Efficient Simultaneous Broadcast – Sebastian Faust (1), Emilia Käsper (1), Stefan Lucks (2)
Efficient Simultaneous Broadcast
Sebastian Faust (1), Emilia Käsper (1), Stefan Lucks (2)
1 KU Leuven, ESAT-COSIC, Belgium
2 Bauhaus Universität Weimar, Germany
PKC 2008, 11th March 2008
Simultaneous Broadcast Problem

Simultaneous broadcast: three players each want to announce a value, and u1, u2, u3 have been chosen independently.
Player 1: "I want to announce u1"
Player 2: "I want to announce u2"
Player 3: "I want to announce u3"
Sealed Bid Auction in Synchronous Network (Simultaneous Broadcast Problem)

All bids are announced in the same round: 2.000 €, 5.000 €, 1.000 €, 4.000 €.
The 5.000 € bidder: "I won!"
Sealed Bid Auction in Partially Synchronous Network (Simultaneous Broadcast Problem)

Bids: 2.000 €, 5.000 €, 1.000 €, 5.001 €. The last bidder waits until it has seen the 5.000 € bid and only then announces 5.001 €: "I won!"
The bids are no longer independent: a player who speaks last in the round can choose its value as a function of the others.
Solution: 2-Round Protocol?

Round 1, sealed (committed) bids: 9.000 €, 6.000 €, 1.000 €, 6.500 €.
Round 2, openings: open 9.000 €, open 6.000 €, open 1.000 €, open 6.500 €.
The 9.000 € bidder: "I won with price 9.000 €"
Solution: 2-Round Protocol? No!

Round 1, sealed (committed) bids: 9.000 €, 6.000 €, 1.000 €, 6.500 €.
Round 2, openings: open 6.000 €, open 1.000 €, open 6.500 €; the 9.000 € commitment is never opened.
The two colluding bidders (9.000 € and 6.500 €): "We won with price 6.500 €"
Having seen the honest openings first, the corrupt coalition decides which of its commitments to open, so commit-then-open alone does not give independence.
Rest of this talk...
1. Basics
2. Building Blocks
3. Solutions
4. Summary
1. Communication & Adversary model

Communication Model
• Network of n players: P = {P1, …, Pn}
• Private point-to-point channels
• Reliable broadcast channel
• Partially synchronous communication: synchronized rounds

Adversary Model
• Rushing adversary: speaks last in each round
• Full control of t < n/2 players from protocol start
1. Simultaneous Broadcast

Properties
• Consistency: Protocol outcome is consistent for all honest players
• Correctness: Each honest party receives the correct announcement of each other honest party
• Independence: No correlation between announcements of corrupt and honest parties
1. Simultaneous Broadcast

Definition of independence (more details)...
• u: {ui : announcement of honest player Pi}
• Q: subgroup of corrupt players
• m: announcements of players in Q
• p^Q_{m,u}: Pr[players in Q announce m | honest players announced u]
For any PPT adversary A, any Q, all m and all u ≠ v, we have
$\left| p^{Q}_{m,u} - p^{Q}_{m,v} \right| \le \epsilon(k)$,
where ϵ is negligible in k.
2. Public-Key Encryption

Public Key Encryption (Gen, Enc, Dec):
• Semantic Security: Ciphertext reveals no information on plaintext
• Committing Property: m1 ≠ m2 ⇒ c1 ≠ c2 (a ciphertext cannot be opened to two different plaintexts)

ElGamal Encryption:
• Setup: Group G = <g> of prime order q.
• Gen: secret key x ←R Zq, public key y = g^x
• Enc: c = (d, e) = (g^r, y^r · m), for m ∈ G, r ←R Zq
• Dec: m = e / d^x

Theorem: ElGamal is a committing encryption scheme and semantically secure under the DDH assumption.
DDH assumption: given g^x, g^y, g^z, it is difficult to decide whether z = xy.
2. (t,n)-Feldman VSS

System parameters:
• n: # players, here n = 3
• D: dealer
• t: # corrupt players
• <g> = G, ord(G) = q, g ← G

VSS a secret s:
1. D selects a Shamir sharing polynomial f(x) = s + a1 x + … + at x^t and sends s1 = f(1) to P1, s2 = f(2) to P2, s3 = f(3) to P3 over the private channels.
2. D computes A0 = g^s and Ai = g^(ai) for i = 1..t and broadcasts Ai, i = 0..t.
3. P1, P2, P3 each verify their share against A0, …, At.
2. (t,n)-Feldman VSS

Properties of VSS:
• Every set of t+1 shares of honest players defines the same unique s
• "No information" on s is learned from ≤ t shares

Costs of VSSing a secret s:
• Sharing:
  Communication: n group elements via point-to-point channels
• Verification overhead:
  Communication: t+1 group elements via broadcast channel
  Computation: ≈ t exponentiations per player
3. Previous Solutions

• Gennaro 1996: Generic construction uses
  Semantically secure encryption
  Verifiable Secret Sharing
  Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK)
  Security depends on the building blocks
• Protocol based on Pedersen VSS:
  1. Each party VSSes its announcement
  2. Each party opens its announcement
  3. Verify correctness; if it fails, recover the announcement with VSS Recovery
  Secure under DL in the standard model
  Drawback: Every announcement requires execution of VSS
3. Our Solution – v-SimCast[n,t,k,g]

System parameters:
• n: # players, here n = 4
• t: # corrupt players
• k: sec. parameter for ElGamal
• <g> = G, ord(G) = q, g ← G

Setup (executed once):
Each Pi generates an ElGamal key pair (xi, yi) (here (x1,y1), …, (x4,y4)) and shares xi with (t,n)-Feldman VSS.

Setup Costs (per player):
• Communication:
  broadcasts: t + 1
  point-to-point: n - 1
• Computation:
  exponentiations: ≈ nt
(1) SimCast (v iterations): Each Pi is allowed to announce value ui
(1) Pi computes the ElGamal ciphertext ci = (g^(ri), yi^(ri) · ui) under its own public key yi and broadcasts ci (here c1, c2, c3, c4).

SimCast Cost (per player):
• communication:
  broadcasts: 2
• computation:
  exponentiations: 2
(2) SimCast (v iterations)
(1) Pi computes the ElGamal ciphertext ci = (g^(ri), yi^(ri) · ui)
(2) Pi opens ci by broadcasting (r'i, u'i) (here (r'1,u'1), …, (r'4,u'4))

SimCast Cost (per player):
• communication:
  broadcasts: 2 + 2 = 4
• computation:
  exponentiations: 2
(3) SimCast (v iterations):
Pi verifies for each Pj whether the opening matches the broadcast ciphertext: cj = (g^(r'j), yj^(r'j) · u'j)

SimCast Cost (per player):
• communication:
  broadcasts: 4
• computation:
  exponentiations: 2 + 2(n-1) = 2n
(3) SimCast: Failure handling
If verification fails for Pi:
• Reconstruct Pi's secret key xi with VSS Recovery (from the Feldman shares distributed at setup), decrypt ci to obtain the committed announcement, and disqualify Pi
After step (3): Each party knows the correct announcement of every other party

SimCast Cost (per player):
• communication:
  broadcasts: 4
• computation:
  exponentiations: 2n
3. Security proof – key ideas

Independence against rushing adversary A under DDH:
• Feldman VSS guarantees a valid ElGamal key pair
• Round (1): A obtains ElGamal ciphertexts of honest players
  No information is learned under DDH: semantic security
  No malleability attacks (e.g. copycat): opening is always done with the secret key, so A must know its announcement
• Round (2): A obtains announcements of honest parties in clear
  A cannot open its announcement differently: committing property
  False opening: VSS always allows recovery of the original announcement
(Independence can be proven in the standard model under DDH)
4. Summary

Cost comparison for v iterations (per player):

                 communication                      computation
                 point-to-point   broadcast         (exponentiations)
  v-SimCast      n - 1            t + 1 + 4v        ≈ 2nv + nt
  Pedersen-VSS   2v(n-1)          v(t + 1)          ≈ vnt
  Gennaro        ≈ vn             ≈ v(t + 160)      ≈ v(nt + 160)

1. v-SimCast is particularly efficient for repeated execution
2. Limited parallel execution is possible
3. Various applications: e.g. joint generation of random values
Thank you for your attention!
PKC 2008, 11th March 2008
1. Drawbacks of previous solutions (backup slide)

Every announcement requires execution of VSS: the most expensive component!

Costs of VSSing a secret s (for Pedersen VSS):
• Sharing:
  Communication: 2n group elements via point-to-point channels
• Verification overhead:
  Communication: 2(t+1) group elements via broadcast channel
  Computation: ≈ t exponentiations per player
Note: Feldman VSS is slightly more efficient!