
One Round Threshold ECDSA Without Roll Call

  • Conference paper
  • Topics in Cryptology – CT-RSA 2023 (CT-RSA 2023)

Abstract

With the growing popularity of cryptocurrencies, interest in digital signatures is also on the rise. Researchers have been attempting since the 90s to enhance known signature schemes with new properties useful in specific cases. One such property of threshold schemes is non-interactivity: allowing a subset of a group of people to generate a signature without having to interact. A solution to the quest for non-interactivity is to divide the signature into two steps: the presigning (or offline) phase condenses most communication rounds and can be performed long before the signature is needed, while the signing (or online) phase takes only a single round and happens after the message is chosen. Most protocols however require that the subset of the signers be fixed before presigning, since they are the only ones who participate in it.

In this paper, we present a non-interactive threshold ECDSA protocol that removes the need for this assumption entirely and works for any number of participants and threshold value. The security of this scheme is proven in a simulation-based definition. To evaluate the performance of the protocol, it has been implemented in Rust and benchmarked.

Supported by IRT SystemX, Radboud University, and La Caisse des Dépôts.


Notes

  1. Commitment schemes can also involve trapdoor functions Equiv and values tk.

  2. We chose in this article to use the secret notation defined by [1], which distinguishes a value u from its associated secret [u], whose value is unknown. This also allows us to differentiate between a share \(u_i\) of \([u]_n^t\) and the associated additive share \(u_{i,S}\) within the subset \(S\subset P\).

  3. The \(i \rightarrow j\) notation for shares and secret values is determined by who created them, in this case player \(P_i\).

References

  1. Aumasson, J., Hamelink, A., Shlomovits, O.: A survey of ECDSA threshold signing. IACR Cryptol. ePrint Arch., 1390 (2020). https://eprint.iacr.org/2020/1390

  2. Bao, F., Deng, R.H., Zhu, H.F.: Variations of Diffie-Hellman problem. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 301–312. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-39927-8_28


  3. Barić, N., Pfitzmann, B.: Collision-free accumulators and fail-stop signature schemes without trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_33


  4. Boneh, D.: Digital signature standard. In: van Tilborg, H.C.A., Jajodia, S. (eds.) Encyclopedia of Cryptography and Security, 2nd Ed, p. 347. Springer, Cham (2011). https://doi.org/10.1007/978-1-4419-5906-5_145

  5. Canetti, R., Gennaro, R., Goldfeder, S., Makriyannis, N., Peled, U.: UC non-interactive, proactive, threshold ECDSA with identifiable aborts. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) CCS 2020: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, 9–13 November 2020, pp. 1769–1787. ACM (2020). https://doi.org/10.1145/3372297.3423367

  6. Castagnos, G., Catalano, D., Laguillaumie, F., Savasta, F., Tucker, I.: Two-party ECDSA from hash proof systems and efficient instantiations. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 191–221. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_7


  7. Cramer, R., Shoup, V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45–64. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_4


  8. Damgård, I., Jakobsen, T.P., Nielsen, J.B., Pagter, J.I., Østergaard, M.B.: Fast threshold ECDSA with honest majority. J. Comput. Secur. 30(1), 167–196 (2022). https://doi.org/10.3233/JCS-200112


  9. Damgård, I., Keller, M., Larraia, E., Miles, C., Smart, N.P.: Implementing AES via an actively/covertly secure dishonest-majority MPC protocol. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 241–263. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_14


  10. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21–23 May 2018, San Francisco, California, USA, pp. 980–997. IEEE Computer Society (2018). https://doi.org/10.1109/SP.2018.00036

  11. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Threshold ECDSA from ECDSA assumptions: the multiparty case. In: 2019 IEEE Symposium on Security and Privacy, SP 2019, San Francisco, CA, USA, May 19–23, 2019, pp. 1051–1066. IEEE (2019). https://doi.org/10.1109/SP.2019.00024

  12. Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1179–1194. ACM (2018). https://doi.org/10.1145/3243734.3243859

  13. Gennaro, R., Goldfeder, S.: One round threshold ECDSA with identifiable abort. IACR Cryptol. ePrint Arch., 540 (2020). https://eprint.iacr.org/2020/540

  14. Gennaro, R., Goldfeder, S., Narayanan, A.: Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 156–174. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_9


  15. Keller, M., Pastro, V., Rotaru, D.: Overdrive: making SPDZ great again. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part III. LNCS, vol. 10822, pp. 158–189. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78372-7_6


  16. Komlo, C., Goldberg, I.: FROST: flexible round-optimized schnorr threshold signatures. In: Dunkelman, O., Jacobson, Jr., M.J., O’Flynn, C. (eds.) SAC 2020. LNCS, vol. 12804, pp. 34–65. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81652-0_2


  17. Kravitz, D.W.: Digital signature algorithm, US Patent 5,231,668 (1993)


  18. Lindell, Y.: Fast secure two-party ECDSA signing. J. Cryptol. 34(4), 44 (2021). https://doi.org/10.1007/s00145-021-09409-9


  19. Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, 15–19 October 2018, pp. 1837–1854. ACM (2018). https://doi.org/10.1145/3243734.3243788

  20. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16


  21. Pettit, M.: Efficient threshold-optimal ECDSA. In: Conti, M., Stevens, M., Krenn, S. (eds.) CANS 2021. LNCS, vol. 13099, pp. 116–135. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92548-2_7


  22. Poupard, G., Stern, J.: Short proofs of knowledge for factoring. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 147–166. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_11


  23. Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM 26(1), 96–99 (1983). https://doi.org/10.1145/357980.358017


  24. Schnorr, C.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725


  25. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). http://doi.acm.org/10.1145/359168.359176

  26. Tymokhanov, D., Shlomovits, O.: Alpha-rays: key extraction attacks on threshold ECDSA implementations. IACR Cryptol. ePrint Arch., 1621 (2021). https://eprint.iacr.org/2021/1621

  27. ZenGo X: Multi party ECDSA (2019). https://github.com/ZenGo-X/multi-party-ecdsa. Accessed 21 Dec 2021


Author information


Corresponding author

Correspondence to Alexandre Bouez.

Security Proof

Because our protocols are very similar, our proof is largely based on those presented in [12, 13]. We attempt to prove the following:

Theorem 1

Assuming that:

  • The strong RSA assumption holds;

  • \(\{\text {KG}, \text {Com}, \text {Ver}, \text {Equiv}\}\) is a non-malleable equivocable commitment scheme;

  • \(\mathscr {E}\) is a semantically secure encryption scheme

then our threshold DSA protocol is simulatable.

The key generation and presigning phases are performed by all the players, but the signing only involves \(P_1, \dots , P_{t+1}\). The ordering of the players has no effect on the protocol, provided that it remains constant.

We assume the existence of an adversary \(\mathcal {A}\) who controls players \(P_2, \dots , P_{t+1}\). The simulator \(\mathcal {S}\) plays the role of \(P_1\).

For simplicity’s sake, we focus on the case where there is only one honest player and \(n=t+1\). The proof is valid for any number of corrupted players up to the threshold t and does not differ if we add other honest players, so long as \(P_1\) is both a signer and takes part in the computing of R.

Because \(\mathcal {A}\) is a rushing adversary, the corrupted players speak last in every round. \(\mathcal {A}\) has the players generate a public/private key pair \(([x], y)\) and then asks them to sign a certain number of messages \((m_1, \dots , m_l)\). Using the information gathered during those signings, \(\mathcal {A}\) then tries to forge a signature for a new message \(m \ne m_j\) under the public key y.

1.1 Key Generation

The key generation protocol we use is strictly identical to that of [12, 13]; we refer to their proof and only recall a shortened version of it here.

Simulation

  • \(P_1\) selects \(u_1 \in _R \mathbb {Z}_q\) and computes \([KGC_1, KGD_1]=\text {Com}(g^{u_1})\). He then broadcasts \(KGC_1\) as well as \(E_1\), his public key for Paillier’s cryptosystem.

    • \(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \((KGC_i, E_i)\) for \(i>1\).

  • \(P_1\) broadcasts \(KGD_1\) (\(y_1\) is the decommitted value) and performs a Feldman-VSS with \(y_1\) as the free term in the exponent.

    • \(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \(KGD_i\) for \(i>1\) (\(y_i\) is the decommitted value) and performs a Feldman-VSS with free term \(y_i\).

  • The simulator rewinds back to the decommitment step and changes \(P_1\)’s opening to \(\widehat{KGD_1}\) so that the decommitted value becomes \(\hat{y}_1 = y \cdot \prod _{i=2}^n y_i^{-1}\). He then simulates the Feldman-VSS with free term \(\hat{y}_1\).

    • \(\rightarrow \) \(\mathcal {A}\) broadcasts commitments \(\widehat{KGD_i}\) for \(i>1\). Let \(\hat{y}_i\) be the decommitted value, which can be \(\perp \) if \(\mathcal {A}\) chooses to abort.

  • The players compute \(\hat{y} = \prod _{i=1}^n \hat{y}_i\) (the product is set to \(\perp \) if any \(\hat{y}_i\) is set to \(\perp \)).
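As an added illustration of the real (unsimulated) key generation that Sim-Key-Gen mimics, the following Python runs the two rounds above for n players: every \(P_i\) commits to \(y_i = g^{u_i}\), opens the commitment, and performs a Feldman-VSS with \(y_i\) as the free term in the exponent, so that each recipient can check the share it received against the published coefficients and the group aborts on any mismatch. This is not the paper's code: SHA-256 hash commitments stand in for the equivocable commitment scheme (so the simulator's rewinding trick is not modelled), and the tiny Schnorr group \(p = 2039\), \(q = 1019\), \(g = 4\) is a constructed toy.

```python
"""Distributed key generation from commitments plus Feldman-VSS (toy model).

Each P_i picks u_i, broadcasts Com(g^{u_i}), then opens it and shares u_i with a
degree-t polynomial whose coefficients are also published in the exponent, so
every recipient can check the share it received. Hash commitments stand in for
the equivocable scheme; (p, q, g) = (2039, 1019, 4) is a constructed toy group.
"""
import hashlib
import random

P, Q, G = 2039, 1019, 4  # 4 = 2^2 generates the order-1019 subgroup of Z_2039^*


def commit(value, rng):
    """[KGC, KGD] = Com(value): SHA-256 over a random opening and the value."""
    kgd = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(kgd + value.to_bytes(2, "big")).digest(), kgd


def open_commitment(kgc, kgd, value):
    """Ver(KGC, KGD, value): recompute the hash and compare."""
    return hashlib.sha256(kgd + value.to_bytes(2, "big")).digest() == kgc


def feldman_deal(u, n, t, rng):
    """Shares f(1..n) of f(z) = u + a_1 z + ... + a_t z^t, plus g^{a_e} for every coefficient."""
    coeffs = [u] + [rng.randrange(Q) for _ in range(t)]
    shares = {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q for j in range(1, n + 1)}
    return shares, [pow(G, c, P) for c in coeffs]  # element 0 is y_i = g^{u_i}, the free term


def feldman_check(j, share, exp_coeffs):
    """P_j checks g^{f(j)} == prod_e (g^{a_e})^{j^e}; g has order q, so exponents live in Z_q."""
    rhs = 1
    for e, c in enumerate(exp_coeffs):
        rhs = rhs * pow(c, pow(j, e, Q), P) % P
    return pow(G, share, P) == rhs


def key_generation(n, t, seed=1, cheater=None):
    """Runs both rounds for all n players. Returns (y, {j: x_j}) or None if the group aborts.
    `cheater` is a dealer index that sends P_1 a share inconsistent with its commitments."""
    rng = random.Random(seed)
    us = [rng.randrange(Q) for _ in range(n)]
    round1 = [(pow(G, u, P), *commit(pow(G, u, P), rng)) for u in us]   # broadcast KGC_i
    x_shares, y = {j: 0 for j in range(1, n + 1)}, 1
    for i, (y_i, kgc, kgd) in enumerate(round1, start=1):               # broadcast KGD_i + VSS
        shares, exp_coeffs = feldman_deal(us[i - 1], n, t, rng)
        if i == cheater:
            shares[1] = (shares[1] + 1) % Q
        if not open_commitment(kgc, kgd, y_i) or exp_coeffs[0] != y_i:
            return None  # decommitment does not match the VSS free term: abort
        if not all(feldman_check(j, s, exp_coeffs) for j, s in shares.items()):
            return None  # some recipient rejects its share: abort
        for j, s in shares.items():
            x_shares[j] = (x_shares[j] + s) % Q          # x_j = sum_i f_i(j)
        y = y * y_i % P                                  # y = prod_i y_i = g^x
    return y, x_shares


def reconstruct_in_exponent(x_shares, subset):
    """g^{x} from any t+1 shares via Lagrange interpolation at 0; must equal y."""
    x = 0
    for i in subset:
        num = den = 1
        for j in subset:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        x = (x + x_shares[i] * num * pow(den, -1, Q)) % Q
    return pow(G, x, P)


if __name__ == "__main__":
    y, shares = key_generation(4, 2)
    print(y, reconstruct_in_exponent(shares, (1, 2, 3)) == y, key_generation(4, 2, cheater=2))
```

Any t+1 of the resulting shares interpolate to the same x whose public key is y, which is what lets the signing subset be chosen later; a dealer whose share does not match its published coefficients is caught by `feldman_check` and the run aborts.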

Lemma 1

The simulation is indistinguishable from the real protocol and it either outputs y or it aborts.

Proof

\(\text {Sim-Key-Gen}\) uses a simulated Feldman-VSS with free term \(\hat{y}_1\). This simulation is however identical to the real Feldman-VSS in its distribution. The simulation is therefore indistinguishable from the real protocol. Because of the rewinding step, it will always either abort (output \(\perp \)) or output a valid y. Details of the proof are given by [12]. \(\square \)

1.2 Protocol

Now that a key has been generated, \(\mathcal {A}\) will ask the players to sign a certain number of messages.

\(\mathcal {S}\) must simulate the threshold signature protocol while still playing as \(P_1\): on input R it simulates the presigning (or offline phase, Sect. 3.2), on input the signature \((r, s)\) it simulates the signing (or online phase, Sect. 3.3).

Note that \(\mathcal {S}\) does not have access to the private state of \(P_1\): it does not know \(P_1\)’s share \(x_1\) of the secret key [x] nor the private key associated to \(P_1\)’s public key \(E_1\).

Presignature Simulation

  • Step 1. The generation of k is identical to that of x. Recall that R is given as an input and that \(R=g^{(k^{-1})}\). \(\mathcal {S}\) does not know k or \(g^k\) and is unable to force the group to generate the right value k.

    \(P_1\) proceeds as he did during the Key Generation simulation without the rewinding step. The random secret generated by the group is \(k'\). The values \(g^{k'}\) and \(g^{k_i}\) are public. As before, \(P_1\) does not know its own share \(k_1\).

  • Step 2. \(\mathcal {S}\) must simulate the sharing of [kx] without knowing either \(k_1\) or \(x_1\). \(P_1\) chooses new random values for \(\hat{k}_1\) and \(\hat{x}_1\) to participate in the MtAwc protocol. He also generates the local Shamir secrets \([u_1]\) and \([v_1]\) of shares \((u_{1\rightarrow j})\) and \((v_{1\rightarrow j})\).

    • \(\underline{\text {Initiator for } k_1 \text { and } x_j.}\) \(\mathcal {S}\) does not know \(k_1\). \(P_1\) participates using his random value \(\hat{k}_1\). It must simulate the ZK proof of consistency between \(E_1(\hat{k}_1)\) and \(g^{k_1}\). \(\mathcal {S}\) is unable to decrypt \(c_{j\rightarrow 1}\). It extracts \(P_j\)’s shares \(x_j\) and \(u_{j\rightarrow 1}\) from the ZK proofs and computes \(a_{1\rightarrow j} = \hat{k}_1 x_j + u_{j\rightarrow 1} + v_{1\rightarrow j}\) before broadcasting it.

    • \(\underline{\text {Respondent for } k_j \text { and } x_1.}\) Similarly, \(\mathcal {S}\) does not know \(x_1\). \(P_1\) participates using his random value \(\hat{x}_1\). It must simulate the ZK proof of consistency with \(g^{x_1}\). \(\mathcal {S}\) knows \(u_{1\rightarrow j}\) and can extract the value \(k_j\) from the range proof. Once \(P_j\) broadcasts \(a_{j\rightarrow 1}\), \(\mathcal {S}\) can compute \(v_{j\rightarrow 1} = a_{j\rightarrow 1} - (k_j \hat{x}_1 + u_{1\rightarrow j})\).

    • Finally, \(\mathcal {S}\) broadcasts \(a_{1\rightarrow 1} = \hat{x}_1 \hat{k}_1 + u_{1\rightarrow 1} + v_{1\rightarrow 1}\) and the other players broadcast \(a_{j\rightarrow j}\). \(\mathcal {S}\) can compute \((u_{j\rightarrow j} + v_{j\rightarrow j}) = a_{j\rightarrow j} - x_j k_j\).

    Using the broadcasted values, \(\mathcal {S}\) can also compute \((u_{j\rightarrow i} + v_{i\rightarrow j}) = a_{i\rightarrow j} - k_i x_j\). Note that \(\mathcal {S}\) cannot be sure that the values \((a_{j\rightarrow \cdot })\) published by the other players are consistent and define a valid Shamir secret, but this is fine since we do not try to achieve robustness. If \(\mathcal {A}\) misbehaves, the protocol will abort.

  • Step 3. Because we only consider the case \(n=t+1\), \(P_1\) must participate in the computing of R. \(\mathcal {S}\) can therefore ensure that the group will end up with the value of R given as input.

    \(P_1\) chooses his share \(\gamma _1\) normally. All players broadcast \(C_i\). They then calculate their local share \(k_{i,S}\) to participate in the MtA protocol (\(S'=S=P\) in this situation).

    • \(\underline{\text {Initiator for } k_{1,S} \text { and } \gamma _j.}\) \(\mathcal {S}\) does not know \(k_{1,S}\); it uses \(\hat{k}_{1,S}\), calculated from his previously chosen random share. It is consistent with the share used previously since \(E_1(\hat{k}_{1,S}) = \lambda _{1,S} \times _E E_1(\hat{k}_1)\).

      \(\mathcal {S}\) is unable to decrypt \(\alpha _{1\rightarrow j}\). It can extract \(P_j\)’s shares \(\gamma _j\) and \(\beta _{j\rightarrow 1}\) from the ZK range proof and computes \(\alpha _{1\rightarrow j} = \gamma _j \hat{k}_{1,S} - \beta _{j\rightarrow 1}\).

    • \(\underline{\text {Respondent for } k_{j,S} \text { and } \gamma _1.}\) \(\mathcal {S}\) has \(P_1\) execute the protocol correctly and already knows \(k_{j,S}\).

      Since \(\mathcal {S}\) knows \(\beta _{1\rightarrow j}\), it computes \(\alpha _{j\rightarrow 1} = \gamma _1 k_{j,S} - \beta _{1\rightarrow j}\).

    The group can now calculate R, this is done in a series of steps:

    • They first have to compute \(\delta \). \(P_1\) broadcasts:

      $$ \hat{\delta }_1 = \hat{k}_{1,S} \gamma _1 + \sum _{j > 1}(\alpha _{1\rightarrow j} + \beta _{1\rightarrow j}) \mod q $$

      The other players then broadcast their share:

      $$ \delta _i=k_{i,S} \gamma _i + \sum _{j\ne i}(\alpha _{i\rightarrow j} + \beta _{i\rightarrow j}) \mod q $$

      The players can compute \(\hat{\delta } = \hat{\delta }_1 + \sum _{j>1}\delta _j = \hat{k} \gamma \).

    • The players then broadcast the values \(D_i\) to decommit \(\varGamma _i\) and compute \(\varGamma \).

At this point, \(\mathcal {S}\) can verify that the shares published by the adversary so far are coherent by checking that

$$\begin{aligned} \varGamma ^{\hat{k}} {\mathop {=}\limits ^{?}} g^{\hat{\delta }} \qquad (1) \end{aligned}$$

The simulation branches into two versions depending on whether this assertion is true (semi-correct execution) or false (non semi-correct execution):

  • Semi-correct execution. \(\mathcal {S}\) knows all the values \(\gamma _i\). It rewinds to just before the decommitment step and has \(P_1\) broadcast a simulated opening \(\widehat{D_1}\) such that the decommitted value is:

    $$ \widehat{\varGamma }_1 = R^{\hat{\delta }} \prod _{i>1}\varGamma _i^{-1} $$

    The other players broadcast \(D_i\) to decommit \(\varGamma _i\). The players compute

    $$ \widehat{\varGamma }=\widehat{\varGamma }_1 \prod _{i>1}\varGamma _i \text { and } R=\widehat{\varGamma }^{\hat{\delta }^{-1}} $$

    Finally, \(P_1\) broadcasts \(\widehat{\varLambda }_1 = g^{\hat{\delta }} \prod _{i>1}\varGamma ^{-k_{i,S}}\) with a simulated ZK proof of consistency with \(E_1(\hat{k}_{1,S})\) published during the MtA. The other players broadcast \(\varLambda _i = \varGamma ^{k_{i,S}}\). They can all verify that:

    $$ \widehat{\varLambda } = \widehat{\varLambda }_1 \prod _{i>1}\varLambda _i {\mathop {=}\limits ^{?}} g^{\hat{\delta }} $$
  • Non semi-correct execution. \(P_1\) broadcasts \(\varLambda _1 = \varGamma ^{\hat{k}_{1,S}}\) with the correct ZK proof of consistency with \(E_1(\hat{k}_{1,S})\). Since we know Assertion (1) failed, one of \(\mathcal {A}\)’s ZK proofs is sure to fail and the protocol will abort.

Signature Simulation. \(\mathcal {S}\) receives the correct signature \((r, s)\) as input, where \(r=H'(R)\). The simulator also knows the signing subset, since \(S=P\). In a situation where it is not known in advance, the simulator can reveal an incorrect \(s_1\), wait for the other signers to reveal themselves, and rewind to before having sent its share.

Let \(s_\mathcal {A}\) be the sum of the other players’ shares and of the public values:

$$\begin{aligned} \begin{aligned} s_\mathcal {A}&= \sum _{i>1}s_{i,S} + r\sum _{i,j \in S}a_{i\rightarrow j, S}\\&= m\sum _{i>1}k_{i,S} - r\sum _{i>1}(u_{i,S} + v_{i,S}) + r\sum _{i,j \in S}a_{i\rightarrow j, S} \end{aligned} \end{aligned}$$

\(\mathcal {S}\) already knows the public values \((a_{i\rightarrow j, S})\) and the private shares \((k_{i,S})\). The simulator also knows \((u_{j\rightarrow 1})\), \((v_{j\rightarrow 1})\) and \((u_{j\rightarrow i} + v_{i\rightarrow j})\) for \(i,j > 1\). It can therefore calculate the sum of the local Shamir secrets:

$$\begin{aligned} \sum _{i>1}(u_{i,S} + v_{i,S}) = \sum _{i>1}\left( \sum _{j\in S} u_{j\rightarrow i,S} + v_{j\rightarrow i,S}\right) \qquad (2) \end{aligned}$$

\(\mathcal {S}\) broadcasts his share of the signature \(s_1 = s - s_\mathcal {A}\). The other players broadcast their shares \(s_i\) and the group can verify that \((r, s)\) is a valid signature. If not, the protocol aborts.
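The online round described above is, in essence, a reconstruction of \(s = k(m + rx)\) from Shamir shares of [k] and [kx] held by whichever t+1 players show up; the subset S only fixes the Lagrange coefficients \(\lambda _{i,S}\) that turn each Shamir share into its additive share \(k_{i,S}\). The Python below is an added toy model of that flow and is not the paper's protocol or its Rust implementation: a dealer hands out the presignature shares in place of the Feldman-VSS and MtA steps, R is derived through the \(\varGamma\)/\(\delta\) check of Step 3 (Assertion (1)), signing is a single broadcast of \(s_{i,S}\) per player, and the group's final signature verification is the abort from Lemma 2. A Schnorr group modulo a safe prime \(p = 2q+1\) replaces the elliptic curve, \(H'(R) = R \bmod q\) as in DSA, and every value (group, keys, message hash) is constructed at toy size.

```python
"""One-round online signing over Shamir-shared presignatures (toy model, added
illustration). All n players presign Shamir shares of [k] and [kx] plus R = g^(k^-1);
afterwards ANY t+1 of them finish the DSA signature in one round via lambda_{i,S}.
A dealer replaces Feldman-VSS/MtA, a Schnorr group replaces the curve (constructed)."""
import random


def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic below 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n in bases:
        return True
    if n < 2 or any(n % b == 0 for b in bases):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(rng, bits=64):
    """Constructed toy Schnorr group (p, q, g): g generates the order-q subgroup of Z_p^*."""
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(rng.randrange(2, p - 1), 2, p)  # a square != 1 has order q


def lagrange_coeff(i, subset, q):
    """lambda_{i,S}: turns P_i's Shamir share into its additive share within S."""
    num, den = 1, 1
    for j in subset:
        if j != i:
            num, den = num * (-j) % q, den * (i - j) % q
    return num * pow(den, -1, q) % q


def shamir_share(secret, n, t, rng, q):
    """Shares f(1..n) of a degree-t polynomial f with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(q) for _ in range(t)]
    return {i: sum(c * pow(i, e, q) for e, c in enumerate(coeffs)) % q for i in range(1, n + 1)}


def presign(group, n, t, rng):
    """Dealer stand-in for key generation + presigning (all n players take part). R is derived
    as in Step 3: Gamma = g^gamma, delta = k*gamma, check Gamma^k == g^delta, R = Gamma^(1/delta)."""
    p, q, g = group
    x, k, gamma = (rng.randrange(1, q) for _ in range(3))   # key, presig secret, MtA mask
    y = pow(g, x, p)                                         # public key
    Gamma, delta = pow(g, gamma, p), k * gamma % q
    if pow(Gamma, k, p) != pow(g, delta, p):                 # Assertion (1) fails: abort
        raise RuntimeError("inconsistent presignature shares: abort")
    R = pow(Gamma, pow(delta, -1, q), p)                     # = g^(gamma/(k*gamma)) = g^(k^-1)
    r = R % q                                                # r = H'(R), here R mod q as in DSA
    presig = {"k": shamir_share(k, n, t, rng, q), "kx": shamir_share(k * x % q, n, t, rng, q)}
    return y, r, presig


def sign_online(group, m, r, presig, subset, corrupt=None):
    """Single online round for S (|S| = t+1): each P_i in S broadcasts
    s_{i,S} = m*k_{i,S} + r*(kx)_{i,S}; anyone sums them. `corrupt` names a player
    publishing a wrong share (the inconsistent-share case in the proof of Lemma 2)."""
    q, s = group[1], 0
    for i in subset:
        lam = lagrange_coeff(i, subset, q)
        s_i = (m * lam * presig["k"][i] + r * lam * presig["kx"][i]) % q
        if i == corrupt:
            s_i = (s_i + 1) % q
        s = (s + s_i) % q
    return r, s


def verify(group, m, r, s, y):
    """Standard DSA verification in the toy group: the group's final check before output."""
    p, q, g = group
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    R = pow(g, m * w % q, p) * pow(y, r * w % q, p) % p     # g^((m + r x)/s) = g^(k^-1)
    return R % q == r


def demo(seed=7, n=5, t=2):
    """Two different t+1 subsets finish the same presignature; a bad share makes the run abort."""
    rng = random.Random(seed)
    group = make_group(rng)
    y, r, presig = presign(group, n, t, rng)
    m = rng.randrange(1, group[1])                           # message hash, chosen after presigning
    sig_a = sign_online(group, m, r, presig, (1, 2, 3))
    sig_b = sign_online(group, m, r, presig, (2, 4, 5))
    sig_bad = sign_online(group, m, r, presig, (1, 3, 5), corrupt=3)
    return {"same_signature": sig_a == sig_b,
            "a_valid": verify(group, m, *sig_a, y), "b_valid": verify(group, m, *sig_b, y),
            "bad_aborts": not verify(group, m, *sig_bad, y)}


if __name__ == "__main__":
    print(demo())
```

The two subsets in `demo` never coordinated before presigning and still produce the identical \((r, s)\), which is the "without roll call" property; the corrupted run yields an \(s\) that fails verification, so the honest players abort rather than output a bad signature, exactly the last step above.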

Lemma 2

Assuming that:

  • The strong RSA assumption holds;

  • \(\{\text {KG}, \text {Com}, \text {Ver}, \text {Equiv}\}\) is a non-malleable equivocable commitment scheme;

  • \(\mathscr {E}\) is a semantically secure encryption scheme

then the simulation of the protocol without roll call has the following properties:

  1. It is computationally indistinguishable from a real execution;

  2. On input m, it either outputs a valid signature \((r, s)\) or it aborts.

Proof

Semi-correct execution. The only way that \(\mathcal {A}\) could differentiate between a real execution and a simulated one would be to verify whether \(P_1\) is using the right values \(x_1\) and \(k_1\). Recall that the values \(g^{x_1}\) and \(g^{k_1}\) are public.

In the real protocol, \(R=g^{(k^{-1})}\) and the “public key” published during the generation of k is \(g^k\). In the simulation, \(R=g^{(k^{-1})}\) is given as input thereby indirectly fixing the value of k while the public key published by the group is \(g^{k'}\). This is computationally indistinguishable assuming inverse-DDH.

In the MtA protocols, \(P_1\) publishes \(E_1(\hat{k}_1)\) and \(E_1(\hat{k}_{1,S})=\lambda _{1,S} E_1(\hat{k}_1)\). Since \(\mathcal {S}\) simulates the ZK proofs, these do not give any more information. Distinguishing between the real value and the simulated one is infeasible under the semantic security of the encryption scheme.

At the end of the modified MtA, the values \(a_{i\rightarrow j} = k_i x_j + u_{j\rightarrow i} + v_{i\rightarrow j}\) are made public. The adversary could try to extract \(k_1\) or \(x_1\) from them. However, it knows neither \(u_{1\rightarrow j}\) nor \(v_{1\rightarrow j}\). \(\mathcal {A}\) could try to verify the consistency of \(g^{a_{i\rightarrow j}}\), but it knows neither \(g^{u_{1\rightarrow j}}\) nor \(g^{v_{1\rightarrow j}}\).

The adversary could also decide to use inconsistent values \(u_{i\rightarrow j}\) and \(v_{i\rightarrow j}\) that do not define a functional Shamir secret. This is akin to \(\mathcal {A}\) publishing wrong values of \(s_i\), or using the wrong \(\sigma _i\) in the previous protocol. Eq. (2), used by \(P_1\) to generate \(s_1\), would then no longer hold and the produced signature would be invalid. The protocol aborts during the last verification step.

During signing, we know that the shares \(k_i\) used by the adversary are correct and that \((r, s)\) is a correct signature of m by y. Therefore, the share \(s_1\) is consistent with a correct share for \(P_1\). If the protocol terminates, it outputs \((r, s)\).

Non semi-correct execution. If the adversary misbehaves during the presignature, the execution is non semi-correct. Both the protocol and the simulation will abort when one of the ZK proofs published by \(\mathcal {A}\) fails.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Bouez, A., Singh, K. (2023). One Round Threshold ECDSA Without Roll Call. In: Rosulek, M. (eds) Topics in Cryptology – CT-RSA 2023. CT-RSA 2023. Lecture Notes in Computer Science, vol 13871. Springer, Cham. https://doi.org/10.1007/978-3-031-30872-7_15


  • DOI: https://doi.org/10.1007/978-3-031-30872-7_15


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30871-0

  • Online ISBN: 978-3-031-30872-7

