Universally Composable DKG with Linear Number of Exponentiations

  • Douglas Wikström
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3352)


Until now no distributed discrete-logarithm key generation (DKG) protocol is known to be universally composable. We extend Feldman’s verifiable secret sharing scheme to construct such a protocol. Our result holds for static adversaries corrupting a minority of the parties under the Decision Diffie-Hellman assumption in a weak common random string model in which the simulator does not choose the common random string.

Our protocol is optimistic. If all parties behave honestly, each party computes O(3.5k) exponentiations, and otherwise each party computes O(k²) exponentiations, where k is the number of parties. In previous constructions each party always computes Ω(k²) exponentiations.
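Added illustration, not code from the paper: the Feldman VSS check the abstract builds on, used in the plain Feldman-based DKG where every party deals its own secret, a dealer whose share fails verification is disqualified, and the joint public key is the product of the dealers' constant-term commitments. The group parameters are toy-sized and constructed, and this is the textbook construction the paper starts from, not Wikström's UC protocol.

```python
import random

# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the
# order-q subgroup of Z_p^*. Real deployments use 2048-bit+ groups.
P, Q, G = 2039, 1019, 4

def feldman_deal(secret, t, n, rng):
    """Dealer: share `secret` with a degree-t polynomial, publish C_i = g^{a_i}."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t)]
    shares = {j: sum(a * pow(j, i, Q) for i, a in enumerate(coeffs)) % Q
              for j in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments

def feldman_verify(j, share, commitments):
    """Receiver j checks g^{s_j} == prod_i C_i^{j^i} (mod p)."""
    rhs = 1
    for i, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(j, i, Q), P) % P
    return pow(G, share, P) == rhs

def dkg(n, t, rng, tamper=None):
    """Each party acts as a Feldman dealer; tamper=(dealer, receiver) makes
    that dealer send a corrupted share, which the receiver must detect."""
    dealt = {d: feldman_deal(rng.randrange(Q), t, n, rng) for d in range(1, n + 1)}
    disqualified = set()
    for d, (shares, comms) in dealt.items():
        for j in range(1, n + 1):
            s = (shares[j] + 1) % Q if tamper == (d, j) else shares[j]
            if not feldman_verify(j, s, comms):
                disqualified.add(d)
    qual = [d for d in dealt if d not in disqualified]
    y = 1                                  # y = prod_{d in QUAL} C_{d,0}
    for d in qual:
        y = y * dealt[d][1][0] % P
    key_shares = {j: sum(dealt[d][0][j] for d in qual) % Q for j in range(1, n + 1)}
    return y, key_shares, disqualified

def reconstruct(key_shares, t):
    """Lagrange-interpolate x at 0 from t+1 shares; return g^x for checking."""
    pts = list(key_shares.items())[: t + 1]
    x = 0
    for j, s in pts:
        num = den = 1
        for m, _ in pts:
            if m != j:
                num, den = num * (-m) % Q, den * (j - m) % Q
        x = (x + s * num * pow(den, -1, Q)) % Q
    return pow(G, x, P)
```

This plain variant is the one Gennaro, Jarecki, Krawczyk and Rabin (EUROCRYPT 1999) showed a rushing adversary can bias by choosing, after seeing the others' commitments, whether to get itself disqualified; the universal composability claimed in the abstract is a strictly stronger guarantee than what this code provides.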







Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Douglas Wikström, Royal Institute of Technology (KTH), Nada, Stockholm, Sweden
