Secure two-party SM9 signing

Dear editor, With the rapid development of digital currencies and blockchain technologies, an increasing number of countries are planning to launch or have already launched their own central bank-issued digital currency (CBDC). In addition to drawing on advanced technologies such as blockchain, the ideal CBDC should also reconcile the functional conflicts between the requirements of convenience and security, and address the technical conflicts among the requirements of privacy (such as confidentiality of financial intelligence), audit, supervision, tracking and cracking down on illegal acts. However, clearly, anonymity is an important reason for the popularity of digital currencies represented by Bitcoin [1], and it is achieved through the elliptic curve digital signature algorithm (ECDSA) embedded in the system. The public and private key pairs used in the ECDSA have no association with the user’s identity in real life. Thus, in the CBDC system, it is necessary to embed an identity-based digital signature, so that the government can associate the users’ identities with their addresses (public keys) in the blockchain network when necessary. Shamir [2] introduced the concept of identity-based cryptography in 1984, in which the user’s private key is generated by a key generation center (KGC) based on master keys and the user ID, and the user’s public key is uniquely identified by its own ID. Subsequently, Sakai et al. [3] and Boneh and Franklin [4] proposed different identity-based cryptographic schemes. In 2016, the State Cryptography Administration of China released the identity-based cryptography algorithm SM9, including a digital signature algorithm, key exchange protocol, key encapsulation mechanism, and public key encryption algorithm. It is worth mentioning that, in 2017, the digital signature algorithm of SM9 (SM9-DSA) was unanimously adopted as an international standard at the ISO/IEC JTC1 SC27 working group meeting.
While SM9-DSA can be considered as a candidate for the identity-based digital signature used in the CBDC system, there is another problem in that key protection of the digital wallet needs to be handled. Unlike traditional banking transactions, digital “coin” transactions are authorized only with a digital signature generated by the user’s private key. Thus, one’s digital “coins” are only as secure as the private key that can authorize their transfers; if the private key is compromised, the “coins” are certainly stolen. Furthermore, once a digital “coin” transaction is enacted, it is irreversible because of the anti-tamper property of the blockchain, even though the “coins” are known to have been stolen. Recently, in 2017, Lindell [5] proposed a fast secure two-party signing protocol based on the ECDSA to protect the private key of Bitcoin’s wallet. In fact, two-party signing can be viewed as a special case of (t, n)-threshold signature algorithms [6, 7], where t = 2, n = 2. We present a construction of the two-party sign-

Keywords: key; private key; digital signature; two party; sm9

Journal Title: Science China Information Sciences
Year Published: 2020
