Cryptology ePrint Archive: Report 2022/318

Efficient Online-friendly Two-Party ECDSA Signature

Haiyang Xue and Man Ho Au and Xiang Xie and Tsz Hon Yuen and Handong Cui

Abstract: Two-party ECDSA signatures have received much attention due to their widespread deployment in cryptocurrencies. Depending on whether or not the message is required, we could divide two-party signing into two different phases, namely, offline and online. Ideally, the online phase should be made as lightweight as possible. At the same time, the cost of the offline phase should remain similar to that of a normal signature generation. However, the existing two-party protocols of ECDSA are not optimal: either their online phase requires decryption of a ciphertext, or their offline phase needs at least two executions of multiplicative-to-additive conversion, which dominates the overall complexity. This paper proposes an online-friendly two-party ECDSA with a lightweight online phase and a single multiplicative-to-additive function in the offline phase. It is constructed by a novel design of a re-sharing of the secret key and a linear sharing of the nonce. Our scheme significantly improves previous protocols based on either oblivious transfer or homomorphic encryption. We implement our scheme and show that it outperforms prior online-friendly schemes (i.e., those that have lightweight online cost) by a factor of roughly 2 to 9 in both communication and computation. Furthermore, our two-party scheme could be easily extended to the $2$-out-of-$n$ threshold ECDSA.

Category / Keywords: cryptographic protocols / ECDSA, threshold signature, two-party signature, blockchain, zero-knowledge proof

Original Publication (with major differences): ACM CCS 2021
DOI: 10.1145/3460120.3484803

Date: received 7 Mar 2022

Contact author: haiyangxc at gmail com, allenau at cs hku hk, xiexiang at matrixelements com, thyuen at cs hku hk, hdcui at cs hku hk

Note: This includes the full proof of security.

Version: 20220308:124952

Short URL: ia.cr/2022/318

