Skip to main content
Springer Nature Link
Log in

ParaDiSE: Efficient Threshold Authenticated Encryption in Fully Malicious Model

  • Conference paper
  • First Online:
Progress in Cryptology – INDOCRYPT 2022 (INDOCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13774))

Included in the following conference series:

Abstract

Threshold cryptographic algorithms achieve robustness against key and access compromise by distributing secret keys among multiple entities. Most prior work focuses on threshold public-key primitives, despite extensive use of authenticated encryption in practice. Though the latter can be deployed in a threshold manner using multi-party computation (MPC), doing so incurs a high communication cost. In contrast, dedicated constructions of threshold authenticated encryption algorithms can achieve high performance. However to date, few such algorithms are known, most notably DiSE (distributed symmetric encryption) by Agrawal et al. (ACM CCS 2018). To achieve threshold authenticated encryption (TAE), prior work does not suffice, due to shortcomings in definitions, analysis, and design, allowing for potentially insecure schemes, an undesirable similarity between encryption and decryption, and insufficient understanding of the impact of parameters due to lack of concrete analysis. In response, we revisit the problem of designing secure and efficient TAE schemes. (1) We give new TAE security definitions in the fully malicious setting addressing the aforementioned concerns. (2) We construct efficient schemes satisfying our definitions and perform concrete and more modular security analyses. (3) We conduct an extensive performance evaluation of our constructions, against prior ones.

S. Agrawal, W. Dai and A. Luykx—Work done while at Visa Research.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Coinbase custody. custody.coinbase.com/. Use of secret sharing described in [9]

  2. Intel Software Guard Extensions. software.intel.com/en-us/sgx

  3. NIST tcg. csrc.nist.gov/Projects/threshold-cryptography

  4. Secure Enclave overview - Apple Support.support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/1/web/1

  5. Titan M makes Pixel 3 our most secure phone yet. www.blog.google/products/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet/

  6. TrustZone. developer.arm.com/ip-products/security-ip/trustzone

  7. Unbound Tech. www.unboundtech.com/. Use of MPC mentioned in [15]

  8. Vault Seal. www.vaultproject.io/docs/concepts/seal.html

  9. [Podcast] Institutional Cryptoasset Custody w/Sam McIngvale of Coinbase Custody - (Eps. 0028–0029), July 2019. blog.nomics.com/flippening/coinbase-custody-sam-mcingvale/

  10. Agrawal, S., Dai, W., Luykx, A., Mukerjee, P., Rindal., P.: ParaDiSE: efficient threshold authenticated encryption in fully malicious model. Cryptology ePrint Archive, Report 2022/1449 (2022). https://eprint.iacr.org/2022/1449

  11. Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetric-key encryption. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1993–2010. ACM Press, October 2018

    Google Scholar 

  12. Albrecht, M.R., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. Part I, volume 10031 of LNCS, pp. 191–219. Springer, Heidelberg (2016)

    Chapter  Google Scholar 

  13. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. Part I, volume 9056 of LNCS, pp. 430–454. Springer, Heidelberg (2015)

    Chapter  Google Scholar 

  14. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_6

    Chapter  MATH  Google Scholar 

  15. Archer, D.W., et al.: From keys to databases - real-world applications of secure multi-party computation. Comput. J. 61(12), 1749–1771 (2018)

    MathSciNet  Google Scholar 

  16. Barbosa, M., Farshim, P.: Indifferentiable authenticated encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. Part I, volume 10991 of LNCS, pp. 187–220. Springer, Heidelberg (2018)

    Chapter  Google Scholar 

  17. Bedrune, J.-B., Campana, G.: Everybody be cool, this is a robbery! www.sstic.org/media/SSTIC2019/SSTIC-actes/hsm/SSTIC2019-Article-hsm-campana_bedrune_neNSDyL.pdf

  18. Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: On-line ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640–679 (2012)

    Article  MathSciNet  MATH  Google Scholar 

  19. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

    Chapter  Google Scholar 

  20. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428

    Chapter  Google Scholar 

  21. Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10

    Chapter  MATH  Google Scholar 

  22. Bendlin, R., Damgård, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010)

    Google Scholar 

  23. Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23

    Chapter  Google Scholar 

  24. Boyko, V.: On the security properties of OAEP as an all-or-nothing transform. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 503–518. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_32

    Chapter  Google Scholar 

  25. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33

    Chapter  Google Scholar 

  26. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8

    Chapter  Google Scholar 

  27. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28

    Chapter  Google Scholar 

  28. Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1

    Chapter  Google Scholar 

  29. Dodis, Y., Sahai, A., Smith, A.: On perfect and adaptive security in exposure-resilient cryptography. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 301–324. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_19

    Chapter  MATH  Google Scholar 

  30. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for diffie-hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8

    Chapter  Google Scholar 

  31. Fouque, P.-A., Joux, A., Martinet, G., Valette, F.: Authenticated on-line encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24654-1_11

    Chapter  Google Scholar 

  32. Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_17

    Chapter  Google Scholar 

  33. Galindo, D., Liu, J., Ordean, M., Wong, J.-M.: Fully distributed verifiable random functions and their application to decentralised random beacons. Cryptology ePrint Archive, Report 2020/096 (2020). https://eprint.iacr.org/2020/096

  34. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_2

    Chapter  Google Scholar 

  35. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: TOPPSS: cost-minimal password-protected secret sharing based on threshold OPRF. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 39–58. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_3

    Chapter  Google Scholar 

  36. Jarecki, S., Liu, X.: Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 577–594. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_34

    Chapter  MATH  Google Scholar 

  37. Keller, M., Orsini, E., Rotaru, D., Scholl, P., Soria-Vazquez, E., Vivek, S.: Faster secure multi-party computation of AES and DES using lookup tables. In: ACNS (2017)

    Google Scholar 

  38. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S &P’19) (2019)

    Google Scholar 

  39. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)

    Google Scholar 

  40. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

    Chapter  Google Scholar 

  41. McGrew, D.A., Viega, J.: The security and performance of the galois/counter mode (GCM) of operation. In: INDOCRYPT (2004)

    Google Scholar 

  42. Micali, S., Sidney, R.: A simple method for generating and sharing pseudo-random functions, with applications to clipper-like key escrow systems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 185–196. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_15

    Chapter  Google Scholar 

  43. Mukherjee, P.: Adaptively secure threshold symmetric-key encryption. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 465–487. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_21

    Chapter  Google Scholar 

  44. Myers, S., Shull, A.: Practical revocation and key rotation. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 157–178. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_9

    Chapter  Google Scholar 

  45. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_23

    Chapter  Google Scholar 

  46. Rivest, R.L.: All-or-nothing encryption and the package transform. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 210–218. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052348

    Chapter  MATH  Google Scholar 

  47. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press, November 2002

    Google Scholar 

  48. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22

    Chapter  MATH  Google Scholar 

  49. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

    Chapter  Google Scholar 

  50. Salowey, J.A., McGrew, D., Choudhury, A.: AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288, August 2008

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Coinbase, San Jose, USA

    Shashank Agrawal

  2. Bain Capital Crypto, Foster, USA

    Wei Dai

  3. Google, Mountain View, USA

    Atul Luykx

  4. SupraOracles, San Francisco, USA

    Pratyay Mukherjee

  5. Visa Research, San Francisco, USA

    Peter Rindal

Authors
  1. Shashank Agrawal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wei Dai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Atul Luykx
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pratyay Mukherjee
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Peter Rindal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wei Dai .

Editor information

Editors and Affiliations

  1. University of Hyogo, Hyogo, Japan

    Takanori Isobe

  2. Indian Institute of Technology Madras, Chennai, India

    Santanu Sarkar

Appendices

Appendix

A Performance Experiments

We implement our protocols \(\textsf{TAE1}\) of Fig. 2 and \(\textsf{TAE}3\) of Fig. ?? and report on their performance. All performance results are obtained on a single laptop with an Intel i7 9th Gen (9740H) CPU and 16GB of RAM. Network communication was routed over local host with a theoretical bandwidth of 10Gbps and a measured latency of 0.1 milliseconds. Each party is run on a single thread.

Table 1 contains the results of two experiments. 1) peak encryptions per second each scheme can perform. In particular, 32 byte messages are repeatedly encrypted in an asynchronous manner, where a single party repeatedly initiates 10 batches of 128 encryptions which are processed concurrently. 2) latency of one encryption by running multiple encryptions one at a time in a sequential manner. We report the average time required to perform a single encryption.

We compare with the less secure DiSE schemes [11]. In particular, DiSE was proven secure in an arguably weaker model and does not provide a way to distinguish if the initiating party is performing an decryption or encryption query. We consider the pure symmetric-key based DiSE protocol DiSE1 which utilizes an AES/PRF based DPRF. Like our \(\textsf{TAE1}\) Protocol, DiSE1 does not guarantee that a ciphertext output by encryption is “well formed” if some of the parties behave maliciously. We also consider the DDH-key based DiSE protocol DiSE2 which utilizes ZK-proofs to ensure the correctness of any ciphertext output by the encryption procedure.

Our protocols are very competitive given the added security guarantees. Our symmetric-key based protocol \(\textsf{TAE1}\) achieves a throughput of 778 thousand encryptions per second for \(n=3,t=2\) while our public-key based protocol \(\textsf{TAE}3\) achieves 346 encryptions per second. This is approximately 0.7 times the throughput of the weaker DiSE protocol. We observe a similar relative performance for other parameter choices when t is close to n or 2. The largest differences occurs for our \(\textsf{TAE1}\) protocol when n is large and \(t\approx n/2\). This results in the largest relative communication overhead compared to DiSE1 due to their protocol achieving O(t) communication while ours achieves \(O{n\atopwithdelims ()t}\) which is maximized for \(t=n/2\).

With respect to encryption latency our protocols perform similarly well. Both \(\textsf{TAE1}\) and DiSE1 achieve a latency of 0.1 milliseconds for \(n=3,t=2\) which is effectively the network latency of just sending the messages. For the public-key based protocol we again observe that the DiSE2 protocol achieves times 0.7 times improvement in latency compared to our \(\textsf{TAE}3\) protocol. This added overhead consists of performing the additional threshold signature.

We argue that the presented performance evaluation shows that our protocols achieve highly practical performance. In particular, the majority of the practical applications of threshold authenticated encryption only require relatively small n, e.g. \(n\in \{3,4,5\}\). For this range of parameters both of our protocols are highly competitive with the DiSE protocols while providing stronger security guarantees. Our schemes also preserve the property that the network communication overhead is independent of the length of the message being encryption. This property is not enjoyed by generic MPC based approaches, e.g. [37].

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Agrawal, S., Dai, W., Luykx, A., Mukherjee, P., Rindal, P. (2022). ParaDiSE: Efficient Threshold Authenticated Encryption in Fully Malicious Model. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_2

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22912-1_2

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22911-4

  • Online ISBN: 978-3-031-22912-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics