Threshold ECDSA in Three Rounds

We present a three-round protocol for threshold ECDSA signing with malicious security against a dishonest majority, which information-theoretically UC-realizes a standard threshold signing functionality, assuming only ideal commitment and two-party multiplication primitives. Our protocol combines an intermediate representation of ECDSA signatures that was recently introduced by Abram et al. [2] with an efficient statistical consistency check reminiscent of the ones used by the protocols of Doerner et al. [3], [4]. We show that shared keys for our signing protocol can be generated using a simple commit-release-and-complain procedure, without any proofs of knowledge, and to compute the intermediate representation of each signature, we propose a two-round vectorized multiplication protocol based on oblivious transfer that outperforms all similar constructions. We demonstrate empirically that our protocol outperforms those of Doerner et al. by factors of as much as six in high-latency environments, and that it is multiple orders of magnitude faster than Paillier-based approaches.