Hongxin Zhang,Guanghuan Xie,Xin Zou,Chi Zhang,Zhuo Li,Rui Qin,Gang Xiong,Fei-Yue Wang

DOI: https://doi.org/10.1109/tcss.2022.3230903

2024-01-01

IEEE Transactions on Computational Social Systems

Abstract:Threshold Elliptic Curve Digital Signature Algorithm (ECDSA) has attracted a lot of attention due to the wide applications of ECDSA in crypto asset. Although several variants of threshold signature protocols can provide functions, such as key generation and signing, they suffer from two shortfalls. First, these schemes only discuss a single signature computation task in a synchronous algorithm context, which is difficult to adapt to real crypto-asset applications, such as custody. Second, these schemes are computing intensive and not scalable, hence can hardly support large-scale processing operations in real life even after traditional optimization, such as multithreading, is applied. In this article, we propose an innovative computation method called asynchronous threshold ECDSA with batch processing, based on the interactive threshold signature protocols. The method provides a reliable solution for critical operational scenarios, such as threshold signing and distributed key generation (DKG) in crypto-asset custody, and can be a future reference in secure data distribution mechanisms. The performance and scalability of our methods are validated through a benchmark testing.

Stephan Verbücheln

DOI: https://doi.org/10.48550/arXiv.1501.00447

2015-01-03

Abstract:ECDSA has become a popular choice as lightweight alternative to RSA and classic DL based signature algorithms in recent years. As standardized, the signature produced by ECDSA for a pair of a message and a key is not deterministic. This work shows how this non-deterministic choice can be exploited by an attacker to leak private information through the signature without any side channels, an attack first discovered by Young and Yung for classic DL-based cryptosystems in 1997, and how this attack affects the application of ECDSA in the Bitcoin protocol.

Cryptography and Security

Huiqiang Liang,Jianhua Chen

DOI: https://doi.org/10.1007/s11704-022-2288-x

IF: 2.6688

2024-01-01

Frontiers of Computer Science

Abstract:A threshold signature is a special digital signature in which the N-signer share the private key x and can construct a valid signature for any subset of the included t-signer, but less than t-signer cannot obtain any information. Considering the breakthrough achievements of threshold ECDSA signature and threshold Schnorr signature, the existing threshold SM2 signature is still limited to two parties or based on the honest majority setting, there is no more effective solution for the multiparty case. To make the SM2 signature have more flexible application scenarios, promote the application of the SM2 signature scheme in the blockchain system and secure cryptocurrency wallets. This paper designs a non-interactive threshold SM2 signature scheme based on partially homomorphic encryption and zero-knowledge proof. Only the last round requires the message input, so make our scheme non-interactive, and the pre-signing process takes 2 rounds of communication to complete after the key generation. We allow arbitrary threshold t≤n and design a key update strategy. It can achieve security with identifiable abort under the malicious majority, which means that if the signature process fails, we can find the failed party. Performance analysis shows that the computation and communication costs of the pre-signing process grows linearly with the parties, and it is only 1/3 of the Canetti’s threshold ECDSA (CCS'20).

Xuan Hong,Ke-fei Chen,Yu Long

DOI: https://doi.org/10.1007/s12204-008-0659-6

2008-01-01

Abstract:Recently some efforts were made towards capturing the security requirements within the composable security framework. This modeling has some significant advantages in designing and analyzing complex systems. The threshold signature was discussed and a definition was given based on the universal composability framework, which is proved to be equivalent to the standard security definition. Furthermore, a simple, efficient and proactive threshold RSA signature protocol was presented. It is proved to be correct, consistent and unforgeable relative to the environment that at most t − 1 parties are corrupted in each proactive stage. It is also secure under the universal composability framework. It is a UC based security and is proved to be equivalent to the standard security.

Liu Duan-yang,Pan Xue-zeng,Ping Ling-di

DOI: https://doi.org/10.1631/jzus.2003.0555

2003-01-01

Abstract:Distributed certification via threshold cryptography is much more secure than other ways to protect certification authority (CA)'s private key, and can tolerate some intrusions. As the original system such as ITTC, etc., is unsafe, inefficient and impracitcal in actual network environment, this paper brings up a new distributed certification scheme, which although it generates key shares concentratively, it updates key shares distributedly, and so, avoids single-point failure like ITTC. It not only enhances robustness with Feldman verification and SSL protocol, but can also change the threshold (t, k) flexibly and robustly, and so, is much more practical. In this work, the authors implement the prototype system of the new scheme and test and analyze its performance.

Michele Battagliola,Riccardo Longo,Alessio Meneghetti,Massimiliano Sala

DOI: https://doi.org/10.48550/arXiv.2009.01631

2020-09-02

Cryptography and Security

Abstract:A $(t,n)$-threshold signature scheme enables distributed signing among $n$ players such that any subset of size at least $t$ can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized signature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant during the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adaptive malicious adversaries. Furthermore we show how our security notion can be strengthen when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible probability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability.

Fan Zhang,Philip Daian,Iddo Bentov

2018-01-01

Abstract:Conventional (M,N )-threshold signature schemes leave users with a painful choice. SettingM = N offers maximum resistance to key compromise. With this choice, though, loss of a single key renders the signing capability unavailable, creating paralysis in systems that use signatures for access control. Lower M improves availability, but at the expense of security. For example, a (3, 3)-multisignature cryptocurrency wallet experiences access-control paralysis upon loss of a single key, but a (2, 3)-multisig allows any two players to collude and steal funds from the third. In this paper, we introduce techniques that address this impasse by making general cryptographic access structures dynamic. Our schemes permit, e.g., a (3, 3)-multisig, to be downgraded to a (2, 3)multisig if a player goes missing. This downgrading is secure in the sense that it occurs only if a player is provably unavailable. Our main tool is what we call a Paralysis Proof, evidence that players, i.e., key holders, are unavailable or incapacitated. Using Paralysis Proofs, we show how to construct a Dynamic Access Structure System, which can securely and flexibly update target access structures without a trusted third party such as a system administrator. We present DASS constructions that combine a trust anchor (a trusted execution environment or smart contract) with a censorshipresistant channel in the form of a blockchain. We offer a formal framework for specifying DASS policies, and define and show how to achieve critical security and usability properties (safety, liveness, and paralysis-freeness) in a DASS. Paralysis Proofs can help address pervasive key-management challenges in many different settings. We present DASS schemes for three important example use cases: recovery of cryptocurrency funds should players become unavailable, returning funds to users when cryptocurrency custodians fail, and remediating critical smartcontract failures such as frozen funds. We report on practical implementations for Bitcoin and Ethereum.

Changshe Ma,Kefei Chen,Dong Zheng,Shengli Liu

DOI: https://doi.org/10.1007/11556992_17

2005-01-01

Abstract:To make the system more secure and robust, threshold schemes are proposed to avoid single point failure. At the same time, there are more and more applications which utilize the two basic blocks encryption and digital signature to secure message delivery (such as SSL, SSH). Combining the three tools organically leads to an interesting security tool termed as threshold signcryption which can be used in distributed systems especially the mobile networks. In this paper, we present an efficient threshold signcryption scheme. The scheme is designed for an asynchronous network model which may better present practical distributed systems, especially Internet or mobile ad hoc networks. In order to resist mobile attacks, we add proactive property to our scheme. To the best of our knowledge, the proposed scheme is the first threshold signcryption scheme which is noninteractive, proactive and provably secure and works on asynchronous network models.

Yumeng Xie,Qing Fan,Chuan Zhang,Tong Wu,Yuao Zhou,Debiao He,Liehuang Zhu

DOI: https://doi.org/10.1109/tifs.2024.3428848

IF: 7.231

2024-07-26

IEEE Transactions on Information Forensics and Security

Abstract:Threshold signatures as a method to realize multi-party cooperation and trust distribution in blockchain have been widely studied in recent years. However, among these researches, few threshold signature schemes achieve all the properties of accountability, privacy, and key protection for the EdDSA-based blockchain systems. To fill this gap, we propose an EdDSA-based accountable threshold signature protocol with privacy and proactive refresh, named TAPS-PR. Meanwhile, we define new security models and give a detailed analysis to prove protocol security. In TAPS-PR, the threshold is variable and hidden with the signing quorum from the public view. However, the signing quorum can be traced when threshold signatures related to fraudulent events are generated. We also enhance the key security of each signer by proactive refresh, which realizes updating the private key while the public key remains unchanged. Apart from that, we present ATS-PR with increased efficiency and reduced communication cost at the cost of weaker security. The theoretical analysis and experimental results indicate that our protocols perform efficiently in terms of communication and computation overhead. Furthermore, we use Tezos, a blockchain project employing EdDSA, as a case study to demonstrate the compatibility of our protocol with real-world blockchain applications.

computer science, theory & methods,engineering, electrical & electronic

Zhelei Zhou,Bingsheng Zhang,Hong-Sheng Zhou,Kui Ren

DOI: https://doi.org/10.1007/978-3-031-30545-0_11

2023-01-01

Abstract:The notion of Endemic Oblivious Transfer (EOT) was introduced by Masny and Rindal (CCS’19). EOT offers a weaker security guarantee than the conventional random OT; namely, the malicious parties can fix their outputs arbitrarily. The authors presented a 1-round UC-secure EOT protocol under a tailor-made and non-standard assumption, Choose-and-Open DDH, in the RO model. In this work, we systematically study EOT in the UC/GUC framework. We present a new 1-round UC-secure EOT construction in the RO model under the DDH assumption. Under the GUC framework, we propose the first 1-round EOT construction under the CDH assumption in the Global Restricted Observable RO (GroRO) model proposed by Canetti et al. (CCS’14). We also provide an impossibility result, showing there exist no 1-round GUC-secure EOT protocols in the Global Restricted Programmable RO (GrpRO) model proposed by Camenisch et al. (Eurocrypt’18). Subsequently, we provide the first round-optimal (2-round) EOT protocol with adaptive security under the DDH assumption in the GrpRO model. Finally, we investigate the relations between EOT and other cryptographic primitives. As side products, we present the first 2-round GUC-secure commitment in the GroRO model as well as a separation between the GroRO and the GrpRO models, which may be of independent interest.

Handong Cui,Kwan Yin Chan,Tsz Hon Yuen,Xin Kang,Cheng-Kang Chu

DOI: https://doi.org/10.1093/comjnl/bxad057

2024-01-01

Abstract:In most threshold Elliptic Curve Digital Signature Algorithm (ECDSA) signatures using additively homomorphic encryption, the zero-knowledge (ZK) proofs related to the ciphertext or the message space are the bottleneck in terms of bandwidth as well as computation time. In this paper, we propose a compact ZK proof for relations related to the Castagnos-Laguillaumie (CL) encryption, which is 33% shorter and 29% faster than the existing work in PKC 2021. We also give new ZK proofs for relations related to homomorphic operations over the CL ciphertext. These new ZK proofs are useful to construct a bandwidth-efficient universal composable-secure threshold ECDSA without compromising the proactive security and the non-interactivity. In particular, we lowered the communication and computation cost of the key refresh algorithm in the Paillier-based counterpart from O(n boolean AND 3) to O(n boolean AND 2). Considering a 5-signer setting, the bandwidth is better than the Paillier-based counterpart for up to 99, 95 and 35% for key generation, key refreshment and pre-signing, respectively.

Jing Wang,Xue Yuan,Yingjie Xu,Yudi Zhang

DOI: https://doi.org/10.1049/2024/2252865

2024-10-19

IET Information Security

Abstract:Large language models (LLMs) have brought significant advancements to artificial intelligence, particularly in understanding and generating human language. However, concerns over management burden and data security have grown alongside their capabilities. To solve the problem, we design a blockchain‐based distributed LLM framework, where LLM works in the distributed mode and its outputs can be stored and verified on a blockchain to ensure integrity, transparency, and traceability. In addition, a multiparty signature‐based authentication mechanism is necessary to ensure stakeholder consensus before publication. To address these requirements, we propose a threshold elliptic curve digital signature algorithm that counters malicious adversaries in environments with three or more participants. Our approach relies on discrete logarithmic zero‐knowledge proofs and Feldman verifiable secret sharing, reducing complexity by forgoing multiplication triple protocols. When compared with some related schemes, this optimization speeds up both the key generation and signing phases with constant rounds while maintaining security against malicious adversaries.

computer science, information systems, theory & methods

Chunping Zhu,Xingkai Wang,Zhen Liu

DOI: https://doi.org/10.1007/978-981-97-0942-7_3

2024-01-01

Abstract:In recent years, the rapid development of blockchain-based applications, such as cryptocurrencies, has raised concerns about privacy preservation within the blockchain community. One widely adopted technique for privacy preservation is the use of Stealth Address, which serves as a crucial component of Monero’s Ring Confidential Transaction (RingCT) protocol. Liu et al. (EuroS &P’19) introduced and formalized a new signature variant called the Key-Insulated and Privacy-Preserving Signature Scheme with Publicly Derived Public Key (PDPKS), and gave a systematically definition on the Stealth Address in both syntax and security definition. This signature variant goes beyond defining the necessary functionality but also capturing safety and privacy requirements, by introducing two game-based security definitions respectively. Rather than in a standalone mode, PDPKS protocol is typically executed alongside other secure components within a complex blockchain system to achieve various security objectives. However, achieving security of a comprehensive system requires additional analysis on the entire system, considering mutual impacts among protocols. Hence, it is crucial to introduce a unified and systematic definition that can describe the security in a universally composable (UC) manner. This paper focuses on formalizing the security of PDPKS in the UC framework, which provides a stronger security definition and ensures that the protocol can be designed and analyzed modularly, so that any specific constructions that satisfy the security requirements defined in the proposed UC model can be securely used as building blocks in complex blockchain systems, without any security concerns. To have a concrete construction that satisfies the UC-security proposed in this paper, we conducted an analysis of the conventional game-based security definitions put forth by Liu et al., and proved that the equivalence between the UC-security of PDPKS and the simultaneous satisfaction of the two game-based security definitions. As a result, this implies that the construction proposed by Liu et al. is a UC-secure PDPKS construction. Besides, the proved equivalence also contributes to a general framework wherein any PDPKS construction that satisfies Liu et al.’s security definition will also satisfies UC-security. This framework enables the use of these PDPKS constructions as secure building blocks in the design and implementation of UC-secure blockchain systems.

Guofeng Tang,Bo Pang,Long Chen,Zhenfeng Zhang

DOI: https://doi.org/10.1109/tifs.2023.3293408

IF: 7.231

2023-07-22

IEEE Transactions on Information Forensics and Security

Abstract:A threshold signature scheme distributes the ability to generate signatures through distributed key generation and signing protocols. A threshold signature scheme should be functionally interchangeable, meaning that a signature produced by a threshold scheme should be verifiable by the same algorithm used for non-threshold signatures. To resist future attacks from quantum adversaries, lattice-based threshold signatures are desirable. However, the performance of existing lattice-based threshold signing protocols is still far from practical. This paper presents the first lattice-based -out-of- threshold signature scheme with functional interchangeability that has been implemented. To build an -out-of- access structure for arbitrary , we first present a novel -out-of- version of the SPDZ MPC protocol. We avoid using the MPC protocol to evaluate hash operations for high concrete efficiency. Moreover, we design an efficient distributed rejection sampling protocol. Consequently, the online phase of our distributed signing protocol takes only 0.5 seconds in the two-party setting and 7.3 seconds in the 12-party setting according to our implementation. As a byproduct, our scheme also presents a periodic key refreshment mechanism and offers proactive security.

computer science, theory & methods,engineering, electrical & electronic

Dingyi Pei,Moti Yung,Dongdai Lin,Chuankun Wu

DOI: https://doi.org/10.1007/978-3-642-34704-7

2008-01-01

Abstract:Threshold cryptography aims at enhancing the availability and security of decryption and signature schemes by splitting private keys into several (say n) shares (typically, each of size comparable to the original secret key). In these schemes, a quorum of at least (d ≤ n) servers needs to act upon a message to produce the result (decrypted value or signature), while corrupting less than d servers maintains the scheme’s security. For about two decades, extensive study was dedicated to this subject, which created a number of notable results. So far, most practical threshold signatures, where servers act non-interactively, were analyzed in the limited static corruption model (where the adversary chooses which servers will be corrupted at the system’s initialization stage). Existing threshold encryption schemes that withstand the strongest combination of adaptive malicious corruptions (allowing the adversary to corrupt servers at any time based on its complete view), and chosenciphertext attacks (CCA) all require interaction (in the non-idealized model) and attempts to remedy this problem resulted only in relaxed schemes. The same is true for threshold signatures secure under chosenmessage attacks (CMA). It was open (for about 10 years) whether there are non-interactive threshold schemes providing the highest security (namely, CCA-secure encryption and CMA-secure signature) with scalable shares (i.e., as short as the original key) and adaptive security. This paper first surveys our ICALP 2011 work which answers this question affirmatively by presenting such efficient decryption and signature schemes within a unified algebraic framework. The paper then describes how to design on top of the surveyed system the first “forward-secure non-interactive threshold cryptosystem with adaptive security.”

Xin Liu,Willy Susilo,Joonsang Baek

DOI: https://doi.org/10.1007/978-3-030-89432-0_10

2021-01-01

Abstract:There has been renewed attention to threshold signature in recent years as the threshold version of the ECDSA and SM2 Elliptic Curve Cryptographic Algorithm (SM2) could be used in Bitcoin as an underlying digital signature scheme to protect users' private keys that guarantees transactions. A (t, n) threshold signature scheme means in a set of n parties, at least t players can exercise the right of generating signatures on behalf of the group, and any less than t of the players' cooperation cannot generate a valid signature for the message nor obtain any information about the shared secret key. Thus, it is meaningful to construct a purely (t, n) threshold SM2 signature scheme (purely (t, n) means in the whole signature scheme, the threshold value is fixed to t). We propose a robust multiplication protocol of shared secrets to resolve the "multiplication of shared secrets" problem in existing threshold signature schemes. Using the proposed multiplication protocol, we improve the existing secret reciprocal computation protocol and show how to get a purely (t, n) threshold SM2 signature scheme.

Bargav Jayaraman,Hannah Li,David Evans

DOI: https://doi.org/10.48550/arXiv.1706.03370

2017-10-10

Abstract:The security of TLS depends on trust in certificate authorities, and that trust stems from their ability to protect and control the use of a private signing key. The signing key is the key asset of a certificate authority (CA), and its value is based on trust in the corresponding public key which is primarily distributed by browser vendors. Compromise of a CA private key represents a single point-of-failure that could have disastrous consequences, so CAs go to great lengths to attempt to protect and control the use of their private keys. Nevertheless, keys are sometimes compromised and may be misused accidentally or intentionally by insiders. We propose splitting a CA's private key among multiple parties, and producing signatures using a generic secure multi-party computation protocol that never exposes the actual signing key. This could be used by a single CA to reduce the risk that its signing key would be compromised or misused. It could also enable new models for certificate generation, where multiple CAs would need to agree and cooperate before a new certificate can be generated, or even where certificate generation would require cooperation between a CA and the certificate recipient (subject). Although more efficient solutions are possible with custom protocols, we demonstrate the feasibility of implementing a decentralized CA using a generic two-party secure computation protocol with an evaluation of a prototype implementation that uses secure two-party computation to generate certificates signed using ECDSA on curve secp192k1.

Cryptography and Security

Yiliang Han,Xiaoyuan Yang,Jun Sun,Delong Li

DOI: https://doi.org/10.1109/ICCNMC.2003.1243064

2003-01-01

Abstract:Verifiable (t, n) threshold ECSA (elliptic curve signature verification) signature algorithm and verifiable (t, n) threshold ECES (elliptic curve encrypt scheme) encryption algorithm are presented according to a secret sharing scheme for elliptic curve using Lagrange polynomial interpolation as access structure. A group of n players share an ECC (elliptic curve cryptosystem) secret key. Every qualified subset of the group, including t out of n players, could recover the secret key, so that they can sign and decrypt as well as the whole group, while no subset of t-1 players can accomplish it. The algorithms are perfect and secure verifiable secret shared schemes and their complexity is less than the same schemes based on DLP.

Kiarash Sedghighadikolaei,Attila Altay Yavuz

2024-09-17

Abstract:Threshold digital signatures enable a distributed execution of signature functionalities and will play a crucial role in the security of emerging decentralized next-generation networked systems and applications. In this paper, we provide a comprehensive and systematic survey of threshold and distributed signatures with advanced features. Our survey encompasses threshold signatures in conventional and post-quantum cryptography (PQC) settings and captures custom-design and standard signatures (e.g., conventional NIST and NIST-PQC). We examine both generic (via secure multi-party computation) and custom thresholding techniques for a myriad of signature families while investigating exotic signatures, real-life applications, and potential future research direction.

Cryptography and Security

Shuai Han,Shengli Liu,Dawu Gu

DOI: https://doi.org/10.1007/978-3-031-57728-4_1

2024-01-01

Abstract:In this paper, we study the design of efficient signature and public-key encryption (PKE) schemes in the presence of both leakage and tampering attacks. Firstly, we formalize the strong leakage and tamper-resilient (sLTR) security model for signature, which provides strong existential unforgeability, and deals with bounded leakage and restricted tampering attacks, as a counterpart to the sLTR security introduced by Sun et al. (ACNS 2019) for PKE. Then, we present direct constructions of signature and chosen-ciphertext attack (CCA) secure PKE schemes in the sLTR model, based on the matrix decisional Diffie-Hellman (MDDH) assumptions (which covers the standard symmetric external DH (SXDH) and k-Linear assumptions) over asymmetric pairing groups. Our schemes avoid the use of heavy building blocks such as the true-simulation extractable non-interactive zero-knowledge proofs (tSE-NIZK) proposed by Dodis et al. (ASIACRYPT 2010), which are usually needed in constructing schemes with leakage and tamper-resilience. Especially, our SXDH-based signature and PKE schemes are more efficient than the existing schemes in the leakage and tamper-resilient setting: our signature scheme has only 4 group elements in the signature, which is about 5x similar to 8x shorter, and our PKE scheme has only 6 group elements in the ciphertext, which is about 1.3x similar to 3.3x shorter. Finally, we note that our signature scheme is the first one achieving strong existential unforgeability in the leakage and tamper-resilient setting, where strong existential unforgeability has important applications in building more complex primitives such as signcryption and authenticated key exchange.