1 Introduction

In this work, we describe a suite of protocols that we callFootnote 1, aimed at generating many Schnorr signatures at a low amortized cost. SPRINT consists of a single interactive distributed key generation (DKG) for generating message-independent ephemeral randomness, followed by a non-interactive and robust signature generation for many messages. Here, robustness means that with a sufficient number of honest parties, the protocol is guaranteed to output the requested signatures.

Threshold Schnorr signature schemes have seen a revival due to applications in the blockchain space. However, the bulk of existing work focuses on the case of a small number of signers, targeting applications such as key custody and multi-signatures. For those cases, one can afford a non-robust scheme where a single misbehaving party can cause the protocol to abort: If the misbehaving party can be identified, then it can be removed before re-running the protocol. This is indeed the approach most recent schemes embrace (e.g., [8, 15, 27, 28]). However, the remove-and-restart approach does not scale well with the number of signers, since the protocol may need to be restarted as many times as the number of misbehaving parties. Also, this approach cannot be used in a fully asynchronous setting, where there is no distinction between a malicious party that refuses to participate and an honest party that is just slow. Here, we study robust threshold Schnorr signatures in scenarios with many messages and many signers (possibly hundreds of them), in an asynchronous setting.

One of the motivating scenarios for considering a large set of signers signing many messages is provided by blockchain settings, where the validator nodes should generate signatures on behalf of the blockchain (see more below). That use case precludes non-robust protocols, as it requires an asynchronous protocol that remains feasible for many signers. At the same time, public blockchains provide tools such as a broadcast channel and PKI, which can simplify the design of the signature protocol. Moreover, the large number of parties makes it reasonable to assume a large honest majority, a significant advantage when building robust protocols.

Let us recall Schnorr-type signatures. They work over a group of prime order p with a generator \(G\); a signature on a message \(M\) relative to secret key \(s\in \mathbb {Z}_{p}\) and public key \(S=s\cdot G\), has the form \((R, r+e\cdot s)\), where \(r\in \mathbb {Z}_{p}\) is an ephemeral random secret, \(R=r\cdot G\) is ephemeral randomness, and \(e=\textsf{Hash}(S, R, M) \in \mathbb {Z}_{p}\). A standard way to compute robust threshold Schnorr signatures among n parties who secret-share a long-term secret key \(s\) is to run a distributed key generation (DKG)Footnote 2 procedure [16] that produces a message-independent ephemeral randomness \(R=r\cdot G\) where \(r\) is a fresh random value secret-shared among the parties. This phase is often called preprocessing or just DKG, and the message-independent ephemeral randomness is often called presignatures. Then, the parties use their shares of \(s\) and \(r\) to produce signature shares that can be combined into a single standard Schnorr signature. The bulk of the cost for signature generation is the DKG procedure that has \(O(n^2)\) cost both in terms of bandwidth and computation.

Robust threshold Schnorr schemes have been known for over 20 years [16, 37], but they are less efficient than their non-robust counterparts. These robust protocols include at least 2–3 rounds to generate message-independent ephemeral randomness, and at least one additional round for signature generation. Moreover, the randomness-generation rounds are expensive, using a bandwidth of at least \(\varOmega (n^2)\) broadcasted group elements. Non-robust schemes can reduce the randomness generation part to a single round, performed before knowing the message to be signed, and a single non-interactive message-dependent round (where parties just output signature shares).

Our robust signature protocol features a two-round message-independent distributed ephemeral randomness generation, followed by a single non-interactive signature generation round. However, the latter non-interactive round can produce signatures for many messages, hence amortizing the cost of the randomness generation protocol over many signatures. The protocols we present can produce thousands of signatures in each run, at a communication cost similar to one execution of a synchronous non-robust protocol in prior work [16].

Our protocols are flexible: they are useful in the fixed-committee setting where the same set of parties is used repeatedly, but extends seamlessly to the dynamic/proactive setting where each run of the protocol is done by a different committee with refreshed shares of the secret key. They naturally support large systems, where committees are periodically sub-sampled from among the overall population of parties and the required shared secret state is transferred to the selected parties. The protocols are also modular: we present a high-level protocol based on a generic agreement protocol (for the parties to agree on a set of correctly dealt shares) instantiated on an asynchronous broadcast channel. Without tying the high-level signature protocol to the details of the agreement or the communication model, we are able to take advantage of systems (such as blockchain) that natively provide agreement and communication primitives.

This agreement protocol is instrumental in achieving one of our significant design goals, namely, to perform well in the optimistic case of normal network conditions, but also to avoid degrading performance unnecessarily when network delays (possibly adversarially induced) are significant. Crucial for ensuring this property is to achieve agreement as soon as possible among a sufficient number of parties. This calls for forgoing techniques such as complete secret sharing [32] where all honest parties must receive shares of the secret, hence adding longer delays (and latency) to the protocol completion.

We next describe techniques used to achieve the above functional and performance properties of our solution, starting with two main components: (a) an early agreement protocol allowing non-complete sharing and (b) “extreme packing” that combines packed secret sharing [13] with super-invertible matrices [24] to extend the number of signatures we get from a single ephemeral-randomness creation stage.

A Simple Early-agreement Protocol. Many threshold systems require complete secret sharing, i.e., all honest parties must receive shares of the secret. This means that honest parties cannot terminate until they ensure that all other honest parties will eventually learn their shares. The completeness requirement often adds significant complexity to the protocol and an opportunity for the adversary to create high-latency executions in the asynchronous setting. In our protocols we forgo completeness and its adverse effects by only requiring that a sufficiently large subset of honest parties learn their shares so that they can generate signatures; there is no need to ensure that all honest parties get shares.

Weakening the completeness requirement of secret sharing allows us to use a very simple agreement protocol over the underlying asynchronous broadcast channel. Furthermore, the use of a broadcast channel enables verifiable complaints by shareholders, namely proofs that a dealer sent bad shares. Our use of these complaints is markedly different than in prior works. In protocols that aim at complete sharing (such as [19]), a party uses the complaints to inform other parties that it is missing its share, triggering a complex protocol by which the other honest shareholders help them get their missing shares. In contrast, we use the complaint to disqualify the bad dealer, there is no need to help the complaining shareholder get any more shares. This technique simplifies the agreement protocol and saves rounds of broadcastFootnote 3 (see Sects. 2.2 and 4 and our full version [4, Appendix E] for details). We believe that this simple agreement protocol could find other uses beyond DKG and threshold signatures.

Extreme Packing. To maximize efficiency, we introduce an efficiency parameter a, such that each run of the protocol produces \(a(n-2t)\) signatures where t is the maximal number of corrupted parties supported by the protocol. In more detail, we use super-invertible matrices [24] to get a sharing of at least \(n-2t\) random polynomials for every run of the ephemeral randomness generation, and use packed secret sharing [13] to put a random values in each of these polynomials (see Sects. 2.4 and 2.5).Footnote 4

We pay for this extreme packing with a slight reduction in resilience: To withstand t corrupted parties, the number of nodes that we need is \(n\ge 3t+2a-1\), compared to \(n\ge 3t+1\) for a naive protocol that generates a single signature.Footnote 5 The result is a bandwidth-optimal protocol, up to some not-too-large constants: With n parties, it provides resilience against \(\varOmega (n)\) corrupted parties, using broadcast bandwidth of only O(1) group-elements/scalars per signature, in both the optimistic and the pessimistic cases (where the number of faulty parties is small or large, respectively). We stress that the odds of everybody participating honestly diminishes as the number of parties grows, so in the large-committee setting it becomes more important to have an efficient pessimistic path. In our protocol, the pessimistic case features additional complaints, but those add at most O(t/a) group-elements/scalars per signature.

For a few examples in the static-committee setting (and assuming no complaints), setting the efficiency parameter at \(a=n/5\), they withstand \(t=n/5\) corrupted parties and consume broadcast bandwidth of roughly 17.33 scalars/group-elements per signature. To support \(t=n/4\) we must reduce the efficiency parameter to \(a=n/8\), resulting in a per-signature bandwidth of about 34 scalars/group-elements. This O(1) complexity is to be contrasted with the \(O(n^2)\) complexity of the standard threshold Schnorr scheme [16]. See our full version [4, Appendix C] for details.

1.1 Other Techniques

Achieving high efficiency requires the use of many ideas and techniques, beyond the two main ones that we described above. Below is a list of these techniques, in no particular order. See Sect. 2 for a detailed overview of the entire protocol and the roles that these techniques play.

Local SIMD Computation. Working with packed secret sharing increases the number of secrets shared, but current MPC solutions for using packed secret sharing entail non-trivial protocols, even for simple functions [18]. For Schnorr signatures we need to compute \(s\cdot (e_1,\ldots ,e_a)+(r_1,\ldots ,r_a)\) where \(s\) and the \(r_v\)’s are secret and the \(e_v\)’s are public. While simple, an MPC protocol for computing that function still seems to require interaction, since it includes a product. Furthermore, when using simple Shamir sharing for \(s\), some joint processing is needed to create multiple signatures.

To enable a more efficient protocol with full advantage of packing and to avoid interaction, we introduce the following technique. We share the long-term secret key in a packed vector \((s,\ldots ,s)\) instead of just the single scalar \(s\). This enables SIMD generation of the partial signature, with each party using only a local multiplication (without degree reduction), with randomization done locally as well. Using this technique, signature generation becomes non-interactive: The only communication required is for the party to broadcast their partial signature, after which anyone can assemble the signatures themselves. The cost is a reduction in the resilience to \(t<(n-2a+2)/3\). See Sect. 2.6 for details.

Refreshing Packed Secrets. In the dynamic/proactive setting, we need to refresh the sharing of the packed vector \((s,\ldots ,s)\). This requires a generalization to the GRR protocol [17], see Sect. 2.7 and our full version [4, Appendix I]. We remark that in the current version of the writeup we only prove security of the static protocol. The proof for the dynamic/proactive protocol should be a fairly straightforward extension, using the same techniques. See a brief discussion in our full version [4, Appendix G.7].

Security of Distributed Parallel Schnorr Signatures. The starting point for our protocol is similar (though not quite identical) to the GJKR distributed Schnorr signature protocol from [16], which we extend and optimize to sign many messages. However, GJKR-like protocols [16] are known to fail in the concurrent setting where the protocol is run in parallel for multiple messages; specifically, such protocols are open to ROS-type attacks [5, 11]. Our work focuses on signing a given set of messages (a batch) in parallel. To enable this parallelism and avoid ROS-type attacks, we use a mitigation technique similar to prior work (e.g., [20, 27]). As far as we know, prior to our work this specific technique was only analyzed in the generic group model for ECDSA signatures [20]. In our case, we show it is sufficient for proving the security of our protocols (for signing a single batch of messages) via reduction to the hardness of the discrete logarithm problem in the programmable random-oracle model. See Sect. 2.3 and our full version [4, Appendix G]. These techniques do not guarantee concurrent security for signing multiple batches in parallel. For this, Shoup [36] shows that technique from FROST can be combined with our protocols to obtain full concurrent security (see detailed discussion on this in Sect. 1.3).

Robust Threshold Signatures. Our protocols provide robustness in a strong sense. They terminate with signatures for all \(a(n-2t)\) input messages as soon as \(t+2a-2\) honest parties output their shares. Invalid shares can be identified based on public information and discarded. This holds in both synchronous and asynchronous networks. In the former case, after two rounds of broadcast for generating ephemeral randomness, parties generate non-interactively the shares from which all signatures are recovered.

Smaller Sub-sampled Committees Using a Beacon. To use our protocols in massive systems with a huge number of nodes, one needs some mechanism to sub-sample the committees from among all the nodes in the system. One natural approach is to use self-selection via verifiable random functions (VRFs), as done, e.g., in [7]. However, this results in somewhat loose tail bounds and thus somewhat-too-big committees.

Instead, we note that we can get smaller committees by using a randomness beacon to implement the sub-sampling, resulting in better bounds and smaller committees. Thus, when acting in this large dynamic committee settings, we augment the signature protocol to implement this beacon, which turns out to be almost for free in our case. See Sect. 2.8 for more details. See also our full version [4, Appendix A] for an additional optimization in this setting: using smaller optimistic parameters by default with a safe fallback mechanism to pessimistic parameters.

1.2 Prior Work

Recent years saw a lot of activity trying to improve the efficiency of threshold signature schemes, including underlying techniques such as verifiable secret sharing (VSS) and distributed key generation (DKG), much of which focused on asynchronous protocols and some emphasizing robustness (guaranteed output delivery). Below we focus on some of the more recent works on these subjects.

Threshold Signatures. Komlo and Goldberg described FROST [27], a non-robust threshold Schnorr signature protocol that requires a single-round signing protocol after a single-round preprocessing phase. The improved round complexity comes at the expense of robustness, as it uses additive sharings and requires correct participation of all prescribed signers. In our case, we use two rounds of interaction in a message-independent phase but can then generate multiple signatures non-interactively and with guaranteed output delivery. Our schemes are designed to work in an asynchronous regime hence requiring a super-majority of honest parties (see details in our full version [4, Appendix H]).

ROAST [35] presents a wrapper technique that can transform concurrently secure non-robust threshold signature schemes with a single signing round and identifiable abort into a protocol with the same properties but also robust in the asynchronous model. In particular, this applies to the FROST protocol resulting in a scheme with concurrent security for any threshold \(t<n\) and optimal robustness for up to \(n-t\) parties. The price for this strengthening is significant: it involves \(O(tn^2 +tn\lambda )\) per-signature transmitted bits (\(\lambda \) is a security parameter) assuming a trusted coordinator and \(O(tn^3 +tn^2\lambda )\) without the coordinator; whereas we only require \(O(\lambda )\) broadcasted bits (strictly better even when considering a quadratic overhead of the underlying broadcast).

Garillot et al. [15] implement a threshold Schnorr signature based on deterministic signing, e.g., EdDSA, in order to avoid the potential risks of randomness reuse. They present a dishonest-majority non-robust scheme using zero-knowledge proof and garbling techniques that, while optimized for this specific application, is much more expensive than protocols that do not offer deterministic signing (like FROST and our SPRINT protocols).

Lindell [28] presents a threshold Schnorr signature scheme proven under standard assumptions in the UC model. The focus of that work was conceptual simplicity and UC security rather than optimal efficiency. As in FROST, it utilizes additive sharing, hence necessitating the choice of a new set of signers when a chosen set fails to generate a signature.

For ECDSA signatures, Groth and Shoup [19] recently described a rather efficient ECDSA signing protocol, with emphasis on guaranteed output delivery over asynchronous channels. (The underlying VSS in their work achieves completeness, which is not needed in our case.) They use verifiable complaints in order to notify other parties that they do not have a share. These complaints trigger a complex protocol, by which honest shareholders help each other to get all their missing shares.

Joshi et al. [25] address the lack of concurrent security in the basic threshold Schnorr scheme from [16] by running two DKG executions per signature and using a mitigation technique similar to the one we use here to bind a batch of messages to be signed. However, while our solution generates multiple signatures with a single DKG run, theirs requires two such runs per single signed message.

Distributed Randomness Generation (DKG).Footnote 6 As we said, a key distinction between our work and previous DKG protocols in the signature setting [1, 30, 38], is that we do not require complete sharing (where all honest parties must receive their shares). While completeness may be desired in traditional MPC applications, eschewing this requirement is not a weakness but a feature in our case, as it enables more efficient signature protocols.

Neji et al. [30] design a DKG intended to avoid the need to reveal the shares of inactive (or slow) shareholders for disqualification as required in the GJKR [16] solution. However, they do so by requiring additional rounds of interaction and significant extra computational cost, namely the party who gets complained does O(n) group additions and each other party does O(t) scalar multiplications where t is the corruption threshold (these costs are merely for handling complaints beyond the verification). We achieve higher performance by using publicly verifiable complaints: in our protocols, each party can verify that a complaint is valid by doing a constant number of group operations and without any additional interaction.

Yurek et al. [38] described a randomness generation protocol over asynchronous communication channels, in the context of the offline phase of generic secure MPC. They provide completeness for secret sharing needed for their MPC applications. As in a recent work by Groth and Shoup [19], they use verifiable complaints, yet unlike our work, they do not disqualify dealers upon a verifiable complaint—they instead complete the set of shares. Their asynchronous VSS has an amortized network bandwidth \(O(n\log n)\) in the optimistic case and \(O(n^2 \log n)\) in the pessimistic case.

Abraham et al. describe Bingo [1], a packed method for asynchronous secret sharing that allows a dealer to generate many sharings at an amortized communication cost of \(O(\lambda n)\) per secret. This solution requires KZG-style polynomial commitments [26] to get completeness (and thus relies on pairing-friendly groups). Specifically, the dealer performs a KZG commitment to a polynomial of degree 2t (where \(n=3t+1\)), which concretely is slightly more expensive than our protocol. Also, our agreement sub-protocol makes a more direct usage of the underlying broadcast channel than the agreement in Bingo, and is more efficient.

Various other papers (e.g., [9, 10]) deal with the question of asynchronous DKG. However, they do not directly relate to our paper as the main thrust of their work is reaching an agreement in the asynchronous setting. In contrast, we assume an underlying broadcast channel, simplifying the agreement significantly.

1.3 Subsequent Work

There have been several papers published after our paper was first made public.

Shoup’s Many Faces of Schnorr. In [36], Shoup presents a unifying framework for obtaining robust concurrently-secure threshold Schnorr signatures combining techniques from our work and FROST [29]. This framework applies to two-phase protocols, like ours, consisting of an offline phase for generating “presignatures” (a.k.a., ephemeral randomness), and then an online phase for generating signatures from those presignatures. The concurrent-security aspect of these protocols means that many copies of the online phase can be run concurrently, as long as sufficiently many unused presignatures are available. Shoup shows that concurrent security can be added to any protocol within this framework (including ours) in one of two ways: either using two fresh DKG-generated secret sharing of ephemeral randomness à-la-FROST (thus doubling the cost), or using a randomness beacon (which adds rounds of communication).

Groth-Shoup Asynchronous Robust DKG. In [21], Groth and Shoup present an asynchronous robust DKG protocol which can be used as a basis for a threshold signature protocol, that require a total of \(O(n\lambda )\) bits of point-to-point communication per signature over the optimistic path (roughly when all parties behave honestly), amortized over \(O(n^2)\) signatures. The optimistic path communication complexity matches (asymptotically) our communication complexity of \(O(\lambda )\) bits broadcast per signature.Footnote 7

However, the Groth-Shoup protocol is a lot less efficient on the pessimistic path, when parties misbehave: Its communication complexity increases by a factor \(O(t')\) where \(t'\) is the number of actual misbehaving parties. In contrast, the communication complexity of our protocol increases by at most a small constant factor, no matter how many parties misbehave (as long as there are at most t of them). On the other hand, the Groth-Shoup protocol can withstand up to \((n-1)/3\) misbehaving parties, compared to our \(t\le (n-2a+1)/3\). Our protocol is therefore a better choice in the large-committee setting, where consistent performance also on the pessimistic path is important, and where it is reasonable to assume a larger honest majority. The Groth-Shoup protocol may be better in the small-committee setting, where higher resilience is more important and assuming the optimistic path makes more sense.

The main difference between our protocol and Groth-Shoup stems from the fact that the latter requires complete secret sharing, where all the honest parties get their shares. In particular, if a dealer misbehaves and does not appropriately distribute shares to some honest parties, these honest parties need other honest parties to help them reconstruct their shares, whereas our protocol just disqualifies that dealer. On the other hand, the Groth-Shoup protocol uses complete secret sharing to eliminate the need for polynomial commitments in the sharing phase. Instead, they use error correction to reconstruct signature shares at the end of the protocol without having to check validity against some public commitment.

Another difference is that [21] uses a construction based on Pascal triangle for super-invertible matrices, which is better than the small Vandermonde construction (see details in [4, Appendix B]). This way, they reduce the cost of evaluating the product by the super-invertible matrix from \(\approx (b-1) n \log n / \log p\) scalar-element products in that solution to \(\approx b (n-(b+1)/2) + 1\) group additions (which correspond to about \((b (n-(b+1)/2) + 1)/(1.5 \log p)\) scalar-element products). Our proposal to use the ECFFT-EXTEND algorithm (see Sect. 2.4) is more efficient asymptotically (\(O(k \log k)\) scalar-element products, for \(k = \max (b,n-b)\)) but the Pascal solution would most likely perform better up to \(n\approx 8000\).

1.4 Organization

The rest of this manuscript is organized as follows: In Sect. 2, we provide a high-level step-by-step overview of our protocols and the various components that are used in them. In Sect. 3, we describe in more detail our high-level protocol for the static (fixed-committee) and dynamic settings. In Sect. 4, we describe the basic agreement protocol that we use in the static-committee setting, the agreement in the dynamic setting can be found in our full version [4, Appendix E]. Security proofs and additional details are deferred to appendices. In particular, in the full version [4, Appendix D], we discuss how to use SPRINT in one of our motivating applications to implement a large-scale signature service over a public blockchain.

2 Technical Overview

We consider a static setting where the set of parties (a shareholder committee) is fixed and a dynamic one where shareholder committees change over time while keeping the system’s signing key (in particular, its public verification key) unchanged. In the latter case, shares are refreshed and proactivized between committees. We begin by describing our protocols in the static committee setting, and discuss only towards the end the extra components for the dynamic/proactive settings. The basic protocols for these two settings are shown in Figs. 1 and 2.

In the static case, we have a committee that holds shares of the long-term secret key \(s\), shared via a degree-d polynomial \(\textbf{F}(X)\) with party i holding \(\sigma _i=\textbf{F}(i)\) (for some degree d that we determine later) and where \(s= \textbf{F}(0)\). They first run a distributed key-generation (DKG) protocol to generate a sharing of ephemeral randomness, then use their shares of the long-term secret and ephemeral randomness to generate Schnorr-type signatures on messages. The DKG and signature protocols can be pipelined, where the committee uses the randomness that was received in the previous run to sign messages, and at the same time prepares the randomness for the next run.

While the static setting features just a single committee, we still often refer to parties as dealers when they share secrets to others, and as shareholders when they receive those shares. In the dynamic setting, these will indeed be different parties, but in the static case, they may be the same.

Notations. We use Greek letters (e.g., \(\sigma ,\rho ,\pi ,\phi \)) and lowercase English letters (e.g., \(e,r,s\)) to denote scalars in \(\mathbb {Z}_{p}\), and also use some English lowercase letters to denote indexes (\(i,j,k,\ell ,u,v\)) and parameters (abnt). We denote the set of integers from x to y (inclusive) by [xy], and also denote \([x]=[1,x]\). We rely on a group of prime order p generated by \(G\). We use the additive notation for this group. Group elements are denoted by uppercase English letters (\(G,S,R\), etc.). Polynomials are denoted by bold Uppercase English letters (\(\textbf{F},\textbf{H},\textbf{I},\textbf{Y},\textbf{Z}\)), and commitments to them are sometimes denoted with a hat (\(\hat{\textbf{F}},\hat{\textbf{H}}\)).

2.1 Starting Point: The GJKR Protocol

Our starting point is the protocol of Gennaro et al. [16] for distributed key generation (DKG), and a variation on their use of that protocol for Schnorr signatures. In their DKG protocol, each dealer uses Verifiable Secret Sharing (VSS) to share a random value; parties then add all the shares from dealers that shared their values correctly (thus requiring an agreement protocol on which dealers fall in this set, denoted \(\textsf{QUAL}\)). Specifically, each dealer \(D_i\) shares a random ephemeral secret (which is later used to compute ephemeral randomness and partial signatures) using a degree-\(d'\) polynomial \(\textbf{H}_i\) (for some degree \(d'\) that we define later), and commits publicly to this polynomial. Concretely, \(D_i\) shares the random ephemeral secret \(\textbf{H}_i(0)\) by sending shares \(\textbf{H}_j(i)\) to each shareholder \(P_i\).

The shareholders then agree on a set \(\textsf{QUAL}\) of “qualified dealers” whose values will be used, and a corresponding shareholder set \(\textsf{HOLD}\) that were able to receive valid shares. Shareholders in \(\textsf{HOLD}\) can compute shares for the ephemeral secrets from the shares that they received from these qualified dealers. Namely, each shareholder can add the shares (i.e., the Shamir shares of ephemeral secrets of dealers) that they received from dealers in \(\textsf{QUAL}\), and the resulting ephemeral secret is shared via the polynomial \(\textbf{H}=\sum _{i\in \textsf{QUAL}} \textbf{H}_i\).

In our protocol, shareholders use their shares on polynomials \(\textbf{H}\) (the ephemeral secret) and \(\textbf{F}\) (the long-term secret) to compute Shamir shares of the signatures, and then reconstruct the signatures themselves. We note that this is somewhat different from the signature protocol in [16]: there, it is the dealers in \(\textsf{QUAL}\) that generate the signature (and \(\textsf{HOLD}\) is only used as a backup to reconstruct the input of misbehaving dealers), whereas we let the shareholders in \(\textsf{HOLD}\) generate the signature directly. Our variant could be more round-efficient in some cases, and is easier to deploy in a proactive setting where the long-term key is shared using Shamir sharing (as opposed to additive sharing as used in the GJKR protocol). But otherwise these protocols are very similar.

Pedersen vs. Feldman Commitments. It was pointed out by Gennaro et al. [16] that sharing randomness usually requires the dealers to commit to their sharing polynomials using statistically-hiding commitments such as Pedersen’s [33]. Using the less expensive Feldman secret sharing, where dealers commit to coefficients \(h_{ij}\) of their polynomials by broadcasting the group elements \(h_{ij}\cdot G\), are susceptible to rushing attacks in the DKG setting. Luckily, Gennaro et al. prove in [16, Sec 5] that for the purpose of generating the ephemeral randomness for Schnorr signatures, it is safe to use Feldman secret-sharing, and their proof techniques extend to our signature protocol as well.

We note that for efficiency reasons, in our protocols we use commitments to the value of the polynomials at certain evaluation points rather than to the coefficients as done in [16] (see details in [4, Appendix A]).

2.2 The Agreement Protocol

We utilize the \(\textsf{QUAL}\)-agreement protocol in two different settings: for generation of ephemeral randomness (in both the static and dynamic setting), and for re-sharing of the long-term key (in the dynamic setting only). We observe that randomness generation is less demanding of the agreement protocol than key-refresh: For key-refresh we need the shareholders to have shares from at least \(d+1\) dealers (d is the degree of the sharing polynomials), whereas randomness generation can work even with a single honest dealer. Therefore, in the static setting we use a weaker (and more efficient) agreement protocol than in the dynamic setting. Both protocols use PKI, and both operate over a total-order (aka atomic) broadcast channel, providing eventual delivery of messages from honest parties, sender authentication, and prefix consistency (i.e., the views of any two honest parties are such that one is a prefix of the other).

We start with the more efficient (but weaker) protocol for the static setting. The protocol begins with the dealers distributing their shares, and then the shareholders engage in a protocol to agree on sets of “qualified” and “bad” dealers \(\textsf{QUAL},\textsf{BAD}\), and a set of shareholders \(\textsf{HOLD}\). We want the following properties: (i) every shareholder in \(\textsf{HOLD}\) received valid shares from every dealer in \(\textsf{QUAL}\), and (ii) \(\textsf{BAD}\) consists entirely of dishonest dealers. This protocol is parameterized by \(d_0,d_1\) (to be defined later as a function of the number of corrupt parties and some additional parameters), and it ensures that \(|\textsf{HOLD}|\ge d_0\) and \(|\textsf{QUAL}|+|\textsf{BAD}| \ge d_1\).

In more detail, each dealer \(D_i\) broadcasts all the shares that it deals, encrypted under the keys of their intended recipients, together with commitments to the sharing polynomial \(\textbf{H}_i\). As this information is visible to all, shareholders that receive shares that are inconsistent with the commitments can broadcast a verifiable complaint against a dealer, consisting of a proof that the dealer has sent them a bad share.

The shareholders initially set \(\textsf{QUAL}\) to the first \(d_1\) dealers whose messages appeared on the broadcast channel. Then each shareholder broadcasts verifiable complaints if they have any, and otherwise they broadcast the empty set (signifying that they have all the shares from dealers in \(\textsf{QUAL}\)). Now, \(\textsf{QUAL}\) contracts by eliminating all the dealers who have a valid verifiable complaint against them on the broadcast channel, moving them to the set \(\textsf{BAD}\). The set \(\textsf{HOLD}\) is fixed to the first \(d_0\) shareholders who broadcast verifiable complaints (or the empty set) that were verified as valid complaints. By construction, we have \(|\textsf{HOLD}|\ge d_0\) and \(|\textsf{QUAL}|+|\textsf{BAD}|\ge d_1\), and the set \(\textsf{BAD}\) contains only (verifiably) dishonest dealers. Also, since \(\textsf{QUAL},\textsf{BAD}\), and \(\textsf{HOLD}\) are determined by what is visible on the broadcast channel, then all honest shareholders that read up to some point in the channel will agree on these sets. This protocol’s specification can be found in Fig. 3, and the proof is provided in Theorem 4.1.

In the dynamic setting (that includes also key-refresh), we need to ensure \(|\textsf{QUAL}|\ge d_1\) (as opposed to just \(|\textsf{QUAL}|+|\textsf{BAD}|\ge d_1\)). To that end, we run iterations of the basic protocol above. At the beginning of the \(i+1\)’st iteration, we add to \(\textsf{QUAL}\) as many new dealers as the number of dealers that were added to \(\textsf{BAD}\) in the i’th iteration. Once no more dealers are added to \(\textsf{BAD}\), we have \(|\textsf{QUAL}|\ge d_1\), and we are done. A full specification is in our full version [4, Appendix E].

2.3 Signing Many Messages in Parallel

Our large-scale signature service needs to handle signing many messages in parallel, which brings up a security problem: The proof of security from [16, Sec 5] when using Feldman commitments for Schnorr signatures, requires that the reduction algorithm makes a guess about which random oracle query the adversary intends to use for the signature. When signing many messages in parallel, the reduction will need to guess one random-oracle query per message, leading to exponential security loss. Moreover, Benhamouda et al. demonstrated in [5] that this is not just a problem with the reduction, indeed this protocol is vulnerable to an actual forgery attack when many messages are signed in parallel. To fix this problem, we use a mitigation technique somewhat similar to [20, 27], where the ephemeral secrets are all “shifted” by a public random value \(\delta \), which is only determined after all the messages and commitments are known.

As recalled in the introduction, a Schnorr signature on a message \(M^v\) relative to secret key \(s\) and public key \(S=s\cdot G\), has the form \((R^v, r^v+e^v\cdot s)\), where \(r^v\) is an ephemeral random secret, \(R^v=r^v\cdot G\), and \(e^v=\textsf{Hash}(S, R^v, M^v)\), where \(\textsf{Hash}\) maps arbitrary strings into \(\mathbb {Z}_{p}\). (We are using a superscript v to indicate a plurality of messages and their respective signatures.) In our context, we first run DKG to generate all the required \(r^v\)’s and corresponding \(R^v\)’s, and get from the calling application all the messages \(M^v\)’s to be signed. Then we compute \(\delta =\textsf{Hash}(S,(R^1,M^1),(R^2,M^2),\ldots )\) and \(\varDelta =\delta \cdot G\). The signature on \(M^v\) is then set as \((R^v+\varDelta ,r^v+\delta +e^v\cdot s)\), where \(e^v=\textsf{Hash}(S,R^v+\varDelta ,M^v)\).

With this mitigation technique, the reduction only needs to guess the random-oracle query in which \(\delta \) is computed, recovering the argument from [16, Sec 5] and reducing security to the hardness of computing discrete logarithms in the random-oracle model. See our full version [4, Appendix G.3]. We note that our specific mitigation techniques provide security for a single run of the protocol on input a set of multiple messages to be signed, but it does not imply concurrent security for multiple parallel runs of the protocol on different sets of messages. Following [36], we can obtain concurrent security by either adopting the FROST mitigation (that requires doubling the DKG cost) or by relying on a beacon (which would add one broadcast round).

2.4 Using Super-Invertible Matrices

As described so far, we would need to run a separate copy of the DKG protocol to generate each ephemeral secret \(r^v\), but we can do much better. For starters, assume that we can ensure many honest dealers in the set \(\textsf{QUAL}\) (say at least b of them). Then we can use a (public) super-invertible matrix [24] to generate b random ephemeral values in each run of the protocol.

Recall that the DKG protocol has each dealer \(D_i\) share a random polynomial \(\textbf{H}_i\), then the shareholders compute a single random polynomial \(\textbf{H}'=\sum _{i\in \textsf{QUAL}}\textbf{H}_i\) and the ephemeral random secret is \(\textbf{H}'(0)\). Intuitively, the polynomial \(\textbf{H}'\) is random if even a single \(\textbf{H}_i\) is random, so a single honest dealer in \(\textsf{QUAL}\) is enough to get a random ephemeral value. But if we have many honest dealers in \(\textsf{QUAL}\), then we can get many random polynomials. Specifically, suppose we have b honest dealers in \(\textsf{QUAL}\) and let \(\varPsi =[\psi ^u_{i}]\) be a b-by-n super-invertible matrix, i.e., each b-by-b sub-matrix of \(\varPsi \) is invertible. Then we still have each dealer \(D_i\) share just a single polynomial \(\textbf{H}_i\), but now the shareholders can construct b random polynomials \(\textbf{H}^1,\ldots ,\textbf{H}^b\), by setting \(\textbf{H}^u=\sum _{i\in \textsf{QUAL}}\psi ^u_i \textbf{H}_i\) for all \(u\in [b]\). By the same reasoning as before, if we have b honest dealers in \(\textsf{QUAL}\) with random input polynomials \(\textbf{H}_i\), then the b output polynomials will also be random and independent since the b-by-b matrix corresponding to the rows of these b honest dealers is invertible.

The actual proof is more involved since we still use Feldman commitments in the protocol, which means that a rushing adversary can bias the output polynomials somewhat. But using essentially the same reduction as before, we can still reduce the security of the Schnorr signature protocol to the hardness of computing discrete logarithms in the random oracle model. One technical point is that the security proof in the asynchronous communication model requires that the set \(\textsf{QUAL}\) is included in the hash function query that determines \(\delta \). That is, we compute \(\delta =\textsf{Hash}(S,\textsf{QUAL},(R^1,M^1),(R^2,M^2),\ldots )\). The reason is that in the asynchronous case, we cannot guarantee that all honest dealers will be included in \(\textsf{QUAL}\). If we didn’t include it in the hash query, then the simulator would have to guess the set \(\textsf{QUAL}\), incurring at least an \(n\atopwithdelims ()b\) loss factor in security.

We note that to ensure b honest dealers in \(\textsf{QUAL}\), it is enough to run the “weaker” agreement protocol (Fig. 3) with \(d_1=b+t\), where t is an upper bound on the number of dishonest dealers. Indeed, that protocol ensures that \(|\textsf{QUAL}|+|\textsf{BAD}|\ge d_1=b+t\), and \(\textsf{BAD}\) contains only dishonest dealers. Therefore, the number of dishonest dealers in \(\textsf{QUAL}\) is at most \(t-|\textsf{BAD}|\), and the number of honest dealers is at least \(|\textsf{QUAL}|-(t-|\textsf{BAD}|)=|\textsf{QUAL}|+|\textsf{BAD}|-t=d_1-t=b\).

Faster Multiplication by a Super-Invertible Matrix. While the use of super-invertible matrices enables us to produce many more random shared secrets without increasing bandwidth, computing all these sharings requires that each shareholder multiply their sub-shares by that super-invertible matrix “in the exponent”.Footnote 8 The super-invertible matrix multiplication is the most computationally intensive operation in the protocol. We thus should carefully implement the matrix multiplication to have good computational efficiency in practice.

We propose two solutions to make these operations more efficient. The first solution, pointed out to us by Victor Shoup, is to use a Vandermonde matrix \(\varPsi \) corresponding to the powers of small scalars. We show in our full version [4, Appendix B.1], that a variant of the Horner’s rule allows to evaluate the multiply-by-\(\varPsi \) operation using \((b-1)n\) scalar-by-element products with \(\log n\)-bit scalars (instead of full-length scalars, that is \(\log p\)-bit scalars). This is equivalent to about \((b-1)n \log n/\log p\) full scalar-by-element product, that is a \(\log n/\log p\) speed-up over the naive solution. In practice, \(p\) has at least 256 bits, while \(n=b+t\) varies but is unlikely to be higher than 10 bits, so this is a more than \(25\times \) speed-up.

Our second solution is new and consists of selecting \(\varPsi \) so that it corresponds to FFT-related operations. However, when implementing Schnorr signatures over the elliptic curve ED25519, the scalar field \(\mathbb {Z}_{p}\) does not even have a \(2^3\)-th root of unity.Footnote 9 Instead, we show that we can use the ECFFT-EXTEND algorithm from Ben-Sasson et al. [3], resulting in \(O(k \log k)\) scalar-by-element products, where \(k = \max (b,t)\) and \(n=b+t\). This is asymptotically better than the first solution. Details are provided in the full version [4, Appendix B.2].

We implemented both solutions, benchmarked them, and report results in [4, Appendix B.3]. In short, for ED25519, when \(b=t\) is a power of 2, the small Vandermonde matrix solution is better in practice for up to \(b=t=2^8=256\), after which the ECFFT solution is more efficient.Footnote 10 The benchmarking code is available from https://github.com/fabrice102/ecfft-group, under the MIT license. This code is based on the code [6] and adapts it to work with polynomials with coefficients in a group, instead of in the base field.

2.5 Using Packed Secret Sharing

Similarly to above, we can also assume many honest parties among the set \(\textsf{HOLD}\) of shareholders, and use packed secret sharing [13] to get even more ephemeral shared values: If \(\textsf{HOLD}\) contains at least \(2t+a\) shareholders (for some \(a\ge 1\)), then we can let each shared polynomial pack a values rather than just one: Each shared polynomial \(\textbf{H}^u\) will have degree \(d'\ge t+a-1\) (rather than \(d' = t\)) and will encode the a values \(\textbf{H}^u(0),\textbf{H}^u(-1),\ldots ,\textbf{H}^u(-a+1)\). (Below we denote these scalar values by \(r^{u,v}=\textbf{H}^u(1-v)\), with the corresponding group elements \(R^{u,v}=r^{u,v}\cdot G\).)

Importantly, this amplifies the effect of using super-invertible matrices: We have each dealer \(D_i\) sharing a single random polynomial \(\textbf{H}_i\) of degree \(d'\), packing a values, and we derive b random degree-\(d'\) polynomials \(\textbf{H}^u\) from these sharings, which gives us \(a\cdot b\) shared random scalars.

2.6 More Efficient Signing

Once the ephemeral secrets are shared, we use them—together with the shared long-term secret key—to generate many signatures. Computing on the packed ephemeral secrets would generically require a full-blown secure-MPC protocol among the shareholders, but we observe that we can generate all the a signatures from each packed random polynomial with only a single share-reconstruction operation.

To see how, recall again that a Schnorr-type signature has the form \((R^v, r^v+e^v\cdot s)\).Footnote 11 Our shareholders hold Shamir sharings of the secret key \(s\) and the vector \((r^1,r^2,\ldots ,r^a)\) of ephemeral secrets (where \(r^v = \textbf{H}(1-v)\) for \(v \in [a]\)). Also, the public key \(S\), the messages \(M^v\)’s, and the group elements \(R^v\)’s are publicly known, so everyone can compute all the scalars \(e^v=\textsf{Hash}(S,R^v,M^v)\). To improve efficiency, we also share the long-term key \(s\) in a packed form, namely the shareholders hold a Shamir sharing of the vector \((s,s,\ldots ,s)\), via a polynomial \(\textbf{F}\) of degree \(d=t+a-1\) (i.e., \(\textbf{F}(1-v) = s\) for \(v \in [a]\)). All they need to do, therefore, is compute the pointwise linear function \((r^1,r^2,\ldots ,r^a)+(e^1,e^2,\ldots ,e^a)\odot (s,s,\ldots ,s)\).

While pointwise addition can be computed locally, computing the pointwise product \((e^1,e^2,\ldots ,e^a)\odot (s,s,\ldots ,s)\) seems like still requiring a nontrivial interactive protocol, even for a known vector of \(e^v\)’s. But we can eliminate even this little interaction, by assuming a larger honest majority and using higher-degree polynomials for the ephemeral randomness. Specifically, we assume that \(\textsf{HOLD}\) contains at least \(2t+2a-1\) shareholders (so at least \(t+2a-1\) honest ones), and modify the DKG protocol so that the sharing of the ephemeral secrets is done with random polynomials of degree \(d'=d+a-1=t+2a-2\) (rather than degree \(t+a-1\)).

Since the \(e^v\)’s are known, each shareholder can interpolate the unique degree-\((a-1)\) polynomial that packs the vector \((e^1,\ldots ,e^a)\). Denote this polynomial as \(\textbf{Z}\) (we have \(\textbf{Z}(1-v) = e^v\) for \(v \in [a]\)). Then each shareholder j with a share \(\sigma _j=\textbf{F}(j)\) for the long-term secret, can locally compute \(\sigma '_j=\textbf{Z}(j)\cdot \sigma _j\). Note now that the \(\sigma '_j\)’s lie on the polynomial \(\textbf{Z}\cdot \textbf{F}\) of degree \(d+a-1\) that packs the vector \((e^1\cdot s,\ldots ,e^a\cdot s)\), since \((\textbf{Z}\cdot \textbf{F})(1-v) = e^v \cdot s\) for \(v \in [a]\).

Each shareholder j, with share \(\rho _j\) on an ephemeral-randomness polynomial, computes and broadcasts \(\pi _j=\sigma '_j+\rho _j\), and we note that these \(\pi _j\)’s lie on a polynomial of degree \(d'\) that packs all the values \((r^1+e^1 s, \ldots , r^a+e^a s)\). Moreover, if the ephemeral secrets were shared via a random degree-\(d'\) polynomial, then the \(\pi _j\)’s constitute a random sharing of that vector. After seeing \(d'+1 =t+2a-1\) valid shares of these broadcast values, everyone can reconstruct the polynomial and read out all the scalars \(\phi ^v=r^v+e^v \cdot s\) that are needed for these a signatures.

2.7 The Dynamic Setting

So far, we have described our protocols for the static (fixed committee) setting. Here we present the additional components that we need in the dynamic case, where we have different committees for the dealers and shareholders. Importantly, in all the protocols above we never assumed that the dealers and shareholders are the same committee, so they all still work as-is also in the dynamic setting. What is missing is a share-refresh protocol where the dealers can pass to the shareholders a sharing of the long-term secret \(s\). Here we essentially just use the GRR protocols of Gennaro et al. from [17], with a minor adaptation since we need to share it in a packed manner.Footnote 12

Each dealer \(D_i\) begins with a share \(\sigma _i\) of the long-term secret key \(s\), shared using a “packed” polynomial \(\textbf{F}(X)\) of degree \(d=t+a-1\). Namely, \(\sigma _i=\textbf{F}(i)\), and \(\textbf{F}(0)=\textbf{F}(-1)=\cdots =\textbf{F}(1-a)=s\). In addition, everyone knows a commitment to \(\textbf{F}\). \(D_i\) reshares its share using a fresh random degree-d polynomial \(\textbf{F}_i\) with \(\textbf{F}_i(0)=\textbf{F}_i(-1)=\cdots =\textbf{F}_i(1-a)=\sigma _i\), and also commits publicly to \(\textbf{F}_i\).

This is done in parallel to the sharing of the random, degree-\(d'\), polynomial \(\textbf{H}_i\). The shareholders then engage in an agreement protocol (full protocol description can be found in [4, Appendix E]) to determine the sets \(\textsf{HOLD}\) of shareholders, \(\textsf{QUAL}_1,\textsf{BAD}_1\) for the \(\textbf{H}\) dealers, and \(\textsf{QUAL}_2,\textsf{BAD}_2\) for the \(\textbf{F}\) dealers, with \(|\textsf{HOLD}|\ge n-t\), \(|\textsf{QUAL}_1|\ge n-t\), and \(|\textsf{QUAL}_2|\ge d+1\).Footnote 13 Having received \(\sigma _{ij}=\textbf{F}_i(j)\) from each dealer \(D_i\in \textsf{QUAL}_2\), \(P_j\) then computes their share of the long-term secret as \(\sigma '_j=\sum _{i\in \textsf{QUAL}_2} \lambda _i\sigma _{ij}\). The \(\lambda _{i}\)’s are the Lagrange coefficients for recovering Q(0) from \(\{Q(i):i\in \textsf{QUAL}_2\}\) for degree-d polynomials Q. As usual, denoting \(\textbf{F}'=\sum _{i\in \textsf{QUAL}_2} \lambda _i \textbf{F}_i\), the shares of shareholders in \(\textsf{HOLD}\) satisfy \(\sigma '_j=\textbf{F}'(j)\), and also

$$ \textbf{F}'(0)=\sum _{i\in \textsf{QUAL}_2} \lambda _i \textbf{F}_i(0) =\sum _{i\in \textsf{QUAL}_2} \lambda _i \textbf{F}(i) = \textbf{F}(0). $$

Moreover, since all the \(\textbf{F}_i\)’s satisfy \(\textbf{F}_i(0)=\textbf{F}_i(-1)=\cdots =\textbf{F}_i(1-a)\), then so does \(\textbf{F}'\).

2.8 Sub-sampling the Committees

One of the main use cases for our protocol is an open system (such as a public blockchain), which could be very large. In this use case, the committees in each epoch must be sub-sampled from the entire population, and be large enough to ensure a sufficiently large honest majority with overwhelming probability.

One way of implementing this sub-sampling would be to use verifiable random functions (VRFs), but this would result in rather loose tail bounds and large committees. We can get smaller committees by having the committees implement also a randomness beacon, outputting a (pseudo)random value that the adversary cannot influence at the end of each run of the protocol. At the beginning of the \(T+1\)’st protocol, everyone therefore knows the value \(U_T\) that was produced by the beacon in the T’th run. Members of the \(T+1\)’st committee determine the members of the \(T+2\)’nd committee by applying a PRG on \(U_T\).

To see why this helps, note that when the total population is very large, the number of honest parties in a committee chosen by VRFs is approximated by a Poisson random variable with parameter \(\lambda = (1-f)n\), where f is the fraction of faulty parties in the overall population (and n is the expected committee size). On the other hand, the number of honest parties in a committee when using the randomness beacon follows a Binomial distribution with parameters \(n, p=1-f\). The Binomial turns out to be much more concentrated than the Poisson, hence the number of honest parties is much closer to \((1-f)n\) with the beacon than with the VRF.

Implementing the randomness beacon for our protocol turns out to be very easy. Since the T’th committee held a sharing of the long-term secret scalar \(s\), they could locally compute a “sharing in the exponent” of \(s\cdot \textsf{Hash}'(T)\) (with \(\textsf{Hash}'\) hashing into the group). Namely, everyone computes the group element \(E=\textsf{Hash}'(T)\), then each dealer \(D_i\) in the T’th committee with share \(\sigma _i\) can compute and broadcast \(U_{T,i}=\sigma _i\cdot E\), together with a Fiat-Shamir zero-knowledge proof that \(U_{T,i}\) is consistent with the (public) Feldman commitment of \(\sigma _i\) (which is a proof of equality of discrete logarithms).Footnote 14 Once the qualified set \(\textsf{QUAL}_2\) is determined, everyone can interpolate “in the exponent” and compute \(U_T=\sum _{i\in \textsf{QUAL}'} \lambda _i \cdot U_{T,i} = s\cdot E\), where the \(\lambda _i\)’s are the Lagrange interpolation coefficients. The group element \(U_T\) is the next output of the beacon. Note that the adversary has no influence over the \(U_T\)’s, they are always set as \(U_T=s\cdot \textsf{Hash}'(T)\). On the other hand, before the shares \(U_{T,i}\) are broadcast, the value \(U_T\) is unpredictable (indeed pseudorandom) from the adversary’s point of view.

2.9 More Optimizations

While quite efficient as-is, in many settings there are additional optimizations that can significantly improve the performance of our protocols, such as committing to evaluation points (rather than coefficients) and using optimistic parameters with safe fallback when sub-sampling committees (See details in [4, Appendix A]). Also, in the full version [4, Appendix H] we discuss the dishonest majority case for a mixed malicious/semi-honest adversary model.

2.10 Parameters and Performance

Various parameters and performance analysis are provided in the full version [4, Appendix C], here we give a very brief overview.

To get enough honest parties in \(\textsf{HOLD}\), we need to have \(n\ge 3t+2a-1\), and we often assume that this holds with equality. Then we set \(d_1=|\textsf{QUAL}|=n-t\) and get \(b=n-2t\), hence we can get as many as \(ab=a(n-2t)\) signatures for each run of the protocol. Some example numbers are \(n=10,t=2,a=2,b=6\) (12 signatures per run), or \(n=64,t=15,a=10,b=34\) (340 signatures per run). In the setting of a large open system where committees are sub-sampled, we can even sign more messages in each run without reducing resiliency: for example, assuming \(80\%\) honest parties, we can sub-sample a committee of size \(n=992\) with \(t=336, a=40, b=320\), and sign 12880 messages in each run.Footnote 15

If we set \(t=a=n/5\), we can sign \(3n^2/25\) messages per run, with an amortized bandwidth of fewer than 35 scalars/group elements broadcasted per signature. For the sub-sampling parameters above with \(n=992\) (with a group of size  \(\approx 2^{256}\)), the total broadcast bandwidth is only under 100MB.

Given parameters nta, the parties broadcast less than \(4n^2\) scalars and group elements (in total). If we set \(t=a=n/5\), we can sign \(3n^2/25\) messages per run, with an amortized bandwidth of fewer than 35 scalars/group elements broadcasted per signature. For the sub-sampling parameters above with \(n=992\) (with a group of size  \(\approx 2^{256}\)), the total broadcast bandwidth is only under 100MB.

In terms of computation, the most expensive part is multiplying the super-invertible matrix in the exponent (which is needed to compute the public R’s). This part takes at most \(at(n-2t)\) products (using a naive algorithm), which is t scalar-elements multiplications per signature. But as we explain in Sect. 2.4, we can use much more efficient matrix-multiplication to reduce it, or just use small scalars. With the small-scalar Vandermonde optimization from above, the computation is about 1 min.

Since the super-invertible matrix multiplication is the most expensive part of the protocol, we wrote code to benchmark actual performances for both our possible optimizations from Sect. 2.4. In the full version [4, Appendix B.3], we show the results for various values of b. For \(b=t=256\), our first solution provides a 29\(\times \) speed up compared to the naive solution and only takes 682ms when \(a=1\) (on a single core of a 2.20GHZ AMD EPIC 7601 CPU). Even with \(a=64\), the total super-invertible matrix multiplication would take less than 1 min on a single-core. In addition, this operation is trivially parallelizable, computations for each of the a packed values are completely independent of each other and can be run on different threads.

For \(b=t=512\), our second solution becomes faster and provides a \(28\times \) speed up compared to the naive solution. It only takes 2.80 s to compute the super-invertible matrix multiplication in that setting for \(a=1\), on a single core.

3 The SPRINT Protocols

3.1 Static-Committee Setting

We begin with our base protocol shown in Fig. 1, namely, a robust threshold Schnorr signature scheme for the static-committee case where the set of parties is fixed. It follows the design and rationale presented in Sect. 2 (particularly, till Sect. 2.6), resulting in a two-round ephemeral randomness generation phase (dependent on the number of messages to be signed but not on the messages themselves) followed by a non-interactive signing procedure. It considers n parties of which at most t are corrupted, and is given a packing parameter a and an amplification (via a super-invertible matrix) parameter b. It assumes an asynchronous broadcast channel. The protocol consists of three parts. An initial setup stage where parties obtain shares \(\sigma _i\) of a long-term secret key \(s\), and corresponding public key \(S=s\cdot G\), and \(S_i= \sigma _i \cdot G\) are made public. We assume that sharing the secret key uses packed secret sharing, namely, the parties’ shares \(\sigma _i\) lie on a polynomial \(\textbf{F}\) of degree \(d=t+a-1\), such that \(\textbf{F}(0)=\textbf{F}(-1)=\ldots =\textbf{F}(-a+1)=s\). This initial setup can be done via a distributed key generation (DKG) protocol or another secure procedure.

Fig. 1.
figure 1

SPRINT Scheme in the Static-Committee Setting

Full size image

The second part is the generation of ephemeral randomness for Schnorr signatures. Following the DKG blueprint of [16, 34], each party \(P_i\) shares a random polynomial \(\textbf{H}_i\) by transmitting the value \(\textbf{H}_i(j)\) to each other party \(P_j\) and committing to \(\textbf{H}_i(\cdot )\) over a public broadcast channel. Our application allows for the use of the more efficient Feldman secret sharing [12]. In our case, parties commit to their polynomials \(\textbf{H}\) by broadcasting values \(\textbf{H}(v)\cdot G\) for \(d'+1\) different evaluation points v where \(d'\) is the degree of \(\textbf{H}\) (specifically, in our case, this set is defined as the interval \([-a+1,t+a-1]\)).

A central part of such a protocol is for the parties to agree on sets of dealers (denoted \(\textsf{QUAL},\textsf{BAD}\)) that shared their polynomials correctly/badly, and a large enough set of parties (denoted \(\textsf{HOLD}\)) that received correct sharings from all parties in \(\textsf{QUAL}\). In Sect. 4.1 we describe an implementation of such a protocol over an asynchronous atomic broadcast channel.

The source of efficiency for SPRINT is the use of packing to share a secrets at a little more cost than sharing just one and attaining further amplification, by a factor of b, using super-invertible matrices [24] (see Sect. 2.4). Here, b is the number of rows in the super-invertible matrix \(\varPsi \), e.g., a Vandermonde matrix, and is set to its largest possible value (as analysis shows), \(b=|\textsf{QUAL}|-(t-|\textsf{BAD}|)\). (Smaller values of b can be used too, if fewer messages need to be signed.) Once the randomness generation procedure is completed, each party in \(\textsf{HOLD}\) generates (non-interactively) signature shares consisting of a point on a polynomial \(\textbf{Y}\) that when reconstructed (via interpolation of \(d'+1\) signature shares) can be evaluated on a points to achieve a signatures. Remarkably, using super-invertible matrices one can generate b different polynomials \(\textbf{Y}\), hence resulting in \(a\cdot b\) signatures at the cost of a single execution of the (interactive) randomness generation procedure.

In all, we have that after the randomness generation procedure, parties generate their shares of the signatures without any further interaction. Each party \(P_j\) computes locally their signature shares \(\pi ^u_j, u\in [b]\) and publishes them. Reconstructing the signature for each batch of a messages \(M^{u1},\ldots M^{ua}\) can be done by interpolation from any \(d'+1\) correct signature shares \(\pi ^u_j\). Moreover, signature shares can be verified individually by a Schnorr-like validation \(\pi ^u_j \cdot G= \textbf{Z}^u(j)\cdot S_j + \rho ^u_j\cdot G\), where all the required information is public. Thus, invalid signature shares can be discarded.

An additional ingredient in the protocol is the use of the “mitigation value" \(\delta =\textsf{Hash}(S,\textsf{QUAL},\{(R^{u,v},M^{u,v}):u\in [b],v\in [a]\})\) needed to achieve security when running the \(a\cdot b\) signatures in parallel, as explained in Sect. 2.3.

We prove the security of the SPRINT protocol in Fig. 1 in the full version [4, Appendix G].

3.2 The Dynamic/Proactive Setting

The adaptation of SPRINT to the dynamic setting is shown in Fig. 2. See also Sect. 2.7. It requires two types of sharings. One is ephemeral randomness generation as in the static setting, where dealers have no input, and they just share random polynomials. The other is a share refresh (i.e., proactive resharing), in which the dealers have shares of the long-term secret, and they refresh the sharing of that secret to the shareholders. These two sharings are enabled by (almost) the same DKG-like protocol, both using the agreement protocol (see details in [4]) with the same set \(\textsf{HOLD}\) and two \(\textsf{QUAL}\) sets for the two sharings. Note that the use of the same set \(\textsf{HOLD}\) for both sharings is crucial to guarantee that enough parties (those in \(\textsf{HOLD}\)) have both shares of the secret \(s\) and of the ephemeral randomness as needed for generating signatures. Proving security of this protocol is very similar to the static case; see more details in our full version [4, Appendix G.7].

Fig. 2.
figure 2

SPRINT Scheme in the Dynamic-Committee Setting

Full size image

A Note on the “Traditional” Proactive Setting. The proactive setting [22, 23, 31] was originally envisioned as a periodic operation, say every week, in order to heal the system from active and passive corruptions. When running SPRINT in such a scenario, one would not want to perform a share refresh with each run of the signature generation protocol (Fig. 1) but only at the end of a full proactive period. However, by decoupling the two sharings (refresh and randomness generation), we lose the ability to use the same set \(\textsf{HOLD}\) for both cases. This raises a liveness issue: If the share refresh ends with a set \(\textsf{HOLD}\) of size \(n-t\) and a subsequent execution of SPRINT ends with a different set \(\textsf{HOLD}'\) of the same size, then it may be the case that the intersection of these two sets will have less than \(t+1\) uncorrupted parties, hence unable to create signatures.

However, the traditional proactive setting already assumes the share refresh to happen within a more controlled environment.Footnote 16 Thus, it makes sense to consider a more synchronous setting (with monitored and resolved delays) during refresh in which case the share refresh operation can be assumed to be completed after a defined amount of time for non-adversarial servers. In this case, parties that did not make it to \(\textsf{HOLD}\) by that time will be disqualified from participating in signature generation until the next proactive execution and be counted towards the bound t on corrupted parties. This guarantees that all honest parties in sets \(\textsf{HOLD}\) created by runs of SPRINT until the next refresh period will have valid shares of the secret \(s\).

4 The Agreement Protocol

For agreement, we observe that in the static setting we can have a more efficient agreement protocol than in the proactive/dynamic setting. As a result, we present two protocols of a very similar flavor for the task of reaching agreement. In this section we describe in detail the base agreement protocol, which achieves the best results for the static setting. Then we sketch the enhancements that we need for the dynamic/proactive setting in what we refer to as the full protocol, which is described in the full version [4, Appendix E].

This protocol is designed to work over an asynchronous total-order (aka atomic) broadcast channel. Recall that a total-order broadcast channel provides the following guarantees:

  • Eventual delivery. A message broadcasted by an honest party will eventually be seen (unmodified) by all honest parties. However, the adversary can change the order in which messages are delivered to the broadcast channel.

  • Prefix consistency. Considering the views of the broadcast channel at a given time by two different honest parties, the view of one is a prefix of the other.

  • Authenticity. Messages that are received on behalf of honest parties were indeed sent by those honest parties.

We also assume a PKI, i.e., each party has an encryption public key that is known to all other parties. The protocol below uses only the broadcast channel for communication, private messages are sent by encrypting them and broadcasting the ciphertext.

Time and Steps. While a total-order broadcast channel is not synchronous, and thus it has no absolute notion of time, we are still ensured that the parties all see the same messages in the same order. We can therefore define a “step T” as the time when the T’th message is delivered. Even though different parties may see it at different times, they will all agree on the message that was delivered at step T. If we have a protocol action that is based only on the messages that appeared on the broadcast channel up to (and including) the T’th message, we are ensured that all the honest parties will take the same action, and they will all know that they did it at “step T”.

In the description below we distinguish between dealers and shareholders. The protocol begins with the dealers broadcasting messages, then the shareholders engage in a protocol among themselves based on the dealer messages that they see on the channel. For every dealer message and every shareholder, the shareholder either accepts this message or complains about it.

An important technique in our protocol is the use of “verifiable complaints”: This is a complaint by a shareholder about a dealer, that will be accepted by all other honest shareholders. (In our context, it will be implemented by proving that the message sent by that dealer is invalid.) We say that a dealer message is “locally bad” for shareholder \(P_j\), if that shareholder is able to generate a verifiable complaint against it. Importantly, we assume that it is impossible to produce a verifiable complaint against messages sent by honest dealers.

We denote the number of dealers as \(n_1\), at least \(d_1\) of them are assumed to be honest. The protocol is run among a set of \(n_0\) shareholders, at least \(d_0\) of which are assumed to be honest. We require that this base protocol terminates, and that all honest shareholders output the same sets \(\textsf{HOLD}\), \(\textsf{QUAL},\textsf{BAD}\), where \(\textsf{HOLD}\) is a subset of the shareholder set with \(|\textsf{HOLD}|\ge d_0\), and \(\textsf{QUAL},\textsf{BAD}\) are disjoint subsets of the dealer set with \(|\textsf{QUAL}|+|\textsf{BAD}|\ge d_1\).

The base protocol is described in Fig. 3 and proven in Theorem 4.1 (details in [4, Appendix F]). Here each shareholder initially sets \(\textsf{QUAL}\) to the first \(d_1\) dealers whose broadcast message they receive. Then each shareholder broadcasts a message specifying which of these \(d_1\) dealers sent correct shares and complaining about the ones that did not. Thereafter, each shareholder continuously adds to \(\textsf{HOLD}\) the shareholders whose message appeared on the channel, and moves dealers from \(\textsf{QUAL}\) to \(\textsf{BAD}\) when they see a verifiable complaint against them on the channel. The protocol terminates once \(\textsf{HOLD}\) reaches size \(d_0\).

Fig. 3.
figure 3

Base protocol for agreeing on \(\textsf{QUAL},\textsf{BAD},\textsf{HOLD}\)

Full size image

Theorem 4.1

Consider an execution of the base agreement protocol from Fig. 3 over a total-order broadcast channel, among a set of \(n_0\) shareholders of which at least \(d_0\) are honest. Assume that at most \(n_1\) dealers broadcast messages, at least \(d_1\) of these dealers are honest, and no verifiable complaint can be constructed against any honest dealer. Then all honest shareholders will eventually terminate, all outputting the same sets with \(|\textsf{HOLD}|\ge d_0\) and \(|\textsf{QUAL}|+|\textsf{BAD}| \ge d_1\). Moreover:

  • No shareholder in \(\textsf{HOLD}\) complained against any dealer in \(\textsf{QUAL}\); and

  • Every dealer in \(\textsf{BAD}\) has at least one shareholder in \(\textsf{HOLD}\) that lodged a verifiable complaint against them.

4.1 Agreement in SPRINT, the Static Case

To instantiate the base agreement protocol in SPRINT, we need to set the parameters \(n_0,d_0,n_1,d_1\) and specify how the dealer’s messages and verifiable complaints are generated and verified.

In our protocols, a dealer’s message is just a Shamir sharing of secrets via polynomials. In the static case, we have one pair of \(\textsf{QUAL},\textsf{BAD}\) for the DKG polynomials. We assume a PKI, and the dealers encrypt and broadcast all the shares under the public keys of their intended recipient, and also broadcast Feldman commitments to the polynomials themselves.

There are checks that all shareholders can perform on public information that the dealers broadcast, i.e. verifying that the committed polynomials are of the right degree, and that the dealer’s message includes all the ciphertexts that it is supposed to. However, each shareholder is the only one who can check if the share encrypted under their public key is consistent with the committed polynomial.

If the encrypted share is not consistent with the committed polynomial, the shareholder will create a verifiable complaint, using the fact that the dealer’s message is visible to all. A verifiable complaint from shareholder \(P_j\), denoted \(\pi _{ji}\), consists of the decrypted value from the ciphertext that \(D_i\) sent to \(P_j\), and a proof-of-correct-decryption relative to \(P_j\)’s public key.Footnote 17 Once other parties see the decrypted value they can all verify that the share indeed is not consistent with the committed polynomial.

The dealer messages and shareholder complaints are described in Fig. 4.

Fig. 4.
figure 4

Dealer messages and shareholder complaints

Full size image

Parameters in the Static-committee Setting. In the static-committee setting, each dealer shares a single random polynomial \(H_i\) of degree \(d'=t+2a-2\). To ensure that the resulting random polynomials can be recovered we need at least \(d'+1\) honest parties in \(\textsf{HOLD}\), so we have to set \(d_0\ge t+d'+1=2t+2a-1\). But we can set it even bigger, it can be as large as \(n-t\) since we know that there are at least as many honest shareholders. (This implies that we need \(n-t\ge 2t+2s-1\), namely \(n\ge 3t+2a-1\).)

We note that for the DKG protocol, the size of \(\textsf{QUAL}\) is unrelated to the degree of the polynomials \(H_i\). The only constraint on it is that to get b output random polynomials we need \(|\textsf{QUAL}|+|\textsf{BAD}|=d_1\ge b+t\). To get the best amortized cost, we want to make b as large as possible, which means using as large an initial set \(\textsf{QUAL}\cup \textsf{BAD}\) as we can get. Every party can serve as a dealer for the DKG protocol, so we have at least \(n-t\) honest dealers and can set \(d_1=n-t\) (and therefore \(b=n-2t\)).

Hence, we run the agreement protocol with parameters \(d_0=d_1=n-t\). (If we have fewer messages to sign, we can do with a smaller b, which means smaller \(d_1\), any value \(d_1>t\) would work.)

4.2 Agreement in the Dynamic/Proactive Setting

In this setting, dealers share two types of polynomials, random polynomials \(\textbf{H}_i\) of degree \(d'=t+2a-2\) for the DKG, and packed re-sharing polynomials \(\textbf{F}_i\) of degree \(d=t+a-1\).

Here we must rely on stronger agreement guarantees. For the static case, it was enough to ensure that in a setting with \(d_1\) honest dealers, we will end up with \(|\textsf{QUAL}|+|\textsf{BAD}|\ge d_1\), this was enough to ensure \(d_1-t\) honest dealers in \(\textsf{QUAL}\) (which is the best we can so in the worst case, and is what’s needed for the DKG). Now, however, we need to ensure the stronger condition \(|\textsf{QUAL}|\ge d_1\), since this is what’s needed for re-sharing the secret.

We therefore augment the agreement by running multiple iterations of the base protocol. In every iteration, we enlarge \(\textsf{QUAL}\) until it reaches side \(d_1\), then have one round of complaints and potentially move some more dealers from \(\textsf{QUAL}\) to \(\textsf{BAD}\). This is repeated until no more dealers are added to \(\textsf{BAD}\), at which point we have \(|\textsf{QUAL}|\ge d_1\). (Note that at the beginning of each iteration, we always have enough honest dealers whose messages were not yet incorporated in the protocol to reach \(\textsf{QUAL}\) of size-\(d_1\) in this iteration.)

Another enhancement to the protocol is that we now have two separate \(\textsf{QUAL}\)’s (and corresponding two \(\textsf{BAD}\)’s): one pair \(\textsf{QUAL}_1,\textsf{BAD}_1\) for the \(H_i\)’s, and another pair \(\textsf{QUAL}_2,\textsf{BAD}_2\) for the \(F_i\)’s. We however only have one shareholder set \(\textsf{HOLD}\) (since we need the same shareholders to get both a share of the key and a share of the ephemeral secrets). The protocol is in the full version [4, Appendix E].

Parameters in the Dynamic-committee Setting. Here we have parameters \(n_0,d_0\) for \(\textsf{HOLD}\) and \(n_1,d_1\) for \(\textsf{QUAL},\textsf{BAD}\) as before (for the \(H_i\)’s), but in addition also \(n_2,d_2\) for \(\textsf{QUAL}',\textsf{BAD}'\). For the \(\textbf{H}_i\)’s we have the same parameters as above, \(n_0=n_1=n\) and \(d_0=d_1=n-t\). For the \(\textbf{F}_i\)’s, we need \(d+1=t+a\) dealers in \(\textsf{QUAL}'\) in order for shareholders in \(\textsf{HOLD}\) to be able to recover their shares, so we set \(d_2=t+a\).

All the dealers in \(\textsf{QUAL}'\) must have shares of the long-term secret, so they had to be in \(\textsf{HOLD}\) in the previous epoch. Hence, the pool of dealers could be as small as \(n_2=d_0=n-t\), and t of them could be corrupted, so we cannot set \(d_2\) any larger than \(n-2t\). This implies the constraint \(d_2=n-2t\ge t+a\) or \(n\ge 3t+a\). This constraint is weaker than the constraint \(n\ge 3t+2a-1\) from above.