Compact Zero-Knowledge Proofs for Threshold ECDSA with Trustless Setup

Threshold ECDSA signatures provide a higher level of security for a crypto wallet, since more than t out of n parties are required to sign a transaction. The state-of-the-art bandwidth-efficient threshold ECDSA used the additively homomorphic Castagnos and Laguillaumie (CL) encryption based on an unknown-order group G, together with a number of zero-knowledge proofs in G. In this paper, we propose compact zero-knowledge proofs for threshold ECDSA to lower the communication bandwidth as well as the computation cost. The proposed zero-knowledge proofs cover the discrete-logarithm relation in G and the well-formedness of a CL ciphertext. When applied to two-party ECDSA, we can lower the bandwidth of the key generation algorithm by 47%, and the running times of the key generation and signing algorithms are improved by about 35% and 104%, respectively. When applied to threshold ECDSA, our first scheme is more optimized for the key generation algorithm (about 70% lower bandwidth and 85% faster computation in key generation, at a cost of 20% larger bandwidth in signing), while our second scheme has an all-round performance improvement (about 60% lower bandwidth and 46% faster computation in key generation, without additional cost in signing).
