Problem: How can we identify non-responsive and cheating parties in MPC without invoking broadcast, in a manner that is certifiable to outside parties?
Result: We define the problem precisely, and show that in the absence of a broadcast channel (i.e. p2p channels only) even with a PKI, it is impossible to achieve this notion in the dishonest majority setting. We give a simple construction of a suitable broadcast-like primitive in the honest majority setting, and use it to construct a compiler that removes the dependence of any MPC protocol on broadcast when Identifiable Abort is desired. We report benchmarks of an implementation of our technique applied to threshold ECDSA signing, showing that with a signing threshold t = 10, the computational burden of the worst case execution path is under 500ms.

Problem: Under what conditions does a random oracle based NIZK permit an MPC protocol to distribute its computation?
Result: We investigate the conditions under which straight-line extractable NIZKs in the random oracle model (i.e. without a CRS) permit multiparty realizations that are black-box in the same random oracle. We show that even in the semi-honest setting, any MPC protocol to compute such a NIZK cannot make black-box use of the random oracle or a hash function instantiating it if security against all-but-one corruptions is desired, unless the size of the NIZK grows with the number of parties.

Problem: How much does it cost to identify cheaters in practical dishonest majority MPC?
Result: We show that standard protocols for dishonest majority MPC, when carefully augmented with the ability to open one of the party's inputs ("vindicating release"), yields identifiable abort. Our constructions are straightforward to analyze and use as they function in the real-ideal paradigm, in contrast to previous works that rely on concrete protocols as building blocks. We show that our simple abstractions do not pay a penalty in efficiency, by means of a concrete construction based on the PVW OT, plugged into SoftSpoken OT extension, which in turn is used to build VOLE and then MPC for any sampling functionality (such as correlated randomness consumed by MPC-IA protocols for private inputs).

Problem: Can we achieve efficient threshold ECDSA signing in three rounds?
Result: We give a simple such protocol that makes blackbox use of any two-round secure multiplication primitive. Roughly, we first generate a candidate "ECDSA tuple" [ANOSS22] in two rounds with straightforward use of VOLE, and then verify the correctness of the correlation via simple pairwise checks in the exponent. Each check is statistical, costs each party a couple of exponentiations, can be done in parallel with the VOLE, and requires no additional information or machinery. Once verified, the tuple then enables a simple non-interactive information-theoretic signature assembly phase. We give a cost analysis for OT based VOLE, although our protocol can in principle be instantiated with Additively Homomorphic Encryption, or even BGW/GRR to improve the state of the art in the honest majority setting.

Problem: Can we construct threshold Schnorr signing protocols that are resilient to state resets, while making only blackbox use of cryptography?
Result: We give a novel approach to resettable threshold Schnorr signing, by making only blackbox use of Pseudorandom Correlation Functions. This avoids having to prove statements about PRFs in ZK—which was the only previously known approach, and was bottlenecked by the circuit complexity of PRFs. We leverage recent progress in PCFs based on PRFs and Paillier, to obtain resettable threshold Schnorr protocols that are resilient to covert and malicious adversaries respectively. Our covert protocol is nearly as efficient as semi-honest signing, and the malicious protocol achieves the lowest known bandwidth consumption.

Problem: Is it feasible to obtain UC-secure witness-succinct SNARKs under well-studied setup assumptions?
Result: Yes---we give a compiler in the random oracle model that lifts any simulation extractable SNARK (with non-blackbox extraction) to a UC secure one, while preserving the same level of witness succinctness. This enables us to obtain the first constant-sized UC secure SNARK as a corollary.

Problem: Given the non-linear structure of BBS+ credentials, how can we distribute their issuance?
Result: Leveraging techniques developed in the context of Threshold ECDSA for secure inversion, we construct a distributed issuance protocol for BBS+ credentials. The protocol has a 'single roundtrip' interaction pattern: the client sends a message to the servers, the servers are able to compute shares of a credential within a single roundtrip of communication with each other, and finally these shares are communicated to the client, who then assembles the credential locally. Our benchmarks show that the "MPC overhead" of this distributed issuance structure is only a few milliseconds for common parameters.

Problem: Is Fischlin's transform computationally optimal, and is it inherently limited to Sigma protocols with quasi-unique responses?
Result: With EdDSA signature aggregation as a motivating application, we show how a multicollision based proof-of-work and a uniquely suited polynomial evaluation algorithm can improve the computation cost of the baseline construction [CGKN21] by 70x-200x. The multicollision based proof-of-work also improves the random oracle query complexity of Fischlin's NIZK, in some cases even matching a new lower bound that we present. Finally, we show by means of an attack that Fischlin's transform does not preserve Witness Indistinguishability in certain contexts. We also show how randomizing Fischlin's transform fixes the problem, thereby extending its applicability to any strong special sound Sigma protocol.