0Pricing
Cryptology Academy · Lesson

Threshold ECDSA: Multi-Party Signing

Study GG18, GG20, and CGGMP protocols that enable distributed ECDSA signing without reconstructing the key.

Why ECDSA Is Hard to Threshold

ECDSA signatures require computing a random nonce k, the curve point R = k*G, and the signature s = k^{-1}(h + r*x) mod n where x is the private key and r is the x-coordinate of R. The inversion of k and the multiplication by the private key make ECDSA inherently non-linear, unlike Schnorr signatures where the response is a simple linear combination. This non-linearity makes distributing the computation among parties extremely challenging.

GG18: Gennaro-Goldfeder Threshold ECDSA

The GG18 protocol by Gennaro and Goldfeder (2018) was the first practical two-party and threshold ECDSA construction secure without a trusted dealer. The key insight is using Paillier homomorphic encryption to perform the multiplicative-to-additive (MtA) conversion needed for the non-linear ECDSA computation. GG18 provides simulation-based security against static semi-honest adversaries.

All lessons in this course

  1. Threshold Signature Schemes: Concepts
  2. Threshold ECDSA: Multi-Party Signing
  3. Distributed Key Generation Protocols
  4. Threshold Schemes in Blockchains and HSMs
← Back to Cryptology Academy