Provide authenticity and non repudiation assuming a secure public key infrastructure:
Party A signs a message m with a signature Sig using its secret key
Signatures are used in our everyday digital life to sign transactions, payments, contracts, documents, reports, etc. With the wide adoption of cryptocurrencies, the validity of a transactions lies on the signature of the issuer who holds its secret key to a wallet. Bitcoin,Ethereum use ECDSA digital signature algorithm.
A dealer wants to secret share a secret $s \in \mathbb{Z}q$ such that $t$ shares ${y_i}{i=0}^{t-1}$ out of total
To reconstruct Lagrange interpolation is used. We are looking for ways to identify a unique polynomial
Define the interpolation polynomial:
where the Lagrange polynomials
Finally the polynomial
Find the 2 degree polynomial from the following pairs
i | x | y |
---|---|---|
0 | 2 | 3 |
1 | 1 | 4 |
2 | -5 | 8 |
First construct the Lagrange polynomials
Compute the interpolating polynomial:
$p_{2}(x) = \sum_{j=0}^{2}y_j\mathcal{L}{2,j}=y_0\mathcal{L}{2,0}+y_1\mathcal{L}{2,1}+y_2\mathcal{L}{2,2}\=3\frac{1}{7}(x^2+4x-5)+4\frac{-1}{6}(x^2+3x-10)+8\frac{1}{42}(x^2-3x+2)\=\frac{3}{7}(x^2+4x-5)-\frac{2}{3}(x^2+3x-10)+\frac{4}{21}(x^2-3x+2)\=\frac{1}{3}x^2-\frac{18}{21}x+\frac{103}{21} = f(x)$
That does not seem correct :) I am missing sth.
Verifiable secret sharing allows the receivers of the shares to verify whether the dealer was giving consistent shares to the participants.
Dealer gives to every party
- Setup(): Output an elliptic curv group
$\mathbb{G}$ of order$q$ and an element G which generates$\mathbb{G}$ . - KeyGen(
$1^{\lambda}$ ): Choose uniformly at random$x\gets \mathbb{Z}_q$ . Set$\mathsf{sk} = x$ and publish the public key$\mathsf{pk} = G \cdot x$ - Sign(m,$\mathsf{sk} = x$)->
$\sigma$ :- Pick uniform at random
$k\gets \mathbb{Z}_q^*$ - Compute
$R = k \cdot G$ - Let
$R=(r_x,r_y)$ - Set
$r = r_x \mod q$ - s =
$k^{-1}(H(m) + x\cdot r)\mod q$ - Output
$\sigma = (r,s)$ , if$r=0$ or$s=0$ repeat the above steps.
- Pick uniform at random
- Verify(
$\sigma,\mathsf{pk}$ ):- Compute
$a=H(m)/s \mod \mathbb{Z}_q$ and$b=r/s \mod \mathbb{Z}_q$ $u = G \cdot a + G \cdot b \in \mathbb{G}$ - Let
$u=(u_x,u_y)$ $r' = u_x\mod \mathbb{Z}_q$ - if
$r==r'$ accept, otherwise reject
- Compute
To avoid single point of failure: stealing/loosing the secret signing key which authorizes transfers of assets - threshold signatures are adopted by FinTech industry to distribute trust among multiple signers holding a share of the secret key but never the secret key at each entire form.
Threshold ECDSA aglorithms in general are executed in two phases between
- ThresholdKeyGen: Each party
$P_j$ computes its share of random secret share$x_i^j$ - ThresholdSign: Each party computes its share of the signature
$\sigma_i^j$
[TODO]:Add appropriate security definitions. Basically unforgeability: malicious parties cannot produce signatures for messages they haven't seen their signatures. Depends on number of corrupted parties: honest/dishonest majority and malicious/passive adversaries
[MR04,GGN16,L17]: 2 parties setting
ThresholdKeyGen:
-
$P_1$ and$P_2$ hold$x_1$ and$x_2$ such that$x=x_1\cdot x_2$ -
$P_1,P_2$ compute$a=x_1\cdot G,b=x_2\cdot G$ , respectively and send each other$a,b$ -
$P_1,P_2$ compute$\mathsf{pk}=x_1 \cdot x_2\cdot G$
ThresholdSign:
-
$P_1$ chooses$k_1$ uniformly at random and$P_2$ choses$k_2$ uniformly at random - They both compute
$R = k_1\cdot k_2 \cdot G$ (DH) -
$P_1$ computes$k_1^{-1}$ and$P_2$ computes$k_2^{-1}$ - Each compute
$r_x = R \mod q$ - P1 computes Pailier public key
$pk1$ and secret key$sk1$ -
$P_1$ sends to$P_2$ :$c_1=E_{pk1}(k_1^{-1}\cdot H(m))$ and$c_2=E_{pk1}(k_1^{-1}\cdot x_1\cdot r)$ -
$P_2$ computes$\sigma_1 = c_2^{k_2^{-1}} = E_{pk1}(k_1^{-1}\cdot k_2^{-1}\cdot H(m))$ and$\sigma_2 = c_1^{k_2^{-1}\cdot x_2} = E_{pk1}(k_1^{-1}\cdot k_2^{-1}x_1\cdot x_2 \cdot r)$ - Finally
$\sigma(m) = Dec_{sk1}(\sigma_1\cdot \sigma_2)\ = Dec_{sk1}((E_{pk1}(k_1^{-1}\cdot k_2^{-1}\cdot H(m))\cdot E_{pk1}(k_1^{-1}\cdot k_2^{-1}x_1\cdot x_2 \cdot r))\=Dec_{sk1}(E_{pk1}(k^{-1}(H(m) + x\cdot r)\mod q))= k^{-1}(H(m) + x\cdot r)\mod q$
[MR04]: That works well for honest but curious adversaries. For malicious adversaries expensive ZKP are needed.
[L17] approach removes ZKP with some more preparation:
- ThresholdKeyGen is as above but
$P_1$ also sends to$P_2$ ,$x_1$ encrypted which$P_1$ pailllier public key$pk1: E_{pk1}(x_1)$ - The first
$4$ steps from ThresholdSign are executed as above, coupled with ZKP for DH exchanges: sender proves that it knows the secret exponent (fast and simple). - Interestengly
$P_2$ has almost an encrypted signature and it computes:$\sigma'=E_{pk1}(k_2^{-1}\cdot H(m))\cdot E_{pk1}(k_2^{-1}x_1\cdot x_2 \cdot r)$ . and sends$\sigma'$ to$P_1$ . -
$P_1$ decrypts$\sigma'$ and computes$\sigma=\sigma'\cdot k_1^{-1}$ -
$P_1$ verifies whether r,s is a valid ECDSA signature
Notice that if
If
- [GGN16]: Expensive key generation phase: distributed Paillier key generation.
- [GG18] Paillier
- [LNR18] Elgamal
- [DKLS19] OT based for multiplicative shareS: light computation, heavy bandwidth
- [FROST] Chelsea Komlo, Ian Goldberg: FROST: Flexible Round-Optimized Schnorr Threshold Signatures. SAC 20
- [MR04] Philip D. MacKenzie, Michael K. Reiter: Two-party generation of DSA signatures. Int. J. Inf. Sec
- [GGN16] Rosario Gennaro, Steven Goldfeder, Arvind Narayanan:Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security. ACNS 2016: 156-174
- [L17] Y Lindell:Fast secure two-party ECDSA signing Annual International Cryptology Conference, 2017
- [LNR18] Yehuda Lindell Ariel Nof Samuel Ranellucci: Fast Secure Multiparty ECDSA with Practical Distributed Key Generation and Applications to Cryptocurrency Custody
- [GG18] Rosario Gennaro and Steven Goldfeder: Fast Multiparty Threshold ECDSA with Fast Trustless Setup
- [Sepior] Ivan Damgard, Thomas Pelle Jakobsen,, Jesper Buus Nielsen, Jakob Illeborg, Pagter, and Michael Bæksvang Østergaard: Fast Threshold ECDSA with Honest Majority
- [GG20] Rosario Gennaro, Steven Goldfeder: One Round Threshold ECDSA with Identifiable Abort
- [Fireblocks] Ran Canetti, Rosario Gennaro, Steven Goldfeder, Nikolaos Makriyannis, Udi Peled: UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts
- [DKLS18] Jack Doerner, Yashvanth Kondi, Eysa Lee, Abhi Shelat: Secure two-party threshold ECDSA from ECDSA assumptions
- [DKLS19] Jack Doerner, Yashvanth Kondi, Eysa Lee, Abhi Shelat: Threshold ECDSA from ECDSA Assumptions: The Multiparty