Two-party ECDSA signature generation

Initialization

Alice starts out with her share of the private key d1

And a Paillier keypair pk/sk

Bob starts out with his share d2 of the private key d

Protocol

First Alice generates her share of the one-time secret k1

And its inverse z1 = (k1)-1 mod n

She also calculates Q1 = k1G

She then encrypts z1 using Paillier to create α = Epk(z1)

And β = Epk(d1z1 mod n)

And also generates an encrypted blinding factor A = Epk(c) for some c ∈ [1, nP/nEC]

Alice composes the encrypted signature σ1 = (α ×pk e) +pk (β ×pk r) +pk (A ×pk n)

She deterministically rerandomizes it to receive σ1' = σ1HASH(σ1)n mod n2

And decrypts σ1' to receive s1

And v', the randomizing factor in σ1'

Q1, α, β, message, e, pk, A, s1, v'

Bob validates Q1 by ensuring that

  1. Q1 ≠ O
  2. xQ1 and yQ1 are in the interval [1,n - 1]
  3. yQ12 ≡ xQ13 + axQ1 + b (mod p)
  4. nQ1 = O

And verifies the message to be signed

He then verifies s1 as a valid signature

Bob also calculates σ1' from α, β and A

And verifies it matches Epk(s1, v')

He then generates his share k2 of the private one-time value k

And its inverse z2 = (k2)-1 mod n

He can calculate r = xQ where Q(xQ, yQ) = k2Q1

And Q2 = k2G

Bob prepares a random value B ∈ [1, nP/nEC] to use for blinding

Finally he calculates σ = (α ×pk z2e) +pk (β ×pk z2d2r) +pk Epk(BnEC)

Q2, r, σ

Alice confirms Q2 is a valid public point

  1. Q2 ≠ O
  2. xQ2 and yQ2 are in the interval [1,n - 1]
  3. yQ22 ≡ xQ23 + axQ2 + b (mod p)
  4. nQ2 = O

She now calculates r = xQ where Q = k1Q2 and matches it against what Bob claimed

She decrypts σ to receive s = Dsk(σ)

She verifies the signature using r and the combined public key before publishing.