On the Security of ECDSA with Additive Key Derivation and Presignatures

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13275))

Abstract

Two common variations of ECDSA signatures are additive key derivation and presignatures. Additive key derivation is a simple mechanism for deriving many subkeys from a single master key, and is already widely used in cryptocurrency applications with the Hierarchical Deterministic Wallet mechanism standardized in Bitcoin Improvement Proposal 32 (BIP32). Because of its linear nature, additive key derivation is also amenable to efficient implementation in the threshold setting. With presignatures, the secret and public nonces used in the ECDSA signing algorithm are precomputed. In the threshold setting, using presignatures along with other precomputed data allows for an extremely efficient “online phase” of the protocol. Recent works have advocated for both of these variations, sometimes combined together. However, somewhat surprisingly, we are aware of no prior security proof for additive key derivation, let alone for additive key derivation in combination with presignatures.

In this paper, we provide a thorough analysis of these variations, both in isolation and in combination. Our analysis is in the generic group model (GGM). Importantly, we do not modify ECDSA or weaken the standard notion of security in any way. Of independent interest, we also present a version of the GGM that is specific to elliptic curves. This EC-GGM better models some of the idiosyncrasies (such as the conversion function and malleability) of ECDSA. In addition to this analysis, we report security weaknesses in these variations that apparently have not been previously reported. For example, we show that when both variations are combined, there is a cube-root attack on ECDSA, which is much faster than the best known, square-root attack on plain ECDSA. We also present two mitigations against these weaknesses: re-randomized presignatures and homogeneous key derivation. Each of these mitigations is very lightweight, and when used in combination, the security is essentially the same as that of plain ECDSA (in the EC-GGM).
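Added worked example (my code, not the paper's, and not the authors' protocol) showing the algebra that the combination of additive key derivation and presignatures exposes. With a presignature, the x-coordinate r of R = k·G is public before the message m and tweak t are fixed, and an ECDSA signature under the derived key x + t then binds the pair (m, t) only through the single scalar h(m) + r·t mod n. If the adversary may choose tweaks freely, one signature on (m, t) is therefore already a valid signature on any (m', t') with h(m) + r·t = h(m') + r·t', and the code computes such a t' directly. With BIP32-style tweaks the adversary cannot pick t' but must search for messages and derivation indices satisfying h(m) + r·t_i = h(m') + r·t_j, a four-term generalized-birthday instance; that search is, as I read the paper, what yields the cube-root attack. The second half of the demo uses a multiplicative derivation x_t = t·x, which is my reading of the paper's homogeneous key derivation (treat that form as an assumption): the same chosen-tweak step then requires knowledge of x and fails. Curve arithmetic is textbook affine secp256k1 (SEC 2 v2.0 constants); messages, tweak and test keys are constructed for the demo.

```python
"""Additive key derivation + presignatures: a signature binds (msg, tweak)
only through h(msg) + r*t.  Added example, not the paper's code."""
import hashlib
import secrets

# secp256k1 domain parameters (SEC 2 v2.0)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def hmsg(msg):
    """ECDSA conversion function: SHA-256 digest read as an integer mod N."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(sk, k, msg):
    """ECDSA signing with an externally supplied nonce k (the presignature)."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hmsg(msg) + r * sk) % N
    return r, s


def verify(pk, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = ec_add(ec_mul(hmsg(msg) * w % N, G), ec_mul(r * w % N, pk))
    return X is not None and X[0] % N == r


def derive_additive(sk, pk, t):
    """BIP32-style non-hardened derivation: x_t = x + t, Q_t = Q + t*G."""
    return (sk + t) % N, ec_add(pk, ec_mul(t, G))


def derive_homogeneous(sk, pk, t):
    """Multiplicative derivation x_t = t*x, Q_t = t*Q; assumed form of the
    paper's homogeneous key derivation."""
    return sk * t % N, ec_mul(t, pk)


def related_tweak(r, t, msg, msg2):
    """Given r from the presignature, the tweak t' such that a signature on
    msg under x+t also verifies on msg2 under x+t':
    h(msg) + r*t == h(msg2) + r*t'  (mod N)."""
    return (t + (hmsg(msg) - hmsg(msg2)) * pow(r, -1, N)) % N


def run_demo(x=None, k=None, t=0x1234, msg=b"pay 1 coin to alice",
             msg2=b"pay 999 coins to mallory"):
    """Returns (chosen-tweak forgery verifies under additive derivation,
    same step verifies under homogeneous derivation)."""
    x = x or secrets.randbelow(N - 1) + 1
    k = k or secrets.randbelow(N - 1) + 1  # presignature nonce, fixed before msg and t
    Q = ec_mul(x, G)
    r = ec_mul(k, G)[0] % N                # public part of the presignature

    # Additive: adversary sees r, then requests a signature on msg under tweak t.
    x_t, Q_t = derive_additive(x, Q, t)
    sig = sign(x_t, k, msg)
    assert verify(Q_t, msg, sig)
    t2 = related_tweak(r, t, msg, msg2)
    _, Q_t2 = derive_additive(x, Q, t2)
    additive_forgery = verify(Q_t2, msg2, sig)      # same (r, s) is valid for (msg2, t2)

    # Homogeneous: the required t' is t + (h(msg)-h(msg2))/(r*x), which needs x.
    x_h, Q_h = derive_homogeneous(x, Q, t)
    sig_h = sign(x_h, k, msg)
    assert verify(Q_h, msg, sig_h)
    _, Q_h2 = derive_homogeneous(x, Q, t2)
    homogeneous_forgery = verify(Q_h2, msg2, sig_h)  # fails unless x == 1
    return additive_forgery, homogeneous_forgery


if __name__ == "__main__":
    print(run_demo())
```

The additive branch is the whole point: nothing in the signature distinguishes (msg, t) from (msg2, t2) once r is known, so any protocol that hands out presignatures and lets a caller influence the tweak after seeing R must either hash the tweak from inputs the adversary does not control in isolation (and then still pays the generalized-birthday cost the paper quantifies) or break the linear structure, for example with the re-randomized presignatures or homogeneous derivation the paper proposes.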



Corresponding author: Victor Shoup


Copyright information

© 2022 International Association for Cryptologic Research

About this paper


Cite this paper

Groth, J., Shoup, V. (2022). On the Security of ECDSA with Additive Key Derivation and Presignatures. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13275. Springer, Cham. https://doi.org/10.1007/978-3-031-06944-4_13


  • DOI: https://doi.org/10.1007/978-3-031-06944-4_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-06943-7

  • Online ISBN: 978-3-031-06944-4
