Threshold ECDSA from ECDSA Assumptions The Multiparty Case

 title = {Threshold ECDSA from ECDSA Assumptions: The Multiparty Case},
 author = {Jack Doerner and Yashvanth Kondi and Eysa Lee and abhi shelat},
 booktitle = {Oakland S&P'2019},
 year = {2019},


Cryptocurrency applications have spurred a resurgence of interest in the computation of ECDSA signatures using threshold protocols—that is, protocols in which the signing key is secret-shared among n parties, of which any subset of size t must interact in order to compute a signature.

Among the resulting works to date, that of Doerner et al. [DKLs18] requires the most natural assumptions while also achieving the best practical signing speed. It is, however, limited to the setting in which the threshold is two.

We propose an extension of their scheme to arbitrary thresholds, and prove it secure against a malicious adversary corrupting up to one party less than the threshold under only the Computational Diffie-Hellman Assumption in the Global Random Oracle model, an assumption strictly weaker than those under which ECDSA is proven.

We implement our scheme and evaluate it among groups of up to 256 of co-located and geographically-distributed parties, and among small groups of embedded devices. In the LAN setting, our scheme outperforms all prior works by orders of magnitude, and that it is efficient enough for use even on smartphones or hardware tokens. In the WAN setting, our protocol outperforms the best constant-round protocols in realistic scenarios, despite its logarithmic round count.