Abstract
In a threshold symmetric-key encryption (\(\text {TSE}\)) scheme, encryption/decryption is performed by interacting with any threshold number of parties who hold parts of the secret keys. Security holds as long as the number of corrupt (possibly colluding) parties stays below the threshold. Recently, Agrawal et al. [CCS 2018] (alternatively called DiSE) initiated the study of \(\text {TSE}\). They proposed a generic \(\text {TSE}\) construction based on any distributed pseudorandom function (DPRF). Instantiating it with the DPRF constructions of Naor, Pinkas and Reingold [Eurocrypt 1999] (also called NPR), they obtained several efficient TSE schemes with various merits. However, their security models and corresponding analyses consider only static (and malicious) corruption, in that the adversary fixes the set of corrupt parties at the beginning of the execution, before acquiring any information (except the public parameters), and is not allowed to change it later.
In this work we augment the DiSE \(\text {TSE}\) definitions to the fully adaptive (and malicious) setting, in that the adversary is allowed to corrupt parties dynamically at any time during the execution. The adversary may choose to corrupt a party depending on the information acquired thus far, as long as the total number of corrupt parties stays below the threshold. We also augment DiSE’s DPRF definitions to support adaptive corruption. We show that their generic \(\text {TSE}\) construction, when instantiated with an adaptive DPRF (satisfying our definition), meets our adaptive \(\text {TSE}\) definitions.
We provide an efficient instantiation of the adaptive DPRF, proven secure under the decisional Diffie-Hellman (DDH) assumption in the random oracle model. Our construction borrows ideas from Naor, Pinkas and Reingold’s [Eurocrypt 1999] statically secure DDH-based DPRF (used in DiSE) and Libert, Joye and Yung’s [PODC 2014] adaptively secure threshold signature. Similar to DiSE, we also give an extension satisfying a strengthened adaptive DPRF definition, which in turn yields a stronger adaptive \(\text {TSE}\) scheme. For that, we construct a simple and efficient adaptive NIZK protocol for proving a specific commit-and-prove style statement in the random oracle model assuming DDH.
Notes
1. We note that DiSE’s definition has a weak form of adaptivity, in that the corrupt set can be decided depending on the public parameters (but nothing else). Moreover, we do not have an adaptive attack against their scheme; instead, their proof seems to rely crucially on the non-adaptivity.
2. We remark that adaptive security is generically achieved from statically secure schemes using a standard complexity leveraging argument, in particular, just by guessing the corrupt set ahead of time. When \(\binom{n}{t}\) is super-polynomial (in the security parameter), this technique naturally incurs a super-polynomial blow-up, for which super-polynomially hard assumptions are required. In contrast, all our constructions are based on polynomially hard assumptions.
3. A privately verifiable version, similar to Figure 6 of [7], can be constructed analogously with similar efficiency. We do not elaborate on that.
4. Note that we assume a stronger erasure-free adaptive model, in that each party keeps its entire history from the beginning of the execution in its internal state. Therefore, when the adversary corrupts a party, it gets access to the entire history. This compels the reduction to “explain” its earlier simulation of that party, before it was corrupt. In a weaker model, which assumes erasure, parties periodically remove their history.
5. Note that j can be either honest or corrupt here. So both types of encryption queries are captured.
6. Groth et al. [21] alternatively call them zero-knowledge in the erasure-free model.
References
Dyadic Security. https://www.dyadicsec.com
Porticor Cloud Security. Acquired by Intuit. http://www.porticor.com/
Sepior. https://sepior.com
Vault by HashiCorp. https://www.vaultproject.io/
Abdalla, M., Miner, S., Namprempre, C.: Forward-secure threshold signature schemes. In: Naccache, D. (ed.) CT-RSA 2001. LNCS, vol. 2020, pp. 441–456. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45353-9_32
Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetric-key encryption. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1993–2010. ACM Press, October 2018
Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetric-key encryption. Cryptology ePrint Archive, report 2018/727 (2018). https://eprint.iacr.org/2018/727
Bendlin, R., Damgård, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_13
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3
Boneh, D., Boyen, X., Halevi, S.: Chosen ciphertext secure public key threshold encryption without random oracles. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 226–243. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_15
Boneh, D., et al.: Threshold cryptosystems from threshold fully homomorphic encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 565–596. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_19
Canetti, R., Goldwasser, S.: An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack (extended abstract). In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 90–106. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_7
Damgård, I., Keller, M.: Secure multiparty AES. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 367–374. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_31
Damgård, I., Koprowski, M.: Practical threshold RSA signatures without a trusted dealer. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 152–165. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_10
De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: 26th ACM STOC, pp. 522–533. ACM Press, May 1994
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Gennaro, R., Halevi, S., Krawczyk, H., Rabin, T.: Threshold RSA for dynamic and ad-hoc groups. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 88–107. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_6
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_31
Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 430–443. ACM Press, October 2016
Groth, J., Ostrovsky, R., Sahai, A.: New techniques for noninteractive zero-knowledge. J. ACM 59(3), 11:1–11:35 (2012)
Kocher, P., et al.: Spectre attacks: exploiting speculative execution. Commun. ACM 63(7), 93–101 (2020)
Libert, B., Joye, M., Yung, M.: Born and raised distributively: fully distributed non-interactive adaptively-secure threshold signatures with short shares. In: Halldórsson, M.M., Dolev, S. (eds.) 33rd ACM PODC, pp. 303–312. ACM, July 2014
Libert, B., Joye, M., Yung, M.: Born and raised distributively: fully distributed non-interactive adaptively-secure threshold signatures with short shares. Theor. Comput. Sci. 645, 1–24 (2016)
Libert, B., Stehlé, D., Titiu, R.: Adaptively secure distributed PRFs from LWE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 391–421. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_15
Lipp, M., et al.: Meltdown: reading kernel memory from user space. Commun. ACM 63(6), 46–56 (2020)
Mukherjee, P.: Adaptively secure threshold symmetric-key encryption. Cryptology ePrint Archive, report 2020/1329 (2020). To appear in Indocrypt 2020. https://eprint.iacr.org/2020/1329
Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_23
Rotaru, D., Smart, N.P., Stam, M.: Modes of operation suitable for computing on encrypted data. Cryptology ePrint Archive, report 2017/496 (2017). http://eprint.iacr.org/2017/496
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002). https://doi.org/10.1007/s00145-001-0020-9
Appendix
A Our Adaptive Non-interactive Zero-Knowledge
Here we show a simple and efficient construction of adaptive NIZK for the specific commit-and-prove statement required for our construction \( \mathrm {\Pi }_\mathsf{str\text {-}adap}\). We provide the relevant definitions in the full version [27].
Consider a group G of prime order p in which the discrete logarithm problem is hard, and let g be a generator. Let \(\mathsf {SCom}:=(\mathsf {Setup}_{\mathsf {com}}, \mathsf {Com})\) be Pedersen’s commitment scheme, where \(\mathsf {Setup}_{\mathsf {com}}\) returns (g, h) such that \(h = g^x\) and \(\mathsf {Com}(m;r):=g^m h^r\). It is easy to see that this is a statistically hiding commitment scheme. Let \(\mathcal {H}:\{0,1\}^*\rightarrow G^2\) and \(\mathcal {H}':\{0,1\}^*\rightarrow \mathbb {Z}_p\) be hash functions modeled as random oracles. We construct a NIZK proof system for the relation \({R}_\mathsf{com\text {-}prov}= \{(x,z,c_1,c_2)~:~\exists ~(k_1,k_2,\rho _1,\rho _2)~\text {such that}~\forall ~i\in \{1,2\},~c_i = \mathsf {Com}(k_i;\rho _i)~\text {and}~z = w_1^{k_1}w_2^{k_2}~\text {where}~(w_1,w_2) :=\mathcal {H}(x)\}\).
The main idea is to use Schnorr’s proof [30] along with the Fiat-Shamir transformation [17]. Recall that the Schnorr proof system can be used to prove knowledge of an exponent, in this case knowledge of \(k_1,k_2\) for which \(z = w_1^{k_1}w_2^{k_2}\). Nevertheless, this does not prove anything about the individual \(k_i\). Separately, the commitments, when instantiated with Pedersen’s scheme, can also be thought of as encoding knowledge of the exponents \(k_1,\rho _1\) and \(k_2,\rho _2\) individually, and this knowledge can be proven using a Schnorr-like scheme; this is possible due to the homomorphic property of the commitment scheme, by which \(\mathsf {Com}(m_1;r_1)\) and \(\mathsf {Com}(m_2;r_2)\) can be combined to produce the commitment \(\mathsf {Com}(m_1+m_2; r_1+r_2)\). These two separate proofs are bound together (that is, the same \(k_i\) are used in both) by using the same challenge \(e\) for verification.
\({\text {Prove}}^{\mathcal {H},\mathcal {H}'}((x,z,c_1,c_2),(k_1,k_2,\rho _1,\rho _2))\): The prover works as follows:
- Sample randomness \(v_1,v_2,\hat{v}_1,\hat{v}_2\) from \(\mathbb {Z}_p\).
- Let \((w_1,w_2) :=\mathcal {H}(x)\).
- Compute \(t:=w_1^{v_1}w_2^{v_2}\); \(\hat{t}_1 :=\mathsf {Com}(v_1;\hat{v}_1)\) and \(\hat{t}_2 :=\mathsf {Com}(v_2;\hat{v}_2)\).
- Generate the challenge (Fiat-Shamir) \(e:=\mathcal {H}'(t,\hat{t}_1,\hat{t}_2)\).
- Compute \(u_i :=v_i + ek_i\) and \(\hat{u}_i :=\hat{v}_i + e \rho _i\) for all \(i\in \{1,2\}\).
- Output \(\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\).
\(\mathsf {Verify}^{\mathcal {H},\mathcal {H}'}(s:=(x,z,c_1,c_2),\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2)))\): The verifier computes \((w_1,w_2):=\mathcal {H}(x)\) and then performs the following checks, outputting 1 if and only if all of them succeed, and 0 otherwise:
- \(e= \mathcal {H}'(t,\hat{t}_1,\hat{t}_2)\).
- \(w_1^{u_1}w_2^{u_2} = tz^e\).
- \(h^{\hat{u}_1}g^{u_1} = \hat{t}_1c_1^e\).
- \(h^{\hat{u}_2}g^{u_2} = \hat{t}_2c_2^e\).
Lemma 1
The above protocol is an adaptive NIZK argument system in the random oracle model assuming DDH.
Proof
Perfect completeness is obvious. Simulation soundness follows from a standard Fiat-Shamir rewinding argument in the ROM. We show adaptive zero-knowledge, for which we construct simulators \(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3\) as follows:
- \(\mathcal {S}_1\): This algorithm simulates fresh random oracle queries on x for \(\mathcal {H}\) by sampling \(\alpha ,\beta {\leftarrow }_{\$}\mathbb {Z}_p^2\), storing \((x,\alpha ,\beta )\) in table \(Q_1\) and finally returning the pair \((g^{\alpha },g^\beta )\). Furthermore, it also simulates fresh random oracle queries for \(\mathcal {H}'\) by returning a uniform random value in G and storing the input-output pair in \(Q_2\). Repeated queries are answered consistently using the tables \(Q_1,Q_2\). Furthermore, \(\mathcal {S}_1\) can be asked by \(\mathcal {S}_2\) or \(\mathcal {S}_3\) to program both \(\mathcal {H}\) and \(\mathcal {H}'\) with specific input-output pairs; if that pair is already defined (queried by \(\mathcal {A}\) earlier), then \(\mathcal {S}_1\) fails to program.
- \(\mathcal {S}_2\): This algorithm, on input \((x,z,c_1,c_2)\), works as follows:
  - sample uniform random \(e,u_1,u_2,\hat{u}_1,\hat{u}_2\) from \(\mathbb {Z}_p\) and define \(\rho _{\mathcal {S}}:=(e,u_1,u_2,\hat{u}_1,\hat{u}_2)\);
  - compute \((w_1,w_2):=\mathcal {H}(x)\);
  - set \(t :=w_1^{u_1}w_2^{u_2}z^{-e}\), \(\{\hat{t}_i:=h^{\hat{u}_i}g^{u_i}c_i^{-e}\}_{i\in \{1,2\}}\);
  - ask \(\mathcal {S}_1\) to program \(\mathcal {H}'\) for input \((t,\hat{t}_1,\hat{t}_2)\) and output \(e\);
  - return \(\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\).
- \(\mathcal {S}_3\): This algorithm, on input statement \((x,z,c_1,c_2)\), witness \((k_1,k_2,\rho _1,\rho _2)\), and \(\mathcal {S}_2\)’s randomness \(\rho _{\mathcal {S}}= (e,u_1,u_2,\hat{u}_1,\hat{u}_2)\), works as follows:
  - use \(\mathcal {S}_2((x,z,c_1,c_2);\rho _{\mathcal {S}})\) to generate \(\pi = ((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\) as above;
  - then compute \(v_i :=u_i - ek_i\) and \(\hat{v}_i :=\hat{u}_i - e\rho _i\) for \(i\in \{1,2\}\);
  - output \(r:=(v_1,v_2,\hat{v}_1,\hat{v}_2)\).
It is straightforward to see that the above simulators indeed satisfy the adaptive zero-knowledge property. This concludes the proof.
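As an added worked example (this is not code from the paper), the following Python implements the Prove and Verify algorithms of Appendix A together with the simulators \(\mathcal {S}_2\) and \(\mathcal {S}_3\) from the proof of Lemma 1, so that the completeness, soundness-style rejection and the "explain the coins" step can be exercised on a concrete instance. Everything not in the appendix is an assumption made here: the group is the quadratic residues modulo a small, seeded-random safe prime (so the subgroup order plays the role of p), SHA-256 stands in for the random oracles \(\mathcal {H}\) and \(\mathcal {H}'\), the oracle \(\mathcal {H}'\) is kept as a programmable table, and the helper names, sample label and sizes are constructed for the demonstration only.

```python
# Added example (not the paper's code): Schnorr + Pedersen commit-and-prove NIZK of Appendix A
# with Fiat-Shamir, plus simulators S_2 / S_3.  Toy safe-prime group and seeded coins:
# for a reproducible demonstration only, NOT for production use.
import hashlib
import random

_rng = random.Random(2020)  # constructed, deterministic coins for the demo


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin after trial division by a few small primes."""
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        y = pow(_rng.randrange(2, n - 1), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def _safe_prime(bits):
    """Return (P, Q) with P = 2Q + 1 both prime, so QR_P is a group of prime order Q."""
    while True:
        q = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = _safe_prime(80)  # toy parameters (assumption); Q is the "p" of the appendix
G = 4                   # 2^2 is a quadratic residue != 1, hence generates the order-Q subgroup
RO_TABLE = {}           # H' as a programmable random oracle: (t, t^1, t^2) -> e


def H(x):
    """Oracle H: {0,1}* -> G^2, hashing into QR_P by squaring (nobody knows log_g w_i)."""
    return tuple(pow(int.from_bytes(hashlib.sha256(tag + x).digest(), "big") % P, 2, P)
                 for tag in (b"w1|", b"w2|"))


def Hp(t, t1, t2):
    """Oracle H': challenge in Z_Q, lazily fixed via SHA-256 and remembered in the table."""
    key = (t, t1, t2)
    if key not in RO_TABLE:
        RO_TABLE[key] = int.from_bytes(hashlib.sha256(f"{t}|{t1}|{t2}".encode()).digest(), "big") % Q
    return RO_TABLE[key]


def program_Hp(key, e):
    """S_1's programming step: fails if this oracle point was already defined."""
    if key in RO_TABLE:
        raise RuntimeError("H' already defined on this input; simulator fails")
    RO_TABLE[key] = e


def setup_com():
    """Pedersen setup: (g, h) with h = g^x; the trapdoor x is discarded."""
    return G, pow(G, _rng.randrange(1, Q), P)


def com(h, m, r):
    """Com(m; r) = g^m h^r."""
    return pow(G, m, P) * pow(h, r, P) % P


def make_instance(h, x):
    """Constructed (statement, witness) in R_com-prov for a label x (bytes)."""
    k1, k2, r1, r2 = (_rng.randrange(Q) for _ in range(4))
    w1, w2 = H(x)
    z = pow(w1, k1, P) * pow(w2, k2, P) % P
    return (x, z, com(h, k1, r1), com(h, k2, r2)), (k1, k2, r1, r2)


def prove(h, stmt, wit, coins=None):
    """Prove^{H,H'}; coins=(v1, v2, v^1, v^2) may be supplied (used to check S_3)."""
    x, z, c1, c2 = stmt
    k1, k2, r1, r2 = wit
    v1, v2, vh1, vh2 = coins if coins else [_rng.randrange(Q) for _ in range(4)]
    w1, w2 = H(x)
    t = pow(w1, v1, P) * pow(w2, v2, P) % P
    th1, th2 = com(h, v1, vh1), com(h, v2, vh2)
    e = Hp(t, th1, th2)  # Fiat-Shamir challenge shared by both sub-proofs
    u1, u2 = (v1 + e * k1) % Q, (v2 + e * k2) % Q
    uh1, uh2 = (vh1 + e * r1) % Q, (vh2 + e * r2) % Q
    return (t, th1, th2), e, (u1, u2, uh1, uh2)


def verify(h, stmt, proof):
    """Verify^{H,H'}: the four checks of Appendix A; True iff all of them hold."""
    x, z, c1, c2 = stmt
    (t, th1, th2), e, (u1, u2, uh1, uh2) = proof
    w1, w2 = H(x)
    return (e == Hp(t, th1, th2)
            and pow(w1, u1, P) * pow(w2, u2, P) % P == t * pow(z, e, P) % P
            and pow(h, uh1, P) * pow(G, u1, P) % P == th1 * pow(c1, e, P) % P
            and pow(h, uh2, P) * pow(G, u2, P) % P == th2 * pow(c2, e, P) % P)


def simulate(h, stmt):
    """S_2: accepting proof without the witness, choosing e and the u's first and
    programming H'.  Uses c_i^{-e}, which is what the verification equations force."""
    x, z, c1, c2 = stmt
    e, u1, u2, uh1, uh2 = (_rng.randrange(Q) for _ in range(5))
    w1, w2 = H(x)
    t = pow(w1, u1, P) * pow(w2, u2, P) * pow(z, -e, P) % P
    th1 = pow(h, uh1, P) * pow(G, u1, P) * pow(c1, -e, P) % P
    th2 = pow(h, uh2, P) * pow(G, u2, P) * pow(c2, -e, P) % P
    program_Hp((t, th1, th2), e)
    return (t, th1, th2), e, (u1, u2, uh1, uh2)


def explain(wit, proof):
    """S_3: prover coins under which the honest Prove outputs exactly this simulated proof,
    i.e. the history an erasure-free adaptive corruption of the prover gets to see."""
    k1, k2, r1, r2 = wit
    _, e, (u1, u2, uh1, uh2) = proof
    return ((u1 - e * k1) % Q, (u2 - e * k2) % Q, (uh1 - e * r1) % Q, (uh2 - e * r2) % Q)
```

Calling `prove` and then `verify` on an instance from `make_instance` exercises completeness; verifying the same proof against a modified z, or a proof made with a witness for another label, is rejected by the second or third check. `simulate` produces an accepting proof from the statement alone by programming \(\mathcal {H}'\) at the point \((t,\hat{t}_1,\hat{t}_2)\), and re-running `prove` with the coins returned by `explain` reproduces that simulated proof bit for bit, which is the property the erasure-free adaptive model (Note 4) demands of the reduction.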
© 2020 Springer Nature Switzerland AG
Cite this paper
Mukherjee, P. (2020). Adaptively Secure Threshold Symmetric-Key Encryption. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds) Progress in Cryptology – INDOCRYPT 2020. INDOCRYPT 2020. Lecture Notes in Computer Science(), vol 12578. Springer, Cham. https://doi.org/10.1007/978-3-030-65277-7_21
DOI: https://doi.org/10.1007/978-3-030-65277-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65276-0
Online ISBN: 978-3-030-65277-7