Adaptively Secure Non-interactive CCA-Secure Threshold Cryptosystems: Generic Framework and Constructions
- PDF / 544,557 Bytes
- 37 Pages / 439.37 x 666.142 pts Page_size
- 28 Downloads / 212 Views
Adaptively Secure Non-interactive CCA-Secure Threshold Cryptosystems: Generic Framework and Constructions∗ Benoît Libert CNRS, Laboratoire LIP (CNRS, ENSL, U@. Lyon, Inria, UCBL), ENS de Lyon, Lyon, France [email protected]
Moti Yung Google and Columbia University, New York, USA Communicated by Kenneth G. Paterson Received 6 April 2012 / Revised 17 April 2019
Abstract. In threshold cryptography, private keys are divided into n shares, each one of which is given to a different server in order to avoid single points of failure. In the case of threshold public-key encryption, at least t ≤ n servers need to contribute to the decryption process. A threshold primitive is said robust if no coalition of t malicious servers can prevent remaining honest servers from successfully completing private key operations. Non-interactive schemes, considered the most practical ones, allow servers to contribute to decryption without interactions. So far, most non-interactive threshold cryptosystems were only proved secure against static corruptions. In the adaptive corruption scenario (where the adversary can corrupt servers at any time, based on its complete view), all existing robust threshold encryption schemes that also resist chosen-ciphertext attacks till recently require interaction in the decryption phase. A very specific method (in composite order groups) for getting rid of interaction was recently suggested, leaving the question of more generic frameworks and constructions with better security and, in particular, better flexibility (i.e., compatibility with distributed key generation). This paper advances the state of the art and describes a general construction of adaptively secure robust non-interactive threshold cryptosystems with chosen-ciphertext security. We define the novel notion of all-but-one perfectly sound threshold hash proof systems that can be seen as (threshold) hash proof systems with publicly verifiable and simulationsound proofs. We show that this notion generically implies threshold cryptosystems combining the aforementioned properties. Then, we provide efficient instantiations under well-studied assumptions in bilinear groups (e.g., in such groups of prime order). These instantiations have a tighter security proof in the single-challenge setting and are indeed compatible with distributed key generation protocols. Keywords. Threshold cryptography, Adaptive corruptions, Public-key encryption, Chosen-ciphertext security, non-interactivity, Robustness. ∗ This is the full version of a paper published in the proceedings of TCC 2012. Moti Yung: Part of this work was done while this author was with Snapchat.
© International Association for Cryptologic Research 2020
B. Libert, M. Yung
1. Introduction Threshold cryptography [16,29,30] avoids single points of failure by splitting keys into n > 1 shares which are held by servers in such a way that at least t out of n servers should contribute to private key operations. In (t, n)-threshold cryptosystems, an adversary breaking into up to t − 1 servers sho
Data Loading...