Threshold encryption with silent setup

We build a concretely efficient threshold encryption scheme where the joint public key of a set of parties is computed as a deterministic function of their locally computed public keys, enabling a silent setup phase. By eliminating interaction from the setup phase, our scheme immediately enjoys several highly desirable features such as asynchronous setup, multiverse support, and dynamic threshold.

Prior to our work, the only known constructions of threshold encryption with silent setup relied on heavy cryptographic machinery such as indistinguishability obfuscation or witness encryption for all of NP. Our core technical innovation lies in building a special-purpose witness encryption scheme for the statement "at least t parties have signed a given message". Our construction relies on pairings and is proved secure in the Generic Group Model.

Notably, our construction, restricted to the special case of threshold t=1, gives an alternative construction of the (flexible) distributed broadcast encryption from pairings, which has been the central focus of several recent works.

We implement and evaluate our scheme to demonstrate its concrete efficiency. Both encryption and partial decryption are constant time, taking <7ms and <1ms, respectively. For a committee of 1024 parties, the aggregation of partial decryptions takes <200ms, when all parties provide partial decryptions. The size of each ciphertext is ≈8× larger than an ElGamal ciphertext.