DOI: 10.1145/3243734.3243788 (research article, CCS conference proceedings)

Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody

Published: 15 October 2018

Abstract

ECDSA is a standardized signing algorithm that is widely used in TLS, code signing, cryptocurrency and more. Due to its importance, the problem of securely computing ECDSA in a distributed manner (known as threshold signing) has received considerable interest. However, despite this interest, there is still no full threshold solution for more than 2 parties (meaning that any t-out-of-n parties can sign, security is preserved for any t-1 or fewer corrupted parties, and t ≤ n can be any value, thus supporting an honest minority) that has practical key distribution. This is due to the fact that all previous solutions for this utilize Paillier homomorphic encryption, and efficient distributed Paillier key generation for more than two parties is not known. In this paper, we present the first truly practical full threshold ECDSA signing protocol that has both fast signing and fast key distribution. This solves a years-old open problem, and opens the door to practical uses of threshold ECDSA signing that are in demand today. One of these applications is the construction of secure cryptocurrency wallets (where key shares are spread over multiple devices and so are hard to steal) and cryptocurrency custody solutions (where large sums of invested cryptocurrency are strongly protected by splitting the key between a bank/financial institution, the customer who owns the currency, and possibly a third-party trustee, with multiple shares at each). There is growing practical interest in such solutions, but prior to our work these could not be deployed today due to the need for distributed key generation.

Supplementary Material

MP4 File (p1837-nof.mp4)


Cited By

• (2024) Optimizing and Implementing Fischlin's Transform for UC-Secure Zero Knowledge. IACR Communications in Cryptology. DOI: 10.62056/a66chey6b. Online publication date: 8 Jul 2024.
• (2024) Unstoppable Wallets: Chain-assisted Threshold ECDSA and its Applications. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pages 1844-1860. DOI: 10.1145/3634737.3637657. Online publication date: 1 Jul 2024.
• (2024) Obfuscating Verifiable Random Functions for Proof-of-Stake Blockchains. IEEE Transactions on Dependable and Secure Computing, 21(4):2982-2996. DOI: 10.1109/TDSC.2023.3321051. Online publication date: Jul 2024.

Published In
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
October 2018, 2359 pages
ISBN: 9781450356930
DOI: 10.1145/3243734

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: ECDSA, secure multiparty computation, threshold cryptography

Conference: CCS '18

Acceptance Rates

CCS '18 paper acceptance rate: 134 of 809 submissions, 17%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%
