Two-party ECDSA signature generation

Initialization

Alice starts out with her share of the private key d1

And a Paillier keypair pk/sk

Bob starts out with his share d2 of the private key d

Protocol

First Alice generates her share of the one-time secret k1

And its inverse z1 = (k1)-1 mod n

She also calculates Q1 = k1G

She then encrypts z1 with her Paillier secret to create α = Epk(z1)

And β = Epk(d1z1 mod n)

Q1, α, β, message, e, pk

Bob validates Q1 by ensuring that

  1. Q1 ≠ O
  2. xQ1 and yQ1 are in the interval [1,n - 1]
  3. yQ12 ≡ xQ13 + axQ1 + b (mod p)
  4. nQ1 = O

And verifies the message to be signed

He then generates his share k2 of the private one-time value k

And its inverse z2 = (k2)-1 mod n

He can calculate r = xQ where Q(xQ, yQ) = k2Q1

And Q2 = k2G

Bob prepares a random value c to use for blinding

Finally he calculates σ = (α ×pk z2e) +pk (β ×pk z2d2r) +pk Epk(cn)

Q2, r, σ

Alice confirms Q2 is a valid public point

  1. Q2 ≠ O
  2. xQ2 and yQ2 are in the interval [1,n - 1]
  3. yQ22 ≡ xQ23 + axQ2 + b (mod p)
  4. nQ2 = O

She now calculates r = xQ where Q = k1Q2 and matches it against what Bob claimed

She decrypts σ to receive s = Dsk(σ)

She verifies the signature using r and the combined public key before publishing.