A threshold pseudorandom function construction and its applications

  • 格式:pdf
  • 大小:192.62 KB
  • 文档页数:16

AThresholdPseudorandomFunction

ConstructionandItsApplications

JesperBuusNielsen󰀤

BRICS󰀁󰀁DepartmentofComputerScienceUniversityofAarhusNyMunkegadeDK-8000ArhusC,Denmark

Abstract.Wegivethefirstconstructionofapracticalthresholdpseudo-randomfunction.Theprotocolforevaluatingthefunctionisefficientenoughthatitcanbeusedtoreplacerandomoraclesinsomeprotocolsrelyingonsuchoracles.Inparticular,weshowhowtotransformtheeffi-cientcryptographicallysecureByzantineagreementprotocolbyCachin,KursaweandShoupfortherandomoraclemodelintoacryptographi-callysecureprotocolforthecomplexitytheoreticmodelwithoutloosingefficiencyorresilience,therebyconstructinganefficientandoptimallyre-silientByzantineagreementprotocolforthecomplexitytheoreticmodel.

1Introduction

ThenotionofpseudorandomfunctionwasintroducedbyGoldreich,Goldwasser

andMicali[GGM86]andhasfoundinnumerableapplications.Apseudorandom

functionfamilyisafunctionFtakingasinputakeyKandelementx,wewrite

FK(x),whereforarandomkeytheoutputofFKcannotbedistinguishedfrom

uniformlyrandomvaluesifonedoesnotknowthekey.Ifonehavetorequire

thattheinputofFKisuniformlyrandomfortheoutputofFKtolookuniformly

random,wesaythatFisweakpseudorandom.

Oneimmediateapplicationofpseudorandomfunctionsisusingthemforim-

plementingrandomoracles:Consideraprotocolsettingwithnparties.Ac-

thresholdrandomoraclewithdomainDisanidealfunctionality(ortrusted

party).Aftercpartieshaveinput(evaluate,x),wheresayx∈{0,1}∗,the

functionalitywillreturnauniformlyrandomvaluerxR←Dtoallpartiesthat

input(evaluate,x).Thisfunctionalitydefinesauniformlyrandomfunctionfrom

{0,1}∗toD.Numerousprotocolconstructionsareknownthatcanbeproved

secureassumingthatarandomoracleisavailable.However,anyimplementation

ofsuchaprotocolmustalsoprovideanimplementationoftheoracle.Inprac-

tice,ahashfunctionisoftenusedtoreplacea1-randomoracle,butthenthe

implementationisonlysecureifanadversarycandonobetterwiththehash

󰀁buus@brics.dk.󰀁󰀁BasicResearchinComputerScience,CentreoftheDanishNationalResearchFoundation.404J.B.Nielsen

functionthanhecouldwiththeoracle.Thisissomethingthatingeneralcannot

beproved,butmustbeabeliefbasedonheuristics—infact,forsomeprotocols,

thisbeliefisalwayswrong[CGH98,Nie02].

Incontrast,pseudorandomfunctionscanbeusedtoimplementrandomora-

cleswithoutlossofsecurity.ThiscanbedonebygeneratingKatthebeginning

oftheprotocolandlettingrx=FK(x)whenrxisneeded.Itishoweverclearly

necessarythatnopartyshouldknowthekeyofFK,sincetheoutputofapseudo-

randomfunctiononlylooksrandomtopartieswhodonothavethekey.Therefore

thekey—andhencealsoabilitytoevaluatethefunction—mustbedistributed

amongthepartiesusing,forinstance,athresholdsecret-sharingscheme.

OurResultsInthispaperweconstructanewpseudorandomfunctionfamily.

ThekeywillbeaprimeQ,whereP=2Q+1isalsoaprime,arandom

valuexfromthesubgroupQPofZ∗PoforderQ,alongwith2lrandomvalues

{αj,b}j=1,...,l,b=0,1fromZQ.Thefunctionfamilymapsfromthesetofstringsof

lengthatmostltoQP,andgivenσ=(σ1,...,σm)∈{0,1}≤l,theoutputwill

bex󰀁mi=1αi,σimodP.Weprovethisfunctionfamilysecureunderthedecisional

Diffie-Hellman(DDH)assumption.

Moreimportantly,wegiveasecuren-partyprotocolforevaluatingthefunc-

tion.Ourprotocolisfortheasynchronousmodelwithauthenticatedpublicpoint-

to-pointchannels.Thisisaveryrealisticmodelofcommunicationandcanbe

efficientlyimplemented[CHH00].Theprotocolisstaticallysecureaslongasless

thann/3partiesmisbehave.Insomeapplicationstheprotocolcancommunicate

asmuchasO(ln2k)bitsperevaluation,wherekisthesecurityparameter(for

eachexponenteachpartysendstoeachotherpartykbits).However,inmany

usesthecommunicationcomplexitywillbeO(n2k)bits.

Todemonstratetheapplicabilityofournewthresholdpseudorandomfunc-

tion,wedescribehowtoimplementefficientByzantineagreement(BA)inthe

complexitytheoreticmodel,byreplacingtherandomoraclesintheprotocol

[CKS00]withourthresholdpseudorandomfunction.Theresultingprotocolhas

thesameresilienceastheprotocolin[CKS00],namelyresilienceagainstamali-

ciouscoalitionofonethirdoftheparties.Ithasthesamecommunicationcom-

plexityofO(n2k)bitsperactivationandthesame(constant)roundcomplexity

uptoasmallconstantfactor.Aspartoftheimplementationweshowhowto

replacetherandomoraclesinthethresholdsignatureschemefrom[Sho00]by

ourthresholdpseudorandomfunction.

RelatedWorkThenotionofdistributedpseudorandomfunction,whichissim-

ilartoourthresholdpseudorandomfunction,wasintroducedbyNaor,Pinkas

andReingoldin[NPR99].Theydonotdefinedistributedpseudorandomfunc-

tionsinageneralmultipartycomputationmodel—theirmodelismoread-hoc

andimplementation-near.Sincetherearedifferencesbetweenthetwonotions,

wehavechosenadifferentnameforourdefinition.

Untilnowthemostefficientknownconstructionofthresholdpseudorandom

functionswasusinggeneralmultipartycomputationtechniquesorcoin-tosspro-