Efficient Distributed Keys Generation of Threshold Paillier Cryptosystem

Abstract

Paillier cryptosystem is the building block of many cryptographic protocols. The secure keys generation without a trusted dealer is an essential scheme in a distributed system since the dealer may be under the threat of a single point of attack.

We present a distributed keys generation scheme of the threshold Paillier’s encryption system using efficient multiparty computation. Our scheme consists of two offline and online phases where the offline phase can be implemented at any time well in advance of the computation phase. Both the public and the private keys are computed and verified in the presence of at least \(n\ge t+1\) participants in the actual online phase. This gives an improvement on the previous studies where at least a number of \(2t+1\) parties are required for the keys generation. Furthermore, the private communication complexity of our scheme is \(O(n^2)\) field elements with no broadcast communication overhead which improves on the total communication complexity of [21]. Our protocol maintains the security against a static active adversary corrupting up to t participants with the small probability of error using message authentication codes. Also, the computed keys are t-private, i.e., any subset of equal or less than t parties cannot gain any information about the factorization of N.

Correctness of the Protocol \(\Pi _{\textrm{Biprimarily}}\)

For the zero-knowledge proof of each party \(P_i\), the term \(\prod _{j=1}^n d_j \; \textrm{mod}\, N = g^{1/4(p_i+q_i)}\; \textrm{mod}\, N\) due to the homomorphism of discrete logarithm in the base g. Since \(\phi _1(N)=N+1-p_1-q_1\), the party \(P_1\) proves that he has committed to the correct value of \(\nu _1\) by having all the parties compute \(e_1= g^{1/4(N+1)} \; \textrm{mod}\, N\). For every other party except \(P_1\), the commitment value is \(e_i=g^0 \; \textrm{mod}\, N\) because \(\phi _i(N)=-(p_i+q_i)\).

For the biprimarily test, note that \(\phi (N)=N+1-p-q\) and \(\prod _{i=1}^n \nu _i= g^{\phi (N)/4}\). Since the Jacobi \({(\frac{g}{N})=1}\) and due to the Euler’s theorem, the parties check that \(g^{\phi (N)/4}= \pm 1\; \textrm{mod}\,\, N\).