DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures

Posted by Tim Ruffing

Jul 2, 2025/11:36 UTC

In the exploration of cryptographic protocols, particularly within the context of digital signatures, a detailed analysis reveals the comparative efficiency and security implications of utilizing a uniform versus distinct ephemeral identifiers (denoted as b_i) across participants in a signing session. The initial approach, involving unique b_i values for each participant, was initially considered due to its natural alignment with the scheme's conceptual framework and had been substantiated with a preliminary security proof in an unpublished draft. However, this method introduces significant computational inefficiency, primarily because it necessitates multi-exponentiation processes proportional to the number of participants minus one (n-1), which markedly slows down the operation, requiring O(n/log n) time compared to a constant time operation (O(1)) with a single shared b value.

The decision to adopt a singular b value across all participants, despite the intuitive appeal of distinct identifiers, is grounded in the pursuit of operational efficiency. This design choice reduces the computational requirement to three group exponentiations, regardless of participant count, thereby streamlining the protocol. An additional, albeit minor, advantage of this approach includes the potential for the coordinating entity to pre-compute certain values, further alleviating the computational load on participants, although this benefit is somewhat marginal as individual R_{2,i} transmissions remain necessary.

The strategy of employing a shared ephemeral identifier also ingeniously leverages the R_i values, serving as temporary unique identifiers for participants. This mechanism effectively distinguishes between participants, even in scenarios where public keys are duplicated, by circumventing the need for direct uniqueness checks on the public keys themselves. Despite the apparent peculiarity of forgoing duplicate checks, the implementation’s integrity is maintained through the creation of specific test vectors that can identify failures, addressing concerns regarding inadvertent omissions of uniqueness verification in practical deployments.

Concerns regarding the identification of disruptive participants within this framework were also addressed. The protocol does not explicitly facilitate the detection of such actors; however, the uniqueness check inherent in the use of ephemeral identifiers indirectly aids in mitigating disruptions. Specifically, in instances of collusion or identity duplication among participants, secure communication channels with the coordinator ensure that malicious attempts to compromise session integrity can be traced back to the offenders. This assumes an honest coordinator and secure channels, underpinning the system's resilience against attacks aimed at disrupting or undermining the signature process.

Link to Raw Post
Bitcoin Logo

TLDR

Join Our Newsletter

We’ll email you summaries of the latest discussions from authoritative bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.

Explore all Products

ChatBTC imageBitcoin searchBitcoin TranscriptsSaving SatoshiBitcoin Transcripts Review
Built with 🧡 by the Bitcoin Dev Project
View our public visitor count

We'd love to hear your feedback on this project?

Give Feedback