Context
Thanks to Dan Boneh for suggesting this problem for the database!
Many cryptographic objects involve a secret key that allows for some privileged functionality, e.g., a decryption key allows decrypting private messages and a signature key allows for authenticating messages on behalf of a digital identity. When such secret keys are compromised, the security of the cryptographic objects is lost; for this reason, it is important to store secret key material in a secure manner.
Threshold cryptography allows for splitting secret keys into multiple pieces that can be stored on separate machines. If enough of those machines cooperate, then they can still perform the desired functionality, e.g. signing or decrypting, but as long as not too many machines are corrupt, the private key material remains secure from the adversary.
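To make the paragraph above concrete, here is an added example (not from the original page or from any of the works it cites): 3-of-5 threshold ElGamal decryption, in which each machine computes a decryption share from its own key share and the full key is never reassembled. The toy group parameters, the function names and the trusted dealer that splits the key are assumptions made for illustration.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2*Q + 1 is a safe prime and G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def share_key(secret, t, n):
    """Trusted dealer (assumption): Shamir-share `secret` mod Q, threshold t of n."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def encrypt(pub, m):
    """ElGamal encryption of a group element m under public key pub = G^x."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P

def decryption_share(c1, x_i):
    """Computed locally by one machine from its key share, with no interaction."""
    return pow(c1, x_i, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of party i for interpolation at 0, mod Q."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(c2, shares, t):
    """Recover m from at least t decryption shares (shares are not verified here)."""
    if len(shares) < t:
        raise ValueError("not enough decryption shares")
    ids = sorted(shares)[:t]
    mask = 1  # becomes c1^x by interpolating in the exponent
    for i in ids:
        mask = mask * pow(shares[i], lagrange_at_zero(i, ids), P) % P
    return c2 * pow(mask, -1, P) % P

if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1        # full key, seen only by the dealer
    key_shares = share_key(x, t=3, n=5)     # one share per machine
    m = pow(G, 42, P)                       # constructed sample message
    c1, c2 = encrypt(pow(G, x, P), m)
    partial = {i: decryption_share(c1, key_shares[i]) for i in (1, 3, 5)}
    print(combine(c2, partial, 3) == m)
```
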
Open Research Questions
Towards building better threshold crypto systems in practice, several research questions seem relevant.
Constructing more efficient universal thresholdizers:
In a recent work, Boneh et al. introduce the concept of a universal thresholdizer, built from a threshold fully homomorphic encryption (FHE) scheme, which allows for somewhat generically augmenting existing cryptosystems with threshold functionality. This is a powerful tool that enables a unified approach to threshold cryptography, so it is important to improve the concrete efficiency of universal thresholdizers as much as possible. An interesting question is to understand the efficiency of the existing construction of universal thresholdizers and to develop faster ones.
Faster threshold signing for ECDSA:
ECDSA (Elliptic Curve Digital Signature Algorithm) is a popular digital signature scheme that is used in both Bitcoin and Ethereum. Due to its importance in real-world distributed systems, how to "thresholdize" the scheme efficiently and securely is an important question.
Existing works, such as [eprint 2021/060] and references therein, make significant progress towards answering this question. Unfortunately, these works share one important drawback: they all require a multi-round signing process, in which the signers must interact over multiple rounds for each signature they wish to produce. Ideally, each signer would send a signature share non-interactively, such that enough signature shares allow for recovering the full signature.
An interesting research question is to explore combining the universal thresholdizer from Boneh et al. with ECDSA to construct a concretely efficient non-interactive threshold signature protocol for ECDSA.