Refresh When You Wake Up: Proactive Threshold Wallets with Offline Devices

Kondi, Yashvanth; Magri, Bernardo; Orlandi, Claudio; Shlomovits, Omer

doi:10.1109/sp40001.2021.00067

Cited by 14 publications

(7 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We model proactive security, similarly to [47], by each party in the system having an epoch tape which maintains an integer epoch initialized to 0 at the start of the execution. The execution proceeds in phases which alternate between an operational phase and a refreshing phase, starting with the operational phase.…”

Section: Modeling Proactive Securitymentioning

confidence: 99%

See 1 more Smart Citation

PAPR: Publicly Auditable Privacy Revocation for Anonymous Credentials

Brorsson

David

Gentile

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

We study the notion of anonymous credentials with Publicly Auditable Privacy Revocation (PAPR). PAPR credentials simultaneously provide conditional user privacy and auditable privacy revocation. The first property implies that users keep their identity private when authenticating unless and until an appointed authority requests to revoke this privacy, retroactively. The second property enforces that auditors can verify whether or not this authority has revoked privacy from an issued credential (i.e. learned the identity of the user who owns that credential), holding the authority accountable. In other words, the second property enriches conditionally anonymous credential systems with transparency by design, effectively discouraging such systems from being used for mass surveillance. In this work, we introduce the notion of a PAPR anonymous credential scheme, formalize it as an ideal functionality, and present constructions that are provably secure under standard assumptions in the Universal Composability framework. The core tool in our PAPR construction is a mechanism for randomly selecting an anonymous committee which users secret share their identity information towards, while hiding the identities of the committee members from the authority. As a consequence, in order to initiate the revocation process for a given credential, the authority is forced to post a request on a public bulletin board used as a broadcast channel to contact the anonymous committee that holds the keys needed to decrypt the identity connected to the credential. This mechanism makes the user de-anonymization publicly auditable.

show abstract

Section: Modeling Proactive Securitymentioning

confidence: 99%

“…The execution proceeds in phases which alternate between an operational phase and a refreshing phase, starting with the operational phase. In contrast to [47], we force every party to have the same value as epoch counter.…”

Section: Modeling Proactive Securitymentioning

confidence: 99%

PAPR: Publicly Auditable Privacy Revocation for Anonymous Credentials

Brorsson

David

Gentile

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Canetti et al [17] proposed a refresh protocol using Paillier encryption and zero-knowledge proofs, but they provided a description of the refresh protocol for (n, n) threshold ECDSA only and just stated that one can easily obtain a refresh protocol for (t, n) threshold ECDSA schemes with t < n by applying secret sharing techniques. In [26], Kondi et al presented refresh protocols where some of parties are offline. However, the aforementioned works did not consider a recovery protocol.…”

Section: B Related Workmentioning

confidence: 99%

“…They stated that their refresh protocol can be easily extended to (t, n) threshold settings for t ≤ n by applying the secret sharing technique, but the detail was not given. In [26], Kondi et al provided refresh protocols, but their protocols focused on the case where some of parties are offline. They presented the refresh protocol for (2, n) threshold schemes and showed that it is impossible to design refresh protocols for (t, n) if t > 2 where some of n parties are offline.…”

Section: Introductionmentioning

confidence: 99%

A Key Recovery Protocol for Multiparty Threshold ECDSA Schemes

et al. 2022

View full text Add to dashboard Cite

Recently, threshold ECDSA schemes have received much attention from the security community, due to the need of efficient key management in the blockchain system. For the practical use of threshold cryptosystem, a key recovery protocol is essential for users who lost their own secret shares to recover them. It was studied for a long time in the proactive secret sharing area, but the main aim of recent studies in that area is to achieve stronger security and so they are immoderate for the currently existing threshold ECDSA schemes. In this paper, we provide a new key recovery protocol for threshold ECDSA schemes that is secure against static corruptions by malicious adversaries, as in the common adversary model of the state-of-the-art threshold ECDSA schemes. Our proposed protocol reduces both the computational and communication costs to O(t 2 ) from O(t 3 ) where t is the threshold of the schemes, that is, the minimum number of users required for generating a valid signature. According to our experimental results, when t = 2 with 128-bit security, while the previous result takes 10.46 ms in total for all computations (excluding the transmission time on the network), our protocol takes 4.21 ms, which improves by a factor of about 2.48 times. The advantage of our protocol over the previous result is bigger when t is larger. For example, when t = 9 with 128-bit security, while the previous result requires 333.42 ms in total for all computations, our protocol requires 56.61 ms, which outperforms the previous result by a factor of about 5.89 times.

show abstract

“…The flexibility and security advantages of threshold protocols have become of central importance in the research for new cryptographic primitives [9]. Starting from the highly influential work of Gennaro et al [21], several authors proposed both novel schemes [31,30,12] and improvements to existing protocols [32,20,8,29,14,18,15,27].…”

Section: Introductionmentioning

confidence: 99%

A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party

Battagliola¹,

Longo²,

Meneghetti³

et al. 2020

Preprint

View full text Add to dashboard Cite

A (t, n)-threshold signature scheme enables distributed signing among n players such that any subset of size at least t can sign, whereas any subset with fewer players cannot. The goal is to produce threshold digital signatures that are compatible with an existing centralized signature scheme. Starting from the threshold scheme for the ECDSA signature due to Battagliola et al., we present the first protocol that supports EdDSA multi-party signatures with an offline participant during the key-generation phase, without relying on a trusted third party. Under standard assumptions we prove our scheme secure against adaptive malicious adversaries. Furthermore we show how our security notion can be strengthen when considering a rushing adversary. We discuss the resiliency of the recovery in the presence of a malicious party. Using a classical game-based argument, we prove that if there is an adversary capable of forging the scheme with non-negligible probability, then we can build a forger for the centralized EdDSA scheme with non-negligible probability.

show abstract

Refresh When You Wake Up: Proactive Threshold Wallets with Offline Devices

Cited by 14 publications

References 47 publications

PAPR: Publicly Auditable Privacy Revocation for Anonymous Credentials

PAPR: Publicly Auditable Privacy Revocation for Anonymous Credentials

A Key Recovery Protocol for Multiparty Threshold ECDSA Schemes

A Provably-Unforgeable Threshold EdDSA with an Offline Recovery Party

Contact Info

Product

Resources

About