MPC. Assuming fully homomorphic encryption, a function $f : (\{0,1\}^{\ell_{\mathrm{in}}})^n \to \{0,1\}^{\ell_{\mathrm{out}}}$ can be securely computed with guaranteed output delivery tolerating a static, malicious $\beta n$-adversary, such that the total communication complexity (of all parties) is $n \cdot \mathrm{polylog}(n) \cdot \mathrm{poly}(\kappa) \cdot (\ell_{\mathrm{in}} + \ell_{\mathrm{out}})$ bits.

One remark regarding the corruption model is in order. In this work we consider static adversaries that choose the set of corrupted parties before the beginning of the protocol. As mentioned above, our constructions are based on some form of trusted setup, which, as we prove below, is necessary. We emphasize that (as is standard) we avoid trivialized settings, e.g., where the trusted setup determines a polylog(n)-degree communication tree for achieving full agreement, by considering the adversarial model where the adversary can corrupt parties adaptively during the setup phase, given the setup information of the corrupted parties and any public setup information. During the online phase the adversary is static and cannot corrupt additional parties.

Our first construction is influenced by the "sortition approach" of Algorand [31] and merely requires one-way functions (OWF); however, the public-key infrastructure (PKI) is assumed to be honestly generated (either by the parties themselves or by an external trusted third party), and corrupted parties cannot alter their keys. The construction is based on digital signatures augmented with an oblivious key-generation algorithm for sampling a verification key without knowing the corresponding signing key.12 Lamport's signatures [72], which are based on OWF, can easily be adjusted to support this property. To establish the PKI, every party decides whether to generate its public verification key obliviously or together with a signing key by tossing a biased coin, such that with overwhelming probability all but polylog(n) keys are generated obliviously. Since those with the ability to sign are determined at random (as part of the trusted PKI), only parties who hold a signing key can sign messages. The oblivious key-generation algorithm ensures that an adversary who only sees a list of verification keys cannot distinguish between the keys that have a corresponding signing key and those that do not. As a result, even if the adversary chooses the set of corrupt parties after the keys are sampled, with high probability the fraction of honest parties is preserved in the signing subset. SRDS signature aggregation is done by concatenation, and verification of an SRDS signature requires counting how many valid signatures were produced on the message.

It would be desirable to reduce the trust assumption in establishing the PKI, e.g., by using verifiable pseudorandom functions (VRF) [82] as done in [31]. However, this approach does not seem to translate to our setting. Indeed, [31] is defined within a blockchain model where a fresh random string (the hash of the recent block) is assumed to be consistently available to all parties later in the protocol and serves as the seed for the sortition; equivalently, that parties have access to a common random string (CRS) independent of corrupted parties' public keys. Without this extra model assumption, their VRF approach does not apply. We note that several recent consensus protocols [1, 26, 36, 27, 38, 11, 95, 94] also follow the sortition approach of [31]; however, similarly to our first construction, their PKI is assumed to be honestly generated by a trusted third party.

12 We note that standard signatures can be used if we strengthen the model assumptions, e.g., by assuming that a party can securely erase its signing key, or by considering a trusted party that only provides the verification keys to some parties. We opted not to rely on stronger model assumptions, since we can establish signatures with oblivious key generation from the minimal assumption of one-way functions.
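The construction sketched above (oblivious key generation for Lamport signatures, the biased-coin PKI in which only a random minority holds signing keys, and SRDS aggregation by concatenation with verification by counting) as a runnable illustration. This is an added example, not code from the paper or its authors. It assumes SHA-256 in the role of the one-way function, treats its outputs on random inputs as indistinguishable from uniform (which is what makes an obliviously sampled verification key look like a real one), takes the coin bias p as a free parameter rather than the paper's polylog(n)/n, and uses a constructed sample message and a hypothetical adversary rule (corrupt the parties with the smallest first digest) chosen only as a function of the verification keys:

```python
"""Added example (not the paper's code): Lamport one-time signatures with an
oblivious key-generation algorithm, a sortition-style honestly generated PKI in
which most parties hold only obliviously sampled verification keys, and an
SRDS-style aggregate formed by concatenation and verified by counting."""
import hashlib
import hmac
import random

SEC = 32     # byte length of preimages and digests
BITS = 256   # digest bits = number of preimage pairs in a Lamport key


def H(x: bytes) -> bytes:
    # SHA-256 stands in for the one-way function (assumption of this example).
    return hashlib.sha256(x).digest()


def rb(rng: random.Random) -> bytes:
    return rng.getrandbits(8 * SEC).to_bytes(SEC, "big")


def keygen(rng):
    """Lamport keygen: vk[i][b] = H(sk[i][b]) for 256 positions i and bits b."""
    sk = [(rb(rng), rb(rng)) for _ in range(BITS)]
    return sk, [(H(a), H(b)) for a, b in sk]


def oblivious_keygen(rng):
    """Sample a verification key with no signing key: every entry is a uniformly
    random digest. Assumption: H on random inputs is indistinguishable from
    uniform (a PRG-like H, obtainable from any OWF), so this vk is
    indistinguishable from a real one."""
    return [(rb(rng), rb(rng)) for _ in range(BITS)]


def _bit(d: bytes, i: int) -> int:
    return (d[i // 8] >> (7 - i % 8)) & 1


def sign(sk, msg: bytes) -> bytes:
    d = H(msg)
    return b"".join(sk[i][_bit(d, i)] for i in range(BITS))


def verify(vk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != BITS * SEC:
        return False
    d = H(msg)
    return all(hmac.compare_digest(H(sig[i * SEC:(i + 1) * SEC]), vk[i][_bit(d, i)])
               for i in range(BITS))


def setup_pki(n: int, p: float, rng):
    """Honest PKI: each party tosses a coin of bias p; heads gives a real
    (sk, vk) pair, tails an oblivious vk only. The paper picks p so that all
    but polylog(n) keys are oblivious; here p is a free parameter."""
    sks, vks = [], []
    for _ in range(n):
        sk, vk = keygen(rng) if rng.random() < p else (None, oblivious_keygen(rng))
        sks.append(sk)
        vks.append(vk)
    return sks, vks


def srds_verify(vks, msg: bytes, aggregate, threshold: int) -> bool:
    """Aggregate = concatenation (a list) of (party index, signature) pairs;
    accept iff at least `threshold` distinct parties gave a valid signature."""
    counted, valid = set(), 0
    for i, sig in aggregate:
        if i not in counted:
            counted.add(i)
            valid += verify(vks[i], msg, sig)
    return valid >= threshold


def corrupt_after_setup(vks, beta: float):
    """Static adversary choosing beta*n corruptions after seeing every vk. Any
    rule computed from the vks alone (hypothetical rule here: smallest first
    digest) hits real signers at rate about beta, since oblivious and real vks
    look alike."""
    order = sorted(range(len(vks)), key=lambda i: vks[i][0][0])
    return set(order[: int(beta * len(vks))])


def signer_census(sks, corrupt):
    signers = [i for i, sk in enumerate(sks) if sk is not None]
    return len(signers), sum(1 for i in signers if i in corrupt)


def demo(n=1000, p=0.1, beta=0.25, seed=7):
    rng = random.Random(seed)
    sks, vks = setup_pki(n, p, rng)
    corrupt = corrupt_after_setup(vks, beta)
    total, bad = signer_census(sks, corrupt)
    msg = b"agree on value 1"                       # constructed sample message
    honest = [i for i, sk in enumerate(sks) if sk is not None and i not in corrupt]
    agg = [(i, sign(sks[i], msg)) for i in honest]
    agg.append(agg[0])                              # duplicate must not double count
    j = next(i for i, sk in enumerate(sks) if sk is None)
    agg.append((j, bytes(BITS * SEC)))              # non-signer cannot contribute
    return {"signers": total, "corrupt_signers": bad,
            "lamport_ok": verify(vks[honest[0]], msg, agg[0][1]),
            "tampered_rejected": not verify(vks[honest[0]], b"agree on value 0", agg[0][1]),
            "accept": srds_verify(vks, msg, agg, len(honest)),
            "reject_one_more": not srds_verify(vks, msg, agg, len(honest) + 1)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the text relies on: the adversary, although it picks its corruptions after seeing all verification keys, ends up with roughly a beta fraction of the real signers (about 100 signers, about 25 of them corrupt, with these parameters), and the SRDS verifier counts each signer once, ignores an entry from a party with an oblivious key, and accepts exactly when the number of valid distinct signatures reaches the threshold.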
Appears in 1 contract
Sources: Byzantine Agreement