The Multi-User Constrained Pseudorandom Function Security of Generalized GGM Trees for MPC and Hierarchical Wallets
ACM Transactions on Privacy and Security (IF 2.3). Pub Date: 2023-06-26. DOI: https://dl.acm.org/doi/10.1145/3592608
Chun Guo, Xiao Wang, Xiang Xie, Yu Yu

Multi-user (mu) security considers large-scale attackers that, given access to a number of cryptosystem instances, attempt to compromise at least one of them. We initiate the study of mu security of the so-called GGM tree that stems from the pseudorandom generator to pseudorandom function transformation of Goldreich, Goldwasser, and Micali, with a goal to provide references for its recently popularized use in applied cryptography. We propose a generalized model for GGM trees and analyze its mu prefix-constrained pseudorandom function security in the random oracle model. Our model allows us to derive concrete bounds and improvements for various protocols, and we showcase this on the Bitcoin-Improvement-Proposal standard Bip32 hierarchical wallets and on function secret sharing protocols. In both scenarios, we propose improvements with better performance and concrete security bounds at the same time. Compared with the state-of-the-art designs, our SHACAL3- and Keccak-p-based Bip32 variants reduce the communication cost of MPC-based implementations by 73.3% to 93.8%, whereas our AES-based function secret sharing substantially improves mu security while reducing computations by 50%.
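As an added illustration (not code from the paper or its authors), the textbook binary GGM tree PRF together with the prefix-constrained keys the abstract refers to, modelling the length-doubling PRG with SHA-256 as a random oracle; the paper's generalized model and its concrete bounds are not reproduced here, and the domain-separation prefixes and the sample key are assumptions.

```python
import hashlib


def prg(seed: bytes) -> tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)).

    Modelled as a random oracle: SHA-256 over a one-byte domain-separation
    label and the seed (the labels 0x00/0x01 are an assumption of this demo).
    """
    return (hashlib.sha256(b"\x00" + seed).digest(),
            hashlib.sha256(b"\x01" + seed).digest())


def ggm_eval(key: bytes, x: str) -> bytes:
    """GGM PRF F(key, x): walk from the root along the bits of x.

    Each bit selects the left (0) or right (1) half of the PRG output, so the
    leaf reached for x is the PRF value; x is a bit string such as "0110".
    """
    node = key
    for bit in x:
        node = prg(node)[int(bit)]
    return node


def constrain(key: bytes, prefix: str) -> tuple[str, bytes]:
    """Prefix-constrained key for all inputs starting with `prefix`.

    It is simply the subtree root reached by walking `prefix`; holding it lets
    a party (an MPC participant or a wallet sub-account) evaluate every leaf
    below it, while leaves under other prefixes stay pseudorandom to it.
    """
    return (prefix, ggm_eval(key, prefix))


def constrained_eval(ckey: tuple[str, bytes], x: str) -> bytes:
    """Evaluate F(key, x) from a constrained key; refuse inputs outside its prefix."""
    prefix, subroot = ckey
    if not x.startswith(prefix):
        raise ValueError("input outside the constrained prefix")
    return ggm_eval(subroot, x[len(prefix):])


def demo() -> bool:
    """Constructed sample: a fixed 32-byte root key (demo value, not a real secret)."""
    root = bytes(range(32))
    ckey = constrain(root, "01")
    # The constrained key reproduces the PRF on its own subtree only.
    return constrained_eval(ckey, "0110") == ggm_eval(root, "0110")
```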


Updated: 2023-06-26