ABSTRACT
Threshold ECDSA has received considerable interest lately due to its widespread adoption in blockchain applications. A common building block of all leading constructions is a secure conversion of multiplicative shares into additive ones, called the multiplicative-to-additive (MtA) function. MtA dominates the overall complexity of all existing threshold ECDSA constructions: O(n^2) invocations of MtA are required when n signers are active. Hence, any improvement to MtA translates directly into significant improvements for all state-of-the-art threshold ECDSA schemes.
In this paper, we design a novel MtA by revisiting the Joye-Libert (JL) cryptosystem. Specifically, we revisit JL encryption, propose a JL-based commitment, and give efficient zero-knowledge proofs for the JL cryptosystem that are the first to achieve standard soundness. Our new MtA offers the best time-space complexity trade-off among all existing MtA constructions. It outperforms state-of-the-art Paillier-based constructions by a factor of 1.85 to 2 in bandwidth and 1.2 to 1.7 in computation. It is 7X faster than those based on Castagnos-Laguillaumie encryption, at the cost of only 2X more bandwidth. While our MtA is slower than OT-based constructions, it saves 18.7X in bandwidth. In addition, we design a batch version of MtA that further reduces the amortised time and space cost by another 25%.
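To make the MtA functionality and its O(n^2) cost concrete, the following added example (not code from the paper) implements MtA over a toy Paillier instance standing in for the paper's Joye-Libert scheme, then shows how n parties holding additive shares of k and gamma obtain additive shares of k*gamma through one MtA per ordered pair. All key sizes and the group order Q are constructed toy values, with no zero-knowledge proofs, so it illustrates the share conversion only, not a secure protocol.

```python
"""Toy MtA (multiplicative-to-additive) share conversion over an additively
homomorphic cipher, plus the pairwise use that makes n signers need n(n-1)
MtA calls. Paillier stands in for the paper's Joye-Libert scheme; every
parameter below is a constructed toy value, not one from the paper."""
import math
import secrets

# Constructed toy Paillier key from two Mersenne primes: far too small for real use.
P, R = (1 << 61) - 1, (1 << 89) - 1
N = P * R
N2 = N * N
LAM = math.lcm(P - 1, R - 1)
MU = pow(LAM, -1, N)          # valid decryption constant because g = 1 + N
Q = (1 << 31) - 1             # toy prime standing in for the curve order

def enc(m):
    """Paillier encryption with g = 1 + N: (1+N)^m * r^N mod N^2."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N2) % N2

def dec(c):
    """Paillier decryption: L(c^lambda mod N^2) * mu mod N, with L(u) = (u-1)/N."""
    u = pow(c, LAM, N2)
    return (u - 1) // N * MU % N

def mta(a, b):
    """Alice holds a, Bob holds b; returns (alpha, beta) with alpha + beta = a*b mod Q.
    Bob only sees Enc(a); Alice only sees a*b + beta', masked by Bob's random beta'."""
    c_a = enc(a % Q)                                   # Alice -> Bob
    beta_prime = secrets.randbelow(1 << 128)           # a*b + beta' < N, so no wrap-around
    c_b = pow(c_a, b % Q, N2) * enc(beta_prime) % N2   # Bob -> Alice: Enc(a*b + beta')
    alpha = dec(c_b) % Q
    beta = (-beta_prime) % Q
    return alpha, beta

def product_shares(ks, gammas):
    """Additive shares k_i, gamma_i of k and gamma -> additive shares of k*gamma.
    Each ordered pair (i, j), i != j, runs one MtA: the O(n^2) cost the abstract names."""
    n = len(ks)
    out = [k * g % Q for k, g in zip(ks, gammas)]      # local cross terms k_i * gamma_i
    for i in range(n):
        for j in range(n):
            if i != j:
                alpha, beta = mta(ks[i], gammas[j])    # shares of k_i * gamma_j
                out[i] = (out[i] + alpha) % Q
                out[j] = (out[j] + beta) % Q
    return out
```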
Index Terms
- Efficient Multiplicative-to-Additive Function from Joye-Libert Cryptosystem and Its Application to Threshold ECDSA