The MPTS2020 workshop is intended as an informal consultation step about the development of criteria for evaluating multi-party threshold schemes for the cryptographic primitives identified in NISTIR 8214A. The organizers are asking the community of stakeholders to participate by providing examples, suggestions and recommendations for the multi-party track of the standardization process considered by the NIST Threshold Cryptography (TC) project. The collected feedback will be taken into consideration in the development process.

• What: NIST workshop on multi-party threshold schemes.
• Goal: Collect feedback for the multi-party track of the TC project.
• How: Invited talks (~20 min each) + Q&A; and submitted briefs (~5 min).
• Logistics: Participation by video-conference; free attendance based on early registration.
• When: November 4--6 (9:30am -- 13:00+).

Primitives (see NISTIR 8214A, Section 4.1): 1. RSA signing; 2. RSA decryption; 3. RSA key generation; 4. EdDSA signing; 5. ECDSA signing; 6. ECC-CDH primitive; 7. Keygen for ECC; 8. AES enciphering/deciphering

Some related topics (see NISTIR 8214A, Section 5): 1. Configurability (threshold numbers, ...); 2. Practical feasibility; 3. Security models; 4. Security properties; 5. Gadgets and modularity; 6. Validation suitability.

The Threshold Cryptography (TC) project at the National Institute of Standards and Technology (NIST) is exploring the potential for standardization of threshold schemes for cryptographic primitives. The goal of the multi-party track (see NISTIR 8214A) is to enable the distributed execution of key-based primitives when the keys are secret-shared across multiple parties. By applying a threshold scheme, the confidentiality of the original key is preserved even if some threshold number of parties are compromised. A threshold property can also extend to other security aspects,such as integrity and availability of the operation.

The current focus of the project is on devising criteria for evaluation of threshold schemes that may be proposed in the future for consideration in the TC multi-party track. To develop such criteria, it is essential to obtain meaningful and timely feedback from expert stakeholders. The NIST Workshop on Multi-Party Threshold Schemes (MPTS 2020) is organized as a step to enable the organizers to collect useful feedback from the community. The organizers ask the community to aim at recommendations that promote security, practicality and interoperability, under the umbrella of improving best practices and fostering innovation, within the scope of standardization.

Workshop structure. MPTS 2020 will be a virtual workshop. The presentations and comments will be recorded and made publicly available after the event. The workshop will last three days,with up to four hours per day. The program will be based on two types of contributions:

• Talks: Invited talks (~20 min talk + ~5 min Q&A), focused on recommendations for criteria for threshold schemes or their elements (e.g., gadgets); each talk is followed by a short period of moderated comments and Q&A.
• Briefs: Short talks (up to 5 min each), related to the goal of the workshop (requires submitting a title and short description).

We invite the community of stakeholders to participate in the workshop and share their views on threshold schemes for the multi-party track of NISTIR 8214A, and give recommendations on criteria for their standardization. We will publish the collected feedback after the workshop.

Content scope. This workshop and the multi-party track of the TC project cover the cryptographic primitives highlighted in Section 4.1 of NISTIR 8214A. The organizers are interested in characterizing potential threshold schemes with respect to the features in Section 5 of NISTIR 81214A. See also the Sections 2.3--2.5, 6.1 and 7.2.

Disclaimer (standards). The use of the words "standards" and "standardization" in the TC project does not imply a goal of producing new Federal Information Processing Standards (FIPS) publications. For example, the final products may include Recommendations or implementation guidelines to be incorporated in other documentation, such as (but not necessarily) Special Publications in Computer Security (SP 800).

(Note: Statistics updated on 2020-Nov-9. Identified duplicates were not counted.)

Overall workshop registrations (including all speakers): 292 individuals (includes 20 from NIST), across 40+ countries.

Webex registrations (including panelists/hosts) per event: 162 in 1st day: 158 in 2nd day; 140 in 3rd day.

Speakers (19) of invited talks: Berry Schoenmakers, Ivan Damgård, Tal Rabin, Nigel Smart, Chelsea Komlo, Yehuda Lindell, Ran Canetti, Yuval Ishai, Emmanuela Orsini, Peter Scholl, Vladimir Kolesnikov, Xiao Wang, Jean-Philippe Aumasson, Omer Shlomovits, Kris Shrishak, Nikolaos Makriyannis, Schuyler Rosefield, Muthu Venkitasubramaniam, Marcella Hastings.

Speakers (11) of accepted briefs: Yashvanth Kondi, Akira Takahashi, Jan Willemson, Saikrishna Badrinarayanan, Xiao Wang, Jakob Pagter, Phillip Hallam-Baker, Ronald Tse, Frank Wiener, Damian Straszak, Jack Doerner.

Session chairs (5): Luís Brandão, Michael Davidson, Dustin Moody, René Peralta, Apostol Vassilev.

Workshop/program chair (1): Luís Brandão.

(Each listing of names follows the order of the corresponding talks/briefs/sessions at the workshop.)

Thanks to Donal Whitfield for explaining, prior to the workshop, the workings of the video-conference platform.

Statistics based on answers provided in the workshop registration form

Deadlines:

• September 30: early registration (free)
• September 30: submission of title + abstract for brief intervention (submissions phase 1)
• October 28: late registration (also free -- the video-conference platform allows it)
• October 28: submission of title + abstract for brief intervention (submissions phase 2)
• November 6: We will accept registrations arriving after Oct 28, but there may be a delay in allowing the connection to the virtual event

How to register as an attendee for MPTS 2020:

There are two needed (sequential) registrations for attendees:

Registration 1. Submit the workshop registration form:

https://docs.google.com/forms/d/e/1FAIpQLScY7P4HOG-GhaX5FiaP_DGudiwcyBIqk9cJRzXotCrCg79y-w/viewform

After someone reads your submitted form, you will receive (from a nist.gov email) a "registration password" for the Webex events, as well as the Webex event password.

Registration 2. Apply for a Webex Registration ID for each day of the event:

https://nist-secure.webex.com/nist-secure/onstage/g.php?PRID=a6b80f9da4bda97b06dbaf47a2f6fe4f

The workshop occurs as three Webex virtual events (one per day of the workshop). To connect as an attendee in each event day, first register (with Webex) your email address for the event. You will then receive an email from Webex with a "registration " id, which you'll need (along with the event password, received in step 1) to login to the virtual event.

Note: If you are a presenter, your role in the webex event will be as "Panelist", instead of "Attendee". In such case you will receive different instructions by email.

Submit a proposal for a "brief":

To submit a proposed "brief", please email workshop-MPTS-2020@nist.gov, preferably by September 30 (phase 1) or October 28 (phase 2):

• Use email subject "MPTS2020 brief: "

• Include the contact details of the speaker.

• Attach a 1-page file in PDF format containing: title, name, and abstract.

Lodging Info:

Virtual workshop

Session 1a (talks). Session chair: Luís Brandão.

• 09:15--10:00: Talk 1a1: Let’s talk about multi-party threshold schemes. Luís Brandão (NIST)

• 10:00--10:25: Talk 1a2: Publicly Verifiable Secret Sharing and Its Use in Threshold Cryptography. Berry Schoenmakers (TU Eindhoven)

• 10:25--10:50: Talk 1a3: Optimizing honest majority threshold cryptosystems. Ivan Damgård (Aarhus University)

• 10:50--11:05: Break

Session 1b (talks). Session chair: Michael Davidson.

• 11:05--11:30: Talk 1b1: You Only Speak Once – Secure MPC with Stateless Ephemeral Roles. Tal Rabin (Algorand Foundation)

• 11:30--11:55: Talk 1b2: Thresholdizing DSA, Schnorr, EdDSA, HashEdDSA, .... Nigel Smart (KU Leuven)

• 11:55--12:20: Talk 1b3: FROST: Flexible Round-Optimized Schnorr Threshold Signatures and Extensibility to EdDSA. Chelsea Komlo (University of Waterloo)

• 12:20--12:30: Break

Session 1c (briefs): Session chair: Dustin Moody.

• 12:30--12:36: Brief 1c1: Threshold Schnorr with Stateless Deterministic Signing. Yashvanth Kondi (Northeastern University)

• 12:36--12:42: Brief 1c2: Lattice-based Distributed Signing Protocols from the Fiat-Shamir with Aborts Paradigm. Akira Takahashi (Aarhus University)

• 12:42--12:48: Brief 1c3: On the need for threshold post-quantum (signature) schemes. Jan Willemson (Cybernetica)

• 12:48--12:54: Brief 1c4: BETA: Biometric Enabled Threshold Authentication. Saikrishna Badrinarayanan (Visa Research)

• 12:50--13:00+: Day closing

09:15--09:35: Virtual arrival

Session 2a (talks): Session chair: Luís Brandão.

• 09:35--10:00: Talk 2a1: Settings and Considerations for Standardizing Multi-Party Threshold Schemes. Yehuda Lindell (Unbound Tech; Bar-Ilan University)

• 10:00--10:25: Talk 2a2: Standardizing Security: The case of threshold cryptography. Ran Canetti (Boston University)

• 10:25--10:50: Talk 2a3: Pseudorandom Correlation Generators: Secure Computation with Silent Preprocessing. Yuval Ishai (Technion)

• 10:50--11:05: Break

Session 2b (talks): Session chair: Rene Peralta.

• 11:05--11:30: Talk 2b1: Efficient Actively Secure OT Extension: 5 Years Later. Emmanuela Orsini (KU Leuven) & Peter Scholl (Aarhus University)

• 11:30--11:55: Talk 2b2: Let’s Standardize Garbled Circuits!. Vladimir Kolesnikov (Georgia Tech)

• 11:55--12:20: Talk 2b3: Global-Scale Threshold AES (and SHA256). Xiao Wang (Northeastern University)

• 12:20--12:30: Break

Session 2c (briefs): Session chair: Apostol Vassilev.

• 12:30--12:36: Brief 2c1: Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting). Xiao Wang (Northeastern University)

• 12:36--12:42: Brief 2c2: MPC-based key management – using threshold trust to address different threat models. Jakob Pagter (Sepior)

• 12:42--12:48: Brief 2c3: Towards a Threshold Key Infrastructure. Phillip Hallam-Baker (Threshold Secrets)

• 12:48--12:54: Brief 2c4: Confium: an open source framework to support threshold cryptography standardization. Ronald Tse (Ribose)

• 12:54--13:00: Brief 2c5: The MPC Alliance (MPCA), Status and Roadmap. Frank Wiener (MPC Alliance)

• 13:00--13:00+: Day closing

09:15--09:35: Virtual arrival

Session 3a (talks): Session chair: Apostol Vassilev.

• 09:35--10:00: Talk 3a1: Attacks to deployed threshold signatures. Jean-Philippe Aumasson (ZenGo) and Omer Shlomovits (Taurus)

• 10:00--10:25: Talk 3a2: Securing DNSSEC Keys via Threshold ECDSA from generic MPC. Kris Shrishak (TU Darmstadt)

• 10:25--10:50: Talk 3a3: UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts. Nikolaos Makriyannis (Fireblocks)

• 10:50--11:05: Break

Session 3b (talks): Session chair: Rene Peralta.

• 11:05--11:30: Talk 3b1: Multiparty Generation of an RSA Modulus. Schuyler Rosefield (Northeastern University)

• 11:30--11:55: Talk 3b2: Scaling Distributed RSA Modulus Generation with a Dishonest Majority. Muthu Venkitasubramaniam (Ligero; University of Rochsters)

• 11:55--12:20: Talk 3b3: How MPC Frameworks Use Threshold Cryptography. Marcella Hastings (University of Pennsylvania)

• 12:20--12:30: Break

Session 3c (briefs): Session chair: Luís Brandão.

• 12:30--12:36: Brief 3c1: Robustness for Dishonest Majority in Threshold ECDSA. Damian Straszak (Cardinal Cryptography)

• 12:36--12:42: Brief 3c2: A Multiparty Computation Approach to Threshold ECDSA. Jack Doerner (Northeastern University)

• 12:42--13:00+: Final comments