An Efficient Two-Party ECDSA Scheme for Cryptocurrencies

Abstract

Threshold signatures have emerged as a promising solution to secure cryptocurrencies. While some signature algorithms like Schnorr, BLS, EdDSA are threshold-friendly, the structure of ECDSA makes it challenging to construct such schemes. As such the known threshold ECDSA schemes use complex zero-knowledge proofs. However, these impact their performance negatively. Further, these schemes have attempted to achieve efficiency in signature computation part while accepting complexity in the key generation. To be more specific, in the known 2-of-2 schemes the two parties need to perform key generation together to be able to run signature computation. In this work, we propose an efficient two-party ECDSA protocol that enables two parties to “aggregate” their ECDSA signature (on a single message) without participating in any kind of key generation process. Our protocol is based on additive sharing of (ECDSA) private keys and homomorphic properties of Paillier encryption. All the zero-knowledge proof we use are non-interactive. As a result, our key generation is 7x faster than state-of-the-art. In terms of overall time complexity, our scheme is comparable with state of the art 2-of-2 ECDSA scheme.

Appendices

Appendix 1. Elliptic Curve Digital Signature Algorithm

The ECDSA algorithm is parameterized by a group \(\mathcal {G} \) of order q generated by a point \(\texttt{G} \) on an elliptic curve over the finite field \(\mathbb {Z}_q\) of integers modulo a prime q. The curve coordinates and scalars are represented in \(\kappa = |q|\) bits, which is also the security parameter. The algorithm makes use of a hash function which we denote by \(\texttt{HASH} \). The ECDSA scheme consists of the following algorithms:

• KeyGen: The key generation algorithm consists of the following steps:

  • Select private-key: \(a \xleftarrow {\$} {\mathbb {Z}_q}\)

  • Compute public-key as the point (on \(\mathcal {G} \)) given by \(A = a\cdot \texttt{G} \).

• Sig: The signature generation algorithm takes as input a message \(\texttt{M} \) and computes the signature as below:

  • Hash \(\texttt{M} \) onto \({\mathbb {Z}_q}\): \(m \longleftarrow \texttt{HASH} (\texttt{M})\).

  • Generate nonce: \(k \xleftarrow {\$} {\mathbb {Z}_q}\).

  • Compute \(k \cdot \texttt{G} = R = (x_R, y_R, 1)\) and set \(r = x_R \pmod q\).

  • Set: .

  • Output \(\sigma =(r, \textbf{s})\) as a signature on \(\texttt{M} \)

• Ver: The signature verification algorithm takes as input a message \(\texttt{M} \) and signature \(\sigma =(r,\textbf{s})\) and verifies it as below:

  • Compute

  • Obtain hash of \(\texttt{M} \): \(m \longleftarrow \texttt{HASH} (\texttt{M})\).

  • Set (which simplifies to \(k \texttt{G} \))

  • If \(x_{R'} = r\) then return ‘signature valid’ else return ‘signature not valid’.

Appendix 2. NIZK Proof of Knowledge of Plaintext using Paillier Encryption

We use a NIZK protocol from [7] to prove knowledge of plaintexts \(X_1\) and \(X_2\) in zero knowledge, in Sect. 3.3, under ThreshSig algorithm. The following \(\sum \)-protocol provides a non-interactive ZKP that the prover has knowledge of the plaintext without revealing the plaintext to the approver. Let the input encryption be \(C_1=X_1\cdot G+N\cdot r\mod N^2\), where \(X_1\) is encrypted using randomness r. The proof proceeds as below:

1. 1.

   Prover P chooses \(x\in \mathbb {Z}_N\), \(u\in \mathbb {Z}_{N^2}^*\) at random and computesthefollowing and sends to the verifier:

   $$\begin{aligned} A=x\cdot G +N\cdot u \mod N^2 \end{aligned}$$
2. 2.

   The verifier picks a random challenge e and sends to the prover P.

3. 3.

   The prover P computes the following and sends to the verifier:

   $$\begin{aligned} w=x+eX_1 \mod N,\ z=u+e\cdot r \mod N^2 \end{aligned}$$
4. 4.

   The verifier checks the following:

   $$\begin{aligned} w\cdot G+N\cdot z {\mathop {=}\limits ^{?}} A+e\cdot C_1\mod N^2 \end{aligned}$$

   The verifier accepts the proof if and only if the above check passes.

   The above \(\sum \) protocol proves knowledge of \(X_1,r\) such that \(C_1=X_1\cdot G+N\cdot r\). A similar protocol is run to prove the knowledge of the plaintext \(X_2\) for ciphertext \(C_2\) with zero knowledge.

Appendix 3. Schnorr’s ZKP for Discrete Log

We give a zero-knowledge proof of discrete logarithm [10] given as input the description of a prime-order group \(\mathbb {G}\) of order q and a generator G, and a group element h. The prover has a witness a value \(x\in \mathbb {Z}_q\) such that \(x\cdot G=h\). The proof of discrete log without revealing the logarithm value proceeds as below:

1. 1.

   Prover P picks \(r\in \mathbb {Z}_q\), computes the value \(\rho =r\cdot G\) and \(e= \texttt{HASH} (\rho ,G,h)\).

2. 2.

   Next, it computes \(d=e\cdot x +r \mod q\) and sends \((d,\rho ,h)\) to the verifier.

3. 3.

   The verifier computes \(f=\texttt{HASH} (\rho , G,h)\) and accepts the proof if and only if the following check is satisfied:

   $$\begin{aligned} d\cdot P{\mathop {=}\limits ^{?}} f\cdot h +\rho \end{aligned}$$

The protocol proves the verifier that the prover knows the discrete log of h in zero knowledge.