Paper 2024/1831
Fast Two-party Threshold ECDSA with Proactive Security
Abstract
We present a new construction of two-party, threshold ECDSA, building on a 2017 scheme of Lindell and improving his scheme in several ways.
ECDSA signing is notoriously hard to distribute securely, due to non-linearities in the signing function. Lindell's scheme uses Paillier encryption to encrypt one party's key share and handle these non-linearities homomorphically, while elegantly avoiding any expensive zero-knowledge proofs over the Paillier group during the signing process. However, the scheme pushes that complexity into key generation. Moreover, avoiding ZK proofs about Paillier ciphertexts during signing comes with a steep price -- namely, the scheme requires a "global abort" when a malformed ciphertext is detected, after which an entirely new key must be generated.
We overcome all of these issues with a proactive Refresh procedure. Since the Paillier decryption key is part of the secret that must be proactively refreshed, our first improvement is to radically accelerate key generation by replacing one of Lindell's ZK proofs -- which requires 80 Paillier ciphertexts for statistical security
Note: Extended version of the ACM CCS 2024 paper with the same name/authors.
Metadata
- Available format(s): PDF
- Category: Cryptographic protocols
- Publication info: Published elsewhere. Major revision. ACM CCS 2024
- Keywords: Threshold Signatures, MPC, ECDSA
- Contact author(s):
  - kozielbrian @ gmail com
  - gordon @ gmu edu
  - craigbgentry @ gmail com
- History:
  - 2024-11-08: approved
  - 2024-11-07: received
- Short URL: https://ia.cr/2024/1831
- License: CC BY
BibTeX
@misc{cryptoeprint:2024/1831,
  author = {Brian Koziel and S. Dov Gordon and Craig Gentry},
  title = {Fast Two-party Threshold {ECDSA} with Proactive Security},
  howpublished = {Cryptology {ePrint} Archive, Paper 2024/1831},
  year = {2024},
  url = {https://eprint.iacr.org/2024/1831}
}