Hi, Referring to ecdsa Share Refresh as described in text <a href="u

Regarding your first point, thank you for catching this. Indeed,

some observations on Share Refresh about blockchain-crypto-mpc HOT 1 CLOSED

omershlo commented on August 19, 2024

some observations on Share Refresh

from blockchain-crypto-mpc.

Samuel-Ranellucci commented on August 19, 2024

Regarding your first point, thank you for catching this. Indeed, the zero-knowledge proof that the Paillier key is generated correctly was mistakenly omitted from the refresh, but obviously must be included (as in key generation). We have added this zero-knowledge proof to the refresh.
Regarding your second point: no bits can be leaked by the addition of r in refresh. In order to see this, observe that by not doing a modular reduction, the encrypted value can increase by at most q each time. Now, by the ECDSA two-party paper (https://eprint.iacr.org/2017/552.pdf, Protocol 3.2, Step 4c), the second party must choose noise \rho in \Z_{q^2} in the signing protocol to ensure no leakage. Thus, for an encryption of the private key of size up to q, the amount of noise needed is random in \Z_{q^2}. However, in our implementation, we add noise \rho in \Z_{q^2 * 2^80}. This means that we prevent leakage as long as the encryption of the private key is a value at most q* 2^{80}. This means that as long as the number of refreshes done is at most 2^{80} (can never feasibly be reached), the amount of noise added is sufficient to prevent any leakage.

Thank you again for your review and help in improving our library.

from blockchain-crypto-mpc.

Recommend Projects