Definition
A generic G-DSA signature algorithm is defined as follows:
- The public parameters include a cyclic group of prime order generated by an element , a hash function defined from arbitrary strings into and another hash function defined from to .
- Key-Gen: On input the security parameter ,
- outputs a private key chosen uniformly at random in , and
- a public key computed in .
- Signature: On input an arbitrary message ,
- compute
- choose
- compute in and
- compute
- output
- Verification: On input , and ,
- check that
- compute in .
- accept (outupt 1) iff .
The traditional DSA algorithm is obtained by:
- choosing large primes such that and setting to be the subgroup of order
- in this case the multiplication operation in is multiplication modulo .
- the function is defined as .
The EC-DSA algorithm is obtained by:
- choosing as a group of points on an elliptic curve of cardinality .
- in this case the multiplication operation in is the group operation over the curve.
- the function is defined as where is the -coordinate of the point .
Threshold DSA
The main technical issue in constructing threshold DSA signatures is dealing with the fact that both the secret key and the nonce have to remain secret. This means that in a threshold scheme, they must be shared in some way among the servers.