Date Published: August 12, 2022
Author(s)
Luís T. A. N. Brandão (Strativia), Michael Davidson (NIST)
Announcement
This report considers signature schemes that are compatible with the verification phase of the Edwards Curve Digital Signature Algorithm (EdDSA) specified in Draft Federal Information Processing Standards (FIPS) publication 186-5. The report analyzes threshold schemes, where the private signing key is secret-shared across multiple parties, and signatures can be produced without the parties reconstructing the key. Security holds even if up to a threshold number of parties has been compromised.
The report reviews the properties of EdDSA/Schnorr deterministic and probabilistic signature schemes, both in the conventional (non-threshold) and threshold setting, summarizing various known properties and approaches. These threshold signatures can allow for a drop-in replacement of conventional signatures without changing the legacy code used for verification. This work is useful to advance the NIST Multi-Party Threshold Cryptography project, which is also interested in other primitives. The document suggests that it is beneficial to further consult with the community of experts for security formulations, technical descriptions, and reference implementations.
The report includes a section for each of the following:
- Conventional setting: gives context of conventional EdDSA/Schnorr-style signature schemes and their security properties;
- Threshold approaches: summarizes various threshold approaches for deterministic and probabilistic schemes, at a high level;
- Further considerations: describes how various aspects only arise in the threshold setting, thus requiring a more sophisticated analysis with respect to the security formulation;
- Conclusions: identifies the need for additional analysis aided by the community of experts.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
Abstract
This report considers threshold signature schemes interchangeable with respect to the verification mechanism of the Edwards-Curve Digital Signature Algorithm (EdDSA). Historically, EdDSA is known as a variant of Schnorr signatures, which are well-studied and suitable for efficient thresholdization, i.e., for being computed when the private signing key is secret-shared across multiple parties. In the threshold setting, signatures remain unforgeable even if up to some threshold number of the cosigners become compromised. The report analyzes the conventional (non-threshold) EdDSA specification from Draft FIPS 186-5, reviews important security properties, with an emphasis on strong unforgeability, and distinguishes various approaches for corresponding threshold schemes. Notably, while providing better security assurances, threshold signatures can be used as a drop-in replacement for conventionally produced signatures, without changing legacy code for verification of authenticity. The report identifies various challenges and questions that would benefit from more attention, are of interest for future guidance and recommendations, and may be applicable beyond EdDSA.
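The drop-in property described above, as an added example that is not taken from the report or from NIST: a probabilistic t-of-n Schnorr signature whose output passes the same `verify` as a conventional signature, with the key never reconstructed. It assumes a toy Schnorr group instead of Edwards25519 and honest cosigners; all names and parameters are constructed for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use): p = 2q + 1, g has order q.
P, Q, G = 2039, 1019, 4

def challenge(R, Y, msg):
    """Fiat-Shamir challenge c = H(R, Y, msg) mod q."""
    data = f"{R}|{Y}|".encode() + msg
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % Q

def verify(Y, msg, sig):
    """Conventional Schnorr verification; it knows nothing about thresholds."""
    R, s = sig
    return pow(G, s, P) == (R * pow(Y, challenge(R, Y, msg), P)) % P

def sign(x, msg):
    """Conventional single-party signing, for comparison."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + challenge(R, pow(G, x, P), msg) * x) % Q

def share_key(x, t, n):
    """Shamir-share x: any t of the n shares determine it, fewer reveal nothing."""
    coeffs = [x] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of party i for interpolation at 0 over the signing set."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def threshold_sign(shares, Y, msg):
    """Simulates the signing set: nonce r_i and share x_i stay local, x is never rebuilt."""
    ids = list(shares)
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in ids}
    R = 1
    for i in ids:
        R = R * pow(G, nonces[i], P) % P  # only g^{r_i} is published (no commit round here)
    c = challenge(R, Y, msg)
    partials = [(nonces[i] + c * lagrange_at_zero(i, ids) * shares[i]) % Q for i in ids]
    return R, sum(partials) % Q
```

The partial values sum to r + c·x because the Lagrange-weighted shares interpolate x, which is why the verifier cannot tell the two signers apart. A scheme meant to withstand malicious cosigners needs more than this, for instance a commitment round for the nonces.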
Keywords
digital signatures; EdDSA; secure multi-party computation; Schnorr; threshold cryptography; threshold schemes
Control Families
None selected