Section: New Results

Cryptographic Protocols

Participants: Guilhem Castagnos, Ida Tucker.

In [20], G. Castagnos, D. Catalano, F. Laguillaumie, F. Savasta and I. Tucker propose a new cryptographic protocol to compute ECDSA signatures with two parties.

ECDSA (Elliptic Curve Digital Signature Algorithm) is a widely adopted standard for electronic signatures. For instance, it is used in the TLS (Transport Layer Security) protocol and in many cryptocurrencies such as Bitcoin. In cryptocurrencies, ECDSA is used to sign transactions: if Alice wants to give n bitcoins to Bob, she uses her secret key to produce an ECDSA signature on a bit string encoding this information.

As a result, if Alice's secret key is stolen, for example because her computer is compromised, an attacker can steal all her bitcoins. A common solution to this problem is to split the key across multiple devices, for example a laptop and a mobile phone. Both devices must collaborate in order to issue a signature, and if only one device is compromised, no information on the key is leaked. This setting belongs to the area of secure multiparty computation.

There have been recent proposals to construct two-party variants of ECDSA signatures, but constructing efficient protocols proved to be much harder than for other signature schemes. The main reason is that the ECDSA signing equation is more complex than that of other signature schemes. Lindell recently obtained an efficient solution using the linearly homomorphic cryptosystem of Paillier. However, his solution has some drawbacks; for example, the security proof resorts to a non-standard interactive assumption.
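To make the difficulty concrete, here is an added toy example (not code from the paper or from Lindell) of two-party signing in the Lindell style, with Paillier as the linearly homomorphic encryption. It replaces the elliptic curve by a small DSA-style multiplicative group, since the signing equation s = k^-1 (H(m) + r·x) is the same, and all parameters are constructed here and far too small for real use; zero-knowledge proofs and commitments of the real protocol are omitted.

```python
import hashlib
import secrets
# Constructed toy DSA-style group (stand-in for the elliptic curve): Q | P-1, G is a square mod P so it has order Q.
P, Q, G = 2039, 1019, 4
# Constructed toy Paillier key. N must exceed Q**3 so the masked plaintext
# rho*Q + k2^-1*(m + r*x) that P1 decrypts never wraps around mod N.
PP, PQ = 999983, 1000003
N = PP * PQ
LAM = (PP - 1) * (PQ - 1)
MU = pow(LAM, -1, N)
def enc(m):
    """Paillier encryption (generator 1+N), linearly homomorphic: Enc(a)*Enc(b) = Enc(a+b)."""
    r = secrets.randbelow(N - 1) + 1
    return (1 + m * N) * pow(r, N, N * N) % (N * N)
def dec(c):
    return ((pow(c, LAM, N * N) - 1) // N) * MU % N
def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q
def keygen():
    """Each party picks a multiplicative share; the signing key x = x1*x2 is never assembled."""
    x1, x2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    pk = pow(pow(G, x1, P), x2, P)                          # g^(x1*x2)
    return pk, {"x1": x1}, {"x2": x2, "c_key": enc(x1)}     # P2 only ever sees Enc(x1)
def sign(msg, party1, party2):
    """Both roles run here for brevity; x1 is used only under encryption, x2 and k2 stay with P2."""
    m = h(msg)
    while True:
        k1, k2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
        r = pow(pow(G, k1, P), k2, P) % Q                   # R = g^(k1*k2); r plays the role of R.x mod q
        k2_inv = pow(k2, -1, Q)
        # P2: Enc(rho*Q + k2^-1*m) * Enc(x1)^(k2^-1*r*x2) = Enc(rho*Q + k2^-1*(m + r*x1*x2))
        rho = secrets.randbelow(Q * Q)                      # masks the integer P1 will decrypt (Z_N != Z_Q)
        c_m = enc(rho * Q + k2_inv * m % Q)
        c_x = pow(party2["c_key"], k2_inv * r * party2["x2"] % Q, N * N)
        c3 = c_m * c_x % (N * N)
        # P1: decrypt, reduce mod Q, strip its own nonce share -> s = (k1*k2)^-1 * (m + r*x)
        s = pow(k1, -1, Q) * (dec(c3) % Q) % Q
        if r and s:
            return r, s
def verify(msg, pk, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)                                       # g^(m*w) * pk^(r*w) = g^k, so its residue mod Q must be r
    return pow(G, h(msg) * w % Q, P) * pow(pk, r * w % Q, P) % P % Q == r
```

The inverse of the nonce k in the signing equation is what forces the multiplicative sharing and the homomorphic detour; a Schnorr-style s = k + c·x would combine additive shares directly.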

By using another approach based on hash proof systems, we obtain a proof that relies on standard assumptions. Moving to concrete constructions, we show how to instantiate our framework using class groups of imaginary quadratic fields. Our implementations show that the practical impact of dropping such interactive assumptions is minimal. Indeed, while for 128-bit security our scheme is marginally slower than Lindell's, for 256-bit security it turns out to be better both in key generation and signing time. Moreover, in terms of communication cost, our implementation significantly reduces both the number of rounds and the transmitted bits without exception.

This paper was presented at the CRYPTO Conference 2019, and is part of the Alambic project.