Threshold ECDSA for Decentralized Asset Custody

The surge of interest in decentralization-enabling technologies sparked by the recent success of Bitcoin and other blockchains has led to several new challenges in cryptography and protocol design. One such challenge concerns the widely used digital signature scheme – ECDSA – that has in particular been chosen to secure transactions in Bitcoin and several other blockchain systems. To empower decentralized interoperability between such blockchains one would like to implement distributed custody over Bitcoin accounts, which technically can be realized via a threshold ECDSA protocol. Even though several threshold ECDSA protocols already exist, as we argue, due to lack of robustness in signature generation, they are not well suited for deployment scenarios with large committees of parties, out of which a significant fraction might be malicious or prone to DDoS attacks. We propose a new threshold ECDSA protocol that improves upon the state-of-the-art solutions by enabling robustness and fault attributability during signature generation. In addition to that, we improve the signing time and bandwidth of previous solutions by moving expensive operations that are oblivious to the signed message to a separate setup phase. Finally, we back our theoretical results via an empirical evaluation of our protocol in large-scale experiments in LAN and WAN settings.

[1]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[2]  Avi Wigderson,et al.  Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation (Extended Abstract) , 1988, STOC.

[3]  Silvio Micali,et al.  Input-Indistinguishable Computation , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[4]  Ivan Damgård,et al.  Practical Threshold RSA Signatures without a Trusted Dealer , 2000, EUROCRYPT.

[5]  Elaine Shi,et al.  The Honey Badger of BFT Protocols , 2016, CCS.

[6]  Hugo Krawczyk,et al.  Robust Threshold DSS Signatures , 1996, Inf. Comput..

[7]  Dan Boneh,et al.  Using Level-1 Homomorphic Encryption to Improve Threshold DSA Signatures for Bitcoin Wallet Security , 2017, LATINCRYPT.

[8]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[9]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[10]  Dan Boneh,et al.  Verifiable Delay Functions , 2018, IACR Cryptol. ePrint Arch..

[11]  Manuel Blum,et al.  Non-Interactive Zero-Knowledge and Its Applications (Extended Abstract) , 1988, STOC 1988.

[12]  Taher El Gamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, IEEE Trans. Inf. Theory.

[13]  Silvio Micali,et al.  Probabilistic encryption & how to play mental poker keeping secret all partial information , 1982, STOC '82.

[14]  Damian Lesniak,et al.  Aleph: Efficient Atomic Broadcast in Asynchronous Networks with Byzantine Nodes , 2019, AFT.

[15]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[16]  Douglas R. Stinson,et al.  Provably Secure Distributed Schnorr Signatures and a (t, n) Threshold Scheme for Implicit Certificates , 2001, ACISP.

[17]  Marcel Keller,et al.  Overdrive: Making SPDZ Great Again , 2018, IACR Cryptol. ePrint Arch..

[18]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[19]  Yehuda Lindell,et al.  Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation , 2014, Journal of Cryptology.

[20]  Yehuda Lindell,et al.  Fast Secure Two-Party ECDSA Signing , 2017, Journal of Cryptology.

[21]  Joan Feigenbaum Advances in Cryptology - CRYPTO '91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1991, Proceedings , 1992, CRYPTO.

[22]  Rosario Gennaro,et al.  Fast Multiparty Threshold ECDSA with Fast Trustless Setup , 2018, CCS.

[23]  Nancy A. Lynch,et al.  Consensus in the presence of partial synchrony , 1988, JACM.

[24]  Ivan Damgård,et al.  Scalable and Unconditionally Secure Multiparty Computation , 2007, CRYPTO.

[25]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[26]  Donald Beaver,et al.  Correlated pseudorandomness and the complexity of private computations , 1996, STOC '96.

[27]  Jens Groth,et al.  Short Pairing-Based Non-interactive Zero-Knowledge Arguments , 2010, ASIACRYPT.

[28]  Nancy A. Lynch,et al.  Easy impossibility proofs for distributed consensus problems , 1985, PODC '85.

[29]  Ran Canetti,et al.  UC Non-Interactive, Proactive, Threshold ECDSA , 2020, IACR Cryptol. ePrint Arch..

[30]  Rosario Gennaro,et al.  One Round Threshold ECDSA with Identifiable Abort , 2020, IACR Cryptol. ePrint Arch..

[31]  Benjamin Wesolowski,et al.  Efficient Verifiable Delay Functions , 2019, Journal of Cryptology.

[32]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[33]  Michael K. Reiter,et al.  Two-party generation of DSA signatures , 2001, International Journal of Information Security.

[34]  Yehuda Lindell,et al.  Highly-Efficient Universally-Composable Commitments based on the DDH Assumption , 2011, IACR Cryptol. ePrint Arch..

[35]  Yehuda Lindell,et al.  Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody , 2018, CCS.

[36]  Ivan Damgård,et al.  Semi-Homomorphic Encryption and Multiparty Computation , 2011, IACR Cryptol. ePrint Arch..

[37]  Ivan Damgård,et al.  Multiparty Computation from Somewhat Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[38]  Niv Gilboa,et al.  Two Party RSA Key Generation , 1999, CRYPTO.

[39]  Miguel Oom Temudo de Castro,et al.  Practical Byzantine fault tolerance , 1999, OSDI '99.

[40]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[41]  Ivan Damgård,et al.  Fast Threshold ECDSA with Honest Majority , 2020, IACR Cryptol. ePrint Arch..

[42]  Fabien Laguillaumie,et al.  Bandwidth-efficient threshold EC-DSA , 2020, IACR Cryptol. ePrint Arch..

[43]  Arvind Narayanan,et al.  Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security , 2016, ACNS.

[44]  Ittai Abraham,et al.  HotStuff: BFT Consensus with Linearity and Responsiveness , 2019, PODC.

[45]  Alexandra Boldyreva,et al.  Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme , 2002 .

[46]  Donald Beaver,et al.  Efficient Multiparty Protocols Using Circuit Randomization , 1991, CRYPTO.

[47]  Gabriel Bracha,et al.  Asynchronous Byzantine Agreement Protocols , 1987, Inf. Comput..

[48]  Satoshi Nakamoto Bitcoin : A Peer-to-Peer Electronic Cash System , 2009 .

[49]  Yehuda Lindell,et al.  How To Simulate It - A Tutorial on the Simulation Proof Technique , 2016, IACR Cryptol. ePrint Arch..