Abstract
The security of many powerful cryptographic systems such as secure multiparty computation, threshold encryption, and threshold signatures rests on trust assumptions about the parties. The de-facto model treats all parties equally and requires that a certain fraction of the parties are honest. While this paradigm of one-person-one-vote has been very successful over the years, current and emerging practical use cases suggest that it is outdated.
In this work, we consider weighted cryptosystems where every party is assigned a certain weight and the trust assumption is that a certain fraction of the total weight is honest. This setting can be translated to the standard setting (where each party has a unit weight) via virtualization. However, this method is quite expensive, incurring a multiplicative overhead in the weight.
We present new weighted cryptosystems with significantly better efficiency: our proposed schemes incur only an additive overhead in weights.
- We first present a weighted ramp secret-sharing scheme (WRSS) where the size of a secret share is O(w) (where w corresponds to the weight). In comparison, Shamir's secret sharing with virtualization requires secret shares of size \(w\cdot \lambda \), where \(\lambda =\log |{\mathbb {F}}|\) is the security parameter.
- Next, we use our WRSS to construct weighted versions of (semi-honest) secure multiparty computation (MPC), threshold encryption, and threshold signatures. All these schemes inherit the efficiency of our WRSS and incur only an additive overhead in weights.
Our WRSS is based on the Chinese remainder theorem-based secret-sharing scheme. Interestingly, this secret-sharing scheme is non-linear and only achieves statistical privacy. These distinct features introduce several technical hurdles in applications to MPC and threshold cryptosystems. We resolve these challenges by developing several new ideas.
S. Garg, M. Wang, and Y. Zhang were supported in part by DARPA under Agreement No. HR00112020026, AFOSR Award FA9550-19-1-0200, NSF CNS Award 1936826, and research grants by the Sloan Foundation and Visa Inc. The second author was supported in part by NSF CNS-1814919, NSF CAREER 1942789, a Johns Hopkins University Catalyst award, AFOSR Award FA9550-19-1-0200, a JP Morgan Faculty Award, and research gifts from Ethereum, Stellar and Cisco. Any opinions, findings and conclusions, or recommendations in this material are those of the authors and do not necessarily reflect the views of the United States Government or DARPA.
Notes
1. In all theorems, the size and the communication complexity are measured in bits.
2. This can always be achieved by multiplying all weights by a large enough factor.
3. Their scheme is described informally on page 6, after Remark 1. See the online version at https://core.ac.uk/download/pdf/147979029.pdf of the paper [31].
4. To the best of our knowledge, the only formal security analysis for CRT-based secret sharing appears in [27], where they studied how to error-correct CRT-based codes.
5. For instance, if the wiretap channel in use is the binary symmetric channel, the share size is \(\varTheta \left( \frac{1}{(\alpha -\beta )^2}\right) \). We refer the readers to their paper for details.
6. To elaborate, in their scheme, the secret s is viewed as a binary string and encoded using some binary error-correcting code \(\textsf{Enc}(s)\) padded with n instances of noise \(\rho _1,\rho _2,\ldots ,\rho _n\), i.e., \(\textsf{Enc}(s)\oplus \rho _1\oplus \cdots \oplus \rho _n\). The noisy encoding is public, while the secret share of party i is \(\rho _i\). Intuitively, one reconstructs the secret by canceling the noise in the noisy encoding with the secret shares. With sufficiently many secret shares, one can reconstruct the secret; with few secret shares, the encoding is noisy enough to hide s. Clearly, one cannot locally compute a secret sharing of, for instance, \(x+y\in \mathbb F\) given the secret shares of both x and y.
7. We consider linear schemes over the natural field \({\mathbb {F}}\) that the secret lives in. In particular, the discussion here does not include the linear ramp scheme that we discussed in Sect. 1.2, which is over some unnatural field \({\mathbb {F}}'\) that breaks the algebraic structure of the secret.
8. Unless one could generically transform a set of weights \(\{w_i\}\) to another set of weights \(\{w'_i\}\) that are significantly smaller (i.e., \(w'_i = o(w_i)\)) but define the same access structure. However, this seems extremely challenging, if at all possible.
9. We note that \(\lambda _i\) can be efficiently computed. Refer to Remark 2.
10. In fact, their statistical distance is quite large. In particular, the distribution of the integer \(X+Y\), where \(X = x+u\cdot p_0\) and \(Y=y+u'\cdot p_0\), is very different from that of the integer \((x+y)+u''\cdot p_0\).
11. We call this a degree reduction protocol as it is reminiscent of the degree reduction protocol in the BGW protocol based on Shamir's secret sharing. In Shamir's secret sharing, the product of two secrets shared by a degree-t polynomial is shared by a degree-2t polynomial. A degree reduction protocol in this case brings the degree of the polynomial back down to t.
12. Measured by the parameter L.
13. To ensure they are coprime, we may pick \(p_i\) to be a distinct prime of length \(w_i\).
14. There are \(2^{w_i}/(n+1)\) many integers between \(2^{w_i}/(1+1/n)\) and \(2^{w_i}\), among which there are asymptotically \(2^{w_i}/((n+1)\cdot w_i)\) many prime numbers. Therefore, as long as \(w_i\) is large enough, e.g., \(\textsf{polylog}(\lambda )\), one can always pick a \(p_i\) for all parties. Even if the smallest \(w_i\) is a small constant, one can always multiply every weight by some small factor to enable this.
15. I.e., the cumulative weight of the corrupted parties is less than half of the total weight.
16. The term p/N will always be small since p is the product of the adversary's \(p_i\), which is at most \(2^t\). The WRSS scheme requires that whenever we pick a random lift integer, we always pick a domain much larger than \(2^t\).
References
Applebaum, B., Beimel, A., Farràs, O., Nir, O., Peter, N.: Secret-sharing schemes for general and uniform access structures. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 441–471. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_15
Applebaum, B., Beimel, A., Nir, O., Peter, N.: Better secret sharing via robust conditional disclosure of secrets. In: Makarychev, K., Makarychev, Y., Tulsiani, M., Kamath, G., Chuzhoy, J. (eds.), 52nd ACM STOC, pp. 280–293. ACM Press, June 2020
Applebaum, B., Nir, O.: Upslices, downslices, and secret-sharing with complexity of \(1.5^n\). In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part III. LNCS, vol. 12827, pp. 627–655. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_21
Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptology 30(1), 58–151 (2017)
Asmuth, C., Bloom, J.: A modular approach to key safeguarding. IEEE Trans. Inf. Theory 29(2), 208–210 (1983)
Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34
Beck, G., Goel, A., Jain, A., Kaptchuk, G.: Order-c secure multiparty computation for highly repetitive circuits. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part II. LNCS, vol. 12697, pp. 663–693. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77886-6_23
Beimel, A., Ishai, Y.: On the power of nonlinear secret-sharing. IACR Cryptol. ePrint Arch., p. 30 (2001)
Beimel, A., Tassa, T., Weinreb, E.: Characterizing ideal weighted threshold secret sharing. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 600–619. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_32
Beimel, A., Weinreb, E.: Monotone circuits for monotone weighted threshold functions. Inf. Process. Lett. 97(1), 12–18 (2006)
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th ACM STOC, pp. 1–10. ACM Press, May 1988
Benhamouda, F., Halevi, S., Stambler, L.: Weighted secret sharing from wiretap channels. In: ITC (2023)
Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 242–268. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_20
Breidenbach, L., et al.: Chainlink 2.0: next steps in the evolution of decentralized oracle networks. Chainlink Labs (2021)
Chaidos, P., Kiayias, A.: Mithril: stake-based threshold multisignatures. Cryptology ePrint Archive, Report 2021/916 (2021). https://eprint.iacr.org/2021/916
Choudhuri, A.R., Goel, A., Green, M., Jain, A., Kaptchuk, G.: Fluid MPC: secure multiparty computation with dynamic participants. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 94–123. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_4
Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_23
Damgård, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_14
Desmedt, Y.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_8
Desmedt, Y., Frankel, Y.: Threshold cryptosystems. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 307–315. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_28
Ellis, S., Juels, A., Nazarov, S.: Chainlink: a decentralized oracle network. Retrieved March 11(2018), 1 (2017)
Escudero, D., Goyal, V., Polychroniadou, A., Song, Y.: TurboPack: honest majority MPC with constant online communication. In: Yin, H., Stavrou, A., Cremers, C., Shi, E. (eds.), ACM CCS 2022, pp. 951–964. ACM Press, November 2022
Franklin, M.K., Yung, M.: Communication complexity of secure computation (extended abstract). In: 24th ACM STOC, pp. 699–710. ACM Press, May 1992
Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Lie, D., Mannan, M., Backes, M., Wang, X.F. (eds.), ACM CCS 2018, pp. 1179–1194. ACM Press, October 2018
Gentry, C., et al.: YOSO: you only speak once. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 64–93. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_3
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.), 19th ACM STOC, pp. 218–229. ACM Press, May 1987
Goldreich, O., Ron, D., Sudan, M.: Chinese remaindering with errors. In: 31st ACM STOC, pp. 225–234. ACM Press, May 1999
Goyal, V., Polychroniadou, A., Song, Y.: Unconditional communication-efficient MPC via hall’s marriage theorem. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part II. LNCS, vol. 12826, pp. 275–304. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84245-1_10
Harn, L., Miao, F.: Weighted secret sharing based on the Chinese remainder theorem. Int. J. Netw. Secur. 16(6), 420–425 (2014)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Iftene, S., Boureanu, I.: Weighted threshold secret sharing based on the Chinese remainder theorem. Sci. Ann. Cuza Univ. 15, 161–172 (2005)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
Lindell, Y., Nof, A.: Fast secure multiparty ECDSA with practical distributed key generation and applications to cryptocurrency custody. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.), ACM CCS 2018, pp. 1837–1854. ACM Press, October 2018
Liu, T., Vaikuntanathan, V.: Breaking the circuit-size barrier in secret sharing. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.), 50th ACM STOC, pp. 699–708. ACM Press, June 2018
Mignotte, M.: How to share a secret. In: Beth, T. (ed.) EUROCRYPT 1982. LNCS, vol. 149, pp. 371–375. Springer, Heidelberg (1983). https://doi.org/10.1007/3-540-39466-4_27
Morillo, P., Padró, C., Sáez, G., Villar, J.L.: Weighted threshold secret sharing schemes. Inf. Process. Lett. 70(5), 211–216 (1999)
National Institute of Standards and Technology: Multi-party threshold cryptography (2018)
Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Stathakopoulous, C., Cachin, C.: Threshold signatures for blockchain systems. Swiss Federal Institute of Technology, vol. 30 (2017)
Stinson, D.R., Wei, R.: An application of ramp schemes to broadcast encryption. Inf. Process. Lett. 69(3), 131–135 (1999)
Vinod, V., Narayanan, A., Srinathan, K., Rangan, C.P., Kim, K.: On the power of computational secret sharing. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 162–176. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_12
Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986
Zou, X., Maino, F., Bertino, E., Sui, Y., Wang, K., Li, F.: A new approach to weighted multi-secret sharing. In: Wang, H., Li, J., Rouskas, G.N., Zhou, X. (eds.), Proceedings of 20th International Conference on Computer Communications and Networks, ICCCN 2011, Maui, Hawaii, USA, July 31–August 4, 2011, pp. 1–6. IEEE (2011)
© 2023 International Association for Cryptologic Research
Garg, S., Jain, A., Mukherjee, P., Sinha, R., Wang, M., Zhang, Y. (2023). Cryptography with Weights: MPC, Encryption and Signatures. In: Handschuh, H., Lysyanskaya, A. (eds) Advances in Cryptology – CRYPTO 2023. CRYPTO 2023. Lecture Notes in Computer Science, vol 14081. Springer, Cham. https://doi.org/10.1007/978-3-031-38557-5_10
DOI: https://doi.org/10.1007/978-3-031-38557-5_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-38556-8
Online ISBN: 978-3-031-38557-5