GG1820
Chen-Mou Cheng
chenmou.cheng@gmail.com
Reference
- R. Gennaro and S. Goldfeder. Fast Multiparty Threshold ECDSA with Fast Trustless Setup. https://eprint.iacr.org/2019/114
- R. Gennaro and S. Goldfeder. One Round Threshold ECDSA with Identifiable Abort. https://eprint.iacr.org/2020/540
Outline
- Overview of GG1820
- Important technical details
- Q&A
Recall: (EC)DSA
- Setup
- A cyclic group \(G=\langle g\rangle\) of order \(q\)
- Hash functions \(H:\,?\rightarrow Z_q,H':G\rightarrow Z_q\)
- Key generation \[ \text{Private key }x\stackrel{\$}{\leftarrow}Z_q\text{, public key }X=g^x \]
- Signing a message \(m=H(M)\) \[ (r,s)=\left(H'(\color{red}g^{k^{-1}}\color{black}),\color{red}k(m+xr)\color{black}\right)\text{ for }k\stackrel{\$}{\leftarrow}Z_q \]
- Verification \[ r\stackrel{?}{=}H'\left(\left(g^mX^r\right)^{s^{-1}}\right)=H'\left(\left(g^mg^{xr}\right)^{k^{-1}(m+xr)^{-1}}\right) \]
Basic idea
- Break a secret \(a=a_1+a_2+\cdots+a_n\) into \(n\) shares \[ a+b=\sum a_i+\sum b_i=\sum\left(a_i+b_i\right) \]
- What about multiplication? \[ ab=\left(a_1+\cdots+a_n\right)\left(b_1+\cdots+b_n\right)=\sum_{i,j}a_ib_j \]
- MtA: Break \(a_ib_j=\alpha_{ij}+\beta_{ij}\) using AHE
- Alice sends Bob \(E_A(a_i)\)
- Bob sends \(b_jE_A(a_i)\oplus_AE_A(-\beta_{ij})=E_A(a_ib_j-\beta_{ij})\)
\[ ab=\sum_{i,j}a_ib_j=\sum_i\left(a_ib_i+\sum_{j\neq i}\alpha_{ij}+\sum_{j\neq i}\beta_{ij}\right)=\sum_i\delta_i \]
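The MtA step above, worked through in code. This is an added example, not code from the slides or from the GG18/GG20 papers: it uses a textbook Paillier scheme as the additively homomorphic encryption \(E_A\), and toy parameters constructed here (shares in \(Z_Q\) with \(Q=1019\), and a Paillier modulus built from two Mersenne primes so that no plaintext ever wraps modulo \(N\)). The function names `enc`, `dec`, `hom_add`, `hom_scale`, `mta` and `shared_product` are this example's own. `shared_product` runs MtA for every ordered pair \(i\neq j\) so that each player ends with a \(\delta_i\) and \(\sum_i\delta_i=ab\), which is the last equation on the slide.

```python
import secrets
from math import gcd, lcm

# Toy parameters, constructed for this example: shares live in Z_Q; the Paillier modulus
# N = P1*P2 (two Mersenne primes) is about 2^92, far above the largest plaintext encrypted below.
Q = 1019
P1, P2 = (1 << 31) - 1, (1 << 61) - 1
N = P1 * P2
N2 = N * N
LAM = lcm(P1 - 1, P2 - 1)              # Carmichael function of N
MU = pow(LAM % N, -1, N)               # because (1+N)^LAM = 1 + LAM*N (mod N^2)

def enc(m):
    """Paillier encryption E_A(m) = (1+N)^m * r^N mod N^2 under Alice's key."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) % N2 * pow(r, N, N2) % N2

def dec(c):
    """Paillier decryption: L(c^LAM mod N^2) * MU mod N, with L(u) = (u-1)/N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N

def hom_add(c1, c2):
    """E(a) (+)_A E(b) = E(a + b): ciphertexts multiply."""
    return c1 * c2 % N2

def hom_scale(c, k):
    """k * E(a) = E(k a): ciphertext raised to a known scalar."""
    return pow(c, k, N2)

def mta(a, b):
    """Multiplicative-to-additive conversion between Alice (holding a) and Bob (holding b).
    Returns (alpha, beta) with alpha + beta = a*b (mod Q); alpha stays with Alice, beta with Bob."""
    c_a = enc(a)                                          # Alice -> Bob: E_A(a)
    beta_prime = secrets.randbelow(Q ** 3)                # Bob's mask; a*b + beta' << N, so no wrap mod N
    c_b = hom_add(hom_scale(c_a, b), enc(beta_prime))     # Bob -> Alice: E_A(a*b + beta')
    alpha = dec(c_b) % Q                                  # Alice's additive share
    beta = (-beta_prime) % Q                              # Bob's additive share (the slide's -beta_ij)
    return alpha, beta

def shared_product(a_shares, b_shares):
    """Given a = sum a_i and b = sum b_i (one share per player), run MtA for every ordered
    pair i != j so that player i ends with delta_i and sum_i delta_i = a*b (mod Q)."""
    n = len(a_shares)
    delta = [a_shares[i] * b_shares[i] % Q for i in range(n)]   # local a_i * b_i term
    for i in range(n):
        for j in range(n):
            if i != j:
                alpha_ij, beta_ij = mta(a_shares[i], b_shares[j])  # i plays Alice, j plays Bob
                delta[i] = (delta[i] + alpha_ij) % Q
                delta[j] = (delta[j] + beta_ij) % Q
    return delta

def additive_shares(value, n):
    """Split value into n uniformly random additive shares mod Q (constructed helper)."""
    parts = [secrets.randbelow(Q) for _ in range(n - 1)]
    return parts + [(value - sum(parts)) % Q]
```

The correctness of `mta` rests on the decrypted value never wrapping modulo \(N\); Bob's mask is therefore drawn from a range that is small next to \(N\). In the real protocol that invariant cannot be taken on trust, which is why GG18/GG20 attach range proofs to the encrypted inputs, the topic the later slides on ZK checkpointing and range proofs return to.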
Shamir's secret sharing
- Break into shares \(p(1),p(2),\ldots,p(n)\) for \[ p(x)=\color{red}a_0\color{black}+a_1x+\cdots+a_{t-1}x^{t-1},t\leq n \]
- Reconstruct via Lagrange interpolation \[ \forall S=\{s_1,\ldots,s_t\}\subset\{1,\ldots,n\},p(x)=\sum_{i=1}^t\frac{\prod_{j=1,j\neq i}^t(x-s_j)}{\prod_{j=1,j\neq i}^t(s_i-s_j)}p(s_i) \]
- In particular, SSS is linear: \[ \color{red}a_0\color{black}=p(0)=\sum_{i=1}^t\lambda_{i,S}p(s_i)=\begin{bmatrix} \lambda_{1,S} & \cdots & \lambda_{t,S} \end{bmatrix} \begin{bmatrix} p(s_1) \\ \vdots \\ p(s_t) \end{bmatrix} \]
Verifiable secret sharing
- Dealer publishes \(v_0=g^{\color{red}a_0\color{black}},v_1=g^{a_1},\ldots,v_{t-1}=g^{a_{t-1}}\)
- Player \(i\) checks whether \[ g^{p(i)}=g^{\color{red}a_0\color{black}+a_1i+\cdots+a_{t-1}i^{t-1}}\stackrel{?}{=}v_0v_1^i\cdots v_{t-1}^{i^{t-1}} \]
From SSS to additive shares
- SSS: \(x=\color{red}u_1(0)\color{black}+\cdots+\color{red}u_n(0)\color{black}\), \(\deg u_i=t-1\)
- Player \(i\) distributes shares \(u_i(j)\) to players \(j=1,\ldots,n\)
- WLOG \(S=\{1,\ldots,t\}\), can convert \(x\) to additive shares \[ \begin{bmatrix} u_1(0) & \cdots & u_n(0) \end{bmatrix} \begin{bmatrix} 1 \\ \vdots \\ 1 \end{bmatrix}=\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} u_1(1) & \cdots & u_n(1) \\ \vdots & & \vdots \\ u_1(t) & \cdots & u_n(t) \end{bmatrix} \begin{bmatrix} 1 \\ \vdots \\ 1 \end{bmatrix} \] \[ =\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} u_1(1)+\cdots+u_n(1) \\ \vdots \\ u_1(t)+\cdots+u_n(t) \end{bmatrix}=\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} x_1 \\ \vdots \\ x_t \end{bmatrix} \]
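The three preceding slides (Shamir sharing, Feldman's verifiable variant, and the conversion of the jointly dealt secret \(x=\sum_i u_i(0)\) into additive shares) in working code. This is an added example, not the author's or the papers' code. It assumes a toy group constructed for the example: \(P=2Q+1=2039\) is a safe prime and \(G=4\) generates the subgroup of prime order \(Q=1019\) in \(\mathbb Z_P^*\); the function names `deal`, `verify_share`, `lagrange`, `reconstruct` and `dkg_to_additive` are this example's own. A real deployment would use a curve group of roughly 256-bit order instead.

```python
import secrets

# Toy group, constructed for this example: P = 2Q+1 is a safe prime and G = 4 = 2^2
# generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def deal(secret, t, n):
    """Shamir shares p(1..n) of p(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} over Z_Q,
    plus the Feldman commitments v_k = G^{a_k} that the dealer publishes."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    commitments = [pow(G, c, P) for c in coeffs]
    return shares, commitments

def verify_share(i, share_i, commitments):
    """Player i's check: G^{p(i)} == v_0 * v_1^i * ... * v_{t-1}^{i^{t-1}} (mod P)."""
    rhs = 1
    for k, v_k in enumerate(commitments):
        rhs = rhs * pow(v_k, pow(i, k, Q), P) % P
    return pow(G, share_i, P) == rhs

def lagrange(i, S):
    """lambda_{i,S}: weight of p(i) when recovering p(0) from the evaluation points in S."""
    num = den = 1
    for j in S:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q

def reconstruct(shares, S):
    """p(0) = sum_{i in S} lambda_{i,S} p(i); any t distinct points suffice."""
    return sum(lagrange(i, S) * shares[i] for i in S) % Q

def dkg_to_additive(t, n, S):
    """Distributed key generation as on the slides: every player i deals its own u_i, so the
    joint secret is x = sum_i u_i(0) and nobody ever holds x. Players in S convert their
    Shamir shares to additive ones, x_j = lambda_{j,S} * sum_i u_i(j), so that sum_{j in S} x_j = x.
    x itself is returned only so the caller can check that identity."""
    u0 = [secrets.randbelow(Q) for _ in range(n)]
    dealt = [deal(s, t, n) for s in u0]
    for i, (shares, comms) in enumerate(dealt, start=1):
        for j in range(1, n + 1):
            if not verify_share(j, shares[j], comms):
                raise ValueError(f"player {i} dealt a bad share to player {j}")
    x = sum(u0) % Q
    shamir = {j: sum(sh[j] for sh, _ in dealt) % Q for j in range(1, n + 1)}  # player j's share of x
    additive = {j: lagrange(j, S) * shamir[j] % Q for j in S}
    return x, additive
```

The Feldman check is what lets a player reject a malformed share before it is ever used; without it a dishonest dealer could hand out inconsistent shares and the reconstruction on the next slide would silently yield the wrong value.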
Multiplication
- To multiply two additively shared secrets \[ \begin{aligned}xy&=\left(\sum_ix_i\right)\left(\sum_iy_i\right)=\sum_{i,j}x_iy_j \\ &=\sum_i\left(x_iy_i+\sum_{j\neq i}\xi_{ij}+\sum_{j\neq i}\upsilon_{ij}\right)\end{aligned} \]
What about inverse?
- Recall: Signing a message \(m=H(M)\) \[ (r,s)=\left(H'(\color{red}g^{k^{-1}}\color{black}),k(m+xr)\right)\text{ for }k\stackrel{\$}{\leftarrow}Z_q \]
- First break random \(k\) and \(\gamma\) using VSS
- Then reconstruct \(\delta=k\gamma\) (but not \(k\) itself!) \[ \left(g^\gamma\right)^{\delta^{-1}}=g^{\gamma k^{-1}\gamma^{-1}}=g^{k^{-1}} \]
Putting it all together (GG18)
- Generate \(k=\sum_{i\in S}k_i,\gamma=\sum_{i\in S}\gamma_i\) and publish \(\Gamma_i=g^{\gamma_i}\)
- Use MtA to compute \[ \begin{aligned}k\gamma&=\sum_{i,j\in S}k_i\gamma_j\bmod q&=\sum_{i\in S}\delta_i,\\ kx&=\sum_{i,j\in S}k_i\left(\lambda_{j,S}x_j\right)\bmod q&=\sum_{i\in S}\sigma_i\end{aligned} \]
- Reconstruct \(\delta\bmod q\)
- \(H'\left(\left(\prod_{i\in S}\Gamma_i\right)^{\delta^{-1}}\right)=H'\left(\left(g^{\sum_{i\in S}\gamma_i}\right)^{\delta^{-1}}\right)=H'\left(g^{k^{-1}}\right)=r\)
- Set \(s_i=mk_i+r\sigma_i\) and compute \[ \sum_{i\in S}s_i=m\sum_{i\in S}k_i+r\sum_{i\in S}\sigma_i=mk+rkx=s \]
Putting it all together (GG20)
(Recall: \(k=\sum k_i\) and \(kx=\sum\sigma_i\))
4. \(H'\left(\left(\prod_{i\in S}\Gamma_i\right)^{\delta^{-1}}\right)=H'\left(\left(g^{\sum_{i\in S}\gamma_i}\right)^{\delta^{-1}}\right)=H'\left(g^{k^{-1}}\right)=r\)
5. Broadcast \(\bar R_i=(g^{k^{-1}})^{k_i}\) and check if \(g=\prod_{i\in S}\bar R_i\)
6. Broadcast \(S_i=(g^{k^{-1}})^{\sigma_i}\) and check if \(y=\prod_{i\in S}S_i\)
7. Set \(s_i=mk_i+r\sigma_i\) and compute \[ \sum_{i\in S}s_i=m\sum_{i\in S}k_i+r\sum_{i\in S}\sigma_i=mk+rkx=s \]
(Abort if the signature does not verify)
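The GG18 composition and the two GG20 consistency checks above, assembled end to end and checked against ordinary (EC)DSA verification. This is an added example and not code from the slides or the papers. It assumes the same toy group used earlier in these notes (\(P=2039\), \(Q=1019\), \(G=4\)), takes \(H'\) to be the DSA-style reduction of the group element modulo \(Q\) (on a curve this would be the x-coordinate modulo the group order), and replaces the Paillier MtA by `mta_sim`, a local stand-in that only reproduces MtA's output relation \(\alpha+\beta=ab\) (it does not hide the inputs, so it demonstrates the arithmetic of the protocol and nothing about its privacy). Additive shares of \(x\) are generated directly, standing in for the VSS plus Lagrange conversion. All function names are this example's own.

```python
import hashlib
import secrets

# Toy group, constructed for this example: P = 2Q+1 safe prime, G = 4 of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4

def H(msg):
    """H: {0,1}^* -> Z_Q."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def Hp(R):
    """H': <G> -> Z_Q, DSA-style (the x-coordinate mod q on a curve)."""
    return R % Q

def prod_mod_p(xs):
    out = 1
    for v in xs:
        out = out * v % P
    return out

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify(y, msg, sig):
    """Plain (EC)DSA verification in the slides' convention: r == H'((g^m y^r)^{s^-1})."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, Q - 2, Q)
    return Hp(pow(pow(G, H(msg), P) * pow(y, r, P) % P, w, P)) == r

def additive_shares(value, t):
    """value = sum of t random shares mod Q (what VSS plus the Lagrange conversion yields)."""
    parts = [secrets.randbelow(Q) for _ in range(t - 1)]
    return parts + [(value - sum(parts)) % Q]

def mta_sim(a, b):
    """Stand-in for the Paillier MtA: (alpha, beta) with alpha + beta = a*b mod Q.
    Computed locally here; in the protocol neither party learns the other's input."""
    beta = secrets.randbelow(Q)
    return (a * b - beta) % Q, beta

def share_product(a_sh, b_sh):
    """Pairwise MtA: player i ends with d_i = a_i b_i + sum_{j!=i} alpha_ij + sum_{j!=i} beta_ji,
    so that sum_i d_i = (sum a_i)(sum b_i) mod Q."""
    t = len(a_sh)
    d = [a_sh[i] * b_sh[i] % Q for i in range(t)]
    for i in range(t):
        for j in range(t):
            if i != j:
                alpha, beta = mta_sim(a_sh[i], b_sh[j])
                d[i] = (d[i] + alpha) % Q
                d[j] = (d[j] + beta) % Q
    return d

def consistency_checks(R, k_sh, sigma_sh, y):
    """GG20 steps 5 and 6: prod_i R^{k_i} == g and prod_i R^{sigma_i} == y, for R = g^{k^-1}."""
    R_bar = [pow(R, k_i, P) for k_i in k_sh]
    S = [pow(R, s_i, P) for s_i in sigma_sh]
    return prod_mod_p(R_bar) == G and prod_mod_p(S) == y

def sign_once(x_sh, y, msg):
    """One signing attempt among the t players holding additive shares of x.
    Returns (r, s), or None when a degenerate nonce came up (k, gamma, r or s zero mod Q)."""
    t = len(x_sh)
    k_sh = [secrets.randbelow(Q) for _ in range(t)]       # each player picks k_i ...
    gamma_sh = [secrets.randbelow(Q) for _ in range(t)]   # ... and gamma_i, publishing Gamma_i
    Gamma = [pow(G, g_i, P) for g_i in gamma_sh]
    delta_sh = share_product(k_sh, gamma_sh)              # sum delta_i = k*gamma
    sigma_sh = share_product(k_sh, x_sh)                  # sum sigma_i = k*x
    delta = sum(delta_sh) % Q                             # reconstructed: reveals k*gamma, not k
    if delta == 0:
        return None
    R = pow(prod_mod_p(Gamma), pow(delta, Q - 2, Q), P)   # (prod Gamma_i)^{delta^-1} = g^{k^-1}
    r = Hp(R)
    if not consistency_checks(R, k_sh, sigma_sh, y):
        raise RuntimeError("identifiable abort: some k_i or sigma_i is inconsistent")
    m = H(msg)
    s = sum(m * k_i + r * s_i for k_i, s_i in zip(k_sh, sigma_sh)) % Q   # s = sum_i s_i
    return (r, s) if r and s else None

def threshold_sign(x_sh, y, msg):
    for _ in range(100):
        sig = sign_once(x_sh, y, msg)
        if sig is not None:
            if not verify(y, msg, sig):           # GG20: abort if the signature does not verify
                raise RuntimeError("abort: assembled signature does not verify")
            return sig
    raise RuntimeError("repeated degenerate nonces")
```

`sign_once` raises rather than retries when a consistency check fails: those checks exist to pin the failure on a specific player's \(k_i\) or \(\sigma_i\), and looping past them would discard exactly the evidence GG20's identifiable abort is meant to surface. Only the zero-nonce cases, which are a property of the random choices and not of any party's behaviour, are retried.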
ZK checkpointing
- Have assumed an honest-but-curious adversary so far
- How to deal with malicious adversary?
- Checkpointing via zero-knowledge proofs
- D. Tymokhanov and O. Shlomovits. Alpha-Rays: Key Extraction Attacks on Threshold ECDSA Implementations. https://eprint.iacr.org/2021/1621
ZKP example 101:
Proving graph isomorphism
- A graph isomorphism \(\phi:G_1\rightarrow G_2\) is a permutation/relabeling of the vertices of \(G_1\)
- To prove that P knows \(\phi\) s.t. \(\phi(G_1)=G_2\):
- P publishes \(H=\psi(G_2)\) for a random secret \(\psi\)
- V challenges P with a random \(b\in\{1,2\}\)
- P responds with \(\chi=\left\{\begin{aligned}\psi\circ\phi & \text{ if }b=1\\ \psi & \text{ if }b=2 \end{aligned}\right.\)
- V verifies \(\chi(G_b)=H\)
Schnorr's DLP proof
- To prove that P knows \(x\in(\mathbb Z/q\mathbb Z)^*\) s.t. \(y=g^x\)
- P publishes \(t=g^v\) for a random secret \(v\in(\mathbb Z/q\mathbb Z)^*\)
- V challenges P with a random \(c\in(\mathbb Z/q\mathbb Z)^*\)
- P responds with \(r=v-cx\)
- V verifies \(t=g^ry^c\)
(Because \(g^ry^c=g^{v-cx}(g^x)^c=g^v\))
- Generalizes to any structure with an endomorphism ring (containing a subring) isomorphic to \((\mathbb Z/n\mathbb Z)^*\)
Fiat-Shamir heuristics
- To prove that P knows \(x\in(\mathbb Z/q\mathbb Z)^*\) s.t. \(y=g^x\)
- P publishes \(t=g^v\) for a random secret \(v\in(\mathbb Z/q\mathbb Z)^*\)
- \(\color{red}c=H(g||y||t||m)\in(\mathbb Z/q\mathbb Z)^*\)
- P responds with \(r=v-cx\)
- V verifies \(t=g^ry^c\)
(Because \(g^ry^c=g^{v-cx}(g^x)^c=g^v\))
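Schnorr's proof of knowledge of a discrete logarithm, first as the interactive three-move protocol and then made non-interactive with the Fiat-Shamir challenge \(c=H(g\|y\|t\|m)\). This is an added example, not code from the slides or the papers. It assumes the toy group constructed for these notes (\(P=2039\), \(Q=1019\), \(G=4\)) and a constructed encoding of \(g\|y\|t\|m\) into bytes (each group element as two big-endian bytes, which the toy modulus fits); `commit`, `respond`, `check`, `fiat_shamir_challenge`, `prove_ni` and `verify_ni` are this example's own names.

```python
import hashlib
import secrets

# Toy group, constructed for this example: P = 2Q+1 safe prime, G = 4 of prime order Q.
P, Q, G = 2039, 1019, 4

def in_group(v):
    """Membership in <G> minus the identity: 1 < v < P and v^Q == 1 (mod P)."""
    return 1 < v < P and pow(v, Q, P) == 1

def commit():
    """Prover, move 1: t = g^v for a fresh secret v; v is kept for the response."""
    v = secrets.randbelow(Q - 1) + 1
    return v, pow(G, v, P)

def respond(x, v, c):
    """Prover, move 3: r = v - c x (mod Q)."""
    return (v - c * x) % Q

def check(y, t, c, r):
    """Verifier: t == g^r y^c, because g^{v - cx} (g^x)^c = g^v. Group checks reject junk inputs."""
    return in_group(y) and in_group(t) and t == pow(G, r, P) * pow(y, c, P) % P

def interactive_session(x, y):
    """The interactive protocol with the verifier's random challenge (move 2) in (Z/QZ)^*."""
    v, t = commit()
    c = secrets.randbelow(Q - 1) + 1
    return check(y, t, c, respond(x, v, c))

def fiat_shamir_challenge(y, t, msg):
    """c = H(g || y || t || m) mapped into (Z/QZ)^*; stands in for the verifier's challenge."""
    data = b"".join(v.to_bytes(2, "big") for v in (G, y, t)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def prove_ni(x, y, msg):
    """Non-interactive proof (t, r) bound to the context string msg."""
    v, t = commit()
    c = fiat_shamir_challenge(y, t, msg)
    return t, respond(x, v, c)

def verify_ni(y, msg, proof):
    t, r = proof
    return check(y, t, fiat_shamir_challenge(y, t, msg), r)
```

The hash input includes \(y\) and \(t\) so that the challenge is fixed only after the commitment, and the context \(m\) so that a proof made for one session cannot be replayed in another; in GG18/GG20 these proofs are the "checkpoints" that force a malicious player to know the values behind what it publishes.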
GMR98's proof of \(\gcd(N,\phi(N))=1\)
- Pick a random \(x\in(\mathbb Z/N\mathbb Z)^*\)
- Prover computes \(M=N^{-1}\bmod\phi(N)\)
- Prover publishes \(y=x^M\bmod N\)
- Verifier verifies \(y^N=x\bmod N\)
Commitment schemes
- \(C:\mathbb P\times\mathbb R\rightarrow\mathbb C\)
- Binding: cannot change a commitment afterward
- Concealing: cannot tell what has been committed
- Hash-based scheme
- \(C(m,r)=H(r||m)\) for some hash function \(H\)
- Pedersen's scheme
- \(C(m,r)=g^rh^m\) for \(h=g^x\) unknown to Prover
- \(C(m_1,r_1)C(m_2,r_2)=C(m_1+m_2,r_1+r_2)\)
A basic ZK range proof
- Due to Damgård (1993)
- Given \(c\leftarrow C(m,r)\) for \(m\in[a,a+e)\)
- Prover: \(C(t_1,r_1),C(t_2,r_2)\) for \(t_1\stackrel{\$}{\leftarrow}[0,e),t_2=t_1-e\)
- Verifier asks Prover to open either:
- \(C(t_1,r_1),C(t_2,r_2)\)
- Or \(C(t_i+m,r_i+r)\) s.t. \(t_i+m\in[a,a+e)\)
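The Pedersen commitment from the previous slide and Damgård's basic range proof, run as the interactive protocol described above. This is an added example, not code from the slides or the papers. It assumes the toy group constructed for these notes (\(P=2039\), \(Q=1019\), \(G=4\)) with a second generator \(h=9\) whose logarithm to base \(G\) is taken as unknown by convention, and it assumes the interval \([a,a+e)\) and the committed values are small integers well below \(Q\) so that the range comparisons are meaningful; `commit`, `RangeProver`, `verify_round` and `range_proof` are this example's own names.

```python
import secrets

# Toy parameters, constructed for this example: P = 2Q+1 safe prime; G and Hh both have prime
# order Q. Pedersen is binding only while log_G(Hh) stays unknown to the prover.
P, Q, G, Hh = 2039, 1019, 4, 9

def commit(m, r):
    """Pedersen C(m, r) = g^r h^m; a negative m (the slide's t_2 = t_1 - e) is reduced mod Q."""
    return pow(G, r % Q, P) * pow(Hh, m % Q, P) % P

class RangeProver:
    """Knows the opening (m, r) of c = C(m, r) and claims m in [a, a+e)."""
    def __init__(self, m, r, a, e):
        self.m, self.r, self.a, self.e = m, r, a, e

    def announce(self):
        self.t1 = secrets.randbelow(self.e)        # t1 in [0, e)
        self.t2 = self.t1 - self.e                 # t2 in [-e, 0)
        self.r1, self.r2 = secrets.randbelow(Q), secrets.randbelow(Q)
        return commit(self.t1, self.r1), commit(self.t2, self.r2)

    def respond(self, b):
        if b == 0:                                 # open both auxiliary commitments
            return ("both", self.t1, self.r1, self.t2, self.r2)
        # open the shifted commitment C(t_i + m, r_i + r); for an honest m some i lands in range
        i = 1 if self.a <= self.t1 + self.m < self.a + self.e else 2
        t_i, r_i = (self.t1, self.r1) if i == 1 else (self.t2, self.r2)
        return ("shift", i, t_i + self.m, (r_i + self.r) % Q)

def verify_round(c, a, e, c1, c2, b, resp):
    if b == 0:
        _, t1, r1, t2, r2 = resp
        return 0 <= t1 < e and t2 == t1 - e and commit(t1, r1) == c1 and commit(t2, r2) == c2
    _, i, w, rho = resp
    c_i = c1 if i == 1 else c2
    # C(m, r) * C(t_i, r_i) = C(m + t_i, r + r_i) by the homomorphic property on the slide
    return a <= w < a + e and commit(w, rho) == c * c_i % P

def range_proof(c, a, e, prover, rounds=40):
    """Interactive proof that the value committed in c lies in [a, a+e). Each round catches a
    cheating prover with probability 1/2, so 40 rounds leave a 2^-40 chance of acceptance."""
    for _ in range(rounds):
        c1, c2 = prover.announce()
        b = secrets.randbelow(2)
        if not verify_round(c, a, e, c1, c2, b, prover.respond(b)):
            return False
    return True
```

Two practical caveats follow from the code. First, this basic proof has slack: a prover whose value lies in \((a-e,a)\) or \([a+e,a+2e)\) can still pick an auxiliary value that lands in range, so acceptance only guarantees \(m\in(a-e,a+2e)\), and protocols that build on it must budget for that. Second, the whole point of attaching such a proof to the MtA inputs is to bound the plaintext Bob multiplies against, so that the decrypted value cannot wrap modulo the Paillier modulus; the Alpha-Rays paper cited on the ZK checkpointing slide is about implementations that skipped or weakened exactly this step.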
Questions?