Abstract
In the threshold version of Paillier’s encryption scheme, a set of parties collectively holds the secret decryption key through a secret sharing scheme. Whenever a ciphertext is to be decrypted, the parties send their decryption shares, which are then verified for correctness and combined into the plaintext. The scheme has been widely adopted in various applications, from secure voting to general purpose MPC protocols. However, among the handful of existing proposals for a maliciously secure scheme, one must choose between an efficient implementation that relies on non-standard assumptions and a computationally expensive implementation that relies on widely accepted assumptions.
In this work, we show that one can enjoy the benefits of both worlds. Specifically, we adjust a scheme by Damgård et al. (Int. J. Inf. Secur. 2010) to get a practical distributed key generation (DKG). While the original scheme was only known to be secure under ad-hoc non-standard assumptions, we prove that the adjusted scheme is in fact secure under the decisional composite residuosity (DCR) assumption alone, which is already required for the semantic security of the Paillier encryption scheme itself. This is possible thanks to a novel reduction technique, from computing and proving a false decryption share to the factoring problem. Specifically, while there may exist false decryption shares for which the zk-proof verifies with non-negligible probability, they are computationally hard to find. Furthermore, we use similar ideas to prove that the batching techniques of Aditya et al. (ACNS 2004), which allow a prover to batch several statements into a single proof, can be applied to our adjusted scheme. This enables batched threshold Paillier decryption in the fully distributed setting for the first time.
Until now, verifying that a decryption share is correct was the bottleneck of threshold Paillier schemes and hindered real world deployments (unless one is willing to rely on a trusted dealer). Our work culminates in shifting the bottleneck back to the plaintext reconstruction, just as in the semi-honest setting, and renders threshold Paillier practical for the first time, supporting large scale deployments.
We exemplify this shift by implementing the scheme and reporting our evaluation with up to 1000 parties, in the dishonest majority setting. On an EC2 c6i machine, we get a throughput of about 50 and 3.6 decryptions per second when run over a network of 100 and 1000 parties, respectively.
This research was conducted by the Cryptography Research team at dWallet Labs, as part of the research and development of the Odsy Network, a decentralized and universal access control layer launched by the Odsy Foundation.
For the full and most up-to-date version of this work, see [FMM+23].
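As an added example (not the paper's code or the Tiresias implementation), the following Python sketches the decryption flow the abstract describes: the key is Shamir-shared, each party publishes a decryption share, and any t shares are combined into the plaintext with the Lagrange coefficients mentioned in note 6. It assumes a trusted dealer and toy primes that satisfy the gcd(P-1,Q-1)=2 condition of note 7 instead of the paper's DKG, and omits the zero-knowledge share proofs that are the paper's subject.

```python
# Added example, not the paper's code: t-of-n threshold Paillier decryption in the
# Damgård–Jurik style with a trusted dealer (the paper replaces the dealer by a DKG).
from math import factorial, gcd
import random

P, Q = 17, 19                # constructed toy primes: gcd(16, 18) = 2, neither is safe
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # λ = lcm(P-1, Q-1); x^(Nλ) = 1 in Z*_{N^2}
n, t = 5, 3                  # n parties, any t of them can decrypt
DELTA = factorial(n)         # Δ = n!, clears the Lagrange denominators in the exponent

def encrypt(m, r):
    """Paillier encryption with g = 1 + N: c = (1+N)^m * r^N mod N^2, gcd(r, N) = 1."""
    return pow(1 + N, m, N2) * pow(r, N, N2) % N2

def dealer_shares(seed=1):
    """Share d with d ≡ 0 (mod λ), d ≡ 1 (mod N) over Z_{Nλ} by a degree t-1 polynomial."""
    d = LAM * pow(LAM, -1, N)                  # CRT: multiple of λ that is 1 mod N
    rng = random.Random(seed)
    coeffs = [d] + [rng.randrange(N * LAM) for _ in range(t - 1)]
    return {i: sum(a * i**k for k, a in enumerate(coeffs)) % (N * LAM)
            for i in range(1, n + 1)}

def decryption_share(c, s_i):
    """Party i publishes c_i = c^(2Δ s_i) mod N^2; the zk-proof the paper studies
    would show that this exponent matches the party's committed share."""
    return pow(c, 2 * DELTA * s_i, N2)

def combine(shares):
    """Combine t shares {i: c_i}: c' = Π c_i^(2 μ_i) with μ_i = Δ * Lagrange_i(0) ∈ Z,
    so c' = c^(4 Δ^2 d) = 1 + 4 Δ^2 m N (mod N^2); then strip the 4Δ^2 factor."""
    ids = list(shares)
    acc = 1
    for i in ids:
        num = den = 1
        for j in ids:
            if j != i:
                num, den = num * j, den * (j - i)
        mu = DELTA * num // den                # exact: den divides n!
        acc = acc * pow(shares[i], 2 * mu, N2) % N2   # negative mu -> modular inverse
    return (acc - 1) // N * pow(4 * DELTA**2, -1, N) % N

def threshold_decrypt(c, shares, party_ids):
    """End-to-end: the parties in party_ids produce shares and the combiner recovers m."""
    return combine({i: decryption_share(c, shares[i]) for i in party_ids})

if __name__ == "__main__":
    shares = dealer_shares()
    print(threshold_decrypt(encrypt(42, 7), shares, (1, 3, 5)))   # 42
```

Any subset of t parties recovers the plaintext; a corrupted share silently yields a wrong result, which is exactly why the share verification the paper speeds up is needed.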
Notes
- 1.
- 2. Specifically, in [BDTZ16] such decryption is happening only in the pre-processing phase of a generic MPC protocol, in which case neither an abort nor leakage of r gives the adversary any advantage. Alternatively, the same work proposes a method to avoid denial of decryption at the cost of two additional rounds and assuming the primes are safe, a property we wish to avoid in the first place.
- 3. That being said, while similar techniques may be applied to remove the requirement of safe primes in other cases as well, in some protocols the requirement that the primes are safe might be crucial, so every protocol must be analyzed on its own.
- 4. There are several choices for the exact form of the secret key, which are all variants of the one described above.
- 5. Some works assume secret sharing over the ring \(\mathbb {Z}_{N\phi (N)}\), but this is harder to achieve without a trusted dealer.
- 6. When the threshold is smaller than the number of parties, each exponent is multiplied by the appropriate Lagrange coefficient.
- 7. We do require \(N=PQ\) to satisfy \(\gcd (P-1,Q-1)=2\), which is a much weaker condition than the common requirement that \((P-1)/2\) and \((Q-1)/2\) are prime. This property has a small impact on the efficiency of the key generation protocol, does not affect the efficiency of the threshold decryption, and does not introduce additional cryptographic assumptions.
- 8. Since the Diogenes protocol already applies thousands of GCD tests internally, the computational overhead of the additional test \(\gcd \left( N-1,Q-1\right) \) (which equals \(\gcd(P-1,Q-1)\), because \(N-1 = P(Q-1)+(P-1)\)) is negligible (\(<0.1\%\)).
- 9. Note that if \(\mathcal {P}^*\) is PPT, we have that \(1/\varepsilon \) is \(\textsf {poly}(\kappa )\), and \(i<\log _2(1/\varepsilon )\) (to get probability \(\le 1\)), and so \(2^i=\textsf {poly}(\kappa )\).
- 10.
- 11.
- 12.
References
Joy Algesheimer, Jan Camenisch, and Victor Shoup. Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. In Advances in Cryptology-CRYPTO 2002: 22nd Annual International Cryptology Conference Santa Barbara, California, USA, August 18-22, 2002 Proceedings 22, pages 417–432. Springer, 2002.
Thomas Attema, Serge Fehr, and Michael Klooß. Fiat-Shamir transformation of multi-round interactive proofs. In Theory of Cryptography: 20th International Conference, TCC 2022, Chicago, IL, USA, November 7-10, 2022, Proceedings, Part I, pages 113–142. Springer, 2022.
Dan Boneh, Joseph Bonneau, Benedikt Bünz, and Ben Fisch. Verifiable delay functions. In Advances in Cryptology–CRYPTO 2018: 38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19–23, 2018, Proceedings, Part I, pages 757–788. Springer, 2018.
Jakob Burkhardt, Ivan Damgård, Tore Kasper Frederiksen, Satrajit Ghosh, and Claudio Orlandi. Improved Distributed RSA Key Generation Using the Miller-Rabin Test. Cryptology ePrint Archive, 2023.
Lennart Braun, Ivan Damgård, and Claudio Orlandi. Secure multiparty computation from threshold encryption based on class groups. In Annual International Cryptology Conference, pages 613–645. Springer, 2023.
Carsten Baum, Ivan Damgård, Tomas Toft, and Rasmus Zakarias. Better preprocessing for secure multiparty computation. In Applied Cryptography and Network Security: 14th International Conference, ACNS 2016, Guildford, UK, June 19-22, 2016. Proceedings 14, pages 327–345. Springer, 2016.
Dan Boneh and Matthew Franklin. Efficient generation of shared RSA keys. In Advances in Cryptology-CRYPTO 97: 17th Annual International Cryptology Conference Santa Barbara, California, USA August 17-21, 1997 Proceedings 17, pages 425–439. Springer, 1997.
Mihir Bellare, Juan A. Garay, and Tal Rabin. Fast batch verification for modular exponentiation and digital signatures. In Advances in Cryptology-EUROCRYPT '98: International Conference on the Theory and Application of Cryptographic Techniques, Espoo, Finland, May 31-June 4, 1998, Proceedings 17, pages 236–250. Springer, 1998.
Omar Rafik Merad Boudia and Sidi Mohammed Senouci. An Efficient and Secure Multidimensional Data Aggregation for Fog-Computing-Based Smart Grid. IEEE Internet Things J., 2021.
Ran Canetti, Yilei Chen, Justin Holmgren, Alex Lombardi, Guy N Rothblum, and Ron D Rothblum. Fiat-Shamir from simpler assumptions. Cryptology ePrint Archive, 2018.
Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, Abhi Shelat, Muthu Venkitasubramaniam, and Ruihan Wang. Diogenes: Lightweight scalable RSA modulus generation with a dishonest majority. In 2021 IEEE Symposium on Security and Privacy (SP), pages 590–607. IEEE, 2021.
Jan Camenisch, Aggelos Kiayias, and Moti Yung. On the Portability of Generalized Schnorr Proofs. In EUROCRYPT, volume 5479, pages 425–442. Springer, 2009.
Cyprien Delpech de Saint Guilhem, Eleftheria Makri, Dragos Rotaru, and Titouan Tanguy. The return of Eratosthenes: Secure generation of RSA moduli using distributed sieving. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 594–609, 2021.
Ivan Damgård, Mads Jurik, and Jesper Buus Nielsen. A generalization of Paillier’s public-key system with applications to electronic voting. International Journal of Information Security, 9:371–385, 2010.
Ivan Damgård and Maciej Koprowski. Practical threshold RSA signatures without a trusted dealer. In Advances in Cryptology-EUROCRYPT 2001: International Conference on the Theory and Application of Cryptographic Techniques Innsbruck, Austria, May 6-10, 2001 Proceedings 20, pages 152–165. Springer, 2001.
Ivan Damgård and Jesper Buus Nielsen. Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encryption. In CRYPTO, volume 2729 of Lecture Notes in Computer Science, pages 247–264. Springer, 2003.
Ivan Damgård, Valerio Pastro, Nigel P. Smart, and Sarah Zakarias. Multiparty Computation from Somewhat Homomorphic Encryption. In CRYPTO, volume 7417, pages 643–662. Springer, 2012.
Offir Friedman, Avichai Marmor, Dolev Mutzari, Yehonatan C. Scaly, Yuval Spiizer, and Avishay Yanai. Tiresias: Large scale, maliciously secure threshold Paillier. Cryptology ePrint Archive, 2023.
Pierre-Alain Fouque, Guillaume Poupard, and Jacques Stern. Sharing decryption in the context of voting or lotteries. In Financial Cryptography: 4th International Conference, FC 2000 Anguilla, British West Indies, February 20-24, 2000 Proceedings 4, pages 90–104. Springer, 2001.
Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Advances in Cryptology-CRYPTO '86: Proceedings 6, pages 186–194. Springer, 1987.
Pierre-Alain Fouque and Jacques Stern. Fully distributed threshold RSA under standard assumptions. In Advances in Cryptology-ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security Gold Coast, Australia, December 9-13, 2001 Proceedings 7, pages 310–330. Springer, 2001.
Rosario Gennaro, Steven Goldfeder, and Arvind Narayanan. Threshold-optimal DSA/ECDSA signatures and an application to bitcoin wallet security. In Applied Cryptography and Network Security: 14th International Conference, ACNS 2016, Guildford, UK, June 19-22, 2016. Proceedings 14, pages 156–174. Springer, 2016.
Oded Goldreich and Yair Oren. Definitions and properties of zero-knowledge proof systems. Journal of Cryptology, 7(1):1–32, 1994.
Godfrey H. Hardy and John E. Littlewood. Some problems of ‘Partitio numerorum’; III: On the expression of a number as a sum of primes. Acta Mathematica, 44(1):1–70, 1923.
Carmit Hazay, Gert Læssøe Mikkelsen, Tal Rabin, Tomas Toft, and Angelo Agatino Nicolosi. Efficient RSA key generation and threshold Paillier in the two-party setting. Journal of Cryptology, 32:265–323, 2019.
Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. CRC Press, 2nd edition, 2014.
Ralf Küsters, Julian Liedtke, Johannes Müller, Daniel Rausch, and Andreas Vogt. Ordinos: A Verifiable Tally-Hiding E-Voting System. In EuroS&P, 2020.
Dimitris Mouris and Nektarios Georgios Tsoutsos. Masquerade: Verifiable Multi-Party Aggregation with Secure Multiplicative Commitments. 2021.
Hugh L. Montgomery and Robert C. Vaughan. Multiplicative Number Theory I: Classical Theory. Cambridge Studies in Advanced Mathematics. Cambridge University Press, 2006.
Takashi Nishide and Kouichi Sakurai. Distributed Paillier Cryptosystem without Trusted Dealer. In Information Security Applications - 11th International Workshop, WISA 2010, Jeju Island, Korea, August 24-26, 2010, Revised Selected Papers, volume 6513 of Lecture Notes in Computer Science, pages 44–60. Springer, 2010.
Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology-EUROCRYPT 99: International Conference on the Theory and Application of Cryptographic Techniques Prague, Czech Republic, May 2-6, 1999 Proceedings 18, pages 223–238. Springer, 1999.
Nicholas Pippenger. On the evaluation of powers and monomials. SIAM Journal on Computing, 9(2):230–250, 1980.
John M Pollard. Theorems on factorization and primality testing. In Mathematical Proceedings of the Cambridge Philosophical Society, volume 76, pages 521–528. Cambridge University Press, 1974.
Tal Rabin. A Simplified Approach to Threshold and Proactive RSA. In CRYPTO, volume 1462 of Lecture Notes in Computer Science, pages 89–104. Springer, 1998.
Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 1978.
István András Seres and Péter Burcsi. A note on low order assumptions in RSA groups. Rad Hrvatske akademije znanosti i umjetnosti. Matematičke znanosti, (546=25):15–31, 2021.
Adi Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
Victor Shoup. Practical threshold signatures. In Advances in Cryptology-EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques Bruges, Belgium, May 14–18, 2000 Proceedings 19, pages 207–220. Springer, 2000.
Thijs Veugen, Thomas Attema, and Gabriele Spini. An implementation of the Paillier crypto system with threshold decryption without a trusted dealer. ePrint, 2019.
© 2025 International Association for Cryptologic Research
Cite this paper
Friedman, O., Marmor, A., Mutzari, D., Scaly, Y.C., Spiizer, Y., Yanai, A. (2025). Tiresias: Large Scale, UC-Secure Threshold Paillier. In: Chung, KM., Sasaki, Y. (eds) Advances in Cryptology – ASIACRYPT 2024. ASIACRYPT 2024. Lecture Notes in Computer Science, vol 15486. Springer, Singapore. https://doi.org/10.1007/978-981-96-0891-1_5
DOI: https://doi.org/10.1007/978-981-96-0891-1_5
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-0890-4
Online ISBN: 978-981-96-0891-1