Abstract
Distributed parameter and key generation plays a fundamental role in cryptographic applications and is motivated by the need to relax the trust assumption on a single authority that is responsible for producing the necessary keys for cryptographic algorithms to operate. There are many well-studied distributed key generation protocols for the discrete logarithm problem. In this paper, building upon previous distributed key generation protocols for discrete logarithms, we provide two new building blocks that can be used in a sequential fashion to derive distributed parameter generation protocols for a class of problems in the bilinear group setting, most notably the n-Bilinear Diffie Hellman Exponentiation problem. Based on this we present new applications in distributed multi-party oriented cryptographic schemes, including decentralized broadcast encryption, revocation systems and identity based encryption.
References
Abe, M.: Robust distributed multiplication without interaction. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 130–147. Springer, Heidelberg (1999)
Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988 (1988)
Benaloh, J.C., Yung, M.: Distributing the power of a government to enhance the privacy of voters. In: PODC 1986, pp. 52–62. ACM, New York (1986)
Blakley, G.: Safeguarding cryptographic keys. In: AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Monval (1979)
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. IACR Cryptology ePrint Archive 2005, 15 (2005)
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
Canny, J., Sorkin, S.: Practical large-scale distributed key generation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 138–152. Springer, Heidelberg (2004)
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC 1988, pp. 11–19. ACM, New York (1988)
Chu, C.-K., Weng, J., Chow, S.S.M., Zhou, J., Deng, R.H.: Conditional proxy broadcast re-encryption. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 327–342. Springer, Heidelberg (2009)
Cramer, R., Fehr, S.: Optimal black-box secret sharing over arbitrary abelian groups. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 272–287. Springer, Heidelberg (2002)
Cramer, R., Fehr, S., Stam, M.: Black-box secret sharing from primitive sets in algebraic number fields. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 344–360. Springer, Heidelberg (2005)
De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, STOC 1994, pp. 522–533. ACM, New York (1994)
Desmedt, Y.G., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990)
Desmedt, Y.G., Frankel, Y.: Perfect homomorphic zero-knowledge threshold schemes over any finite abelian group (1994)
Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: FOCS 1987. IEEE Computer Society (1987)
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)
Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: STOC 1998, pp. 663–672. ACM, New York (1998)
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007)
Gennaro, R., Raimondo, M.D.: Secure multiplication of shared secrets in the exponent. Inf. Process. Lett. 96(2), 71–79 (2005)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
Izabachène, M., Libert, B., Vergnaud, D.: Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 431–450. Springer, Heidelberg (2011)
Jarecki, S.: Efficient Threshold Cryptosystems. Ph.D. thesis, MIT (2001)
Kate, A., Goldberg, I.: Distributed private-key generators for identity-based cryptography. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 436–453. Springer, Heidelberg (2010)
Kiayias, A., Xu, S., Yung, M.: Privacy preserving data mining within anonymous credential systems. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 57–76. Springer, Heidelberg (2008)
Lewko, A., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: SP 2010, pp. 273–285. IEEE Computer Society, Washington, DC (2010)
Liu, Z., Li, J., Chen, X., Yang, J., Jia, C.: TMDS: thin-model data sharing scheme supporting keyword search in cloud storage. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 115–130. Springer, Heidelberg (2014)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)
Phan, D.H., Pointcheval, D., Strefler, M.: Decentralized dynamic broadcast encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 166–183. Springer, Heidelberg (2012)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Wu, Q., Mu, Y., Susilo, W., Qin, B., Domingo-Ferrer, J.: Asymmetric group key agreement. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 153–170. Springer, Heidelberg (2009)
Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J.: Ad hoc broadcast encryption. In: CCS 2010 (2010)
Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J.: Fully distributed broadcast encryption. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 102–119. Springer, Heidelberg (2011)
Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., Farràs, O.: Bridging broadcast encryption and group key agreement. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 143–160. Springer, Heidelberg (2011)
Acknowledgment
The first author was supported by the ERC project CODAMODA and the project FINER of the Greek Secretariat of Research and Technology.
A Appendix
A.1 Preliminaries
Parties (Servers and an Adversary): Let \(\mathcal {P}=\{1,..,n\}\) be the set of parties. Each party \(i\in \mathcal {P}\) is assumed to be a probabilistic polynomial-time Turing machine. Up to t of these parties are corrupt and completely controlled by a static, active adversary.
Input and Output: Each party is given private and public input. The input of each party includes the number of parties n. At the end of the computation each party will produce private and public output that should be equal among all honest parties (global public output). The private input of corrupted servers as well as the public input is given to the adversary at the start of the protocol.
Communication Model: We assume that communication is synchronous and that protocol execution proceeds in rounds. In each round, each party uses its current state and the full history of communication from all previous rounds to produce two types of messages for the other parties: (1) private messages, sent over a private channel network in which a message is assured of being delivered within a fixed period; the network is assumed to be secure and complete, that is, every pair of parties is connected by an untappable and mutually authenticated channel; (2) a broadcast message that is delivered to all parties at the beginning of the next round. In each round a party produces private messages for all other parties as well as a public broadcast message.
Adversarial Operation: In each round, after the adversary sees all broadcast messages and the private messages that honest parties sent to corrupted parties, it sends the corrupted parties' public and private messages, depending on those received messages (public and private) as well as all information the corrupted parties have accumulated from previous rounds.
Computational Assumption: We use large primes p, q that satisfy \(q|p-1\). We denote by G the subgroup of elements of order q in \(Z^{*}_p\). It is assumed that solving the discrete logarithm problem in G is intractable.
Feldman’s Verifiable Secret Sharing (FVSS): FVSS [17] tolerates a malicious adversary that corrupts up to \(\frac{n-1}{2}\) parties, including the dealer. The dealer generates a random t-degree polynomial \(f(\cdot)\) with \(f(0)=x\), the secret value, and sends to each party i the share \(s_{i}=f(i)\) mod q. The dealer also broadcasts the values \(V_{k}=g^{a_{k}}\), where \(a_{k}\) is the kth coefficient of \(f(\cdot)\), \(k=0,...,t\). These allow the parties to check that the values \(s_{i}\) really define a secret by verifying \(g^{s_{i}}=\prod _{k=0}^{t} V_{k}^{i^{k}}\) mod p \((\mathbf{Eq. 1 })\). If this equation is not satisfied, party i complains and asks the dealer to reveal its share. If more than t parties complain, the dealer is clearly bad and is disqualified. Otherwise, the dealer reveals the share \(s_{i}\) matching \(\mathbf{Eq. 1 }\) for each complaining party i. \(\mathbf{Eq. 1 }\) also allows detection of incorrect shares \(s'_{i}\) at reconstruction time. Notice that the secret is only computationally protected, since the value \(g^{a_{0}}=g^{x}\) is leaked. However, it can be shown that an adversary that learns t or fewer shares cannot obtain any information on the secret x beyond what can be derived from \(g^{x}\). We will use the following notation to describe the execution of an FVSS protocol: \(FVSS\left( x\right) \left( g\right) \xrightarrow {f,n,t} \left( s_{i}\right) \left( V_{k}\right) \), \(k=0,...,t\).
Pedersen’s Verifiable Secret Sharing (PVSS): We now recall a VSS protocol that provides information-theoretic secrecy for the shared secret, in contrast to FVSS, which leaks the value \(g^{x}\). PVSS [29] uses the parameters p, q, g as defined for FVSS. In addition, it uses an element \(h\in Z_{p}^{*}\) that belongs to the subgroup generated by g and whose discrete log in base g is unknown (and assumed hard to compute). The dealer first chooses two random t-degree polynomials \(f(\cdot), f'(\cdot)\) with coefficients in \(Z_{q}\), subject to \(f(0)=x\), the secret. The dealer sends to each party i the values \(x_{i}=f(i)\) mod q and \(x'_{i}=f'(i)\) mod q. The dealer then commits to the coefficients of f and \(f'\) by publishing the values \(V_{k}=g^{a_{k}}h^{b_{k}}\), where \(a_{k}\) (resp. \(b_{k}\)) is the kth coefficient of f (resp. \(f'\)). This allows the parties to verify the received shares by checking that \(g^{x_{i}}h^{x'_{i}}=\prod _{k=0}^{t} V_{k}^{i^{k}}\) mod p \((\mathbf{Eq. 2 })\). Parties whose shares do not satisfy \(\mathbf{Eq. 2 }\) broadcast a complaint. If more than t parties complain, the dealer is disqualified. Otherwise the dealer broadcasts the values \(x_{i}\) and \(x'_{i}\) matching the equation for each complaining party i. At reconstruction time the parties are required to reveal both \(x_{i}\) and \(x'_{i}\), and \(\mathbf{Eq. 2 }\) is used to validate the shares. Indeed, it can be shown that in order to have an incorrect share accepted at reconstruction time, party i would have to compute the discrete log of h in base g. Notice that the secret is unconditionally protected, since the only value revealed about it is \(V_{0}=g^{a_{0}}h^{b_{0}}=g^{x}h^{b_{0}}\) (for any value \(\tilde{x}\) there is exactly one value \(\tilde{b}\) such that \(V_{0}=g^{\tilde{x}}h^{\tilde{b}}\), so \(V_{0}\) gives no information on x).
We will use the following notation to denote an execution of PVSS: \(PVSS\left( x,x'\right) \left( g,h\right) \xrightarrow {f,f',n,t} \left( x_{i},x'_{i}\right) \left( V_{k}\right) \) \((\mathbf{Eq. 3 })\), \(k=0,...,t\).
Bilinear Maps: Let G and \(G'\) be two multiplicative cyclic groups of prime order q, and let g be a generator of G. A bilinear map is a map \(e:G \times G \rightarrow G'\) with the following properties: (1) bilinearity: for all \(u,v \in G\) and \(a,b \in Z\), we have \(e\left( u^{a},v^{b}\right) = e\left( u,v\right) ^{ab}\); (2) non-degeneracy: \(e\left( g,g\right) \not =1\).
A.2 Proof of Theorem 2
Definition 7 (t-Secure Distributed n-BDHE Protocol).
\({D}^{n-BDHE }\) is a sequential composition of 2n n-party protocols, each of which generates one instance of an n-BDHE parameter. Each party takes the public parameter set PP as input and sequentially outputs \(n-BDHE =\left( g_{1},..,g_{n},g_{n+2},..,g_{2n}\right) \), where \(g_{i}=g^{x^{i}}\) for some random value x, in the presence of at most t corrupted parties. A t-secure distributed n-BDHE protocol satisfies the following properties, adapted from [20]:
Correctness: (1) x is uniformly distributed in \(Z_{q}\); (2) All subsets of \(t+1\) shares provided by honest players define the same unique secret key x; (3) All honest parties have the same public values \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\); (4) If at least \(2t+1\) parties follow the protocol, shares are accepted with probability 1.
Secrecy: No information on x can be learned by the adversary except for what is implied by the values \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\). More formally, we state this condition in terms of simulatability: for every PPT adversary \(\mathcal {A}\) that corrupts up to t parties, there exists a PPT simulator \(\mathcal {S}\) such that, on input the elements \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\), it produces an output distribution that is polynomially indistinguishable from \(\mathcal {A}\)’s view (Definition 1) of a run of the n-BDHE protocol that ends with \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\) as its public key output.
Proof
Correctness: The correctness properties (1), (2), (3) for \(g_{1}\) can be shown by following [20]. The other instances \(g_{2},..,g_{n}\) are obtained in the presence of at least \(t+1\) honest parties, who use their shares \(x_{i}\) of the secret to recover the value x in the exponent sequentially: each party raises the current element to its share \(x_{i}\), and the contributions are combined by Lagrange interpolation in the exponent. Each contribution \(g_{i}^{x_{j}}\), \(i=1,2,..,n\), can be verified publicly using the bilinear map. To show that the value \(g_{n+2}\) is obtained from \(g_{n}\) by any \(t+1\) honest parties, at least \(2t+1\) parties that follow the \(\mathcal {RECSQ}\) sub-protocol are needed. The argument proceeds as in [1] (Lemma 2); the difference is that we have \(x^{2}\) in the exponent. To handle this, the parties run one more PVSS and one more FVSS to show that they share the correct values of their \(c_{i}\)s in the exponent, using g and \(g_{n}\) as the bases. The other instances \(g_{n+2},..,g_{2n}\) can also be obtained in the same way with at least \(t+1\) honest parties.
Secrecy: It follows from Theorem 1 since it is the special protocol of \(\varUpsilon _{\mathcal {A}}^{GSuite}\). \(\square \)
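As an added worked example (not code from the paper), the following Python implements the FVSS and PVSS dealing and share checks (Eq. 1 and Eq. 2) from A.1 together with the sequential exponent step used in the correctness argument above: given \(g^{x^{k}}\) and t+1 Feldman shares, Lagrange interpolation in the exponent yields \(g^{x^{k+1}}\) without anyone learning x. The group (p = 1019, q = 509, g = 4) and the element h are constructed toy parameters, and the public bilinear-map check of each contribution is not modelled here.

```python
import math
import random

# Constructed toy Schnorr group: p = 2q + 1 = 1019, q = 509, both prime; G = 4 is a
# quadratic residue and therefore generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4
H = pow(G, 123, P)  # demo assumption only: in practice nobody may know log_G(H)

def poly_eval(coeffs, i):
    """f(i) = sum_k coeffs[k] * i^k mod q; coeffs[0] is the shared secret."""
    return sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q

def commit_product(i, commits):
    """Right-hand side of Eq. 1 / Eq. 2: prod_k V_k^{i^k} mod p."""
    return math.prod(pow(v, pow(i, k, Q), P) for k, v in enumerate(commits)) % P

def lagrange(i, idx):
    """Lagrange coefficient of index i at 0 for the index set idx, over Z_q."""
    return math.prod(j * pow((j - i) % Q, -1, Q) for j in idx if j != i) % Q

def fvss_deal(x, n, t, seed=1):
    """Feldman: shares s_i = f(i), commitments V_k = g^{a_k}; V_0 = g^x is public."""
    rng = random.Random(seed)
    f = [x % Q] + [rng.randrange(Q) for _ in range(t)]
    return {i: poly_eval(f, i) for i in range(1, n + 1)}, [pow(G, a, P) for a in f]

def fvss_check(i, s_i, commits):
    """Eq. 1: party i accepts its share iff g^{s_i} == prod_k V_k^{i^k} mod p."""
    return pow(G, s_i, P) == commit_product(i, commits)

def pvss_deal(x, n, t, seed=2):
    """Pedersen: V_k = g^{a_k} h^{b_k}, so V_0 reveals nothing about x."""
    rng = random.Random(seed)
    f = [x % Q] + [rng.randrange(Q) for _ in range(t)]
    f2 = [rng.randrange(Q) for _ in range(t + 1)]
    shares = {i: (poly_eval(f, i), poly_eval(f2, i)) for i in range(1, n + 1)}
    return shares, [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, f2)]

def pvss_check(i, x_i, x2_i, commits):
    """Eq. 2: party i accepts iff g^{x_i} h^{x'_i} == prod_k V_k^{i^k} mod p."""
    return pow(G, x_i, P) * pow(H, x2_i, P) % P == commit_product(i, commits)

def reconstruct(shares):
    """Recover x in the clear from any t+1 accepted shares {i: s_i}."""
    return sum(s * lagrange(i, shares) for i, s in shares.items()) % Q

def next_power(g_prev, shares):
    """Sequential step from the proof: given g_prev = g^{x^k} and t+1 shares, party j
    publishes g_prev^{x_j}; Lagrange interpolation in the exponent gives g^{x^{k+1}}."""
    return math.prod(pow(pow(g_prev, x_j, P), lagrange(j, shares), P)
                     for j, x_j in shares.items()) % P
```

A complaint is raised exactly when `fvss_check` or `pvss_check` returns False for a party's own share; more than t such complaints disqualify the dealer.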
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Kiayias, A., Oksuz, O., Tang, Q. (2015). Distributed Parameter Generation for Bilinear Diffie Hellman Exponentiation and Applications. In: Lopez, J., Mitchell, C. (eds.) Information Security. ISC 2015. Lecture Notes in Computer Science, vol. 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_30
DOI: https://doi.org/10.1007/978-3-319-23318-5_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23317-8
Online ISBN: 978-3-319-23318-5