DOI: 10.1145/3548606.3560583
Research article

ROAST: Robust Asynchronous Schnorr Threshold Signatures

Published: 07 November 2022

Abstract

Bitcoin and other cryptocurrencies have recently introduced support for Schnorr signatures whose cleaner algebraic structure, as compared to ECDSA, allows for simpler and more practical constructions of highly demanded "t-of-n" threshold signatures. However, existing Schnorr threshold signature schemes still fall short of the needs of real-world applications due to their assumption that the network is synchronous and due to their lack of robustness, i.e., the guarantee that t honest signers are able to obtain a valid signature even in the presence of other malicious signers who try to disrupt the protocol. This hinders the adoption of threshold signatures in the cryptocurrency ecosystem, e.g., in second-layer protocols built on top of cryptocurrencies.
In this work, we propose ROAST, a simple wrapper that turns a given threshold signature scheme into a scheme with a robust and asynchronous signing protocol, as long as the underlying signing protocol is semi-interactive (i.e., has one preprocessing round and one actual signing round), provides identifiable aborts, and is unforgeable under concurrent signing sessions. When applied to the state-of-the-art Schnorr threshold signature scheme FROST, which fulfills these requirements, we obtain a simple, efficient, and highly practical Schnorr threshold signature scheme.

Supplementary Material

MP4 File (roast-ccs.mp4)
Presentation video - 20 min version


Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
November 2022
3598 pages
ISBN:9781450394505
DOI:10.1145/3548606
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. frost
  2. robustness
  3. schnorr signatures
  4. threshold signatures

Conference

CCS '22

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%


Cited By

  • (2024) Linear Consensus Protocol Based on Vague Sets and Multi-Attribute Decision-Making Methods. Electronics 13:13 (2461). DOI: 10.3390/electronics13132461. Online publication date: 24-Jun-2024
  • (2024) Accountable and Secure Threshold EdDSA Signature and Its Applications. IEEE Transactions on Information Forensics and Security 19 (7033-7046). DOI: 10.1109/TIFS.2024.3428848. Online publication date: 2024
  • (2024) IoTAuth: A Decentralized Cross-Chain Identity Authentication Scheme for 6G Non-Terrestrial IoT Networks. IEEE Network 38:4 (55-62). DOI: 10.1109/MNET.2024.3381081. Online publication date: Jul-2024
  • (2024) A Security-Enhanced Certificateless Designated Verifier Aggregate Signature Scheme for HWMSNs in the YOSO Model. IEEE Internet of Things Journal 11:6 (10865-10879). DOI: 10.1109/JIOT.2023.3327505. Online publication date: 15-Mar-2024
  • (2024) Completely FROST-ed: IoT issued FROST signature for Hyperledger Fabric blockchain. 2024 IEEE International Conference on Blockchain and Cryptocurrency (ICBC) (200-204). DOI: 10.1109/ICBC59979.2024.10634347. Online publication date: 27-May-2024
  • (2024) Adaptively Secure BLS Threshold Signatures from DDH and co-CDH. Advances in Cryptology – CRYPTO 2024 (251-284). DOI: 10.1007/978-3-031-68394-7_9. Online publication date: 18-Aug-2024
  • (2024) Flood and Submerse: Distributed Key Generation and Robust Threshold Signature from Lattices. Advances in Cryptology – CRYPTO 2024 (425-458). DOI: 10.1007/978-3-031-68394-7_14. Online publication date: 18-Aug-2024
  • (2024) SPRINT: High-Throughput Robust Distributed Schnorr Signatures. Advances in Cryptology – EUROCRYPT 2024 (62-91). DOI: 10.1007/978-3-031-58740-5_3. Online publication date: 26-May-2024
  • (2024) Twinkle: Threshold Signatures from DDH with Full Adaptive Security. Advances in Cryptology – EUROCRYPT 2024 (429-459). DOI: 10.1007/978-3-031-58716-0_15. Online publication date: 26-May-2024
  • (2023) Efficient Multi-Party EdDSA Signature With Identifiable Aborts and its Applications to Blockchain. IEEE Transactions on Information Forensics and Security 18 (1937-1950). DOI: 10.1109/TIFS.2023.3256710. Online publication date: 1-Jan-2023
