DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures

Posted by Jonas Nick

Apr 30, 2025/07:59 UTC

The discussion opens with a question about whether the paper should include a proof that the scheme is zero-knowledge, rather than proving only its soundness. The question rests on the observation that the partial signatures, of the form s_k = r_{k1} + b r_{k2} + c_k x_k, are structurally so close to plain Schnorr signatures that their zero-knowledgeness could be regarded as trivial. This leads to a broader look at the security foundations of DahLIAS: if partial signatures leaked information about the secret key x_k, an adversary could turn that leakage into a forgery, contradicting the scheme's unforgeability claim. Since unforgeability is established under the assumptions that the Discrete Logarithm (DL) problem is hard and that the hash function H_{non} is collision-resistant, any such leakage would have to come from an adversary that can solve DL or find a collision in H_{non}.

The discussion then turns to whether the paper should spell out explicit optimizations for the single-party case, while acknowledging that this may fall outside the paper's scope. The scenario considered is a single signer holding several secret keys (x_1, .., x_n) with corresponding public keys (X_1, .., X_n). Such a signer can simplify signing considerably: choose a single random r, compute R := rG, and then set s := r + c_1 x_1 + .. + c_n x_n. Because only R := rG has to be computed, the per-key group multiplications are avoided and signing needs just one.

The conversation then turns to a "proof of knowledge of R" that had been suggested as a countermeasure against key-subtraction attacks, and to the recognition that it does nothing against nonce grinding in Wagner-type attacks. Appendix B explains why: any scheme in which an adversary can steer the signer into producing partial signatures that share the same effective nonce but carry different challenges (c ≠ c') is inherently susceptible. In the attack model, the adversary manipulates the signing process so that the same effective nonce is reused across distinct challenges; a proof of knowledge of R does not rule this out, which is the flaw in that proposed defence.
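The following is an added illustration by the editor, not code from the DahLIAS paper or its authors. It shows the single-party shortcut from the previous paragraph (one nonce r, one group operation R = rG, s = r + c_1 x_1 + .. + c_n x_n, checked against sG = R + c_1 X_1 + .. + c_n X_n) and the condition from this paragraph, in the simplest form where it bites: two Schnorr-shaped partial signatures with the same effective nonce and distinct challenges hand over the secret key. The toy group (a safe prime p = 2q + 1 with generator G = 4 of the order-q subgroup), the per-key challenge derivation H(R, X_i, m_i), and all function names are assumptions of this example; the toy is far too small to be secure, and DahLIAS's two-nonce structure and real challenge definition are not reproduced.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small to be secure:
# p = 2q + 1 with q prime, and G = 4 generates the order-q subgroup of Z_p^*.
# The text writes the group additively (R = rG); this toy is multiplicative mod p,
# so "scalar multiplication" is modular exponentiation and "point addition" is
# multiplication mod p.
P = 10007
Q = 5003
G = 4


def scalar_mul(point, k):
    """k * point in the toy group (modular exponentiation)."""
    return pow(point, k, P)


def point_add(a, b):
    """point a + point b in the toy group (multiplication mod p)."""
    return (a * b) % P


def challenge(R, X, msg):
    """Per-key challenge c_i = H(R, X_i, m_i) mod q.

    Assumption for this toy only: binding each challenge to (R, X_i, m_i) is the
    editor's simplification, not the challenge definition used by DahLIAS.
    """
    data = b"%d|%d|" % (R, X) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(x=None):
    """Secret scalar x and public key X = xG. A fixed x may be passed for tests."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, scalar_mul(G, x)


def sign_multi_key(secret_keys, msgs, r=None):
    """Single-party shortcut: one nonce r, one group operation R = rG, then
    s = r + c_1 x_1 + ... + c_n x_n. A real signer must draw a fresh random r for
    every signature; the r parameter exists only to make the example reproducible."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    R = scalar_mul(G, r)
    s = r
    for x, m in zip(secret_keys, msgs):
        s = (s + challenge(R, scalar_mul(G, x), m) * x) % Q
    return R, s


def verify_aggregate(R, s, pubkeys, msgs):
    """Check sG == R + c_1 X_1 + ... + c_n X_n."""
    rhs = R
    for X, m in zip(pubkeys, msgs):
        rhs = point_add(rhs, scalar_mul(X, challenge(R, X, m)))
    return scalar_mul(G, s) == rhs


def partial_sig(x, r, c):
    """Schnorr-shaped partial signature s = r + c x for a given effective nonce r."""
    return (r + c * x) % Q


def recover_key(s1, c1, s2, c2):
    """Same effective nonce, distinct challenges c1 != c2:
    s1 - s2 = (c1 - c2) x, so x = (s1 - s2) / (c1 - c2) mod q."""
    if (c1 - c2) % Q == 0:
        raise ValueError("challenges must differ mod q")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


if __name__ == "__main__":
    # Constructed sample: one signer holding three keys, signing three messages.
    sks = [111, 2222, 3333]
    pks = [keygen(x)[1] for x in sks]
    msgs = [b"tx-a", b"tx-b", b"tx-c"]
    R, s = sign_multi_key(sks, msgs)
    print("aggregate verifies:", verify_aggregate(R, s, pks, msgs))

    # Same effective nonce under two challenges: the secret key falls out directly.
    x, _ = keygen(4242)
    s1, s2 = partial_sig(x, 777, 17), partial_sig(x, 777, 99)
    print("recovered x == 4242:", recover_key(s1, 17, s2, 99) == 4242)
```

The verification identity sG = R + Σ c_i X_i is linear in the challenges, which is why one nonce suffices when a single party controls every x_i. recover_key is the degenerate case of the Appendix B condition: an adversary who can impose the same effective nonce under two challenges needs no Wagner-style machinery at all, and a proof that the signer knows the discrete log of R does not prevent it.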
