3,969 research outputs found
Communication-Efficient Proactive MPC for Dynamic Groups with Dishonest Majorities
International audienceSecure multiparty computation (MPC) has recently been increasingly adopted to secure cryptographic keys in enterprises, cloud infrastructure, and cryptocurrency and blockchain-related settings such as wallets and exchanges. Using MPC in blockchains and other distributed systems highlights the need to consider dynamic settings. In such dynamic settings, parties, and potentially even parameters of underlying secret sharing and corruption tolerance thresholds of sub-protocols, may change over the lifetime of the protocol. In particular, stronger threat models-in which mobile adversaries control a changing set of parties (up to t out of n involved parties at any instant), and may eventually corrupt all n parties over the course of a protocol's execution-are becoming increasingly important for such real world deployments; secure protocols designed for such models are known as Proactive MPC (PMPC). In this work, we construct the first efficient PMPC protocol for dynamic groups (where the set of parties changes over time) secure against a dishonest majority of parties. Our PMPC protocol only requires O(n 2) (amortized) communication per secret, compared to existing PMPC protocols that require O(n 4) and only consider static groups with dishonest majorities. At the core of our PMPC protocol is a new efficient technique to perform multiplication of secret shared data (shared using a bivariate scheme) with O(n √ n) communication with security against a dishonest majority without requiring pre-computation. We also develop a new efficient bivariate batched proactive secret sharing (PSS) protocol for dishonest majorities, which may be of independent interest. This protocol enables multiple dealers to contribute different secrets that are efficiently shared together in one batch; previous batched PSS schemes required all secrets to come from a single dealer
Communication-Efficient Proactive Secret Sharing for Dynamic Groups with Dishonest Majorities
In standard Secret Sharing (SS), a dealer shares a secret among parties such that an adversary corrupting no more than parties does not learn , while any parties can efficiently recover . Proactive Secret Sharing (PSS) retains confidentiality of even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold in each epoch (called a refresh period). Withstanding such adversaries has become of increasing importance with the emergence of settings where private keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of single-secret PSS for static groups with dishonest majorities was demonstrated but with a protocol that requires inefficient communication of .
In this work, we improve over prior work in three directions: batching without incurring a linear loss in corruption threshold, communication efficiency, and handling dynamic groups. While each of properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. Some PSS protocols can handle batching of secrets, but all of them are for the honest majority setting. Techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in , effectively limiting the number of elements that can be batched with dishonest majority. We solve this problem by reducing the threshold decrease to instead, allowing us to deal with the dishonest majority setting when . This is accomplished based on new bivariate-polynomials-based techniques for sharing, and refreshing and recovering of shares, that allow batching of up to secrets in our PSS. To tackle the efficiency bottleneck the constructed PSS protocol requires only communication for secrets, i.e., an amortized communication complexity of when the maximum batch size is used. To handle dynamic groups we develop three new sub-protocols to deal with parties joining and leaving the group
Building Regular Registers with Rational Malicious Servers and Anonymous Clients
The paper addresses the problem of emulating a regular register in a synchronous distributed system where clients invoking and operations are anonymous while server processes maintaining the state of the register may be compromised by rational adversaries (i.e., a server might behave as rational malicious Byzantine process). We first model our problem as a Bayesian game between a client and a rational malicious server where the equilibrium depends on the decisions of the malicious server (behave correctly and not be detected by clients vs returning a wrong register value to clients with the risk of being detected and then excluded by the computation). We prove such equilibrium exists and finally we design a protocol implementing the regular register that forces the rational malicious server to behave correctly
Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning
The secret keys of critical network authorities - such as time, name,
certificate, and software update services - represent high-value targets for
hackers, criminals, and spy agencies wishing to use these keys secretly to
compromise other hosts. To protect authorities and their clients proactively
from undetected exploits and misuse, we introduce CoSi, a scalable witness
cosigning protocol ensuring that every authoritative statement is validated and
publicly logged by a diverse group of witnesses before any client will accept
it. A statement S collectively signed by W witnesses assures clients that S has
been seen, and not immediately found erroneous, by those W observers. Even if S
is compromised in a fashion not readily detectable by the witnesses, CoSi still
guarantees S's exposure to public scrutiny, forcing secrecy-minded attackers to
risk that the compromise will soon be detected by one of the W witnesses.
Because clients can verify collective signatures efficiently without
communication, CoSi protects clients' privacy, and offers the first
transparency mechanism effective against persistent man-in-the-middle attackers
who control a victim's Internet access, the authority's secret key, and several
witnesses' secret keys. CoSi builds on existing cryptographic multisignature
methods, scaling them to support thousands of witnesses via signature
aggregation over efficient communication trees. A working prototype
demonstrates CoSi in the context of timestamping and logging authorities,
enabling groups of over 8,000 distributed witnesses to cosign authoritative
statements in under two seconds.Comment: 20 pages, 7 figure
A High-Assurance Evaluator for Machine-Checked Secure Multiparty Computation
Secure Multiparty Computation (MPC) enables a group of
distrusting parties to jointly compute a function using private
inputs. MPC guarantees correctness of computation and confidentiality
of inputs if no more than a threshold of the parties are corrupted.
Proactive MPC (PMPC) addresses the stronger threat model of a
mobile adversary that controls a changing set of parties (but
only up to at any instant), and may eventually corrupt all parties over a long time.
This paper takes a first stab at developing high-assurance
implementations of (P)MPC. We formalize in EasyCrypt, a tool-assisted
framework for building high-confidence cryptographic proofs, several
abstract and reusable variations of secret sharing and of (P)MPC protocols
building on them. Using those, we prove a series of abstract theorems for the
proactive setting. We implement and perform computer-checked security
proofs of concrete instantiations of the required (abstract) protocols in
EasyCrypt.
We also develop a new tool-chain to extract
high-assurance executable implementations of protocols formalized and
verified in EasyCrypt. Our tool-chain uses Why as an intermediate tool, and enables us
to extract executable code from our (P)MPC
formalizations. We conduct an evaluation of the extracted executables by
comparing their performance to performance of manually implemented versions using
Python-based Charm framework for prototyping
cryptographic schemes. We argue that the small overhead of our
high-assurance executables is a reasonable price to pay for the
increased confidence about their correctness and security
On Regenerating Codes and Proactive Secret Sharing: Relationships and Implications
We look at two basic coding theoretic and cryptographic mechanisms developed separately and investigate relationships between them and their implications. The first mechanism is Proactive Secret Sharing (PSS), which allows randomization and repair of shares using information from other shares. PSS enables constructing secure multi-party computation protocols that can withstand mobile dynamic attacks.
This self-recovery and the redundancy of uncorrupted shares allows a system to overcome recurring faults throughout its lifetime, eventually finishing the computation (or continuing forever to maintain stored data). The second mechanismis Regenerating Codes (RC) which were extensively studied and adopted in distributed storage systems. RC are error correcting (or erasure handling) codes capable of recovering a block of a distributively held codeword from other servers\u27 blocks. This self-healing nature enables more robustness of a code distributed over different machines. Given that the two mechanisms have a built-in self-healing (leading to stabilizing) and that both can be based on Reed Solomon Codes, it is natural to formally investigate deeper relationships between them.
We prove that a PSS scheme can be converted into an RC scheme, and that under some conditions RC can be utilized to instantiate a PSS scheme. This allows us, in turn, to leverage recent results enabling more efficient polynomial interpolation (due to Guruswami and Wooters) to improve the efficiency of a PSS scheme. We also show that if parameters are not carefully calibrated, such interpolation techniques (allowing partial word leakage) may be used to attack a PSS scheme over time.
Secondly, the above relationships give rise to extended (de)coding notions. Our first example is mapping the generalized capabilities of adversaries (called generalized adversary structures) from the PSS realm into the RC one. Based on this we define a new variant of RC we call Generalized-decoding Regenerating Code (GRC) where not all network servers have a uniform sub-codeword (motivated by non-uniform probability of attacking different servers case). We finally
highlight several interesting research directions due to our results, e.g., designing new improved GRC, and more adaptive RC re-coding techniques
- …