ParaDiSE: Efficient Threshold Authenticated Encryption in Fully Malicious Model

  • Conference paper
Progress in Cryptology – INDOCRYPT 2022 (INDOCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13774))

Abstract

Threshold cryptographic algorithms achieve robustness against key and access compromise by distributing secret keys among multiple entities. Most prior work focuses on threshold public-key primitives, despite extensive use of authenticated encryption in practice. Though the latter can be deployed in a threshold manner using multi-party computation (MPC), doing so incurs a high communication cost. In contrast, dedicated constructions of threshold authenticated encryption algorithms can achieve high performance. However, to date, few such algorithms are known, most notably DiSE (distributed symmetric encryption) by Agrawal et al. (ACM CCS 2018). To achieve threshold authenticated encryption (TAE), prior work does not suffice, due to shortcomings in definitions, analysis, and design, allowing for potentially insecure schemes, an undesirable similarity between encryption and decryption, and insufficient understanding of the impact of parameters due to lack of concrete analysis. In response, we revisit the problem of designing secure and efficient TAE schemes. (1) We give new TAE security definitions in the fully malicious setting addressing the aforementioned concerns. (2) We construct efficient schemes satisfying our definitions and perform concrete and more modular security analyses. (3) We conduct an extensive performance evaluation of our constructions, against prior ones.

S. Agrawal, W. Dai and A. Luykx—Work done while at Visa Research.

References

  1. Coinbase custody. custody.coinbase.com/. Use of secret sharing described in [9]

  2. Intel Software Guard Extensions. software.intel.com/en-us/sgx

  3. NIST tcg. csrc.nist.gov/Projects/threshold-cryptography

  4. Secure Enclave overview - Apple Support. support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/1/web/1

  5. Titan M makes Pixel 3 our most secure phone yet. www.blog.google/products/pixel/titan-m-makes-pixel-3-our-most-secure-phone-yet/

  6. TrustZone. developer.arm.com/ip-products/security-ip/trustzone

  7. Unbound Tech. www.unboundtech.com/. Use of MPC mentioned in [15]

  8. Vault Seal. www.vaultproject.io/docs/concepts/seal.html

  9. [Podcast] Institutional Cryptoasset Custody w/Sam McIngvale of Coinbase Custody - (Eps. 0028–0029), July 2019. blog.nomics.com/flippening/coinbase-custody-sam-mcingvale/

  10. Agrawal, S., Dai, W., Luykx, A., Mukherjee, P., Rindal, P.: ParaDiSE: efficient threshold authenticated encryption in fully malicious model. Cryptology ePrint Archive, Report 2022/1449 (2022). https://eprint.iacr.org/2022/1449

  11. Agrawal, S., Mohassel, P., Mukherjee, P., Rindal, P.: DiSE: distributed symmetric-key encryption. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 1993–2010. ACM Press, October 2018

  12. Albrecht, M.R., Grassi, L., Rechberger, C., Roy, A., Tiessen, T.: MiMC: efficient encryption and cryptographic hashing with minimal multiplicative complexity. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016, Part I. LNCS, vol. 10031, pp. 191–219. Springer, Heidelberg (2016)

  13. Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015)

  14. Andreeva, E., Bogdanov, A., Luykx, A., Mennink, B., Mouha, N., Yasuda, K.: How to securely release unverified plaintext in authenticated encryption. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 105–125. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_6

  15. Archer, D.W., et al.: From keys to databases - real-world applications of secure multi-party computation. Comput. J. 61(12), 1749–1771 (2018)

  16. Barbosa, M., Farshim, P.: Indifferentiable authenticated encryption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part I. LNCS, vol. 10991, pp. 187–220. Springer, Heidelberg (2018)

  17. Bedrune, J.-B., Campana, G.: Everybody be cool, this is a robbery! www.sstic.org/media/SSTIC2019/SSTIC-actes/hsm/SSTIC2019-Article-hsm-campana_bedrune_neNSDyL.pdf

  18. Bellare, M., Boldyreva, A., Knudsen, L.R., Namprempre, C.: On-line ciphers and the hash-CBC constructions. J. Cryptol. 25(4), 640–679 (2012)

  19. Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44448-3_41

  20. Bellare, M., Rogaway, P.: Optimal asymmetric encryption. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 92–111. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053428

  21. Bellare, M., Tackmann, B.: The multi-user security of authenticated encryption: AES-GCM in TLS 1.3. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 247–276. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_10

  22. Bendlin, R., Damgård, I.: Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 201–218. Springer, Heidelberg (2010)

  23. Boneh, D., Lewi, K., Montgomery, H., Raghunathan, A.: Key homomorphic PRFs and their applications. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_23

  24. Boyko, V.: On the security properties of OAEP as an all-or-nothing transform. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 503–518. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_32

  25. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33

  26. Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8

  27. Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28

  28. Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1

  29. Dodis, Y., Sahai, A., Smith, A.: On perfect and adaptive security in exposure-resilient cryptography. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 301–324. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_19

  30. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for diffie-hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_8

  31. Fouque, P.-A., Joux, A., Martinet, G., Valette, F.: Authenticated on-line encryption. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 145–159. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24654-1_11

  32. Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_17

  33. Galindo, D., Liu, J., Ordean, M., Wong, J.-M.: Fully distributed verifiable random functions and their application to decentralised random beacons. Cryptology ePrint Archive, Report 2020/096 (2020). https://eprint.iacr.org/2020/096

  34. Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_2

  35. Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: TOPPSS: cost-minimal password-protected secret sharing based on threshold OPRF. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 39–58. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_3

  36. Jarecki, S., Liu, X.: Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 577–594. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_34

  37. Keller, M., Orsini, E., Rotaru, D., Scholl, P., Soria-Vazquez, E., Vivek, S.: Faster secure multi-party computation of AES and DES using lookup tables. In: ACNS (2017)

  38. Kocher, P., et al.: Spectre attacks: exploiting speculative execution. In: 40th IEEE Symposium on Security and Privacy (S&P 2019) (2019)

  39. Lipp, M., et al.: Meltdown: reading kernel memory from user space. In: 27th USENIX Security Symposium (USENIX Security 18) (2018)

  40. Maurer, U., Renner, R., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_2

  41. McGrew, D.A., Viega, J.: The security and performance of the galois/counter mode (GCM) of operation. In: INDOCRYPT (2004)

  42. Micali, S., Sidney, R.: A simple method for generating and sharing pseudo-random functions, with applications to clipper-like key escrow systems. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 185–196. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_15

  43. Mukherjee, P.: Adaptively secure threshold symmetric-key encryption. In: Bhargavan, K., Oswald, E., Prabhakaran, M. (eds.) INDOCRYPT 2020. LNCS, vol. 12578, pp. 465–487. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65277-7_21

  44. Myers, S., Shull, A.: Practical revocation and key rotation. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 157–178. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_9

  45. Naor, M., Pinkas, B., Reingold, O.: Distributed pseudo-random functions and KDCs. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 327–346. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_23

  46. Rivest, R.L.: All-or-nothing encryption and the package transform. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 210–218. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052348

  47. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM CCS 2002, pp. 98–107. ACM Press, November 2002

  48. Rogaway, P.: Nonce-based symmetric encryption. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 348–358. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_22

  49. Rogaway, P., Shrimpton, T.: A provable-security treatment of the key-wrap problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 373–390. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_23

  50. Salowey, J.A., McGrew, D., Choudhury, A.: AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288, August 2008
Corresponding author

Correspondence to Wei Dai.

Appendix

A Performance Experiments

We implement our protocols \(\textsf{TAE1}\) of Fig. 2 and \(\textsf{TAE3}\) of Fig. ?? and report on their performance. All performance results are obtained on a single laptop with an Intel i7 9th Gen (9740H) CPU and 16 GB of RAM. Network communication was routed over localhost with a theoretical bandwidth of 10 Gbps and a measured latency of 0.1 milliseconds. Each party is run on a single thread.

Table 1 contains the results of two experiments:

  1. Peak encryptions per second each scheme can perform. In particular, 32-byte messages are repeatedly encrypted in an asynchronous manner, where a single party repeatedly initiates 10 batches of 128 encryptions which are processed concurrently.

  2. Latency of one encryption, measured by running multiple encryptions one at a time in a sequential manner. We report the average time required to perform a single encryption.
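The two measurement modes above (batched concurrent requests for peak throughput, strictly sequential requests for latency) are easy to conflate, so here is an added Python harness that separates them. It is not the paper's benchmark code: `stand_in_encrypt` is a constructed placeholder (a keyed hash plus a simulated 0.1 ms round trip, the loopback latency the appendix reports), and the batch and message sizes are taken from the appendix's description.

```python
import os
import time
from concurrent.futures import ThreadPoolExecutor
from hashlib import blake2b

# Constructed stand-in for one threshold encryption request. It is NOT a TAE
# scheme: a keyed hash plays the role of the local work and a 0.1 ms sleep
# stands in for waiting on the other parties (assumption, matching the
# loopback latency reported in the appendix). Swap in the real protocol call.
_STANDIN_KEY = b"constructed-demo-key-not-secret"


def stand_in_encrypt(msg: bytes) -> bytes:
    time.sleep(0.0001)  # simulated network round trip (assumption)
    return blake2b(msg, key=_STANDIN_KEY, digest_size=32).digest()


def throughput_experiment(encrypt, batches=10, batch_size=128,
                          msg_len=32, workers=16):
    """Experiment 1: a single initiator issues `batches` batches of
    `batch_size` encryptions; requests within a batch are in flight
    concurrently. Returns (total_encryptions, encryptions_per_second)."""
    msgs = [os.urandom(msg_len) for _ in range(batch_size)]  # constructed inputs
    completed = 0
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for _ in range(batches):
            # pool.map blocks until the whole batch has completed
            completed += sum(1 for _ in pool.map(encrypt, msgs))
    elapsed = time.perf_counter() - start
    return completed, completed / elapsed


def latency_experiment(encrypt, trials=200, msg_len=32):
    """Experiment 2: encryptions one at a time, never overlapping.
    Returns the mean seconds per encryption."""
    msg = os.urandom(msg_len)  # constructed input
    start = time.perf_counter()
    for _ in range(trials):
        encrypt(msg)
    return (time.perf_counter() - start) / trials


if __name__ == "__main__":
    n_done, per_sec = throughput_experiment(stand_in_encrypt)
    lat = latency_experiment(stand_in_encrypt)
    print(f"throughput: {n_done} encryptions at {per_sec:,.0f}/s")
    print(f"latency: {lat * 1e3:.3f} ms per encryption")
```

With the sleeping stand-in the throughput figure exceeds `1 / latency` because in-flight requests overlap; with a purely CPU-bound stand-in under CPython's GIL it would not, which is exactly why the two numbers have to be measured separately.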

We compare with the less secure DiSE schemes [11]. In particular, DiSE was proven secure in an arguably weaker model and does not provide a way to distinguish whether the initiating party is performing a decryption or an encryption query. We consider the pure symmetric-key based DiSE protocol DiSE1, which utilizes an AES/PRF-based DPRF. Like our \(\textsf{TAE1}\) protocol, DiSE1 does not guarantee that a ciphertext output by encryption is “well formed” if some of the parties behave maliciously. We also consider the DDH-key based DiSE protocol DiSE2, which utilizes zero-knowledge proofs to ensure the correctness of any ciphertext output by the encryption procedure.

Our protocols are very competitive given the added security guarantees. Our symmetric-key based protocol \(\textsf{TAE1}\) achieves a throughput of 778 thousand encryptions per second for \(n=3,t=2\), while our public-key based protocol \(\textsf{TAE3}\) achieves 346 encryptions per second. This is approximately 0.7 times the throughput of the weaker DiSE protocol. We observe a similar relative performance for other parameter choices when t is close to n or 2. The largest difference occurs for our \(\textsf{TAE1}\) protocol when n is large and \(t\approx n/2\). This setting gives the largest relative communication overhead compared to DiSE1, since their protocol achieves O(t) communication while ours achieves \(O\big(\binom{n}{t}\big)\), which is maximized for \(t=n/2\).
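To make the communication argument above concrete, here is an added Python sweep that is not part of the paper: it models DiSE1 as O(t) and \(\textsf{TAE1}\) as \(O(\binom{n}{t})\) messages per encryption, with the unknown leading constants assumed to be 1, and finds the threshold at which the \(\textsf{TAE1}\) term peaks. It generalizes the text's single observation to arbitrary n, so only the shape of the curves is meaningful, not the absolute message counts.

```python
from math import comb

# Constructed cost model from the appendix's asymptotics: DiSE1 sends O(t)
# messages per encryption, TAE1 sends O(C(n, t)). The leading constants are
# not given on the page and are ASSUMED to be 1 here.


def dise1_messages(n: int, t: int) -> int:
    """Modelled per-encryption communication of DiSE1 (assumed constant 1)."""
    return t


def tae1_messages(n: int, t: int) -> int:
    """Modelled per-encryption communication of TAE1 (assumed constant 1)."""
    return comb(n, t)


def relative_overhead(n: int, t: int) -> float:
    """TAE1 communication divided by DiSE1 communication for the same (n, t)."""
    return tae1_messages(n, t) / dise1_messages(n, t)


def worst_threshold(n: int) -> int:
    """Threshold t in 2..n at which TAE1's C(n, t) term is largest, i.e. the
    parameter choice the appendix singles out (t close to n/2). On a tie the
    smaller t is returned, e.g. n=5 gives 2 because C(5,2) == C(5,3)."""
    return max(range(2, n + 1), key=lambda t: tae1_messages(n, t))


def sweep(ns=(3, 4, 5, 8, 16)):
    """For each n: relative overhead at t=2, at t=n-1 (close to n), and at
    the worst-case t. Returns a list of (n, at_2, at_n_minus_1, t_worst,
    at_worst) tuples so callers can format or plot them."""
    rows = []
    for n in ns:
        tw = worst_threshold(n)
        rows.append((n,
                     relative_overhead(n, 2),
                     relative_overhead(n, n - 1),
                     tw,
                     relative_overhead(n, tw)))
    return rows


if __name__ == "__main__":
    print(f"{'n':>3} {'t=2':>8} {'t=n-1':>8} {'t*':>3} {'t=t*':>10}")
    for n, a2, an, tw, aw in sweep():
        print(f"{n:>3} {a2:>8.2f} {an:>8.2f} {tw:>3} {aw:>10.2f}")
```

For the small deployments the appendix calls typical, n in {3, 4, 5}, the modelled ratio stays at a few messages, whereas for n = 16 at t = 8 the binomial term dominates; this is the regime in which the appendix reports the largest gap to DiSE1.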

With respect to encryption latency, our protocols perform similarly well. Both \(\textsf{TAE1}\) and DiSE1 achieve a latency of 0.1 milliseconds for \(n=3,t=2\), which is effectively the network latency of just sending the messages. For the public-key based protocol we again observe that the DiSE2 protocol achieves a 0.7 times improvement in latency compared to our \(\textsf{TAE3}\) protocol. This added overhead consists of performing the additional threshold signature.

We argue that the presented performance evaluation shows that our protocols achieve highly practical performance. In particular, the majority of the practical applications of threshold authenticated encryption only require relatively small n, e.g. \(n\in \{3,4,5\}\). For this range of parameters both of our protocols are highly competitive with the DiSE protocols while providing stronger security guarantees. Our schemes also preserve the property that the network communication overhead is independent of the length of the message being encrypted. This property is not enjoyed by generic MPC-based approaches, e.g. [37].

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Agrawal, S., Dai, W., Luykx, A., Mukherjee, P., Rindal, P. (2022). ParaDiSE: Efficient Threshold Authenticated Encryption in Fully Malicious Model. In: Isobe, T., Sarkar, S. (eds) Progress in Cryptology – INDOCRYPT 2022. INDOCRYPT 2022. Lecture Notes in Computer Science, vol 13774. Springer, Cham. https://doi.org/10.1007/978-3-031-22912-1_2

  • DOI: https://doi.org/10.1007/978-3-031-22912-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22911-4

  • Online ISBN: 978-3-031-22912-1

  • eBook Packages: Computer Science (R0)
