Formal security model of multisignatures

A multisignature scheme enables multiple signers to cooperate to generate one signature for some message. The aim of the multisignatures is to decrease the total length of the signature and/or the signing (verification) costs. This paper first discusses a formal security model of multisignatures following that of the group signatures [1,4]. This model allows an attacker against multisignatures to access five oracles adaptively. With this model, we can ensure more general security result than that with the existence model [14,11,12]. Second, we propose a multisignature scheme using a claw-free permutation. The proposed scheme can decrease the signature length compared to those of existence multisignature schemes using a trapdoor one-way permutation (TWOP) [11,12], because its signing does not require the random string. We also prove that the proposed scheme is tightly secure with the formal security model, in the random oracle model. Third, we discuss the security of the multisignature schemes [11,12] using a TOWP with the formal security model to confirm that these schemes can be proven to be tightly secure.