Promise Σ-protocol: How to Construct Efficient Threshold ECDSA from Encryptions Based on Class Groups.

Threshold Signatures allow n parties to share the ability of issuing digital signatures so that any coalition of size at least t + 1 can sign, whereas groups of t or fewer players cannot. The currently known class-group-based threshold ECDSA constructions are either inefficient (requiring parallel-repetition of the underlying zero knowledge proof with small challenge space) or requiring rather non-standard low order assumption. In this paper, we present efficient threshold ECDSA protocols from encryption schemes based on class groups with neither assuming the low order assumption nor parallel repeating the underlying zero knowledge proof , yielding a significant efficiency improvement in the key generation over previous constructions. Along the way we introduce a new notion of promise Σ -protocol that satisfies only a weaker soundness called promise extractability . An accepting promise Σ -proof for statements related to class-group-based encryptions does not establish the truth of the statement but provides security guarantees (promise extractability) that are sufficient for our applications. We also show how to simulate homomorphic operations on a (possibly invalid) class-group-based encryption whose correctness has been proven via our promise Σ -protocol. We believe that these techniques are of independent interest and applicable to other scenarios where efficient zero knowledge proofs for statements related to class-group is required.