November 6, 2020
Nikolaos Makriyannis - Fireblocks
Abstract: Building on the Gennaro & Goldfeder and Lindell & Nof protocols (CCS ’18), we present two threshold ECDSA protocols, for any number of signatories and any threshold, that improve as follows over the state of the art:
- For both protocols, only the last round requires knowledge of the message, and the other rounds can take place in a preprocessing stage, lending to a non-interactive threshold ECDSA protocol.
- Both protocols withstand adaptive corruption of signatories. Furthermore, they include a periodic refresh mechanism and offer full proactive security.
- Both protocols realize an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, DDH, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.
- Both protocols achieve accountability by identifying corrupted parties in case of failure to generate a valid signature.
The two protocols are distinguished by the round-complexity and the identification process for detecting cheating parties. Namely:
- For the first protocol, signature generation takes only 4 rounds (down from the current state of the art of 8 rounds), but the identification process requires computation and communication that is quadratic in the number of parties.
- For the second protocol, the identification process requires computation and communication that is only linear in the number of parties, but signature generation takes 7 rounds.
These properties (low latency, compatibility with cold-wallet architectures, proactive security, identifiable abort and composable security) make the two protocols ideal for threshold wallets for ECDSA-based cryptocurrencies.
NIST Workshop on Multi-Party Threshold Schemes (MPTS) 2020. https://csrc.nist.gov/events/2020/mpts2020
Based on joint work with Ran Canetti, Rosario Gennaro, Steven Goldfeder and Udi Peled.