An Explicit High-Moment Forking Lemma and its Applications to the Concrete Security of Multi-Signatures

. In this work we first present an explicit forking lemma that distills the information-theoretic essence of the high-moment technique introduced by Rotem and Segev (CRYPTO ’21), who analyzed the security of identification protocols and Fiat-Shamir signature schemes. Whereas the technique of Rotem and Segev was particularly geared towards two specific cryptographic primitives, we present a stand-alone probabilistic lower bound, which does not involve any underlying primitive or idealized model. The key difference between our lemma and previous ones is that instead of focusing on the tradeoff between the worst-case or expected running time of the resulting forking algorithm and its success probability, we focus on the tradeoff between higher moments of its running time and its success probability. Equipped with our lemma, we then establish concrete security bounds for the BN and BLS multi-signature schemes that are significantly tighter than the concrete security bounds established by Bellare and Neven (CCS ’06) and Boneh, Drijvers and Neven (ASIACRYPT ’18), respectively. Our analysis does not limit adversaries to any idealized algebraic model, such as the algebraic group model in which all algorithms are assumed to provide an algebraic justification for each group element they produce. Our bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme). Such second-moment assumptions, asking that the success probability of any algorithm in solving the underlying computational problems is dominated by the second moment of the algorithm’s running time, are particularly plausible in any group where no better-than-generic algorithms are currently known.


Introduction
A multi-signature scheme [IN83,BN06] enables any set of signers, within a large and decentralized system, to jointly produce a compact signature on a given message.Research on the design and analysis of multi-signature schemes has recently gained significant renewed interest, as such schemes were found particularly suitable for blockchain applications (e.g., [BDN18,MPSW19]).This high level of suitability dates back to the work of Bellare and Neven [BN06], who showed that multi-signature schemes can be constructed in the plain public-key model.In this model, each signer locally produces their signing and verification keys, without engaging in an interactive key-generation process with other signers or with a generic bilinear-group model3 , this leads to the concrete bound ϵ ≤ (q 5 H • t 2 /p) 1/3 on the security of the BLS multi-signature scheme.For various realistic ranges of the malicious forger's running time t and number of queries q H , this bound may fall somewhat short of providing sufficient guarantees (once again, especially for 256-bit groups).
Tighter concrete security within the algebraic group model.The above-described significant gaps in the concrete security of multi-signature schemes have so far been addressed mainly by proving security with respect to restricted classes of attackers.Specifically, tighter concrete security bounds were established for multi-signature schemes [AB21, BD21, NRS21, LK23] with respect to algebraic attackers within the idealized algebraic group model [FKL18].In this idealized model, all algorithms are assumed to provide an algebraic justification for each group element that they produce.Such an algebraic justification typically enables to prove the security of schemes without relying on the forking lemma and thus avoids the resulting security loss [AHK20, BFL20, FPS20, MTT19, RS20]. 4his approach is significantly refined by the work of Bellare and Dai [BD20, BD21], who introduced the following two-step modular analysis: (1) Given a (single-signer or multi-signer) signature scheme, identify a (possibly interactive) computational problem whose concrete hardness is tightly equivalent to the concrete security of the scheme, but which can be described in a more direct and elegant manner, and then (2) derive concrete security bounds by reducing this problem to the DL problem.However, using the forking lemma for these reductions then leads to the above-discussed concrete security gaps.Therefore, to avoid these gaps, the algebraic group model is nevertheless utilized.
Tighter concrete security without the algebraic group model?Rotem and Segev [RS21] provided tighter concrete security bounds for Σ-protocols and their associated Fiat-Shamir signature schemes [FS87,AABN02].Instead of analyzing security in an idealized algebraic model, they introduced a different forking technique, relying on the assumption that the underlying computational problem is "d-th moment hard": The success probability of any algorithm in solving it is dominated by the d-th moment of the algorithm's running time.Equipped with such an underlying assumption, their forking technique transforms a malicious attacker into an algorithm solving the underlying computational problem by optimizing the trade-off between the algorithm's success probability and the d-th moment of their running time.
In the concrete context of the DL problem, the assumption that the problem is dmoment hard states that any algorithm running in time T solves the DL problem with probability at most E[T d ]/p, where E[T d ] denotes the d-th moment of the distribution corresponding to the algorithm's running time (see Section 2.1 for the formal definition of d-moment hardness).Shoup's original proof shows that the DL problem is 2-moment hard in the generic-group model [Sho97], and thus the second-moment DL assumption can be viewed as a highly plausible strengthening of the DL assumption in any group where no better-than-generic algorithms are currently known.More generally, the recent work of Segev, Sharabi and Yogev [SSY23] provided a generic framework for analyzing the d-moment hardness of a wide range of computational problems (refining and extending the work of Jeager and Tessaro [JT20] on expected-time hardness).
The forking technique introduced by Rotem and Segev, however, was particularly geared towards analyzing the security of Σ-protocols and their associated Fiat-Shamir (single-signer) signature schemes.In contrast to the work of Bellare and Neven [BN06], they did not explicitly provide a stand-along probabilistic tool, or any other indication of the extent to which their approach may be applicable for other cryptographic purposessuch as obtaining tighter concrete security bounds for multi-signature schemes.

Our Contributions
In this work we first present an explicit high-moment forking lemma that distills the information-theoretic essence of the technique introduced by Rotem and Segev [RS21].Similarly to the general forking lemma of Bellare and Neven [BN06], our high-moment generalization consists of a stand-alone probabilistic lower bound, which does not involve any underlying cryptographic primitive (such as a signature scheme) or any idealized model (such as the random-oracle model).At a very high level, the key difference between our approach and that of Bellare and Neven is that whereas their forking lemma may be viewed as optimizing the tradeoff between the worst-case running time of the resulting forking algorithm and its success probability, our lemma focuses on optimizing the tradeoff between the d-th moment of its running time and its success probability.
Then, equipped with our lemma, we establish concrete security bounds for the BN and BLS multi-signature schemes that are tighter than the concrete security bounds established by Bellare and Neven [BN06] and Boneh, Drijvers and Neven [BDN18], respectively.Our tighter bounds are derived in the random-oracle model based on the standard-model second-moment hardness of the discrete logarithm problem (for the BN scheme) and the computational co-Diffie-Hellman problem (for the BLS scheme).We prove the following theorems (which, for simplicity, are stated here rather informally5 ): Theorem 1 (informal).Let G be a cyclic group of prime order p.Assuming that the DL problem is second-moment hard in G, then for any adversary that runs in time t, issues q H random oracle queries, and breaks the security of the BN multi-signature scheme with probability ϵ, it holds that ) be a triplet of cyclic groups of prime order p equipped with a bilinear map e : G 1 × G 2 → G t .Assuming that co-CDH problem is second-moment hard in G, then for any adversary that runs in time t, issues q H random oracle queries, and breaks the security of the BLS multi-signature scheme with probability ϵ, it holds that .
Recall, as discussed above, that the analysis of Bellare and Neven provided the bound ϵ ≤ (q H • t 2 /p) 1/2 , and the analysis of Boneh, Drijvers and Neven provided the bound ϵ ≤ (q 5 H • t 2 /p) 1/3 .Thus, compared to their bounds, our bounds are significantly tighter as we increase the exponent from 1/2 to 2/3 for the BN scheme, and from 1/3 to 2/3 for the BLS scheme.For example, from the practical perspective of a 256-bit group, the security bounds established by Bellare and Neven and by Boneh, Drijvers and Neven show that any attacker that runs in time at most t = 2 64 and issues at most q = 2 30 random oracle queries breaks the BN multi-signature scheme with probability at most 2 −49 and the BLS multi-signature scheme with probability at most 1.Our tighter bounds improve these to 2 −65 and 2 −35 , respectively.Although these bounds still do not match the best-possible "generic group" bound, we believe they provide a significant step towards better understanding these schemes without relying on idealized algebraic models.Tables 1 and 2 below provide additional such concrete examples.

Paper Organization
The remainder of this paper is organized as follows.First, in Section 2 we present the basic notions of d-th moment hardness and multi-signature schemes.In Section 3 we formalize and prove an explicit high-moment forking lemma.In Sections 4 and 5 we then rely on our lemma for establishing tighter concrete security bounds for the BN and BLS multi-signature schemes, respectively.

Preliminaries
For an integer n ∈ N we denote by [n] the set {1, . . ., n}.For a distribution X we denote by x ← X the process of sampling a value x from the distribution X.Similarly, for a set X we denote by x ← X the process of sampling a value x from the uniform distribution over X .In the remainder of this section, we present the notion of d-th moment hardness and the standard notion of security for multi-signature schemes.

d-th Moment Hardness
We consider relations R = {R λ } λ∈N , where R λ ⊆ X λ ×W λ for any λ ∈ N, and distributions D = {D λ } λ∈N where each D λ produces pairs (x, w) ∈ R λ .For any probabilistic algorithm A and for any input x ∈ {0, 1} * we denote by Time(A(x)) the random variable corresponding to the running time of the computation A(x) over the internal randomness of A.
We say that R is d-moment (∆, δ)-hard with respect to a distribution D = {D λ } λ∈N if for every algorithm A it holds that Pr for all sufficiently large λ ∈ N, where the probability is additionally taken over the internal randomness of A.
For the computational problems considered in this work (as discussed in the remainder of this section), the known generic-group hardness results show that it suffices to consider the above definition when setting ∆(λ) = 1 and δ(λ) = 1 for all λ ∈ N.For this setting of the parameters, we will simply say that a relation R is d-moment hard instead of d-moment (1, 1)-hard.When stating our results, we thus consider the setting of ∆(λ) = 1 and δ(λ) = 1, and note that all of our results in fact hold for any setting of ∆ and δ.
The DL and co-CDH relations.In Section 4, for proving a tighter concrete security bound for the BN scheme [BN06], we consider the above definition in the case of the discrete logarithm problem.In this case, the underlying distribution D and relation R are defined as follows: • The distribution D λ first invokes a group-generation algorithm GroupGen(1 λ ) for producing the description (G, p, g) of a cyclic group of order q that is generated by g, where p is a λ-bit prime.Then, it uniformly samples h ← G and lets x = (G, p, g, h).• The relation R consists of all such pairs ((G, p, g, h), w) where h = g w for w ∈ Z p .
As discussed by Rotem and Segev [RS21], given that the discrete logarithm problem is second-moment hard in the generic-group model [Sho97, JT20, SSY23], the assumption that the discrete logarithm (DL) problem is second-moment hard in the standard model can be viewed as capturing the problem's generic hardness in the form of a standard-model assumption.
Similarly, for proving a tighter concrete security bound for the BLS multi-signature scheme due to Boneh, Drijvers and Neven [BDN18], we consider the above definition in the case of the computational co-Diffie-Hellman problem (co-CDH).In this case, the underlying distribution D and relation R are defined as follows: • The distribution D first invokes a group-generation algorithm GroupGen(1 λ ) for producing the description (G 1 , G 2 , G t , p, g 1 , g 2 , e) of three cyclic groups of order p, where G 1 is generated by g 1 , G 2 is generated by g 2 , p is a λ-bit prime, and e : G 1 × G 2 → G t is an efficiently-computable non-degenerated bilinear map (in fact, the group G t and the bilinear map e are not essential in order to define the distribution D and the relation R).Then, it uniformly samples α, β ← Z p and lets The recent work of Segev, Sharabi and Yogev [SSY23] provided a generic framework for analyzing the d-moment hardness of a wide range of computational problems (refining and extending the work of Jeager and Tessaro [JT20] on expected-time hardness).Their framework, together with the classic generic hardness results for the computational Diffie-Hellman problem [Sho97], establish the second-moment hardness of the computational co-Diffie-Hellman problem in the generic-group model.

Multi-Signature Schemes
A multi-signature scheme [IN83,BN06] is a six-tuple Π = (Setup, KG, KeyAgg, Sign, SigAgg, Verify) of polynomial-time algorithms.The setup algorithm Setup receives as input the unary representation of the security parameter λ ∈ N and outputs public parameters pp.The key-generation algorithm KG receives as input the public parameters pp, and outputs a signing key sk and a verification key vk.The key-aggregation algorithm KeyAgg is a deterministic algorithm that takes as input the public parameters pp and a vector of verification keys ⃗ vk, and outputs an aggregated verification key aggvk. 6It should be noted that not all multi-signature schemes offer a non-trivial key-aggregation algorithm.In such cases (e.g., the BN scheme [BN06]), we can view its key-aggregation algorithm as the identity function that takes as input a vector ⃗ vk of verification keys and outputs it as the aggregated key aggvk.
For schemes with non-interactive signing, the signing algorithm Sign receives as input the public parameters pp, a signing key sk, a vector ⃗ vk of verification keys, and a message m that is taken from a message space M, and outputs a signature σ.For schemes with interactive signing, the signing algorithm defines an interactive protocol by additionally receiving as input at each round the relevant party's internal state and the communication produced by all other parties.The signature-aggregation algorithm SigAgg is a deterministic algorithm that takes as input the public parameters pp, a vector of verification keys ⃗ vk, and a vector of signatures ⃗ σ, and outputs an aggregated signature σ.Finally, the verification algorithm Verify receives as input the public parameters pp, an aggregated verification key aggvk, a message m and an aggregated signature σ, and outputs either 0 or 1.
In terms of correctness, we consider the following requirement, which we formalize for simplicity for schemes with non-interactive signing and without random oracles.We then discuss its standard extensions to consider interactive signing and random oracles.for ⃗ vk = (vk 1 , . . ., vk n ) and ⃗ σ = (σ 1 , . . ., σ n ), where the probability is taken over the choice of pp ← Setup(1 λ ), and over the choices of (sk i , vk i ) ← KG(pp) and As noted above, Definition 2 may be extended in various manners.These include, in particular, the following two standard extensions: • Interactive signing: Definition 2 extends to schemes with interactive signing by letting (σ 1 , . . ., σ n ) denote the local output of each party in the interactive signing protocol, where each party i ∈ [n] is provided with pp, sk i , ⃗ vk, m as input.We refer the reader to the work of Bellare and Dai [BD21] for a formal treatment of the correctness requirement for schemes with interactive signing.
• Random-oracle model: Definition 2 extends to schemes whose security is analyzed in the random-oracle model [BR93] by augmenting all algorithms with access to the random oracle, and considering all probabilities also over the randomness of the oracle.
In terms of security, the standard notion of security for multi-signature schemes [BN06] considers adversaries that obtain a single honestly-generated verification key vk, and can then adaptively issue any polynomial number of signing queries.Each such query consists of a message m and a set of signers in the form of a vector ⃗ vk of verification keys that contains the honestly-generated verification key vk.The goal of such an adversary is to output a triplet ⃗ vk * , m * , aggσ * , where: (1) ⃗ vk * contains the honestly-generated verification key vk, (2) the adversary did not issue a signing query for ⃗ vk * , m * , and (3) aggσ * is a valid aggregated signature on the message m * with respect to ⃗ vk * .This is captured by the following definition, which we again formalize for simplicity for schemes with non-interactive signing and without random oracles, and then discuss its standard extensions to consider interactive signing and random oracles.Definition 3. Let t = t(λ), q sign = q sign (λ), and ϵ = ϵ(λ) be functions of the security parameter λ ∈ N. A multi-signature scheme Π = (Setup, KG, KeyAgg, Sign, SigAgg, Verify) with non-interactive signing is (t, q sign , ϵ)-unforgeable if for any algorithm A that runs in time at most t and issues at most q sign signing queries, it holds that for all sufficiently large λ ∈ N, where the experiment Exp MultiSig Π (A, λ) is defined as follows: As discussed above, Definition 3 naturally extends to consider interactive signing and random oracles: • Interactive signing: Definition 3 extends to schemes with an interactive signing protocol by providing adversaries with access to a stateful signing oracle [BN06,BD21].This stateful oracle enables the initiation of new signing sessions and the execution of previously initiated ones in an adversarial manner.For our work, for the case of the BN scheme (whose signing is interactive), we do not directly analyze the security of the scheme and, therefore, do not require a formal extension of Definition 3 to schemes with interactive signing.Instead, we analyze the hardness of an interactive computational problem, which Bellare and Dai [BD21] proved to imply the security of their scheme.For the case of the BLS multi-signature scheme [BDN18], which we do analyze directly, Definition 3 suffices as the scheme has non-interactive signing.
• Random-oracle model: Definition 3 extends to schemes whose security is analyzed in the random-oracle model [BR93] by augmenting all algorithms (including the adversary) with access to the random oracle, introducing an additional parameter q H that upper bounds the number of direct random-oracle queries issued by the adversary, and considering all probabilities also over the randomness of the oracle.
A relaxed notion of unforgeability.The goal of the adversary in the experiment Exp MultiSig Π described in Definition 3 is to output a valid forgery ⃗ vk * , m * , aggσ * where: (1) ⃗ vk * contains the honestly-generated verification key vk, and (2) the adversary did not issue a signing query for ⃗ vk * , m * .However, Boneh and Drijvers and Neven [BDN18] proved the security of the BLS multi-signature scheme with respect to a more relaxed notion, in which the adversary is not allowed to issue any signing query involving the message m * .Formally, we denote by Exp rMultiSig Π the experiment corresponding to this relaxed notion, which is obtained from the experiment Exp MultiSig Π by replacing Item 4b with the requirement that A did not query the oracle Sign(pp, sk, •, •) with ⃗ vk, m * for any vector ⃗ vk of verification keys.On the one hand, it should be noted that the BLS scheme is, in fact, insecure with respect to the more standard notion.However, on the other hand, it can be easily modified into one that satisfies the more standard notion: Instead of signing a message m with respect to ⃗ vk, sign the message ( ⃗ vk, m) with respect to ⃗ vk.This simple modification does not introduce a significant overhead since the signed message is anyway first hashed via a random oracle, and essentially the exact same proof of Boneh and Drijvers and Neven goes through.However, to enable a direct-as-possible comparison to the concrete security bound proved by Boneh and Drijvers and Neven [BDN18], we analyze the concrete security of the BLS scheme with respect to this relaxed notion.
Asymptotic vs. fixed-group analysis.The above discussion of the security of multisignature schemes, as well as the discussion of the DL and co-CDH problems in Section 2.1, are of an asymptotic flavor.Specifically, they consider an explicit security parameter λ ∈ N which is given as input to a setup algorithm Setup(1 λ ) or group-generation algorithm GroupGen(1 λ ) (and thus indirectly also to all other algorithms), and provide guarantees for all sufficiently large λ ∈ N.
When analyzing the security of the BN and BLS multi-signature schemes in Sections 4 and 5, respectively, we follow a more concrete approach, in which a description of an underlying group is fixed in advance (its prime order p can essentially be viewed as a concrete analogous security parameter).It is important to note that we do not rely on any assumed properties related to the structure of the group (beyond its prime order) or to the representation of its elements.This standard approach enables to provide concrete security guarantees for any fixed-size candidate group in which the underlying cryptographic problems (e.g., DL or co-CDH) are assumed to be computationally hard (in our case, d-moment hard).

An Explicit High-Moment Forking Lemma
In this section we present an explicit high-moment forking lemma that distills the information-theoretic essence of the technique introduced by Rotem and Segev [RS21] in the form of a stand-alone probabilistic lower bound.As in the stand-alone forking lemma of Bellare and Neven [BN06], our lemma considers a randomized algorithm A that is provided with q + 1 inputs, where q ≥ 1 may be any integer.Its first input is a value x ∈ X , and its additional q inputs are values h 1 , . . ., h q ∈ C, for finite sets X and C. Given such input, the algorithm then outputs a pair (I, σ) ∈ {0, . . ., q} × {0, 1} * .We are interested in the distribution of the output pair (I, σ), where the value x is sampled from a given distribution X over the set X , and the values h 1 , . . ., h q are sampled independently and uniformly from the set C. We let X × C q denote the corresponding product distribution.
For any such algorithm A, and for any integer B ≥ 1, we define the following "forking" algorithm F A,B that is given as input a value x ∈ X (note that the case B = 1 corresponds to the forking algorithm of Bellare and Neven [BN06]): The Algorithm F A,B (x) 1. Sample h1, . . ., hq ← C and ρ ← {0, 1} * independently and uniformly.

If there exists an index j ∈ [B]
for which Ij = I0 and h (j) for the minimal such j, and otherwise output ⊥.
Recall that, as defined in Section 2.1, for any x ∈ X we denote by Time(F A,B (x)) the random variable corresponding to the running time of the computation F A,B (x; h 1 , . . ., h q , ρ) over the uniform choice of the randomness (h 1 , . . ., h q , ρ) ← C q × {0, 1} * .Equipped with our forking algorithm F A,B , we prove the following lemma: Lemma 1.Let q ≥ 1 and let A be a randomized algorithm that obtains q + 1 inputs with associated finite sets X and C as described above.In addition, let t be an upper bound on the worst-case running time of A, let X be a distribution over X , and let Proof of Lemma 1.We first prove the above lower bound on the success probability of F A,B (x) as a function of ϵ, B and q.For every i ∈ {1, . . ., q} and h 1 , . . ., h q ∈ C we let ⃗ h i = (h 1 , . . ., h i ), and we let ⃗ h 0 = ⊥.Based on the description of the algorithm F A,B , it holds that F A,B (x) ̸ = ⊥ if and only if I 0 ∈ {1, . . ., q} and there exists an index j ∈ [B] for which I j = I 0 and h (j) .
; ρ is a pair (I, σ) for which I > 0. At this point, since each value h (j) ℓ for ℓ ∈ {i, . . ., q} is uniformly sampled conditioned on x, ρ and ⃗ h i−1 , then instead of comparing it to the actual value h ℓ we can compare it to the lexicographically first such h * ℓ that produces I > 0.Then, where Eq. (1) follows from the fact that the events I 0 = i and B j=1 are independent conditioned on x, ρ and ⃗ h i−1 , and Eq.(2) follows from the fact that for any 1 ≤ j 1 ̸ = j 2 ≤ B the corresponding executions of A are independent.Now, via a union bound we obtain For every i, x, ρ, and h 1 , . . ., B and therefore where we let εi = E εi (x, ρ, ⃗ h i−1 ) for every i ∈ [q], and Eq.(3) follows from the following claim which is proved in Appendix A.1: , and using Jensen's inequality, we obtain: where Eq. (4) follows from the following claim which is proved in Appendix A.2: as required, where Eq. (5) follows from the assumption ϵ > 2 • q 2 /|C|.We now turn to upper bounding the d-th moment of the running time of the algorithm F A,B .Note that, when x ← X, then with probability 1 − ϵ the algorithm F A,B runs in time at most t, and with probability ϵ it runs in time at most (1 + B) • t.Therefore, where Eq. ( 6) following from our choice of B ≥ (1/ϵ) This concludes the proof of Lemma 1.

Tighter Concrete Security for BN Multi-Signatures
In this section we show that our high-moment forking lemma can be used for establishing a concrete security bound for the Bellare-Neven (BN) multi-signature scheme [BN06].Our starting point is the recent work of Bellare and Dai [BD21], who showed that the security of the Bellare-Neven multi-signature scheme is equivalent to the hardness of the identification discrete-logarithm (IDL) problem, introduced by Kiltz, Masny, and Pan [KMP16].Bellare and Dai showed that in the algebraic-group model [FKL18] the hardness of the IDL problem is equivalent to that of the DL problem.As previously discussed, the algebraic group model, however, is an idealized model which considers a rather restricted class of attackers (attackers which are assumed to provide an algebraic justification of each group element that they produce).In fact, in this model, the hardness of an extremely wide class of strong computational and decisional problems is known to be equivalent to that of the DL problem [FKL18, AHK20, BFL20, FPS20, MTT19, RS20]).
In the standard model, Kiltz, Masny, and Pan [KMP16] showed that the hardness of the IDL problem can be based on that of the DL problem using the forking lemma, once again leading to the square-root loss for the BN multi-signature scheme.By applying our high-moment forking lemma, assuming the second-moment hardness of the DL problem, we prove a tighter concrete hardness bound for the IDL problem in the standard model and, therefore, also for the Bellare-Neven multi-signature scheme.
For stating our theorem, recall that the BN scheme relies on a cyclic group G of prime order p that is generated by a given element g ∈ G, as well as on an integer ℓ.We let G = (G, p, g) denote the description of the group, and we let Π BN[G,ℓ] denote the BN scheme.The scheme relies on two hash functions, H 0 and H 1 , that are modeled as random oracles for the scheme's security analysis.These two hash functions are used to map arbitrary strings to the sets {0, 1} ℓ and Z p .That is, H 0 : {0, 1} * → {0, 1} ℓ and H 1 : {0, 1} * → Z p .We prove the following theorem: Theorem 5. Let G = (G, p, g), where G be a cyclic group of prime order p that is generated by an element g ∈ G, and let ℓ be an integer.Assuming that the DL problem is second-moment hard in the group G, then for any adversary A it holds that where: • t is an upper bound on the running time of the experiment Exp MultiSig Π BN[G,ℓ] (A).• q 0 , q 1 and q S are upper bounds on the number of H 0 -queries, H 1 -queries and signing queries issued during the experiment Exp MultiSig Π BN[G,ℓ] (A), respectively.• n is an upper bound on the largest signer set involved in a single multi-signature during the experiment Exp MultiSig Π BN[G,ℓ] (A).
Compared to the bound proved by Bellare and Dai [BD21], our bound is tighter by replacing their exponent 1/2 with our exponent 2/3.All other terms in our bound are exactly the same as in their bound (up to the multiplicative constant 32), as we explain in Section 4.2.In addition, note that as with the bound of Bellare and Dai, our bound is stated in terms of the parameters t, q 0 , q 1 and q S of the entire experiment Exp MultiSig Π BN[G,ℓ] (A) and not those of the adversary only (e.g., the number of H 0 and H 1 queries issued during the experiment consists of the number of such queries issued directly by the adversary and the number of such queries issued by the signing oracle).
In what follows we first describe the BN scheme Π BN[G,ℓ] .Then, in Section 4.1 we prove a tighter concrete hardness bound for the IDL problem in the standard model, which we use in Section 4.2 for deriving Theorem 5.For simplicity, in the following description of the scheme Π BN[G,ℓ] , we assume that all algorithms receive G = (G, p, g) and ℓ ∈ N as inputs, and we explicitly include them only for the key-generation algorithm.
and output 1 if and only if

IDL Hardness Based on Second-Moment DL Hardness
The identification discrete logarithm (IDL) problem, introduced by Kiltz, Masny, and Pan [KMP16] and further studied by Bellare and Dai [BD21], is parameterized by an integer q and a description (G, p, g) of a cyclic group as above.It considers an algorithm A that is provided with a uniformly distributed group element X ∈ G as input and may issue up to q queries to the following oracle O IDL : On input as query a group element R ∈ G, it samples and returns a challenge c, which is distributed uniformly and independently of all previous queries.Denoting by R 1 , . . ., R q the queries issued by A, and by c 1 , . . ., c q the corresponding challenges returned by the oracle, the goal of the algorithm A is to output a pair (I, z) for which I ∈ [q] and g z = R I • X c I .The advantage of such an algorithm A is formally captured by the following definition: where G be a cyclic group of prime order p that is generated by an element g ∈ G, and let q be an integer.For any algorithm A that issues at most q oracle queries, we define where the experiment Exp IDL G,q (A) is defined as follows: 1. X ← G.

(I, z)
3. Denote by R 1 , . . ., R q ∈ G the oracle queries issued by A, and by c 1 , . . ., c q ∈ Z p the corresponding responses.4. If I ∈ [q] and g z = R I • X c I then output 1 and otherwise output 0.
The following lemma shows that our high-moment forking lemma can be applied to derive a concrete hardness result for the IDL problem which improved upon the abovediscussed square-root loss without relying on idealized models [KMP16,BD21].
Lemma 2. Let G = (G, p, g), where G be a cyclic group of prime order p that is generated by an element g ∈ G, let A IDL be an algorithm that runs in time at most t and issues at most q oracle queries, and let ϵ = Adv IDL G,q (A IDL ).
Then, either ϵ < 2•q 2 p , or there exists an algorithm A DL such that Equipped with Lemma 2, we directly obtain the following corollary based on the second-moment hardness of the DL problem: Corollary 1.Let G = (G, p, g), where G be a cyclic group of prime order p that is generated by an element g ∈ G, and let A be an algorithm that runs in time at most t and issues at most q oracle queries.Then, assuming that the DL problem is second-moment hard in the group G, it holds that .
In what follows we prove Lemma 2 and Corollary 1.
Proof of Lemma 2. Let G = (G, p, g), where G be a cyclic group of prime order p that is generated by an element g ∈ G, and let A IDL be an algorithm that runs in time at most t and issues at most q oracle queries.First, we transform the algorithm A IDL into an algorithm A ′ IDL which is compatible with the Lemma 1.The algorithm A ′ IDL receives as input the group description G = (G, p, g), a group element X ∈ G and values c 1 , . . ., c q ∈ Z p , as well as randomness r ∈ {0, 1} * of the appropriate length for running A IDL , and is defined as follows: The Algorithm A ′ IDL (G, X, c 1 , ...., c q ; r) 1. Invoke A IDL (G, X; r).

For every i ∈ [q]
, when A IDL issues its ith oracle query Ri, respond with ci.
That is, the algorithm A ′ IDL emulates the experiment Exp IDL G,q (A IDL ) while using the values c 1 , . . ., c q as the responses of the oracle.Therefore, the running time of A ′ IDL is identical to the running time t of A IDL (for simplicity we ignore an additional minor additive term due to the verification of the equation g z = R I • X c I ), and it holds that Pr (X,c1,...,cq)←G×(Zp) q [A ′ IDL (G, X, c 1 , ..., c q ) = (I, (z, c I )) s.t.
Now, assuming that ϵ ≥ 2•q 2 p , we apply Lemma 1 with the algorithm A ′ IDL , the parameters q and d = 2, and with the sets X = G and C = Z p .This yields an algorithm F such that and where B = (1/ϵ) 1/2 − 1 .Equipped with the algorithm F , we can now define the following DL algorithm A DL : The Algorithm A DL (G, X) 2. Otherwise, denote by (I, (z, cI ), (z ′ , c ′ I )) the output of F , and output Note that the distribution of A DL 's running time is identical to that of F (for simplicity we are ignoring an additional minor additive term due to the computation of x).In addition, note that whenever F returns (I, (z, c I ), (z ′ , c ′ I )) then c I ̸ = c ′ I (thus c I − c ′ I can indeed be inverted modulo p), and it holds that Proof of Corollary 1.Let G = (G, p, g), where G be a cyclic group of prime order p that is generated by an element g ∈ G, let A IDL be an algorithm that runs in time at most t and issues at most q oracle queries, and let Lemma 2 stated that either ϵ < 2•q 2 p , or that there exists an algorithm and thus This implies that .
Taking into account also the case in which ϵ < 2•q 2 p , and the fact that q ≤ t, we obtain that , which settles the proof of Corollary 1.

Proof of Theorem 5
For deriving Theorem 5 we rely on the following theorem due to Bellare and Dai [BD21] (refining the original analysis of Bellare and Neven [BN06]): where G be a cyclic group of prime order p that is generated by an element g ∈ G, and let ℓ be an integer.For any adversary A that exists an adversary A ′ that such for all sufficiently large λ ∈ N, where: • The running time of A ′ is that of the experiment Exp MultiSig Π BN[G,ℓ] (A).• q 0 , q 1 and q S are upper bounds on the number of H 0 -queries, H 1 -queries and signing queries issued during the experiment Exp MultiSig Π BN[G,ℓ] (A), respectively.• n is an upper bound on the largest signer set involved in a single multi-signature during the experiment Exp MultiSig Π BN[G,ℓ] (A).
Theorem 5 now easily follows by replacing the term Adv IDL G,q1 (A ′ ) in the statement of Theorem 6 with the term 32 • q1•t 2 p 2/3 provided by Corollary 1.

Tighter Concrete Security for BLS Multi-Signatures
In this section we show that our high-moment forking lemma can be used for establishing a concrete security bound for the BLS multi-signature scheme, introduced and analyzed by Boneh and Drijvers and Neven [BDN18].For stating our theorem, recall that the BLS multi-signature scheme (which is described below) relies on an efficiently-computable non-degenerated bilinear map e : G 1 × G 2 → G t , where G 1 , G 2 and G t are cyclic groups of prime order p.We let G = (G 1 , G 2 , G t , p, g 1 , g 2 , e) denote the description of the groups and of the bilinear map, where g 1 and g 2 are generators of the groups G 1 and G 2 , respectively, and we let Π BLS[G] denote the BLS multi-signature scheme.Additionally, the scheme relies on two hash functions, H 0 and H 1 , that are modeled as random oracles for the scheme's security analysis.These two hash functions are used to map arbitrary strings to G 1 and Z p .That is, H 0 : {0, 1} * → G 1 and H 1 : {0, 1} * → Z p .We prove the following theorem:

e) as above. Assuming that the co-CDH problem is second-moment hard in G, then for any adversary A it holds that
, where: • t is an upper bound on the running time of the adversary A.
• q 0 , q 1 and q S are upper bounds on the number of H 0 -queries, H 1 -queries and signing queries issued by the adversary A, respectively.• n is an upper bound on the largest signer set involved in a single multi-signature during the experiment Exp rMultiSig Π BLS[G] (A).• τ exp 1 is the time required to compute an exponentiation in G 1 , and τ exp n 2 is the time required to compute an n-multi-exponentiation in G 2 .
Note that in the statement of the above theorem, unlike in the statement of Theorem 5 for the BN scheme, we have explicitly included the exponentiation times in G 1 and G 2 .This is due to the fact that the exponentiation times in these two groups may be rather different, whereas for the BN scheme there is only one group.
Additionally, as discussed in Section 2, to enable a direct-as-possible comparison to the concrete security bound proved by Boneh and Drijvers and Neven [BDN18], we analyze the concrete security of the BLS scheme with respect to the relaxed security experiment Exp rMultiSig Π .This security experiment is obtained from the standard security experiment Exp MultiSig Π for multi-signature schemes (see Definition 3) by asking that an adversary outputting ⃗ vk * , m * , aggσ * does not issue a signing query ⃗ vk, m * for any vector ⃗ vk of verification keys.As discussed in Section 2, the BLS scheme can be easily transformed into one that satisfies the standard notion.
For comparing our bound to the one proved by Boneh and Drijvers and Neven (see [BDN18, Thm.1]), note that Boneh and Drijvers and Neven transformed any malicious forger that runs in time t, issues q H = q 0 + q 1 random oracle queries and q S signing queries, and breaks the security of the scheme with probability ϵ into a co-CDH algorithm that runs in time and has success probability ϵ/(8q H ). Thus, in bilinear groups of prime order p in which one assumes that the co-CDH problem is as hard as in the generic bilinear-group model [Sho97, Mau05, BB08] (i.e., that any algorithm running in time T solves the co-CDH problem with probability at most T 2 /p), we obtain (when ignoring for simplicity the lower-order logarithmic term as well as multiplicative constants) the bound on the success probability of any such malicious forger.In contrast, Theorem 7 (when replacing q 0 and q 1 with q H that upper bounds them, and ignoring the multiplicative constant 2 2/3 ), provides the bound ϵ ≤ q 5/3 Thus, our bound is tighter by replacing their exponent 1/2 with our exponent 2/3 (with additional, although rather minor, improved dependence on the number of signing queries q S and multi-exponentiation time τ exp n 2 in G 2 ).In what follows we first describe the Π BLS[G] scheme.Then, we show that our forking lemma enables to transform any forger that attacks the scheme into a co-CDH algorithm designed in order to optimize the trade-off between second-moment of their running time and their success probability.Finally, we show that Theorem 7 then follows by combining the resulting trade-off with the assumption that the co-CDH problem is second-moment hard.For simplicity, in the following description of the scheme Π BLS[G] , we assume that all algorithms receive G = (G 1 , G 2 , G t , p, g 1 , g 2 , e) as input, and we explicitly include it only for the key-generation algorithm.

KeyAgg
Then, either ϵ < for B = (q 0 /ϵ) 1/2 − 1 , where: • t is an upper bound on the running time of the adversary A.
• q 0 , q 1 and q S are upper bounds on the number of H 0 -queries, H 1 -queries and signing queries issued by the adversary A, respectively.• n is an upper bound on the largest signer set involved in a single multi-signature during the experiment Exp rMultiSig Π BLS[G] (A).• τ exp 1 is the time required to compute an exponentiation in G 1 , and τ exp n 2 is the time required to compute an n-multi-exponentiation in G 2 .
Proof of Lemma 3. Let G = (G 1 , G 2 , G t , p, g 1 , g 2 , e) as above, and let A be an adversary that runs in time at most t and issues at most q S , q 0 and q 1 oracle queries to the signing oracle, H 0 and H 1 , respectively.Without loss of generality, we assume that A does not query either of these oracles more than once with the same input (since all three are deterministic), and that when A outputs a potential forgery ⃗ vk * , m * , σ * then it previously issued the H 1 query vk * , ⃗ vk * .For simplicity, we additionally assume that whenever A issues a signing query ⃗ vk, m , then A previously issued the queries H 0 m and H 1 vk * , ⃗ vk (this is not essential, and we discuss below how to avoid this assumption).
We transform the adversary A into an algorithm Ã that is compatible with Lemma 1.The algorithm Ã receives as input the group description G = (G 1 , G 2 , G t , p, g 1 , g 2 , e), a triplet X = g α 1 , g β 1 , g β 2 of group elements, values h 1 , . . ., h q1 ∈ Z p , as well as randomness ρ 1 , ρ 2 ∈ {0, 1} * , where ρ 1 will be used as Ã's own internal randomness and ρ 2 will be used as the randomness required for running A. The algorithm Ã is defined as follows: The Algorithm Ã g α 1 , g   We observe that for uniformly and independently distributed α, β, h 1 , . . ., h q1 ∈ Z p and ρ 1 , ρ 2 ∈ {0, 1} * , the algorithm Ã perfectly emulates the experiment Adv rMultiSig Π BLS[G] (A) to A, as long as A does not issue a signing query for the message m * .Therefore, letting In addition, in terms of Ã's running time, note that it invokes A, and performs the following additional computations (as common, we focus on counting the additional number of group operations): (1) For each H 0 -query Ã computes at most one exponentiation in G 1 , (2) for each signing query Ã computes at most one exponentiation in G 1 , and (3) when A provides an output Ã computes an n-multi-exponentiation in G 2 (for simplicity, we ignore an additional minor additive term due to the single pairing computed by Ã).Thus, upper bounds the worst-case running time of t Ã.Now, applying Lemma 1 for the algorithm Ã, C = Z p , q = q 1 and d = 2, we obtain that either ϵ/q 0 ≥ 2 • q 2 1 /p, or that the algorithm F Ã,B defined in Section 3 satisfies Pr α,β←Zp where B = (q 0 /ϵ) 1/2 −1 .Equipped with the algorithm F , consider the following co-CDH algorithm A co-CDH that receives as input G = (G 1 , G 2 , G t , p, g 1 , g 2 , e) and X = g α 1 , g β 1 , g β 2 : The Algorithm A co-CDH (G, X) 2. Otherwise, denote by I, σ, σ ′ , h1, . . ., hq 1 , h ′ I , . . ., h ′ q 1 the output produced by F Ã,B , and output (σ First, note that the distribution of A co-CDH 's running time is essentially identical to that of F Ã,B , where we ignore for simplicity the additional minor additive term due to the computation of its output (σ/σ ′ ) where h I ̸ = h ′ I .These two executions are identical up until Ã responds to the I-th H 1 -query issued by A, and therefore in both executions the I-th H 1 -query issued by A is the same vk Recall that when proving Lemma 3, we have assumed that whenever A issues a signing query ⃗ vk, m , then A previously issued the queries H 0 (m) and H 1 vk * , ⃗ vk .The simplest way to avoid this assumption is to transform A into a completely equivalent algorithm that issues these two queries upon any signing query.This would increase the number of H 0 -queries and H 1 -queries issued by A by an additive q S term, and thus have a minor effect on the resulting concrete security bound.However, as for the number of H 0 queries, this is not essential.Specifically, for avoiding a (potential) additional query H 0 (m) with each signing query, we can modify Ã as follows: Upon any signing query ⃗ vk, m , since it is guaranteed that m ̸ = m * (recall that we are considering the relaxed experiment as discussed following the statement of Theorem 7), then Ã can first execute Step 2(a)ii for sampling a value r ← Z p and defining H 0 (m) = g r 1 before proceeding to Step 2(c)iii.
Equipped with Lemma 3, we can now derive the proof of Theorem 7.
Taking into account also the case in which ϵ < 2q 0 • q 2 1 /p and using the fact that q 1 ≤ t, we obtain , which settles the proof of Theorem 7.

Table 1 :
A comparison of the concrete security guarantees for the Bellare-Neven multisignature scheme in the standard model.

Table 2 :
A comparison of the concrete security guarantees for the BLS multi-signature scheme in the standard model.
. Moreover, this also implies that in both executions A produces a forgery with respect to the same vk * and ⃗ vk * , where in the first execution it holds that H 1 vk * , ⃗ vk * = h I and in the second execution it holds that H 1 vk * , ⃗ vk * = h ′ I .Letting ⃗ vk * = vk * 1 , . .., vk * n , and denoting by ℓ ∈ [n] the index for which vk * = vk * ℓ , we observe that in both execution the values H 1 vk * i , ⃗ vk * are identical for every i ̸ = ℓ since these values are sampled the same internal randomness ρ 1 .The fact that A produces valid signatures σ and σ ′ in these two executions implies that * , ⃗ vk * ′ , g 2 ) = e g α 1 , (vk * ) 1/2 − 1 .Assuming the co-CDH problem is second-moment hard in G guarantees that