
Practical Robust DKG Protocols for CSIDH

Applied Cryptography and Network Security (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13906))

Abstract

A Distributed Key Generation (DKG) protocol is an essential component of threshold cryptography. DKGs enable a group of parties to generate a secret and public key pair in a distributed manner so that the secret key is protected from being exposed, even if a certain number of parties are compromised. Robustness further guarantees that the construction of the key pair is always successful, even if malicious parties try to sabotage the computation. In this paper, we construct two efficient robust DKG protocols in the CSIDH setting that work with Shamir secret sharing. Both the proposed protocols are proven to be actively secure in the quantum random oracle model and use an Information Theoretically (IT) secure Verifiable Secret Sharing (VSS) scheme that is built using bivariate polynomials. As a tool, we construct a new piecewise verifiable proof system for structured public keys, that could be of independent interest. In terms of isogeny computations, our protocols outperform the previously proposed DKG protocols CSI-RAShi and Structured CSI-RAShi. As an instance, using our DKG protocols, 4 parties can sample a PK of size 4 kB, for CSI-FiSh and CSI-SharK, respectively, 3.4 and 1.7 times faster than the current alternatives. On the other hand, since we use an IT-secure VSS, the communication cost of our schemes is generally higher, except for a few specific parameters, and the fraction of corrupted parties is limited to less than a third.

Notes

  1. See https://csrc.nist.gov/projects/threshold-cryptography.

  2. The extra factor 4 is chosen so that \(p\equiv 3\mod 4\), which makes the particular curve \(E_0:y^2=x^3+x\) supersingular and allows one to work in the more efficient Montgomery coordinates; see [10] for more details.

  3. We note that this is not a trivial assumption, since computing large class groups is generally difficult using classical computers, cf. [7], which computed a 257-bit class group and the associated lattice of relations for the CSIDH-512 parameter set from [10]. An alternative approach is discussed in [18], which strongly speeds up the class group computations but unfortunately leads to much slower group action computations. We note, however, that there exist efficient quantum algorithms [21] for this purpose.

  4. We emphasize, however, that our definition of secrecy is the same as the original one introduced in [19] and thus differs from the “weaker” version presented in [6].

  5. \({\textsf{D}_\textsf{out}}(\mathcal{A}^\mathcal{O} \,|\, \{P_i^\mathcal{O}\}_{i \in I}) = \left\{ (A,E_{i^*}) \;\middle|\; A, \{(E_i,s_i)\}_{i \in I} \leftarrow \langle \mathcal{A}^\mathcal{O} \,|\, \{P_i^\mathcal{O}\}_{i \in I} \rangle \right\}\) for any \(i^*\in I\).

  6. We note that the authors of [6] use the description of very hard homogeneous spaces as introduced by Couveignes [12], where this assumption is called the decisional parallelization problem.

  7. We note that [2] also analyzes extended and structured versions of the Sashimi DKG [13], which is a full-threshold DKG. The authors of [2] show that the communication and computational costs of this DKG are basically the same as for CSI-RAShi, up to some barely noticeable constant factors. We therefore omit their analysis here.

  8. Regarding security assumptions, the fact that f(0) cannot be obtained from \((F_1, F_1'=[x]F_1)\) relies on the GAIP, while we additionally rely on the \(\mathbb{C}_k\)-Vectorization Problem with Auxiliary Inputs (\(\mathbb{C}_k\)-VPwAI) to ensure that f(0) cannot be obtained from the structured public key \((\mathbb{C}_{k}, F_1, F_1', \cdots , F_{k}, F_{k}')\).

References

  1. Asharov, G., Lindell, Y.: A full proof of the BGW protocol for perfectly secure multiparty computation. J. Cryptology 30(1), 58–151 (2017)

  2. Atapoor, S., Baghery, K., Cozzo, D., Pedersen, R.: CSI-SharK: CSI-FiSh with sharing-friendly keys. Cryptology ePrint Archive, Report 2022/1189 (2022). https://eprint.iacr.org/2022/1189

  3. Baghery, K., Cozzo, D., Pedersen, R.: An isogeny-based ID protocol using structured public keys. In: Paterson, M.B. (ed.) IMACC 2021. LNCS, vol. 13129, pp. 179–197. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92641-0_9

  4. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th Annual ACM Symposium on Theory of Computing, pp. 1–10, Chicago, IL, USA, May 2–4, 1988. ACM Press (1988)

  5. Bernstein, D., De Feo, L., Leroux, A., Smith, B.: Faster computation of isogenies of large prime degree. arXiv preprint arXiv:2003.10118 (2020)

  6. Beullens, W., Disson, L., Pedersen, R., Vercauteren, F.: CSI-RAShi: distributed key generation for CSIDH. In: Cheon, J.H., Tillich, J.-P. (eds.) PQCrypto 2021. LNCS, vol. 12841, pp. 257–276. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-81293-5_14

  7. Beullens, W., Kleinjung, T., Vercauteren, F.: CSI-FiSh: efficient isogeny based signatures through class group computations. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 227–247. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_9

  8. Campos, F., Muth, P.: On actively secure fine-grained access structures from isogeny assumptions. In: Cheon, J.H., Johansson, T. (eds.) PQCrypto 2022. LNCS, vol. 13512, pp. 375–398. Springer (2022)

  9. Castryck, W., Decru, T.: An efficient key recovery attack on SIDH (preliminary version). Cryptology ePrint Archive, Report 2022/975 (2022). https://eprint.iacr.org/2022/975

  10. Castryck, W., Lange, T., Martindale, C., Panny, L., Renes, J.: CSIDH: an efficient post-quantum commutative group action. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11274, pp. 395–427. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03332-3_15

  11. Charles, D.X., Lauter, K.E., Goren, E.Z.: Cryptographic hash functions from expander graphs. J. Cryptology 22(1), 93–113 (2009)

  12. Couveignes, J.M.: Hard homogeneous spaces. IACR Cryptol. ePrint Arch. 2006, 291 (2006)

  13. Cozzo, D., Smart, N.P.: Sashimi: cutting up CSI-FiSh secret keys to produce an actively secure distributed signing protocol. In: Ding, J., Tillich, J.-P. (eds.) PQCrypto 2020. LNCS, vol. 12100, pp. 169–186. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-44223-1_10

  14. De Feo, L.: Mathematics of isogeny based cryptography. arXiv preprint arXiv:1711.04062 (2017)

  15. De Feo, L., Jao, D., Plût, J.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. Cryptology ePrint Archive, Report 2011/506 (2011). https://eprint.iacr.org/2011/506

  16. De Feo, L., Kohel, D., Leroux, A., Petit, C., Wesolowski, B.: SQISign: compact post-quantum signatures from quaternions and isogenies. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12491, pp. 64–93. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64837-4_3

  17. De Feo, L., Meyer, M.: Threshold schemes from isogeny assumptions. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 187–212. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_7

  18. De Feo, L., et al.: SCALLOP: scaling the CSI-FiSh. IACR Cryptol. ePrint Arch., p. 58 (2023)

  19. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust and efficient sharing of RSA functions. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 157–172. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_13

  20. Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. J. Cryptology 20(1), 51–83 (2007)

  21. Kitaev, A.Y.: Quantum measurements and the abelian stabilizer problem. Electron. Colloquium Comput. Complex., TR96-003 (1996)

  22. Maino, L., Martindale, C.: An attack on SIDH with arbitrary starting curve. Cryptology ePrint Archive, Report 2022/1026 (2022). https://eprint.iacr.org/2022/1026

  23. Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_47

  24. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  25. Robert, D.: Breaking SIDH in polynomial time. Cryptology ePrint Archive, Report 2022/1038 (2022). https://eprint.iacr.org/2022/1038

  26. Rostovtsev, A., Stolbunov, A.: Public-key cryptosystem based on isogenies. IACR Cryptol. ePrint Arch. 2006, 145 (2006)

  27. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  28. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134 (1994)

  29. Siegel, C.: Über die Classenzahl quadratischer Zahlkörper. Acta Arithmetica 1(1), 83–86 (1935)

  30. Silverman, J.H.: The Arithmetic of Elliptic Curves, vol. 106. Springer Science & Business Media (2009)

  31. Stinson, D.R., Wei, R.: Unconditionally secure proactive secret sharing scheme with combinatorial structures. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 200–214. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46513-8_15

  32. Stolbunov, A.: Cryptographic schemes based on isogenies (2012)

  33. Unruh, D.: Computationally binding quantum commitments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 497–527. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_18

  34. Vélu, J.: Isogénies entre courbes elliptiques. CR Acad. Sci. Paris, Séries A, 273, 305–347 (1971)

  35. Wu, Q., Chen, H., Li, Z., Jia, C.: On a practical distributed key generation scheme based on bivariate polynomials. In: 2011 7th International Conference on Wireless Communications, Networking and Mobile Computing, pp. 1–4 (2011)

Acknowledgments

This work has been supported in part by the Defense Advanced Research Projects Agency (DARPA) under contract No. HR001120C0085, by the FWO under an Odysseus project GOH9718N, by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation programme (Grant agreement No. 101020788 - Adv-ERC-ISOCRYPT), by CyberSecurity Research Flanders with reference number VR20192203, by the European Research Council (ERC) under the European Union’s Horizon 2020 research and innovation program under project PICOCRYPT (grant agreement No. 101001283), by the Spanish Government under project PRODIGY (TED2021-132464B-I00), and by the Madrid Regional Government under project BLOQUES (S2018/TCS-4339). The last two projects are co-funded by European Union EIE, and Next Generation EU/PRTR funds.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the ERC, DARPA, the US Government, the Spanish Government, Cyber Security Research Flanders or the FWO. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.

Author information
Corresponding author: Daniele Cozzo.

Appendices

A Security Proofs

A.1 Proof of Theorem 4.1

We prove the security of the new non-interactive Structured PVP, described in Algorithms 3 and 4, by the following theorem.

Theorem 4.1. Assuming that the commitment scheme \(\mathcal {C}\) is collapsing and quantum computationally hiding, the described non-interactive PVP for the structured public keys (in Algorithms 3 and 4) is complete, sound, and ZK in the QROM for the list of relations given in Eq. (2).

Proof

The proof of this theorem is analogous to the proof of [6, Theorem 2], with a few differences, which we will highlight in this proof.

A key peculiarity of PVPs (and SPVPs) is that they use a weak version of the Fiat–Shamir transform, i.e. one where the random oracle is called with the commitments as inputs rather than with commitments and statements. In [6], the security consequences of this are treated in detail, and PVPs could be proven secure even with this modification. We refer the reader to [6, App. A] for more details. These results still apply to our case, so we omit proving them again. Rather, let us point out where the differences between SPVPs and PVPs lie. These are mainly in the definition of the relation \(R_0\), which in the original CSI-RAShi paper is defined as

$$\begin{aligned} \{ (x_0 = (F_1, F_1'),f(x)) \ | \ (F_1' = [f(0)]F_1)\}\,, \end{aligned}$$

and thus represents the special case \(k=1\) and \(c_1=1\) of the definition in Eq. (2) (see footnote 8). Similarly, the commitments as represented in Algorithms 3 and 4 also reduce to the case \(k=1\).

As a result of this different structure, the proofs for completeness and soundness are adapted below for the case \(i=0\). The case \(i\ne 0\) remains unchanged, as also here the relation is unchanged. We note that zero-knowledge immediately follows from the properties of the commitment scheme \(\mathcal {C}\) and is therefore analogous to the proof in [6].

Completeness. For any \(j=1,\dots ,\lambda \), if \(d_j = 0\), then \(r_j = b_j\) and hence \(\widetilde{F}_j^l = [c_lr_j(0)]F_l = [c_lb_j(0)]F_l = \hat{F}_j^l\) for \(l=1, \cdots , k\). If \(d_j = 1\), then \(r_j(0) = b_j(0)-f(0)\), so again we have \(\widetilde{F}_j^l = [c_lr_j(0)]F_l' = [c_lb_j(0)-c_lf(0)][c_lf(0)]F_l = [c_lb_j(0)]F_l = \hat{F}_j^l\), for \(l=1, \cdots , k\). Thus both \(\textsf{C}_0\) are equal and the verifier will accept.

Soundness. Let \(I \subseteq \{0, 1, \cdots , n\}\) with \(\left|I \right| > t\). Given two accepting transcripts with different challenges (e.g. \(d_j=0\) and \(d_j'=1\), without loss of generality), if \(0\in I\) and any of \([c_1r_j(0)]F_1 \not = [c_1r_j'(0)]F_1'\), \([c_2r_j(0)]F_2 \not = [c_2r_j'(0)]F_2', \cdots , [c_{k}r_j(0)]F_{k} \not = [c_{k}r_j'(0)]F_{k}'\), then we found a collision in \(\mathcal {C}\). Similarly, if for some non-zero \(i \in I\) we have \(r_j(i) \not = r'_j(i) + x_i\) then we also have a collision for \(\mathcal {C}\). If there is no collision, then

$$\begin{aligned} r_j(i)&= r_j'(i) + x_i \text { for all } i \in I , i>0 \, \text {, and } \\ [c_lr_j(0)] F_l&= [c_lr_j'(0)] F_l' \ \text { for } l=1, 2, \cdots , k \quad (\text {if } 0 \in I) \, , \end{aligned}$$

so we can extract a valid witness as \(r_j(X) - r'_j(X)\).   \(\square \)

B Computational and Communication Costs of Our Protocols

In this section, we establish the computational and communication costs of our DKG protocols. We express the sequential costs \(\tau \) of the protocol steps, i.e. the total runtime from start to finish, including the time when some of the parties are idle, and discuss optimizations that minimize these idle times. We denote by \(T_I\), \(T_E\), \(T_C\) and \(T_H\) the cost of isogeny computations, polynomial evaluations, calls to the commitment scheme and calls to the random oracle, respectively. We ignore the cost of other operations, such as sampling and addition and multiplication over the ring \(\mathbb {Z}_N\), as they are negligible in comparison. We express the communication cost in terms of the outgoing communication cost \(\gamma \) per party. Let \(C_E\) and \(C_N\) denote the information content of an elliptic curve in \(\mathcal {E}\) and of an element in \(\mathbb {Z}_N\), respectively. A monovariate polynomial of degree t can be represented by \(t+1\) elements in \(\mathbb {Z}_N\). We first determine the costs of the individual building blocks of our protocol, before we put them together and compute the full costs.

VSS. We can easily see that in the VSS step from Fig. 1, each party first evaluates and sends out \(2(n-1)\) monovariate polynomials. Then, in the verification step, parties further evaluate and share \(2(n-1)(n-2)\) polynomial evaluations. We note that the evaluations can be done in parallel, thus this amounts to a total of \(2(n-1)^2\) sequential evaluations and \(2(n-1)(n+t-1)\) elements in \(\mathbb {Z}_N\) sent out to the other parties. We find

$$\begin{aligned} \tau _{vss}(n) = 2(n-1)^2T_E \quad \text { and }\quad \gamma _{vss}(n,t) = 2(n-1)(n+t-1)C_N\,. \end{aligned}$$

Proof Step. In the public key computation step of Fig. 1, parties have to compute one isogeny and run the proof in Algorithm 1. By carefully counting the operations in the latter, we find the total cost of

$$ \tau _{proof}(n,\lambda )=\lambda (n+1)T_E+(\lambda +1) T_I+2(n+1)T_C+T_H\,. $$

After this step, the party has to publish the computed curve and the main proof and send the individual proof pieces to each other player. We can easily check that the proof pieces are \(2\lambda \) bits each and that the main proof consists of \(2(n+1)\) commitments, each for \(2\lambda \) bits and of the response, for \(\lambda (t+1)C_N\).

We note that both the computational and the communication cost change when we use the twist trick. Recall that in this case the challenge space increases from size 2 to 3, so the number of repetitions is reduced to \(\lambda ' := \left\lceil \lambda /\log _23\right\rceil \). The proof cost then simply becomes \(\tau _{proof}(n,\lambda ')\). Regarding communication, we point out that the size of the proof pieces, determined by the security parameter \(\lambda \), does not change when using the twist trick. To avoid confusion, we simply denote the cost of a commitment or of a proof piece as \(C_C=2\lambda \), which is fixed. We can then express the total communication cost in the proof step as

$$ \gamma _{proof}(n,t,\lambda ) = C_E + (3n+2)C_C + \lambda (t+1)C_N\,. $$

Verification Step. For simplicity, we look at the upper bound \(|Q|=n\). The verification step is reduced to the evaluation of Algorithm 2 by \(n-1\) parties, in parallel, once for \(i=0\) and once for \(i\ne 0\). Note that the hash computation remains the same in both cases, and so only has to be computed once. By counting the different steps, we find the total of

$$ \tau _{verif}(\lambda ) = \lambda (T_E+T_I)+4T_C + T_H\,. $$

If all the checks succeed, parties do not have to communicate anything in this step. In the converse case, per failed verification, parties have to broadcast one polynomial and verify at most n by evaluating them. This happens at most t times. We will ignore these costs in the interest of more realistic estimates.

Basic DKG Protocol. We can finally compute the full cost of the protocol in Fig. 1. This protocol simply consists of a VSS, and n consecutive proof and verification steps in the round-robin. We note that in the first round, we can use the twist trick. We find

$$\begin{aligned} \tau _{DKG}(n,\lambda ) = \,\,&\tau _{vss}(n)+\tau _{proof}(n,\lambda ')+\tau _{verif}(\lambda ')\\&+(n-1)(\tau _{proof}(n,\lambda )+\tau _{verif}(\lambda ))\,, \end{aligned}$$

and \( \gamma _{DKG}(n,t,\lambda ) = \ \gamma _{vss}(n,t) + \gamma _{proof}(n,t,\lambda ')+(n-1)\gamma _{proof}(n,t,\lambda )\,. \) By looking at the individual terms, we find the results summarized in Tables 2 and 3.

Extended DKG Protocol. In the case of extended (non-structured) public keys discussed at the end of Sect. 3.2, the VSS step has to be repeated k times and the cost of a round-robin step naively increases by a factor k. This cost can be greatly improved by staggering the proofs and verifications, as was proposed in [17] and analyzed in more detail in [2]. Roughly, the idea is to compute the first proof and then publish it, so that other parties can verify it during the creation of the second proof, and so on. As a result, the sequential cost of a round-robin step is reduced to the cost of k consecutive proofs plus one extra verification. But we can do even better, using the idea from [2, Sec. 6]: since all the different round-robins are independent computations, we can permute the players for each of them and run multiple round-robins in parallel. This means that while \(P_1\) computes the k first curves for one secret and creates the PVP, \(P_2\) does the same for a different secret, etc. Then all of the verifications are performed before moving on to the second step of all of the round-robins. In that way, we minimize idle time.

For n players with k secrets, the lowest attainable sequential runtime in this way is composed of \(\left\lceil \tfrac{k}{n}\right\rceil \) proof steps and \(k-\left\lfloor \tfrac{k}{n}\right\rfloor \) sequential verification steps, per round-robin step. Including the twist trick, we find the total cost

$$\begin{aligned} \tau _{DKG}^{ext.}(n,k,\lambda ) = \,\,&k\tau _{vss}(n) + \Big ( \left\lceil \tfrac{k}{n}\right\rceil \tau _{proof}(n,\lambda ')+\big (k-\left\lfloor \tfrac{k}{n}\right\rfloor \big )\tau _{verif}(\lambda ') \Big ) \\&+ (n-1)\Big ( \left\lceil \tfrac{k}{n}\right\rceil \tau _{proof}(n,\lambda )+\big (k-\left\lfloor \tfrac{k}{n}\right\rfloor \big )\tau _{verif}(\lambda ) \Big )\,. \end{aligned} \qquad (3)$$

The communication costs are not changed by changing the order, so that we simply find \( \gamma _{DKG}^{ext.}(n,k,t,\lambda ) = k\gamma _{DKG}(n,t,\lambda )\,. \) The individual terms are again summarized in Tables 2 and 3.

Structured DKG Protocol. If we use the DKG for structured public keys (given in Fig. 2), the VSS does not have to be repeated k times as we only have a single secret. Furthermore, in the public key computation step, proofs and verifications are done with SPVPs, which are introduced in Algorithms 3 and 4. Some scrutiny reveals

$$\begin{aligned} \tau _{proof}^{SPVP}(n,k,\lambda )&= \lambda (n+1)T_E+k(\lambda +1) T_I+2(n+1)T_C+T_H\,, \\ \tau _{verif}^{SPVP}(k,\lambda )&= \lambda T_E +k\lambda T_I+4T_C + T_H\,. \end{aligned}$$

Note that \(\tau _{proof}^{SPVP}\) also includes the computation of the curves in the round-robin step. In comparison to the cost of the standard PVPs established earlier, only the isogeny computations increase by a factor k, while the other terms remain unchanged. Regarding communication cost, we can easily see that an SPVP has the same size as a PVP, independent of k. The difference to the basic case is that we publish k curves instead of one, resulting in the cost per proof step of \( \gamma _{proof}^{SPVP}(n,k,t,\lambda ) = kC_E + (3n+2)C_C + \lambda (t+1)C_N\,. \) We end up with the total

$$\begin{aligned} \gamma _{DKG}^{SPK}(n,k,t,\lambda ) = \gamma _{vss}(n,t) + \gamma _{proof}^{SPVP}(n,k,t,\lambda ')+(n-1)\gamma _{proof}^{SPVP}(n,k,t,\lambda )\,. \end{aligned}$$

In the protocol from Fig. 2, we can use a similar approach as for the extended DKG protocol, in the sense that we can run multiple round-robins in parallel. A difference here is that each player does not run k individual PVPs but instead batches them into SPVPs. This allows us to run an initial round of n SPVPs in parallel, each with \(\left\lfloor \tfrac{k}{n}\right\rfloor \) elements, and a second round with \(k\text { mod }n\) PVPs in parallel. The first round has \(n-1\) subsequent verifications to be performed and the second \(k\text { mod }n\) more, again all in parallel by the individual players. The cost per round-robin step can therefore be expressed as

$$\begin{aligned} R(n,k,\lambda ) =&\ \tau _{proof}^{SPVP}(n,\left\lfloor \tfrac{k}{n}\right\rfloor ,\lambda )+(n-1)\tau _{verif}^{SPVP}(\left\lfloor \tfrac{k}{n}\right\rfloor ,\lambda ) \\&+\chi _{n,k}(\tau _{proof}(n,\lambda )+(k\text { mod }n)\tau _{verif}(\lambda ))\,, \end{aligned}$$

where we define \(\chi _{n,k}=\left\lceil \tfrac{k}{n}\right\rceil -\left\lfloor \tfrac{k}{n}\right\rfloor \), i.e. \(\chi _{n,k}=0\), if \(n\mid k\), and 1 otherwise. These steps are repeated n times, where at the first step we can use the twist trick. Together with the VSS, we find the total cost of

$$\begin{aligned} \tau _{DKG}^{str.}(n,k,\lambda ) =&\ \tau _{vss}(n) + R(n,k,\lambda ')+ (n-1)R(n,k,\lambda )\,. \end{aligned} \qquad (4)$$

Again, the individual terms are summarized in Tables 2 and 3.

Comparison of Extended and Structured Case. Finally, we establish some of the background related to Figs. 4 and 3.

Communication. Using the fact that \(N\approx \sqrt{p}\) [29] and choosing the security parameter \(\lambda \approx \sqrt[4]{p}\) (reflecting the classical security, see [2, 10]), we can easily identify \( 2\lambda \approx C_C\approx C_N\approx \frac{1}{2}C_E\,. \) By plugging this into the terms in Table 3 and dropping some of the constant terms, we can see that the communication cost of the extended DKG asymptotically scales with \(2nk\lambda (5n+\lambda t)\), while the structured case scales with \(2n\lambda (5n+\lambda t+2k)\). For \(n\rightarrow \infty \), the latter is k times smaller, while for \(k\rightarrow \infty \), the latter is \(\lambda t/2\) times smaller, both considerable gains. We depict these trends in Fig. 4. The asymptotic quadratic trend in n and linear trend in k of our schemes are clearly visible in the figure. One can also see that the expected asymptotic gain of \(k=2^{6}\) for the structured case with respect to the extended case is well represented on the left graph, while the right graph shows the expected asymptotic gain of \(\lambda n/6\approx 64\).

Computation. The results in Table 2 show that using structured public keys removes the dependency on k in all cases but isogeny computations. It is clear that the number of calls to commitment schemes or random oracles becomes the same around \(k\approx n\). For the number of polynomial evaluations, this behavior becomes a bit more complex, and the structured case always outperforms the extended case for some \(k\le n\). This is due to the fact that the VSS in the extended case scales with k, while it is independent of k in the structured case.

We note that in general, isogeny computation costs will strongly dominate the full protocol cost. We restate the full isogeny costs of both protocols here, in the most general case, using the twist trick. For the latter, we define \(\lambda '=\lceil \lambda /\log _23\rceil \). By looking at the isogeny cost terms of Eqs. (3) and (4), we find, after some arithmetic, that they are both equal to

$$\begin{aligned} I(n,k,\lambda ) = (\lambda '+(n-1)\lambda )\big (k+\chi _{n,k}\big )+n\left\lceil \tfrac{k}{n}\right\rceil \,. \end{aligned}$$

We compare this with the results from [2] in Fig. 3. Below, we also summarize the gains we get by using the twist trick for low n.

n    | 2     | 3     | 4    | 5    | 6    | 8    | 10   | 20   | 50
Gain | 18.3% | 12.2% | 9.2% | 7.3% | 6.1% | 4.6% | 3.6% | 1.8% | 0.7%
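The cost model of this appendix as an added, runnable example (our code, not the paper's): it encodes \(\tau_{vss}\), \(\tau_{proof}\), \(\tau_{verif}\), their SPVP variants and Eqs. (3) and (4) as vectors over the units \(T_E, T_I, T_C, T_H\), and checks that the isogeny terms of both protocols coincide with the closed form \(I(n,k,\lambda)\). The function `twist_gain` is our own derivation (the leading term of the saving, dropping the \(n\lceil k/n\rceil\) curve computations) and assumes \(\lambda = 128\), a choice not stated in the appendix; it reproduces the table above to within rounding.

```python
"""Cost model of Appendix B (added example, not the paper's code): sequential
runtime tau of the basic, extended and structured DKGs in the paper's units
T_E (polynomial evaluation), T_I (isogeny), T_C (commitment), T_H (hash)."""
from collections import Counter
from math import ceil, floor, log2


def add(*costs):
    """Sum cost vectors (Counter.update adds multiplicities per unit)."""
    total = Counter()
    for c in costs:
        total.update(c)
    return total

def scale(cost, m):
    """Multiply every unit's multiplicity by the integer m."""
    return Counter({unit: m * v for unit, v in cost.items()})

def lam_twist(lam):
    """lambda' = ceil(lambda / log2 3): repetitions with the twist trick."""
    return ceil(lam / log2(3))

def chi(n, k):
    """chi_{n,k} = ceil(k/n) - floor(k/n): 0 if n divides k, else 1."""
    return ceil(k / n) - floor(k / n)

# Building blocks: VSS, PVP proof/verification, SPVP proof/verification.
def tau_vss(n):
    return Counter({"T_E": 2 * (n - 1) ** 2})

def tau_proof(n, lam):
    return Counter({"T_E": lam * (n + 1), "T_I": lam + 1, "T_C": 2 * (n + 1), "T_H": 1})

def tau_verif(lam):
    return Counter({"T_E": lam, "T_I": lam, "T_C": 4, "T_H": 1})

def tau_proof_spvp(n, k, lam):
    # Compared to tau_proof only the isogeny term grows, by the factor k.
    return Counter({"T_E": lam * (n + 1), "T_I": k * (lam + 1), "T_C": 2 * (n + 1), "T_H": 1})

def tau_verif_spvp(k, lam):
    return Counter({"T_E": lam, "T_I": k * lam, "T_C": 4, "T_H": 1})

# Full protocols; the twist trick (lambda') is applied in the first round only.
def tau_dkg(n, lam):
    """Basic DKG (Fig. 1): one VSS, then n round-robin proof/verify steps."""
    lt = lam_twist(lam)
    return add(tau_vss(n), tau_proof(n, lt), tau_verif(lt),
               scale(add(tau_proof(n, lam), tau_verif(lam)), n - 1))

def tau_dkg_ext(n, k, lam):
    """Extended DKG, Eq. (3): k VSSs and k permuted, parallel round-robins."""
    def step(l):  # one step: ceil(k/n) proofs and k - floor(k/n) verifications
        return add(scale(tau_proof(n, l), ceil(k / n)),
                   scale(tau_verif(l), k - floor(k / n)))
    return add(scale(tau_vss(n), k), step(lam_twist(lam)), scale(step(lam), n - 1))

def R(n, k, lam):
    """Round-robin step of the structured DKG: n parallel SPVPs over floor(k/n)
    curves each, then, if n does not divide k, k mod n plain PVPs."""
    q, r = divmod(k, n)
    return add(tau_proof_spvp(n, q, lam), scale(tau_verif_spvp(q, lam), n - 1),
               scale(add(tau_proof(n, lam), scale(tau_verif(lam), r)), chi(n, k)))

def tau_dkg_str(n, k, lam):
    """Structured DKG, Eq. (4): a single VSS plus n steps R."""
    return add(tau_vss(n), R(n, k, lam_twist(lam)), scale(R(n, k, lam), n - 1))

def isogeny_count(n, k, lam):
    """Closed form I(n,k,lambda) the paper states for the T_I terms of Eqs. (3), (4)."""
    return (lam_twist(lam) + (n - 1) * lam) * (k + chi(n, k)) + n * ceil(k / n)

def twist_gain(n, lam=128):
    """Relative saving in I(n,k,lambda) from the twist trick for large k:
    (lambda - lambda') / (n * lambda). Derived here by dropping the n*ceil(k/n)
    curve computations from isogeny_count; lambda = 128 is our choice."""
    return (lam - lam_twist(lam)) / (n * lam)

if __name__ == "__main__":
    for n, k in [(4, 16), (5, 16), (3, 64)]:
        ext, srt = tau_dkg_ext(n, k, 128), tau_dkg_str(n, k, 128)
        # Both protocols need exactly I(n,k,lambda) isogeny computations.
        assert ext["T_I"] == srt["T_I"] == isogeny_count(n, k, 128)
        print(f"n={n} k={k}: extended {dict(ext)}\n          structured {dict(srt)}")
    print({n: f"{100 * twist_gain(n):.1f}%" for n in (2, 3, 4, 5, 6, 8, 10, 20, 50)})
```

For k = 1 the extended cost collapses to the basic DKG, which is a useful sanity check of the model; the non-isogeny terms show directly which of T_E, T_C, T_H the structured variant makes independent of k.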

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Atapoor, S., Baghery, K., Cozzo, D., Pedersen, R. (2023). Practical Robust DKG Protocols for CSIDH. In: Tibouchi, M., Wang, X. (eds.) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_9

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7
