seminar of One Round Threshold ECDSA with Identifiable Abort IACR Cryptol. ePrint Arch. 2020 by Rosario Gennaro, Steven Goldfeder

1. One Round Threshold ECDSA with Identifiable Abort
IACR Cryptol. ePrint Arch. 2020
Rosario Gennaro, Steven Goldfeder
The City University of New York
Cornell Tech/Ochain Labs
林彥賓
2021/1/16

2. Contribution
Noninteractive online phase: The protocol can be split into an offline
preprocessing stage with most of the computation and communication, and an
online stage when the message is known, consisting of a single communication
round where each player performs a single scalar multiplication
Identifiable Abort: The protocol allows the efficient detection of aborting parties
2

3. Definition
Existential unforgeability Signature Schemes
Adversary can produce a signature on a message be the set of
messages queried by adversary, except with negligible probability in
non-malleable commitment
If no adversary , given a commitment to a messages , is able to produce
another commitment such that after seeing the opening of to , A can
successfully decommit to a related message
m ∈ M, M
λ
A C m
C′
C m
m′
3

4. The Digital Signature Standard
Public Parameters: Cyclic group of prime order , a generator for , a hash
function , and another hash function
G q g G
H : {0, 1} → Zq H :
′
G → Zq
g (y =
ms−1
g ) =
x rs−1
g =
(m+xr)s−1
g =
k−1
R
4

5. Threshold Signatures
Threshold secret sharing
-threshold secret sharing of a secret consists of shares that takes
as input of these shares and outputs the secret, but or fewer shares do not
reveal any information about the secret.
Threshold signature schemes.
Consider a signature scheme, S=(Key-Gen, Sig, Ver). A -threshold signature
scheme TS for S enables distributing the signing among a group of players,
such that any group of at least of these players can jointly generate a
signature, whereas groups of size or fewer cannot. More formally, TS consists of two
protocols
(t, n) x n x , ..., x
1 n
t + 1 t
(t, n)
n
P , ..., P
1 n t + 1
t
5

6. Feldman's VSS Protocol
Shamir's scheme
to share a secret , the dealer generates a random degree polynomial
over such that . Each player receives a share
Feldman's VSS
Feldman's VSS is an extension of Shamir secret sharing
the dealer also publishes for all
each player can check its share i for consistency by verifying:
g =
σ
v ∈
j=0
∏
t
j
ij
G
σ ∈ Zq t(⋅) p(0)
Zq p(0) = σ Pi σ =
i p(i) mod q
v =
i g ∈
ai
G i ∈ [1, t], v =
0 g ∈
σ G
Pi
6

7. Multiplicative To Additive With Check Protocol
Alice and Bob holding two secrets
Alice is associated with a public key for an additively homomorphic scheme
over an integer , be a bound
Assume be public. Alice and Bob would like to compute secret additive
shares such that
1. Alice sending to Bob and proving in ZK that
2. Bob chosen at random and sets his share . He responds:
sending
proving in ZK that
public proving in ZK that he knows such that and
3. Alice decrypts to obtain and sets
a, b ∈ Z , x =
q ab mod q
EA ϵ
N K q
B = gb
α + β = x = ab mod q
c =
A E (a)
A a K
β′ β = −β mod
′ q
c =
B b ×E c +
A E E (β ) =
A
′ E (ab +
A β )
′
b K
b, β′
B = gb
c =
B b ×E
c +
A E E (β )
A
′
cB α′
α = α mod
′
q 7

8. MtAwc
Simulation
If the adversary corrupts Bob, then Alice's message can be simulated without
knowledge of its input a. Indeed a simulator can just choose a random
and act as Alice
However if the range proofs are not used, a malicious Alice or Bob can cause the
protocol to fail by choosing large inputs.
a ∈
′
Zq
8

9. The Proposal Scheme
Initial
The players run on input G; g the cyclic group used by the DSA signature scheme
Assume that each player is associated with a public key for an additively
homomorphic encryption scheme
Key Generation
Phase 1:
i. Each Player selects
ii. Computes and broadcast
iii. Each Player broadcasts the public key for Paillier's cryptosystem
Pi Ei
ϵ
Pi u ∈
i R Zq
[KGC , KGD ] =
i i Com(g )
ui
KGCi
Pi Ei
9

10. The Proposal Scheme
Key Generation
Phase 2:
i. Each Player broadcasts .
ii. Let be the value decommitted by
iii. The public key is set to and Each player adds the private shares
received during the Feldman VSS protocols
iv. The resulting values are a Shamir's secret sharing of the secret key
are public
Phase 3:
i. Let be the RSA modulus associated with
ii. Each player proves in ZK that he knows using Schnorr's protocol and
that he knows using any proof of knowledge of integer factorization
Pi KGDi
yi Pi
y = y
∏i i
n
xi (t, n)
x = u , X =
∑i i i gxi
N =
i p q
i i Ei
Pi xi
p , q
i i
10

11. The Proposal Scheme
Signature Generation
Let be the set of players participating in the signature protocol. We
assume that for the signing protocol using a secret sharing scheme
Phase 1.
i. Each Player selects
ii. Computes and broadcast
iii. Set
S ⊆ [1, ..., n]
∣S∣ = t (t, t)
Pi k γ ∈
i i R Zq
[C , D ] =
i i Com(g )
γi
Ci
k = k , γ =
∑i∈S i γ
∑i∈S i
11

12. Signature Generation
12

13. Phase 3.
Every player broadcasts where
and proves in ZK that he knows
Phase 4.
i. Each Player broadcasts
ii. Let be the values decommitted by who proves in ZK that he knows
using Schnorr's protocol. Set
iii. compute
iv. Set
Pi T =
i g h , h =
σi ℓi
Hash(x, r) r, ℓ ∈
i R Zq
σ , ℓ
i i
Pi Di
Γi Pi
γ , Γ =
i i gγi
Γ = Γ
∏i∈S i
r = H (R)
′
13

14. R =
∏i∈S
ki
R =
k
∑i∈S i
(g ) =
k−1
k
g
R =
∏i∈S
σi
R =
σ
∑i∈S i
(g ) =
k−1
kx
g =
x
y
14

15. g (y =
ms−1
g ) =
x rs−1
g =
ms +xrs
−1 −1
g =
(m+xr)(m k +r σ )
∑ i ∑ i
−1
g =
(m+xr)(m+xr) k
−1 −1
gk−1
15

16. Zero-Knowledge Proofs
g h =
t=a+cσ u=b+cℓ
g h (g h ) =
a b σ ℓ c
αTc
16

17. R =
t=a+cσ R R =
a σc
αSc
g h =
t=a+cσ u=b+cℓ g h (g h ) =
a b σ ℓ βTc
17

18. Identifying aborts in the Key Generation protocol
Abort
Phase 2: If a player complains that the Feldman share it received from is
inconsistent and therefore does not verify correctly
Phase 3: When each player is proving knowledge of and proving the correctness
of their Paillier key, if one of these proofs fails to verify.
Identifying
Phase 2: ambiguity as if the bad player is (dealing a bad Feldman VSS) or
(trying to frame )
publish the share that he received from for everyone to check
Phase 3: If a ZK proof fails, then we immediately know who the bad player is
Pj Pi
xi
Pi Pj
Pi
Pj Pi
18

19. Identifying aborts in the signing protocol
Abort
19

20. Identifying
For 1, 2, 3, 4, 6, check ZK proof and commitment to identify
For 8, we can check each palyer hold
For 5: Since is not release, we don't need to hide to protect secrete
Each player publishes its values to let other player verify
R =
si
⋅
Ri
m
Si
r
si ki xi
Pi k , γ , α , β
i i i,j i,j δi
20

21. For 7: should be secrete, but we can reveal to check
i. Each player publishes and private key to decrypt
ii. Every other player can verify that the value send to was and the
value sent send to was
iii. for all , since are public, everyone can now compute
using the equation . Now they can compute
g =
σi
g g g
w k
i i
j=i

∏ μi,j
j=i

∏ vj,i
iv. Each player proves in zero knowledge for consistency between and
. If for any player this does not hold, the abort is attributed to that
player
wi ui,j σi
Pi k , μ
i i,j
Pℓ Pi Pj ki
Pj Pi μi,j
j g (X =
wj
i g ), k , μ
xi
i i,j
gvj,i
g =
μi,j
g g
w k
j i −vi,j
Pi gσi
S =
i Rσi
21

22. ZK Proof for identifying of phase 7
The Prover has two values and
He sends and for
The Verier sends
The Prover answers with
The Verier checks and
=
∑ gσ
S = Rσ
α = ga
β = Ra
a ∈R Zq
c ∈R Zq
t = a + cσ mod q
g =
t
α ∑
c
R =
t
βSc
g =
t
g g =
a σc
α ∑
c
R =
t
R R =
a σc
βSc
22

23. After identifying?
revoke
why we need revoke but not reshare?
cost for reshare is expensive
why reshare is expensive?
large number of participate
23