# Fast and secure 2 of 2 ECDSA using DKLs18

We have already discussed the general concepts of *digital signatures* And *threshold signatures* In a previous post. At Coinbase, we specifically focused our attention on the two-party threshold signature; We will discuss this setup in this post.

**DKLs: An Introduction. **While the threshold signature protocols for Schnorr and BLS plots are relatively simple, the ECDSA threshold is much more difficult. A number of protocols exist for signing 2 of 2 ECDSA; Some explicitly target it (i.e. they don’t support more general options for *NS* And *n*). In this purely introductory blog post, we’ll be examining one in particular: the 2018 protocol for Doerner, Conde, Lee, and Sheilat. This protocol builds on the previous work of Chou, Orlando, Keller, Orsini, and Scholl. This protocol – or “DKLs”, for short – allows both parties to securely generate an ECDSA signature in a few milliseconds, by exchanging just 3 messages, all while transmitting approximately 120KB of data. In the process, some interesting techniques are used in a mutually secure computation, and they represent a disciplined and amazing contribution to the field.

Now let’s say some technical stuff about how DKLs work. The main idea is related to *Double secret sharing* Elements of the main domain. If our two parties – Alice and Bob, for example – locally generate random metrics *SK_A* And *sk_B* in 𝔽_*NS*Then, after a Diffie-Hellman-like exchange, the parties may derive the jointly owned public key *s* = *SK_A* · *sk_B* · *NS*, without knowing anything about each other’s private key shares (or the shared secret key). The shared secret key is the product *Corona* : = *SK_A* · *sk_B* (modern *NS*). DKLs are unusual in their use of double sharing; The protocol fails to generalize to (*NS*And *n*) The setup is mainly for this reason.

Both parties initiate the ECDSA signature process for a specific message *NS* In a similar way. They create unexpected individual posts *k_a* And *k_b* Randomly, construct R: = *k_a *· *k_b* · *NS* as they did *s*; using R coordinates (*x*And *And*), both get the first signature component *s* : = *x* (modern *s*). It remains only for the parties to build a joint *s* : = *NS*(*NS*) · *NS*⁻¹ + *s* · *Corona* · *NS*⁻¹ (mod *NS*), as provided in the ECDSA definition. The problem is that only both parties have *Double stakes* of quantities *NS* And *Corona*, not the required values themselves.

DKLs note that an expression is a definition *s* It can be written as:

https://medium.com/media/2a0c40a041fc6a2fe623305df1fa751c/href

The first main idea is that *Will be* It is sufficient for both parties to obtain randomly added shares of the expressions of the producers 1 /*k_a *1 /*k_b* And *SK_A* / *k_a* · *sk_B* / *k_b* above. In fact, if both parties were to acquire such shares, then both could go ahead by multiplying these domestic shares by *NS*(*NS*) And *s*, respectively, and add the results (remember that both parties know *NS*(*NS*) And *s*). In doing so, both parties will receive additional shares of *s* themselves, which they can finally exchange securely (for example, without any additional information being leaked about it *s*individual summaries). Finally note that Alice can locally compute left multiples of 1/*k_a* And *SK_A*/*k_a*; Bob can also compute right multiples locally 1/*k_b* And *sk_B*/*k_b*.

Thus, it is sufficient to deal with the problem of “safe multiplication”, which is sometimes called “multiple to additive conversion”. In this problem, two parties present their input metrics *I to *And *I to*And it ends in randomness *Additive* Involved *t_a* And *t_b* product *I to* · *i_B* (modern *NS*). In other words, identity *t_A* + *t_B *= *I to* · *i_B* (modern *NS*) must be held, in addition to the outputs *t_A* And *t_B *It must be randomly subject to this condition; Finally, the parties must learn something about each other’s input *I to* And *i_B *In the process of implementing the protocol (even if they have been involved in malicious behavior).

DKLs describe a cool subprotocol for safe multiplication, using another primitive called *inattentive threaded transmission* (cot for acronym). In the cOT protocol, the parties Alice and Bob have unequal roles. Alice inserts an odd number, say ɑ, into 𝔽_*NS*; Bob only enters one piece *NS*. Each party receives an integer as an output; Let’s call this again *t_A* And *t_B *For now. As defined by cOT, the output *t_A *And *t_B* It should be random provided that *t_A* + *t_B* = ɑ *if* bob input bit *NS* is 1 and is randomized to *t_A* + *t_B* = 0 *if* The bob input bit is 0. In both cases, the sender must learn nothing about the receiver bit *NS*, and the receiver must learn nothing about the scalar number of the sender ɑ. The definition of inattentive coherent transport is shown in the figure below.

Assuming we have a cOT protocol in hand, how do we boot it into a multiplication protocol? Interestingly enough, Alice and Bob can use an algorithm from elementary school to do this. Let’s remember the so-called *long beating* algorithm. Roughly, the action shifts the top hit in succession to the left one place at a time; At each step, you also multiply that multiplier by the appropriate number for the bottom racket. Finally, it adds the resulting matrix of shifted and doubled numbers. In the binary system, things become much simpler, because the “numbers” of the lower multiples are either 0 or 1. The figure illustrating this process is shown below:

In each row of this figure, Alice’s original input is shifted one more step to the left. Further, when working from right to left with Bob’s input, we also cross out the rows corresponding to the bits where Bob’s input is 0. Finally, we sum the resulting numbers to get the product. (Actually, everything happens here *NS*, but let’s ignore that for the sake of clarity; We have also simplified various aspects of the multiplication protocol for illustrative purposes.)

The idea here is that we can use the crib to do this safely. In fact, all *Row* From the diagonal matrix above it can be treated with a single associated inattentive transfer. Alice enters her original input *I to*, appropriately by *y* Steps to the left Bob enters the file *y*ᵗʰ *Little* from his original input *i_B*. By defining cOT, the ends end up with a random-added stock model *NS* from *As for* 0 or 2*⁇* · *I to,* Depending on the bob part. By doing this for each row individually, the parties get stakes added for each row *Row* above, while learning nothing of each other’s input in the process. Finally, by adding the domestic added shares obtained in this way, both parties end up with added shares for the entire product *I to* · *i_B*. This is exactly what we wanted above.

**future work.** DKLs are powerful and interesting technologies; This makes their techniques easier to understand, generalize and possibly improve. The main drawback of DKLs is the bandwidth requirement, which stands at *relatively* High ~ 120 kB (total exchanged bytes). It would be interesting to try to reduce the bandwidth requirements, by improving the technologies of DKLs. We’ve considered trying to improve this bandwidth using a Karatsuba-like approach, but haven’t been able to piece together the details yet. Roughly, Karatsuba works by substituting intelligently *One* The result of multiplying whole numbers by *three* Half-digit products (and their handling *these products* frequently, etc.). The key fact that makes this approach faster is that multiplying two numbers by half the length requires only a *a fourth* than working as a multiplication of two whole numbers (due to the squared size of the work involved; see above). All that said, Karatsuba can double two *n*Bit numbers only

https://medium.com/media/4b4e72cc852ecf167dd90e8efa6f195e/href

Atomic operations, unlike O (*n*²) is required by naive multiplication. The problem with applying this technique to DKL is that the output of each cOT must be a random pattern *NS*. This forces each output to take the log *NS* Bit , *even in* When the actual numbers involved are much smaller than *NS*. This nullifies the benefits that Karatsuba is supposed to impart – because the length is halved *not longer* In return, it cuts the bandwidth in half. It is possible that this could be implemented using some new ideas.

**If you are interested in the latest encryption technology, ****Check out our open roles here.**

Fast, Secure 2-of-2 ECDSA with DKLs18 was originally posted on the Coinbase blog on Medium, where people continue the conversation by highlighting and responding to this story.