75 research outputs found
Adaptively Secure (Aggregatable) PVSS and Application to Distributed Randomness Beacons
Publicly Verifiable Secret Sharing (PVSS) is a fundamental primitive that allows a dealer to share a secret among parties via a publicly verifiable transcript. Existing (efficient) PVSS schemes are only proven secure against static adversaries, who must choose whom to corrupt ahead of a protocol execution. As a result, any protocol (e.g., a distributed randomness beacon) that builds on top of such a PVSS scheme inherits this limitation. To overcome this barrier, we revisit the security of PVSS under adaptive corruptions and show that, surprisingly, many protocols from the literature already achieve it in a meaningful way:
- We propose a new security definition for aggregatable PVSS, i.e., schemes that allow multiple transcripts to be combined homomorphically into one compact aggregate transcript that shares the sum of their individual secrets. Our notion captures that if the secret shared by the aggregate transcript contains at least one contribution from an honestly generated transcript, it should not be predictable. We then prove that several existing schemes satisfy this notion against adaptive corruptions in the algebraic group model.
- To motivate our new notion, we show that it implies the adaptive security of two recent random beacon protocols, SPURT (S&P '22) and OptRand (NDSS '23), which build on top of aggregatable PVSS schemes satisfying our notion of unpredictability. For a security parameter , our result improves the communication complexity of the best known adaptively secure random beacon protocols to for synchronous networks with corruptions and partially synchronous networks with corruptions.
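The additive homomorphism that makes a PVSS "aggregatable" comes from the underlying Shamir sharing: adding the share vectors of several dealers point-wise yields a share vector of the sum of their secrets, and one honest dealer's uniformly random polynomial randomizes the whole sum. The block below is an added illustration, not code from the page or from the schemes it discusses: it uses plain Shamir shares over a toy prime field with no encryption of shares and no public verifiability, and the field size, the evaluation points 1..n and the function names are choices made for the example. Besides aggregation and reconstruction it checks the secrecy fact the unpredictability notion rests on: any t-1 shares are consistent with every candidate secret.

```python
"""Point-wise aggregation of Shamir shares: shares of the sum of the secrets.

Added toy illustration (not the page's PVSS schemes): no encryption of shares,
no public verifiability; field and evaluation points chosen for the example.
"""
import secrets

P = 2**61 - 1  # Mersenne prime used as the toy field


def share(secret: int, t: int, n: int) -> list:
    """Split `secret` into n shares (x, f(x)) of a random degree-(t-1) polynomial, f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

    return [(x, f(x)) for x in range(1, n + 1)]


def interpolate(points: list, x: int) -> int:
    """Lagrange interpolation: value at x of the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def reconstruct(shares: list) -> int:
    """Recover the secret f(0) from any t shares."""
    return interpolate(shares, 0)


def aggregate(*share_lists) -> list:
    """Point-wise sum of the share vectors of several dealers.

    Party x ends up with f_1(x) + f_2(x) + ... = (f_1 + f_2 + ...)(x), i.e. a share of the
    summed secret under a polynomial that is uniformly random as soon as one dealer is honest.
    """
    xs = [x for x, _ in share_lists[0]]
    for sl in share_lists:
        assert [x for x, _ in sl] == xs, "all dealers must use the same evaluation points"
    return [(x, sum(sl[j][1] for sl in share_lists) % P) for j, x in enumerate(xs)]


def consistent_share(partial: list, guess: int, x: int) -> int:
    """Given only t-1 shares, the share party x would hold if the secret were `guess`.

    Every guess yields a valid degree-(t-1) polynomial, which is why t-1 shares predict nothing.
    """
    return interpolate([(0, guess % P)] + partial, x)


if __name__ == "__main__":
    t, n = 3, 5
    a, b = share(5, t, n), share(7, t, n)
    print(reconstruct(aggregate(a, b)[1:4]))  # 12: any t aggregated shares open the sum
```

The same Lagrange coefficients that `reconstruct` computes are what a reconstructor applies, in the exponent, when combining partial signatures or decryptions of a threshold scheme built on Shamir sharing.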
Zombies and Ghosts: Optimal Byzantine Agreement in the Presence of Omission Faults
Studying the feasibility of Byzantine Agreement (BA) in realistic fault models is an important question in the area of distributed computing and cryptography. In this work, we revisit the mixed fault model with Byzantine (malicious) faults and omission faults put forth by Hauser, Maurer, and Zikas (TCC 2009), who showed that BA (and MPC) is possible with Byzantine faults, send faults (whose outgoing messages may be dropped) and receive faults (whose incoming messages may be lost) if . We generalize their techniques and results by showing that BA is possible if , given the availability of a cryptographic setup. Our protocol is the first to match the recent lower bound of Eldefrawy, Loss, and Terner (ACNS 2022) for this setting.
On the Adaptive Security of the Threshold BLS Signature Scheme
Threshold signatures are a crucial tool for many distributed protocols. As shown by Cachin, Kursawe, and Shoup (PODC '00), schemes with unique signatures are of particular importance, as they allow distributed coin flipping to be implemented very efficiently and without any timing assumptions. This makes them an ideal building block for (inherently randomized) asynchronous consensus protocols.
The threshold-BLS signature of Boldyreva (PKC '03) is both unique and very compact, but unfortunately lacks a security proof against adaptive adversaries. Thus, current consensus protocols either rely on less efficient alternatives or are not adaptively secure. In this work, we revisit the security of the threshold BLS signature by showing the following results, assuming t adaptive corruptions:
- We give a modular security proof that follows a two-step approach: 1) We introduce a new security notion for distributed key generation protocols (DKG). We show that it is satisfied by several protocols that previously only had a static security proof. 2) Assuming any DKG protocol with this property, we then prove unforgeability of the threshold BLS scheme. Our reductions are tight and can be used to substantiate real-world parameter choices.
- To justify our use of strong assumptions such as the algebraic group model (AGM) and the hardness of one-more discrete logarithm (OMDL), we prove an impossibility result: even in the AGM, a strong interactive assumption is required in order to prove the scheme secure.
Combining Asynchronous and Synchronous Byzantine Agreement: The Best of Both Worlds
In the problem of byzantine agreement (BA), a set of n parties wishes to agree on a value v by jointly running a distributed protocol. The protocol is deemed secure if it achieves this goal in spite of a malicious adversary that corrupts a certain fraction of the parties and can make them behave in arbitrarily malicious ways. Since its first formalization by Lamport et al. (TOPLAS '82), the problem of BA has been extensively studied in the literature under many different assumptions. One common way to classify protocols for BA is by their synchrony and network assumptions. For example, some protocols offer resilience against up to a one-half fraction of corrupted parties by assuming a synchronized, but possibly slow, network, in which parties share a global clock and messages are guaranteed to arrive after a given time D. By comparison, other protocols achieve much higher efficiency and work without these assumptions, but can tolerate only a one-third fraction of corrupted parties. A natural question is whether it is possible to combine protocols from these two regimes to achieve the "best of both worlds": protocols that are both efficient and robust. In this work, we answer this question in the affirmative. Concretely, we make the following contributions:
* We give the first generic compilers that combine BA protocols under different network and synchrony assumptions and preserve both the efficiency and robustness of their building blocks. Our constructions are simple and rely solely on a secure signature scheme.
* We prove that our constructions achieve optimal corruption bounds.
* Finally, we give the first efficient protocol for (binary) asynchronous byzantine agreement (ABA) which tolerates adaptive corruptions and matches the communication complexity of the best protocols in the static case.
Efficient and Universally Composable Protocols for Oblivious Transfer from the CDH Assumption
Oblivious Transfer (OT) is a simple, yet fundamental primitive which suffices to achieve almost every cryptographic application. In a recent work (Latincrypt '15), Chou and Orlandi (CO) present the most efficient, fully UC-secure OT protocol to date and argue its security under the CDH assumption. Unfortunately, a subsequent work by Genc et al. (Eprint '17) exposes a flaw in their proof which renders the CO protocol insecure. In this work, we make the following contributions: We first point out two additional, previously undiscovered flaws in the CO protocol and then show how to patch the proof with respect to static and malicious corruptions in the UC model under the stronger Gap Diffie-Hellman (GDH) assumption. With the proof failing for adaptive corruptions even under the GDH assumption, we then present a novel OT protocol which builds on ideas from the CO protocol and can be proven fully UC-secure under the CDH assumption. Interestingly, our new protocol is actually significantly more efficient (roughly by a factor of two) than the CO protocol. This improvement is made possible by avoiding costly redundancy in the symmetric encryption scheme used in the CO protocol. Our ideas can also be applied to the original CO protocol, which yields a similar gain in efficiency.
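The CO exchange the abstract refers to is a two-message 1-out-of-2 OT over a Diffie-Hellman group: the sender publishes A = g^a; the receiver with choice bit c answers B = g^b (c = 0) or B = A·g^b (c = 1); the sender derives k_i = H(A, B, (B / A^i)^a) for i = 0, 1 and encrypts m_i under k_i, while the receiver can only compute the one key H(A, B, A^b). The block below runs that exchange end to end as an added illustration; it is not code from the page or from either paper, and it shows the message flow and correctness only, not the patched protocol or the encryption redundancy the abstract discusses. Two assumptions are made so that it runs stand-alone: the 1024-bit MODP prime from RFC 2409 (group 2) serves as the group, which is far below a current security margin, and a SHA-256-derived one-time pad stands in for the symmetric encryption.

```python
"""Toy run of the Chou-Orlandi ("simplest") 1-out-of-2 OT exchange.

Added illustration, not either paper's code. Assumptions for a self-contained run:
the 1024-bit MODP group of RFC 2409 (too small for real use) and a SHA-256
keystream XOR in place of the symmetric encryption scheme.
"""
import hashlib
import secrets

# 1024-bit MODP prime (RFC 2409, group 2); G = 2 generates the subgroup of prime order Q.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
Q = (P - 1) // 2
G = 2
NBYTES = (P.bit_length() + 7) // 8


def _kdf(A: int, B: int, shared: int) -> bytes:
    """k = H(A, B, shared): the transcript is bound into the key, as in the CO design."""
    h = hashlib.sha256()
    for v in (A, B, shared):
        h.update(v.to_bytes(NBYTES, "big"))
    return h.digest()


def _xor(key: bytes, msg: bytes) -> bytes:
    """Placeholder symmetric encryption: pad the message with the 32-byte derived key."""
    assert len(msg) <= len(key)
    return bytes(k ^ m for k, m in zip(key, msg))


def _rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


class Sender:
    def __init__(self, m0: bytes, m1: bytes):
        assert len(m0) == len(m1) <= 32
        self.m = (m0, m1)
        self.a = _rand_exp()
        self.A = pow(G, self.a, P)

    def msg1(self) -> int:
        return self.A  # first message: A = g^a

    def msg2(self, B: int) -> tuple:
        # k_i = H(A, B, (B / A^i)^a); exactly one equals the receiver's H(A, B, A^b).
        keys = []
        for i in (0, 1):
            base = B * pow(pow(self.A, i, P), -1, P) % P
            keys.append(_kdf(self.A, B, pow(base, self.a, P)))
        return tuple(_xor(keys[i], self.m[i]) for i in (0, 1))


class Receiver:
    def __init__(self, choice: int):
        assert choice in (0, 1)
        self.c = choice
        self.b = _rand_exp()

    def msg1(self, A: int) -> int:
        # B = g^b if c = 0, else A * g^b: uniformly random in the group either way,
        # so B reveals nothing about c to the sender.
        self.A = A
        self.B = pow(G, self.b, P) if self.c == 0 else pow(G, self.b, P) * A % P
        return self.B

    def msg2(self, cts: tuple) -> bytes:
        self.k = _kdf(self.A, self.B, pow(self.A, self.b, P))
        return _xor(self.k, cts[self.c])

    def try_other(self, cts: tuple) -> bytes:
        """What the receiver obtains by applying its single key to the other ciphertext."""
        return _xor(self.k, cts[1 - self.c])


def run_ot(m0: bytes, m1: bytes, choice: int) -> tuple:
    """Full exchange; returns (message obtained, garbage from the other ciphertext)."""
    s, r = Sender(m0, m1), Receiver(choice)
    B = r.msg1(s.msg1())
    cts = s.msg2(B)
    return r.msg2(cts), r.try_other(cts)


if __name__ == "__main__":
    got, other = run_ot(b"left-secret-0000", b"right-secret-111", 1)
    print(got, other)
```

For c = 1 the sender's k_1 uses (B / A)^a = g^{ab}, which matches the receiver's A^b, while k_0 uses B^a = A^a · g^{ab} and does not; the roles swap for c = 0. Nothing in this block addresses the proof-level issues the abstract is about (simulatability of the symmetric encryption under adaptive corruption), which is exactly where the paper's fixes live.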
Early Stopping for Any Number of Corruptions
Minimizing the round complexity of byzantine broadcast is a fundamental question in distributed computing and cryptography. In this work, we present the first early-stopping byzantine broadcast protocol that tolerates up to malicious corruptions and terminates in rounds for any execution with actual corruptions. Our protocol is deterministic, adaptively secure, and works assuming a plain public key infrastructure. Prior early-stopping protocols all either require an honest majority or tolerate only up to malicious corruptions while requiring either trusted setup or strong number-theoretic hardness assumptions. As our key contribution, we show a novel tool called a polariser that allows us to transfer certificate-based strategies from the honest-majority setting to settings with a dishonest majority.
Concurrent Security of Anonymous Credentials Light, Revisited
We revisit the concurrent security guarantees of the well-known Anonymous Credentials Light (ACL) scheme (Baldimtsi and Lysyanskaya, CCS '13). This scheme was originally proven secure when executed sequentially, and its concurrent security was left as an open problem.
A later work of Benhamouda et al. (EUROCRYPT '21) gave an efficient attack on ACL when executed concurrently, seemingly resolving this question once and for all.
In this work, we point out a subtle flaw in the attack of Benhamouda et al. on ACL and show, in spite of popular opinion, that it can be proven concurrently secure.
Our modular proof in the algebraic group model uses an ID scheme as an intermediate step and leads to a major simplification of the complex security argument for Abe's Blind Signature scheme by Kastner et al. (PKC '22).
Token meets Wallet: Formalizing Privacy and Revocation for FIDO2
The FIDO2 standard is a widely-used class of challenge-response type protocols that allows a user to authenticate to an online service using a hardware token.
Barbosa et al. (CRYPTO `21) provided the first formal security model and analysis for the FIDO2 standard.
However, their model has two shortcomings: (1) It does not include privacy, one of the key features claimed by FIDO2. (2) It only covers tokens that store all secret keys locally.
In contrast, due to limited memory, most existing FIDO2 tokens either derive all secret keys from a common seed or store keys on the server (the latter approach is also known as key wrapping).
In this paper, we revisit the security of the WebAuthn component of FIDO2 as implemented in practice. Our contributions are as follows.
(1) We adapt the model of Barbosa et al. so as to capture authentication tokens using key derivation or key wrapping.
(2) We provide the first formal definition of privacy for the WebAuthn component of FIDO2. We then prove the privacy of this component in common FIDO2 token implementations if the underlying building blocks are chosen appropriately.
(3) We address the unsolved problem of global key revocation in FIDO2.
To this end, we introduce and analyze a simple revocation procedure that builds on the popular BIP32 standard used in cryptocurrency wallets and can efficiently be implemented with existing FIDO2 servers.
Synchronous Consensus with Optimal Asynchronous Fallback Guarantees
Typically, protocols for Byzantine agreement (BA) are designed to run in either a synchronous network (where all messages are guaranteed to be delivered within some known time from when they are sent) or an asynchronous network (where messages may be arbitrarily delayed). Protocols designed for synchronous networks are generally insecure if the network in which they run does not ensure synchrony; protocols designed for asynchronous networks are (of course) secure in a synchronous setting as well, but in that case tolerate a lower fraction of faults than would have been possible if synchrony had been assumed from the start.
Fix some number of parties , and . We ask whether it is possible (given a public-key infrastructure) to design a BA protocol that (1) is resilient to corruptions when run in a synchronous network and (2) remains resilient to faults even if the network happens to be asynchronous. We show matching feasibility and infeasibility results demonstrating that this is possible if and only if
- …