Synchronous Distributed Key Generation without Broadcasts

Authors: Nibesh Shrestha, Adithya Bhat, Aniket Kate, Kartik Nayak
Venue: IACR Cryptol. ePrint Arch., 2024, report 1635
Published: 2024-07-08
DOI: 10.62056/ayfhsgvtw (https://doi.org/10.62056/ayfhsgvtw)
Citations: 22 (Semantic Scholar)

Abstract
Distributed key generation (DKG) is a key building block in developing many efficient threshold cryptosystems. This work initiates the study of communication complexity and round complexity of DKG protocols over a point-to-point (bounded) synchronous network. Our key result is the first synchronous DKG protocol for discrete log-based cryptosystems with O(κn³) communication complexity (κ denotes a security parameter) that tolerates any t < n/2 Byzantine faults among n parties. We present two variants of the protocol: (i) a protocol with worst-case O(κn³) communication and O(t) rounds, and (ii) a protocol with expected O(κn³) communication and expected constant rounds. In the process of achieving our results, we design (1) a novel weak gradecast protocol with a communication complexity of O(κn²) for linear-sized inputs and constant rounds, (2) a protocol called “recoverable-set-of-shares” for ensuring recovery of shared secrets, (3) an oblivious leader election protocol with O(κn³) communication and constant rounds, and (4) a multi-valued validated Byzantine agreement (MVBA) protocol with O(κn³) communication complexity for linear-sized inputs and expected constant rounds. Each of these primitives is of independent interest.