
1/24 Efficient Simultaneous Broadcast
Sebastian Faust (1), Emilia Käsper (1), Stefan Lucks (2)
(1) KU Leuven, ESAT-COSIC, Belgium
(2) Bauhaus Universität Weimar, Germany
PKC 2008, 11th March 2008

2/24 Simultaneous Broadcast Problem
Simultaneous broadcast: $u_1, u_2, u_3$ have been chosen independently
[Figure: three players saying "I want to announce $u_1$", "I want to announce $u_2$" and "I want to announce $u_3$"]

3/24 Simultaneous Broadcast Problem: Sealed Bid Auction in Synchronous Network
[Figure: bids of 2.000 €, 5.000 €, 1.000 € and 4.000 €; one bidder says "I won!"]

4/24 Simultaneous Broadcast Problem: SB Auction in Partially Synchronous Network
[Figure: bids of 2.000 €, 5.000 €, 1.000 € and 5.001 €; one bidder says "I won!"]

5/24 Simultaneous Broadcast Problem: Solution: 2-Round Protocol?
[Figure: bids of 9.000 €, 6.000 €, 1.000 € and 6.500 €, followed by the openings "open 9.000 €", "open 6.000 €", "open 1.000 €" and "open 6.500 €"; one bidder says "I won with price 9.000 €"]

6/24 Simultaneous Broadcast Problem: Solution: 2-Round Protocol? No!
[Figure: bids of 9.000 €, 6.000 €, 1.000 € and 6.500 €, followed only by the openings "open 6.000 €", "open 1.000 €" and "open 6.500 €"; "We won with price 6.500 €"]

7/24 Rest of this talk...
1. Basics
2. Building Blocks
3. Solutions
4. Summary

8/24 1. Communication & Adversary model
Communication Model
- Network of n players: $P = \{P_1, \dots, P_n\}$
- Private point-to-point channel
- Reliable broadcast channel
- Partially synchronous communication: synchronized rounds
Adversary Model
- Rushing adversary: speaks last in each round
- Full control of t < n/2 players from protocol start

9/24 1. Simultaneous Broadcast
Properties
- Consistency: Protocol outcome is consistent for all honest players
- Correctness: Each honest party receives the correct announcement of each other honest party
- Independence: No correlation between announcements of corrupt and honest parties

10/24 1. Simultaneous Broadcast
Definition of independence (more details)...
- u: {$u_i$ : of honest player $P_i$}
- Q: subgroup of corrupt players
- m: announcements of players in Q
- $p^Q_{m,u}$: Pr[Announcement m | honest players announced u]
For any PPT adversary A, any Q, all m and all u≠v, we have $|p^Q_{m,u} - p^Q_{m,v}| \le (k)$, where is negligible in k.

11/24 2. Public-Key Encryption
Public Key Encryption (Gen,Enc,Dec):
- Semantic Security: Ciphertext reveals no information on plaintext
- Committing Property: $m_1 \neq m_2$  $c_1 \neq c_2$
ElGamal Encryption:
- Setup: Group G= of prime order q.
- Gen: secret key: $x \leftarrow_R Z_q$, public key: $y = g^x$
- Enc: $c = (d,e) = (g^r, y^r m)$, for $m \leftarrow G$, $r \leftarrow_R Z_q$
- Dec: $m = e/d^x$
Theorem: ElGamal is a committing encryption scheme and semantically secure under the DDH assumption.
DDH assumption: given $g^x, g^y, g^z$, difficult to decide whether z=xy

12/24 2. (t,n)-Feldman VSS
System parameters:
- n: # players, here n=3
- D: dealer
- t: # corrupt players
- =G, ord(G)= q, g ← G
VSS a secret s:
- Select Shamir sharing polynomial: $f(x) = s + a_1 x + \dots + a_t x^t$
- $s_1 = f(1)$, $s_2 = f(2)$, $s_3 = f(3)$
[Figure: dealer D and players $P_1$, $P_2$, $P_3$]

13/24 2. (t,n)-Feldman VSS
VSS a secret s:
- Compute $A_0 = g^s$ and $A_i = g^{a_i}$ for i=1..t
- $A_i$, i=0..t
- Verify...
[Figure: dealer D and players $P_1$, $P_2$, $P_3$]

14/24 2. (t,n)-Feldman VSS
Properties of VSS:
- Every set of t+1 shares of honest players define the same unique s
- "No information" on s is learned by ≤ t shares
Costs of VSSing a secret s:
- Sharing:
  - Communication: n group elements via point-to-point channels
- Verification overhead:
  - Communication: t+1 group elements via broadcast channel
  - Computation: ≈ t exponentiations per player

15/24 3. Previous Solutions
Gennaro 1996: Generic construction uses
- Semantically secure encryption
- Verifiable Secret Sharing
- Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK)
- Security depends on building-blocks
Protocol based on Pedersen VSS:
1. Each party VSSes its announcement
2. Each party opens its announcement
3. Verify correctness
- recover announcement with VSS Recovery
- secure under DL in standard model
Drawback: Every announcement requires execution of VSS

16/24 3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
- n: # players, here n=4
- t: # corrupt players
- k: sec. parameter for ElGamal
- =G, ord(G)= q, g ← G
Setup (executed once):
[Figure: players $P_1$, $P_2$, $P_3$, $P_4$]

17/24 3. Our Solution – v-SimCast[n,t,k,g]
Setup (executed once):
- ElGamal key pairs $(x_1,y_1)$, $(x_2,y_2)$, $(x_3,y_3)$, $(x_4,y_4)$
- Each $P_i$ shares $x_i$ with (t,n)-Feldman VSS
Setup Costs (per player):
- Communication:
  - broadcasts: t + 1
  - point-to-point: n - 1
- Computation:
  - exponentiation: ≈ nt

18/24 3. Our Solution – v-SimCast[n,t,k,g]
(1) SimCast (v iterations): Each $P_i$ is allowed to announce value $u_i$
(1) $P_i$ computes ElGamal ciphertext $c_i = (g^{r_i}, y_i^{r_i} \cdot u_i)$
[Figure: players $P_1$ to $P_4$ with ciphertexts $c_1$, $c_2$, $c_3$, $c_4$]
SimCast Cost (per player):
- communication:
  - broadcasts: 2
- computation:
  - exponentiations: 2

19/24 3. Our Solution – v-SimCast[n,t,k,g]
(2) SimCast (v iterations)
(1) $P_i$ computes ElGamal ciphertext $c_i = (g^{r_i}, y_i^{r_i} \cdot u_i)$
(2) $P_i$ opens $c_i$
[Figure: players $P_1$ to $P_4$ with openings $(r'_1,u'_1)$, $(r'_2,u'_2)$, $(r'_3,u'_3)$, $(r'_4,u'_4)$]
SimCast Cost (per player):
- communication:
  - broadcasts: 2 + 2 = 4
- computation:
  - exponentiation: 2

20/24 3. Our Solution – v-SimCast[n,t,k,g]
(3) SimCast (v iterations):
$P_i$ verifies for each $P_j$ if $c_j = (g^{r'_j}, y_j^{r'_j} \cdot u_j)$
[Figure: players $P_1$, $P_2$, $P_3$, $P_4$]
SimCast Cost (per player):
- communication:
  - broadcasts: 4
- computation:
  - expon.: 2 + 2(n-1) = 2n

21/24 3. Our Solution – v-SimCast[n,t,k,g]
(3) SimCast: Failure handling
If verification fails for $P_i$: Reconstruct $P_i$'s secret key $x_i$ with VSS Recovery and disqualify $P_i$
After step (3): Each party knows correct announcement of every other party
[Figure: players $P_1$, $P_2$, $P_3$, $P_4$]
SimCast Cost (per player):
- communication:
  - broadcasts: 4
- computation:
  - exponentiation: 2n

22/24 3. Security proof – key ideas
Independence against rushing adversary A under DDH:
Feldman VSS guarantees valid ElGamal key pair
Round (1): A obtains ElGamal ciphertexts of honest players
- No information is learned under DDH: Semantic security
- No malleability attacks (e.g. copycat):
  - Opening always with secret key
  - A must know its announcement
Round (2): A obtains announcements of honest parties in clear
- A cannot open announcement differently:
  - Committing property
- False opening: VSS allows always to recover original announcement
(Independence can be proven in standard model under DDH)

23/24 4. Summary

Protocol       communication: point-to-point   communication: broadcast   computation (exponentiation)
v-SimCast      n-1                             t + 1 + 4v                 ≈ 2nv + nt
Pedersen-VSS   2v(n-1)                         v(t + 1)                   ≈ vnt
Gennaro        ≈ vn                            ≈ v(t + 160)               ≈ v(nt + 160)

1. v-SimCast is particularly efficient for repeated execution
2. Limited parallel execution is possible
3. Various applications: e.g. joint generation of random values

24/24 Thank you for your attention!
PKC 2008, 11th March 2008

25/24 1. Drawbacks of previous solutions
Every announcement requires execution of VSS
- most expensive component!
Costs of VSSing a secret s (for Pedersen VSS)
- Sharing:
  - Communication: 2n group elements via point-to-point channels
- Verification overhead:
  - Communication: 2(t+1) group elements via broadcast channel
  - Computation: ≈ t exponentiations per player
Note: Feldman VSS is slightly more efficient!

