Litcius/Paper detail

Real Threshold ECDSA

Harry W. H. Wong, P. K. Jack, Hoover H. F. Yin, Sherman S. M. Chow

202321 citationsDOI

Abstract

Threshold ECDSA recently regained popularity due to decentralized applications such as DNSSEC and cryptocurrency asset custody.Latest (communication-optimizing) schemes often assume all n or at least n ′ ≥ t participating users remain honest throughout the pre-signing phase, essentially degenerating to n ′ -out-of-n ′ multiparty signing instead of t-out-of-n threshold signing.When anyone misbehaves, all signers must restart from scratch, rendering prior computation and communication in vain.This hampers the adoption of threshold ECDSA in time-critical situations and confines its use to a small signing committee.To mitigate such denial-of-service vulnerabilities prevalent in state-of-the-art, we propose a robust threshold ECDSA scheme that achieves the t-out-of-n threshold flexibility "for real" throughout the whole pre-signing and signing phases without assuming an honest majority.Our scheme is desirable when computational resources are scarce and in a decentralized setting where faults are easier to be induced.Our design features 4round pre-signing, O(n) cheating identification, and self-healing machinery over distributive shares.Prior arts mandate abort after an O(n 2 )-cost identification, albeit with 3-round pre-signing (Canetti et al., CCS '20), or O(n) using 6 rounds (Castagnos et al., TCS '23).Empirically, our scheme saves up to ∼30% of the communication cost, depending on at which stage the fault occurred.

Topics & Concepts

Elliptic Curve Digital Signature AlgorithmComputer scienceComputer securityElliptic curve cryptographyPublic-key cryptographyEncryptionECG Monitoring and AnalysisBlind Source Separation Techniques