Abstract
Distributing the Elliptic Curve Digital Signature Algorithm (ECDSA) has received increased attention in past years due to the wide range of applications that can benefit from it, particularly after the popularity that blockchain technology has gained. Many schemes have been proposed in the literature to improve the efficiency of multiparty ECDSA. Most of these schemes either require heavy homomorphic encryption computation or multiple executions of a functionality that transforms Multiplicative shares to Additive shares (MtA). Xue et al. (CCS 2021) proposed a 2-party ECDSA protocol that is secure against malicious adversaries and requires only one execution of MtA, with an online phase that consists of only one party sending one field element to the other party, and a computational overhead dominated by the verification step of the signature scheme. We propose a novel protocol, based on the assumption that the Computational Diffie-Hellman problem is hard, that offers the same online phase performance as the protocol of Xue et al., but improves the offline phase by reducing the computational cost by one elliptic curve multiplication and the communication cost by two field elements. To the best of our knowledge, our protocol offers the most efficient offline phase for a two-party ECDSA protocol with such an efficient online phase.
Y.T. Alaoui—Most of this work was done while at imec-COSIC, KU Leuven, Belgium.
References
Bao, F., Deng, R.H., Zhu, H.F.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39927-8_28
Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. IACR Cryptol. ePrint Arch, p. 60 (2021). https://eprint.iacr.org/2021/060
Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) Advances in Cryptology - CRYPTO 2019, pp. 191–221. Springer International Publishing, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7
Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from DDH. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26
Dalskov, A., Orlandi, C., Keller, M., Shrishak, K., Shulman, H.: Securing DNSSEC keys via threshold ECDSA from Generic MPC. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds.) ESORICS 2020. LNCS, vol. 12309, pp. 654–673. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59013-0_32
Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B.: Fast threshold ECDSA with honest majority. In: Galdi, C., Kolesnikov, V. (eds.) SCN 2020. LNCS, vol. 12238, pp. 382–400. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57990-6_19
Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 980–997. IEEE (2018)
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: The multiparty case. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1051–1066 (2019)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31(4), 469–472 (1985)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1179–1194 (2018)
Kondi, Y., Magri, B., Orlandi, C., Shlomovits, O.: Refresh when you wake up: proactive threshold wallets with offline devices. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 608–625. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00067
Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 613–644. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_21
Lindell, Y.: Secure multiparty computation. Commun. ACM 64(1), 86–96 (2020)
Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1837–1854 (2018)
MacKenzie, P., Reiter, M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 137–154. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_8
Makriyannis, N., Peled, U.: A note on the security of GG18 (2021)
Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 85(2), 481–484 (2002)
Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16
Rabin, M.O.: How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab (1981). https://www.iacr.org/museum/rabin-obt/obtrans-eprint187.pdf
Schnorr, C.: Efficient signature generation by smart cards. In: Advances in Cryptology – CRYPTO 1987, pp. 161–174 (1991)
Smart, N.P., Talibi Alaoui, Y.: Distributing any elliptic curve based protocol. In: Albrecht, M. (ed.) IMACC 2019. LNCS, vol. 11929, pp. 342–366. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-35199-1_17
Wigderson, A., Goldreich, O., Micali, S.: How to play any mental game. In: Proceedings of the 19th Annual ACM Symposium on the Theory of Computing, pp. 218–229 (1987)
Xue, H., Au, M.H., Xie, X., Yuen, T.H., Cui, H.: Efficient online-friendly two-party ECDSA signature. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 558–573 (2021)
Yao, A.C.: Protocols for secure computations. In: 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), pp. 160–164. IEEE (1982)
Acknowledgments
The authors would like to thank the anonymous reviewers for their valuable comments, as well as Muhammed Ali Bingol and Daniele Cozzo for the valuable discussions on the protocol security. This work has been supported by TUBITAK under the 2244 project, and by CyberSecurity Research Flanders with reference number VR20192203. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of any of the funders.
Appendices
A Proof of Theorem 1
The proof below is taken from [19].
Let us assume we can solve the Diffie-Hellman problem. Then, given the tuple \((P, [x]\cdot P)\), one can obtain \([x^{-1}]\cdot P = [x^{-1}\cdot x^{-1}]\cdot([x]\cdot P)\) by solving the Diffie-Hellman problem over the tuple \(([x]\cdot P,\ P,\ P)\), where \(P = [x^{-1}]\cdot([x]\cdot P)\).
Conversely, let us assume we can solve the 1-Weak Diffie-Hellman problem. Then, given the tuple \((P, [a]\cdot P, [b]\cdot P)\), one can obtain \([a^2]\cdot P\) by solving the 1-Weak Diffie-Hellman problem over the tuple \(([a]\cdot P,\ P)\), where \(P = [a^{-1}]\cdot([a]\cdot P)\). Similarly, one can obtain \([b^2]\cdot P\) and \([(a+b)^2]\cdot P\) from the tuples \(([b]\cdot P,\ P)\) and \(([a+b]\cdot P,\ P)\) respectively, where \([a+b]\cdot P = [a]\cdot P + [b]\cdot P\). Next, one can obtain \([a\cdot b]\cdot P\) by calculating \([2^{-1}\cdot((a+b)^2 - a^2 - b^2)]\cdot P\).
B Proof of Theorem 2
In Fig. 8, we build a simulator \(\mathcal {S}\), to simulate \(\mathcal {P}_1\) when \(\mathcal {P}_2\) is corrupt, and to simulate \(\mathcal {P}_2\) when \(\mathcal {P}_1\) is corrupt. Below, we sketch a proof to demonstrate why the views in a real and a simulated execution will be indistinguishable for an adversary \(\mathcal {A}\).
B.1 Corrupted \(\mathcal {P}_1\)
Key Generation Phase. The difference between the real execution and the simulated execution is the generation of \(Q_2\). In the case of a real execution, \(Q_2\) is computed as \([x_2] \cdot P\) where \(x_2\) is randomly generated, while in the case of a simulated run, \(Q_2\) is computed by calculating \(Q_2 \leftarrow Q - Q_1\). Since Q is randomly generated by the \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) functionality of Fig. 1 (\(Q \leftarrow [x] \cdot P\) for a randomly generated x), then the distributions from which \(Q_2\) is generated in the real and simulated executions are indistinguishable.
Signing Phase. In the nonce generation, a similar argument can be given to show that the views are indistinguishable. That is, in a real execution, \(R_2\) is computed as \([k_2] \cdot P\) where \(k_2\) is randomly generated, while in the case of a simulated run, \(R_2\) is computed by calculating \(R_2 \leftarrow [k_1^{-1}] \cdot R \). Since R is randomly generated by \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) (\(R \leftarrow [k] \cdot P\) for a randomly generated k), the distributions from which \(R_2\) is generated in the real and simulated executions are indistinguishable.
In the MtA call, both in the real and the simulated executions, \(\mathcal {P}_1\) is intended to receive a randomly generated a, thus the views are indistinguishable. Afterwards, \(\mathcal {P}_1\) sends Z to \(\mathcal {P}_2\). In a simulated execution, \(\mathcal {P}_2\) aborts if \(\mathcal {P}_1\) has provided to the MtA functionality a different input than \(x_1\), or if he sends a different value than \([a] \cdot P\). This behaviour is equivalent to what happens in a real execution, where \(\mathcal {P}_2\) checks whether \([k_2] \cdot (Z + [b] \cdot P) = Q_1\). That is, let us denote by \(\epsilon _1\) the additive error that \(\mathcal {P}_1\) can introduce to \(x_1\), namely, \(\mathcal {P}_1\) sends to MtA the value \(x_1' \leftarrow x_1 + \epsilon _1 \mod q \), and by E the additive error that \(\mathcal {P}_1\) can introduce to Z, namely, \(\mathcal {P}_1\) sends \(\mathcal {P}_2\) the value \(Z' \leftarrow Z + E\). To pass the check of \(\mathcal {P}_2\), the following equation needs to be satisfied:
which implies that \([k_2] \cdot E + [\epsilon _1] \cdot P = \mathcal {O}\). If \(E = \mathcal {O}\), then \(\epsilon _1 = 0 \mod q\). Also, if \(\epsilon _1 = 0 \mod q\), then \(E = \mathcal {O}\), as \(k_2 \ne 0 \mod q\). Thus \(E = \mathcal {O}\) or \(\epsilon _1 = 0 \mod q\) implies that the adversary has not cheated, as we end up with a case where he does not modify the values he is supposed to send.
Let us look at the case where \(E \ne \mathcal {O}\) and \(\epsilon _1 \ne 0 \mod q\). The equation holds if the adversary chooses \(\epsilon _1\) in such a way that \(E + [\epsilon _1 \cdot k_2^{-1}]\cdot P = \mathcal {O}\). While \(R_2 = [k_2]\cdot P\) is known to the adversary, obtaining \([k_2^{-1}]\cdot P\) from it would mean breaking the 1-Weak Diffie-Hellman problem, which, as we have seen, is equivalent to the Computational Diffie-Hellman problem, which is believed to be hard.
Thus to summarize, the adversary will not be able to make the check pass if he cheats, either in the MtA call or the step afterward.
In the online signing:
If the parties reach this stage, \(\mathcal {P}_1\) will be receiving in the simulated execution \(s_2 = s \cdot k_1 - a \cdot r \mod q \), which is equal to
which is what \(\mathcal {P}_1\) receives in a real execution.
B.2 Corrupted \(\mathcal {P}_2\)
Key Generation Phase. Similarly to the case of a corrupted \(\mathcal {P}_1\), the difference between the real execution and the simulated execution is the generation of \(Q_1\). In the case of a real execution, \(Q_1\) is computed as \([x_1] \cdot P\) where \(x_1\) is randomly generated, while in the case of a simulated run, \(Q_1\) is computed by calculating \(Q_1 \leftarrow Q - Q_2\). Since Q is randomly generated by the \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) functionality of Fig. 1 (\(Q \leftarrow [x] \cdot P\) for a randomly generated x), then the distributions from which \(Q_1\) is generated in the real and simulated executions are indistinguishable.
Signing Phase. Similarly to the case of a corrupted \(\mathcal {P}_1\), in the nonce generation the same argument shows that the views are indistinguishable. That is, in a real execution, \(R_1\) is computed as \([k_1] \cdot P\) where \(k_1\) is randomly generated, while in the case of a simulated run, \(R_1\) is computed by calculating \(R_1 \leftarrow [k_2^{-1}] \cdot R \). Since R is randomly generated by \(\mathcal {F}_{\scriptstyle \textsf{2ECDSA}}\) (\(R \leftarrow [k] \cdot P\) for a randomly generated k), the distributions from which \(R_1\) is generated in the real and simulated executions are indistinguishable.
In the MtA call, both in the real and the simulated executions, \(\mathcal {P}_2\) is intended to receive a randomly generated b (in the simulated execution, \(b = x_1 \cdot k_2^{-1} - a \mod q \) for a randomly generated a; note that the simulator uses here, and in what follows, the \(k_2\) he received at the MtA call, and not the one received during the nonce generation), thus the views are indistinguishable. In the step afterwards, in the simulated execution, \(\mathcal {P}_2\) receives \([k^{-1}_2] \cdot Q_1 - [b] \cdot P \), which is the same as what he receives in a real execution, as \([k^{-1}_2] \cdot Q_1 - [b] \cdot P = [k^{-1}_2 \cdot x_1] \cdot P - [b] \cdot P = [a] \cdot P\). Thus the views are indistinguishable.
In the online signing:
- If \(\mathcal {P}_2\) does not cheat at all during the protocol, he will be able to calculate \(s_2 = k_2^{-1} \cdot (H(m) + x_2 \cdot r) + b \cdot r \mod q \) and send it to \(\mathcal {P}_1\). In the real execution, \(\mathcal {P}_1\) will add it to its share \(s_1\), and the sum will yield a valid signature, which will be published by \(\mathcal {P}_1\). In the simulated execution, \(s_2\) will pass the check of the simulator, and therefore he will publish the signature.
- If \(\mathcal {P}_2\) cheated at the MtA call, or does not send the correct \(s_2\), then in the real execution \(\mathcal {P}_1\) will not find a valid signature after summing up its share with the one of \(\mathcal {P}_2\), thus \(\mathcal {P}_1\) will send the abort signal. In the simulated execution, either the \(\textsf{cheat}\) flag will be equal to 1 at this stage, or \(s_2\) will not pass the check of the simulator. In both cases the simulator will abort. That is, the only case where the views would be distinguishable is when the adversary cheats on the MtA call and yet manages to send the correct \(s_2\). Let us denote by \(\epsilon \) the additive error that the adversary introduces to his input to MtA, namely he sends \(k_2^{-1} + \epsilon \) instead of \(k_2^{-1}\). In this case \(a+b = x_1 \cdot (k_2^{-1} + \epsilon )\). In order to pass the check, \(\mathcal {P}_2\) needs to send \(s_2\) such that \(s \cdot k_1 = s_2 + a \cdot r \mod q\). This implies that:
$$\begin{aligned} s_2 & = s \cdot k_1 - a \cdot r \\
& = k^{-1} \cdot (H(m) + r \cdot x) \cdot k_1 - a \cdot r \\
& = k_2^{-1} \cdot (H(m) + r \cdot x_1 + r \cdot x_2) - a \cdot r \\
& = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + k_2^{-1} \cdot r \cdot x_1 - a \cdot r \\
& = k_2^{-1} \cdot (H(m) + r \cdot x_2 ) + r \cdot b - x_1 \cdot r \cdot \epsilon \end{aligned}$$
As \(x_1\) is unknown to the adversary, he can satisfy this equation only if \(\epsilon = 0\), i.e., in the case where he does not cheat in the MtA call. Thus the behaviour of the simulator makes the real execution and the simulated one indistinguishable.
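The two checks this proof rests on, as an added, runnable illustration that is not part of the paper: one run of the protocol as reconstructed from Appendix B (additive key shares \(x = x_1 + x_2\), multiplicative nonce shares \(k = k_1 k_2\), one MtA call giving \(a + b = x_1 k_2^{-1}\), \(\mathcal{P}_2\)'s offline check \([k_2]\cdot(Z + [b]\cdot P) = Q_1\), and the single online message \(s_2\)), together with the three deviations analysed in B.1 and B.2. The curve secp256k1, SHA-256 as \(H\), and a trusted-dealer stand-in for the MtA functionality are assumptions of this example, not choices made by the paper.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard values); affine points, None = point at infinity
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):  # point addition, covering infinity, doubling and inverse points
    if A is None or B is None:
        return A if B is None else B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if A == B
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):  # scalar multiplication [k]·A by double-and-add
    R = None
    for bit in bin(k % q)[2:]:
        R = add(add(R, R), A if bit == "1" else None)
    return R

def hq(m):  # H(m) as an integer mod q (SHA-256 assumed as the hash)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q
def verify(Q, m, r, s):  # standard ECDSA verification against public key Q
    w = pow(s, -1, q)
    X = add(mul(hq(m) * w, G), mul(r * w, Q))
    return X is not None and X[0] % q == r

def mta(u, v):  # ideal MtA stand-in (trusted dealer, NOT the paper's instantiation): a + b = u*v
    a = secrets.randbelow(q)
    return a, (u * v - a) % q

def two_party_sign(m, eps1=0, E=None, eps2=0):
    # eps1 / E: P1's additive error on its MtA input / on Z; eps2: P2's error on its MtA input
    x1, x2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1  # key shares, x = x1 + x2
    Q1, Q = mul(x1, G), add(mul(x1, G), mul(x2, G))                       # Q1 = [x1]G, Q = Q1 + Q2
    k1, k2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1  # nonce shares, k = k1*k2
    r, k2inv = mul(k1 * k2, G)[0] % q, pow(k2, -1, q)
    a, b = mta((x1 + eps1) % q, (k2inv + eps2) % q)  # offline: a + b = x1 * k2^-1 when honest
    Z = add(mul(a, G), E)                             # P1 -> P2: Z = [a]G (plus E if cheating)
    if not eps2 and mul(k2, add(Z, mul(b, G))) != Q1:  # P2's check of Appendix B.1 (a corrupt P2 skips it)
        return "abort-P2"
    s2 = (k2inv * (hq(m) + x2 * r) + b * r) % q       # online: P2 -> P1, one field element
    s = pow(k1, -1, q) * (s2 + a * r) % q             # P1 completes s = k^-1 (H(m) + r x)
    return "ok" if verify(Q, m, r, s) else "abort-P1"
```

An honest run returns "ok"; a \(\mathcal{P}_1\) that shifts its MtA input (eps1) or the point Z (E) is caught by \(\mathcal{P}_2\)'s check, while a \(\mathcal{P}_2\) that shifts its MtA input (eps2) leaves \(\mathcal{P}_1\) with an invalid signature and an abort, matching the three cases of the proof.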
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Kocaman, S., Talibi Alaoui, Y. (2024). Efficient Secure Two Party ECDSA. In: Quaglia, E.A. (eds) Cryptography and Coding. IMACC 2023. Lecture Notes in Computer Science, vol 14421. Springer, Cham. https://doi.org/10.1007/978-3-031-47818-5_9
DOI: https://doi.org/10.1007/978-3-031-47818-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-47817-8
Online ISBN: 978-3-031-47818-5