Improved on-line/off-line threshold signatures

At PKC 2006 Crutchfield, Molnar, Turner and Wagner proposed a generic threshold version of on-line/off-line signature schemes based on the "hash-sign-switch" paradigm introduced by Shamir and Tauman. Such a paradigm strongly relies on chameleon hash functions which are collision-resistant functions, with a secret trapdoor which actually allows to find arbitrary collisions efficiently. The "hash-sign-switch" paradigm works as follows. In the off-line phase, the signer hashes and signs a random message s. When, during the on-line phase, he is given a message m to sign the signer uses its knowledge of the hash trapdoor to find a second preimage and "switches" m with the random s. As shown by Crutchfield et al. adapting this paradigm to the threshold setting is not trivial. The solution they propose introduces additional computational assumptions which turn out to be implied by the so-called one-more discrete logarithm assumption. In this paper we present an alternative solution to the problem. As in the previous result by Crutchfield et al., our construction is generic and can be based on any threshold signature scheme, combined with a chameleon hash function based on discrete log. However we show that, by appropriately modifying the chameleon function, our scheme can be proven secure based only on the traditional discrete logarithm assumption. While this produces a slight increase in the cost of the off-line phase, the efficiency of the on-line stage (the most important when optimizing signature computation) is unchanged. In other words the efficiency is essentially preserved. Finally, we show how to achieve robustness for our scheme. Compared to the work by Crutchfield et al., our main solution tolerates at most [n/4] (arbitrarily) malicious players instead of [n/3] however we stress that we do not rely on random oracles in our proofs. Moreover we briefly present a variant which can achieve robustness in the presence of [n/3] malicious players.