Bandwidth-efficient threshold EC-DSA, extensions and enhanced security


AMAC Seminar: CASC

4/02/2021 - 09:30 Ida Tucker (IMDEA Software Institute) Room 106 - IMAG Building

Threshold signatures allow n parties to share the power of issuing digital signatures so that any coalition of t+1 or more can sign, whereas groups of t or fewer parties cannot. Over the last few years many schemes have addressed the question of realizing efficient threshold variants for the specific case of the elliptic curve signature standard, i.e. EC-DSA signatures. In this talk I will present new solutions to the problem that aim at reducing the overall bandwidth consumption.

I will present a full threshold EC-DSA protocol whose security relies on cryptographic assumptions in class groups of imaginary quadratic fields. Our protocol avoids the range proofs required in comparable protocols, while retaining provable security against malicious adversaries in the dishonest majority setting. Its bandwidth consumption is significantly lower than that of the best previously known secure protocols, for a similar speed.
Crucial to the efficiency of our protocol are zero-knowledge arguments of knowledge which we designed for our protocol. These arguments of knowledge, which we believe to be of independent interest, tackle issues due to the unknown order of the groups we work in.

Finally, I will discuss some recent improvements to the protocol: pre-processing techniques which allow us to massively reduce the online cost of signing, so that once parties know the message to be signed, one broadcast per party suffices to safely compute a valid signature; and new functionalities that enhance the protocol's security and further discourage parties from misbehaving.


Link for the video: