A Key Recovery Protocol for Multiparty Threshold ECDSA Schemes

Recently, threshold ECDSA schemes have received much attention from the security community, due to the need of efficient key management in the blockchain system. For the practical use of threshold cryptosystem, a key recovery protocol is essential for users who lost their own secret shares to recover them. It was studied for a long time in the proactive secret sharing area, but the main aim of recent studies in that area is to achieve stronger security and so they are immoderate for the currently existing threshold ECDSA schemes. In this paper, we provide a new key recovery protocol for threshold ECDSA schemes that is secure against static corruptions by malicious adversaries, as in the common adversary model of the state-of-the-art threshold ECDSA schemes. Our proposed protocol reduces both the computational and communication costs to <inline-formula> <tex-math notation="LaTeX">$O(t^{2})$ </tex-math></inline-formula> from <inline-formula> <tex-math notation="LaTeX">$O(t^{3})$ </tex-math></inline-formula> where <inline-formula> <tex-math notation="LaTeX">$t$ </tex-math></inline-formula> is the threshold of the schemes, that is, the minimum number of users required for generating a valid signature. According to our experimental results, when <inline-formula> <tex-math notation="LaTeX">$t=2$ </tex-math></inline-formula> with 128-bit security, while the previous result takes 10.46 ms in total for all computations (excluding the transmission time on the network), our protocol takes 4.21 ms, which improves by a factor of about 2.48 times. The advantage of our protocol over the previous result is bigger when <inline-formula> <tex-math notation="LaTeX">$t$ </tex-math></inline-formula> is larger. For example, when <inline-formula> <tex-math notation="LaTeX">$t=9$ </tex-math></inline-formula> with 128-bit security, while the previous result requires 333.42 ms in total for all computations, our protocol requires 56.61 ms, which outperforms the previous result by a factor of about 5.89 times.

development of blockchain and cryptocurrencies, a threshold version of ECDSA schemes has received much attention from cryptography and security communities. Differently from other widely utilized signature schemes, like RSA [7] and Schnorr signatures [8], it was a difficult task to design efficient threshold signature schemes based on (DSA and) ECDSA [9], due to the form of signatures that includes an inverse of a randomly chosen element which should be secret to all parties. However, since the appearance of fascinating applications on blockchain and cryptocurrencies, recently there have been proposed various elegant results on designing threshold ECDSA schemes [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20].
Though threshold signature schemes make an adversary harder, it is not the aegis for preventing it from attaining a secret key: Once it captures secret shares of at least t parties, it can generate a valid signature by itself. This type of potential threats was introduced by Ostovsky and Yung [21] and several solutions [22], [23], named proactive threshold signatures, were presented to avoid such type of attacks. Compared to traditional threshold signature schemes, proactive threshold signatures additionally provide two protocols, refresh and recovery: A refresh protocol updates secret shares of n parties without changing the corresponding secret and public keys of a group of n parties. So, if parties run the refresh protocol periodically, then an adversary should attain secret shares of at least t parties in the same period and it makes threshold signature schemes more secure. A recovery protocol is for a party who needs to recover his/her secret share for several reasons, e.g., an attacker's extortion and a party's simple loss. The protocol runs with the help of other honest parties and the party who needs to recover succeeds after executing the protocol.
Recently, proactivation has been also considered in threshold ECDSA schemes. In the open-source [24] of Doerner et al.'s threshold ECDSA schemes [15], the refresh protocol for (2, 2) threshold ECDSA schemes was provided, though the detailed description of the protocol was not explictly given. Later, Canetti et al. [17] presented the refresh protocol for (n, n) threshold ECDSA using Paillier additive homomorphic encryption scheme [25] and zero-knowledge proof techniques. They stated that their refresh protocol can be easily extended to (t, n) threshold settings for t ≤ n by applying the secret sharing technique, but the detail was not given. In [26], Kondi et al. provided refresh protocols, but their protocols focused on the case where some of parties are offline. They presented the refresh protocol for (2, n) threshold schemes and showed that it is impossible to design refresh protocols for (t, n) if t > 2 where some of n parties are offline. But, all aforementioned works did not consider a recovery protocol. To the best of our knowledge, there is only one recent result for a key recovery protocol [27] for threshold ECDSA schemes, but their protocol considered (1,3) threshold ECDSA schemes only.
Since each party in (t, n) threshold ECDSA schemes has the same type of secret shares with that of (t, n) secret sharing schemes, one may consider the approach to applying currently existing proactive secret sharing schemes [28], [29], [30] for threshold ECDSA schemes. However, recent studies on proactive secret sharing schemes mainly attempt to achieve robustness and fairness against active corruptions. So, almost all existing solutions achieve stronger security, but are rather inefficient. On the other hand, the currently existing ECDSA schemes exclude robustness and fairness, and consider static corruptions by malicious adversaries only. Thus, it is immoderate to apply the existing proactive secret sharing techniques directly to threshold ECDSA schemes.

A. OUR CONTRIBUTION
In this paper, we provide a new key recovery protocol for (t, n) threshold ECDSA schemes with t < n which is secure against static corruptions by malicious adversaries without considering robustness and fairness, as in the common adversary model of the currently existing threshold ECDSA schemes. In our protocol, there are t + 1 parties where one party, say P 1 , lost his/her secret share and wishes to recover it, whereas other t parties join with their own secret shares to help P 1 . At the beginning of the protocol, all parties, except P 1 , generate random values which will be shared with other parties and used for hiding his/her secret share before sending it to P 1 . This step can be understood as generating secret shares for zero. In the previous work [22] which achieves the same security level with ours, this step was realized by employing secret sharing techniques for zero. That is, each party generates a random polynomial of degree t − 1 whose constant term is zero, evaluates it at identities of other parties, and then shares them with other parties each. However, this brings about a relatively heavy verification step to check whether the received secret shares are generated correctly using verifiable secret sharing schemes [31], [32]. We bypass this verification step by generating just random values as shares and then letting each party add them to his/her own secret appropriately. In this modification, randomly selected shares play a role of masking secret shares and then they are removed after P 1 's simple calculation. As a result, we reduce both the computational and communication costs to We also present our implementation results of the proposed recovery protocol and the previous protocol [22] for various t and security levels. Our experimental results show that when t = 2 with 128-bit security, our protocol takes 4.21 ms in total for all computations excluding the data transmission time on the network, while the previous result takes 10.46 ms in total. Thus, ours reduces the required time by a factor of about 2.48 times. If t is larger, the advantage of our protocol over the previous result is bigger: When t = 9 with 128-bit security, our protocol requires 56.61 ms in total for all computations, while the previous result requires 333.42 ms in total. So, ours outperforms the previous result by a factor of about 5.89 times.

B. RELATED WORK
Since the concept of threshold cryptosystem was proposed by Desmedt and Frankel [6], there were various studies on constructing threshold signature schemes. However, it was a challenging problem to design efficient threshold DSA/ECDSA schemes for a long time. Due to the development of blockchain, the need of threshold ECDSA schemes was also raised. In 2016, Gennaro et al. [10] made a breakthrough using threshold additive homomorphic encryption [33], [34]. Later, there have been proposed various studies on designing threshold ECDSA schemes and they can be divided into two categories by exploited cryptographic tools.
The first category includes the schemes that use additive homomorphic encryption. Lindell [11] proposed two-party threshold ECDSA schemes using Paillier encryption [25]. Then, Lindell and Nof [13] extended it to the multi-party VOLUME 10, 2022 setting using additive ElGamal encryption [35]. Independently, Gennaro and Goldfeder [12] proposed multi-party threshold ECDSA schemes using Paillier encryption. Castagnos et al. [16] presented an efficient two-party ECDSA scheme using additive homomorphic encryption over class groups. Canetti et al. [17] proposed UC-secure and proactive multi-party ECDSA schemes using Paillier encryption. Recently, Deng et al. [19] proposed an efficient multi-party ECDSA protocol using additive homomorphic encryption over class groups by improving the corresponding sigma protocols.
The second category includes the schemes that use other cryptographic primitives. Doerner et al. [14] presented a two-party ECDSA scheme using oblivious transfer and subsequently they extended it to the multi-party setting [15]. Damgård et al. [20] proposed a multi-party ECDSA scheme using secret sharing techniques. Their protocol is efficient, but requires the honest majority assumption. Finally, Xue et al. [18] recently proposed a two-party online-friendly ECDSA scheme. Their construction can be applied for both cases that use additive homomorphic encryption and oblivious transfer each and improved the required online time. We remark that it is assumed that adversaries in all aforementioned schemes in both categories can corrupt parties at the onset of the execution. That is, they allow adversaries for static corruptions only. In addition, they did not consider robustness and fairness.
Though secret keys for threshold schemes are distributively stored, they still have a security issue once at least t secret shares for (t, n) threshold schemes are revealed. This type of threats was introduced by Ostrovsky and Yung [21]. To avoid such an attack, proactive threshold schemes were introduced in [22] and [23]. Following the original works, there have been proposed various studies [28], [29], [30] on proactive secret sharing that additionally provides refresh and recovery protocols, to enhance the security and improve the efficiency. However, the direction for recent proactive secret sharing schemes focuses on achieving stronger security, e.g., robustness and fairness against adaptive corruptions in the dynamic setting. Thus, they are excessive to apply directly for threshold ECDSA schemes.
Recently, there have been proposed several studies on providing the proactive security to threshold ECDSA schemes. In the open-source [24] of Doerner et al.'s protocol [15], a function for the refresh protocol was given, but it works only for (2, 2) threshold ECDSA schemes. Canetti et al. [17] proposed a refresh protocol using Paillier encryption and zero-knowledge proofs, but they provided a description of the refresh protocol for (n, n) threshold ECDSA only and just stated that one can easily obtain a refresh protocol for (t, n) threshold ECDSA schemes with t < n by applying secret sharing techniques. In [26], Kondi et al. presented refresh protocols where some of parties are offline. However, the aforementioned works did not consider a recovery protocol. As far as we know, the authors in [27] only considered the recovery protocol, but the proposed construction was for (1, 3) threshold ECDSA schemes only, not for general cases.

C. OUTLINE OF THE PAPER
Section II reviews the definitions and models for the problem that we consider in this paper and introduces building blocks for our construction. We provide our key recovery protocol with analysis in Section III. Several implementation results and concluding remarks are given in Section IV and Section V, respectively.

II. DEFINITIONS AND BUILDING BLOCKS
In this section, we provide our communication model and definitions for key recovery protocols. Then, we review commitment schemes and secret sharing schemes which are main building blocks of our recovery protocol as well as key generation for (t, n) threshold ECDSA schemes.

A. MODELS AND DEFINITIONS
Now, we briefly introduce our communication model, adversary types, and definitions for key recovery protocols.

1) COMMUNICATION MODEL
It is assumed that our computational model consists of a set of t + 1 parties, P 1 , . . . , P t+1 , and they are connected by a complete network of private point-to-point channels as well as a broadcast channel. For simplicity, we assume that a semantically secure encryption scheme [36] is employed for establishing a secure channel. We also assume that the network is partially synchronous and so an adversary speaks last in every communication round.

2) ADVERSARY TYPES
We assume that an adversary can corrupt up to t − 1 parties among t + 1 parties. (Since we focus on (t, n) threshold schemes, if t parties are corrupted, then the adversary can learn the secret information. On the other hand, we note that our protocol does not consider robustness and so does not require the honest majority assumption.) The adversary is a probabilistic polynomial-time (PPT) Turing machine and sets corrupted parties at the onset of the execution. In other words, the adversary is static. We consider a malicious adversary and so the parties corrupted by the adversary can behave in any way.

3) CRYPTOGRAPHIC ASSUMPTION
We use the discrete logarithm (DL) assumption [37, §3.5]. Throughout the paper, for any set X , we use x $ ← − X to denote a uniform random sampling of x from X .
Definition 1: Let G be an additive cyclic group of prime order q = q(λ) where λ is the security parameter. Let P be a random generator of G. Given an instance (P, aP) with randomly chosen a ∈ Z q , the discrete logarithm problem (DLP) is to find a ∈ Z q .
We say that the DL assumption holds if for any PPT adversary A is negligible in the security parameter λ.

4) (t , n)-SECRET SHARING
A secret sharing scheme allows a dealer to share a secret sk among n parties P 1 , . . . , P n , such that any authorized subset of parties can use all their shares to reconstruct the secret, whereas any other non-authorized subset learns nothing about the secret from their shares. More formally, we give a definition of (t, n) secret sharing. We begin by introducing a useful new notation: For an algorithm A, the expression a ← A(· · · ) denotes that A is executed on the elided inputs and a is assigned its output, throughout the paper.
Definition 2: A (t, n)-secret sharing scheme over message space M is a pair of algorithms (Share, Recon) such that: (sk 1 , . . . , sk n ) ← Share(sk) is run by a dealer to distribute shares. It is a randomized algorithm that takes as input a secret sk ∈ M and outputs an n-tuple of shares (sk 1 , sk 2 , . . . , sk n ). sk ← Recon(sk i 1 , . . . , sk i t ) is run by a subset of t or more parties to reconstruct the secret sk. It is a deterministic algorithm that given a t-tuple of shares outputs a secret sk ∈ M . There have been various (t, n) secret sharing schemes, e.g., see References [38], [39], [40], [41]. We will further discuss Shamir's secret sharing scheme among them because most of threshold ECDSA schemes rely on it (see Section II-C for the details).

5) A KEY RECOVERY PROTOCOL
In this paper, we consider the following scenario: There are t + 1 parties, P 1 , . . . , P t+1 , where each party has a secret share sk i for secret sk of (t, n) threshold ECDSA scheme with t < n. 2 Suppose a party, say P 1 , lost his/her secret share and wishes to recover it. The aim of a recovery protocol is to recover sk 1 with the help of other parties, P 2 , . . . , P t+1 , without revealing secret information of other parties and secret sk.
We formalize the syntax and security notion of key recovery protocol below.
Definition 3: A key recovery protocol K is a pair of polynomial time algorithms (Group, Recover) such that: G ← Group(n, t, i) is run by a party P i which lost his secret share sk i and wishes to recover it. This algorithm takes as input a pair of threshold parameters (t, n) and the index of the party P i , and outputs an ad-hoc group G ⊆ {P 1 , . . . , P n }\{P i } of cardinality ≥ t in which each party P j owns its secret share sk j . sk i ← Recover(pk, {sk j } j∈G ) is run by the parties P i and P j ∈ G\{i}. The algorithm takes as input the public key pk and a set of secret shares {sk j } of the parties in G, denoted by {sk j } j∈G , and outputs the restored secret share sk i to the party P i and nothing to the parties in G.
We remark that the public key pk is implicitly given from an algorithm at a higher level. Moreover, it satisfies the following correctness requirement: • Correctness: For all sk ∈ M and for all I = {i 1 , . . . , i k } {1, 2, . . . , n}\{i} of cardinality at least t − 1, We next define the security for such a key recovery protocol. Intuitively, we require that if the adversary is trying to learn any secret information about honest parties' secret share sk i and the secret sk, it will fail. Definition 4 Real Model: Let K be a key recovery protocol where each party P i has a secret input x i and a public input y i . Each P i returns an output z i after the execution of the protocol K. Let A be an adversary that can corrupt up to t − 1 parties. Let x = (x 1 , y 1 , . . . , x t+1 , y t+1 ), let r = (r 1 , . . . , r t+1 , r * ) be the random inputs the parties and the adversary respectively, let I * be the index set of the corrupted parties, and let a ∈ {0, 1} * be the auxiliary input. We denote the output of the adversary after the execution of the protocol as Real K,A (x, I * , a, r) and the output of the party P i as Real We define the Real K,A (x, I * , a, r) to be the random variable for a uniformly chosen r. Finally we define a distribution ensemble Real K,A indexed by (x, I * , a) as We define the output of f as: In the ideal model, parties send their input (x i , y i ) to a trusted party which computes f and returns P i its output value z i . The ideal model adversary B can see (y 1 , . . . , y t+1 ) and secret values {x j } j∈I * for the corrupted parties, and further replace We denote the output of the ideal model adversary after the evaluation as Ideal f ,B (x, I * , a, r) and the output of the party P i as Ideal , r). Then let , r), VOLUME 10, 2022 Ideal Similarly to the real model, we define a distribution ensemble Ideal f ,B indexed by (x, I * , a) as Definition 6: Let f be as in Definition 5 and K be a (t + 1)-party key recovery protocol for computing f . Then we say that K securely computes f in the statically corrupt setting if for all PPT algorithm A, there exists an ideal model adversary B whose running time is polynomial in the running time of A, and such that where c ≈ means computationally indistinguishable between two ensembles.
In addition to the above requirements, proactive secret sharing schemes generally are required to achieve the robustness. This property means that the adversary cannot deny their outputs to the honest parties. However, to the best of our knowledge, all currently existing ECDSA schemes do not consider the robustness. So, we exclude it from the security requirements for the recovery protocol.
We remark that more than t parties who have their own secret shares may join the key recovery protocol for (t, n) threshold schemes if n > t + 1. We can easily adjust our proposed protocol for this case. However, for simple explanation, we assume that exact t + 1 parties join the protocol where t parties among them have their own secret shares. In addition, two or more parties may lose their secret shares. In this case, we can recover secret shares by running the recovery protocol sequentially if there exist at least t parties who have their own secret shares. So, we assume that just a party loses his/her own secret share in the protocol.

B. COMMITMENT
We briefly review a commitment scheme to make our key recovery protocol secure even in the malicious model. Roughly, we let each party commit to a randomness to mask its secret share before it provides the secret share masked by the randomness.

1) COMMITMENT
A commitment scheme consists of two algorithms Kg and COM, which are defined as follows: ck ← Kg(1 λ ) is called the key generation algorithm that takes the security parameter λ and outputs the commitment key ck. The message space M ck , the randomness space R ck , and the commitment space C ck are specified in ck. B ← COM(ck, b; r) is called the commitment algorithm that takes b ∈ M ck and outputs a commitment B ∈ C ck using randomness r ∈ R ck . To commit to a message b ∈ M ck , the sender selects r $ ← − R ck and computes the commitment B = COM(ck, b; r). We omit ck when no confusions arise. We formally define two properties of the security for the commitment scheme.
Definition 7 Hiding property: A commitment scheme is hiding if for all polynomial-time interactive algorithms A, the following probability is negligible in the security parameter λ:

Definition 8 Binding property: A commitment scheme is binding if for all polynomial-time interactive adversaries
A, the following probability is negligible in the security parameter λ:

2) INSTANTIATIONS
Let P and Q be two random generators of a group G of prime order q. Consider a commitment scheme simply defined as COM(b; r) := bP. It is known as the Feldman commitment [31], and satisfies unconditionally binding and computationally hiding properties under the assumption that the DL problem is hard in G. Another scheme, known as the Pedersen commitment [32], is of the form COM(b; r) := bP + rQ, where r ∈ Z q . Pedersen commitments are unconditionally hiding and computationally binding under the DL assumption. Finally, a committer may use H (b) or H (b r) to commit to b for a collision-resistant hash function H . Refer to Section 3.5 of [42] that covers commitment schemes for details.
Remark 1: A popular way to achieve the malicious security is to combine a commitment scheme and zero-knowledge proof protocols. However, this approach is clearly quite effective at the price of computation and communication overheads. For this performance reason, we let a sender open a commitment to a value over a secure channel later. Then a receiver can test if the sender honestly committed to the value only by a simple calculation and more importantly, it can directly use the value in subsequent computation. This approach is more suitable for our setting.

C. SHAMIR SECRET SHARING
Secure key distribution is one of key components to design threshold cryptosystems. Among various techniques for key distribution, a Shamir secret sharing scheme [43] is the most well-known and widely utilized technique. It is based on polynomial evaluation and interpolation, and consists of two phases: key distribution and reconstruction.
Suppose n parties, P 1 , . . . , P n , would like to share a secret key sk with threshold t, that is, t − 1 or fewer parties cannot recover the secret key sk using their own secret shares sk i 's, whereas at least t parties can recover it jointly. In the key distribution phase, a dealer first generates a random polynomial f (x) of degree t − 1 with the constant term f (0) = sk. Then, he evaluates f (x) at i for each party P i and forwards sk i = f (i) to P i as his/her own secret share via a secure channel between the dealer and P i .
Next, once a need arises, t parties join the reconstruction phase to recover the secret key sk. In the reconstruction phase, each party computes the Lagrange coefficient where J is the set of indices of t parties, e.g., J = {1, 2, 4} if P 1 , P 2 , and P 4 join the key reconstruction phase for t = 3. Then, each party computes and shares sk i = J i (0) · sk i with all other parties. Once receiving sk i 's, each party succeeds in recovering the secret key sk by computing In fact, if t parties, excluding P 1 , join the key reconstruction phase with their own secret shares sk i , they can jointly recover the secret share of P 1 by replacing J i (0) and respectively.
In addition, there are several issues on using the Shamir secret sharing scheme. First, in the description of the scheme above, there is a dealer who knows the secret key sk. To remove the help of the dealer, each party P i performs as the dealer to share a secret s i which is selected by P i him/herself and privately sends s i,j to P j for 1 ≤ j ≤ n as the secret share of P j for s i . Then, each party P i sets his secret share sk i to n j=1 s j,i and regards sk as n i=1 s i , which is secret to all. This holds from the relation f (a) + g(a) = (f + g)(a) where f , g are polynomials and a is a point in the domain of f and g.
Second, after finishing the key reconstruction phase, one obtains the secret key sk. However, in the practical schemes that exploit the secret sharing scheme, the final result is the same as an outcome of algorithms which take the secret key as an input, not the secret key itself. For example, the party who join the signing protocol of threshold ECDSA schemes obtains a valid ECDSA signature of an input message, not the secret key itself. Thus, we can repeatedly use shared secrets in practice.

D. KEY GENERATION RESULT IN THRESHOLD ECDSA SCHEMES
Since this paper focuses on a key recovery protocol for (t, n) threshold ECDSA schemes, it is assumed that parties already share a secret by jointly executing a key generation protocol. The detailed descriptions of key generation protocols in threshold ECDSA schemes are not our interest, so we omit them. However, it is important to know that each party has which type of secret shares after the key generation protocol.
Let G be an additive cyclic group of prime order q over elliptic curve E and P be a generator of G. We assume that a threshold ECDSA scheme is defined over G. To execute a key recovery protocol, t + 1 parties already shared a secret with threshold t. So, n should be larger than t in (t, n) threshold ECDSA schemes. In this case, the Shamir secret sharing scheme is used for secret key sharing in all currently existing ECDSA schemes. As a result, each party has a secret share sk i where sk i = f (i) for a random polynomial f (x) which is hidden to all parties and whose constant term is a secret sk = f (0). Furthermore, X i = sk i P is a public key for party P i and X = skP is the common public key for n parties. We note that the relations sk = j∈J J j (0)sk j and X = j∈J J j (0)X j hold where J is a subset of indices of n parties with the size t or larger, and J j (0) is the Lagrange coefficient defined as in Equation (1) of Section II-C.

III. OUR KEY RECOVERY PROTOCOL
In this section, we first present the description of our key recovery protocol for threshold ECDSA schemes. We then provide security and efficiency analysis of the proposed construction.

A. PROTOCOL DESCRIPTION
The aim of the proposed protocol is to re-issue the secret share of the party who lost it for (t, n)-threshold ECDSA schemes where the re-issued share is the same as the previously issued one. More concretely, in our protocol there are t + 1 parties, P 1 , . . . , P t+1 , where one party, say P 1 , lost his secret share sk 1 and wishes to recover it with the help of all other parties P i 's who join the protocol with their own secret shares sk i 's each. We assume that X i = sk i P and X = skP are public to all parties, where P is a generator of an underlying additive cyclic group G over an elliptic curve E, as described in Section II-D.

1) PROTOCOL ABSTRACTION
We begin with presenting how our protocol works in the abstract level. To recover P 1 's secret share, P 1 should obtain where G = {2, 3, . . . , t + 1} and G j (1) is the Lagrange coefficient defined as in Equation (2) of Section II-D. At the same time, sk i should be hidden to P 1 . To hide sk i , at the beginning of the protocol, each party P i for i ∈ G generates random values b ij 's for j ∈ G\{i} and passes b ij to P j with the commitment to b ij via a secure channel. Then, each party P i for i ∈ G adds the shares generated by him/herself to

2) PROTOCOL DESCRIPTION
We are ready to describe our key recovery protocol in detail. Recall that a key recovery protocol consists of a pair of polynomial time algorithms-Group, Recover (see Definition 3).

a: THE AD-HOC GROUPING ALGORITHM Group(n, t , 1)
A subset of n parties groups together by aggregating the identities of parties that wish to engage in a key recovery process. Conceptually, an easy way to obtain such a subset is a public bulletin board for parties who wish to create an ad-hoc group.
We should notice that a single party that is allowed to set up a group may have a power that can easily be abused. For example, some corrupted party can always group a single honest party with other t − 1 parties that it can control over. Thus we consider a secure way to prevent the party from grouping the parties as it wishes. Informally, all parties run a sort of joint coin tossing protocol so that the parties controlled by the malicious adversary are uniformly distributed within all the groups running the protocol.
The algorithm starts with a request from party P 1 which wishes to recover its secret share. Then our grouping algorithm directly uses the group setup protocol proposed by Lindell  The secret share recovery algorithm jointly works as follows. For notational simplicity, we think of the group G as a set of indices rather than a set of identities, and thus we write simply G = {2, 3, . . . , t + 1}. As mentioned before, we assume that the party P 1 requests a recovery process. 1) Each P i , i ∈ G, performs the following steps: For each j ∈ G and j = i, a) Select a random element b ij from Z * q and a randomizer r ij from R ck . b) Compute and send B ij = COM(b ij ; r ij ) to P j .
2) Each P i , i ∈ G, opens B ij by sending (b ij , r ij ) to P j .
3) Each P i , i ∈ G, performs the following steps: For each j ∈ G and j = i, a) Check whether B ij is the commitment to b ij . Abort if it does not hold. b) Compute c) Send s i to P 1 over a secure channel. 4) P 1 performs the following steps: Abort if it does not hold. c) Output sk 1 .
We briefly check over the security property of our protocol first. For the correctness, while P 1 adds all received values, random values b ij 's that are added or subtracted by other parties are all cancelled since addition and subtraction of each value are performed once each. So, the correctness of the proposed protocol is guaranteed.
Let us move on the secrecy. We notice that P 1 needs the help of t − 1 parties to get rid of random values from the received values. However, because we allow the corruption of up to t − 1 parties including P 1 , P 1 cannot learn the information on sk. If P 1 is not corrupted, other parties cannot receive the secret information related to the target honest party because the values related to secret share are passed to P 1 only via a secure channel. So, the secrecy of the proposed protocol is also guaranteed.
In the next subsection, we will provide a detailed analysis of security evaluation. In Figure 1, we provide a toy example for better understanding how our key recovery protocol works, where we consider three parties, P 1 , P 2 , and P 3 , and suppose that the party P 1 lost his/her secret share sk 1 . Recall that for the secret share sk i of P i , the corresponding public key is written as X i = sk i P.
We assume that the Feldman commitment scheme [31] is employed as a commitment scheme for simple explanation.
At Step 1, the party P 2 begins with picking a random integer b 23 ∈ Z * q and computes a commitment to b 23 in B 23 = b 23 P. Then P 2 sends B 23 to P 3 . At the same time, P 3 picks a random integer b 32 ∈ Z * q , computes B 32 = b 32 P, and sends B 32 to P 2 . Subsequently, at Step 2, P 2 opens B 23 by sending b 23 to P 3 via a secure channel, while P 3 opens B 32 by sending b 32 to P 2 via a secure channel.
At Step 3, upon receiving b 32 from P 3 , P 2 checks if b 23 P equals to B 32 . If the two values are different, then it terminates the recovery process. Using the Lagrange coefficient polynomial G 2 (z), P 2 computes where G = {2, 3} and sends s 2 to P 1 via a secure channel. Similarly, P 3 sends to P 1 via a secure channel if B 23 is valid. Finally, at Step 4, P 1 is ready to find his/her secret share sk 1 . Firstly, it computes sk 1 = s 2 + s 3 and then it tests if the public key X 1 equals to the value sk 1 P. If the two values are different, then abort the protocol. Otherwise P 1 sets sk 1 to sk 1 = sk 1 . [22] The HJKY protocol presented by Herzberg et al. [22] achieves the similar security level to ours under the adversary model that we have considered. In fact, the construction idea is very similar to ours, but the main difference is that the HJKY protocol exploits verifiable secret sharing schemes [31], [32] to generate values for masking the secret share sk i . More precisely, in their protocol, each party P i for i ∈ G first generates a random polynomial r i (x) of degree t − 1 with r i (0) = 0, evaluates it at j for j ∈ G\{i}, and passes r i (j) to P j with homomorphic commitments to coefficients. Then, after receiving values, each party P i checks whether the received values r j (i)'s are correctly computed with the committed values. If all verification passes, each party adds the received values to his/her secret share and then sends the result to P 1 . Finally, P 1 obtains sk 1 by applying the Lagrange interpolation to the received values.

d: DIFFERENCES BETWEEN OURS AND THE HJKY PROTOCOL IN
In the above process, to verify values r i (j)'s, each party sends O(t) commitments to other parties each. So, the total communication cost for this step is O(t 3 ). Moreover, it takes O(t) group operations to check a value r i (j) using homomorphic commitment schemes, like Feldman and Pedersen commitment schemes [31], [32]. So, the total computational cost for this step is O(t 3 ) group operations as well.

B. SECURITY ANALYSIS
In this subsection, we look into the correctness and secrecy of our proposed construction.

1) CORRECTNESS
Now, we investigate the correctness of our proposed key recovery protocol. That is, we check that the party P 1 obtains his/her own secret share sk 1 once other parties P 2 , . . . , P t+1 follow the protocol as described faithfully.
The following theorem shows the correctness of our proposed protocol.
Theorem 1: In our recovery algorithm Recover(), P 1 obtains his/her exact secret share sk 1 that he/she lost if all parties behave as described faithfully. Therefore, our protocol satisfies the correctness of key recover protocol in Definition 3.
Proof: First, at Step 3, each party P i has b ji 's for all j ∈ G with j = i and the relation B ji = Com(b ji ; r ji ) holds for each j if the party P j generates B ji honestly. Next, each party P i generates for the set G = {2, . . . , t + 1} and sends s i to P 1 . Once receiving s i 's from P i , P 1 obtains sk 1 since The second equality holds if parties P 2 , . . . , P t+1 follow the protocol honestly. The fourth equality holds since in   , each b ij is added and subtracted exactly once and so the result is zero. Finally, the last equality holds from the relation of the Lagrange interpolation.
Since sk 1 is the exact secret share for P 1 that it lost, once at least t parties including P 1 jointly run Recon() algorithm, it returns the secret key sk. Therefore, it satisfies the correctness of Definition 3.

2) SECRECY
Next, we take a closer look at the secrecy of our proposed protocol. Since our protocol is designed to recover a secret share of a particular party in the (t, n)-threshold ECDSA scheme, all secrets are inherently revealed once t parties who have their own secret shares are corrupted. Thus, we assume that the adversary can corrupt up to t − 1 parties among t + 1 parties. Furthermore, a secret share sk i of P i who is not corrupted, should not be revealed to the adversary. Otherwise, the adversary can have t secret shares including them of corrupted parties and so the secret sk can be revealed.
The following theorem shows the secrecy of our proposed protocol.
Theorem 2: Suppose that P 1 wishes to recover the secret share of sk, and let G = {2, 3, . . . , t +1} be a group of parties given by algorithm Group(n, t, 1). The protocol described in Section III-A is secure against the malicious adversary which can corrupt at most t − 1 parties, assuming that the exploited secure channel is established by a semantically secure encryption scheme, and the employed commitment scheme satisfies hiding and binding properties.
Proof: In this simulation-based proof, we will construct an algorithm for an ideal model adversary B which is polynomial in the running time. The ideal model adversary B communicates with a set of corrupted parties I * ⊂ G, which is of cardinality at most t − 1, pretending a set of honest parties in such a way that the corrupted parties in I * cannot detect if he is either in the real protocol or in the ideal world. The incorruptible trusted party takes the input from B and the honest parties in the ideal world, and returns the output to B and/or the honest parties. Then B communicates with the malicious parties in I * , and thus they also learn the same output. We formally describe the algorithm as follows: 1) For each simulated honest party δ ∈ = G\I * , perform the followings: a) Choose a random value sk δ ∈ M where recall M is a message space for a secret sharing scheme. b) Pick random elements b δj ∈ Z * q and randomizers r δj ∈ R ck for each j ∈ G\{δ}.
2) Perform Steps 1 and 2 of the algorithm Recover(): a) Send the commitment B δj * to b δj * to each malicious party j * ∈ I * . b) Send an encryption of (b δj * , r δj * ), denotedb δj * , to each malicious party j * ∈ I * . c) Receive from each malicious party i * ∈ I * : i) commitment B i * j to b i * j ii) a pair of committed values (b i * j , r i * j ) and its encryptionb i * j iii) all pairs of committed values {(b δi * , r δi * )} δ∈ and a set of corresponding encryptions {b δi * } 3) B obtains {sk i * } i * ∈I * , {b δj * } j * ∈I * , and {b i * j } i * ∈I * . For all i * ∈ I * , build 4) B submits {s i * } i * ∈I * to the trusted third party. The honest parties submit their s δ to the trusted third party.
• Case 1 ∈ I * . The trusted party returns sk 1 to the honest party P 1 .
• Case 1 ∈ I * . The trusted party returns sk 1 to B. 5) B follows the rest of the protocol with the malicious parties as instructed. This completes the description of B. To check that B works as required, in the real and ideal worlds, we fix arbitrary values in the input and random tape of the environment Z, which forces the random choices of the players and those of B to be the only source of randomness. We now argue that for any set of fixed values, Z cannot computationally determine whether it interacts with the ideal world or with the real protocol, if we use B in the ideal world as described above.
Note that what Z can observe is the output generated by the parties, plus it sees the view of the corrupted parties. As a consequence, it will be clearly sufficient to prove the following.
Firstly, until Step 1 the only messages Z that will see from honest parties are random elements and randomizers they hold. This is perfectly simulated: Both in simulation and in the real protocol the adversary sees t − 1 independently random elements and values. Then it is straightforward to see that the rest of the values in the view follow in a correct way from the starting values.
At Step 2, Z will see results for all parties. In the ideal world, these results are computed according to the given function by functionality f from the inputs specified by Z.
In the real protocol, however it can check that all parties will compute the same function from the inputs specified by Z. In Step 2c, Z will see the corrupted parties' view of commitments, encryptions, and random elements. Security of the commitment scheme guarantees that the distribution of these commitments in the ideal is identical to that of in the real protocol. Similarly, the security of the exploited encryption scheme for constructing secure channels guarantees that the distribution of these encryptions is computationally indistinguishable from that in the real protocol. If these values go to the honest parties, nothing more is revealed. This covers the case where 1 ∈ I * . If these values go to the corrupted parties including P 1 (i.e., the case where 1 ∈ I * ), observe that in the real protocol, there are at least two or more honest parties, thus although the view of P 1 is given by The above value is uniformly random because sk δ and R are uniformly random. Here, R (resp., R I * ) is obtained by adding random elements of the honest parties (resp., corrupted parties) and subtracting random elements received by the honest parties from all other parties in G. It is now clear that the procedure used by B to recover a lost secret share sk 1 leads to the same distribution. This concludes the proof.

C. EFFICIENCY ANALYSIS
First, let us evaluate the computational cost of our protocol. For simplicity, we assume that the Feldman commitment scheme [31] is exploited in our key recovery protocol, and it requires a scalar multiplication of elliptic curve point for commitment generation and verification each. Then, the most expensive operation in our protocol is a scalar multiplication  of elliptic curve point. At Steps 1 and 3, each party, except P 1 , takes (t − 1) scalar multiplications, respectively. So, P 2 , . . . , P t+1 take 2(t − 1) scalar multiplications. On the other hand, P 1 takes only one scalar multiplication at the last step for verification. Thus, the total computational cost is 2(t−1)t+1 scalar multiplications, which correspond to O(t 2 ).
Next, let us consider the communication cost of our protocol. Again under assuming that the Feldman commitment scheme [31] is exploited in our key recovery protocol, at Steps 1 and 2, each party, except P 1 , sends two elements in Z q and G, respectively, to all other parties. At Step 3 each party, except P 1 , sends an element in Z q to P 1 . So, the total communication cost is t 2 |Z q |+t(t−1)|G|, which corresponds to O(t 2 ), where |Z q | and |G| are the bit lengths to represent elements in Z q and G, respectively.
In Table 1, we summarize the computational and communication complexities of our protocol and the HJKY protocol [22] that achieves the same security with ours.

IV. IMPLEMENTATION RESULTS
In this section, we present implementation results of ours and the HJKY protocol in [22] for various parameter settings.

A. EXPERIMENTAL ENVIRONMENTS
The source codes 3 of our implementation were written in C++ and compiled using g++ 9.4.0 compiler. We used the 3 https://github.com/CryptoLabCAU/KeyRecovery OpenSSL library [45] for using the symmetric key encryption, AES-256-GCM, to establish private peer-to-peer channels, and for implementing arithmetic of large numbers and elliptic curve operations in the protocols. However, we do not implement data transmission on the network. Instead, we store and read them on memory once party's computation at each step ends and begins, respectively. We have tested the programs on the modern PC with Intel(R) Core(TM) i7-11700 CPU at 2.50 GHz and 32 GB RAM. The operating system for our experiments was Ubuntu 20.04 LTS on Windows Subsystem for Linux (WSL) on Windows 10 pro 64-bits.

B. EXPERIMENTAL RESULTS
Now, we present our experimental results of ours and the HJKY protocol for various parameters. Each test was done 100 times and the results in the tables and graphs below are averages of those execution times. Table 2 gives computation times of our protocol and the HJKY protocol for small t and several security levels. In Table 2    protocol requires 10.467 ms for the same purpose. Ours reduces the computation time by a factor of about 2.49 times. Figures 2 and 3 pictorially present computation times of ours and the HJKY protocol, respectively, and the results tend to increase when t and security levels are increased, as expected.
When t is larger, the advantage of our protocol becomes higher: Table 3 provides several implementation results of ours and the HJKY protocol for larger t at 128-bit security. In the table, when t = 9, while the HJKY protocol takes 333.42 ms in total for computations, ours takes 56.61 ms for the same purpose which improves by a factor of 5.89 times. Figure 4 shows a pictorial description of total computation time of ours and the HJKY protocol. It shows that the gap between the results of ours and the HJKY protocol becomes larger as t is increased.

V. CONCLUSION
In this paper, we present a new key recovery protocol for a party who lost his/her secret share that is secure against static corruptions of up to (t − 1) parties by malicious adversaries in (t, n) threshold ECDSA schemes. Our proposed protocol improves the computational and communication costs from O(t 3 ) to O(t 2 ). We show the efficiency improvements of our proposed protocol by presenting implementation results.
Though our proposed protocol can be applied for other threshold cryptosystems, the security level that our protocol achieves is relatively weaker than those of recently proposed proactive secret sharing schemes: Our protocol has limitations that it does not achieve robustness and fairness. It does not consider the dynamic setting as well. As a future work, it may be interesting to improve the efficiency of currently existing proactive secret sharing schemes that achieve stronger security as well as to enhance the security level that threshold ECDSA schemes achieve.

APPENDIX A GROUP SETUP PROTOCOL
Let n denote the overall number of parties in the system, t − 1 denote the overall number of parties under the control of the adversary, and t be the size of each group running the key recovery protocol, except a party who lost his/her secret key.
The grouping protocol uses two hash functions F 1 and F 2 which will be considered as random oracles in the security proof. We provide a formal description of the protocol. 1) Each P i chooses a random r i and sends F 1 (ip i , pk i , r i ) to the public bulletin board (PBB) where ip i and pk i indicate P i 's IP address and public key, respectively. 2) After a short prefixed delay, each party queries the PBB for the table of parties which have registered. 3) Each party P i computes α = F 2 (F 1 (ip 1 , pk 1 , r 1 ), . . . , F 1 (ip n , pk n , r n )) and parses the result α into chunks of size log n, denoted α 1 , . . . , α n . Each party P i is associated with α i and the table is sorted by the α i values. 4) Grouping is performed by taking a group of t parties according to the sorting. Namely, for some i $ ← − {1, 2, . . . , n t }, a group G is set to be the parties associated with the values (α n·(i−1)+1 , . . . , α n·i ). 5) The PBB sends the IP addresses of the group members to the members of each group. 6) Members of each group send each other their IP address, public key and randomness that were used when registering with the PBB. 7) Each group member computes F 1 (ip j , pk j , r j ) for every party P j in its group and verifies that it matches what was recorded by the center during registration. In addition, it verifies that it received the IP address of all parties that are in its group, by the computation of F 2 . If no, then it sends abort to all the parties in its group.
According to the analysis in [44], the probability of a bad grouping is approximately t−1 n t−2 · n. For more details of the bound, see Section 5.2.2 of [44].
SANGRAE CHO received the B.Eng. degree in computing from Imperial College London, in 1996, and the M.Sc. degree in information security from the Royal Holloway, University of London, in 1997. He started his career as a Researcher at LG Corporate Technology Institute, in 1997, and he worked at the Electronics and Telecommunications Research Institute (ETRI), South Korea, as a Security Researcher for more than 15 years. During that time, he has been actively involved in constructing a national PKI infrastructure project, until 2001. He is currently a Senior Researcher with the Authentication Research Team, ETRI. In 2004, he has done several projects relating to digital identity management, including SAML v2.0 and authentication technology based on fast identity online (FIDO) specifications.
SEONGBONG CHOI received the B.Sc. degree in computer science and engineering from Jeonbuk National University, Republic of Korea, in 2020, and the M.S. degree in computer science and engineering from Chung-Ang University, Republic of Korea, in 2022, where he is currently pursuing the Ph.D. degree with the School of Computer Science and Engineering. His research interest includes public key cryptography.
YOUNG-SEOB CHO received the Ph.D. degree in computer science from Inha University, South Korea. Since 1998, he has been working on research projects with the Electronics and Telecommunications Research Institute (ETRI) and continuously conducted numerous projects on national and international level. He is currently a Principal Researcher with the Information Security Research Division, ETRI. His current research interests include multiparty computation, blockchain identity management, and AI security.