On the security of ECDSA with additive key derivation and presignatures

Two common variations of ECDSA signatures are additive key derivation and presignatures. Additive key derivation is a simple mechanism for deriving many subkeys from a single master key, and is already widely used in cryptocurrency applications with the Hierarchical Deterministic Wallet mechanism standardized in Bitcoin Improvement Proposal 32 (BIP32). Because of its linear nature, additive key derivation is also amenable to efficient implementation in the threshold setting. With presignatures, the secret and public nonces used in the ECDSA signing algorithm are precomputed. In the threshold setting, using presignatures along with other precomputed data allows for an extremely efficient “online phase” of the protocol. Recent works have advocated for both of these variations, sometimes combined together. However, somewhat surprisingly, we are aware of no prior security proof for additive key derivation, let alone for additive key derivation in combination with presignatures. In this paper, we provide a thorough analysis of these variations, both in isolation and in combination. Our analysis is in the generic group model (GGM). Importantly, we do not modify ECDSA or weaken the standard notion of security in any way. Of independent interest, we also present a version of the GGM that is specific to elliptic curves. This EC-GGM better models some of the idiosyncrasies (such as the conversion function and malleability) of ECDSA. In addition to this analysis, we report security weaknesses in these variations that apparently have not been previously reported. For example, we show that when both variations are combined, there is a cube-root attack on ECDSA, which is much faster than the best known, square-root attack on plain ECDSA. We also present two mitigations against these weaknesses: re-randomized presignatures and homogeneous key derivation. Each of these mitigations is very lightweight, and when used in combination, the security is essentially the same as that of plain ECDSA (in the EC-GGM).

[1]  V. Nechaev Complexity of a determinate algorithm for the discrete logarithm , 1994 .

[2]  Ran Canetti,et al.  UC Non-Interactive, Proactive, Threshold ECDSA , 2020, IACR Cryptol. ePrint Arch..

[3]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[4]  Vivek Kapoor,et al.  Elliptic curve cryptography , 2008, UBIQ.

[5]  Jacques Stern,et al.  Flaws in Applying Proof Methodologies to Signature Schemes , 2002, CRYPTO.

[6]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[7]  Jean-Sébastien Coron,et al.  Merkle-Damgård Revisited: How to Construct a Hash Function , 2005, CRYPTO.

[8]  Sebastian Faust,et al.  The Exact Security of BIP32 Wallets , 2021, IACR Cryptol. ePrint Arch..

[9]  Tsz Hon Yuen,et al.  Strong Known Related-Key Attacks and the Security of ECDSA , 2019, NSS.

[10]  Peter Schwabe,et al.  Implementing Wagner's generalized birthday attack against the SHA-3 round-1 candidate FSB , 2009, IACR Cryptol. ePrint Arch..

[11]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[12]  Yu Sasaki,et al.  Refinements of the k-tree Algorithm for the Generalized Birthday Problem , 2015, ASIACRYPT.

[13]  Dominic Williams,et al.  DFINITY Technology Overview Series, Consensus System , 2018, ArXiv.

[14]  John P. Steinberger,et al.  To Hash or Not to Hash Again? (In)differentiability Results for H2 and HMAC , 2012, IACR Cryptol. ePrint Arch..

[15]  Ivan Damgård,et al.  Fast Threshold ECDSA with Honest Majority , 2020, IACR Cryptol. ePrint Arch..

[16]  Rosario Gennaro,et al.  One Round Threshold ECDSA with Identifiable Abort , 2020, IACR Cryptol. ePrint Arch..

[17]  Eike Kiltz,et al.  On the Provable Security of (EC)DSA Signatures , 2016, CCS.

[18]  Yevgeniy Dodis,et al.  Salvaging Merkle-Damgard for Practical Applications , 2009, IACR Cryptol. ePrint Arch..