PKC 2008, 11th March 2008
Efficient Simultaneous Broadcast
Sebastian Faust (1), Emilia Käsper (1), Stefan Lucks (2)
(1) KU Leuven, ESAT-COSIC, Belgium
(2) Bauhaus Universität Weimar, Germany
Simultaneous Broadcast Problem
Simultaneous broadcast (figure): players P1, P2, P3 each want to announce a value (u1, u2, u3); at the end of the protocol u1, u2, u3 have been chosen independently.
Simultaneous Broadcast Problem
Sealed Bid Auction in Synchronous Network (figure): bids of 2.000 €, 4.000 €, 5.000 € and 1.000 € are sent simultaneously; the 5.000 € bidder says "I won!"
Simultaneous Broadcast Problem
SB Auction in Partially Synchronous Network (figure): bids of 2.000 €, 5.000 € and 1.000 €; the bidder who speaks last sees the 5.000 € bid, bids 5.001 € and says "I won!"
Simultaneous Broadcast Problem
Solution: 2-Round Protocol? (figure) Round 1: each bidder commits to its bid (9.000 €, 6.500 €, 6.000 €, 1.000 €). Round 2: every bidder opens its commitment; the 9.000 € bidder says "I won with price 9.000 €".
Simultaneous Broadcast Problem
Solution: 2-Round Protocol? No! (figure) Same commitments (9.000 €, 6.500 €, 6.000 €, 1.000 €), but the 9.000 € commitment is never opened; two colluding bidders announce "We won with price 6.500 €".
Rest of this talk...
1. Basics
2. Building Blocks
3. Solutions
4. Summary
1. Communication & Adversary model
Communication Model
• Network of n players: P = {P1, … ,Pn}
• Private point-to-point channel
• Reliable broadcast channel
• Partially synchronous communication: synchronized rounds
Adversary Model
• Rushing adversary: speaks last in each round
• Full control of t < n/2 players from protocol start
1. Simultaneous Broadcast
Properties
• Consistency: protocol outcome is consistent for all honest players
• Correctness: each honest party receives the correct announcement of each other honest party
• Independence: no correlation between announcements of corrupt and honest parties
1. Simultaneous Broadcast
Definition of independence (more details)...
• $u$: $\{u_i\}$, the announcements of the honest players $P_i$
• $Q$: subgroup of corrupt players
• $m$: announcements of the players in $Q$
• $p^{Q}_{m,u} := \Pr[\text{players in } Q \text{ announce } m \mid \text{honest players announced } u]$
For any PPT adversary A, any $Q$, all $m$ and all $u \neq v$, we have
$|p^{Q}_{m,u} - p^{Q}_{m,v}| \le \epsilon(k)$,
where $\epsilon$ is negligible in $k$.
2. Public-Key Encryption
Public Key Encryption (Gen, Enc, Dec):
• Semantic Security: ciphertext reveals no information on plaintext
• Committing Property: $m_1 \neq m_2 \Rightarrow c_1 \neq c_2$
ElGamal Encryption:
• Setup: group G = <g> of prime order q.
• Gen: secret key $x \leftarrow_R \mathbb{Z}_q$, public key $y = g^x$
• Enc: $c = (d, e) = (g^r, y^r m)$, for $m \in G$, $r \leftarrow_R \mathbb{Z}_q$
• Dec: $m = e / d^x$
Theorem: ElGamal is a committing encryption scheme and semantically secure under the DDH assumption.
DDH assumption: given $g^x, g^y, g^z$, it is difficult to decide whether $z = xy$
2. (t,n)-Feldman VSS
System parameters:
• n: # players, here n=3
• D: dealer
• t: # corrupt players
• <g>=G, ord(G)= q, g ← G
VSS a secret s (figure: dealer D sends shares to P1, P2, P3):
Select Shamir sharing polynomial $f(x) = s + a_1 x + \dots + a_t x^t$
2. (t,n)-Feldman VSS
System parameters:
• n: # players, here n=3
• D: dealer
• t: # corrupt players
• <g>=G, ord(G)= q, g ← G
VSS a secret s (figure: dealer D and players P1, P2, P3):
Compute $A_0 = g^s$ and $A_i = g^{a_i}$ for i = 1..t; each of P1, P2, P3 verifies its share against $A_0, \dots, A_t$.
2. (t,n)-Feldman VSS
Properties of VSS:
• Every set of t+1 shares of honest players defines the same unique s
• "No information" on s is learned from ≤ t shares
Costs of VSSing a secret s:
• Sharing:
  Communication: n group elements via point-to-point channels
• Verification overhead:
  Communication: t+1 group elements via broadcast channel
  Computation: ≈ t exponentiations per player
3. Previous Solutions
• Gennaro 1996: generic construction uses
  semantically secure encryption,
  Verifiable Secret Sharing, and
  Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK);
  security depends on the building blocks
• Protocol based on Pedersen VSS:
  1. Each party VSSes its announcement
  2. Each party opens its announcement
  3. Verify correctness; if an opening is invalid, recover the announcement with VSS Recovery
  Secure under DL in the standard model
Drawback: every announcement requires execution of VSS
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
Setup (executed once) (figure: players P1, P2, P3, P4)
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
Setup (executed once) (figure: P1, P2, P3, P4 with ElGamal key pairs (x1,y1), (x2,y2), (x3,y3), (x4,y4)):
Each Pi generates an ElGamal key pair (xi, yi) and shares xi with (t,n)-Feldman VSS
Setup Costs (per player):
• Communication:
  broadcasts: t + 1
  point-to-point: n - 1
• Computation:
  exponentiations: ≈ nt
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
(1) SimCast (v iterations): each Pi is allowed to announce a value ui (figure: P1, P2, P3, P4)
(1) Pi computes and broadcasts the ElGamal ciphertext $c_i = (g^{r_i}, y_i^{r_i} \cdot u_i)$ under its own public key yi
SimCast Cost (per player):
• communication: 2 broadcasts
• computation: 2 exponentiations
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
(2) SimCast (v iterations) (figure: P1, P2, P3, P4)
(1) Pi computes ElGamal ciphertext $c_i = (g^{r_i}, y_i^{r_i} \cdot u_i)$
(2) Pi opens ci
SimCast Cost (per player):
• communication: broadcasts: 2 + 2 = 4
• computation: exponentiations: 2
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
(3) SimCast (v iterations) (figure: P1, P2, P3, P4):
Pi verifies for each Pj if $c_j = (g^{r'_j}, y_j^{r'_j} \cdot u_j)$
SimCast Cost (per player):
• communication: 4 broadcasts
• computation: exponentiations: 2 + 2(n-1) = 2n
3. Our Solution – v-SimCast[n,t,k,g]
System parameters:
• n: # players, here n=4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g>=G, ord(G)= q, g ← G
(3) SimCast: Failure handling (figure: P1, P2, P3, P4)
If verification fails for Pi:
• Reconstruct Pi's secret key xi with VSS Recovery and disqualify Pi
After step (3): each party knows the correct announcement of every other party
SimCast Cost (per player):
• communication: broadcasts: 4
• computation: exponentiations: 2n
3. Security proof – key ideas
Independence against rushing adversary A under DDH:
• Feldman VSS guarantees valid ElGamal key pair
• Round (1): A obtains ElGamal ciphertexts of honest players
  No information is learned under DDH: semantic security
  No malleability attacks (e.g. copycat): opening is always with the secret key ⇒ A must know its announcement
• Round (2): A obtains announcements of honest parties in clear
  A cannot open announcement differently: committing property
  False opening: VSS always allows to recover the original announcement
(Independence can be proven in standard model under DDH)
4. Summary
1. v-SimCast is particularly efficient for repeated execution (v iterations):
                               v-SimCast      Pedersen-VSS    Gennaro
communication, point-to-point  n - 1          2v(n - 1)       ≈ vn
communication, broadcast       t + 1 + 4v     v(t + 1)        ≈ v(t + 160)
computation (exponentiation)   ≈ 2nv + nt     ≈ vnt           ≈ v(nt + 160)
2. Limited parallel execution is possible
3. Various applications: e.g. joint generation of random values
Thank you for your attention!
1. Drawbacks of previous solutions
Every announcement requires execution of VSS: most expensive component!
Costs of VSSing a secret s (for Pedersen VSS):
• Sharing:
  Communication: 2n group elements via point-to-point channels
• Verification overhead:
  Communication: 2(t+1) group elements via broadcast channel
  Computation: ≈ t exponentiations per player
Note: Feldman VSS is slightly more efficient!