Threshold PKC Shafi Goldwasser and Ran Canetti. Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e,

Slides:



Advertisements
Similar presentations
ElGamal Security Public key encryption from Diffie-Hellman
Advertisements

Secure Evaluation of Multivariate Polynomials
Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions PKC 2010 May 27, 2010 Petros Mol, Scott Yilek 1 UC, San Diego.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Security Definitions in Computational Cryptography
CIS 5371 Cryptography 3b. Pseudorandomness.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Paillier Threshold Encryption WebService by Brett Wilson.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
1 CIS 5371 Cryptography 9. Data Integrity Techniques.
Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011
0x1A Great Papers in Computer Security
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Dan Boneh Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Online Cryptography Course Dan Boneh.
8. Data Integrity Techniques
The RSA Algorithm Rocky K. C. Chang, March
1 Introduction to Security and Cryptology Enterprise Systems DT211 Denis Manley.
CS555Topic 211 Cryptography CS 555 Topic 21: Digital Schemes (1)
Cryptography Lecture 8 Stefan Dziembowski
Efficient and Robust Private Set Intersection and multiparty multivariate polynomials Dana Dachman-Soled 1, Tal Malkin 1, Mariana Raykova 1, Moti Yung.
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2013 Nitesh Saxena.
Cryptography Lecture 9 Stefan Dziembowski
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.
15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
Based on work with: Sergey Gorbunov and Vinod Vaikuntanathan Homomorphic Commitments & Signatures Daniel Wichs Northeastern University.
CS555Spring 2012/Topic 71 Cryptography CS 555 Topic 7: Stream Ciphers and CPA Security.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
1 CIS 5371 Cryptography 1.Introduction. 2 Prerequisites for this course  Basic Mathematics, in particular Number Theory  Basic Probability Theory 
Cryptography Lecture 3 Arpita Patra © Arpita Patra.
1 The RSA Algorithm Rocky K. C. Chang February 23, 2007.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
A plausible approach to computer-aided cryptographic proofs (a collection of thoughts) Shai Halevi – May 2005.
Group theory exercise.
Cryptography Lecture 9.
Cryptography Lecture 12.
Topic 30: El-Gamal Encryption
Fuzzy Identity Based Encryption
Cryptography Lecture 10.
Cryptography Lecture 25.
Cryptography Lecture 11.
Threshold RSA Cryptography
Cryptography Lecture 11.
Cryptography Lecture 9.
Cryptography Lecture 10.
Cryptography Lecture 21.
Cryptography Lecture 25.
Cryptography Lecture 24.
Cryptography Lecture 23.
Cryptography Lecture 26.
Presentation transcript:

Threshold PKC Shafi Goldwasser and Ran Canetti

Public Key Encryption [DH] A PKC consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e, and secret key d - E(m, e) outputs cipher text c - D(c, e, d) outputs m. Public Key: e Secret key: d C

Active Adversary: Standard PKC [RS] Chosen Cipher-text Attacks (CCA) -Adversary chooses m 0 m 1 -Adversary receives c either in E(m 0 ) or E(m 1 ) at random -Adversary may ask c’ = c A scheme is secure against CCA if adversary still cannot tell whether c in E(m 0 ) or in E(m 1 ) better than Decoding Equipment c’ m comes up in protocols

Threshold Cryptography [D,DF] An encryption or digital signature scheme where : Secret key is shared among trustees s.t. Trustees can decrypt or sign only if enough cooperate Faulty trustees can’t prevent decryption or signature Faulty trustees can be detected if they act up (optional).

Threshold Public Key Cryptography [DF] A Threshold PKC n consists of 3 PPT algorithms (G,E,D) - G(1 k ) outputs public key e, and shares of secret key d 1,...,d n - E(m, e) outputs cipher-text c - D * = (D 1, D 2 ) where D 1 (c, d i ) outputs decryption share ds i D 2 (c, e, ds 1,..., ds n ) outputs m. * Interaction maybe allowed between servers and user. C Decryption Servers C d1d1 d2d2 dndn... C ds n ds 1 Public Key: e Secret Key Shares: d i distributed among servers

Security: Threshold PKC collaborating with t servers adversary While launching the CCA: the adversary has access to all the private data of collaborating servers Say A Threshold Public Key Encryption Scheme is : t-secure: a coalition of t curious but honest servers + adversary cannot break it. t-robust: a coalition of t faulty servers cannot prevent user from decrypting (no denial of service).

Previous Work Gennaro-Shoup: under the assumption that Random Oracles exist and the DDH intractability assumption, show a Threshold PKC which is t-secure and t-robust for t< n/2 against CCA. ( No interaction is necessary.) Dolev-Dwork-Naor: under the assumption trapdoor functions exist show single server PKC secure against CCA. Use NIZK for construction. ( Prior [NY] LTA ) Cramer-Shoup: under the DDH intractability assumption show a single server PKC secure against CCA. Quite Efficient.

New Threshold PKC KEY GEN : PK = (g 1, g 2, a=g 1 x1 g 2 x2, h= g 1 z ) SK: each decryption server holds a share of x 1,x 2,y 1,y 2,z (using polynomial secret sharing, e.g. x 1i = X 1 (i) where X 1 (0) =x 1, deg (X 1 ) = t ) ENC: Same as in single server case DEC(SK,c): Let s be random and S a deg t polynomial s.t (u 1,u 2, e, tag ) S(0)=s and each server I has S(i)=s i - Server i computes tag i ’ = u 1 x 1i u 2 x 2i and sends the user g Q(i) = (tag/tag i ’) s i h z i - User combines shares to obtain g Q(0) = (tag/tag’) s h z and lets m = e/ (tag/tag’) s h z HOW?

Combine decryption shares by using Lagrange Interpolation? User received for all I, Share i = (tag/tag i ’) s i h z i = g Q(i) where Q is some degree 2t polynomial s.t. Q(0) = (tag/tag’) s h z, and needs g Q(0). Lagrange Interpolation: Gives i s.t Q(0) =  i Q(I) for every 2t degree polynomial Q. To combine shares, user computes  ( Share i ) i =  ( g Q(i) ) i = g  iQ(I) = g Q(0)

Where do s i come from for each decryption ? 1Servers share in advance random poly’s S 1,…S k s.t. deg (S j ) = t and S j (0)=s j. I.e server i holds s ji = S j (i) for all j, to use for decrypting jth cipher text. 2 To avoid synchronization errors, servers can share in advance on a single 2-var polynomial S(x,y) where S(c,) is as above, I.e server i holds polynomial S(x, i), and uses s i =S(c,I) for cipher text c.

EVOX 1.0 (current status) F.O.O. protocol: practical, scalable elections Simple implementation done in Java 1.1 So far, 2 medium-size elections with relative success. Issues found: Unintuitive user interface Low Reliability Some relatively obscure security bugs Numerous people (including 3 universities) have expressed interest in using EVOX.

EVOX (this year) Coming Improvements Multiple administrator servers (registrars) and threshold signature schemes to prevent single corruption point weakness in F.O.O. protocol. Timing improvements through signature and verification batching (based on scheme by Amos Fiat), or delegation. Different schemes are currently being analyzed. Improved UI, code security analysis, packaging of system to enable wider use. Hoping for wider release of code (possible GPL?) Current contributors: Ben Adida, Brandon DuRette, Kevin McDonald

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.