Paper 2025/1941
Adaptively-Secure Three-Round Threshold Schnorr from DL
Abstract
Threshold signatures are an important tool for trust distribution, and preserving the interface of standardized signatures, such as Schnorr signatures, is crucial for their adoption. In practice, latency dominates end-to-end signing time, so minimizing the number of interaction rounds is critical. Ideally, this is achieved under minimal assumptions and with adaptive security, where the adversary can corrupt signers on-the-fly during the protocol. While Schnorr signatures are proven secure under the Discrete Logarithm (DL) assumption in the random oracle model, the most round-efficient adaptively-secure threshold Schnorr protocols rely on stronger assumptions such as Decisional Diffie-Hellman (DDH), the Algebraic One-More Discrete Logarithm (AOMDL) or even the Low-Dimensional Vector Representation (LDVR) assumptions. The only adaptively-secure threshold Schnorr signature from the DL assumption requires five rounds, leaving a significant gap in our understanding of this fundamental primitive. Achieving low-round protocols with adaptive security from the DL assumption has remained an open question.

We resolve this question by presenting the first adaptively-secure threshold Schnorr scheme in three rounds (two online, one offline) in the random oracle model under the DL assumption. Our result demonstrates that achieving both low round complexity and adaptive security is possible while preserving the (so far) minimal assumptions for Schnorr signatures.

To achieve this, we introduce new techniques, including a novel use of an equivocal commitment scheme paired with a simulation-extractable NIZK, and a masking-based aggregated opening strategy for homomorphic commitments. Our work also makes several contributions that might be of independent interest, including a formalization of a strong adaptive security notion, a stronger commitment equivocation property, and an analysis of the simulation-extractability of the randomized Fischlin transformation.
Metadata
- Available format(s)
PDF
- Category
- Cryptographic protocols
- Publication info
- A major revision of an IACR publication in EUROCRYPT 2026
- Keywords
- Threshold signatures, Adaptive security, Schnorr signatures, Three-round, DL
- Contact author(s)
- guilhem @gniot fr
michael reichle @inf ethz ch
kaoru takemure @pqshield com
- History
- 2026-02-19: last of 4 revisions
- 2025-10-17: received
- Short URL
- https://ia.cr/2025/1941
- License
CC BY
BibTeX
@misc{cryptoeprint:2025/1941,
  author = {Guilhem Niot and Michael Reichle and Kaoru Takemure},
  title = {Adaptively-Secure Three-Round Threshold Schnorr from {DL}},
  howpublished = {Cryptology {ePrint} Archive, Paper 2025/1941},
  year = {2025},
  url = {https://eprint.iacr.org/2025/1941}
}