Bilinear pairings and security problems

In this section, we describe bilinear maps and hard problems [38]. Let consider two cyclic groups and with the same prime order q, and let g is a generator of . A bilinear map need satisfy the following properties:

1. Bilinearity: For all , and , .
2. Non-degeneracy: There exists , such that .
3. Computability: For all , can be computed.

Definition 1. The Decision Linear (DLLN) Problem is to decide whether a + b = c, given for unknown . The DLLN assumption states that, there is no PPT algorithm can solve the DLLN problem with non-negligible advantage.

Definition 2. The Computational Diffie-Hellman (CDH) Problem is that, given for unknown , it is hard to compute g^xy. The CDH assumption states that, there is no PPT algorithm can solve the CDH problem with non-negligible advantage.

Circuit obfuscators

In this section, we briefly review some notations of circuit obfuscators used in this paper [32]. We use to denote a class of probabilistic circles, here C_λ is the circuits in of input length l_in(λ). the notation C ← C_λ denotes the generation procedure. PPT denotes probability polynomial time. Obf denotes an obfuscator. poly(λ) indicates the set of all polynomials of λ. We now provide definitions of statistical difference and preserving functionality.

Definition 3. [32] The statistical difference between C₀(x) and C₁(x) is given by:

Definition 4. (Preserving Functionality) [32] A PPT machine Obf is a circuit obfuscator for a class of probabilistic circuits , if for every probabilistic circuit C ∈ C_λ, the following holds:

TS signature

The TS signature scheme is a tuple of algorithms ∏ = (Setup, Share-Sign, Share-Verify, Combine, Verify) such that:

• Setup(params, λ, k, n): Takes as input a security parameter and a pair of integers (k, n) ∈ poly(λ), such that 1 ≤ k ≤ n, let denote a set of n participants (users).
  1. Choose system parameter .
  2. are also generated by using GJKR’s DKG algorithm [22], respectively.
  3. To generate public key, n users jointly generate user public key g₁ = g^α by using GJKR’s DKG.
  4. Each user P_i broadcasts g^f(i) for a random jointly generated degree k − 1 polynomial such that α = f(0).
  5. User P_i gets the private key shares SK = (sk₁, sk₂, ⋯, sk_n) as for i = 1 to n. Verification keys VK = (vk₁, vk₂, ⋯, vk_n) as vk_i = g^f(i) for i = 1 to n.
  6. Output the public key p = (VK, params, g₁, g₂, u′, U), and each user is supplied with the private key share sk_i.
• Share-Sign(sk_i, m): To sign m = m₁ m₂ ⋯ m_n ∈ {0, 1}ⁿ, using sk_i, choose , compute the signature share
• Share-Verify(p, m, i, σ_i): Given a signature share σ_i, and the verification key vk_i, the partial verification algorithm return 1 if , else return 0.
• Combine(p, m, i, σ_i)_i∈Φ: For each i ∈ Φ, where a subset Φ ⊂ {1, 2, ⋯, n} and |Φ| = k. Let λ_i be the Lagrange coefficients so that compute the combined signature
• Verify Given signature , the receiver checks the equation If the equation holds, outputs 1, otherwise outputs 0.

Linear encryption scheme

The linear encryption scheme consists of three algorithms ∑ = (Key generation algorithm(KG), Encrypt algorithm(Enc), Decrypt algorithm(Dec)), the algorithms are described as follows:

• KG(params): Parse system parameter , choose as the private key sk_e, compute the encryption public key pk_e = (pk_e1, pk_e2) = (g^a, g^b).
• Enc(m, pk_e): To encrypt message m, randomly choose , compute
• Dec(τ, sk_e): Given τ and sk_e, compute .

Specifically, we denote the rerandomization algorithm by ReRand(p, pk_e, (τ₁, τ₂, τ₃)), which produces a new ciphertext , equivalent to the input ciphertext τ, under the public key pk_e = (g^a, g^b), using the additional random numbers r′ and s′.

The ETS functionality

ETS functionality is composed of ETS.Setup, ETS.Sign, ETS.Verify. We give the concrete construction as follows:

• ETS.Setup(params, λ, k, n):
  1. Parse parameter .
  2. For users(participants), generate public keys and private shares by running (VK, params, g₁, g₂, u′, U, SK)← Setup(params, λ, k, n).
  3. For receiver(verifier), randomly choose as the receiver’s private key sk_e, compute receiver’s public key pk_e = (pk_e1, pk_e2) = (g^a, g^b).
• ETS.Sign(SK, m, p, pk_e): For m = m₁ m₂⋯m_n ∈ {0, 1}ⁿ, works as follows:
  1. Randomly choose , and compute σ_j←Share-Sign(sk_j, m), that is
  2. Verify the validity of signature σ_j by
  3. Compute the combined signature ← Combine(p, m, j, σ_j)_j∈Φ, that is for each j ∈ Φ, where a subset Φ ⊂ {1, 2, ⋯, n} and |Φ| = k. Let λ_j be the Lagrange coefficients so that
  4. Randomly choose , encrypt under the receiver’s public key S₁← Enc and S₂← Enc that is
  5. Output encrypted threshold siganture (S₁, S₂).
• ETS.Verify(p, sk_e, S₁, S₂, m): Parse p = (VK, params, g₁, g₂, u′, U), and m = m₁ m₂⋯m_n ∈ {0, 1}ⁿ. Decrypt (S₁, S₂) to get , that is and then verify the encrypted signature by else return 0.

The obfuscation of ETS functionality

From the description of the ETS functionality in above section, we regard a family of circuits for the ETS functionality, C_λ is a group of circuits . We can draw system parameters (SK, pk_e, p) from . Given a circuit , the Obf_ETS works as follows:

• Obf
  1. Extract system parameters (pk_e, SK, p).
  2. Parse parameter , SK = (sk₁, sk₂, ⋯, sk_n) and VK = (vk₁, vk₂, ⋯, vk_n).
  3. For each j ∈ {1, 2, ⋯, n}, randomly choose , encrypt user’s private share sk_j to run , is an encrypted form of the original signing key sk_j, then compute . Suppose .
  4. Construct an obfuscated circles R_p,pke,t that contains the values
• R_p,pke,t: The obfuscated circuit can be executed on any untrusted cloud server, and it does the following.
  1. On input security parameter λ, the circuit outputs (pk_e, p).
  2. On input message m = m₁ m₂⋯m_n ∈ {0, 1}ⁿ, randomly choose to run ← Share-Sign , that is and
  3. Verify the validity of signature by
  4. Compute the combined signature ← Combine that is for each j ∈ Φ, where a subset Φ ⊂ {1, 2, ⋯, n} and |Φ| = k. Let be the Lagrange coefficients so that
  5. Compute and
  6. Randomly choose , rerandomize the generated signature by running ← ReRand that is and run ← Enc that is
  7. Output ).

Besides, the polynomial time property is evident as all the calculation here is valid in polynomial time. It is easily to verify that the obfuscated program by theorem 1.

Theorem 1. The algorithm R_p,pke,t can pass verification.

Proof 1. For a valid ciphertext , receiver decrypts , the correctness of R_p,pke,t is elaborated as follows:

The following equation shows that R_p,pke,t satisfies correctness:

Correctness

In this section, we identify the following goals that the obfuscator for ETS should satisfy.

1. Correctness: The correctness of an obfuscator requires “Preserving Functionality” as described in Definition 4.
2. Security: The obfuscator needs satisfy ACVBP with respect to T(C) and R(C) and existentially unforgeable with respect to ETS Obfuscator.

Below, we state the Theorem 2 which is a key result used to show the correctness of our construction.

Theorem 2. (Preserving Functionality) The obfuscated program preserves the functionality of original ETS.

Proof 2. On receiving the encrypted threshold signature (S₁, S₂), that is and where

On receiving the obfuscated program that is and where

We observe that both (S₁, S₂) and are identically distributed.

Security proof

Theorem 3. Under the DLLN assumption, the algorithm Obf_ETS is ACVBP with respect to dependent oracle and restricted dependent oracle R(C) = Corruption^{∣Φ∣≤k−1}.

Proof 3. Suppose , and R(C) = Corruption^{∣Φ∣≤k−1}. There are a pair of probabilities (Pr_Nick, Pr_Junk) that represent D^{≪C,T(C),D(C)≫} outputs 1, given the true and imitated distributions, respectively. We show that S K = (sk₁, sk₂, ⋯, sk_n) and are encrypted in the true and imitated distributions. Since the algorithm Obf_ETS is equivalent to the values . So we can utilize a simulator S which imitates these values with sampling access to C. The values (p, pk_e) can be easily draw from C. In order to simulate . Then S chooses n junk values and encrypts them using the receiver’s public encryption key pk_e.

The detailed procedure of S is as below.

1. Using the sampling access to to get (p, pk_e).
2. Parse p = (V K, params, g₁, g₂, u′, U), V K = (vk₁, vk₂, ⋯, vk_n) and .
3. Randomly choose , and .
4. Encrypt Junk_i using public key pk_e, for i = 1 to n.
5. Compute for i = 1 to n.
6. Set Junk = (c_i1, c_i2, c_i3), where i = 1, 2, ⋯, n.
7. Output , obviously, has the same distribution as .

We will first prove that the output distributions of the simulator and the obfuscator are indistinguishable. We prove this by contradiction, assume that the probability that a distinguisher D^{≪C,T(C),D(C)≫} can distinguish between the probabilities described is not negligible. That is, |Pr_Nick − Pr_Junk| is not negligible.

Assume that the probability of D to win is not negligible, then we build a couple of adversaries (A, B), which attacks the semantic security of the encryption algorithm. First, A does as below:

1. Take as input (params, pk_e, p, z).
2. Parse .
3. Generate the signers’ private key shares S K.
4. Parse S K = (sk₁, sk₂, ⋯, sk_n).
5. Randomly choose .
6. Set m₁ = sk_i and m₂ = Junk_i.
7. Output (m₁, m₂, pk_e).

Given an encryption ciphertext ct of m_i, the algorithm B can make a distinction between m₁ and m₂ by utilizing D.

1. Take as input (p, pk_e, m₁, m₂, ct, z).
2. Parse and ct.
3. Simulate .
4. Output D’s output.

The advantage of attacker B is the same as the advantage of the distinguisher D to distinguish the output distributions of obfuscator and simulator. So if it’s not negligible, then it contradicts the DLLN assumption. Thus the advantage of D is negligible when given one tuple of ciphertexts, then the advantage when given three tuples is also negligible. So we conclude that the obfuscator satisfies ACVBP with dependent oracle set T(C) and restricted oracle setR(C).

Theorem 4. If Obf_ETS for ETS functionality is ACVBP w.r.t. dependent oracle and restricted dependent oracle R(C) = Corruption^{∣Φ∣≤k−1}, then the existentially unforgeable w.r.t. ETS functionality implies the existentially unforgeable w.r.t. ETS obfuscator.

Proof 4. The proof of this theorem is very similar to the proof in [32], see [103, Theorem 1], we thus omit the formal proof here.

From Theorem 3 and Theorem 4, the TS scheme satisfies the existentially unforgeable, even if the adversary can obtain the obfuscated circuit. The obfuscator for ETS is mainly to enhance the security, and it is safe for the obfuscation circuit to be executed by any untrusted cloud server, and the cloud server could not get any useful information from it.

Corollary 1. Under DLLN and CDH assumptions, TS scheme is existentially unforgeable w.r.t. Obf_ETS.

Theoretical performance analysis

Here we analyze the performance efficiency of our scheme, in terms of computational complexity when performing ETS.Sign, Obf_ETS, R_p,pke,t and ETS.Verify operations. The result is showed in Table 1. In this table, Rand denotes the operation that randomly selects element, Add denotes addition, Mult denotes multiplication, Exp be an exponent operation, Inv denotes inverse operation. As shown in Table 1, the computational complexity of ETS.Sign and R_p,pke,t algorithms is linear in the number of n and k. All these operations are polynomial bounded operations and can be computed effectively. Therefore, all algorithms are efficient from a theoretical perspective.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 1. Computational overhead, where n is the number of users, k is the threshold number.

https://doi.org/10.1371/journal.pone.0250259.t001

Implementation

To provide numerical results, we implement it to measure the performance of our scheme. Our implementation is written in C using the Pairing-Based Cryptography Library [40]. For the computations, we use the curve groups that are implemented in the Libpbc library. The computations are run on a PC with 3.70 GHz CPU frequency, and 4 GB of RAM. In the experiment, we use elliptical curves with a base field size of 512 bits and an embedding degree of 2. The security levels are selects as |p| = 512.

The following results denote the average running times of related cryptographic operations. In the experiment, the experimental result is the average number of 10 runs. We measure the running time of four algoritms, that is: ETS.Sign, Obf_ETS, R_p,pke,t and ETS.Verify. The performing consequence of our scheme is provided in Fig 1 when n = 5 and k = 3. It is shown that the obfuscated implementation have high efficiency in general, because the algorithm needs perform more exponent operation.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 1. Execution time of the algorithms.

https://doi.org/10.1371/journal.pone.0250259.g001

Figs 2 and 3 show the time variety when the number of n and k as variables, respectively. Fig 2 shows the operations time of ETS.Sign, Obf_ETS and R_p,pke,t when k is set as 3 and the number of n is set varies from 5 to 9 increased by an interval of 1. Fig 3 shows the execution time of the three algorithms when n is set as 7 and the number of k is set varies from 3 to 7 increased by an interval of 1. We observe that R_p,pke,t, ETS.Sign and Obf_ETS’s time cost increases fastly along with the increasing of n and k. It can be seen from the results that R_p,pke,t is more costly than ETS.Sign with the same n or k.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Time cost with k = 3.

https://doi.org/10.1371/journal.pone.0250259.g002

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Time cost with n = 7.

https://doi.org/10.1371/journal.pone.0250259.g003