"Preview Talk" (by Team SplitForge) @ MPTS 2026, in reply to the NIST Threshold Call
Abstract. This talk showcases a set of signing an decryption protocols for two (main) parties, the descriptions, prototype implementations and benchmarking results of which we intend to package and submit to the Threshold Call of the National Institute of Standards and Technology (NIST). The commonality of the showcased protocols lies in the roles and the security capabilities of the two parties. We consider the setting where one of the parties initiates protocol runs and the second one responds while trying to authenticate the first party. Additionally, in the considered setting, the first party's ability to protect its keyshare is less than adequate --- its encrypted memory may leak to the adversary, and the encryption key may only have low entropy. We discuss the security properties that a protocol deployed in this setting (which we call "server-assisted" signing / decryption) should satisfy, and justify the interest towards this setting by existing large-scale deployments. We show protocols for signing with RSA, signing with ECDSA, and for (non-standard) decryption, all with these properties. Finally, we present a protocol for two-party ML-DSA signing (with a third, offline party creating correlated random values). This protocol has not (yet) been designed for server-assisted setting, but should be easy to adapt.
Joint work: Peeter Laud, Alisa Pankova, Nikita Snetkov, Jelizaveta Vakarjuk, Petr Muzikant, Aivo Kalu, Burak Can Kus, Semjon/Sona Kravtšenko, Raul-Martin Rebane, Mart Oruaas.
[Slides] Suggested readings:
- Preview Writeup: SplitKey: Two-Party Signing and Decryption with Extra Features
- Trilithium: Efficient and Universally Composable Distributed ML-DSA Signing (ia.cr/2025/675)
- Universally Composable Server-Supported Signatures for Smartphones (ia.cr/2024/1941)
