A Fully Adaptively Secure Threshold Signature Scheme Based on Dual-Form Signatures Technology

Abstract
In a (t, n) threshold signature scheme, any subset of t participants out of n can produce a valid signature, but fewer than t participants cannot. A threshold signature scheme should also remain robust and unforgeable in the presence of up to t − 1 corrupted participants: even an adversary who breaks into up to t − 1 participants must be unable to generate signatures on its own. Existential unforgeability against adaptive chosen message attacks is the standard security notion for digital signatures, and threshold signatures should meet it as well. Threshold signatures, however, face two distinct corruption models: static corruption and adaptive corruption. Since the adaptive corruption model better captures real threats, designing threshold signature schemes and proving them secure under adaptive corruption has received much attention in recent years. We call a threshold signature fully adaptively secure if it is secure under both adaptive chosen message attacks and adaptive corruption attacks. In this paper we construct a threshold signature scheme from the dual pairing vector space technique, use the dual-form signature technique of Gerbush et al. to prove that it is fully adaptively secure in the standard model, and compare it with other schemes in terms of efficiency and computational cost.


Introduction
A simple communication model with a single sender and a single receiver has to be extended to allow communication between groups. To meet the security requirements of such a model, group-oriented cryptography was introduced by Desmedt [1]. Given a group of n participants, a (t, n) threshold signature is a cryptographic protocol that allows any subgroup of t participants (t ≤ n) to collectively sign messages, while any subgroup of t − 1 (or fewer) participants is unable to generate a valid signature for any message. A threshold signature is called robust if misbehaving participants (who do not follow the protocol) cannot prevent the honest participants from successfully completing the signing protocol.
Goldwasser et al. studied the security of signatures in [2]. They introduced a security notion called existential unforgeability against chosen message attacks (EUF-CMA) and analysed it using an appropriate security game. In the game, the adversary receives a public key (for signature verification) and may query a signature oracle a polynomial number of times on messages of her choice. She wins the game (and breaks the security) if she produces a valid signature σ* on a message m* that she has not queried before. There are two flavours of the game: nonadaptive and adaptive. In nonadaptive EUF-CMA, the adversary submits her signature queries before she receives the public key. In adaptive EUF-CMA (EUF-aCMA), she receives the public key first and then queries the signature oracle.
In group-oriented cryptography, there are two basic adversarial models: static and adaptive. In the static model, the adversary fixes the subset of participants she wants to corrupt before the protocol starts [3,4]. In the adaptive model, the adversary waits for an appropriate moment during the protocol execution: she collects information from the protocol run and then corrupts a specific subset of participants so as to maximise her chances of success [5][6][7]. Clearly, the adaptive adversary is stronger than the static one. The adaptive model also reflects real-life adversaries better, and so it has attracted more attention from researchers.
Needless to say, designing threshold signatures with EUF-aCMA security under the adaptive adversarial model is more challenging than under the static model.
In 2004, Abe and Fehr [8] proposed threshold signatures secure against adaptive corruptions in the universal composability framework. Although the amount of interaction is reduced, some interaction is still needed. Wang et al. [7] apply the Waters signature [9] to construct threshold signatures secure against adaptive adversaries in the standard model. Their signatures still require interaction over secure point-to-point channels.
Libert and Yung [10] used the Lewko-Waters identity-based encryption [11] and bilinear maps over groups of composite order to design threshold signatures secure against adaptive adversaries without any interaction. However, Freeman [12] argued that, at the same security level, the Libert-Yung signatures are roughly 50 times slower than signatures over prime-order groups. Hwang et al. [13] constructed (t, n) threshold directed signatures that are existentially unforgeable under chosen message attacks assuming that the computational Diffie-Hellman problem is intractable; however, the security claim holds only for a static adversary. Raman et al. [14] proposed threshold proxy signatures based on the RSA assumption. Neither construction [13,14] is secure against adaptive corruptions.
Libert et al. [15] employ the Pedersen distributed key generation protocol [16] to design two variants of threshold signatures that are secure against adaptive corruptions. The first scheme is efficient, but its security proof is in the random-oracle model. The second scheme is proven secure in the standard model using Groth-Sahai proofs [17]; unfortunately, the price is low efficiency, e.g. the time required to produce a partial signature is proportional to the length of the message. Harn and Wang [18] have studied threshold signatures based on the Chinese remainder theorem; their designs are secure against adaptive chosen message attacks and static corruptions in the random-oracle model. Recently, Assidi et al. [19] proposed an efficient code-based threshold ring signature, but their scheme cannot withstand adaptive corruption attacks.
The dual pairing vector space (DPVS) technique has turned out to be a powerful tool for constructing cryptographic schemes such as identity-based encryption (IBE) and attribute-based encryption (ABE). We show that the technique can also be used to design threshold signatures. The main contribution of this paper is a (t, n) threshold signature that is EUF-aCMA secure under adaptive corruption attacks in the standard model. Our construction is based on the Lewko identity-based encryption [20] and the Okamoto-Takashima DPVS technique [21,22]. The security proof applies the dual-form signature arguments developed by Gerbush et al. [23].

Preliminaries
Given a set S, we write $x \leftarrow_R S$ to denote that x is drawn uniformly at random from S. |S| denotes the cardinality of S and |x| the length of x (the number of bits in its binary form). If $\mathbb{N}$ is the set of natural numbers and $k \in \mathbb{N}$, then $1^k$ denotes the string of k ones.

Bilinear Maps.
Given two cyclic groups G and G_T of prime order p, a bilinear map $e(\cdot,\cdot): G \times G \to G_T$ satisfies the following properties for any generator $g \in G$ and any $\alpha, \beta \in \mathbb{Z}_p$ [24]:
(i) Bilinearity: $e(g^\alpha, g^\beta) = e(g, g)^{\alpha\beta}$
(ii) Nondegeneracy: $e(g, g) \neq 1_{G_T}$ unless $g = 1_G$
(iii) Computability: there exists an efficient algorithm that computes $e(g_1, g_2)$ for all $g_1, g_2 \in G$
Here $\mathbb{Z}_p$ denotes the integers modulo p. Given a vector $w = (w_1, \ldots, w_\ell) \in \mathbb{Z}_p^\ell$ and an integer $a \in \mathbb{Z}_p$, we use the following shorthand notations:
A group generation algorithm GG(Λ) takes a security parameter Λ and returns $(G, G_T, p, e(\cdot,\cdot), g)$, where G and G_T are groups of prime order p, e is a bilinear map and g is a generator of G.

Dual Pairing Vector Spaces.
Given two random bases
where $\psi \in \mathbb{Z}_p$. Note that, for a generator g of G, the following relation holds:
$\mathrm{Dual}(\mathbb{Z}_p^\ell)$ denotes the set of such pairs of dual orthonormal bases [20,21,25].

Subspace Intractability Assumption.
Given a group generator GG(Λ) and a positive integer k ≤ ℓ/3, the subspace assumption is defined as follows [20]. For a given security level Λ, generate the parameters of an instance at random: $(G, G_T, p, e(\cdot,\cdot), g) \leftarrow_R GG(\Lambda)$, and calculate the following collection of vectors, where i = 1, 2, ..., k. Then calculate a vector D such that the following holds. We assume that, for any probabilistic polynomial time (PPT) algorithm A, the advantage in distinguishing the two vectors is negligible in Λ.

Target Collision Resistant Hash Functions.
Given a security parameter Λ, an ℓ(Λ)-bit key k, a group G of prime order p(Λ) and a family T of keyed hash functions indexed by the key k and the security parameter, the family T is target collision resistant (TCR) if every PPT adversary has only negligible advantage (in Λ) in the following game: the adversary first chooses an input x, then receives a random key k, and wins if she outputs x' ≠ x with $H_k(x') = H_k(x)$ (see also [26]). Target collision resistance is a weaker requirement than the standard collision resistance of unkeyed hash functions, so it is a more realistic assumption about the hash functions used in practice.

Signatures.
We recall the definition of digital signatures and their security models.

Definition 1. A signature scheme (SS) is a triplet ⟨KeyGen, Sign, Verify⟩ of PPT algorithms:
(i) KeyGen(Λ): for a required security level Λ, returns a key pair (pk, sk) of appropriate length; pk is public (for verification) and sk is secret (for signing)
(ii) Sign(sk, m): on input the secret key sk and a message m, returns a signature σ on m
(iii) Verify(pk, m, σ): on input the public key pk, a message m and a string σ, outputs 1 if σ is a valid signature on m and 0 otherwise
The adaptive chosen message attack (aCMA) model is stronger than the nonadaptive chosen message attack (naCMA) model, so we only consider the EUF-aCMA game.

Dual-Form Signatures.
In 2012, Gerbush et al. [23] introduced dual-form signatures (DFSs), a framework for proving existential unforgeability of signatures from static assumptions. A dual-form signature consists of the following algorithms [23]:
(i) KeyGen(Λ): generates a public key pk and a private key sk for security parameter Λ
(ii) Sign_A(sk, m): returns a signature σ on message m under secret key sk
(iii) Sign_B(sk, m): returns a signature σ on message m under secret key sk
(iv) Verify(pk, m, σ): outputs TRUE if σ is a valid signature on m under pk, and FALSE otherwise
A dual-form signature thus has two signing algorithms, Sign_A and Sign_B. Both produce valid signatures: whichever algorithm was used, the signature passes Verify. Only one of them is used in the real scheme; the other exists only for the security proof. To prove a dual-form signature secure, Gerbush et al. [23] give a general method that works as follows.
In the security game, forgeries are divided into two disjoint types, I and II, corresponding to the forms of signatures produced by Sign_A and Sign_B respectively. The proof proceeds through a sequence of games in which the answers to signing queries are gradually switched from Sign_A to Sign_B. The framework requires the following three properties:
A-I matching: an adversary given access only to the Sign_A oracle has negligible probability of producing a Type II forgery
B-II matching: an adversary given access only to the Sign_B oracle has negligible probability of producing a Type I forgery
Dual-oracle invariance: an adversary given access to both oracles, plus one challenge signature produced by either Sign_A or Sign_B, has a probability of producing a Type I forgery that differs only negligibly depending on which algorithm produced the challenge signature
A dual-form signature is secure if it satisfies these three properties.
Gerbush et al. [23] argue as follows. By A-I matching, an adversary given Sign_A may have a noticeable probability ε of producing a Type I forgery but only a negligible probability of producing any other kind of forgery, so it remains to show that ε is negligible too. By dual-oracle invariance, the probability of a Type I forgery stays close to ε as the signatures the adversary receives are replaced by Sign_B signatures, one at a time. Once every signature the adversary receives comes from Sign_B, B-II matching implies that the probability of a Type I forgery is negligible in the security parameter, hence so is ε.
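The preceding argument can be written as a single bound. The following summary is added here and is not from [23] or the paper: write $\epsilon_J$ for the probability that $\mathcal{A}$ outputs a Type I forgery in the game in which the first $J$ of her $q$ signing queries are answered with $\mathrm{Sign}_B$ and the rest with $\mathrm{Sign}_A$, and $\delta$ for the probability that she outputs a Type II forgery when all $q$ queries are answered with $\mathrm{Sign}_A$. Since the two forgery types are disjoint and exhaustive, the forging probability in the real game telescopes into one term per property:

$$
\Pr[\mathcal{A}\ \text{forges}] \;=\; \epsilon_0 + \delta
\;\le\; \underbrace{\delta}_{\text{A-I matching}}
\;+\; \sum_{J=1}^{q} \underbrace{\lvert \epsilon_{J-1} - \epsilon_J \rvert}_{\text{dual-oracle invariance}}
\;+\; \underbrace{\epsilon_q}_{\text{B-II matching}} .
$$

Each of the $q + 2$ terms on the right is negligible and $q$ is polynomial in the security parameter, so the sum, and hence $\epsilon_0$, is negligible.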
If ⟨KeyGen, Sign_A, Sign_B, Verify⟩ is a secure dual-form signature, then ⟨KeyGen, Sign_A, Verify⟩ is existentially unforgeable under adaptive chosen message attacks [23].
This proof technique has great potential as a tool for analysing other cryptographic primitives built from digital signatures.

Threshold Signatures.
A threshold signature Φ consists of five algorithms ⟨Setup, Share-Sign, Share-Verify, Combine, Verify⟩:
(i) Setup(Λ, t, n) takes as input the security parameter Λ, the threshold t and the number of participants n, and outputs public parameters PP, a public key PK, private key shares SK = (SK_1, ..., SK_n) and verification keys VK = (VK_1, ..., VK_n).
(ii) Share-Sign(SK_i, M) takes as input the private key share SK_i of participant P_i and a message M, and outputs a signature share u_i.
(iii) Share-Verify(P_i, Γ, VK_i, u_i, M) takes as input the identity of P_i ∈ Γ, its verification key VK_i, its signature share u_i and a message M. It outputs valid or invalid depending on whether u_i is considered a valid share.
(iv) Combine(PK, M, Γ, (P_i, u_i)_{P_i ∈ Γ}) takes as input the public key PK, a message M and a subset Γ ⊂ {1, ..., n} of size |Γ| = t together with pairs (P_i, u_i), P_i ∈ Γ, where u_i is a signature share. It outputs either a full signature S or ⊥ if the set contains invalid shares.
(v) Verify(PK, M, S) is a deterministic algorithm that takes as input the public key PK, a message M and a signature S, and outputs valid or invalid depending on whether S is a valid signature on M.
We assume that an adversary A can corrupt up to t − 1 of the n participants. A learns all the information stored by the corrupted participants and can observe all their communication. We consider two types of adversaries, static and adaptive. A static adversary corrupts participants at the beginning of the protocol. An adaptive adversary corrupts participants during protocol execution, choosing the moment that maximises her chances of compromising the security of the uncorrupted participants. Since the adaptive adversary captures real-life threats better, we consider threshold signatures that guarantee EUF-aCMA security under adaptive corruption attacks; static corruption attacks are not considered further in this work.
Given an adaptive adversary and a threshold signature Φ, we need an appropriate security notion to evaluate its security. We use the notion formulated by Libert and Yung [10].

Definition 2.
A threshold signature scheme Φ is existentially unforgeable under adaptive chosen message attacks and adaptive corruption attacks (EUF-aCMA-DCA) if no PPT adversary A has a non-negligible advantage in the following game between a challenger C and A.
(i) Initialisation: C runs Setup and sends the public parameters, the public key and the verification keys to the adversary, i.e. C → A: PP, PK, VK.
(ii) Queries: A adaptively makes an arbitrary number of queries, each of which is one of the following.
Corruption query: A names the i-th participant and receives its private key share SK_i. A may obtain at most t − 1 private key shares during the whole game.
Partial signature query: A asks for a partial signature on an arbitrary message M on behalf of a participant P_i ∈ Γ and receives the signature share of P_i on M.
Signing query: A asks for a signature on an arbitrary message M and receives S, a signature on M.
(iii) Forgery: A outputs a message M* and a signature S*. She wins if (a) M* was never submitted in a partial signature query or a signing query; (b) A obtained at most t − 1 private key shares during the whole game; (c) Verify(PK, M*, S*) = valid.

Construction
In this section, we present a threshold signature Φ based on dual pairing vector spaces. The security of the proposed scheme is proven under the subspace assumption. The algorithms are as follows.
Setup(Λ, t, n):
(i) Select a target collision-resistant hash function H: {0,1}* → Z_p.
(ii) Set ℓ = 6 and sample a pair of random dual orthonormal bases (D, D*). Let d_1, ..., d_6 denote the elements of D and d*_1, ..., d*_6 the elements of D*.
(iii) Choose random values α, θ, σ ∈ Z_p* and a random polynomial $F(x) = \sum_{j=0}^{t-1} a_j x^j$ of degree t − 1, where t is the threshold, a_j ∈ Z_p for j = 0, ..., t − 1 and a_0 = α, and compute the private key shares and verification keys as follows.
(iv) Publish the public parameters PP = {G, G_T, p, e(·,·), g, H(·)}, the public key PK = {Z = e(g, g)^{αθψ}, g^{d_1}, g^{d_2}, g^{d_3}, g^{d_4}} and the verification keys VK = (VK_1, ..., VK_n) on the bulletin board. The partial private key SK_i is sent to participant P_i.
Share-Sign(SK_i, M): Denote the currently active set of t participants by Γ. P_i selects k_i ∈ Z_p at random and computes its partial signature (signature share) s_i = (u_i, K_i) using SK_i, where the Lagrange coefficient is
$$\lambda_i = \prod_{j \in \Gamma,\, j \neq i} \frac{-j}{i - j},$$
and then sends s_i = (u_i, K_i) to the combiner.
Share-Verify(P_i, Γ, VK_i, s_i, M): Given the verification key VK_i of P_i ∈ Γ and its partial signature s_i = (u_i, K_i) on M, the combiner checks whether the following equality holds. If it does, the share is accepted; otherwise, the combiner declares that P_i is corrupted.
Combine(PK, M, Γ, (P_i, s_i)_{P_i ∈ Γ}): Given the set Γ, the public key PK, the message M and t valid shares (P_i, s_i)_{P_i ∈ Γ}, the combiner computes the signature S = (S_1, S_2) as follows.
Verify(PK, M, S): For a signature S = (S_1, S_2) on a message M with respect to the public key PK, the algorithm outputs valid (or 1) if the following equation holds and invalid (or 0) otherwise.
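As an added worked example (this code is not from the paper and implements none of its pairing-based parts), the Shamir-sharing arithmetic behind Setup step (iii), Share-Sign and Combine: the polynomial F with a_0 = α, the shares F(i), the Lagrange coefficients λ_i, and recombination both on scalars and "in the exponent", which is the shape of Combine on signature shares. The group is a constructed stand-in for G: the order-509 subgroup of quadratic residues modulo the safe prime 1019 with generator 4; P, Q, G and the seed are assumptions chosen so the example runs offline. The last function goes beyond the page's statement that t − 1 shares are insufficient and shows that t − 1 shares are consistent with every possible α.

```python
"""Shamir sharing of the signing scalar alpha and the Lagrange coefficients
lambda_i used by Share-Sign and Combine, worked in a toy prime-order group.
Added example; toy parameters P, Q, G are constructed, not taken from the paper."""
import random

P = 509            # order of the scalar field Z_p (toy size; a real scheme uses a ~256-bit p)
Q = 2 * P + 1      # 1019 is prime, so the quadratic residues mod Q form a group of order P
G = 4              # generator of that order-P subgroup; stands in for the generator g of G


def sample_polynomial(alpha, t, rng):
    """F(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} with a_0 = alpha (degree t - 1)."""
    return [alpha % P] + [rng.randrange(P) for _ in range(t - 1)]


def evaluate(coeffs, x):
    """Horner evaluation of F(x) mod P; participant i receives the share F(i)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % P
    return acc


def lagrange_coefficient(i, gamma):
    """lambda_i = prod_{j in Gamma, j != i} (-j) / (i - j) mod P.
    For any polynomial of degree < |Gamma|, sum_{i in Gamma} lambda_i F(i) = F(0)."""
    num, den = 1, 1
    for j in gamma:
        if j != i:
            num = (num * (-j)) % P
            den = (den * (i - j)) % P
    return (num * pow(den, -1, P)) % P


def combine_scalars(shares):
    """shares: {i: F(i)} for |shares| >= t distinct i. Returns F(0) = alpha."""
    gamma = sorted(shares)
    return sum(lagrange_coefficient(i, gamma) * shares[i] for i in gamma) % P


def combine_in_exponent(group_shares):
    """group_shares: {i: g^{F(i)} mod Q}. Returns prod_i (g^{F(i)})^{lambda_i} = g^{alpha}.
    This is the shape of Combine: the combiner never sees alpha, only shares in the exponent."""
    gamma = sorted(group_shares)
    out = 1
    for i in gamma:
        out = (out * pow(group_shares[i], lagrange_coefficient(i, gamma), Q)) % Q
    return out


def alphas_reachable_with_one_share_missing(partial_shares, missing_index):
    """partial_shares: t - 1 genuine shares. For every guess of the missing share
    F(missing_index), recombine. lambda_missing is non-zero mod P, so guess -> alpha
    is a bijection on Z_P: every alpha is equally consistent with t - 1 shares."""
    reached = set()
    for guess in range(P):
        shares = dict(partial_shares)
        shares[missing_index] = guess
        reached.add(combine_scalars(shares))
    return reached


def run_demo(seed=7, t=3, n=5):
    """Deal n shares of a random alpha with threshold t and exercise both combiners."""
    rng = random.Random(seed)                    # constructed, deterministic sample input
    alpha = rng.randrange(1, P)
    coeffs = sample_polynomial(alpha, t, rng)
    shares = {i: evaluate(coeffs, i) for i in range(1, n + 1)}   # the SK_i-like scalars
    gamma = rng.sample(range(1, n + 1), t)                        # any t participants
    scalar = combine_scalars({i: shares[i] for i in gamma})
    in_exp = combine_in_exponent({i: pow(G, shares[i], Q) for i in gamma})
    partial = {i: shares[i] for i in gamma[:-1]}                  # only t - 1 of them
    reachable = alphas_reachable_with_one_share_missing(partial, gamma[-1])
    return {
        "alpha": alpha,
        "reconstructed": scalar,                            # equals alpha
        "combined_in_exponent": in_exp,                     # equals pow(G, alpha, Q)
        "alphas_consistent_with_t_minus_1": len(reachable), # equals P
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the file prints the dictionary from `run_demo`; `reconstructed` equals `alpha`, `combined_in_exponent` equals `pow(G, alpha, Q)` although no single party ever held `alpha`, and the last entry equals P, i.e. the t − 1 shares rule out no value of α. The λ_i formula is exactly the one in Share-Sign above, with the product taken over Γ.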

Correctness.
We show that the two verification algorithms, Share-Verify and Verify, always accept well-formed shares and final signatures. Share-Verify accepts its input if equation (17) holds. Starting from the left-hand side of the equation, a sequence of transformations leads to the right-hand side of equation (17).
Verify uses equation (19) to check signatures. In the same way, we start from the left-hand side of equation (19) and show how to arrive at its right-hand side.

Security
Theorem 1. Let Φ = ⟨Setup, Share-Sign, Share-Verify, Combine, Verify⟩ be our threshold signature and assume that the subspace assumption holds. Then Φ is EUF-aCMA-DCA secure, i.e. it withstands existential forgeries under adaptive chosen message and adaptive corruption attacks.
We prove the theorem with a hybrid argument over a sequence of games, following [23]. As in [23], the proof uses normal signatures and semi-functional signatures.
Type I signatures are normal signatures, i.e. S_1 has the form
where R_1, R_2 ∈ Z_p and $R_3 = \sum_{i \in \Gamma} F(i) k_i$. Type II signatures are semi-functional signatures, i.e. S_1 has the form
where R_1, R_2, z_5, z_6 ∈ Z_p and $R_3 = \sum_{i \in \Gamma} F(i) k_i \theta$.
We apply the dual-form signature technique to prove the security of our threshold signature. We start from the real security game, Game_0, followed by the sequence Game_1, ..., Game_q and Game_final.
(i) Game_0 is the EUF-aCMA-DCA game itself; the adversary is required to produce a Type I forgery, and her advantage is defined accordingly. Game_0 is played between a challenger C and an adversary A as follows.
Initialisation: C runs Setup(Λ, t, n) to obtain (PP, PK, SK, VK), where PP = {G, G_T, p, e(·,·), g, H(·)}, and gives PP, PK and VK to A.
Queries: A adaptively makes q queries, each either a corruption query or a signing query. A may make at most t − 1 corruption queries. Signing queries are answered with valid (Type I) signatures on messages of her choice.
Forgery: A outputs S* = (S*_1, S*_2) on a message M* that has not been queried.
A wins the game if Verify(PK, M*, S*) = 1.
(ii) Game_J (1 ≤ J ≤ q) is like Game_{J−1}, except that C answers the first J signing queries with Type II signatures and the remaining q − J signing queries with Type I signatures:
Initialisation: as in Game_0.
Queries: A adaptively makes q queries, each either a corruption query or a signing query, with at most t − 1 corruption queries. The first J signing queries are answered with Type II signatures and the last q − J with Type I signatures, on messages of her choice.
Forgery: A outputs S* = (S*_1, S*_2) on a message M* that has not been queried.
A wins the game if Verify(PK, M*, S*) = 1; the winning probability is the same whether the forgery is Type I or Type II.
(iii) Game_final is identical to Game_q, except that C answers corruption queries with private key shares that contain random d*_5, d*_6 components, answers every signing query with a Type II signature, and A must still output a Type I forgery:
Initialisation: as in Game_0.
Queries: A adaptively makes q queries, each either a corruption query or a signing query, with at most t − 1 corruption queries. All signing queries are answered with Type II signatures on messages of her choice.
Forgery: A outputs S* = (S*_1, S*_2) on a message M* that has not been queried.
A wins the game if Verify(PK, M*, S*) = 1 and the forgery is a Type I signature.
We prove Theorem 1 through a sequence of claims.

Claim 1.
In Game_0, the adversary A has a negligible chance of outputting a Type II signature if the subspace assumption with k = 2 and ℓ = 6 holds.
Proof. We construct an algorithm D that is given an instance of the subspace assumption containing (G, G_T, p, e(·,·), g, g^{b_1}, ..., g^{b_4}, g^{ηb*_1}, g^{ηb*_2}, g^{βb*_3}, g^{βb*_4}) and the challenge element T_1. D picks random values α, θ', σ' ∈ Z_p and a random polynomial F(x) over Z_p of degree t − 1, and implicitly sets θ = θ'η, σ = σ'β and F(0) = α. D computes the public key as follows. If A's forgery is a Type II signature, then D aborts. Notice that D needs A's output to be a Type I forgery in order to break the subspace assumption with k = 1 and ℓ = 6. Finally, D uses the forgery to determine which subspace T_1 lies in: D simply checks whether $e_\ell(S^*_1, T_1) = 1_{G_T}$. If so, $T_1 = g^{\tau_1 \eta b^*_1 + \tau_2 \beta b^*_2}$; otherwise, $T_1 = g^{\tau_1 \eta b^*_1 + \tau_2 \beta b^*_2 + \tau_3 b^*_3}$. Hence A's advantage is negligible if the subspace assumption with k = 1 and ℓ = 6 holds.

Comparison
We now compare our scheme with related schemes. As reference points for the efficiency discussion, we take the Libert-Yung (LY13) signature scheme [10] and the second signature scheme of [15] (LJY16). Let e denote the cost of a single bilinear pairing and E the cost of a single modular exponentiation. Recall that the cost e_N of a pairing over a group of composite order N = p_1 p_2 p_3 is about 50 times that of a pairing e_p over a group of prime order p [12]. In terms of computational overhead, a single bilinear pairing is roughly equivalent to four modular exponentiations (e ≈ 4E). The first column of Table 1 gives the name of the scheme (LY13, LJY16 and ours). The remaining columns give the computational cost of setting up the scheme (Setup), generating signature shares (Share-Sign), verifying shares (Share-Verify), combining shares into a signature (Combine) and verifying a signature (Verify).
The scheme in [15] relies mainly on the Groth-Sahai proof system [17], whereas ours relies mainly on the dual pairing vector space (DPVS) technique. The main difference between the two techniques is that DPVS reduces computational cost at the price of a slight increase in storage.

Conclusion
In this paper, we have proposed an efficient (t, n) threshold signature scheme. Under the subspace assumption, we have proven that our scheme is secure against existential forgeries under adaptive chosen message attacks and adaptive corruption attacks in the standard model. Our scheme is more efficient than the LY13 and LJY16 threshold signature schemes.
Data Availability
The data supporting the findings of this study are available within the article.

Conflicts of Interest
The author declares that there are no conflicts of interest.