For the sake of simplicity, we use a simpler key generation and triple protocol as ideal functionalities, to isolate the analysis of our presignature and signature protocols.

Presigning

Definition (Presignatures):

P [Presign] P_{i} \underline{(1) Presign_{i}^{τ} () :} (a_{i}, b_{i}, c_{i}, A, B, C) \leftarrow Triple_{i}^{(τ, 0)} () (k_{i}, d_{i}, kd_{i}, K, D, KD) \leftarrow Triple_{i}^{(τ, 1)} () ↱_{i}^{τ} (⋆, λ (P) \cdot kd_{i}, 1) ↱_{i}^{τ} (⋆, λ (P) \cdot (k_{i} + a_{i}), 2) ↱_{i}^{τ} (⋆, λ (P) \cdot (x_{i} + b_{i}), 3) kd_∙ ↰_{i}^{τ} (⋆, 1) ka_∙ ↰_{i}^{τ} (⋆, 2) xb_∙ ↰_{i}^{τ} (⋆, 3) kd \leftarrow j \sum kd_{j} if kd \cdot G \neq = KD : stop (⋆, 1) ka \leftarrow j \sum ka_{j} if ka \cdot G \neq = K + A : stop (⋆, 2) xb \leftarrow j \sum xb_{j} if xb \cdot G \neq = X + B : stop (⋆, 3) R \leftarrow \frac{1}{kd} \cdot D σ_{i} \leftarrow ka \cdot x_{i} - xb \cdot a_{i} + c_{i} return (X, x_{i}, R, k_{i}, σ_{i}) f F_{q} [X]_\leq t - 1 \underline{() :} return (f (0) \cdot G, f (i)) \otimes f, f F_{q} [X]_\leq t - 1 f {f \in F_{q} [X]_\leq t - 1 ∣ f (0) = f (0) \cdot f} \underline{() :} (a_{i}, b_{i}, c_{i}) \leftarrow (f (i), f (i), f (i)) (A, B, C) \leftarrow (f (0) \cdot G, f (0) \cdot G, f (0) \cdot G) return (a_{i}, b_{i}, c_{i}, A, B, C) \otimes F [Triple] \otimes F [SyncComm]^{N} ⊚ F [Stop] Leakage := {stop}

$□$

The functionalities we use here are perfect, in essence. The idea behind the presignature functionality is relatively simple. One triple is used to help multiply $k$ and $x$ , and the other contains $k$ itself, which we use to help invert $k$ for the signature formula.

For convenience, we make it so that the presignature gives us $X$ and $x$ (secret shared).

Another convention is that the same key $x$ is used for an arbitrary number of signatures, hence $N$ instances. We use $τ$ as index to denote this instances.

Definition (Ideal Presignatures):

P [IdealPresign] P_{i} \underline{(1) Presign_{i}^{τ} () :} Sync_{i}^{τ} (⋆, 0) WaitSync_{i}^{τ} (⋆, 0) return Presign_{i}^{τ} () f^{X}, f, F_{q} [X]_\leq t - 1 f, {f \in F_{q} [X]_\leq t - 1 ∣ f (0) = 0} \underline{() :} X \leftarrow f^{X} (0) \cdot G x_{i} \leftarrow f^{X} (i) R \leftarrow \cdot G k_{i} \leftarrow f (i) σ_{i} \leftarrow f^{X} (0) \cdot f (0) + f (i) return (X, x_{i}, R, k_{i}, σ_{i}) \underline{() :} return f (0) \cdot G \underline{() :} return f (0) \cdot f (0) \cdot G \otimes F [Sync]^{N} ⊚ F [Stop] Leakage := {stop}

$□$

The ideal functionality basically spits out presignatures at will, all under the same key. We also get access to $k \cdot G$ and $k x \cdot G$ , in addition to $k^{- 1} \cdot G$ . $k x \cdot G$ is actually something you learn from a signature anyhow, once it’s completed.

Lemma: For a negligible $ϵ$ , and up to $t - 1$ malicious corruptions, we have:

P [Presign] ⇝ ϵ P [IdealPresign]

Proof:

First, we note that $P [Presign] ⇝ P^{0}$ , which modifies $P_{i}$ to consolidate message sending:

P_{i} \underline{(1) Presign_{i}^{τ} () :} (a_{i}, b_{i}, c_{i}, A, B, C) \leftarrow Triple_{i}^{(τ, 0)} () (k_{i}, d_{i}, kd_{i}, K, D, KD) \leftarrow Triple_{i}^{(τ, 1)} () ↱_{i}^{τ} (⋆, (λ (P) \cdot kd_{i}, λ (P) \cdot (k_{i} + a_{i}), λ (P) \cdot (x_{i} + b_{i})), 0) (kd_∙, ka_∙, xb_∙) ↰_{i}^{τ} (⋆, 0) kd \leftarrow j \sum kd_{j} if kd \cdot G \neq = KD : stop (⋆, 0) ka \leftarrow j \sum ka_{j} if ka \cdot G \neq = K + A : stop (⋆, 0) xb \leftarrow j \sum xb_{j} if xb \cdot G \neq = X + B : stop (⋆, 0) R \leftarrow \frac{1}{kd} \cdot D σ_{i} \leftarrow ka \cdot x_{i} - xb \cdot a_{i} + c_{i} return (X, R, k_{i}, σ_{i})

A sketch of the simulator here would be to delay sending messages from malicious to honest parties until all three bundles have been sent, and to detect failures early to make all aborts look the same.

From $P^{0}$ , we can jump to $P [IdealPresign]$ directly.

Γ_{H}^{0} \dots \otimes S α_{j}^{τ}, β_{j}^{τ}, d_{j}^{τ}, δ_{j}^{τ} $ F_{q} α^{τ} \leftarrow j \sum α_{j}^{τ}, β^{τ} \leftarrow j \sum β_{j}^{τ}, δ^{τ} \leftarrow j \sum δ_{j}^{τ} γ_{j}^{τ} $ {(γ_{1}, \dots, γ_{n}) ∣ j \sum γ_{j} = α \cdot β} (X, x_{k}^{τ}, R^{τ}, k_{k}^{τ}, σ_{k}^{τ}) \leftarrow Presign_{k}^{τ} () K^{τ} \leftarrow K^{τ} (), XK^{τ} \leftarrow XK^{τ} () A^{τ} \leftarrow α^{τ} \cdot G - K^{τ} B^{τ} \leftarrow β^{τ} \cdot G - X C^{τ} \leftarrow α^{τ} β^{τ} - α^{τ} \cdot X - β^{τ} \cdot K^{τ} + XK^{τ} D^{τ} \leftarrow δ^{τ} \cdot R^{τ}, KD^{τ} \leftarrow δ^{τ} \cdot G \underline{Triple_{k}^{τ, 0} () :} a_{k} \leftarrow α_{k}^{τ} - k_{k}^{τ} b_{k} \leftarrow β_{k}^{τ} - k_{k}^{τ} c_{k} \leftarrow γ_{k}^{τ} - α \cdot x - β \cdot k + σ_{k}^{τ} return (a_{k}, b_{k}, c_{k}, A^{τ}, B^{τ}, C^{τ}) \underline{Triple_{k}^{τ, 1} () :} return (k_{k}^{τ}, d_{k}^{τ}, δ_{k}^{τ}, K^{τ}, D^{τ}, KD^{τ}) m^{τ}_ij \leftarrow ⊥ \underline{↱_{k}^{τ} (S, \overset{m}{^}_∙ = (kd_∙, ka_∙, xb_∙), 0) :} m^{τ}_kj \leftarrow \overset{m}{^}_kj (\forall j \in S) Sync_{k} (S \cap H, 0) for j \in H . \forall k \in M . m^{τ}_kj \neq = ⊥ : (kd_{k}, ka_{k}, xb_{k}) \leftarrow m_kj \hat{kd} = \sum_j \in H δ_{j}^{τ} + \sum_k \in M kd_{k} \hat{ka} = \sum_j \in H α_{j}^{τ} + \sum_k \in M ka_{k} \hat{xb} = \sum_j \in H β_{j}^{τ} + \sum_k \in M xb_{k} if \hat{kd} \cdot G \neq = KD^{τ} \lor \hat{ka} \cdot G \neq = K^{τ} + A^{τ} \lor \hat{xb} \cdot G \neq = X + B^{τ} : stop ({j}, 0) \underline{↰_{k}^{τ} (S, 0) :} WaitSync_{k} (S \cap H, 0) wait_(k, 0) \forall j \in S . m^{τ}_jk \neq = ⊥ r_{j} \leftarrow m^{τ}_jk (j \in S \cap M) r_{j} \leftarrow (δ_{j}^{τ}, α_{j}^{τ}, β_{j}^{τ}) (j \in S \cap H) return r_∙ \dots \circ F [Presign] ⊚ F [Stop]

The idea behind the simulator is that you generate random values for the messages you’re going to receive, and then use those to reverse engineer what the large values like $A, B$ should be.

$■$

Signing

Signatures are pretty straightforward once you have presignatures.

Definition (Signing):

P [Sign] P_{i} \underline{(1) Sign_{i}^{τ} () :} (X, ∙, R, k_{i}, σ_{i}) \leftarrow Presign_{i}^{τ} () m \leftarrow GetMessage^{τ} () s_{i} \leftarrow Hash (m) \cdot k_{i} + x (R) \cdot σ_{i} ↱_{i} (⋆, s_{i}, 1) s_∙ \leftarrow ↰_{i} (⋆, 1) s \leftarrow j \sum s_{j} if \neg ECDSA . Verify (X, m, (R, s)) : stop (⋆, 1) return s m^{τ} \leftarrow ⊥ \underline{(m) :} if m^{τ} = ⊥ : m^{τ} \leftarrow m \underline{() :} wait m^{τ} = ⊥ return m^{τ} \otimes F [SyncComm]^{N} ⊚ F [Stop] Leakage := {stop, SetMessage^{τ}} ⊲ P [Presign]

$□$

We assume that there’s a separate functionality which provides consensus on the message to sign in each instance.

Definition (Ideal Signing):

P [IdealSign] P_{i} \underline{(1) Sign_{i}^{τ} () :} Sync_{i}^{τ} (⋆, 0) WaitSync_{i}^{τ} (⋆, 0) Ready_{i}^{τ} (⋆) return Sig_{i}^{τ} () ready_ij^{τ} \leftarrow false x, k^{τ} F_{q} \underline{(S) :} ready^{τ}_ij \leftarrow true (\forall j \in S) \underline{(S) :} wait_(i, 1) \forall j \in S . ready^{τ}_ji \underline{() :} wait_(i, 1) \forall j \in P .\exists i . ready^{τ}_ji m \leftarrow GetMessage^{τ} () R \leftarrow \cdot G s \leftarrow k \cdot (Hash (m) + x (R) \cdot x) return (R, s) \underline{() :} return (x \cdot G, x k^{τ} \cdot G, k^{τ} \cdot G, \cdot G) ⊚ F [Messages] \otimes F [Sync]^{N} ⊚ F [Stop] Leakage := {stop, SetMessage^{τ}, GetMessage^{τ}, Leak^{τ}} ⊲ P [Presign]

The ideal functionality unfortunately has to reflect the round timing of the protocol itself.

Lemma:

For a negligible $ϵ$ , and up to $t - 1$ malicious corruptions, we have:

P [Sign] ⇝ ϵ P [IdealSign]

Proof:

First, we can replace $P [Presign]$ with $P [IdealPresign]$ .

From there, we can use a similar simulator as last time:

Γ_{H}^{0} \dots \otimes S x_{i}, k^{τ}_i, σ^{τ}_i $ F_{q} (i \in M) k^{τ}_i, σ^{τ}_i \leftarrow ⊥ (i \in H) s_ij \leftarrow ⊥ (X, XK^{τ}, K^{τ}, R^{τ}) \leftarrow Leak^{τ} () \underline{Presign_{k}^{τ} () :} Ready_{k}^{τ} (M) return (X, x_{i}, K^{τ}, R^{τ}, k_{k}^{τ}, σ_{k}^{τ}) \underline{K^{τ} () :} return K^{τ} \underline{XK^{τ} () :} return XK^{τ} \underline{↰_{k}^{τ} (S, m_∙, 1) :} wait_(k, 1) \forall j \in S \cap M . s_jk \neq = ⊥ r_∙ \leftarrow ⊥ r_{j} \leftarrow s_jk (j \in S \cap M) WaitReady_{k}^{τ} (S \cap H) for j \in S \cap H : m \leftarrow GetMessage^{τ} () if ∣ {i \in H ∣ k_{i}^{τ} = ⊥} ∣ = 1 : k_{j}^{τ} $ F_{q} s \leftarrow Sig_{k}^{τ} () σ_{j}^{τ} \leftarrow \frac{1}{x ( R )} \cdot (s - Hash (m) \cdot i \sum k_{i}^{τ} - x (R) \cdot \sum_i \neq = j σ_{j}^{τ}) else : k_{j}^{τ}, σ_{j}^{τ} $ F_{q} r_{j} \leftarrow Hash (m) \cdot k_{j}^{τ} + x (R) \cdot σ_{j}^{τ} return r_∙ \underline{↱_{k}^{τ} (S, m_∙, 1) :} Ready_{k}^{τ} (S) for j \in S . s_kj = ⊥ : s_kj \leftarrow m_{j} for j \in H .\forall k \in M . s_kj \neq = ⊥ : if \sum_k \in M s_kj \neq = Hash (m^{τ}) \cdot k \sum k_{k}^{τ} + x (R^{τ}) \cdot k \sum σ_{k}^{τ} : stop ({j}, 1) \dots \circ F [Messages] ⊚ F [Stop]

The strategy is the same as other simulators in this section, where we use the fact that only the sum has to verify correctly, in order to give junk values up until the last moment.

$■$

The security of using presignatures

Here, we’ve limited ourselves to showing that our protocol implements “ECDSA with presignatures”, as far as the security of “ECDSA with presignatures” as a threshold signature scheme, see Groth & Shoup 2021.

cronokirby

Explorer

Cait-Sith Security (4): Signing

Presigning

Signing

The security of using presignatures

Graph View

Table of Contents