Paper 2020/492

UC Non-Interactive, Proactive, Threshold ECDSA

Ran Canetti, Nikolaos Makriyannis, and Udi Peled


Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS ’18), we present a threshold ECDSA protocol, for any number of signatories and any threshold, that improves as follows over the state of the art: * Signature generation takes only 4 rounds (down from the current 8 rounds), with a comparable computational cost. Furthermore, 3 of these rounds can take place in a preprocessing stage before the signed message is known, lending to a non-interactive threshold ECDSA protocol. * The protocol withstands adaptive corruption of signatories. Furthermore, it includes a periodic refresh mechanism and offers full proactive security. * The protocol realizes an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA. These properties (low latency, compatibility with cold-wallet architectures, proactive security, and composable security) make the protocol ideal for threshold wallets for ECDSA-based cryptocurrencies.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
ECDSAproactivecomposabilitysignaturesthreshold cryptographydistributed cryptography
Contact author(s)
n makriyannis @ gmail com
udi0peled @ gmail com
canetti @ bu edu
2021-10-21: last of 5 revisions
2020-04-28: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ran Canetti and Nikolaos Makriyannis and Udi Peled},
      title = {UC Non-Interactive, Proactive, Threshold ECDSA},
      howpublished = {Cryptology ePrint Archive, Paper 2020/492},
      year = {2020},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.