ABSTRACT
ECDSA is a standardized signing algorithm that is widely used in TLS, code signing, cryptocurrency and more. Due to its importance, the problem of securely computing ECDSA in a distributed manner (known as threshold signing) has received considerable interest. However, despite this interest, there is still no full threshold solution for more than 2 parties (meaning that any t-out-of-n parties can sign, security is preserved for any t-1 or fewer corrupted parties, and t ≤ n can be any value thus supporting an honest minority) that has practical key distribution. This is due to the fact that all previous solutions for this utilize Paillier homomorphic encryption, and efficient distributed Paillier key generation for more than two parties is not known. In this paper, we present the first truly practical full threshold ECDSA signing protocol that has both fast signing and fast key distribution. This solves a years-old open problem, and opens the door to practical uses of threshold ECDSA signing that are in demand today. One of these applications is the construction of secure cryptocurrency wallets (where key shares are spread over multiple devices and so are hard to steal) and cryptocurrency custody solutions (where large sums of invested cryptocurrency are strongly protected by splitting the key between a bank/financial institution, the customer who owns the currency, and possibly a third-party trustee, in multiple shares at each). There is growing practical interest in such solutions, but prior to our work these could not be deployed today due to the need for distributed key generation.
Index Terms
- Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody