CryptoDB
Daniele Cozzo
ORCID: 0000-0001-5289-3769
Publications
Year
Venue
Title
2024
ASIACRYPT
Verifiable Secret Sharing from Symmetric Key Cryptography with Improved Optimistic Complexity
Abstract
In this paper we propose verifiable secret sharing (VSS) schemes
secure for any honest majority in the synchronous model, and that only use \textit{symmetric-key} cryptographic tools, therefore having plausibly post-quantum security. Compared to the state-of-the-art scheme with these features (Atapoor et al., Asiacrypt `23), our main improvement lies on the complexity of the \textit{``optimistic''} scenario where the dealer and all but a small number of receivers behave honestly in the sharing phase: in this case, the running time and download complexity (amount of information read) of each honest verifier is \textit{polylogarithmic} and the total amount of broadcast information by the dealer is \textit{logarithmic}; all these complexities were linear in the aforementioned work by Atapoor et al. At the same time, we preserve these complexities with respect to the previous work for the ``pessimistic'' case where the dealer or $O(n)$ receivers cheat actively.
The new VSS protocol is of interest in multiparty computations where each party runs one VSS as a dealer, such as distributed key generation protocols.
Our main technical handle is a distributed zero-knowledge proof of low degreeness of a polynomial, in the model of Boneh et al. (Crypto `19) where the statement (in this case the evaluations of the witness polynomial) is distributed among several verifiers, each knowing one evaluation. Using folding techniques similar to FRI (Ben-Sasson et al., ICALP `18) we construct such a proof where each verifier receives polylogarithmic information and runs in polylogarithmic time.
2023
ASIACRYPT
VSS from Distributed ZK Proofs and Applications
Abstract
Non-Interactive Verifiable Secret Sharing (NI-VSS) is a technique for distributing a secret among a group of individuals in a verifiable manner, such that shareholders can verify the validity of their received share and only a specific number of them can access the secret. VSS is a fundamental tool in cryptography and distributed computing. In this paper, we present an extremely efficient NI-VSS scheme using Zero-Knowledge (ZK) proofs on secret shared data. While prior VSS schemes have implicitly used ZK proofs on secret shared data, we specifically use their formal definition recently provided by Boneh et al. in CRYPTO 2019. The proposed NI-VSS scheme uses a quantum random oracle and a quantum computationally hiding commitment scheme in a black-box manner, which ensures its ease of use, especially in post-quantum threshold protocols. Implementation results further solidify its practicality and superiority over current constructions. With the new VSS scheme, for parameter sets $(n, t)=(128, 63)$ and $(2048, 1023)$, a dealer can share a secret in less than $0.02$ and $2.0$ seconds, respectively, and shareholders can verify their shares in less than $0.4$ and $5.0$ milliseconds. Compared to the well-established Pedersen VSS scheme, for the same parameter sets, at the cost of $2.5\times$ higher communication, the new scheme is respectively $22.5\times$ and $3.25\times$ faster in the sharing phase, and notably needs $271\times$ and $479\times$ less time in the verification. Leveraging the new NI-VSS scheme, we revisit several classic and PQ-secure threshold protocols and improve their efficiency. Our revisions led to more efficient versions of both the Pedersen DKG protocol and the GJKR threshold signature scheme. We show similar efficiency enhancements and improved resilience to malicious parties in isogeny-based DKG and threshold signature schemes. We think, due to its remarkable efficiency and ease of use, the new NI-VSS scheme can be a valuable tool for a wide range of threshold protocols.
2023
TCC
Round-Robin is Optimal: Lower Bounds for Group Action Based Protocols
Abstract
An hard homogeneous space (HHS) is a finite group acting on a set with
the group action being hard to invert and the set lacking any algebraic
structure.
As such HHS could potentially replace finite groups where the discrete logarithm is hard for building cryptographic primitives and protocols in a post-quantum world.
Threshold HHS-based primitives typically require parties to compute the group action of a secret-shared input on a public set element.
On one hand this could be done through generic MPC techniques, although they incur in prohibitive costs due to the high complexity of circuits evaluating group actions known to date.
On the other hand round-robin protocols only require black box usage of the HHS.
However these are highly sequential procedures, lasting as many rounds as parties involved.
The high round complexity appears to be inherent due the lack of homomorphic properties in HHS, yet no lower bounds were known so far.
In this work we formally show that round-robin protocols are optimal.
In other words, any \textit{at least passively secure} distributed computation of a group action making black-box use of an HHS must take a number of rounds greater or equal to the threshold parameter.
We furthermore study \textit{fair} protocols in which all users receive the output in the same round (unlike plain round-robin), and prove communication and computation lower bounds of $\Omega(n \log_2 n)$ for $n$ parties.
Our results are proven in Shoup's Generic Action Model (GAM), and hold regardless of the underlying computational assumptions.
2021
ASIACRYPT
Gladius: LWR based efficient hybrid public key encryption with distributed decryption
📺
Abstract
Standard hybrid encryption schemes based on the KEM-DEM framework are hard to implement efficiently in a distributed manner whilst maintaining the CCA security property of the scheme. This is because the DEM needs to be decrypted under the key encapsulated by the KEM, before the whole ciphertext is declared valid. In this paper we present a new variant of the KEM-DEM framework, closely related to Tag-KEMs, which sidesteps this issue. We then present a post-quantum KEM for this framework based on Learning-with-Rounding, which is designed specifically to have fast distributed decryption. Our combined construction of a hybrid encryption scheme with Learning-with-Rounding based KEM, called Gladius, is closely related to the NIST Round 3 candidate called Saber. Finally, we give a prototype distributed implementation that achieves a decapsulation time of 4.99 seconds for three parties.
Coauthors
- Shahla Atapoor (1)
- Karim Baghery (1)
- Ignacio Cascudo (1)
- Kelong Cong (1)
- Daniele Cozzo (4)
- Emanuele Giunta (2)
- Varun Maram (1)
- Robi Pedersen (1)
- Nigel P. Smart (1)