ECDSA Signing Process

The Process of ECDSA Signing in a Two-Party System

Last updated 1 year ago

Was this helpful?

ECDSA Signing Process

The Process of ECDSA Signing in a Two-Party System

The Elliptic Curve Digital Signature Algorithm (ECDSA) involves a two-party process where neither party knows the private key $x$ , yet they can jointly create a signature on a message $m$ . Here's an overview of the ECDSA signing function:

Nonce Generation and Computation:
- A random nonce $k$ is chosen, and $R=k⋅G$ is computed.
- The "x-coordinate" of the elliptic-curve point $R$ is denoted as $r$ .
Signature Computation:
- The signature component $s$ is calculated as $s=k−1⋅(H(m)+r⋅x)modq$ .
Signature Output:
- The signature is output as a pair $(r,s)$ .

Additively Homomorphic Encryption in ECDSA

Encryption Type: The process uses additively homomorphic encryption, which allows for encrypted values to be efficiently added or multiplied by a scalar without decryption. Paillier encryption, a common form of this encryption, is often used.

Two-Party Computation Steps

Key Generation:
- Parties choose random $1x1$ and $2x2$ and exchange $Q1=x1⋅G$ and $Q2=x2⋅G$ . Commitment schemes are used for security.
- $1P1$ generates a Paillier key-pair $(pk,sk)$ and sends $ckey=Encpk(x1)$ to $2P2$ , along with a zero-knowledge proof.
Signature Generation on Message $m$ :
- Parties independently generate $1k1$ and $2k2$ , and exchange $R1=k1⋅G$ and $R2=k2⋅G$ .
- The nonce $k$ and $R$ are set as $k=k1⋅k2$ and $R=k1⋅R2=k2⋅R1$ .
- $2P2$ computes a "partial signature" using the homomorphic properties of the encryption, performing a series of encrypted operations.
- $1P1$ decrypts the received ciphertext, multiplies it by $1−1k1−1$ to obtain $s$ , and verifies the signature $(r,s)$ .

Security Considerations

Last updated 1 year ago

Was this helpful?

Nonce Generation and Computation:
- A random nonce $k$ is chosen, and $R=k⋅G$ is computed.
- The "x-coordinate" of the elliptic-curve point $R$ is denoted as $r$ .
Signature Computation:
- The signature component $s$ is calculated as $s=k−1⋅(H(m)+r⋅x)modq$ .
Signature Output:
- The signature is output as a pair $(r,s)$ .

Additively Homomorphic Encryption in ECDSA

Encryption Type: The process uses additively homomorphic encryption, which allows for encrypted values to be efficiently added or multiplied by a scalar without decryption. Paillier encryption, a common form of this encryption, is often used.

Two-Party Computation Steps

Key Generation:
- Parties choose random $1x1$ and $2x2$ and exchange $Q1=x1⋅G$ and $Q2=x2⋅G$ . Commitment schemes are used for security.
- $1P1$ generates a Paillier key-pair $(pk,sk)$ and sends $ckey=Encpk(x1)$ to $2P2$ , along with a zero-knowledge proof.
Signature Generation on Message $m$ :
- Parties independently generate $1k1$ and $2k2$ , and exchange $R1=k1⋅G$ and $R2=k2⋅G$ .
- The nonce $k$ and $R$ are set as $k=k1⋅k2$ and $R=k1⋅R2=k2⋅R1$ .
- $2P2$ computes a "partial signature" using the homomorphic properties of the encryption, performing a series of encrypted operations.
- $1P1$ decrypts the received ciphertext, multiplies it by $1−1k1−1$ to obtain $s$ , and verifies the signature $(r,s)$ .

Security Considerations

Protection Against Private Key Exposure: The protocol ensures neither party knows $k$ or the private key $x$ .
Handling Corrupt Parties: If $2P2$ is corrupt, it can provide incorrect encryption, but since $1P1$ verifies the signature first, no advantage is gained by $2P2$ from this.

Protection Against Private Key Exposure: The protocol ensures neither party knows $k$ or the private key $x$ .

Handling Corrupt Parties: If $2P2$ is corrupt, it can provide incorrect encryption, but since $1P1$ verifies the signature first, no advantage is gained by $2P2$ from this.