GG1820

Chen-Mou Cheng

chenmou.cheng@gmail.com

References

  • GG18: R. Gennaro and S. Goldfeder. Fast Multiparty Threshold ECDSA with Fast Trustless Setup. https://eprint.iacr.org/2019/114
  • GG20: R. Gennaro and S. Goldfeder. One Round Threshold ECDSA with Identifiable Abort. https://eprint.iacr.org/2020/540

Outline

  • Overview of GG1820
  • Important technical details
  • Q&A

Recall: (EC)DSA

  • Setup
    • A cyclic group \(G=\langle g\rangle\) of order \(q\)
    • Hash functions \(H:\{0,1\}^*\rightarrow Z_q\) (for messages) and \(H':G\rightarrow Z_q\) (for ECDSA, the \(x\)-coordinate of the point reduced mod \(q\))
  • Key generation \[ \text{Private key }x\stackrel{\$}{\leftarrow}Z_q\text{, public key }X=g^x \]
  • Signing a message \(m=H(M)\) \[ (r,s)=\left(H'(\color{red}g^{k^{-1}}\color{black}),\color{red}k(m+xr)\color{black}\right)\text{ for }k\stackrel{\$}{\leftarrow}Z_q \]
    • GG18's convention: this \(k\) is the inverse of the usual DSA nonce, so the nonce point is \(R=g^{k^{-1}}\); the threshold protocol below never reconstructs \(k\) itself
  • Verification \[ r\stackrel{?}{=}H'\left(\left(g^mX^r\right)^{s^{-1}}\right)=H'\left(\left(g^mg^{xr}\right)^{k^{-1}(m+xr)^{-1}}\right) \]

Basic idea

  • Additive sharing: break a secret \(a=a_1+a_2+\cdots+a_n\) into \(n\) shares; sums are then purely local \[ a+b=\sum a_i+\sum b_i=\sum\left(a_i+b_i\right) \]
  • What about multiplication? Each cross term \(a_ib_j\) involves two different players \[ ab=\left(a_1+\cdots+a_n\right)\left(b_1+\cdots+b_n\right)=\sum_{i,j}a_ib_j \]
  • MtA (multiplicative-to-additive): break \(a_ib_j=\alpha_{ij}+\beta_{ij}\) using additively homomorphic encryption (AHE; Paillier in GG18)
    • Alice sends Bob \(E_A(a_i)\)
    • Bob picks a random \(\beta_{ij}\) and sends \(b_jE_A(a_i)\oplus_AE_A(-\beta_{ij})=E_A(a_ib_j-\beta_{ij})\)
    • Alice decrypts \(\alpha_{ij}=a_ib_j-\beta_{ij}\); neither side learns the other's input
    • The homomorphic arithmetic is modulo the Paillier \(N\), not \(q\): Bob's plaintext must not wrap around, which is what GG18's range proofs enforce

\[ ab=\sum_{i,j}a_ib_j=\sum_i\left(a_ib_i+\sum_{j\neq i}\alpha_{ij}+\sum_{j\neq i}\beta_{ji}\right)=\sum_i\delta_i \]

  • \(\delta_i\) is held entirely by player \(i\): the \(\alpha_{ij}\) come from the MtAs in which \(i\) is Alice, the \(\beta_{ji}\) from those in which \(i\) is Bob, so \(ab\) is now additively shared with no further interaction

Shamir's secret sharing

  • Break into shares \(p(1),p(2),\ldots,p(n)\) for \[ p(x)=\color{red}a_0\color{black}+a_1x+\cdots+a_{t-1}x^{t-1},t\leq n \] (any \(t\) shares determine \(p\); any \(t-1\) shares reveal nothing about \(\color{red}a_0\color{black}\))
  • Reconstruct via Lagrange interpolation \[ \forall S=\{s_1,\ldots,s_t\}\subset\{1,\ldots,n\},p(x)=\sum_{i=1}^t\frac{\prod_{j=1,j\neq i}^t(x-s_j)}{\prod_{j=1,j\neq i}^t(s_i-s_j)}p(s_i) \]
  • In particular, SSS is linear: with \(\lambda_{i,S}=\prod_{j\neq i}\frac{s_j}{s_j-s_i}\) (the Lagrange basis evaluated at \(x=0\), computable by anyone who knows \(S\)) \[ \color{red}a_0\color{black}=p(0)=\sum_{i=1}^t\lambda_{i,S}p(s_i)=\begin{bmatrix} \lambda_{1,S} & \cdots & \lambda_{t,S} \end{bmatrix} \begin{bmatrix} p(s_1) \\ \vdots \\ p(s_t) \end{bmatrix} \]

Verifiable secret sharing

  • Dealer publishes (Feldman's VSS) \(v_0=g^{\color{red}a_0\color{black}},v_1=g^{a_1},\ldots,v_{t-1}=g^{a_{t-1}}\); note that \(v_0\) is the public key of the shared secret
  • Player \(i\) checks whether \[ g^{p(i)}=g^{\color{red}a_0\color{black}+a_1i+\cdots+a_{t-1}i^{t-1}}\stackrel{?}{=}v_0v_1^i\cdots v_{t-1}^{i^{t-1}} \] and rejects the share otherwise; every player checks against the same \(v_k\), so the dealer cannot hand out shares of different polynomials

From SSS to additive shares

  • SSS without a dealer: \(x=\color{red}u_1(0)\color{black}+\cdots+\color{red}u_n(0)\color{black}\), \(\deg u_i=t-1\), so nobody ever holds \(x\)
    • Player \(i\) distributes shares \(u_i(j)\) to players \(j=1,\ldots,n\), each checked against \(i\)'s Feldman commitments; player \(j\)'s Shamir share is \(x_j=\sum_iu_i(j)\), and \(X=g^x\) is the product of the dealers' \(v_0\) values
    • Goal: each signer \(j\in S\) ends up with an additive share \(w_j=\lambda_{j,S}x_j\), \(\sum_{j\in S}w_j=x\), and \(g^{w_j}\) is public
  • WLOG \(S=\{1,\ldots,t\}\), can convert \(x\) to additive shares \[ \begin{bmatrix} u_1(0) & \cdots & u_n(0) \end{bmatrix} \begin{bmatrix} 1 \\ \vdots \\ 1 \end{bmatrix}=\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} u_1(1) & \cdots & u_n(1) \\ \vdots & & \vdots \\ u_1(t) & \cdots & u_n(t) \end{bmatrix} \begin{bmatrix} 1 \\ \vdots \\ 1 \end{bmatrix} \] \[ =\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} u_1(1)+\cdots+u_n(1) \\ \vdots \\ u_1(t)+\cdots+u_n(t) \end{bmatrix}=\begin{bmatrix} \lambda_1 & \cdots & \lambda_t \end{bmatrix} \begin{bmatrix} x_1 \\ \vdots \\ x_t \end{bmatrix} \]
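Worked example for the Shamir, VSS and additive-share slides above. This is an added example, not code from the slides or from the GG18/GG20 papers: n players run a dealerless Feldman VSS of a secp256k1 key with threshold t, every player checks the shares it receives against the published commitments v_k, and the signers in S convert their Shamir shares into additive shares w_j = λ_{j,S} x_j. The curve constants are the real secp256k1 ones; the function names (keygen, feldman_check, additive_shares) are this example's own. Toy code: affine arithmetic, not constant-time, and without the Schnorr proofs of knowledge that GG18 key generation adds on top.

```python
"""Dealerless Feldman VSS of a secp256k1 key and the Shamir-to-additive conversion
(added example; not the slides' code). Affine arithmetic, not constant-time, toy only."""
import math
import secrets

# secp256k1: field prime, group order q and generator g (the slides' G = <g>)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % P == 0:
        return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return x, (lam * (A[0] - x) - A[1]) % P

def ec_mul(n, A):
    """Double-and-add; the slides' g^n written additively."""
    R = None
    while n:
        if n & 1:
            R = ec_add(R, A)
        A, n = ec_add(A, A), n >> 1
    return R

def poly_eval(coeffs, x):
    """p(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod q."""
    return sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q

def lagrange_at_zero(S):
    """lambda_{i,S} = prod_{j != i} s_j / (s_j - s_i), so that p(0) = sum_i lambda_{i,S} p(s_i)."""
    return {i: math.prod(j * pow((j - i) % Q, -1, Q) for j in S if j != i) % Q for i in S}

def feldman_deal(t):
    """Dealer picks u of degree t-1 and publishes v_k = g^{a_k} for every coefficient a_k."""
    coeffs = [secrets.randbelow(Q) for _ in range(t)]
    return coeffs, [ec_mul(a, G) for a in coeffs]

def feldman_check(share, j, commits):
    """Player j accepts u(j) only if g^{u(j)} == v_0 v_1^j ... v_{t-1}^{j^{t-1}}."""
    rhs = None
    for k, v in enumerate(commits):
        rhs = ec_add(rhs, ec_mul(pow(j, k, Q), v))
    return ec_mul(share, G) == rhs

def keygen(n, t):
    """Every player i deals u_i; x = sum_i u_i(0) is never assembled, x_j = sum_i u_i(j).
    Returns (X, shares, x); x is returned only so the caller can check the arithmetic."""
    polys, commits = zip(*(feldman_deal(t) for _ in range(n)))
    shares = {}
    for j in range(1, n + 1):
        received = [poly_eval(polys[i], j) for i in range(n)]
        if not all(feldman_check(received[i], j, commits[i]) for i in range(n)):
            raise ValueError(f"player {j} received an inconsistent share")
        shares[j] = sum(received) % Q
    X = None
    for c in commits:                                  # X = g^x from the v_0 commitments alone
        X = ec_add(X, c[0])
    return X, shares, sum(u[0] for u in polys) % Q

def additive_shares(shares, S):
    """Signers in S convert Shamir shares into additive shares w_j = lambda_{j,S} x_j, sum = x."""
    lam = lagrange_at_zero(S)
    return {j: lam[j] * shares[j] % Q for j in S}
```

Running `keygen(5, 3)` and then `additive_shares(shares, [1, 3, 5])` gives three values that sum to x mod q, while any two shares do not; a share altered in transit fails `feldman_check`, which is the point of publishing the v_k.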

Multiplication

  • To multiply two additively shared secrets, run MtA for every ordered pair \((i,j),i\neq j\): \(x_iy_j=\xi_{ij}+\upsilon_{ij}\) with \(\xi_{ij}\) at player \(i\) and \(\upsilon_{ij}\) at player \(j\) \[ \begin{aligned}xy&=\left(\sum_ix_i\right)\left(\sum_iy_i\right)=\sum_{i,j}x_iy_j \\ &=\sum_i\left(x_iy_i+\sum_{j\neq i}\xi_{ij}+\sum_{j\neq i}\upsilon_{ji}\right)\end{aligned} \]

What about inverse?

  • Recall: Signing a message \(m=H(M)\) \[ (r,s)=\left(H'(\color{red}g^{k^{-1}}\color{black}),k(m+xr)\right)\text{ for }k\stackrel{\$}{\leftarrow}Z_q \]
  • First share random \(k\) and \(\gamma\) additively: each signer picks fresh \(k_i,\gamma_i\) of its own (only the sums matter, so no dealer or VSS is involved here)
  • Then reconstruct \(\delta=k\gamma\) (but not \(k\) itself!) \[ \left(g^\gamma\right)^{\delta^{-1}}=g^{\gamma k^{-1}\gamma^{-1}}=g^{k^{-1}} \]

Putting it all together (GG18)

  1. Each signer \(i\in S\) picks \(k_i,\gamma_i\stackrel{\$}{\leftarrow}Z_q\), so \(k=\sum_{i\in S}k_i,\gamma=\sum_{i\in S}\gamma_i\), and publishes \(\Gamma_i=g^{\gamma_i}\) (in GG18 it is committed here and only opened after step 2)
  2. Use MtA to compute, with \(w_j=\lambda_{j,S}x_j\) the additive share of \(x\) from the previous slides (MtA for \(k\gamma\); MtAwc for \(kx\), since \(g^{w_j}\) is public and lets Alice check Bob's input) \[ \begin{aligned}k\gamma&=\sum_{i,j\in S}k_i\gamma_j\bmod q&=\sum_{i\in S}\delta_i,\\ kx&=\sum_{i,j\in S}k_i\left(\lambda_{j,S}x_j\right)\bmod q&=\sum_{i\in S}\sigma_i\end{aligned} \]
  3. Reconstruct \(\delta\bmod q\)
  4. \(H'\left(\left(\prod_{i\in S}\Gamma_i\right)^{\delta^{-1}}\right)=H'\left(\left(g^{\sum_{i\in S}\gamma_i}\right)^{\delta^{-1}}\right)=H'\left(g^{k^{-1}}\right)=r\)
  5. Set \(s_i=mk_i+r\sigma_i\) and compute \[ \sum_{i\in S}s_i=m\sum_{i\in S}k_i+r\sum_{i\in S}\sigma_i=mk+rkx=s \]

Putting it all together (GG20)

(Recall: \(k=\sum k_i\) and \(kx=\sum\sigma_i\) )

4. \(H'\left(\left(\prod_{i\in S}\Gamma_i\right)^{\delta^{-1}}\right)=H'\left(\left(g^{\sum_{i\in S}\gamma_i}\right)^{\delta^{-1}}\right)=H'\left(g^{k^{-1}}\right)=r\)

5. Broadcast \(\bar R_i=(g^{k^{-1}})^{k_i}\) and check if \(g=\prod_{i\in S}\bar R_i\) (indeed \(\prod_i\bar R_i=g^{k^{-1}\sum_ik_i}=g\)); each \(\bar R_i\) comes with a ZK proof that it uses the same \(k_i\) as the MtA, so a failed check points at the offending player

6. Broadcast \(S_i=(g^{k^{-1}})^{\sigma_i}\) and check if \( y=\prod_{i\in S}S_i \) where \(y=g^x\) is the public key \(X\) of the recall slide (indeed \(\prod_iS_i=g^{k^{-1}kx}=g^x\)), again with a consistency proof per \(S_i\)

7. Set \(s_i=mk_i+r\sigma_i\) and compute \[ \sum_{i\in S}s_i=m\sum_{i\in S}k_i+r\sum_{i\in S}\sigma_i=mk+rkx=s \]

(Abort if the signature does not verify)
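The GG18 steps 1 to 5 and the GG20 checks above as one runnable simulation. This is an added example, not code from the slides or the papers. It keeps the slides' multiplicative notation by using plain DSA in a prime-order subgroup of \(\mathbb Z_p^*\) with \(H'(R)=R\bmod q\); the same flow applies to ECDSA with point arithmetic in place of modular exponentiation. Assumptions: every signer already holds an additive share \(w_i\) of \(x\) (the output of the Lagrange conversion on the earlier slide) and its own Paillier key for MtA, and all signers run in one process, so the commitments to \(\Gamma_i\), the range proofs on MtA ciphertexts and the consistency proofs that make an abort identifiable are left out. The `cheater` argument corrupts one \(\sigma_i\) to show the \(S_i\) check firing before any \(s_i\) is revealed. The names (`gg_sign`, `mta`, `demo`) and the toy parameter sizes are this example's choices.

```python
"""Toy GG18 signing with the GG20 checks (added example; not the slides' or the papers' code).
DSA in <g> of prime order q inside Z_p^*, H'(R) = R mod q, Paillier MtA; no ZK proofs, not for production."""
import hashlib
import math
import secrets

def is_probable_prime(n, rounds=24):
    """Miller-Rabin; every caller passes an odd n > 3."""
    s = ((n - 1) & (1 - n)).bit_length() - 1        # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def schnorr_group(qbits=160, pbits=512):
    """(p, q, g): primes with q | p - 1 and g of order q, the slides' G = <g>. Toy sizes."""
    q = random_prime(qbits)
    while True:
        k = 2 * secrets.randbits(pbits - qbits - 1)
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    g = 1
    while g == 1:                                   # h^((p-1)/q) has order q unless it is 1
        g = pow(2 + secrets.randbelow(p - 3), k, p)
    return p, q, g

def paillier_keygen(bits=512):
    """(N, lambda, mu) for generator 1 + N; lambda = (p-1)(q-1) is coprime to N for equal-size primes."""
    p, q = random_prime(bits), random_prime(bits)
    n, lam = p * q, (p - 1) * (q - 1)
    return n, lam, pow(lam, -1, n)

def paillier_enc(n, m):
    return (1 + m * n) % (n * n) * pow(1 + secrets.randbelow(n - 1), n, n * n) % (n * n)

def paillier_dec(key, c):
    n, lam, mu = key
    return (pow(c, lam, n * n) - 1) // n * mu % n

def mta(alice_key, a, b, q):
    """Alice holds a, Bob holds b; returns (alpha, beta) with alpha + beta = a*b mod q.
    Bob forms E_A(a*b + beta') homomorphically; a*b + beta' < N is what GG18's range proofs enforce."""
    n = alice_key[0]
    c_a = paillier_enc(n, a)                                        # Alice -> Bob
    beta_p = secrets.randbelow(q * q)                               # Bob's mask
    c_b = pow(c_a, b, n * n) * paillier_enc(n, beta_p) % (n * n)    # Bob -> Alice
    return paillier_dec(alice_key, c_b) % q, -beta_p % q

def gg_sign(group, y, w, keys, m, cheater=None):
    """GG18 slide steps 1-5 with the GG20 R-bar_i / S_i checks; returns (r, s) or None on abort."""
    p, q, g = group
    k = [secrets.randbelow(q) for _ in w]                           # step 1: k = sum k_i
    gam = [secrets.randbelow(q) for _ in w]                         #         gamma = sum gamma_i
    Gamma = [pow(g, gi, p) for gi in gam]                           #         published Gamma_i
    delta = [ki * gi for ki, gi in zip(k, gam)]                     # step 2: delta_i = k_i gamma_i + ...
    sigma = [ki * wi for ki, wi in zip(k, w)]                       #         sigma_i = k_i w_i + ...
    for i in range(len(w)):
        for j in range(len(w)):
            if i != j:                                              # i as Alice, j as Bob
                a, b = mta(keys[i], k[i], gam[j], q)                # k_i * gamma_j
                delta[i], delta[j] = delta[i] + a, delta[j] + b
                a, b = mta(keys[i], k[i], w[j], q)                  # k_i * w_j
                sigma[i], sigma[j] = sigma[i] + a, sigma[j] + b
    if cheater is not None:
        sigma[cheater] += 1                                         # one signer corrupts its sigma_i
    R = pow(math.prod(Gamma) % p, pow(sum(delta) % q, -1, q), p)    # steps 3-4: delta = k*gamma, R = g^{1/k}
    r = R % q
    R_bar = [pow(R, ki, p) for ki in k]                             # GG20 step 5: prod R_bar_i must be g
    S = [pow(R, si, p) for si in sigma]                             # GG20 step 6: prod S_i must be y
    if math.prod(R_bar) % p != g or math.prod(S) % p != y:
        return None                                                 # abort; no s_i is broadcast
    return r, sum(m * ki + r * si for ki, si in zip(k, sigma)) % q  # step 7: s = sum s_i

def dsa_verify(group, y, m, r, s):
    p, q, g = group                                                 # recall slide: r == H'((g^m y^r)^{1/s})
    u = pow(s, -1, q)
    return pow(g, m * u % q, p) * pow(y, r * u % q, p) % p % q == r

def demo(t=3, message=b"constructed sample message", cheater=None):
    p, q, g = group = schnorr_group()
    w = [secrets.randbelow(q) for _ in range(t)]                    # additive shares w_i of x, sum = x
    y = pow(g, sum(w) % q, p)                                       # public key y = g^x
    m = int.from_bytes(hashlib.sha256(message).digest(), "big") % q
    sig = gg_sign(group, y, w, [paillier_keygen() for _ in w], m, cheater)
    return sig is not None and dsa_verify(group, y, m, *sig), sig
```

`demo()` returns a verifying signature produced without any party ever holding \(k\) or \(x\); `demo(cheater=1)` returns no signature, because the product of the \(S_i\) no longer equals \(y\) and the run aborts before step 7. Without the consistency proofs this toy only detects that someone cheated, not who; that is what the proofs in GG20 add.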

ZK checkpointing

  • Have assumed an honest-but-curious (semi-honest) adversary so far: every player follows the protocol and only tries to learn more than its share
  • How to deal with a malicious adversary?
    • Checkpointing via zero-knowledge proofs: at each step a player proves that it used the values it committed to earlier (its \(k_i\), its Paillier plaintexts, a well-formed Paillier key)
    • Skipping or weakening these proofs is what breaks deployed implementations: D. Tymokhanov and O. Shlomovits. Alpha-Rays: Key Extraction Attacks on Threshold ECDSA Implementations. https://eprint.iacr.org/2021/1621

ZKP example 101:
Proving graph isomorphism

  • A graph isomorphism \(\phi:G_1\rightarrow G_2\) is a permutation/relabeling of the vertices of \(G_1\) that maps its edge set exactly onto that of \(G_2\)
  • To prove that P knows \(\phi\) s.t. \(\phi(G_1)=G_2\) without revealing \(\phi\) (one round; a P without \(\phi\) can answer only one of the two challenges, so \(n\) rounds leave cheating probability \(2^{-n}\)):
    • P publishes \(H=\psi(G_2)\) for a random secret \(\psi\)
    • V challenges P with a random \(b\in\{1,2\}\)
    • P responds with \(\chi=\left\{\begin{aligned}\psi\circ\phi & \text{ if }b=1\\ \psi & \text{ if }b=2 \end{aligned}\right.\)
    • V verifies \(\chi(G_b)=H\)
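The protocol above as runnable code (added example, not from the slides): prover and verifier sides of the graph-isomorphism proof, run for 20 rounds with an honest prover, then with a prover that does not know \(\phi\), plus a simulator that produces accepting transcripts without \(\phi\), which is the zero-knowledge property. Graphs are sets of two-vertex frozensets and a permutation is a list mapping vertex \(v\) to `perm[v]`; the sample graphs and \(\phi\) are constructed for this example.

```python
"""The graph-isomorphism ZK protocol, prover and verifier (added example; not the slides' code)."""
import secrets

def apply_perm(perm, graph):
    """Relabel every edge {u, v} to {perm[u], perm[v]}."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def random_perm(n):
    """Uniformly random permutation of range(n) (Fisher-Yates driven by a CSPRNG)."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def compose(outer, inner):
    """(outer o inner)[v] = outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]

def prover_round(g2, phi, n):
    """P publishes H = psi(G2) for a fresh secret psi and keeps a closure that answers challenge b."""
    psi = random_perm(n)
    h = apply_perm(psi, g2)
    return h, (lambda b: compose(psi, phi) if b == 1 else psi)

def verifier_round(g1, g2, h, respond):
    """V picks b in {1, 2}, receives chi and accepts iff chi(G_b) == H."""
    b = 1 + secrets.randbelow(2)
    chi = respond(b)
    return apply_perm(chi, g1 if b == 1 else g2) == h

def run_protocol(g1, g2, phi, n, rounds=20):
    """Accepted rounds: all of them for an honest P, each with probability 1/2 for a P without phi."""
    return sum(verifier_round(g1, g2, *prover_round(g2, phi, n)) for _ in range(rounds))

def simulate_transcript(g1, g2, n):
    """Zero-knowledge: pick b first, chi at random, set H = chi(G_b); (H, b, chi) is accepting
    and distributed like a real transcript, although no phi was used."""
    b, chi = 1 + secrets.randbelow(2), random_perm(n)
    return apply_perm(chi, g1 if b == 1 else g2), b, chi

def graph(*edges):
    return frozenset(frozenset(e) for e in edges)

# Constructed sample: G1 is a 5-cycle, G2 = phi(G1); BAD is not isomorphic to G1 (it has a degree-1 vertex).
N = 5
G1 = graph((0, 1), (1, 2), (2, 3), (3, 4), (4, 0))
PHI = [2, 4, 1, 3, 0]
G2 = apply_perm(PHI, G1)
BAD = graph((0, 1), (1, 2), (2, 3), (3, 0), (0, 4))
```

`run_protocol(G1, G2, PHI, N)` accepts all 20 rounds. A prover claiming the identity map between G1 and BAD passes only the rounds where \(b=2\), about half, so the verifier rejects with probability \(1-2^{-20}\).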

Schnorr's DLP proof

  • To prove that P knows \(x\in(\mathbb Z/q\mathbb Z)^*\) s.t. \(y=g^x\)
    • P publishes \(t=g^v\) for a random secret \(v\in(\mathbb Z/q\mathbb Z)^*\)
    • V challenges P with a random \(c\in(\mathbb Z/q\mathbb Z)^*\)
    • P responds with \(r=v-cx\)
    • V verifies \(t=g^ry^c\)
      (Because \(g^ry^c=g^{v-cx}(g^x)^c=g^v\))
  • Generalizes to any group of known order \(n\), with scalars in \(\mathbb Z/n\mathbb Z\) (and, in Maurer's unifying framework, to proving a preimage under any group homomorphism)
  • \(v\) must be fresh and uniform for every proof: two transcripts with the same \(t\) give \(x=(r_1-r_2)/(c_2-c_1)\)

Fiat-Shamir heuristic

  • To prove that P knows \(x\in(\mathbb Z/q\mathbb Z)^*\) s.t. \(y=g^x\)
    • P publishes \(t=g^v\) for a random secret \(v\in(\mathbb Z/q\mathbb Z)^*\)
    • \(\color{red}c=H(g||y||t||m)\in(\mathbb Z/q\mathbb Z)^*\) replaces V's challenge, so the proof becomes non-interactive; hashing a message \(m\) in as well turns \((t,r)\) into a Schnorr signature on \(m\)
    • P responds with \(r=v-cx\)
    • V verifies \(t=g^ry^c\)
      (Because \(g^ry^c=g^{v-cx}(g^x)^c=g^v\))

GMR98's proof of \(\gcd(N,\phi(N))=1\)

  • Paillier decryption needs \(\gcd(N,\phi(N))=1\), so each player proves it for its own \(N\); the Prover knows \(\phi(N)\), the Verifier does not
  • Verifier picks a random \(x\in(\mathbb Z/N\mathbb Z)^*\) (or derives it by Fiat-Shamir)
  • Prover computes \(M=N^{-1}\bmod\phi(N)\), which exists exactly when \(\gcd(N,\phi(N))=1\)
  • Prover publishes \(y=x^M\bmod N\)
  • Verifier verifies \(y^N=x\bmod N\)
  • Soundness: if \(\gcd(N,\phi(N))\neq1\), then \(x\mapsto x^N\) is not onto \((\mathbb Z/N\mathbb Z)^*\) and a random \(x\) has an \(N\)-th root with probability at most \(1/2\), so the check is repeated for several \(x\)

Commitment schemes

  • \(C:\mathbb P\times\mathbb R\rightarrow\mathbb C\), (message, randomness) \(\mapsto\) commitment
    • Binding: cannot change a commitment afterward (no two valid openings of the same \(c\))
    • Concealing (hiding): cannot tell what has been committed
  • Hash-based scheme
    • \(C(m,r)=H(r||m)\) for some hash function \(H\); binding from collision resistance, hiding from the entropy of \(r\)
  • Pedersen's scheme
    • \(C(m,r)=g^rh^m\) for \(h=g^x\) with \(x\) unknown to the Prover: perfectly hiding, and binding as long as \(\log_gh\) stays unknown
    • Homomorphic: \(C(m_1,r_1)C(m_2,r_2)=C(m_1+m_2,r_1+r_2)\)

A basic ZK range proof

  • Due to Damgård (1993)
  • Given \(c\leftarrow C(m,r)\) for \(m\in[a,a+e)\), convince V of the range without opening \(c\)
  • Prover: \(C(t_1,r_1),C(t_2,r_2)\) for \(t_1\stackrel{\$}{\leftarrow}[0,e),t_2=t_1-e\)
  • Verifier asks the Prover to open either:
    • \(C(t_1,r_1),C(t_2,r_2)\), checking \(t_1\in[0,e)\) and \(t_2=t_1-e\)
    • Or \(C(t_i+m,r_i+r)=c\cdot C(t_i,r_i)\) (by the homomorphism) for the \(i\) with \(t_i+m\in[a,a+e)\); exactly one such \(i\) exists when \(m\in[a,a+e)\)
  • Caveat: the proof has slack, since honest-looking \(t_i\) also let a prover with \(m\in(a-e,a+2e)\) pass; protocols that build on it account for this widened interval

Questions?
