A Multiparty Computation Approach to Threshold ECDSA

Joint work with: Jack Doerner, Eysa Lee, abhi Shelat

Note: this also counted as the 1st (out of three) introductory presentation to the panel "Threshold Protocols for the Digital Signature Standard"

Partial abstract: This paper reports on new protocols (appearing in [DKLs18, DKLs19]) for multi-party ECDSA key-generation and signing with arbitrary thresholds, that are secure against malicious adversaries in the Random Oracle Model assuming only the Computational Die-Hellman Assumption. We instantiate our protocols using the same hash function and elliptic curve group used by the ECDSA signature being computed. Our threshold t scheme requires log(t) + 6 rounds of communication with scope for adjustment to constant rounds if desired, and when t = 2 we provide an optimized two message protocol. We evaluate our implementations and nd that the wall-clock time for computing a signature through our two-party protocol comes to within a factor of 18 of local signatures. Concretely, two parties can jointly sign a message in just over three milliseconds. We also demonstrate the feasibility of signing with a low-power device (as in the setting of 2-factor authentication) by computing a signature between two Raspberry Pi devices in under 60 milliseconds.

(Click the above image to see video on Youtube)