English

upTPM: Unbounded Preprocessing for Schnorr Multi-Signatures on TPM

Cryptography and Security 2026-04-28 v2

Abstract

Schnorr-based multi-signature schemes support offline preprocessing of nonce commitments to reduce online signing to a single round. However, preprocessing is inherently bounded: each preprocessed nonce pair consumes signer-side storage, and once exhausted, an interactive commitment round is required to refill. This limitation is particularly severe for TPM~2.0 devices, where usable NVRAM is typically 6--16\,KB and connectivity is intermittent. This paper presents upTPM, a framework that achieves unbounded preprocessing with constant signer storage. Each TPM stores a single 32-byte secret seed from which an unlimited sequence of nonce commitments is deterministically derived. Commitments are published to an untrusted coordinator before use; nonce scalars never leave the TPM. We formalize three properties not provided by existing schemes: (1)~unbounded deterministic preprocessing with constant storage; (2)~asynchronous commitment refill, allowing any signer to unilaterally extend its commitment pool; and (3)~TPM-attested commitments, a hardware-backed authenticity and state-binding mechanism that strengthens resistance to host-software compromise. We prove EU-CMA security in the random oracle model under the discrete logarithm assumption and Pseudo Random Function (PRF) security, with a one-time-use invariant enforced by TPM hardware state. We extend the construction to (t,n)(t,n)-threshold signatures and provide a detailed analysis of coordinator trust, crash recovery, and performance evaluations.

Cite

@article{arxiv.2602.09707,
  title  = {upTPM: Unbounded Preprocessing for Schnorr Multi-Signatures on TPM},
  author = {Yunusa Simpa Abdulsalam and Mustapha Hedabou},
  journal= {arXiv preprint arXiv:2602.09707},
  year   = {2026}
}

Comments

This version substantially revises the earlier PiTPM design. The protocol and security model were redesigned to remove the earlier dependences and security flaws

R2 v1 2026-07-01T10:29:36.490Z