Multi-party ECDSA

IMPORTANT NOTE

This repository is no longer maintained. Specifically, Zengo will not provide any security updates or hotfixes should an issue arise. This library was originally created to let users experiment with MPC and TSS functionality using different protocols, including ones that are not used in production by the Zengo wallet. The Zengo wallet's production MPC code can be found in ZenGo-X/gotham-city#64

Introduction

This project is a Rust implementation of {t,n}-threshold ECDSA (elliptic curve digital signature algorithm).

Threshold ECDSA includes two protocols:

  • Key Generation for creating secret shares.
  • Signing for using the secret shares to generate a signature.

ECDSA is used extensively for crypto-currencies such as Bitcoin, Ethereum (secp256k1 curve), NEO (NIST P-256 curve) and many more. This library can be used to create MultiSig and ThresholdSig crypto wallets. For a full background on threshold signatures, please read our Binance Academy article Threshold Signatures Explained.

Library Introduction

The library was built with four core design principles in mind:

  1. Multi-protocol support
  2. Built for cryptography engineers
  3. Foolproof
  4. Black box use of cryptographic primitives

To learn about the core principles, as well as about the audit process and the security of the library, please read our Intro to multiparty ecdsa library blog post.

Use It

The library implements four different protocols for threshold ECDSA. The protocols present different tradeoffs in terms of parameters, security assumptions and efficiency.

Protocol (reference): high-level code built on it

  • Lindell 17 [1]: Gotham-city (accepted to CIW19) is a two-party Bitcoin wallet, including benchmarks. KMS is a Rust wrapper library that implements a general-purpose two-party key management system. thresh-sig-js is a JavaScript SDK.
  • Gennaro, Goldfeder 19 [2] (video): tss-ecdsa-cli is a wrapper CLI for a full threshold access structure, including networking and threshold HD keys (BIP32). See the Demo in this library to get a better low-level understanding.
  • Castagnos et al. 19 [3]: Currently enabled as a feature in this library. To enable it, build with --features=cclst. To test it, use cargo test --features=cclst -- --test-threads=1.
  • Gennaro, Goldfeder 20 [4]: A full threshold protocol that supports identifying malicious parties. If signing fails, a list of malicious parties is returned. The protocol requires only a broadcast channel (all messages are broadcast).

Run GG20 Demo

In the following steps we will generate a 2-of-3 threshold signing key and sign a message with 2 parties.

Setup

  1. You need Rust installed on your computer, and optionally the GMP library.

    • Run cargo build --release --examples
    • Don't have GMP installed? Use this command instead:
      cargo build --release --examples --no-default-features --features curv-kzen/num-bigint
      But keep in mind that it will be less efficient.

    Either command will place the binaries in the ./target/release/examples/ folder.

  2. cd ./target/release/examples/

Start an SM server

./gg20_sm_manager

That will start an HTTP server on http://127.0.0.1:8000. The other parties will use that server in order to communicate with each other. Note that the communication channels are neither encrypted nor authenticated. In production, you must encrypt and authenticate the parties' messages.

Run Keygen

Open 3 terminal tabs, one for each party. Run:

  1. ./gg20_keygen -t 1 -n 3 -i 1 --output local-share1.json
  2. ./gg20_keygen -t 1 -n 3 -i 2 --output local-share2.json
  3. ./gg20_keygen -t 1 -n 3 -i 3 --output local-share3.json

Each command corresponds to one party. Once keygen has completed, you'll have 3 new files, local-share1.json, local-share2.json and local-share3.json, each holding the local secret share of one party.

Run Signing

Since we use a 2-of-3 scheme (t=1, n=3), any two parties can sign a message. Run:

  1. ./gg20_signing -p 1,2 -d "hello" -l local-share1.json
  2. ./gg20_signing -p 1,2 -d "hello" -l local-share2.json

Each party will produce the resulting signature. -p 1,2 specifies the indexes of the parties who participate in signing (each party has an associated index given at keygen, see argument -i), -l file.json sets the path to the file holding the party's secret local share, and -d "hello" is the message being signed.

Running Demo on different computers

While the previous steps show how to run keygen and signing on a single computer, you can run each party on a dedicated machine. To do this, ensure that the parties can reach the SM server, and specify its address via a command line argument, e.g.:

./gg20_keygen --address http://10.0.1.9:8000/ ...
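The GG20 demo above, driven from one script instead of five terminal tabs. This is an added example, not a script from the repository: it assumes the example binaries built by cargo build --release --examples are in BIN_DIR, that gg20_signing accepts the same --address flag shown for gg20_keygen, and it adds a signers_ok guard that rejects a signer list with fewer than t+1 distinct parties before any process is launched.

```shell
#!/bin/sh
# Drives the 2-of-3 GG20 demo: one SM manager, N keygen parties, then
# signing by the chosen subset. Constructed example; assumes the demo
# binaries from `cargo build --release --examples` sit in BIN_DIR and
# that gg20_signing accepts the same --address flag as gg20_keygen.
set -eu

BIN_DIR="${BIN_DIR:-./target/release/examples}"
SM_ADDR="${SM_ADDR:-http://127.0.0.1:8000/}"
T=1   # threshold: any T+1 parties can sign
N=3   # number of parties at keygen

# signers_ok LIST T N: succeed only if LIST names at least T+1 distinct
# party indexes in 1..N; fewer signers cannot complete a GG20 signing.
signers_ok() {
  list=$1; t=$2; n=$3; count=0
  for p in $(printf '%s' "$list" | tr ',' ' '); do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le "$n" ] || return 1
    count=$((count + 1))
  done
  # duplicates such as "1,1" must not count as two signers
  uniq=$(printf '%s\n' "$list" | tr ',' '\n' | sort -u | wc -l | tr -d ' ')
  [ "$uniq" -eq "$count" ] && [ "$count" -ge $((t + 1)) ]
}

# run_demo SIGNERS MESSAGE: keygen for all N parties, then sign with SIGNERS.
run_demo() {
  signers=$1; msg=$2
  signers_ok "$signers" "$T" "$N" ||
    { echo "need at least $((T + 1)) distinct signers in 1..$N" >&2; return 1; }
  "$BIN_DIR/gg20_sm_manager" & sm=$!
  trap 'kill "$sm" 2>/dev/null' EXIT
  sleep 2                      # constructed delay: let the manager bind its port
  pids=""; i=1
  while [ "$i" -le "$N" ]; do  # every party must take part in keygen
    "$BIN_DIR/gg20_keygen" --address "$SM_ADDR" -t "$T" -n "$N" -i "$i" \
      --output "local-share$i.json" & pids="$pids $!"
    i=$((i + 1))
  done
  for pid in $pids; do wait "$pid"; done
  pids=""
  for p in $(printf '%s' "$signers" | tr ',' ' '); do  # only the subset signs
    "$BIN_DIR/gg20_signing" --address "$SM_ADDR" -p "$signers" -d "$msg" \
      -l "local-share$p.json" & pids="$pids $!"
  done
  for pid in $pids; do wait "$pid"; done
}

# Set RUN_DEMO=1 to actually launch the processes, e.g. RUN_DEMO=1 SIGNERS=2,3 ./demo.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then run_demo "${SIGNERS:-1,2}" "${MSG:-hello}"; fi
```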

Run GG18 Demo

The following steps are for setup, key generation with n parties and signing with t+1 parties.

Setup

  1. We use a shared state machine architecture (see white city). The parameters parties and threshold can be configured by changing the file param: keygen will run with parties parties, and signing will run with any subset of threshold + 1 parties. The param file should be located in the same path as the client software.

  2. Install Rust. Run cargo build --release --examples (it will build into /target/release/examples/).

  3. Run the shared state machine: ./gg18_sm_manager. By default it is configured to listen on 127.0.0.1:8000; this can be changed in the Rocket.toml file, which should be in the same folder you run sm_manager from.

KeyGen

Run gg18_keygen_client as follows: ./gg18_keygen_client http://127.0.0.1:8000 keys.store. Replace the IP and port with the ones configured in setup. Once n parties have joined, the application will run to completion. At the end each party gets a local keys file keys.store (change the filename on the command line). This contains the party's secret and public data after keygen, so the file must remain private.

Sign

Run ./gg18_sign_client. The application should be in the same folder as the keys.store file (or the custom filename generated in keygen). The application takes three arguments: IP:port as in keygen, the filename and the message to be signed: ./gg18_sign_client http://127.0.0.1:8001 keys.store "KZen Networks". The same message must be used by all signers. Once t+1 parties have joined, the protocol will run and output the signature (R,s) to the screen.

The ./gg18_sign_client executable first tries to unhex its input message (the third parameter). Before running, ensure two things:

  1. If you want to pass a binary message to be signed, hex it.
  2. If you want to pass a textual message in non-hex form, make sure it can't be unhexed. Simply put, the safest way to use the signing binary is to always hex your messages before passing them to the ./gg18_sign_client executable.

Example

To sign the message hello world, first calculate its hexadecimal representation, which is 68656c6c6f20776f726c64. Then run:

./gg18_sign_client http://127.0.0.1:8000 keys.store "68656c6c6f20776f726c64"

GG18 demo

Run ./run.sh (located in the /demo folder) from the main folder. Move the params file to the same folder as the executables (usually /target/release/examples). The script will spawn a shared state machine, as many clients as there are parties, and signing requests for the first threshold + 1 parties.

The gg18_sm_manager Rocket server runs in production mode by default. You may modify ./run.sh to configure it for a different environment. For example, to run the Rocket server in development mode:

ROCKET_ENV=development ./target/release/examples/sm_manager

Contributions & Development Process

The contribution workflow is described in CONTRIBUTING.md; in addition, the Rust utilities wiki contains information on workflow and environment set-up.

License

Multi-party ECDSA is released under the terms of the GPL-3.0 license. See LICENSE for more information.

Contact

Feel free to reach out or join ZenGo X Telegram for discussions on code and research.

References

[1] https://eprint.iacr.org/2017/552.pdf

[2] https://eprint.iacr.org/2019/114.pdf

[3] https://eprint.iacr.org/2019/503.pdf

[4] https://eprint.iacr.org/2020/540.pdf
