Paper 2021/060

UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts

Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, and Udi Peled


Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS '18), we present threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art: * Only the last round of our protocols requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol. * Our protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security. * Our protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA. * Both protocols achieve accountability by identifying corrupted signatories in case of failure to generate a valid signature. The protocols provide a tradeoff between the number of rounds to generate a signature and the computational and communication overhead for the identification of corrupted signatories. Namely: * For one protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties. * For the other protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds. These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies.

Note: This work combines Canetti, Makriyannis & Peled (2020) and Gennaro & Goldfeder (2020). An extended abstract of this work appears in the proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS'20). Authors are listed in alphabetical order.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Major revision. 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS'20)
composabilityaccountabilityidentifiable abortsignaturesthreshold cryptographydistributed cryptographymultiparty computationBlockchainMPCUCmalicious adversaries
Contact author(s)
n makriyannis @ gmail com
udi0peled @ gmail com
canetti @ bu edu
goldfeder @ cornell edu
rosario @ cs ccny cuny edu
2021-10-21: last of 2 revisions
2021-01-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ran Canetti and Rosario Gennaro and Steven Goldfeder and Nikolaos Makriyannis and Udi Peled},
      title = {UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts},
      howpublished = {Cryptology ePrint Archive, Paper 2021/060},
      year = {2021},
      doi = {10.1145/3372297.3423367},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.