U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

Presentation

UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts

November 6, 2020

Presenters

Nikolaos Makriyannis - Fireblocks

Description

Abstract: Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS ’18), we present two threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art:

  • For both protocols, only the last round requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol.
  • Both protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security.
  • Both protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
  • Both protocols achieve accountability by identifying corrupted parties in case of failure to generate a valid signature.

The two protocols are distinguished by the round-complexity and the identification process for detecting cheating parties. Namely:

  • For the first protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties.
  • For the second protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds.

These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies.

Presented at

NIST Workshop on Multi-Party Threshold Schemes (MPTS) 2020. https://csrc.nist.rip/events/2020/mpts2020

Based on joint work with Ran Canetti, Rosario Gennaro, Steven Goldfeder and Udi Peled.

Event Details

Location

    
                            

Related Topics

Security and Privacy: cryptography

Created May 04, 2021, Updated June 07, 2021