Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threshold PKC Shafi Goldwasser and Ran Canetti. Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e,

Published bySilvia Jackson Modified over 8 years ago

Similar presentations

Presentation on theme: "Threshold PKC Shafi Goldwasser and Ran Canetti. Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e,"— Presentation transcript:

1 Threshold PKC Shafi Goldwasser and Ran Canetti

2 Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e, and secret key d - E(m, e) outputs cipher text c - D(c, e, d) outputs m. Public Key: e Secret key: d C

3 Active Adversary: Standard PKC [RS] Chosen Cipher-text Attacks (CCA) -Adversary chooses m 0 m 1 -Adversary receives c either in E(m 0 ) or E(m 1 ) at random -Adversary may ask c’ = c A scheme is secure against CCA if adversary still cannot tell whether c in E(m 0 ) or in E(m 1 ) better than 50-50 Decoding Equipment c’ m comes up in protocols

4 Threshold Cryptography [D,DF] An encryption or digital signature scheme where : Secret key is shared among trustees s.t. Trustees can decrypt or sign only if enough cooperate Faulty trustees can’t prevent decryption or signature Faulty trustees can be detected if they act up (optional).

5 Threshold Public Key Cryptography [DF] A Threshold PKC n consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e, and shares of secret key d 1,...,d n - E(m, e) outputs cipher-text c - D * = (D 1, D 2 ) where D 1 (c, d i ) outputs decryption share ds i D 2 (c, e, ds 1,..., ds n ) outputs m. * Interaction maybe allowed between servers and user. C Decryption Servers C d1d1 d2d2 dndn... C ds n ds 1 Public Key: e Secret Key Shares: d i distributed among servers

6 Security: Threshold PKC collaborating with t servers adversary While launching the CCA: the adversary has access to all the private data of collaborating servers Say A Threshold Public Key Encryption Scheme is : t-secure: a coalition of t curious but honest servers + adversary cannot break it. t-robust: a coalition of t faulty servers cannot prevent user from decrypting (no denial of service).

7 Previous Work Gennaro-Shoup: under the assumption that Random Oracles exist and the DDH intractability assumption, show a Threshold PKC which is t-secure and t-robust for t< n/2 against CCA. ( No interaction is necessary.) Dolev-Dwork-Naor: under the assumption trapdoor functions exist show single server PKC secure against CCA. Use NIZK for construction. ( Prior [NY] LTA ) Cramer-Shoup: under the DDH intractability assumption show a single server PKC secure against CCA. Quite Efficient.

8 New Threshold PKC KEY GEN : PK = (g 1, g 2, a=g 1 x1 g 2 x2, h= g 1 z ) SK: each decryption server holds a share of x 1,x 2,y 1,y 2,z (using polynomial secret sharing, e.g. x 1i = X 1 (i) where X 1 (0) =x 1, deg (X 1 ) = t ) ENC: Same as in single server case DEC(SK,c): Let s be random and S a deg t polynomial s.t (u 1,u 2, e, tag ) S(0)=s and each server I has S(i)=s i - Server i computes tag i ’ = u 1 x 1i u 2 x 2i and sends the user g Q(i) = (tag/tag i ’) s i h z i - User combines shares to obtain g Q(0) = (tag/tag’) s h z and lets m = e/ (tag/tag’) s h z HOW?

9 Combine decryption shares by using Lagrange Interpolation? User received for all I, Share i = (tag/tag i ’) s i h z i = g Q(i) where Q is some degree 2t polynomial s.t. Q(0) = (tag/tag’) s h z, and needs g Q(0). Lagrange Interpolation: Gives i s.t Q(0) =  i Q(I) for every 2t degree polynomial Q. To combine shares, user computes  ( Share i ) i =  ( g Q(i) ) i = g  iQ(I) = g Q(0)

10 Where do s i come from for each decryption ? 1Servers share in advance random poly’s S 1,…S k s.t. deg (S j ) = t and S j (0)=s j. I.e server i holds s ji = S j (i) for all j, to use for decrypting jth cipher text. 2 To avoid synchronization errors, servers can share in advance on a single 2-var polynomial S(x,y) where S(c,) is as above, I.e server i holds polynomial S(x, i), and uses s i =S(c,I) for cipher text c.

11 EVOX 1.0 (current status) F.O.O. protocol: practical, scalable elections Simple implementation done in Java 1.1 So far, 2 medium-size elections with relative success. Issues found: Unintuitive user interface Low Reliability Some relatively obscure security bugs Numerous people (including 3 universities) have expressed interest in using EVOX.

12 EVOX 2.0 - 3.0 (this year) Coming Improvements Multiple administrator servers (registrars) and threshold signature schemes to prevent single corruption point weakness in F.O.O. protocol. Timing improvements through signature and verification batching (based on scheme by Amos Fiat), or delegation. Different schemes are currently being analyzed. Improved UI, code security analysis, packaging of system to enable wider use. Hoping for wider release of code (possible GPL?) Current contributors: Ben Adida, Brandon DuRette, Kevin McDonald http://theory.lcs.mit.edu/~cis/voting/voting.html

Download ppt "Threshold PKC Shafi Goldwasser and Ran Canetti. Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e,"

Similar presentations

ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
01101100101001001010011001011110010110101000101010010010110010100010100101010101010001101001010101001000101001011110011110100110 100100101010100010101010100101010101010010100101010101010010100111001001001000101000001010110000100101000100111101001010100101

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Paillier Threshold Encryption WebService by Brett Wilson.

Paillier Threshold Encryption WebService by Brett Wilson.

Similar presentations

Ads by Google