1 / 25

Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2

PKC 2008 , 11 th March 2008. Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2 1 KU Leuven, ESAT-COSIC, Belgium 2 Bauhaus Universität Weimar, Germany. Simultaneous Broadcast Problem. Simultaneous broadcast:. I want to announce u 2.

marisa
Download Presentation

Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PKC 2008, 11th March 2008 Efficient Simultaneous Broadcast Sebastian Faust1, Emilia Käsper1, Stefan Lucks2 1 KU Leuven, ESAT-COSIC, Belgium 2Bauhaus Universität Weimar, Germany

  2. Simultaneous Broadcast Problem Simultaneous broadcast: I want to announce u2 I want to announce u1 u2 u2 u1 u1 u1, u2, u3 have been chosen independently I want to announce u3 u3 u3

  3. Simultaneous Broadcast Problem I won! Sealed Bid Auction in Synchronous Network 5.000 € 2.000 € 4.000 € 1.000 €

  4. Simultaneous Broadcast Problem SB Auction in Partially Synchronous Network 5.000 € 2.000 € I won! 5.001 € 1.000 €

  5. Simultaneous Broadcast Problem Solution: 2-Round Protocol? open 6.000 € 6.000 € I won with price 9.000 € open 9.000 € 9.000 € open 6.500 € 6.500 € 1.000 € open 1.000 €

  6. Simultaneous Broadcast Problem Solution: 2-Round Protocol? No! 6.000 € open 6.000 € We won with price 6.500 € 9.000 € We won with price 6.500 € open 6.500 € 6.500 € 1.000 € open 1.000 €

  7. Rest of this talk... Basics Building Blocks Solutions Summary

  8. 1. Communication & Adversary model Communication Model • Network of n players: P = {P1, … ,Pn} • Private point-to-point channel • Reliable broadcast channel • Partially synchronous communication: synchronized rounds • Adversary Model • Rushing adversary: speaks last in each round • Full control of t < n/2 players from protocol start

  9. 1. Simultaneous Broadcast Properties • Consistency:Protocol outcome is consistent for all honest players • Correctness:Each honest party receives the correct announcement of each other honest party • Independence: No correlation between announcements of corrupt and honest parties

  10. 1. Simultaneous Broadcast Definition of independence (more details)... • u: {ui : of honest player Pi} • Q: subgroup of corrupt players • m: announcements of players in Q • pQm,u : Pr[Announcement m|honest players announced u] • For any PPT adversary A, any Q, all m and all u≠v, we have • |pQm,u – pQm,v| ≤ ϵ(k), • where ϵ is negligible in k.

  11. 2. Public-Key Encryption Public Key Encryption (Gen,Enc,Dec): • Semantic Security: Ciphertext reveals no information on plaintext • Committing Property: m1≠ m2 c1≠ c2 Public Key Encryption (Gen,Enc,Dec): • Semantic Security: Ciphertext reveals no information on plaintext • Committing Property: m1≠ m2 c1≠ c2 • ElGamal Encryption: • Setup: Group G=<g> of prime order q. • Gen: secret key: x ←R Zq, public key: y = gx • Enc: c = (d,e) = (gr, yrm), for m ← G, r ←R Zq • Dec: m = e/dx Theorem:ElGamal is a committing encryption scheme and semantically secure under the DDH assumption. DDH assumption: given gx, gy, gz, difficult to decide whether z=xy

  12. 2. (t,n)-Feldman VSS VSS a secret s: • System parameters: • n: # players, here n=3, • D: dealer • t: # corrupt players • <g>=G, ord(G)= q, g ← G Select Shamir sharing polynomial: f(x)=s+a1x+..+atxt s1 = f(1) P1 D s2 = f(2) P2 s3 = f(3) P3

  13. 2. (t,n)-Feldman VSS VSS a secret s: Verify... • System parameters: • n: # players, here n=3, • D: dealer • t: # corrupt players • <g>=G, ord(G)= q, g ← G Compute A0=gs and Ai=gai for i=1..t P1 Verify... Ai, i=0..t D P2 Verify... P3

  14. 2. (t,n)-Feldman VSS • Properties of VSS: • Every set of t+1 shares of honest players define the same unique s • „No information“ on s is learned by ≤ t shares • Costs of VSSing a secret s: • Sharing: • Communication: n group elements via point-to-point channels • Verification overhead: • Communication: t+1 group elements via broadcast channel • Computation: ≈ t exponentiations per player

  15. 3. Previous Solutions • Gennaro 1996: Generic construction uses • Semantically secure encryption • Verifiable Secret Sharing • Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK)  Security depends on building-blocks • Protocol based on Pedersen VSS: • Each party VSSes its announcement • Each party opens its announcement • Verify correctness  recover announcement with VSS Recovery •  secure under DL in standard model • Drawback: Every announcement requires execution of VSS

  16. 3. Our Solution – v-SimCast[n,t,k,g] Setup (executed once): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P2 P2 P2 P1 P1 P1 P1 P4 P4 P4 P4 P3 P3 P3 P3

  17. 3. Our Solution – v-SimCast[n,t,k,g] ElGamal key pair (x2,y2) Setup (executed once): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G ElGamal key pair (x1,y1) P2 P1 Each Pi shares xi with (t,n)-Feldman VSS • Setup Costs (per player): • Communication: • broadcasts: t + 1 • point-to-point: n - 1 • Computation: • exponentiation: ≈ nt ElGamal key pair (x4,y4) ElGamal key pair (x3,y3) P4 P3

  18. 3. Our Solution – v-SimCast[n,t,k,g] • SimCast (v iterations): • Each Pi is allowed to announce value ui • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 c1 c2 • SimCast Cost (per player): • communication: 2 • broadcasts: 2 • computation: • exponentiations: 2 c3 c4 (1) Pi computes ElGamal ciphertext ci =(gri,yiri· ui) P4 P3

  19. 3. Our Solution – v-SimCast[n,t,k,g] (2) SimCast (v iterations) • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G (r’2,u’2) P2 (r’1,u’1) P1 • SimCast Cost (per player): • communication: • broadcasts: 2 + 2 = 4 • computation: • exponentiation: 2 (r’3,u’3) (r’4,u’4) (1) Pi computes ElGamal ciphertext ci =(gri,yiri· ui) (2) Pi opens ci P4 P3

  20. 3. Our Solution – v-SimCast[n,t,k,g] (3) SimCast (v iterations): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 • SimCast Cost (per player): • communication: 4 • broadcasts: 4 • computation: • expon.: 2 + 2(n-1) = 2n Pi verifies for each Pj if cj = (gr’j , yjr’j· uj) P4 P3

  21. 3. Our Solution – v-SimCast[n,t,k,g] (3) SimCast: Failure handling • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 • If verification fails for Pi: • Reconstruct Pi’s secret key xi with VSS Recovery and disqualify Pi • SimCast Cost (per player): • communication: • broadcasts: 4 • computation: • exponentiation: 2n After step (3): Each party knows correct announcement of every other party P4 P3

  22. 3. Security proof – key ideas • Independence against rushing adversary A under DDH: • Feldman VSS guarantees valid ElGamal key pair • Round (1): A obtains ElGamal ciphertexts of honest players • No information is learned under DDH: Semantic security • No malleability attacks (e.g. copycat):  Opening always with secret key  A must know its announcement • Round (2): A obtains announcements of honest parties in clear • A cannot open announcement differently: •  Committing property •  False opening: VSS allows always to recover original announcement (Independence can be proven in standard model under DDH)

  23. 4. Summary • v-SimCast is particularly efficient for repeated execution • Limited parallel execution is possible • Various applications: e.g. joint generation of random values

  24. Thank you for your attention! PKC 2008, 11th March 2008

  25. 1. Drawbacks of previous solutions • Every announcement requires execution of VSS •  most expensive component! • Costs of VSSing a secret s (for Pedersen VSS) • Sharing: • Communication: 2n group elements via point-to-point channels • Verification overhead: • Communication: 2(t+1) group elements via broadcast channel • Computation: ≈ t exponentiations per player Note: Feldman VSS is slightly more efficient!

More Related