Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston - - PowerPoint PPT Presentation
UC Non-Interactive, Proactive, Threshold ECDSA w/ Identifiable Aborts Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks) To appear
Ran Canetti (Boston University), Rosario Gennaro (City College, CUNY), Steven Goldfeder (Cornell Tech), Nikolaos Makriyannis (Fireblocks), Udi Peled (Fireblocks)
To appear in
CCS’20
Secure Multiparty Computation Distrustful parties compute correlated outputs on their (secret) inputs and only reveal what the outputs suggest. Powerful Feasibility Results
Yao’82, Goldreich-Micali-Widgerson’86, Chaum-Crepeau-Damgard’88, Ben Or-Goldwasser-Wigderson’88
Any traditional signature scheme can be “thresholdized”, in principle MPC theory is not a panacea
Signature generation boils down to a single message (w/ preprocess).
Especially relevant for “cold wallets”.
Signature generation boils down to a single message (w/ preprocess).
Faulty/malicious signatories are identified in case of failure.
Known as security w/ identifiable abort in MPC literature.
Signature generation boils down to a single message (w/ preprocess).
Faulty/malicious signatories are identified in case of failure.
Long-haul security against adaptive adversaries.
Adaptive vs Static Adversaries
Signature generation boils down to a single message (w/ preprocess).
Faulty/malicious signatories are identified in case of failure.
Long-haul security against adaptive adversaries.
Security preserved under composition.
Even when multiple different sessions are
Signature generation boils down to a single message (w/ preprocess).
Faulty/malicious signatories are identified in case of failure.
Long-haul security against adaptive adversaries.
Security preserved under composition.
We show how to achieve all of these properties in one protocol!
Honest Majority:
Gennaro-Jarecki-Krawcyk-Rabin’96
Two-Party Dishonest Majority:
Mackenzie-Reiter’01 Lindell’17, Doerner-Shelat’18, Castagnos-Catalano-Laguillaumie-Savasta-Tucker’19
Multiparty Dishonest Majority:
Gennaro-Goldfeder-Narayanan’16, Boneh-Gennaro-Goldfeder’17 Lindell-Nof’19, Gennaro-Goldfeder’19, Doerner-Kondi-Lee-Shelat’20 Castagnos-Catalano-Laguillaumie-Savasta-Tucker’20
Honest Majority:
Gennaro-Jarecki-Krawcyk-Rabin’96
Two-Party Dishonest Majority:
Mackenzie-Reiter’01 Lindell’17, Doerner-Shelat’18, Castagnos-Catalano-Laguillaumie-Savasta-Tucker’19
Multiparty Dishonest Majority:
Gennaro-Goldfeder-Narayanan’16, Boneh-Gennaro-Goldfeder’17 Lindell-Nof’19, Gennaro-Goldfeder’19, Doerner-Kondi-Lee-Shelat’20 Castagnos-Catalano-Laguillaumie-Savasta-Tucker’20 Dalskov-Keller-Orlandi-Shrishak-Shulman’20 Gagol-Kula-Straszak-Swietek’20 Damgard-Jakobsen-Nielsen-Pagter-Ostergaard’20
We present two related protocols for threshold ECDSA. Communication Model: We rely on synchronous broadcast channel
Key-Generation Key-Refresh Presigning Signing Key-Generation Key-Refresh Presigning Signing
Protocol 1 Protocol 2
PROTOCOL 1 PROTOCOL 2 Non-Interactive Signing ✔ ✔ Full Proactive Security ✔ ✔ Accountability ✔ ✔ UC - Security ✔ ✔
We present two related protocols for threshold ECDSA.
PROTOCOL 1 PROTOCOL 2 Non-Interactive Signing ✔ ✔ Full Proactive Security ✔ ✔ Accountability ✔ ✔ UC - Security ✔ ✔ Round-Complexity (Signing) 4 i.e. 3 + 1 7 i.e. 6 + 1 Accountability Overhead 𝑃(𝑜2) 𝑃(𝑜)
We present two related protocols for threshold ECDSA.
Overhead kicks in only when a fault is detected
Most Round-Efficient
Most Round-Efficient
Most Round-Efficient ~2 as expensive in comp & com compared to the most com-efficient protocols
For 𝑈 ∈ ℕ, let ±𝑈 denote {−𝑈, … , 0, … , 𝑈}. Non Standard Notation!! Index disappearance denotes summation e.g. if 𝑦𝑗, 𝑙𝑘, 𝜀ℓ … becomes 𝑦, 𝑙, 𝜀 … it means σ𝑗 𝑦𝑗 , σ𝑘 𝑙𝑘 , σℓ 𝜀ℓ … Also for double indices!
𝑠 = 𝑙−1ȁx−axis and 𝜏 = 𝑙(𝑛 + 𝑠𝑦).
where 𝑙 ← 𝔾𝑟 and 𝑛 = ℋ(msg).
where 𝑙 ← 𝔾𝑟 and 𝑛 = ℋ(msg).
𝑠 = 𝑙−1ȁx−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦).
where 𝑙 ← 𝔾𝑟 and 𝑛 = ℋ(msg).
𝑠 = 𝑙−1ȁx−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦).
(Gist of) MPC sign: Sample shares 𝑙1 … 𝑙𝑜 of 𝑙 and compute shares of 𝑙 ⋅ 𝑦 via pairwise multiplication with 𝑦1 … 𝑦𝑜.
𝑠 = 𝑙−1ȁx−axis and 𝜏 = 𝑙 ⋅ 𝑛 + 𝑠(𝑙 ⋅ 𝑦).
where 𝑙 ← 𝔾𝑟 and 𝑛 = ℋ(msg).
Easy to deduce 𝑛 knowing 𝜒(𝑂) Where 𝜍 ← ℤ𝑂
∗
∗
=
C𝜒(𝑂)−1 mod 𝑂2 𝑂
⋅ 𝜚 𝑂 −1 mod 𝑂
∗
=
C𝜒(𝑂)−1 mod 𝑂2 𝑂
⋅ 𝜚 𝑂 −1 mod 𝑂
enc𝑂 𝑛1 + 𝑛2 = enc𝑂 𝑛1) ⋅ enc𝑂 (𝑛2 enc𝑂 𝛽 ⋅ 𝑛 = enc𝑂 𝑛 𝛽
Easy to deduce 𝑛 knowing 𝜒(𝑂) Where 𝜍 ← ℤ𝑂
∗
and ℬ wish to compute 𝑏, 𝑐 ↦ (𝑡1, 𝑡2) such that 𝑡1 + 𝑡2 = 𝑏 ⋅ 𝑐
Output: outputs 𝑡1 = dec (𝐸) and ℬ outputs 𝑡2.
dec(𝐸) = 𝑏𝑐 − 𝑡2 is associated with Paillier public key 𝑂
From 𝒬𝑗 perspective - Each 𝒬𝑗 holds secret key-share 𝑦𝑗
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 for 𝛾𝑗,𝑘 ← ±2ℓ ⋅ 𝑟
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
for 𝛾𝑗,𝑘
′ ← ±2ℓ ⋅ 𝑟
Send (𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′ ) to 𝒬 𝑘.
𝑗 = 𝛿𝑗 and send Γ 𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all.
Write 𝜓𝑗,𝑘 and 𝜀𝑗,𝑘 for 𝒬𝑗’s output in each mult. NB → 𝜀 = 𝑙 ⋅ 𝛿 and 𝜓 = 𝑙 ⋅ 𝑦
Output 𝑠, 𝜏 .
𝛿 ⋅ 𝜀−1 = 𝑙−1
We are embedding values of 𝔾𝑟 into ℤ𝑂 (𝑟 & 𝑂 are coprime) enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 = enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 In case of equality → signature verifies Otherwise → signature does not verify
Carefull choice of 𝛿 & 𝛾 reveals a bit of information per protocol execution.
(†)
We are embedding values of 𝔾𝑟 into ℤ𝑂 (𝑟 & 𝑂 are coprime) enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 = enc 𝛿 ⋅ 𝑙 + 𝛾 mod 𝑟 In case of equality → signature verifies Otherwise → signature does not verify Solution: Enforce a “range policy” on all secret data i.e. values can only be chosen from some range ±2ℓ ≪ 𝑂
Carefull choice of 𝛿 & 𝛾 reveals a bit of information per protocol execution.
(†)
ZK-Proofs for ℛ = 𝑂, 𝐷; 𝑦 𝐷 = enc𝑂 𝑦 ∧ 𝑦 ∈ ±2ℓ}
Also in Lindell-Nof’18 and Gennaro-Goldfeder’18
Prove that 𝑙𝑗 is small. Prove that 𝐸
𝑘,𝑗 and 𝐸 𝑘,𝑗 ′ were
computed as prescribed using sm small ll values
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 for 𝛾𝑗,𝑘 ← ±2ℓ ⋅ 𝑟
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
for 𝛾𝑗,𝑘
′ ← ±2ℓ ⋅ 𝑟
Send 𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′
to 𝒬
𝑘.
𝑗 = 𝑙𝑗 and send Γ 𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all
Verify that 𝑆 is well-formed
Prove that 𝑙𝑗 is small. Prove that 𝐸
𝑘,𝑗 and 𝐸 𝑘,𝑗 ′ were
computed as prescribed using sm small ll values
NEW! Special algebraic check for 𝑆.
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 for 𝛾𝑗,𝑘 ← ±2ℓ ⋅ 𝑟
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
for 𝛾𝑗,𝑘
′ ← ±2ℓ ⋅ 𝑟
Send 𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′
to 𝒬
𝑘.
𝑗 = 𝑙𝑗 and send Γ 𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑗 = 𝛿𝑗 and for each 𝑘 ≠ 𝑗 do
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 for 𝛾𝑗,𝑘 ← ±2ℓ ⋅ 𝑟
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
for 𝛾𝑗,𝑘
′ ← ±2ℓ ⋅ 𝑟
Send Γ𝑗, 𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′
to 𝒬
𝑘.
𝑘 𝑙𝑗 and send Δ𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all
Prove that 𝑙𝑗 is small. Prove that 𝐸
𝑘,𝑗 and 𝐸 𝑘,𝑗 ′ were
computed as prescribed using sm small ll values
NEW! Special algebraic check for 𝑆.
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑗 = 𝛿𝑗 and for each 𝑘 ≠ 𝑗 do
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 for 𝛾𝑗,𝑘 ← ±2ℓ ⋅ 𝑟
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
for 𝛾𝑗,𝑘
′ ← ±2ℓ ⋅ 𝑟
Send Γ𝑗, 𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′
to 𝒬
𝑘.
𝑘 𝑙𝑗 and send Δ𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all
Prove that 𝑙𝑗 is small. Prove that 𝐸
𝑘,𝑗 and 𝐸 𝑘,𝑗 ′ were
computed as prescribed using sm small ll values Prove that you use the right 𝑙𝑗.
Check that 𝜀 = ς𝑘 Δ𝑘
Prove that 𝑙𝑗 is small. Prove that 𝐸
𝑘,𝑗 and 𝐸 𝑘,𝑗 ′ were
computed as prescribed using sm small ll values
Check that 𝜀 = ς𝑘 Δ𝑘
Prove that you use the right 𝑙𝑗.
1. Sample 𝑙𝑗, 𝛿𝑗 ← 𝔾𝑟 and send 𝐿𝑗 = enc𝑗(𝑙𝑗) to all.
𝑗 = 𝛿𝑗 and for each 𝑘 ≠ 𝑗 do
𝑘,𝑗 = 𝐿 𝑘 𝑦𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 and 𝐺 𝑘,𝑗 = enc𝑗 𝛾𝑗,𝑘
𝑘,𝑗 ′ = 𝐿 𝑘 𝛿𝑗 ⋅ enc𝑘 𝛾𝑗,𝑘 ′
and 𝐺
𝑘,𝑗 ′ = enc𝑗 𝛾𝑗,𝑘 ′
Send Γ𝑗, 𝐸
𝑘,𝑗, 𝐸 𝑘,𝑗 ′ , 𝐺 𝑘,𝑗 , 𝐺 𝑘,𝑗 ′
to 𝒬
𝑘.
𝑘 𝑙𝑗 and send Δ𝑗, 𝜀𝑗 to all
ς𝑘 Γ
𝑘 𝜀−1
and send 𝜏𝑗 = 𝑙𝑗 𝑛 + 𝑠𝜓𝑗 to all
Output (𝑠, 𝜏) if it’s a valid sig
𝑃(𝑜2) comp/comm
style accountability”
If nonce 𝑆 is malformed: a) Open* all the ciphertexts {𝐸𝑗,𝑘
′ }𝑘≠𝑗.
b) Verify which party sent the wrong 𝜀
𝑘.
If signature-string does not verify Not possible to reveal the underlying plaintexts. Our Solution for Protocol 2 a) Reveal 𝑇
𝑘 = 𝑆𝑙𝑘 and 𝑍 𝑘 = 𝑆𝜓𝑘 during presigning.
Check that they are well-formed**.
b) Once 𝑛 is known check 𝑆𝜏𝑗 = 𝑇𝑗
𝑛 ⋅ 𝑍 𝑗 𝑠.
Includes long- term secrets 𝑦1 … 𝑦𝑜 Incurs a round- complexity penalty.
𝑃(𝑜) comp/comm overhead!
Previous works show security either via
THIS WORK (New) Our protocol(s) UC-realize an ideal threshold signature functionality.
1. Authorized sets can generate valid signatures. 2. Unauthorized sets cannot generate valid signatures.
Crux of the proof: UC simulation is indistinguishable unless non-threshold ECDSA is forgeable.
Scheme is provably secure against adaptive adversary
Reduces round-complexity and enables concurrent signings.
Reduces complexity penalty for accountability.
Security against adaptive adv. to gain full proactive security.