We’d love to split the ECDSA signing operation into two steps:
- an “offline” step that is independent of the message,
- an “online” step that depends on the message.
The advantage here is that the offline step can be precomputed arbitrarily early and does “most of the computational work”. This is very useful for signers that have a lot of idle time before the signing request comes in, but little time to compute and return the signature. For example, hardware wallets.
In ECDSA, the offline step can essentially compute nonce generation + scalar multiplication + nonce modular inversion. These values (“precomputed material”) are input to the online part. The online part just finishes the ECDSA computation. The online part is extremely fast (we’re seeing around 5000x faster than the offline phase in a non-libsecp256k1 proof-of-concept).
The precomputed material is secret, can only be used once and needs to be wiped after usage.
API-wise this would probably mean adding two functions:
secp256k1_ecdsa_sign_split_phase_precompute()
secp256k1_ecdsa_sign_split_phase_online()
The composition of the two functions computes secp256k1_ecdsa_sign(). The input/output behavior does not change.
Is there any appetite for this? Happy to write the code for this.
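As an added illustration of the split described above (example code written for this discussion, not libsecp256k1's and not part of the proposal), here is split-phase ECDSA over secp256k1 in pure Python: precompute() does the message-independent work, online() finishes with a few modular operations, and sign()/verify() are a one-shot reference and a checker. One caveat the split makes visible: a deterministic nonce (RFC 6979) needs the message hash, so the offline phase has to draw a random nonce. The key, message hash and nonce used in the test are constructed values.

```python
import secrets
# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def precompute(k=None):
    """Offline phase: nonce k, r = x(k*G) mod n and k^-1 mod n. Nothing here
    depends on the message, so k must be random: RFC 6979 would need the hash."""
    k = k or 1 + secrets.randbelow(N - 1)
    r = mul(k, G)[0] % N
    return {"r": r, "kinv": pow(k, -1, N)} if r else precompute()

def online(seckey, pre, z):
    """Online phase: s = k^-1 (z + r*d) mod n plus low-s normalization.
    pop() empties the dict so the single-use material cannot be reused."""
    r, kinv = pre.pop("r"), pre.pop("kinv")
    s = kinv * (z + r * seckey) % N
    if s == 0: raise ValueError("retry with fresh precomputed material")
    return (r, min(s, N - s))

def sign(seckey, z, k):
    """One-shot reference: the same math in a single step, for comparison."""
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * seckey) % N
    return (r, min(s, N - s))

def verify(pubkey, z, sig):
    """Standard ECDSA verification, used to check both signing paths."""
    r, s = sig; w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pubkey))
    return pt is not None and pt[0] % N == r
```

Here z is the message hash already reduced mod n; in the C API the same split would also have to zero the precomputed struct after the online call.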