Abstract
We witness an increase in applications like cryptocurrency wallets, which involve users issuing signatures using private keys. To protect these keys from loss or compromise, users commonly outsource them to a custodial server. This creates a new point of failure, because compromise of such a server leaks the user's key, and if user authentication is implemented with a password then this password becomes open to an offline dictionary attack (ODA). A better solution is to secret-share the key among a set of servers, possibly including the user's own device(s), and implement password authentication and signature computation using threshold cryptography.
We propose a notion of augmented password-protected threshold signature (aptSIG) scheme which captures the best possible security level for this setting. Using standard threshold cryptography techniques, i.e. threshold password authentication and threshold signatures, one can guarantee that compromising up to t out of n servers reveals no information on either the key or the password. However, we extend this with a novel property, that compromising even all n servers also does not leak any information, except via an unavoidable ODA attack, which reveals the key only if the attacker guesses the password.
We define aptSIG in the Universally Composable (UC) framework and show that it can be constructed very efficiently, using a black-box composition of any UC threshold signature [13] and a UC augmented Password-Protected Secret Sharing (aPPSS), which we define as an extension of the prior notion of PPSS [30]. As concrete instantiations we obtain secure aptSIG schemes for ECDSA (in the case of \(t=n-1\)) and BLS signatures with very small overhead over the respective threshold signature.
Finally, we note that both the notion and our generic solution for augmented password-protected threshold signatures can be generalized to password-protecting MPC for any keyed functions.
Notes
1. Authenticated channels between user and servers are needed at initialization in order for the user to identify the servers it is communicating with, but such channels, or PKI, are not needed for later signature generation.
2. McQuoid et al. [36] made a related observation, that a (non-threshold) OPRF implements secure 2PC for evaluating (non-secret-shared) obfuscated point functions, and used it to construct 2PC on obfuscated inputs for a larger class of functions.
3. \(\mathcal {F} _{\textrm{aptSIG}}\) lets \(\mathcal {A}^*\) set the user instance's message \(\textsf{m}\) to arbitrary \(\textsf{m}^*\) in the finalization of the signing protocol, but only for adversarial user instances, i.e. we allow adversarial signing instances to "late-commit" to their messages.
4. Due to space constraints we defer to the full version of the paper, which captures the top-level view of these interactions in the real-world and ideal-world executions.
References
Agrawal, S., Miao, P., Mohassel, P., Mukherjee, P.: PASTA: PASsword-based threshold authentication. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018. pp. 2042–2059. ACM Press (Oct 2018)
Arapinis, M., Gkaniatsou, A., Karakostas, D., Kiayias, A.: A formal treatment of hardware wallets. In: Goldberg, I., Moore, T. (eds.) Financial Cryptography and Data Security - 23rd International Conference, FC 2019, Frigate Bay, St. Kitts and Nevis, February 18-22, 2019, Revised Selected Papers. Lecture Notes in Computer Science, vol. 11598, pp. 426–445. Springer (2019). https://doi.org/10.1007/978-3-030-32101-7_26
Aumasson, J., Hamelink, A., Shlomovits, O.: A survey of ECDSA threshold signing. IACR Cryptol. ePrint Arch. p. 1390 (2020), https://eprint.iacr.org/2020/1390
Bacho, R., Loss, J.: On the adaptive security of the threshold BLS signature scheme. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.) ACM CCS 2022. pp. 193–207. ACM Press (Nov 2022). https://doi.org/10.1145/3548606.3560656
Bagherzandi, A., Jarecki, S., Saxena, N., Lu, Y.: Password-protected secret sharing. In: Chen, Y., Danezis, G., Shmatikov, V. (eds.) ACM CCS 2011. pp. 433–444. ACM Press (Oct 2011)
Baum, C., Frederiksen, T., Hesse, J., Lehmann, A., Yanai, A.: PESTO: Proactively secure distributed single sign-on, or how to trust a hacked server. In: 2020 IEEE European Symposium on Security and Privacy (EuroSP). pp. 587–606 (2020)
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y. (ed.) Public Key Cryptography - PKC 2003, 6th International Workshop on Theory and Practice in Public Key Cryptography, Miami, FL, USA, January 6-8, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2567, pp. 31–46. Springer (2003). https://doi.org/10.1007/3-540-36288-6_3
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004). https://doi.org/10.1007/s00145-004-0314-9
Boyd, C.: Digital multisignatures. Cryptography and Coding (1986)
Camenisch, J., Lehmann, A., Neven, G., Samelin, K.: Virtual smart cards: How to sign with a password and a server. In: Zikas, V., De Prisco, R. (eds.) SCN 16. LNCS, vol. 9841, pp. 353–371 (Aug / Sep 2016)
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14-17 October 2001, Las Vegas, Nevada, USA. pp. 136–145. IEEE Computer Society (2001). https://doi.org/10.1109/SFCS.2001.959888
Canetti, R.: Universally composable signatures, certification and authentication. Cryptology ePrint Archive, Report 2003/239 (2003), https://eprint.iacr.org/2003/239
Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020. pp. 1769–1787. ACM Press (Nov 2020)
Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Bandwidth-efficient threshold EC-DSA. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020, Part II. LNCS, vol. 12111 (May 2020)
Das, P., Erwig, A., Faust, S., Loss, J., Riahi, S.: BIP32-compatible threshold wallets. IACR Cryptol. ePrint Arch. p. 312 (2023), https://eprint.iacr.org/2023/312
Das, S., Ren, L.: Adaptively secure BLS threshold signatures from DDH and co-CDH. In: Reyzin, L., Stebila, D. (eds.) CRYPTO 2024, Part VII. LNCS, vol. 14926, pp. 251–284. Springer, Cham (Aug 2024)
Desmedt, Y.: Society and group oriented cryptography: A new concept. In: Pomerance, C. (ed.) CRYPTO’87. LNCS, vol. 293 (Aug 1988)
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO’89. LNCS, vol. 435 (Aug 1990)
Desmedt, Y., Frankel, Y.: Shared generation of authenticators and signatures (extended abstract). In: Feigenbaum, J. (ed.) CRYPTO’91. LNCS, vol. 576 (Aug 1992)
Doerner, J., Kondi, Y., Lee, E., shelat, a.: Threshold ECDSA from ECDSA assumptions: The multiparty case. In: 2019 IEEE Symposium on Security and Privacy. IEEE Computer Society Press (May 2019)
Dziembowski, S., Jarecki, S., Kedzior, P., Krawczyk, H., Ngo, C.N., Xu, J.: Password-protected threshold signatures. Cryptology ePrint Archive, Paper number TBD (2024), TBD
Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 33–62 (Aug 2018). https://doi.org/10.1007/978-3-319-96881-0_2
Ganesan, R.: Yaksha: augmenting Kerberos with public key cryptography. In: Proceedings of the Symposium on Network and Distributed System Security. pp. 132–143 (1995)
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018. ACM Press (Oct 2018)
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007). https://doi.org/10.1007/s00145-006-0347-3
Gentry, C., MacKenzie, P.D., Ramzan, Z.: A method for making password-based key exchange resilient to server compromise. In: Dwork, C. (ed.) Advances in Cryptology - CRYPTO 2006, 26th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4117, pp. 142–159. Springer (2006). https://doi.org/10.1007/11818175_9
Gjøsteen, K., Thuen, Ø.: Password-based signatures. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) Public Key Infrastructures, Services and Applications. Springer Berlin Heidelberg, Berlin, Heidelberg (2012)
Gu, Y., Jarecki, S., Kedzior, P., Nazarian, P., Xu, J.: Threshold PAKE with security against compromise of all servers. In: Advances in Cryptology – ASIACRYPT 2024 (2024)
Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014, Proceedings, Part II. Lecture Notes in Computer Science, vol. 8874, pp. 233–253. Springer (2014). https://doi.org/10.1007/978-3-662-45608-8_13
Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing (or: How to protect your bitcoin wallet online). In: 2016 IEEE European Symposium on Security and Privacy (EuroSP). pp. 276–291 (2016). https://doi.org/10.1109/EuroSP.2016.30
Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: TOPPSS: cost-minimal password-protected secret sharing based on threshold OPRF. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) Applied Cryptography and Network Security - 15th International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10355, pp. 39–58. Springer (2017). https://doi.org/10.1007/978-3-319-61204-1_3
Jarecki, S., Krawczyk, H., Xu, J.: OPAQUE: an asymmetric PAKE protocol secure against pre-computation attacks. In: Nielsen, J.B., Rijmen, V. (eds.) Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018, Proceedings, Part III. Lecture Notes in Computer Science, vol. 10822, pp. 456–486. Springer (2018). https://doi.org/10.1007/978-3-319-78372-7_15
Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018. ACM Press (Oct 2018)
MacKenzie, P.D., Reiter, M.K.: Networked cryptographic devices resilient to capture. In: 2001 IEEE Symposium on Security and Privacy. pp. 12–25. IEEE Computer Society Press (May 2001)
MacKenzie, P.D., Shrimpton, T., Jakobsson, M.: Threshold password-authenticated key exchange. J. Cryptol. 19(1), 27–66 (2006). https://doi.org/10.1007/s00145-005-0232-5
McQuoid, I., Rosulek, M., Xu, J.: How to obfuscate MPC inputs. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part II. LNCS, vol. 13748, pp. 151–180. Springer, Cham (Nov 2022)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO’91. LNCS, vol. 576, pp. 129–140 (Aug 1992)
Wikström, D.: Universally composable DKG with linear number of exponentiations. In: Blundo, C., Cimato, S. (eds.) Security in Communication Networks, 4th International Conference, SCN 2004, Amalfi, Italy, September 8-10, 2004, Revised Selected Papers. Lecture Notes in Computer Science, vol. 3352, pp. 263–277. Springer (2004). https://doi.org/10.1007/978-3-540-30598-9_19
Xu, S., Sandhu, R.S.: Two efficient and provably secure schemes for server-assisted threshold signatures. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 355–372 (Apr 2003)
Acknowledgments
Stefan Dziembowski, Pawel Kedzior, Chan Nam Ngo: This work is part of a project that received funding from the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation program (grant PROCONTRA-885666). Stefan Dziembowski was also partly supported by the Polish NCN Grant 2019/35/B/ST6/04138 and the Nicolaus Copernicus Polish-German Research Award 2020 COP/01/2020. Stanislaw Jarecki: This work was supported by NSF SaTC TTP award 2030575. Hugo Krawczyk: This work was done while the author was at the Algorand Foundation. Chan Nam Ngo: The majority of this work was done while the author was with the University of Warsaw, Poland.
© 2025 International Association for Cryptologic Research
Cite this paper
Dziembowski, S., Jarecki, S., Kedzior, P., Krawczyk, H., Ngo, C.N., Xu, J. (2025). Password-Protected Threshold Signatures. In: Chung, KM., Sasaki, Y. (eds) Advances in Cryptology – ASIACRYPT 2024. ASIACRYPT 2024. Lecture Notes in Computer Science, vol 15486. Springer, Singapore. https://doi.org/10.1007/978-981-96-0891-1_6
DOI: https://doi.org/10.1007/978-981-96-0891-1_6
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-0890-4
Online ISBN: 978-981-96-0891-1