Threshold ECDSA recently regained popularity due to decentralized applications such as DNSSEC and cryptocurrency asset custody. The latest (communication-optimizing) schemes often assume all n or at least n′ ≥ t participating users remain honest throughout the pre-signing phase, essentially degenerating to n′-out-of-n′ multiparty signing instead of t-out-of-n threshold signing. When anyone misbehaves, all signers must restart from scratch, rendering prior computation and communication in vain. This hampers the adoption of threshold ECDSA in time-critical situations and confines its use to a small signing committee. To mitigate such denial-of-service vulnerabilities prevalent in the state of the art, we propose a robust threshold ECDSA scheme that achieves the t-out-of-n threshold flexibility “for real” throughout the whole pre-signing and signing phases without assuming an honest majority. Our scheme is desirable when computational resources are scarce and in a decentralized setting where faults are easier to induce. Our design features 4-round pre-signing, O(n) cheating identification, and self-healing machinery over distributive shares. Prior art mandates abort after an O(n²)-cost identification, albeit with 3-round pre-signing (Canetti et al., CCS’20), or O(n) using 6 rounds (Castagnos et al., TCS’23). Empirically, our scheme saves up to ∼30% of the communication cost, depending on the stage at which the fault occurred.
Wong, H. W. H., Ma, J. P. K., Yin, H. H. F., & Chow, S. S. M. (2023). Real Threshold ECDSA. In 30th Annual Network and Distributed System Security Symposium, NDSS 2023. The Internet Society. https://doi.org/10.14722/ndss.2023.24817