getamis / alice

Hierarchical Threshold Signature Scheme
Apache License 2.0

Have you done range proofs in the Mta functions? #246

Closed MaggieNgWu closed 7 months ago

MaggieNgWu commented 1 year ago

There's a range check in the Mta function, but no range proof, is that right? What kind of attacks can happen if you do not do a range proof?

cychuang0924 commented 1 year ago

Hi MaggieNgWu,

The original algorithm of GG18 without ZK range proof is insecure. More details can be found in "A Note on the Security of GG18" and "Alpha-Rays: Key Extraction Attacks on Threshold ECDSA Implementations".

In brief, this version of Mta has a risk of losing the private key.

Therefore, the authors of section 5 in GG18 revised their algorithm.

They claimed that if sMtA replaces the MtA and MtAwc protocols, then their new protocol is safe (ref. Theorem 2).

In our implementation of GG18, we implement this version of GG18 (i.e. sMta).

If you still have some concerns about this Mta without range proof, then you can use CGGMP. In this version, our implementation includes all range proofs. If you have any questions, please let me know. Thank you!

MaggieNgWu commented 1 year ago

Do you mean that:

  1. Your GG18 implementation is using sMta, that is safe.
  2. The CGGMP includes all range proofs.

Is that right?

MaggieNgWu commented 1 year ago

Thank you for answering my questions.

Is sMta safe enough to prevent information leaks or other related attacks?

How does the performance of CGGMP (signature time and key generation time) compare with GG18 with sMta?

cychuang0924 commented 1 year ago

> Do you mean that:
>
>   1. Your GG18 implementation is using sMta, that is safe.
>   2. The CGGMP includes all range proofs.
>
> Is that right?

Right!

The performance of CGGMP is faster except for the Reshare protocol, because the Reshare protocol in CGGMP will renew the Paillier private key, which is a product of two safe primes.