Thresholdizing HashEdDSA: MPC to the Rescue
International Journal of Information Security (IF 3.2), Pub Date: 2021-02-04, DOI: 10.1007/s10207-021-00539-6
Charlotte Bonte, Nigel P. Smart, Titouan Tanguy

Following recent comments in a NIST document related to threshold cryptographic standards, we examine the case of thresholdizing the HashEdDSA signature scheme. This is a deterministic signature scheme based on Edwards elliptic curves. Unlike DSA, it has a Schnorr-like signature equation, which is an advantage for threshold implementations, but it has the disadvantage of having the ephemeral secret obtained by hashing the secret key and the message. We show that one can obtain relatively efficient implementations of threshold HashEdDSA with no modifications to the behaviour of the signing algorithm; we achieve this using a doubly authenticated bit (daBit) generation protocol tailored for \(\mathcal {Q}_2\) access structures that is more efficient than prior work. However, if one was to modify the standard algorithm to use an MPC-friendly hash function, such as Rescue, the performance becomes very fast indeed.




Updated: 2021-02-04