \equiv 1 \bmod 4\) and a \(\lambda \)-bit prime v. Randomly sample an element B from the class group \(CL(\varDelta )\) and compute \(J = B^{-v}\). Notice that the result of every multiplication and exponentiation in the class group should be brought to reduced form, both for uniqueness of representation and to lower the computation cost. Choose a hash function \(H:\{0,1\}^* \rightarrow \mathbb {Z}_{v-1}\). Set \(PK = (\varDelta , v, J, H)\) and \(SK = B\).

  • Sign. On input the secret key B and a message M, randomly select r from \(CL(\varDelta )\), then compute \(T=r^v\), \( h = H(M,T) \) and \(t=r B^{h}\). Output the signature \(\sigma =(t, h)\).

  • Verify. Upon receiving a signature \(\sigma =(t, h)\) of message M, compute \(T' = t^v J^h\) and \(h' = H(M, T')\). If \(h' = h\), output 1; otherwise, output 0.
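The following Python is an added example, not the paper's implementation: it implements class group arithmetic on reduced binary quadratic forms (reduction, Gauss composition following Cohen's Algorithm 5.4.7, inversion and exponentiation) and runs CL-GQ on top of it. Assumptions for the toy: \(\varDelta = 1 - 2^{127}\) (so \(-\varDelta = 2^{127}-1\) is prime and \(\varDelta \equiv 1 \bmod 4\), far below the 1665-bit discriminants the paper uses), \(v = 2^{89}-1\), and group elements are sampled as random powers of the prime form \((2, 1, 2^{124})\) rather than uniformly from \(CL(\varDelta )\). Every composition result is checked to have discriminant \(\varDelta \) before reduction.

```python
"""Toy class-group arithmetic and CL-GQ signing over CL(Delta).

Added illustration, not the paper's code. An ideal class is the unique reduced
form (a, b, c) with b^2 - 4ac = Delta; composition follows Cohen, Alg. 5.4.7.
Assumed toy parameters: Delta = 1 - 2^127, v = 2^89 - 1, elements sampled as
powers of one prime form (not uniform). Not secure at this size.
"""
import hashlib
import random


def egcd(a, b):
    """(g, x, y) with x*a + y*b = g = gcd(a, b); inputs non-negative."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def reduce_form(a, b, c, D):
    """Unique reduced representative: -a < b <= a <= c, and b >= 0 when a == c."""
    while True:
        b = a - ((a - b) % (2 * a))          # shift b into (-a, a]
        c = (b * b - D) // (4 * a)
        if a > c:
            a, b, c = c, -b, a               # (a, b, c) ~ (c, -b, a); renormalize
            continue
        return (a, b, c) if not (a == c and b < 0) else (a, -b, c)


def compose(f1, f2, D):
    """Gauss composition of two primitive forms of discriminant D, reduced."""
    (a1, b1, _), (a2, b2, c2) = f1, f2
    if a1 > a2:
        (a1, b1, _), (a2, b2, c2) = f2, f1
    s = (b1 + b2) // 2
    n = b2 - s
    if a2 % a1 == 0:
        y1, d = 0, a1
    else:
        d, y1, _ = egcd(a2, a1)               # y1*a2 + (.)*a1 = d
    if s % d == 0:
        y2, x2, d1 = -1, 0, d
    else:
        d1, u, w = egcd(abs(s), d)            # u*|s| + w*d = d1
        x2, y2 = (u if s > 0 else -u), -w
    v1, v2 = a1 // d1, a2 // d1
    r = (y1 * y2 * n - x2 * c2) % v1
    a3, b3 = v1 * v2, b2 + 2 * v2 * r
    num = c2 * d1 + r * (b2 + v2 * r)
    assert num % v1 == 0 and b3 * b3 - 4 * a3 * (num // v1) == D
    return reduce_form(a3, b3, num // v1, D)


def identity(D):
    return (1, 1, (1 - D) // 4)


def inverse(f, D):
    return reduce_form(f[0], -f[1], f[2], D)


def power(f, e, D):
    """Square-and-multiply in CL(D), e >= 0."""
    acc, base = identity(D), f
    while e:
        if e & 1:
            acc = compose(acc, base, D)
        base, e = compose(base, base, D), e >> 1
    return acc


DELTA = 1 - (1 << 127)     # -DELTA is a (Mersenne) prime and DELTA = 1 mod 4
V = (1 << 89) - 1          # prime exponent v
G = (2, 1, 1 << 124)       # prime form over 2: 1 - 4*2*2^124 = DELTA


def random_element(D=DELTA):
    return power(G, random.getrandbits(200), D)   # assumption: power of G, not uniform


def H(msg: bytes, T) -> int:
    return int.from_bytes(hashlib.sha256(msg + repr(T).encode()).digest(), "big") % V


def clgq_keygen():
    B = random_element()
    return (DELTA, V, power(inverse(B, DELTA), V, DELTA)), B    # J = B^{-v}


def clgq_sign(B, msg: bytes):
    r = random_element()
    T = power(r, V, DELTA)
    h = H(msg, T)
    return compose(r, power(B, h, DELTA), DELTA), h             # t = r * B^h


def clgq_verify(pk, msg: bytes, sig) -> bool:
    D, v, J = pk
    t, h = sig
    return h == H(msg, compose(power(t, v, D), power(J, h, D), D))   # T' = t^v J^h
```

Because `reduce_form` returns the unique reduced representative, equality of classes is plain tuple equality, which is what makes the check \(h = H(M, T')\) meaningful without any modular reduction.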

Security. Damgård and Koprowski [11] defined the root assumption in the generic group model as a generalization of the RSA assumption: given a group element \(x\in G\) and a number e, finding a group element y s.t. \(y^e=x\) is intractable, where G is a finite Abelian group in which inversion and multiplication can be computed efficiently. We define below a prime root assumption in class groups, which restricts the exponent to primes and is therefore directly implied by the root assumption. By Theorem 1, the EUF-CMA security of CL-GQ reduces to the prime root assumption in the ROM. Due to the page limit, all proofs except that of Theorem 1 are given in the full version of this paper.

Definition 2 (Prime root assumption)

We say that a class group of imaginary quadratic fields satisfies the prime root assumption if, for any efficient \(\mathcal {A}\),

$$ \Pr\Big[\, y^v = x \;:\; -\varDelta \xleftarrow{\$} \mathsf{Primes^*}(\lambda),\ v \xleftarrow{\$} \mathsf{Primes}(\lambda),\ x \xleftarrow{\$} CL(\varDelta),\ y \leftarrow \mathcal{A}(\varDelta, v, x) \,\Big] $$

is negligible in \(\lambda \), where \(\mathsf{Primes}(\lambda )\) is the set of primes less than \(2^\lambda \) and \(\mathsf{Primes^*}(\lambda )\) is the set of \(\lambda \)-bit primes which are equal to 3 modulo 4.

Theorem 1

If the prime root assumption holds and H is modeled as a random oracle, the CL-GQ signature is EUF-CMA secure.

Proof

Suppose \(\mathcal {B}\) is given a prime root problem instance \((\varDelta ,J^*, v)\), where \(J^*\) is an element of \(CL(\varDelta )\) and v is a prime. \(\mathcal {B}\) tries to find \(B^* \in CL(\varDelta )\) s.t. \({B^*}^v = J^*\) using an EUF-CMA adversary \(\mathcal {A}\) against the CL-GQ signature scheme.

Setup. \(\mathcal {B}\) prepares an empty list \(\mathcal {H}\) and writes \(\mathbb {Z}_p\) for the range of the hash function H. \(\mathcal {B}\) sends \((\varDelta , v, J^*,H)\) to adversary \(\mathcal {A}\) as the public key.

Oracle Query. \(\mathcal {B}\) answers the oracle queries as follows:

  • Sign: On input a message M, \(\mathcal {B}\) picks random \(t\in CL(\varDelta )\) and \(h \in \mathbb {Z}_p\), and computes \(T = t^v {J^*}^h\). \(\mathcal {B}\) stores \((h, T, M)\) in the list \(\mathcal {H}\). (If \(\mathcal {H}\) already contains an entry for (T, M) with a different h, \(\mathcal {B}\) picks another h, which changes T, and repeats.) \(\mathcal {B}\) returns \(\sigma = (t, h)\).

  • H: On input (T, M), if \((h, T, M)\) is in the list \(\mathcal {H}\) for some h, \(\mathcal {B}\) returns h. Otherwise, \(\mathcal {B}\) picks a random \(h \in \mathbb {Z}_p\), stores \((h, T, M)\) in \(\mathcal {H}\) and returns h.

Output. Finally \(\mathcal {A}\) outputs a message \(M^*\) and a forged signature \(\sigma ^* = (t^*, h^*)\). Since the forgery is valid, \(h^* = H(M^*, T^*)\) where \( T^* = {t^*}^v {J^*}^{h^*} \), and \(\mathcal {B}\) can compute \(T^*\) from the forgery.

\(\mathcal {B}\) rewinds \(\mathcal {A}\) to the point where \(H(M^*, T^*)\) was queried and returns a different answer \(h' \ne h^*\). \(\mathcal {B}\) eventually obtains another forgery \((t', h')\) from \(\mathcal {A}\) on the same \((M^*, T^*)\). Therefore \( {t^*}^v {J^*}^{h^*} = {t'}^v {J^*}^{h'} \), which can be rearranged to \( {J^*}^{h^*-h'} = (t'/{t^*}) ^ v. \)

Since v is prime and \(0 < |h^*-h'| < v\), we have \(gcd(v, h^*-h') = 1\). By Bezout’s identity there exists a pair of non-zero integers (k, m) with \(0 \le |k|\le v-1\) and \(0 \le |m| \le |h^*-h'| -1\), easily computed by the extended Euclidean algorithm, s.t.:

$$ m v - k (h^*-h') = gcd(v, h^*-h') = 1. $$

Raising the equation \({J^*}^{h^*-h'} = (t'/{t^*}) ^ v\) to the power k and substituting \(k(h^*-h') = mv - 1\), we have:

$$\begin{aligned} {J^*}^{k(h^*-h')}&= (t'/{t^*}) ^ {vk} \\ {J^*}^{m v - 1}&= (t'/{t^*}) ^ {vk} \\ {J^*}&= \{{J^*}^{ m} ({t^*}/t') ^ {k} \}^v \end{aligned}$$

Hence, \(\mathcal {B}\) successfully extracts \(B^* = {J^*}^{ m} ({t^*}/t') ^ {k} \) to solve the problem instance.    \(\square \)
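The extraction step of this proof, as an added example (not from the paper). The forger's two answers \((t^*, h^*)\) and \((t', h')\) on the same T are simulated by signing with the same r under two different hash values, and `extract_root` carries out the Bezout computation. Assumption: a stand-in RSA-type group with the constructed toy modulus \(n = (2^{127}-1)(2^{89}-1)\) and \(v = 2^{127}-1\) replaces the class group, so only the algebra of the extraction is demonstrated, not the hardness of the root problem.

```python
"""Forking-lemma (Bezout) extraction from the proof of Theorem 1.

Added illustration, not the paper's code. Two forgeries on the same T (the
random oracle was rewound and answered h1 != h2) yield a v-th root of J.
Assumption: the class group is replaced by a stand-in RSA-type group with the
constructed toy modulus n = (2^127 - 1)(2^89 - 1); only the extraction
algebra is shown, not the hardness of the root problem.
"""
import random

N = ((1 << 127) - 1) * ((1 << 89) - 1)   # toy modulus, product of two Mersenne primes
V = (1 << 127) - 1                       # prime exponent v; every h < v


def egcd(a: int, b: int):
    """Return (g, x, y) with x*a + y*b = g = gcd(a, b) > 0; b may be negative."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return (a, x0, y0) if a > 0 else (-a, -x0, -y0)


def two_forgeries_same_T(B: int, h1: int, h2: int, n: int = N, v: int = V):
    """Forger's side of the rewinding: same r, two oracle answers h1 != h2.

    Returns (T, (t1, h1), (t2, h2)) with t_i = r * B^h_i, both valid for T = r^v.
    """
    r = random.randrange(2, n)
    T = pow(r, v, n)
    return T, (r * pow(B, h1, n) % n, h1), (r * pow(B, h2, n) % n, h2)


def extract_root(J: int, t1: int, h1: int, t2: int, h2: int, n: int = N, v: int = V) -> int:
    """Given t1^v J^h1 == t2^v J^h2 (mod n) and h1 != h2, return y with y^v == J (mod n).

    The two verification equations give J^(h1-h2) = (t2/t1)^v. With Bezout
    coefficients m*v - k*(h1-h2) = 1 this becomes J = (J^m * (t1/t2)^k)^v.
    """
    d = h1 - h2
    g, m, y = egcd(v, d)                 # m*v + y*d = g
    assert g == 1, "gcd(v, h1-h2) = 1 holds because v is prime and 0 < |h1-h2| < v"
    k = -y                               # now m*v - k*d = 1
    ratio = t1 * pow(t2, -1, n) % n      # t1 / t2  (Python >= 3.8 modular inverse)
    return pow(J, m, n) * pow(ratio, k, n) % n
```

Note that the root recovered is \(B^{-1}\) when the forger used the honest key with \(J = B^{-v}\); the reduction only needs some v-th root of \(J^*\), which is exactly what the prime root problem asks for.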

4 Our Multi-signature Scheme

In this section, we give the construction of our multi-signature scheme, which is a trustless GQ multi-signature with identifiable abort, secure in the dishonest majority model. Both distributed key generation and distributed signing consist of six phases and either abort or output, respectively, a CRS or a valid signature. We also use two zero-knowledge proofs, ZKPoKRoot and ZKPoKSig, which are described in detail in the next section. Note that a plausible way to achieve a trustless setup would be Boneh’s distributed RSA key generation method [5], which does not reveal any signer’s secret information to the others. We did not adopt it for our GQ multi-signature because that key generation is only secure assuming all parties are honest, which contradicts our dishonest majority setting.

Parameters and Notations. For the 80/112/128-bit security levels, we set \(\lambda \) (the bit length of the discriminant \(\varDelta \) of the class group) to 958/1208/1665 according to the estimates in [22], and set \(\eta (\lambda )\) = 160/224/256 bits. Considering the requirement in [21] that h is smaller than v, h and v are \(\eta (\lambda )\) and \(\eta (\lambda )+1\) bits respectively. NextPrime(x) (resp. PrevPrime(x)) uses the Miller-Rabin primality test to return the nearest prime after (resp. before) x. NextPrime*(x) (resp. PrevPrime*(x)) returns the nearest prime r after (resp. before) x such that \(r \equiv 1 \bmod 4\). Com(x) is a non-malleable commitment to a value x, and Reveal(c, d) opens the non-malleable equivocal commitment c using the decommitment d.

Table 2. Interactive key generation protocol IKeyGen

4.1 Distributed Key Generation

Our distributed key generation algorithm (Table 2) either aborts or outputs a CRS. ZKPoKRoot guarantees that the public key \(J_i\) broadcast by party \(P_i\) is correctly generated. We describe the details as follows.

Phase 1. Each party \(P_i\) picks \(\delta _i\xleftarrow {\$} \{0,1\}^\lambda \) and \( v_i \xleftarrow {\$} \{0,1\}^{\eta (\lambda )+1}\). \(P_i\) computes the commitment \([c_i, d_i] \leftarrow \mathsf{{Com} }(\delta _i)\) and \([\hat{c_i}, \hat{d_i}] \leftarrow \mathsf{{Com} }(v_i)\). Each \(P_i\) broadcasts to all other parties the commitment \((c_i, \hat{c_i})\).

Phase 2. Each \(P_i\) broadcasts the decommitment \((d_i, \hat{d_i})\) to all other parties.

Phase 3. After each \(P_i\) has received all the \((\delta _j, v_j)\) generated by every \(P_j (j\ne i)\), the collaboratively generated \((\varDelta , v)\) is computed by \(\varDelta =\mathsf{{NextPrime^*}}(\oplus _{i=1}^{n} \delta _i)\) and \(v=\mathsf{{NextPrime}}(\oplus _{i=1}^{n} v_i)\). Then each \(P_i\) generates its key pair \((B_i, J_i)\) by \(B_i \xleftarrow {\$} CL(\varDelta )\) and \(J_i= B_i^{-v}\), computes the commitment \([c^*_i, d^*_i] \leftarrow \mathsf{{Com} }(J_i)\) and broadcasts \(c^*_i\) to all other parties.

Phase 4. Each \(P_i\) broadcasts the decommitment \(d^*_i\) along with a non-interactive zero-knowledge proof \(\pi _i\) for the relation \(\{(J_i,v):B_i| J_i = B^{-v}_i\}\) to all other parties.

Phase 5. Upon receiving \(\pi _j\) from \(P_j (j\ne i)\), each \(P_i\) checks the validity of \(\pi _j\). If the check passes, \(P_i\) accepts \( \pi _j\); otherwise, it aborts.

Phase 6. After each \(P_i\) has received all the \(\pi _j\) generated by every \(P_j (j\ne i)\) and verified them, the common J is computed as \(J = \prod _{i=1}^{n} J_i\). Each party \(P_i\) sets \(CRS = (\varDelta , v, J)\), \(PK_i =J_i\) and \(SK_i= B_i\).

Table 3. Interactive signing protocol ISign

4.2 Distributed Signing

Our distributed signing algorithm (Table 3) either aborts or outputs a valid signature. We use ZKPoKRoot to ensure the well-formedness of the commitment \(T_i\) and ZKPoKSig to ensure the well-formedness of the response \(t_i\), thus preventing malicious behaviour during the signing phase. We describe the details as follows.

Phase 1. Each party \(P_i\) picks \(r_i\xleftarrow {\$} CL(\varDelta )\) and computes \(T_i = r_i^v\). \(P_i\) computes the commitment \([c_i, d_i] \leftarrow \mathsf{{Com} }(T_i)\) and broadcasts \(c_i\) to all other parties.

Phase 2. Each \(P_i\) broadcasts the decommitment \(d_i\) along with a non-interactive zero-knowledge proof \(\pi _i\) for the relation \(\{(T_i,v) : r_i | T_i = r_i^{v}\}\) to all other parties.

Phase 3. Upon receiving \(\pi _j\) from \(P_j (j\ne i)\), \(P_i\) checks the validity of each \(\pi _j\). If it is valid, \(P_i\) accepts \(\pi _j\); otherwise, it aborts.

Phase 4. After each \(P_i\) has received all the \(T_j\) and \(\pi _j\) generated by every \(P_j (j\ne i)\) and verified every \(\pi _j\), the common \(T = \prod _{i=1}^{n} T_i\) is computed and \(h = \mathsf{{H}}(M, T)\) is derived. Each \(P_i\) computes \(t_i = r_i B_i^h\) and the commitment \([\hat{c}_i, \hat{d}_i] \leftarrow \mathsf{{Com} }(t_i)\), and broadcasts \(\hat{c}_i\) to all other parties.

Phase 5. Each \(P_i\) broadcasts the decommitment \(\hat{d}_i\) along with a non-interactive zero-knowledge proof \(\hat{\pi _i}\) for the relation \(\{(T_i,J_i,t_i,h,v):(r_i, B_i)| t_i = r_i B_i^h, T_i = {r_i}^v, J_i = {B_i}^{-v}\}\) to all other parties.

Phase 6. Upon receiving \(\hat{\pi }_j\) from \(P_j (j\ne i)\), each \(P_i\) checks the validity of \(\hat{\pi }_j\). If it is valid, \(P_i\) accepts \( \hat{\pi }_j\); otherwise, it aborts. Each party computes \(t = \prod _{i=1}^{n} t_i\) and outputs the collaborative signature \(\sigma = (t,h)\).

4.3 Verification

When receiving a signature \(\sigma = (t,h)\) on the message M, verification is the same as in the original GQ signature scheme: accept if and only if h equals \(\mathsf{H}(M, T')\), where \(T' = t^v J^h\). Correctness follows from \(T' = t^v J^h = (\prod _{i=1}^{n} t_i)^v (\prod _{i=1}^{n} J_i)^h = (\prod _{i=1}^{n} r_i B_i^h)^v (\prod _{i=1}^{n} B_i^{-v})^h = (\prod _{i=1}^{n}{r_i})^v= r^v = T\). Since the operations take place in a class group of unknown order and the results of class group multiplication and exponentiation are normalized (reduced) on output, no reduction modulo an integer is needed. Since the validity of the signature can be checked by any \(P_j\), \(P_i\) may send \(P_j\) the signature once it has confirmed its validity; this does not affect security. Moreover, the non-malleable commitments and zero-knowledge proofs guarantee that no party can deny the messages it broadcast and that every message contributing to the collaboratively generated signature is well-formed, so no malicious behaviour can affect the joint signing. Note that verification only needs the aggregated key \(J = \prod _{i=1}^{n} J_i\), not the full list of signers’ public keys \(\{J_i\}_{i\in [1,n]}\).

4.4 Rogue-Key Attack Resistant

In the IKeyGen phase, an adversary, say \(P_{j^*}\), cannot choose its \(PK_{j^*}\) after seeing the public keys of the other parties in order to mount a rogue-key attack. More specifically, it cannot set its public key to \(J_{j^*} = B^{-v}_{j^*}(\prod _{i=1, i \ne j^*}^{n} J_i)^{-1}\), which would make the aggregated key equal its arbitrarily chosen \(B^{-v}_{j^*}\) and let it forge valid multi-signatures on its own, because it does not know a v-th root of \(J_{j^*}^{-1}\) and therefore cannot produce a valid ZKPoKRoot for \(J_{j^*}\). This rules out rogue-key attacks in the same way the KOSK assumption does, but with an explicit proof of knowledge instead of an assumption.
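An added example (not the paper's code) that simulates Sects. 4.1 to 4.4 in one process: key aggregation \(J = \prod J_i\), joint signing, a per-party check that names the party whose \(t_i\) is malformed, and the rogue-key attack that key aggregation without ZKPoKRoot would allow. Assumptions: the class group is replaced by a stand-in RSA-type group with the constructed toy modulus \(n = (2^{127}-1)(2^{89}-1)\) and \(v = 2^{127}-1\); commitments and the ZK proofs are omitted; the per-party check is the public relation \(t_i^v J_i^h = T_i\) that the ZKPoKSig witness implies, not the proof itself.

```python
"""Key aggregation, per-party checks and the rogue-key attack of Sect. 4.

Added illustration, not the paper's code. All parties run in one process, so
commitments and the ZK proofs are omitted. Assumption: the class group is
replaced by a stand-in RSA-type group with the constructed toy modulus
n = (2^127 - 1)(2^89 - 1). The rogue-key attack works here precisely because
no ZKPoKRoot is demanded for the published J_i.
"""
import hashlib
import random

N = ((1 << 127) - 1) * ((1 << 89) - 1)   # toy modulus (two Mersenne primes)
V = (1 << 127) - 1                       # prime exponent v; h = H(M, T) < v


def H(msg: bytes, T: int) -> int:
    return int.from_bytes(hashlib.sha256(msg + b"|" + str(T).encode()).digest(), "big") % V


def prod(xs):
    """Product in the group (mod N)."""
    out = 1
    for x in xs:
        out = out * x % N
    return out


def keygen():
    """One party's share: B_i secret, J_i = B_i^{-v} public."""
    B = random.randrange(2, N)
    return B, pow(B, -V, N)


def multisign(Bs, Js, msg: bytes):
    """Honest joint signing; returns (t, h) and the per-party (J_i, T_i, t_i) transcript."""
    rs = [random.randrange(2, N) for _ in Bs]
    Ts = [pow(r, V, N) for r in rs]                 # T_i = r_i^v
    h = H(msg, prod(Ts))                            # h = H(M, prod T_i)
    ts = [r * pow(B, h, N) % N for r, B in zip(rs, Bs)]   # t_i = r_i B_i^h
    return (prod(ts), h), list(zip(Js, Ts, ts))


def verify(J: int, msg: bytes, sig) -> bool:
    """Plain GQ verification under the aggregated key J = prod J_i."""
    t, h = sig
    return h == H(msg, pow(t, V, N) * pow(J, h, N) % N)


def misbehaving_parties(transcript, h: int):
    """Indices whose t_i fails t_i^v J_i^h == T_i: the parties an identifiable abort names."""
    return [i for i, (J_i, T_i, t_i) in enumerate(transcript)
            if pow(t_i, V, N) * pow(J_i, h, N) % N != T_i]


def rogue_key(honest_Js):
    """Rogue signer: J* = B*^{-v} (prod honest J_i)^{-1}, so the aggregated key is B*^{-v}."""
    B_star = random.randrange(2, N)
    J_star = pow(B_star, -V, N) * pow(prod(honest_Js), -1, N) % N
    return B_star, J_star


def sign_alone(B: int, msg: bytes):
    """Single-signer GQ; after a rogue key, this forges under the aggregated key."""
    r = random.randrange(2, N)
    T = pow(r, V, N)
    h = H(msg, T)
    return r * pow(B, h, N) % N, h
```

`misbehaving_parties` is what an honest party can compute from broadcast values alone once \(T_i\) and \(J_i\) are known to be well-formed; the rogue-key branch shows why the scheme insists on a proof of knowledge of the v-th root behind every \(J_i\) before aggregation.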

4.5 Identifiable Abort or Not

If we only want dishonest majority security without identifiable abort, there is no need to generate and verify the well-formedness proof of \(t_i\) in ISign, namely ZKPoKSig. Instead, after obtaining all \(t_i\), each party directly computes \(t = \prod _{i=1}^{n} t_i\), checks the validity of \(\sigma = (t,h)\), outputs \(\sigma \) if it is valid and aborts otherwise. This does not violate the dishonest majority model we use. However, without ZKPoKSig the identity of a malicious party cannot be determined in Phase 5, so the scheme would not achieve identifiable abort.

5 Security Proof of Our Multi-signature Scheme

The security proof of our multi-signature scheme is a reduction to the unforgeability of CL-GQ. If there is a PPT adversary \(\mathcal {A}\) which breaks our multi-party CL-GQ, then we can construct a forger \(\mathcal {F}\) that uses \(\mathcal {A}\) to break CL-GQ. \(\mathcal {F}\) must simulate the environment of \(\mathcal {A}\): when \(\mathcal {A}\) corrupts \(\{P_j\}_{j \ne 1}\), \(\mathcal {F}\) simulates the honest party \(P_1\) so that \(\mathcal {A}\)’s view of its interaction with \(\mathcal {F}\) is indistinguishable from its view of an interaction with the real \(P_1\). \(\mathcal {F}\) holds the CL-GQ public key \((\varDelta , v,J,H)\) and has access to a signing oracle for messages of its choice. After a series of queries, \(\mathcal {F}\) outputs a forged signature \(\sigma = (t, h)\) on a message M of its choice that has never been queried. Unlike the security proof of the multiparty ECDSA in [9], \(\mathcal {F}\) does not need to distinguish semi-correct from non-semi-correct executions of \(\mathcal {A}\) (in [9], the \(\delta _i\) sent by the adversary in Phase 3, Fig. 5 may be malicious), which makes our proof more concise.

Simulating \(P_1\) in IKeyGen. \(\mathcal {F}\) obtains a public key \((\varDelta , v,J,H)\) from its CL-GQ challenger and must set up this same public key in its simulation with \(\mathcal {A}\). This allows \(\mathcal {F}\) to subsequently simulate interactive signing with \(\mathcal {A}\) using the output of its CL-GQ signing oracle. \(\mathcal {F}\) repeats the following steps, rewinding \(\mathcal {A}\), until \(\mathcal {A}\) sends correct decommitments for \(P_2,...,P_n\) in both iterations.

  1. \(\mathcal {F}\) randomly selects \(\delta _1 \in \{0,1\}^\lambda \) and \(v_1 \in \{0,1\}^{\eta (\lambda )+1}\), computes \([c_1, d_1] \leftarrow \mathsf{{Com} }(\delta _1)\) and \([\hat{c_1}, \hat{d_1}] \leftarrow \mathsf{{Com} }(v_1)\) and broadcasts \((c_1, \hat{c_1})\). \(\mathcal {F}\) receives \(\{c_j, \hat{c_j}\}_{j\in [n], j\ne 1}\).

  2. \(\mathcal {F}\) broadcasts \((d_1, \hat{d_1})\) and receives \(\{d_j, \hat{d_j}\}_{j\in [n], j\ne 1}\). For \(i\in [n]\), let \(\delta _i \leftarrow \mathsf{{Reveal}}(c_i, d_i)\) and \(v_i \leftarrow \mathsf{{Reveal}}(\hat{c_i}, \hat{d_i})\).

  3. \(\mathcal {F}\) randomly selects \(\delta '_1 \in \{0,1\}^\lambda \) and \(v'_1 \in \{0,1\}^{\eta (\lambda )+1}\), subject to the conditions \(\varDelta = \mathsf{{NextPrime^*}}(\delta '_1 \oplus (\oplus _{i=2}^{n} \delta _i))\) and \(v = \mathsf{{NextPrime}}(v'_1 \oplus ( \oplus _{i=2}^{n} v_i))\). Then \(\mathcal {F}\) computes the equivocated decommitments \((d'_1, \hat{d'_1})\) which reveal \(\delta '_1, v'_1 \), rewinds \(\mathcal {A}\) to step 2 and broadcasts \((d'_1, \hat{d'_1})\).

  4. All parties compute the common output \(\varDelta = \mathsf{{NextPrime^*}}(\delta '_1 \oplus (\oplus _{i=2}^{n} \delta _i))\) and \(v = \mathsf{{NextPrime}}(v'_1 \oplus ( \oplus _{i=2}^{n} v_i))\).

  5. \(\mathcal {F}\) randomly selects \(B_1 \in CL(\varDelta )\) and computes \(J_1 = {B^{-v}_1}\). Then \(\mathcal {F}\) computes \([c^*_1, d^*_1] \leftarrow \mathsf{{Com} }(J_1)\) and broadcasts the commitment \(c^*_1\) to all other parties. \(\mathcal {F}\) receives \(\{c^*_j\}_{j\ne 1}\).

  6. \(\mathcal {F}\) broadcasts \(d^*_1\) and performs a ZKPoKRoot for the relation \(\{(J_1,v):B_1 \mid J_1=B^{-v}_1\}\). \(\mathcal {F}\) then receives \(\{d^*_j\}_{j\ne 1}\). For \(i \in [n]\), let \(J_i \leftarrow \mathsf{Reveal}(c^*_i, d^*_i)\) be the opened commitment value of each party.

  7. \(\mathcal {F}\) rewinds \(\mathcal {A}\) to step 6 and equivocates \(P_1 \)’s commitment to \(d^{*'}_1\) so that the revealed value is now \(J'_1 = J (\prod _{i=2}^{n} J_i)^{-1} \), and broadcasts \(d^{*'}_1\). Then \(\mathcal {F}\) simulates the ZKPoKRoot for \(J'_1\).

  8. If all the proofs and commitments are correct, the protocol continues with \(J'=J'_1 \prod _{i=2}^n{J_i}=J\).

Theorem 2

If the commitment scheme is non-malleable and equivocal and ZKPoKRoot is an honest-verifier zero-knowledge proof of knowledge, then the IKeyGen simulation above is indistinguishable from a real execution in the view of the potentially corrupted parties \(P_2, P_3\), \(\ldots , P_n\). Moreover, when the simulation does not abort, all parties output \(\varDelta ,v\) in step 4 and J in step 8.

Simulating \(P_1\) in ISign Phase

  1. As in a real execution, \(\mathcal {F}\) randomly selects \(r_1 \in CL(\varDelta )\) and computes \(T_1 = {r^{v}_1}\). Then \(\mathcal {F}\) computes \([c_1, d_1] \leftarrow \mathsf{{Com} }(T_1)\) and broadcasts the commitment \(c_1\) to all other parties. \(\mathcal {F}\) receives \(\{c_j\}_{j\ne 1}\).

  2. \(\mathcal {F}\) broadcasts \(d_1\) and performs a ZKPoKRoot for the relation \(\{(T_1,v):r_1 \mid T_1=r^{v}_1\}\). \(\mathcal {F}\) then receives \(\{d_j\}_{j\ne 1}\). For \(i \in [n]\), let \(T_i \leftarrow \mathsf{Reveal}(c_i, d_i)\) be the opened commitment value of each party.

  3. \(\mathcal {F}\) requests a signature \((t, h)\) on a message M from its CL-GQ signing oracle and computes \(T=t^v J^h\) (note that \(h=H(M,T)\)).

  4. \(\mathcal {F}\) rewinds \(\mathcal {A}\) to step 2 and equivocates \(P_1 \)’s commitment to \(d'_1\) so that the revealed value is now \(T'_1 = T (\prod _{i=2}^{n} T_i)^{-1} \), and broadcasts \(d^{'}_1\). Then \(\mathcal {F}\) simulates ZKPoKRoot.

  5. If all the proofs and commitments are correct, all parties compute \(T' = T'_1\prod _{i=2}^n{T_i} = T\) and \(h'=H(M,T)=h\). \(\mathcal {F}\) computes \(t_1 = r_1 B^{h'}_1\) and \([\hat{c}_1, \hat{d}_1] \leftarrow \mathsf{{Com} }(t_1)\). \(\mathcal {F}\) broadcasts the commitment \(\hat{c}_1\) to all other parties. \(\mathcal {F}\) receives \(\{\hat{c}_j\}_{j\ne 1}\).

  6. \(\mathcal {F}\) broadcasts \(\hat{d}_1\) and performs a ZKPoKSig for the relation \(\{(T_1,J_1,t_1,h):(r_1, B_1)| t_1 = r_1 B_1^{h}, T_1 = {r_1}^v, J_1 = {B_1}^{-v}\}\). \(\mathcal {F}\) then receives \(\{\hat{d}_j\}_{j\ne 1}\). For \(i \in [n]\), let \(t_i \leftarrow \mathsf{Reveal}(\hat{c}_i, \hat{d}_i)\) be the opened commitment of each party.

  7. \(\mathcal {F}\) rewinds \(\mathcal {A}\) to step 5 and equivocates \(P_1 \)’s commitment to \(\hat{d'}_1\) so that the revealed value is \(t'_1=t (\prod _{i=2}^n{t_i})^{-1}\), and broadcasts \(\hat{d'}_1\). Then \(\mathcal {F}\) simulates ZKPoKSig.

  8. If all the proofs and commitments are correct, all parties compute \(t'=t'_1 \prod _{i=2}^n{t_i} = t\) and output \(\sigma = (t',h)\).

Theorem 3

If the commitment scheme is non-malleable and equivocal and ZKPoKRoot and ZKPoKSig are honest-verifier zero-knowledge proofs of knowledge, then the ISign simulation above is indistinguishable from a real execution in the view of the potentially corrupted parties \(P_2,P_3,...,P_n\), and on input M the simulation either outputs a valid signature \(\sigma = (t,h)\) or aborts.

Finally, we capture the security of our protocol by Theorem 4.

Theorem 4

Assuming that standard CL-GQ is an existentially unforgeable signature scheme, that ZKPoKRoot and ZKPoKSig are honest-verifier zero-knowledge proofs of knowledge, and that the commitment scheme is non-malleable and equivocable, our GQ multi-signature protocol (IKeyGen, ISign) is an existentially unforgeable multi-signature scheme.

6 Zero-Knowledge Proofs

In this section, we give the detailed construction of ZKPoKRoot and ZKPoKSig, which are used in our multi-signature protocol. At first glance, both ZK proofs seem easy to construct. One problem with ZK proofs in a group of unknown order, however, is that the challenge has to be a binary (one-bit) string, so the proof must be repeated for many rounds to achieve an acceptable soundness error, like the one-bit-challenge ZK proofs in [8, 38]. We observe that the Bezout formula used in the EUF-CMA proof of CL-GQ can also be used to prove the special soundness of our ZK proofs, which removes the repetition from our protocols; the additional constraint is that the length of the challenge space must be smaller than v. This trick also answers the open problem in Yi’s blind ECDSA scheme [38] of how to speed up their ZK proof of a Paillier ciphertext; in the full version of this paper we give a slightly modified version of the ZK proof they use, which needs no repetition at all.

6.1 Zero-Knowledge Proof for the \(-v\)-th Root

We define a relation for the \(-v\)-th root of a class group element x where v is a prime:

$$ \mathcal {R}_\mathsf{root} = \{ (X,v):x| X = x^{-v} \}. $$

We put forward a zero-knowledge proof of knowledge (ZKPoK) protocol named ZKPoKRoot (Table 4), which is needed in our multi-signature scheme. It needs to run for only one round to achieve a soundness error of \(2^{-\gamma }\), where \(\gamma \) is the length of the challenge space set in the ZKPoKRoot protocol, with the additional requirement that \(1\le \gamma \le v-1\). Here x and X are class group elements and v is a prime.

Table 4. Zero-knowledge Proof ZKPoKRoot for relation \(\mathcal {R}_\mathsf{root}\)

Theorem 5

The protocol ZKPoKRoot is an honest verifier zero-knowledge proof of knowledge with soundness error \(2^{-\gamma }\) where \(1\le \gamma \le v-1\).

6.2 Zero-Knowledge Proof of a CL-GQ Signature

We need another one-round ZKPoK protocol named ZKPoKSig (Table 5) for the following relation, where \(T_i, J_i, B_i\) are class group elements, h is a positive integer and v is a prime. The length \(\gamma \) of the challenge space can be used to adjust the soundness error of ZKPoKSig, with the additional requirement that \(1\le \gamma \le v-1\).

$$ \mathcal {R}_\mathsf{sig} = \{(T_i,J_i,t_i,h, v):(r_i, B_i) | t_i = r_i B_i^h, T_i = {r_i}^v, J_i = {B_i}^{-v}\} $$

Table 5. Zero-knowledge Proof ZKPoKSig for relation \(\mathcal {R}_\mathsf{sig}\)

Theorem 6

The protocol ZKPoKSig is an honest verifier zero-knowledge proof of knowledge with soundness error \(2^{-\gamma }\) where \(1\le \gamma \le v-1\).

Remarks. To reduce unnecessary interaction, we apply the Fiat-Shamir transformation [15] to make both ZKPoKRoot and ZKPoKSig non-interactive, replacing the challenge k in each ZKPoK with H(t) and \(H(\tau _1,\tau _2,\tau _3)\) respectively, where H is a secure hash function. For the required security level, we set v to more than 161 bits in the joint signing protocol, while \(\gamma \) is usually required to be 40/60/80 bits in industry. Hence, for either ZKPoKRoot or ZKPoKSig, the additional requirement \(1\le \gamma \le v-1\) is practical.
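The one-round ZKPoKRoot argument of Sect. 6.1 and its Fiat-Shamir form from the remarks above, as an added Python example that is not from the paper or its Rust implementation: it runs the standard GQ-style Σ-protocol for \(\mathcal {R}_\mathsf{root}\) (Table 4 is not reproduced here, so the exact message layout is assumed) together with the Bezout-based extractor that justifies a \(\gamma \)-bit challenge without repetition. It uses \(\mathbb {Z}_n^*\) for a toy RSA modulus as a stand-in for \(CL(\varDelta )\); the group, the primes, v = 1009, \(\gamma \) = 8 and the hash encoding are all assumptions.

```python
import hashlib
import secrets
# Stand-in group (constructed for this example): Z_n^* for a toy RSA modulus replaces the
# paper's CL(Delta); the steps are identical in any unknown-order group where v is coprime to the order.
P, Q = 1000003, 1000033   # constructed toy primes, far too small for real use
N = P * Q
V = 1009                  # the prime exponent v (assumed value)
GAMMA = 8                 # challenge bit length: 2^GAMMA - 1 < V, so 1 <= gamma <= v-1 holds

def keygen():             # secret x and public X = x^{-v}, i.e. (X, v) : x lies in R_root
    x = secrets.randbelow(N - 2) + 2
    return x, pow(x, -V, N)

def commit():             # prover's first message t = rho^v for a fresh random rho
    rho = secrets.randbelow(N - 2) + 2
    return rho, pow(rho, V, N)

def respond(x, rho, k):   # prover's answer s = rho * x^k to a challenge k in [0, 2^GAMMA)
    return (rho * pow(x, k, N)) % N

def check(X, t, k, s):    # verifier's equation: s^v * X^k = rho^v * x^{kv} * x^{-kv} = t
    return (pow(s, V, N) * pow(X, k, N)) % N == t

def challenge(X, t):      # Fiat-Shamir challenge H(X, t) truncated to GAMMA bits (assumed encoding)
    digest = hashlib.sha256(f"{X}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % (1 << GAMMA)

def prove(x, X):          # non-interactive one-round proof (t, k, s) for R_root
    rho, t = commit()
    k = challenge(X, t)
    return t, k, respond(x, rho, k)

def verify(X, proof):
    t, k, s = proof
    return k == challenge(X, t) and check(X, t, k, s)

def egcd(a, b):           # extended Euclid for a, b >= 0: (g, u, w) with u*a + w*b = g
    if b == 0:
        return a, 1, 0
    g, u, w = egcd(b, a % b)
    return g, w, u - (a // b) * w

def extract(X, k1, s1, k2, s2):   # two accepting transcripts sharing t, with k1 < k2
    # Special-soundness extractor (the Bezout argument of Sect. 6): no repetition is
    # needed because 0 < k2 - k1 < v and v prime give gcd(v, k2 - k1) = 1.
    u = (s1 * pow(s2, -1, N)) % N            # u^v = X^{k2 - k1}
    g, a, b = egcd(V, k2 - k1)               # a*v + b*(k2 - k1) = g = 1
    assert g == 1, "challenge difference must be coprime to v"
    w = (pow(X, a, N) * pow(u, b, N)) % N    # w^v = X^{a v + b (k2 - k1)} = X
    return pow(w, -1, N)                     # x = w^{-1}, so x^{-v} = X
```

With \(\gamma \) bits of challenge, a cheating prover who can answer two distinct challenges for one t could be turned into the extractor above, which is exactly why one round suffices as long as \(2^{\gamma } - 1 < v\).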

6.3 ZKPoK with Lower Soundness

Consider an extreme scenario in which we want to achieve a very strict soundness error, for example \(2^{-1000}\). The Bezout trick cannot be applied in the soundness proof with an extractor, since the additional requirement \(1\le \gamma \le v-1\) no longer holds (v is smaller than 257 in our real use, as stated in Sect. 4). Then \(\gamma \) can only be set to 1 to construct a successful extractor. Hence, \(\ell \) repetitions of either ZKPoKRoot or ZKPoKSig are compulsory to achieve a soundness error of \(2^{-\ell }\), where \(\ell \) is a positive integer. The resulting running time undermines practical application. In this case, if a low soundness error must be met at reasonable computational cost, the LCM (lowest common multiple) trick used in [9] can reduce the number of repetitions and thus remarkably improve efficiency. To adopt the LCM trick, we modify the original ZKPoK protocols in two places: i) change the challenge space of k from \(\{0,1\}\) to \(\{0,1\}^C\) for some positive integer C, and ii) change the number of repetitions from \(\ell \) to \(\ell /C\). The revised ZKPoK protocols then prove the following relations, where \(y = \mathrm{lcm}(1,2,3,...,2^C)\).

$$ \mathcal {R'}_\mathsf{root} = \{ x: X^z = (x^y)^v \} $$
$$ \mathcal {R'}_\mathsf{sig} = \{(T_i,J_i,t_i,h,v):(r_i, B_i) | t_i^z = r_i^y (B_i^y)^h, T_i^z = (r_i^y)^v, J_i^z = ({B_i}^y)^v\} $$

Caveat. The major concern with such an LCM trick is that the modified relation is a relaxed one, so it is an open question whether this enables an attack, more specifically, forging a witness which holds in the relaxed relation but not in the standard relation; this issue is not well discussed in [9].

7 Implementation and Evaluation

We implemented the original GQ signature, the CL-GQ signature and our multi-party GQ signature without trusted setup in Rust. We use the Rust library Class (footnote 4) for the class group operations, including sampling, reduction, exponentiation and multiplication. Note that this Rust library calls the C library Pari, which largely ensures the efficiency of the heavy class group arithmetic, though it can still be improved. We benchmark the running times of both KeyGen and Sign for the three schemes. All programs are executed in a single thread on a MacBook Pro with an Intel Core i5 1.4 GHz and 16 GB RAM.

7.1 Standard GQ vs. CL-GQ

We compare standard GQ and CL-GQ at three security levels, 80-bit, 112-bit and 128-bit, where 80-bit security is considered insecure and 112-bit and above is generally deemed secure. We set v to \(\eta (\lambda )\)+1 bits for both GQ and CL-GQ. We compare the signature sizes and running times of both schemes. As the results in Table 6 show, removing the RSA trapdoor clearly trades away computational efficiency: CL-GQ is much slower for both KeyGen and Sign because of the complicated class group arithmetic. In signature size, however, our CL-GQ is much shorter than GQ.

Table 6. Running time of original GQ and CL-GQ in different security levels.
Table 7. Benchmarks of trustless GQ multi-signature.

7.2 Performance of Trustless GQ Multi-signature

We evaluate the running time and bandwidth of multi-party GQ without trusted setup in Table 7. The running time is the median over 20 test samples, each of which sequentially executes the computation of each signer (the protocol can in fact be executed in parallel, but we do this for a fair comparison). In a 5-user setting, ignoring network constraints, each signer needs only around 2.1 s and 3.6 s to sign a message at the 112-bit and 128-bit security levels respectively. We computed the concrete number of bytes needed for multi-party GQ at the 112-bit and 128-bit asymmetric security levels and give the calculation formula below (note that in this formula \(\lambda \) denotes the bit length of \(\varDelta \), not the security level 112 or 128). Both bandwidth and running time confirm that our trapdoorless GQ multi-signature is very practical. Our bandwidth is only about one-third of the bandwidth of the joint signing in [17].

$$\begin{aligned} Comm.cost(\mathsf{IKeyGen})&= n \times \{10 \times \lceil \frac{\lambda -1}{2} \rceil + 6 \times \eta (\lambda )+5\} \quad (bits)\\ Comm.cost(\mathsf{ISign})&= n \times \{ 18 \times \lceil \frac{\lambda -1}{2} \rceil + 4 \times \eta (\lambda )+ 9 \}\quad (bits) \end{aligned}$$

Impacts from the Number of Users. Consider an N-party setting. Since we assume a broadcast channel, each party computes its commitments and NIZK proofs only once, so N computations are needed in total. On the receiver’s side, however, each party must decommit the commitments and verify the NIZK proofs received from all other parties, so \(N(N-1)\) computations are needed in total. The accumulations of \(\delta _i,v_i, J_i,T_i,t_i\) are also of \(\mathcal {O}(N^2)\) complexity. Hence, the computational burden grows non-linearly with the number of participants. Besides, as the sizes of \(\varDelta \) and v increase, the uncertainty in computing \(\mathsf{{NextPrime^*}}\) and \(\mathsf{{NextPrime}}\) increases, which leads to a noticeable variance in the running time of IKeyGen. On the other hand, the variance of the running time of ISign is negligible.

8 Conclusion

In this paper, we first formalize the class group based GQ signature and then propose a trapdoorless GQ multi-signature scheme with the identifiable abort property and only 4 rounds of interaction in the signing phase, secure in the dishonest majority model. Our security proof is concise (the simulator need not detect a non-semi-correct execution) and our two one-round NIZKs are compact (no repetitions caused by a binary challenge). We give a detailed implementation and efficiency analysis which demonstrate that our scheme has a promising running time and excellent bandwidth efficiency.