Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

1/24

Efficient Simultaneous Broadcast

Sebastian Faust1, Emilia Käsper1, Stefan Lucks2

1 KU Leuven, ESAT-COSIC, Belgium

2 Bauhaus Universität Weimar, Germany

PKC 2008PKC 2008, 11, 11thth March 2008 March 2008

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

2/24

Simultaneous Broadcast ProblemSimultaneous Broadcast Problem

Simultaneous broadcast:

u1, u2, u3 have been chosen independently

I want to announce

u1

I want to announce

u2

I want to announce

u3

u1u1

u2u2

u3u3

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

3/24

Sealed Bid Auction in Synchronous Network

2.000 €2.000 €5.000 €5.000 €

1.000 €1.000 €4.000 €4.000 €

I won!


0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

4/24

SB Auction in Partially Synchronous Network

2.000 €2.000 €5.000 €5.000 €

1.000 €1.000 €5.001 €5.001 €

I won!


0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

5/24

Solution: 2-Round Protocol?

9.000 €9.000 €6.000 €6.000 €

1.000 €1.000 €6.500 €6.500 €

I won with price 9.000

€

open 6.000 €open 6.000 €

open 1.000 €open 1.000 €open 6.500 €open 6.500 €


open 9.000 €open 9.000 €

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

6/24

Solution: 2-Round Protocol? No!

9.000 €9.000 €6.000 €6.000 €

1.000 €1.000 €6.500 €6.500 €

We won with price 6.500 €

open 6.000 €open 6.000 €

open 1.000 €open 1.000 €open 6.500 €open 6.500 €

We won with price 6.500 €


0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

7/24

1. Basics

2. Building Blocks

3. Solutions

4. Summary

Rest of this talk...Rest of this talk...

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

8/24

Communication Model

• Network of n players: P = {P1, … ,Pn}

• Private point-to-point channel

• Reliable broadcast channel

• Partially synchronous communication: synchronized rounds

Adversary Model

• Rushing adversary: speaks last in each round

• Full control of t < n/2 players from protocol start

1. Communication & Adversary model1. Communication & Adversary model

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

9/24

Properties• Consistency:

Protocol outcome is consistent for all honest players

• Correctness: Each honest party receives the correct announcement of each other honest party

• Independence: No correlation between announcements of corrupt and honest parties

1. Simultaneous Broadcast1. Simultaneous Broadcast

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

10/24

Definition of independence (more details)...

• u: {ui : of honest player Pi}

• Q: subgroup of corrupt players

• m: announcements of players in Q

• pQm,u : Pr[Announcement m|honest players announced u]

For any PPT adversary A, any Q, all m and all u≠v, we have

|pQm,u – pQ

m,v| ≤ ϵ(k),

where ϵ is negligible in k.

1. Simultaneous Broadcast1. Simultaneous Broadcast

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

11/24

Public Key Encryption (Gen,Enc,Dec):

• Semantic Security: Ciphertext reveals no information on plaintext

• Committing Property: m1 ≠ m2 c1 ≠ c2

ElGamal Encryption:

• Setup: Group G=<g> of prime order q.

• Gen: secret key: x ←R Zq, public key: y = gx

• Enc: c = (d,e) = (gr, yrm), for m ← G, r ←R Zq

• Dec: m = e/dx

2. Public-Key Encryption2. Public-Key Encryption

Theorem: ElGamal is a committing encryption scheme and semantically secure under the DDH assumption.

DDH assumption: given gx, gy, gz, difficult to decide whether z=xy

Public Key Encryption (Gen,Enc,Dec):

• Semantic Security: Ciphertext reveals no information on plaintext

• Committing Property: m1 ≠ m2 c1 ≠ c2

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

12/24

DD

PP11

PP22

Select Shamir sharing

polynomial: f(x)=s+a1x+..

+atxt s1 = f(1)

s2 = f(2)

s3 = f(3)

VSS a secret s:System parameters:

• n: # players, here n=3,

• D: dealer

• t: # corrupt players

• <g>=G, ord(G)= q, g ← G

2. (t,n)-Feldman VSS2. (t,n)-Feldman VSS

PP33

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

13/24


DD

PP11

PP33

PP22

VSS a secret s:System parameters:

• n: # players, here n=3,

• D: dealer


• <g>=G, ord(G)= q, g ← G

Compute A0=gs and Ai=gai for

i=1..t

Ai, i=0..t

Verify...

Verify...

Verify...

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

14/24


Properties of VSS:• Every set of t+1 shares of honest players define the same unique s

• „No information“ on s is learned by ≤ t shares

Costs of VSSing a secret s:• Sharing:

Communication: n group elements via point-to-point channels

• Verification overhead:

Communication: t+1 group elements via broadcast channel

Computation: ≈ t exponentiations per player

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

15/24

3. Previous Solutions3. Previous Solutions

• Gennaro 1996: Generic construction uses

Semantically secure encryption

Verifiable Secret Sharing

Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK)

Security depends on building-blocks

• Protocol based on Pedersen VSS:

1. Each party VSSes its announcement

2. Each party opens its announcement

3. Verify correctness recover announcement with VSS Recovery

secure under DL in standard model

Drawback: Every announcement requires execution of VSS

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

16/24

System parameters:

• n: # players, here n=4


• k: sec. parameter for ElGamal

• <g>=G, ord(G)= q, g ← G PP11

PP22

PP33PP44

PP11PP22

PP33PP44

PP11PP22

PP33PP44

PP11PP22

PP33PP44

Setup (executed once):

3. Our Solution – v-SimCast[n,t,k,g]3. Our Solution – v-SimCast[n,t,k,g]

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

17/24

PP11PP22

PP33PP44

Each Pi shares xi with (t,n)-Feldman VSS

ElGamal key pair (x1,y1)




Setup (executed once):System parameters:




• <g>=G, ord(G)= q, g ← G

Setup Costs (per player):

• Communication:

broadcasts: t + 1

point-to-point: n - 1

• Computation:

exponentiation: ≈ nt


0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

18/24

c1

(1) SimCast (v iterations):

Each Pi is allowed to announce value ui

c 2

c4

(1) Pi computes ElGamal

ciphertext ci =(gri,yiri · ui)

PP11PP22

PP33PP44

c 3


System parameters:




• <g>=G, ord(G)= q, g ← G

SimCast Cost (per player):

• communication: 2

broadcasts: 2

• computation:

exponentiations: 2

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

19/24

(2) SimCast (v iterations)

(r’ 2,u’ 2

)

(r’4 ,u’

4 )

(r’1 ,u’1)

(1) Pi computes ElGamal

ciphertext ci =(gri,yiri · ui)

(2) Pi opens ci

PP11PP22

PP33PP44

(r’ 3,u

’ 3)


System parameters:




• <g>=G, ord(G)= q, g ← G


• communication:

broadcasts: 2 + 2 = 4

• computation:

exponentiation: 2

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

20/24

(3) SimCast (v iterations):

PP11PP22

PP33PP44


Pi verifies for each Pj if

cj = (gr’j , yjr’j · uj)

System parameters:




• <g>=G, ord(G)= q, g ← G


• communication: 4

broadcasts: 4

• computation:

expon.: 2 + 2(n-1) = 2n

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

21/24

If verification fails for Pi:

• Reconstruct Pi’s secret key xi with VSS Recovery and disqualify Pi

(3) SimCast: Failure handling

PP11PP22

PP33PP44


After step (3): Each party knows correct announcement of every other party

System parameters:




• <g>=G, ord(G)= q, g ← G


• communication:

broadcasts: 4

• computation:

exponentiation: 2n

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

22/24

Independence against rushing adversary A under DDH:• Feldman VSS guarantees valid ElGamal key pair

• Round (1): A obtains ElGamal ciphertexts of honest players

No information is learned under DDH: Semantic security

No malleability attacks (e.g. copycat):

Opening always with secret key A must know its announcement

• Round (2): A obtains announcements of honest parties in clear

A cannot open announcement differently:

Committing property

False opening: VSS allows always to recover original announcement(Independence can be proven in standard model under DDH)

3. Security proof – key ideas3. Security proof – key ideas

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

23/24

communicationcomputation

(exponentiation)point-to-point brodcast

v-SimCast n-1 t + 1 + 4v ≈ 2nv + nt

Pedersen-VSS 2v(n-1) v(t + 1) ≈ vnt

Gennaro ≈ vn ≈ v(t + 160) ≈ v(nt +160)

4. Summary4. Summary

1. v-SimCast is particularly efficient for repeated execution

2. Limited parallel execution is possible

3. Various applications: e.g. joint generation of random values

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

24/24

Thank you for your attention!

PKC 2008PKC 2008, 11, 11thth March 2008 March 2008

0110110010100100101001100101111001011010100010101001001011001010001010010101010101000110100101010100100010100101111001111010011010010010101010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100101010111001010000010111010010110110010100100101001100101111001011010100010101001001011001010001010010101010101000110010010100101001000101001001010001010101010010101010101001010010101010101001010011100100100100010100000101011000010010100010011110100101010010100100101010100010101000010111001010010101010101001010010101010101001100100101100101000101001010100001011101100001101100110100

25/24

Every announcement requires execution of VSS

most expensive component!

Costs of VSSing a secret s (for Pedersen VSS)• Sharing:

Communication: 2n group elements via point-to-point channels

• Verification overhead:

Communication: 2(t+1) group elements via broadcast channel

Computation: ≈ t exponentiations per player

1. Drawbacks of previous solutions1. Drawbacks of previous solutions

Note: Feldman VSS is slightly more efficient!

Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2

Documents

Transcript of Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2