1. Secure Two-party Threshold ECDSA from ECDSA Assumptions 2018 Oakland Signatures
    J. Doerner and Y. Kondi and E. Lee and A. Shelat
    [View PDF on ieeexplore.ieee.org]
    [Show BibTex Citation]

    author={J. {Doerner} and Y. {Kondi} and E. {Lee} and A. {Shelat}},
    booktitle={2018 IEEE Symposium on Security and Privacy (SP)},
    title={Secure Two-party Threshold ECDSA from ECDSA Assumptions},
    keywords={digital signatures;public key cryptography;cryptographic algorithms;Paillier encryption scheme;multiparty ECDSA key-generation;random oracle model;local signatures;two-party threshold ECDSA;ECDSA assumptions;binary authentication;web security;cryptographic assumptions;elliptic curve digital signature algorithm;computational Diffie-hellman assumption;Protocols;Elliptic curves;Digital signatures;Encryption;Standards;ECDSA;Multiparty Computation;Threshold Cryptography;Elliptic Curve Cryptography;Concrete Efficiency},

The Elliptic Curve Digital Signature Algorithm (ECDSA) is one of the most widely used schemes in deployed cryptography. Through its applications in code and binary authentication, web security, and cryptocurrency, it is likely one of the few cryptographic algorithms encountered on a daily basis by the average person. However, its design is such that executing multi-party or threshold signatures in a secure manner is challenging: unlike other, less widespread signature schemes, secure multi-party ECDSA requires custom protocols, which has heretofore implied reliance upon additional cryptographic assumptions such as the Paillier encryption scheme.

We propose new protocols for multi-party ECDSA key-generation and signing with a threshold of two, which we prove secure against malicious adversaries in the random oracle model using only the Computational Diffie-Hellman Assumption and the assumptions already implied by ECDSA itself. Our scheme requires only two messages, and via implementation we find that it outperforms the best prior results in practice by a factor of 55 for key generation and 16 for signing, coming to within a factor of 12 of local signatures. Concretely, two parties can jointly sign a message in just over two milliseconds.