Cryptocurrencies with Security Policies and Two-Factor Authentication

Florian Breuer∗ Vipul Goyal Giulio Malavolta∗ KIT NTT Research and CMU MPI-SP

Abstract—Blockchain-based cryptocurrencies offer an ap- their decentralized and borderless nature make them pealing alternative to Fiat currencies, due to their decen- appealing substitutes for Fiat currencies, a burning tralized and borderless nature. However the decentralized problem with this approach is the lack of a recovery settings make the authentication process more challenging: mechanism if something goes wrong. What happens if Standard cryptographic methods often rely on the ability of one user’s key is lost or stolen? There is no bank to users to reliably store a (large) secret information. What call and no authority to rely upon to get your funds happens if one user’s key is lost or stolen? Blockchain back. Indeed, the number of such high profile attacks systems lack of fallback mechanisms that allow one to on cryptocurrencies has been rising steadily. Famous recover from such an event, whereas the traditional banking incidents like the Mt. Gox hack [14], the coincheck system has developed and deploys quite effective solutions. hack [2], and the Parity Technology code deletion [3] In this work, we develop new cryptographic techniques saw funds upwards of several hundred million dollars to integrate security policies (developed in the traditional being lost or stolen. The well-known DAO hack [32] banking domain) in the blockchain settings. We propose forced Ethereum to adopt a hard fork which created a system where a smart contract is given the custody of two version of the currency: Ethereum and Ethereum the user’s funds and has the ability to invoke a two-factor classic. To deal with such problems in future, Ethereum authentication (2FA) procedure in case of an exceptional developers have proposed EIP 867. An ethereum improvement protocol (EIP) is the process by which event (e.g., a particularly large transaction or a key recovery code changes get accepted onto the Ethereum platform. request). To enable this, the owner of the account secret- However EIP 867 has proven to be controversial since it shares the answers of some security questions among a will again bifurcate the currency into two versions, the committee of users. When the 2FA mechanism is triggered, very problem it was trying to solve. the committee members can provide the smart contract The problems of attackers stealing money or losing with enough information to check whether an attempt was credentials are of course not unique to blockchain-based successful, and nothing more. cryptocurrencies. The (traditional) banking industry has We then design a protocol that securely and efficiently been dealing with such issues for decades where a number implements such a functionality: The protocol is round- of mitigating approaches have worked pretty effectively. optimal, is robust to the corruption of a subset of committee Examples of common security policies to deal with such members, supports low-entropy secrets, and is concretely attacks include: A waiting period (say 24 hours) for efficient. As a stepping stone towards the design of this transferring money to a new recipient and an overall daily protocol, we introduce a new threshold homomorphic en- outgoing transfer limit. Bypassing these restrictions could cryption scheme for linear predicates from bilinear maps, either require additional verifications (such as two-factor which might be of independent interest. authentication), or may not be allowed at all. Different To substantiate the practicality of our approach, we im- banks could follow different security policies which might plement the above protocol as a smart contract in Ethereum also vary depending on the type of account (business vs and show that it can be used today as an additional safe- personal) and by the state/region and the local laws. This guard for suspicious transactions, at minimal added cost. We motivates the following question: also implement a second scheme where the smart contract Can we take the lessons learnt in the traditional additionally requests a signature from a physical hardware banking domain, and apply them fruitfully to token, whose verification key is registered upfront by the blockchain-based systems, without compromis- owner of the funds. We show how to integrate the widely ing their decentralized nature? used universal two-factor authentication (U2F) tokens in blockchain environments, thus enabling the deployment of 1.1. System Architecture our system with available hardware. We propose a system where each user has the opportu- 1. Introduction nity to delegate the custody of its funds to a smart contract. The security policy (which can be specified by the user Bitcoin and blockchain-based cryptocurrencies itself) is hardwired in the smart contract and it governs its brought us at the brink of a technological revolution: decision. All funds transfer will go through the approval These systems allow us to bypass the need for centralized of such a smart contract, which has the power to accept trusted entities to run currencies on a large-scale. While or reject (or even set on hold) each transaction, depending on the specified policy. In case of an exceptional event, ∗Work done in part while at CMU such as key theft, or as an additional security safeguard in case of particularly large transactions or transactions to then broadcasts a message to all committee members, who new addresses, the smart contract will require additional perform some computation locally and output a partial verification via two-factor authentication (2FA). We stress response tied to the transaction τ. The smart contract that one does not need to authenticate all transactions but then collects sufficiently many responses and publicly only a carefully chosen set, at the discretion of the policy checks whether the authentication was successful. If this specified by the owner of the funds. is the case the smart contract allows τ to go through, In this work we implement the above idea by develop- otherwise it rejects it. In terms of security, we require ing solutions for 2FA mechanisms that can coexist with that the above process does not reveal anything beyond the decentralized nature of blockchain-based currencies. whether the user’s guess was correct or not, even if the To be aligned with the philosophy of decentralized system, attacker corrupts a certain subset of committee members. our solutions are guided by the following design princi- Henceforth, we refer to this procedure as a distributed ples. zero-tester (DZT).1 Distributed Trust. The 2FA must not rely on the ex- We also consider an alternative setup where we lever- istence of a trusted authority. Instead we propose to age a physical two-factor authentication token. As an leverage a hardware token or distribute the trust among example, universal two-factor authentication (U2F) tokens a (reasonably-sized) set of parties, which are asked to in- allow a user to sign any message by querying the token. tervene in case of exceptional event. The members of such With this tool at hand, authentication is done as follows: a committee can be chosen by the users or can be selected The smart contract hardwires the verification key of the through a consensus protocol (e.g., the miners themselves U2F token and, when the 2FA mechanism is invoked, can play this role). Security must be guaranteed even if a sends the user a nonce. The authentication is successful subset of the committee members behaves maliciously. if the user provides a correct signature on the nonce. Reliability and Guaranteed Output Delivery. We re- quire the 2FA mechanism to be resilient against (benign) 1.3. Security Policies disconnections and (malicious) denial of service attacks. That is, even if part of the members of the committee go Our system is completely flexible in the policy that is offline or become corrupted, one should still be able to enforced by the smart contract, which can be specified by complete the authentication procedure (given that the set the owner of the address. A more conservative usage of of online parties is large enough). our system is just as an additional safeguard mechanism: Low Latency. In distributed environments communication Suspicious transactions (e.g., unusually large amounts or is typically expensive, as messages have to be broadcasted transactions to a new address) can trigger the 2FA mech- to all users in the network. For this reason it is of central anism and force the user to provide (human-memorable) importance to minimize the rounds of communication of answers to some security questions or a signature from a 2FA mechanism. a physical token. This gives an additional line of defense Computational Efficiency. General purpose crypto- even against the catastrophic event where an attacker steals graphic solutions are very powerful but are often com- a user signing key. putationally intensive. We aim to build a solution based On the other side of the spectrum, one user may on well-established cryptographic components which is want to set the policy such that some transactions are efficient enough to be integrated in real-life systems. allowed given only the 2FA, i.e., they are not required to be digitally signed. This can be useful in scenarios where 1.2. Two-Factor Authentication Mechanisms a user has lost the signing key for an address and wants to recover the funds: Answering some security questions A popular approach to 2FA in the traditional banking allows him to transfer the coins to a fresh address (with system is that of security questions: When the 2FA is a newly sampled signing key). However this liberal usage triggered, the user is prompted to answer a personal of our system requires careful thoughts. While on the one question and the verification process succeeds if the user’s hand it improves the usability of the currency, on the other answer is correct. If we were to import this idea to the hand it opens the doors to a new attack vector: instead decentralized setting, the first question that arises is where of stealing a secret key, an attacker can compromise to store the correct answers in absence of a trusted author- the address by guessing the answers to some security ity. Clearly the smart contract cannot hardwire the correct questions (or stealing a physical token), which is typically answers as otherwise they would be public knowledge a much easier task. This risk can be mitigated by rate- (smart contracts do not offer any form of privacy). Since limiting the amount of attempts for unsigned transactions answers typically come from a low-entropy distribution, to, e.g., once per week. Since each attempt requires the storing the hash of them is also not a good idea since user to post a message over the blockchain, the query it is vulnerable to off-line dictionary attacks, where an limit can be enforced by the smart contract itself, without attacker recovers the hash and tests locally his guesses the need for the committee members to coordinate or to until he succeeds. update the code of the physical token. Our idea to bypass this obstacle is to secret share the In this work we mainly focus on the former case, correct answers among a set of n parties, in such a way where the 2FA mechanism is invoked in addition to the that stealing the secret would require to corrupt at least t standard digital signature check. An in-depth cost analysis members of this committee (for some threshold parameter t ≤ n ). When the 2FA mechanism is triggered, the user 1. The name comes from the fact that the committee members can is asked to authenticate its transaction τ by providing the jointly check whether an attempt α˜ corresponds to the correct answer α correct answers to a set of predefined questions. The user (i.e., α˜ − α = 0) and nothing beyond that. of the security and usability tradeoff of unsigned transac- offers a general solution to our problem: The client can tions is beyond the scope of this work. simply compute Enc(pk, α) and distribute the shares of the secret key (sk1,..., skn) to the committee members. To 1.4. Our Contribution authenticate a transaction, a user computes Enc(pk, α˜) and broadcasts it to all parties. Then the committee members In this work we propose a new method to safeguard locally compute, using the homomorphic properties of the transactions on blockchain-based cryptocurrencies, in- scheme,   spired by the solutions developed in the (traditional) bank- c = Enc pk, α =? α ˜ ing domain. We then develop 2FA mechanisms amenable to the decentralized nature of cryptocurrencies, offering and compute and output the partial decryption using their different trade-offs in terms of trust assumptions, physical share ski. The plaintext bit {0, 1} of c can be publicly re- capabilities, and computational efficiency. Our technical constructed using a large enough set of decryption shares contributions can be summarized as follows. and the output of the authentication is set to be this bit. (1) Definitions. We develop the notion of distributed zero- While this solution satisfies all of our security require- tester (DZT), the central cryptographic building block that ments, it introduces a prohibitively high computational enables efficient 2FA in decentralized system. We give overhead. As of today, implementing a generic fully- formal definitions (Section5) for this primitive and we homomorphic encryption in an Ethereum smart contract characterize the security requirements with a game-based is far off the reach of the current infrastructure. Thus, definition. developing a solution that can be used in today’s systems (2) Cryptographic Protocol. We propose a cryptographic requires us to devise a different strategy. instantiation of DZT from standard assumptions on bi- linear groups (Section6). The scheme is round optimal, 2.2. A Flawed Attempt has guaranteed output delivery, and is concretely efficient. Along the way, we develop a new threshold homomor- In order to understand our solution, it is instructive phic encryption scheme for linear predicates from bilin- to iterate through a simple construction and analyze its ear groups (SectionA), which might be of independent pitfalls. In the setup phase, the client samples an ElGa- interest. mal [18] key pair (x, h = gx) and encrypts the answer α (3) Implementation. We implement the DZT scheme as a under such a key, making the resulting ciphertext smart contract in Ethereum (Section7). Our performance (c , c ) = (gr, hr · gα) evaluation shows that, for reasonably-size committee, the 0 1 resulting 2FA mechanism can be deployed by today’s publicly available to all parties. The secret key x is then users at minimal additional cost (around 1$ per authenti- secret shared (using Shamir scheme [36]) among n parties cated transaction). We also implement a U2F-based 2FA in such a way that any t shares are sufficient to reconstruct mechanism as a smart contract in Ethereum (Section8), the secret. Let (xi, i) be the i-th share. To authentication thus enabling 2FA with a hardware token already avail- a transaction τ, a user can compute the encryption of its able to the public. In terms of added cost, our scheme attempt s s −α˜ introduces (approximately) an additional 3 to 28 per (d0, d1) = (g , h · g ) transaction, depending on the choice of the curve. ¢ ¢ and broadcast it to all members of the committee. Each xi party then computes and broadcasts pi = (c0 ·d0) . Given 2. Technical Overview a set S of responses, the outcome of the authentication can be publicly recovered by checking In the following section we give an informal exposi- ? tion of the techniques developed in this work. We focus Y λi pi = c1 · d1 on the main goal of designing a crytpographic solution for i∈S a DZT: In a DZT a client secret shares an answer α (the where λ is the i-th Lagrange coefficient. Note that if primitive naturally extends to the settings of multiple an- i α =α ˜, then c ·d = hr+s and indeed the above equation swers) among a set of n parties. When the 2FA is invoked, 1 1 holds true since the secret x is reconstructed in the expo- the client (which has an attempt α˜ in his head) crafts a nent. Unfortunately this solution has multiple flaws. First single query q and sends q (together with the transaction of all, there is no mechanism that ties the transaction τ to identifier τ) to all parties, who locally compute a response the authentication process so one can authenticate without p . Given a large enough set of responses {p } , for i i i∈S the knowledge of α by simply replaying a valid ciphertext some set S of size |S| = t, anyone can publicly determine (c , c ) and swapping the corresponding transaction τ the outcome of the authentication process. The transaction 0 1 with a new τ˜. Furthermore, even if a single member τ is successfully authenticated if and only if α =α ˜ and the provides a malformed answer, the entire mechanism for protocol should not leak any information beyond whether verification fails. the authentication process succeeded or not. While these issues can be resolved using non- interactive zero-knowledge proofs (NIZK) [7], there is a 2.1. A Generic Solution more serious problem: If the authentication is not success- ful, then the responses of the committee members reveals We first discuss a high-level idea of our solution and the exact difference α − α˜. This is because then we present an efficient cryptographic instantiation. c · d hr+s · gα−α˜ hr+s · gα−α˜ Threshold fully-homomorphic encryption [22], [11] al- 1 1 = = = gα−α˜ λ (r+s) P x λ r+s lows us to compute any function over encrypted data and Q i i∈S i i h i∈S pi g which means that the attacker can always guess the correct the factor κρ completely masks the difference α − α˜ and α with at most two queries. This is a notorious issue in prevents the attack as described above. Since the value threshold cryptography, and current approaches to resolve of k = gκ is freshly sampled upon each attempt, the ran- this problem (see, e.g., [20], [17], [30]) require one to domization factor is pseudorandom for each authentication add two rounds of interaction. This is not acceptable for query. Also note that k can be sampled locally by each us, since we consider settings where communication is party, without the need of any additional interaction. expensive (i.e., each message is posted on a blockchain) and thus we aim at a completely non-interactive solution. 2.4. Additional Challenges

2.3. Bilinear Maps at Rescue The above presentation glosses over many important aspects that need to be taken into account when building The above vulnerability comes from the fact that the an efficient protocol. As an example, the above protocol threshold version of ElGamal encryption does not satisfy must be augmented with NIZK proofs to make sure that the notion of simulation security for equality predicates, a malicious player cannot deviate from the specification i.e., instead of revealing whether two strings are equal of the protocol. However, using generic NIZK schemes or not it reveals the exact difference. This problem can for NP would vanish our efforts to build a practical be bypassed by resorting to more powerful cryptographic system. Fortunately we show that our scheme can be machinery. slightly tweaked to allow us to implement the required Our first observation is that the class of predicates NIZKs using exclusively Schnorr proofs for discrete log- that we need to evaluate is very restricted, so there is arithm equality [35], which results in a concretely efficient hope to build a solution without the full power of fully- scheme. homomorphic encryption. Our second observation is that Another set of challenges arises when implementing the protocol is already secure if the authentication is the protocol as a smart contract in Ethereum. In order to successful, so we only need to worry about the case where obtain an efficient protocol, we would like to leverage the answer is not correct, i.e., α 6=α ˜. precompiled instructions to perform bilinear group op- Our central idea is to revisit the ElGamal-based ap- erations. However the semantic of operations supported proach by adding a re-randomization factor to the plaintext by Solidity (the language of Ethereum smart contracts) of the evaluated ciphertext, which cancels out only if is very limited: It only supports group operations in the α =α ˜. This can be done with the help of bilinear groups. source G1 and pairing-product equation checks. This turns In a bit more detail, in the setup phase, the client publishes out to be insufficient to implement the scheme as outlined above. To circumvent this issue, we further modify our r r ρα r˜ r˜ ρ 4 (c0, c1, c2, c3) = (g , h · g , g , h · g ) ∈ G1 construction to make it fully compatible with precompiled x instructions in Solidity. This process is not hassle-free: where h = g . The secret key x is secret shared as The new scheme requires us to introduce a new (static) before. Note that (c0, c1) serves the same role as before, assumption over bilinear groups, the dual Diffie-Hellman except that there is an additional factor ρ multiplied by the assumption. We then show that such an assumption holds answer α. The role of (c2, c3) will be clear in a moment. true in the generic group model. We refer the reader to The authentication begins with the user computing and the Section 6.2 sections for further details. broadcasting the encryption Also the integration of a U2F-based solution in s s −ρα˜ 2 Ethereum introduces some additional complications. As an (d0, d1) = (g , h · g ) ∈ G1. example, a smart contract cannot implement a randomized Note that the user does not know the factor ρ but can still algorithm but we need to sample a random challenge to compute a valid ciphertext for −ρα˜ by obliviously raising complete the U2F authentication protocol. Instead of a (c2, c3) to the power of −α˜ and then re-randomizing the truly random string, we use the hash of a unique identifier resulting ciphertext. of the transaction (to prevent replay attacks) to implement xi Each committee member computes (c0 · d0) as be- the challenge sampling procedure. We elaborate in more fore, except that it additionally samples a fresh element detail in Section8. κ k = g ∈ G2 using a random oracle and returns

xi (r+s)xiκ 3. Related Work pi = e ((c0 · d0) , k) = e(g, g) ∈ GT as the decryption share. The outcome of the authentication In the following we survey some related work from process can be recovered by checking the literature. Multi-Sig Addresses. One of the most prominent ap- Y λi ? pi = e(c1 · d1, k). proaches to safeguard accounts in cryptocurrencies is the i∈S creation of multi-sig addresses: A secret key of a digital signature scheme is secret shared among multiple parties To see why security is preserved even in the case of a using a threshold scheme [24], [29], [20], [16]. Approving failed authentication, observe that transaction requires gathering a large enough set of users e(c · d , k) h(r+s)κ · gκρ(α−α˜) h(r+s)κ · gκρ(α−α˜) to jointly sign it. This means that compromising a single 1 1 = = λ (r+s)κ P x λ (r+s)κ device is no longer sufficient to steal coins. Q p i g i∈S i i h i∈S i Our approach complements this idea and adds two so in case α =α ˜ the randomization factor κρ cancels out important features: (1) Multi-sig address require to gather and the above equality is verified. For the case case α 6=α ˜, multiple parties to sign every transaction regardless of how small or big it is, whereas in our system a smart Distributed Point Functions (DPF). A DPF [23] (and security policy can decide when additional verification is its generalization to function secret sharing [12]) al- required. To the best of our knowledge, there has been lows a set of parties to secret-share a point function no previous work which has this feature. (2) Our system f → (f1, . . . , fn) whose output can be recovered by supports also low-entropy secrets (e.g., human-memorable the output of the local evaluation of each parties, i.e., passwords or answers to security questions) that can be f(x) = f1(x) ⊕ · · · ⊕ fn(x). A DZT can be thought used as an additional verification, in case one of the parties as a threshold version of a DPF with a few important loses his credentials. differences: (i) In a DZT the output shares of the parties Password-Protected Wallets. Another approach to im- are publicly verifiable, which is in general not the case for prove the usability of blockchain systems is the so-called DPFs. Furthermore, (ii) in a DZT the output reconstruction password-protected wallet [21], where the secret keys are is not restricted to be a linear function. Finally, (iii) DZT encrypted using a human-memorable password. Unfortu- supports the evaluation of encrypted queries, whereas in nately these systems are vulnerable to exhaustive-search a DPF the inputs are typically public. attacks where one can enumerate all plausible passwords and attempt to recover the secret. A DZT can be used to 4. Preliminaries overcome this limitation and to construct a form of dis- tributed password-protected wallet across some committee We denote by λ ∈ the security parameter. We say members. N that a function negl(·) is negligible if it vanishes faster Vaults. Cryptocurrency vaults [33] aim at disincentivizing than any polynomial. Given a set S, we denote by s ←$ S key theft by delaying the acceptance transactions: Once the uniform sampling from S. We say that an algorithm is an illegitimate transaction is placed on the blockchain, PPT if it can be implemented by a probabilistic machine the legitimate owner has enough time to prevent the running in time polynomial in the security parameter. spending using an appropriate recovery key. The aim of this mechanism is to reduce the incentive for an attacker to steal keys, as it will likely result in no financial gain. 4.1. Bilinear Groups However, it does not address the question of recovering access to an account, in case of unintentional credential Let (G1, G2, GT ) be an asymmetric bilinear group losses. of prime order p with an efficiently computable pairing Password-Authenticated Key Exchange (PAKE). An e : G1 × G2 → GT and let G be the generator of area which is closely related to our DZT is that of such a group. We denote by (g1, g2) the generators of the threshold PAKE [31], [15], where a human-memorable groups G1 and G2, respectively, and by gT = e(g1, g2) the password is used to authentication a user against a set generator of GT . In the following we recall the eXternal of servers, who collectively know the password but can Diffie-Hellman (XDH) [9] and the Decisional Bilinear be individually corrupted without compromising security. Diffie-Hellman (DBDH) [27], [10] problems over bilinear The main difference with respect to our settings is that groups. we do not require to exchange any key, instead we want Assumption 1 (XDH). Let G be a bilinear group gen- to tie the authentication process with a transaction chosen erator. G is XDH-hard if for all PPT distinguishers it by the client. Additionally, we require that the outcome holds that the following distributions are computationally of the authentication process is publicly verifiable even by indistinguishable external parties, which is typically not the case for PAKE protocols. x y xy (G1, G2, GT , p, g1, g2, g1 , g1 , g1 ) ≈ Zero-Testing of ElGamal Ciphertexts. One of our main ( , , , p, g , g , gx, gy, gz) technical innovation is a new protocol where parties can G1 G2 GT 1 2 1 1 1 jointly test whether an ElGamal ciphertext is an encryp- λ where (G1, G2, GT , p, g1, g2) ←$ G(1 ) and tion of 0, without revealing any additional information. ∗ (x, y, z) ←$ Zp. While this is a well-known problem in threshold cryp- tography [13], known efficient solutions (see, e.g., [20], Assumption 2 (DBDH). Let G be a bilinear group gen- [17], [30]) are based on a commit-and-prove approach and erator. G is DBDH-hard if for all PPT distinguishers it require at least three rounds of interaction. In contrast, holds that the following distributions are computationally our solution is completely non-interactive: Each party indistinguishable broadcasts a single message and the verification procedure ( , , , p, g , g , gx, gy , gxy) ≈ is public. This is particularly suitable for settings where G1 G2 GT 1 2 2 T T x y z communication is expensive, e.g., where parties exchange (G1, G2, GT , p, g1, g2, g2 , gT , gT ) messages by posting them on a blockchain. λ where (G1, G2, GT , p, g1, g2) ←$ G(1 ) and Password-Protected Secret-Sharing (PPSS). A PPSS [4] ∗ (x, y, z) ←$ . allows a user to share a secret that can be reconstructed Zp with the sole knowledge of a password. Recent efficient protocols [26] can be used as a substitute for DZT in 4.2. Non-Interactive Zero-Knowledge our 2FA mechanism. However, PPSS would require at least one more round of interaction between the committee A non-interactive zero-knowledge (NIZK) proof [7] members and the client. In contrast, the shares in the DZT allows a prover to convince a verifier about the validity can be verified non-interactively and without the need to of a certain statement without revealing anything beyond set up an off-chain communication infrastructure. that. We recall the syntax in the following. Definition 1 (NIZK). Let L be an NP-language with 5.1. Overview relation R. A NIZK system for R consists of the following efficient algorithms. A DZT allows one to share a secret among a selected Setup(1λ): On input the security parameter 1λ, the setup committee of users in such a way that later on one can algorithm returns a common reference string crs. authenticate using the knowledge of such a secret, assum- Prove(crs, stmt, wit): On input the common reference ing that a large enough portion of committee members is string crs, a statement stmt, and a witness wit, the prover online. Our definition for a DZT is tailored to distributed algorithm returns a proof π. environments where communication is expensive and an arbitrary subset of parties may decide not to comply with Verify(crs, stmt, π): On input the common reference the protocol specifications. Our definitions (and conse- string crs, a statement stmt, and a proof π, the verifier quently the instantiation that we propose) are guided by algorithm returns a bit {0, 1}. the following design principles. Correctness requires that for all λ ∈ N and all pairs Round Optimality. For our applications of interest, the (stmt, wit) ∈ R it holds that communication among committee members happens over a blockchain. This makes communication costly in both Pr [Verify(crs, stmt, Prove(crs, stmt, wit))] = 1 financial and efficiency terms: The rate of exchanged λ where crs ←$ Setup(1 ). We recall the definition of zero- messages is bounded by the rate at which new blocks knowledge in the following. appear, which can be in the order of minutes. For this reason we aim to minimize interaction as much as possi- Definition 2 (Zero-Knowledge). A NIZK system for R is zero-knowledge if there exists a PPT algorithm ble. Ideally, an authentication attempt should consist of a single message from the user to all committee members (Sim0, Sim1) such that for all pairs (stmt, wit) ∈ R and for all PPT distinguishers the following distributions are and of a single round of response, where the output of the computationally indistinguishable protocol can be recovered without any further interaction. Guaranteed Output Delivery. As one cannot trust all (crs ← Setup(1λ), π ← Prove(crs, stmt, wit)) ≈ committee members, a corrupted user might decide at any ∗ (crs , π ← Sim1(crs, stmt, td)) point not to respond to any query. We want to guarantee ∗ λ that authentication protocols can still take place even if an where (crs , td) ← Sim0(1 ). arbitrary subset of committee members (up to some user- We require that the protocol satisfies the strong notion defined threshold) goes offline. This property is commonly of simulation extractability. known as guaranteed output delivery. Public Verifiability. We require that the outcome of the Definition 3 (Simulation Extractability). A NIZK system authentication process is publicly verifiable by any ex- for R is simulation-extractable if there exists a PPT ternal observer. This feature is needed to allow the smart algorithm Ext and a negligible function negl(·) such that contract to decide whether the user transaction should take for all λ ∈ N and all PPT algorithms A it holds that place or not.  λ  Verify(crs, stmt, π) (crs, td) ← Sim0(1 ) Resilience Against Offline Dictionary Attacks. The

Pr  ∧ stmt ∈/ Q π ← A(crs)O(·)  secrets stored by the user typically come from a low- A ∧ (stmt, wit) ∈/ R wit ← Ext (crs, td, stmt, π) entropy distribution (e.g., a human-memorable password = negl(λ) or answer to some security question). For this reason, it is important the information that an attacker can gather where O takes as input a (possibly false) statement stmt by eavesdropping the communication does not allow it and returns Sim1(crs, stmt, td) and we denote by Q the to launch brute-force attacks where the authentication list of queries issued by A. process is run locally until it succeeds. Clearly the attacker can query the online authentication mechanism, but an 4.3. Secret Sharing unusual number of attempts will trigger a rate-limiting We recall the threshold secret sharing scheme from mechanism. Resilience Against Replay Attacks. In our context au- Shamir [36] over a field F where a randomized algorithm Share takes as input a field element s, a threshold t, and a thentication is tied to a specific bitstring τ, e.g., we want number of participants n and returns the evaluations of a to make sure that an unusual transaction τ is initiated by random (t−1)-degree polynomial at the respective points the legitimate user. It is therefore important to ensure that previous successful authentications for a string τ cannot (1, s1),..., (n, sn). Then any subset S ⊆ {1, . . . , n} such that |S| = t can recover the secret s by computing be mauled into successful authentications for a different string τ 0, without the knowledge of the secret. X s = λi · si i∈S 5.2. Syntax and Security Properties over F, where λi is the i-th Lagrange coefficient. In the following we present the syntax for a DZT 5. Definitions protocol. To incorporate the fact that a query is associated with some transaction trans we augment our scheme with In the following we present the notion of a distributed tags τ, which we assume to be λ-bit strings. This is zero-tester (DZT) and we provide explicit security and without loss of generality since one can set τ = H(trans), privacy properties. Before delving into the formal defini- where H : {0, 1}∗ → {0, 1}λ is a collision resistant hash tions, we discuss on a high level our design goals. function. Definition 4 (DZT). A DZT scheme consists of the fol- polynomial-size circuit and that it has no fixed lowing efficient algorithms. point, i.e., there exists no x such that f(x) = x. Setup(1λ, t, n, α): On input the security parameter 1λ, 3) Malicious(q, τ): On input a query q and a tag τ, the adversary is given pi ← a threshold size t, a committee size n, and a string α ∈ ∗ {0, 1}∗, the setup algorithm returns a public key pk and Response(pk, ski, q, τ, i), for all i∈ / S . a vector of secret keys (sk1,..., skn). We define Q to be the set of queries to the Malicious 0 Query(pk, β, τ): On input the public key pk, a string interface and Q be the set of queries to the Accept β ∈ {0, 1}∗, and a tag τ ∈ {0, 1}λ, the query algorithm interface. The experiment returns 1 if and only if returns a query q. ∗ ∗ ∗ ∗ 0 Verdict(pk, p1, . . . pt˜, τ ) = 1 and τ ∈/ Q . Response(pk, ski, q, τ, i): On input the public key pk, a We now discuss how the experiment defined above secret key ski, a query q, a tag τ, and an index i, the models the intuition for the security properties that we response algorithm returns a partial response pi. want to ensure. First observe that the adversary is allowed Verdict(pk, p1, . . . , pt˜, τ): On input the public key pk, a to see arbitrarily many accepting and rejecting queries ˜ from the honest users without affecting its success prob- set of partial responses (p1, . . . , pt˜), for some t ≤ n, and a tag τ, the verdict algorithm returns a bit {0, 1}. ability. This means that no matter how many queries it eavesdrops, its advantage in guessing α should not change. For correctness, we require that for all λ ∈ N, all Instead, the Malicious interfaces allows the attacker to polynomials n = n(λ), all t ≤ n, all sets S ⊆ {1, . . . , n} guess the value of α exactly once per query and we of size |S| ≥ t, all strings α and τ, all (pk, sk1,..., skn) require that nothing is revealed beyond whether his guess λ in the support of Setup(1 , t, n, α) it holds that is correct or not. This prevents offline attacks where the attacker locally tests for the correct value of α and Pr [Verdict (pk, {p } , τ) = 1] = 1 i i∈S returns an accepting query without querying the Malicious interface. where pi ← Response(pk, ski, Query(pk, α, τ), τ, i). Note that correctness is required to hold as long as any set of Finally observe that the experiment captures replay committee members of size at least t participates in the attacks: If the adversary was able to maul an honest response to the queries. In other words, the protocol has accepting query into a query for a different tag, it could guaranteed output delivery as long as at most n−t parties violate the above definition with a single query to the are corrupted and may refuse to respond to queries or give Accept interface. an incorrect response. Next we define the notion of security and we ar- 6. Construction of Distributed Zero-Tester gue why it models the attackers capability in a faithful way. Our definition are inspired by those of Bellare, In this section we present our DZT construction and Pointcheval, and Rogaway [6] imported to our settings. we show that it satisfies all of the properties of interest. Let We denote by D set of distinct strings from where the (G1, G2, GT , p, g1, g2) be an asymmetric bilinear group of ∗ secret is chosen. Our definition captures both the cases prime order p and let H : {0, 1} → G2 be a hash function where D is small and exponentially large, as long as one modeled as a random oracle. We assume the existence can efficiently sample an element from D. of NIZK scheme (NIZK.Setup, NIZK.Prove, NIZK.Verify) for NP. The scheme is described in Figure1. For com- Definition 5 (Security). A DZT is secure if there exists a pleteness, we also present a self-contained version of the negligible function negl(·) such that for all λ ∈ N and underlying threshold homomorphic encryption scheme in all PPT algorithms A it holds that AppendixA.  λ  To see why the scheme is correct, note that Pr ExpA(1 ) = 1 ≤ (|Q| + 1)/|D| + negl(λ)  log(p) log(p)  where the experiment is defined in the following. Y Y c0 · c0,i, c1 · c1,i λ ExpA(1 ): i=0 i=0   λ log(p) log(p) • (t, n) ← A(1 ) i i Y 2 ·αi ri Y 2 ·αi ri = c0 · d · g , c1 · d · h • α ←$ D  0 1 1  λ i=0 i=0 • (pk, sk1,..., skn) ← Setup(1 , t, n, α) ∗ α r˜ α r˜
• S ← A(pk) = c0 · d0 · g1, c1 · d1 · h ∗ ∗ ∗ ∗ O • (q , τ , p1, . . . p˜) ← A ({ski}i∈S∗ ) r sα+˜r r −ρα ρα sα+˜r
t = g1 · g1 , h · g1 · g1 · h where |S∗| = t − 1 and O gives the adversary access to ψ ψ = (g1 , h ) the following interfaces: Plog(p) where r˜ = i=1 ri and ψ = r + sα +r ˜. Then we have 1) Accept(τ): On input a tag τ, the adver- that sary is given q ← Query(pk, α, τ) and pi ← ψ ψκ xψκ ∗ (b , b ) = (e(g , k), e(hψ, k)) = (g , g ) Response(pk, ski, q, τ, i), for all i∈ / S . 0 1 1 T T 2) Reject(τ, f): On input a tag τ and a function f, and therefore for all admissible sets S of size |S| = t we the adversary is given q ← Query(pk, f(α), τ) have together with p ← Response(pk, sk , q, τ, i), for Y xiλi xψκ i i b = g = b1 all i∈ / S∗. We require that f is given as a 0 T i∈S λ λ Setup(1 , t, n, α): On input the security parameter 1 , a threshold size t, a committee size n, and a string α ∈ Zp, ∗ the setup algorithm samples a tuple (x, r, s, ρ) ←$ Zp and a t-out-of-n Shamir secret sharing (x1, . . . , xn) ← Share(x, t, n). Then it computes crs ← NIZK.Setup(1λ). The algorithm sets the public key of the scheme to

x x1 xn r r −ρα s s ρ pk = (crs, h, h1, . . . , hn, c0, c1, d0, d1) = (crs, g1 , gT , . . . , gT , g1, h · g1 , g1, h · g1 )

and the secret keys to ski = xi, for all i ∈ {1, . . . , n}. λ Query(pk, β, τ): On input the public key pk, a string β ∈ Zp, and a tag τ ∈ {0, 1} , the query algorithm does ∗ the following. For all i ∈ {0,..., log(p)}, sample a uniform ri ←$ Zp and compute  i i  2 ·βi ri 2 ·βi ri (c0,i, c1,i) = d0 · g1 , d1 · h

where β = (β1, . . . , βlog(p)) is parsed in its binary representation. Then compute πi ← NIZK.Prove(crs, stmti, ri) where n  i i  o ri ri 2 ri 2 ri stmti = ∃ ri s.t. (c0,i, c1,i) = (g1 , h ) OR (c0,i, c1,i) = d0 · g1 , d1 · h τ .

The algorithm returns q = (c0,0, c1,0, π0, . . . , c0,log(p), c1,log(p), πlog(p)).

Response(pk, ski, q, τ, i): On input the public key pk, a secret key ski, a query q, a tag τ, and an index i, the response algorithm checks whether for all i ∈ {0,..., log(p)} it holds that

NIZK.Verify(crs, stmti, πi) = 1 and aborts if this condition is not verified. Then the algorithm evaluates k ← H(pk, q, τ) and computes

 log(p)   log(p)  Y Y b0 = e c0 · c0,i, k and b1 = e c1 · c1,i, k . i=0 i=0

(i) xi Furthermore, the algorithm computes b = b0 and an equality proof π˜ ← NIZK.Prove(crs, stmt˜ i, xi) where n o ˜ (i) xi xi stmti = ∃ xi s.t. b = b0 AND hi = gT τ . (i) The algorithm returns pi = (b , b1, π,˜ τ, i).

Verdict(pk, p1, . . . , pt˜, τ): On input the public key pk, a set of partial responses (p1, . . . , pt˜), and a tag τ, the verdict algorithm checks whether there exists a set S of responses of size |S| = t such that the corresponding values (b1, τ) are identical for all responses and

NIZK.Verify(crs, stmt˜ i, π˜i) = 1 for all i ∈ S. If this is the case, the algorithm checks whether λ Y  (i) i b = b1 i∈S and returns 1 if and only if all of the above conditions are satisfied.

Figure 1. Our DZT protocol. with probability 1. We now show that our DZT scheme hybrid argument against the zero-knowledge property of satisfies the notion of security. the NIZK system. Theorem 1 (Security). If the XDH and the DBDH prob- Hybrid 2: In this hybrid all NIZK proof sent by the lems are hard over (G1, G2, GT , p, g1, g2) then the DZT adversary are extracted using the Ext algorithm, provided construction as described in Figure1 is secure. by the simulation extractability property of the NIZK system. If any of the outputs of the extractor does not Proof. We assume without loss of generality that the constitute a valid witness for the corresponding relation, adversary outputs a maximally corrupted subset of parties then the experiment aborts. A standard hybrid argument S∗ of size |S| = t − 1. Then we gradually modify the can be used to show that the probability that an abort experiment in the following sequence of hybrids. is triggered is bounded by a negligible function in the λ Hybrid 0: This is the original experiment ExpA(1 ). security parameter, by the simulation extractability of the NIZK system. Hybrid 1: In this hybrid all NIZK proof issued to the adversary on behalf of honest parties are computed using Hybrid 3: In this hybrid we change how the responses the simulator instead of the real witness. This modifica- of the honest parties are computed for all queries of the tion is computationally indistinguishable by a standard adversary. Fix a query of the adversary (to any of the interfaces) and let (b0, b1) be defined as in the Response whereas on the other extreme the distribution is identical algorithm. The output of the i-th honest party is identical to the computation done in Hybrid 6 to the original experiment except for κ γ gκ1 , . . . , g Q , gγ1 , . . . , g Q
. −1 2 2 T T !λi b b(i) = 1 . One can easily show that the distance between the Q xj
λj κρ·(˜α−α) i-th and the (i + 1)-th hybrids is negligible by ∗ b · g j∈S 0 T an invocation of the the DBDH assumption: Let where k = gκ, and α˜ depends on the type query that the x y z 2 (G1, G2, GT , p, g1, g2, g2 , gT , gT ) be the tuple taken as adversary is asking: ρ y input by the distinguisher. The reduction sets gT = gT and (1) For queries to the Accept interface, α˜ is set to α. answers the queries {1, . . . , i − 1} as specified in Hybrid (2) For queries to the Reject interface, α˜ is set to 5 and the queries {i + 1,..., |Q|} as specified in Hybrid f(α). 6, programming the random oracle to some value with (3) For queries to the Malicious interface, the values know discrete logarithm κ. For the i-th query the reduction programs the random oracle to k = gx and computes of (β0, . . . , βlog(p)) are read from the extracted 2 NIZK sent by the adversary, and the value of α˜ −1 !λi log(p) P i b1 is set to i=0 2 · βi. b(i) = . Q xj
λj z·(˜α−α) Observe that such a response is correctly distributed since j∈S∗ b0 · gT

λi   Y x λj b1 Observe that if z = xy then the view of the adversary is b(i) · b j
= 0 κρ·(˜α−α) identical to that of the i-th hybrid distribution, whereas if z j∈S∗ gT ∗ is uniform in Zp then the view of the adversary is identical hr˜ · gκρ·(˜α−α) to that of the (i+1)-th hybrid. This shows that the hybrid = T = hr˜ κρ·(˜α−α) distributions must be computationally indistinguishable. gT for some adversarially chosen r˜. It follows that this mod- Hybrid 7: In this hybrid we change the response of the ification is only syntactical and the view of the adversary honest parties to all adversarial queries. Specifically we is identical to that of the previous hybrid. compute −1 ∗  λi Hybrid 4: In this hybrid the shares xi, for all i ∈ S , are (i) b1 sampled uniformly from p, instead of being computed Z b =  ˜  . Q xj
λj γ·b using the Share algorithm. Then the element hi corre- j∈S∗ b0 · gT sponding to the i-th honest party is computed as ˜ −1 where the bit b is defined as follows: !λi h ˜ hi = . (1) For queries to the Accept interface, we set b = 0. Q λj ˜ i∈S∗ hj (2) For queries to the Reject interface, we set b = 1. (3) For queries to the Malicious interface, we set Since |S∗| < t it follows that the view of the adversary is ˜b = 0 if and only if α = Plog(p) 2i · β , where identical to that induced by the previous hybrid. i=0 i (β0, . . . , βlog(p)) is extracted from the NIZK pro- Hybrid 5: In this hybrid we compute the ciphertexts duced by the adversary. (c , c ) and (d , d ) as encryptions of zero, i.e., 0 1 0 1 First observe that if α˜ = α, then the distribution is r r s s ˜ (c0, c1) = (g1, h ) and (d0, d1) = (g1, h ) indentical as b =α ˜−α = 0. Furthermore, observe that for 0 ∗ all constants c 6= 0 and c 6= 0 the following distributions where (r, s) ←$ Zp. Indistinguishability follows from two invocations of the XDH assumption. (c, c0, c · γ) ≡ (c, c0, c0 · γ) Hybrid 6: This hybrid is identical to the previous one, ∗ where γ ←$ Zp, are identical. It follows that the view of except that the responses of the honest parties for all the adversary is unchanged. adversarial queries are computed as Analysis: We are now in the position of analyzing the λ−1 ! i success probability of the adversary in Hybrid 7. First b1 b(i) = . observe that the public parameters of the scheme do not Q xj
λj γ·(˜α−α) j∈S∗ b0 · gT contain any information about α. Furthermore, the re- ∗ sponses of the queries to the Accept and Reject interfaces where γ ←$ Zp is sampled freshly for each adversarial query and α˜ is defined as before. are computed independently of α. On the other hand, each Let Q be the set of queries issued by the adversary to query to the Malicious interface reveals a single bit of the decryption oracle. For all i ∈ {1,..., |Q|} we define information, i.e., whether α˜ = α, for some adversarially the following hybrid distribution chosen α˜. Let Q be the set of queries to the Malicious interface, we can then bound the probability that the κ1 κQ ρκ1 ρκi−1 ρκi γi+1 γQ
g2 , . . . , g2 , gT , . . . , gT , gT , gT . . . , gT . adversary guesses the correct α by (|Q| + 1)/|D|. Note that on the one extreme we have that the distribution It remains to analyze the success probability that the α corresponds to the computation done in in Hybrid 5 adversary has without guessing a correct , which is equivalent to the probability of producing a false proof κ1 κQ ρκ1 ρκQ
g2 , . . . , g2 , gT , . . . , gT for a (fresh) rejecting statement and can be bounded to a negligible value by the simulation extractability of 2) Modular exponentiations in G1. the NIZK system. Thus, the success probability of the 3) Checks of pairing product equations PPEq : n n adversary against Hybrid 7 is bounded from above by G1 × G2 → {0, 1} of the form (|Q| + 1)/|D| + negl(λ). By the above analysis, the ? same bound holds for an adversary playing against the e(x1, y1) ··· e(xn, yn) = 1. original experiment, up to a negligible additive factor in However this semantic turns out to be insufficient to im- the security parameter. plement our scheme. The reason is that our smart contract (whose computational load consists mainly of calls to the 6.1. Efficient Non-Interactive Zero-Knowledge Verdict algorithm in Figure1) requires us to compute group operations in the target group GT , which are not In the following we discuss an efficient instantiation natively supported by Solidity. One solution to circumvent for the NIZK system, which will allow us to scale the this issue could be to implement group operations in GT efficiency of our system to the regime of practicality. from scratch, without leveraging precompiled instructions. First observe that our NIZK system must support proofs Unfortunately elliptic curve operations in the target group for discrete logarithm equality. This class of NIZKs can are notoriously expensive, and this approach causes the be instantiated very efficiently with the classical protocol smart contract to exceed the maximum amount of com- from Schnorr [35], which we recall in the following. Let putation allowed by the specifications of Ethereum. (g, h) be a pair of elements of a group of prime order p To circumvent this issue, we modify our scheme to ˜ and let (˜g, h) be two group elements. We want to prove be compatible with precompiled instructions in Solidity. w the existence of some w ∈ Zp such that g =g ˜ and Our solution is sketched in what follows. Recall that in w ˜ h = h. The prover samples a uniform r ←$ Zp and our scheme each committee member provides the smart computes the commitment (gr, hr), then the challenge contract with a target group element c ∈ is computed by hashing the commitment together Zp (i) sk with the statement. In our case the statement includes also b = e(¯c, k) i the string τ, that is concatenated to the group elements and (along with other information that is irrelevant for this hashed to compute the challenge c. The prover computes r r overview). In our modified scheme, each member pub- z = wc + r and returns π = (g , h , z). The proof is lishes instead c r z ˜c r z considered valid if g˜ · g = g and h · h = h . It is c¯ski·ψ and k1/ψ, well known [34] that the protocol is zero-knowledge and 2 ∗ simulation sound in the random oracle model. where ψ is a uniformly sampled integer in Zp. Note that The above protocol can be extended to handle disjunc- we can now compute the Verdict algorithm with a pre- tions (i.e., the OR-composition of proofs) using a standard compiled instruction PPEq (3) and the newly introduced trick: For the case of two statements, the two proofs are term ψ does not affect the correctness of the scheme, since computed in parallel using the same algorithm as above, it cancels out with the pairing. To see why this is the case, except that the prover is allowed to choose the challenges observe that c and c under the constraint that c + c = c where c is  sk ·ψ 1/ψ sk (i) 0 1 0 1 e c¯ i , k = e(¯c, k) i = b . computed hashing both statements and the corresponding commitments. The proof is considered valid if both of the We stress that the presence of the randomness ψ is crucial resulting proofs correctly verify. to avoid mix-and-match attacks. We proceed by presenting Finally we remark that Schnorr’s NIZKs have a so our modified scheme more formally. called transparent setup which is not required to be gener- Construction. We present our modified DZT construc- ated by a trusted party, i.e., the setup consists of sampling tion. Let (G1, G2, GT , p, g1, g2) be an asymmetric bilinear the random oracle. ∗ group of prime order p and let H : {0, 1} → G2 be a hash function modeled as a random oracle. We assume the 6.2. Implementation in Ethereum existence of a NIZK scheme (NIZK.Setup, NIZK.Prove, NIZK.Verify) for NP. The scheme is described in Figure2. Implementing our construction as a smart contract Correctness follows by a routine calculation. in Ethereum entails a new set of challenges: While in Note that the modified statement that we need to prove principle bilinear group operations and pairings are effi- in the response algorithm is again a proof of discrete log- cient enough to be performed on commodity machines, arithm equality, except that the first equation involves the the integration in Ethereum of our DZT requires one to comparison of target group elements, which is inefficient. implement them in Solidity, the language of Ethereum To circumvent this issue, we run the Schnorr NIZK over smart contracts. Such a language imposes a hard limit on the source group G1 and we augment the verification with the amount of computation that each smart contract can a pairing. More specifically, we let the prover sample a r r perform, which makes implementation of cryptographic uniform r ←$ Zp and compute the commitment (˜c0, g1). operations particularly challenging. Fortunately, Solidity The challenge c is obtained by hashing the commiment has precompiled instructions for the following (bilinear) and the statement, then the prover computes z = xi ·c+r. r r group operations: The proof consists of (˜c0, g1, z). The verifier accepts if c 1) Group operations in G1.  (i) (i) r z e c0 , k · e (˜c0, k) = e (˜c0, k) 2. While our DZT construction requires the stronger notion of simu- lation extractable NIZK, we settle for simulation soundness in favor of and c r z a more efficient scheme, as commonly done in the literature. hi · g1 = g1 λ λ Setup(1 , t, n, α): On input the security parameter 1 , a threshold size t, a committee size n, and a string α ∈ Zp, ∗ the setup algorithm samples a tuple (x, r, s, ρ) ←$ Zp and a t-out-of-n Shamir secret sharing (x1, . . . , xn) ← Share(x, t, n). Then it computes crs ← NIZK.Setup(1λ). The algorithm sets the public key of the scheme to

x x1 xn r r −ρα s s ρ pk = (crs, h, h1, . . . , hn, c0, c1, d0, d1) = (crs, g1 , g1 , . . . , g1 , g1, h · g1 , g1, h · g1 )

and the secret keys to ski = xi, for all i ∈ {1, . . . , n}. Query(pk, β, τ): Same as Figure1.

Response(pk, ski, q, τ, i): On input the public key pk, a secret key ski, a query q, a tag τ, and an index i, the response algorithm checks whether for all i ∈ {0,..., log(p)} it holds that

NIZK.Verify(crs, stmti, πi) = 1 and aborts if this condition is not verified. Then the algorithm evaluates k ← H(pk, q, τ) and computes

log(p) log(p) Y Y c˜0 = c0 · c0,i and c˜1 = c1 · c1,i. i=0 i=0

∗ (i) ψ·xi (i) 1/ψ Furthermore, the algorithm samples some ψ ←$ Zp and sets c0 =c ˜0 and k = k . Then it computes an equality proof π˜ ← NIZK.Prove(crs, stmt˜ i, xi) where n   o ˜ (i) (i) xi xi stmti = ∃ xi s.t. e c0 , k = e (˜c0, k) AND hi = g1 τ .

 (i) (i)  The algorithm returns pi = c0 , c˜0, c˜1, k , k, π,˜ τ, i .

Verdict(pk, p1, . . . , pt˜, τ): On input the public key pk, a set of partial responses (p1, . . . , pt˜), and a tag τ, the verdict algorithm checks whether there exists a set S of responses of size |S| = t such that the corresponding values (˜c0, c˜1, k, τ) are identical for all responses and

NIZK.Verify(crs, stmt˜ i, π˜i) = 1 for all i ∈ S. If this is the case, the algorithm checks whether  λ  Y  (i) i (i) e c0 , k = e (˜c1, k) i∈S and returns 1 if and only if all of the above conditions are satisfied.

Figure 2. Ethereum-compatible DZT protocol. where the challenge c is recomputed locally by the verifier. We are now ready to show that the scheme satisfies the Since such a protocol is an instance of Schnorr NIZK, security notion for a DZT, assuming the hardness of the zero-knowledge and simulation extractability are immedi- XDH and the dDH problems. Due to space constraints, ate. the proof is deferred to AppendixB. Analysis. We now analyze the security of our new scheme. Theorem 2 (Security). If the XDH and the dDH prob- One downside of this modification is that its security relies lems are hard over (G1, G2, GT , p, g1, g2) then the DZT on a new (static) assumption over asymmetric bilinear construction as described in Figure2 is secure. groups that we introduce in this work, which we refer to as the dual Diffie-Hellman (dDH) assumption. As a positive 7. Experimental Evaluations evidence that the problem is likely to be intractable, we show that the assumption holds in the generic group We implement the DZT-based solution as a smart model [37] in AppendixB. contract on the Ethereum blockchain. The smart contract Assumption 3 (dDH). Let G be a bilinear group gen- is written in Solidity, an Ethereum specific language. erator. G is dDH-hard if for all PPT distinguishers it Contracts written in Solidity are compiled into bytecode holds that the following distributions are computationally for the Ethereum Virtual Machine (EVM). The code is indistinguishable available at [1]. The runtime of programs on the EVM is limited by a unit called gas. Every operation in the EVM costs gas and there is a hard limit as to how much ( , , , p, g , g , gx, gy, gz, gzy/x, gv, gxv, gw, gyw) ≈ G1 G2 GT 1 2 1 1 1 1 2 2 2 2 gas a transaction can consume. This gives a hard limit on x y z u v xv w yw (G1, G2, GT , p, g1, g2, g1 , g1 , g1 , g1 , g2 , g2 , g2 , g2 ) how much computation can be done in one transaction. Since the price of Ethereum and gas is fluctuating, all costs λ where (G1, G2, GT , p, g1, g2) ←$ G(1 ) and displayed in Dollars are calculated with a fixed conversion ∗ (u, v, w, x, y, z) ←$ Zp. rate of 1 gas costing 1 GWei and 1 Ether costing 180$. Group creation cost 3 Query submission cost Total query cost 2

1

Cost of operation (in $) 0 0 10 20 30 40 Threshold Parameter (t)

Figure 4. Cost of the creation of a DZT group (blue) cost for a client Figure 3. System architecture of our DZT implementation querying the group (green) and cost of submitting and verifying a query (red).

The non-blockchain parts of the implementations use the JSON-RPC API of an Ethereum node to interact with 7.2. Performance Evaluation the smart contracts. A pictorial description of the system architecture is given in Figure3. The steps of the 2FA mechanism are implemented as functions on a smart contract. The smart contract notifies 7.1. Security Policies the committee members via Ethereum events if a new protocol step has to be executed, i.e., this happens if The security policy of a smart contract determines a new query is submitted. The contract then runs the when a transaction triggers the usage of a second factor for Verdict algorithm, which internally verifies the NIZKs and authentication. In our implementation, the smart contract checks whether the conditions dictated by the algorithm tracks the total flow of money and the amounts transferred are all verified. We stress that the worst-case runtime of to specific addresses. This allows us to set fine-grained se- the Verdict algorithm is only proportional to t˜(the number curity policies that depends on the history of transactions. of partial responses fed as input). Recall that the Verdict We say that a transaction is flagged if the security policy algorithm consist of two subroutines: invokes the 2FA protocol for such a transaction. In our prototype, we consider four types of security policies: 1) Checking the NIZKs: There are at most t˜NIZKs, so this step can be done in time linear in t˜. (1) Flag every transaction to any new beneficiary. 2) Partition the responses in sets with the same value (2) Flag a transaction if the sum of all coins trans- of (b , τ): This operation can also be done in time ferred (since the last flag) is above a predefined 1 proportional to t˜. threshold. (3) Flag a transaction if the sum of all funds that At this point we can check whether there exists a set with are transferred in a specific timeframe (a sliding more than t elements where all NIZKs verify. Note that, window) exceeds a predefined threshold. within such a set, any subset of the shares in this set is (4) Flag a transaction if the sum of all coins sent to considered valid (since all the NIZKs verify correctly), so a specific beneficiary (since the last flag) exceeds the Verdict algorithm can just pick an arbitrary one (e.g. a predefined threshold. the lexicographically smallest one). This list of policies is non-exclusive and multiple policies We use the 256bit version of the Barreto-Naehrig can coexist in the same smart contract. If any security (BN) curves to instantiate the pairings [5]. This curve is policy flags a transaction, the counter for such a policy especially suited for use in Ethereum, since an elements is reset if and only if the transaction is successfully of its base field fits into the 256bit wide registers of the authenticated. EVM. We show the costs associated with all operations in We measured the overhead that the implementation of Figure4. For our experiments, we set the threshold size each policy adds to processing transactions. For policy (t) to be equal to the group size (n), since decreasing the (1), it cost 0.005$ for a user to set it up. If a transaction value of t only decreases the costs of each algorithm. For is flagged because it is sent to a therefore unknown the client, the cost of the setup phase grows linearly with beneficiary, the user has to pay 0.008$ to now save that the size of the committee. The cost of the queries depends the beneficiary is verified for further transactions. For only on the threshold parameter t, i.e., the maximum size policies (2) and (4), the setup cost is 0.009$ and each of parties that the attacker can corrupt. The cost to verify transaction costs an additional 0.006$ to sum up the coins a query is identical for all members of the committee and transferred. If the threshold is reached, the user has to we only display the cumulative cost (i.e. the sum of the spend 0.004$ (and 0.006$, respectively) to reset the sum costs for each committee member), which grows linearly of all coins spent to 0. The cost of policy (3) varies with with t. We stress that a lower value of t implies a lower the size of the sliding window, which we measure for corruption threshold but at the same time an increase in values ranging from 0 to 100 transactions. The added cost reliability, as only t parties need to be online in order to does not exceed 0.5$, in a non-optimized implementation. run protocol. 8. A Solution Based on U2F Tokens 0.3 SECP256k The Universal Second Factor (U2F) is a token- SECP256r based authentication protocol specified by the FIDO Al- liance [38]. It is used to enhance the security of standard 0.2 password-based authentication with a cryptographic secret stored on a hardware token. This protocol is supported 0.1 by all major browser and by many web services (such as Gmail, Facebook, and Dropbox). The U2F protocol Operation cost (in $) consists of three interacting entities: (1) A hardware token, 0 (2) a client, and (3) a relying party, which guards access to the resources. The U2F protocol specifies two subroutines, Registration Verification Creation a one-time registration and and unbounded number of Operation on the contract authentications, which we briefly describe below. Registration. Figure 5. Transaction registration, verification and creation costs on curve The registration allows the relying party SECP256k (blue) and curve SECP256r (red). to bind a physical token to a user account. The relying party is associated with some application identifier (e.g., the url of its website) and begins the registration phase Implementation. U2F specifies curve SECP256r1 or P- by sending a challenge to the token. The hardware token 256 as the basis for signature creation and verification generates a fresh ECDSA key pair (sk, vk) and sends back [19]. On the other hand, Ethereum uses signatures over the verification key and a key-handle to the relying party. the curve SECP256k1 internally and offers an EVM in- At this point the relying party associates the key handle struction to access the signature verification capabilities and vk with the account of the user. that is part of the official standard [39]. To make the two Authentication. Upon each authentication request, the choices compatible, we design the smart contract to allow relying party sends the key handle, the identifier, and a a user to decide at registration time which curve should challenge to the token. The key handle is used by the be used for verification. token to recover the corresponding signing key, which is The costs for authenticating transactions are shown used to sign the challenge of the relying party. In addition in Figure5. All measurements are taken using a simu- to the challenge, the token also signs a counter, which lated token. The use of a soft token does not impact the is maintained by the token locally and increased upon messages that are exchanged on the blockchain and the each authentication run. The relaying party considers the interaction between the smart contract and the user client, authentication successful if the signature correctly verifies so this change does not affect the costs. The measurements against the verification key vk associated with the user are taken as the average over 100 transactions. The cost account and if the counter (also included in the signed of verifying signatures on the standard curve SECP256r message) increased from the previous authentication. of U2F is significantly higher compared to verification on curve SECP256k: Standard U2F tokens have a one- 8.1. U2F on Ethereum time registration fee of 0.31$ and a recurring fee of 0.28$ for verifying transaction requests. For the costs over the In the U2F token-based authentication protocol, the SECP256k curve, the one-time registration costs 0.07$ smart contract impersonates the relying party. The authen- and the recurring transaction verification costs 0.03$. The tication protocol for a transaction τ begins with the client evaluation shows that the usage of U2F in the blockchain querying the smart contract for a challenge and receives a setting is feasible in terms of costs. There is a big cost random nonce and a key handle that is used by the token benefit in switching the standard U2F signature curve to to specify the correct key to use. The client queries the one which can be natively verified by a smart contract, token for a signature on the nonce and on τ and sends it to however this also requires custom made tokens. the smart contract, which can publicly verify the validity of the signature. A client can use the same token with 9. Conclusions multiple smart contracts, since U2F tokens allow one to generate an arbitrary number of key pairs, each associated to a unique identifier. In our case, the identifier consists In this work we proposed a new system to safeguard of the address of the smart contract and the chain identity. users’ transactions, where a smart contract is entitled to Nonce Sampling. A subtlety that needs to be addresses request for a two-factor authentication, in case of excep- is that Ethereum smart contracts do not support non- tional events. We designed and implemented two 2FA deterministic operation and therefore cannot sample truly protocols in Ethereum. Our performance evaluation shows random nonces. We circumvent this limitation by setting that augmenting Ethereum with 2FA comes at minimal the nonce to H(τ), where H is a hash function modeled additional cost. as a random oracle and τ is a unique identifier of the Acknowledgements. We wish to thank Nishanth Chan- transaction. In Ethereum, a transaction can be uniquely dran, Satya Lokam, Divya Gupta, Manoj Prabhakaran, identified by the concatenation of the receiver and sender Sambhav Satija and Yifan Song for helpful discussions. addresses and the value of a counter, which denotes the Research supported in part by the NSF award 1916939, number of the transaction from the sending address and a gift from Ripple, a DoE NETL award, a JP Morgan can only grow over time. Faculty Fellowship, a PNC center for financial services innovation award, a Cylab seed funding award, the Inter- [21] R. Gennaro, S. Goldfeder, and A. Narayanan, “Threshold-optimal ACT network, and a Baden-Wurttemberg¨ scholarship. dsa/ecdsa signatures and an application to bitcoin wallet security,” in International Conference on Applied Cryptography and Network Security. Springer, 2016, pp. 156–174. References [22] C. Gentry et al., “Fully homomorphic encryption using ideal lattices.” in Stoc, vol. 9, no. 2009, 2009, pp. 169–178. [1] https://github.com/FBreuer2/security-policies-in-crypto. [23] N. Gilboa and Y. Ishai, “Distributed point functions and their applications,” in Annual International Conference on the Theory [2] “How to steal $500 million in cryptocurrency,” https://fortune.com/ and Applications of Cryptographic Techniques. Springer, 2014, 2018/01/31/coincheck-hack-how/. pp. 640–658. [3] “Parity technologies,” https://www.parity.io/security-alert-2/. [24] S. Goldfeder, R. Gennaro, H. Kalodner, J. Bonneau, J. A. Kroll, [4] A. Bagherzandi, S. Jarecki, N. Saxena, and Y. Lu, “Password- E. W. Felten, and A. Narayanan, “Securing bitcoin wallets via a protected secret sharing,” in Proceedings of the 18th ACM confer- new dsa/ecdsa threshold signature scheme,” 2015. ence on Computer and Communications Security, 2011, pp. 433– [25] S. Goldwasser and S. Micali, “Probabilistic encryption,” Journal of 444. computer and system sciences, vol. 28, no. 2, pp. 270–299, 1984. [5] P. S. Barreto and M. Naehrig, “Pairing-friendly elliptic curves [26] S. Jarecki, A. Kiayias, H. Krawczyk, and J. Xu, “Toppss: cost- of prime order,” in International Workshop on Selected Areas in minimal password-protected secret sharing based on threshold Cryptography. Springer, 2005, pp. 319–331. oprf,” in International Conference on Applied Cryptography and Network Security. Springer, 2017, pp. 39–58. [6] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated key exchange secure against dictionary attacks,” in International con- [27] A. Joux, “A one round protocol for tripartite diffie–hellman,” in ference on the theory and applications of cryptographic techniques. International algorithmic number theory symposium. Springer, Springer, 2000, pp. 139–155. 2000, pp. 385–393. [7] M. Blum, P. Feldman, and S. Micali, “Non-interactive zero- [28] J. Katz, A. Sahai, and B. Waters, “Predicate encryption supporting knowledge and its applications,” 1988. disjunctions, polynomial equations, and inner products,” in annual international conference on the theory and applications of crypto- [8] D. Boneh and X. Boyen, “Secure identity based encryption without graphic techniques. Springer, 2008, pp. 146–162. random oracles,” in Annual International Cryptology Conference. Springer, 2004, pp. 443–459. [29] Y. Lindell, “Fast secure two-party ecdsa signing,” in Annual Inter- national Cryptology Conference. Springer, 2017, pp. 613–644. [9] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” [30] Y. Lindell and A. Nof, “Fast secure multiparty ecdsa with practi- in Annual international cryptology conference. Springer, 2004, cal distributed key generation and applications to cryptocurrency pp. 41–55. custody,” in Proceedings of the 2018 ACM SIGSAC Conference on [10] D. Boneh and M. Franklin, “Identity-based encryption from the Computer and Communications Security, 2018, pp. 1837–1854. weil pairing,” in Annual international cryptology conference. [31] P. MacKenzie, T. Shrimpton, and M. Jakobsson, “Threshold Springer, 2001, pp. 213–229. password-authenticated key exchange,” in Annual International [11] D. Boneh, R. Gennaro, S. Goldfeder, A. Jain, S. Kim, P. M. Ras- Cryptology Conference. Springer, 2002, pp. 385–400. mussen, and A. Sahai, “Threshold cryptosystems from threshold [32] M. I. Mehar, C. L. Shier, A. Giambattista, E. Gong, G. Fletcher, fully homomorphic encryption,” in Annual International Cryptol- R. Sanayhie, H. M. Kim, and M. Laskowski, “Understanding ogy Conference. Springer, 2018, pp. 565–596. a revolutionary and flawed grand experiment in blockchain: the [12] E. Boyle, N. Gilboa, and Y. Ishai, “Function secret sharing,” in dao attack,” Journal of Cases on Information Technology (JCIT), Annual international conference on the theory and applications of vol. 21, no. 1, pp. 19–32, 2019. cryptographic techniques. Springer, 2015, pp. 337–367. [33]M.M oser,¨ I. Eyal, and E. G. Sirer, “Bitcoin covenants,” in Interna- tional Conference on Financial Cryptography and Data Security. [13] R. Canetti and S. Goldwasser, “An efficient threshold public key Springer, 2016, pp. 126–141. cryptosystem secure against adaptive chosen ciphertext attack,” in International Conference on the Theory and Applications of [34] D. Pointcheval and J. Stern, “Security proofs for signature Cryptographic Techniques. Springer, 1999, pp. 90–106. schemes,” in International Conference on the Theory and Applica- tions of Cryptographic Techniques. Springer, 1996, pp. 387–398. [14] C. Decker and R. Wattenhofer, “Bitcoin transaction malleability and mtgox,” in European Symposium on Research in Computer [35] C.-P. Schnorr, “Efficient signature generation by smart cards,” Security. Springer, 2014, pp. 313–326. Journal of cryptology, vol. 4, no. 3, pp. 161–174, 1991. [15] M. Di Raimondo and R. Gennaro, “Provably secure threshold [36] A. Shamir, “How to share a secret,” Communications of the ACM, password-authenticated key exchange,” in International Conference vol. 22, no. 11, pp. 612–613, 1979. on the Theory and Applications of Cryptographic Techniques. [37] V. Shoup, “Lower bounds for discrete logarithms and related prob- Springer, 2003, pp. 507–523. lems,” in International Conference on the Theory and Applications [16] J. Doerner, Y. Kondi, E. Lee, and A. Shelat, “Secure two-party of Cryptographic Techniques. Springer, 1997, pp. 256–266. threshold ecdsa from ecdsa assumptions,” in 2018 IEEE Symposium [38] S. Srinivas, D. Balfanz, E. Tiffany, A. Czeskis, and F. Alliance, on Security and Privacy (SP). IEEE, 2018, pp. 980–997. “Universal 2nd factor (u2f) overview,” FIDO Alliance Proposed Standard, pp. 1–5, 2015. [17] ——, “Threshold ecdsa from ecdsa assumptions: The multiparty case,” in 2019 IEEE Symposium on Security and Privacy (SP). [39] G. Wood et al., “Ethereum: A secure decentralised generalised IEEE, 2019, pp. 1051–1066. transaction ledger.” [18] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE transactions on information Appendix theory, vol. 31, no. 4, pp. 469–472, 1985. [19] S. for Efficient Cryptography Group, “Sec 2: Recommended 1. Threshold Homomorphic Encryption from Bi- elliptic curve domain parameters,” 10 2019. [Online]. Available: https://www.secg.org/sec2-v2.pdf linear Maps [20] R. Gennaro and S. Goldfeder, “Fast multiparty threshold ecdsa with fast trustless setup,” in Proceedings of the 2018 ACM SIGSAC In the following we present our threshold homomor- Conference on Computer and Communications Security. ACM, phic encryption scheme for linear predicates from bilinear 2018, pp. 1179–1194. maps. λ Definition. A threshold homomorphic encryption (THE) ExpA,Real(1 ): allows one to share the keys for a homomorphic encryp- λ tion scheme to a set of n parties such that any set that • A ← A(1 ) λ satisfies the corresponding access structure can reconstruct • (pk, sk1,..., skn) ← Setup(1 , A) ∗ the evaluation of some homomorphic computation. We • (S ∈/ A, m1, . . . , m`) ← A(pk) recall the definition from [11]. • For all i ∈ {1, . . . , `} : ci ← Enc(pk, mi) O • b ← A (c , . . . , c , {sk } ∗ ) Definition 6 (THE). A THE scheme for a function family 1 ` i i∈S F and n parties consists of the following efficient algo- where O takes as input a function f ∈ F and a set S, rithms. computes c ← Eval(pk, f, (c1, . . . , c`)) and returns, for λ λ Setup(1 , A): On input the security parameter 1 and an all i ∈ S, the shares pi ← PDec(ski, c, i). access structure , the setup algorithm returns a public λ A ExpA,Ideal(1 ): key pk and a set of secret keys (sk1,..., skn). λ Enc(pk, m): On input the public key pk and a message • A ← A(1 ) λ m, the encryption algorithm returns a ciphertext c. • (pk, sk1,..., skn) ← Setup(1 , A) ∗ • (S ∈/ A, m1, . . . , m`) ← A(pk) Eval(pk, f, (c1, . . . , c`)) : On input the public key pk, an ∗ • ({ski }i∈S∗ , td) ← Sim0(pk) `-input function f, and a set of ciphertexts (c1, . . . , c`), • For all i ∈ {1, . . . , `} : ci ← Enc(pk, mi) the evaluation algorithm returns an evaluated ciphertext O˜ ∗ c. • b ← A (c1, . . . , c`, {ski }i∈S∗ ) PDec(sk, c, i): On input a secret key sk, a ciphertext c, where O˜ takes as input a function f ∈ F and a set S and and an index i, the partial decryption algorithm returns returns Sim1(f, (c1, . . . , c`), f(m1, . . . , m`),S), td). a decryption share p. Construction, Let (G1, G2, GT , p, g1, g2) be an asymmet- Rec(p1, . . . , pt˜): On input a set of shares (p1, . . . , pt˜), ric bilinear group of prime order p and let H : {0, 1}∗ → for some t˜ ≤ n, the reconstruction algorithm returns a G2 be a hash function modeled as a random oracle. In this message m. section we describe a THE scheme for linear predicates ` ` We say that a scheme is compact if the size of evalu- f : Zp × Zp → {0, 1}, i.e., our scheme supports the ated ciphertexts does not depend on the circuit represen- evaluation of functions of the form tation of the evaluated function f. Correctness requires ( P` 1 if i=1 xiyi = 0 that for all λ ∈ N, all access structures A, all accepting f~y(~x) = 0 otherwise. sets S ∈ A, all `-input functions f ∈ F , all message vectors (m1, . . . , m`), all (pk, sk1,..., skn) in the support λ The scheme is described in Figure6. of Setup(1 , A) and ci in the support of Enc(pk, mi) it holds that To see why the scheme satisfies correctness, observe   that Rec ({PDec(sk , Eval(pk, f, (c1, . . . , c`)), i)}i∈S) Pr i = 1. ` ` ! = f(m1, . . . , m`) Y yi Y yi (c0, c1) = ci,0, ci,1 We recall the standard notion of semantic security for i=1 i=1 public-key encryption [25]. ` ` ! Y Y = (dmi · gri )yi , (dmi · hri )yi Definition 7 (Semantic Security). A THE is semantically 0 1 1 secure if there exists a negligible function negl(·) such i=1 i=1 ` ` ! that for all λ ∈ , all access structures , and all PPT Y Y N A = (gri+rmi )yi , (gρmi · hri+rmi )yi algorithms A it holds that 1 1 i=1 i=1 λ P`  (pk, sk ,..., sk ) ← Setup(1 , )   ψ ρ miyi  1 n A = g , g i=1 · hψ (m , m ) ← A(pk) 1 1 Pr A(c) = b 0 1   b ←$ {0, 1}  P` κ where ψ = (ri + rmi)yi. Let k = g , for some c ← Enc(pk, mb) i=1 2 = 1/2 + negl(λ) . κ ∈ Zp, since (b0, b1) = (e(c0, k), e(c1, k)) then we have that Finally we recall the notion of simulation security Y Y Y ψκ ψκ P` λi xiλi xiλi i=1 xiλi which, roughly speaking, says that the decryption shares pi = b0 = (gT ) = (gT ) should not reveal anything beyond the output of the eval- i∈S i∈S i∈S uated function. ψκ x ψκ = (gT ) = h = b1 = P Definition 8 (Simulation Security). A THE is simulation P` for all S such that |S| = t, if and only if miyi = 0. secure if there exists a PPT simulator (Sim0, Sim1) and i=1 Analysis. In the following we show that the scheme is negligible function negl(·) such that for all λ ∈ N and all PPT algorithms A it holds that the following experiments semantically secure. are computationally indistinguishable Theorem 3 (Semantic Security). If the XDH problem is Exp (1λ) ≈ Exp (1λ). hard over (G1, G2, GT , p, g1, g2) then the THE construc- A,Real A,Ideal tion as described in Figure6 is simulation secure in the Where the two experiments are defined as follows. random oracle model. Setup(1λ, (t, n)) : On input the security parameter 1λ and a pair of threshold parameters (t, n), the setup algorithm ∗ samples a uniform triple (x, r, ρ) ←$ Zp and sets the public key of the scheme to x r r ρ pk = (h, d0, d1) = (g1 , g1, h · g1 ).

Then it samples a t-out-of-n Shamir secret sharing (x1, . . . , xn) ← Share(x, t, n) and sets ski = xi, for all i ∈ {1, . . . , n}.

Enc(pk, m): On input the public key pk = (h, d0, d1) and a message m, the encryption algorithm samples a ∗ uniform s ←$ Zp and computes the ciphertext m s m s c = (c0, c1) = (d0 · g1, d1 · h ).

Eval(pk, f, (c1, . . . , c`)) : On input the public key pk, an `-input function f = (y1, . . . , y`), and a set of ciphertexts (c1, . . . , c`) = ((c1,0, c1,1),..., (c`,0, c`,1)), the evaluation algorithm returns an evaluated ciphertext ` ` ! Y yi Y yi c = (c0, c1) = ci,0, ci,1 . i=1 i=1

PDec(sk, c, i): On input a secret key sk, a ciphertext c = (c0, c1), and an index i, the partial decryption algorithm evaluates k ← H(pk, c), computes b0 = e(c0, k) and b1 = e(c1, k) sk and returns the decryption share p = (b0 , b1, i). ˜ Rec(p1, . . . , pt˜): On input a set of shares (p1, . . . , pt˜) = ((p1,P, 1),..., (pt˜,P, t)), the reconstruction algorithm samples an arbitrary subset of shares S of size |S| = t and outputs 1 if

Y λi pi = P i∈S and outputs 0 otherwise.

Figure 6. Our THE scheme for linear predicates.

Proof. The proof consists in the observation that a freshly let (c0, c1) be the output of the corresponding evaluation computed ciphertext is of the form algorithm, and let (b0, b1) be the pair as defined in the ∗ m s m s original PDec algorithm. For the set S ∩ S we compute (c0, c1) = (d0 · g1, d1 · h ) the output as specified in the real experiment. For the r m s r ρ m s = ((g1) · g1, (h · g1 ) · h ) complement of such a set, we compute r·m s r·m ρ·m s = (g1 · g1, h · g1 · h ) −1  λi = (gr·m+s, hr·m+s · gρ·m) b 1 1 b(i) = 1 .  λ P`  ∗ Q xj
j κρ· i=1 mi·yi for a uniform s ←$ Zp, which is a well-formed ElGamal j∈S∗ b0 · gT ciphertext. Therefore semantic security follows from an κ (i) invocation of the XDH assumption. where k = g2 , and output (b , b1, i). Note that this output is correctly distributed since The following shows that the scheme is simulation λi secure.  (i) Y xj
λj b1 b · b0 = P` κρ· i=1 mi·yi Theorem 4 (Simulation Security). If the XDH and the j∈S∗ gT ` P` DBDH problems are hard over ( 1, 2, T , p, g1, g2) P r ·y κρ· i=1 mi·yi G G G h i=1 i i · g then the THE construction as described in Figure6 is T = P` κρ· i=1 mi·yi simulation secure. gT P` r ·y Proof. We consider without loss of generality an adver- = h i=1 i i sary that output a maximally corrupted set S∗ of size exactly t − 1. We gradually change the view of the which is exactly what we expect. It follows that this adversary through a series of hybrids and then we describe modification is purely syntactical and therefore the view of the adversary is unchanged. the simulator (Sim0, Sim1) in the end of the proof. ∗ Hybrid 0: This is defined as in the experiment Hybrid 2: In this hybrid the shares xi, for all i ∈ S , are sampled uniformly from , instead of being computed Exp (1λ). Zp A,Real using the Share algorithm. Note that we no longer need to Hybrid 1: In this hybrid we change how the output of the explicitly compute the shares of the non-corrupted parties. honest share is computed for each query of the adversary. Since |S∗| < t it follows that the view of the adversary is Let (f = (y1, . . . , y`),S) be the a query of the adversary, identical to that induced by the previous hybrid. Hybrid 3: In this hybrid we compute all ciphertexts ci as so in this case the view of the adversary is identical. On P` encryptions of zero, i.e., the other hand if i=1 mi · yi 6= 0, then

ri ri −1 ci = (g1 , h ) !λi b ∗ (i) 1 where ri ←$ . Indistinguishability follows from a sim- b = . Zp Q xj
λj γ ple hybrid argument against the XDH assumption. j∈S∗ b0 · gT ∗ Hybrid 4: We define the fourth hybrid to be identical to the for some uniform γ ←$ Zp. Note that the distributions γ ∗ previous one, except that in the queries to the decryption and c·γ, where γ ←$ Zp and c 6= 0, are identical. It follows shares of the honest parties are computed as that the change is purely syntactical and the view of the −1 adversary is unchanged.  λi b b(i) = 1 . Simulator: The simulator (Sim0, Sim1) is defined to be  λ P`  Q xj
j γ· i=1 mi·yi identical to the previous hybrid. This concludes our proof. j∈S∗ b0 · gT ∗ where γ ←$ Zp is sampled freshly for each adversarial query. Let Q be the set of queries issued by the adversary Extensions and Generalizations. We first show that the to the decryption oracle. For all i ∈ {1,..., |Q|} we define class of linear predicates encompasses equality checks as a the following hybrid distribution special case, i.e., the parties holding the shares can jointly test whether two ciphertext Enc(pk, m0) and Enc(pk, m1) κ1 κQ ρκ1 ρκi−1 ρκi γi+1 γQ
g2 , . . . , g2 , gT , . . . , gT , gT , gT . . . , gT . encrypt the same message. This can be achieved by eval- Note that on the one extreme we have that the distribution uating the linear function f = (1, −1) homomorphically corresponds to the computation done in in Hybrid 3 and then running the distributed decryption procedure. The predicate κ1 κQ ρκ1 ρκQ
g2 , . . . , g2 , gT , . . . , gT f(m0, m1) = m0 − m1 = 0 whereas on the other extreme the distribution is identical is satisfied if and only if m0 = m1, which gives us exactly to the computation done in Hybrid 4 the desired functionality. κ γ κ1 Q γ1 Q
Furthermore, we show that linear predicates generalize g2 , . . . , g2 , gT , . . . , gT . to polynomial evaluations of any bounded degree. Let One can easily show that that the distance between ` the i-th and the (i + 1)-th hybrids is negligible P(x) = c0 + c1x + ··· + c`x by an invocation of the the DBDH assumption: Let x y z be an `-degree polynomial over Zp. Provided with the en- (G1, G2, GT , p, g1, g2, g2 , gT , gT ) be the tuple taken as ρ y cryptions of the coefficients Enc(pk, c0),..., Enc(pk, c`), input by the distinguisher. The reduction sets gT = gT and answers the queries {1, . . . , i−1} as specified in Hybrid 3 the committee members can jointly check whether a point a P f = (1, a, . . . , a`) and the queries {i + 1,..., |Q|} as specified in Hybrid 4, is a root of by setting since programming the random oracle to some value with know ` X i discrete logarithm κ. For the i-th query it programs the f(c0, c1, . . . , c`) = cia = P(a) = 0 x random oracle to k = g2 and computes i=0 −1  λi if and only if a is indeed a root of P. Using standard (i) b1 encoding techniques [28], polynomial evaluations imme- b =  P`  . x λj z· m ·y Q b j
· g i=1 i i diately generalize to threshold predicates and constant- j∈S∗ 0 T variables CNF/DNF formulae. Observe that if z = xy then the view of the adversary is identical to that of the i-th hybrid distribution, whereas if z 2. Missing Proofs ∗ is uniform in Zp then the view of the adversary is identical to that of the (i+1)-th hybrid. This shows that the hybrid In the following we present the missing proofs for the distributions must be computationally indistinguishable. Ethereum-compatible DZT. Hybrid 5: In this hybrid we revert the change made in Hardness of the Dual Diffie-Hellman Problem. We Hybrid 3. Indistinguishability follows from another invo- present positive evidence that that the dual Diffie-Hellman cation of the XDH assumption. problem is hard, by establishing a bound in the generic group model [37]. We refer the reader to [8] a compre- Hybrid 6: In this hybrid we compute the share of the hensive introduction to the bilinear group model. Here f honest parties using the output of the function , i.e., we recall a useful lemma to prove facts about generic −1 !λi attackers. (i) b1 b = λ . Lemma 1 (Schwartz-Zippel). Let P (X ,...,X ) be a Q bxj
j · gγ·(1−f(m1,...,m`)) 1 n j∈S∗ 0 T non-zero polynomial of degree d ≥ 0 over a field F. P` Then the probability that P (x1, ..., xn) = 0 for randomly Note that if f(m1, . . . , m`) = 1, then i=1 mi · yi = 0 n chosen values (x1, ..., xn) in F is bounded from above and therefore d −1 by | | . !λi F b b(i) = 1 Theorem 5. The dual Diffie-Hellman (dDH) problem is Q xj
λj hard in the generic group model. j∈S∗ b0 Proof Sketch. A generic attacker is given the encoding of algorithm. The output of the i-th honest party is identical the base elements of either of the following distributions to the original experiment except for y zy/x yw ψ·λ−1 D = (g , g , gx, g , gz, g , gv, gxv, gw, g ) ! i 0 1 2 1 1 1 1 2 2 2 2 (i) c˜1 c0 = or Q xj
λj ρ·(˜α−α) j∈S∗ c˜0 · g1 y yw D = (g , g , gx, g , gz, gu, gv, gxv, gw, g ) ∗ (i) 1 1 2 1 1 1 1 2 2 2 2 where ψ ←$ Zp (note that k is defined as before to be ∗ k1/ψ) and α˜ depends on the type query that the adversary where all integers are uniformly chosen from ZP , and has to decide which is the case. The adversary is given is asking: oracle access to a group-operation oracle that supports 1) For queries to the Accept interface, α˜ is set to α. linear operations in G1, G2, and GT and pairing between 2) For queries to the Reject interface, α˜ is set to elements in the source groups. We assume that each f(α). element is assigned a unique identifier, so equality can 3) For queries to the Malicious interface, the values be tested locally. Note that the only way for an attacker of (β0, . . . , βlog(p)) are read from the extracted to distinguish between the two distributions is to find a NIZK sent be the adversary, and the value of α˜ polynomial P of degree at most 2 with a non-trivial zero. Plog(p) i is set to i=0 2 · βi. More precisely, the adversary has to find some polynomial P such that Observe that such a response is correctly distributed since

P (X,Y,Z, {U, ZY/X} , V, XV, W, Y W )  λi   λj   (i) (i) Y  (j) (j) e c0 , k · e c0 , k = c0 + c1X + c2Y + c3Z + c4{U, ZY/X} + c5V + c6XV j∈S∗ 2 + c7W + c8YW + c9XV + c10X V + c11XW + c12XYW  λ  λ  (i) i Y  (j)  j 2 = e c , k(i) · e c , k(j) + c13YV + c14YW + c15Y W + c16ZV + c17ZXV 0 0 j∈S∗ + c18ZW + c19ZYW + c20 {UV, ZY V/X}  λi   (i) (i) Y xj ·λj + c21 {UXV,ZYV } + c22 {UW, ZY W/X} = e c0 , k · e (˜c0, k)  2 j∈S∗ + c23 UYV,ZY V/X  ψ  = 0 ! c˜1 1/ψ Y xj ·λj = e  , k  · e (˜c0, k) Q xj
λj ρ·(˜α−α) where formal variables correspond to the integers sampled j∈S∗ c˜0 · g1 j∈S∗ by the challenger. We say that P is non-trivial if all the ! ! c˜ hr˜ · gρ·(˜α−α) coefficients (c20, c21, c22, c23) are non-zero. By lemma1 = e 1 , k = e 1 , k = e hr˜, k
the probability that any non-trivial polynomial P evaluates ρ·(˜α−α) ρ·(˜α−α) g1 g1 to 0, over the random choices of the assignments, is negligibly small. for some adversarially chosen r˜. Here the second and the fifth equations are guaranteed to hold as otherwise they Proof of Theorem 2. We present the proof of Theorem would trigger an abort of the simulator. It follows that 2. this modification is only syntactical and the view of the adversary is identical to that of the previous hybrid. Proof. We assume without loss of generality that the ∗ adversary outputs a maximally corrupted subset of parties Hybrid 4: In this hybrid the shares xi, for all i ∈ S , are ∗ S of size |S| = t − 1. Consider the following sequence sampled uniformly from Zp, instead of being computed of hybrids. using the Share algorithm. Then the element hi corre- sponding to the i-th honest party is computed as Hybrid 0: This is the original experiment Exp (1λ). A −1 !λi Hybrid 1: In this hybrid all NIZK proofs from the honest h hi = . parties are computed using the simulator. By a standard Q λj ∗ h hybrid argument over the zero-knowledge property of the i∈S j NIZK scheme, this hybrid is computationally indistin- Since |S∗| < t it follows that the view of the adversary is guishable from the previous one. identical to that induced by the previous hybrid. Hybrid 2: In this hybrid all NIZK proofs sent by the Hybrid 5: In this hybrid we compute the ciphertexts adversary are extracted using Ext. If any of the outputs (c0, c1) and (d0, d1) as encryptions of zero, i.e., of the extractor does not constitute a valid witness for r r s s (c0, c1) = (g1, h ) and (d0, d1) = (g1, h ) the corresponding relation, then the experiment aborts. A ∗ standard hybrid argument shows the probability that an where (r, s) ←$ Zp. Indistinguishability follows from two abort is triggered is bounded by a negligible function in invocations of the XDH assumption. the security parameter, by the simulation extractability of Hybrid 6: This hybrid is identical to the previous one, the NIZK scheme. except that the responses of the honest parties for all Hybrid 3: In this hybrid we change how the responses adversarial queries are computed as −1 of the honest parties are computed for all queries of the !ψ·λi adversary. Fix a query of the adversary (to any of the (i) c˜1 c0 = (˜c , c˜ ) Response Q xj
λj γ·(˜α−α) interfaces) and let 0 1 be defined as in the j∈S∗ c˜0 · g1 ∗ where γ ←$ Zp is sampled freshly for each adversarial answered according to Hybrid 6. Note that if u = yz then query and α˜ is defined as before. the view of the adversary for the i-th query is identical Before showing a reduction against the hardness of to Hybrid 5, since u/y = z. On the other hand, if u the dDH assumption, we consider a reformulation of the is uniformly distributed, then the view of the adversary problem, that is more convenient to use. I.e., we are going is identical to Hybrid 6. Thus, whenever the reduction to construct a distinguisher for the distributions guesses the i-th index correctly, its advantage is identi- cal to that of the adversary. This shows that the hybrid D0 = distributions must be computationally indistinguishable. ( , , , p, g , g , gx, gy, gxz, gyz, gv/x, gv, gw/y, gw) G1 G2 GT 1 2 1 1 1 1 2 2 2 2 Hybrid 7: In this hybrid we change the response of the and honest parties to all adversarial queries. Specifically we compute D1 = ψ·λ−1 x y xz u v/x v w/y w   i (G1, G2, GT , p, g1, g2, g1 , g1 , g1 , g1 , g2 , g2 , g2 , g2 ) (i) c˜1 c0 =  ˜  Q xj
λj γ·b which are identical to the distributions defined by the dDH j∈S∗ c˜0 · g1 problem (up to renaming of the variables). In the following we describe the reduction against the where the bit ˜b is defined as follows: dDH problem. On input a tuple (1) For queries to the Accept interface, we set ˜b = 0. x y xz u v/x v w/y w (2) For queries to the Reject interface, we set ˜b = 1. (G1, G2, GT , p, g1, g2, g1 , g1 , g1 , g1 , g2 , g2 , g2 , g2 ) (3) For queries to the Malicious interface, we set sampled either from D0 (in which case u = yz) or from ˜ Plog(p) i ∗ b = 0 if and only if α = i=0 2 · βi, where D1 (where u is uniformly from ). The reduction sets Zp (β0, . . . , βlog(p)) is extracted from the NIZK pro- the public parameters of the scheme exactly as specified duced by the adversary. in Hybrid 5. Let Q be the set of queries issued by the adversary to the decryption oracle. The reduction samples First observe that if α˜ = α, then the distribution is ˜ a uniform i ←$ {1,..., |Q|}, then answers all queries {i+ identical as b =α ˜ − α = 0. Furthermore, observe that for 1,..., |Q|} as specified in Hybrid 6, programming the all constants c 6= 0 and c0 6= 0 the following distributions random oracle to some value with know discrete logarithm (c, c0, c · γ) ≡ (c, c0, c0 · γ) κ. For queries {1, . . . , i − 1} (and for each honest party) ∗ ∗ the reduction samples a uniform pair (χi, µ) ←$ Zq and where γ ←$ Zp, are identical. It follows that the view of computes the adversary is unchanged. x·r˜·sk·χ ·λ−1 g i i Analysis: We are now in the position of analyzing the c(i) = 1 0 x·r˜·sk ·λ ·χ ·λ−1 −1 success probability of the adversary in Hybrid 7. First Q j j i i xz·χi·λi ·(˜α−α) j∈S∗ g1 · g1 observe that the public parameters of the scheme do not −1 α x·χi·λi contain any information about . Furthermore, the re- c˜1 sponses of the queries to the Accept and Reject interfaces = −1 λj ·x·χi·λ −1  sk  i xz·χi·λ ·(˜α−α) are computed independently of α. On the other hand, each Q c˜ j · g i j∈S∗ 0 1 query to the Malicious interface reveals a single bit of −1  x·χi·λi information, i.e., whether α˜ = α, for some adversarially c˜ chosen α˜. Let Q be the set of queries to the Malicious =  1    λj  interface, we can then bound the probability that the Q skj z·(˜α−α) j∈S∗ c˜0 · g1 adversary guesses the correct α by (|Q| + 1)/|D|. It remains to analyze the success probability that the where r˜ is extracted from the corresponding NIZK of the adversary has without guessing a correct α, which is adversary. Furthermore, the output of the random oracle equivalent to the probability of producing a false proof v·µ (i) v·µ/x·χi is programmed to g2 and k is set to g2 . for a (fresh) rejecting statement and can be bounded On the other hand, for the i-th query (and for each to a negligible value by the simulation extractability of ∗ honest party) the reduction samples ωi ←$ Zq sets the NIZK system. Thus, the success probability of the

−1 adversary against Hybrid 7 is bounded from above by y·ωi·r˜·sk·λi (i) g1 (|Q| + 1)/|D| + negl(λ). By the above analysis, the c0 = −1 −1 y·ωi·r˜·sk ·λj ·λ u·ω ·λ ·(˜α−α) same bound holds for an adversary playing against the Q g j i · g i i j∈S∗ 1 1 original experiment, up to a negligible additive factor in y·ω ·λ−1   i i the security parameter. c˜ =  1    λj  Q skj (u/y)·(˜α−α) j∈S∗ c˜0 · g1 w and programs the output of the random oracle k = g2 (i) w/y·ωi and sets k = g2 . The reduction returns the same output of the adversary. It is easy to see that the queries up to i−1 are answered according to Hybrid 5, whereas the queries after i + 1 are