Threshold ECDSA: Multi-Party Signing
Study GG18, GG20, and CGGMP protocols that enable distributed ECDSA signing without reconstructing the key.
Why ECDSA Is Hard to Threshold
ECDSA signatures require computing a random nonce k, the curve point R = k*G, and the signature s = k^{-1}(h + r*x) mod n where x is the private key and r is the x-coordinate of R. The inversion of k and the multiplication by the private key make ECDSA inherently non-linear, unlike Schnorr signatures where the response is a simple linear combination. This non-linearity makes distributing the computation among parties extremely challenging.
GG18: Gennaro-Goldfeder Threshold ECDSA
The GG18 protocol by Gennaro and Goldfeder (2018) was the first practical two-party and threshold ECDSA construction secure without a trusted dealer. The key insight is using Paillier homomorphic encryption to perform the multiplicative-to-additive (MtA) conversion needed for the non-linear ECDSA computation. GG18 provides simulation-based security against static semi-honest adversaries.
All lessons in this course
- Threshold Signature Schemes: Concepts
- Threshold ECDSA: Multi-Party Signing
- Distributed Key Generation Protocols
- Threshold Schemes in Blockchains and HSMs