International Association
for Cryptologic Research

Since the publication of the initial 2018 paper, the DKLs protocols [Doerner et al., IEEE S&P 2018 and 2019] have been deployed to secure cryptocurrency assets at considerable scale. In this time, much has changed in our understanding of industry needs, perspectives on protocol design, as well as the theory underlying our protocols. There is not at present an academic venue to announce such changes to the broader community as they do not constitute technical novelty, but they are important to communicate nonetheless. Until this point, we have communicated updates of this nature privately to developers on an ad-hoc basis. While this has been effective in supporting---and learning from---the developers with whom we have interacted directly, a more systematic approach is required for a dialogue with the broader community. We have therefore synthesized the information that is relevant to developers who wish to deploy and maintain our protocols today, and made the necessary resources available on a dedicated website. In this talk, we will give a summary of the resources that developers can expect to find on our site. Highlights include 1. Conservative Design Principles: We discuss standard vs non-standard functionalities for ECDSA, and what it takes to realize them. In response to criticism of our non-standard ideal functionality in our two-party paper, we provide a three-round version of our signing protocol that realizes the standard F_ECDSA functionality, along with recommendations for modes of operation. We additionally discuss the marginal cost of achieving UC security; in particular the efficiency of signing remains the same even with this improved security guarantee, due to an approach that avoids the use of zero-knowledge proofs. 2. Security of primitives: We make important recommendations for the instantiation of underlying primitives including Oblivious Transfer, and Secure Multiplication. Such recommendations include crucial non-obvious implementation details such as enforcing sequentiality of statistical checks on shared state, and random oracle tagging, as well as higher level advice in choice of protocols for building blocks. 3. Efficiency: We compare and contrast the efficiency profiles of homomorphic encryption based approaches to ECDSA, and OT based ones such as ours. Through benchmarks on diverse hardware and points of comparison in broadly relatable terms, we make the case that OT based threshold ECDSA achieves the best tradeoffs in many scenarios. Additionally, we present optimizations to our protocol that provide noticeable improvements in bandwidth. 4. Modes of operation: We discuss how to achieve proactive security---an industry best practice today---when using our protocols. Additionally, we discuss non-interactive signing in the preprocessing model, which is a mode of operation that has received much interest in the industry recently. 5. We discuss our experiences in helping several companies that have implemented, tested internally, and ultimately deployed our protocol to their users.

We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto’18) and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt’19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

We present a new multiparty protocol for the distributed generation of biprime RSA moduli, with security against any subset of maliciously colluding parties assuming oblivious transfer and the hardness of factoring. Our protocol is highly modular, and its uppermost layer can be viewed as a template that generalizes the structure of prior works and leads to a simpler security proof. We introduce a combined sampling-and-sieving technique that eliminates both the inherent leakage in the approach of Frederiksen et al. (Crypto'18), and the dependence upon additively homomorphic encryption in the approach of Hazay et al. (JCrypt'19). We combine this technique with an efficient, privacy-free check to detect malicious behavior retroactively when a sampled candidate is not a biprime, and thereby overcome covert rejection-sampling attacks and achieve both asymptotic and concrete efficiency improvements over the previous state of the art.

At CRYPTO 2018, Cascudo et al. introduced Reverse Multiplication Friendly Embeddings (RMFEs). These are a mechanism to compute $\delta$ parallel evaluations of the same arithmetic circuit over a field $\mathbb{F}_q$ at the cost of a single evaluation of that circuit in $\mathbb{F}_{q^d}$, where $\delta < d$. Due to this inequality, RMFEs are a useful tool when protocols require to work over $\mathbb{F}_{q^d}$ but one is only interested in computing over $\mathbb{F}_q$. In this work we introduce Circuit Amortization Friendly Encodings (CAFEs), which generalize RMFEs while having concrete efficiency in mind. For a Galois Ring $R = GR(2^k,d)$, CAFEs allow to compute certain circuits over $\mathbb{Z}_{2^k}}$ at the cost of a single secure multiplication in $R$. We present three CAFE instantiations, which we apply to the protocol for MPC over $\mathbb{Z}_{2^k}}$ via Galois Rings by Abspoel et al. (TCC 2019). Our protocols allow for efficient switching between the different CAFEs, as well as between computation over $GR(2^k,d)$ and $\mathbb{F}_{2^{d}}$ in a way that preserves the CAFE in both rings. This adaptability leads to efficiency gains for e.g. Machine Learning applications, which can be represented as highly parallel circuits over $\mathbb{Z}_{2^k}}$ followed by bit-wise operations. From an implementation of our techniques, we estimate that an SVM can be evaluated on 250 images in parallel up to $\times 7$ as efficient using our techniques, compared to using the protocols from Abspoel et al. (TCC 2019).