accepted paper of 2018 ACM SIGSAC Conference on Computer and Communications Security by Rosario Gennaro and Steven Goldfeder

1. Fast Multiparty Threshold ECDSA with Fast Trustless
Setup
2018 ACM SIGSAC Conference on Computer and Communications Security
Rosario Gennaro and Steven Goldfeder
林彥賓
2020/10/21

2. Outline
Introduction
Definition
Threshold Signatures
Feldman's VSS Protocol
Schnorr's ZK Protocol
Short Proofs Of Knowledge For Factoring
Multiplicative To Additive With Check Protocol
The Proposal Scheme

3. Introduction
Previous Scheme
The secret key is encrypted under a public key encryption scheme E and secret key of
E that is shared among the players, where E is an additively homomorphic encryption
scheme(e.g. Paillier's)
Problem
Distributed generation of an RSA modulus are far from scalable and efficient
Expensive ZK Proofs in case of a Malicious Adversary
x
3

4. Definition
Existential unforgeability Signature Schemes
Adversary can produce a signature on a message be the set of
messages queried by adversary, except with negligible probability in
non-malleable commitment
If no adversary , given a commitment to a messages , is able to produce
another commitment such that after seeing the opening of to , A can
successfully decommit to a related message
m ∈ M, M
λ
A C m
C′
C m
m′
4

5. The Digital Signature Standard
Public Parameters: Cyclic group of prime order , a generator for , a hash
function , and another hash function
G q g G
H : {0, 1} → Zq H :′
G → Zq
g (y =ms−1
g ) =x rs−1
g =(m+xr)s−1
g =k−1
R
5

6. Threshold Signatures
Threshold secret sharing
-threshold secret sharing of a secret consists of shares that takes
as input of these shares and outputs the secret, but or fewer shares do not
reveal any information about the secret.
Threshold signature schemes.
Consider a signature scheme, S=(Key-Gen, Sig, Ver). A -threshold signature
scheme TS for S enables distributing the signing among a group of players,
such that any group of at least of these players can jointly generate a
signature, whereas groups of size or fewer cannot. More formally, TS consists of two
protocols
(t, n) x n x , ..., x1 n
t + 1 t
(t, n)
n
P , ..., P1 n t + 1
t
6

7. Feldman's VSS Protocol
Shamir's scheme
to share a secret , the dealer generates a random degree polynomial
over such that . Each player receives a share
Feldman's VSS
Feldman's VSS is an extension of Shamir secret sharing
the dealer also publishes for all
each player can check its share i for consistency by verifying:
g =σ
v ∈
j=0
∏
t
j
ij
G
σ ∈ Zq t(⋅) p(0)
Zq p(0) = σ Pi σ =i p(i) mod q
v =i g ∈ai
G i ∈ [1, t], v =0 g ∈σ G
Pi
7

8. Schnorr's ZK Protocol
System parameter:
is an order element in
the bit length of the challenge chosen by B
Public identity:
Private authenticator: where
1. A picks a random number and sends B
2. B sends random challenge
3. A sends B
4. B accepts if
p, q, g, t
q∣(p − 1)
g q Zp
∗
t
v
s v = g mods p
r ∈ {1, ...q − 1} x = g modr p
e ∈ {1, ..2 −t
1}
y = r + se mod q
x = g (v =(y=r+se)
g ) mods −e
p
8

9. Short Proofs Of Knowledge For Factoring
Let be integers
Let be elements randomly chosen in
A, B, ℓ, K
z , ...z1 k K Zn
∗
9

10. Multiplicative To Additive With Check Protocol
Alice and Bob holding two secrets
Alice is associated with a public key for an additively homomorphic scheme
over an integer , be a bound
Assume be public. Alice and Bob would like to compute secret additive
shares such that
1. Alice sending to Bob and proving in ZK that
2. Bob chosen at random and sets his share . He responds:
sending
proving in ZK that
public proving in ZK that he knows such that and
3. Alice decrypts to obtain and sets
a, b ∈ Z , x =q ab mod q
EA ϵ
N K q
B = gb
α + β = x = ab mod q
c =A E (a)A a K
β′ β = −β mod′ q
c =B b ×E c +A E E (β ) =A
′ E (ab +A β )′
b K
b, β′
B = gb
c =B b ×E
c +A E E (β )A
′
cB α′
α = α mod′
q 10

11. MtAwc
Simulation
If the adversary corrupts Bob, then Alice's message can be simulated without
knowledge of its input a. Indeed a simulator can just choose a random
and act as Alice
However if the range proofs are not used, a malicious Alice or Bob can cause the
protocol to fail by choosing large inputs.
a ∈′
Zq
11

12. ZK Range Proof
Input:A Paillier public key and a value
The prover knows such that , where is
the order of the DSA group.
At the end of the protocol the Verifier is convinced that
NΓ c ∈ ZN2
m ∈ Z , r ∈q ZN c = Γ r modm N
N2
q
m ∈ [q , q ]3 3
12

13. The Proposal Scheme
Initial
The players run on input G; g the cyclic group used by the DSA signature scheme
Assume that each player is associated with a public key for an additively
homomorphic encryption scheme
Key Generation
Phase 1:
i. Each Player selects
ii. Computes and broadcast
iii. Each Player broadcasts the public key for Paillier's cryptosystem
Pi Ei
ϵ
Pi u ∈i R Zq
[KGC , KGD ] =i i Com(g )ui
KGCi
Pi Ei
13

14. The Proposal Scheme
Key Generation
Phase 2:
i. Each Player broadcasts .
ii. Let be the value decommitted by
iii. The public key is set to and Each player adds the private shares
received during the Feldman VSS protocols
iv. The resulting values are a Shamir's secret sharing of the secret key
. $X_i = g^{x_i} are public
Phase 3:
i. Let be the RSA modulus associated with
ii. Each player proves in ZK that he knows using Schnorr's protocol and
that he knows using any proof of knowledge of integer factorization
Pi KGDi
yi Pi
y = y∏i i
n
xi (t, n)
x = u∑i i
N =i p qi i Ei
Pi xi
p , qi i
14

15. The Proposal Scheme
Signature Generation
Let be the set of players participating in the signature protocol. We
assume that for the signing protocol using a secret sharing scheme
Phase 1.
i. Each Player selects
ii. Computes $[C_i, D_i] = Com(g^{gamma_i}) and broadcast Ci
iii. Set
S ⊆ [1, ..., n]
∣S∣ = t (t, t)
Pi k γ ∈i i R Zq
k = k , γ =∑i∈S i γ∑i∈S i
15

16. Signature Generation
16

17. Signature Generation
Phase 4.
i. Each Player broadcasts
ii. Let be the values decommitted by who proves in ZK that he knows
using Schnorr's protocol
iii. compute
iv. Set
Phase 5. Each player sets a sharing of s
Note that
Pi Di
Γi Pi
γ , Γ =i i gγi
r = H (R)′
Pi s =i mk +i rσi (t, t)
17

18. Signature Generation
Phase 5.
18

19. Intuition of Phase 5
Naive approach without 5 phase Adversary can broadcast and check
that according to the DSA verication algorithm
The protocol the players mask with a random value
Let . Then and therefore .
The players cannot reveal to check the correctness of V as this would de-mask
so we randomize the aggregate value to
S =i Rsi
S =∏i i R =s
g ym r
Rsi
gℓi
V =i R gsi ℓi
V =∏i i R gs ℓ
V = gℓ
gℓi
Rsi
U = gℓp
19

20. The Zero-Knowledge Proofs In step (5B)
A player P outputs and must prove that he knows V = R g , A =s ℓ gρ s, ℓ, ρ
20

21. Removing the ZK proofs from the MtA protocol
The Attacker wins if he forges a signature on a message for which the Challenger
did not output a signature. The assumption is that winning this game is infeasible.
Thee author believe this assumption to be reasonable because it appears that the
Attacker receives only limited information about the values x, k
21