Harry W. H. Wong, Jack P. K. Ma, Hoover H. F. Yin, Sherman S. M. Chow
Title: Real Threshold ECDSA
DOI: 10.14722/ndss.2023.24817 (https://doi.org/10.14722/ndss.2023.24817)
Venue: Proceedings 2023 Network and Distributed System Security Symposium (NDSS 2023)
Citations: 1

Abstract
Threshold ECDSA recently regained popularity due to decentralized applications such as DNSSEC and cryptocurrency asset custody. The latest (communication-optimizing) schemes often assume that all n, or at least n′ ≥ t, participating users remain honest throughout the pre-signing phase, essentially degenerating to n′-out-of-n′ multiparty signing instead of t-out-of-n threshold signing. When anyone misbehaves, all signers must restart from scratch, rendering the prior computation and communication in vain. This hampers the adoption of threshold ECDSA in time-critical situations and confines its use to a small signing committee. To mitigate such denial-of-service vulnerabilities, prevalent in the state of the art, we propose a robust threshold ECDSA scheme that achieves t-out-of-n threshold flexibility "for real" throughout the whole pre-signing and signing phases, without assuming an honest majority. Our scheme is desirable when computational resources are scarce and in decentralized settings where faults are easier to induce. Our design features 4-round pre-signing, O(n) cheating identification, and self-healing machinery over distributive shares. Prior art mandates abort after an O(n²)-cost identification, albeit with 3-round pre-signing (Canetti et al., CCS '20), or O(n) identification using 6 rounds (Castagnos et al., TCS '23). Empirically, our scheme saves up to ~30% of the communication cost, depending on the stage at which the fault occurred.
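The following Python block is an added illustration of the "degeneration" problem the abstract describes; it is not from the paper and does not implement the authors' protocol. It shares a secret t-of-n with Shamir over the secp256k1 scalar field, checks each share against Feldman commitments (a standard technique used here only to show what a per-share, non-interactive check that pins a bad share to one index looks like; it is not the paper's identification mechanism), converts the shares to additive form for a fixed signing set S, and shows that a dropout in S invalidates the additive shares while the original Shamir shares let any other t parties finish. The 3-of-5 parameters, the party indices, the tampering and the dropout in demo() are constructed for the example; the curve constants are the standard secp256k1 ones.

```python
# Added illustration (not the paper's scheme): Shamir t-of-n shares over the
# secp256k1 scalar field, Feldman share checks, and additive-share degeneration.
import secrets

# secp256k1 domain parameters (the curve behind Bitcoin/Ethereum ECDSA).
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return r

def deal(secret, t, n):
    """Dealer picks f of degree t-1 with f(0) = secret; party i gets f(i).
    Feldman commitments C_j = a_j*G let each party verify its own share."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commits = [ec_mul(c, G) for c in coeffs]
    return shares, commits

def verify_share(i, share, commits):
    """share_i*G must equal sum_j i^j * C_j. One check per share, so every
    bad share is pinned to its index in O(n) total work, no restart needed."""
    expect = None
    for j, c in enumerate(commits):
        expect = ec_add(expect, ec_mul(pow(i, j, Q), c))
    return ec_mul(share, G) == expect

def lagrange_coeff(i, subset):
    """lambda_i(S) = prod_{j in S, j != i} (-j)/(i-j) mod Q."""
    num = den = 1
    for j in subset:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def reconstruct(shares, subset):
    """Any t of the original Shamir shares recover f(0)."""
    return sum(lagrange_coeff(i, subset) * shares[i] for i in subset) % Q

def to_additive(shares, subset):
    """What communication-optimised pre-signing does: fix a signing set S with
    |S| = n' >= t and use w_i = lambda_i(S)*f(i), so sum over S of w_i = f(0).
    The w_i are tied to S: if a member drops, the rest are useless and the
    survivors must go back to fresh Shamir shares, i.e. restart."""
    return {i: lagrange_coeff(i, subset) * shares[i] % Q for i in subset}

def demo(t=3, n=5):
    """Constructed scenario: 3-of-5 sharing, party 4 corrupts its share,
    party 3 drops out of the signing set S = {1, 2, 3}."""
    secret = secrets.randbelow(Q - 1) + 1
    shares, commits = deal(secret, t, n)
    # O(n) cheater identification: only the corrupted index fails the check.
    tampered = dict(shares)
    tampered[4] = (tampered[4] + 1) % Q
    cheaters = [i for i in tampered if not verify_share(i, tampered[i], commits)]
    # n'-of-n' degeneration: additive shares for S work only while all of S stays.
    S = [1, 2, 3]
    w = to_additive(shares, S)
    with_all = sum(w.values()) % Q
    after_drop = sum(w[i] for i in S if i != 3) % Q
    # "Real" t-of-n: party 5 replaces party 3 using the original Shamir shares.
    healed = reconstruct(shares, [1, 2, 5])
    return (cheaters == [4], with_all == secret,
            after_drop != secret, healed == secret)

if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The point of to_additive() is the one the abstract makes: once shares are converted for a specific signing set, the session is only as robust as that set, and a single dropout forces everyone back to the start. Keeping the polynomial shares (and a cheap per-share check) is what allows a different t-subset to continue instead.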