Commit 1cc2080f authored by Philipp Muth's avatar Philipp Muth
minor

parent 959488c1
...@@ -10,13 +10,13 @@ ...@@ -10,13 +10,13 @@
\begin{document} \begin{document}
\begin{enumerate} \begin{enumerate}
% ------------------- Motivation ------------------- % ------------------- Motivation -------------------
\item Thank you for the introduction. We will in the next few minutes discuss our work "On Actively Secure Fine-Grained Access Structures from Isogeny Assumptions". This was joint work with Fabio Campos from RheinMain University in Wiesbaden. \item Thank you for the introduction. We will in the next few minutes discuss our work "On Actively Secure Fine-Grained Access Structures from Isogeny Assumptions". This was joint work with Fabio Campos.
\item Let us first set the stage. We will be moving in the context of hard homogeneous spaces. Such a space consists of a set \(\mathcal E\), a group \(\mathcal G\) and an action \(\ast\), that combines \(\mathcal E\) and \(\mathcal G\) to produce another element of the set \(\mathcal E\). We will use this bracket notation throughout this talk and also in our paper. \item Let us first set the stage. We will be moving in the context of hard homogeneous spaces. Such a space consists of a set \(\mathcal E\), a group \(\mathcal G\) and an action \(\ast\), that combines \(\mathcal E\) and \(\mathcal G\) to produce another element of the set \(\mathcal E\). We will use this bracket notation throughout this talk and also in our paper.
We base the security of our protocols on the group action inverse problem, that is, given two elements \(E\) and \(E'\), the probability of providing a \(g\) that connects them both is negligible in an implied security parameter. This has an obvious continuation to the bracket notation. We base the security of our protocols on the group action inverse problem, that is, given two elements \(E\) and \(E'\), the probability of providing a \(g\) that connects them both is negligible in an implied security parameter. This has an obvious continuation to the bracket notation.
\item Let us have a look at the definition of a key exchange mechanism. It consists of three protocols. First, we have the key generation protocol. In a hard homogeneous space, this can look like this: A secret key is sampled and applied to a publicly known fixed \((E_0\) to get the public key. Secondly, we have the encapsulation protocol. Again, in a hard homogeneous space this is a rather simple protocol, that is a random \(b\) is sampled, applied to the public key, which results in the ephemeral key \(\key\), and to the fixed element \(E_0\), which gives us the ciphertext \(c\), that is then sent to the owner of the secret key. For decapsulation, the owner of the secret key typically simply applies the secret key to the ciphertext and arrives at the same key \(\key\), that we got from the encapsulation. \item Let us have a look at the definition of a key exchange mechanism. It consists of three protocols. First, we have the key generation protocol. In a hard homogeneous space, this can look like this: A secret key is sampled and applied to a publicly known fixed \(E_0\) to get the public key. Secondly, we have the encapsulation protocol. Again, in a hard homogeneous space this is a rather simple protocol, that is a random \(b\) is sampled, applied to the public key, which results in the ephemeral key \(\key\), and to the fixed element \(E_0\), which gives us the ciphertext \(c\), that is then sent to the owner of the secret key. For decapsulation, the owner of the secret key typically simply applies the secret key to the ciphertext and arrives at the same key \(\key\), that we got from the encapsulation.
\item However, we consider a context, in which the secret key is not held by a single party, but is shared in a secret sharing scheme. When an authorised set of shareholders gets a ciphertext \(c\) as input for decapsulation, they fix a turn order and one after another apply their respective share to the ciphertext in a round-robin fashion. Eventually, they arrive at the same key, that would result from applying the secret key in clear to the ciphertext. De Feo and Meyer showed, that this protocol is simulatable, so no shareholder can learn anything about the other parties inputs as long as the group action inverse problem is hard, even if we suspect their proof not to be entirely correct. \item However, we consider a context, in which the secret key is not held by a single party, but is shared in a secret sharing scheme. When an authorised set of shareholders gets a ciphertext \(c\) as input for decapsulation, they fix a turn order and one after another apply their respective share to the ciphertext in a round-robin fashion. Eventually, they arrive at the same key, that would result from applying the secret key in clear to the ciphertext. De Feo and Meyer showed, that this protocol is simulatable, so no shareholder can learn anything about the other parties inputs as long as the group action inverse problem is hard, even if we suspect their proof not to be entirely correct.
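Review bot: the line beginning "Let us have a look at the definition of a key exchange mechanism" describes key generation, encapsulation and decapsulation, which are the three algorithms of a key encapsulation mechanism (KEM); "key exchange mechanism" is non-standard and the acronym would not match, so consider "key encapsulation mechanism" here and on the conclusion slide. The fix of the unbalanced `\((E_0\)` to `\(E_0\)` on that line is correct. On the line stating the group action inverse problem, "the probability of providing a \(g\) that connects them both is negligible" should be qualified by who is computing it, e.g. "for any efficient adversary the probability of outputting a \(g\) with \(E' = [g] E\) is negligible", and "obvious continuation to the bracket notation" reads better as "obvious translation into the bracket notation". Dropping the affiliation in the acknowledgement line is a presentation choice and needs no change.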
...@@ -35,41 +35,46 @@ ...@@ -35,41 +35,46 @@
\item We skip the precise modified protocols, since they do not offer much insight, and directly present the resulting key exchange mechanism. \item We skip the precise modified protocols, since they do not offer much insight, and directly present the resulting key exchange mechanism.
Now, for our key exchange mechanism we once more need a key generation protocol, an encapsulation and a decapsulation protocol. Now, for our key exchange mechanism we once more need a key generation protocol, an encapsulation and a decapsulation protocol.
We adapted the key generation protocol, so that a trusted dealer -- as before -- samples the secret key and applies it to the fixed \(E_0\) to generate the public key. The secret key is then shared among the shareholders in what we call a "two-level" sharing. That is, the secret key is shared as before, yet each share is shared once more by the dealer, so that each shareholder eventually receives his share \(s_i\) of the secret key, the polynomial \(f_i\), with which his share was shared once more and a share of each other share of the secret key. We adapted the key generation protocol, so that a trusted dealer -- as before -- samples the secret key and applies it to the fixed \(E_0\) to generate the public key. The secret key is then shared among the shareholders in what we call a "two-level" sharing. That is, the secret key is shared as before, yet each share is shared once more by the dealer, so that each shareholder eventually receives his share \(s_i\) of the secret key, the polynomial \(f_i\), with which his share was shared, and a share of each other share of the secret key.
We leave the encapsulation protocol unchanged, since it is not affected by the modified sharing of the secret key. We leave the encapsulation protocol unchanged, since it is not affected by the modified sharing of the secret key.
%superauthorised set %superauthorised set
The decapsulation protocol underwent the most significant changes. At the core of it is still, that a shareholder \(P_i\) computes his output \(E^k\) by applying his share \(s_i\) multiplied by the Lagrange interpolation coefficient to his input \(E^{k-1}\), where \(k\) is his position in the turn order that the shareholders agreed on. The decapsulation protocol underwent the most significant changes. At the core of it is still, that a shareholder \(P_i\) computes his output \(E^k\) by applying his share \(s_i\) multiplied by the Lagrange interpolation coefficient to his input \(E^{k-1}\), where \(k\) is his position in the turn order.
But in our protocol he now proves, that he did indeed apply the correct input to \(E^{k-1}\). For that he samples a random \(R_k\) from the set \(\mathcal E\) and computes \(R_k'\) exactly as he computed \(E^k\), that is he applies \(L_{i,S^\ast} s_i\) to \(R_k\). He then proves, that \(R_k\) and \(R_k'\) and \(E^{k-1}\) and \(E^k\) are connected by the same element of the group \(\mathcal G\) and that he has knowledge of it. But in our protocol he now proves, that he did indeed apply the correct input to \(E^{k-1}\). For that he samples a pair from the set \(\mathcal E\), that is also connected by his secret mulitplied with the Lagrange coefficnent. He then proves, that the pair and \(E^{k-1}\) and \(E^k\) are connected by the same element secret and that he has knowledge of it.
He furthermore proves, that \(R_k'\) and \(R_k\) are connected by his share of the secret key via a piecewise verifiable proof. This holds, because each other shareholder holds an interpolation point of the polynomial, with which \(P_i\)'s share \(s_i\) was shared. By combining the zero-knowledge proof and the piecewise verifiable proof, \(P_i\) thereby shows, that \(E^k\) was computed correctly with his share of the secret key. He furthermore proves, that the pair is connected by his share of the secret key via a piecewise verifiable proof. This holds, because each other shareholder holds an interpolation point of the polynomial, with which \(P_i\)'s share \(s_i\) of the secret key was shared. By combining the zero-knowledge proof and the piecewise verifiable proof, \(P_i\) thereby shows, that \(E^k\) was computed correctly with his share of the secret key.
If all other shareholders participating in the decapsulation agree, that \(P_i\) behaved honestly, then \(P_i\) ends his turn. Otherwise, the protocol is restarted, but \(P_i\) is excluded from future runs. If all other shareholders participating in the decapsulation agree, that \(P_i\) behaved honestly, then \(P_i\) ends his turn. Otherwise, the protocol is restarted, but \(P_i\) is excluded from future runs.
The last shareholder eventually outputs the result of the decapsulation.
The last shareholder eventually outputs \(E^{\# S^\ast}\) as the result of the decapsulation. Our key exchange mechanism has the following qualities. It is IND-CPA. This means, nothing can be derived from a ciphertext generated by the encapsulation protocol
Our key exchange mechanism has the following qualities. It is IND-CPA. This means, that given a public key \(\pk\), a ciphertext \(c\) and two potential keys, an adversary cannot distinguish which one is linked to the ciphertext. We skip the precise security game here.
Also, our decapsulation protocol is simulatable. We proved this in reducing the group action inverse problem to distinguishing the output of a concrete simulator from a real transcript in a series of gamehops. Also, our decapsulation protocol is simulatable. We proved this in reducing the group action inverse problem to distinguishing the output of a concrete simulator from a real transcript in a series of gamehops.
And third, the decapsulation is actively secure, in that if a shareholder can provide an incorrect input to the decapsulation without being detected by the other participants, then he can either the zero-knowledge proof or the piecewise verifiable proof. And third, the decapsulation is actively secure, in that if a shareholder can provide an incorrect input to the decapsulation without being detected by the other participants, then he can break the soundness of the zero-knowledge proof or the piecewise verifiable proof.
\item We come to our next contribution and -- to be honest -- the initial motivation for this work. We initially started out to investigate, to which secret sharing schemes the original key exchange mechanism can be transferred and still work and provide the original security guaranties. We came to the conclusion, that a compatible secret sharing scheme has to fulfill three main characteristics in order to be compatible.
\item We come to our next contribution and -- to be honest -- the initial motivation for this work. We initially started out to investigate, to which secret sharing schemes the original key exchange mechanism can be transferred and still work and have the original security guarantees. We came to the conclusion, that a compatible secret sharing scheme has to fulfill three main characteristics in order to be compatible.
First, it needs independent reconstruction. This means, that the input of a shareholder in reconstructing a secret must not depend on what the other shareholders gave as input, since the input of each individual shareholder is hidden from the others by virtue of the group action inverse problem. First, it needs independent reconstruction. This means, that the input of a shareholder in reconstructing a secret must not depend on what the other shareholders gave as input, since the input of each individual shareholder is hidden from the others by virtue of the group action inverse problem.
Second, it needs self-contained reconstruction. That is, the shares of a secret have to live in the same space as the secret itself. This enables the two-level sharing, for which the shares of the secret key is shared once more among the shareholders.
Second, it needs self-contained reconstruction. That is, the shares of a secret have to live in the same space as the secret itself. This enables the two-level sharing, that we use in the key generation.
And third the secret sharing scheme must be compatible with the zero-knowledge proof and the piecewise verifiable proof in the hard homogeneous space. And third the secret sharing scheme must be compatible with the zero-knowledge proof and the piecewise verifiable proof in the hard homogeneous space.
Let us have a quick look at some examples of compatible and incompatible secret sharing schemes. Let us have a quick look at some examples of compatible and incompatible secret sharing schemes.
Shamir's secret sharing scheme obviously is compatible, since we gave our protocols in the context of it and the passively secure key exchange mechanism, that we started out with, was based on it. Shamir's secret sharing scheme obviously is compatible, since we gave our protocols in the context of it and the passively secure key exchange mechanism, that we started out with, was based on it.
Tassa's hierarchical threshold secret sharing scheme is an extension of Shamir's approach. It is also based on polynomial interpolation, yet the lower in the hierarchy you go, the higher the degree of the derivation of the original polynomial becomes, of which a shareholder gets interpolation points. It is directly compatible with our protocols, be it with some tweaks to the PVP. Tassa extended Shamir's approach in his hierarchical threshold secret sharing scheme. It is also based on polynomial interpolation, yet the lower in the hierarchy you go, the higher the degree of the derivation of the original polynomial becomes, of which a shareholder gets interpolation points. It is directly compatible with our protocols, be it with some tweaks to the PVP.
Damgard and Thorbek proposed a secret sharing scheme, in which integer secret rather than secrets from \(\ZZ_p\) are shared. The confidentiality of their scheme is only computational, so we deem it incompatible with our protocol. Damgard and Thorbek proposed a secret sharing scheme, in which integer secret rather than secrets from \(\ZZ_p\) are shared. The confidentiality of their scheme is only computational, so we deem it incompatible with our protocol.
The simplest of all secret sharing schemes, that is additive secret sharing, cannot support the piecewise verifiable proof with the shares not having any inner structure. It is hence incompatible with our key exchange mechanism. The simplest of all secret sharing schemes, that is additive secret sharing, cannot support the piecewise verifiable proof with the shares not having any inner structure. It is hence incompatible with our key exchange mechanism.
\item In conclusion, we proposed an actively secure key exchange mechanism in which the secret key is shared among a set of shareholders, that enables decapsulation without reconstructing the secret key. We proved the decapsulation protocol simulatable and actively secure, that is an adversary cannot learn any information from an execution and cannot interfere by providing false input without detection. The key exchange mechanism also provides indistinguishability under chosen message attack, that is nothing can be learned about an encapsulated key from the corresponding ciphertext. \item In conclusion, we propose an actively secure key exchange mechanism in which the secret key is shared among a set of shareholders, that enables decapsulation without reconstructing the secret key.
We proved the decapsulation protocol simulatable and actively secure, that is an adversary cannot learn any information from an execution and cannot interfere by providing false input without detection. The key exchange mechanism is also IND-CPA.
For this aim, we transferred the PVP and zero-knowledge proof to the threshold setting. For this aim, we transferred the PVP and zero-knowledge proof to the threshold setting.
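Review bot: the rewritten sentence beginning "For that he samples a pair from the set" introduces typos the old text did not have ("mulitplied" for "multiplied", "coefficnent" for "coefficient") and the phrase "connected by the same element secret" is garbled; it should read "connected by the same secret element of \(\mathcal G\)". The rewrite also drops the names \(R_k\) and \(R_k'\), so the next sentence, "that the pair is connected by his share of the secret key", has no explicit referent; keep \(R_k\) and \(R_k'\), which the old text defined, so the zero-knowledge proof statement stays concrete. The new IND-CPA sentence ("This means, nothing can be derived from a ciphertext generated by the encapsulation protocol") ends without a period and replaces the old, more precise description (public key, ciphertext, two candidate keys, adversary cannot distinguish) as well as the explicit decapsulation output \(E^{\# S^\ast}\); both were worth keeping. Renaming "indistinguishability under chosen message attack" to IND-CPA in the conclusion is correct, since CPA is chosen-plaintext. Smaller points on unchanged lines in this hunk: "be it with some tweaks to the PVP" should be "albeit with some tweaks to the PVP", "integer secret rather than secrets" should be "integer secrets rather than secrets", and "Damgard" should be "Damgård".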
......