53 research outputs found

    Adaptively Secure Consensus with Linear Complexity and Constant Round under Honest Majority in the Bare PKI Model, and Separation Bounds from the Idealized Message-Authentication Model

    We consider the mainstream model in secure computation known as the bare PKI setup, also known as the bulletin-board PKI. It allows players to broadcast once and non-interactively before they receive their inputs and start the execution. A bulletin-board PKI is essentially the minimum setup known so far to implement the model known as messages-authentication, i.e., when P is forwarded a signed message, it considers it to be issued by R if and only if R signed it. It is known since [Lamport et al, 82] that BA under honest majority (let alone secure computation) would not be possible without messages-authentication. But as further highlighted by [Borcherding, 96], messages-authentication cannot simply be implemented with digital signatures, without a bulletin-board of public keys. So the bulletin-board PKI setup and the messages-authentication model seem very close: this raises the question whether there is a separation between them. In the bulletin-board PKI setup, the most communication-efficient synchronous BA is the one of [Boyle-Cohen-Goel, Podc'21 & J. Cryptol.'24], which has O(n·polylog(n)) bit complexity, f < n(1/3 - ε) resilience and tolerates an adversary which cannot adaptively corrupt after the setup. Our main upper-bound is a BA (and also a VBA) in this same model with strictly better parameters: quasi-optimal resilience f < n(1/2 - ε), with an expected bit complexity of communications which is linear in n, and tolerance to an adaptive rushing adversary (but which unavoidably cannot remove messages sent). As [BCG'21], they have constant expected latency. All previous BAs or VBAs achieving the same metrics as our upper bound are either in the static adversary model: Sleepy [Pass-Shi, Asiacrypt'17], Snow White [Daian-Pass-Shi, FC'19], or assume more than a bare PKI setup: (i) The model of Thunderella [Pass-Shi, EC'17], Algorand [Gilad et al, SOSP'17], Praos [David et al, EC'18], [Goyal et al, FC'21] and [Momose et al, CCS'22 and CCS'23] assumes a public random seed which is unpredictable until strictly after all players published on the bulletin board; (ii) [Abraham et al, Podc'19] assume a trusted entity which honestly samples the keys of all players; (iii) All known implementations of the setups (i) and (ii), as well as the setup of [Blum et al, TCC'20], require interactions, furthermore in the form of BAs. (iv) [Garay-Kiayas-Shen '23] assume that honest players work more than the adversary, or, [Eckey-Faust-Loss et al '17 '22] at least as fast. Of independent interest, our tool is a very simple non-interactive mechanism which sets up a self-sortition function from non-interactive publications on the bulletin board, and still guarantees an honest majority in every committee up to probability exponentially small in both ε and in the multicast complexity. We provide the following further results.
    - Optimality. We show that resilience up to a tight honest majority f < n/2 is impossible for any multicast-based adaptively secure BA with subquadratic communication, whatever the setup.
    - Separation. We show impossibility of subquadratic multicast-based BA in the messages-authentication model. Our model for this lower bound is even stronger, since it onboards other assumptions at least as strong as all popular implications of a bulletin-board PKI setup: secure channels, a (possibly structured) random string, NIZK.
    - Partial synchrony. Given that the multicast lower-bound holds a fortiori, and that the upper-bound adapts seamlessly (for f < n(1/3 - ε)), the separation also holds. We show a second separation, which holds for general BAs, not necessarily multicast-based: any partially-synchronous BA in the messages-authentication model, if it has linear message complexity, then it has latency at least logarithmic in f.
    - Extension to VBA. We extend to VBA the logarithmic latency lower bound. This is the first communication lower bound for randomized VBA to our knowledge. It shows that the separation under partial synchrony also holds for VBA. Along the way, we close the characterization of [Civit et al, Podc'23] of validity conditions in authenticated consensus, by apparently new results on VBA: both BA and VBA are infeasible under partial synchrony beyond f < n/3, whatever the setup; whereas synchronous VBA is feasible up to f = n-1 (contrary to BA).

    Share & Shrink: (In-)Feasibility of MPC from one Broadcast-then-Asynchrony, and Improved Complexity

    We consider protocols for secure multi-party computation (MPC) under honest majority, i.e., for N = 2t+1 players of which t are corrupt, that achieve guaranteed output delivery (GOD), and which operate in 1 single initial round of broadcast (BC), followed by some steps of asynchronous peer-to-peer (P2P) messages. The power of closely related "hybrid networks" was studied in [Fitzi-Nielsen, Disc'09], [Beerliova-Hirt-Nielsen, Podc'10], [Patra-Ravi, IEEE Trans. Inf. Theory'18] and [Choudhury, Podc'20]. The interest of such protocols is that they go at the actual speed of the network, and their security is preserved under arbitrary network conditions (past the initial broadcast). We first complete the picture of this model with an impossibility result showing that some setup is required to achieve honest majority MPC with GOD. We then consider a bare bulletin-board PKI setup, and leverage recent advances on multi-key fully homomorphic encryption [BJMS, Asiacrypt'20], to state feasibility of MPC in a tight 1 BC then 1 single step of asynchronous P2P. We then consider efficiency. The only protocols which can be adapted to tolerate such a network model and setup are [Gordon-Liu-Shi, Crypto'15] and [BJMS, Asiacrypt'20]. The former does not allow inputs from external lightweight owners and is inherently limited to the GSW FHE, while the sizes of the ciphertexts of the latter are quadratic in the number of input owners. Our main contribution is a very simple and generic design which enables MPC in 1 BC-then-asynchronous P2P. It operates over ciphertexts encrypted under a (threshold) single-key encryption scheme. Hence, they have the smallest sizes expectable. It operates from any public key encryption scheme with a key generation, encryption and decryption which are built from linear maps (such as GSW, BFV, CL). Our main building block is the squishing in the BC of both the publicly verifiable sharing of the inputs ("Share"), in parallel with distributed key generation (DKG), then followed by threshold encryption ("Shrink") in one step of asynchronous P2P. As a bonus, this design allows inputs from possibly lightweight external owners. We then aim at instantiating the design from the BFV FHE, but surprisingly there exists no robust threshold BFV scheme. Precisely, all existing protocols for generating a common relinearisation key can abort as soon as one player deviates. We solve this issue with a relinearisation key (adapted from [CDKS, CCS'19]) which we show how to securely generate in parallel with the threshold key, in the same broadcast. We thus obtain the first robust threshold BFV. We believe that this contribution is of independent interest. Also of independent interest, as an optional alternative, we propose the first threshold FHE decryption enabling simultaneously: (i) robustness under asynchrony with honest majority; (ii) tolerating a power-of-small-prime ciphertext modulus, e.g., 2^e; and (iii) secret shares of sizes quasi-independent of N.

    Compressed Σ-Protocols for Bilinear Group Arithmetic Circuits and Application to Logarithmic Transparent Threshold Signatures

    Lai et al. (CCS 2019) have shown how Bulletproof's arithmetic circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, i.e., without requiring these circuits to be translated into arithmetic circuits. In a nutshell, a bilinear group arithmetic circuit is a standard arithmetic circuit augmented with special gates capturing group exponentiations or pairings. Such circuits are highly relevant, e.g., in the context of zero-knowledge statements over pairing-based languages. As expressing these special gates in terms of a standard arithmetic circuit results in a significant overhead in circuit size, an approach to zero-knowledge via standard arithmetic circuits may incur substantial additional costs. The approach due to Lai et al. shows how to avoid this by integrating additional zero-knowledge techniques into the Bulletproof framework so as to handle the special gates very efficiently. We take a different approach by generalizing Compressed Σ-Protocol Theory (CRYPTO 2020) from arithmetic circuit relations to bilinear group arithmetic circuit relations. Besides its conceptual simplicity, our approach has the practical advantage of reducing the communication costs of Lai et al.'s protocol by roughly a multiplicative factor 3. Finally, we show an application of our results which may be of independent interest. We construct the first k-out-of-n threshold signature scheme (TSS) that allows for transparent setup and that yields threshold signatures of size logarithmic in n. The threshold signature hides the identities of the k signers and the threshold k can be dynamically chosen at aggregation time.

    Constant Size Secret Sharing: with General Thresholds, Towards Standard Assumptions, and Applications

    We consider threshold Computational Secret Sharing Schemes, i.e., such that the secret can be recovered from any t+1 out of n shares, and such that no computationally bounded adversary can distinguish between t shares of a chosen secret and a uniform string. We say that such a scheme has Constant Size (CSSS) if, in the asymptotic regime of many shares of size small in the security parameter, the total size of shares reaches the minimum, which is the size of an erasure-correcting encoding of the secret with the same threshold. But all CSSS so far have only the maximum threshold, i.e., t = n-1. They are known as All Or Nothing Transforms (AONT). On the other hand, for arbitrary thresholds t < n-1, the shortest scheme known so far is [Kra93, Crypto], which has instead twice larger size in the previous regime, due to a size overhead of n times the security parameter. The other limitation of known CSSS is that they require a number of calls to idealized primitives which grows linearly with the size of the secret. Our first contribution is to show that the CSSS of [Des00, Crypto], which holds under the ideal cipher assumption, loses its privacy when instantiated with a plain pseudorandom permutation. Our main contribution is a scheme which is the first CSSS for any threshold t, and furthermore, whose security holds, for the first time, under any plain pseudorandom function, with the only idealized assumption being in the key-derivation function. It is based on the possibly new observation that the scheme of [Des00] can be seen as an additive secret-sharing of an encryption key, using the ciphertext itself as a source of randomness. A variation of our construction enables improvement upon known schemes, that we denote as Encryption into Shares with Resilience against Key exposure (ESKE), having the property that all ciphertext blocks are needed to obtain any information, even when the key is leaked. We obtain the first ESKE with arbitrary threshold t and constant size, furthermore in one pass of encryption. Also, for the first time, the only idealized assumption is in the key-derivation. Then, we demonstrate how to establish fast revocable storage on an untrusted server, from any black box ESKE. Instantiated with our ESKE, encryption and decryption both require only 1 pass of symmetric primitives under standard assumptions (except the key-derivation), compared to at least 2 consecutive passes in [MS18, CT-RSA] and more in [Bac+16, CCS]. We finally bridge the gap between two conflicting specifications of AONT in the literature: one very similar to CSSS, which has indistinguishability, and one which has not.

    Breaking the t < n/3 Consensus Bound: Asynchronous Dynamic Proactive Secret Sharing under Honest Majority

    A proactive secret sharing scheme (PSS), expressed in the dynamic-membership setting, enables a committee of n holders of secret-shares, dubbed players, to securely hand over new shares of the same secret to a new committee. We dub such a sub-protocol a Refresh. All existing PSS under an honest majority require the use of a broadcast (BC) in each refresh. BC is costly to implement, and its security relies on timing assumptions on the network. So the privacy of the secret and/or its guaranteed delivery either depend on network assumptions, or on the reliability of a public ledger. By contrast, PSS over asynchronous channels do not have these constraints. However, all of them (but one, with exponential complexity) use asynchronous verifiable secret sharing (AVSS) and consensus (MVBA and/or ACS), which are impossible under asynchrony beyond t < n/3 corruptions, whatever the setup. We present a PSS, named asynchronous-proactive secret sharing (APSS), which is the first PSS under honest majority with guaranteed output delivery in a completely asynchronous network. More generally, APSS allows any flexible threshold t < n, such that privacy and correctness are guaranteed up to t corruptions, and liveness as soon as t+1 players behave honestly. Correctness can be lifted to any number of corruptions, provided a linearly homomorphic commitment scheme. Moreover, each refresh completes at the record speed of 2δ, where δ is the actual message delivery delay. APSS demonstrates that proactive refreshes are possible as long as players of the initial committee only have a common view on a set of (publicly committed or encrypted) shares. Despite not providing consensus on a unique set of shares, APSS surprisingly enables the opening of any linear map over secrets non-interactively, without consensus. This, in turn, applies to threshold signing, decryption and randomness generation. APSS can also be directly integrated into the asynchronous Schnorr threshold signing scheme Roast [CCS'22]. Of independent interest, we:
    - provide the first UC formalization (and proof) of proactive AVSS, furthermore for arbitrary thresholds;
    - provide additional mechanisms enabling players of a committee to start a refresh then erase their old shares, synchronously up to δ from each other;
    - improve by 50x the verification speed of the NIZKs of encrypted re-sharing of [Cascudo et al, Asiacrypt'22], by using novel optimizations of batch Schnorr proofs of knowledge.
    We demonstrate the efficiency of APSS with an implementation which uses this optimization as baseline.

    Brief announcement: Malicious security comes for free in consensus with leaders

    We consider consensus protocols in the model that is most commonly considered for use in state machine replication, as initiated by Dwork-Lynch-Stockmeyer, then by Castro-Liskov in 1999 with "PBFT". Such protocols guarantee, assuming n players out of which t < n/3 are maliciously corrupted, that the honest players output the same valid value within a finite number of messages, after the (unknown) point in time where both: the network becomes synchronous, and a designated player (the leader) is honest. The state of the art (Hotstuff, PODC'19) achieves linear communication complexity, but at the cost of additional latency, due to one more round-trip with the leader. Furthermore, it relies on constant-size threshold signature schemes (TSS), for which all prior-known constructions require a costly interactive (or trusted) setup. We remove all of these limitations. The communication bottleneck of PBFT lies in the subprotocol, denoted as "view change", in which the leader forwards 2t+1 signed messages to each player. Then, each player checks that these 2t+1 messages satisfy some predicate, which we denote "non-supermajority". We replace this with a responsive subprotocol, with linear communication complexity, that enables players to check this predicate. Its construction is elementary, since it requires only black box use of any TSS. In the full version of our paper [malicious2] we achieve three things. Firstly, we further optimize this subprotocol from succinct arguments of many signed messages, which we instantiate from Attema-Cramer-Rambaud [ACR20, 2021-3-9 version]. As an introduction to these methods, we discuss here the simplest case, which is the construction in [ACR20] of the first logarithmic-sized TSS with transparent setup. Second, we also address another complexity challenge pointed out in Hotstuff, namely, that protocols with fast termination in favorable runs have so far quadratic complexity, due to an even more complex view change. Third, we enable halting in finite time with (amortized) linear complexity, which was an unsolved question so far when external validity is required.

    Compressed Sigma-Protocols for bilinear circuits and applications to logarithmic-sized transparent Threshold Signature Schemes

    Recently, there has been a great development in communication-efficient zero-knowledge (ZK) protocols for arithmetic circuit relations. Since any relation can be translated into an arithmetic circuit relation, these primitives are extremely powerful and widely applied. However, this translation often comes at the cost of losing conceptual simplicity and modularity in cryptographic protocol design. For this reason, Lai et al. (CCS 2019) show how Bulletproof's communication-efficient circuit zero-knowledge protocol (Bootle et al., EUROCRYPT 2016 and Bünz et al., S&P 2018) can be generalized to work for bilinear group arithmetic circuits directly, without requiring these circuits to be translated into arithmetic circuits. For many natural relations their approach is actually more efficient than the indirect circuit ZK approach. We take a different approach and show that the arithmetic circuit model can be generalized to any circuit model in which (a) all wires take values in (possibly different) Zq-modules and (b) all gates have fan-in 2 and are either linear or bilinear mappings. We follow a straightforward generalization of Compressed Σ-Protocol Theory (CRYPTO 2020). We compress the communication complexity of a basic Σ-protocol for proving linear statements down to logarithmic. Then, we describe a linearization strategy to handle non-linearities. Besides its conceptual simplicity our approach also has practical advantages; we reduce the constant of the logarithmic component in the communication complexity of the CCS 2019 approach from 16 down to 6 and that of the linear component from 3 down to 1. Moreover, the generalized commitment scheme required for bilinear circuit relations is also advantageous to standard arithmetic circuit ZK protocols, since its application immediately results in a square root reduction of public parameter size. The implications of this improvement can be significant, because many application scenarios result in very large sets of public parameters. As an application of our compressed protocol for proving linear statements we construct the first k-out-of-n threshold signature scheme (TSS) with both transparent setup and threshold signatures of size O(κ log(n)) bits for security parameter κ. Each individual signature is of a so-called BLS type, the threshold signature hides the identities of the k signers and the threshold k can be dynamically chosen at aggregation time. Prior TSSs either result in sub-linear size signatures at the cost of requiring a trusted setup, or the cost of the transparent setup amounts to linear (in k) size signatures.

    Asymptotically Good Multiplicative LSSS over Galois Rings and Applications to MPC over Z/p^kZ

    We study information-theoretic multiparty computation (MPC) protocols over rings Z/p^kZ that have good asymptotic communication complexity for a large number of players. An important ingredient for such protocols is arithmetic secret sharing, i.e., linear secret-sharing schemes with multiplicative properties. The standard way to obtain these over fields is with a family of linear codes C, such that C, C⊥ and C² are asymptotically good (strongly multiplicative). For our purposes here it suffices if the square code C² is not the whole space, i.e., has codimension at least 1 (multiplicative). Our approach is to lift such a family of codes defined over a finite field F to a Galois ring, which is a local ring that has F as its residue field and that contains Z/p^kZ as a subring, and thus enables arithmetic that is compatible with both structures. Although arbitrary lifts preserve the distance and dual distance of a code, as we demonstrate with a counterexample, the multiplicative property is not preserved. We work around this issue by showing a dedicated lift that preserves self-orthogonality (as well as distance and dual distance), for p ≥ 3. Self-orthogonal codes are multiplicative, therefore we can use existing results on asymptotically good self-dual codes over fields to obtain arithmetic secret sharing over Galois rings. For p = 2 we obtain multiplicativity by using existing techniques of secret-sharing using both C and C⊥, incurring a constant overhead. As a result, we obtain asymptotically good arithmetic secret-sharing schemes over Galois rings. With these schemes in hand, we extend existing field-based MPC protocols to obtain MPC over Z/p^kZ, in the setting of a submaximal adversary corrupting less than a fraction 1/2 - ε of the players, where ε > 0 is arbitrarily small. We consider 3 different corruption models. For passive and active security with abort, our protocols communicate O(n) bits per multiplication. For full security with guaranteed output delivery we use a preprocessing model and get O(n) bits per multiplication in the online phase and O(n log n) bits per multiplication in the offline phase. Thus, we obtain true linear bit complexities, without the common assumption that the ring size depends on the number of players.

    EU-wide exposure data of 11 chemical substance groups from the HBM4EU Aligned Studies (2014–2021)

    Funding Information: The authors would like to thank everybody who contributed to the HBM4EU Aligned Studies: the participating children, teenagers, adults and their families, the fieldworkers that collected the samples and database managers that made the information available to HBM4EU, the HBM4EU project partners, especially those from WP7 for developing all materials supporting the fieldwork, WP9 for organizing the QA/QC scheme under HBM4EU and all laboratories who performed the analytical measurements. We would like to acknowledge Sun Kyoung Jung from the National Institute of Environmental Research of South-Korea for providing the KoNEHS Cycle III results (crt adjusted). HBM4EU is co-financed under Horizon 2020 (grant agreement No 733032). The authors thank all principal investigators of the contributing studies for their participation and contribution to the HBM4EU Aligned Studies and the national program owners for their financial support. Further details on funding for all the participating studies can be found in the Supplemental Material, Table S12.

    As one of the core elements of the European Human Biomonitoring Initiative (HBM4EU), a human biomonitoring (HBM) survey was conducted in 23 countries to generate EU-wide comparable HBM data. This survey has built on existing HBM capacity in Europe by aligning national or regional HBM studies, referred to as the HBM4EU Aligned Studies. The HBM4EU Aligned Studies included a total of 10,795 participants of three age groups: (i) 3,576 children aged 6–12 years, (ii) 3,117 teenagers aged 12–18 years and (iii) 4,102 young adults aged 20–39 years. The participants were recruited between 2014 and 2021 in 11–12 countries per age group, geographically distributed across Europe. Depending on the age group, internal exposure to phthalates and the substitute DINCH, halogenated and organophosphorus flame retardants, per- and polyfluoroalkyl substances (PFASs), cadmium, bisphenols, polycyclic aromatic hydrocarbons (PAHs), arsenic species, acrylamide, mycotoxins (deoxynivalenol (total DON)), benzophenones and selected pesticides was assessed by measuring substance-specific biomarkers subjected to stringent quality control programs for chemical analysis. For substance groups analyzed in different age groups, higher average exposure levels were observed in the youngest age group, i.e., phthalates/DINCH in children versus teenagers, acrylamide and pesticides in children versus adults, benzophenones in teenagers versus adults. Many biomarkers in teenagers and adults varied significantly according to educational attainment, with higher exposure levels of bisphenols, phthalates, benzophenones, PAHs and acrylamide in participants (from households) with lower educational attainment, while teenagers from households with higher educational attainment have higher exposure levels for PFASs and arsenic. In children, a social gradient was only observed for the non-specific pyrethroid metabolite 3-PBA and di-isodecyl phthalate (DiDP), with higher levels in children from households with higher educational attainment. Geographical variations were seen for all exposure biomarkers. For 15 biomarkers, the available health-based HBM guidance values were exceeded, with highest exceedance rates for toxicologically relevant arsenic in teenagers (40%), 3-PBA in children (36%), and between 11 and 14% for total DON, Σ (PFOA + PFNA + PFHxS + PFOS), bisphenol S and cadmium. The infrastructure and harmonized approach succeeded in obtaining comparable Europe-wide internal exposure data for a prioritized set of 11 chemical groups. These data serve as a reference for comparison at the global level, provide a baseline to compare the efficacy of the European Commission's chemical strategy for sustainability and will give leverage to national policy makers for the implementation of targeted measures.