Abstract. In this talk, we revisit the security of the three-round threshold Schnorr signature scheme Sparkle, introduced by Crites, Komlo, and Maller (CRYPTO 2023). Sparkle has a simple and elegant design and was proposed to achieve security under adaptive corruptions. Subsequent work by Bacho et al. (EUROCRYPT 2024), however, identified a gap in the original security proof, even in the static corruption model. To address this issue, the authors proposed a modified construction, Sparkle+, which requires each party to sign its protocol view, introducing significant overhead. While static security of Sparkle+ was proven under the discrete-logarithm assumption, its adaptive-security proof was later shown to be flawed by Crites and Stewart (CRYPTO 2025). We show that no such modification is necessary. We provide new—and in fact tight—security proofs for the original Sparkle construction in both the static and adaptive corruption models. Our analysis resolves the gap identified by Bacho et al. via a novel reduction that correctly simulates the adversary's view. Static security is obtained via a tight reduction to our circular discrete-logarithm (CDL) assumption (CRYPTO 2025), and full adaptive security is obtained via a tight reduction to an interactive extension of CDL. We justify these assumptions in the elliptic-curve generic group model of Groth and Shoup (EUROCRYPT 2022).
Joint work: Ojaswi Acharya, Gavin Cho, Georg Fuchsbauer, Adam O'Neill, Marek Sefranek.
Presented at MPTS 2026: NIST Workshop on Multi-Party Threshold Schemes
Starts: January 26, 2026
Security and Privacy: cryptography