Abstract
ECDSA is a widely adopted digital signature standard. A number of threshold protocols for ECDSA have been developed that let a set of parties jointly generate the secret signing key and compute signatures, without ever revealing the signing key. Threshold protocols for ECDSA have seen recent interest, in particular due to the need for additional security in cryptocurrency wallets where leakage of the signing key is equivalent to an immediate loss of money.
We propose a threshold ECDSA protocol secure against an active adversary in the honest majority model with abort. Our protocol is efficient in terms of both computation and bandwidth usage, and it allows the parties to pre-process parts of the signature, such that once the message to sign becomes known, they can compute a secret sharing of the signature very efficiently, using only local operations. We also show how to obtain fairness in the online phase at the cost of some additional work in the pre-processing, i.e., such that the protocol either aborts during the pre-processing phase, in which case nothing is revealed, or the signature is guaranteed to be delivered to all honest parties.
Notes
- 1.
- 2.
- 3. It still holds that no interaction is required among the parties in the online phase. But the trick used in our basic protocol of blinding [s] with \(m[d]+[e]\) only works for degree 2t sharings. So unlike our basic protocol, we here require that the honest parties agree on M.
- 4. Interpolating in the exponent requires \(t+1\) exponentiations, but the exponents in this case are Lagrange coefficients, which for realistic parameters are quite small. For example, for \(n=3\) and \(t=1\) the exponents are \((\lambda _1,\lambda _2)=(-1, 2)\), and so these are not considered “long” curve multiplications.
- 5. In the WAN setting, since we use only three different regions, with \(n>3\) this means that some of the parties run in the same region. However, since the overall latency of the protocol is determined by the pair-wise connection with the largest latency, this makes no difference.
References
Andresen, G.: BIP-11: M-of-n standard transactions. https://github.com/bitcoin/bips/blob/master/bip-0011.mediawiki. Accessed 15 Apr 2020
Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_13
Boneh, D., Gennaro, R., Goldfeder, S.: Using level-1 homomorphic encryption to improve threshold DSA signatures for bitcoin wallet security. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 352–377. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_19
Brown, D.R.L.: Generic groups, collision resistance, and ECDSA. Des. Codes Cryptography 35(1), 119–152 (2005). https://doi.org/10.1007/s10623-003-6154-z
Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_2
Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7
Chida, K., et al.: Fast large-scale honest-majority MPC for malicious adversaries. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 34–64. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_2
Cramer, R., Damgård, I., Ishai, Y.: Share conversion, pseudorandom secret-sharing and applications to secure computation. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 342–362. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_19
Dalskov, A.P.K., Keller, M., Orlandi, C., Shrishak, K., Shulman, H.: Securing DNSSEC keys via threshold ECDSA from generic MPC. IACR Cryptology ePrint Archive, vol. 2019, p. 889 (2019). https://eprint.iacr.org/2019/889
Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergård, M.B.: Fast threshold ECDSA with honest majority. IACR Cryptology ePrint Archive, vol. 2020, p. 501 (2020). https://eprint.iacr.org/2020/501
Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, San Francisco, California, USA, 21–23 May 2018, pp. 980–997. IEEE Computer Society (2018). https://doi.org/10.1109/SP.2018.00036
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, 19–23 May 2019, pp. 1051–1066. IEEE (2019). https://doi.org/10.1109/SP.2019.00024
Furukawa, J., Lindell, Y., Nof, A., Weinstein, O.: High-throughput secure three-party computation for malicious adversaries and an honest majority. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017, Part II. LNCS, vol. 10211, pp. 225–255. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_8
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1179–1194. ACM (2018). https://doi.org/10.1145/3243734.3243859
Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_21
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. Inf. Comput. 164(1), 54–84 (2001). https://doi.org/10.1006/inco.2000.2881
Johnson, D., Menezes, A., Vanstone, S.A.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Sec. 1(1), 36–63 (2001). https://doi.org/10.1007/s102070100002
Katz, J., Lindell, Y.: Introduction to Modern Cryptography, 2nd edn. CRC Press, Boca Raton (2014)
Kerry, C.F., Secretary, A., Director, C.R.: FIPS PUB 186-4: Digital Signature Standard (DSS), July 2013. http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 613–644. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_21
Lindell, Y., Nof, A.: A framework for constructing fast MPC over arithmetic circuits with malicious adversaries and an honest-majority. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, 30 October–03 November 2017, pp. 259–276. ACM (2017). https://doi.org/10.1145/3133956.3133999
Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1837–1854. ACM (2018). https://doi.org/10.1145/3243734.3243788
MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. Int. J. Inf. Secur. 2(3), 218–239 (2004). https://doi.org/10.1007/s10207-004-0041-0
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Perrin, T.: The noise protocol framework (2015). http://www.noiseprotocol.org
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). https://doi.org/10.1145/359168.359176
Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15
Smart, N.P., Talibi Alaoui, Y.: Distributing any elliptic curve based protocol. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 342–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_17
Stinson, D.R., Strobl, R.: Provably secure distributed Schnorr signatures and a (t, n) threshold scheme for implicit certificates. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 417–434. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-47719-5_33
Wuille, P.: BIP-32: hierarchical deterministic wallets. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki. Accessed 15 Apr 2020
A Basic Tools and Definitions
A.1 Signature Schemes
Recall that a signature scheme is defined by three efficient algorithms: \(pk,sk\leftarrow \texttt {Gen}(1^\kappa )\); \(\sigma \leftarrow \texttt {Sign}_{sk}(M)\); \(b\leftarrow \texttt {Verify}_{pk}(M,\sigma )\) [22]. A signature scheme satisfies two properties:
- Correctness. With overwhelming probability (in the security parameter \(\kappa \)), every valid signature verifies.
- Existential unforgeability. This is modeled with the following game \(\texttt {G}_{\texttt {FORGE}}\):
  - Run \(pk,sk\leftarrow \texttt {Gen}(1^\kappa )\); input pk to the adversary \(A\).
  - On \((\texttt {SIGN}, M)\) from \(A\): return \(\sigma \leftarrow \texttt {Sign}_{sk}(M)\) to \(A\) and add M to a set Q.
  - On \((\texttt {FORGE}, M', \sigma ')\) from \(A\): if \(M'\notin Q\) and \(\texttt {Verify}_{pk}(M',\sigma ')=\top \), output \(\top \) and halt; else output \(\bot \) and halt.

  The signature scheme is existentially unforgeable if for any PPT \(A\) the probability \(\texttt {Pr}[\texttt {G}_{\texttt {FORGE}}=\top ]\) is negligible in \(\kappa \). That is, even with access to a signing oracle, no adversary can produce a valid signature on a message it did not query.

A correct and existentially unforgeable signature scheme is simply called secure.
A.2 The DSA/ECDSA Standard
An instance of the DSA signature scheme [21, 23] has the parameters
where G is a cyclic group of order q with generator \(g\in G\), H a hash function \(H:\{0,1\}^*\mapsto Z_q\) and F a function \(F:G\mapsto Z_q\).
For \(a,b\in G\) we will let ab denote the group operation (multiplicative notation). For \(c\in Z_q\) and \(g\in G\) we let \(g^c\) denote \(gg\cdots g\), i.e., the group operation applied c times on g.
A key pair is generated by sampling uniformly the private key \(x\in Z_q\) and computing the public key as \(y=g^x\). Given a message \(M\in \{ 0, 1 \}^*\) a signature is computed as follows: Let \(m=H(M)\). Pick a random \(k\in Z_q\), set \(R=g^k\), \(r=F(R)\), \(s=k^{-1}(m+rx)\). The resulting signature is r, s. Given a public key y, a message M and signature r, s, one can verify the signature by computing \(m=H(M)\) and checking that \(r=F(g^{ms^{-1}}y^{rs^{-1}})\).
In DSA G is \(Z_p\) for some prime \(p>q\). In ECDSA G is generated by a point g on an elliptic curve over \(Z_p\) for some \(p>q\). In this case \(F:G\mapsto Z_q\) is the function that given \(R=(R_x,R_y)\in G\subset Z_p \times Z_p\) outputs \(R_x \mod q\).
ECDSA has been proved secure in the Generic Group Model assuming that computing the discrete log in G is hard, and assuming that H is collision resistant and uniform [4].
Our protocol works for both DSA and ECDSA. In particular, it is suitable for ECDSA with the “Bitcoin” curve secp256k1 that is believed to have a 128-bit security level.
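The signing and verification equations above, as an added example that is not part of the paper: a textbook (EC)DSA implementation on secp256k1 in plain Python, with H instantiated as SHA-256 reduced modulo q and F as the x-coordinate reduction described above. The curve constants are the standard secp256k1 domain parameters; the key and nonce values in the usage lines are constructed. The arithmetic is not constant-time, so the block illustrates the algebra of the standard only.

```python
# Added example: textbook (EC)DSA keygen/sign/verify from Appendix A.2 on secp256k1.
# Not the paper's code. Plain-integer, non-constant-time arithmetic for illustration.
import hashlib
import secrets

# secp256k1: curve y^2 = x^3 + 7 over Z_p, generator g = (GX, GY) of prime order q = Q
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)
INF = None  # point at infinity, the group identity


def ec_add(p1, p2):
    """Group operation on affine points (the paper's multiplicative 'ab')."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                      # p1 = -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(c, pt):
    """g^c in the paper's notation: the group operation applied c times (double-and-add)."""
    result, addend = INF, pt
    while c:
        if c & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        c >>= 1
    return result


def H(msg: bytes) -> int:
    """H: {0,1}* -> Z_q, instantiated here as SHA-256 reduced mod q (an assumption)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def F(R) -> int:
    """F: G -> Z_q, the ECDSA conversion R = (R_x, R_y) -> R_x mod q."""
    return R[0] % Q


def keygen(x=None):
    """Private key x uniform in Z_q (or a caller-supplied one), public key y = g^x."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, ec_mul(x, G)


def sign(x, msg: bytes, k=None):
    """(r, s) with R = g^k, r = F(R), s = k^-1 (m + r x) mod q; k is resampled if r or s is 0."""
    m = H(msg)
    while True:
        k = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = F(ec_mul(k, G))
        s = pow(k, -1, Q) * (m + r * x) % Q
        if r != 0 and s != 0:
            return r, s
        k = None  # degenerate nonce (practically never happens): draw a fresh one


def verify(y, msg: bytes, sig) -> bool:
    """Check r = F(g^{m s^-1} y^{r s^-1}) after range-checking r and s."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    m = H(msg)
    w = pow(s, -1, Q)
    R = ec_add(ec_mul(m * w % Q, G), ec_mul(r * w % Q, y))
    return R is not INF and F(R) == r


if __name__ == "__main__":
    x, y = keygen()                      # fresh random key pair
    sig = sign(x, b"constructed sample message")
    print("valid:", verify(y, b"constructed sample message", sig))
    print("tampered:", verify(y, b"constructed sample messagE", sig))
```

The `while` loop in `sign` handles the one edge case the standard requires (r = 0 or s = 0); everything else is a direct transcription of the equations in the text, which is what makes the threshold variants of the paper possible: every step is either a group exponentiation or a linear operation over \(Z_q\) once \(k^{-1}\) is available.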
A.3 Shamir’s Secret Sharing
Recall that in Shamir’s secret sharing scheme [30] a dealer can secret share a value \(m\in Z_q\) (for a prime number q) among n parties by choosing a random degree t polynomial f(x) over \(Z_q\) subject to \(f(0)=m\). The dealer then sends a share \(m_i=f(i)\) to each party \(P_i\). This reveals no information about m as long as at most t parties are corrupted. We will use [m] to denote such a sharing where each party \(P_i\) holds a share \(m_i\).
If the dealer is honest, any subset of \(t+1\) parties can reconstruct the secret using Lagrange interpolation. More generally, one can compute the value f(j) for any value \(j\in Z_q\) on a degree t polynomial f() using Lagrange interpolation given values \(y_i=f(x_i)\) for any \(t+1\) distinct values \(x_i\). For the specific values \(f(1), f(2), \dots , f(t+1)\) we can efficiently compute f(j) for any \(j\in Z_q\) as
where the Lagrange coefficients are defined as
For example, for \(n=3\), \(t=1\) and \(j=3\) we have \(\lambda _1 = (3-2)/(1-2)=-1\) and \(\lambda _2=(3-1)/(2-1)=2\) so for any degree-1 polynomial \(f(x)=ax+b\) we can compute \(f(3)=-1\cdot f(1)+2 \cdot f(2)\).
For \(g\in G\) we will sometimes do Lagrange interpolation in “the exponent” as follows: For \(Y_1=g^{f(1)}, Y_2=g^{f(2)}, \dots , Y_{t+1}=g^{f(t+1)}\) define
We will also need to interpolate the value p(0) on a degree 2t polynomial p(x) from the \(2t+1\) values \(p(1), p(2), \dots , p(2t+1)\). We denote this function
Recall that Shamir’s secret sharing scheme is linear. This means that once sharings \([m_1]\) and \([m_2]\) are established, and if the parties agree on a public constant \(a\in Z_q\) then they can compute \([a\cdot m_1]\) and \([m_1+m_2]\) efficiently, without communicating. We use \(a\cdot [m_1]\) and \([m_1] + [m_2]\) to denote these operations.
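The sharing, interpolation and linearity facts of this section, as an added example that is not the paper's code. It works over a constructed toy DSA-style group (the order-q subgroup of \(Z_p^*\) with p = 607, q = 101, chosen small for readability) so that interpolation “in the exponent” is plain modular exponentiation; the function names `share`, `lagrange_coeffs`, `interpolate`, `interpolate_exp` and `reconstruct` are this example's own. It also goes one step beyond the text by showing that the pointwise product of two degree-t sharings is a degree-2t sharing, which is why p(0) must be recovered from 2t+1 shares rather than t+1.

```python
# Added example for Appendix A.3 (not the paper's code): Shamir sharing over Z_q,
# Lagrange interpolation of f(j) from f(1..t+1), interpolation in the exponent,
# reconstruction of a degree-2t sharing, and the linear share operations.
import random

P = 607                             # constructed toy modulus, q | p - 1
Q = 101                             # prime order of the group and of the share field Z_q
G_GEN = pow(2, (P - 1) // Q, P)     # generator g of the order-q subgroup of Z_p^*
assert G_GEN != 1 and pow(G_GEN, Q, P) == 1


def share(m, t, n, rng=random):
    """Deal [m]: random degree-t polynomial f over Z_q with f(0) = m; P_i receives m_i = f(i)."""
    coeffs = [m % Q] + [rng.randrange(Q) for _ in range(t)]

    def f(x):
        return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

    return [f(i) for i in range(1, n + 1)]


def lagrange_coeffs(xs, j):
    """lambda_i with f(j) = sum_i lambda_i f(x_i) for every polynomial of degree < len(xs)."""
    lams = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for k, xk in enumerate(xs):
            if k != i:
                num = num * (j - xk) % Q
                den = den * (xi - xk) % Q
        lams.append(num * pow(den, -1, Q) % Q)
    return lams


def interpolate(points, j):
    """f(j) from the points (x_i, f(x_i)); needs degree+1 distinct x_i."""
    xs = [x for x, _ in points]
    return sum(l * y for l, (_, y) in zip(lagrange_coeffs(xs, j), points)) % Q


def interpolate_exp(points, j):
    """g^{f(j)} from (x_i, g^{f(x_i)}) without learning f: the product of Y_i^{lambda_i}."""
    xs = [x for x, _ in points]
    out = 1
    for l, (_, Y) in zip(lagrange_coeffs(xs, j), points):
        out = out * pow(Y, l, P) % P
    return out


def reconstruct(shares_of_first_parties):
    """Open a sharing from the shares of P_1..P_k (k = degree + 1): returns f(0)."""
    return interpolate(list(enumerate(shares_of_first_parties, start=1)), 0)


# Linear operations, computed locally by each party on its own share.
def add_shares(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]        # [m1] + [m2]


def scale_shares(c, a):
    return [c * x % Q for x in a]                     # c . [m1] for public c


def mul_shares(a, b):
    return [x * y % Q for x, y in zip(a, b)]          # degree-2t sharing of m1*m2


if __name__ == "__main__":
    n, t = 3, 1
    s = share(42, t, n)
    print("lambda for f(3) from f(1), f(2):", lagrange_coeffs([1, 2], 3), "(= -1, 2 mod q)")
    print("opened from 2 shares:", reconstruct(s[:2]))
    Ys = [(i, pow(G_GEN, si, P)) for i, si in enumerate(s, start=1)]
    print("g^m via exponent interpolation:", interpolate_exp(Ys[:2], 0), "==", pow(G_GEN, 42, P))
```

With n = 3 and t = 1 the coefficients returned for j = 3 are (100, 2), i.e. (-1, 2) mod q, matching the worked example in the text; the same coefficients are the exponents applied to \(Y_1, Y_2\) in `interpolate_exp`, which is why footnote 4 counts them as short multiplications.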
© 2020 Springer Nature Switzerland AG
Cite this paper
Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B. (2020). Fast Threshold ECDSA with Honest Majority. In: Galdi, C., Kolesnikov, V. (eds) Security and Cryptography for Networks. SCN 2020. Lecture Notes in Computer Science, vol 12238. Springer, Cham. https://doi.org/10.1007/978-3-030-57990-6_19
DOI: https://doi.org/10.1007/978-3-030-57990-6_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57989-0
Online ISBN: 978-3-030-57990-6