{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T15:16:30Z","timestamp":1778166990530,"version":"3.51.4"},"publisher-location":"Cham","reference-count":53,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032252906","type":"print"},{"value":"9783032252913","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-25291-3_8","type":"book-chapter","created":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T14:56:12Z","timestamp":1778165772000},"page":"215-245","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["DahLIAS: Discrete Logarithm-Based Interactive Aggregate Signatures"],"prefix":"10.1007","author":[{"given":"Jonas","family":"Nick","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6237-5228","authenticated-orcid":false,"given":"Tim","family":"Ruffing","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2948-9423","authenticated-orcid":false,"given":"Yannick","family":"Seurin","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,5,8]]},"reference":[{"key":"8_CR1","unstructured":"Script for computing the estimates in Table 2. https:\/\/github.com\/BlockstreamResearch\/cross-input-aggregation\/blob\/master\/savings.org"},{"key":"8_CR2","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"157","DOI":"10.1007\/978-3-030-84242-0_7","volume-title":"Advances in Cryptology \u2013 CRYPTO 2021","author":"H K\u0131l\u0131n\u00e7 Alper","year":"2021","unstructured":"K\u0131l\u0131n\u00e7 Alper, H., Burdges, J.: Two-round trip Schnorr multi-signatures via delinearized witnesses. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 157\u2013188. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-84242-0_7"},{"key":"8_CR3","doi-asserted-by":"publisher","unstructured":"Bellare, M., Crites, E.C., Komlo, C., Maller, M., Tessaro, S., Zhu, C.: Better than advertised security for non-interactive threshold signatures. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO\u00a02022, Part\u00a0IV. LNCS, vol. 13510, pp. 517\u2013550. Springer, Cham (2022). https:\/\/doi.org\/10.1007\/978-3-031-15985-5_18","DOI":"10.1007\/978-3-031-15985-5_18"},{"key":"8_CR4","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"607","DOI":"10.1007\/978-3-030-34618-8_21","volume-title":"Advances in Cryptology \u2013 ASIACRYPT 2019","author":"M Bellare","year":"2019","unstructured":"Bellare, M., Dai, W., Li, L.: The local forking lemma and its application to deterministic encryption. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11923, pp. 607\u2013636. Springer, Cham (2019). https:\/\/doi.org\/10.1007\/978-3-030-34618-8_21"},{"key":"8_CR5","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1007\/BFb0054130","volume-title":"Advances in Cryptology \u2014 EUROCRYPT\u201998","author":"M Bellare","year":"1998","unstructured":"Bellare, M., Garay, J.A., Rabin, T.: Fast batch verification for modular exponentiation and digital signatures. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 236\u2013250. Springer, Heidelberg (1998). https:\/\/doi.org\/10.1007\/BFb0054130"},{"key":"8_CR6","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"411","DOI":"10.1007\/978-3-540-73420-8_37","volume-title":"Automata, Languages and Programming","author":"M Bellare","year":"2007","unstructured":"Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdzi\u0144ski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411\u2013422. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-73420-8_37"},{"key":"8_CR7","doi-asserted-by":"publisher","unstructured":"Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more- RSA-inversion problems and the security of Chaum\u2019s blind signature scheme. J. Cryptol. 16(3), 185\u2013215 (2003). https:\/\/doi.org\/10.1007\/s00145-002-0120-1","DOI":"10.1007\/s00145-002-0120-1"},{"key":"8_CR8","doi-asserted-by":"publisher","unstructured":"Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: Juels, A., Wright, R.N., De Capitani di Vimercati, S. (eds.) ACM CCS 2006, pp. 390\u2013399. ACM Press (2006). https:\/\/doi.org\/10.1145\/1180405.1180453","DOI":"10.1145\/1180405.1180453"},{"key":"8_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"162","DOI":"10.1007\/3-540-45708-9_11","volume-title":"Advances in Cryptology \u2014 CRYPTO 2002","author":"M Bellare","year":"2002","unstructured":"Bellare, M., Palacio, A.: GQ and Schnorr identification schemes: proofs of security against impersonation under active and concurrent attacks. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 162\u2013177. Springer, Heidelberg (2002). https:\/\/doi.org\/10.1007\/3-540-45708-9_11"},{"key":"8_CR10","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"409","DOI":"10.1007\/11761679_25","volume-title":"Advances in Cryptology - EUROCRYPT 2006","author":"M Bellare","year":"2006","unstructured":"Bellare, M., Rogaway, P.: The security of triple encryption and a framework\u00a0for\u00a0code-based\u00a0game-playing\u00a0proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409\u2013426. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11761679_25"},{"key":"8_CR11","unstructured":"Bellare, M., Tessaro, S., Zhu, C.: Stronger security for non-interactive threshold signatures: BLS and FROST. Cryptology ePrint Archive, Report 2022\/833 (2022). https:\/\/eprint.iacr.org\/2022\/833"},{"key":"8_CR12","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1007\/978-3-030-77870-5_2","volume-title":"Advances in Cryptology \u2013 EUROCRYPT 2021","author":"F Benhamouda","year":"2021","unstructured":"Benhamouda, F., Lepoint, T., Loss, J., Orr\u00f9, M., Raykova, M.: On the (in)security of ROS. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 33\u201353. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-77870-5_2"},{"key":"8_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"416","DOI":"10.1007\/3-540-39200-9_26","volume-title":"Advances in Cryptology \u2014 EUROCRYPT 2003","author":"D Boneh","year":"2003","unstructured":"Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416\u2013432. Springer, Heidelberg (2003). https:\/\/doi.org\/10.1007\/3-540-39200-9_26"},{"key":"8_CR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"514","DOI":"10.1007\/3-540-45682-1_30","volume-title":"Advances in Cryptology \u2014 ASIACRYPT 2001","author":"D Boneh","year":"2001","unstructured":"Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514\u2013532. Springer, Heidelberg (2001). https:\/\/doi.org\/10.1007\/3-540-45682-1_30"},{"issue":"4","key":"8_CR15","doi-asserted-by":"publisher","first-page":"297","DOI":"10.1007\/s00145-004-0314-9","volume":"17","author":"D Boneh","year":"2004","unstructured":"Boneh, D., Lynn, B., Shacham, H.: Short Signatures from the Weil Pairing. J. Cryptol. 17(4), 297\u2013319 (2004). https:\/\/doi.org\/10.1007\/s00145-004-0314-9","journal-title":"J. Cryptol."},{"key":"8_CR16","doi-asserted-by":"publisher","unstructured":"Brendel, J., Cremers, C., Jackson, D., Zhao, M.: The provable security of Ed25519: theory and practice. In: 2021 IEEE Symposium on Security and Privacy, pp. 1659\u20131676. IEEE Computer Society Press (2021). https:\/\/doi.org\/10.1109\/SP40001.2021.00042","DOI":"10.1109\/SP40001.2021.00042"},{"key":"8_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"246","DOI":"10.1007\/978-3-540-72540-4_14","volume-title":"Advances in Cryptology - EUROCRYPT 2007","author":"J Camenisch","year":"2007","unstructured":"Camenisch, J., Hohenberger, S., Pedersen, M.\u00d8.: Batch verification of short signatures. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 246\u2013263. Springer, Heidelberg (2007). https:\/\/doi.org\/10.1007\/978-3-540-72540-4_14"},{"key":"8_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"577","DOI":"10.1007\/978-3-030-75539-3_24","volume-title":"Topics in Cryptology \u2013 CT-RSA 2021","author":"K Chalkias","year":"2021","unstructured":"Chalkias, K., Garillot, F., Kondi, Y., Nikolaenko, V.: Non-interactive half-aggregation of EdDSA and variants of Schnorr signatures. In: Paterson, K.G. (ed.) CT-RSA 2021. LNCS, vol. 12704, pp. 577\u2013608. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-75539-3_24"},{"key":"8_CR19","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"67","DOI":"10.1007\/978-3-030-64357-7_4","volume-title":"Security Standardisation Research","author":"K Chalkias","year":"2020","unstructured":"Chalkias, K., Garillot, F., Nikolaenko, V.: Taming the many EdDSAs. In: van der Merwe, T., Mitchell, C., Mehrnezhad, M. (eds.) SSR 2020. LNCS, vol. 12529, pp. 67\u201390. Springer, Cham (2020). https:\/\/doi.org\/10.1007\/978-3-030-64357-7_4"},{"issue":"2\u20133","key":"8_CR20","doi-asserted-by":"publisher","first-page":"141","DOI":"10.1007\/s10623-009-9334-7","volume":"55","author":"S Chatterjee","year":"2010","unstructured":"Chatterjee, S., Hankerson, D., Knapp, E., Menezes, A.: Comparing two pairing-based aggregate signature schemes. DCC 55(2\u20133), 141\u2013167 (2010). https:\/\/doi.org\/10.1007\/s10623-009-9334-7","journal-title":"DCC"},{"key":"8_CR21","doi-asserted-by":"publisher","unstructured":"Chen, Y., Zhao, Y.: Half-aggregation of Schnorr signatures with tight reductions. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds.) ESORICS\u00a02022, Part\u00a0II. LNCS, vol. 13555, pp. 385\u2013404. Springer, Cham (2022). https:\/\/doi.org\/10.1007\/978-3-031-17146-8_19","DOI":"10.1007\/978-3-031-17146-8_19"},{"key":"8_CR22","doi-asserted-by":"publisher","unstructured":"Chu, H., Gerhart, P., Ruffing, T., Schr\u00f6der, D.: Practical Schnorr threshold signatures without the algebraic group model. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO\u00a02023, Part\u00a0I. LNCS, vol. 14081, pp. 743\u2013773. Springer, Cham (2023). https:\/\/doi.org\/10.1007\/978-3-031-38557-5_24","DOI":"10.1007\/978-3-031-38557-5_24"},{"key":"8_CR23","unstructured":"Crites, E., Komlo, C., Maller, M.: How to prove Schnorr assuming Schnorr: Security of multi- and threshold signatures. Cryptology ePrint Archive, Report 2021\/1375 (2021). https:\/\/eprint.iacr.org\/2021\/1375"},{"key":"8_CR24","doi-asserted-by":"publisher","unstructured":"Crites, E.C., Katz, J., Komlo, C., Tessaro, S., Zhu, C.: On the adaptive security of FROST. In: Kalai, Y.T., Kamara, S.F. (eds.) CRYPTO\u00a02025, Part\u00a0VI. LNCS, vol. 16005, pp. 480\u2013511. Springer, Cham (2025). https:\/\/doi.org\/10.1007\/978-3-032-01887-8_16","DOI":"10.1007\/978-3-032-01887-8_16"},{"key":"8_CR25","doi-asserted-by":"publisher","unstructured":"Das, P., Erwig, A., Faust, S., Loss, J., Riahi, S.: The exact security of BIP32 wallets. In: Vigna, G., Shi, E. (eds.) ACM CCS 2021, pp. 1020\u20131042. ACM Press (2021). https:\/\/doi.org\/10.1145\/3460120.3484807","DOI":"10.1145\/3460120.3484807"},{"issue":"6","key":"8_CR26","doi-asserted-by":"publisher","first-page":"1373","DOI":"10.1007\/s10623-018-0535-9","volume":"87","author":"D Derler","year":"2018","unstructured":"Derler, D., Slamanig, D.: Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge. Des. Codes Crypt. 87(6), 1373\u20131413 (2018). https:\/\/doi.org\/10.1007\/s10623-018-0535-9","journal-title":"Des. Codes Crypt."},{"key":"8_CR27","doi-asserted-by":"publisher","unstructured":"Drijvers, M., et al.: On the security of two-round multi-signatures. In: 2019 IEEE Symposium on Security and Privacy, pp. 1084\u20131101. IEEE Computer Society Press (2019). https:\/\/doi.org\/10.1109\/SP.2019.00050","DOI":"10.1109\/SP.2019.00050"},{"key":"8_CR28","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1007\/0-387-34805-0_17","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 89 Proceedings","author":"A Fiat","year":"1990","unstructured":"Fiat, A.: Batch RSA. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 175\u2013185. Springer, New York (1990). https:\/\/doi.org\/10.1007\/0-387-34805-0_17"},{"key":"8_CR29","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"301","DOI":"10.1007\/978-3-662-49384-7_12","volume-title":"Public-Key Cryptography \u2013 PKC 2016","author":"N Fleischhacker","year":"2016","unstructured":"Fleischhacker, N., Krupp, J., Malavolta, G., Schneider, J., Schr\u00f6der, D., Simkin, M.: Efficient unlinkable sanitizable signatures from signatures with re-randomizable keys. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9614, pp. 301\u2013330. Springer, Heidelberg (2016). https:\/\/doi.org\/10.1007\/978-3-662-49384-7_12"},{"key":"8_CR30","unstructured":"Fujita, Y., Sakai, Y., Yamashita, K., Hanaoka, G.: On key substitution attacks against aggregate signatures and multi-signatures. Cryptology ePrint Archive, Paper 2024\/1728 (2024). https:\/\/eprint.iacr.org\/2024\/1728"},{"key":"8_CR31","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"257","DOI":"10.1007\/11745853_17","volume-title":"Public Key Cryptography - PKC 2006","author":"C Gentry","year":"2006","unstructured":"Gentry, C., Ramzan, Z.: Identity-based aggregate signatures. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 257\u2013273. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11745853_17"},{"key":"8_CR32","unstructured":"Jahr, F.: Cross-input signature aggregation for Bitcoin. Report of the Human Rights Foundation (2025). https:\/\/hrf.org\/latest\/cisa-research-paper\/"},{"key":"8_CR33","doi-asserted-by":"crossref","unstructured":"Khovratovich, D., Rothblum, R.D., Soukhanov, L.: How to prove false statements: Practical attacks on Fiat-Shamir. Cryptology ePrint Archive, Report 2025\/118 (2025). https:\/\/eprint.iacr.org\/2025\/118","DOI":"10.1007\/978-3-032-01887-8_1"},{"key":"8_CR34","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/978-3-030-81652-0_2","volume-title":"Selected Areas in Cryptography","author":"C Komlo","year":"2021","unstructured":"Komlo, C., Goldberg, I.: FROST: flexible round-optimized Schnorr threshold signatures. In: Dunkelman, O., Jacobson, Jr., M.J., O\u2019Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 34\u201365. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-81652-0_2"},{"issue":"1","key":"8_CR35","doi-asserted-by":"publisher","first-page":"41","DOI":"10.1007\/S12095-017-0253-6","volume":"10","author":"M Lacharit\u00e9","year":"2018","unstructured":"Lacharit\u00e9, M.: Security of BLS and BGLS signatures in a multi-user setting. Cryptogr. Commun. 10(1), 41\u201358 (2018). https:\/\/doi.org\/10.1007\/S12095-017-0253-6","journal-title":"Cryptogr. Commun."},{"key":"8_CR36","unstructured":"Lombrozo, E., Lau, J., Wuille, P.: Segregated witness (consensus layer). Bitcoin Improvement Proposal 141 (2015). https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0141.mediawiki"},{"key":"8_CR37","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"465","DOI":"10.1007\/11761679_28","volume-title":"Advances in Cryptology - EUROCRYPT 2006","author":"S Lu","year":"2006","unstructured":"Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465\u2013485. Springer, Heidelberg (2006). https:\/\/doi.org\/10.1007\/11761679_28"},{"key":"8_CR38","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"74","DOI":"10.1007\/978-3-540-24676-3_5","volume-title":"Advances in Cryptology - EUROCRYPT 2004","author":"A Lysyanskaya","year":"2004","unstructured":"Lysyanskaya, A., Micali, S., Reyzin, L., Shacham, H.: Sequential aggregate signatures from trapdoor permutations. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 74\u201390. Springer, Heidelberg (2004). https:\/\/doi.org\/10.1007\/978-3-540-24676-3_5"},{"key":"8_CR39","unstructured":"Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to Bitcoin. Cryptology ePrint Archive, Report 2018\/068 (2018). https:\/\/eprint.iacr.org\/2018\/068"},{"issue":"9","key":"8_CR40","doi-asserted-by":"publisher","first-page":"2139","DOI":"10.1007\/s10623-019-00608-x","volume":"87","author":"G Maxwell","year":"2019","unstructured":"Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to Bitcoin. Des. Codes Crypt. 87(9), 2139\u20132164 (2019). https:\/\/doi.org\/10.1007\/s10623-019-00608-x","journal-title":"Des. Codes Crypt."},{"key":"8_CR41","doi-asserted-by":"publisher","unstructured":"Naccache, D., M\u2019Ra\u00efhi, D., Vaudenay, S., Raphaeli, D.: Can D.S.A. be improved? \u2014 Complexity trade-offs with the digital signature standard \u2014. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 77\u201385. Springer, Heidelberg (1995). https:\/\/doi.org\/10.1007\/BFb0053426","DOI":"10.1007\/BFb0053426"},{"key":"8_CR42","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"189","DOI":"10.1007\/978-3-030-84242-0_8","volume-title":"Advances in Cryptology \u2013 CRYPTO 2021","author":"J Nick","year":"2021","unstructured":"Nick, J., Ruffing, T., Seurin, Y.: MuSig2: simple two-round Schnorr multi-signatures. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 189\u2013221. Springer, Cham (2021). https:\/\/doi.org\/10.1007\/978-3-030-84242-0_8"},{"key":"8_CR43","unstructured":"Nick, J., Ruffing, T., Seurin, Y.: DahLIAS: discrete logarithm-based interactive aggregate signatures. Cryptology ePrint Archive, Report 2025\/692 (2025). https:\/\/eprint.iacr.org\/2025\/692, full version of this paper"},{"key":"8_CR44","unstructured":"Quan, N.T.M.: 0. Cryptology ePrint Archive, Report 2021\/323 (2021). https:\/\/eprint.iacr.org\/2021\/323"},{"key":"8_CR45","unstructured":"Quan, N.T.M.: Attacks and weaknesses of BLS aggregate signatures. Cryptology ePrint Archive, Report 2021\/377 (2021). https:\/\/eprint.iacr.org\/2021\/377"},{"key":"8_CR46","unstructured":"Ruffing, T.: The post-quantum security of Bitcoin\u2019s Taproot as a commitment scheme. Cryptology ePrint Archive, Report 2025\/1307 (2025). https:\/\/eprint.iacr.org\/2025\/1307"},{"key":"8_CR47","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"239","DOI":"10.1007\/0-387-34805-0_22","volume-title":"Advances in Cryptology \u2014 CRYPTO\u2019 89 Proceedings","author":"CP Schnorr","year":"1990","unstructured":"Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239\u2013252. Springer, New York (1990). https:\/\/doi.org\/10.1007\/0-387-34805-0_22"},{"issue":"3","key":"8_CR48","doi-asserted-by":"publisher","first-page":"161","DOI":"10.1007\/BF00196725","volume":"4","author":"CP Schnorr","year":"1991","unstructured":"Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161\u2013174 (1991). https:\/\/doi.org\/10.1007\/BF00196725","journal-title":"J. Cryptol."},{"key":"8_CR49","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"288","DOI":"10.1007\/3-540-45708-9_19","volume-title":"Advances in Cryptology \u2014 CRYPTO 2002","author":"D Wagner","year":"2002","unstructured":"Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288\u2013304. Springer, Heidelberg (2002). https:\/\/doi.org\/10.1007\/3-540-45708-9_19"},{"key":"8_CR50","unstructured":"Wuille, P.: Hierarchical deterministic wallets. Bitcoin Improvement Proposal 32 (2012). https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0032.mediawiki"},{"key":"8_CR51","unstructured":"Wuille, P., Nick, J., Ruffing, T.: Schnorr signatures for secp256k1. Bitcoin Improvement Proposal 340 (2020). https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0340.mediawiki"},{"key":"8_CR52","unstructured":"Wuille, P., Nick, J., Towns, A.: Taproot: Segwit version 1 spending rules. Bitcoin Improvement Proposal 341 (2020). https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0341.mediawiki"},{"key":"8_CR53","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1007\/BFb0034842","volume-title":"Advances in Cryptology \u2014 ASIACRYPT \u201996","author":"J Zhou","year":"1996","unstructured":"Zhou, J., Gollmann, D.: Observations on non-repudiation. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 133\u2013144. Springer, Heidelberg (1996). https:\/\/doi.org\/10.1007\/BFb0034842"}],"container-title":["Lecture Notes in Computer Science","Advances in Cryptology \u2013 EUROCRYPT 2026"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-25291-3_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T14:56:21Z","timestamp":1778165781000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-25291-3_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9783032252906","9783032252913"],"references-count":53,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-25291-3_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"8 May 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"EUROCRYPT","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Annual International Conference on the Theory and Applications of Cryptographic Techniques","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Rome","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Italy","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2026","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10 May 2026","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 May 2026","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"45","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"eurocrypt2026","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/eurocrypt.iacr.org\/2026\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}