2011-08-29 12:10:28 +01:00
<!doctype html>
< html >
< head >
< title > Two-party ECDSA signature generation< / title >
< link rel = "stylesheet" type = "text/css" href = "demo.css" / >
< script type = "text/javascript" src = "https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js" > < / script >
< script type = "text/javascript" >
jQuery(function ($) {
var worker = new Worker("split-key.js");
worker.onmessage = function (event) {
var data = event.data;
switch (data.cmd) {
case "ff":
$("#"+data.field).val(data.value);
break;
case "log":
if (console & & "function" === typeof console.log) {
console.log.apply(console, data.args);
}
break;
}
};
worker.onerror = function (error) {
console.error(error);
};
worker.postMessage("start");
});
< / script >
< / head >
< body >
< h1 > Two-party ECDSA signature generation< / h1 >
< p > < strong > Initialization< / strong > < / p >
< div class = "alice" >
< p > Alice starts out with her share of the private key d< sub > 1< / sub > < / p >
< div >
< label for = "d1" > d< sub > 1< / sub > =< / label >
< input id = "d1" type = "text" readonly = "readonly" / >
< / div >
< p > And a Paillier keypair pk/sk< / p >
< div >
< label for = "p1_n" > n=< / label >
< input id = "p1_n" type = "text" readonly = "readonly" / >
< / div >
< div >
< label for = "p1_g" > g=< / label >
< input id = "p1_g" type = "text" readonly = "readonly" / >
< / div >
< div >
< label for = "p1_l" > λ =< / label >
< input id = "p1_l" type = "text" readonly = "readonly" / >
< / div >
< div >
< label for = "p1_m" > μ =< / label >
< input id = "p1_m" type = "text" readonly = "readonly" / >
< / div >
< / div >
< div class = "bob" >
< p > Bob starts out with his share d< sub > 2< / sub > of the private key d< / p >
< div >
< label for = "d2" > d< sub > 2< / sub > =< / label >
< input id = "d2" type = "text" readonly = "readonly" / >
< / div >
< / div >
< p > < strong > Protocol< / strong > < / p >
< div class = "alice" >
< p > First Alice generates her share of the one-time secret k< sub > 1< / sub > < / p >
< div >
< label for = "k1" > k< sub > 1< / sub > =< / label >
< input id = "k1" type = "text" readonly = "readonly" / >
< / div >
< p > And its inverse z< sub > 1< / sub > = (k< sub > 1< / sub > )< sup > -1< / sup > mod n< / p >
< div >
< label for = "z1" > z< sub > 1< / sub > =< / label >
< input id = "z1" type = "text" readonly = "readonly" / >
< / div >
< p > She also calculates Q< sub > 1< / sub > = k< sub > 1< / sub > G< / p >
< div >
< label for = "q1" > Q< sub > 1< / sub > =< / label >
< input id = "q1" type = "text" readonly = "readonly" / >
< / div >
2011-09-03 19:36:45 +01:00
< p > She then encrypts z< sub > 1< / sub > using Paillier to create α = E< sub > pk< / sub > (z< sub > 1< / sub > )< / p >
2011-08-29 12:10:28 +01:00
< div >
< label for = "alpha" > α =< / label >
< input id = "alpha" type = "text" readonly = "readonly" / >
< / div >
< p > And β = E< sub > pk< / sub > (d< sub > 1< / sub > z< sub > 1< / sub > mod n)< / p >
< div >
< label for = "beta" > β =< / label >
< input id = "beta" type = "text" readonly = "readonly" / >
< / div >
2011-09-03 19:36:45 +01:00
< p > And also generates an encrypted blinding factor A = E< sub > pk< / sub > (c) for some c ∈ [1, n< sub > P< / sub > /n< sub > EC< / sub > ]< / p >
< div >
< label for = "A" > A=< / label >
< input id = "A" type = "text" readonly = "readonly" / >
< / div >
< p > Alice composes the encrypted signature σ < sub > 1< / sub > = (α × < sub > pk< / sub > e) +< sub > pk< / sub > (β × < sub > pk< / sub > r) +< sub > pk< / sub > (A × < sub > pk< / sub > n)< / p >
< div >
< label for = "sigma_1" > σ < sub > 1< / sub > =< / label >
< input id = "sigma_1" type = "text" readonly = "readonly" / >
< / div >
< p > She deterministically rerandomizes it to receive σ < sub > 1< / sub > ' = σ < sub > 1< / sub > HASH(σ < sub > 1< / sub > )< sup > n< / sub > mod n< sup > 2< / sup > < / p >
< div >
< label for = "sigma_1n" > σ < sub > 1< / sub > '=< / label >
< input id = "sigma_1n" type = "text" readonly = "readonly" / >
< / div >
< p > And decrypts σ < sub > 1< / sub > ' to receive s< sub > 1< / sub > < / p >
< div >
< label for = "s_1" > s< sub > 1< / sub > =< / label >
< input id = "s_1" type = "text" readonly = "readonly" / >
< / div >
< p > And v', the randomizing factor in σ < sub > 1< / sub > '< / p >
< div >
< label for = "v_n" > v< sub > '< / sub > =< / label >
< input id = "v_n" type = "text" readonly = "readonly" / >
< / div >
2011-08-29 12:10:28 +01:00
< / div >
< div class = "messageright" > < div class = "arrow" > < / div >
2011-09-03 19:36:45 +01:00
Q< sub > 1< / sub > , α , β , message, e, pk, A, s< sub > 1< / sub > , v'
2011-08-29 12:10:28 +01:00
< / div >
< div class = "bob" >
< p > Bob validates Q< sub > 1< / sub > by ensuring that
< ol >
< li > Q< sub > 1< / sub > ≠ O< / li >
< li > x< sub > Q< sub > 1< / sub > < / sub > and y< sub > Q< sub > 1< / sub > < / sub > are in the interval [1,n - 1]< / li >
< li > y< sub > Q< sub > 1< / sub > < / sub > < sup > 2< / sup > ≡ x< sub > Q< sub > 1< / sub > < / sub > < sup > 3< / sup > + ax< sub > Q< sub > 1< / sub > < / sub > + b (mod p)< / li >
< li > nQ< sub > 1< / sub > = O< / li >
< / ol > < / p >
< p > And verifies the message to be signed< / p >
2011-09-03 19:36:45 +01:00
< p > He then verifies s< sub > 1< / sub > as a valid signature< / p >
< p > Bob also calculates σ < sub > 1< / sub > ' from α , β and A< / p >
< div >
< label for = "sigma_1n_b" > σ < sub > 1< / sub > '=< / label >
< input id = "sigma_1n_b" type = "text" readonly = "readonly" / >
< / div >
< p > And verifies it matches E< sub > pk< / sub > (s< sub > 1< / sub > , v')< / p >
2011-08-29 12:10:28 +01:00
< p > He then generates his share k< sub > 2< / sub > of the private one-time value k< / p >
< div >
< label for = "k2" > k< sub > 2< / sub > =< / label >
< input id = "k2" type = "text" readonly = "readonly" / >
< / div >
< p > And its inverse z< sub > 2< / sub > = (k< sub > 2< / sub > )< sup > -1< / sup > mod n< / p >
< div >
< label for = "z2" > z< sub > 2< / sub > =< / label >
< input id = "z2" type = "text" readonly = "readonly" / >
< / div >
< p > He can calculate r = x< sub > Q< / sub > where Q(x< sub > Q< / sub > , y< sub > Q< / sub > ) = k< sub > 2< / sub > Q< sub > 1< / sub > < / p >
< div >
< label for = "r" > r=< / label >
< input id = "r" type = "text" readonly = "readonly" / >
< / div >
< p > And Q< sub > 2< / sub > = k< sub > 2< / sub > G< / p >
< div >
< label for = "q2" > Q< sub > 2< / sub > =< / label >
< input id = "q2" type = "text" readonly = "readonly" / >
< / div >
2011-09-03 19:36:45 +01:00
< p > Bob prepares a random value B ∈ [1, n< sub > P< / sub > /n< sub > EC< / sub > ] to use for blinding< p >
2011-08-29 12:10:28 +01:00
< div >
2011-09-03 19:36:45 +01:00
< label for = "B" > B=< / label >
< input id = "B" type = "text" readonly = "readonly" / >
2011-08-29 12:10:28 +01:00
< / div >
2011-09-03 19:36:45 +01:00
< p > Finally he calculates σ = (α × < sub > pk< / sub > z< sub > 2< / sub > e) +< sub > pk< / sub > (β × < sub > pk< / sub > z< sub > 2< / sub > d< sub > 2< / sub > r) +< sub > pk< / sub > E< sub > pk< / sub > (Bn< sub > EC< / sub > )< / p >
2011-08-29 12:10:28 +01:00
< div >
< label for = "sigma" > σ =< / label >
< input id = "sigma" type = "text" readonly = "readonly" / >
< / div >
< / div >
< div class = "messageleft" > < div class = "arrow" > < / div >
Q< sub > 2< / sub > , r, σ
< / div >
< div class = "alice" >
< p > Alice confirms Q< sub > 2< / sub > is a valid public point
< ol >
< li > Q< sub > 2< / sub > ≠ O< / li >
< li > x< sub > Q< sub > 2< / sub > < / sub > and y< sub > Q< sub > 2< / sub > < / sub > are in the interval [1,n - 1]< / li >
< li > y< sub > Q< sub > 2< / sub > < / sub > < sup > 2< / sup > ≡ x< sub > Q< sub > 2< / sub > < / sub > < sup > 3< / sup > + ax< sub > Q< sub > 2< / sub > < / sub > + b (mod p)< / li >
< li > nQ< sub > 2< / sub > = O< / li >
< / ol > < / p >
< p > She now calculates r = x< sub > Q< / sub > where Q = k< sub > 1< / sub > Q< sub > 2< / sub > and matches it against what Bob claimed< / p >
< p > She decrypts σ to receive s = D< sub > sk< / sub > (σ )< / p >
< div >
< label for = "s" > s=< / label >
< input id = "s" type = "text" readonly = "readonly" / >
< / div >
< p > She verifies the signature using r and the combined public key before publishing.< / p >
2011-09-03 19:36:45 +01:00
< div >
< label for = "result" > < / label >
< input id = "result" type = "text" readonly = "readonly" / >
< / div >
2011-08-29 12:10:28 +01:00
< / div >
< / body >
< / html >