Bandwidth-Efficient Zero-Knowledge Proofs For Threshold ECDSA

In most threshold Elliptic Curve Digital Signature Algorithm (ECDSA) signatures using additively homomorphic encryption, the zero-knowledge (ZK) proofs related to the ciphertext or the message space are the bottleneck in terms of bandwidth as well as computation time. In this paper, we propose a compact ZK proof for relations related to the Castagnos-Laguillaumie (CL) encryption, which is 33% shorter and 29% faster than the existing work in PKC 2021. We also give new ZK proofs for relations related to homomorphic operations over the CL ciphertext. These new ZK proofs are useful to construct a bandwidth-efficient universal composable-secure threshold ECDSA without compromising the proactive security and the non-interactivity. In particular, we lowered the communication and computation cost of the key refresh algorithm in the Paillier-based counterpart from $O(n<^>3)$ to $O(n<^>2)$. Considering a 5-signer setting, the bandwidth is better than the Paillier-based counterpart for up to 99, 95 and 35% for key generation, key refreshment and pre-signing, respectively.