<!doctype html>
<html>
<head>
<title>Two-party ECDSA signature generation</title>
<link rel="stylesheet" type="text/css" href="demo.css"/>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
<script type="text/javascript">
jQuery(function ($) {
var worker = new Worker("split-key.js");
worker.onmessage = function (event) {
var data = event.data;
switch (data.cmd) {
case "ff":
$("#"+data.field).val(data.value);
break;
case "log":
if (console && "function" === typeof console.log) {
console.log.apply(console, data.args);
}
break;
}
};
worker.onerror = function (error) {
console.error(error);
};
worker.postMessage("start");
});
</script>
</head>
<body>
<h1>Two-party ECDSA signature generation</h1>
<p><strong>Initialization</strong></p>
<div class="alice">
<p>Alice starts out with her share of the private key d<sub>1</sub></p>
<div>
<label for="d1">d<sub>1</sub>=</label>
<input id="d1" type="text" readonly="readonly"/>
</div>
<p>And a Paillier keypair pk/sk</p>
<div>
<label for="p1_n">n=</label>
<input id="p1_n" type="text" readonly="readonly"/>
</div>
<div>
<label for="p1_g">g=</label>
<input id="p1_g" type="text" readonly="readonly"/>
</div>
<div>
<label for="p1_l">λ=</label>
<input id="p1_l" type="text" readonly="readonly"/>
</div>
<div>
<label for="p1_m">μ=</label>
<input id="p1_m" type="text" readonly="readonly"/>
</div>
</div>
<div class="bob">
<p>Bob starts out with his share d<sub>2</sub> of the private key d</p>
<div>
<label for="d2">d<sub>2</sub>=</label>
<input id="d2" type="text" readonly="readonly"/>
</div>
</div>
<p><strong>Protocol</strong></p>
<div class="alice">
<p>First Alice generates her share of the one-time secret k<sub>1</sub></p>
<div>
<label for="k1">k<sub>1</sub>=</label>
<input id="k1" type="text" readonly="readonly"/>
</div>
<p>And its inverse z<sub>1</sub> = (k<sub>1</sub>)<sup>-1</sup> mod n</p>
<div>
<label for="z1">z<sub>1</sub>=</label>
<input id="z1" type="text" readonly="readonly"/>
</div>
<p>She also calculates Q<sub>1</sub> = k<sub>1</sub>G</p>
<div>
<label for="q1">Q<sub>1</sub>=</label>
<input id="q1" type="text" readonly="readonly"/>
</div>
<p>She then encrypts z<sub>1</sub> using Paillier to create α = E<sub>pk</sub>(z<sub>1</sub>)</p>
<div>
<label for="alpha">α=</label>
<input id="alpha" type="text" readonly="readonly"/>
</div>
<p>And β = E<sub>pk</sub>(d<sub>1</sub>z<sub>1</sub> mod n)</p>
<div>
<label for="beta">β=</label>
<input id="beta" type="text" readonly="readonly"/>
</div>
<p>And also generates an encrypted blinding factor A = E<sub>pk</sub>(c) for some c ∈ [1, n<sub>P</sub>/n<sub>EC</sub>]</p>
<div>
<label for="A">A=</label>
<input id="A" type="text" readonly="readonly"/>
</div>
<p>Alice composes the encrypted signature σ<sub>1</sub> = (α ×<sub>pk</sub> e) +<sub>pk</sub> (β ×<sub>pk</sub> r) +<sub>pk</sub> (A ×<sub>pk</sub> n)</p>
<div>
<label for="sigma_1">σ<sub>1</sub>=</label>
<input id="sigma_1" type="text" readonly="readonly"/>
</div>
<p>She deterministically rerandomizes it to receive σ<sub>1</sub>' = σ<sub>1</sub>HASH(σ<sub>1</sub>)<sup>n</sub> mod n<sup>2</sup></p>
<div>
<label for="sigma_1n">σ<sub>1</sub>'=</label>
<input id="sigma_1n" type="text" readonly="readonly"/>
</div>
<p>And decrypts σ<sub>1</sub>' to receive s<sub>1</sub></p>
<div>
<label for="s_1">s<sub>1</sub>=</label>
<input id="s_1" type="text" readonly="readonly"/>
</div>
<p>And v', the randomizing factor in σ<sub>1</sub>'</p>
<div>
<label for="v_n">v<sub>'</sub>=</label>
<input id="v_n" type="text" readonly="readonly"/>
</div>
</div>
<div class="messageright"><div class="arrow"></div>
Q<sub>1</sub>, α, β, message, e, pk, A, s<sub>1</sub>, v'
</div>
<div class="bob">
<p>Bob validates Q<sub>1</sub> by ensuring that
<ol>
<li>Q<sub>1</sub> ≠ O</li>
<li>x<sub>Q<sub>1</sub></sub> and y<sub>Q<sub>1</sub></sub> are in the interval [1,n - 1]</li>
<li>y<sub>Q<sub>1</sub></sub><sup>2</sup> ≡ x<sub>Q<sub>1</sub></sub><sup>3</sup> + ax<sub>Q<sub>1</sub></sub> + b (mod p)</li>
<li>nQ<sub>1</sub> = O</li>
</ol></p>
<p>And verifies the message to be signed</p>
<p>He then verifies s<sub>1</sub> as a valid signature</p>
<p>Bob also calculates σ<sub>1</sub>' from α, β and A</p>
<div>
<label for="sigma_1n_b">σ<sub>1</sub>'=</label>
<input id="sigma_1n_b" type="text" readonly="readonly"/>
</div>
<p>And verifies it matches E<sub>pk</sub>(s<sub>1</sub>, v')</p>
<p>He then generates his share k<sub>2</sub> of the private one-time value k</p>
<div>
<label for="k2">k<sub>2</sub>=</label>
<input id="k2" type="text" readonly="readonly"/>
</div>
<p>And its inverse z<sub>2</sub> = (k<sub>2</sub>)<sup>-1</sup> mod n</p>
<div>
<label for="z2">z<sub>2</sub>=</label>
<input id="z2" type="text" readonly="readonly"/>
</div>
<p>He can calculate r = x<sub>Q</sub> where Q(x<sub>Q</sub>, y<sub>Q</sub>) = k<sub>2</sub>Q<sub>1</sub></p>
<div>
<label for="r">r=</label>
<input id="r" type="text" readonly="readonly"/>
</div>
<p>And Q<sub>2</sub> = k<sub>2</sub>G</p>
<div>
<label for="q2">Q<sub>2</sub>=</label>
<input id="q2" type="text" readonly="readonly"/>
</div>
<p>Bob prepares a random value B ∈ [1, n<sub>P</sub>/n<sub>EC</sub>] to use for blinding<p>
<div>
<label for="B">B=</label>
<input id="B" type="text" readonly="readonly"/>
</div>
<p>Finally he calculates σ = (α ×<sub>pk</sub> z<sub>2</sub>e) +<sub>pk</sub> (β ×<sub>pk</sub> z<sub>2</sub>d<sub>2</sub>r) +<sub>pk</sub> E<sub>pk</sub>(Bn<sub>EC</sub>)</p>
<div>
<label for="sigma">σ=</label>
<input id="sigma" type="text" readonly="readonly"/>
</div>
</div>
<div class="messageleft"><div class="arrow"></div>
Q<sub>2</sub>, r, σ
</div>
<div class="alice">
<p>Alice confirms Q<sub>2</sub> is a valid public point
<ol>
<li>Q<sub>2</sub> ≠ O</li>
<li>x<sub>Q<sub>2</sub></sub> and y<sub>Q<sub>2</sub></sub> are in the interval [1,n - 1]</li>
<li>y<sub>Q<sub>2</sub></sub><sup>2</sup> ≡ x<sub>Q<sub>2</sub></sub><sup>3</sup> + ax<sub>Q<sub>2</sub></sub> + b (mod p)</li>
<li>nQ<sub>2</sub> = O</li>
</ol></p>
<p>She now calculates r = x<sub>Q</sub> where Q = k<sub>1</sub>Q<sub>2</sub> and matches it against what Bob claimed</p>
<p>She decrypts σ to receive s = D<sub>sk</sub>(σ)</p>
<div>
<label for="s">s=</label>
<input id="s" type="text" readonly="readonly"/>
</div>
<p>She verifies the signature using r and the combined public key before publishing.</p>
<div>
<label for="result"></label>
<input id="result" type="text" readonly="readonly"/>
</div>
</div>
</body>
</html>