Threshold ECDSA from ECDSA assumptions: the multiparty case
Jack Doerner, Yashvanth Kondi, Eysa Lee, and abhi shelat
j@ckdoerner.net, ykondi@ccs.neu.edu, eysa@ccs.neu.edu, abhi@neu.edu
Northeastern University

Traditional Signature (figure)
Threshold Signature: three shares of sk ← Share(sk) (figure)
3-of-n Signature Scheme (figure)

Full Threshold
• Scheme can be instantiated with any t <= n
• Adversary corrupts up to t-1 parties

ECDSA
• Elliptic Curve Digital Signature Algorithm
• Devised by David Kravitz, standardized by NIST
• Widespread adoption across the internet

Notation
• G, q: elliptic curve parameters
• k, sk: secret values
• pk, R: public values

ECDSA Recap
R = k · G, with r_x the x-coordinate of R
sign(m, sk, k) = (H(m) + sk · r_x) / k
Non-linearity makes "thresholdization" difficult

Threshold ECDSA
• Limited schemes based on Paillier encryption: [MacKenzie Reiter 04], [Gennaro Goldfeder Narayanan 16], [Lindell 17]
• Practical key generation and efficient signing (full threshold):
  - [Gennaro Goldfeder 18]: Paillier-based
  - [Lindell Nof Ranellucci 18]: El-Gamal based
• Our work last year [DKLs18]: 2-of-n ECDSA under native assumptions
• This work: Full-Threshold ECDSA under native assumptions

Our Approach
• 2-party multipliers: Oblivious Transfer in ECDSA curve
  - Pros:
    - With OT Extension (no extra assumptions) just a few milliseconds
    - Native assumptions (CDH in the same curve)
  - Con: Higher bandwidth (100s of KB/party)

Our Approach
• OT-MUL secure up to choice of inputs
• Light consistency check (unique to our protocol):
  - Verify shares in the exponent before reveal
  - Costs 5 exponentiations + curve points / party
  - Subverting checks implies solving CDH in the same curve

Tradeoffs
• Our work avoids expensive zero-knowledge proofs and assumptions foreign to ECDSA itself, required by other works in the area
• Using OT-MUL is very light on computation, but more demanding of bandwidth than alternative approaches; we argue this is not an issue for most applications
• Our wall clock times (even WAN) are an order of magnitude better than the next best concurrent work

Our Model
• Universal Composability [Canetti '01] (static adv., local RO)
• Functionality (trusted third party emulated by protocol):
  - Store secret key
  - Compute ECDSA signature when enough parties ask
• Assumption: CDH is hard in the ECDSA curve
• Network: Synchronous, broadcast
• Security with abort

Our Approach
• Setup: MUL setup, VSS for [sk]
• Signing:
  1. Get candidate shares [k], [1/k], and R = k·G
  2. Compute [sk/k] = MUL([1/k], [sk])
  3. Check relations in exponent
  4. Reconstruct sig = [1/k]·H(m) + [sk/k]

Setup
• Fully distributed
• MUL setup: Pairwise among parties (128 OTs)
• Key generation (Pedersen-style):
  - Every party Shamir-shares a random secret
  - Secret key is sum of parties' contributions
  - Verify in the exponent that parties' shares are on the same polynomial

Obtaining Candidate Shares
• Building Block: Two party MUL with full security [DKLs18]
• One approach (implemented):
  - Each party starts with multiplicative shares of k and 1/k
  - Multiplicative to additive shares: log(t)+c rounds
• Alternative: [Bar-Ilan&Beaver '89] approach yields constant round protocol (work in progress)

Our Approach
• Setup: MUL setup, VSS for [sk]
• Signing:
  1. Get candidate shares [k], [1/k], and R = k·G
  2. Compute [sk/k] = MUL([1/k], [sk]) => Standard GMW
  3. Check relations in exponent
  4. Reconstruct sig = [1/k]·H(m) + [sk/k]

Major challenges from 2 to Multi-party
• 2-party check does not obviously generalize [LNR18]
• Can't use Diffie-Hellman Exchange for R

Check in Exponent
• There are three relations that have to be verified (figure: [k], [1/k], [sk/k])
• Technique: Each equation is verified in the exponent, using "auxiliary" information that's already available
• Cost: 5 exponentiations, 5 group elements per party independent of party count, and no ZK proofs

Check in Exponent
• Task: verify relationship between [k] and [1/k]
• Idea: verify [1/k][k] = 1 by verifying [1/k][k] · G = G

Check in Exponent
Attempt at a solution:
  Public: R
  Broadcast: Γ_i = [1/k]_i · R
  Verify: ∑_{i ∈ [n]} Γ_i = G

Check in Exponent
Attempt at a solution:
  Public: R = k_A k_h · G (k_A: adversary's contribution; k_h: honest party's contribution)
  Broadcast: Γ_i = [(1/k_A)(1/k_h)]_i · R
  Verify: ∑_{i ∈ [n]} Γ_i = G

Check in Exponent
Attempt at a solution:
  Public: R = k_A k_h · G (k_A: adversary's contribution; k_h: honest party's contribution)
  Broadcast: Γ_i = [(1/k_A + ϵ)(1/k_h)]_i · R
  Verify: ∑_{i ∈ [n]} Γ_i = G + ϵ k_A · G
  Easy for Adv. to offset

Idea: Randomize Target
• Currently we expect ∑ Γ_i to hit a fixed target G
• Idea: randomize the multiplication so target is unpredictable
• Compute [φ/k] instead of [1/k]
• Reveal φ only after every other value is committed

Check in Exponent
Attempt at a solution:
  Public: R = k_A k_h · G
  Broadcast: Γ_i = [(φ_A/k_A)(φ_h/k_h)]_i · R (φ_A, k_A: adversary's contributions; φ_h, k_h: honest party's contributions)
  Verify: ∑_{i ∈ [n]} Γ_i = φ_A φ_h · G = Φ

Check in Exponent
Attempt at a solution:
  Public: R = k_A k_h · G
  Broadcast: Γ_i = [(φ_A/k_A + ϵ)(φ_h/k_h)]_i · R
  Verify: ∑_{i ∈ [n]} Γ_i = Φ + ϵ φ_h k_A · G
  Completely unpredictable

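The fixed-target and randomized-target checks from the slides above, as an added example (not code from the talk or from the authors' Rust implementation). It assumes secp256k1 as the ECDSA curve, uses a plain additive-sharing helper in place of the OT multipliers, and all function names are hypothetical.

```python
import random

# secp256k1 parameters (assumed curve; the slides only say "the ECDSA curve")
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0: return None
    if A == B: lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else: lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Scalar multiplication k*A by double-and-add (not constant time)."""
    k, R = k % Q, None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def share(v, n, rng):
    """Additive shares of v mod Q; stands in for the OT-multiplier output."""
    s = [rng.randrange(Q) for _ in range(n - 1)]
    return s + [(v - sum(s)) % Q]

def check_passes(eps, randomized, n=3, seed=7):
    """Party 0 is corrupt and feeds (phi_A/k_A + eps) into the multiplication."""
    rng = random.Random(seed)
    k_A, k_h, phi_A, phi_h = (rng.randrange(2, Q) for _ in range(4))
    if not randomized:
        phi_A = phi_h = 1                    # fixed target G
    inv = lambda x: pow(x, -1, Q)
    R = mul(k_A * k_h, G)                    # public R = k_A k_h * G
    v = (phi_A * inv(k_A) + eps) * phi_h * inv(k_h) % Q
    gammas = [mul(s, R) for s in share(v, n, rng)]   # Gamma_i = [v]_i * R
    # The corrupt party shifts its broadcast by -eps*k_A*G: it knows eps and
    # k_A, but phi_h stays hidden until every Gamma_i is committed.
    gammas[0] = add(gammas[0], mul(-eps * k_A, G))
    total = None
    for g in gammas:
        total = add(total, g)
    return total == mul(phi_A * phi_h, G)    # target Phi = phi_A phi_h * G
```

With eps = 0 both variants accept; with a nonzero eps the fixed-target check still accepts after the shift, while the randomized check is left off by eps·k_A·(φ_h − 1)·G and rejects.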
Check in Exponent
There are three relations that have to be verified (figure: relations among [k], [1/k], [sk/k] and the public values R, pk)
Each costs, per party:
  - 2 exponentiations
  - 2 field elements
Two broadcast rounds

Our Approach
• Setup: MUL setup, VSS for [sk]
• Signing:
  1. Get candidate shares [k], [1/k], and R = k·G
  2. Compute [sk/k] = MUL([1/k], [sk])
  3. Check relations in exponent
  4. Reconstruct sig = [1/k]·H(m) + [sk/k] => Broadcast linear combination of shares

Dominant Costs
           Rounds      Public Key   Bandwidth
Setup      5           520n         21n KB
Signing    log(t)+6    5            <100t KB
Journal version (in progress): 8 round signing (à la [Bar-Ilan Beaver 89])

Benchmarks
• Implementation in Rust
• Ran benchmarks on Google Cloud
• One node per party
• LAN and WAN tests (up to 16 zones)
• Low Power Friendliness: Raspberry Pi (~93ms for 3-of-3)

LAN Setup: Broadcast PoK (DLog), Pairwise: 128 OTs
LAN Signing
WAN Nodes (figure): 87.1 ms, 66.5 ms, 348 ms, 235 ms

WAN Benchmarks
All time values in milliseconds
Parties/Zones   Signing Rounds   Signing Time   Setup Time
5/1             9                13.6           67.9
5/5             9                288            328
16/1            10               26.3           181
16/16           10               3045           1676
40/1            12               60.8           539
40/5            12               592            743
128/1           13               193.2          2300
128/16          13               4118           3424