Paper 2018/499

Secure Two-party Threshold ECDSA from ECDSA Assumptions

Jack Doerner, Technion – Israel Institute of Technology
Yashvanth Kondi, Aarhus University
Eysa Lee, Northeastern University
abhi shelat, Northeastern University

The Elliptic Curve Digital Signature Algorithm (ECDSA) is one of the most widely used schemes in deployed cryptography. Through its applications in code and binary authentication, web security, and cryptocurrency, it is likely one of the few cryptographic algorithms encountered on a daily basis by the average person. However, its design is such that executing multi-party or threshold signatures in a secure manner is challenging: unlike other, less widespread signature schemes, secure multi-party ECDSA requires custom protocols, which has heretofore implied reliance upon additional cryptographic assumptions and primitives such as the Paillier cryptosystem. We propose new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which we prove secure against malicious adversaries in the Random Oracle Model using only the Computational Diffie-Hellman Assumption and the assumptions already relied upon by ECDSA itself. Our scheme requires only two messages, and via implementation we find that it outperforms the best prior results in practice by a factor of 56 for key generation and 11 for signing, coming to within a factor of 18 of local signatures. Concretely, two parties can jointly sign a message in just over three milliseconds. This document is an updated version. A new preface includes errata and notes relevant to the original work, and a brief description of a revised protocol with a revised proof. The original paper appears in unedited form at the end. The authors consider this work to be fully subsumed by the more recent three-round protocol of Doerner, Kondi, Lee, and shelat (2023), and direct new readers to that work.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. IEEE Security and Privacy 2018
threshold cryptographyelliptic curve cryptographymulti-party computationECDSAconcrete efficiency
Contact author(s)
j @ ckdoerner net
yash @ ykondi net
lee ey @ northeastern edu
abhi @ neu edu
2023-07-20: last of 2 revisions
2018-05-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Jack Doerner and Yashvanth Kondi and Eysa Lee and abhi shelat},
      title = {Secure Two-party Threshold ECDSA from ECDSA Assumptions},
      howpublished = {Cryptology ePrint Archive, Paper 2018/499},
      year = {2018},
      doi = {10.1109/SP.2018.00036},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.