
Efficient Secure Two Party ECDSA

  • Conference paper
Cryptography and Coding (IMACC 2023)

Abstract

Distributing the Elliptic Curve Digital Signature Algorithm (ECDSA) has received increased attention in past years due to the wide range of applications that can benefit from this, particularly after the popularity that the blockchain technology has gained. Many schemes have been proposed in the literature to improve the efficiency of multiparty ECDSA. Most of these schemes either require heavy homomorphic encryption computation or multiple executions of a functionality that transforms Multiplicative shares to Additive shares (MtA). Xue et al. (CCS 2021) proposed a 2-party ECDSA protocol secure against malicious adversaries and only requires one execution of MtA, with an online phase that consists of only one party sending one field element to the other party with a computational overhead dominated by the verification step of the signature scheme. We propose a novel protocol, based on the assumption that the Computational Diffie-Hellman problem is hard, that offers the same online phase performance as the protocol of Xue et al., but improves the offline phase by reducing the computational cost by one elliptic curve multiplication and the communication cost by two field elements. To the best of our knowledge, our protocol offers the most efficient offline phase for a two-party ECDSA protocol with such an efficient online phase.

Y. T. Alaoui: most of this work was done while at imec-COSIC, KU Leuven, Belgium.


Notes

  1. https://github.com/bitcoin-core/secp256k1.

References

  1. Bao, F., Deng, R.H., Zhu, H.F.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39927-8_28

  2. Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. IACR Cryptol. ePrint Arch, p. 60 (2021). https://eprint.iacr.org/2021/060

  3. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) Advances in Cryptology - CRYPTO 2019, pp. 191–221. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7

  4. Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from DDH. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26

  5. Dalskov, A., Orlandi, C., Keller, M., Shrishak, K., Shulman, H.: Securing DNSSEC keys via threshold ECDSA from Generic MPC. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 654–673. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_32

  6. Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B.: Fast threshold ECDSA with honest majority. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 382–400. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_19

  7. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8

  8. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 980–997. IEEE (2018)

  9. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: The multiparty case. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1051–1066 (2019)

  10. ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)

  11. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  12. Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1179–1194 (2018)

  13. Kondi, Y., Magri, B., Orlandi, C., Shlomovits, O.: Refresh when you wake up: proactive threshold wallets with offline devices. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 608–625. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00067

  14. Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 613–644. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_21

  15. Lindell, Y.: Secure multiparty computation. Commun. ACM 64(1), 86–96 (2020)

  16. Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1837–1854 (2018)

  17. MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 137–154. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_8

  18. Makriyannis, N., Peled, U.: A note on the security of GG18 (2021)

  19. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 85(2), 481–484 (2002)

  20. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  21. Rabin, M.O.: How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab (1981). https://www.iacr.org/museum/rabin-obt/obtrans-eprint187.pdf

  22. Schnorr, C.: Efficient signature generation by smart cards. In: Advances in Cryptology – CRYPTO 1987, pp. 161–174 (1991)

  23. Smart, N.P., Talibi Alaoui, Y.: Distributing any elliptic curve based protocol. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 342–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_17

  24. Wigderson, A., Goldreich, O., Micali, S.: How to play any mental game. In: Proceedings of the 19th Annual ACM Symposium on the Theory of Computing, pp. 218–229 (1987)

  25. Xue, H., Au, M.H., Xie, X., Yuen, T.H., Cui, H.: Efficient online-friendly two-party ECDSA signature. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 558–573 (2021)

  26. Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), pp. 160–164. IEEE (1982)


Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable comments, as well as Muhammed Ali Bingol and Daniele Cozzo for the valuable discussions on the protocol security. This work has been supported by TUBITAK under the 2244 project, and by CyberSecurity Research Flanders with reference number VR20192203. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of any of the funders.


Corresponding author

Correspondence to Sermin Kocaman.


Appendices

A Proof of Theorem 1

The proof below is taken from [19].

Let us assume we can solve the Computational Diffie-Hellman problem. Given the tuple \((P, [x]\cdot P)\), one can obtain \([x^{-1}]\cdot P = [x^{-1}\cdot x^{-1}]\cdot([x]\cdot P)\) by solving the Diffie-Hellman problem over the tuple \(([x]\cdot P,\; P,\; P)\): with respect to the generator \([x]\cdot P\), the point \(P = [x^{-1}]\cdot([x]\cdot P)\) plays the role of both the second and the third element, so the solver returns \([x^{-1}\cdot x^{-1}]\cdot([x]\cdot P)\).

Conversely, let us assume we can solve the 1-Weak Diffie-Hellman problem. Given the tuple \((P, [a]\cdot P, [b]\cdot P)\), one can obtain \([a^2]\cdot P\) by solving the 1-Weak Diffie-Hellman problem over the tuple \(([a]\cdot P,\; P)\): with respect to the generator \([a]\cdot P\) we have \(P = [a^{-1}]\cdot([a]\cdot P)\), so the solver returns \([a]\cdot([a]\cdot P) = [a^2]\cdot P\). Similarly, one can obtain \([b^2]\cdot P\) and \([(a+b)^2]\cdot P\) from the tuples \(([b]\cdot P,\; P)\) and \(([a+b]\cdot P,\; P)\) respectively, where \([a+b]\cdot P = [a]\cdot P + [b]\cdot P\). Next, one can obtain \([a\cdot b]\cdot P\) by calculating \([2^{-1}]\cdot\big([(a+b)^2]\cdot P - [a^2]\cdot P - [b^2]\cdot P\big)\), since \((a+b)^2 - a^2 - b^2 = 2\cdot a\cdot b\) and \(2^{-1} \bmod q\) exists as q is an odd prime.

B Proof of Theorem 2

In Fig. 8, we build a simulator \(\mathcal {S}\), to simulate \(\mathcal {P}_1\) when \(\mathcal {P}_2\) is corrupt, and to simulate \(\mathcal {P}_2\) when \(\mathcal {P}_1\) is corrupt. Below, we sketch a proof to demonstrate why the views in a real and a simulated execution will be indistinguishable for an adversary \(\mathcal {A}\).

Fig. 8. 2-party ECDSA Simulator

B.1 Corrupted \(\mathcal {P}_1\)

Key Generation Phase. The difference between the real execution and the simulated execution is the generation of \(Q_2\). In the case of a real execution, \(Q_2\) is computed as \([x_2] \cdot P\) where \(x_2\) is randomly generated, while in the case of a simulated run, \(Q_2\) is computed by calculating \(Q_2 \leftarrow Q - Q_1\). Since Q is randomly generated by the \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) functionality of Fig. 1 (\(Q \leftarrow [x] \cdot P\) for a randomly generated x), then the distributions from which \(Q_2\) is generated in the real and simulated executions are indistinguishable.

Signing Phase. In the nonce generation, a similar argument can be given to show that the views are indistinguishable. That is, in a real execution \(R_2\) is computed as \([k_2] \cdot P\) where \(k_2\) is randomly generated, while in a simulated run \(R_2\) is computed by calculating \(R_2 \leftarrow [k_1^{-1}] \cdot R\). Since R is randomly generated by \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) (\(R \leftarrow [k] \cdot P\) for a randomly generated k), the distributions from which \(R_2\) is generated in the real and simulated executions are indistinguishable.

In the MtA call, both in the real and in the simulated execution, \(\mathcal {P}_1\) is intended to receive a randomly generated a, thus the views are indistinguishable. Afterwards, \(\mathcal {P}_1\) sends Z to \(\mathcal {P}_2\). In a simulated execution, \(\mathcal {P}_2\) aborts if \(\mathcal {P}_1\) has provided to the MtA functionality an input different from \(x_1\), or if he sends a value different from \([a] \cdot P\). This behaviour is equivalent to what happens in a real execution, where \(\mathcal {P}_2\) checks whether \([k_2] \cdot (Z + [b] \cdot P) = Q_1\). That is, let us denote by \(\epsilon _1\) the additive error that \(\mathcal {P}_1\) can introduce to \(x_1\), namely \(\mathcal {P}_1\) sends to MtA the value \(x_1' \leftarrow x_1 + \epsilon _1 \bmod q\), and by E the additive error that \(\mathcal {P}_1\) can introduce to Z, namely \(\mathcal {P}_1\) sends \(\mathcal {P}_2\) the value \(Z' \leftarrow Z + E\). To pass the check of \(\mathcal {P}_2\), the following equation needs to be satisfied:

$$\begin{aligned} Q_1 & = [k_2] \cdot (Z' + [b] \cdot P) \\ & = [k_2] \cdot (E + Z + [b] \cdot P) \\ & = [k_2] \cdot (E + [a] \cdot P + [b] \cdot P) \\ & = [k_2] \cdot \big(E + [(x_1 + \epsilon _1) \cdot k_2^{-1}] \cdot P \big) \\ & = [k_2] \cdot \big(E + [x_1 \cdot k_2^{-1}] \cdot P + [\epsilon _1 \cdot k_2^{-1}] \cdot P\big) \\ & = Q_1 + [k_2] \cdot \big(E + [\epsilon _1 \cdot k_2^{-1}] \cdot P\big) \\ \end{aligned}$$

which implies that \([k_2] \cdot E + [\epsilon _1] \cdot P = \mathcal {O}\). If \(E = \mathcal {O}\), then \(\epsilon _1 = 0 \bmod q\). Conversely, if \(\epsilon _1 = 0 \bmod q\), then \(E = \mathcal {O}\), as \(k_2 \ne 0 \bmod q\). Thus \(E = \mathcal {O}\) or \(\epsilon _1 = 0 \bmod q\) implies that the adversary has not cheated, as in that case he modifies neither of the values he is supposed to send.

Let us look at the case where \(E \ne \mathcal {O}\) and \(\epsilon _1 \ne 0 \bmod q\). The equation holds only if the adversary chooses \(\epsilon _1\) and E in such a way that \(E = -[\epsilon _1 \cdot k_2^{-1}] \cdot P = [-\epsilon _1] \cdot \big([k_2^{-1}] \cdot P\big)\). While \(R_2 = [k_2] \cdot P\) is known to the adversary, obtaining \([k_2^{-1}] \cdot P\) from it would mean solving the 1-Weak Diffie-Hellman problem, which as we have seen in Appendix A is equivalent to the Computational Diffie-Hellman problem, which is believed to be hard.

Thus to summarize, the adversary will not be able to make the check pass if he cheats, either in the MtA call or the step afterward.

In the online signing:

If the parties reach this stage, \(\mathcal {P}_1\) will receive in the simulated execution \(s_2 = s \cdot k_1 - a \cdot r \bmod q\), which, using \(k = k_1 \cdot k_2\) and \(a + b = x_1 \cdot k_2^{-1} \bmod q\), is equal to

$$\begin{aligned} s_2 & = s \cdot k_1 - a \cdot r \\ & = k^{-1} \cdot (H(m) + r \cdot x) \cdot k_1 - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x) - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_1 + r \cdot x_2) - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + k_2^{-1} \cdot r \cdot x_1 - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + r \cdot (a + b) - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + r \cdot b \\ \end{aligned}$$

which is what \(\mathcal {P}_1\) receives in a real execution.

B.2 Corrupted \(\mathcal {P}_2\)

Key Generation Phase. Similarly to the case of a corrupted \(\mathcal {P}_1\), the difference between the real execution and the simulated execution is the generation of \(Q_1\). In the case of a real execution, \(Q_1\) is computed as \([x_1] \cdot P\) where \(x_1\) is randomly generated, while in the case of a simulated run, \(Q_1\) is computed by calculating \(Q_1 \leftarrow Q - Q_2\). Since Q is randomly generated by the \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) functionality of Fig. 1 (\(Q \leftarrow [x] \cdot P\) for a randomly generated x), then the distributions from which \(Q_1\) is generated in the real and simulated executions are indistinguishable.

Signing Phase. As in the case of a corrupted \(\mathcal {P}_1\), the views in the nonce generation are indistinguishable. That is, in a real execution \(R_1\) is computed as \([k_1] \cdot P\) where \(k_1\) is randomly generated, while in a simulated run \(R_1\) is computed by calculating \(R_1 \leftarrow [k_2^{-1}] \cdot R\). Since R is randomly generated by \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) (\(R \leftarrow [k] \cdot P\) for a randomly generated k), the distributions from which \(R_1\) is generated in the real and simulated executions are indistinguishable.

In the MtA call, both in the real and in the simulated execution, \(\mathcal {P}_2\) is intended to receive a randomly generated b (in the simulated execution \(b = x_1 \cdot k_2^{-1} - a \bmod q\) for a randomly generated a; note that the simulator uses here and in what follows the \(k_2\) he received at the MtA call, and not the one received during the nonce generation), thus the views are indistinguishable. In the step afterwards, in the simulated execution, \(\mathcal {P}_2\) receives \([k^{-1}_2] \cdot Q_1 - [b] \cdot P\), which is the same as what he receives in a real execution, as \([k^{-1}_2] \cdot Q_1 - [b] \cdot P = [k^{-1}_2 \cdot x_1] \cdot P - [b] \cdot P = [a] \cdot P\). Thus the views are indistinguishable.

In the online signing:

  • if \(\mathcal {P}_2\) does not cheat at all during the protocol, he will be able to calculate \(s_2 = k_2^{-1} \cdot (H(m) + x_2 \cdot r) + b \cdot r \mod q \) and send it to \(\mathcal {P}_1\). In the real execution \(\mathcal {P}_1\) will add it to its share \(s_1\), and the sum will yield a valid signature which will be published by \(\mathcal {P}_1\). In the simulated execution, \(s_2\) will pass the check of the simulator and therefore he will publish the signature.

  • if \(\mathcal {P}_2\) cheated at the MtA call, or does not send the correct \(s_2\), then in the real execution \(\mathcal {P}_1\) will not obtain a valid signature after summing up its share with the one of \(\mathcal {P}_2\), thus \(\mathcal {P}_1\) will send the abort signal. In the simulated execution, either the \(\textsf{cheat}\) flag will be equal to 1 at this stage, or \(s_2\) will not pass the check of the simulator. In both cases the simulator will abort. That is, the only case where the views would be distinguishable is when the adversary cheats on the MtA call and yet manages to send the correct \(s_2\). Let us denote by \(\epsilon\) the additive error that the adversary introduces to his input to MtA, namely he sends \(k_2^{-1} + \epsilon\) instead of \(k_2^{-1}\). In this case \(a+b = x_1 \cdot (k_2^{-1} + \epsilon) \bmod q\). In order to pass the check, \(\mathcal {P}_2\) needs to send \(s_2\) such that \(s \cdot k_1 = s_2 + a \cdot r \bmod q\). This implies that:

    $$\begin{aligned} s_2 & = s \cdot k_1 - a \cdot r \\ & = k^{-1} \cdot (H(m) + r \cdot x) \cdot k_1 - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_1 + r \cdot x_2) - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + k_2^{-1} \cdot r \cdot x_1 - a \cdot r \\ & = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + r \cdot b - x_1 \cdot r \cdot \epsilon \\ \end{aligned}$$

    As \(x_1\) is unknown to the adversary, he can satisfy this equation only if \(\epsilon = 0\), i.e., the case where he does not cheat in the MtA call. Thus the behaviour of the simulator will make the real execution and the simulated one indistinguishable.
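To make the arguments of Appendices A and B concrete, the following Python example (added here; it is not the authors' code and is not part of the paper) runs one key generation and signing session on secp256k1 exactly as the proofs describe it: \(x = x_1 + x_2\), \(k = k_1 \cdot k_2\), a single MtA that hands \(\mathcal{P}_1\) a random a and \(\mathcal{P}_2\) a b with \(a + b = x_1 \cdot k_2^{-1}\), the check \([k_2]\cdot(Z + [b]\cdot P) = Q_1\) performed by \(\mathcal{P}_2\), and the single field element \(s_2\) that \(\mathcal{P}_1\) completes into s and verifies. The errors \(\epsilon_1\), E (Appendix B.1) and \(\epsilon\) (Appendix B.2) are exposed as parameters so one can see which party aborts. The last two functions carry out the two reductions of Appendix A against oracle callables supplied by the caller. Everything here is an assumption of the example: MtA is modelled as an ideal functionality (a trusted function, not an OT- or encryption-based MtA), the curve arithmetic is a toy affine implementation, and the function names and cheating parameters are invented for illustration.

```python
# Added example (not the paper's code): the two-party ECDSA flow of Appendix B and the
# reductions of Appendix A on secp256k1, with pure-Python affine arithmetic and MtA
# modelled as an ideal functionality. Names and the cheating knobs are this example's own.
import hashlib
import secrets

p = 2**256 - 2**32 - 977                                # secp256k1 field prime
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# The point at infinity O is represented as None.

def ec_add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(n, A):
    """[n]·A by double-and-add, n taken mod q."""
    R, n = None, n % q
    while n:
        if n & 1:
            R = ec_add(R, A)
        A, n = ec_add(A, A), n >> 1
    return R

def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % p)

def H(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q

def ecdsa_verify(Q, m, r, s):
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    X = ec_add(ec_mul(H(m) * w, G), ec_mul(r * w, Q))
    return X is not None and X[0] % q == r

def ideal_mta(u, v):
    """Ideal F_MtA: P1 inputs u, P2 inputs v; P1 gets a random a, P2 gets b with a + b = u*v."""
    a = secrets.randbelow(q)
    return a, (u * v - a) % q

def two_party_sign(m, eps1=0, E=None, eps2=0, delta_s2=0):
    """One key generation and signing session. Cheating knobs (all zero/None when honest):
    eps1, E   : P1 adds eps1 to its MtA input x1, resp. E to Z     (Appendix B.1)
    eps2      : P2 adds eps2 to its MtA input k2^-1                 (Appendix B.2)
    delta_s2  : P2 sends s2 + delta_s2 instead of s2                (Appendix B.2)
    Returns (status, Q, signature) with status in {"ok", "abort_P2", "abort_P1"}."""
    p2_honest = eps2 == 0 and delta_s2 == 0
    # Key generation: x = x1 + x2, Q = Q1 + Q2 = [x]·G
    x1, x2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    Q1, Q2 = ec_mul(x1, G), ec_mul(x2, G)
    Q = ec_add(Q1, Q2)
    # Nonce generation: k = k1 * k2, R = [k1]·R2 = [k]·G, r = R.x mod q
    k1, k2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    R = ec_mul(k1, ec_mul(k2, G))
    r = R[0] % q
    # Offline phase: the single MtA on (x1, k2^-1) yields a + b = x1 * k2^-1
    k2_inv = pow(k2, -1, q)
    a, b = ideal_mta((x1 + eps1) % q, (k2_inv + eps2) % q)
    # P1 sends Z = [a]·G (plus the error E); an honest P2 checks [k2]·(Z + [b]·G) == Q1
    Z = ec_add(ec_mul(a, G), E)
    if p2_honest and ec_mul(k2, ec_add(Z, ec_mul(b, G))) != Q1:
        return "abort_P2", Q, None
    # Online phase: P2 sends the single field element s2; P1 completes s and verifies
    s2 = (k2_inv * (H(m) + r * x2) + b * r + delta_s2) % q
    s = pow(k1, -1, q) * (s2 + a * r) % q              # s = k1^-1 (s2 + a r) = k^-1 (H(m) + r x)
    if not ecdsa_verify(Q, m, r, s):
        return "abort_P1", Q, None
    return "ok", Q, (r, s)

def one_wdh_from_cdh(cdh, P, xP):
    """Appendix A, first direction. cdh(P', U, V) returns [u*v]·P' for U = [u]·P', V = [v]·P'.
    Re-base to the generator P' = [x]·P, under which P = [x^-1]·P'."""
    return cdh(xP, P, P)                                # [x^-1 * x^-1]·([x]·P) = [x^-1]·P

def cdh_from_one_wdh(wdh, P, aP, bP):
    """Appendix A, second direction. wdh(P', U) returns [u^-1]·P' for U = [u]·P'."""
    def square(uP):                                     # [u^2]·P: with P' = [u]·P, P = [u^-1]·P'
        return wdh(uP, P)
    two_ab = ec_add(square(ec_add(aP, bP)), ec_neg(ec_add(square(aP), square(bP))))
    return ec_mul(pow(2, -1, q), two_ab)                # [2^-1]·[(a+b)^2 - a^2 - b^2]·P = [a*b]·P
```

An honest run returns "ok" and a signature that passes standard ECDSA verification under Q. Setting eps1 or E makes \(\mathcal{P}_2\)'s check fail (abort_P2), matching Appendix B.1; setting eps2 or delta_s2 lets a dishonest \(\mathcal{P}_2\) skip its own check, but \(\mathcal{P}_1\) then ends up with a value \(s\) that is off by \(k_1^{-1} \cdot r \cdot x_1 \cdot \epsilon\) (or by \(k_1^{-1} \cdot \delta\)) and aborts after verification (abort_P1), matching Appendix B.2. The two reduction functions take the oracle as a callable, so any CDH or 1-WDH solver can be plugged in; for a self-check one can pass a toy oracle that knows the discrete logarithms of the points it is given. The ideal MtA is the one place where a real deployment differs: whatever concrete MtA (OT- or encryption-based) is used must deliver exactly the additive sharing of \(x_1 \cdot k_2^{-1}\) that the proof assumes, and the \(\epsilon\) parameters show what an adversary gains if it does not.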


© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Kocaman, S., Talibi Alaoui, Y. (2024). Efficient Secure Two Party ECDSA. In: Quaglia, E.A. (eds) Cryptography and Coding. IMACC 2023. Lecture Notes in Computer Science, vol 14421. Springer, Cham. https://doi.org/10.1007/978-3-031-47818-5_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-47817-8

  • Online ISBN: 978-3-031-47818-5
