Threshold Schnorr with Stateless Deterministic Signing
François Garillot, Yashvanth Kondi, Payman Mohassel, Valeria Nikolaenko
Northeastern University
Novi/Facebook Novi/Facebook
Schnorr: Practical Issues
SchnorrSign( , m )
Fresh randomness needed to sign
Even a tiny amount of bias can completely wreck security
In practice: bad PRGs, software bugs, etc. Reliable entropy is scarce!
Solution: de-randomize r
security is very sensitive to this
backed up on secure storage where frequent reliable updates may not be possible
Sampled during key generation
F is a pseudorandom function
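An added example (not from the slides or the paper) of the single-signer form of this idea, assuming the nonce is derived as r = F_k(m) with the PRF key k sampled once at key generation. HMAC-SHA256 stands in for F; the toy group parameters and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Toy Schnorr group, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P, Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def _enc(n: int) -> bytes:
    return n.to_bytes(2, "big")  # every group element here is < 2**16

def _h(*parts: bytes) -> int:
    """Hash length-prefixed parts to an integer mod Q (Fiat-Shamir challenge)."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big") % Q

def keygen(seed: bytes):
    """Sample sk and the PRF key once; a real system draws `seed` from the OS RNG."""
    sk = 1 + _h(b"sk", seed) % (Q - 1)
    prf_key = hashlib.sha256(b"prf" + seed).digest()
    return sk, prf_key, pow(G, sk, P)

def nonce(prf_key: bytes, msg: bytes) -> int:
    """r = F_k(m), mapped into [1, Q-1]. The 256-bit PRF output is vastly wider
    than Q, so the reduction adds no usable bias; with a 256-bit group order,
    reduce at least 64 extra bits of PRF output for the same reason."""
    out = hmac.new(prf_key, msg, hashlib.sha256).digest()
    return 1 + int.from_bytes(out, "big") % (Q - 1)

def sign(sk: int, prf_key: bytes, msg: bytes):
    """Stateless and deterministic: no randomness is sampled, no state is updated."""
    r = nonce(prf_key, msg)
    R = pow(G, r, P)
    e = _h(_enc(R), _enc(pow(G, sk, P)), msg)
    return R, (r + e * sk) % Q

def verify(pk: int, msg: bytes, sig) -> bool:
    R, s = sig
    e = _h(_enc(R), _enc(pk), msg)
    return pow(G, s, P) == (R * pow(pk, e, P)) % P
```

The verifier is the ordinary Schnorr check and cannot tell how r was chosen; only the signer changes.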
i.e. after a one-time distributed key generation phase, parties interactively sign messages without sampling new randomness or updating their state
Implicit: deterministic nonce derivation
sharing (small number of parties)
“throw zero-knowledge proofs at it” [Goldreich-Micali-Wigderson 87]
[Jawurek-Kerschbaum-Orlandi 13] to prove these statements
like AES
free)
PRF evaluations online)
threshold ECDSA (100s of KB, estd. milliseconds/low tens of ms for 256-bit curve)
(paper coming soon)