Title:On the security of Multi-Signature Schemes
In multi-signature schemes, where multiple users sign on a
single message, it has been recently recognized that a
straightforward extension of the security definition of
usual (or single) signature schemes is not sufficient. That
is, the key generation/registration phase can be a target of
an adversary in addition to the traditional adversarial
model, in the multi-signature schemes. This paper defines
two models of the security definition of multi-signature
schemes: weak security model(straightforward
extension of usual signature scheme's definition: no key
generation phase attacks are considered), and strong
security model (key generation phase attacks as well as the
traditional attacks are considered). In this paper we introduce two types of reductions in the provably secure multi-signatures: one is an insensitive reduction, and the other a sensitive reduction. This paper gives two methods of constructing a secure multi-signature scheme in the strong security model from a scheme secure in the weak security model, and also gives some concrete and practical examples of these construction methods. |