Adaptively Secure Threshold Symmetric-Key Encryption

Abstract

In a threshold symmetric-key encryption (\(\text {TSE}\)) scheme, encryption/decryption is performed by interacting with any threshold number of parties who hold parts of the secret-keys. Security holds as long as the number of corrupt (possibly colluding) parties stay below the threshold. Recently, Agrawal et al. [CCS 2018] (alternatively called DiSE) initiated the study of \(\text {TSE}\). They proposed a generic \(\text {TSE}\) construction based on any distributed pseudorandom function (DPRF). Instantiating with DPRF constructions by Naor, Pinkas and Reingold [Eurocrypt 1999] (also called NPR) they obtained several efficient TSE schemes with various merits. However, their security models and corresponding analyses consider only static (and malicious) corruption, in that the adversary fixes the set of corrupt parties in the beginning of the execution before acquiring any information (except the public parameters) and is not allowed to change that later.

In this work we augment the DiSE \(\text {TSE}\) definitions to the fully adaptive (and malicious) setting, in that the adversary is allowed to corrupt parties dynamically at any time during the execution. The adversary may choose to corrupt a party depending on the information acquired thus far, as long as the total number of corrupt parties stays below the threshold. We also augment DiSE’s DPRF definitions to support adaptive corruption. We show that their generic \(\text {TSE}\) construction, when plugged-in with an adaptive DPRF (satisfying our definition), meets our adaptive \(\text {TSE}\) definitions.

We provide an efficient instantiation of the adaptive DPRF, proven secure assuming decisional Diffie-Hellman assumption (DDH), in the random oracle model. Our construction borrows ideas from Naor, Pinkas and Reingold’s [Eurocrypt 1999] statically secure DDH-based DPRF (used in DiSE) and Libert, Joye and Yung’s [PODC 2014] adaptively secure threshold signature. Similar to DiSE, we also give an extension satisfying a strengthened adaptive DPRF definition, which in turn yields a stronger adaptive \(\text {TSE}\) scheme. For that, we construct a simple and efficient adaptive NIZK protocol for proving a specific commit-and-prove style statement in the random oracle model assuming DDH.

Appendices

Appendix

A Our Adaptive Non-interactive Zero-Knowledge

Here we show a simple and efficient construction of adaptive NIZK for the specific commit-and-prove statement required for our construction \( \mathrm {\Pi }_\mathsf{str\text {-}adap}\). We provide the relevant definitions in the full version [27].

Consider a group G of prime order p where discrete log is hard. Let g be a generator. Let \(\mathsf {SCom}:=(\mathsf {Setup}_{\mathsf {com}}, \mathsf {Com})\) be a the Pederson’s commitment scheme where \(\mathsf {Setup}_{\mathsf {com}}\) returns (g, h) such that \(h = g^x\) and \(\mathsf {Com}(m;r):=g^m h^r\). It is easy to see that this is a statistically hiding commitment scheme. Let \(\mathcal {H}:\{0,1\}^\star \rightarrow G^2\) and \(\mathcal {H}':\{0,1\}^*\rightarrow \mathbb {Z}_p\) be hash functions modeled as random oracles. We construct a NIZK proof system for the relation \({R}_\mathsf{com\text {-}prov}= \{x,z,c_1,c_2~:~\exists ~(k_1,k_2,\rho _1,\rho _2)~\text {such that}~\forall ~i\in \{1,2\},~c_i = \mathsf {Com}(k_i;\rho _i)~\text {and}~z = w_1^{k_1}w_2^{k_2}~\text {where}~(w_1,w_2) :=\mathcal {H}(x)\}\).

The main idea is to use a Schnorr’s proof [30] along with Fiat-Shamir transformation [17]. Recall that, the Schnorr proof system can be used prove a knowledge of exponent, in this case knowledge of \(k_1,k_2\) for which \(z = w_1^{k_1}w_2^{k_2}\). Nevertheless, this does not prove anything about the individual \(k_i\). Separately, the commitment, when instantiated with Pederson’s, can also be thought of as knowledge of exponents of \(k_1,\rho _1\) and \(k_2,\rho _2\) individually and can be proven using Schnorr-like scheme–this is possible due to the homomorphic property of the commitment scheme, by which \(\mathsf {Com}(m_1;r_1)\) and \(\mathsf {Com}(m_2;r_2)\) can be combined to produce a commitment of \(\mathsf {Com}(m_1+m_2; r_1+r_2)\). These two separate proofs are bound together (that is, the same \(k_i\) are used) by using the same challenge \(e\) for verification.

\({\text {Prove}}^{\mathcal {H},\mathcal {H}'}((x,z,c_1,c_2),(k_1,k_2,\rho _1,\rho _2))\): The prover works as follows:

• Sample randomnesses \(v_1,v_2,\hat{v}_1,\hat{v}_2\) from \(\mathbb {Z}_p\).

• Let \((w_1,w_2) :=\mathcal {H}(x)\).

• Compute \(t:=w_1^{v_1}w_2^{v_2}\); \(\hat{t}_1 :=\mathsf {Com}(v_1;\hat{v}_1)\) and \(\hat{t}_2 :=\mathsf {Com}(v_2;\hat{v}_2)\).

• Generate the challenge (Fiat-Shamir) \(e:=\mathcal {H}'(t,\hat{t}_1,\hat{t}_2)\).

• Compute \(u_i :=v_i + ek_i\) and \(\hat{u}_i :=\hat{v}_i + e \rho _i\) for all \(i\in \{1,2\}\).

• Output \(\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\).

\(\mathsf {Verify}^{\mathcal {H},\mathcal {H}'}(s:=(x,z,c_1,c_2),\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\) The verifier computes \((w_1,w_2):=\mathcal {H}(x)\) and then checks the following and output 1 if and only if all of them succeeds, and 0 otherwise:

• \(e= \mathcal {H}'(t,\hat{t}_1,\hat{t}_2)\).

• \(w_1^{u_1}w_2^{u_2} = tz^e\).

• \(h^{\hat{u}_1}g^{u_1} = \hat{t}_1c_1^e\).

• \(h^{\hat{u}_2}g^{u_2} = \hat{t}_2c_2^e\).

Lemma 1

The above protocol is a adaptive NIZK argument system in the random oracle model assuming DDH.

Proof

Perfect completeness is obvious. The simulation soundness follows from a standard Fiat-Shamir rewinding argument in ROM. We show the adaptive zero-knowledge, for which we construct simulators \(\mathcal {S}_1,\mathcal {S}_2,\mathcal {S}_3\) as follows:

• This algorithm simulates fresh random oracle queries on x for \(\mathcal {H}\) by sampling \(\alpha ,\beta {\leftarrow }_{\$}\mathbb {Z}_p^2\), storing \((x,\alpha ,\beta )\) in table \(Q_1\) and finally returning the pair \((g^{\alpha },g^\beta )\). Furthermore, it also simulates fresh random oracle queries for \(\mathcal {H}'\) by returning a uniform random value in G and storing the input-output pair in \(Q_2\). Repeating queries are simulated using the tables \(Q,Q_2\) appropriately. Furthermore, \(\mathcal {S}_1\) can be asked by \(\mathcal {S}_2\) or \(\mathcal {S}_3\) to program both \(\mathcal {H}\), \(\mathcal {H}'\) with specific input-output pairs– if that pair is already defined (queried by \(\mathcal {A}\) earlier), then \(\mathcal {S}_1\) fails to program.

•  This algorithm, on input \((x,z,c_1,c_2)\) works as follows:

  • sample uniform random \(e,u_1,u_2,\hat{u}_1,\hat{u}_2\) from \(\mathbb {Z}_p\) and define \(\rho _{\mathcal {S}}:=(e,u_1,u_2,\hat{u}_1,\hat{u}_2)\);

  • compute \((w_1,w_2):=\mathcal {H}(x)\);

  • set \(t :=w_1^{u_1}w_2^{u_2}z^{-e}\), \(\{\hat{t}_i:=h^{\hat{u}_i}g^{u_i}c_i^{e}\}_{i\in \{1,2\}}\);

  • ask \(\mathcal {S}_1\) to program \(\mathcal {H}'\) for input \((t,\hat{t}_1,\hat{t}_2)\) and output \(e\);

  • returns \(\pi :=((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\).

• This algorithm, on input statement \((x,z,c_1,c_2)\), witness \((k_1,k_2,\rho _1,\rho _2)\), and \(\mathcal {S}_2\)’s randomness \(\rho _{\mathcal {S}}= (e,u_1,u_2,\hat{u}_1,\hat{u}_2)\) works as follows:

  • use \(\mathcal {S}_2((x,z,c_1,c_2);\rho _{\mathcal {S}})\) to generate \(\pi = ((t,\hat{t}_1,\hat{t}_2),e,(u_1,u_2,\hat{u}_1,\hat{u}_2))\) as above;

  • then compute \(v_i :=u_i - ek_i\) and \(\hat{v}_i :=\hat{u}_i - e\rho _i\) for \(i\in \{1,2\}\);

  • output \(r:=(v_1,v_2,\hat{v}_1,\hat{v}_2)\)

It is straightforward to see that the above simulators indeed satisfy the adaptive zero-knowledge property. This concludes the proof.