Adaptively Secure Non-interactive CCA-Secure Threshold Cryptosystems: Generic Framework and Constructions

Abstract

In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure. In the case of threshold public-key encryption, at least \(t \le n\) servers need to contribute to the decryption process. A threshold primitive is said robust if no coalition of t malicious servers can prevent remaining honest servers from successfully completing private key operations. Non-interactive schemes, considered the most practical ones, allow servers to contribute to decryption without interactions. So far, most non-interactive threshold cryptosystems were only proved secure against static corruptions. In the adaptive corruption scenario (where the adversary can corrupt servers at any time, based on its complete view), all existing robust threshold encryption schemes that also resist chosen-ciphertext attacks till recently require interaction in the decryption phase. A very specific method (in composite order groups) for getting rid of interaction was recently suggested, leaving the question of more generic frameworks and constructions with better security and, in particular, better flexibility (i.e., compatibility with distributed key generation). This paper advances the state of the art and describes a general construction of adaptively secure robust non-interactive threshold cryptosystems with chosen-ciphertext security. We define the novel notion of all-but-one perfectly sound threshold hash proof systems that can be seen as (threshold) hash proof systems with publicly verifiable and simulation-sound proofs. We show that this notion generically implies threshold cryptosystems combining the aforementioned properties. Then, we provide efficient instantiations under well-studied assumptions in bilinear groups (e.g., in such groups of prime order). These instantiations have a tighter security proof in the single-challenge setting and are indeed compatible with distributed key generation protocols.

Appendices

One-Time Signatures

1.1 Definition

A one-time signature scheme is a triple of algorithms \(\varSigma =({\mathsf {Gen}},{\mathsf {Sig}},{\mathsf {Ver}})\) such that, on input of a security parameter \(\lambda \) and (optionally) a set of externally supplied public parameters \({\mathsf {pp}}\), \({\mathcal {G}}\) generates a one-time key pair \(({\mathsf {SSK}},{\mathsf {SVK}}) \leftarrow \varSigma .{\mathcal {G}}(\lambda ,{\mathsf {pp}})\) while, for any message M, \(\varSigma .{\mathsf {Ver}}({\mathsf {SVK}},M,\sigma )\) outputs 1 whenever \(\sigma =\varSigma .{\mathsf {Sig}}({\mathsf {SSK}},M)\) and 0 otherwise.

As in [22, 31], we need strongly unforgeable one-time signatures: no PPT adversary can be able to create a new signature for a previously signed message.

Definition 4

\(\varSigma =({\mathsf {Gen}},{\mathsf {Sig}},{\mathsf {Ver}})\) is a strongly unforgeable one-time signature if the probability

$$\begin{aligned}&{\mathbf {Adv}}^{\mathsf {OTS}}={\mathrm {Pr}} \big [ ({\mathsf {SSK}},{\mathsf {SVK}}) \leftarrow {\mathcal {G}}(\lambda ,{\mathsf {pp}}); (M,St) \leftarrow {\mathcal {F}}({\mathsf {SVK}}); \\&\quad \sigma \leftarrow \varSigma .{\mathsf {Sig}}({\mathsf {SSK}},M); (M',\sigma ') \leftarrow {\mathcal {F}}(M,\sigma ,{\mathsf {SVK}},St) : \\&\quad \varSigma .{\mathsf {Ver}}(\sigma ',{\mathsf {SVK}},M')=1 \wedge (M',\sigma ')\ne (M,\sigma )~ \big ], \end{aligned}$$

where St denotes the state information maintained by \({\mathcal {F}}\) between stages, is negligible for any PPT forger \({\mathcal {F}}\).

1.2 Groth’s One-Time Signature

For completeness, this section recalls the description of the one-time signature proposed by Groth [37], which was proved strongly unforgeable under the Discrete Logarithm assumption. The description assumes pre-existing public parameters \({\mathsf {pp}}\) consisting of a cyclic group \({\mathbb {G}}\) of prime order \(p>2^\lambda \) with a generator \(g \in {\mathbb {G}}\) and a random member \(H:\{0,1\}^* \rightarrow {\mathbb {Z}}_p\) of collision-resistant hash function family.

• \({\mathsf {Gen}}(\lambda ,{\mathsf {pp}})\) Given \(\lambda \in {\mathbb {N}}\), a key pair is generated by taking the following steps.

  1. 1.

     Choose and compute \(f=g^x\), \(h=g^y\).

  2. 2.

     Choose and compute \(c= f^r h^s\).

  Output \({\mathsf {SVK}}=(f,h,c) \in {\mathbb {G}}^3\) and \({\mathsf {SSK}}=(x,y,r,s) \in {\mathbb {Z}}_p^4\).

• \({\mathsf {Sig}}({\mathsf {SSK}},M)\) To sign \(M \in \{0,1\}^*\), choose and compute

  $$\begin{aligned} \sigma = \Bigl ( t, \frac{x \cdot (r-t) + y \cdot s - H(M) }{y} \Bigr ) \in {\mathbb {Z}}_p^2. \end{aligned}$$

• \({\mathsf {Ver}}({\mathsf {SVK}},M,\sigma )\) Given a message M and a purported signature \(\sigma =(t,w) \in {\mathbb {Z}}_p^2\), return 1 if

  $$\begin{aligned} c= g^{H(M)} \cdot f^t \cdot h^w \end{aligned}$$

  and 0 otherwise.

Constructing Non-interactive Proofs for Schemes in Prime Order Groups

1.1 Constructing Proof Elements in the DLIN-Based Instantiation

In the following notations, we define a coordinate-wise pairing \(E:{\mathbb {G}}\times {\mathbb {G}}^3 \rightarrow {\mathbb {G}}_T^3\) such that, for any element \(h\in {\mathbb {G}}\) and any vector \(\vec {g}=(g_1,g_2,g_3)\), we have \(E\big (h,\vec {g}\big )=\big (e(h,g_1),e(h,g_2),e(h,g_3)\big )\).

To construct the proof \(\pi _{\mathrm {LIN}}\) that \(\varPhi =(\varPhi _1,\varPhi _2,\varPhi _3)=\big (g_1^{\theta _1},g_2^{\theta _2},g^{\theta _1+\theta _2}\big )\), for some \((\theta _1,\theta _2) \in ({\mathbb {Z}}_p)^2\), the sender first computes commitments \(\vec {C}_{\theta _i}=\vec {g}_{\mathsf {tag}}^{~\theta _i} \cdot \vec {g_1}^{r_i} \cdot \vec {g_2}^{s_i}=\big (g_{\mathsf {tag},1}^{~\theta _i} \cdot g_1^{r_i},~g_{\mathsf {tag},2}^{~\theta _i} \cdot g_2^{s_i},g_{\mathsf {tag},3}^{~\theta _i} \cdot g^{r_i+s_i} \big )\), for each \(i \in \{1,2\}\), with and where \(\vec {g}_{\mathsf {tag}}=(g_{\mathsf {tag},1},g_{\mathsf {tag},2},g_{\mathsf {tag},3}) \in {\mathbb {G}}^3\). Then, he generates the proof \(\pi _{(\theta _1,\theta _2)}\) as

$$\begin{aligned} \pi _{(\theta _1,\theta _2)}= & {} ( {\pi }_{1}, {\pi }_{2}, {\pi }_{3},\pi _4,\pi _5,\pi _6) = \Bigl ( g_1^{r_1},~g_1^{s_1},~g_2^{r_2},~g_2^{s_2},~g^{r_1+r_2},~g^{s_1+s_2} \Bigr ) \end{aligned}$$

which satisfies the verification equations

$$\begin{aligned} E\big (g_1,\vec {C}_{\theta _1} \big )= & {} E\big ( \varPhi _1 ,\vec {g}_{\mathsf {tag}} \big ) \cdot E\big (\pi _1,\vec {g_1} \big ) \cdot E\big (\pi _2,\vec {g_2} \big ) \nonumber \\ E\big (g_2,\vec {C}_{\theta _2} \big )= & {} E\big ( \varPhi _2 ,\vec {g}_{\mathsf {tag}} \big ) \cdot E\big (\pi _3,\vec {g_1} \big ) \cdot E\big (\pi _4,\vec {g_2} \big ) \nonumber \\ E\big (g,\vec {C}_{\theta _1} \cdot \vec {C}_{\theta _2} \big )= & {} E\big ( \varPhi _3 ,\vec {g}_{\mathsf {tag}} \big ) \cdot E\big (\pi _5,\vec {g_1} \big ) \cdot E\big (\pi _6,\vec {g_2} \big ). \end{aligned}$$

(11)

When the above verifications are performed in the naive way, they require to evaluate 30 pairings altogether. However, using randomized batch verification techniques (which, as illustrated in [10], can provide substantial savings in the context of Groth–Sahai proofs), they can be more efficiently processed by computing a product of 12 pairings at the expense of a tiny probability of accepting an invalid ciphertext.

On a CRS \((\vec {g_1},\vec {g_2},\vec {g}_{\mathsf {tag}^\star })\) for the WI setting (i.e., where \(\vec {g}_{\mathsf {tag}^\star }=\vec {g_1}^{\xi _1} \cdot \vec {g_2}^{\xi _2}\) for some \(\xi _1,\xi _2 \in _R {\mathbb {Z}}_p\)), the proof \(\pi _{\mathrm {LIN}}\) can be simulated as follows. First, commitments \(\vec {C}_{\theta _1},\vec {C}_{\theta _2}\) are computed as commitments to 0 (say \(\vec {C}_{\theta _i}=\vec {g_1}^{r_i} \cdot \vec {g_2}^{s_i}\) for each \(i \in \{1,2\}\) with ). Then, proof elements \(\pi _{(\theta _1,\theta _2)}=(\pi _1,\pi _2,\pi _3,\pi _4,\pi _5,\pi _6)\) satisfying (11) can be obtained as per

$$\begin{aligned} \pi _1= & {} g_1^{r_1} \cdot \varPhi _1^{-\xi _1} \qquad \qquad \pi _3=g_2^{r_2} \cdot \varPhi _2^{-\xi _1} \qquad \qquad \pi _5=g^{r_1+r_2} \cdot \varPhi _3^{-\xi _1} \\ \pi _2= & {} g_1^{s_1} \cdot \varPhi _1^{-\xi _2} \qquad \qquad \pi _4=g_2^{s_2} \cdot \varPhi _2^{-\xi _2} \qquad \qquad \pi _6=g^{s_1+s_2} \cdot \varPhi _3^{-\xi _2}. \end{aligned}$$

1.2 Constructing Proof Elements in the SXDH-Based instantiation

Here, our notations use a coordinate-wise pairing \(E:{\mathbb {G}}\times {\hat{{\mathbb {G}}}}^2 \rightarrow {\mathbb {G}}_T^2\) such that, for any element \(h\in {\mathbb {G}}\) and any vector \(\vec { {g}}=(\hat{g_1},\hat{g_2} ) \in {\hat{{\mathbb {G}}}}^2\), we have \(E\big (h,\vec { {g}}\big )=\big (e(h,\hat{g_1}),e(h,\hat{g_2}) \big )\).

To construct the non-interactive proof \(\pi _{\mathrm {DH}}\) that \((\varPhi _1,\varPhi _2)=(g_1^{\theta },g_2^{\theta })\), for some \(\theta \in _R {\mathbb {Z}}_p\), the sender first computes a commitment \(\vec {C}_{\theta }=\vec {u}_{\mathsf {tag}}^{~\theta } \cdot \vec {u_1}^{r } =\big ({\hat{u}}_{\mathsf {tag},1}^{~\theta } \cdot {\hat{g}}^{r},~{\hat{u}}_{\mathsf {tag},2}^{~\theta } \cdot {\hat{h}}^{r} \big )\), using a randomly drawn and where \(\vec {u}_{\mathsf {tag}}=({\hat{u}}_{\mathsf {tag},1},{\hat{u}}_{\mathsf {tag},2}) \in {\hat{{\mathbb {G}}}}^2\). Then, he generates the proof \(\pi _{\theta }\) as

$$\begin{aligned} \pi _{\theta }= & {} ( {\pi }_{1}, {\pi }_{2} ) = \big ( g_1^{r }, g_2^{r } \big ) \in {\mathbb {G}}^2 \end{aligned}$$

which satisfies the verification equations

$$\begin{aligned} E\big (g_1,\vec {C}_{\theta } \big )= & {} E\big ( \varPhi _1 ,\vec {u}_{\mathsf {tag}} \big ) \cdot E\big (\pi _1,\vec {u_1} \big ) \nonumber \\ E\big (g_2,\vec {C}_{\theta } \big )= & {} E\big ( \varPhi _2 ,\vec {u}_{\mathsf {tag}} \big ) \cdot E\big (\pi _2,\vec {u_1} \big ) . \end{aligned}$$

(12)

Instead of naively verifying equations (12) separately, the verifier can choose and test whether

$$\begin{aligned} E(g_1 \cdot g_2^{\omega },\vec {C}_{\theta })= E(\varPhi _1 \cdot \varPhi _2^{\omega },\vec {u}_{\mathsf {tag}}) \cdot E(\pi _1 \cdot \pi _2^{\omega }, \vec {u}_1), \end{aligned}$$

which fails with overwhelming probability when one of the two equations (12) is not satisfied. With further optimizations (when coordinate-wise equalities are simultaneously batch-verified), the verifier only needs to compute a product of 6 pairings.

On a CRS \((\vec {u}_{\mathsf {tag}},\vec {u}_1)\) for the perfect WI setting (i.e., where \(\vec {u}_{\mathsf {tag}}=\vec {u}_1^{\rho _u}\) for some \(\rho _u \in _R {\mathbb {Z}}_p\)), a NIZK proof \(\pi _{\mathrm {DH}}\) can be simulated by computing \(\vec {C}_{\theta }\) as a commitment to 0 (say \(\vec {C}_{\theta }=\vec {u}_1^r\) for some ) and the assignment

$$\begin{aligned} \pi _1=g_1^r \cdot \varPhi _1^{-\rho _u} \qquad \qquad \qquad \pi _2=g_2^r \cdot \varPhi _2^{-\rho _u} \end{aligned}$$

is easily seen to satisfy the verification equations (12).