Aggregatable Distributed Key Generation

In this paper, we introduce a distributed key generation (DKG) protocol with aggregatable and publicly-verifiable transcripts. Compared with prior publicly-verifiable approaches, our DKG reduces the size of the final transcript and the time to verify it from O(n) to O(n log n), where n denotes the number of parties. Compared with prior non-publicly-verifiable approaches, our DKG leverages gossip rather than all-to-all communication to reduce verification and communication complexity. We also revisit existing DKG security definitions, which are quite strong, and propose new and natural relaxations. As a result, we can prove the security of our aggregatable DKG as well as that of several existing DKGs, including the popular Pedersen variant. We show that, under these new definitions, these existing DKGs can be used to yield secure threshold variants of popular cryptosystems such as El-Gamal encryption and BLS signatures. We also prove that our DKG can be securely combined with a new efficient verifiable unpredictable function (VUF), whose security we prove in the random oracle model. Finally, we experimentally evaluate our DKG and show that the per-party overheads scale linearly and are practical. For 64 parties, it takes 71 ms to share and 359 ms to verify the overall transcript, while for 8192 parties, it takes 8 s and 42.2 s respectively.
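The abstract's central idea is that each party's publicly verifiable contribution can be aggregated into a single transcript that is checked once, instead of verifying every contribution separately. The example below is an added illustration of that aggregation property and is not the paper's construction: it uses plain Feldman-style discrete-log commitments with shares in the clear (the paper's transcripts are pairing-based and carry encrypted shares), and the group parameters, party counts and function names are constructed for this example only. Each dealer commits to a secret-sharing polynomial; commitments multiply and shares add, so the aggregate transcript is itself a valid Feldman transcript for the sum of the dealers' secrets, and one check per party validates the whole aggregate.

```python
import secrets
from dataclasses import dataclass

# Toy group parameters (constructed for illustration, far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
G = 4


@dataclass
class Transcript:
    """One dealer's publicly verifiable contribution (Feldman-style, hypothetical format)."""
    commitments: list   # [g^a_0, ..., g^a_{t-1}] mod P
    shares: dict        # party index j -> f(j) mod Q


def eval_poly(coeffs, x):
    """Evaluate f(x) = sum_k a_k x^k over Z_q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q


def deal(n, t):
    """Dealer samples a degree t-1 polynomial, commits to it, and shares f(j) with parties 1..n.
    Returns (dealer's secret f(0), transcript); the secret is returned only so the demo can
    check reconstruction, a real dealer never reveals it."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = {j: eval_poly(coeffs, j) for j in range(1, n + 1)}
    return coeffs[0], Transcript(commitments, shares)


def verify_share(transcript, j):
    """Public consistency check: g^{f(j)} == prod_k C_k^{j^k} (mod P)."""
    lhs = pow(G, transcript.shares[j], P)
    rhs = 1
    for k, c in enumerate(transcript.commitments):
        rhs = rhs * pow(c, pow(j, k, Q), P) % P
    return lhs == rhs


def aggregate(transcripts):
    """Combine dealers' transcripts: commitments multiply, shares add.
    The result commits to the sum polynomial, whose constant term is the joint secret."""
    t = len(transcripts[0].commitments)
    commitments = [1] * t
    for tr in transcripts:
        for k in range(t):
            commitments[k] = commitments[k] * tr.commitments[k] % P
    parties = transcripts[0].shares.keys()
    shares = {j: sum(tr.shares[j] for tr in transcripts) % Q for j in parties}
    return Transcript(commitments, shares)


def public_key(transcript):
    """The joint public key is the commitment to the constant term, g^{sum of secrets}."""
    return transcript.commitments[0]


def reconstruct(transcript, party_ids):
    """Lagrange interpolation at x = 0 over any t shares of the aggregate transcript."""
    secret = 0
    for j in party_ids:
        num, den = 1, 1
        for m in party_ids:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        lam = num * pow(den, -1, Q) % Q
        secret = (secret + lam * transcript.shares[j]) % Q
    return secret


def run_dkg(n=5, t=3):
    """Every party acts as a dealer; the aggregate is verified once per party and then
    reconstructed from t shares to confirm it matches the sum of the dealers' secrets."""
    dealers = [deal(n, t) for _ in range(n)]
    transcripts = [tr for _, tr in dealers]
    expected = sum(s for s, _ in dealers) % Q
    agg = aggregate(transcripts)
    verified = all(verify_share(agg, j) for j in range(1, n + 1))   # n checks, not n*n
    recovered = reconstruct(agg, list(range(1, t + 1)))
    return {
        "verified": verified,
        "recovered": recovered,
        "expected": expected,
        "pk_matches": public_key(agg) == pow(G, recovered, P),
    }


if __name__ == "__main__":
    print(run_dkg(5, 3))
```

The verification cost is the point: with n dealers and n parties, checking every transcript separately costs n checks per party, while the aggregate costs one, which is the saving the abstract quantifies. The toy also makes the abstract's caveat about definitions concrete: Feldman commitments publish g^{s_i} for every dealer, and a party that aggregates last can see the others' contributions before choosing its own, so the mechanics of aggregation alone say nothing about key bias or adaptive corruption; those properties are exactly what the relaxed security definitions the abstract describes are meant to capture.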
