Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston - PowerPoint PPT Presentation

UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear in CCS’20

Background (MPC) Secure Multiparty Computation Distrustful parties compute correlated outputs on their (secret) inputs and only reveal what the outputs suggest.  Powerful Feasibility Results Y ao’82 , Goldreich-Micali- Widgerson’86, Chaum-Crepeau- Damgard’88, Ben Or-Goldwasser- Wigderson’88  Any traditional signature scheme can be “ thresholdized ”, in principle  MPC theory is not a panacea

Desiderata  Non-Interactive Signing Signature generation boils down to a single message (w/ preprocess). Especially relevant for “cold wallets”.

Desiderata  Non-Interactive Signing Signature generation boils down to a single message (w/ preprocess).  Accountability Faulty/malicious signatories are identified in case of failure. Known as security w/ identifiable abort in MPC literature.

Desiderata  Non-Interactive Signing Signature generation boils down to a single message (w/ preprocess).  Accountability Faulty/malicious signatories are identified in case of failure.  Proactive Security Long-haul security against adaptive adversaries. Adaptive vs Static Adversaries

Desiderata  Non-Interactive Signing Signature generation boils down to a single message (w/ preprocess).  Accountability Faulty/malicious signatories are identified in case of failure.  Proactive Security Long-haul security against adaptive adversaries.  UC Security Security preserved under composition. Even when multiple different sessions are occurring simultaneously.

Desiderata  Non-Interactive Signing Signature generation boils down to a single message (w/ preprocess).  Accountability Faulty/malicious signatories are identified in case of failure.  Proactive Security Long-haul security against adaptive adversaries.  UC Security Security preserved under composition. We show how to achieve all of these properties in one protocol!

Previous/Concurrent Work on t-ECDSA Honest Majority: Gennaro-Jarecki-Krawcyk- Rabin’96 Two-Party Dishonest Majority: Mackenzie- Reiter’01 Lindell’17, Doerner - Shelat’18, Castagnos -Catalano-Laguillaumie-Savasta- Tucker’19 Multiparty Dishonest Majority: Gennaro-Goldfeder- Narayanan’16, Boneh-Gennaro- Goldfeder’17 Lindell- Nof’19, Gennaro - Goldfeder’19, Doerner -Kondi-Lee- Shelat’20 Castagnos-Catalano-Laguillaumie-Savasta- Tucker’20

Previous/Concurrent Work on t-ECDSA Honest Majority: Damgard-Jakobsen-Nielsen-Pagter- Ostergaard’20 Gennaro-Jarecki-Krawcyk- Rabin’96 Two-Party Dishonest Majority: Mackenzie- Reiter’01 Lindell’17, Doerner - Shelat’18, Castagnos -Catalano-Laguillaumie-Savasta- Tucker’19 Multiparty Dishonest Majority: Gennaro-Goldfeder- Narayanan’16, Boneh-Gennaro- Goldfeder’17 Lindell- Nof’19, Gennaro - Goldfeder’19, Doerner -Kondi-Lee- Shelat’20 Castagnos-Catalano-Laguillaumie-Savasta- Tucker’20 Dalskov-Keller-Orlandi-Shrishak- Shulman’20 Gagol-Kula-Straszak- Swietek’20

Our Results We present two related protocols for threshold ECDSA. Protocol 1 Protocol 2 Key-Generation Key-Refresh Key-Generation Key-Refresh Signing Signing Presigning Presigning Communication Model: We rely on synchronous broadcast channel

Our Results (cont’d) We present two related protocols for threshold ECDSA. PROTOCOL 1 PROTOCOL 2 ✔ ✔ Non-Interactive Signing ✔ ✔ Full Proactive Security ✔ ✔ Accountability ✔ ✔ UC - Security

Our Results (cont’d) We present two related protocols for threshold ECDSA. PROTOCOL 1 PROTOCOL 2 ✔ ✔ Non-Interactive Signing ✔ ✔ Full Proactive Security ✔ ✔ Accountability ✔ ✔ UC - Security Round-Complexity (Signing) 4 i.e. 3 + 1 7 i.e. 6 + 1 𝑃(𝑜 2 ) Accountability Overhead 𝑃(𝑜) Overhead kicks in only when a fault is detected

Comparison Most Round-Efficient

Comparison Most Round-Efficient

~2 as expensive in comp & com compared to the most Comparison com-efficient protocols Most Round-Efficient

Background

Preliminaries (Notation) For 𝑈 ∈ ℕ, let ±𝑈 denote {−𝑈, … , 0, … , 𝑈}. Non Standard Notation!! Index disappearance denotes summation e.g. if 𝑦 𝑗 , 𝑙 𝑘 , 𝜀 ℓ … becomes 𝑦, 𝑙, 𝜀 … it means σ 𝑗 𝑦 𝑗 , σ 𝑘 𝑙 𝑘 , σ ℓ 𝜀 ℓ … Also for double indices!

Preliminaries (ECDSA) • Parameters:  (𝔿, 𝑕, 𝑟) group-generator-order and hash ℋ: {0,1} ∗ → 𝔾 𝑟 . • Algorithms:  keygen() = 𝑦 ← 𝔾 𝑟 , 𝑌 = 𝑕 𝑦 ∈ 𝔿 where 𝑙 ← 𝔾 𝑟 and 𝑛 = ℋ(msg) .  sign 𝑦 msg = 𝑠, 𝜏 s.t. 𝑠 = 𝑕 𝑙 −1 ȁ x−axis and 𝜏 = 𝑙(𝑛 + 𝑠𝑦) .

Preliminaries (ECDSA) • Parameters:  (𝔿, 𝑕, 𝑟) group-generator-order and hash ℋ: {0,1} ∗ → 𝔾 𝑟 . • Algorithms:  keygen() = 𝑦 ← 𝔾 𝑟 , 𝑌 = 𝑕 𝑦 ∈ 𝔿 where 𝑙 ← 𝔾 𝑟 and 𝑛 = ℋ(msg) .  sign 𝑦 msg = 𝑠, 𝜏 s.t. 𝑠 = 𝑕 𝑙 −1 ȁ x−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦) .

Preliminaries (ECDSA) • Parameters:  (𝔿, 𝑕, 𝑟) group-generator-order and hash ℋ: {0,1} ∗ → 𝔾 𝑟 . • Algorithms:  keygen() = 𝑦 ← 𝔾 𝑟 , 𝑌 = 𝑕 𝑦 ∈ 𝔿 where 𝑙 ← 𝔾 𝑟 and 𝑛 = ℋ(msg) .  sign 𝑦 msg = 𝑠, 𝜏 s.t. 𝑠 = 𝑕 𝑙 −1 ȁ x−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦) . (Gist of) MPC sign : Sample shares 𝑙 1 … 𝑙 𝑜 of 𝑙 and compute shares of 𝑙 ⋅ 𝑦 via pairwise multiplication with 𝑦 1 … 𝑦 𝑜 .

Preliminaries (ECDSA) • Parameters:  (𝔿, 𝑕, 𝑟) group-generator-order and hash ℋ: {0,1} ∗ → 𝔾 𝑟 . • Algorithms:  keygen() = 𝑦 ← 𝔾 𝑟 , 𝑌 = 𝑕 𝑦 ∈ 𝔿 where 𝑙 ← 𝔾 𝑟 and 𝑛 = ℋ(msg) .  sign 𝑦 msg = 𝑠, 𝜏 s.t. 𝑠 = 𝑕 𝑙 −1 ȁ x−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦) .  vrfy 𝑌 msg; 𝑠, 𝜏 = 1 if and only if g 𝑛 ⋅ 𝑌 𝑠 𝜏 −1 ȁ x−axis = 𝑠 .

Preliminaries (Paillier Encryption) • Algorithms:  keygen() = RSA Modulus & Factors (𝑂; 𝑞 1 , 𝑞 2 )  enc 𝑂 𝑛 ∈ ℤ 𝑂 = 1 + 𝑂 𝑛 ⋅ 𝜍 𝑂 mod 𝑂 2 ∗ Where 𝜍 ← ℤ 𝑂 C 𝜒(𝑂) −1 mod 𝑂 2 ⋅ 𝜚 𝑂 −1 mod 𝑂 ∗  dec 𝜒(𝑂) 𝐷 ∈ ℤ 𝑂 2 = 𝑂 Easy to deduce 𝑛 knowing 𝜒(𝑂)

Preliminaries (Paillier Encryption) • Algorithms:  keygen() = RSA Modulus & Factors (𝑂; 𝑞 1 , 𝑞 2 )  enc 𝑂 𝑛 ∈ ℤ 𝑂 = 1 + 𝑂 𝑛 ⋅ 𝜍 𝑂 mod 𝑂 2 ∗ Where 𝜍 ← ℤ 𝑂 C 𝜒(𝑂) −1 mod 𝑂 2 ⋅ 𝜚 𝑂 −1 mod 𝑂 ∗  dec 𝜒(𝑂) 𝐷 ∈ ℤ 𝑂 2 = 𝑂 Easy to deduce 𝑛 • Paillier is additive homomorphic: knowing 𝜒(𝑂) enc 𝑂 𝑛 1 + 𝑛 2 = enc 𝑂 𝑛 1 ) ⋅ enc 𝑂 (𝑛 2 enc 𝑂 𝛽 ⋅ 𝑛 = enc 𝑂 𝑛 𝛽

Preliminaries (Multiplication via Paillier) 𝒝 and ℬ wish to compute 𝑏, 𝑐 ↦ (𝑡 1 , 𝑡 2 ) such that 𝑡 1 + 𝑡 2 = 𝑏 ⋅ 𝑐 𝒝 is associated with Paillier public key 𝑂 1. 𝒝 sends 𝐷 = enc(𝑏) 2. ℬ samples 𝑡 2 and replies with 𝐸 = 𝐷 𝑐 ⋅ enc (−𝑡 2 ) Output: 𝒝 outputs 𝑡 1 = dec (𝐸) and ℬ outputs 𝑡 2 . dec(𝐸) = 𝑏𝑐 − 𝑡 2

Protocol (Honest-But-Curious) From 𝒬 𝑗 perspective - Each 𝒬 𝑗 holds secret key-share 𝑦 𝑗 Sample 𝑙 𝑗 , 𝛿 𝑗 ← 𝔾 𝑟 and send 𝐿 𝑗 = enc 𝑗 (𝑙 𝑗 ) to all. 1. 2. For each 𝑘 ≠ 𝑗 do Write 𝜓 𝑗,𝑘 and 𝜀 𝑗,𝑘 for 𝒬 𝑗 ’s output in each mult. 𝑦 𝑗 ⋅ enc 𝑘 𝛾 𝑗,𝑘 for 𝛾 𝑗,𝑘 ← ±2 ℓ ⋅ 𝑟  Set 𝐸 𝑘,𝑗 = 𝐿 NB → 𝜀 = 𝑙 ⋅ 𝛿 and 𝜓 = 𝑙 ⋅ 𝑦 𝑘 ′ = 𝐿 ′ ← ±2 ℓ ⋅ 𝑟 𝛿 𝑗 ⋅ enc 𝑘 𝛾 𝑗,𝑘 ′  Set 𝐸 for 𝛾 𝑗,𝑘 𝑘,𝑗 𝑘 ′ ) to 𝒬 Send (𝐸 𝑘,𝑗 , 𝐸 𝑘 . 𝑘,𝑗 𝑗 = 𝑕 𝛿 𝑗 and send Γ 3. Set Γ 𝑗 , 𝜀 𝑗 to all 𝜀 −1 ς 𝑘 Γ 4. Set 𝑆 = and send 𝜏 𝑗 = 𝑙 𝑗 𝑛 + 𝑠𝜓 𝑗 to all. 𝑘 Output 𝑠, 𝜏 . 𝛿 ⋅ 𝜀 −1 = 𝑙 −1

Malicious Security Challenges We are embedding values of 𝔾 𝑟 into ℤ 𝑂 ( 𝑟 & 𝑂 are coprime) ( † ) enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 = enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 In case of equality → signature verifies Carefull choice of 𝛿 & 𝛾 Otherwise → signature does not verify reveals a bit of information per protocol execution.

Malicious Security Challenges We are embedding values of 𝔾 𝑟 into ℤ 𝑂 ( 𝑟 & 𝑂 are coprime) ( † ) enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 = enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 In case of equality → signature verifies Carefull choice of 𝛿 & 𝛾 Otherwise → signature does not verify reveals a bit of information per protocol execution.  Solution: Enforce a “range policy” on all secret data i.e. values can only be chosen from some range ±2 ℓ ≪ 𝑂 Also in Lindell- Nof’18 and 𝑂, 𝐷; 𝑦 𝐷 = enc 𝑂 𝑦 ∧ 𝑦 ∈ ±2 ℓ } ZK-Proofs for ℛ = Gennaro- Goldfeder’18

Our Protocol(s)