Abstract. This talk addresses the question of defining unforgeability for threshold signatures. Despite rapid growth in the literature, divergent and sometimes incomparable models have created some degree of confusion and hindered comparisons. I will first revisit joint work with Bellare, Crites, Komlo, Maller, and Zhu (CRYPTO 2022), which introduced fine-grained notions of unforgeability for threshold signatures. This work highlights subtle but important distinctions, such as whether a message should be considered signed once a protocol is initiated or only after its completion, and how the latter is defined. Our framework offers a hierarchy of definitions that better captures these nuances. I will then discuss more recent work with Sela Navot (ASIACRYPT 2024) on defining strong unforgeability for multi-party signing protocols. We propose one-more unforgeability as a versatile approach to define strong unforgeability. Time permitting, I will also comment on stronger security notions such as UC security and other modeling aspects.
Joint work: Based on works with Mihir Bellare, Chenzhi Zhu, Elizabeth Crites, Chelsea Komlo, Mary Maller, Sela Navot
[Slides]
Suggested reading: One-More Unforgeability for Multi- and Threshold Signatures (ia.cr/2024/1947)
Presented at MPTS 2026: NIST Workshop on Multi-Party Threshold Schemes
Starts: January 26, 2026
Security and Privacy: cryptography