250 likes | 359 Views
PKC 2008 , 11 th March 2008. Efficient Simultaneous Broadcast Sebastian Faust 1 , Emilia Käsper 1 , Stefan Lucks 2 1 KU Leuven, ESAT-COSIC, Belgium 2 Bauhaus Universität Weimar, Germany. Simultaneous Broadcast Problem. Simultaneous broadcast:. I want to announce u 2.
E N D
PKC 2008, 11th March 2008 Efficient Simultaneous Broadcast Sebastian Faust1, Emilia Käsper1, Stefan Lucks2 1 KU Leuven, ESAT-COSIC, Belgium 2Bauhaus Universität Weimar, Germany
Simultaneous Broadcast Problem Simultaneous broadcast: I want to announce u2 I want to announce u1 u2 u2 u1 u1 u1, u2, u3 have been chosen independently I want to announce u3 u3 u3
Simultaneous Broadcast Problem I won! Sealed Bid Auction in Synchronous Network 5.000 € 2.000 € 4.000 € 1.000 €
Simultaneous Broadcast Problem SB Auction in Partially Synchronous Network 5.000 € 2.000 € I won! 5.001 € 1.000 €
Simultaneous Broadcast Problem Solution: 2-Round Protocol? open 6.000 € 6.000 € I won with price 9.000 € open 9.000 € 9.000 € open 6.500 € 6.500 € 1.000 € open 1.000 €
Simultaneous Broadcast Problem Solution: 2-Round Protocol? No! 6.000 € open 6.000 € We won with price 6.500 € 9.000 € We won with price 6.500 € open 6.500 € 6.500 € 1.000 € open 1.000 €
Rest of this talk... Basics Building Blocks Solutions Summary
1. Communication & Adversary model Communication Model • Network of n players: P = {P1, … ,Pn} • Private point-to-point channel • Reliable broadcast channel • Partially synchronous communication: synchronized rounds • Adversary Model • Rushing adversary: speaks last in each round • Full control of t < n/2 players from protocol start
1. Simultaneous Broadcast Properties • Consistency:Protocol outcome is consistent for all honest players • Correctness:Each honest party receives the correct announcement of each other honest party • Independence: No correlation between announcements of corrupt and honest parties
1. Simultaneous Broadcast Definition of independence (more details)... • u: {ui : of honest player Pi} • Q: subgroup of corrupt players • m: announcements of players in Q • pQm,u : Pr[Announcement m|honest players announced u] • For any PPT adversary A, any Q, all m and all u≠v, we have • |pQm,u – pQm,v| ≤ ϵ(k), • where ϵ is negligible in k.
2. Public-Key Encryption Public Key Encryption (Gen,Enc,Dec): • Semantic Security: Ciphertext reveals no information on plaintext • Committing Property: m1≠ m2 c1≠ c2 Public Key Encryption (Gen,Enc,Dec): • Semantic Security: Ciphertext reveals no information on plaintext • Committing Property: m1≠ m2 c1≠ c2 • ElGamal Encryption: • Setup: Group G=<g> of prime order q. • Gen: secret key: x ←R Zq, public key: y = gx • Enc: c = (d,e) = (gr, yrm), for m ← G, r ←R Zq • Dec: m = e/dx Theorem:ElGamal is a committing encryption scheme and semantically secure under the DDH assumption. DDH assumption: given gx, gy, gz, difficult to decide whether z=xy
2. (t,n)-Feldman VSS VSS a secret s: • System parameters: • n: # players, here n=3, • D: dealer • t: # corrupt players • <g>=G, ord(G)= q, g ← G Select Shamir sharing polynomial: f(x)=s+a1x+..+atxt s1 = f(1) P1 D s2 = f(2) P2 s3 = f(3) P3
2. (t,n)-Feldman VSS VSS a secret s: Verify... • System parameters: • n: # players, here n=3, • D: dealer • t: # corrupt players • <g>=G, ord(G)= q, g ← G Compute A0=gs and Ai=gai for i=1..t P1 Verify... Ai, i=0..t D P2 Verify... P3
2. (t,n)-Feldman VSS • Properties of VSS: • Every set of t+1 shares of honest players define the same unique s • „No information“ on s is learned by ≤ t shares • Costs of VSSing a secret s: • Sharing: • Communication: n group elements via point-to-point channels • Verification overhead: • Communication: t+1 group elements via broadcast channel • Computation: ≈ t exponentiations per player
3. Previous Solutions • Gennaro 1996: Generic construction uses • Semantically secure encryption • Verifiable Secret Sharing • Non-Interactive Zero-Knowledge Proofs of Knowledge (NIZK) Security depends on building-blocks • Protocol based on Pedersen VSS: • Each party VSSes its announcement • Each party opens its announcement • Verify correctness recover announcement with VSS Recovery • secure under DL in standard model • Drawback: Every announcement requires execution of VSS
3. Our Solution – v-SimCast[n,t,k,g] Setup (executed once): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P2 P2 P2 P1 P1 P1 P1 P4 P4 P4 P4 P3 P3 P3 P3
3. Our Solution – v-SimCast[n,t,k,g] ElGamal key pair (x2,y2) Setup (executed once): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G ElGamal key pair (x1,y1) P2 P1 Each Pi shares xi with (t,n)-Feldman VSS • Setup Costs (per player): • Communication: • broadcasts: t + 1 • point-to-point: n - 1 • Computation: • exponentiation: ≈ nt ElGamal key pair (x4,y4) ElGamal key pair (x3,y3) P4 P3
3. Our Solution – v-SimCast[n,t,k,g] • SimCast (v iterations): • Each Pi is allowed to announce value ui • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 c1 c2 • SimCast Cost (per player): • communication: 2 • broadcasts: 2 • computation: • exponentiations: 2 c3 c4 (1) Pi computes ElGamal ciphertext ci =(gri,yiri· ui) P4 P3
3. Our Solution – v-SimCast[n,t,k,g] (2) SimCast (v iterations) • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G (r’2,u’2) P2 (r’1,u’1) P1 • SimCast Cost (per player): • communication: • broadcasts: 2 + 2 = 4 • computation: • exponentiation: 2 (r’3,u’3) (r’4,u’4) (1) Pi computes ElGamal ciphertext ci =(gri,yiri· ui) (2) Pi opens ci P4 P3
3. Our Solution – v-SimCast[n,t,k,g] (3) SimCast (v iterations): • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 • SimCast Cost (per player): • communication: 4 • broadcasts: 4 • computation: • expon.: 2 + 2(n-1) = 2n Pi verifies for each Pj if cj = (gr’j , yjr’j· uj) P4 P3
3. Our Solution – v-SimCast[n,t,k,g] (3) SimCast: Failure handling • System parameters: • n: # players, here n=4 • t: # corrupt players • k: sec. parameter for ElGamal • <g>=G, ord(G)= q, g ← G P2 P1 • If verification fails for Pi: • Reconstruct Pi’s secret key xi with VSS Recovery and disqualify Pi • SimCast Cost (per player): • communication: • broadcasts: 4 • computation: • exponentiation: 2n After step (3): Each party knows correct announcement of every other party P4 P3
3. Security proof – key ideas • Independence against rushing adversary A under DDH: • Feldman VSS guarantees valid ElGamal key pair • Round (1): A obtains ElGamal ciphertexts of honest players • No information is learned under DDH: Semantic security • No malleability attacks (e.g. copycat): Opening always with secret key A must know its announcement • Round (2): A obtains announcements of honest parties in clear • A cannot open announcement differently: • Committing property • False opening: VSS allows always to recover original announcement (Independence can be proven in standard model under DDH)
4. Summary • v-SimCast is particularly efficient for repeated execution • Limited parallel execution is possible • Various applications: e.g. joint generation of random values
Thank you for your attention! PKC 2008, 11th March 2008
1. Drawbacks of previous solutions • Every announcement requires execution of VSS • most expensive component! • Costs of VSSing a secret s (for Pedersen VSS) • Sharing: • Communication: 2n group elements via point-to-point channels • Verification overhead: • Communication: 2(t+1) group elements via broadcast channel • Computation: ≈ t exponentiations per player Note: Feldman VSS is slightly more efficient!