Author: AdamISZ 2023-05-03 12:58:21
Published on: 2023-05-03T12:58:21+00:00
A recent paper by Wei Dai, Okamoto and Yamamoto published in December 2022 focuses on the same point as mentioned by AdamISZ earlier in Section 3. The paper highlights that the aEUF-CMA definition of the Aumayr paper does not address the possibility of multiple-adaptors-on-the-same-message-at-once. This issue has also been reused by other researchers. The paper has a lot of meat in terms of security definitions and a malicious version of the "preSign" (i.e. adaptor-sign) algorithm is used in the paper to illustrate the insufficiency of the definition. In response to Lloyd Fournier's comment on the usefulness of single signer adaptors, AdamISZ struggles to understand the point made and believes he might have missed some implicit concept in the argument. AdamISZ's paper on GitHub provides an analysis of the security of using signature adaptors and delves into scenarios of multiple adaptors at once or multiple signing sessions at once with the same adaptor. The penultimate case of "multiple signing sessions, same adaptor" proved to be the most interesting, and in trying to reduce this to ECDLP, an issue around sequencing was found.Lloyd Fournier suggests making a general proof against all secure Schnorr signing schemes in the ROM by extending the ROM forwarding approach from Aumayer et al to all "tweak" operations on the elements that go into the Schnorr challenge hash. This would be cool because then all these variants could be proven secure for all schemes past and present in one go.
Updated on: 2023-06-16T18:07:40.583364+00:00