Steven Goldfeder

Threshold-Optimal DSA/ECDSA Signatures and an Application to Bitcoin Wallet Security

While threshold signature schemes have been presented before, there has never been an optimal threshold signature algorithm for DSA. The properties of DSA make it quite challenging to build a threshold version. In this paper, we present a threshold DSA scheme that is efficient and optimal. We also present a compelling application to use our scheme: securing Bitcoin wallets. Bitcoin thefts are on the rise, and threshold DSA is necessary to secure Bitcoin wallets. Our scheme is the first general threshold DSA scheme that does not require an honest majority and is useful for securing Bitcoin wallets.

Escrow Protocols for Cryptocurrencies: How to Buy Physical Goods Using Bitcoin

We consider the problem of buying physical goods with cryptocurrencies. There is an inherent circular dependency: should be the buyer trust the seller and pay before receiving the goods or should the seller trust the buyer and ship the goods before receiving payment? This dilemma is addressed in practice using a third party escrow service. However, we show that naive escrow protocols introduce both privacy and security issues. We formalize the escrow problem and present a suite of schemes with improved security and privacy properties. Our schemes are compatible with Bitcoin and similar blockchain-based cryptocurrencies.

When the cookie meets the blockchain: Privacy risks of web payments via cryptocurrencies

Abstract We show how third-party web trackers can deanonymize users of cryptocurrencies. We present two distinct but complementary attacks. On most shopping websites, third party trackers receive information about user purchases for purposes of advertising and analytics. We show that, if the user pays using a cryptocurrency, trackers typically possess enough information about the purchase to uniquely identify the transaction on the blockchain, link it to the user’s cookie, and further to the user’s real identity. Our second attack shows that if the tracker is able to link two purchases of the same user to the blockchain in this manner, it can identify the user’s cluster of addresses and transactions on the blockchain, even if the user employs blockchain anonymity techniques such as CoinJoin. The attacks are passive and hence can be retroactively applied to past purchases. We discuss several mitigations, but none are perfect.

Fast Multiparty Threshold ECDSA with Fast Trustless Setup

A threshold signature scheme enables distributed signing among n players such that any subgroup of size

Elastic Ring Search for Ad Hoc Networks

t+1

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption

can sign, whereas any group with t or fewer players cannot. While there exist previous threshold schemes for the ECDSA signature scheme, we are the first protocol that supports multiparty signatures for any

Determining an optimal threshold on the online reserves of a bitcoin exchange

t łeq n

Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction

with an efficient dealerless key generation. Our protocol is faster than previous solutions and significantly reduces the communication complexity as well. We prove our scheme secure against malicious adversaries with a dishonest majority. We implemented our protocol, demonstrating its efficiency and suitability to be deployed in practice.

On Bitcoin as a public randomness source.

In highly dynamic mobile ad hoc networks, new paths between nodes can become available in a short amount of time. We show how to leverage this property in order to efficiently search for paths between nodes using a technique we call elastic ring search, modeled after the popular expanding ring search. In both techniques, a node searches up to a certain number of hops, waits long enough to know if a path was found, and searches again if no path was found. In elastic ring search, the delays between search attempts are long enough for shorter paths to become available, and therefore the optimal sequence of search extents may increase and even decrease. In this paper, we provide a framework to model this network behavior, define two heuristics for optimizing elastic ring search sequences, and show that elastic ring search can incur significantly lower search costs than expanding ring search.

Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives

We develop a general approach to adding a threshold functionality to a large class of (non-threshold) cryptographic schemes. A threshold functionality enables a secret key to be split into a number of shares, so that only a threshold of parties can use the key, without reconstructing the key. We begin by constructing a threshold fully-homomorphic encryption scheme (ThFHE) from the learning with errors (LWE) problem. We next introduce a new concept, called a universal thresholdizer, from which many threshold systems are possible. We show how to construct a universal thresholdizer from our ThFHE. A universal thresholdizer can be used to add threshold functionality to many systems, such as CCA-secure public-key encryption (PKE), signature schemes, pseudorandom functions, and others primitives. In particular, by applying this paradigm to a (non-threshold) lattice signature system, we obtain the first single-round threshold signature scheme from LWE.