IACR News item: 30 September 2022
Constantin Blokh, Nikolaos Makriyannis, Udi Peled
ePrint Report
Motivated by applications to cold-storage solutions for ECDSA-based cryptocurrencies, we present a new ECDSA protocol between $n$ ``online'' parties and a single ``offline'' party. Our protocol tolerates all-but-one adaptive corruptions, and it achieves full proactive security. Our protocol improves as follows over the state of the art.
** The preprocessing phase for calculating preprocessed data for future signatures is lightweight and non-interactive; it consists of each party sending a single independently-generated short message per future signature per online party (approx.~300B for typical choice of parameters).
** The signing phase is asymmetric in the following sense; to calculate the signature, it is enough for the offline party to receive a single short message from the online ``world'' (approx.~300B).
We note that all previous ECDSA protocols require many rounds of interaction between all parties, and thus all previous protocols require extensive ``interactive time'' from the offline party. In contrast, our protocol requires minimal involvement from the offline party, and it is thus ideal for MPC-based cold storage.
Our main technical innovation for achieving the above is twofold: First, building on recent protocols, we design a two-party protocol that we non-generically compile into a highly efficient $(n+1)$-party protocol. Second, we present a new batching technique for proving in zero-knowledge that the plaintext values of practically any number of Paillier ciphertexts lie in a given range. The cost of the resulting (batched) proof is very close to the cost of the underlying single-instance proof of MacKenzie and Reiter (CRYPTO'01, IJIS'04). We prove security in the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of Paillier encryption, DDH, and enhanced existential unforgeability of ECDSA; these assumptions are widely used in the threshold-ECDSA literature and many commercially-available MPC-based wallets.
** The preprocessing phase for calculating preprocessed data for future signatures is lightweight and non-interactive; it consists of each party sending a single independently-generated short message per future signature per online party (approx.~300B for typical choice of parameters).
** The signing phase is asymmetric in the following sense; to calculate the signature, it is enough for the offline party to receive a single short message from the online ``world'' (approx.~300B).
We note that all previous ECDSA protocols require many rounds of interaction between all parties, and thus all previous protocols require extensive ``interactive time'' from the offline party. In contrast, our protocol requires minimal involvement from the offline party, and it is thus ideal for MPC-based cold storage.
Our main technical innovation for achieving the above is twofold: First, building on recent protocols, we design a two-party protocol that we non-generically compile into a highly efficient $(n+1)$-party protocol. Second, we present a new batching technique for proving in zero-knowledge that the plaintext values of practically any number of Paillier ciphertexts lie in a given range. The cost of the resulting (batched) proof is very close to the cost of the underlying single-instance proof of MacKenzie and Reiter (CRYPTO'01, IJIS'04). We prove security in the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of Paillier encryption, DDH, and enhanced existential unforgeability of ECDSA; these assumptions are widely used in the threshold-ECDSA literature and many commercially-available MPC-based wallets.
Additional news items may be found on the IACR news page.