Efficient Online-friendly Two-Party ECDSA Signature

Two-party ECDSA signatures have received much attention due to their widespread deployment in cryptocurrencies. Depending on whether or not the message is required, two-party signing can be divided into two phases: offline and online. Ideally, the online phase should be made as lightweight as possible. At the same time, the cost of the offline phase should remain similar to that of a normal signature generation. However, the existing two-party ECDSA protocols are not optimal: either their online phase requires decryption of a ciphertext, or their offline phase needs at least two executions of multiplicative-to-additive conversion, which dominates the overall complexity. This paper proposes an online-friendly two-party ECDSA with a lightweight online phase and a single multiplicative-to-additive function in the offline phase. It is constructed from a novel design combining a re-sharing of the secret key and a linear sharing of the nonce. Our scheme significantly improves on previous protocols based on either oblivious transfer or homomorphic encryption. We implement our scheme and show that it outperforms prior online-friendly schemes (i.e., those that have a lightweight online cost) by a factor of roughly 2 to 9 in both communication and computation. Furthermore, our two-party scheme can be easily extended to 2-out-of-n threshold ECDSA.
