Paper 2021/339

Non-interactive distributed key generation and key resharing

Jens Groth

Abstract

We present a non-interactive publicly verifiable secret sharing scheme where a dealer can construct a Shamir secret sharing of a field element and confidentially yet verifiably distribute shares to multiple receivers. We also develop a non-interactive publicly verifiable resharing scheme where existing share holders of a Shamir secret sharing can create a new Shamir secret sharing of the same secret and distribute it to a set of receivers in a confidential, yet verifiable manner. A public key may be associated with the secret being shared in the form of a group element raised to the secret field element. We use our verifiable secret sharing scheme to construct a non-interactive distributed key generation protocol that creates such a public key together with a secret sharing of the discrete logarithm. We also construct a non-interactive distributed resharing protocol that preserves the public key but creates a fresh secret sharing of the secret key and hands it to a set of receivers, which may or may not overlap with the original set of share holders. Our protocols build on a new pairing-based CCA-secure public-key encryption scheme with forward secrecy. As a consequence our protocols can use static public keys for participants but still provide compromise protection. The scheme uses chunked encryption, which comes at a cost, but the cost is offset by a saving gained by our ciphertexts being comprised only of source group elements and no target group elements. A further efficiency saving is obtained in our protocols by extending our single-receiver encryption scheme to a multi-receiver encryption scheme, where the ciphertext is up to a factor 5 smaller than just having single-receiver ciphertexts. The non-interactive key management protocols are deployed on the Internet Computer to facilitate the use of threshold BLS signatures. The protocols provide a simple interface to remotely create secret-shared keys to a set of receivers, to refresh the secret sharing whenever there is a change of key holders, and provide proactive security against mobile adversaries.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint.
Keywords
Distributed key generationresharingthreshold signaturesencryption with forward secrecynon-interactive zero-knowledge proofs
Contact author(s)
jens @ dfinity org
History
2021-03-17: received
Short URL
https://ia.cr/2021/339
License
Creative Commons Attribution
CC BY

BibTeX 

@misc{cryptoeprint:2021/339,
      author = {Jens Groth},
      title = {Non-interactive distributed key generation and key resharing},
      howpublished = {Cryptology ePrint Archive, Paper 2021/339},
      year = {2021},
      note = {\url{https://eprint.iacr.org/2021/339}},
      url = {https://eprint.iacr.org/2021/339}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.