A threshold pseudorandom function construction and its applications
- 格式:pdf
- 大小:192.62 KB
- 文档页数:16
AThresholdPseudorandomFunction
ConstructionandItsApplications
JesperBuusNielsen
BRICSDepartmentofComputerScienceUniversityofAarhusNyMunkegadeDK-8000ArhusC,Denmark
Abstract.Wegivethefirstconstructionofapracticalthresholdpseudo-randomfunction.Theprotocolforevaluatingthefunctionisefficientenoughthatitcanbeusedtoreplacerandomoraclesinsomeprotocolsrelyingonsuchoracles.Inparticular,weshowhowtotransformtheeffi-cientcryptographicallysecureByzantineagreementprotocolbyCachin,KursaweandShoupfortherandomoraclemodelintoacryptographi-callysecureprotocolforthecomplexitytheoreticmodelwithoutloosingefficiencyorresilience,therebyconstructinganefficientandoptimallyre-silientByzantineagreementprotocolforthecomplexitytheoreticmodel.
1Introduction
ThenotionofpseudorandomfunctionwasintroducedbyGoldreich,Goldwasser
andMicali[GGM86]andhasfoundinnumerableapplications.Apseudorandom
functionfamilyisafunctionFtakingasinputakeyKandelementx,wewrite
FK(x),whereforarandomkeytheoutputofFKcannotbedistinguishedfrom
uniformlyrandomvaluesifonedoesnotknowthekey.Ifonehavetorequire
thattheinputofFKisuniformlyrandomfortheoutputofFKtolookuniformly
random,wesaythatFisweakpseudorandom.
Oneimmediateapplicationofpseudorandomfunctionsisusingthemforim-
plementingrandomoracles:Consideraprotocolsettingwithnparties.Ac-
thresholdrandomoraclewithdomainDisanidealfunctionality(ortrusted
party).Aftercpartieshaveinput(evaluate,x),wheresayx∈{0,1}∗,the
functionalitywillreturnauniformlyrandomvaluerxR←Dtoallpartiesthat
input(evaluate,x).Thisfunctionalitydefinesauniformlyrandomfunctionfrom
{0,1}∗toD.Numerousprotocolconstructionsareknownthatcanbeproved
secureassumingthatarandomoracleisavailable.However,anyimplementation
ofsuchaprotocolmustalsoprovideanimplementationoftheoracle.Inprac-
tice,ahashfunctionisoftenusedtoreplacea1-randomoracle,butthenthe
implementationisonlysecureifanadversarycandonobetterwiththehash
buus@brics.dk.BasicResearchinComputerScience,CentreoftheDanishNationalResearchFoundation.404J.B.Nielsen
functionthanhecouldwiththeoracle.Thisissomethingthatingeneralcannot
beproved,butmustbeabeliefbasedonheuristics—infact,forsomeprotocols,
thisbeliefisalwayswrong[CGH98,Nie02].
Incontrast,pseudorandomfunctionscanbeusedtoimplementrandomora-
cleswithoutlossofsecurity.ThiscanbedonebygeneratingKatthebeginning
oftheprotocolandlettingrx=FK(x)whenrxisneeded.Itishoweverclearly
necessarythatnopartyshouldknowthekeyofFK,sincetheoutputofapseudo-
randomfunctiononlylooksrandomtopartieswhodonothavethekey.Therefore
thekey—andhencealsoabilitytoevaluatethefunction—mustbedistributed
amongthepartiesusing,forinstance,athresholdsecret-sharingscheme.
OurResultsInthispaperweconstructanewpseudorandomfunctionfamily.
ThekeywillbeaprimeQ,whereP=2Q+1isalsoaprime,arandom
valuexfromthesubgroupQPofZ∗PoforderQ,alongwith2lrandomvalues
{αj,b}j=1,...,l,b=0,1fromZQ.Thefunctionfamilymapsfromthesetofstringsof
lengthatmostltoQP,andgivenσ=(σ1,...,σm)∈{0,1}≤l,theoutputwill
bexmi=1αi,σimodP.Weprovethisfunctionfamilysecureunderthedecisional
Diffie-Hellman(DDH)assumption.
Moreimportantly,wegiveasecuren-partyprotocolforevaluatingthefunc-
tion.Ourprotocolisfortheasynchronousmodelwithauthenticatedpublicpoint-
to-pointchannels.Thisisaveryrealisticmodelofcommunicationandcanbe
efficientlyimplemented[CHH00].Theprotocolisstaticallysecureaslongasless
thann/3partiesmisbehave.Insomeapplicationstheprotocolcancommunicate
asmuchasO(ln2k)bitsperevaluation,wherekisthesecurityparameter(for
eachexponenteachpartysendstoeachotherpartykbits).However,inmany
usesthecommunicationcomplexitywillbeO(n2k)bits.
Todemonstratetheapplicabilityofournewthresholdpseudorandomfunc-
tion,wedescribehowtoimplementefficientByzantineagreement(BA)inthe
complexitytheoreticmodel,byreplacingtherandomoraclesintheprotocol
[CKS00]withourthresholdpseudorandomfunction.Theresultingprotocolhas
thesameresilienceastheprotocolin[CKS00],namelyresilienceagainstamali-
ciouscoalitionofonethirdoftheparties.Ithasthesamecommunicationcom-
plexityofO(n2k)bitsperactivationandthesame(constant)roundcomplexity
uptoasmallconstantfactor.Aspartoftheimplementationweshowhowto
replacetherandomoraclesinthethresholdsignatureschemefrom[Sho00]by
ourthresholdpseudorandomfunction.
RelatedWorkThenotionofdistributedpseudorandomfunction,whichissim-
ilartoourthresholdpseudorandomfunction,wasintroducedbyNaor,Pinkas
andReingoldin[NPR99].Theydonotdefinedistributedpseudorandomfunc-
tionsinageneralmultipartycomputationmodel—theirmodelismoread-hoc
andimplementation-near.Sincetherearedifferencesbetweenthetwonotions,
wehavechosenadifferentnameforourdefinition.
Untilnowthemostefficientknownconstructionofthresholdpseudorandom
functionswasusinggeneralmultipartycomputationtechniquesorcoin-tosspro-