[Resource Topic] 2022/1296: Efficient Asymmetric Threshold ECDSA for MPC-based Cold Storage

Welcome to the resource topic for 2022/1296

Efficient Asymmetric Threshold ECDSA for MPC-based Cold Storage

Authors: Constantin Blokh, Nikolaos Makriyannis, Udi Peled


Motivated by applications to cold-storage solutions for ECDSA-based cryptocurrencies, we present a new ECDSA protocol between n "online" parties and a single "offline" party. Our protocol tolerates all-but-one adaptive corruptions, and it achieves full proactive security. Our protocol improves as follows over the state of the art.

* The preprocessing phase for calculating preprocessed data for future signatures is lightweight and non-interactive; it consists of each party sending a single independently-generated short message per future signature per online party (approx. 300B for typical choice of parameters).

* The signing phase is asymmetric in the following sense; to calculate the signature, it is enough for the offline party to receive a single short message from the online "world" (approx. 300B).

We note that all previous ECDSA protocols require many rounds of interaction between all parties, and thus all previous protocols require extensive "interactive time" from the offline party. In contrast, our protocol requires minimal involvement from the offline party, and it is thus ideal for MPC-based cold storage.

Our main technical innovation for achieving the above is twofold: First, building on recent protocols, we design a two-party protocol that we non-generically compile into a highly efficient (n+1)-party protocol. Second, we present a new batching technique for proving in zero-knowledge that the plaintext values of practically any number of Paillier ciphertexts lie in a given range. The cost of the resulting (batched) proof is very close to the cost of the underlying single-instance proof of MacKenzie and Reiter (CRYPTO’01, IJIS’04).

We prove security in the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of Paillier encryption, DDH, and enhanced existential unforgeability of ECDSA; these assumptions are widely used in the threshold-ECDSA literature and many commercially-available MPC-based wallets.

ePrint: https://eprint.iacr.org/2022/1296

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.