Harry W. H. Wong, Jack P. K. Ma, Hoover H. F. Yin, Sherman S. M. Chow
Title: Real Threshold ECDSA
Venue: Proceedings 2023 Network and Distributed System Security Symposium
DOI: 10.14722/ndss.2023.24817 (https://doi.org/10.14722/ndss.2023.24817)
Citations: 1
Abstract
Threshold ECDSA recently regained popularity due to decentralized applications such as DNSSEC and cryptocurrency asset custody. Latest (communication-optimizing) schemes often assume all n or at least n′ ≥ t participating users remain honest throughout the pre-signing phase, essentially degenerating to n′-out-of-n′ multiparty signing instead of t-out-of-n threshold signing. When anyone misbehaves, all signers must restart from scratch, rendering prior computation and communication in vain. This hampers the adoption of threshold ECDSA in time-critical situations and confines its use to a small signing committee. To mitigate such denial-of-service vulnerabilities prevalent in state-of-the-art, we propose a robust threshold ECDSA scheme that achieves the t-out-of-n threshold flexibility “for real” throughout the whole pre-signing and signing phases without assuming an honest majority. Our scheme is desirable when computational resources are scarce and in a decentralized setting where faults are easier to be induced. Our design features 4-round pre-signing, O(n) cheating identification, and self-healing machinery over distributive shares. Prior arts mandate abort after an O(n²)-cost identification, albeit with 3-round pre-signing (Canetti et al., CCS ’20), or O(n) using 6 rounds (Castagnos et al., TCS ’23). Empirically, our scheme saves up to ∼30% of the communication cost, depending on at which stage the fault occurred.