We have already discussed the general concepts of digital signatures And threshold signatures In a previous post. At Coinbase, we specifically focused our attention on the two-party threshold signature; We will discuss this setup in this post.
DKLs: An Introduction. While the threshold signature protocols for Schnorr and BLS plots are relatively simple, the ECDSA threshold is much more difficult. A number of protocols exist for signing 2 of 2 ECDSA; Some explicitly target it (i.e. they don’t support more general options for NS And n). In this purely introductory blog post, we’ll be examining one in particular: the 2018 protocol for Doerner, Conde, Lee, and Sheilat. This protocol builds on the previous work of Chou, Orlando, Keller, Orsini, and Scholl. This protocol – or “DKLs”, for short – allows both parties to securely generate an ECDSA signature in a few milliseconds, by exchanging just 3 messages, all while transmitting approximately 120KB of data. In the process, some interesting techniques are used in a mutually secure computation, and they represent a disciplined and amazing contribution to the field.
Now let’s say some technical stuff about how DKLs work. The main idea is related to Double secret sharing Elements of the main domain. If our two parties – Alice and Bob, for example – locally generate random metrics SK_A And sk_B in 𝔽_NSThen, after a Diffie-Hellman-like exchange, the parties may derive the jointly owned public key s = SK_A · sk_B · NS, without knowing anything about each other’s private key shares (or the shared secret key). The shared secret key is the product Corona : = SK_A · sk_B (modern NS). DKLs are unusual in their use of double sharing; The protocol fails to generalize to (NSAnd n) The setup is mainly for this reason.
Both parties initiate the ECDSA signature process for a specific message NS In a similar way. They create unexpected individual posts k_a And k_b Randomly, construct R: = k_a · k_b · NS as they did s; using R coordinates (xAnd And), both get the first signature component s : = x (modern s). It remains only for the parties to build a joint s : = NS(NS) · NS⁻¹ + s · Corona · NS⁻¹ (mod NS), as provided in the ECDSA definition. The problem is that only both parties have Double stakes of quantities NS And Corona, not the required values themselves.
DKLs note that an expression is a definition s It can be written as:
The first main idea is that Will be It is sufficient for both parties to obtain randomly added shares of the expressions of the producers 1 /k_a 1 /k_b And SK_A / k_a · sk_B / k_b above. In fact, if both parties were to acquire such shares, then both could go ahead by multiplying these domestic shares by NS(NS) And s, respectively, and add the results (remember that both parties know NS(NS) And s). In doing so, both parties will receive additional shares of s themselves, which they can finally exchange securely (for example, without any additional information being leaked about it sindividual summaries). Finally note that Alice can locally compute left multiples of 1/k_a And SK_A/k_a; Bob can also compute right multiples locally 1/k_b And sk_B/k_b.
Thus, it is sufficient to deal with the problem of “safe multiplication”, which is sometimes called “multiple to additive conversion”. In this problem, two parties present their input metrics I to And I toAnd it ends in randomness Additive Involved t_a And t_b product I to · i_B (modern NS). In other words, identity t_A + t_B = I to · i_B (modern NS) must be held, in addition to the outputs t_A And t_B It must be randomly subject to this condition; Finally, the parties must learn something about each other’s input I to And i_B In the process of implementing the protocol (even if they have been involved in malicious behavior).
DKLs describe a cool subprotocol for safe multiplication, using another primitive called inattentive threaded transmission (cot for acronym). In the cOT protocol, the parties Alice and Bob have unequal roles. Alice inserts an odd number, say ɑ, into 𝔽_NS; Bob only enters one piece NS. Each party receives an integer as an output; Let’s call this again t_A And t_B For now. As defined by cOT, the output t_A And t_B It should be random provided that t_A + t_B = ɑ if bob input bit NS is 1 and is randomized to t_A + t_B = 0 if The bob input bit is 0. In both cases, the sender must learn nothing about the receiver bit NS, and the receiver must learn nothing about the scalar number of the sender ɑ. The definition of inattentive coherent transport is shown in the figure below.
Assuming we have a cOT protocol in hand, how do we boot it into a multiplication protocol? Interestingly enough, Alice and Bob can use an algorithm from elementary school to do this. Let’s remember the so-called long beating algorithm. Roughly, the action shifts the top hit in succession to the left one place at a time; At each step, you also multiply that multiplier by the appropriate number for the bottom racket. Finally, it adds the resulting matrix of shifted and doubled numbers. In the binary system, things become much simpler, because the “numbers” of the lower multiples are either 0 or 1. The figure illustrating this process is shown below:
In each row of this figure, Alice’s original input is shifted one more step to the left. Further, when working from right to left with Bob’s input, we also cross out the rows corresponding to the bits where Bob’s input is 0. Finally, we sum the resulting numbers to get the product. (Actually, everything happens here NS, but let’s ignore that for the sake of clarity; We have also simplified various aspects of the multiplication protocol for illustrative purposes.)
The idea here is that we can use the crib to do this safely. In fact, all Row From the diagonal matrix above it can be treated with a single associated inattentive transfer. Alice enters her original input I to, appropriately by y Steps to the left Bob enters the file yᵗʰ Little from his original input i_B. By defining cOT, the ends end up with a random-added stock model NS from As for 0 or 2⁇ · I to, Depending on the bob part. By doing this for each row individually, the parties get stakes added for each row Row above, while learning nothing of each other’s input in the process. Finally, by adding the domestic added shares obtained in this way, both parties end up with added shares for the entire product I to · i_B. This is exactly what we wanted above.
future work. DKLs are powerful and interesting technologies; This makes their techniques easier to understand, generalize and possibly improve. The main drawback of DKLs is the bandwidth requirement, which stands at relatively High ~ 120 kB (total exchanged bytes). It would be interesting to try to reduce the bandwidth requirements, by improving the technologies of DKLs. We’ve considered trying to improve this bandwidth using a Karatsuba-like approach, but haven’t been able to piece together the details yet. Roughly, Karatsuba works by substituting intelligently One The result of multiplying whole numbers by three Half-digit products (and their handling these products frequently, etc.). The key fact that makes this approach faster is that multiplying two numbers by half the length requires only a a fourth than working as a multiplication of two whole numbers (due to the squared size of the work involved; see above). All that said, Karatsuba can double two nBit numbers only
Atomic operations, unlike O (n²) is required by naive multiplication. The problem with applying this technique to DKL is that the output of each cOT must be a random pattern NS. This forces each output to take the log NS Bit , even in When the actual numbers involved are much smaller than NS. This nullifies the benefits that Karatsuba is supposed to impart – because the length is halved not longer In return, it cuts the bandwidth in half. It is possible that this could be implemented using some new ideas.
If you are interested in the latest encryption technology, Check out our open roles here.
Fast, Secure 2-of-2 ECDSA with DKLs18 was originally posted on the Coinbase blog on Medium, where people continue the conversation by highlighting and responding to this story.