Cryptographic Protocols Specs
πŸ”‘

Cryptographic Protocols Specs

This document is meant to be the central place of everything related to the cryptographic scheme the threshold network will employ.

It describes the cryptographic goals the threshold network wants to achieve & the different protocols one can use to get there with some implementation links.

Notation

We note nn the number of nodes that have a secret share, and t<nt < n the threshold of the network. Each node ii is identified by their long term public key PiP_i and have a secret key skisk_i.

We call QQ the set of qualified node that have successfully ran the DKG, i.e. each node in QQ have a partial share sis_i corresponding to the distributed secret key ss and public key P=sGP = sG where GG is the generator of the group (without indices means we refer to the "keys of the DKG").

We call the threshold network GTGT as Generalized Threshold.

We call the Lagrange basis polynomials the following:

Ξ΄j(x)=∏i,iβ‰ jxβˆ’xixjβˆ’xi\delta_j(x) = \prod_ {i, i \neq j} \frac{x - x_i}{x_j - x_i}

such that δj(xj)=1\delta_j(x_j) = 1 and δj(xi)=0\delta_j(x_i) = 0 with i≠ji ≠ j

When not specified otherwise, we will use a pairing equipped elliptic curve of type III. Namely:

  • There are three groups G1,G2,GT\mathbb{G_1},\mathbb{G_2},\mathbb{G_T} of order qq, with associated generators G1,G2,GtG_1,G_2,G_t.
  • There exists an efficiently computable bilinear map e:G1Γ—G2β†’GTe: \mathbb{G_1} \times \mathbb{G_2} \rightarrow \mathbb{G_T}.
  • We will place the key on the G2\mathbb{G_2} group: P=sG1P = sG_1 but that is not fixed.

Distributed Key Generation

Given the choice is not exactly settled, here are some potential solutions:

Pedersen DKG

The Pedersen based DKG works in synchronous rounds and is described succinctly here.

The main goal here is we want to have a shared scalar field at the end (and not a group element as for some other schemes such as PVSS)

Security:

Even though this DKG allows for some biasability in the final private key, because participants don't commit to the polynomial beforehand as in the Gennaro et al. one, it has been proven that the resulting key can be used for any re-keyable scheme such as BLS signature or El Gamal encryption, in this Mary et al. paper. This is sufficient for our purposes.

Plan

Specs

Each participant registered with a temporary private/public keypair Ki=kiβˆ—G1∈G1K_i = k_i * G_1 \in \mathbb{G_1} at the beginning of the protocol. How and where is out of scope for this crypto spec but you can think of it as if every participant save their public keys on a common smart contract.

We assume there is nn participants and we set the threshold T>n/2T > n/2 as being the number of parties necessary to perform an operation with the distributed secret key.

Deal Phase

Proving:

Each participant does the following:

  1. Generate T random coefficients a1,…,aT∈Fa_1, … , a_T \in \mathbb{F} for a polynomial f(x)f(x) of degree T-1
  2. Compute nn shares f(1),f(2),…,f(n)f(1), f(2), … , f(n)
    1. Note in the future we might replace the indices with roots of unity Ο‰1,Ο‰2…\omega^1, \omega^2…
  3. Compute commitment to the polynomial: F(x)=f(x)G1F(x) = f(x) G_1 by multiplying all coefficients by the base generator G1G_1
  4. Generate a random scalar r∈Fr \in \mathbb{F} and R=rG1R = rG_1
  5. Compute encryption of the share for each recipient:
    1. For recipient i, compute Ci=H(rKi)βŠ•b(f(i))C_i = H(rK_i) \oplus b(f(i)) where b(.)b(.) transforms the scalar into bytes in little endian format.
  6. Output the deal consisting of:
    1. Coefficients of F(x)F(x)
    2. Randomizer RR
    3. Encryption vector: CiC_i

Verifying:

Each recipient i perform the following verification:

  1. Compute shared key Si=kiRS_i = k_iR
  2. Decrypts share f(i)=H(Si)βŠ•Cif(i) = H(S_i) \oplus C_i (interprets results as a scalar)
  3. Verify consistency: F(i)==f(i)G1F(i) == f(i)G_1
  4. If consistency check is not passing, then go to complaint phase.

Complaint Phase

Proving:

The recipient whose share is invalid will prove it to the smart contract by giving the shared key to the smart contract and proving it is the correct one without revealing its private key.

  1. Generate a random t∈Ft \in \mathbb{F}
  2. Compute w=tRw = tR and w’=tG1’w’ = tG_1^{’}
  3. Compute u’=kiG1’u’ = k_iG_1^{’}
  4. Compute e=H(Ci,Si,u’,w,w’)e = H(C_i, S_i, u’, w, w’)
  5. Compute f=tβˆ’eβˆ—kif = t - e * k_i
  6. Output proof [Si,e,f,u’][S_i, e, f, u’]

Verifying:

The smart contract will use the information from the deals and from the proof:

  1. Compute w=fG1+eSi=(tβˆ’eβˆ—ki)R+(eβˆ—ki)R=tRw = fG_1 + eS_i = (t - e*k_i)R + (e*k_i)R = tR
  2. Compute w’=fG1’+eu’=(tβˆ’eβˆ—ki)G1’+(eβˆ—ki)G1’=tG1’w’ = fG_1^{’} + eu’ = (t - e*k_i)G_1^{’} + (e*k_i)G_1^{’} = tG_1^{’}
  3. Check if e==H(Ci,Si,u’,w,w’)e == H(C_i, S_i, u’, w, w’)
    1. If not, the complaint is not valid (the smart contract can decide to slash etc, out of scope of this document)
    2. Note the verifier must have the ciphertext not from the complainer but from the first phase. Using smart contract it is either registered onchain or the hash of it.
  4. If check is valid, then decrypt the share shi=H(Si)βŠ•Cish_i = H(S_i) \oplus C_i
  5. Verify the consistency: F(i)==shiG1F(i) == sh_i G_1
    1. If consistency is verified, complaint is not valid (the deal was correctly created)
    2. If consistency check fails, the complaint is valid and the dealer must be excluded from the list of valid participants.

Final Phase

This phase happens after the first two and is simply the phase where the distributed keypair can be computed.

Secret Share for participant i:

si=βˆ‘jfj(i)s_i = \sum_j f_j(i) for all dealers jj that were not excluded during the complaint phase.

Public Key

S=βˆ‘jFj(0)S = \sum_j F_j(0) for all dealers jj that were not excluded during the complaint phase.

Random Beacon

GTGT must be able to issue period random values, as a random beacon.

In the setting of threshold cryptography, the obvious and simple approach is to use a threshold BLS signature scheme, as in specified in drand specs.

TLDR

Signature Generation:

  • Messages mrm_r are consecutive rounds r=1,r=2,…r= 1, r=2, \dots
  • Each node partial sign Οƒi,r=[si]H(mr)∈G1\sigma_{i,r} = [s_i]H(m_r)\in G_1
  • There is an aggregation for the final signature (either by a liveness-trusted aggregator or by all nodes)
    • Οƒ=βˆ‘i∈SΞ΄i(0)Οƒi,r\sigma = \sum_{i \in S} \delta_i(0)\sigma_{i,r}
    • where SS is a tt-sized set of valid partial signatures

Verification:

  • Check if e(Οƒ,g2)==e(H(mr),P)e(\sigma, g_2) == e(H(m_r), P)

Implementation:

  • Same code as in DKG (code), also works with blinded BLS signatures

Future

  • Same thing for the roots of unity: at scale it makes the difference to be practical. Need implementation of BLS sig using roots of unity

Encryption

Using pairings and BLS signatures the way we do above, it allows us to have two kinds of encryption system:

  • Public Decryption is where the threshold network will reveal a key that allows anybody to decrypt a ciphertext, using the identity based paradigm. Think of it as if a trusted third party were decrypting messages that were encrypted to it. If this third party obeys to a smart contract, it's equivalent to say that it gives the smart contract the functionality to decrypt messages encrypted to it.
  • Private Decryption is where the threshold network's output is only decryptable by a given party with a specified private/public key pair

Public Decryption (IBE)

Intuition in blockchain context

Think of it as if a trusted third party were decrypting messages that were encrypted to it. If this third party obeys to a smart contract, it's equivalent to say that it gives the smart contract the functionality to decrypt messages encrypted to it. Note however in practice, everybody can decrypt the ciphertexts thanks to released material from the threshold network. The plaintext is not hidden in the smart contract (as currently, nothing is hidden).

The network will only decrypt the message upon a certain condition. For example, "timed encryption" means the network will release the private key material only after a certain time. If the condition is based on the exchange of tokens, the network will only release the material after the exhange has taken place. Etc.

Usages: Sealed bid auctions, timed encryptions, complex reward system (a complex condition will trigger the public decryption of the reward) etc

Performance:

  • For the network, it is similar to threshold BLS
  • For the decrypting an encrypted message client performs 1-2 pairings + XOR
    • Some pre-computation can be done

Future:

Look into using IBE for everything (public/private encryption). See FAQ.

Protocol details

This scheme is a direct application of the Identity Based Encryption scheme from Boneh et al. (section 4.2) to the threshold and BLS setting.

For each instance of the protocol, we designate an idid and the corresponding public key. For example, for "timed encryption", the ID would be the round number rr:

Qid=H1(id)=H1(r)∈G2Q_{id} = H_1(id) = H_1(r) \in \mathbb{G_2}

Encryption: A client that wishes to encrypt a message m∈{0,1}lm \in \{0,1\}^l "towards" the ID will perform the following:

  1. Compute Gid=e(P,Qid)=e(P,H1(id))G_{id} = e(P,Q_{id}) = e(P,H_1(id))
    • This can be pre-computed
  2. Choose a random Οƒβˆˆ{0,1}l\sigma \in \{0,1\}^l
  3. Set r=H3(Οƒ,m)r = H_3 (\sigma, m) where H3:{0,1}βˆ—β†’FqH_3: \{0,1\}^* \rightarrow F_q is a secure hash function
  4. Output the ciphertext:
C={U,V,W}={rG1,ΟƒβŠ•H2(rGid),mβŠ•H4(Οƒ)}C = \{U,V,W\} = \{ rG_1, \sigma \oplus H_2(r G_{id}), m \oplus H_4(\sigma)\}

where H2:Gt→{0,1}lH_2: \mathbb{G_t} \rightarrow \{0,1\}^l and H4:{0,1}l→{0,1}lH_4: \{0,1\}^l \rightarrow \{0,1\}^l are both secure hash functions.

Decryption:

  1. Once the threshold network decides it can decrypt the ciphertext, i.e. that the condition is validated, then it computes the BLS signature over the idid in a threshold way:
    1. Ο€id=sH(id)∈G1\pi_{id} = sH(id) \in G_1
    2. It publishes Ο€id\pi_{id}
  2. At this point, anybody can decrypt the ciphertext in the following way
    1. Compute Οƒ=VβŠ•H2(e(U,Ο€id))\sigma = V \oplus H_2(e(U, \pi_{id}))
    2. Compute M=WβŠ•H4(Οƒ)M = W \oplus H_4(\sigma)
    3. Set r=H3(Οƒ,m)r = H_3(\sigma, m)
    4. Test that U=rG1U = rG_1 - if not, reject.
    5. M is the decrypted ciphertext

Completeness:

  1. Computation of Οƒ\sigma
Οƒ=VβŠ•H2(e(U,Ο€id))=ΟƒβŠ•H2(rGid)βŠ•H2(e(rG1,sH1(id)))=ΟƒβŠ•H2(rse(G1,H1(id)))βŠ•H2(rse(G1,H1(id)))=Οƒ\sigma = V \oplus H_2(e(U,\pi_{id})) =\\ \sigma \oplus H_2(rG_{id}) \oplus H_2(e(rG_1,sH_1(id))) = \\ \sigma \oplus H_2(rse(G_1,H_1(id))) \oplus H_2(rse(G_1,H_1(id))) = \\\sigma
  1. Computation of MM:
M=WβŠ•H4(Οƒ)=MβŠ•H4(Οƒ)βŠ•H4(Οƒ)=MM = W \oplus H_4(\sigma) = M \oplus H_4(\sigma) \oplus H_4(\sigma)= M

Optimization: precomputation

The decryption still requires one pre-computed pairing and one individual pairing per decryption. A pairing can be costly and thus, having a way to batch decrypt would be very beneficial to using this method at scale and on-chain.

We introduce here roles to differentiate the computations:

  • The encrypter (the persons encrypting the message,
  • The helper (the party precomputing expensive operations to help decryption),
  • The decrypter (the party actually doing the decryption, can be onchain).

Signature Embedding:

The encrypter will prefix/suffix its message mm with a signature Ο€M\pi_M over mm and it encrypts the results:

mβ€²=Sig(m) ∣∣ mm' = Sig(m) \textrm{ } || \textrm{ } m

Once the helper has access to the signature related to the idid, then it precomputes the following for all encrypted transactions for this epoch:

Οƒi=VβŠ•H2(e(Ui,Ο€id))\sigma_i = V \oplus H_2(e(U_i, \pi_{id}))

and submits this to the decrypter.

The decrypter actually decrypts all the messages with a simple XOR:

miβ€²=WiβŠ•Οƒim_i' = W_i \oplus \sigma_i

and verifies if the embedded signature is correct for each mβ€²m'. If it is correct, it outputs the message mim_i . If it is not correct, it has to decide whether the encrypter or the helper has been misbehaving, i.e. either the signature is incorrect or the Οƒi\sigma_i given is incorrect. To do this he continues the decryption check:

ri=H4(Οƒi,miβ€²)Β Β Ui=?riG1r_i = H_4(\sigma_i, m_i') \textrm{ } ^ \textrm{ } U_i =^? r_iG_1
  • If the check doesn't pass, that means the helper has been misbehaving. In this case, the decrypter has to run the full decryption algorithm (either onchain or as part of recovery protocol with additional delay)
  • If the check pass, that means the encrypter has inserted an invalid signature into its message and in this case, the decryption should be discarded.

In the case of a honest helper, then he can try to decrypt all the ciphertext himself before, and only include ciphertext that leads to valid signatures and reject the ones that are not. The right incentives will bias the behavior towards the honest one.

Private Decryption

Overview:

This mode uses basic El Gamal encryption where (1) a client encrypts a message to the network, then (2) the network can decrypt it to a particular recipient according to some conditions.

In comparison with the previous section, this is useful when we want that the plaintext is only revealed to the intended recipient.

Use cases: data management policies (see Calypso), private API access, the whole set of "proxy re-encryption" use cases (like distributed encrypted file storage).

Protocols Description

To decrypt the nodes will each generate a partial decryption share. There are two ways to aggregate the shares:

  1. Local Decryption: the nodes send the partial decryption shares directly to recipient which will aggregate them locally and decrypt locally
    1. Practical Consideration: The client needs to receive on a private channel and aggregate at least t shares.The first requirement may be hard to achieve (general connectivity between any two points on the internet is not granted). The latter one can quickly become a problem as soon as we want to grow the network size, for security reason. This tends to trap us in the "security vs usability" false dichotomy.
  2. Public Aggregation: Either the nodes re-encrypt their share with the recipient public key, in a way that a liveness-trusted aggregator node can "group" them (interpolation) such the recipient perform a single constant time operation to decrypt.
    1. Practical Consideration: The client in this case only makes one decryption locally. The network only needs to aggregate the shares "off chain", it can be a special aggregator node rewarded for this (if we can prove it).

Obviously the second method is preferable, but we describe first 1. and then describe 2. in the spirit of the "straw man approach".

Encryption to the DKG network:

Client wants to encrypt a message mm to the public dist. key P=sGP = s G of the network:

  1. Generate random r∈Fqr \in \mathbb{F_q}
  2. Compute ciphertext cc:
C={C1,C2}={rG1,H(rP)βŠ•m}={rG1,H(rsG1)βŠ•m}C = \{C_1,C_2\} = \{ rG_1, H(rP) \oplus m\} = \{rG_1, H(rsG_1) \oplus m \}

with H(rP)∈FqH(rP) \in \mathbb{F_q}.

The encryption is bundled with a DLEQ proof of correctness.

Bundle with DLEQ proof of correctness

The prover also has to include a proof of correct encryption that shows:

  1. He really holds the secret rr (via DLEQ proof)
  2. This encryption has been made by him and for the given access control address

He does the following:

  1. Generate random tt
  2. Compute w=tG1w = tG_1 , w’=tG1β€²w’ = tG_1^{'} where G1β€²G_1^{'} is another public random base
  3. Compute u’=rG1β€²u’ = rG_1^{'}
  4. Compute label L=H(P,I,K)L = H(P, I, K) where P is the public key of the Medusa, I is the address the policy smart contract, and KK is the address of the encryptor
  5. Compute e=H1(C2,L,C1,uβ€²,w,w’)e = H_1(C_2,L, C_1, u', w, w’) and then f=tβˆ’ref = t - re
  6. Output the full ciphertext: C,e,f,u’C, e, f, u’

Verification of proof of correctness:

Verifier (depending on the context it can be the Medusa nodes or the smart contract) perform the following verification:

  1. Compute w=fG1+eC1=(tβˆ’re)G1+reG1=tG1w = fG_1 + eC_1 = (t - re)G_1 + reG_1 = tG_1
  2. Compute w’=fG1β€²+eu’=(tβˆ’re)G1β€²+erG’1=tG1β€²w’ = fG_1^{'} + eu’ = (t - re)G_1^{'} + erG’_1 = tG_1^{'}
  3. Check if e==H(C2,L,C1,uβ€²,w,w’)e == H(C_2, L,C_1, u', w, w’)
    1. Note LL can be computed from public information
    2. Reason of this confusing order: treat C_1 = u, and then it means that we put all the β€œpublic info” at the beginning of the hash, and then all the DLEQ related info afterwards.

Submitting a ciphertext on chain

The Medusa smart contract will verify the ciphertext proof associated in the manner described just above.

Local Decryption

Each DKG node ii compute the decryption share and send it to recipient:

Di=siC1=sirG2∈G2D_i = s_iC_1 = s_irG_2\in G_2

The node also computes a proof of correctness almost as similar as the encryptor.

Proof of correctness:

β€” TODO: since this functionality is not part of Medusa at the moment, it’s left as is.

The recipient can then interpolate locally

m=H(βˆ‘iΞ΄i(0)Di)βŠ•c2=H(rsG2)βŠ•c2=H(rP)βŠ•H(rP)βŠ•mm = H(\sum_i \delta_i(0)D_i) \oplus c_2 = H(rsG_2) \oplus c_2 = H(rP) \oplus H(rP) \oplus m

Public Aggregation

In this mode, the encryption to the network is done in the same way as before, however, it offers the possibility of aggregating the partial decryptions first and only send one message to the final recipient.

Each DKG node ii will encrypt its decryption share to the recipient's public key, such that an aggregator node can perform the Lagrange interpolation itself.

Let's call U=uG2U = uG_2 the public key of the recipient (with private key uu).

  1. Each node computes its local encrypted decryption share
Di=siC1+siU=si(C1+U)D_i = s_iC_1 + s_iU = s_i(C_1+U)

You can see the node decrypts its share and then re-encrypts it towards the public key of the recipient, but instead of using a random scalar, it uses its own share.

Proof of correctness:

The ii-th node does the following:

  1. Generate random scalar tit_i
  2. Compute wi=ti(C1+U)w_i=t_i(C_1 + U) and wi’=tiG1w_i^{’} = t_iG_1
  3. Compute ei=H(Di,wi,wi’)e_i = H(D_i,w_i,w_i^{’}) and fi=tiβˆ’eiβˆ—sif_i = t_i - e_i * s_i
  4. Output proofs [Di,ei,fi][D_i,e_i,f_i] signed by the node (threshold key or longterm key if there is one)

Verification of the proof of correctness:

When receiving such partial reencryption, one perform the following check:

  1. Computes wi=fi(C1+U)+eiDi=(tiβˆ’eiβˆ—si)(C1+U)+(eiβˆ—si)(C1+U)=ti(C1+U)w_i = f_i(C_1 + U) + e_iD_i = (t_i - e_i*s_i)(C_1 + U) + (e_i*s_i)(C_1 + U) = t_i(C_1 + U)
  2. Computes wi’=fiG1+ei(siG1)=(tiβˆ’eiβˆ—si)G1+(eiβˆ—si)G1=tiG1w_i^{’} = f_iG_1 + e_i(s_iG_1) = (t_i - e_i*s_i)G_1 + (e_i *s_i)G_1 = t_iG_1
    1. Note that siG1s_iG_1 is available publicly since we know the whole public threshold polynomial F(x)F(x) so F(i)=siG1F(i) = s_iG_1
  3. Check that ei==H(Di,wi,wi’)e_i == H(D_i,w_i,w_i^{’})

This proofs says that the node took ciphertext C1, re-encrypted it towards U and it can be publicly verifiable.

Aggregation of partial reencryptions

The aggregator collects enough shares with valid proofs and aggregate locally the ciphertext and sends it to the recipient (or to the bulletin board so the recipient sees it):

cβ€²=βˆ‘iΞ΄i(0)Di=srG+sU=srG2+suG2=(r+u)sG2c' = \sum_i \delta_i(0)D_i = srG + sU = srG_2 + suG_2 = (r + u)sG_2
  1. The recipient decrypts locally in constant time:
m=H(cβ€²βˆ’usG2)βŠ•C2=H(rsG2)βŠ•H(rsG2)βŠ•mm = H(c' - usG_2) \oplus C_2 = H(rsG_2) \oplus H(rsG_2) \oplus m

The recipient can compute βˆ’usG2-usG_2 because he knows P=sG2P = sG_2 and his own private key uu.

Research/Protocol Questions

  1. Free Riding problem: how do incentivize nodes to DO something, and not just gaining money without actually not running any software.
  2. In private decryption:
    1. Can we get a proof of correct encryption of message mm ? i.e. that CC is well formed for any message mm ?
    2. For local aggregation, can we get non-interactive proofs that the decryption shares are valid wrt to the original ciphertext ?
    3. For public aggregation, can we get non-interactive proofs that the aggregated ciphertext is valid wrt to the original ciphertext?
    4. Is there a "pairing" enabled encryption scheme such that ciphertexts are on G1G_1 , like BLS signature ?
      1. Maybe can we re-use IBE and encrypt the result
  3. Public decryption:
    1. Can we a "batchable" decryption algorithm, for the same idid ?
  4. Do we need receiver privacy ? This is likely to be tackled at the protocol level though.
  5. Get a solid ground on the security of using El Gamal with type 3 bilinear maps without isomorphism between G1 and G2 (i.e. encryption only uses one or the other) , so under XDH setting β†’ can we get cca there ?

FAQ

  • Why not using proxy re-encryption techniques with a single node ?
    • It is assumed the recipient and the proxy are not colluding, one of them is honest. By decentralizing the proxy, we ensure that the proxy is honest.
  • In private decryption, why are encryption done on G2G_2 ?
    • Using naive ElGamal encryption, it's either we put the public keys on G1G_1 but then the randomness signatures have to be on G2G_2 and therefore they're bigger. Or we put public keys on G2G_2 but then ciphertext are on G2G_2: it's a tradeoff. We can play with both.
  • Why don't we use IBE for everything ? (public and private decryption)
    • WE CAN ! Maybe we should ! Questions for private decryption is of integration: how do someone proves its identity, what is the identity based on etc.
    • Need more literature review on this - don't know enough atm
  • Why are you putting the milkmaid as background ?
    • Because we're cooking something good πŸ˜‹

References

Re-encryption:

Overview: https://www.cs.jhu.edu/~susan/600.641/scribes/lecture17.pdf

Green et al. https://eprint.iacr.org/2005/028.pdf

ID based, Green et al. : https://eprint.iacr.org/2006/473.pdf

Key private (hiding recipient): https://eprint.iacr.org/2008/463.pdf

Calypso: El Gamal based data management https://infoscience.epfl.ch/record/287444/files/3436905.3436917 (1).pdf

CryptoNet is a Protocol Labs initiative.