Paper 2024/1831

Fast Two-party Threshold ECDSA with Proactive Security

Brian Koziel, TripleBlind, Inc., Ideem, Inc.
S. Dov Gordon, TripleBlind, Inc., George Mason University
Craig Gentry, TripleBlind, Inc., Cornami, Inc.
Abstract

We present a new construction of two-party, threshold ECDSA, building on a 2017 scheme of Lindell and improving his scheme in several ways. ECDSA signing is notoriously hard to distribute securely, due to non-linearities in the signing function. Lindell's scheme uses Paillier encryption to encrypt one party's key share and handle these non-linearities homomorphically, while elegantly avoiding any expensive zero knowledge proofs over the Paillier group during the signing process. However, the scheme pushes that complexity into key generation. Moreover, avoiding ZK proofs about Paillier ciphertexts during signing comes with a steep price -- namely, the scheme requires a "global abort" when a malformed ciphertext is detected, after which an entirely new key must be generated. We overcome all of these issues with a proactive Refresh procedure. Since the Paillier decryption key is part of the secret that must be proactively refreshed, our first improvement is to radically accelerate key generation by replacing one of Lindell's ZK proofs -- which requires 80 Paillier ciphertexts for statistical security $2^{-40}$ -- with a much faster "weak" proof that requires only 2 Paillier ciphertexts, and which proves a weaker statement about a Paillier ciphertext that we show is sufficient in the context of our scheme. Secondly, our more efficient key generation procedure also makes frequent proactive Refreshes practical. Finally, we show that adding noise to one party's key share suffices to avoid the need to reset the public verification key when certain bad behavior is detected. Instead, we prove that our Refresh procedure, performed after each detection, suffices for addressing the attack, allowing the system to continue functioning without disruption to applications that rely on the verification key. Our scheme is also very efficient, competitive with the best constructions that do not provide proactive security, and state-of-the-art among the few results that do.
Our optimizations to ECDSA key generation speed up runtime and improve bandwidth over Lindell's key generation by factors of 7 and 13, respectively. Our Key Generation protocol requires 20% less bandwidth than existing constructions, completes in only 3 protocol messages, and executes much faster than all but OT-based key generation. For ECDSA signing, our extra Refresh protocol does add a 10X latency and 5X bandwidth overhead compared to Lindell. However, this still fits in 150 ms runtime and about 5.4 KB of messages when run in our AWS cluster benchmark.

Note: Extended version of the ACM CCS 2024 paper with the same name/authors.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Major revision. ACM CCS 2024
Keywords
Threshold Signatures, MPC, ECDSA
Contact author(s)
kozielbrian @ gmail com
gordon @ gmu edu
craigbgentry @ gmail com
History
2024-11-08: approved
2024-11-07: received
Short URL
https://ia.cr/2024/1831
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1831,
      author = {Brian Koziel and S. Dov Gordon and Craig Gentry},
      title = {Fast Two-party Threshold {ECDSA} with Proactive Security},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1831},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1831}
}