# Using Level-1 Homomorphic Encryption to Improve Threshold DSA Signatures for Bitcoin Wallet Security

@inproceedings{Boneh2017UsingLH, title={Using Level-1 Homomorphic Encryption to Improve Threshold DSA Signatures for Bitcoin Wallet Security}, author={Dan Boneh and Rosario Gennaro and Steven Goldfeder}, booktitle={International Conference on Cryptology and Information Security in Latin America}, year={2017} }

Recently Gennaro et al. (ACNS ’16) presented a threshold-optimal signature algorithm for DSA. Threshold-optimality means that if security is set so that it is required to have \(t+1\) servers to cooperate to sign, then it is sufficient to have \(n=t+1\) honest servers in the network. Obviously threshold optimality compromises robustness since if \(n=t+1\), a single corrupted player can prevent the group from signing. Still, in their protocol, up to \(t\) corrupted players cannot produce valid…

## 40 Citations

### Bandwidth-efficient threshold EC-DSA

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

A new variant of the Gennaro and Goldfeder protocol from ACM CCS 2018 that avoids all the required range proofs, while retaining provable security against malicious adversaries in the dishonest majority setting is presented.

### Fast Threshold ECDSA with Honest Majority

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This work proposes a threshold ECDSA protocol secure against an active adversary in the honest majority model with abort, which is efficient in terms of both computation and bandwidth usage, and it allows the parties to pre-process parts of the signing, such that once the message to sign becomes known, they can compute a secret sharing of the signature very efficiently, using only local operations.

### Threshold ECDSA from ECDSA Assumptions: The Multiparty Case

- Computer Science, Mathematics
- 2019 IEEE Symposium on Security and Privacy (SP)
- 2019

This work proposes an extension of Doerner et al.'s scheme to arbitrary thresholds, and proves it secure against a malicious adversary corrupting up to one party less than the threshold under only the Computational Diffie-Hellman assumption in the Random Oracle model, an assumption strictly weaker than those under which ECDSA is proven.

### Fast Secure Two-Party ECDSA Signing

- Computer Science, Mathematics
- Journal of Cryptology
- 2021

This paper considers the specific case of two parties (and thus no honest majority) and constructs a protocol that is approximately two orders of magnitude faster than the previous best and is proven secure for sequential composition under standard assumptions using a game-based definition.

### Threshold ECDSA with an Offline Recovery Party

- Computer Science, Mathematics
- Mediterranean Journal of Mathematics
- 2021

This work presents the first protocol that supports multiparty signatures with an offline participant during the key-generation phase and that does not rely on a trusted third party, and proves the scheme secure against adaptive malicious adversaries.

### Secure Two-party Threshold ECDSA from ECDSA Assumptions

- Computer Science, Mathematics
- 2018 IEEE Symposium on Security and Privacy (SP)
- 2018

This work proposes new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which are proven secure against malicious adversaries in the random oracle model using only the Computational Diffie-Hellman Assumption and the assumptions already implied by ECDSA itself.

### On the Adaptive Security of the Threshold BLS Signature Scheme

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This work revisits the security of the threshold BLS signature by giving a modular security proof that follows a two-step approach and introduces a new security notion for distributed key generation protocols (DKG), which is satisfied by several protocols that previously only had a static security proof.

### A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party

- Computer Science, Mathematics
- ArXiv
- 2020

This work presents the first protocol that supports EdDSA multi-party signatures with an offline participant during the key-generation phase, without relying on a trusted third party, and proves the scheme secure against adaptive malicious adversaries.

### Promise Σ-protocol: How to Construct Efficient Threshold ECDSA from Encryptions Based on Class Groups

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2022

This paper presents efficient threshold ECDSA protocols from encryption schemes based on class groups, without either assuming the low order assumption or repeating the underlying zero-knowledge proof in parallel, yielding a significant efficiency improvement in the key generation over previous constructions.

### UC Non-Interactive, Proactive, Threshold ECDSA

- Computer Science, Mathematics
- IACR Cryptol. ePrint Arch.
- 2020

This protocol realizes an ideal threshold signature functionality within the UC framework, in the global random oracle model, assuming Strong RSA, semantic security of the Paillier encryption, and a somewhat enhanced variant of existential unforgeability of ECDSA.

## References

### Fast Secure Two-Party ECDSA Signing

- Computer Science, Mathematics
- Journal of Cryptology
- 2021

This paper considers the specific case of two parties (and thus no honest majority) and constructs a protocol that is approximately two orders of magnitude faster than the previous best and is proven secure for sequential composition under standard assumptions using a game-based definition.

### Robust Threshold DSS Signatures

- Computer Science, Mathematics
- Inf. Comput.
- 1996

This work presents threshold DSS (digital signature standard) signatures where the power to sign is shared by n players such that for a given parameter t there is a consensus that n players should have the right to sign.

### Secure Distributed Key Generation for Discrete-Log Based Cryptosystems

- Computer Science, Mathematics
- Journal of Cryptology
- 2006

This paper shows that a widely used dlog-based DKG protocol suggested by Pedersen does not guarantee a uniformly random distribution of generated keys, and presents a new protocol which proves to satisfy the security requirements from DKG protocols and ensures a uniform distribution of the generated keys.

### Adaptive Security for Threshold Cryptosystems

- Computer Science, Mathematics
- CRYPTO
- 1999

We present adaptively-secure efficient solutions to several central problems in the area of threshold cryptography. We prove these solutions to withstand adaptive attackers that choose parties for…

### Adaptively Secure Threshold Cryptography: Introducing Concurrency, Removing Erasures

- Computer Science, Mathematics
- EUROCRYPT
- 2000

Two new measures of security for threshold schemes secure in the adaptive adversary model are put forward: security under concurrent composition; and security without the assumption of reliable erasure, the first efficient implementation of secure channels in erasure-free adaptive model.

### Two Round Multiparty Computation via Multi-key FHE

- Computer Science, Mathematics
- EUROCRYPT
- 2016

A general multiparty computation (MPC) protocol with only two rounds of interaction in the common random string model, which is known to be optimal in the honest-but-curious setting and fully malicious setting, is constructed.

### On the Portability of Generalized Schnorr Proofs

- Computer Science, Mathematics
- EUROCRYPT
- 2009

The notion of "protocol portability," a property that identifies input and verifier state distributions under which a protocol becomes a ZKP when called as a subroutine in a sequential execution of a larger application, is introduced.

### Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations

- Mathematics, Computer Science
- CRYPTO
- 1997

This paper proposes a bit commitment scheme, BC(·), and efficient statistical zero knowledge (in short, SZK) protocols in which, for any given multi-variable polynomial \(f(X_1, \ldots, X_t)\) and any given…

### Non-interactive and reusable non-malleable commitment schemes

- Mathematics, Computer Science
- STOC '03
- 2003

It is shown how to construct non-interactive NM commitments that remain non-malleable even if the adversary has access to an arbitrary number of commitments from honest players - rather than one, as in several previous schemes.

### Using Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

- Mathematics, Computer Science
- CCS
- 2014

A technique to transform a linearly-homomorphic encryption into a scheme capable of evaluating degree-2 computations on ciphertexts is presented and is extended to build a protocol for outsourcing computation on encrypted data using two (non-communicating) servers.