國立臺灣大學理學院數學系 碩士論文
Department of Mathematics College of Science National Taiwan University
Master Thesis
閾值密碼學的研究與分類
Threshold Cryptography: A Survey and Taxonomy
吳秉宸 Ping-Chen Wu
指導教授:陳君明 博士 Advisor: Jiun-Ming Chen, Ph.D.
中華民國 108 年 7 月
July 2019
Acknowledgements
Five long years, during which I went through a period of confusion about my studies and a year of military service; under the patient guidance of my advisor, Professor Jiun-Ming Chen, who gave me one chance after another, I have finally completed this thesis. Over the past few years, the professor, drawing on his familiarity with cryptography and his understanding of me, always assigned me tasks that were just right: never ones I could not complete, but never too easy either. While completing the tasks the professor assigned, I gradually became familiar with the various areas of cryptography and found within them topics of interest to begin studying in depth.
I would also like to especially thank my senior 蘇昱丞, as well as my juniors 唐爾晨, 張凱傑 and 洪逸霖. I thank these seniors and juniors for often discussing with me the various problems I encountered while reading papers. Brainstorming with one another, letting our imaginations run free, unconstrained by old limitations, often allowed me to get past one research bottleneck after another.
Abstract (Chinese)
Since the advent of blockchain, public concern about privacy has kept rising. At the same time, related developments in cryptography, such as multi-party computation (MPC), zero-knowledge proofs and homomorphic encryption, have laid a solid foundation for the development of threshold cryptography. This study discusses in depth two main types of threshold ECDSA and verifies each using an algorithm as an example. In addition, the two algorithms are compared comprehensively in terms of the number of rounds, the amount of transmission and the amount of computation. On the other hand, this study further explores various applications of threshold encryption techniques, including TOPRF, TPPSS and various applications in cloud computing.
Keywords: threshold cryptography, multi-party computation, ECDSA, homomorphic encryption, cloud computing
Abstract
Ever since the emergence of blockchain, public concern about privacy has been rising. Meanwhile, advances in cryptography such as MPC (multi-party computation), zero-knowledge proofs and homomorphic encryption have laid a solid foundation for the development of threshold cryptography. In this study, two major types of threshold ECDSA are discussed in depth, each examined through a concrete algorithm as an example. In addition, the two algorithms are compared comprehensively in terms of the number of rounds, the amount of transmission and the amount of computation. Furthermore, various applications of threshold cryptography, including TOPRFs, TPPSS and a variety of applications in cloud computing, are also explored in this study.
Keywords: threshold cryptography, MPC, ECDSA, homomorphic encryption, cloud computing
Table of Contents
致謝 ··· ii
摘要 ··· iii
Abstract ··· iv
Table of figures ··· viii
Chapter 1. Introduction ··· 9
Chapter 2. Definition and Tools ··· 12
2.1 Decisional Composite Residuosity Assumption (DCRA) ··· 12
2.2 Paillier cryptosystem ··· 12
2.3 Oblivious Transfer (OT) ··· 13
2.4 Multiplication into addition ··· 14
2.5 Schnorr’s zero-knowledge proof with Fiat–Shamir heuristic ··· 15
Chapter 3. Standardization, Applications and Challenges of Threshold Cryptography ··· 17
3.1 Standardization and recommendations of threshold cryptography ··· 17
3.2 Challenges and issues in standardization of threshold cryptography ··· 18
3.3 Security of threshold cryptography ··· 20
3.3.1 Threshold values ··· 20
3.3.2 Concerning tradeoff among security properties ··· 20
3.3.3 Confidentiality, integrity and availability ··· 20
3.3.4 Defining f_x ··· 21
3.4 Applications of threshold cryptography ··· 22
3.4.1 Threshold Oblivious Pseudo-Random Functions (TOPRFs) ··· 22
3.4.2 Threshold Oblivious Password Protected Secret Sharing (TOPPSS) ··· 25
Chapter 4. Applications of threshold signature ··· 27
4.1 Multi signature vs. Threshold signature ··· 27
4.2 Threshold ECDSA ··· 29
4.3 Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme. ··· 29
4.3.1 R Gennaro’s algorithm ··· 30
4.3.2 Efficiency analysis ··· 32
4.4 Threshold ECDSA from ECDSA Assumptions ··· 34
4.4.1 Doerner’s algorithm ··· 35
4.4.2 Efficiency analysis ··· 37
4.5 Comparisons between the two studies ··· 39
4.6 Other forms of threshold secret sharing ··· 40
4.6.1 Weighted threshold ··· 40
Chapter 5. Threshold Cryptography on Cloud Computing ··· 42
5.1 Introduction of cloud computing ··· 42
5.2 The NIST definition of cloud computing ··· 42
5.3 Threshold Cryptography on Cloud Computing ··· 43
5.3.1 Threshold cryptography based on data security in cloud computing ··· 44
5.3.2 A secured key for cloud computing using threshold cryptography in Kerberos ··· 46
5.3.3 Searching for the optimal value for threshold on cloud computing ··· 48
Chapter 6. Conclusions ··· 50
References ··· 52
Table of Figures
Figure 1 ··· 23
Figure 2 ··· 24
Figure 3 ··· 45
Figure 4 ··· 47
Figure 5 ··· 47
Chapter 1. Introduction
Threshold cryptography is a technique in which the number of participants must reach a threshold before a message can be signed or verified, or data encrypted or decrypted. More specifically, a t-out-of-n threshold means that any t or more participants can perform the operation, while t-1 or fewer participants have little authority and are not allowed to obtain any information about signing, verifying, encrypting or decrypting. The concept of threshold cryptography was first proposed by Adi Shamir in "How to share a secret" in 1979 [1]. He pointed out that, in the traditional scenario, cryptography consisted of one sender, one receiver, and an active or passive eavesdropper acting as the opponent. The situation becomes more complex, however, when scenarios with multiple transmitters or multiple receivers are considered. For example, the procurement department of a multinational company may require two supervisors to sign and agree before a purchase can proceed; in this case two transmitters are involved. To cope with such requirements, the study of threshold cryptography has been increasingly thriving [2-7]. The National Institute of Standards and Technology (NIST) is also interested in this subfield of cryptography, and has released a series of reports stating its position on the threshold field [8]. NIST also held a threshold workshop in March 2019, which will be described further in a following chapter.
Among the characteristics of threshold cryptography, the ability to rule out single points of failure is worth noting. One can grasp the concept of a single point of failure through the motto of the U.S. Navy SEALs: 'Two is one, one is none.' In other words, two sets of equipment are usually prepared, because in practice only one set may be usable, since either of them may malfunction at any time; if only one set is prepared, it may as well be none. This motto best describes the concept of a single point of failure. In the real world, a
Desmedt describes [2], there is only one transmitter and one receiver in traditional cryptography. For instance, when it comes to the private key of a Bitcoin account, there is only one private key. If the owner loses the private key, the account can no longer be accessed. If a threshold signature is applied, however, the account can still be accessed even when at most (n - t) of the private key shares are lost.
In Chapter 2, the various tools used in threshold cryptography will be discussed, including oblivious transfer (OT), a technique heavily used in multiparty computation (MPC); Yao's Millionaires' Problem [9], for instance, is one of the classic OT applications. In addition, a method of converting multiplication into addition, proposed by Niv Gilboa [10], will be presented: based on OT, it changes the relationship between the parts held by the two parties from multiplicative to additive. The Paillier cryptosystem [11], a cryptosystem with additive homomorphic encryption, will also be introduced. Finally, the Schnorr protocol [12], a fairly efficient zero-knowledge proof, will be discussed.
In Chapter 3, NIST's recommendations and comments on threshold cryptography will be the main topic, followed by a review of 'NISTIR 8214, Threshold Schemes for Cryptographic Primitives', published by NIST in 2018 [8]. Several fundamental features of thresholds will also be introduced. Finally, NIST's threshold workshop and various applications of thresholds, including OPRF, TOPRF, PPSS, etc., will be addressed.
In Chapter 4, the differences between multi-signature and threshold signature will first be discussed by comparing their advantages and disadvantages, followed by an introduction to threshold ECDSA, the threshold version of the most popular digital signature used in cryptocurrencies. Given the strong motivation for threshold ECDSA, an in-depth analysis of the two current major types of threshold ECDSA was conducted in this study.
The amount of computation required for Paillier encryption, decryption and homomorphic addition is analyzed first, followed by an introduction to Gennaro's algorithm [13]. The algorithm of Doerner [14, 15], a threshold ECDSA algorithm that requires no additional hardness assumptions, is also explored. The two algorithms are then compared in terms of the number of rounds, the amount of information transmitted, the amount of computation and the t-of-n model. Finally, the parts of the two algorithms that may be optimized in the future are discussed.
Lastly, Chapter 5 focuses on cloud computing. Like threshold cryptography, it is a rapidly growing field. Because of the significant demand for MPC, cloud computing and threshold cryptography can both be regarded as advantageous and promising fields, and NIST also anticipates developing standards for cloud computing. The chapter begins with the definitions of cloud computing proposed by NIST [17], followed by the challenges encountered in developing the standards, and concludes by introducing several studies combining cloud computing and threshold cryptography.
Chapter 2. Definition and Tools
2.1 Decisional Composite Residuosity Assumption (DCRA)
Definition. A number z is said to be an n-th residue modulo $n^2$ if there exists a number $y \in Z^*_{n^2}$ such that $z = y^n \bmod n^2$.
Conjecture. There exists no polynomial-time distinguisher for n-th residues modulo $n^2$.
This intractability hypothesis will be referred to as the Decisional Composite Residuosity Assumption (DCRA).
2.2 Paillier cryptosystem
Key generation [11]. Generate two large primes P, Q of equal length and set N = PQ.
Let λ(N) = lcm(P-1, Q-1) be the Carmichael function of N.
Finally, choose $\Gamma \in Z^*_{N^2}$ such that its order is a multiple of N.
Public key: (N, Γ). Secret key: λ(N).
Encryption. To encrypt a message $m \in Z_N$, choose $x \in_R Z^*_N$ and compute $c = \Gamma^m x^N \bmod N^2$. Send c.
Decryption. To decrypt a ciphertext $c \in Z_{N^2}$, let L be the function defined over the set $\{u \in Z_{N^2} : u \equiv 1 \pmod N\}$ by $L(u) = (u - 1)/N$. Compute
$m = \dfrac{L(c^{\lambda(N)} \bmod N^2)}{L(\Gamma^{\lambda(N)} \bmod N^2)} \bmod N$.
*Choosing $x \in_R Z^*_N$ means choosing x uniformly at random from $Z^*_N$.
Additive homomorphic properties. As already seen, the two encryption functions $m \mapsto \Gamma^m r^N \bmod N^2$ and $m \mapsto \Gamma^{m + Nr} \bmod N^2$ are additively homomorphic on $Z_N$. In practice this leads to the following identities, for all $m_1, m_2 \in Z_N$ and $k \in \mathbb{N}$:
$e(m_1) +_E e(m_2) \equiv e(m_1)\, e(m_2) \equiv e(m_1 + m_2) \pmod{N^2}$,
$k \times_E e(m) \equiv e(m)^k \equiv e(km) \pmod{N^2}$.
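As an added example (not code from the thesis or from Paillier's paper), the following Python implements the key generation, encryption, decryption and the two homomorphic identities above. It uses two fixed Mersenne primes so that it runs without a primality test; those primes and the sample messages are assumptions of the demo only.

```python
import math
import secrets

# Two fixed, publicly known Mersenne primes, assumed here only so that the
# demo is reproducible without a primality test. This is NOT how real
# keys are made: Paillier needs two random primes of equal bit length.
P_DEMO = 2**521 - 1
Q_DEMO = 2**607 - 1


def keygen(P=P_DEMO, Q=Q_DEMO):
    """Section 2.2 key generation: public key (N, Gamma), secret key
    lambda(N) = lcm(P-1, Q-1). Gamma = N + 1 has order exactly N in
    Z*_{N^2}, so its order is a multiple of N as required."""
    N = P * Q
    lam = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
    return (N, N + 1), lam


def encrypt(pk, m):
    """c = Gamma^m * x^N mod N^2 for a fresh random x in Z*_N."""
    N, Gamma = pk
    N2 = N * N
    while True:
        x = secrets.randbelow(N)
        if x and math.gcd(x, N) == 1:
            break
    return pow(Gamma, m % N, N2) * pow(x, N, N2) % N2


def L(u, N):
    """L(u) = (u - 1) / N, defined for u = 1 (mod N)."""
    if (u - 1) % N:
        raise ValueError("L is only defined on u = 1 mod N")
    return (u - 1) // N


def decrypt(pk, lam, c):
    """m = L(c^lambda mod N^2) / L(Gamma^lambda mod N^2) mod N."""
    N, Gamma = pk
    N2 = N * N
    num = L(pow(c, lam, N2), N)
    den = L(pow(Gamma, lam, N2), N)
    return num * pow(den, -1, N) % N


def add_enc(pk, c1, c2):
    """Homomorphic addition: e(m1) * e(m2) = e(m1 + m2) mod N^2."""
    N, _ = pk
    return c1 * c2 % (N * N)


def scalar_mul_enc(pk, c, k):
    """Homomorphic scalar multiplication: e(m)^k = e(k * m) mod N^2."""
    N, _ = pk
    return pow(c, k, N * N)


def demo():
    """Encrypt two constructed messages and operate on ciphertexts only."""
    pk, sk = keygen()
    m1, m2, k = 123456789, 987654321, 42
    c1, c2 = encrypt(pk, m1), encrypt(pk, m2)
    total = decrypt(pk, sk, add_enc(pk, c1, c2))
    scaled = decrypt(pk, sk, scalar_mul_enc(pk, c1, k))
    return total, scaled
```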
2.3 Oblivious Transfer (OT)
OT is a promising cryptographic primitive and a fundamental building block of secure multiparty computation. OT was originally invented by Michael O. Rabin in 1981 [17]. In the original version, the sender sends a message m to the receiver, the receiver receives it with probability 1/2, and the sender learns nothing about whether the receiver has received it. Taken alone, this effect is of little use. Later, the more practical form of OT was invented by Shimon Even, Oded Goldreich and Abraham Lempel [18], with secure multiparty computation in mind. Subsequently, 1-of-n OT [19-22] and t-of-n OT [23-25] were invented, and OT extension is also available to improve OT efficiency [26].
In this study, 1-of-2 OT is used. 1-of-2 OT is performed by two parties, a sender and a receiver. The sender holds two messages $m_0$ and $m_1$; the receiver holds one bit c (c = 0 or 1). The sender sends two packages to the receiver, containing $m_0$ and $m_1$ respectively. Although the receiver receives both packages, he or she can open only one of them ($m_c$); opening the other yields nothing but meaningless data. At the end, the sender does not know which message the receiver obtained, and the receiver sees only the target message ($m_c$) and learns nothing about the other.
and Claudio Orlandi [27], based on the Diffie-Hellman key exchange [28].
Inputs: the Sender holds $m_0, m_1$; the Receiver holds c. Outputs: the Sender obtains nothing; the Receiver obtains $m_c$.
1. Sender: choose $a \in_R Z_p$, compute $A = g^a$, send A. Receiver: choose $b \in_R Z_p$.
2. Receiver: if c = 0, compute $B = g^b$; if c = 1, compute $B = A g^b$. Compute $k_r = H(A^b)$. Send B.
3. Sender: compute $k_0 = H(B^a)$ and $k_1 = H((B/A)^a)$, then $e_0 = E_{k_0}(m_0)$ and $e_1 = E_{k_1}(m_1)$. Send $(e_0, e_1)$.
4. Receiver: compute $m_c = D_{k_r}(e_c)$.
*H: hash function. E: symmetric encryption. D: decryption of E.
2.4 Multiplication into addition
Multiplication into addition is used in the $F_{mul}$ part of Doerner's paper [14], where it is a critical technique. The final ECDSA signature has the form $(H(m) + sk \cdot r)/k$, and the k in the denominator makes ECDSA very unsuitable for thresholdizing. Doerner therefore turned to the 1/k and sk/k parts of the signature. Running $F_{mul}$ on Alice's $1/k_a$ and Bob's $1/k_b$ gives Alice and Bob $t_{a1}$ and $t_{b1}$ respectively, where $t_{a1} + t_{b1} = (1/k_a) \cdot (1/k_b)$. Similarly, running $F_{mul}$ again gives Alice and Bob $t_{a2}$ and $t_{b2}$ whose sum equals $(sk_a/k_a) \cdot (sk_b/k_b)$. This technique is based on Gilboa's paper [10]. The protocol is as follows.
Alice holds a and Bob holds b, both in $Z_q$; p is the bit length of b.
1. Alice: choose $s_0, \ldots, s_{p-1} \in_R Z_q$. Let $t_i^0 = s_i$ and compute $t_i^1 = 2^i a + s_i$ for all i. Send the pairs $(t_0^0, t_0^1), \ldots, (t_{p-1}^0, t_{p-1}^1)$ through the OTs of step 2.
2. Let the binary representation of b be $b_{p-1}, \ldots, b_0$. Alice and Bob execute p 1-of-2 OTs; in the i-th invocation Bob chooses $t_i^{b_i}$ from the pair $(t_i^0, t_i^1)$.
3. Alice computes $x = -\sum_{i=0}^{p-1} s_i$. Bob computes $y = \sum_{i=0}^{p-1} t_i^{b_i}$.
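The protocol above, as an added Python example that is not from the thesis or from Doerner's or Gilboa's papers: the 1-of-2 OT is replaced by an ideal-functionality stand-in (a plain function call, an assumption made so the block runs alone), q is the secp256k1 group order, and the sample values $k_a$, $k_b$ are constructed.

```python
import secrets

# q = order of secp256k1, the ECDSA group used by Bitcoin, so the shares
# live in the same Z_q as the 1/k and sk/k values of Section 2.4.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BITS = Q.bit_length()   # p in the protocol: one 1-of-2 OT per bit of b


def ideal_ot(pair, choice):
    """Stand-in for the 1-of-2 OT of Section 2.3 (assumption of this demo):
    Bob obtains pair[choice] and nothing else. In a real run this is the
    DH-based OT, so Alice never learns 'choice' and Bob never sees the
    other element; here it is a direct call so the block runs alone."""
    return pair[choice]


def alice_prepare(a):
    """Step 1: t_i^0 = s_i, t_i^1 = 2^i * a + s_i for i = 0, ..., p-1."""
    s = [secrets.randbelow(Q) for _ in range(BITS)]
    pairs = [(s[i], (pow(2, i, Q) * a + s[i]) % Q) for i in range(BITS)]
    return s, pairs


def bob_select(b, pairs):
    """Step 2: in the i-th OT Bob takes t_i^{b_i}, b_i the i-th bit of b."""
    return [ideal_ot(pairs[i], (b >> i) & 1) for i in range(BITS)]


def mul_to_add(a, b):
    """F_mul: returns (x, y) with x + y = a*b mod q; x is Alice's share and
    y is Bob's, since y = sum(s_i) + a * sum(b_i * 2^i) = sum(s_i) + a*b."""
    s, pairs = alice_prepare(a % Q)
    received = bob_select(b % Q, pairs)
    x = (-sum(s)) % Q            # step 3, Alice
    y = sum(received) % Q        # step 3, Bob
    return x, y


def demo():
    """Constructed sample: Alice's 1/k_a and Bob's 1/k_b as in Section 2.4."""
    k_a, k_b = 1234567, 7654321
    inv_a, inv_b = pow(k_a, -1, Q), pow(k_b, -1, Q)
    x, y = mul_to_add(inv_a, inv_b)
    return (x + y) % Q == inv_a * inv_b % Q
```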
2.5 Schnorr’s zero-knowledge proof with Fiat–Shamir heuristic
Schnorr's zero-knowledge proof [12] is one of the simplest and most frequently used proofs of knowledge. The Fiat-Shamir heuristic [29] converts public-coin interactive proofs of knowledge into non-interactive ones. The following shows how the two work together.
The protocol is defined over a cyclic group $G_q$ of order q with generator g.
The prover wants to prove knowledge of x such that $y = g^x$ in $G_q$.
1. Prover: choose $r \in_R Z_q$, compute $t = g^r$, $c = H(g, y, t)$ and $s = r + c \cdot x$. Send (s, c, t).
2. Verifier: compute $v_0 = g^s$ and $v_1 = t \cdot y^c$. Output Accept if $v_0 = v_1$, Reject if $v_0 \neq v_1$.
* H: hash function.
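Added example (not code from the thesis or the cited papers) covering both the 1-of-2 OT of Section 2.3 and the Schnorr proof with Fiat-Shamir of this section, in Python over secp256k1, which is assumed here as the prime-order group $G_q$; H is SHA-256 and E/D are a one-time pad under 32-byte keys, both demo choices. The verifier recomputes c = H(g, y, t) itself instead of trusting the transmitted c; without that recomputation a non-interactive proof can be forged for any y.

```python
import hashlib
import secrets

# secp256k1 (the curve of Bitcoin's ECDSA), assumed here simply as a
# convenient prime-order group G_q with generator g = G.
P = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (the group's 'g^k')."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ec_sub(p1, p2):
    return ec_add(p1, (p2[0], (-p2[1]) % P))


def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def kdf(pt):
    """The OT's H: derive a 32-byte symmetric key from a group element."""
    return hashlib.sha256(b"ot-key" + point_bytes(pt)).digest()


def xor_crypt(key, data):
    """The OT's E and D: a one-time pad under a 32-byte key (demo only,
    so messages are limited to 32 bytes)."""
    assert len(data) <= 32
    return bytes(d ^ k for d, k in zip(data, key))


def simplest_ot(m0, m1, c):
    """1-of-2 OT of Section 2.3 with a simulated sender and receiver.
    Returns (the receiver's m_c, its attempt at opening the other package)."""
    a = 1 + secrets.randbelow(Q - 1)            # sender, step 1: A = g^a
    A = ec_mul(a, G)
    b = 1 + secrets.randbelow(Q - 1)            # receiver, step 2
    B = ec_mul(b, G) if c == 0 else ec_add(A, ec_mul(b, G))
    k_r = kdf(ec_mul(b, A))                     # k_r = H(A^b)
    k0 = kdf(ec_mul(a, B))                      # sender, step 3: H(B^a)
    k1 = kdf(ec_mul(a, ec_sub(B, A)))           # H((B/A)^a)
    e0, e1 = xor_crypt(k0, m0), xor_crypt(k1, m1)
    chosen = xor_crypt(k_r, e1 if c else e0)    # receiver, step 4
    other = xor_crypt(k_r, e0 if c else e1)     # yields only garbage
    return chosen, other


def fs_challenge(y, t):
    """Fiat-Shamir challenge c = H(g, y, t), reduced into Z_q."""
    h = hashlib.sha256(point_bytes(G) + point_bytes(y) + point_bytes(t)).digest()
    return int.from_bytes(h, "big") % Q


def schnorr_prove(x):
    """Prover of Section 2.5: y = g^x, t = g^r, c = H(g, y, t), s = r + c*x."""
    y = ec_mul(x, G)
    r = 1 + secrets.randbelow(Q - 1)
    t = ec_mul(r, G)
    c = fs_challenge(y, t)
    return y, ((r + c * x) % Q, c, t)


def schnorr_verify(y, proof):
    """Verifier: recompute c from (g, y, t) instead of trusting the sent
    value, then check v0 = g^s against v1 = t * y^c."""
    s, c, t = proof
    if c != fs_challenge(y, t):
        return False
    return ec_mul(s, G) == ec_add(t, ec_mul(c, y))
```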
Chapter 3. Standardization, Applications and Challenges of Threshold Cryptography
3.1 Standardization and recommendations of threshold cryptography
With the advancing development of threshold cryptography, studies on it have become increasingly prominent. Acting as one of the leading institutions in cryptography, it is natural for the National Institute of Standards and Technology (NIST) to establish guidelines and recommendations. NIST demonstrated its determination to standardize threshold encryption schemes in the 2019 report by Brandão et al. [8], which also describes the benefits of standardized threshold encryption schemes.
Developing cryptographic primitives with a well-characterized threshold scheme provides significant security advantages, which motivates broad involvement in threshold schemes for the NIST-approved encryption primitives.
However, concerns remain in terms of application and flexibility. For instance, under what conditions should the guidelines be adopted as the standard for selecting threshold encryption schemes? What parameters and functional flexibility can the threshold encryption scheme standard tolerate? Should additional standardization and validation be set up independently for some basic primitives? These issues are not directly resolved in the 2019 report. Instead, the report invites interested parties to solve these problems and develop an objective basis at the user end. Meanwhile, the report also addresses a variety of representative issues that need to be considered, namely security certification and assessment, operational efficiency and implementation applicability. Nevertheless, the report also presents promising applications related to the standardization of threshold encryption schemes, so the process of solving these issues may bring a significant leap forward in the security of cryptographic primitives. Prior to the establishment of a standard, various concerns remain; several of them are listed in NIST Internal Report (NISTIR) 8214 [8] and are discussed in Section 3.2.
3.2 Challenges and issues in standardization of threshold cryptography
Question 1: Are the designated criteria able to properly describe the characteristics of the threshold scheme?
When it comes to this issue, one should first define the threshold scheme clearly, even under circumstances where representations such as f-out-of-n threshold are not unified.
In addition, although threshold cryptography is not considered a state-of-the-art technology, it should be acknowledged that it differs considerably from other cryptographic primitives. Besides ensuring that the cryptography exhibits the desired threshold characteristics, one should also take security and efficiency into consideration.
Question 2: What is the efficiency and performance of the operation as a function of the threshold parameter?
Similar to the approaches to defining the optimal value (i.e., k) for threshold cryptography on cloud computing addressed in the NIST report, one should first consider the uses of the security properties, including confidentiality, integrity and availability, and then discuss the tradeoff between the security property and operational efficiency.
Question 3: Can the complexity of implementation possibly lead to new errors or misconfigurations?
Although threshold cryptography has the potential to tolerate a range of side-channel attacks, such as differential power analysis (DPA) and differential fault analysis (DFA), its novelty may lead to unfamiliar challenges. After the standard guidelines and recommendations have been proposed, new attacks may occur, or new errors may appear, due to the complexity of the actual operation.
Question 4: Is the security verification reliable?
Despite the fact that the security verification of threshold cryptography was carefully implemented, it still takes time for a new cryptosystem to consolidate its reliability and trustworthiness.
A threshold cryptography scheme adopting the NIST standards is considered a brand-new cryptosystem, for which complete and rigorous proof is still desired to justify its security assessment.
Question 5: How does its reliability compare to that of traditional implementations?
The reliability of traditional implementations is well understood and recognized. In a new system, however, reliability may be easily affected, and only a moderate to low number of corrupted nodes may be tolerated.
Question 6: Is the scheme applicable to NIST-approved cryptographic primitives?
According to Federal Information Processing Standards Publication 186-4 (FIPS 186-4) [30], three NIST-approved digital signature algorithms have been specified: the digital signature algorithm (DSA), the algorithm developed by Rivest, Shamir and Adleman (RSA) [31] and the elliptic curve digital signature algorithm (ECDSA). Therefore, when new standards are to be established, these digital signature algorithms should be aligned with the current modernization process and incorporate the structure of the testing methodology derived from the NIST cryptographic validation programs. This approach may greatly save time and effort in updating resources.
In addition to the challenges described above, there are still many issues to be considered.
Overall, NIST expects to drive an open and transparent process towards the standardization of threshold schemes for cryptographic primitives. During the course of publishing official guidelines, the institute promised to consult the cryptography research community as well as stakeholders in government and industry to deliver sophisticated outcomes fulfilling the needs of all parties.
3.3 Security of threshold cryptography
3.3.1 Threshold values
Overall, the total number n of components, or the 'thresholds', can be expressed in two ways: a minimum required number k of sound (i.e., undamaged) components, and a maximum allowable number f of faulty components. It is worth noting that f + k does not necessarily equal n.
3.3.2 Concerning tradeoff among security properties
Whether threshold cryptography is more secure than traditional cryptography remains an open question. Analyzing various security properties on case studies shows that, while threshold cryptography may strengthen certain aspects of security, it can also introduce additional weaknesses. The tradeoffs among the various security properties should therefore be considered when applying threshold cryptography.
Under such circumstances, the use of threshold cryptography should be carefully evaluated in real-world scenarios. The following discusses the tradeoff among security features in terms of the three properties of information security: confidentiality, integrity and availability (CIA). The threshold values corresponding to each CIA property are discussed afterwards.
3.3.3 Confidentiality, integrity and availability
Confidentiality, integrity and availability, or CIA, form the security triad of information security. Any incident or behavior that violates one side of the triad reduces the protection strength of the security mechanism and threatens the organization's important assets or confidential information. CIA is therefore the core criterion for judging information security.
Every employee of an entity can identify the events or behaviors requiring regulation and management based on the CIA principles.
Confidentiality serves to keep information confidential: confidential information must not be disclosed to unauthorized entities, whether a person, a group or a system. In general, the value of f derived for a threshold scheme indicates whether the confidentiality property is satisfied.
Integrity, on the other hand, serves to maintain the veracity, consistency and completeness of information: any modification of confidential information must be authorized and not tampered with.
Availability, finally, serves to keep work activities running smoothly: an authorized entity can obtain or use the information 'opportunely' and 'without interruption.'
3.3.4 Defining $f_x$
The threshold value $f_x$ denotes the maximum number of misbehaving members that can be tolerated while property x is maintained.
Example 1. Threshold signature protocol
Consider any n-out-of-n threshold signing protocol. By definition, whenever a signature is to be completed, all n members must work together; with only n-1 members, the signature fails. If one wishes to maintain confidentiality (taking the adversaries' ability to complete the signature as the criterion), the system maintains it by failing the signature as long as one member follows the specification. Thus $f_c = n - 1$. Concerning integrity, if even one member deliberately does not use the original components in the calculation, the signature is tampered with and is identified immediately by the verifier. Hence $f_i = 0$. Finally, concerning availability, the signature cannot be completed as soon as one member refuses to perform the calculation. Therefore $f_a = 0$.
According to this example, the protocol achieves an optimal threshold for confidentiality ($f_c = n - 1$) while yielding a pessimal threshold for availability and integrity ($f_a = 0$ and $f_i = 0$).
Example 2. Threshold random number generator
A threshold random number generator is an approach to outputting uniformly random bit strings. The output can be produced from three different random number generators, with S defined as the XOR of the three generator bit streams $S_i$ (i = 1, 2, 3). Here integrity, i, means whether S is truly random, whereas availability, a, means whether S can be generated at all. S is genuinely random if at least one of the $S_i$ is random and independent of the other $S_i$; hence, under the independence assumption, $f_i = 2$. Meanwhile, since S is undefined when one of the $S_i$ is missing, $f_a = 0$.
To summarize the two examples, under similar scenarios the threshold value changes when the security property under consideration changes. For applications, it is necessary to analyze and identify the properties required in order to meet the needs. This challenge is practical and unavoidable when establishing new threshold standards.
3.4 Applications of threshold cryptography
3.4.1 Threshold Oblivious Pseudo-Random Functions (TOPRFs)
Procedure 1. Pseudo-Random Functions (PRFs) [32, 33]
Definition 1: A function $F : \{0,1\}^n \to \{0,1\}^n$ is a random function if it is constructed as follows: for each $x \in \{0,1\}^n$ pick a random $y \in \{0,1\}^n$ and let F(x) = y.
Definition 2: $F = \{ f_s : \{0,1\}^{|s|} \to \{0,1\}^n \mid s \in \{0,1\}^* \}$ is a family of PRFs if:
• [Easy to compute] given $s \in \{0,1\}^n$ and $x \in \{0,1\}^n$, one can efficiently compute $f_s(x)$.
• [Pseudo-randomness] for all non-uniform PPT "oracle machines" D, there exists a negligible function ε(k) such that
$\left| \Pr[s \leftarrow \{0,1\}^k : D^{f_s}(1^k) = 1] - \Pr[F \leftarrow RF_k : D^{F}(1^k) = 1] \right| \le \varepsilon(k)$. □
In short, the purpose of a PRF is to make it hard to distinguish the PRF from a truly random function: the PRF simulates a genuine random function so that the two are indistinguishable. An illustration is shown in Figure 1.
Figure 1
Procedure 2. Oblivious PRFs (OPRFs) [34]
In an oblivious pseudo-random function, information is concealed from both parties (server and user) involved in the PRF evaluation. The server holds the key k of the PRF and provides the PRF as a service, but learns nothing (neither the input nor the output) in the course of the service. The user obtains the output after submitting the input and interacting with the server, and likewise learns nothing about the function beyond the output. An illustration is shown in Figure 2.
Figure 2
The extensive uses of OPRFs have been addressed in two studies by Stanisław Jarecki et al. [35, 36]. Both discuss a variety of applications, including private information retrieval (PIR), password protected secret sharing (PPSS), searchable encryption, file de-duplication, etc. OPRFs can also serve as the basis of PIR and oblivious transfer (OT).
Procedure 3. Diffie-Hellman based Oblivious Pseudo-Random Functions (DH-OPRFs)
Among the various OPRFs, there is a particularly common type called DH-OPRF. As its name suggests, it is an OPRF based on the Diffie-Hellman assumption [28]. The implementation is as follows.
Inputs: the User holds x; the Server holds $F_k$ (the key k). Outputs: the User obtains $F_k(x)$; the Server obtains nothing.
1. User: choose $r \in_R Z_q$ and compute $a = (H'(x))^r$. User → Server: a.
2. Server: compute $b = a^k$. Server → User: b.
3. User: compute $F_k(x) = H(x, b^{1/r})$.
Procedure 4. Threshold Oblivious PRFs (TO-PRFs) [36]
Considering that a user may interact with multiple servers, threshold oblivious PRFs, or TO-PRFs, were developed subsequently. In a TO-PRF, the key k of the PRF is held jointly by the servers, combined under a t-out-of-n threshold realized with Shamir secret sharing. First, the user sends the same a as in the DH-OPRF to t servers, which the user selects from the set [n]. Each server uses its $k_i$ to compute $b_i$ and sends it to the user. The user then applies Shamir secret sharing [1] to reassemble these $b_i$ into the real output.
As with the OPRF, the user obtains the output at the end of the whole process, while the servers learn nothing about the input or the output. In addition, in a TOPRF no server learns the complete k as long as the corrupt servers do not exceed t.
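Added example (not code from the thesis or from Jarecki et al.): a Python run of the DH-OPRF of Procedure 3 and the TO-PRF of Procedure 4, with k shared by Shamir secret sharing over $Z_q$ and the $b_i$ combined in the exponent with Lagrange coefficients (a single server holding the whole k is the one-server case of the same function). The Schnorr-group parameters are generated at a demo size, H' is a simple hash-then-exponentiate construction and the passwords are constructed inputs; all of these are assumptions of the demo.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; only used to build the demo group parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits=160):
    """Schnorr group (p, q, g): prime q, prime p = 2kq + 1, g of order q.
    qbits is a DEMO size, not a security recommendation."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    k = 1
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    p, h = 2 * k * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def hash_to_group(x, grp):
    """H'(x): hash x into the order-q subgroup (simple demo construction)."""
    p, q, _ = grp
    for ctr in range(256):
        h = hashlib.sha256(b"H'" + x + bytes([ctr])).digest()
        e = pow(int.from_bytes(h, "big") % p, (p - 1) // q, p)
        if e != 1:
            return e
    raise ValueError("hash_to_group failed")


def shamir_share(secret, t, n, q):
    """(t, n) Shamir sharing over Z_q: share i is f(i) for a random
    polynomial f of degree t-1 with f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q)
            for i in range(1, n + 1)]


def lagrange_at_zero(ids, q):
    """lambda_i such that sum(lambda_i * f(i)) = f(0) over the given ids."""
    lams = {}
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * (-j) % q, den * (i - j) % q
        lams[i] = num * pow(den, -1, q) % q
    return lams


def user_blind(x, grp):
    """Procedure 3, step 1: a = H'(x)^r for a fresh random r."""
    p, q, _ = grp
    r = 1 + secrets.randbelow(q - 1)
    return r, pow(hash_to_group(x, grp), r, p)


def server_eval(a, k_i, grp):
    """Step 2, run by a server on its key (share): b_i = a^{k_i}."""
    return pow(a, k_i, grp[0])


def user_finish(x, r, b, grp):
    """Step 3: F_k(x) = H(x, b^{1/r})."""
    p, q, _ = grp
    u = pow(b, pow(r, -1, q), p)
    return hashlib.sha256(x + u.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()


def toprf(x, contacted, grp):
    """Procedure 4: the same a goes to t servers given as (id, k_i); their
    b_i are combined as prod b_i^{lambda_i} = a^{sum lambda_i k_i} = a^k.
    With a single server (id, k) this is exactly the DH-OPRF of Procedure 3."""
    p, q, _ = grp
    r, a = user_blind(x, grp)
    parts = {i: server_eval(a, k_i, grp) for i, k_i in contacted}
    lams = lagrange_at_zero(list(parts), q)
    b = 1
    for i, b_i in parts.items():
        b = b * pow(b_i, lams[i], p) % p
    return user_finish(x, r, b, grp)
```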
3.4.2 Threshold Oblivious Password Protected Secret Sharing (TOPPSS)
Procedure 1. Password Protected Secret Sharing (PPSS) [37, 38]
Password protected secret sharing is a protocol that allows a user to share his or her data secretly among n trustees. Imagine that Alice wants to trade Bitcoin and stores her private key on a server because the key is too long to remember. Whenever a trade is needed, she retrieves the private key by entering the correct password. This approach has an underlying downside, however: the password stored at the server's end is a single point of failure. To recover the private key clandestinely, all an attacker has to do is break into the server and run an offline dictionary attack against the user's password. One way to cope with this flaw is to store the secret on multiple servers that share the private key, so that an attacker would need to break into several servers to fetch it. There is, however, another critical issue to manage on this route: using a separate password for each server is cumbersome, while using one unified password is not desirable either, because it is vulnerable to attacks.
Fortunately, PPSS solves the issues above. A PPSS scheme allows users to share a secret among n servers (with threshold t) while only a single password needs to be memorized for authentication. Even if the attacker compromises t or fewer servers, he or she still obtains no information about the private key.
Procedure 2. TOPPSS: PPSS via threshold OPRF [40]
In a scheme where each server independently holds a random key $k_i$ for an OPRF f, the secret is processed with a (t, n) secret sharing scheme at initialization. Each share is stored at one of the n servers; server $S_i$ stores the i-th share encrypted under $f_{k_i}(\text{password})$.
During reconstruction, the user receives the encrypted shares from t + 1 servers and decrypts them using the $f_{k_i}(\text{password})$ values obtained by running the OPRF with each server.
Chapter 4. Applications of threshold signature
4.1 Multi signature vs. Threshold signature
When using virtual currency, such as Bitcoin, one will obtain a private key that can be considered as a bank account, and uses it to execute the signature and make a transaction. However, there may be underlying problems when using such approach. For instance, a user fails to get the access to the account of the private key is lost or stolen. In order to deal with this issues, multi signature is proposed as the solution40, 41. In a nutshell, multi signature requires more than one key to execute the signature, and 2-of-2, 2-of-3 or 3-of-3 are commonly seen. Surely the use of t-of-n can also be applied.
2-of-2 can be applied to a joint account such as a husband and wife. Any transaction must be permitted by both husband and wife to be performed. The 2-of-3 scene can be a person with three keys. One of the keys is carried with an individual, another key is hidden in a safe and offline place (such as a safe), and the other one is handed over to the company that provides the service. When the individual performs a transaction, he or she uses both his or her own key and the key kept by the company to sign it. If the key is lost, one can retrieve the key hidden in the safe and the trading activities will not be impeded. This mechanism can also prevent the company from hacking the individual’s assets because there is only one key available.
Multisig also has drawbacks. First, privacy is weak: each required signer's individual signature, and hence public key, appears in the transaction every time, exposing the signing policy and the participants. Second, efficiency suffers: a 2-of-3 multisig transaction must carry two signatures, and the verifier must check both every time. Third, there is a lack of flexibility. If an asset owner is not
new private keys will be generated and all the assets will need to be transferred to the new account.
Threshold signatures [42-45] are therefore regarded as the ideal way to solve these problems. A threshold signature scheme does not generate a new private key; instead it distributes shares of the existing key to n users.
When any t of these users run the threshold signing algorithm, the output is a signature under the original private key (more precisely, one that is indistinguishable from a signature produced with that key).
Threshold signatures have several advantages. First, privacy: no key shares are revealed during signing, the output is an ordinary single signature, and an outsider cannot tell which participants took part. Second, cost: each transaction carries exactly one signature, so transmitting and verifying it costs no more than for a single-key account, whereas a multisig transaction carries several. Third, flexibility: a user who is unhappy with the current t-of-n policy and wants to switch to a-of-b only repeats the setup (resharing) step; the private key, and hence the account, stays the same.
Despite these benefits, threshold signatures also have disadvantages. First, the signers must be online at the same time, because the threshold signing algorithm is interactive. Multisig signers, by contrast, can publish their signatures in advance and go offline; when the remaining signers come online they simply attach their own signatures to those already collected.
The same property is, however, also a weakness of multisig: a signature once released cannot be withdrawn, so the last party to sign holds a slight advantage over the others. Second, with current techniques the efficiency of threshold signing is still unsatisfactory, and only a handful of practical deployments exist so far.
4.2 Threshold ECDSA
ECDSA is one of the most widely used digital signature algorithms worldwide; mainstream cryptocurrencies including Bitcoin and Ethereum rely on it. Research on threshold ECDSA has therefore grown, and the threshold signatures discussed in the rest of this chapter are threshold ECDSA. Most threshold ECDSA constructions to date are built on the Paillier cryptosystem [11], invented by Pascal Paillier in 1999 and based on the decisional composite residuosity assumption. Paillier encryption is additively homomorphic, which is exactly what threshold ECDSA exploits. The cryptosystem is, however, computationally expensive, so practical deployments are rare. In 2018 Doerner et al. [14] proposed a threshold ECDSA protocol based on oblivious transfer (OT) instead; its main result is better efficiency than the Paillier-based schemes without any additional assumptions.
4.3 Securing Bitcoin wallets via a new DSA/ECDSA threshold signature scheme.
Gennaro et al. designed a threshold ECDSA scheme based on the Paillier cryptosystem [13] and claim it to be the first threshold signature scheme compatible with Bitcoin's ECDSA signatures; a DSA version is given as well. This section presents the ECDSA version and analyses the efficiency of Gennaro's algorithm. (The scheme is called the R algorithm below for convenience.)
4.3.1 R Gennaro’s algorithm
Notation: M, message; C, compute; S, send; H and H', hash functions; E, Paillier encryption; D, Paillier decryption; +_E, homomorphic addition of two Paillier ciphertexts; ×_E, homomorphic multiplication of a Paillier ciphertext by a known scalar; G_E, the Paillier ciphertext space; ∈_R, chosen uniformly at random.

Setup. Participant P_i chooses x_i ∈_R Z_q. Secret key x = ∏_i x_i mod q; public key y = x · G in G.

Round 1 (P_1). Choose k_1 ∈_R Z_q.
  C: z_1 = k_1^{-1} mod q, a_1 = E(z_1), b_1 = E(x_1 z_1 mod q); set a_1* = b_1* = ⊥.
  S: M, a_1, b_1, a_1*, b_1* to P_2.

Rounds 2 to t−1 (at round i, participant P_i). Abort if any input ∉ G_E. Choose k_i ∈_R Z_q.
  C: z_i = k_i^{-1} mod q, a_i = z_i ×_E a_{i−1}, b_i = (x_i z_i mod q) ×_E b_{i−1}, a_i* = E(z_i), b_i* = E(x_i z_i mod q).
  S: M, a_1, …, a_i, b_1, …, b_i, a_1*, …, a_i*, b_1*, …, b_i* to P_{i+1}.

Round t (P_t). Abort if any input ∉ G_E. Choose k_t ∈_R Z_q.
  C: z_t = k_t^{-1} mod q, R_t = k_t G in G.
  S: R_t to P_{t−1}.

Rounds t+1 to 2t−2 (at round t+i, participant P_{t−i}).
  C: R_{t−i} = k_{t−i} R_{t−i+1} in G.
  S: R_t, …, R_{t−i} to P_{t−i−1}.

Round 2t−1 (P_1).
  C: R_1 = k_1 R_2 in G; ZK proof Π_1.
  S: R_1, Π_1 to P_2.

Rounds 2t to 3t−3 (at round 2t+i−2, participant P_i).
  C: ZK proof Π_i.
  S: R_1, …, R_i, Π_1, …, Π_i to P_{i+1}.

Round 3t−2 (P_t). Choose c ∈_R Z_q.
  C: m = H(M); r = H'(R_1) ∈ Z_q; u* = E(z_t);
     u = [(m z_t mod q) ×_E a_{t−1}] +_E [(r x_t z_t mod q) ×_E b_{t−1}] +_E E(cq)
     (the term E(cq) masks the integer value of D(u), so that decryption reveals only D(u) mod q);
     ZK proof Π_t.
  S: u, u*, Π_1, …, Π_t to all other participants.

Final. Let s = D(u) mod q. The participants output (r, s) as the signature on M.

The ZK proof Π_i states that there exist η_1, η_2 ∈ [−q^3, q^3] such that
  η_1 R_i = R_{i+1} and (η_2 / η_1) G = y_i  (where y_i = x_i G is P_i's public share),
  D(a_i) = η_1 D(a_{i−1}) and D(b_i) = η_2 D(b_{i−1}),
  D(a_i*) = η_1 and D(b_i*) = η_2.
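The Paillier side of the protocol, specialised to t = 2, as an added example (not code from Gennaro et al. or from this thesis). It reproduces the a_1, b_1 and u computations of the table and checks the resulting s against the ECDSA relation s·k ≡ m + r·x (mod q), which is what a verifier effectively tests. Everything else is an assumption of the example: the curve steps are left out, so r (normally H'(R_1) with R_1 = k_1 k_2 G) is an arbitrary Z_q value; the proofs Π_i are omitted (honest parties only); a single Paillier key decrypts u, whereas the paper shares that key so that no single party can decrypt; and the Paillier primes are the Mersenne primes 2^521 − 1 and 2^607 − 1, a toy choice that still satisfies N > 3q² so that the integer D(u) never wraps modulo N.

```python
"""Paillier arithmetic of R Gennaro's protocol for t = 2, following the table above.

Added example; not code from the paper or the thesis.  It reproduces the
a_i, b_i and u computations and checks the resulting s against the ECDSA
relation s*k = m + r*x (mod q), which is what a verifier effectively tests.
Simplifications, all assumptions of this block:
  * q is the secp256k1 group order, but no curve arithmetic is done, so r
    (normally H'(R_1) for R_1 = k_1 k_2 G) is an arbitrary Z_q value here.
  * The zero-knowledge proofs Pi_i are omitted (honest parties only).
  * One party holds the full Paillier key and decrypts u; the paper shares
    that key so no single party can decrypt on its own.
  * Paillier primes are the Mersenne primes 2^521-1 and 2^607-1: a toy
    choice that still gives N > 3q^2, so D(u) never wraps modulo N.
"""
import hashlib
import math
import secrets

q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


class Paillier:
    """Textbook Paillier with generator g = N + 1."""

    def __init__(self, p1: int, p2: int):
        self.N = p1 * p2
        self.N2 = self.N * self.N
        self.lam = math.lcm(p1 - 1, p2 - 1)
        self.mu = pow(self.lam, -1, self.N)

    def enc(self, m: int) -> int:
        r = secrets.randbelow(self.N - 1) + 1
        return (1 + m * self.N) * pow(r, self.N, self.N2) % self.N2

    def dec(self, c: int) -> int:
        L = (pow(c, self.lam, self.N2) - 1) // self.N
        return L * self.mu % self.N

    def add(self, c1: int, c2: int) -> int:
        """+_E : D(c1 +_E c2) = D(c1) + D(c2)."""
        return c1 * c2 % self.N2

    def smul(self, k: int, c: int) -> int:
        """x_E : D(k x_E c) = k * D(c)."""
        return pow(c, k, self.N2)


def sign_2of2(pk: Paillier, M: bytes, x1: int, x2: int, k1: int, k2: int, r: int):
    """Rounds of the table with P_1 and P_2 = P_t.  Returns (s, m)."""
    # Round 1 (P_1): z_1 = k_1^-1, a_1 = E(z_1), b_1 = E(x_1 z_1).
    z1 = pow(k1, -1, q)
    a1, b1 = pk.enc(z1), pk.enc(x1 * z1 % q)
    # Round 2 (P_2 picks k_2; R_2 = k_2 G, R_1 = k_1 R_2 and r = H'(R_1) are
    # curve steps left out here) and round 3t-2 = 4 (P_2 computes u):
    z2 = pow(k2, -1, q)
    m = int.from_bytes(hashlib.sha256(M).digest(), "big") % q
    c = secrets.randbelow(q)     # E(cq) hides the integer D(u); only D(u) mod q matters
    u = pk.add(pk.add(pk.smul(m * z2 % q, a1), pk.smul(r * x2 * z2 % q, b1)),
               pk.enc(c * q))
    # Final: s = D(u) mod q.  D(u) = (m z_2)(z_1) + (r x_2 z_2)(x_1 z_1) + cq < 3q^2 < N.
    return pk.dec(u) % q, m


def ecdsa_relation_holds(s, m, r, x1, x2, k1, k2) -> bool:
    """x = x_1 x_2 and k = k_1 k_2 (mod q); a verifier accepts iff s k = m + r x."""
    x, k = x1 * x2 % q, k1 * k2 % q
    return s * k % q == (m + r * x) % q


def demo() -> bool:
    pk = Paillier((1 << 521) - 1, (1 << 607) - 1)            # toy primes, see docstring
    x1, x2, k1, k2, r = (secrets.randbelow(q - 1) + 1 for _ in range(5))
    s, m = sign_2of2(pk, b"transfer 1 BTC", x1, x2, k1, k2, r)   # constructed message
    return ecdsa_relation_holds(s, m, r, x1, x2, k1, k2)
```

The size condition is the point to watch in any Paillier-based threshold ECDSA: the plaintext inside u is an integer of roughly 2 log q + 1 bits, and the homomorphic operations only work if it stays below N. The cq mask is what keeps the decrypting party from learning the unreduced products, which would leak information about the other party's shares.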
4.3.2 Efficiency analysis
Analysis 1. Hardness assumption
Because the algorithm is built on the Paillier cryptosystem, it inherits Paillier's hardness assumption, namely that computing N-th residue classes modulo N² is computationally hard. There is currently no proof that this assumption is at least as hard as the discrete-logarithm assumption underlying ECDSA, so the R algorithm rests on strictly more assumptions than ECDSA and may, in theory, be less secure.
Analysis 2. Number of rounds
According to the paper, the R algorithm needs 3t − 2 rounds for a t-of-t signature. Observe, however, that the messages sent in rounds 1 to t − 1 and those sent in rounds t to 2t − 2 do not depend on each other. The scheme is nonetheless sequential because the zero-knowledge proofs of the later rounds rely on the values committed in the first t − 1 rounds. With additional techniques and restrictions the dependency could perhaps be broken at this point, reducing the round count to 2t − 1. Indeed, Gennaro et al. published "Threshold-optimal DSA/ECDSA signatures and an application to Bitcoin wallet security" in 2016 [46]; that algorithm needs only 6 rounds.
Analysis 3. Zero-Knowledge proof
The R algorithm uses zero-knowledge proofs at many points to confirm that participants behaved honestly, so their cost is considerable: each proof requires computing 20 values, most of them O(n³) modular exponentiations (n the bit length of N) or elliptic-curve scalar multiplications. All 20 values have to be transmitted, and many of them are N or N² bits long. The verifier has to check 10 equations, involving 6 O(n³) exponentiations, 3 elliptic-curve scalar multiplications and 1 hash evaluation. Moreover, for security every participant must verify every other participant's proof. Overall, the zero-knowledge proofs consume a large share of the R algorithm's computing resources.
Analysis 4. Send messages
At many points in the R algorithm a participant must forward the messages it has just received to the next participant, so the total number of messages transmitted is large (23t² − 21t − 2), most of them N or N² bits long. Notably, P_t could in principle complete the signature alone at the end of the protocol, but Gennaro et al. have P_t send u, u* and all the zero-knowledge proofs to every participant. Although each participant already holds part of this information, this final step alone costs 10t(t − 1) messages.
Analysis 5. The amount of calculation
Because the algorithm is built on the Paillier cryptosystem, operations of the form g^a x^b mod N² appear throughout. Such an operation costs O(n³), about 4.68 RSA*. In addition, every participant must verify every other participant's zero-knowledge proof, which adds a great deal of work. The operations required of the different participants in a t-of-t threshold ECDSA are as follows:

          P_1     P_2 … P_{t−1}     P_t     average
  RSA     50      66                58      66 − 24/t
  (×)     5       5                 5       5
  (+)     1       1                 1       1
  Hash    0       0                 2       1

RSA: one RSA encryption. (×): one scalar multiplication of an elliptic-curve point. (+): one elliptic-curve point addition. Hash: one hash evaluation.

* Definition: 1 RSA is the amount of computation of one RSA encryption, i.e. of one modular exponentiation g^a mod N.
4.68 RSA: suppose a and b have the same bit length n, and write a_i for the i-th bit of a. Computing g^a x^b by simultaneous square-and-multiply needs the same number of squarings as a single exponentiation, but a multiplication is needed whenever (a_i, b_i) is (1,1), (1,0) or (0,1), i.e. in three of the four cases, so about 0.75n multiplications instead of 0.5n. That is 1.75n operations against 1.5n, so g^a x^b mod N costs about 1.17 RSA. The operation here is taken modulo N², whose operands are twice as long, so each multiplication is about four times as expensive, giving about 4.68 RSA in total.
Analysis 6. t-of-n threshold
For t-of-n the R algorithm simply runs the t-of-t version once for each of the C(n, t) possible subsets of signers; a dedicated t-of-n construction was not developed in the paper. Even for the t-of-t case, Gennaro et al. state that the protocol is only suitable when t is not too large. Fortunately, statistics on Bitcoin transactions show that the most common multisig policies are 2-of-2, 2-of-3 and 3-of-3.
4.4 Threshold ECDSA from ECDSA Assumptions
The study by Doerner et al. in 2018 [14, 15] showed that 2-of-2 and 2-of-n threshold ECDSA can be achieved under the ECDSA assumptions alone, and their 2019 follow-up extended this to t-of-n. The core of all these variants is the 2-of-2 protocol, in which OT-based multiplication-to-addition is used to combine the two parties' contributions into one signature. The 2-of-n version adds a Lagrange-interpolation setup before signing: once any two participants are selected, they convert their shares and run the 2-of-2 protocol unchanged. Likewise the t-of-n version is built on t-of-t, whose main idea is to multiply the t participants' values by running the 2-of-2 F_mul repeatedly in a suitable combination. The following presents the 2-of-2 signing protocol and the t-of-t F_mul combination. (The scheme is called the D algorithm below for convenience.)
4.4.1 Doerner’s algorithm
Setup gives Alice and Bob multiplicative key shares sk_A and sk_B with pk = sk_A · sk_B · G; below sk = sk_A sk_B and k = k_A k_B.

1. Bob: choose instance key k_B ∈_R Z_q; C: D_B = k_B · G; S: D_B to Alice.
   Alice: choose instance key seed k_A' ∈_R Z_q.
2. Alice: C: R' = k_A' · D_B, k_A = H(R') + k_A', R = k_A · D_B; S: R' to Bob.
3-1. F_mul (first call). Alice chooses a pad φ ∈_R Z_q.
   Alice input: φ + 1/k_A; Bob input: 1/k_B. Alice receives t_A1, Bob receives t_B1, with t_A1 + t_B1 = (φ + 1/k_A)/k_B.
3-2. F_mul (second call). Alice input: sk_A/k_A; Bob input: sk_B/k_B. Alice receives t_A2, Bob receives t_B2, with t_A2 + t_B2 = sk/k.
4. Bob: C: R = H(R') · D_B + R'. Both Alice and Bob set (r_x, r_y) = R.
5. F_ZK^RDL. Alice submits (prove, k_A, D_B); Bob submits (prove, R, D_B). Bob receives a bit indicating whether the proof that Alice knows k_A with R = k_A · D_B was sound. If it was not, he aborts.
6. Alice and Bob: C: m' = H(m).
7. Alice: C: Γ_1 = G + φ · k_A · G − t_A1 · R, η_φ = H(Γ_1) + φ,
   sig_A = m' · t_A1 + r_x · t_A2, Γ_2 = t_A1 · pk − t_A2 · G, η_sig = H(Γ_2) + sig_A.
   S: η_φ and η_sig to Bob.
8. Bob: C: Γ_1 = t_B1 · R, φ = η_φ − H(Γ_1), θ = t_B1 − φ/k_B,
   sig_B = m' · θ + r_x · t_B2, Γ_2 = t_B2 · G − θ · pk, sig = sig_B + η_sig − H(Γ_2).
Final. Bob uses the public key pk to verify that σ = (sig, r_x) is a valid signature on the message m.
If the verification fails, Bob aborts. If it succeeds, he outputs σ.
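The 2-of-2 protocol above, run end to end over secp256k1, as an added example (not code from Doerner et al. or from this thesis). The two sub-protocols are idealised, which is the example's main assumption: F_mul is a trusted routine that hands back random additive shares of a·b mod q (the paper realises it with OT, and the consistency values Γ_1, Γ_2 exist precisely to catch a party that cheats inside it), and F_ZK^RDL is a Schnorr proof of knowledge of k_A with R = k_A · D_B made non-interactive with Fiat–Shamir. The function and variable names are the example's own.

```python
"""Doerner et al.'s 2-of-2 signing, following the steps above, with idealised
sub-protocols.  Added example; not code from the paper or the thesis.
Assumptions: F_mul is a trusted routine returning random additive shares of
a*b mod q (the paper uses OT); F_ZK^RDL is a Schnorr/Fiat-Shamir proof of
knowledge of k_A with R = k_A * D_B; setup gave pk = sk_A * sk_B * G; the
curve is secp256k1 in affine pure-Python arithmetic (slow, dependency-free).
"""
import hashlib
import secrets

p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return x, (lam * (A[0] - x) - A[1]) % p

def ec_mul(k, A):
    """Double-and-add scalar multiplication (k taken mod q)."""
    R = None
    for bit in bin(k % q)[2:]:
        R = ec_add(R, R)
        if bit == "1": R = ec_add(R, A)
    return R

def ec_sub(A, B):
    return ec_add(A, None if B is None else (B[0], -B[1] % p))

def H(*parts) -> int:
    """All hashes H(.) of the protocol: SHA-256 of the encoded inputs, into Z_q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else repr(part).encode())
    return int.from_bytes(h.digest(), "big") % q

def f_mul(a, b):
    """Ideal F_mul: (t_A, t_B) uniformly random subject to t_A + t_B = a*b mod q."""
    t_a = secrets.randbelow(q)
    return t_a, (a * b - t_a) % q

def zk_rdl_prove(k_a, D_B, R):
    """Alice: Schnorr/Fiat-Shamir proof of knowledge of k_A with R = k_A * D_B."""
    w = secrets.randbelow(q - 1) + 1
    T = ec_mul(w, D_B)
    return T, (w + H(D_B, R, T) * k_a) % q

def zk_rdl_verify(D_B, R, proof) -> bool:
    T, z = proof
    return ec_mul(z, D_B) == ec_add(T, ec_mul(H(D_B, R, T), R))

def ecdsa_verify(pk, m: bytes, sig) -> bool:
    """Plain ECDSA verification of sigma = (s, r) with message hash H(m)."""
    s, r = sig
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    X = ec_add(ec_mul(H(m) * w % q, G), ec_mul(r * w % q, pk))
    return X is not None and X[0] % q == r

def sign_2of2(sk_a, sk_b, m: bytes):
    pk = ec_mul(sk_a * sk_b % q, G)
    # 1. Bob picks k_B, sends D_B = k_B G; Alice picks the seed k_A'.
    k_b = secrets.randbelow(q - 1) + 1
    D_B = ec_mul(k_b, G)
    k_a_seed = secrets.randbelow(q - 1) + 1
    # 2. Alice: R' = k_A' D_B, k_A = H(R') + k_A', R = k_A D_B; sends R'.
    R_seed = ec_mul(k_a_seed, D_B)
    k_a = (H(R_seed) + k_a_seed) % q
    R = ec_mul(k_a, D_B)
    # 3-1 / 3-2. Two F_mul calls; the pad phi hides 1/k_A from Bob.
    phi = secrets.randbelow(q)
    t_a1, t_b1 = f_mul((phi + pow(k_a, -1, q)) % q, pow(k_b, -1, q))
    t_a2, t_b2 = f_mul(sk_a * pow(k_a, -1, q) % q, sk_b * pow(k_b, -1, q) % q)
    # 4. Bob re-derives R = H(R') D_B + R'; both take r_x.
    R_bob = ec_add(ec_mul(H(R_seed), D_B), R_seed)
    r_x = R_bob[0] % q
    # 5. F_ZK^RDL: Bob aborts unless Alice knows k_A with R = k_A D_B.
    if not zk_rdl_verify(D_B, R_bob, zk_rdl_prove(k_a, D_B, R)):
        raise ValueError("Bob aborts: proof for k_A failed")
    m1 = H(m)                                   # 6. m' = H(m)
    # 7. Alice: consistency values and her share of the signature.
    Gamma1_a = ec_sub(ec_add(G, ec_mul(phi * k_a % q, G)), ec_mul(t_a1, R))
    eta_phi = (H(Gamma1_a) + phi) % q
    sig_a = (m1 * t_a1 + r_x * t_a2) % q
    Gamma2_a = ec_sub(ec_mul(t_a1, pk), ec_mul(t_a2, G))
    eta_sig = (H(Gamma2_a) + sig_a) % q
    # 8. Bob: recover phi, then complete the signature.
    Gamma1_b = ec_mul(t_b1, R_bob)
    phi_b = (eta_phi - H(Gamma1_b)) % q
    theta = (t_b1 - phi_b * pow(k_b, -1, q)) % q
    sig_b = (m1 * theta + r_x * t_b2) % q
    Gamma2_b = ec_sub(ec_mul(t_b2, G), ec_sub(None, ec_mul(q - theta, pk)))
    sig = (sig_b + eta_sig - H(Gamma2_b)) % q
    return pk, (sig, r_x)
```

Why the checks work: t_A1 + θ = 1/k and t_A2 + t_B2 = sk/k, so sig_A + sig_B = (m' + r_x · sk)/k, the ordinary ECDSA s. Alice's Γ_1 and Bob's Γ_1 coincide exactly when the first F_mul output is consistent, and the two Γ_2 values coincide exactly when the second is; a deviation by either party makes the hashes differ, which corrupts sig and is caught by the final verification rather than silently producing a signature on a biased nonce.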
4.4.2 Efficiency analysis
Analysis 1. Difficult assumption
As stated in the paper, the D algorithm introduces no additional, less-studied assumption: the threshold mechanism is built from OT, and the OT used is itself based on the hardness of the discrete-logarithm-type problem in the same elliptic-curve group. In other words, using the D algorithm does not weaken the security of the signature relative to plain ECDSA.
Analysis 2. Number of rounds
According to the paper, the 2-of-2 and 2-of-n versions need 2 rounds.
To compare with the R algorithm, however, both must be counted with the same definition of a round: round i + 1 cannot complete before round i has completed (for all i). Under this definition the D algorithm takes 4 rounds.
Analysis 3. Zero-Knowledge proof
The zero-knowledge proof used in the D algorithm is based on the Schnorr protocol [12], a very efficient proof of knowledge of a discrete logarithm invented by Claus Schnorr in 1991, which Doerner et al. make non-interactive with the Fiat–Shamir heuristic [29]; see Section 2.5 for a brief introduction.
Using the Schnorr protocol for the zero-knowledge proof saves a lot of computation: the prover performs one exponentiation (1 RSA) and one hash, while the verifier performs about two exponentiations (2 RSA).
Analysis 4. Send messages
Most of the messages the D algorithm transmits belong to F_mul, i.e. to the OT-based multiplication-to-addition technique, which uses OT intensively.
To cut the number of messages, the authors also apply OT extension [26], which reduces a large number of OTs to κ base OTs (κ being the OT security parameter). In Gilboa's multiplication-to-addition protocol [10] the number of messages can be further reduced by moving from 2-bit to 4-bit pieces.
Analysis 5. t-of-n
Strictly speaking, Doerner et al. did not propose a new t-of-n threshold scheme in the paper.
Instead, they arrange repeated executions of the 2-of-2 version. In their arrangement t is preferably a power of 2, but the pairing pattern is not arbitrary: it is designed so that every participant is busy in every round. The number of F_mul executions is unchanged (each pair of participants runs F_mul exactly once), while the number of rounds of the t-of-n threshold drops to ⌈log_2 t⌉. The algorithm is symmetric in the participants; the schedule for participant P_1 is:
Round 1: 1 F_mul, with P_2
Round 2: 2 F_mul, with P_3, P_4
Round 3: 4 F_mul, with P_5, P_6, P_7, P_8
…
Round ⌈log_2 t⌉: 2^{⌈log_2 t⌉−1} F_mul, with P_{2^{⌈log_2 t⌉−1}+1}, …, P_t
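The combination behind this schedule, as an added example (not code from Doerner et al. or from this thesis): participants start with multiplicative shares k_1, …, k_t and end with additive shares of k_1 ⋯ k_t, merging adjacent blocks of size 2^{j−1} in round j by running F_mul between every member of one block and every member of the other. F_mul is again a trusted routine returning random additive shares of a·b mod q (an assumption; the paper realises it with OT), and the block also handles t that is not a power of 2 by carrying a lone block forward unchanged.

```python
"""The t-of-t F_mul combination behind the schedule above (added example, not code
from the paper or the thesis).  F_mul is simulated by a trusted routine giving
random additive shares of a*b mod q; the paper realises it with OT.  Participants
start with multiplicative shares k_1..k_t and end with additive shares of
k_1*...*k_t, merging blocks pairwise so that the round count is ceil(log2 t)."""
import math
import secrets

q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order


def f_mul(a: int, b: int):
    """Ideal 2-party F_mul: (t_A, t_B) random with t_A + t_B = a*b (mod q)."""
    t_a = secrets.randbelow(q)
    return t_a, (a * b - t_a) % q


def product_shares(k: list):
    """Return (additive shares, rounds used, F_mul calls, P_1's partners per round).

    Invariant: after each round the shares of a block sum to the product of that
    block's k values.  Adjacent blocks A and B are merged by running F_mul for
    every pair (a in A, b in B), since sum_a sum_b s_a s_b = (sum_a s_a)(sum_b s_b).
    """
    t = len(k)
    shares, size, rounds, calls, p1_partners = list(k), 1, 0, 0, []
    while size < t:
        nxt = [0] * t
        for start in range(0, t, 2 * size):
            lo = range(start, min(start + size, t))
            hi = range(start + size, min(start + 2 * size, t))
            if len(hi) == 0:                      # lone block: carry shares forward
                for i in lo: nxt[i] = shares[i]
                continue
            for a in lo:
                for b in hi:
                    t_a, t_b = f_mul(shares[a], shares[b])
                    nxt[a] = (nxt[a] + t_a) % q
                    nxt[b] = (nxt[b] + t_b) % q
                    calls += 1
        p1_partners.append([i + 1 for i in range(size, min(2 * size, t))])
        shares, size, rounds = nxt, size * 2, rounds + 1
    return shares, rounds, calls, p1_partners


def check(t: int) -> bool:
    """Shares sum to the product, rounds = ceil(log2 t), and each pair met once."""
    k = [secrets.randbelow(q - 1) + 1 for _ in range(t)]
    shares, rounds, calls, _ = product_shares(k)
    return (sum(shares) % q == math.prod(k) % q
            and rounds == math.ceil(math.log2(t))
            and calls == t * (t - 1) // 2)
```

The total of t(t − 1)/2 F_mul calls is the same as in a naive one-pair-per-round schedule; what the block structure buys is that all calls of a round run in parallel, so the latency is logarithmic in t while the communication is not.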
4.5 Comparisons between the two studies
Rounds (signing):
                 R           D
  2-of-2         4           4
  2-of-n         4           4
  t-of-t         3t − 2      5 + 2 log_2 t
  t-of-n         3t − 2      5 + 2 log_2 t
* The t-of-t and t-of-n cases of the two algorithms are almost the same; the main difference lies in the setup.
Communication (bits):
            R                           D
  2-of-2    343κ **                     κ(κ_OT + 16κ + 14s + 10) + 3
  2-of-n    343κ                        κ(κ_OT + 22κ + 20s + 11) + 3
  t-of-t    κ(155t² − 122t − 33)        (t(t − 1)/2)(7κ² + 12κ·s + κ·κ_OT + 28κ + 10)
  t-of-n    κ(155t² − 122t − 33)        (t(t − 1)/2)(9κ² + 18κ·s + κ·κ_OT + 30κ + 10)
* κ, κ_OT and s are all security parameters.
** According to the paper [13], the Paillier modulus must satisfy N > q^8, i.e. it has about 8κ bits.
Operation:
             R                     D
  2-of-2     (×) 10                (×) 8
             (+) 4                 (+) 2
             Hash 2                Hash 2.5κ_OT + 22κ + 17s + 9
             RSA 58.97             RSA 2
  2-of-n     (×) 10                (×) 8
             (+) 4                 (+) 2
             Hash 2                Hash 2.5κ_OT + 28κ + 23s + 9
             RSA 58.97             RSA 2