Threshold ECDSA with an Offline Recovery Party

A (t, n)-threshold signature scheme enables distributed signing among n players such that any subset of size at least t can sign, whereas any subset with fewer players cannot. Our goal is to produce digital signatures that are compatible with an existing centralized signature scheme: the key-generation and signature algorithms are replaced by a communication protocol between the players, but the verification algorithm remains identical to that of a signature issued using the centralized algorithm. Starting from the threshold scheme for the ECDSA signature due to Gennaro and Goldfeder, we present the first protocol that supports multiparty signatures with an offline participant during the key-generation phase and that does not rely on a trusted third party. Under standard assumptions on the underlying algebraic and geometric problems (e.g. the Discrete Logarithm Problem for an elliptic curve and the computation of eth root on semi-prime residue rings), we prove our scheme secure against adaptive malicious adversaries.