diff --git a/audits/certik-audit-okx-threshold-lib-20231011.pdf b/audits/certik-audit-okx-threshold-lib-20231011.pdf
new file mode 100644
index 0000000..fbfbe67
Binary files /dev/null and b/audits/certik-audit-okx-threshold-lib-20231011.pdf differ
diff --git a/crypto/pedersen/pedersen.go b/crypto/pedersen/pedersen.go
new file mode 100644
index 0000000..bbe7e3e
--- /dev/null
+++ b/crypto/pedersen/pedersen.go
@@ -0,0 +1,67 @@
+package pedersen
+
+import (
+	"math/big"
+	"runtime"
+
+	"github.com/okx/threshold-lib/crypto"
+)
+
+const (
+	PrimeBits = 1024
+)
+
+type (
+	// N = p * q, where p and q are safe primes
+	// s = rnd1^2 mod N
+	// t = rnd2^2 mod N
+	PedersenParameters struct {
+		S, T, Ntilde *big.Int
+	}
+)
+
+func NewPedersenParameters(concurrency ...int) (*PedersenParameters, error) {
+	var currency int
+	if 0 < len(concurrency) {
+		currency = concurrency[0]
+	} else {
+		currency = runtime.NumCPU()
+	}
+
+	var values = make(chan *big.Int, currency)
+	var p, q *big.Int
+	for p == q {
+		var quit = make(chan int)
+		for i := 0; i < currency; i++ {
+			go crypto.GenerateSafePrime(PrimeBits, values, quit)
+		}
+		p, q = <-values, <-values
+		close(quit)
+	}
+
+	// N = p * q, as described in the paper: https://eprint.iacr.org/2020/492.pdf Definition 1.2
+	N := new(big.Int).Mul(p, q)
+	rnd1 := crypto.RandomNum(N)
+	rnd2 := crypto.RandomNum(N)
+
+	s := new(big.Int).Mod(new(big.Int).Mul(rnd1, rnd1), N)
+	t := new(big.Int).Mod(new(big.Int).Mul(rnd2, rnd2), N)
+
+	return &PedersenParameters{Ntilde: N, S: s, T: t}, nil
+}
+
+// commit c = s^m * t^r mod N
+func (pedersen *PedersenParameters) Commit(m, r *big.Int) (*big.Int, error) {
+	a := new(big.Int).Exp(pedersen.S, m, pedersen.Ntilde)
+	b := new(big.Int).Exp(pedersen.T, r, pedersen.Ntilde)
+	c := new(big.Int).Mod(new(big.Int).Mul(a, b), pedersen.Ntilde)
+	return c, nil
+}
+
+// open c = s^m * t^r mod N
+func (pedersen *PedersenParameters) Open(c, m, r *big.Int) (bool, error) {
+	a := new(big.Int).Exp(pedersen.S, m, pedersen.Ntilde)
+	b := new(big.Int).Exp(pedersen.T, r, pedersen.Ntilde)
+	c1 := new(big.Int).Mod(new(big.Int).Mul(a, b), pedersen.Ntilde)
+	return c1.Cmp(c) == 0, nil
+}
diff --git a/crypto/pedersen/pedersen_test.go b/crypto/pedersen/pedersen_test.go
new file mode 100644
index 0000000..71c9089
--- /dev/null
+++ b/crypto/pedersen/pedersen_test.go
@@ -0,0 +1,23 @@
+package pedersen
+
+import (
+	"encoding/json"
+	"fmt"
+	"math/big"
+	"testing"
+)
+
+func TestPedersen(t *testing.T) {
+	parameters, _ := NewPedersenParameters(8)
+
+	m := big.NewInt(10)
+	r := big.NewInt(32)
+
+	c1, _ := parameters.Commit(m, r)
+	ok, _ := parameters.Open(c1, m, r)
+	fmt.Println("ok", ok)
+
+	ped, _ := json.Marshal(parameters)
+	fmt.Println("ped", string(ped))
+
+}
diff --git a/crypto/zkp/aff_g_proof.go b/crypto/zkp/aff_g_proof.go
new file mode 100644
index 0000000..e145575
--- /dev/null
+++ b/crypto/zkp/aff_g_proof.go
@@ -0,0 +1,169 @@
+package zkp
+
+import (
+	"math/big"
+
+	"github.com/decred/dcrd/dcrec/secp256k1/v2"
+	"github.com/okx/threshold-lib/crypto"
+	"github.com/okx/threshold-lib/crypto/curves"
+	"github.com/okx/threshold-lib/crypto/pedersen"
+)
+
+type (
+	AffGStatement struct {
+		N, C, D *big.Int
+		X, Y    *curves.ECPoint
+	}
+
+	AffGWitness struct {
+		X, Y, Rho *big.Int
+	}
+
+	AffGProof struct {
+		A, E, S, F, T, Z1, Z2, Z3, Z4, W *big.Int
+		Bx, By, X, Y                     *curves.ECPoint
+	}
+)
+
+var (
+	two           = big.NewInt(2)
+	curve         = secp256k1.S256()
+	L0_Aff_G      = 2 * 256
+	L1_Aff_G      = 3 * 256
+	Epsilon_Aff_G = 3 * 256
+)
+
+// https://eprint.iacr.org/2020/492.pdf 4.2 Paillier Operation with Group Commitment in Range ZK
+// y is committed in elliptic curve group instead of Paillier group
+func PaillierAffineProve(pedersen *pedersen.PedersenParameters, st *AffGStatement, wit *AffGWitness) *AffGProof {
+	N2 := new(big.Int).Mul(st.N, st.N)
+
+	// sample viaribles
+	rangeL0Epsilon := new(big.Int).Lsh(one, uint(L0_Aff_G+Epsilon_Aff_G))
+	rangeL1Epsilon := new(big.Int).Lsh(one, uint(L1_Aff_G+Epsilon_Aff_G))
+	rangeL0 := new(big.Int).Lsh(one, uint(L0_Aff_G))
+	// rangeL1 := new(big.Int).Lsh(one, uint(L1_Aff_G))
+
+	alpha := crypto.RandomNum(rangeL0Epsilon)
+	beta := crypto.RandomNum(rangeL1Epsilon)
+
+	r := crypto.RandomNum(st.N)
+	gamma := crypto.RandomNum(new(big.Int).Mul(rangeL0Epsilon, pedersen.Ntilde))
+	m := crypto.RandomNum(new(big.Int).Mul(rangeL0, pedersen.Ntilde))
+	// rangeL1 ?
+	delta := crypto.RandomNum(new(big.Int).Mul(rangeL0Epsilon, pedersen.Ntilde))
+	mu := crypto.RandomNum(new(big.Int).Mul(rangeL0, pedersen.Ntilde))
+
+	// compute A, Bx, By, E, S, F, T
+	// A = C^alpha * ((1+N)^beta * r^N) mod N2
+	A := new(big.Int).Exp(st.C, alpha, N2)
+	A = new(big.Int).Mod(new(big.Int).Mul(A, new(big.Int).Exp(new(big.Int).Add(one, st.N), beta, N2)), N2)
+	A = new(big.Int).Mod(new(big.Int).Mul(A, new(big.Int).Exp(r, st.N, N2)), N2)
+
+	// Bx = aplha * G
+	Bx := curves.ScalarToPoint(curve, alpha)
+
+	// By = beta * G
+	By := curves.ScalarToPoint(curve, beta)
+
+	// E = pedersen.Commit(alpha, gamma)
+	E, _ := pedersen.Commit(alpha, gamma)
+
+	// S = pedersen.Commit(x, m)
+	S, _ := pedersen.Commit(wit.X, m)
+
+	// F = pedersen.Commit(beta, delta)
+	F, _ := pedersen.Commit(beta, delta)
+
+	// T = pedersen.Commit(y, mu)
+	T, _ := pedersen.Commit(wit.Y, mu)
+
+	// compute challenge e
+	e := crypto.SHA256Int(st.N, st.C, st.D, st.X.X, st.Y.X, A, Bx.X, By.X, E, S, F, T)
+	e = new(big.Int).Mod(e, curve.N)
+
+	// compute Z1, Z2, Z3, Z4, W
+	// Z1 = alpha + e * x
+	Z1 := new(big.Int).Add(alpha, new(big.Int).Mul(e, wit.X))
+
+	// Z2 = beta + e * y
+	Z2 := new(big.Int).Add(beta, new(big.Int).Mul(e, wit.Y))
+
+	// Z3 = gamma + e * m
+	Z3 := new(big.Int).Add(gamma, new(big.Int).Mul(e, m))
+
+	// Z4 = delta + e * mu
+	Z4 := new(big.Int).Add(delta, new(big.Int).Mul(e, mu))
+
+	// W = r * rho^e mod N
+	W := new(big.Int).Mod(new(big.Int).Mul(r, new(big.Int).Exp(wit.Rho, e, st.N)), st.N)
+
+	return &AffGProof{A: A, Bx: Bx, By: By, E: E, S: S, F: F, T: T, Z1: Z1, Z2: Z2, Z3: Z3, Z4: Z4, W: W, X: st.X, Y: st.Y}
+}
+
+func PaillierAffineVerify(pedersen *pedersen.PedersenParameters, proof *AffGProof, st *AffGStatement) bool {
+	N2 := new(big.Int).Mul(st.N, st.N)
+	e := crypto.SHA256Int(st.N, st.C, st.D, st.X.X, st.Y.X, proof.A, proof.Bx.X, proof.By.X, proof.E, proof.S, proof.F, proof.T)
+	e = new(big.Int).Mod(e, curve.N)
+
+	// check A
+	// C^Z1 * ((1+N)^Z2 * w^N) = A * D^e mod N2
+	left0 := new(big.Int).Exp(st.C, proof.Z1, N2)
+	left0 = new(big.Int).Mod(new(big.Int).Mul(left0, new(big.Int).Exp(new(big.Int).Add(one, st.N), proof.Z2, N2)), N2)
+	left0 = new(big.Int).Mod(new(big.Int).Mul(left0, new(big.Int).Exp(proof.W, st.N, N2)), N2)
+	right0 := new(big.Int).Mod(new(big.Int).Mul(proof.A, new(big.Int).Exp(st.D, e, N2)), N2)
+	if left0.Cmp(right0) != 0 {
+		return false
+	}
+
+	// check Bx
+	// Z1 * G = Bx + e * X
+	left1 := curves.ScalarToPoint(curve, proof.Z1)
+	right1, err := proof.Bx.Add(st.X.ScalarMult(e))
+	if err != nil {
+		return false
+	}
+	if !left1.Equals(right1) {
+		return false
+	}
+
+	// check By
+	// Z2 * G = By + e * Y
+	left2 := curves.ScalarToPoint(curve, proof.Z2)
+	right2, err := proof.By.Add(st.Y.ScalarMult(e))
+	if err != nil {
+		return false
+	}
+	if !left2.Equals(right2) {
+		return false
+	}
+
+	// check E, S
+	// pedersen.Commit(Z1, Z3) = E * S^e mod N2
+	left3, _ := pedersen.Commit(proof.Z1, proof.Z3)
+	right3 := new(big.Int).Mod(new(big.Int).Mul(proof.E, new(big.Int).Exp(proof.S, e, pedersen.Ntilde)), pedersen.Ntilde)
+	if left3.Cmp(right3) != 0 {
+		return false
+	}
+
+	// check F, T
+	// pedersen.Commit(Z2, Z4) = F * T^e mod N2
+	left4, _ := pedersen.Commit(proof.Z2, proof.Z4)
+	right4 := new(big.Int).Mod(new(big.Int).Mul(proof.F, new(big.Int).Exp(proof.T, e, pedersen.Ntilde)), pedersen.Ntilde)
+	if left4.Cmp(right4) != 0 {
+		return false
+	}
+
+	// range check
+	// Z1 < 2^(L0 + Epsilon)
+	if proof.Z1.Cmp(new(big.Int).Lsh(one, uint(L0_Aff_G+Epsilon_Aff_G))) != -1 {
+		return false
+	}
+
+	// Z2 < 2^(L1 + Epsilon)
+	if proof.Z2.Cmp(new(big.Int).Lsh(one, uint(L1_Aff_G+Epsilon_Aff_G))) != -1 {
+		return false
+	}
+
+	return true
+}
diff --git a/crypto/zkp/aff_g_proof_test.go b/crypto/zkp/aff_g_proof_test.go
new file mode 100644
index 0000000..50ab30c
--- /dev/null
+++ b/crypto/zkp/aff_g_proof_test.go
@@ -0,0 +1,81 @@
+package zkp
+
+import (
+	"fmt"
+	"math/big"
+	"testing"
+
+	"github.com/okx/threshold-lib/crypto"
+	"github.com/okx/threshold-lib/crypto/curves"
+	"github.com/okx/threshold-lib/crypto/pedersen"
+)
+
+func TestAffGProof(t *testing.T) {
+	// -----------------------GeneratePreParams-------------------------------
+	fmt.Println("----------------------- TestAffGProof ---------------------------------")
+	pesersen, _ := pedersen.NewPedersenParameters(8)
+	// const bits = 512
+	const bits = 1024
+
+	concurrency := 4
+	var values = make(chan *big.Int, concurrency)
+	var p, q *big.Int
+	for p == q {
+		var quit = make(chan int)
+		for i := 0; i < concurrency; i++ {
+			go crypto.GenerateSafePrime(bits, values, quit)
+		}
+		p, q = <-values, <-values
+		close(quit)
+	}
+	N := new(big.Int).Mul(p, q)
+	N2 := new(big.Int).Mul(N, N)
+
+	rangeL0 := new(big.Int).Lsh(one, uint(L0_Aff_G))
+	rangeL1 := new(big.Int).Lsh(one, uint(L1_Aff_G))
+
+	x := crypto.RandomNum(rangeL0)
+	y := crypto.RandomNum(rangeL1)
+	rho := crypto.RandomNum(N)
+
+	witness := &AffGWitness{
+		X:   x,
+		Y:   y,
+		Rho: rho,
+	}
+
+	// C is an ciphertext of an Paillier encryption of a secret
+	C := crypto.RandomNum(N2)
+
+	// D = C^x * (1+N)^y * rho^N mod N^2
+	D := new(big.Int).Exp(C, x, N2)
+	D = new(big.Int).Mod(new(big.Int).Mul(D, new(big.Int).Exp(new(big.Int).Add(one, N), y, N2)), N2)
+	D = new(big.Int).Mod(new(big.Int).Mul(D, new(big.Int).Exp(rho, N, N2)), N2)
+
+	X := curves.ScalarToPoint(curve, x)
+	Y := curves.ScalarToPoint(curve, y)
+
+	st := &AffGStatement{
+		N: N,
+		C: C,
+		D: D,
+		X: X,
+		Y: Y,
+	}
+
+	proof := PaillierAffineProve(pesersen, st, witness)
+	verify := PaillierAffineVerify(pesersen, proof, st)
+
+	fmt.Println("PaillierAffineProof of honest prover:", verify)
+
+	x = crypto.RandomNum(N)
+	witness = &AffGWitness{
+		X:   x,
+		Y:   y,
+		Rho: rho,
+	}
+	proof = PaillierAffineProve(pesersen, st, witness)
+	verify = PaillierAffineVerify(pesersen, proof, st)
+	fmt.Println("PaillierAffineProof of malicious prover:", verify)
+
+}
diff --git a/tss/ecdsa/keygen/keygen_test.go b/tss/ecdsa/keygen/keygen_test.go
index 6d53f64..b364c58 100644
--- a/tss/ecdsa/keygen/keygen_test.go
+++ b/tss/ecdsa/keygen/keygen_test.go
@@ -3,12 +3,13 @@ package keygen
 import (
 	"encoding/json"
 	"fmt"
+	"testing"
+
 	"github.com/okx/threshold-lib/crypto/curves"
 	"github.com/okx/threshold-lib/crypto/paillier"
 	"github.com/okx/threshold-lib/tss"
 	"github.com/okx/threshold-lib/tss/key/bip32"
 	"github.com/okx/threshold-lib/tss/key/dkg"
-	"testing"
 )
 
 const (
@@ -50,6 +51,7 @@ func TestKeyGen(t *testing.T) {
 	if err != nil {
 		fmt.Println("preParams Unmarshal error, ", err)
 	}
+
 	// 1-->2   1--->3
 	paiPriKey, _, _ := paillier.NewKeyPair(8)
 	p1Data, _ := P1(p1SaveData.ShareI, paiPriKey, setUp1.DeviceNumber, setUp2.DeviceNumber, preParams)
diff --git a/tss/ecdsa/keygen/party2.go b/tss/ecdsa/keygen/party2.go
index f6677ee..88f0862 100644
--- a/tss/ecdsa/keygen/party2.go
+++ b/tss/ecdsa/keygen/party2.go
@@ -80,6 +80,7 @@ func P2(share2 *big.Int, publicKey *curves.ECPoint, msg *tss.Message, from, to i
 	if !slackVerify {
 		return nil, fmt.Errorf("PDLwSlackVerify fail")
 	}
+
 	// P2 additional save key information
 	p2SaveData := &P2SaveData{
 		From:      from,
diff --git a/tss/ecdsa/sign/party1.go b/tss/ecdsa/sign/party1.go
index 32480f3..6775779 100644
--- a/tss/ecdsa/sign/party1.go
+++ b/tss/ecdsa/sign/party1.go
@@ -11,7 +11,9 @@ import (
 	"github.com/okx/threshold-lib/crypto/commitment"
 	"github.com/okx/threshold-lib/crypto/curves"
 	"github.com/okx/threshold-lib/crypto/paillier"
+	"github.com/okx/threshold-lib/crypto/pedersen"
 	"github.com/okx/threshold-lib/crypto/schnorr"
+	"github.com/okx/threshold-lib/crypto/zkp"
 )
 
 var (
@@ -23,15 +25,17 @@ type P1Context struct {
 
 	publicKey *ecdsa.PublicKey
 	paiPriKey *paillier.PrivateKey
+	E_x1      *big.Int
 
 	k1      *big.Int
 	message string
 	R2      *curves.ECPoint // k2*G
 	cmtD    *commitment.Witness
+	ped     *pedersen.PedersenParameters
 }
 
 // NewP1 2-party signature, P1 init
-func NewP1(publicKey *ecdsa.PublicKey, message string, paiPriKey *paillier.PrivateKey) *P1Context {
+func NewP1(E_x1 *big.Int, publicKey *ecdsa.PublicKey, message string, paiPriKey *paillier.PrivateKey, ped *pedersen.PedersenParameters) *P1Context {
 	msg, err := hex.DecodeString(message)
 	if err != nil {
 		return nil
@@ -44,6 +48,8 @@ func NewP1(publicKey *ecdsa.PublicKey, message string, paiPriKey *paillier.Priva
 		message:   message,
 		paiPriKey: paiPriKey,
 		sessionID: sessionId,
+		ped:       ped,
+		E_x1:      E_x1,
 	}
 	return p1Context
 }
@@ -76,7 +82,19 @@ func (p1 *P1Context) Step2(p2Proof *schnorr.Proof, R2 *curves.ECPoint) (*schnorr
 	return proof, p1.cmtD, nil
 }
 
-func (p1 *P1Context) Step3(E_k2_h_xr *big.Int) (*big.Int, *big.Int, error) {
+func (p1 *P1Context) Step3(aff_g_proof *zkp.AffGProof, E_k2_h_xr *big.Int) (*big.Int, *big.Int, error) {
+	statement := &zkp.AffGStatement{
+		N: p1.paiPriKey.N,
+		C: p1.E_x1,
+		D: E_k2_h_xr,
+		X: aff_g_proof.X,
+		Y: aff_g_proof.Y,
+	}
+	verify := zkp.PaillierAffineVerify(p1.ped, aff_g_proof, statement)
+	if !verify {
+		return nil, nil, fmt.Errorf("paillier affine verify fail")
+	}
+
 	q := curve.N
 	// R = k1*k2*G, k = k1*k2
 	Rx, _ := curve.ScalarMult(p1.R2.X, p1.R2.Y, p1.k1.Bytes())
diff --git a/tss/ecdsa/sign/party2.go b/tss/ecdsa/sign/party2.go
index c8eb39b..6e9b5e4 100644
--- a/tss/ecdsa/sign/party2.go
+++ b/tss/ecdsa/sign/party2.go
@@ -10,7 +10,9 @@ import (
 	"github.com/okx/threshold-lib/crypto/commitment"
 	"github.com/okx/threshold-lib/crypto/curves"
 	"github.com/okx/threshold-lib/crypto/paillier"
+	"github.com/okx/threshold-lib/crypto/pedersen"
 	"github.com/okx/threshold-lib/crypto/schnorr"
+	"github.com/okx/threshold-lib/crypto/zkp"
 )
 
 type P2Context struct {
@@ -23,10 +25,11 @@ type P2Context struct {
 	message   string
 	k2        *big.Int
 	cmtC      *commitment.Commitment
+	ped       *pedersen.PedersenParameters
 }
 
 // NewP1 2-party signature, P2 init
-func NewP2(bobPri, E_x1 *big.Int, publicKey *ecdsa.PublicKey, paiPub *paillier.PublicKey, message string) *P2Context {
+func NewP2(bobPri, E_x1 *big.Int, publicKey *ecdsa.PublicKey, paiPub *paillier.PublicKey, message string, ped *pedersen.PedersenParameters) *P2Context {
 	msg, err := hex.DecodeString(message)
 	if err != nil {
 		return nil
@@ -41,6 +44,7 @@ func NewP2(bobPri, E_x1 *big.Int, publicKey *ecdsa.PublicKey, paiPub *paillier.P
 		PublicKey: publicKey,
 		message:   message,
 		sessionID: sessionId,
+		ped:       ped,
 	}
 	return p2Context
 }
@@ -59,33 +63,34 @@ func (p2 *P2Context) Step1(cmtC *commitment.Commitment) (*schnorr.Proof, *curves
 }
 
 // Step2 paillier encrypt compute, return E[(h+xr)/k2]
-func (p2 *P2Context) Step2(cmtD *commitment.Witness, p1Proof *schnorr.Proof) (*big.Int, error) {
+func (p2 *P2Context) Step2(cmtD *commitment.Witness, p1Proof *schnorr.Proof) (*zkp.AffGProof, *big.Int, error) {
 	q := curve.N
+	N2 := new(big.Int).Mul(p2.paiPub.N, p2.paiPub.N)
 	// check R1=k1*G commitment
 	commit := commitment.HashCommitment{}
 	commit.C = *p2.cmtC
 	commit.Msg = *cmtD
 	ok, commitD := commit.Open()
 	if !ok {
-		return nil, fmt.Errorf("commitment DeCommit fail")
+		return nil, nil, fmt.Errorf("commitment DeCommit fail")
 	}
 	if commitD[0].Cmp(p2.sessionID) != 0 {
-		return nil, fmt.Errorf("p2 Step2 commitment sessionId error")
+		return nil, nil, fmt.Errorf("p2 Step2 commitment sessionId error")
 	}
 	R1, err := curves.NewECPoint(curve, commitD[1], commitD[2])
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	verify := schnorr.VerifyWithId(p2.sessionID, p1Proof, R1)
 	if !verify {
-		return nil, fmt.Errorf("schnorr verify fail")
+		return nil, nil, fmt.Errorf("schnorr verify fail")
 	}
 	// R = k1*k2*G, k = k1*k2
 	Rx, _ := curve.ScalarMult(R1.X, R1.Y, p2.k2.Bytes())
 	r := new(big.Int).Mod(Rx, q)
 	bytes, err := hex.DecodeString(p2.message)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	k2_1 := new(big.Int).ModInverse(p2.k2, q)
 
@@ -96,20 +101,35 @@ func (p2 *P2Context) Step2(cmtD *commitment.Witness, p1Proof *schnorr.Proof) (*b
 	rhoq := new(big.Int).Mul(rho, q)
 	h_rhoq := new(big.Int).Add(h, rhoq) // h/k2 + rho*q
 
-	E_x, err := p2.paiPub.HomoAddPlain(p2.E_x1, p2.x2)
-	if err != nil {
-		return nil, err
-	}
-	r = new(big.Int).Mul(r, k2_1) //  r/k2
-	E_xr, err := p2.paiPub.HomoMulPlain(E_x, r)
-	if err != nil {
-		return nil, err
+	// s' = (h+r*(x1+x2))/k2 = a * x1 + b
+	// a = r/k2, b = h/k2 + rho * q + r/k2 * x2
+	a := new(big.Int).Mul(r, k2_1)                            // r/k2
+	b := new(big.Int).Add(h_rhoq, new(big.Int).Mul(a, p2.x2)) // h/k2 + rho*q + r/k2 * x2
+	rnd := crypto.RandomNum(p2.paiPub.N)
+
+	a_x1, _ := p2.paiPub.HomoMulPlain(p2.E_x1, a)
+	a_x1_b, _ := p2.paiPub.HomoAddPlain(a_x1, b)
+	E_k2_h_xr := new(big.Int).Mod(new(big.Int).Mul(a_x1_b, new(big.Int).Exp(rnd, p2.paiPub.N, N2)), N2)
+	A := curves.ScalarToPoint(curve, a)
+	B := curves.ScalarToPoint(curve, b)
+
+	st := &zkp.AffGStatement{
+		N: p2.paiPub.N,
+		C: p2.E_x1,
+		D: E_k2_h_xr,
+		X: A,
+		Y: B,
 	}
-	E_k2_h_xr, err := p2.paiPub.HomoAddPlain(E_xr, h_rhoq)
-	if err != nil {
-		return nil, err
+
+	wit := &zkp.AffGWitness{
+		X:   a,
+		Y:   b,
+		Rho: rnd,
 	}
-	return E_k2_h_xr, nil
+
+	aff_g_proof := zkp.PaillierAffineProve(p2.ped, st, wit)
+
+	return aff_g_proof, E_k2_h_xr, nil
 }
 
 func CalculateM(hash []byte) *big.Int {
diff --git a/tss/ecdsa/sign/sign_test.go b/tss/ecdsa/sign/sign_test.go
index 5011ec9..46cf67c 100644
--- a/tss/ecdsa/sign/sign_test.go
+++ b/tss/ecdsa/sign/sign_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/okx/threshold-lib/crypto"
 	"github.com/okx/threshold-lib/crypto/curves"
 	"github.com/okx/threshold-lib/crypto/paillier"
+	"github.com/okx/threshold-lib/crypto/pedersen"
 
 	"testing"
 
@@ -22,6 +23,7 @@ import (
 )
 
 const (
+	pedParamsStr = "{\"S\":13817395213773423665748976106069887563215400031989903034408049429189159623246888881612592317674727022888953512054385819429092977115403239906258157202244097241485415363298451415160695747089414269924804324563172126254731208935288395176853289248153163224344837947195551794352714372170241862006229745350720206100529568569903326706522465071953160407559249327843406829943397877417499624472421566341035438108378118335635756026876702727809585543003644182652106484868612447592410485489825417344886519578261106535281338786314136945870688227272056742451068061150072357667594255200825455371193294242284424803170897668949426555425,\"T\":12646452867496863933920518693245448076945324934065007179150675937842809462143388041137327217366863480604024164454053181476261134056508042173677396619091621046697295845899271429173694327241538528083559862042799634332752900457929032597135516603322969801330022552710943053979389903574351073197184678971851077867038477328389498837083801534992728001111781813986801825092859612842444546665472308805440478879962403831545378204083199782379489048179968109465785715883325834618148037339660146296886384179431949544922529706581349706257973164686615951349082129935811005980537931685280584875211268792796177935510214118753649879253,\"Ntilde\":31203981932332851330684971902204167683279436670222650769704368232932597705714815213178259489761831567249732027535018308556325009159384987976366013997949424098969119874421206142006896077007148702247620090092698015141805616903301830015820714685345412225561073461417430194324516227295135698439299870481751523667676431358649281499087889608995507141224753283985619068058187485838992611877407102364133884863015657088284949501806199503611081229593950592540379747602331347045247394118938229140216860250432071881042897379699134249065339561622661666095475238856269226548968314840715169536541404692806522202600968606674667098881}"
 	preParamsStr = "{\"NTildei\":24471520908795186059871345359891817090375082425235011162673163562293216820664510789828605476260176115517411842055396836257208343639030995277175322263758084624457414755788632175712521955658505919013279743494979368113272203677789463548602565981118301653800716121189384752156994925287997166225339564621441206438778955740393180221057367383300037154792187952963218391388563468946645409334612971210896085905056280930519856946112538908255424632924121317632150416586598586793214306932742138260070923446615537142905564533718729288946652140359207920360574975200706166078989291834969251532287540567858173716968846357015270138349,\"H1i\":20525427855544097812900242461323906064694844566721127908596308189362139634932796351990338037155331859755165166468225804820912268858944197770981804143947455994501442981149428098822310447470928457374682794682110850354710456200518000366554808847135225010507970105885978332438055746828580641608638198174105260354736906195605319753574667723013578689012516753815219539851516961366236404521980593518182365012603240654581994925529765101249024754689309931635963810794661571475581905272286571260842205785767159676205901368018463391470835581427837444426656612683690455228541028875229228051625995552836658561731443995968771287788,\"H2i\":14561886462801513025229647032463855918071292086106088637653093122443632316900764053418831163999153989988643257167279826735804838683222492162945450354760976026539895948631486301719383942423900097939116970423123551167467739873293443276733568908835651175478613657226786889798591766941448274568403953774018961350069278513251708000024532723935518612136374339804631761356041438752219980855367614912814730211618900394962484968025879140621313034875912024520604802101951780131868299628079385785798916363779339123951610598183476830672767548597981792629985786029649395570390192737424564998427393536184577476205531938017713907537,\"Alpha\":15562395633401930119640319530685053105534487592669191131770549017020512836227813395433398013401899672808149896260415156005395650961577495248684112199870239290842042560405884222603358515341370868923091465869971181089036403932954215982530133253275808649915955629978395955053483946662714544209903814385313430160541625128661561277888916430771363680920637690494652922130604979659273437231654682379800477479474793339467647687163077730878952413184314085561763375724610716711310748898159971608300807004602791622905928075714005483877645756072135214117404734704436395780584072358660771347598146098721453405712285848600410929912,\"Beta\":2395165474635562375328345168197470419270712853015774984255058066914332835031654638443038211809208885507287294824752534870350008496826826350516586118916243850537128710018544377070657961787021005710261809699685606781195081429046500235631252686233860824641938201591401143177392380699803128257310699979970380819582013645704325217394895352558949906568690971372208643798583918394057857288004538171668501365327120899644543818081629047710813539155106955681360755489819630513934947888711688521552671506732141320287584388268958167835966566882566177748042701818683114194170779163415799948893004383756208873564628601506303306733,\"P\":78946358809465488657785646401276462719477605320468420301685497279392498318081224458347091460869018078980790500414678741720386595780837578599171293477368521302224467006469988809257162522761685335900641074366451195515153523873921985410903393962006195879192213513994867756111011843999943944429711391222186861091,\"Q\":77494140571626675280459642381974308521056398681316094978062801680359479201622037388948094745850542427491783310684134503735540058334580018731497272439023435198860202702815565075741003080812047756218005315134111060182393701088010552028153733171070602610292439056776957470549025846108495103549355647541809857301}"
 )
 
@@ -37,17 +39,23 @@ func TestTwoSign(t *testing.T) {
 
 	paiPri, paiPub, _ := paillier.NewKeyPair(8)
 
-	p1 := NewP1(publicKey.ToECDSA(), hex.EncodeToString(message), paiPri)
 	E_x1, _, _ := paiPub.Encrypt(x1)
-	p2 := NewP2(x2, E_x1, publicKey.ToECDSA(), paiPub, hex.EncodeToString(message))
+	ped := &pedersen.PedersenParameters{}
+	err := json.Unmarshal([]byte(pedParamsStr), ped)
+	if err != nil {
+		fmt.Println("pedParams Unmarshal error, ", err)
+		return
+	}
+	p1 := NewP1(E_x1, publicKey.ToECDSA(), hex.EncodeToString(message), paiPri, ped)
+	p2 := NewP2(x2, E_x1, publicKey.ToECDSA(), paiPub, hex.EncodeToString(message), ped)
 
 	commit, _ := p1.Step1()
 	bobProof, R2, _ := p2.Step1(commit)
 
 	proof, cmtD, _ := p1.Step2(bobProof, R2)
-	E_k2_h_xr, _ := p2.Step2(cmtD, proof)
+	aff_g_proof, E_k2_h_xr, _ := p2.Step2(cmtD, proof)
 
-	r, s, _ := p1.Step3(E_k2_h_xr)
+	r, s, _ := p1.Step3(aff_g_proof, E_k2_h_xr)
 	fmt.Println(r, s)
 }
 
@@ -61,6 +69,12 @@ func TestEcdsaSign(t *testing.T) {
 		fmt.Println("preParams Unmarshal error, ", err)
 		return
 	}
+	ped := &pedersen.PedersenParameters{}
+	err = json.Unmarshal([]byte(pedParamsStr), ped)
+	if err != nil {
+		fmt.Println("pedParams Unmarshal error, ", err)
+		return
+	}
 
 	paiPrivate, _, _ := paillier.NewKeyPair(8)
 	p1Dto, _ := keygen.P1(p1Data.ShareI, paiPrivate, p1Data.Id, p2Data.Id, preParams)
@@ -79,16 +93,16 @@ func TestEcdsaSign(t *testing.T) {
 	hash.Write([]byte("hello"))
 	message := hash.Sum(nil)
 
-	p1 := NewP1(pubKey, hex.EncodeToString(message), paiPrivate)
-	p2 := NewP2(x2, p2SaveData.E_x1, pubKey, p2SaveData.PaiPubKey, hex.EncodeToString(message))
+	p1 := NewP1(p2SaveData.E_x1, pubKey, hex.EncodeToString(message), paiPrivate, ped)
+	p2 := NewP2(x2, p2SaveData.E_x1, pubKey, p2SaveData.PaiPubKey, hex.EncodeToString(message), ped)
 
 	commit, _ := p1.Step1()
 	bobProof, R2, _ := p2.Step1(commit)
 
 	proof, cmtD, _ := p1.Step2(bobProof, R2)
-	E_k2_h_xr, _ := p2.Step2(cmtD, proof)
+	aff_g_proof, E_k2_h_xr, _ := p2.Step2(cmtD, proof)
 
-	r, s, _ := p1.Step3(E_k2_h_xr)
+	r, s, _ := p1.Step3(aff_g_proof, E_k2_h_xr)
 	fmt.Println(r, s)
 }
 
diff --git a/tss/key/reshare/update_round_test.go b/tss/key/reshare/update_round_test.go
index 9dada0e..f950044 100644
--- a/tss/key/reshare/update_round_test.go
+++ b/tss/key/reshare/update_round_test.go
@@ -3,10 +3,11 @@ package reshare
 import (
 	"crypto/elliptic"
 	"fmt"
+	"testing"
+
 	"github.com/decred/dcrd/dcrec/secp256k1/v2"
 	"github.com/okx/threshold-lib/tss"
 	"github.com/okx/threshold-lib/tss/key/dkg"
-	"testing"
 )
 
 func TestRefresh(t *testing.T) {