Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA

Haiyang Xue; Man Ho Au; Mengling Liu; Kwan Yin Chan; Handong Cui; Xiang Xie; Tsz Hon Yuen; Chengru Zhang

doi:10.1145/3576915.3616595

Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA

Haiyang Xue
, Man Ho Au
, Mengling Liu
, Kwan Yin Chan
, Handong Cui
, Xiang Xie
, Tsz Hon Yuen
, Chengru Zhang

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

15 Citations (Scopus)

Abstract

Threshold ECDSA receives interest lately due to its widespread adoption in blockchain applications. A common building block of all leading constructions involves a secure conversion of multiplicative shares into additive ones, which is called the multiplicative-to-additive (MtA) function. MtA dominates the overall complexity of all existing threshold ECDSA constructions. Specifically, O(n²) invocations of MtA are required in the case of n active signers. Hence, improvement of MtA leads directly to significant improvements for all state-of-the-art threshold ECDSA schemes. In this paper, we design a novel MtA by revisiting the Joye-Libert (JL) cryptosystem. Specifically, we revisit JL encryption and propose a JL-based commitment, then give efficient zero-knowledge proofs for JL cryptosystem which are the first to have standard soundness. Our new MtA offers the best time-space complexity trade-off among all existing MtA constructions. It outperforms state-of-the-art constructions from Paillier by a factor of 1.85 to 2 in bandwidth and 1.2 to 1.7 in computation. It is 7× faster than those based on Castagnos-Laguillaumie encryption only at the cost of 2× more bandwidth. While our MtA is slower than OT-based constructions, it saves 18.7× in bandwidth requirement. In addition, we also design a batch version of MtA to further reduce the amortised time and space cost by another 25%.

Original language	English
Title of host publication	Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security
Editors	Cas Cremers, Engin Kirda
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	2974-2988
Number of pages	15
ISBN (Electronic)	9798400700507
DOIs	https://doi.org/10.1145/3576915.3616595
Publication status	Published - 2023
Externally published	Yes
Event	ACM Conference on Computer and Communications Security 2023 - Copenhagen, Denmark Duration: 26 Nov 2023 → 30 Nov 2023 Conference number: 30th https://dl.acm.org/doi/proceedings/10.1145/3576915 (Proceedings) https://www.sigsac.org/ccs/CCS2023/ (Website)

Conference

Conference	ACM Conference on Computer and Communications Security 2023
Abbreviated title	CCS 2023
Country/Territory	Denmark
City	Copenhagen
Period	26/11/23 → 30/11/23
Internet address	https://dl.acm.org/doi/proceedings/10.1145/3576915 (Proceedings) https://www.sigsac.org/ccs/CCS2023/ (Website)

Keywords

Joye-Libert cryptosystem
Multiplicative-to-Additive function
Threshold ECDSA
Zero-knowledge proof

Access to Document

10.1145/3576915.3616595

Cite this

Xue, H., Au, M. H., Liu, M., Chan, K. Y., Cui, H., Xie, X., Yuen, T. H., & Zhang, C. (2023). Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA. In C. Cremers, & E. Kirda (Eds.), Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (pp. 2974-2988). Association for Computing Machinery (ACM). https://doi.org/10.1145/3576915.3616595

Xue, Haiyang ; Au, Man Ho ; Liu, Mengling et al. / Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. editor / Cas Cremers ; Engin Kirda. New York NY USA : Association for Computing Machinery (ACM), 2023. pp. 2974-2988

@inproceedings{0f3ac30a18a2458484bf7cd09a79dd8b,

title = "Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA",

abstract = "Threshold ECDSA receives interest lately due to its widespread adoption in blockchain applications. A common building block of all leading constructions involves a secure conversion of multiplicative shares into additive ones, which is called the multiplicative-to-additive (MtA) function. MtA dominates the overall complexity of all existing threshold ECDSA constructions. Specifically, O(n2) invocations of MtA are required in the case of n active signers. Hence, improvement of MtA leads directly to significant improvements for all state-of-the-art threshold ECDSA schemes. In this paper, we design a novel MtA by revisiting the Joye-Libert (JL) cryptosystem. Specifically, we revisit JL encryption and propose a JL-based commitment, then give efficient zero-knowledge proofs for JL cryptosystem which are the first to have standard soundness. Our new MtA offers the best time-space complexity trade-off among all existing MtA constructions. It outperforms state-of-the-art constructions from Paillier by a factor of 1.85 to 2 in bandwidth and 1.2 to 1.7 in computation. It is 7× faster than those based on Castagnos-Laguillaumie encryption only at the cost of 2× more bandwidth. While our MtA is slower than OT-based constructions, it saves 18.7× in bandwidth requirement. In addition, we also design a batch version of MtA to further reduce the amortised time and space cost by another 25\%.",

keywords = "Joye-Libert cryptosystem, Multiplicative-to-Additive function, Threshold ECDSA, Zero-knowledge proof",

author = "Haiyang Xue and Au, \{Man Ho\} and Mengling Liu and Chan, \{Kwan Yin\} and Handong Cui and Xiang Xie and Yuen, \{Tsz Hon\} and Chengru Zhang",

note = "Funding Information: Haiyang Xue is supported by the National Natural Science Foundation of China (No. 62172412), and would like to thank LatticeX Fundation and Huawei for their support. Man Ho Au is supported by the Research Grant Council of Hong Kong (No. 17201421, 15211120, R1012-21), the National Natural Science Foundation of China (No. 61972332). Tsz Hon Yuen is supported by Huawei Shield Lab. Publisher Copyright: {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM; ACM Conference on Computer and Communications Security 2023, CCS 2023 ; Conference date: 26-11-2023 Through 30-11-2023",

year = "2023",

doi = "10.1145/3576915.3616595",

language = "English",

pages = "2974--2988",

editor = "Cas Cremers and Engin Kirda",

booktitle = "Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

url = "https://dl.acm.org/doi/proceedings/10.1145/3576915, https://www.sigsac.org/ccs/CCS2023/",

}

Xue, H, Au, MH, Liu, M, Chan, KY, Cui, H, Xie, X, Yuen, TH & Zhang, C 2023, Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA. in C Cremers & E Kirda (eds), Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), New York NY USA, pp. 2974-2988, ACM Conference on Computer and Communications Security 2023, Copenhagen, Denmark, 26/11/23. https://doi.org/10.1145/3576915.3616595

Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA. / Xue, Haiyang; Au, Man Ho; Liu, Mengling et al.
Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. ed. / Cas Cremers; Engin Kirda. New York NY USA: Association for Computing Machinery (ACM), 2023. p. 2974-2988.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA

AU - Xue, Haiyang

AU - Au, Man Ho

AU - Liu, Mengling

AU - Chan, Kwan Yin

AU - Cui, Handong

AU - Xie, Xiang

AU - Yuen, Tsz Hon

AU - Zhang, Chengru

N1 - Conference code: 30th

PY - 2023

Y1 - 2023

N2 - Threshold ECDSA receives interest lately due to its widespread adoption in blockchain applications. A common building block of all leading constructions involves a secure conversion of multiplicative shares into additive ones, which is called the multiplicative-to-additive (MtA) function. MtA dominates the overall complexity of all existing threshold ECDSA constructions. Specifically, O(n2) invocations of MtA are required in the case of n active signers. Hence, improvement of MtA leads directly to significant improvements for all state-of-the-art threshold ECDSA schemes. In this paper, we design a novel MtA by revisiting the Joye-Libert (JL) cryptosystem. Specifically, we revisit JL encryption and propose a JL-based commitment, then give efficient zero-knowledge proofs for JL cryptosystem which are the first to have standard soundness. Our new MtA offers the best time-space complexity trade-off among all existing MtA constructions. It outperforms state-of-the-art constructions from Paillier by a factor of 1.85 to 2 in bandwidth and 1.2 to 1.7 in computation. It is 7× faster than those based on Castagnos-Laguillaumie encryption only at the cost of 2× more bandwidth. While our MtA is slower than OT-based constructions, it saves 18.7× in bandwidth requirement. In addition, we also design a batch version of MtA to further reduce the amortised time and space cost by another 25%.

AB - Threshold ECDSA receives interest lately due to its widespread adoption in blockchain applications. A common building block of all leading constructions involves a secure conversion of multiplicative shares into additive ones, which is called the multiplicative-to-additive (MtA) function. MtA dominates the overall complexity of all existing threshold ECDSA constructions. Specifically, O(n2) invocations of MtA are required in the case of n active signers. Hence, improvement of MtA leads directly to significant improvements for all state-of-the-art threshold ECDSA schemes. In this paper, we design a novel MtA by revisiting the Joye-Libert (JL) cryptosystem. Specifically, we revisit JL encryption and propose a JL-based commitment, then give efficient zero-knowledge proofs for JL cryptosystem which are the first to have standard soundness. Our new MtA offers the best time-space complexity trade-off among all existing MtA constructions. It outperforms state-of-the-art constructions from Paillier by a factor of 1.85 to 2 in bandwidth and 1.2 to 1.7 in computation. It is 7× faster than those based on Castagnos-Laguillaumie encryption only at the cost of 2× more bandwidth. While our MtA is slower than OT-based constructions, it saves 18.7× in bandwidth requirement. In addition, we also design a batch version of MtA to further reduce the amortised time and space cost by another 25%.

KW - Joye-Libert cryptosystem

KW - Multiplicative-to-Additive function

KW - Threshold ECDSA

KW - Zero-knowledge proof

UR - https://www.scopus.com/pages/publications/85179855618

U2 - 10.1145/3576915.3616595

DO - 10.1145/3576915.3616595

M3 - Conference Paper

AN - SCOPUS:85179855618

SP - 2974

EP - 2988

BT - Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

A2 - Cremers, Cas

A2 - Kirda, Engin

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

T2 - ACM Conference on Computer and Communications Security 2023

Y2 - 26 November 2023 through 30 November 2023

ER -

Xue H, Au MH, Liu M, Chan KY, Cui H, Xie X et al. Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA. In Cremers C, Kirda E, editors, Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. New York NY USA: Association for Computing Machinery (ACM). 2023. p. 2974-2988 doi: 10.1145/3576915.3616595

Efficient multiplicative-to-additive function from Joye-Libert cryptosystem and its application to threshold ECDSA

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this