Abstract—Multi-signature is a protocol where a set of signatures jointly sign a message so that the final signature is significantly
shorter than concatenating individual signatures together. Recently, it finds applications in blockchain, where several users want to
jointly authorize a payment through a multi-signature. However, in this setting, there is no centralized authority and it could suffer from a
rogue key attack where the attacker can generate his own public keys. Further, to minimize the storage on blockchain, it is desired that
the aggregated public-key and the aggregated signature are both as short as possible. In this paper, we find a compiler that converts a
kind of identification (ID) scheme (which we call a linear ID) to a multi-signature so that both the aggregated public-key and the
aggregated signature have a size independent of the number of signers. Our compiler is provably secure. The advantage of our result
is that we reduce a multi-party problem to a weakly secure two-party problem. We realize our compiler with two ID schemes. The first is
Schnorr ID. The second is a new lattice-based ID scheme, which via our compiler gives the first regular lattice-based multi-signature
scheme with a key-and-signature size independent of the number of signers without a restart during the signing process.
