Ready to build with us?
Explore our docs and start building with Ika
Links in this article
February 17, 2024
Offir Friedman, dWallet labs
Avichai Marmor, dWallet labs
Dolev Mutzari, dWallet labs
Yehonatan C. Scaly, dWallet labs
Yuval Spiizer, dWallet labs
Avishay Yanai
In the threshold version of Paillier's encryption scheme, a set of parties collectively holds the secret decryption key through a secret sharing scheme.Whenever a ciphertext is to be decrypted, the parties send their decryption shares, which are then verified for correctness and combined into the plaintext. The scheme has been widely adopted in various applications, from secure voting to general purpose MPC protocols.However, among the handful existing proposals for a maliciously secure scheme, one must choose between an efficient implementation that relies on non-standard assumptions or a computationally expensive implementation that relies on widely acceptable assumptions.In this work, we show that one can enjoy the benefits of both worlds. Specifically, we adjust a scheme by Damgard et al. (Int. J. Inf. Secur. 2010) to get a practical distributed key generation (DKG). While the original scheme was only known to be secure under ad-hoc non-standard assumptions, we prove that the adjusted scheme is in fact secure under the decisional composite residuosity (DCR) assumption alone, required for the semantic security of the Pallier encryption scheme itself.This is possible thanks to a novel reduction technique, from the soundness of a zero-knowledge proof of equality of discrete logs, to the factoring problem.Furthermore, we use similar ideas to prove that batching techniques by Aditya et al. (ACNS 2004), which allows a prover to batch several statements into a single proof, can be applied to our adjusted scheme. This enables a batched threshold Paillier decryption in the fully distributed setting for the first time.Until now, verifying that a decryption share is correct was the bottleneck of threshold Paillier schemes and hindered real world deployments (unless one is willing to rely on a trusted dealer).Our work accumulates to shifting the bottleneck back to the plaintext reconstruction, just like in the semi-honest setting, and render threshold Paillier practical for the first time, supporting large scale deployments.We exemplify this shift by implementing the scheme and report our evaluation with up to 1000 parties, in the dishonest majority setting.For instance, over an EC2 C6i machine, we get a throughput of about 50 and 3.6 decryptions per second, when run over a network of 100 and 1000 parties, respectively.
Explore our docs and start building with Ika
The information contained in this website is provided ‘as-is’ on a non-reliance, non-binding basis. We do not provide any kind of representation and / or advice of any kind (including without limitation: financial or technological) and nothing herein is substitute for receiving professional advice. We do not verify and / or guarantee the correctness and / or accuracy and / or completeness of the information herein, and any use and / or reliance on the information herein, is at the reader's own responsibility and risk. We may delete, amend and / or update the information at any time without prior notice at our sole discretion and without any obligation to do so, even if such an update and / or amendment is required as a result of new information brought to our attention, from events that occurred after the information was uploaded to the website, or whether such an update is required due to other circumstances.