
Bandwidth-Efficient Threshold EC-DSA

Part of the Lecture Notes in Computer Science book series (LNSC, volume 12111)

Abstract

Threshold signatures allow n parties to share the power of issuing digital signatures so that any coalition of size at least \(t+1\) can sign, whereas groups of t or fewer players cannot. Over the last few years many schemes have addressed the question of realizing efficient threshold variants for the specific case of EC-DSA signatures. In this paper we present new solutions to the problem that aim at reducing the overall bandwidth consumption. Our main contribution is a new variant of the Gennaro and Goldfeder protocol from ACM CCS 2018 that avoids all the required range proofs, while retaining provable security against malicious adversaries in the dishonest majority setting. Our experiments show that – for all levels of security – our signing protocol reduces the bandwidth consumption of the best previously known secure protocols by factors varying between 4.4 and 9, while key generation is consistently two times less expensive. Furthermore, compared to these same protocols, our signature generation is faster for 192 bits of security and beyond.
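The access structure the abstract describes (any \(t+1\) of n parties can sign, any t cannot) rests on Shamir sharing [47] of the EC-DSA secret key over \(\mathbb{Z}_q\), and GG18-style signing coalitions first turn their Shamir shares into additive shares using Lagrange coefficients. The following is an added example, not code from the paper or its authors: it assumes q is the secp256k1 group order and implements only the key-sharing and share-conversion arithmetic, with no networking, encryption or signing.

```python
"""
Added example (not the paper's code): (t, n)-threshold sharing of an EC-DSA
secret key over Z_q, plus the Shamir-to-additive share conversion that a
signing coalition of t+1 parties performs before running a signing protocol.
Assumption: q is the secp256k1 group order (labelled below).
"""
import secrets

# Assumed parameter: order of the secp256k1 base point.
# Every EC-DSA secret key is an element of Z_q.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def share_secret(secret, t, n, rand=secrets.randbelow):
    """Split `secret` into n Shamir shares of a random degree-t polynomial.
    Any t+1 shares determine the secret; any t shares are consistent with
    every possible secret. Returns a list of (index, value) pairs."""
    if not 1 <= t + 1 <= n:
        raise ValueError("need 1 <= t+1 <= n")
    # f(X) = secret + a_1 X + ... + a_t X^t with uniformly random a_i in Z_q.
    coeffs = [secret % Q] + [rand(Q) for _ in range(t)]
    shares = []
    for i in range(1, n + 1):
        # Horner evaluation of f(i) mod q.
        y = 0
        for c in reversed(coeffs):
            y = (y * i + c) % Q
        shares.append((i, y))
    return shares


def lagrange_coefficient(i, indices):
    """lambda_i such that f(0) = sum_i lambda_i * f(i) over the given index set."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = (num * (-j)) % Q
            den = (den * (i - j)) % Q
    return (num * pow(den, -1, Q)) % Q


def to_additive_shares(shares):
    """Convert the shares held by a coalition into additive shares
    w_i = lambda_i * x_i, so that sum(w_i) = secret (mod q) whenever the
    coalition holds at least t+1 shares."""
    indices = [i for i, _ in shares]
    return [(i, (lagrange_coefficient(i, indices) * y) % Q) for i, y in shares]


def reconstruct(shares):
    """Interpolate at 0. Correct only for a coalition of size >= t+1;
    a smaller coalition gets a value unrelated to the secret."""
    return sum(w for _, w in to_additive_shares(shares)) % Q


if __name__ == "__main__":
    t, n = 2, 5
    x = secrets.randbelow(Q)          # constructed sample secret key
    shares = share_secret(x, t, n)
    print("t+1 shares reconstruct the key:", reconstruct(shares[:t + 1]) == x)
    print("a different t+1 coalition too:", reconstruct(shares[-(t + 1):]) == x)
    print("t shares do not:", reconstruct(shares[:t]) != x)
```

`to_additive_shares` is the step that lets a coalition of \(t+1\) signers behave as if they held an n-out-of-n additive sharing of x, which is the form the GG18-style signing phase consumes; the Lagrange coefficients depend only on which indices participate, so each party can compute its own \(w_i\) locally without any interaction.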



Notes

  1. But still twice as slow as the stripped-down [GG18] protocol.

  2. This can be done as in [CCL+19] (without relying on the strong root assumption).

  3. For correctness Bob also needs to multiply the signed message \(m'\) by \(y \bmod q\) during the signature algorithm.

  4. These are the best performing protocols using construction techniques similar to ours (from homomorphic encryption) and achieving the same functionality, i.e. \((t, n)\)-threshold ECDSA for any t s.t. \(n \ge t + 1\). We do not compare to [DKLs18, DKLs19] as they use OT, which leads to protocols with a much higher communication cost. Similarly, and as noted in [DKO+19], a direct comparison to [DKO+19, SA19] is difficult as they rely on preprocessing to achieve efficient signing, which is a level of optimisation we have not considered. We do not compare to [GGN16, BGG17] as [GG18] is already faster and cheaper in terms of communication complexity.

  5. Broadcasting one element is counted as sending one element.

References

  1. Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25


  2. Boneh, D., Bünz, B., Fisch, B.: A survey of two verifiable delay functions. Cryptology ePrint Archive, Report 2018/712 (2018)


  3. Biehl, I., Buchmann, J., Hamdy, S., Meyer, A.: A signature scheme based on the intractability of computing roots. Des. Codes Crypt. 25(3), 223–236 (2002)


  4. Belabas, K.: On quadratic fields with large 3-rank. Math. Comput. 73(248), 2061–2074 (2004)


  5. Boneh, D., Gennaro, R., Goldfeder, S.: Using level-1 homomorphic encryption to improve threshold DSA signatures for bitcoin wallet security. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 352–377. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_19


  6. Buchmann, J., Hamdy, S.: A survey on IQ cryptography. In: Public Key Cryptography and Computational Number Theory. De Gruyter Proceedings in Mathematics (2001)


  7. Biasse, J.-F., Jacobson, M.J., Silvester, A.K.: Security estimates for quadratic field based cryptosystems. In: Steinfeld, R., Hawkes, P. (eds.) ACISP 2010. LNCS, vol. 6168, pp. 233–247. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14081-5_15


  8. Boyd, C.: Digital multisignature. In: Cryptography and Coding (1986)


  9. Buell, D.A.: Class groups of quadratic fields. Math. Comput. 30(135), 610–623 (1976)


  10. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7


  11. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Bandwidth-efficient threshold EC-DSA. Cryptology ePrint Archive, Report 2020/084 (2020)


  12. Croft, R.A., Harris, S.P.: Public-key cryptography and reusable shared secret. In: Cryptography and Coding (1989)


  13. Castagnos, G., Imbert, L., Laguillaumie, F.: Encryption switching protocols revisited: switching modulo p. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 255–287. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_9


  14. Camenisch, J., Kiayias, A., Yung, M.: On the portability of generalized Schnorr proofs. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 425–442. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_25


  15. Cohen, H., Lenstra, H.W.: Heuristics on class groups. In: Chudnovsky, D.V., Chudnovsky, G.V., Cohn, H., Nathanson, M.B. (eds.) Number Theory. LNM, vol. 1052, pp. 26–36. Springer, Heidelberg (1984). https://doi.org/10.1007/BFb0071539


  16. Castagnos, G., Laguillaumie, F.: Linearly homomorphic encryption from \(\sf DDH\). In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 487–505. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16715-2_26


  17. Castagnos, G., Laguillaumie, F., Tucker, I.: Practical fully secure unrestricted inner product functional encryption modulo p. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018, Part II. LNCS, vol. 11273, pp. 733–764. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_25


  18. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052252


  19. Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_8


  20. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)


  21. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8


  22. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28


  23. Damgård, I., Fujisaki, E.: A statistically-hiding integer commitment scheme based on groups with hidden order. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 125–142. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_8


  24. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy. IEEE Computer Society Press (2018)


  25. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy. IEEE Computer Society Press (2019)


  26. Dalskov, A.P.K., Keller, M., Orlandi, C., Shrishak, K., Shulman, H.: Securing DNSSEC keys via threshold ECDSA from generic MPC. IACR Cryptology ePrint Archive, 2019:889 (2019)


  27. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: Proceedings of FOCS 1987. IEEE Computer Society (1987)


  28. Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: ACM CCS 2018. ACM Press (2018)


  29. Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9


  30. Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 116–129. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_8


  31. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and efficient sharing of RSA functions. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 157–172. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_13


  32. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31


  33. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)


  34. Hamdy, S., Saidak, F.: Arithmetic properties of class numbers of imaginary quadratic fields. JP J. Algebra Number Theory Appl. 6(1), 129–148 (2006)


  35. Lagarias, J.: Worst-case complexity bounds for algorithms in the theory of integral quadratic forms. J. Algorithms 1(2), 142–186 (1980)


  36. Lindell, Y.: Fast secure two-party ECDSA signing. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 613–644. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_21


  37. Lipmaa, H.: Secure accumulators from euclidean rings without trusted setup. In: Bao, F., Samarati, P., Zhou, J. (eds.) ACNS 2012. LNCS, vol. 7341, pp. 224–240. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31284-7_14


  38. Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: ACM CCS 2018. ACM Press (2018)


  39. MacKenzie, P.D., Reiter, M.K.: Two-party generation of DSA signatures. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 137–154. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_8


  40. Pietrzak, K.: Simple verifiable delay functions. In: ITCS 2019. LIPIcs (2019)


  41. Pass, R., Rosen, A.: Concurrent non-malleable commitments. In: 46th FOCS. IEEE Computer Society Press (2005)


  42. Poupard, G., Stern, J.: Short proofs of knowledge for factoring. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 147–166. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_11


  43. Quer, J.: Corps quadratiques de 3-rang 6 et courbes elliptiques de rang 12. C. R. Acad. Sci. Paris Sér. I 305, 215–218 (1987)


  44. Smart, N.P., Alaoui, Y.T.: Distributing any elliptic curve based protocol: with an application to MixNets. IACR Cryptology ePrint Archive 2019:768 (2019)


  45. Schnorr, C.-P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991)


  46. Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054113


  47. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)


  48. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15


  49. Vanstone, S.: Responses to NIST’s proposal. Commun. ACM 35, 41–54 (1992). (communicated by John Anderson)


  50. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13



Acknowledgements

We thank Rosario Gennaro and Steven Goldfeder for fruitful discussions. We also thank Omer Shlomovits for interesting insight on issues related to the practical implementation of threshold EC-DSA. This work was supported by the French ANR ALAMBIC project (ANR-16-CE39-0006). The research of Dario Catalano was partially supported by the Università degli Studi di Catania, “Piano della Ricerca 2016/2018—Linea di intervento 2”.


Corresponding author

Correspondence to Ida Tucker .


Copyright information

© 2020 International Association for Cryptologic Research

About this paper


Cite this paper

Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I. (2020). Bandwidth-Efficient Threshold EC-DSA. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) Public-Key Cryptography – PKC 2020. Lecture Notes in Computer Science, vol. 12111. Springer, Cham. https://doi.org/10.1007/978-3-030-45388-6_10


  • DOI: https://doi.org/10.1007/978-3-030-45388-6_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45387-9

  • Online ISBN: 978-3-030-45388-6
