# Fast Secure Two-Party ECDSA Signing

@article{Lindell2021FastST, title={Fast Secure Two-Party ECDSA Signing}, author={Yehuda Lindell}, journal={Journal of Cryptology}, year={2021}, volume={34} }

ECDSA is a standard digital signature scheme that is widely used in TLS, Bitcoin and elsewhere. Unlike other schemes like RSA, Schnorr signatures and more, it is particularly hard to construct efficient threshold signature protocols for ECDSA (and DSA). As a result, the best-known protocols today for secure distributed ECDSA require running heavy zero-knowledge proofs and computing many large-modulus exponentiations for every signing operation. In this paper, we consider the specific case of…

## 128 Citations

### Fast Threshold ECDSA with Honest Majority

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2020

This work proposes a threshold ECDSA protocol secure against an active adversary in the honest majority model with abort, which is efficient in terms of both computation and bandwidth usage, and it allows the parties to pre-process parts of the signing, such that once the message to sign becomes known, they can compute a secret sharing of the signature very efficiently, using only local operations.

### Secure Two-party Threshold ECDSA from ECDSA Assumptions

- Computer Science, Mathematics2018 IEEE Symposium on Security and Privacy (SP)
- 2018

This work proposes new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which prove secure against malicious adversaries in the random oracle model using only the Computational Diffie-Hellman Assumption and the assumptions already implied by E CDSA itself.

### Simple Three-Round Multiparty Schnorr Signing with Full Simulatability

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

A simple three-round multiparty protocol for Schnorr signatures that is fully simulatable, secure under concurrent composition, and proven secure in the standard model or random-oracle model (depending on the instantiations of the commitment and zero-knowledge primitives).

### Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody

- Computer Science, MathematicsCCS
- 2018

This paper presents the first truly practical full threshold ECDSA signing protocol that has both fast signing and fast key distribution, which solves a years-old open problem, and opens the door to practical uses of threshold E CDSA signing that are in demand today.

### Efficient Threshold-Optimal ECDSA

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

This paper proposes a threshold-optimal ECDSA scheme based on the first threshold signature scheme by Gennaro et al. with efficient non-interactive signing for any t + 1 signers in the group,…

### A Multiparty Computation Approach to Threshold ECDSA

- Computer Science, Mathematics
- 2018

New protocols for multi-party ECDSA key-generation and signing with arbitrary thresholds, that are secure against malicious adversaries in the Random Oracle Model assuming only the Computational Diffie-Hellman Assumption are reported on.

### Threshold ECDSA from ECDSA Assumptions: The Multiparty Case

- Computer Science, Mathematics2019 IEEE Symposium on Security and Privacy (SP)
- 2019

This work proposes an extension of Doerner et al.'s scheme to arbitrary thresholds, and proves it secure against a malicious adversary corrupting up to one party less than the threshold under only the Computational Diffie-Hellman assumption in the Random Oracle model, an assumption strictly weaker than those under which ECDSA is proven.

### On the Adaptive Security of the Threshold BLS Signature Scheme

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2022

This work revisits the security of the threshold BLS signature by giving a modular security proof that follows a two-step approach and introduces a new security notion for distributed key generation protocols (DKG), which is satisfied by several protocols that previously only had a static security proof.

### A provable-secure and practical two-party distributed signing protocol for SM2 signature algorithm

- Computer Science, MathematicsFrontiers of Computer Science
- 2019

This paper proposes an efficient and secure two-party distributed signing protocol for the SM2 signature algorithm, mandated by the Chinese government for all electronic commerce applications and proves that the protocol is secure under nonstandard assumption.

### Compact Zero-Knowledge Proofs for Threshold ECDSA with Trustless Setup

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2021

This paper proposes compact zero-knowledge proofs for threshold ECDSA to lower the communication bandwidth, as well as the computation cost, and proposes an all-rounded performance improvement for the key generation algorithm.

## References

SHOWING 1-10 OF 36 REFERENCES

### Highly-Efficient Universally-Composable Commitments based on the DDH Assumption

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2011

This paper constructs highly efficient UC-secure commitments from the standard DDH assumption, in the common reference string model, where the latter construction has an effective additional cost of just 5 1/3 exponentiations.

### Using Level-1 Homomorphic Encryption to Improve Threshold DSA Signatures for Bitcoin Wallet Security

- Computer Science, MathematicsLATINCRYPT
- 2017

Recently Gennaro et al. (ACNS ’16) presented a threshold-optimal signature algorithm for DSA that requires six rounds which is already an improvement over the eight rounds of the classic threshold DSA of Gennario et al (Eurocrypt ’99) (which is not threshold optimal).

### Efficient Secure Two-Party Protocols: Techniques and Constructions

- Computer Science, Mathematics
- 2010

The authors present a comprehensive study of efficient protocols and techniques for secure two-party computation both general constructions that can be used to securely compute any functionality, and…

### Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security

- Computer Science, MathematicsACNS
- 2016

This paper presents the first general threshold DSA scheme that does not require an honest majority and is useful for securing Bitcoin wallets, and presents a compelling application to use the scheme: securingBitcoin wallets.

### Analysis and Improvement of Lindell's UC-Secure Commitment Schemes

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2013

This work modifications the proof of the original paper and presents a more efficient commitment scheme secure in the UC framework, with the same level of security as Lindell's protocol: adaptive corruptions, with erasures.

### A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System

- Mathematics, Computer SciencePublic Key Cryptography
- 2001

We propose a generalisation of Paillier's probabilistic public key system, in which the expansion factor is reduced and which allows to adjust the block length of the scheme even after the public key…

### Robust Threshold DSS Signatures

- Computer Science, MathematicsInf. Comput.
- 1996

This work presents threshold DSS (digital signature standard) signatures where the power to sign is shared by n players such that for a given parameter t there is a consensus that n players should have the right to sign.

### Security and Composition of Multiparty Cryptographic Protocols

- Computer Science, MathematicsJournal of Cryptology
- 2000

In the computational model, this work provides the first definition of security of protocols that is shown to be preserved under composition, and follows the general paradigm of known definitions.

### Two-party generation of DSA signatures

- Computer Science, MathematicsInternational Journal of Information Security
- 2004

We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain…

### Improving Practical UC-Secure Commitments Based on the DDH Assumption

- Computer Science, MathematicsSCN
- 2016

At Eurocrypt 2011, Lindell presented practical static and adaptively UC-secure commitment schemes based on the DDH assumption. Later, Blazy eti¾?al. at ACNS 2013 improved the efficiency of the…