Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST Threshold Cryptography Workshop 2019

Two days of presentations about threshold schemes for multi-party and single-device settings.

Open the "Agenda" below to find links to the videos (Youtube icon) and slide-decks of the presentations.

Click here for a printable PDF version of the workshop schedule.

Agenda

All talks take place in the Green Auditorium in the Main Building (101) at the NIST campus in Gaithersburg, MD, USA

Badge pick-up (for on time and late arrivals) is done in front of the the Green auditorium — attendees need to pre-register to attend the conference.

Expected speakers are highlighted in bold.

Monday, March 11, 2019

8:00am--9:00am

Badge pick-up; light refreshments available.

Opening
9:00am--9:10am

NIST Computer Security Division welcoming Video
Matthew Scholl (NIST, USA)

Session I.1: Threshold Schemes

Chair: Rene Peralta (NIST, USA)

9:10am--9:25am
  1. Enter the Threshold (The NIST Threshold Cryptography Project) Video

Luís Brandão (NIST, USA)

9:25am--10:15am
  1. Invited Keynote: Threshold Cryptography: Ready for Prime Time? Video

Hugo Krawczyk (IBM Research, USA)

10:15am--10:40am
  1. Platform for Robust Threshold Cryptography Video

Christian Cachin (University of Bern, Switzerland), Hugo Krawczyk (IBM Research, USA), Tal Rabin (IBM Research, USA), Jason Resch (IBM, USA), Chrysoula Stathakopoulou (IBM research, Zurich, Switzerland)

10:40am--11:10am Coffee break
Session I.2: NIST Standards

 Chair: Andrew Regenscheid (NIST, USA)

11:10am--11:40am
  1. The NIST Standardization Approach on Cryptography ─ Past, Present, and Future Video

Lily Chen (NIST, USA)

11:40am--12:00pm
  1. NIST Status Update on Elliptic Curves and Post-Quantum Crypto Video

Dustin Moody (NIST, USA)

Session I.3: Threshold Post-Quantum

Chair: Daniel Apon (NIST, USA)

12:00pm--12:25pm
  1. Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme Video

Michael Kraitsberg (Unbound Technology, Israel), Yehuda Lindell (Bar-Ilan University, Israel; Unbound Technology, Israel), Valery Osheter (Unbound Technology, Israel), Nigel P. Smart (KU Leuven, Belgium; University of Bristol, UK), Younes Talibi Alaoui (KU Leuven, Belgium)

12:25pm--1:45pm Lunch
Session I.4: Threshold Signatures

Chair: Daniel Apon (NIST, USA)

1:45pm--2:10pm
  1. Fully Distributed Non-Interactive Adaptively-Secure Threshold Signature Scheme with Short Shares: Efficiency Considerations and Implementation Video

Benoît Libert (CNRS and ENS de Lyon, France), Marc Joye (OneSpan, Belgium), Moti Yung (Google Inc. and Columbia University, USA), Fabrice Mouhartem (ENS de Lyon, France)

2:10pm--2:35pm
  1. A Multiparty Computation Approach to Threshold ECDSA Video

Jack Doerner (Northeastern University, USA), Yashvanth Kondi (Northeastern University, USA), Eysa Lee (Northeastern University, USA), abhi shelat (Northeastern University, USA)

Session I.5: Panel on Threshold for DSS

 Chair: Hugo Krawczyk (IBM Research, USA) 

2:35pm--3:35pm

Threshold Protocols for the Digital Signature Standard Video


There were three introductory talks (the first one being the last talk of the previous session: I.4):

  1. A Multiparty Computation Approach to Threshold ECDSA. Yashvanth Kondi (Northeastern University, USA). Video
  2. Fast Secure Multiparty ECDSA. Samuel Ranellucci (Unbound Tech, Israel). Video
  3. Fast Multiparty Threshold ECDSA with Fast Trustless Setup. Rosario Gennaro (CUNY, USA). Video

Panel discussion: Video

  • Panelists: Samuel Ranellucci (Unbound Tech, Israel); Rosario Gennaro (CUNY, USA); abhi shelat (Northeastern University, USA)
  • Moderator: Hugo Krawczyk (IBM Research, USA)
3:35pm--4:05pm Coffee break
Session I.6: Validation

Chair: Michael Cooper (NIST, USA)

4:05pm--4:45pm
  1. Quo Vadis, Crypto Validation? Video

Apostol Vassilev (NIST, USA)

Session I.7: Discussion

Chair: Michael Cooper (NIST, USA)

4:45pm--5:30pm

Open discussion Video

Moderator: Nicky Mouha (NIST, USA)

Tuesday, March 12, 2019

8:00am--8:45am

Light refreshments available

Session II.1: Threshold Circuit Design

   Chair: Meltem S. Turan (NIST, USA)

8:45am--9:10am
  1. Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off Video

Dušan Božilov (NXP Semiconductors, Belgium; COSIC KU Leuven and imec, Belgium), Miroslav Knežević (NXP Semiconductors, Belgium), Ventzislav Nikov (NXP Semiconductors, Belgium)

9:10am--9:35am
  1. The pitfalls of threshold cryptography in hardware Video

Marco Macchetti (Kudelski Group, Switzerland), Karine Villegas (Kudelski Group, Switzerland), Claudio Favi (Kudelski Group, Switzerland)

09:35am--10:00am
  1. Threshold Cryptography against Combined Physical Attacks Video

Lauren De Meyer (KU Leuven, Belgium)

10:00am--10:25am
  1. VerMI: Verification Tool for Masked Implementations Video

Victor Arribas (KU Leuven, imec-COSIC, Belgium), Svetla Nikova (KU Leuven, imec-COSIC, Belgium), Vincent Rijmen (KU Leuven, imec-COSIC, Belgium)

10:25am--10:55am Coffee break
Session II.2: Panel on TIS

Chair: Svetla Nikova and Vincent Rijmen (KU Leuven, Belgium)

10:55am--12:10am

Theory of Implementation Security Panel Video

Moderators:

  • Svetla Nikova (KU Leuven, Belgium)
  • Vincent Rijmen (KU Leuven, Belgium)

Panelists:

  • Nigel Smart (KU Leuven, Belgium)
  • Ventzislav Nikov (NXP Semiconductors, Belgium)
  • Mike Hutter (Rambus, USA)
  • Junfeng Fan (Open Security Research, China)
  • Ruggero Susella (ST Microelectronics, Italy)
  • Emmanuel Prouff (ANSSI, France)
12:10pm--1:30pm Lunch
Session II.3: Other Threshold Primitives

 Chair: John Kelsey (NIST, USA)

1:30pm--1:55pm
  1. Efficient Leakage Resilient Secret Sharing Video

Peihan Miao (UC Berkeley, USA), Akshayaram Srinivasan (UC Berkeley, USA), Prashant Nalini Vasudevan (UC Berkeley, USA)

1:55pm--2:20pm
  1. DiSE: Distributed Symmetric-key Encryption Video

Shashank Agrawal (Visa Research, USA), Payman Mohassel (Visa Research, USA), Pratyay Mukherjee (Visa Research, USA), Peter Rindal (Visa Research, USA)

Session II.4:  Threshold Cryptography Applications and Experience

Chair: Michael Davidson (NIST, USA)

2:20am--3:10pm
  1. Invited Keynote: Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context Video

Andrew Poelstra (Blockstream, USA)

3:10pm-3:40pm

Coffee break

3:40pm--4:05pm
  1. SplitKey Case Study Video

Maximiliaan van de Poll (Cybernetica AS, Estonia), Aivo Kalu (Cybernetica AS, Estonia)

4:05pm--4:30pm
  1. Practical Threshold Cryptography for Cloud and Cryptocurrencies Video

Jakob Pagter (Sepior, Denmark)

4:30pm--4:55pm
  1. Practice Based Recommendations for Standardization of Threshold Cryptography Video

Daniel Shumow (Microsoft Research, USA)

Closing
4:55pm--5:15pm

Final remarks

Moderator:  Luís Brandão (NIST, USA) Video

Keynote 1 (Monday, March 11)

Speaker: Hugo Krawczyk (IBM Research, USA)

Title: Threshold Cryptography: Ready for Prime Time?

Abstract: The trend in trust decentralization together with the ever increasing value of digital assets (cryptocurrencies, blockchains, mega data repositories, key (mis)management, intellectual property, privacy, etc.) and the need to protect these assets for secrecy and availability, make threshold cryptography a most relevant technology whose time has come. We need to see more targeted applications as well as software platforms on which to build solutions that take into account real-world considerations such as asynchronous networks, support for diversified architectures, hardware enclaves, and more. Additionally, we need to refresh the set of techniques supporting threshold cryptography with advances in areas such as multi-party computation, quantum-resistant primitives, and blockchain-inspired consensus protocols. In addition to arguing these points, the talk will discuss some recent applications of threshold cryptography in the domain of key and password management, blockchain, and how threshold cryptography can be relevant to the #metoo movement.

Bio: Hugo Krawczyk is an IBM Fellow and Distinguished Research Staff Member with the Cryptography Group at the IBM T.J. Watson Research Center whose interests span theoretical and applied aspects of cryptography. He has contributed to the cryptographic design of numerous Internet standards, particularly IPsec, IKE, and SSL/TLS, and is a co-inventor of the HMAC message authentication algorithm. His most recent work in this area includes designs for TLS 1.3, the next generation TLS, and HKDF, the emerging standard for key derivation adopted by TLS 1.3, Signal, WhatsApp, Facebook Messenger and more. He has contributed to multiple areas of cryptography including to the theory and practice of key exchange, threshold and proactive cryptosystems, password authentication, and search on encrypted data. He is a Fellow of the International Association of Cryptologic Research (IACR) and the recipient of the 2015 RSA Conference Award for Excellence in the Field of Mathematics, the 2018 Levchin Prize for Contributions to Real-World Cryptography, and of multiple IBM awards, including two corporate awards.

 

Keynote 2 (Tuesday, March 12)

Speaker: Andrew Poelstra (Blockstream, USA)

Title: Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context

Abstract: Bitcoin, started in 2009, is a digital currency in which all activity is publicly verifiable. Coins are controlled by spending policies expressed in Bitcoin Script, a simple stack-based programming language which supports hash preimage challenges and digital signatures. Included in Bitcoin Script is a basic form of threshold ECDSA signature: a list of public keys and a threshold is specified; the coins can then be moved if threshold-many valid ECDSA signatures are provided in sequence.

This threshold scheme is inefficient in terms of both signature size and verification time (both linear in the threshold size), which are the two most important considerations for cryptosystems designed for inclusion on blockchains. Being explicitly specified, they also represent a fungibility loss as threshold-controlled coins are visibly distinct from non-threshold-controlled coins. However, they achieve several practical goals which have proved difficult to preserve in more efficient threshold schemes: they are noninteractive; they require no persistent state during signing; they work in the plain public-key model and require no interactive key setup; their security follows immediately from the security of the underlying ECDSA scheme even when signing counterparties are considered to be adversarial.

In this talk we describe our work in developing a multisignature scheme for Bitcoin, called MuSig, which supports an extension to threshold signatures, over the last several years. We describe how consideration of both practical use cases and formal security models guided the evolution of our goals, and the unexpected tradeoffs that we found ourselves forced to make.

Bio: Andrew Poelstra is a Mathematician at Blockstream. He has dabbled in software development for the last twenty years, in open-source cryptography for ten. He became involved in Bitcoin in late 2011, and joined Blockstream cofounders Greg Maxwell and Pieter Wuille in developing the high-performance cryptography library libsecp256k1. His latest major project has been Mimble Wimble which is described as a blockchain design with no script support and blinded amounts. Like proverbial black holes, transaction outputs have no hair. This simplicity allows aggressive compaction and aggregation, resulting in a blockchain with much better scalability than any other design to date. He has a Bachelor of Science in Mathematics from Simon Fraser University. While completing his Masters of Arts at the University of Texas at Austin, he wrote and co-wrote several papers about Bitcoin, practical cryptography and mathematics.

Call for submissions

NIST is interested in promoting the security of implementations of cryptographic primitives. This security depends not only on the theoretical properties of the primitives but also on the ability to withstand attacks on their implementations. It is thus important to mitigate breakdowns that result from differences between ideal and real implementations of cryptographic algorithms.

Threshold schemes for cryptographic primitives have the potential to strengthen the secrecy of cryptographic keys, as well as to enhance integrity and availability of the implemented primitives, including providing resistance against side-channel and fault attacks.

NIST seeks to discuss aspects of threshold cryptography (used as an umbrella term) in a wide range of application environments and the potential future standardization of threshold schemes for cryptographic primitives. Therefore, NIST is soliciting papers, presentations, panel proposals, and participation from any interested parties. NIST will post the accepted papers and presentations on the workshop website; however, no formal workshop proceedings will be published.

Topics include, but are not limited to:

  • Security criteria, resource requirements and characteristics of real-world applications of threshold cryptographic systems

  • Threshold techniques, including techniques related to secure multi-party computation and intrusion-tolerant distributed systems, both in hardware and software

  • Case studies of deployed threshold systems

  • Evaluation of security, reliability, threats and attacks in threshold cryptography

  • Design, analysis and implementation of threshold schemes for cryptographic primitives

  • Challenges in testing and validation of threshold cryptographic systems

  • Benchmarking of threshold schemes in hardware and software

  • Countermeasures against side-channel and fault attacks using threshold approaches

  • Threshold cryptography for blockchain, cloud computing, hardware security modules (HSMs), and the Internet of Things (IoT)

Important dates

Submission deadline: December 17, 2018

Notification deadline: (Tentative) February 08, 2019 (previous January 15 deadline was postponed due to Government Shutdown)

Registration deadline: February 18, 2019 Extended to March 04, 2019 and is now closed. 

Workshop: March 11-12, 2019

How to submit

Submissions must be provided electronically in PDF format. Paper submissions should not exceed 15 pages. Proposals for presentations or panels should be no longer than 5 pages; panel proposals should identify possible panelists and an indication of which panelists have confirmed their participation.

Please submit to ntcw2019@nist.gov:

  • Contact details of the authors
  • The paper, presentation or panel proposal in PDF format as an attachment.

Click here for a PDF of this call for submissions.

Accepted panels:

  • Threshold Protocols for the Digital Signature Standard. Organizer: Rosario Gennaro. Panelists: Rosario Gennaro1, abhi shelat2, Samuel Ranellucci3, Hugo Krawczyk4 (moderator). (1 CUNY, USA; 2 Northeastern University, USA; 3 Unbound Tech, Israel; 4 IBM Research, USA)
  • Theory of Implementation Security Panel. Organizers: Organizers: Svetla Nikova1, Vincent Rijmen1. Panelists: Nigel Smart1, Ventzislav Nikov2, Mike Hutter3, Junfeng Fan4, Ruggero Susella5, Emmanuel Prouff6. (1 KU Leuven, Belgium; 2 NXP Semiconductors; 3 Rambus, USA; 4 Open Security Research; 5 ST Microelectronics; 6 ANSSI, France)

Accepted papers:

Presentation proposals:

  • Platform for Robust Threshold Cryptography. Christian Cachin1, Hugo Krawczyk2, Tal Rabin2, Jason Resch3, Chrysoula Stathakopoulou4. (1 University of Bern, Switzerland; 2 IBM Research, USA; 3 IBM, USA; 4 IBM research, Zurich, Switzerland)
  • Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off. Dušan Božilov1,2, Miroslav Knežević1, Ventzislav Nikov1. (1 NXP Semiconductors, Belgium; 2 COSIC KU Leuven and imec, Belgium)
  • The pitfalls of threshold cryptography in hardware. Marco Macchetti, Karine Villegas, Claudio Favi. (Kudelski Group, Switzerland)
  • Threshold Cryptography against Combined Physical Attacks. Lauren De Meyer (KU Leuven, Belgium)
  • VerMI: Verification Tool for Masked Implementations. Victor Arribas, Svetla Nikova, Vincent Rijmen. (KU Leuven, imec-COSIC, Belgium)
  • SplitKey Case Study. Maximiliaan van de Poll, Aivo Kalu. (Cybernetica AS, Estonia)
  • Practical Threshold Cryptography for Cloud and Cryptocurrencies. Jakob Pagter. (Sepior, Denmark)
  • Practice Based Recommendations for Standardization of Threshold Cryptography. Daniel Shumow. (Microsoft Research, USA)

NIST presentations

  • NIST Computer Security Division welcoming. Matthew Scholl
  • Enter the Threshold (The NIST Threshold Cryptography Workshop). Luís Brandão
  • The NIST Standardization Approach on Cryptography ─ Past, Present, and Future. Lily Chen
  • NIST Status Update on Elliptic Curves and Post-Quantum Crypto. Dustin Moody
  • Quo Vadis, Crypto Validation? Apostol Vassilev
  • Open discussion. Nicky Mouha

Organization (NIST Computer Security Division)

  • Co-chairs and program committee: Luís Brandão, Nicky Mouha, Apostol Vassilev
  • Administrative organization: Sara Kermans, Pauline Truong, Mary Lou Norris
  • (Non-panel) Session Chairs: Rene Peralta, Andrew Regenscheid, Daniel Apon, Michael Cooper, Meltem Sönmez Turan, John Kelsey, Michael Davidson

Information for attendees

In-person registration has closed. 

WEBCAST option: Webcast registration is not required to view the live stream, but registered viewers will receive a reminder and updates prior to the webcast. You may participate by emailing your questions or comments to ntcw2019@nist.gov or join our Twitter chat using #NTCW2019.

Requirements: You will need a broadband connection and a current browser with Adobe Flash and/or HTML 5 support. Caption features may not be available on iOS or Android devices. If you're having trouble viewing the live stream, please try refreshing the page to reconnect to the live video. You can also try another browser such as Chrome. If you still can't see the video you may have a firewall issue. Each live webcast will provide an alternate You Tube link the day of the event. A full recording will also be available within one week of the event.

All visitors to the NIST campus must be pre-registered.  There is no onsite registration for meetings held at NIST.

A block of rooms has been reserved for the NIST Threshold Cryptography Workshop 2019:

Courtyard by Marriott Washingtonian Center --- 204 Boardwalk Place  Gaithersburg  MD  20878

Room Rate: $179/night + applicable taxes

The rate includes breakfast for one person each morning and transportation to/from NIST in the morning and at the close of the meeting each day.

Room reservations must be made by February 19, 2019, to guarantee the discounted room block rate (click the following link):

CLICK HERE to book your group rate for NIST Threshold Cryptography Workshop Room Block

To reserve by phone, please call 1-800-321-2211 and reference the “NIST Threshold Cryptography Workshop” room block.

Tentative Shuttle Schedule

  • 3/11—7:30AM Hotel to NIST;       5:45PM NIST to Hotel
  • 3/12—7:30AM Hotel to NIST;       5:30PM NIST to Hotel

Please see the “NIST Visitor Information” webpage --- https://www.nist.gov/about-nist/visit --- for local information (directions, parking, additional area hotels)

All visitors to the NIST campus must be pre-registered. There is no onsite registration for meetings at NIST.

All attendees must be pre-registered to gain entry to the NIST campus. Photo identification must be presented at the main gate to be admitted to the conference. International attendees are required to present a passport. Attendees must wear their conference badge at all times while on the campus.

We offered a free live webcast option: link full video 1st day; link full video 2nd day.

Join the conversation about this workshop using #NTCW2019.

Selected Presentations
March 11, 2019 Type
9:10 AM NTCW2019 Enter the Threshold (The NIST Threshold Cryptography Workshop)
Luís T.A.N. Brandão - NIST

Opening talk of the NIST Threshold Cryptography Workshop (NTCW) 2019, explaining the scope of the project and showing the agenda for the workshop.

NTCW2019 Enter the Threshold. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
9:25 AM Threshold Cryptography: Ready for Prime Time?
Hugo Krawczyk - IBM Research

Abstract: The trend in trust decentralization together with the ever increasing value of digital assets (cryptocurrencies, blockchains, mega data repositories, key (mis)management, intellectual property, privacy, etc.) and the need to protect these assets for secrecy and availability, make threshold cryptography a most relevant technology whose time has come. We need to see more targeted applications as well as software platforms on which to build solutions that take into account real-world considerations such as asynchronous networks, support for diversified architectures, hardware enclaves, and more. Additionally, we need to refresh the set of techniques supporting threshold cryptography with advances in areas such as multi-party computation, quantum-resistant primitives, and blockchain-inspired consensus protocols. In addition to arguing these points, the talk will discuss some recent applications of threshold cryptography in the domain of key and password management, blockchain, and how threshold cryptography can be relevant to the #metoo movement.

Threshold Cryptography: Ready for Prime Time? Click to watch the video.

(Click the above image to see video on Youtube)

Keynote
10:15 AM Platform for Robust Threshold Cryptography
Jason Resch - IBM

Joint work with Christian Cachin, Hugo Krawczyk, Tal Rabin, Chrysoula Stathakopoulou

Partial abstract: We introduce ‘PROTECT’ a Platform for Robust Threshold Cryptography. It’s a freely available open-source project [1], and it can be readily deployed to implement a number of threshold-secure services. PROTECT implements cryptographic functionality as operations on shares of a physically distributed key. The implementation is robust in the sense that it tolerates and recovers from Byzantine faults, while preserving availability and confidentiality of the shared secret through share recovery and proactive share renewal operations.

Platform for Robust Threshold Cryptography. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
11:10 AM The NIST Standardization Approach on Cryptography ─ Past, Present, and Future
Lily Chen - NIST

The NIST Standardization Approach on Cryptography ─ Past, Present, and Future. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
11:40 AM NIST Status Update on Elliptic Curves and Post-Quantum Crypto
Dustin Moody - NIST

NIST Status Update on Elliptic Curves and Post-Quantum Crypto. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
12:25 PM Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme
Nigel Smart - KU Leuven & University of Bristol

Joint work with: Michael Kraitsberg, Yehuda Lindell, Valery Osheter, Younes Talibi Alaoui.

Abstract: We show how to build distributed key generation and distributed decryption procedures for the LIMA Ring-LWE based post-quantum cryptosystem. Our protocols implement the CCA variants of distributed decryption and are actively secure (with abort) in the case of three parties and honest majority. Our protocols make use of a combination of problem specific MPC protocols, generic garbled circuit based MPC and generic Linear Secret Sharing based MPC. We also, as a by-product, report on the first run-times for the execution of the SHA-3 function in an MPC system.

Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
1:45 PM Fully Distributed Non-Interactive Adaptively-Secure Threshold Signature Scheme with Short Shares: Efficiency Considerations and Implementation
Fabrice Mouhartem - ENS de Lyon

Joint work with: Benoı̂t Libert, Marc Joye, Moti Yung.

Partial Abstract. We present a practical fully distributed non-interactive scheme — where the servers can compute their partial signatures without communication with other servers —with adaptive security (i.e., the adversary corrupts servers dynamically based on its full view of the history of the system). Our scheme is very efficient in terms of computation, communication, and scalable storage (with private key shares of size O(1), where certain solutions incur O(n) storage costs at each server). Unlike other adaptively secure schemes, our scheme is erasure-free. Of particular interest is the fact that Pedersen’s traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is set up although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round in the absence of faulty player.

Fully Distributed Non-Interactive Adaptively-Secure Threshold Signature Scheme with Short Shares: Efficiency Considerations and Implementation. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
2:10 PM A Multiparty Computation Approach to Threshold ECDSA
Yashvanth Kondi - Northeastern University

Joint work with: Jack Doerner, Eysa Lee, abhi Shelat

Note: this also counted as the 1st (out of three) introductory presentation to the panel "Threshold Protocols for the Digital Signature Standard"

Partial abstract: This paper reports on new protocols (appearing in [DKLs18, DKLs19]) for multi-party ECDSA key-generation and signing with arbitrary thresholds, that are secure against malicious adversaries in the Random Oracle Model assuming only the Computational Die-Hellman Assumption. We instantiate our protocols using the same hash function and elliptic curve group used by the ECDSA signature being computed. Our threshold t scheme requires log(t) + 6 rounds of communication with scope for adjustment to constant rounds if desired, and when t = 2 we provide an optimized two message protocol. We evaluate our implementations and nd that the wall-clock time for computing a signature through our two-party protocol comes to within a factor of 18 of local signatures. Concretely, two parties can jointly sign a message in just over three milliseconds. We also demonstrate the feasibility of signing with a low-power device (as in the setting of 2-factor authentication) by computing a signature between two Raspberry Pi devices in under 60 milliseconds.

A Multiparty Computation Approach to Threshold ECDSA. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
2:40 PM Fast Secure Multiparty ECDSA
Samuel Ranellucci - Unbound Tech

This was the 2nd of three introductory talks in the panel discussion "Threshold Protocols for the Digital Signature Standard".

Fast Secure Multiparty ECDSA. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
2:55 PM Fast Multiparty Threshold ECDSA with Fast Trustless Setup
Rosario Gennaro - The City College of New York/CUNY

This was the 3rd of three introductory talks in the panel discussion "Threshold Protocols for the Digital Signature Standard".

Fast Multiparty Threshold ECDSA with Fast Trustless Setup. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
2:55 PM Panel: Threshold Protocols for the Digital Signature Standard
Hugo Krawczyk - IBM Research
Rosario Gennaro - The City College of New York/CUNY
Samuel Ranellucci - Unbound Tech
Abhi Shelat - Northeastern University

Partial abstract from the panel proposal: Due to the intense commercial interest in threshold protocols for DSA based signatures, we believe that a panel on the status of threshold protocols for DSA, and its maturity for standardization would be a very relevant and interesting addition to the NIST Workshop.

The panel, introduced by Hugo Krawczyk (IBM Research, USA), was composed of three introductory talks (the first of which is from the previous session, by Yashvanth Kondi), followed by a panel discussion.


Introduction talks:

  1. [Merged with previous session] A Multiparty Computation Approach to Threshold ECDSA. Speaker: Yashvanth Kondi. Joint work with: Jack Doerner, Eysa Lee, abhi shelat. (Northeastern University, USA).
  2. Fast Secure Multiparty ECDSA. Speaker: Samuel Ranellucci (Unbound Tech, Israel).
  3. Fast Multiparty Threshold ECDSA with Fast Trustless Setup. Speaker: Rosario Gennaro (CUNY, USA). Joint work with Steven Goldfeder.

Panel discussion. Moderator: Hugo Krawczyk (IBM Research, USA). Panelists: Samuel Ranellucci (Unbound Tech, Israel); Rosario Gennaro (CUNY, USA); abhi shelat (Northeastern University, USA).

Panel: Threshold Protocols for the Digital Signature Standard. Click to watch the video.

(Click the above image to see video on Youtube)

 

Panel
4:05 PM Quo Vadis, Crypto Validation?
Apostol Vassilev - NIST

Quo Vadis, Crypto Validation? Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
4:45 PM Open discussion
Meltem Sönmez Turan - NIST

Open discussion. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
March 12, 2019 Type
8:45 AM Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off
Ventzislav Nikov - NXP Semiconductors

Joint work with: Dušan Božilov, Miroslav Knežević.

Abstract. Threshold implementation (TI) is a popular hardware masking technique, being used in some of the current most efficient side-channel secure designs. Earlier versions of TI are characterized by the number of input shares being dependant on both security order d and algebraic degree of a function t, namely td + 1. Later, the bound was reduced to d + 1, with the cost of increasing the number of output shares and requirements of the input shares. In this work, we utilize the optimized sharing method to investigate the impact of the number of S-box stages on the area and latency of the final design, with the two extreme cases of fully decomposed S-box and a single stage S-box. Finally, we show the trade-off on d+1 and td + 1 TI, for first- and second-order secure, low-latency and low-energy implementations of the PRINCE block cipher.

Optimized Threshold Implementations: Number of Shares and Area/Latency Trade-off. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
9:10 AM The Pitfalls of Threshold Cryptography in Hardware
Marco Macchetti - Kudelski Group

Joint work with: Karine Villegas, Claudio Favi.

Partial abstract. This presentation will discuss the interaction between side channel protections and high-speed hardware implementations; we will show that in some way these objectives are contradictory by discussing concrete examples. By deriving conclusions, we will state an important open problem, that we think must be considered in the threshold standardization effort.

The Pitfalls of Threshold Cryptography in Hardware. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
9:35 AM Threshold Cryptography against Combined Physical Attacks
Lauren De Meyer - KU Leuven

Partial abstract. In this talk we will discuss two recent proposals in this area: CAPA and M&M, which both start from passively secure threshold schemes and extend those with information-theoretic MAC tags for protection against active adversaries. While similar in their most basic structure, the two proposals explore very different adversary models and thus employ completely different implementation techniques. CAPA considers the field-probe-and-fault model, which is the embedded analogue of multiple parties jointly computing a function with at least one of the parties honest. Accordingly, CAPA is strongly based on the actively secure MPC protocol SPDZ and inherits its provable security properties in this model. Since this results in very expensive implementations, M&M works in a similar but more realistic adversary model and uses existing building blocks from previous passively secure implementations to build more efficient actively secure threshold cryptography.

Threshold Cryptography against Combined Physical Attacks. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
10:00 AM VerMI: Verification Tool for Masked Implementations
Victor Arribas - KU Leuven

Joint work with: Sveta Nikova, Vincent Rijmen.

Abstract. Masking is a widely used countermeasure against Side-Channel Attacks, nonetheless, the implementation of these countermeasures is challenging. Experimental security evaluation requires special equipment, a considerable amount of time, and extensive technical knowledge. Therefore, to automate and to speed up this process, a formal verification can be performed to asses the security of a design. In this work we present VerMI, a verification tool in the form of a logic simulator that checks the properties defined in Threshold Implementations to address the security of a hardware implementation for meaningful orders of security. The tool is designed so that any masking scheme can be evaluated. It accepts combinational and sequential logic and is able to analyze an entire cipher in short time. With the tool we have managed to spot a flaw in the round-based KECCAK implementation by Gross et al., published in DSD 2017.

VerMI: Verification Tool for Masked Implementations. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
10:55 AM Panel: Theory of Implementation Security
Svetla Nikova - KU Leuven
Vincent Rijmen - KU Leuven
Nigel Smart - KU Leuven
Ventzislav Nikov - NXP Semiconductors
Mike Hutter - Rambus
Junfeng Fan - Open Security Research
Ruggero Susella - ST Microelectronics
Emmanuel Prouff - ANSSI

Partial abstract (from the proposal): The panel will include panelists from industry, academia and security evaluation labs. We aim to discus the security levels and cost efficiency associated with such countermeasures from industry point of view and recent on research challenges and opportunities for standardization.

Moderators: Svetla Nikova (KU Leuven, Belgium); Vincent Rijmen (KU Leuven, Belgium).

Panelists: Nigel Smart (KU Leuven, Belgium); Ventzislav Nikov (NXP Semiconductors, Belgium); Mike Hutter (Rambus, USA); Junfeng Fan (Open Security Research, China); Ruggero Susella (ST Microelectronics, Italy); Emmanuel Prouff (ANSSI, France).

Panel: Theory of Implementation Security. Click to watch the video.

(Click the above image to see video on Youtube)

Panel
1:30 PM Efficient Leakage Resilient Secret Sharing
Prashant Vasudevan - University of California, Berkeley

Joint work with: Peihan Miao (UC Berkeley, USA), Akshayaram Srinivasan (UC Berkeley, USA).

Partial abstract. In this work, we present local leakage resilient threshold secret sharing schemes with constant rate for any threshold. Furthermore, our scheme has optimal leakage-resilience rate, i.e., the ratio between the leakage tolerated and the size of each share can be made arbitrarily close to 1. We implement a variant of our scheme (that has worse rate and leakage-resilience rate, but better computational efficiency), and present comparisons of its performance to that of Shamir’s secret sharing scheme (Shamir, Commun. ACM 1979). Our construction generalizes to a rate-preserving compiler that adds local leakage-resilience to any secret sharing scheme for any monotone access structure.

Efficient Leakage Resilient Secret Sharing. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
1:55 PM DiSE: Distributed Symmetric-key Encryption
Shashank Agrawal - Visa Research

Joint work with: Payman Mohassel (Visa Research, USA), Pratyay Mukherjee (Visa Research, USA), Peter Rindal (Visa Research, USA)

Partial abstract: We put forth the first formal treatment for distributed symmetric-key encryption, proposing new notions of correctness, privacy and authenticity in presence of malicious attackers. We provide strong and intuitive game-based definitions that are easy to understand and yield efficient constructions. We propose a generic construction of threshold authenticated encryption based on any distributed pseudorandom function (DPRF). When instantiated with the two different DPRF constructions proposed by Naor, Pinkas and Reingold (Eurocrypt 1999) and our enhanced versions, we obtain several efficient constructions meeting different security definitions. We implement these variants and provide extensive performance comparisons. Our most efficient instantiation uses only symmetric-key primitives and achieves a throughput of upto 1 million encryptions/decryptions per seconds, or alternatively a sub-millisecond latency with upto 18 participating parties.

DiSE: Distributed Symmetric-key Encryption. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
2:20 PM Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context
Andrew Poelstra - Blockstream

Abstract: Bitcoin, started in 2009, is a digital currency in which all activity is publicly verifiable. Coins are controlled by spending policies expressed in Bitcoin Script, a simple stack-based programming language which supports hash preimage challenges and digital signatures. Included in Bitcoin Script is a basic form of threshold ECDSA signature: a list of public keys and a threshold is specified; the coins can then be moved if threshold-many valid ECDSA signatures are provided in sequence.

This threshold scheme is inefficient in terms of both signature size and verification time (both linear in the threshold size), which are the two most important considerations for cryptosystems designed for inclusion on blockchains. Being explicitly specified, they also represent a fungibility loss as threshold-controlled coins are visibly distinct from non-threshold-controlled coins. However, they achieve several practical goals which have proved difficult to preserve in more efficient threshold schemes: they are noninteractive; they require no persistent state during signing; they work in the plain public-key model and require no interactive key setup; their security follows immediately from the security of the underlying ECDSA scheme even when signing counterparties are considered to be adversarial.

In this talk we describe our work in developing a multisignature scheme for Bitcoin, called MuSig, which supports an extension to threshold signatures, over the last several years. We describe how consideration of both practical use cases and formal security models guided the evolution of our goals, and the unexpected tradeoffs that we found ourselves forced to make.

Challenges for Multisignature and Threshold Signature Implementation in a Bitcoin Context. Click to watch the video.

(Click the above image to see video on Youtube)

Keynote
3:40 PM SplitKey Case Study
Maximiliaan van de Poll - Cybernetica AS
Aivo Kalu - Cybernetica AS

Partial abstract: Cybernetica would like to present the case study of the SplitKey Authentication and Digital Signature Platform, which is based on the threshold cryptography digital signature scheme. The document outlines the cryptographical design of the scheme, the key pair generation and the signing and also explains how the security of SplitKey has been formally evaluated.

SplitKey Case Study. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
4:05 PM Practical Threshold Cryptography for Cloud and Cryptocurrencies
Jakob Pagter - Sepior

Abstract. In this presentation we report on the efforts of Danish company Sepior on commercializing solutions based on Threshold Cryptography (TC). The contribution of this presentation is to:

  1. Present the “historical” lineage of Sepior going back to the sugar beet auction in 2008 [8]
  2. Two commercial case studies for TC
  3. Discuss challenges for commercial application of TC

Practical Threshold Cryptography for Cloud and Cryptocurrencies. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
4:30 PM Practice Based Recommendations for Standardization of Threshold Cryptography
Dan Shumow - Microsoft Research

Abstract. This talk will make recommendations for the standardization of Threshold Cryptography (TC) based on experiences of investigating and designing uses of TC in deployed software systems. The talk will present representative examples of TC solutions considered for deployed software systems. In most cases, these solutions were not chosen, and the talk will present an analysis of the reasons for this. Finally, this talk will discuss recommendations for standardization of TC motivated by these lessons learned.

Practice Based Recommendations for Standardization of Threshold Cryptography. Click to watch the video.

(Click the above image to see video on Youtube)

Presentation
4:55 PM NTCW19 Final remarks
Various intervenients

Thank you notes; a recollection of the discussed topics; an opportunity for final remarks by the audience.

NTCW Final Remarks. Click to watch the video.

(Click on the above image to see video on Youtube)

Presentation

Event Details

Starts: March 11, 2019 - 08:00 AM EDT
Ends: March 12, 2019 - 05:15 PM EDT

Format: Both Type: Workshop

Agenda

Attendance Type: Open to public
Audience Type: Industry,Government,Academia


Location

NIST, Gaithersburg campus

Created August 16, 2018, Updated June 16, 2021