International Association for Cryptologic Research

CryptoDB

SPRINT: High-Throughput Robust Distributed Schnorr Signatures

Authors:
Fabrice Benhamouda, Amazon Web Services
Shai Halevi, Amazon Web Services
Hugo Krawczyk, Amazon Web Services
Yiping Ma, University of Pennsylvania
Tal Rabin, Amazon Web Services and University of Pennsylvania
Conference: EUROCRYPT 2024
Abstract: We describe robust high-throughput threshold protocols for generating Schnorr signatures in an asynchronous setting with potentially hundreds of parties. The protocols run a single message-independent interactive ephemeral randomness generation procedure (i.e., DKG) followed by non-interactive signature generation for multiple messages, at a communication cost similar to one execution of a synchronous non-robust protocol in prior work (e.g., Gennaro et al.) and with a large number of parties (ranging from few tens to hundreds and more). Our protocols extend seamlessly to the dynamic/proactive setting where each run of the protocol uses a new committee with refreshed shares of the secret key; in particular, they support large committees periodically sampled from among the overall population of parties and the required secret state is transferred to the selected parties. The protocols work over a broadcast channel and are robust (provide guaranteed output delivery) even over asynchronous networks. The combination of these features makes our protocols a good match for implementing a signature service over a public blockchain with many validators, where guaranteed output delivery is an absolute must. In that setting, there is a system-wide public key, where the corresponding secret signature key is distributed among the validators. Clients can submit messages (under suitable controls, e.g. smart contracts), and authorized messages are signed relative to the global public key. Asymptotically, when running with committees of $n$ parties, our protocols can generate $\Omega(n^2)$ signatures per run, while providing resilience against $\Omega(n)$ corrupted nodes and broadcasting only $O(n^2)$ group elements and scalars (hence $O(1)$ elements per signature). We prove the security of our protocols via a reduction to the hardness of the discrete logarithm problem in the random oracle model.
BibTeX
@inproceedings{eurocrypt-2024-33894,
  title={SPRINT: High-Throughput Robust Distributed Schnorr Signatures},
  publisher={Springer-Verlag},
  author={Fabrice Benhamouda and Shai Halevi and Hugo Krawczyk and Yiping Ma and Tal Rabin},
  year=2024
}