# Dynamic Threshold Public-Key Encryption

Dynamic Threshold Public-Key Encryption ... signature decryption Threshold Cryptography The access structure (authorized subsets) is dened by a thresh...

Dynamic Threshold Public-Key Encryption ´ ´ Cecile Delerablee

David Pointcheval ´ Ecole normale superieure

Orange Labs

CRYPTO 2008 August 20th, 2008

Formal Model

Our Construction

Threshold Cryptography When one cannot fully trust a unique person, but possibly a pool of individuals, the secret operation is distributed, so that authorized subsets only can perform it signature decryption Threshold Cryptography The access structure (authorized subsets) is defined by a threshold: any group of t players can perform the secret operation below this threshold, no power is provided to them

Conclusion

Formal Model

Our Construction

Conclusion

Threshold Public-Key Encryption

A ciphertext can be decrypted only if at least t users cooperate. Below this threshold, no additional information about the plaintext is leaked. Many applications: electronic voting (decryption of the final result only) key-escrow identity-based cryptography (secret key extraction) etc

Formal Model

Our Construction

Conclusion

Classical Technique: ElGamal G = hgi is a group of prime order p Lagrange Interpolation (Shamir’s Secret Sharing) GM generates a polynomial P of degree t − 1 over Zp each group member i ∈ {1, . . . n} receives ski = P(i) the group public key is PK = g sk , where sk = P(0) t users can recover sk, less than t users have no information. Threshold ElGamal Encryption one can encrypt a message m ∈ G: c1 = g r , c2 = PKr × m in order to decrypt, one has to compute a = PKr = c1sk : each user i computes ai = c1ski with t values, a can be “interpolated”.

Formal Model

Our Construction

Conclusion

Limitations At the key generation phase: the target group (or set) is fixed (the public key) the threshold t, to define the authorized subsets, is fixed Dynamic Threshold Encryption any user can dynamically join the system as a future receiver the sender can dynamically choose the target set S the sender can dynamically set the threshold t Related to Threshold broadcast encryption

[Daza, Herranz, Morillo, R`afols – ProvSec ’07]

Ciphertext linear in O(S) Formal Model

Outline

1

Formal Model

2

Our Construction

3

Conclusion

Our Construction

Conclusion

Formal Model

Our Construction

Conclusion

A Dynamic TPKE Scheme: Encryption/Decryption Setup(λ).

It outputs a set of parameters PARAM = (MK, EK, DK, VK, CK) MK is the master secret key: for adding new users Join(MK, ID). With MK and the identity ID of a new user, it outputs the user’s keys (usk, upk, uvk) Encrypt(EK, S, t, M). With the target set S (the public keys upk), and the threshold t, it outputs an encryption of the message M ShareDecrypt(DK, ID, usk, C). With his private key usk, user ID gets his decryption share σ, or ⊥ Combine(CK, S, t, C, T , Σ). With an authorized subset T (subset of t targeted users), and Σ = (σ1 , . . . , σt ) a list of t decryption shares, it outputs a cleartext M, or ⊥ Formal Model

Our Construction

Conclusion

A Dynamic TPKE Scheme (Cont’d) Robustness is achieved by public verification tools: ValidateCT(EK, S, t, C). It checks whether C is a valid ciphertext with respect to EK, S and t ShareVerify(VK, ID, uvk, C, σ). It checks whether σ is a valid decryption share with respect to uvk KEM-DEM methodology: an ephemeral secret key K is first generated (KEM) a symmetric mechanism is used to encrypt the data (DEM) Encrypt(EK, S, t). With the target set S (the public keys upk), and a threshold t, it outputs an ephemeral key K , and the key encapsulation material HDR

Formal Model

Our Construction

Conclusion

Security Model Correctness. Valid encryptions should be correctly checked and decrypted, legitimate decryptions should be correctly verified, and should lead to the plaintext/ephemeral key Robustness. It t shares are correctly checked with ShareVerify, then the Combine algorithm outputs the correct key K Privacy.

Formal Model

For any header HDR encrypted for a target set S of registered users with a threshold t, any collusion that contains less than t users from this target set cannot learn any information about the ephemeral key K Our Construction

Conclusion

Security Model: Privacy Setup:

The challenger runs Setup(λ) and the public parameters (EK, DK, VK, CK) are given to the adversary.

Query phase 1: The adversary A adaptively issues queries: Join queries (on a new user ID) Corrupt queries (on an existing user ID) to learn private keys ShareDecrypt queries (on an ID and a header HDR) to learn the partial decryption Challenge: A outputs a set of users S ? and a threshold t ? . The challenger randomly selects b ← {0, 1}, and gets (K0 , HDR? ) = Encrypt(EK, S ? , t ? ), and randomly chooses an ephemeral key K1 : it returns (Kb , HDR? ) to A. Query phase 2: as Query phase 1 Guess:

The adversary A outputs its guess b0 for b

Formal Model

Our Construction

Conclusion

Security Levels With the natural restrictions on the oracle queries wrt. the target set and the threshold, the A is defined as advantage of 1 AdvA (λ) = Pr[b0 = b] − . 2 As usual, Adv(T , n, m, t, qC , qD ) denotes the maximal value over the adversaries A such that it runs within time T it makes at most n Join-queries qC Corrupt-queries qD ShareDecrypt-queries

the size of S ? is upper-bounded by m the value of t ? is upper-bounded by t. Formal Model

Our Construction

Conclusion

Security Level: the Basic one Non-Adaptive Adversary (NAA) We restrict the adversary to decide before the setup the set S ? and the threshold t ? to be sent to the challenger Non-Adaptive Corruption (NAC) We restrict the adversary to decide before the setup the identities that will be corrupted Chosen-Plaintext Adversary (CPA) We prevent the adversary from issuing ShareDecrypt-queries (n, m, t, qC )-IND-NAA-NAC-CPA security Non-adaptive adversary, non-adaptive corruption, and CPA

Formal Model

Our Construction

Conclusion

Aggregate Tool

Our Combine algorithm makes use of the Aggregate tool [Delerabl´ee, Paillier, and Pointcheval – Pairing ’07]

It allows to compute L=A

1 (γ+x1 )...(γ+xt )

∈ GT

1 γ+xj

given A and Σ = {(xj , aj = A )}tj=1 , but γ private, where the xj ’s are pairwise distinct.

Formal Model

Our Construction

Conclusion

Our Construction: Setup Setup(λ). Given a bilinear setting, e : G1 × G2 → GT , with generators g ∈ G1 and h ∈ G2 R

γ, α ← Z∗p D = {di }m−1 i=1 of random values in Zp , where m is the maximal size of a target set (D corresponds to a set of public dummy users) u = g α·γ v = e (g, h)α The master secret key: MK = (g, γ, α)   i 2m−1 α α·γ The encryption key: EK = m, u, v , h , {h }i=1 , D The decryption key: DK = ∅   i m−2 γ The combining key: CK = m, h, {h }i=1 , D

Formal Model

Our Construction

Conclusion

Our Construction: Join/Encrypt Join(MK, ID). Given MK = (g, γ, α), and an identity ID, it randomly chooses a new x ∈ Zp : upk = x

usk = g

1 γ+x

Encrypt(EK, S, t). Given a set S = {upk1 = x1 , . . . , upks = xs } and a threshold t (with t ≤ s ≤ m), Encrypt picks R k ← Z∗p , and sets HDR =Q(C1 , C2 ) and K = vk: Q k·α· x ∈S (γ+xi )· x∈D (γ+x) m+t−s−1 i C1 = u −k C2 = h a set of m + t − s − 1 dummy users + a set of s authorized users ⇒ a polynomial of degree m + t − 1 in the exponent of h: m + t − 1 ≤ 2m − 1: can be computed from EK the cooperation of t authorized users will decrease the degree of the polynomial in v to degree m − 1: too high degree for CK! Formal Model

Our Construction

Conclusion

Our Construction: Decryption ShareDecrypt(ID, usk, HDR). Given HDR = (C1 , C2 ) and usk = g

1 γ+x

σ = e (usk, C2 ) = v

Q (γ+xi ) k· x ∈S∪D m+t−s−1 i γ+x

.

Combine(CK, HDR, T , Σ). Given a set Σ of t decryption shares:

c=

Q

   1 c p(γ) K = e C1 , h · Aggregate(v , Σ) x∈S∪Dm+t−s−1 \T 1 γ

Q

x ∈ Zp



p(γ) = · x∈S∪Dm+t−s−1 \T (γ + x) − c , a polynomial of degree m − 2, computable from CK

Formal Model

Our Construction

Conclusion

Our Construction: Decryption (Cont’d) K

0



p(γ)



= e C1 , h · Aggregate(v , Σ) Q   k· x∈S∪D (γ+x) −k·γ p(γ) m+t−s−1 \T = e g ,h ·v = v −k·γ·p(γ) · v k·(γ·p(γ)+c) = v k·c = K c .

ValidateCT(EK, S, t, HDR). Given HDR = (C1 , C2 ) C10 = u −1

C20 = h

α·

Q

x∈S∪Dm+t−s−1 (γ+x)

HDR = (C1 , C2 ) is valid with respect to S if and only if there exists a scalar k such that C1 = C10 k and C2 = C20 k :  ?  0 0 e C1 , C2 = e C1 , C2 Formal Model

Our Construction

Conclusion

Our Construction: Security Result Theorem Adv(T , n, m, t, `, 0) ≤ 2 · Advmse−ddh (T 0 , `, m, t). (`, m, t)-Multi-Sequence of Exponents DDH Let f and g be two random coprime polynomials, of respective orders ` and m, with pairwise distinct roots x1 , . . . , x` and y1 , . . . , ym respectively, as well as x1 , . . . , x` , y1 , . . . , ym `+t−2 g, g γ , . . . , g γ , g k·γ·f (γ) , `+t g α , g α·γ , . . . , g α·γ , m−2 h, hγ , . . . , hγ , 2m−1 hα , hα·γ , . . . , hα·γ , hk·g(γ) , and T ∈ GT , decide whether T is equal to e (g, h)k·f (γ) or not

Formal Model

Our Construction

Conclusion

Our Construction: Security Result Lemma (Generic Security

[Boneh, Boyen, Goh – Eurocrypt ’05])

For any probabilistic algorithm A that makes at most q queries to the group oracles, with d = 4(` + t) + 6m + 2 mse−ddh

(q + 4(` + t) + 6m + 4)2 · d (A, `, m, t) ≤ 2p

Theorem (Generic Security) Our construction is secure against non-adaptive and generic adversaries under non-adaptive corruption and chosen-plaintext attacks Formal Model

Our Construction

Conclusion

Our Construction: Efficiency Ciphertext Size k·α·

Q

x ∈S (γ+xi )·

Q

x∈Dm+t−s−1 i Ciphertext: C1 = u −k , C2 = h The header has a constant size: two group elements

(γ+x)

Decryption 1

Given HDR = (C1 , C2 ) and usk = g γ+x , σ = e (usk, C2 ). The user decryption is quite efficient: one pairing Non-Interactive Combination    1 c p(γ) K = e C1 , h · Aggregate(v , Σ) The combination step does not need any interaction

Formal Model

Our Construction

Conclusion

Extensions: Random Oracle Model All the previous properties are achieved in the standard model (under the MSE−DDH assumption) Robustness Easily achieved in the random oracle model, using Schnorr-like proof of equality of discrete logarithms Identity-Based It is simple to get an ID-based version in the random oracle model, by simply taking upk = x = H(ID)

Formal Model

Our Construction

Conclusion

Security model for (dynamic) threshold public-key encryption (a.k.a. threshold broadcast encryption) Efficient and provably secure candidate the first with constant-size header But still a lot of work on this topic: Use of a new non-standard assumption Secure against restricted adversaries only: Chosen-plaintext attacks Non-adaptive adversaries

Conclusion