Compact Zero-Knowledge Proofs for Threshold ECDSA with Trustless Setup

Abstract

Threshold ECDSA signatures provide a higher level of security to a crypto wallet since it requires more than t parties out of n parties to sign a transaction. The state-of-the-art bandwidth efficient threshold ECDSA used the additive homomorphic Castagnos and Laguillaumie (CL) encryption based on an unknown order group G, together with a number of zero-knowledge proofs in G. In this paper, we propose compact zero-knowledge proofs for threshold ECDSA to lower the communication bandwidth, as well as the computation cost. The proposed zero-knowledge proofs include the discrete-logarithm relation in G and the well-formedness of a CL ciphertext.

When applied to two-party ECDSA, we can lower the bandwidth of the key generation algorithm by 47%, and the running time for the key generation and signing algorithms are boosted by about 35% and 104% respectively. When applied to threshold ECDSA, our first scheme is more optimized for the key generation algorithm (about 70% lower bandwidth and 85% faster computation in key generation, at a cost of 20% larger bandwidth in signing), while our second scheme has an all-rounded performance improvement (about 60% lower bandwidth, 46% faster computation in key generation without additional cost in signing).

Appendices

A Background

1.1 A.1 Definitions for Argument Systems

An argument system for a relation \(\mathcal {R} \subset \mathcal {X} \times \mathcal {W}\) is a triple of randomized polynomial time algorithms \((\mathsf{Setup}, \mathsf{P}, \mathsf{V})\), where:

• Setup takes a security parameter \(1^\lambda \) and outputs a common reference string (CRS) crs.

• P takes as input the crs, a statement \(x \in \mathcal {X}\) and a witness \(w \in \mathcal {W}\). V takes as input the crs and x and after interaction with P outputs 0 or 1.

The transcript between the prover and the verifier is denoted as \(\langle \mathsf{V}(\mathsf{crs}, x), \mathsf{P}(\mathsf{crs}\), \(x, w)\rangle \), and it is equal to 1 if the verifier accepted the transcript.

Definition 1 (Completeness)

An argument system \((\mathsf{Setup}, \mathsf{P}, \mathsf{V})\) for a relation \(\mathcal {R}\) is complete if for all \((x,w) \in \mathcal {R}\):

$$ \Pr [\langle \mathsf{V}(\mathsf{crs}, x), \mathsf{P}(\mathsf{crs}, x, w)\rangle = 1: \mathsf{crs} \xleftarrow {\$} \mathsf{Setup}(1^\lambda ) ] = 1. $$

We follow the soundness definition for trapdoorless crs from [1].

Definition 2 (Soundness)

An argument system \((\mathsf{Setup}, \mathsf{P}, \mathsf{V})\) is sound if for all polynomial time adversaries \(\mathcal {A} = (\mathcal {A}_0, \mathcal {A}_1)\):

$$ \Pr \left[ \begin{array}{l} \langle \mathsf{V}(\mathsf{crs}, x), \mathcal {A}_1(\mathsf{crs}, x, \mathsf{state})\rangle = 1 \\ \text{ and } \not \exists w ~s.t.~ (x,w) \in \mathcal {R} \end{array} : \begin{array}{l} \mathsf{crs} \xleftarrow {\$} \mathsf{Setup}(1^\lambda ) \\ (x, \mathsf{state}) \leftarrow \mathcal {A}_0(\mathsf{crs}) \end{array} \right] = \mathsf{negl}(\lambda ). $$

Additionally, the argument system is an argument of knowledge if for all polynomial time adversaries \(\mathcal {A}_1\) there exists a polynomial time extractor Ext such that for all polynomial time adversaries \(\mathcal {A}_0\):

$$ \Pr \left[ \begin{array}{l} \langle \mathsf{V}(\mathsf{crs}, x), \mathcal {A}_1(\mathsf{crs},x, \mathsf{state})\rangle = 1 \\ \text{ and } (x,w') \notin \mathcal {R} \end{array} : \begin{array}{l} \mathsf{crs} \xleftarrow {\$} \mathsf{Setup}(1^\lambda )\\ (x, \mathsf{state}) \leftarrow \mathcal {A}_0(\mathsf{crs}) \\ w' \xleftarrow {\$} \mathsf{Ext}(\mathsf{crs}, x, \mathsf{state}) \end{array} \right] = \mathsf{negl}(\lambda ). $$

Definition 3 (Zero Knowledge)

An argument system \((\mathsf{Setup}, \mathsf{P}, \mathsf{V})\) is statistical zero-knowledge if there exists a polynomial time simulator Sim such that for all \((x, w) \in \mathcal {R}\), the following two distributions are statistically indistinguishable:

$$\begin{aligned} D_1&= \{ \langle \mathsf{V}(\mathsf{crs}, x), \mathsf{P}(\mathsf{crs}, x, w)\rangle , \mathsf{crs} \xleftarrow {\$} \mathsf{Setup}(1^\lambda ) \},\\ D_2&= \{ \langle \mathsf{V}(\mathsf{crs}, x), \mathsf{Sim}(\mathsf{crs}, x)\rangle , \mathsf{crs} \xleftarrow {\$} \mathsf{Setup}(1^\lambda ) \}. \end{aligned}$$

1.2 A.2 Generalized Schnorr Proofs

The Sigma protocol based on Schnorrs proof can be generalized for proving DL in groups of unknown order [3]. It can be done by introducing appropriate range checking and using computations over the integers. The proof size is dominated by the response of size \((\epsilon _s + \epsilon _d) \cdot \) ord(G), and hence it is not practical. By taking \(\epsilon _s = \epsilon _d = 80\), the proof size is in the order of MBytes.

B More Implementation Results for Threshold ECDSA

We also implemented the threshold ECDSA schemes for the setting of (t, n) = (2,4) and (2,5) and the security level of 112-bit and 128-bit. The complete comparison tables for these cases are given in Tables 6, 7, 8 and 9.

Table 6. (2, 4)-Threshold ECDSA for 112 bit security

Table 7. (2, 4)-Threshold ECDSA for 128 bit security

Table 8. (2, 5)-Threshold ECDSA for 112 bit security

Table 9. (2, 5)-Threshold ECDSA for 128 bit security