Fast Threshold ECDSA with Honest Majority

Abstract

ECDSA is a widely adopted digital signature standard. A number of threshold protocols for ECDSA have been developed that let a set of parties jointly generate the secret signing key and compute signatures, without ever revealing the signing key. Threshold protocols for ECDSA have seen recent interest, in particular due to the need for additional security in cryptocurrency wallets where leakage of the signing key is equivalent to an immediate loss of money.

We propose a threshold ECDSA protocol secure against an active adversary in the honest majority model with abort. Our protocol is efficient in terms of both computation and bandwidth usage, and it allows the parties to pre-process parts of the signature, such that once the message to sign becomes known, the they can compute a secret sharing of the signature very efficiently, using only local operations. We also show how to obtain fairness in the online phase at the cost of some additional work in the pre-processing, i.e., such that it either aborts during pre-processing phase, in which case nothing is revealed, or the signature is guaranteed to be delivered to all honest parties.

A Basic Tools and Definitions

1.1 A.1 Signature Schemes

Recall that a signature scheme is defined by three efficient algorithms: \(pk,sk\leftarrow \texttt {Gen}(1^\kappa )\); \(\sigma \leftarrow \texttt {Sign}_{sk}(M)\); \(b\leftarrow \texttt {Verify}_{pk}(M,\sigma )\) [22]. A signature scheme satisfies two properties:

• Correctness. With overwhelmingly high probability (in the security parameter \(\kappa \)) it must hold that all valid signatures must verify.

• Existential unforgeability. This is modeled with the following game \(\texttt {G}_{\texttt {FORGE}}\):

  • Run \(pk,sk\leftarrow \texttt {Gen}(1^\kappa )\); input pk to the adversary \(A\).

  • On \((\texttt {SIGN}, M)\) from \(A\):

    Return \(\sigma \leftarrow \texttt {Sign}_{sk}(M)\) to \(A\) and add M to a set Q.

  • On \((\texttt {FORGE}, M', \sigma ')\) from \(A\):

    If \(M'\notin Q\) and \(\texttt {Verify}_{pk}(M',\sigma ')=\top \), output \(\top \) and halt; else output \(\bot \) and halt.

  The signature scheme is existentially unforgeable if for any PPT \(A\) the probability \(\texttt {Pr}[\texttt {G}_{\texttt {FORGE}}=\top ]\) is negligible in \(\kappa \). That is, even with access to a signing oracle, no adversary can produce a valid signature.

A correct and existentially unforgeable signature scheme is simply called secure.

1.2 A.2 The DSA/ECDSA Standard

An instance of the DSA signature scheme  [21, 23] has the parameters

$$(G,q,g,H,F)\leftarrow \texttt {Gen}(1^\kappa )$$

where G is a cyclic group of order q with generator \(g\in G\), H a hash function \(H:\{0,1\}^*\mapsto Z_q\) and F a function \(F:G\mapsto Z_q\).

For \(a,b\in G\) we will let ab denote the group operation (multiplicative notation). For \(c\in Z_q\) and \(g\in G\) we let \(g^c\) denote \(gg\cdots g\), i.e., the group operation applied c times on g.

A key pair is generated by sampling uniformly the private key \(x\in Z_q\) and computing the public key as \(y=g^x\). Given a message \(M\in \{ 0, 1 \}^*\) a signature is computed as follows: Let \(m=H(M)\). Pick a random \(k\in Z_q\), set \(R=g^k\), \(r=F(R)\), \(s=k^{-1}(m+rx)\). The resulting signature is r, s. Given a public key y, a message M and signature r, s, one can verify the signature by computing \(m=H(M)\) and checking that \(r=F(g^{ms^{-1}}y^{rs^{-1}})\).

In DSA G is \(Z_p\) for some prime \(p>q\). In ECDSA G is generated by a point g on an elliptic curve over \(Z_p\) for some \(p>q\). In this case \(F:G\mapsto Z_q\) is the function that given \(R=(R_x,R_y)\in G\subset Z_p \times Z_p\) outputs \(R_x \mod q\).

ECDSA has been proved secure in the Generic Group Model assuming that computing the discrete log in G is hard, and assuming that H is collision resistant and uniform  [4].

Our protocol works for both DSA and ECDSA. In particular, it is suitable for ECDSA with the “Bitcoin” curve secp256k1 that is believed to have a 128-bit security level.

1.3 A.3 Shamir’s Secret Sharing

Recall that in Shamir’s secret sharing scheme [30] a dealer can secret share a value \(m\in Z_q\) (for a prime number q) among n parties by choosing a random degree t polynomial f(x) over \(Z_q\) subject to \(f(0)=m\). The dealer then sends a share \(m_i=f(i)\) to each party \(P_i\). This reveals no information about m as long as at most t parties are corrupted. We will use [m] to denote such a sharing where each party \(P_i\) holds a share \(m_i\).

If the dealer is honest, any subset of \(t+1\) parties can reconstruct the secret using Lagrange interpolation. More generally, one can compute the value f(j) for any value \(j\in Z_q\) on a degree t polynomial f() using Lagrange interpolation given values \(y_i=f(x_i)\) for any \(t+1\) distinct values \(x_i\). For the specific values \(f(1), f(2), \dots , f(t+1)\) we can efficiently compute f(j) for any \(j\in Z_q\) as

$$f(j)=\lambda _1 f(1) + \lambda _2 f(2) + \cdots + \lambda _{t+1} f(t+1)$$

where the Lagrange coefficients are defined as

$$\lambda _i := \prod _{1<m<t+1, m\ne i} \frac{j-m}{i-m}\,.$$

For example, for \(n=3\), \(t=1\) and \(j=3\) we have \(\lambda _1 = (3-2)/(1-2)=-1\) and \(\lambda _2=(3-1)/(2-1)=2\) so for any degree-1 polynomial \(f(x)=ax+b\) we can compute \(f(3)=-1\cdot f(1)+2 \cdot f(2)\).

For \(g\in G\) we will sometimes do Lagrange interpolation in “the exponent” as follows: For \(Y_1=g^{f(1)}, Y_2=g^{f(2)}, \dots , Y_{t+1}=g^{f(t+1)}\) define

$$ \texttt {ExpInt}(Y_1, Y_2, \dots Y_{t+1}; j) := \prod _{i=1}^{t+1}Y_i^{\lambda _i}=g^{\sum _{i=1}^{t+1}\lambda _i y_i} =g^{f(j)} \, .$$

We will also need to interpolate the value p(0) on a degree 2t polynomial p(x) from the \(2t+1\) values \(p(1), p(2), \dots , p(2t+1)\). We denote this function

$$\texttt {Int2t}(p(1), p(2), \dots , p(2t+1)) \, .$$

Recall that Shamir’s secret sharing scheme is linear. This means that once sharings \([m_1]\) and \([m_2]\) are established, and if the parties agree on a public constant \(a\in Z_q\) then they can compute \([a\cdot m_1]\) and \([m_1+m_2]\) efficiently, without communicating. We use \(a\cdot [m_1]\) and \([m_1] + [m_2]\) to denote these operations.