Threshold ECDSA from ECDSA Assumptions: The Multiparty Case

Jack Doerner, Yashvanth Kondi, Eysa Lee, Abhi Shelat
{"title":"Threshold ECDSA from ECDSA Assumptions: The Multiparty Case","authors":"Jack Doerner, Yashvanth Kondi, Eysa Lee, Abhi Shelat","doi":"10.1109/SP.2019.00024","DOIUrl":null,"url":null,"abstract":"Cryptocurrency applications have spurred a resurgence of interest in the computation of ECDSA signatures using threshold protocols---that is, protocols in which the signing key is secret-shared among n parties, of which any subset of size t must interact in order to compute a signature. Among the resulting works to date, that of Doerner et al. requires the most natural assumptions while also achieving the best practical signing speed. It is, however, limited to the setting in which the threshold is two. We propose an extension of their scheme to arbitrary thresholds, and prove it secure against a malicious adversary corrupting up to one party less than the threshold under only the Computational Diffie-Hellman assumption in the Random Oracle model, an assumption strictly weaker than those under which ECDSA is proven. Whereas the best current schemes for threshold-two ECDSA signing use a Diffie-Hellman Key Exchange to calculate each signature's nonce, a direct adaptation of this technique to a larger threshold t would incur a round count linear in t; thus we abandon it in favor of a new mechanism that yields a protocol requiring log(t)+6 rounds in total. We design a new consistency check, similar in spirit to that of Doerner et al., but suitable for an arbitrary number of participants, and we optimize the underlying two-party multiplication protocol on which our scheme is based, reducing its concrete communication and computation costs. We implement our scheme and evaluate it among groups of up to 256 of co-located and 128 geographically-distributed parties, and among small groups of embedded devices. We find that in the LAN setting, our scheme outperforms all prior works by orders of magnitude, and that it is efficient enough for use even on smartphones or hardware tokens. In the WAN setting we find that, despite its logarithmic round count, our protocol outperforms the best constant-round protocols in realistic scenarios.","PeriodicalId":272713,"journal":{"name":"2019 IEEE Symposium on Security and Privacy (SP)","volume":"35 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2019-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"91","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2019 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2019.00024","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 91

Abstract

Cryptocurrency applications have spurred a resurgence of interest in the computation of ECDSA signatures using threshold protocols---that is, protocols in which the signing key is secret-shared among n parties, of which any subset of size t must interact in order to compute a signature. Among the resulting works to date, that of Doerner et al. requires the most natural assumptions while also achieving the best practical signing speed. It is, however, limited to the setting in which the threshold is two. We propose an extension of their scheme to arbitrary thresholds, and prove it secure against a malicious adversary corrupting up to one party less than the threshold under only the Computational Diffie-Hellman assumption in the Random Oracle model, an assumption strictly weaker than those under which ECDSA is proven. Whereas the best current schemes for threshold-two ECDSA signing use a Diffie-Hellman Key Exchange to calculate each signature's nonce, a direct adaptation of this technique to a larger threshold t would incur a round count linear in t; thus we abandon it in favor of a new mechanism that yields a protocol requiring log(t)+6 rounds in total. We design a new consistency check, similar in spirit to that of Doerner et al., but suitable for an arbitrary number of participants, and we optimize the underlying two-party multiplication protocol on which our scheme is based, reducing its concrete communication and computation costs. We implement our scheme and evaluate it among groups of up to 256 of co-located and 128 geographically-distributed parties, and among small groups of embedded devices. We find that in the LAN setting, our scheme outperforms all prior works by orders of magnitude, and that it is efficient enough for use even on smartphones or hardware tokens. In the WAN setting we find that, despite its logarithmic round count, our protocol outperforms the best constant-round protocols in realistic scenarios.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
基于ECDSA假设的阈值ECDSA:多方案例
加密货币应用程序刺激了人们对使用阈值协议计算ECDSA签名的兴趣的复苏——也就是说,签名密钥在n方之间秘密共享的协议,其中任何大小为t的子集都必须交互才能计算签名。在迄今为止的成果中,Doerner等人的工作需要最自然的假设,同时也达到了最佳的实际签名速度。然而,它仅限于阈值为2的设置。我们将他们的方案扩展到任意阈值,并证明它在随机Oracle模型中的计算Diffie-Hellman假设下是安全的,可以防止恶意对手破坏到小于阈值的一方,该假设严格弱于证明ECDSA的假设。尽管当前最佳的阈值- 2 ECDSA签名方案使用Diffie-Hellman密钥交换来计算每个签名的随机数,但将该技术直接应用于更大的阈值t将导致整数计数在t中呈线性;因此,我们放弃了它,转而采用一种新的机制,该机制产生的协议总共需要log(t)+6轮。我们设计了一个新的一致性检查,类似于Doerner等人的精神,但适用于任意数量的参与者,我们优化了我们方案所基于的底层双方乘法协议,降低了其具体的通信和计算成本。我们实现了我们的方案,并在多达256个共址和128个地理分布方的组中以及在小型嵌入式设备组中对其进行了评估。我们发现,在局域网设置中,我们的方案在数量级上优于所有先前的工作,并且即使在智能手机或硬件令牌上使用它也足够有效。在广域网设置中,我们发现,尽管其对数轮询计数,但我们的协议在实际场景中优于最佳的恒轮询协议。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations CaSym: Cache Aware Symbolic Execution for Side Channel Detection and Mitigation PrivKV: Key-Value Data Collection with Local Differential Privacy Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1