Fast Secure Two-Party ECDSA Signing

Abstract

ECDSA is a standard digital signature scheme that is widely used in TLS, Bitcoin and elsewhere. Unlike other schemes like RSA, Schnorr signatures and more, it is particularly hard to construct efficient threshold signature protocols for ECDSA (and DSA). As a result, the best-known protocols today for secure distributed ECDSA require running heavy zero-knowledge proofs and computing many large-modulus exponentiations for every signing operation. In this paper, we consider the specific case of two parties (and thus no honest majority) and construct a protocol that is approximately two orders of magnitude faster than the previous best. Concretely, our protocol achieves good performance, with a single signing operation for curve P-256 taking approximately 37 ms between two standard machine types in Azure (utilizing a single core only). Our protocol is proven secure for sequential composition under standard assumptions using a game-based definition. In addition, we prove security by simulation under a plausible yet non-standard assumption regarding Paillier. We show that partial concurrency (where if one execution aborts, then all need to abort) can also be achieved.

Zero-Knowledge Range Proof

For the sake of completeness, in this appendix, we present the ZK-proof that \(x\in {\mathbb {Z}}_{q/3}\) where \(c=\mathsf{Enc}_{pk}(x)\). The value sid is a unique session identifier obtained from the application. Our proof is based on the proof described [4, Section 1.2.2], with adaptations as required for our setting here. We will prove for \(x\in \{0,\ldots ,\lfloor \frac{q}{3}\rfloor \}\) that it is in the range [0, q). Let \(\ell =\lfloor \frac{q}{3}\rfloor \). Stated differently, the input is \(x\in \{0,\ldots ,\ell \}\) and the proof guarantees that \(x\in {\mathbb {Z}}_q\).

• Input: The prover P has input (c, x, r) where \(c=\mathsf{Enc}_{pk}(x;r)\) and the Paillier key-pair \((N,\phi (N))\); the verifier V has input c and the Paillier public key N. Both parties have q and \(\ell =\lfloor \frac{q}{3}\rfloor \).

  Both parties have a parameter \(t=40\).

• The protocol:

  1. 1.

     \({\varvec{ V}}\)’s first message: V chooses a random \(e\leftarrow \{0,1\}^t\), computes \(com=\mathsf{commit}(e,sid)\) and sends com to P. Denote \(e=e_1,\ldots ,e_t\).

  2. 2.

     \({\varvec{ P}}\)’s first message:

     1. (a)

        P chooses random \(w_1^1,\ldots ,w_1^t\leftarrow \{\ell ,\ldots ,2\ell \}\) and computes \(w_2^i= w_1^i-\ell \) for every \(i=1,\ldots ,t\).

     2. (b)

        For every \(i=1,\ldots ,t\), P switches the values of \(w_1^i\) and \(w_2^i\) with probability 1/2 (independently for each i).

     3. (c)

        For every \(i=1,\ldots ,t\), P computes \(c_1^i= \mathsf{Enc}_{pk}(w_1^i;r_1^i)\) and \(c_2^i=\mathsf{Enc}_{pk}(w_2^i;r_2^i)\), where \(r_i^1,r_i^2\leftarrow {\mathbb {Z}}_N\) are the randomness used in Paillier encryption.

     4. (d)

        P sends \(c_1^1,c_2^1\ldots ,c_1^t,c_2^t\) to V.

  3. 3.

     \({\varvec{ V}}\)’s second message: Upon receiving \(c_1^1,c_2^1\ldots ,c_1^t,c_2^t\), V decommits to com, revealing (e, sid) to P.

  4. 4.

     \({\varvec{ P}}\)’s second message: For \(i=1,\ldots ,t\):

     1. (a)

        If \(e_i=0\) then P sets \(z_i=(w_1^i,r_1^i,w_2^i,r_2^i)\).

     2. (b)

        If \(e_i=1\) then P sets \(z_i\) as follows. Let \(j\in \{1,2\}\) be the unique value of j such that \(x+w_j^i \in \{\ell ,\ldots ,2\ell \}\). Then, \(S_1\) sets \(z_i=(j,x+w_j^i,r\cdot r_j^i\bmod N)\).

     3. (c)

        P sends \(z_1,\ldots ,z_t\) to V.

• \({\varvec{ V}}\)’s output: V parses \(z_i\) appropriately according to the value of \(e_i\). Then: For \(i=1,\ldots ,t\):

  1. 1.

     If \(e_i=0\) then V checks that \(c_1^i=\mathsf{Enc}_{pk}(w_1^i;r_1^i)\) and \(c_2^i=\mathsf{Enc}_{pk}(w_2^i;r_2^i)\) and that one of \({\hat{w}}_1^i,{\hat{w}}_2^i\in \{\ell ,\ldots ,2\ell \}\) while the other is in \(\{0,\ldots ,\ell \}\), where \(z_i=(w_1^i,r_1^i,w_2^i,r_2^i)\).

  2. 2.

     If \(e_i=1\) then V checks that \(c\oplus c_j^i = \mathsf{Enc}_{pk}(w_i;r_i)\) and \(w_i\in \{\ell ,\ldots ,2\ell \}\), where \(z_i=(j,w_i,r_i)\).

  V outputs 1 if and only if all of the checks pass.

Security. We sketch the proof here:

• Completeness: As long as there exists a \(j\in \{1,2\}\) such that \(x+w_j^i \in \{\ell ,\ldots ,2\ell \}\), for every i, it is clear that V will accept. In order to see why this holds, observe that by the way \(w_i^1\) and \(w_i^2\) are chosen we have \(w_i^1\in \{\ell ,\ldots ,2\ell \}\) and \(w_i^2\in \{0,\ldots ,\ell \}\).

  There are two cases. If \(x+w_i^1< 2\ell \) then since \(x+w_i^1\ge w_i^1\ge \ell \) we have \(x+w_i^1\in \{\ell ,\ldots ,2\ell \}\). In contrast, if \(x+w_i^1 \ge 2\ell \), then \(w_i^2 = w_i^1 - \ell \ge \ell \). Since \(x+w_i^2 \le 2\ell \) (since both \(0\le x \le \ell \) and \(0\le w_i^2 \le \ell \)), it follows that \(x+w_i^2\in \{\ell ,\ldots ,2\ell \}\), as required.

• Soundness: Let \(c=\mathsf{Enc}_{pk}(x)\) and assume that \(x\notin {\mathbb {Z}}_q\) and so in particular \(x \ge q\) (note that if x is negative then modulo q this is the same as \(x\ge q\)). We need to prove that V accepts with probability at most \(2^{-t}\). Let \(P^*\) be the cheating prover. We show that if \(P^*\) can provide an accepting answer for both \(e_i=0\) and \(e_i=1\) for the ith ciphertext, then \(x\in {\mathbb {Z}}_q\). This suffices since it implies that \(P^*\) can answer at most one of the \(e_i\) queries for each i, and thus the probability that it answers all is at most \(2^{-t}\).

  Fix i and assume that \(P^*\) can provide an accepting answer for both \(e_i=0\) and \(e_i=1\). Since \(P^*\) can answer for \(e_i=0\), this implies that \(c_1^i=\mathsf{Enc}{pk}(w_1^i)\) and \(c_2^i=\mathsf{Enc}_{pk}(w_2^i)\) and \(w_1^i\in \{\ell ,\ldots ,2\ell \}\) and \(w_2^i\in \{0,\ldots ,\ell \}\). Furthermore, since \(P^*\) can answer for \(e_i=1\) this implies that for some \(j\in \{1,2\}\) we have that \(c\oplus c_j^i = \mathsf{Enc}_{pk}(w_i)\) for some \(w_i\in \{\ell ,\ldots ,2\ell \}\). Note that by the perfect decryption correctness of Paillier (under the assumption that the Paillier key is valid, which is proven during key generation), it holds that \(w_i\in \{w_1^i,w_2^i\}\). We consider two cases:

  1. 1.

     Case 1—\(j=1\): In this case, we have that \(x+ w_1^i=w_i\) where \(w_1^i\in \{\ell ,\ldots ,2\ell \}\) and \(w_i\in \{\ell ,\ldots ,2\ell \}\). Since the minimal value of \(w_1^i\) is \(\ell \) and the maximal value of \(w_i\) is \(2\ell \), it follows that \(x\le \ell \).

  2. 2.

     Case 2—\(j=2\): In this case, we have that \(x+ w_2^i=w_i\) where \(w_2^i\in \{0,\ldots ,\ell \}\) and \(w_i\in \{\ell ,\ldots ,2\ell \}\). Since the minimal value of \(w_2^i\) is 0 and the maximal value of \(w_i\) is \(2\ell \), it follows that \(x\le 2\ell \).

• Zero knowledge: The simulator \({{\mathcal {S}}}\) extracts e from the commitment provided by the potentially cheating verifier \(V^*\). Then, for every i, if \(e_i=0\) then \({{\mathcal {S}}}\) generates \(c_1^i,c_2^i\) like the honest prover does. In contrast, if \(e_i=1\), then \({{\mathcal {S}}}\) chooses a random \(j\in \{1,2\}\), a random \(w_i\in \{\ell ,\ldots ,2\ell \}\) and a random \(r_i\in {\mathbb {Z}}_N\). Then, \({{\mathcal {S}}}\) sets \(c_j^i=\mathsf{Enc}_{pk}(w_i;r_i)\ominus c\) and sets \(c_{3-j}^i\) to be an encryption of 0. Finally, \({{\mathcal {S}}}\) hands \(V^*\) all of the encryptions, receives back the decommitment and provides the answers appropriately.

  We argue that the view generated by \({{\mathcal {S}}}\) is computationally indistinguishable from the view of \(V^*\) in a real proof. In order to see this, first observe that the ciphertexts are given in random order in a real proof. Next, observe that for every i for which \(e_i=1\), the ciphertext opened is an encryption of a value that is uniformly distributed in \(\{\ell ,\ldots ,2\ell \}\). This holds because \(w_1^i\) is uniformly distributed in \(\{\ell ,\ldots ,2\ell \}\) and \(w_2^i\) is uniformly distributed in \(\{0,\ldots ,\ell \}\). This implies that \(x+w_1^i\) is uniformly distributed in \(\{x+\ell ,\ldots ,x+2\ell \}\) and \(x+w_2^i\) is uniformly distributed in \(\{x,\ldots ,x+\ell \}\). Thus, the distribution over the subset of values between \(\ell \) and \(2\ell \) is uniform.