Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares


Published in Theoretical Computer Science, 645:1-24, 2016.

Benoît Libert (Ecole Normale Supérieure de Lyon, Lyon, France), Marc Joye (Technicolor and Ecole normale supérieure, Los Altos, CA, USA), Moti Yung (Snapchat and Columbia University, New York, NY, USA)

Abstract

Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does so by dividing private keys into $n$ shares handed out to distinct servers. In threshold signature schemes, a set of at least $t+1 \le n$ servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of $t+1$ servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to $t$ corrupted servers; i.e., it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: they have been analyzed in a static corruption model (where the set of corrupted servers is fixed at the very beginning of the attack); they require interaction; they assume a trusted dealer in the key generation phase (so that the system is not fully distributed); or they suffer from certain overheads in terms of storage (large share sizes). In this paper, we construct practical fully distributed (the private key is born distributed), non-interactive schemes, where the servers can compute their partial signatures without communication with other servers, with adaptive security (i.e., the adversary corrupts servers dynamically based on its full view of the history of the system). Our schemes are very efficient in terms of computation, communication, and scalable storage (with private key shares of size $O(1)$, where certain solutions incur $O(n)$ storage costs at each server). Unlike other adaptively secure schemes, our schemes are erasure-free (reliable erasure is hard to assure and hard to administer properly in actual systems). To the best of our knowledge, such a fully distributed highly constrained scheme has been an open problem in the area. In particular, and of special interest, is the fact that Pedersen's traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is born, although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round optimistically (in the absence of faulty players).

Keywords: Threshold signatures, fully distributed schemes, non-interactivity, adaptive security, efficiency, availability, fault tolerance, distributed key generation, erasure-freeness

This is the full version of a paper published at PODC 2014. It includes all proofs that were not included in the proceedings version. Email addresses: benoit.libert@gmail.com (Benoît Libert), marc.joye@gmail.com (Marc Joye), moti@cs.columbia.edu (Moti Yung)

1 Introduction

Threshold cryptography [29, 30, 5, 28] is a paradigm where cryptographic keys are divided into $n > 1$ shares to be stored by distinct servers, which increases the system's availability and resilience to failures. In $(t, n)$-threshold cryptosystems, private-key operations require the cooperation of at least $t+1$ out of $n$ servers (any subset is good). By doing so, the system remains secure against adversaries that break into up to $t$ servers. (The mechanism can be viewed as extending Shamir's secret sharing of one value [66] to sharing of the capability to apply a cryptographic function efficiently.) The public-key portion of the function (e.g., the signature verification key) does not change from its usual format. Threshold primitives are widely used in distributed protocols. Threshold homomorphic encryption schemes are utilized in voting systems (see, e.g., [22, 23]) and multiparty computation protocols [24]. Threshold signatures enhance the security of highly sensitive private keys, like those of certification authorities (e.g., [8]). They can also serve as tools for distributed storage systems [48, 64]. RSA and Elgamal-type constructions have been at the core of many threshold protocols in the last two decades (see, e.g., [28, 39, 40, 47]). A fully distributed public-key system is one where the public (and the distributed private) keys are jointly generated by the same servers which end up holding the private key's shares (e.g., via a threshold secret sharing [66]). Efficient distributed key generation (DKG) protocols were put forth for both RSA [2, 34, 33, 26] and discrete-logarithm-based systems [6, 4, 35, 6, 43].

Non-interactive threshold signatures. For a long time, RSA-based threshold signatures have been the only solutions to enable non-interactive distributed signature generation. By non-interactive, we mean that each server can compute its own partial signature without any online conversation with other servers: each server should send a single message to an entity, called combiner, which gathers the signature shares so as to obtain a full signature. Unlike threshold versions of Schnorr and DSA signatures [42, 39], threshold RSA signatures are well-suited to non-interactive signing protocols as they are deterministic. Hence, they do not require the servers to jointly generate a randomized signature component in a first round before starting a second round. Practical robust non-interactive threshold signatures were described by Shoup [67] under the RSA assumption and by Katz and Yung [50] assuming the hardness of factoring. Boldyreva [10] showed a threshold version of Boneh-Lynn-Shacham signatures [4], which provided an alternative non-interactive scheme with robustness and short signatures. The latter construction [10] was subsequently generalized by Wee [68]. These solutions are only known to resist static attacks, where the set of corrupted servers is chosen by the adversary at the very beginning of the attack, before even seeing the public key.

Adaptive corruptions. More realistically than the static model, the adaptive corruption model allows adversaries to choose whom to corrupt at any time, based on their entire view so far. Adaptive adversaries are known to be strictly stronger (see, e.g., [25]). The first adaptively secure threshold signatures were independently described in 1999 by Canetti et al. [6] and by Frankel et al. [35, 36]. These constructions rely on a technique, called single inconsistent player (SIP), which inherently requires interaction. The SIP technique basically consists in converting a $t$-out-of-$n$ secret sharing into a $t$-out-of-$t$ secret sharing in such a way that, in the latter case, there is only one server whose internal state cannot be consistently revealed to the adversary. Since this player is chosen at random by the simulator among the $n$ servers, it is only corrupted with probability less than $1/2$ and, upon this undesirable event, the simulator can simply rewind the adversary back to one of its previous states. After this backtracking operation, the simulator uses different random coins to simulate the view of the adversary, hoping that the inconsistent player will not be corrupted again (and the expected number of rewindings is bounded by 2). Jarecki and Lysyanskaya [49] extended the SIP technique in order to eliminate the need for servers to reliably erase intermediate computation results. However, their adaptively secure version of the Canetti-Goldwasser threshold cryptosystem [7] requires a substantial amount of interaction at each private-key operation. The same holds for the adaptively secure threshold signatures of Lysyanskaya and Peikert [56] and the universally composable protocols of Abe and Fehr [1]. In 2006, Almansa, Damgård and Nielsen [4] showed a variant of Rabin's threshold RSA signatures [63] and proved them adaptively secure using the SIP technique and ideas from [35, 36]. Similar techniques were used in [69] to construct adaptively secure threshold Waters signatures [70]. While the SIP technique provides adaptively secure threshold signatures based on RSA or the Diffie-Hellman assumption, these fall short of minimizing the amount of interaction. The constructions of [35, 36] proceed by turning a $(t, n)$ polynomial secret sharing into a $(t, t)$ additive

secret sharing by first selecting a pool of at least $t$ participants. However, if only one of these fails to provide a valid contribution to the signing process, the whole protocol must be restarted from scratch. The protocol of Almansa et al. [4] is slightly different in that, like [63], it proceeds by sharing an RSA private key in an additive $(n, n)$ fashion (i.e., the private RSA exponent $d$ is split into shares $d_1, \ldots, d_n$ such that $d = \sum_{i=1}^{n} d_i$). In turn, each additive share $d_i$ is shared in a $(t, n)$ fashion using a polynomial verifiable secret sharing and each share $d_{i,j}$ of $d_i$ is distributed to another server $j$. This is done in such a way that, if one participant fails to provide a valid RSA signature share $H(M)^{d_i}$, the missing signature share can be re-constructed by running the reconstruction algorithm of the verifiable secret sharing scheme that was used to share $d_i$. The first drawback of this approach is that it is only non-interactive when all players are honest, as a second round is needed to reconstruct missing multiplicative signature shares $H(M)^{d_i}$. Another disadvantage is that players have to store $\Theta(n)$ values, where $n$ is the number of servers, as each player has to store a polynomial share of every other player's additive share. Ideally, we would like a solution where each player only stores $O(1)$ elements, regardless of the number of players.

Recently, Libert and Yung [54, 55] gave several constructions of adaptively secure threshold encryption schemes with chosen-ciphertext security. They also suggested an adaptively secure and non-interactive threshold variant [54] of a signature scheme due to Lewko and Waters [5]. The use of bilinear maps in composite order groups makes the scheme of [54] expensive when it comes to verifying signatures: as discussed by Freeman [38], computing a bilinear map in composite order groups is at least 50 times slower than evaluating the same bilinear map in prime-order groups at the 80-bit security level (things can only get worse at higher security levels). The techniques of Lewko [52] can be used to adapt the construction of [54] to the setting of prime-order groups. In the resulting construction, each signature consists of 6 group elements. The use of asymmetric bilinear maps (see [9]) allows reducing the signature size to 4 group elements. Unfortunately, the techniques of [52, 9] assume a trusted dealer and, if implemented in a distributed manner, their key generation phase is likely to be communication-expensive (resorting to generic multiparty secure computations). In particular, they seem hardly compatible with a round-optimal DKG protocol. The reason is that [9] requires to generate public keys containing pairs of matrices of the form $g^{A} \in \mathbb{G}^{n \times n}$ and $g^{A^{-1}} \in \mathbb{G}^{n \times n}$, for some matrix $A \in \mathbb{Z}_p^{n \times n}$, and it is not clear how these non-linear operations can be achieved in a round-optimal distributed manner (let alone with adaptive security). Finally, the solutions of [54] require reliable erasures due to the use of the dual system encryption technique [7, 5] and the existence of several distributions of partial signatures.

Our contributions. We consider the problem of devising a fully distributed, non-interactive, robust, and adaptively secure construction which is as efficient as the centralized schemes obtained from [54, 9] and does not rely on erasures. In particular, we want to retain private-key shares of $O(1)$ size, no matter how many players are involved in the protocol. Here, fully distributed implies that the public key is jointly generated by all players so that no trusted dealer is needed, while guaranteeing the security of the scheme against an adaptive adversary. As mentioned above, we wish to avoid the costly and hard-to-control use of reliable erasures. This means that, whenever the adversary corrupts a player, it learns the entire history of that player. At the same time, the distributed key generation phase should be as communication-efficient as possible. Ideally, a single communication round should be needed when the players follow the protocol. Finally, we would like to avoid interaction during the distributed signing process. To the best of our knowledge, no existing solution combines all the aforementioned highly constraining properties. We thus provide the first candidates.

Our constructions are derived from linearly homomorphic structure-preserving signatures (LHSPS). As defined by Abe et al. [2, 3], structure-preserving signatures (SPS) are signature schemes where messages and public keys live in an abelian group over which a bilinear map is efficiently computable. Recently, Libert et al. [53] considered SPS schemes with additive homomorphic properties: given signatures on linearly independent vectors of group elements, anyone can publicly compute a signature on any linear combination of these vectors. In order to sign a message $M \in \{0,1\}^*$ in a distributed manner, our idea is to hash $M$ onto a vector of group elements which is signed using the LHSPS scheme of [53]. In the random oracle model, we prove that the resulting system is a secure digital signature even if the underlying LHSPS scheme satisfies a weak security definition. Since the LHSPS signing algorithm is deterministic and further presents certain homomorphic properties over the key space, the resulting signature is also amenable for non-interactive distributed signature generation. In the threshold setting, we take advantage of specific properties of the LHSPS scheme of [53] to prove that the scheme provides security against adaptive corruptions in the absence of secure erasures. More surprisingly, we prove that the scheme remains adaptively secure if the public key is generated using Pedersen's DKG protocol [6]. The latter basically consists in having all players verifiably share a random value using Feldman's verifiable secret sharing (VSS) [32] before computing the shared secret as the sum of all well-behaved players' contributions. While very efficient (as only one round is needed in the absence of faulty players), this protocol is known [4] not to guarantee the uniformity of the resulting public key. Indeed, even a static adversary can bias the distribution by corrupting only two players. Nonetheless, the adversary does not have much control on the distribution of the public key and Pedersen's protocol can still be safely used in some applications, as noted by Gennaro et al. [42, 43]. For example, it was recently utilized by Cortier et al. [2] in the context of voting protocols. However, these safe uses of Pedersen's protocol were in the static corruption setting and our scheme turns out to be its first application in an adaptive corruption model. To our knowledge, it is also the first adaptively secure threshold signature where the DKG phase takes only one round when all players follow the specifications.

As an extension of our first scheme, we describe a variant supporting signature aggregation: as suggested by Boneh et al. [3], a set of $s$ signatures for distinct public keys $PK_1, \ldots, PK_s$ on messages $M_1, \ldots, M_s$ can be aggregated into a single signature $\sigma$ which convinces a verifier that, for each $i$, $M_i$ was signed by the private key underlying $PK_i$. In the threshold setting, this property allows for de-centralized certification authorities while enabling the compression of certification chains. As a final contribution, we give a non-interactive adaptively secure threshold signature scheme in the standard model that retains all the useful properties (including the erasure-freeness) of our first realization. In particular, Pedersen's protocol can still be used in the key generation phase if a set of uniformly random common parameters, which can be shared by many public keys, is set up beforehand. As is natural for standard-model constructions, this scheme is somewhat less efficient than its random-oracle-based counterpart but it remains sufficiently efficient for practical applications.

Like Gennaro et al. [43] and Cortier et al. [2], we prove security via a direct reduction from the underlying number-theoretic assumption instead of reducing the security of our schemes to that of their centralized version. We emphasize that our proof technique is different from those of [43, 2], where the reduction runs Pedersen's DKG protocol on behalf of honest players and embeds a discrete logarithm instance in the contribution of honest players to the public key, using a proper simulation of Feldman's verifiable secret sharing. In the adaptive corruption setting, this would at least require an adaptively secure variant of Feldman's VSS, such as [1], and thus extra communications. Instead, our reduction always faithfully runs the protocol on behalf of honest players, and thus always knows their internal state so as to perfectly answer corruption queries. Yet, we can use the adversary's forgery to break the underlying hardness assumption by taking advantage of key homomorphic properties of the scheme, which allow us to turn a forgery for the jointly generated public key of possibly skewed distribution into a forgery for some uniformly random key.

2 Background

2.1 Definitions for threshold signatures

A non-interactive $(t, n)$-threshold signature scheme consists of a tuple $\Sigma = (\mathsf{Dist\text{-}Keygen}, \mathsf{Share\text{-}Sign}, \mathsf{Share\text{-}Verify}, \mathsf{Verify}, \mathsf{Combine})$ of efficient algorithms or protocols such that:

Dist-Keygen(params, $\lambda$, $t$, $n$): This is an interactive protocol involving $n$ players $P_1, \ldots, P_n$, which all take as input common public parameters params, a security parameter $\lambda \in \mathbb{N}$ as well as a pair of integers $t, n \in \mathrm{poly}(\lambda)$ such that $t \le n$. The outcome of the protocol is the generation of a public key $PK$, a vector of private key shares $\mathbf{SK} = (SK_1, \ldots, SK_n)$ where $P_i$ only obtains $SK_i$ for each $i \in \{1, \ldots, n\}$, and a public vector of verification keys $\mathbf{VK} = (VK_1, \ldots, VK_n)$.

Share-Sign($SK_i$, $M$): is a possibly randomized algorithm that takes in a message $M$ and a private key share $SK_i$. It outputs a signature share $\sigma_i$.

Share-Verify($PK$, $\mathbf{VK}$, $M$, $(i, \sigma_i)$): is a deterministic algorithm that takes as input a message $M$, the public key $PK$, the verification key $\mathbf{VK}$ and a pair $(i, \sigma_i)$ consisting of an index $i \in \{1, \ldots, n\}$ and a signature share $\sigma_i$. It outputs 1 or 0 depending on whether $\sigma_i$ is deemed a valid signature share or not.

Combine($PK$, $\mathbf{VK}$, $M$, $\{(i, \sigma_i)\}_{i \in S}$): takes as input a public key $PK$, a message $M$ and a subset $S \subset \{1, \ldots, n\}$ of size $|S| = t+1$ with pairs $\{(i, \sigma_i)\}_{i \in S}$ such that $i \in \{1, \ldots, n\}$ and $\sigma_i$ is a signature share. This algorithm outputs either a full signature $\sigma$ or $\bot$ if $\{(i, \sigma_i)\}_{i \in S}$ contains ill-formed partial signatures.

Verify($PK$, $M$, $\sigma$): is a deterministic algorithm that takes as input a message $M$, the public key $PK$ and a signature $\sigma$. It outputs 1 or 0 depending on whether $\sigma$ is deemed valid or not.

We shall use the same communication model as in, e.g., [4, 42, 43], which is partially synchronous. Namely, communications proceed in synchronized rounds and sent messages are always received within some time bound in the same round. All players have access to a public broadcast channel, which the adversary can use as a sender and a receiver. However, the adversary cannot modify messages sent over this channel, nor prevent their delivery. In addition, we assume private and authenticated channels between all pairs of players. In the adaptive corruption setting, the security of non-interactive threshold signatures can be defined as follows.

Definition 1. A non-interactive threshold signature scheme $\Sigma$ is adaptively secure against chosen-message attacks if no probabilistic polynomial-time (PPT) adversary $\mathcal{A}$ has non-negligible advantage in the game hereunder. At any time, we denote by $\mathcal{C} \subset \{1, \ldots, n\}$ and $\mathcal{G} := \{1, \ldots, n\} \setminus \mathcal{C}$ the dynamically evolving subsets of corrupted and honest players, respectively. Initially, we set $\mathcal{C} = \emptyset$.

1. The game begins by running the DKG protocol Dist-Keygen(params, $\lambda$, $t$, $n$) during which the challenger plays the role of the honest players $P_i$ and the adversary $\mathcal{A}$ is allowed to corrupt players at any time. When $\mathcal{A}$ chooses to corrupt a player $P_i$, the challenger sets $\mathcal{G} = \mathcal{G} \setminus \{i\}$, $\mathcal{C} = \mathcal{C} \cup \{i\}$ and returns the internal state of $P_i$. Moreover, $\mathcal{A}$ is allowed to act on behalf of $P_i$ from this point forward. The protocol ends with the generation of a public key $PK$, a vector of private key shares $\mathbf{SK} = (SK_1, \ldots, SK_n)$ and the corresponding verification keys $\mathbf{VK} = (VK_1, \ldots, VK_n)$. At the end of this phase, the public key $PK$ and $\{SK_i\}_{i \in \mathcal{C}}$ are available to the adversary $\mathcal{A}$.

2. On polynomially many occasions, $\mathcal{A}$ adaptively interleaves two kinds of queries.
   - Corruption query: At any time, $\mathcal{A}$ can choose to corrupt a server. To this end, $\mathcal{A}$ chooses $i \in \{1, \ldots, n\}$ and the challenger returns $SK_i$ before setting $\mathcal{G} = \mathcal{G} \setminus \{i\}$ and $\mathcal{C} = \mathcal{C} \cup \{i\}$.
   - Signing query: For any $i \in \mathcal{G}$, $\mathcal{A}$ can also submit a pair $(i, M)$ and ask for a signature share on an arbitrary message $M$ on behalf of player $P_i$. The challenger responds by computing $\sigma_i \leftarrow$ Share-Sign($SK_i$, $M$) and returning $\sigma_i$ to $\mathcal{A}$.

3. $\mathcal{A}$ outputs a message $M^\star$ and a signature $\sigma^\star$. We define $V = \mathcal{C} \cup S^\star$, where $S^\star \subset \{1, \ldots, n\}$ is the subset of players for which $\mathcal{A}$ made a signing query of the form $(i, M^\star)$. The adversary wins if the following conditions hold: (i) $|V| < t+1$; (ii) Verify($PK$, $M^\star$, $\sigma^\star$) $= 1$.

$\mathcal{A}$'s advantage is defined as its probability of success, taken over all coin tosses.

Since we focus on non-interactive schemes, Definition 1 allows the adversary to individually query each partial signing oracle, whereas usual definitions only provide the adversary with an oracle that runs the distributed signing protocol on behalf of all honest players. We also remark that Definition 1 allows the adversary to obtain some partial signatures on the forgery message $M^\star$ as long as its output remains a non-trivial forgery. In a weaker (but still compelling) definition, partial signing queries for $M^\star$ would be completely disallowed. In the following, we will stick to the stronger definition.

2.2 Hardness assumptions

We first recall the definition of the Decision Diffie-Hellman problem.

Definition 2. In a cyclic group $\mathbb{G}$ of prime order $p$, the Decision Diffie-Hellman Problem (DDH) in $\mathbb{G}$ is to distinguish the distributions $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c)$, with $a, b, c \xleftarrow{R} \mathbb{Z}_p$. The Decision Diffie-Hellman assumption is the intractability of DDH for any PPT distinguisher.

We use bilinear maps $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$ over groups of prime order $p$. We will work in asymmetric pairings, where we have $\mathbb{G} \neq \hat{\mathbb{G}}$ so as to allow the DDH assumption to hold in $\mathbb{G}$ (see, e.g., [65]). In certain asymmetric pairing configurations, DDH is even believed to hold in both $\mathbb{G}$ and $\hat{\mathbb{G}}$. This assumption is called the Symmetric eXternal Diffie-Hellman (SXDH) assumption and it implies that no isomorphism between $\hat{\mathbb{G}}$ and $\mathbb{G}$ be efficiently computable. For convenience, we also use the following problem in asymmetric pairing configurations.

Definition 3 ([3]). The Double Pairing problem (DP) in $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ is, given $(\hat{g}_z, \hat{g}_r) \xleftarrow{R} \hat{\mathbb{G}}^2$, to find a pair $(z, r) \in \mathbb{G}^2 \setminus \{(1_{\mathbb{G}}, 1_{\mathbb{G}})\}$ that satisfies $e(z, \hat{g}_z) \cdot e(r, \hat{g}_r) = 1_{\mathbb{G}_T}$. The Double Pairing assumption asserts that the DP problem is infeasible for any PPT algorithm.

The DP problem is known [3] to be at least as hard as DDH in $\hat{\mathbb{G}}$. Given $(\hat{g}_z, \hat{g}_r, \hat{g}_z^{\theta_1}, \hat{g}_r^{\theta_2})$, a solution $(z, r)$ allows deciding whether $\theta_1 = \theta_2$ or not by testing if the equality $e(z, \hat{g}_z^{\theta_1}) \cdot e(r, \hat{g}_r^{\theta_2}) = 1_{\mathbb{G}_T}$ holds.

2.3 Linearly homomorphic structure-preserving signatures

Structure-preserving signatures [2, 3] are signature schemes that allow signing elements of an abelian group while preserving their algebraic structure, without hashing them first. In [53], Libert et al. described structure-preserving signatures with linearly homomorphic properties. Given signatures on several vectors $\mathbf{M}_1, \ldots, \mathbf{M}_n$ of group elements, anyone can publicly derive a signature on any linear combination of $\mathbf{M}_1, \ldots, \mathbf{M}_n$. They suggested the following scheme, which is a one-time LHSPS (namely, it only allows signing one linear subspace) based on the DP assumption.

Keygen($\lambda$, $N$): Given a security parameter $\lambda$ and the dimension $N \in \mathbb{N}$ of the subspace to be signed, choose bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$. Then, choose $\hat{g}_z, \hat{g}_r \xleftarrow{R} \hat{\mathbb{G}}$. For $k = 1$ to $N$, pick $\chi_k, \gamma_k \xleftarrow{R} \mathbb{Z}_p$ and compute $\hat{g}_k = \hat{g}_z^{\chi_k} \hat{g}_r^{\gamma_k}$. The private key is $sk = \{\chi_k, \gamma_k\}_{k=1}^N$ while the public key consists of $pk = (\hat{g}_z, \hat{g}_r, \{\hat{g}_k\}_{k=1}^N)$.

Sign($sk$, $(M_1, \ldots, M_N)$): To sign a vector $(M_1, \ldots, M_N) \in \mathbb{G}^N$ using $sk = \{\chi_k, \gamma_k\}_{k=1}^N$, compute and output $\sigma = (z, r) \in \mathbb{G}^2$, where $z = \prod_{k=1}^N M_k^{\chi_k}$ and $r = \prod_{k=1}^N M_k^{\gamma_k}$.

SignDerive($pk$, $\{(\omega_i, \sigma^{(i)})\}_{i=1}^{\ell}$): Given the public key $pk$ and $\ell$ tuples $(\omega_i, \sigma^{(i)})$, parse $\sigma^{(i)}$ as $\sigma^{(i)} = (z_i, r_i) \in \mathbb{G}^2$ for $i = 1$ to $\ell$. Then, compute and return $\sigma = (z, r)$, where $z = \prod_{i=1}^{\ell} z_i^{\omega_i}$ and $r = \prod_{i=1}^{\ell} r_i^{\omega_i}$.

Verify($pk$, $\sigma$, $(M_1, \ldots, M_N)$): Given a purported signature $\sigma = (z, r) \in \mathbb{G}^2$ and a vector $(M_1, \ldots, M_N)$, return 1 if and only if $(M_1, \ldots, M_N) \neq (1_{\mathbb{G}}, \ldots, 1_{\mathbb{G}})$ and $(z, r)$ satisfies $1_{\mathbb{G}_T} = e(z, \hat{g}_z) \cdot e(r, \hat{g}_r) \cdot \prod_{k=1}^N e(M_k, \hat{g}_k)$.

A useful property of the scheme is that, if the DP assumption holds, it is computationally hard to come up with two distinct signatures on the same vector, even if the private key is available.

3 A practical adaptively secure non-interactive threshold signature

The construction notably relies on the observation that, as shown in Appendix C, any one-time linearly homomorphic SPS can be turned into a fully secure ordinary signature by introducing a random oracle. The public key is simply that of a linearly homomorphic SPS for vectors of dimension $n > 1$. Messages are signed by hashing them to a vector $\mathbf{H} \in \mathbb{G}^n$ and generating a one-time homomorphic signature on $\mathbf{H}$. The security reduction programs the random oracle in such a way that all signed messages are hashed into a proper subspace of $\mathbb{G}^n$ whereas, with some probability, the adversary forges a signature on a message which is hashed outside this subspace. Hence, a forgery for this message translates into an attack against the underlying linearly homomorphic SPS. In the threshold setting, our system can be seen as an adaptively secure variant of Boldyreva's threshold signature [10], which builds on the short signatures of Boneh, Lynn, and Shacham [4]. The DKG phase uses Pedersen's protocol [6] (or, more precisely, a variant with two generators). Each player verifiably shares a random secret using Pedersen's verifiable secret sharing [62], where verification is enabled by having all parties broadcast commitments to their secret polynomials, and the final secret key is obtained by summing up the shares of non-disqualified players. When all parties follow the protocol, a single communication round is needed. Moreover, we do not need to rely on zero-knowledge proofs or reliable erasures at any time.

In order to sign a message using his private key share, each player first hashes the message $M$ to obtain a vector $(H_1, H_2) \in \mathbb{G}^2$ of two group elements, which can be signed using the linearly homomorphic structure-preserving signature of Section 2.3. We actually build on the observation that any one-time linearly homomorphic SPS implies a fully secure digital signature in the random oracle model. In the threshold setting, we take advantage of two specific properties of the underlying homomorphic signature. First, it is also key homomorphic (namely, the private key space forms an additive group such that, for any message $M$, given any two signatures $\sigma_1 \leftarrow \mathsf{Sign}(sk_1, M)$ and $\sigma_2 \leftarrow \mathsf{Sign}(sk_2, M)$, anyone can compute a valid signature on $M$ for the private key $sk_1 + sk_2$) and thus amenable for non-interactively distributing the signing process. Second, in the security proof of [53], the reduction always knows the private key, which allows consistently answering adaptive corruption queries.

3.1 Description

In the description below, we assume that all players agree on public parameters params consisting of asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$ with generators $\hat{g}_z, \hat{g}_r \xleftarrow{R} \hat{\mathbb{G}}$ and a hash function $H : \{0,1\}^* \to \mathbb{G}^2$ that ranges over $\mathbb{G} \times \mathbb{G}$. This hash function is modeled as a random oracle in the security analysis. While no party should know $\log_{\hat{g}_z}(\hat{g}_r)$, we do not need an extra round to generate $\hat{g}_r$ in a distributed manner as it can simply be derived from a random oracle.

Dist-Keygen(params, $\lambda$, $t$, $n$): Given common public parameters params $= \{(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T), \hat{g}_z, \hat{g}_r, H\}$, a security parameter $\lambda$ and integers $t, n \in \mathbb{N}$ such that $n \ge 2t+1$, each player $P_i$ conducts the following steps.

1. Each player $P_i$ shares two pairs $\{(a_{ik0}, b_{ik0})\}_{k=1}^2$. To this end, he does the following:
   (a) For each $k \in \{1, 2\}$, choose random polynomials $A_{ik}[X] = a_{ik0} + a_{ik1} X + \cdots + a_{ikt} X^t$ and $B_{ik}[X] = b_{ik0} + b_{ik1} X + \cdots + b_{ikt} X^t$ in $\mathbb{Z}_p[X]$ of degree $t$ and broadcast $\hat{W}_{ikl} = \hat{g}_z^{a_{ikl}} \hat{g}_r^{b_{ikl}}$ for all $l \in \{0, \ldots, t\}$.
   (b) For $j = 1$ to $n$, send $\{(A_{ik}(j), B_{ik}(j))\}_{k=1}^2$ to $P_j$.

2. For each set of shares $\{(A_{jk}(i), B_{jk}(i))\}_{k=1}^2$ received from another player $P_j$, $P_i$ verifies that
   $$\hat{g}_z^{A_{jk}(i)} \, \hat{g}_r^{B_{jk}(i)} = \prod_{l=0}^{t} \hat{W}_{jkl}^{\,i^l} \qquad \text{for } k = 1, 2. \tag{1}$$
   If these equalities do not both hold, $P_i$ broadcasts a complaint against the faulty sender $P_j$.

3. Any player who received strictly more than $t$ complaints is immediately disqualified. Each player $P_i$ who received a complaint from another player $P_j$ responds by returning the correct shares $\{(A_{ik}(j), B_{ik}(j))\}_{k=1}^2$. If any of these new shares does not satisfy (1), $P_i$ is disqualified. Let $\mathcal{Q} \subset \{1, \ldots, n\}$ be the set of non-disqualified players at the end of Step 3.

4. The public key is obtained as $PK = \{\hat{g}_k\}_{k=1}^2$, where $\hat{g}_k = \prod_{i \in \mathcal{Q}} \hat{W}_{ik0} = \hat{g}_z^{\sum_{i \in \mathcal{Q}} a_{ik0}} \, \hat{g}_r^{\sum_{i \in \mathcal{Q}} b_{ik0}}$. Each $P_i$ locally defines his private key share $SK_i = \{(A_k(i), B_k(i))\}_{k=1}^2 = \{(\sum_{j \in \mathcal{Q}} A_{jk}(i), \sum_{j \in \mathcal{Q}} B_{jk}(i))\}_{k=1}^2$ and anyone can publicly compute his verification key $VK_i = (\hat{V}_{1,i}, \hat{V}_{2,i})$ as
   $$VK_i = \big(\hat{g}_z^{A_1(i)} \hat{g}_r^{B_1(i)}, \; \hat{g}_z^{A_2(i)} \hat{g}_r^{B_2(i)}\big) = \Big(\prod_{j \in \mathcal{Q}} \prod_{l=0}^{t} \hat{W}_{j1l}^{\,i^l}, \; \prod_{j \in \mathcal{Q}} \prod_{l=0}^{t} \hat{W}_{j2l}^{\,i^l}\Big).$$
   For any disqualified player $i \in \{1, \ldots, n\} \setminus \mathcal{Q}$, the $i$-th private key share is implicitly set as $SK_i = \{(0, 0)\}_{k=1}^2$ and the corresponding verification key is $VK_i = (1_{\hat{\mathbb{G}}}, 1_{\hat{\mathbb{G}}})$.
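The following is an added, runnable walkthrough of Dist-Keygen that carries the key-homomorphic property just stated through the Share-Sign and Combine steps defined in the rest of this section; it is illustration code written for this page, not the authors' implementation. It assumes a pairing-free toy group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q+1$ of demo size, not the $p > 2^\lambda$ of the paper), so $\mathbb{G}$ and $\hat{\mathbb{G}}$ are played by the same group and the pairing-based Share-Verify and Verify checks are replaced by comparing the combined signature with the one computed directly from the full key $(A_k(0), B_k(0))$, which the demo assembles only for that check. The hash output $(H_1, H_2)$ is a constructed random pair rather than a hash-to-curve, one player is made to misbehave so the complaint and disqualification path of Steps 2 and 3 is exercised, and the result dictionary records that any $t+1$ non-disqualified shares give the same signature while $t$ shares, or a disqualified player's implicit $(0,0)$ share, do not. The helper names (`make_params`, `share_ok`, `dist_keygen`, `combine`, `demo`) are this example's own.

```python
"""Added example, not the paper's code: Dist-Keygen, Share-Sign and Combine (Section 3.1) in a toy group."""
import math, secrets


def is_prime(n):
    """Miller-Rabin; these bases are exact below 3.3e24, enough for the 64-bit demo primes used here."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x != 1 and all(pow(x, 1 << r, n) != n - 1 for r in range(s)):
            return False
    return True


def make_params(bits=64):
    """Toy params (assumption): safe prime p = 2q + 1 at demo size (not the paper's p > 2^lambda) and
    generators gz, gr of the order-q subgroup from fresh randomness, so nobody knows log_gz(gr)."""
    q = 4
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
    p = 2 * q + 1
    gen = lambda: pow(2 + secrets.randbelow(p - 3), 2, p)  # a square other than 1 has order q
    return {"p": p, "q": q, "gz": gen(), "gr": gen()}


def commit(prm, a, b):
    """gz^a gr^b: the two-generator commitment behind W_ikl, the public key and the verification keys."""
    return pow(prm["gz"], a, prm["p"]) * pow(prm["gr"], b, prm["p"]) % prm["p"]


def share_ok(prm, W, i, share):
    """Equation (1): gz^{A_jk(i)} gr^{B_jk(i)} == prod_l W_jkl^{i^l} for k = 1, 2."""
    p, q = prm["p"], prm["q"]
    for (a, b), Wk in zip(share, W):
        if commit(prm, a, b) != math.prod(pow(w, pow(i, l, q), p) for l, w in enumerate(Wk)) % p:
            return False
    return True


def dist_keygen(t, n, prm, cheaters=()):
    """Steps 1-4, all-to-all. A cheater (constructed fault) sends shares that contradict its commitments
    and never repairs them, so it draws n-1 > t complaints and is disqualified in Step 3."""
    assert n >= 2 * t + 1
    p, q = prm["p"], prm["q"]
    rand_poly = lambda: [secrets.randbelow(q) for _ in range(t + 1)]
    ev = lambda c, x: sum(cl * pow(x, l, q) for l, cl in enumerate(c)) % q  # A(x) = sum_l a_l x^l mod q
    polys = {i: [(rand_poly(), rand_poly()) for _ in range(2)] for i in range(1, n + 1)}  # Step 1a, kept
    W = {i: [[commit(prm, a, b) for a, b in zip(A, B)] for A, B in polys[i]] for i in polys}  # broadcast
    complaints, inbox = {i: 0 for i in polys}, {j: {} for j in polys}
    for i in polys:  # Step 1b: P_i sends (A_ik(j), B_ik(j)) to P_j; Step 2: P_j checks (1) or complains
        for j in polys:
            sh = [(ev(A, j), ev(B, j)) for A, B in polys[i]]
            if i in cheaters and j != i:
                sh = [((a + 1) % q, b) for a, b in sh]
            if share_ok(prm, W[i], j, sh):
                inbox[j][i] = sh
            else:
                complaints[i] += 1
    Q = [i for i in polys if complaints[i] <= t]  # Step 3: strictly more than t complaints disqualifies
    PK = [math.prod(W[i][k][0] for i in Q) % p for k in range(2)]  # Step 4: PK_k = prod_{i in Q} W_ik0
    SK = {i: [(sum(inbox[i][j][k][0] for j in Q) % q, sum(inbox[i][j][k][1] for j in Q) % q) for k in range(2)]
          if i in Q else [(0, 0), (0, 0)] for i in polys}  # a disqualified player gets the implicit share (0, 0)
    VK = {i: [math.prod(pow(w, pow(i, l, q), p) for j in Q for l, w in enumerate(W[j][k])) % p for k in range(2)]
          if i in Q else [1, 1] for i in polys}  # VK_i from the broadcasts alone: anyone can compute it
    full = [(sum(polys[i][k][0][0] for i in Q) % q, sum(polys[i][k][1][0] for i in Q) % q) for k in range(2)]
    return PK, SK, VK, Q, full  # full = (A_k(0), B_k(0)) exists only for the demo's check, never in the scheme


def share_sign(prm, sk_i, H):
    """Share-Sign: z_i = H1^{A_1(i)} H2^{A_2(i)}, r_i = H1^{B_1(i)} H2^{B_2(i)}."""
    p, ((a1, b1), (a2, b2)) = prm["p"], sk_i
    return pow(H[0], a1, p) * pow(H[1], a2, p) % p, pow(H[0], b1, p) * pow(H[1], b2, p) % p


def combine(prm, shares):
    """Combine: Lagrange interpolation in the exponent at X = 0 over S = shares.keys()."""
    p, q = prm["p"], prm["q"]
    z = r = 1
    for i in shares:
        lam = 1  # Delta_{i,S}(0) = prod_{j in S, j != i} (-j) / (i - j) mod q
        for j in shares:
            if j != i:
                lam = lam * (-j) * pow((i - j) % q, -1, q) % q
        z, r = z * pow(shares[i][0], lam, p) % p, r * pow(shares[i][1], lam, p) % p
    return z, r


def demo(t=2, n=5):
    prm = make_params()
    PK, SK, VK, Q, full = dist_keygen(t, n, prm, cheaters=(n,))  # P_n misbehaves
    p, q = prm["p"], prm["q"]
    H = (pow(prm["gz"], secrets.randbelow(q), p), pow(prm["gr"], secrets.randbelow(q), p))  # stands in for H(M)
    ref = share_sign(prm, full, H)  # what a single holder of the whole key would output
    sig = lambda S: combine(prm, {i: share_sign(prm, SK[i], H) for i in S})
    return {"Q": Q,
            "pk_ok": all(PK[k] == commit(prm, *full[k]) for k in range(2)),
            "vk_ok": all(VK[i][k] == commit(prm, *SK[i][k]) for i in SK for k in range(2)),
            "any_quorum_agrees": sig((1, 2, 3)) == ref == sig((2, 3, 4)),
            "t_shares_suffice": sig((1, 2)) == ref,
            "disqualified_share_works": sig((2, 4, n)) == ref}
```

`demo()` needs Python 3.8 or later (`math.prod` and the `pow(x, -1, q)` modular inverse). What the toy preserves is the algebra that makes the scheme non-interactive: the shares of the two polynomials add across players, so partial signatures multiply, and the Lagrange coefficients depend only on the index set $S$, so a combiner needs one message from each of $t+1$ servers and nothing else. What it drops is the part that needs a pairing: in the real scheme $\hat{W}_{ikl}$ and $VK_i$ live in $\hat{\mathbb{G}}$ while $(H_1, H_2)$ and the signatures live in $\mathbb{G}$, and Share-Verify checks a share against $VK_i$ with the pairing equation of the text rather than by comparison against a key nobody should hold.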

This completes the generation of the private key shares $\mathbf{SK} = (SK_1, \ldots, SK_n)$, the vector of verification keys $\mathbf{VK} = (VK_1, \ldots, VK_n)$ and the public key, which consists of $PK = (\text{params}, (\hat{g}_1, \hat{g}_2))$. When the protocol ends, the obtained private key shares $\{A_k(i)\}_{k=1}^2$ and $\{B_k(i)\}_{k=1}^2$ lie on $t$-degree polynomials $A_k[X] = \sum_{j \in \mathcal{Q}} A_{jk}[X]$ and $B_k[X] = \sum_{j \in \mathcal{Q}} B_{jk}[X]$. Each player also holds an additive share $\{(a_{ik0}, b_{ik0})\}_{k=1}^2$ of the secret key $\{(A_k(0), B_k(0)) = (\sum_{i \in \mathcal{Q}} a_{ik0}, \sum_{i \in \mathcal{Q}} b_{ik0})\}_{k=1}^2$, but these shares will not be used in the scheme.

Share-Sign($i$, $SK_i$, $M$): To generate a partial signature on a message $M \in \{0,1\}^*$ using his private key share $SK_i = \{(A_k(i), B_k(i))\}_{k=1}^2$, $P_i$ first computes the hash value $(H_1, H_2) = H(M) \in \mathbb{G} \times \mathbb{G}$ and generates the partial signature $\sigma_i = (z_i, r_i) \in \mathbb{G}^2$ as
$$z_i = \prod_{k=1}^{2} H_k^{A_k(i)}, \qquad r_i = \prod_{k=1}^{2} H_k^{B_k(i)}.$$

Share-Verify($PK$, $\mathbf{VK}$, $M$, $(i, \sigma_i)$): Given a candidate partial signature $\sigma_i = (z_i, r_i) \in \mathbb{G}^2$ and the verification key $VK_i = (\hat{V}_{1,i}, \hat{V}_{2,i})$, the partial verification algorithm first computes $(H_1, H_2) = H(M) \in \mathbb{G}^2$. It returns 1 if the equality $e(z_i, \hat{g}_z) \cdot e(r_i, \hat{g}_r) \cdot \prod_{k=1}^{2} e(H_k, \hat{V}_{k,i}) = 1_{\mathbb{G}_T}$ holds and 0 otherwise.

Combine($PK$, $\mathbf{VK}$, $M$, $\{(i, \sigma_i)\}_{i \in S}$): Given a $(t+1)$-set with valid shares $\{(i, \sigma_i)\}_{i \in S}$, parse the signature share $\sigma_i$ as $(z_i, r_i) \in \mathbb{G}^2$ for each $i \in S$. Then, compute $(z, r) = \big(\prod_{i \in S} z_i^{\Delta_{i,S}(0)}, \prod_{i \in S} r_i^{\Delta_{i,S}(0)}\big)$ by Lagrange interpolation in the exponent, where $\Delta_{i,S}(0) = \prod_{j \in S \setminus \{i\}} \frac{-j}{i-j} \bmod p$ are the Lagrange coefficients. Return the pair $(z, r) \in \mathbb{G}^2$.

Verify($PK$, $M$, $\sigma$): Given a purported signature $\sigma = (z, r) \in \mathbb{G}^2$, compute $(H_1, H_2) = H(M) \in \mathbb{G} \times \mathbb{G}$ and return 1 if and only if the following equality holds:
$$e(z, \hat{g}_z) \cdot e(r, \hat{g}_r) \cdot e(H_1, \hat{g}_1) \cdot e(H_2, \hat{g}_2) = 1_{\mathbb{G}_T}.$$

If the scheme is instantiated using Barreto-Naehrig curves [5] at the 128-bit security level, each signature consists of 512 bits. For the same security level, RSA-based threshold signatures like [67, 4] require 3076 bits. The scheme is also very efficient from a computational standpoint. Each server only has to compute two multi-exponentiations with two base elements and two hash-on-curve operations. The verifier has to compute a product of four pairings. At the end of the key generation phase, each player only needs to store a private key share $SK_i = \{(A_k(i), B_k(i))\}_{k=1}^2$ of constant size, whereas solutions like [4] incur the storage of $O(n)$ elements at each player, and can erase all intermediate values, including the polynomials $A_{ik}[X]$ and $B_{ik}[X]$. However, we insist that the security analysis does not require reliable erasures. When a player is corrupted, we assume that the adversary learns the entire history of this player.

3.2 Security

Although the public key is not guaranteed to be uniform due to the use of Pedersen's DKG protocol, the key homomorphic property allows the reduction to turn the adversary's forgery into a valid signature with respect to some uniformly random public key obtained by multiplying honest users' contributions to the public key. This is sufficient for solving a given Double Pairing instance. The security proof proceeds with a sequence of games which can be outlined as follows. The first game is the real game where the challenger assumes the role of all honest players in the distributed key generation phase. Since it controls a majority of players, the challenger knows the polynomials $\{A_{jk}[X], B_{jk}[X]\}_{j \in \mathcal{Q}, k \in \{1,2\}}$ and the private key shares $\{SK_j\}_{j \in \mathcal{Q}}$ of all non-disqualified players, either because it obtained at least $t+1$ polynomial shares $\{(A_{jk}(i), B_{jk}(i))\}_{i \in \mathcal{G}, k \in \{1,2\}}$ for each $j \in \mathcal{Q}$ or because it chose the polynomials itself, at the end of the Dist-Keygen protocol. In subsequent games, the challenger applies Coron's proof technique for Full Domain Hash signatures [20]. At each random oracle query $H(M)$, it flips a coin $\vartheta_M \in \{0, 1\}$ that takes the value 0 with probability $q_s/(q_s+1)$ and the value 1 with probability $1/(q_s+1)$, where $q_s$ is the number of signing queries. If $\vartheta_M = 1$, the challenger defines

$H(M)$ to be a random vector of $\mathbb{G}^2$. If $\vartheta_M = 0$, the message $M$ is hashed to a subspace of dimension 1. We prove that, although $H$ no longer behaves as an actual random oracle, this change should not affect the adversary's view if the DDH assumption holds in $\mathbb{G}$. Coron's analysis [20] shows that, with probability $\Omega(1/q_s)$, the following conditions are fulfilled: (i) the adversary only obtains partial signatures on messages $M_1, \ldots, M_{q_s}$ that are hashed in a one-dimensional subspace; (ii) the adversary's forgery involves a message $M^\star$ such that $(H_1^\star, H_2^\star) = H(M^\star)$ is linearly independent of the vectors $\{(H_{1,i}, H_{2,i}) = H(M_i)\}_{i=1}^{q_s}$. Condition (i) ensures that the adversary obtains little information about the private key shares $\{SK_i\}_{i \in G}$ and the additive shares $\{a_{ik0}, b_{ik0}\}_{i \in G, k \in \{1,2\}}$ of honest players. Hence, if the challenger computes the additive contribution of honest players to a signature on the vector $(H_1^\star, H_2^\star) = H(M^\star)$, this contribution is completely unpredictable by the adversary due to Condition (ii). With overwhelming probability, this contribution does not coincide with the one that can be extracted (using the additive shares $\{a_{jk0}, b_{jk0}\}_{j \in Q \setminus G, k \in \{1,2\}}$ that the reduction knows from the key generation phase) from the adversary's forgery $(z^\star, r^\star)$ using the key homomorphic property of the scheme. The challenger thus obtains two distinct linearly homomorphic signatures on the vector $(H_1^\star, H_2^\star)$, which allows solving an instance of the Double Pairing problem.

Theorem 1. The scheme provides adaptive security under the SXDH assumption in the random oracle model. Namely, for any PPT adversary $\mathcal{A}$, there exist DDH distinguishers $\mathcal{B}_1$ and $\mathcal{B}_2$ with comparable running time in the groups $\mathbb{G}$ and $\hat{\mathbb{G}}$, respectively.

Proof. The proof proceeds with a sequence of three games. The latter begins with Game 0, which is the real game, and ends with Game 2, where any PPT adversary is shown to contradict the Double Pairing assumption. For each $j \in \{0, 1, 2\}$, $S_j$ denotes the event that the adversary wins in Game $j$. We assume w.l.o.g. that the adversary $\mathcal{A}$ always queries the random oracle $H$ before any signing query for the same message $M$. The challenger can always enforce this by making random oracle queries for itself. We also assume that random oracle queries are distinct.

Game 0: This is the real game. Namely, the challenger runs the Dist-Keygen protocol on behalf of all uncorrupted players. Whenever the adversary $\mathcal{A}$ decides to corrupt a player $P_i$, the challenger sets $C = C \cup \{i\}$, $G = G \setminus \{i\}$ and faithfully reveals the internal state of $P_i$, which includes $P_i$'s private key share $SK_i = \{(A_k(i), B_k(i))\}_{k=1}^2$ and his polynomials $\{A_{ik}[X], B_{ik}[X]\}_{k=1}^2$ if the corruption query occurs after Step 1a of Dist-Keygen. Whenever a player $P_i$ is corrupted, $\mathcal{A}$ receives full control over $P_i$ and may cause him to arbitrarily deviate from the protocol. Queries to the random oracle $H$ are answered by returning uniformly random group elements in $\mathbb{G}^2$. Partial signature queries $(i, M)$ are answered by returning the values $(z_i, r_i) = \big( \prod_{k=1}^2 H_k^{A_k(i)}, \prod_{k=1}^2 H_k^{B_k(i)} \big)$. At the end of the game, $\mathcal{A}$ outputs a message-signature pair $(\sigma^\star = (z^\star, r^\star), M^\star)$. We assume that the adversary queries $H(M^\star)$ before producing its forgery. We denote by $S_0$ the event that $\sigma^\star = (z^\star, r^\star)$ is a valid signature.

In the following, we define $A_k[X] = \sum_{i \in Q} A_{ik}[X]$ and $B_k[X] = \sum_{i \in Q} B_{ik}[X]$ as well as $(a_{k0}, b_{k0}) = (\sum_{i \in Q} a_{ik0}, \sum_{i \in Q} b_{ik0})$ for each $k \in \{1,2\}$. We remark that, at the end of the Dist-Keygen protocol, the challenger knows the polynomials $\{A_{jk}[X], B_{jk}[X]\}_{k=1}^2$ and the additive shares $\{(a_{jk0}, b_{jk0})\}_{k=1}^2$ of all non-disqualified players $j \in Q$. Indeed, for each $j \in Q \cap C$ such that $P_j$ was corrupted before Step 1a of the distributed key generation phase, it obtained at least $t+1$ shares $\{A_{jk}(i), B_{jk}(i)\}_{k=1}^2$, which is sufficient for reconstructing $\{A_{jk}[X], B_{jk}[X]\}_{k=1}^2$. As for other players $P_j$ such that $j \in Q$, the challenger honestly chose their sharing polynomials at Step 1a of Dist-Keygen.

Game 1: This game is identical to Game 0 but with the following difference. For each random oracle query $H(M)$, the challenger $\mathcal{B}$ flips a biased coin $\vartheta_M \in \{0,1\}$ that takes the value 1 with probability $1/(q_s+1)$ and the value 0 with probability $q_s/(q_s+1)$. When the game ends, $\mathcal{B}$ considers the event $E$ that either of the following conditions holds:
- For the message $M^\star$, the coin $\vartheta_{M^\star} \in \{0,1\}$ flipped for the hash query $H(M^\star)$ was $\vartheta_{M^\star} = 0$.
- There exists a signing query $(i, M)$ with $M \neq M^\star$ for which $\vartheta_M = 1$.

If event $E$ occurs (which $\mathcal{B}$ can detect at the end of the game), $\mathcal{B}$ halts and declares failure. An analysis similar to that of Coron [20] shows that
$$\Pr[\neg E] = \Big( \frac{q_s}{q_s+1} \Big)^{q_s} \cdot \frac{1}{q_s+1} \;\geq\; \frac{1}{e\,(q_s+1)},$$
where $e$ is the base of the natural logarithm. The transition from Game 0 to Game 1 is thus a transition based on a failure event of large probability [27] and we thus have $\Pr[S_1] = \Pr[S_0] \cdot \Pr[\neg E] \geq \Pr[S_0]/e(q_s+1)$.

Game 2: We modify the distribution of random oracle outputs. Specifically, the challenger $\mathcal{B}$ chooses generators $g, h \xleftarrow{R} \mathbb{G}$ at the beginning of the game and uses them to answer random oracle queries. The treatment of each hash query $H(M)$ depends on the random coin $\vartheta_M \in \{0,1\}$. If $\vartheta_M = 0$, the challenger $\mathcal{B}$ chooses a random $\alpha_M \xleftarrow{R} \mathbb{Z}_p$ and programs the random oracle so as to have $H(M) = (g^{\alpha_M}, h^{\alpha_M})$. Note that the resulting hash value $H(M) \in \mathbb{G}^2$ is no longer uniform in $\mathbb{G}^2$ as it now lives in the one-dimensional space spanned by the vector $(g, h) \in \mathbb{G}^2$. If $\vartheta_M = 1$, $\mathcal{B}$ chooses a uniformly random pair $(g_M, h_M) \in \mathbb{G}^2$ and programs $H(M)$ so as to have $H(M) = (g_M, h_M)$. Lemma 1 below shows that Game 2 and Game 1 are computationally indistinguishable if the DDH assumption holds in the group $\mathbb{G}$. It follows that $|\Pr[S_2] - \Pr[S_1]| \leq \mathbf{Adv}^{\mathrm{DDH}}(\mathcal{B})$.

In Game 2, we claim that $\Pr[S_2] \leq \mathbf{Adv}^{\mathrm{DP}}(\mathcal{B}) + 1/p$ as $\mathcal{B}$ can be turned into an algorithm solving the DP problem. Indeed, with probability $1/e(q_s+1)$, the hash value $H(M^\star) = (H_1^\star, H_2^\star) \in \mathbb{G}^2$ is uniformly random for the message $M^\star$ involved in the forgery $(z^\star, r^\star)$ whereas, for each signed message $M$ such that $M \neq M^\star$, $H(M) = (H_1, H_2)$ lives in the one-dimensional subspace spanned by $(g, h)$. We also note that, while the adversary is allowed to submit queries of the form $(i, M^\star)$ to the partial signing oracle, these queries do not reveal any more information than if the challenger were simply handing over the corresponding private share $SK_i$. We thus treat these partial signing queries for $M^\star$ as corruption queries. When $\mathcal{A}$ halts, the challenger determines which players have generated a partial signature on $M^\star$ and moves them from $G$ to $C$. Note that, for these updated sets $G$ and $C$, it still knows the polynomials $\{(A_{jk}[X], B_{jk}[X])\}_{k=1}^2$ for all $j \in C$. Let us define the aggregated additive shares
$$a_{k,G} = \sum_{j \in G} a_{jk0}, \quad b_{k,G} = \sum_{j \in G} b_{jk0}, \quad a_{k,Q \cap C} = \sum_{j \in Q \cap C} a_{jk0}, \quad b_{k,Q \cap C} = \sum_{j \in Q \cap C} b_{jk0}, \qquad k \in \{1,2\}.$$
We remark that all pairs $\{(a_{k,G}, b_{k,G})\}_{k=1}^2$ are uniformly distributed in $\mathbb{Z}_p^2$ since they are obtained by summing additive shares that were honestly chosen by the challenger. We also argue that $a_{2,G}$ is independent of $\mathcal{A}$'s view. To see this, let us consider what an unbounded $\mathcal{A}$ can learn during the game. Corruption queries reveal $\{A_{j2}(i)\}_{j \in G, i \in C}$, which is insufficient to infer anything about $a_{2,G} = \sum_{j \in G} A_{j2}(0)$ since $|C| \leq t$. For each $M \neq M^\star$, signing queries are answered by returning
$$(z_i, r_i) = \big( H_1^{A_1(i)} H_2^{A_2(i)}, \ H_1^{B_1(i)} H_2^{B_2(i)} \big) = \big( (g^{A_1(i)} h^{A_2(i)})^{\alpha_M}, \ (g^{B_1(i)} h^{B_2(i)})^{\alpha_M} \big).$$
Note that the information supplied by $r_i$ is redundant since, for a given pair $(H_1, H_2)$ and a given $z_i \in \mathbb{G}$, there is only one $r_i \in \mathbb{G}$ satisfying $e(z_i, \hat g_z) \cdot e(r_i, \hat g_r) \cdot \prod_{k=1}^2 e(H_k, \hat V_{k,i}) = 1_{\mathbb{G}_T}$. Since $\mathcal{A}$ knows $\{(A_{jk}[X], B_{jk}[X])\}_{k=1}^2$ for each $j \in Q \cap C$, it can obtain
$$z_{i,G} = \big( g^{\sum_{j \in G} A_{j1}(i)} \, h^{\sum_{j \in G} A_{j2}(i)} \big)^{\alpha_M}. \tag{2}$$
However, these partial signatures $(z_i, r_i)$ on $M \neq M^\star$ only provide $\mathcal{A}$ with redundant information about $\big( \sum_{j \in G} A_{j1}(i), \sum_{j \in G} A_{j2}(i), \sum_{j \in G} B_{j1}(i), \sum_{j \in G} B_{j2}(i) \big)$. The only thing that $\mathcal{A}$ really learns from (2) is the value $\sum_{j \in G} (A_{j1}(i) + \omega A_{j2}(i))$,

where $\omega = \log_g(h)$. In addition, during Step 2 of the Dist-Keygen protocol, relation (1) also provides the adversary $\mathcal{A}$ with $\hat g_z^{A_{jk}(i)} \hat g_r^{B_{jk}(i)}$ for each $i \in \{1, \ldots, n\}$, $j \in G$ and $k \in \{1,2\}$. Still, the only way to leverage these pieces of information is to interpolate them and get $a_{1,G} + \omega\, a_{2,G}$ as well as $\{a_{k,G} + \rho\, b_{k,G}\}_{k=1}^2$, where $\rho = \log_{\hat g_z}(\hat g_r)$, which leaves $\mathcal{A}$ with a system of 3 equations in 4 unknowns $\{(a_{k,G}, b_{k,G})\}_{k=1}^2$. As a consequence, $a_{2,G}$ remains completely undetermined in $\mathcal{A}$'s view as long as $|C| \leq t$.

The lack of adversarial information about $a_{2,G}$ allows solving the DP problem as follows. For the target message $M^\star$, we can write $(H_1^\star, H_2^\star) = (g^{\alpha_{M^\star}}, h^{\alpha_{M^\star} + \gamma})$, for some random $\alpha_{M^\star}, \gamma \xleftarrow{R} \mathbb{Z}_p$. This implies that, if the challenger computes a product $(\tilde z, \tilde r)$ of its own partial signatures on the message $M^\star$ using the sum $(a_{1,G}, a_{2,G}, b_{1,G}, b_{2,G})$ of its additive shares, this product can be written as
$$(\tilde z, \tilde r) = \big( H_1^{\star\, a_{1,G}} H_2^{\star\, a_{2,G}}, \ H_1^{\star\, b_{1,G}} H_2^{\star\, b_{2,G}} \big) = \big( (g^{a_{1,G}} h^{a_{2,G}})^{\alpha_{M^\star}} \, h^{\gamma\, a_{2,G}}, \ (g^{b_{1,G}} h^{b_{2,G}})^{\alpha_{M^\star}} \, h^{\gamma\, b_{2,G}} \big), \tag{3}$$
where $\tilde z$ is completely unpredictable by $\mathcal{A}$. Indeed, in the right-hand-side member of (3), $\mathcal{A}$ can information-theoretically determine the term $(g^{a_{1,G}} h^{a_{2,G}})^{\alpha_{M^\star}}$ by interpolating the discrete logarithms $\sum_{j \in G} (A_{j,1}(i) + \omega A_{j,2}(i))$ obtained from (2) (note that, although $(g, h)$ are not explicitly given to $\mathcal{A}$, they can be inferred, in the same way as the exponents $\alpha_M$ and $\alpha_{M^\star}$, by observing hash values). However, the uniformly random term $h^{\gamma\, a_{2,G}}$ remains completely independent of $\mathcal{A}$'s view. Now, the challenger can use the adversary's forgery $(z^\star, r^\star)$ to compute
$$(z', r') = \big( z^\star \cdot H_1^{\star\, a_{1,Q \cap C}} H_2^{\star\, a_{2,Q \cap C}}, \ r^\star \cdot H_1^{\star\, b_{1,Q \cap C}} H_2^{\star\, b_{2,Q \cap C}} \big),$$
which, if we define $\hat g_{1,G} = \hat g_z^{a_{1,G}} \hat g_r^{b_{1,G}}$ and $\hat g_{2,G} = \hat g_z^{a_{2,G}} \hat g_r^{b_{2,G}}$, is easily seen to satisfy
$$e(z', \hat g_z) \cdot e(r', \hat g_r) \cdot e(H_1^\star, \hat g_{1,G}) \cdot e(H_2^\star, \hat g_{2,G}) = 1_{\mathbb{G}_T}$$
since $\hat g_1 = \hat g_{1,G} \cdot \hat g_z^{a_{1,Q \cap C}} \hat g_r^{b_{1,Q \cap C}}$ and $\hat g_2 = \hat g_{2,G} \cdot \hat g_z^{a_{2,Q \cap C}} \hat g_r^{b_{2,Q \cap C}}$. From (3), we see that $(\tilde z, \tilde r)$ also satisfies $e(\tilde z, \hat g_z) \cdot e(\tilde r, \hat g_r) \cdot e(H_1^\star, \hat g_{1,G}) \cdot e(H_2^\star, \hat g_{2,G}) = 1_{\mathbb{G}_T}$ by construction. Given that $\tilde z$ is independent of $\mathcal{A}$'s view, the quotient $(z'/\tilde z, r'/\tilde r)$ forms a non-trivial solution to the DP instance $(\hat g_z, \hat g_r)$ with probability $1 - 1/p$. Such a solution easily allows building a distinguisher for the DDH problem in $\hat{\mathbb{G}}$. We thus find the upper bound
$$\mathbf{Adv}(\mathcal{A}) \leq e\,(q_s+1) \cdot \big( \mathbf{Adv}^{\mathrm{DDH}}_1(\mathcal{B}) + \mathbf{Adv}^{\mathrm{DDH}}_2(\mathcal{B}) + 1/p \big), \tag{4}$$
where $q_s$ is the number of signing queries and $e$ is the base of the natural logarithm.

We remark that the proof of Theorem 1 goes through if, during the key generation phase, each player $P_i$ additionally publicizes $(Z_{i0}, R_{i0}) = (g^{a_{i10}} h^{a_{i20}}, g^{b_{i10}} h^{b_{i20}})$, for public $g, h \in \mathbb{G}$, which satisfies $e(Z_{i0}, \hat g_z) \cdot e(R_{i0}, \hat g_r) \cdot e(h, \hat W_{i10}) \cdot e(g, \hat W_{i20}) = 1_{\mathbb{G}_T}$ and thus forms a LHSPS on $(g, h)$ for the public key $\{\hat W_{ik0}\}_{k=1}^2$. Indeed, if we consider the information that each player initially reveals about its local additive shares $(a_{i10}, a_{i20}, b_{i10}, b_{i20}) \in \mathbb{Z}_p^4$, it amounts to the discrete logarithms of $(\hat W_{i10}, \hat W_{i20}, Z_{i0})$. The only extra information revealed by $Z_{i0}$ is thus $a_{i10} + \omega\, a_{i20}$, where $\omega = \log_g(h)$, which leaves $a_{i20}$ undetermined. While an unbounded adversary can compute the sum $a_{1,G} + \omega\, a_{2,G}$ in Game 2, it still has no information about $a_{2,G} = \sum_{j \in G} a_{j20}$. In Appendix F, we use this observation to show a simple modification of the scheme that supports signature aggregation.

3.3 Adding proactive security

The scheme readily extends to provide proactive security [60, 47, 37] against mobile adversaries that can potentially corrupt all the players at some point, as long as they never control more than $t$ players at any time. By having the players refresh all shares (without changing the secret) at discrete time intervals, the scheme remains secure against an adversary corrupting up to $t$ players during the same period. This is achieved by having all players run a new instance of Pedersen's DKG protocol where the shared secret is $\{(0, 0)\}_{k=1}^2$ and locally add the resulting shares to their local shares before updating $\{VK_i\}_{i=1}^n$ accordingly. The techniques of [46, Section 4] can also be applied to detect parties holding a corrupted share (due to a crash during an update phase or an adversarial behavior) and restore the correct share.
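To make the Dist-Keygen, Share-Sign and Combine flow of Section 3, and the share refresh of Section 3.3, concrete, the following Python model is an added example; it is not code from the paper or its authors. It replaces the pairing groups with the order-$P$ subgroup of $\mathbb{Z}_Q^*$ for a small constructed safe prime $Q$, uses SHA-256 as a stand-in for the hash-to-curve $H$, and collapses the two polynomial pairs $(A_k, B_k)$ of Section 3 into one pair $(A, B)$ as in Section 4. Because there is no pairing, Share-Verify and Verify are not modelled; instead Combine's output is compared with what a centralised signer holding the joint secret $(A(0), B(0))$ would produce, which is exactly what Lagrange interpolation in the exponent must reconstruct. The Step 2 consistency check is the single-group analogue of equation (5): a share that fails it is the one a player complains about. All parameters, names and the message are constructed for the example.

```python
"""Toy model of Dist-Keygen, Share-Sign, Combine (Section 3) and the proactive
refresh of Section 3.3.  Constructed example, not the paper's code: the pairing
groups are replaced by the order-P subgroup of Z_Q^*, so the pairing-based
Share-Verify/Verify are not modelled; Combine is instead checked against what a
centralised signer holding the joint secret (A(0), B(0)) would output."""
import hashlib
import secrets

Q = 2039          # constructed toy parameter: safe prime, Q = 2*P + 1
P = 1019          # prime order of the subgroup standing in for G (and Z_p)
G = pow(2, 2, Q)  # generator of the order-P subgroup (a quadratic residue)
H = pow(3, 2, Q)  # second generator, stands in for the second base of W_l

def poly_eval(coeffs, x):
    """Evaluate a_0 + a_1 x + ... + a_t x^t over Z_P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def lagrange_at_zero(S):
    """Lagrange coefficients Delta_{i,S}(0) over Z_P for the index set S."""
    coeffs = {}
    for i in S:
        num, den = 1, 1
        for j in S:
            if j != i:
                num, den = num * (-j) % P, den * (i - j) % P
        coeffs[i] = num * pow(den, -1, P) % P
    return coeffs

def dealer_round(t, n, zero_secret=False):
    """Step 1 for one dealer: pick A[X], B[X] of degree t, publish the commitments
    W_l = g^{a_l} h^{b_l} and compute every player's share.  zero_secret=True
    forces (a_0, b_0) = (0, 0), which is the sharing used for a refresh."""
    A = [secrets.randbelow(P) for _ in range(t + 1)]
    B = [secrets.randbelow(P) for _ in range(t + 1)]
    if zero_secret:
        A[0], B[0] = 0, 0
    W = [pow(G, a, Q) * pow(H, b, Q) % Q for a, b in zip(A, B)]
    shares = {i: (poly_eval(A, i), poly_eval(B, i)) for i in range(1, n + 1)}
    return A, B, W, shares

def share_is_consistent(i, share, W):
    """Step 2 check, single-group analogue of (5): g^{A_j(i)} h^{B_j(i)} must
    equal prod_l W_{j,l}^{i^l}; False is what triggers a complaint."""
    lhs = pow(G, share[0], Q) * pow(H, share[1], Q) % Q
    rhs = 1
    for l, w in enumerate(W):
        rhs = rhs * pow(w, pow(i, l, P), Q) % Q
    return lhs == rhs

def dist_keygen(t, n):
    """Honest run: every player deals, checks received shares and sums them into
    SK_i = (A(i), B(i)).  The joint secret (A(0), B(0)) is returned only so the
    caller can check Combine; no party in a real run ever holds it."""
    dealt = {j: dealer_round(t, n) for j in range(1, n + 1)}
    for j, (_, _, W, shares) in dealt.items():
        for i, sh in shares.items():
            if not share_is_consistent(i, sh, W):
                raise ValueError(f"player {i} complains against dealer {j}")
    SK = {i: (sum(d[3][i][0] for d in dealt.values()) % P,
              sum(d[3][i][1] for d in dealt.values()) % P) for i in range(1, n + 1)}
    secret = (sum(d[0][0] for d in dealt.values()) % P,
              sum(d[1][0] for d in dealt.values()) % P)
    return SK, secret

def hash_to_group(msg):
    """Constructed stand-in for the hash-to-curve H: message -> subgroup element."""
    return pow(G, int.from_bytes(hashlib.sha256(msg).digest(), "big") % P, Q)

def share_sign(SK_i, msg):
    """Share-Sign: (z_i, r_i) = (H_M^{A(i)}, H_M^{B(i)}), no interaction needed."""
    hm = hash_to_group(msg)
    return pow(hm, SK_i[0], Q), pow(hm, SK_i[1], Q)

def combine(partials):
    """Combine: Lagrange interpolation in the exponent over the index set of
    partials = {i: (z_i, r_i)}, which must hold at least t+1 valid shares."""
    lam = lagrange_at_zero(list(partials))
    z = r = 1
    for i, (z_i, r_i) in partials.items():
        z, r = z * pow(z_i, lam[i], Q) % Q, r * pow(r_i, lam[i], Q) % Q
    return z, r

def sign_with_secret(secret, msg):
    """Reference: what a centralised signer holding (A(0), B(0)) would output."""
    hm = hash_to_group(msg)
    return pow(hm, secret[0], Q), pow(hm, secret[1], Q)

def proactive_refresh(SK, t, n):
    """Section 3.3: every player deals a sharing of (0, 0) and each player adds
    what it receives to its share; the joint secret is unchanged."""
    new = dict(SK)
    for j in range(1, n + 1):
        _, _, W, shares = dealer_round(t, n, zero_secret=True)
        for i, sh in shares.items():
            if not share_is_consistent(i, sh, W):
                raise ValueError(f"player {i} complains against dealer {j}")
            new[i] = ((new[i][0] + sh[0]) % P, (new[i][1] + sh[1]) % P)
    return new
```

Running `dist_keygen(2, 5)` and combining any three partial signatures gives the same `(z, r)` as `sign_with_secret`, and so does any three shares obtained from `proactive_refresh`, which is the non-interactive signing and the refresh-without-changing-the-secret property the text relies on. Note that in the refresh sharing the commitment `W[0]` is `1`, which lets every player confirm publicly that the dealt constant term really is zero.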

4 A construction in the standard model

This section gives a round-optimal construction in the standard model. We remark that, under the Decision Linear assumption [], any one-time LHSPS in symmetric bilinear groups can be turned into a full-fledged digital signature, as shown in the full version of the paper. In the threshold setting, we need to rely on specific properties of the underlying LHSPS in order to achieve adaptive security without relying on a trusted dealer.

The scheme relies on the Groth-Sahai non-interactive witness indistinguishable (NIWI) proof systems [45], which are recalled in Appendix A. In its centralized version, a signature consists of a NIWI proof of knowledge, somewhat in the spirit of Okamoto's signature scheme [59], of a one-time linearly homomorphic signature on a fixed vector $g \in \mathbb{G}$ of dimension $n = 1$. To generate this proof, the signer forms a Groth-Sahai [45] common reference string (CRS) $(\vec f, \vec f_M)$ using the bits of the message $M$, according to a technique suggested by Malkin et al. [57]. Due to the witness indistinguishability property of Groth-Sahai proofs, no information leaks about the private key of the underlying one-time homomorphic signature. For this reason, when the adversary creates a fake signature, the reduction is able to extract a different homomorphic signature than the one it can compute. Hence, it obtains two distinct signatures on the same vector, which allows solving an instance of the DP problem. The scheme can also be seen as a threshold version of (a variant of) the signature presented in [57].

In order to distribute the signing process, we take advantage of the homomorphic properties of Groth-Sahai proofs. More precisely, we use the fact that linear pairing product equations and their proofs can be linearly combined in order to obtain a valid proof for the desired statement when performing a Lagrange interpolation in the exponent. In order to avoid interaction during the signing process, we leverage the property that the centralized signature scheme is key homomorphic. However, we have to prove that the scheme remains adaptively secure when the DKG phase uses Pedersen's protocol [6]. To this end, we take further advantage of the key homomorphic property. In the security proof, we show that, if the adversary can forge a signature for a non-uniform public key $PK$, we can turn this forgery into one for another public key $PK'$, which is uniformly distributed.

In the following notations, for each $\hat h \in \hat{\mathbb{G}}$ and any vector $\vec g = (g_1, g_2) \in \mathbb{G}^2$, we denote by $E(\vec g, \hat h)$ the vector $(e(g_1, \hat h), e(g_2, \hat h)) \in \mathbb{G}_T^2$. Here, we assume public parameters $\mathsf{params}$ made of asymmetric bilinear groups $(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T)$ of prime order $p > 2^\lambda$ with generators $g \xleftarrow{R} \mathbb{G}$, $\hat g_z, \hat g_r \xleftarrow{R} \hat{\mathbb{G}}$ and vectors $\vec f = (f, h) \in \mathbb{G}^2$ and $\vec f_i = (f_i, h_i) \xleftarrow{R} \mathbb{G}^2$ for $i = 0$ to $L$, where $L \in \mathrm{poly}(\lambda)$.

Dist-Keygen$(\mathsf{params}, \lambda, t, n)$: This protocol proceeds as in the scheme of Section 3. Namely, given common parameters $\mathsf{params} = \{(\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T), g, \hat g_z, \hat g_r, \vec f, \{\vec f_i\}_{i=0}^L\}$, a security parameter $\lambda$ and integers $t, n \in \mathbb{N}$ such that $n \geq 2t+1$, each player $P_i$ conducts the following steps.

1. Each player $P_i$ shares a random pair $(a_{i0}, b_{i0})$ according to the following steps:
   (a) Pick random polynomials $A_i[X] = a_{i0} + a_{i1} X + \cdots + a_{it} X^t$, $B_i[X] = b_{i0} + b_{i1} X + \cdots + b_{it} X^t$ of degree $t$ and broadcast $\hat W_{il} = \hat g_z^{a_{il}} \hat g_r^{b_{il}}$ for all $l \in \{0, \ldots, t\}$.
   (b) For $j = 1$ to $n$, send $(A_i(j), B_i(j))$ to $P_j$.
2. For each received pair of shares $(A_j(i), B_j(i))$, player $P_i$ verifies that
$$\hat g_z^{A_j(i)} \, \hat g_r^{B_j(i)} = \prod_{l=0}^t \hat W_{jl}^{\,i^l}. \tag{5}$$
   If the latter equality does not hold, $P_i$ broadcasts a complaint against $P_j$.
3. Any player receiving more than $t$ complaints is disqualified. Each player $P_i$ who received a complaint from another player $P_j$ responds by returning the correct shares $(A_i(j), B_i(j))$. If any of these new shares fails to satisfy (5), the faulty $P_i$ is expelled. Let $Q \subset \{1, \ldots, n\}$ be the set of non-disqualified players at the end of Step 3.
4. The public key $PK$ is obtained as $PK = \hat g$, where $\hat g = \prod_{i \in Q} \hat W_{i0} = \hat g_z^{\sum_{i \in Q} a_{i0}} \, \hat g_r^{\sum_{i \in Q} b_{i0}}$. Each $P_i$ locally defines his private key share as $SK_i = (A(i), B(i)) = \big( \sum_{j \in Q} A_j(i), \sum_{j \in Q} B_j(i) \big)$ and anyone can publicly compute his verification key as $VK_i = \hat V_i = \hat g_z^{A(i)} \hat g_r^{B(i)} = \prod_{j \in Q} \prod_{l=0}^t \hat W_{jl}^{\,i^l}$. Any disqualified player $i \in \{1, \ldots, n\} \setminus Q$ is implicitly assigned the share $SK_i = (0, 0)$ and the matching verification key $VK_i = 1_{\hat{\mathbb{G}}}$.

The vector of private key shares is $\mathbf{SK} = (SK_1, \ldots, SK_n)$ and the corresponding vector of verification keys is $\mathbf{VK} = (VK_1, \ldots, VK_n)$. The public key consists of $PK = (\mathsf{params}, \hat g)$.

Share-Sign$(SK_i, M)$: To generate a partial signature on an $L$-bit message $M = M[1] \cdots M[L] \in \{0,1\}^L$ using $SK_i = (A(i), B(i))$,
1. Define $(z_i, r_i) = (g^{A(i)}, g^{B(i)})$. Using the bits $M[1] \cdots M[L]$ of $M \in \{0,1\}^L$, define the vector $\vec f_M = \vec f_0 \cdot \prod_{i=1}^L \vec f_i^{\,M[i]}$ so as to assemble a Groth-Sahai CRS $\mathbf{f}_M = (\vec f, \vec f_M)$.
2. Using the CRS $\mathbf{f}_M = (\vec f, \vec f_M)$, compute Groth-Sahai commitments $\vec C_{z,i} = (1_{\mathbb{G}}, z_i) \cdot \vec f^{\,\nu_{z,i,1}} \cdot \vec f_M^{\,\nu_{z,i,2}}$ and $\vec C_{r,i} = (1_{\mathbb{G}}, r_i) \cdot \vec f^{\,\nu_{r,i,1}} \cdot \vec f_M^{\,\nu_{r,i,2}}$ to the group elements $z_i$ and $r_i$, respectively. Then, generate a NIWI proof $\hat\pi_i = (\hat\pi_{1,i}, \hat\pi_{2,i}) \in \hat{\mathbb{G}}^2$ that the committed elements $(z_i, r_i) \in \mathbb{G}^2$ satisfy the verification equation $1_{\mathbb{G}_T} = e(z_i, \hat g_z) \cdot e(r_i, \hat g_r) \cdot e(g, \hat V_i)$. This proof is obtained as
$$\hat\pi_i = (\hat\pi_{1,i}, \hat\pi_{2,i}) = \big( \hat g_z^{\nu_{z,i,1}} \hat g_r^{\nu_{r,i,1}}, \ \hat g_z^{\nu_{z,i,2}} \hat g_r^{\nu_{r,i,2}} \big).$$
Return $\sigma_i = (\vec C_{z,i}, \vec C_{r,i}, \hat\pi_i) \in \mathbb{G}^4 \times \hat{\mathbb{G}}^2$.

Share-Verify$(PK, VK_i, M, (i, \sigma_i))$: Given $M \in \{0,1\}^L$ and a candidate $\sigma_i$, parse $\sigma_i$ as $(\vec C_{z,i}, \vec C_{r,i}, \hat\pi_i)$. Define $\vec f_M = \vec f_0 \cdot \prod_{i=1}^L \vec f_i^{\,M[i]}$ and return 1 if $\hat\pi_i = (\hat\pi_{1,i}, \hat\pi_{2,i})$ satisfies
$$E\big( (1_{\mathbb{G}}, g), \hat V_i \big) = E(\vec C_{z,i}, \hat g_z) \cdot E(\vec C_{r,i}, \hat g_r) \cdot E(\vec f, \hat\pi_{1,i}) \cdot E(\vec f_M, \hat\pi_{2,i})$$
and 0 otherwise.

Combine$(PK, \mathbf{VK}, M, \{(i, \sigma_i)\}_{i \in S})$: Given a $(t+1)$-set with valid shares $\{(i, \sigma_i)\}_{i \in S}$, parse each signature share $\sigma_i$ as $(\vec C_{z,i}, \vec C_{r,i}, \hat\pi_i) \in \mathbb{G}^4 \times \hat{\mathbb{G}}^2$, where $\hat\pi_i = (\hat\pi_{1,i}, \hat\pi_{2,i})$, for all $i \in S$. Then, compute $(\vec C_z, \vec C_r, \hat\pi_1, \hat\pi_2)$ as
$$\Big( \prod_{i \in S} \vec C_{z,i}^{\,\Delta_{i,S}(0)}, \ \prod_{i \in S} \vec C_{r,i}^{\,\Delta_{i,S}(0)}, \ \prod_{i \in S} \hat\pi_{1,i}^{\,\Delta_{i,S}(0)}, \ \prod_{i \in S} \hat\pi_{2,i}^{\,\Delta_{i,S}(0)} \Big)$$
by Lagrange interpolation in the exponent. Finally, re-randomize $(\vec C_z, \vec C_r, \hat\pi_1, \hat\pi_2)$ and output the resulting re-randomized full signature $\sigma = (\vec C_z, \vec C_r, \hat\pi_1, \hat\pi_2)$.

Verify$(PK, M, \sigma)$: Given a message $M \in \{0,1\}^L$ and a purported signature $\sigma$, parse $\sigma$ as $(\vec C_z, \vec C_r, \hat\pi) \in \mathbb{G}^4 \times \hat{\mathbb{G}}^2$. Define $\vec f_M = \vec f_0 \cdot \prod_{i=1}^L \vec f_i^{\,M[i]}$ and return 1 if and only if $\hat\pi = (\hat\pi_1, \hat\pi_2)$ satisfies
$$E\big( (1_{\mathbb{G}}, g), \hat g \big) = E(\vec C_z, \hat g_z) \cdot E(\vec C_r, \hat g_r) \cdot E(\vec f, \hat\pi_1) \cdot E(\vec f_M, \hat\pi_2).$$

The scheme can be simplified by having each player set his private key share as $SK_i = (g^{A(i)}, g^{B(i)})$ so as to spare two exponentiations in the signing phase. In the description, we defined $SK_i$ as $(A(i), B(i))$ to insist that no reliable erasures are needed. At each corruption query, the adversary obtains $(A(i), B(i))$ and not only $(g^{A(i)}, g^{B(i)})$. In any case, each player only needs to store two elements of $\mathbb{Z}_p$. At the 128-bit security level, if each element of $\mathbb{G}$ (resp. $\hat{\mathbb{G}}$) has a 256-bit (resp. 512-bit) representation on Barreto-Naehrig curves [5], we only need 2048 bits per signature.

Theorem 2. The scheme provides adaptive security under the SXDH assumption in the standard model. Namely, for any PPT adversary $\mathcal{A}$, there exist DDH distinguishers $\mathcal{B}_1$ and $\mathcal{B}_2$ with comparable running time in the groups $\mathbb{G}$ and $\hat{\mathbb{G}}$, respectively.

Proof. The proof uses a sequence of three games that begins with Game 0, which is the real game, and ends with Game 2, where any PPT adversary $\mathcal{A}$ allows breaking the Double Pairing assumption. For each $j \in \{0, 1, 2\}$, we denote by $S_j$ the event that the adversary wins in Game $j$.


More information

Ballot Paths Avoiding Depth Zero Patterns

Ballot Paths Avoiding Depth Zero Patterns Ballot Paths Avodng Depth Zero Patterns Henrch Nederhausen and Shaun Sullvan Florda Atlantc Unversty, Boca Raton, Florda nederha@fauedu, ssull21@fauedu 1 Introducton In a paper by Sapounaks, Tasoulas,

More information

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction

Attacks on RSA The Rabin Cryptosystem Semantic Security of RSA Cryptology, Tuesday, February 27th, 2007 Nils Andersen. Complexity Theoretic Reduction Attacks on RSA The Rabn Cryptosystem Semantc Securty of RSA Cryptology, Tuesday, February 27th, 2007 Nls Andersen Square Roots modulo n Complexty Theoretc Reducton Factorng Algorthms Pollard s p 1 Pollard

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

SL n (F ) Equals its Own Derived Group

SL n (F ) Equals its Own Derived Group Internatonal Journal of Algebra, Vol. 2, 2008, no. 12, 585-594 SL n (F ) Equals ts Own Derved Group Jorge Macel BMCC-The Cty Unversty of New York, CUNY 199 Chambers street, New York, NY 10007, USA macel@cms.nyu.edu

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/8.40J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) Our focus: effcency of

More information

Tightly CCA-Secure Encryption without Pairings

Tightly CCA-Secure Encryption without Pairings Tghtly CCA-Secure Encrypton wthout Parngs Roman Gay 1,, Denns Hofhenz 2,, Eke Kltz 3,, and Hoeteck Wee 1, 1 ENS, Pars, France rgay,wee@d.ens.fr 2 Ruhr-Unverstät Bochum, Bochum, Germany eke.kltz@rub.de

More information

Secure and practical identity-based encryption

Secure and practical identity-based encryption Secure and practcal dentty-based encrypton D. Naccache Abstract: A varant of Waters dentty-based encrypton scheme wth a much smaller system parameters sze (only a few klobytes) s presented. It s shown

More information

5 The Rational Canonical Form

5 The Rational Canonical Form 5 The Ratonal Canoncal Form Here p s a monc rreducble factor of the mnmum polynomal m T and s not necessarly of degree one Let F p denote the feld constructed earler n the course, consstng of all matrces

More information

A new construction of 3-separable matrices via an improved decoding of Macula s construction

A new construction of 3-separable matrices via an improved decoding of Macula s construction Dscrete Optmzaton 5 008 700 704 Contents lsts avalable at ScenceDrect Dscrete Optmzaton journal homepage: wwwelsevercom/locate/dsopt A new constructon of 3-separable matrces va an mproved decodng of Macula

More information

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4)

Econ107 Applied Econometrics Topic 3: Classical Model (Studenmund, Chapter 4) I. Classcal Assumptons Econ7 Appled Econometrcs Topc 3: Classcal Model (Studenmund, Chapter 4) We have defned OLS and studed some algebrac propertes of OLS. In ths topc we wll study statstcal propertes

More information

Foundations of Arithmetic

Foundations of Arithmetic Foundatons of Arthmetc Notaton We shall denote the sum and product of numbers n the usual notaton as a 2 + a 2 + a 3 + + a = a, a 1 a 2 a 3 a = a The notaton a b means a dvdes b,.e. ac = b where c s an

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

COS 521: Advanced Algorithms Game Theory and Linear Programming

COS 521: Advanced Algorithms Game Theory and Linear Programming COS 521: Advanced Algorthms Game Theory and Lnear Programmng Moses Charkar February 27, 2013 In these notes, we ntroduce some basc concepts n game theory and lnear programmng (LP). We show a connecton

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal

Inner Product. Euclidean Space. Orthonormal Basis. Orthogonal Inner Product Defnton 1 () A Eucldean space s a fnte-dmensonal vector space over the reals R, wth an nner product,. Defnton 2 (Inner Product) An nner product, on a real vector space X s a symmetrc, blnear,

More information

Min Cut, Fast Cut, Polynomial Identities

Min Cut, Fast Cut, Polynomial Identities Randomzed Algorthms, Summer 016 Mn Cut, Fast Cut, Polynomal Identtes Instructor: Thomas Kesselhem and Kurt Mehlhorn 1 Mn Cuts n Graphs Lecture (5 pages) Throughout ths secton, G = (V, E) s a mult-graph.

More information

Module 9. Lecture 6. Duality in Assignment Problems

Module 9. Lecture 6. Duality in Assignment Problems Module 9 1 Lecture 6 Dualty n Assgnment Problems In ths lecture we attempt to answer few other mportant questons posed n earler lecture for (AP) and see how some of them can be explaned through the concept

More information

APPENDIX A Some Linear Algebra

APPENDIX A Some Linear Algebra APPENDIX A Some Lnear Algebra The collecton of m, n matrces A.1 Matrces a 1,1,..., a 1,n A = a m,1,..., a m,n wth real elements a,j s denoted by R m,n. If n = 1 then A s called a column vector. Smlarly,

More information

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem

Speeding up Computation of Scalar Multiplication in Elliptic Curve Cryptosystem H.K. Pathak et. al. / (IJCSE) Internatonal Journal on Computer Scence and Engneerng Speedng up Computaton of Scalar Multplcaton n Ellptc Curve Cryptosystem H. K. Pathak Manju Sangh S.o.S n Computer scence

More information

Cryptanalysis of Threshold Proxy Signature Schemes 1)

Cryptanalysis of Threshold Proxy Signature Schemes 1) MM Research Preprnts, 226 233 MMRC, AMSS, Academa Snca No. 23, December 24 Cryptanalyss of Threshold Proxy Sgnature Schemes 1) Zuo-Wen Tan and Zhuo-Jun Lu Key Laboratory of Mathematcs Mechanzaton Insttute

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification

2E Pattern Recognition Solutions to Introduction to Pattern Recognition, Chapter 2: Bayesian pattern classification E395 - Pattern Recognton Solutons to Introducton to Pattern Recognton, Chapter : Bayesan pattern classfcaton Preface Ths document s a soluton manual for selected exercses from Introducton to Pattern Recognton

More information

Assortment Optimization under MNL

Assortment Optimization under MNL Assortment Optmzaton under MNL Haotan Song Aprl 30, 2017 1 Introducton The assortment optmzaton problem ams to fnd the revenue-maxmzng assortment of products to offer when the prces of products are fxed.

More information

Lecture 4. Instructor: Haipeng Luo

Lecture 4. Instructor: Haipeng Luo Lecture 4 Instructor: Hapeng Luo In the followng lectures, we focus on the expert problem and study more adaptve algorthms. Although Hedge s proven to be worst-case optmal, one may wonder how well t would

More information

and problem sheet 2

and problem sheet 2 -8 and 5-5 problem sheet Solutons to the followng seven exercses and optonal bonus problem are to be submtted through gradescope by :0PM on Wednesday th September 08. There are also some practce problems,

More information

Linear Approximation with Regularization and Moving Least Squares

Linear Approximation with Regularization and Moving Least Squares Lnear Approxmaton wth Regularzaton and Movng Least Squares Igor Grešovn May 007 Revson 4.6 (Revson : March 004). 5 4 3 0.5 3 3.5 4 Contents: Lnear Fttng...4. Weghted Least Squares n Functon Approxmaton...

More information

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes

Information-Theoretic Timed-Release Security: Key-Agreement, Encryption, and Authentication Codes Informaton-Theoretc Tmed-Release Securty: Key-Agreement, Encrypton, and Authentcaton Codes Yohe Watanabe, Takenobu Seto, Junj Shkata Graduate School of Envronment and Informaton Scences, Yokohama Natonal

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

Feature Selection: Part 1

Feature Selection: Part 1 CSE 546: Machne Learnng Lecture 5 Feature Selecton: Part 1 Instructor: Sham Kakade 1 Regresson n the hgh dmensonal settng How do we learn when the number of features d s greater than the sample sze n?

More information

Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty Computation Protocol Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

Lecture 3. Ax x i a i. i i

Lecture 3. Ax x i a i. i i 18.409 The Behavor of Algorthms n Practce 2/14/2 Lecturer: Dan Spelman Lecture 3 Scrbe: Arvnd Sankar 1 Largest sngular value In order to bound the condton number, we need an upper bound on the largest

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups

Further Lower Bounds for Structure-Preserving Signatures in Asymmetric Bilinear Groups Further Lower Bounds for Structure-Preservng Sgnatures n Asymmetrc Blnear Groups Essam Ghadaf Unversty of the West of England, Brstol, UK essam.ghadaf@gmal.com Abstract. Structure-Preservng Sgnatures (SPSs

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k.

Case A. P k = Ni ( 2L i k 1 ) + (# big cells) 10d 2 P k. THE CELLULAR METHOD In ths lecture, we ntroduce the cellular method as an approach to ncdence geometry theorems lke the Szemeréd-Trotter theorem. The method was ntroduced n the paper Combnatoral complexty

More information

Efficient Ring Signatures Without Random Oracles

Efficient Ring Signatures Without Random Oracles Effcent Rng Sgnatures Wthout Random Oracles Hovav Shacham hovav.shacham@wezmann.ac.l Brent Waters bwaters@csl.sr.com Abstract We descrbe the frst effcent rng sgnature scheme secure, wthout random oracles,

More information

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg

princeton univ. F 17 cos 521: Advanced Algorithm Design Lecture 7: LP Duality Lecturer: Matt Weinberg prnceton unv. F 17 cos 521: Advanced Algorthm Desgn Lecture 7: LP Dualty Lecturer: Matt Wenberg Scrbe: LP Dualty s an extremely useful tool for analyzng structural propertes of lnear programs. Whle there

More information

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA

4 Analysis of Variance (ANOVA) 5 ANOVA. 5.1 Introduction. 5.2 Fixed Effects ANOVA 4 Analyss of Varance (ANOVA) 5 ANOVA 51 Introducton ANOVA ANOVA s a way to estmate and test the means of multple populatons We wll start wth one-way ANOVA If the populatons ncluded n the study are selected

More information

Lecture 17 : Stochastic Processes II

Lecture 17 : Stochastic Processes II : Stochastc Processes II 1 Contnuous-tme stochastc process So far we have studed dscrete-tme stochastc processes. We studed the concept of Makov chans and martngales, tme seres analyss, and regresson analyss

More information

Lecture 10 Support Vector Machines II

Lecture 10 Support Vector Machines II Lecture 10 Support Vector Machnes II 22 February 2016 Taylor B. Arnold Yale Statstcs STAT 365/665 1/28 Notes: Problem 3 s posted and due ths upcomng Frday There was an early bug n the fake-test data; fxed

More information

Canonical transformations

Canonical transformations Canoncal transformatons November 23, 2014 Recall that we have defned a symplectc transformaton to be any lnear transformaton M A B leavng the symplectc form nvarant, Ω AB M A CM B DΩ CD Coordnate transformatons,

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

4DVAR, according to the name, is a four-dimensional variational method.

4DVAR, according to the name, is a four-dimensional variational method. 4D-Varatonal Data Assmlaton (4D-Var) 4DVAR, accordng to the name, s a four-dmensonal varatonal method. 4D-Var s actually a drect generalzaton of 3D-Var to handle observatons that are dstrbuted n tme. The

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U)

ANSWERS. Problem 1. and the moment generating function (mgf) by. defined for any real t. Use this to show that E( U) var( U) Econ 413 Exam 13 H ANSWERS Settet er nndelt 9 deloppgaver, A,B,C, som alle anbefales å telle lkt for å gøre det ltt lettere å stå. Svar er gtt . Unfortunately, there s a prntng error n the hnt of

More information

Boostrapaggregating (Bagging)

Boostrapaggregating (Bagging) Boostrapaggregatng (Baggng) An ensemble meta-algorthm desgned to mprove the stablty and accuracy of machne learnng algorthms Can be used n both regresson and classfcaton Reduces varance and helps to avod

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Message modification, neutral bits and boomerangs

Message modification, neutral bits and boomerangs Message modfcaton, neutral bts and boomerangs From whch round should we start countng n SHA? Antone Joux DGA and Unversty of Versalles St-Quentn-en-Yvelnes France Jont work wth Thomas Peyrn 1 Dfferental

More information

Simultaneous Optimization of Berth Allocation, Quay Crane Assignment and Quay Crane Scheduling Problems in Container Terminals

Simultaneous Optimization of Berth Allocation, Quay Crane Assignment and Quay Crane Scheduling Problems in Container Terminals Smultaneous Optmzaton of Berth Allocaton, Quay Crane Assgnment and Quay Crane Schedulng Problems n Contaner Termnals Necat Aras, Yavuz Türkoğulları, Z. Caner Taşkın, Kuban Altınel Abstract In ths work,

More information

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards

Comments on a secure dynamic ID-based remote user authentication scheme for multiserver environment using smart cards Comments on a secure dynamc ID-based remote user authentcaton scheme for multserver envronment usng smart cards Debao He chool of Mathematcs tatstcs Wuhan nversty Wuhan People s Republc of Chna Emal: hedebao@63com

More information