Abstract:
The adaptor signature scheme is an extension of the standard digital signature, which can create a “pre-signature” that implies the state of a hard relation (such as discrete logarithm problems) and can be transformed into a completed signature by the witness of the hard relation. The completed signature can be verified by the verification algorithm of a standard signature scheme. Intuitively, an adaptor signature has two properties: 1)only users who know the witness can transform the pre-signature into a completed signature; 2)any user may extract the witness through a pre-signature and a completed signature. Thus, the adaptor signature scheme can provide the atomic exchange property in the blockchain, and has been proved to be very widely used in practice. Based on the SM2 digital signature algorithm, a new adaptor signature scheme (SM2-AS) is constructed in this paper. This scheme can effectively match the SM2 signature scheme’s key generation, signature generation and signature verification algorithms. Moreover, under the random oracle model, we prove that the SM2-AS scheme is secure, that is, it satisfies the pre-signature correctness, pre-signature adaptability, existential unforgeability under chosen plaintext attacks, and witness extractability. Through theoretical analysis and experimental test, the performance of the SM2-AS scheme is comparable to that of ECDSA-based adaptor signature scheme, but obviously weaker than that of the Schnorr-based adaptor signature scheme.