
Distributed Parameter Generation for Bilinear Diffie Hellman Exponentiation and Applications

Conference paper

Information Security (ISC 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9290)

Abstract

Distributed parameter and key generation plays a fundamental role in cryptographic applications and is motivated by the need to relax the trust assumption on a single authority responsible for producing the keys that cryptographic algorithms need to operate. There are many well-studied distributed key generation protocols for the discrete logarithm problem. In this paper, building upon previous distributed key generation protocols for discrete logarithms, we provide two new building blocks that can be used sequentially to derive distributed parameter generation protocols for a class of problems in the bilinear group setting, most notably the n-Bilinear Diffie Hellman Exponentiation problem. Based on this we present new applications in distributed multi-party oriented cryptographic schemes, including decentralized broadcast encryption, revocation systems and identity-based encryption.


References

  1. Abe, M.: Robust distributed multiplication without interaction. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 130–147. Springer, Heidelberg (1999)

  2. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006)

  3. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988 (1988)

  4. Benaloh, J.C., Yung, M.: Distributing the power of a government to enhance the privacy of voters. In: PODC 1986, pp. 52–62. ACM, New York (1986)

  5. Blakley, G.: Safeguarding cryptographic keys. In: AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Monval (1979)

  6. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)

  7. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. IACR Cryptology ePrint Archive 2005, 15 (2005)

  8. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)

  9. Canny, J., Sorkin, S.: Practical large-scale distributed key generation. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 138–152. Springer, Heidelberg (2004)

  10. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC 1988, pp. 11–19. ACM, New York (1988)

  11. Chu, C.-K., Weng, J., Chow, S.S.M., Zhou, J., Deng, R.H.: Conditional proxy broadcast re-encryption. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 327–342. Springer, Heidelberg (2009)

  12. Cramer, R., Fehr, S.: Optimal black-box secret sharing over arbitrary abelian groups. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 272–287. Springer, Heidelberg (2002)

  13. Cramer, R., Fehr, S., Stam, M.: Black-box secret sharing from primitive sets in algebraic number fields. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 344–360. Springer, Heidelberg (2005)

  14. De Santis, A., Desmedt, Y., Frankel, Y., Yung, M.: How to share a function securely. In: Proceedings of the Twenty-Sixth Annual ACM Symposium on Theory of Computing, STOC 1994, pp. 522–533. ACM, New York (1994)

  15. Desmedt, Y.G., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, Heidelberg (1990)

  16. Desmedt, Y.G., Frankel, Y.: Perfect homomorphic zero-knowledge threshold schemes over any finite abelian group (1994)

  17. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: FOCS 1987. IEEE Computer Society (1987)

  18. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)

  19. Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: STOC 1998, pp. 663–672. ACM, New York (1998)

  20. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007)

  21. Gennaro, R., Raimondo, M.D.: Secure multiplication of shared secrets in the exponent. Inf. Process. Lett. 96(2), 71–79 (2005)

  22. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)

  23. Izabachène, M., Libert, B., Vergnaud, D.: Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 431–450. Springer, Heidelberg (2011)

  24. Jarecki, S.: Efficient Threshold Cryptosystems. Ph.D. thesis, MIT (2001)

  25. Kate, A., Goldberg, I.: Distributed private-key generators for identity-based cryptography. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 436–453. Springer, Heidelberg (2010)

  26. Kiayias, A., Xu, S., Yung, M.: Privacy preserving data mining within anonymous credential systems. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 57–76. Springer, Heidelberg (2008)

  27. Lewko, A., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: SP 2010, pp. 273–285. IEEE Computer Society, Washington, DC (2010)

  28. Liu, Z., Li, J., Chen, X., Yang, J., Jia, C.: TMDS: thin-model data sharing scheme supporting keyword search in cloud storage. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 115–130. Springer, Heidelberg (2014)

  29. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)

  30. Phan, D.H., Pointcheval, D., Strefler, M.: Decentralized dynamic broadcast encryption. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 166–183. Springer, Heidelberg (2012)

  31. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  32. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

  33. Wu, Q., Mu, Y., Susilo, W., Qin, B., Domingo-Ferrer, J.: Asymmetric group key agreement. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 153–170. Springer, Heidelberg (2009)

  34. Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J.: Ad hoc broadcast encryption. In: CCS 2010 (2010)

  35. Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J.: Fully distributed broadcast encryption. In: Boyen, X., Chen, X. (eds.) ProvSec 2011. LNCS, vol. 6980, pp. 102–119. Springer, Heidelberg (2011)

  36. Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., Farràs, O.: Bridging broadcast encryption and group key agreement. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 143–160. Springer, Heidelberg (2011)


Acknowledgment

The first author was supported by the ERC project CODAMODA and the project FINER of the Greek Secretariat of Research and Technology.

Author information

Corresponding author: Ozgur Oksuz.

A Appendix

A.1 Preliminaries

Parties (Servers and an Adversary): Let \(\mathcal {P}=\{1,..,n\}\) be the set of parties. Each party \(i\in \mathcal {P}\) is a probabilistic polynomial-time Turing machine. Up to t of these parties are corrupted and completely controlled by a static, active adversary.

Input and Output: Each party is given a private input and a public input; the input of each party includes the number of parties n. At the end of the computation each party produces a private output and a public output, and the public output must be equal among all honest parties (global public output). The private inputs of the corrupted parties, as well as the public input, are given to the adversary at the start of the protocol.

Communication Model: We assume that communication is synchronous and that protocol execution proceeds in rounds. In each round, each party uses its current state and the whole communication history of previous rounds to produce two types of messages for the other parties: (1) private messages, sent over a private channel network in which a message is assured of being delivered within a fixed period; the network is assumed to be secure and complete, that is, every pair of parties is connected by an untappable and mutually authenticated channel; (2) a broadcast message, which is delivered to all parties at the beginning of the next round. At each round a party thus produces private messages for all other parties as well as one public broadcast message.

Adversarial Operation: In each round, after the adversary has seen all broadcast messages and all private messages sent by honest parties to corrupted parties, it chooses the public and private messages of the corrupted parties as a function of those messages and of all information the corrupted parties accumulated in previous rounds.

Computational Assumption: Let p, q be large primes with \(q|p-1\). We denote by G the subgroup of \(Z^{*}_p\) of elements of order q. It is assumed that solving the discrete logarithm problem in G is intractable.

Feldman’s Verifiable Secret Sharing (FVSS): FVSS [17] tolerates a malicious adversary that corrupts up to \(\frac{\left( n-1\right) }{2}\) parties, possibly including the dealer. The dealer generates a random t-degree polynomial \(f\left( .\right) \) with \(f\left( 0\right) =x\), the secret value, and sends to each party i the share \(s_{i}=f\left( i\right) \) mod q. The dealer also broadcasts the values \(V_{k}=g^{a_{k}}\), where \(a_{k}\) is the kth coefficient of \(f\left( .\right) \), \(k=0,...,t\). This allows the parties to check that the values \(s_{i}\) really define a secret, by verifying \(g^{s_{i}}=\prod _{k=0}^{t} V_{k}^{i^{k}}\) mod p \((\mathbf{Eq. 1 })\). If this equation is not satisfied, party i complains and asks the dealer to reveal its share. If more than t parties complain, the dealer is clearly faulty and is disqualified. Otherwise, for each complaining party i the dealer reveals the share \(s_{i}\) that satisfies \(\mathbf{Eq. 1 }\). \(\mathbf{Eq. 1 }\) also allows detection of incorrect shares \(s'_{i}\) at reconstruction time. Notice that the secret is only computationally hidden: the value \(V_{0}=g^{a_{0}}=g^{x}\) is leaked. However, it can be shown that an adversary that learns t or fewer shares cannot obtain any information on x beyond what can be derived from \(g^{x}\). We will use the following notation to describe the execution of a FVSS protocol: \(FVSS\left( x\right) \left( g\right) \xrightarrow {f,n,t} \left( s_{i}\right) \left( V_{k}\right) \), \(k=0,...,t\).

Pedersen’s Verifiable Secret Sharing (PVSS): We now recall a VSS protocol that provides information-theoretic secrecy for the shared secret, in contrast to FVSS, which leaks the value \(g^{x}\). PVSS [29] uses the parameters p, q, g defined for FVSS. In addition, it uses an element \(h\in Z_{p}^{*}\) that belongs to the subgroup generated by g and whose discrete log in base g is unknown (and assumed hard to compute). The dealer first chooses two t-degree polynomials \(f\left( .\right) ,f'\left( .\right) \) with random coefficients over \(Z_{q}\), subject to \(f\left( 0\right) =x\), the secret. The dealer sends to each party i the values \(x_{i}=f\left( i\right) \) mod q and \(x'_{i}=f'\left( i\right) \) mod q. The dealer then commits to each coefficient of f and \(f'\) by publishing the values \(V_{k}=g^{a_{k}}h^{b_{k}}\), where \(a_{k}\) (resp. \(b_{k}\)) is the kth coefficient of f (resp. \(f'\)). This allows the parties to verify the received shares by checking that \(g^{x_{i}}h^{x'_{i}}=\prod _{k=0}^{t} V_{k}^{i^{k}}\) mod p \((\mathbf{Eq. 2 })\). Parties whose shares do not satisfy \(\mathbf{Eq. 2 }\) broadcast a complaint. If more than t parties complain, the dealer is disqualified. Otherwise the dealer broadcasts the values \(x_{i}\) and \(x'_{i}\) satisfying the equation for each complaining party i. At reconstruction time the parties are required to reveal both \(x_{i}\) and \(x'_{i}\), and \(\mathbf{Eq. 2 }\) is used to validate the shares: in order to have an incorrect share \(\tilde{x}_{i}\) accepted at reconstruction time, it can be shown that party i would have to compute the discrete log of h in base g. Notice that the secret is unconditionally protected, since the only value revealed about it is \(V_{0}=g^{x}h^{x'}\) with \(x'=f'\left( 0\right) \); for any value \(\tilde{x}\) there is exactly one value \(\tilde{r}\) such that \(V_{0}=g^{\tilde{x}}h^{\tilde{r}}\), so \(V_{0}\) gives no information on x.
We will use the following notation to denote an execution of PVSS: \(PVSS\left( x,x'\right) \left( g,h\right) \xrightarrow {f,f',n,t} \left( x_{i},x'_{i}\right) \left( V_{k}\right) \) \((\mathbf{Eq. 3 })\), \(k=0,...,t\).
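Both sharing schemes above, dealing, the Eq. 1 / Eq. 2 checks, complaint counting and Lagrange reconstruction, as an added worked example. This is editor-written Python, not code from the paper; it runs in the paper's setting with constructed toy parameters p = 2039, q = 1019 (so p = 2q+1 and every quadratic residue has order q), g = 4 and h = 9, which are far too small for real use. The last two functions use a brute-force discrete log, feasible only at this size, to make the information-theoretic hiding of \(V_{0}\) visible: every candidate secret has exactly one matching opening.

```python
import secrets

# Toy instance of the paper's setting: primes p, q with q | p-1 and G the order-q
# subgroup of Z_p^*. Constructed for illustration (p = 2q+1, so every quadratic
# residue has order q); real parameters are ~2048-bit p with a 256-bit q.
P, Q = 2039, 1019
G = 4   # 2^2 mod p, a generator of the order-q subgroup
H = 9   # 3^2 mod p, a second element of that subgroup; parties never use log_G(H)


def random_poly(secret, t):
    """Random degree-t polynomial over Z_q with f(0) = secret."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]


def poly_eval(coeffs, i):
    """f(i) mod q (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * i + a) % Q
    return acc


def commit_product(commitments, i):
    """prod_k V_k^(i^k) mod p: the right-hand side of Eq. 1 and Eq. 2."""
    acc = 1
    for k, v in enumerate(commitments):
        acc = acc * pow(v, pow(i, k, Q), P) % P
    return acc


def fvss_deal(x, n, t):
    """Feldman dealer: shares s_i = f(i) and public V_k = g^{a_k}."""
    f = random_poly(x, t)
    return {i: poly_eval(f, i) for i in range(1, n + 1)}, [pow(G, a, P) for a in f]


def fvss_verify(i, s_i, commitments):
    """Eq. 1: g^{s_i} == prod_k V_k^{i^k} (mod p)."""
    return pow(G, s_i, P) == commit_product(commitments, i)


def pvss_deal(x, n, t):
    """Pedersen dealer: shares (x_i, x'_i) from f, f' and public V_k = g^{a_k} h^{b_k}."""
    f, f2 = random_poly(x, t), random_poly(secrets.randbelow(Q), t)
    shares = {i: (poly_eval(f, i), poly_eval(f2, i)) for i in range(1, n + 1)}
    return shares, [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, f2)]


def pvss_verify(i, share, commitments):
    """Eq. 2: g^{x_i} h^{x'_i} == prod_k V_k^{i^k} (mod p)."""
    x_i, x2_i = share
    return pow(G, x_i, P) * pow(H, x2_i, P) % P == commit_product(commitments, i)


def complaints(shares, commitments, verify):
    """Parties whose share fails the check; the dealer is disqualified iff more than t complain."""
    return [i for i, s in shares.items() if not verify(i, s, commitments)]


def lagrange_coeff(j, indices):
    """Lagrange coefficient of point j for interpolation at 0 over Z_q."""
    num = den = 1
    for m in indices:
        if m != j:
            num = num * (-m) % Q
            den = den * (j - m) % Q
    return num * pow(den, -1, Q) % Q


def reconstruct(shares):
    """f(0) from any t+1 (or more) accepted shares {i: f(i)}."""
    idx = list(shares)
    return sum(s * lagrange_coeff(j, idx) for j, s in shares.items()) % Q


def dlog_toy(base, target):
    """Brute-force log in the order-q subgroup: feasible only because q = 1019."""
    acc = 1
    for e in range(Q):
        if acc == target:
            return e
        acc = acc * base % P
    raise ValueError("target not in the subgroup")


def pedersen_other_opening(v0, x_alt):
    """The unique r with g^{x_alt} h^r == V_0. One exists for every x_alt, which is why
    V_0 hides x unconditionally; finding it needs log_G(H), so no real party can."""
    w = dlog_toy(G, H)                 # log_G(H)
    u = dlog_toy(G, v0)                # x + w * x'  (V_0 = g^u)
    return (u - x_alt) * pow(w, -1, Q) % Q
```

Tampering with one share makes `complaints` name that party; `reconstruct` on any t+1 verified shares returns x; for Feldman, `commitments[0] == pow(G, x, P)` is exactly the leak noted in the text, whereas `pedersen_other_opening(V_0, x_alt)` produces a valid opening of the Pedersen \(V_{0}\) for any `x_alt`. Modular inverses via `pow(d, -1, Q)` need Python 3.8 or later.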

Bilinear Maps: Let G and \(G'\) be two multiplicative cyclic groups of prime order q, and let g be a generator of G. A bilinear map is a map \(e:G \times G \rightarrow G'\) with the following properties: (1) bilinearity: for all \(u,v \in G\) and \(a,b \in Z\), \(e\left( u^{a},v^{b}\right) = e\left( u,v\right) ^{ab}\); (2) non-degeneracy: \(e\left( g,g\right) \not =1\).

A.2 Proof of Theorem 2

Definition 7 (t-Secure Distributed n-BDHE Protocol).

\({D}^{n-BDHE }\) is an n-party protocol obtained by sequentially composing 2n sub-protocols, each of which generates one element of the n-BDHE instance. Each party takes the public parameter set PP as input, and the protocol sequentially outputs \(n-BDHE =\left( g_{1},..,g_{n},g_{n+2},..,g_{2n}\right) \), where \(g_{i}=g^{x^{i}}\) for a random value x, in the presence of at most t corrupted parties. A t-secure distributed n-BDHE protocol satisfies the following properties, adapted from [20]:

Correctness: (1) x is uniformly distributed in \(Z_{q}\); (2) any subset of \(t+1\) shares provided by honest parties defines the same unique secret x; (3) all honest parties hold the same public values \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\); (4) if at least \(2t+1\) parties follow the protocol, the shares are accepted with probability 1.

Secrecy: No information on x can be learned by the adversary except for what is implied by the values \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\). More formally, we state this condition in terms of simulatability: for every PPT adversary \(\mathcal {A}\) that corrupts up to t parties, there exists a PPT simulator \(\mathcal {S}\) that, on input the elements \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\), produces an output distribution that is polynomially indistinguishable from \(\mathcal {A}\)’s view (Definition 1) of a run of the n-BDHE protocol that ends with \(g_{1},..,g_{n},g_{n+2},..,g_{2n}\) as its public output.

Proof

Correctness: Properties (1), (2) and (3) for \(g_{1}\) follow from [20]. The remaining elements \(g_{2},..,g_{n}\) are obtained sequentially, provided at least \(t+1\) honest parties participate: in step i each party j raises the current value \(g_{i}\) to its share \(x_{j}\) of the secret x and publishes \(g_{i}^{x_{j}}\), and any \(t+1\) such contributions recover x in the exponent by Lagrange interpolation, \(g_{i+1}=g_{i}^{x}=\prod _{j}\left( g_{i}^{x_{j}}\right) ^{\lambda _{j}}\). Each contribution \(g_{i}^{x_{j}}\), \(i=1,2,..,n\), can be verified publicly with the bilinear map, since \(g^{x_{j}}\) can be computed from the public Feldman commitments: \(e\left( g_{i}^{x_{j}},g\right) =e\left( g_{i},g^{x_{j}}\right) \). To obtain \(g_{n+2}\) from \(g_{n}\) with any \(t+1\) honest parties, at least \(2t+1\) parties must follow the \(\mathcal {RECSQ}\) sub-protocol. The argument mirrors [1] (Lemma 2); the difference is that the exponent is \(x^{2}\), so the parties run one more PVSS and one more FVSS to show that they share the correct values \(c_{i}\) in the exponent, using g and \(g_{n}\) as the bases. The remaining elements up to \(g_{2n}\) are then obtained in the same way as \(g_{2},..,g_{n}\), again with at least \(t+1\) honest parties.
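The sequential recovery of x in the exponent used in this proof, as an added simulation in Python (editor-written, not the paper's code). One process holds every party's share, so it demonstrates the arithmetic of the ladder, not the adversary model; the pairing-based check of each contribution is omitted since no pairing library is assumed; and the shares of \(x^{2}\) are dealt directly as a stand-in for what the \(\mathcal {RECSQ}\) step would deliver, which is an assumption of the example. The toy parameters p = 2039, q = 1019, g = 4 are constructed.

```python
import secrets

# Toy group in the paper's setting: p = 2q+1 and G of prime order q inside Z_p^*.
# Constructed for illustration only; far too small for real use.
P, Q, G = 2039, 1019, 4


def share(secret, n, t):
    """Degree-t Shamir shares {j: f(j)} of `secret` over Z_q. Stands in for the
    output of the verifiable sharing steps, whose checks are not repeated here."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    return {j: sum(a * pow(j, k, Q) for k, a in enumerate(coeffs)) % Q
            for j in range(1, n + 1)}


def lagrange_coeff(j, indices):
    """Coefficient of point j when interpolating f(0) from the points in `indices`."""
    num = den = 1
    for m in indices:
        if m != j:
            num, den = num * (-m) % Q, den * (j - m) % Q
    return num * pow(den, -1, Q) % Q


def exp_interpolate(contributions):
    """Lagrange interpolation in the exponent: from base^{s_j} for t+1 or more
    parties j, return base^{f(0)} = prod_j (base^{s_j})^{lambda_j}. Nobody learns f(0)."""
    idx = list(contributions)
    acc = 1
    for j, c in contributions.items():
        acc = acc * pow(c, lagrange_coeff(j, idx), P) % P
    return acc


def next_element(base, shares, parties):
    """One sequential step: each participating party j publishes base^{s_j}
    (its own share only) and the public combiner interpolates to base^{s}."""
    return exp_interpolate({j: pow(base, shares[j], P) for j in parties})


def bdhe_ladder(x_shares, x2_shares, n, parties):
    """Compute g_1..g_n and g_{n+2}..g_{2n}, g_i = g^{x^i}, from shares of x and, for
    the single jump over g_{n+1}, shares of x^2, using only `parties` (at least t+1).
    x2_shares are ASSUMED to be what the paper's RECSQ sub-protocol delivers; here
    a dealer produced them, since RECSQ itself is not reproduced."""
    out, cur = {}, G
    for i in range(1, n + 1):                   # g_i = g_{i-1}^x, g_0 = g
        cur = next_element(cur, x_shares, parties)
        out[i] = cur
    if n >= 2:                                  # g_{n+1} is never formed
        cur = next_element(cur, x2_shares, parties)   # g_{n+2} = g_n^{x^2}
        out[n + 2] = cur
        for i in range(n + 3, 2 * n + 1):       # g_i = g_{i-1}^x again
            cur = next_element(cur, x_shares, parties)
            out[i] = cur
    return out


def expected_ladder(x, n):
    """Trusted-dealer reference g^{x^i} to compare the distributed result against."""
    idx = list(range(1, n + 1)) + list(range(n + 2, 2 * n + 1))
    return {i: pow(G, pow(x, i, Q), P) for i in idx}
```

Any subset of at least t+1 parties gives the same ladder, and the combiner only ever sees \(g_{i}^{x_{j}}\), never a share. Running `bdhe_ladder` with fewer than t+1 parties silently produces wrong elements, which is why the proof insists on \(t+1\) honest participants and on public verification of every contribution. Modular inverses via `pow(d, -1, Q)` need Python 3.8 or later.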

Secrecy: This follows from Theorem 1, since the protocol is a special case of \(\varUpsilon _{\mathcal {A}}^{GSuite}\).    \(\square \)

Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Kiayias, A., Oksuz, O., Tang, Q. (2015). Distributed Parameter Generation for Bilinear Diffie Hellman Exponentiation and Applications. In: Lopez, J., Mitchell, C. (eds) Information Security. ISC 2015. Lecture Notes in Computer Science, vol 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_30

  • DOI: https://doi.org/10.1007/978-3-319-23318-5_30

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-23317-8

  • Online ISBN: 978-3-319-23318-5