
Asynchronous Distributed Key Generation for Computationally-Secure Randomness, Consensus, and Threshold Signatures

Eleftherios Kokoris-Kogias* (Facebook Novi & IST Austria), Dahlia Malkhi (Facebook Novi), Alexander Spiegelman (Facebook Novi)

* Corresponding author.

ABSTRACT

In this paper, we present the first Asynchronous Distributed Key Generation (ADKG) algorithm, which is also the first distributed key generation algorithm that can generate cryptographic keys with a dual (f, 2f+1)-threshold (where f is the number of faulty parties). As a result, using our ADKG we remove the trusted setup assumption that the most scalable consensus algorithms make. In order to create a DKG with a dual (f, 2f+1)-threshold we first answer in the affirmative the open question posed by Cachin et al. [7] on how to create an Asynchronous Verifiable Secret Sharing (AVSS) protocol with a reconstruction threshold of f+1 < k ≤ 2f+1, which is of independent interest. Our High-threshold-AVSS (HAVSS) uses an asymmetric bivariate polynomial to encode the secret. This enables the reconstruction of the secret only if a set of k nodes contribute, while allowing an honest node that did not participate in the sharing phase to recover his share with the help of f+1 honest parties.

Once we have HAVSS we can use it to bootstrap scalable partially synchronous consensus protocols, but the question of how to get a DKG in asynchrony remains, as we need a way to produce common randomness. The solution comes from a novel Eventually Perfect Common Coin (EPCC) abstraction that enables the generation of a common coin from n concurrent HAVSS invocations. EPCC's key property is that it is eventually reliable, as it might fail to agree at most f times (even if invoked a polynomial number of times). Using EPCC we implement an Eventually Efficient Asynchronous Binary Agreement (EEABA) which is optimal when the EPCC agrees and protects safety when EPCC fails.

Finally, using EEABA we construct the first ADKG, which has the same overhead and expected runtime as the best partially-synchronous DKG (O(n^4) words, O(f) rounds). As a corollary of our ADKG, we can also create the first Validated Asynchronous Byzantine Agreement (VABA) that does not need a trusted dealer to set up threshold signatures of degree n − f. Our VABA has an overhead of expected O(n^2) words and O(1) time per instance, after an initial O(n^4) words and O(f) time bootstrap via ADKG.

CCS CONCEPTS

• Security and privacy → Distributed systems security; Cryptography; Security protocols; • Computing methodologies → Distributed algorithms.

KEYWORDS

asynchronous verifiable secret sharing; consensus; randomness; multiparty computation; byzantine fault-tolerance; blockchain; threshold sharing; distributed key generation; binary agreement

ACM Reference Format:
Eleftherios Kokoris-Kogias, Dahlia Malkhi, and Alexander Spiegelman. 2020. Asynchronous Distributed Key Generation for Computationally-Secure Randomness, Consensus, and Threshold Signatures. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS '20), November 9–13, 2020, Virtual Event, USA. ACM, New York, NY, USA, 17 pages. https://doi.org/10.1145/3372297.3423364

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
CCS '20, November 9–13, 2020, Virtual Event, USA
© 2020 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-7089-9/20/11...$15.00
https://doi.org/10.1145/3372297.3423364

1 INTRODUCTION

A common assumption made by many modern Byzantine fault tolerant distributed algorithms is the existence of a trusted dealer that generates and distributes cryptographic keys at the beginning of every execution. For example, efficient asynchronous Byzantine agreement protocols [1, 3, 9, 17, 29] use a shared coin scheme to produce randomness [34], efficient state machine replication protocols [20, 35] use a threshold signature scheme to reduce communication complexity, and efficient secure multiparty computation protocols [22, 23] use threshold encryption [26] to reduce the communication complexity for sharing secret inputs. All these schemes require a trusted dealer, which is a single point of failure and a potential weakness for secure decentralized systems.

It is therefore natural to ask under what network assumptions and at what cost the requirement of a trusted dealer can be substituted with a distributed key generation (DKG) protocol. A DKG protocol allows a group of parties to distribute private shares of a cryptographic key and later use them to compute a common value such that an adversary controlling a threshold of the parties cannot predict the value. Thereby, this value can be used to produce unpredictable randomness or as a "private" key.

In synchronous communication settings, a DKG protocol can be realized via a combination of two building blocks, secret sharing and consensus [32] (or a broadcast channel such as a blockchain [2, 18]). In a nutshell, all parties simultaneously choose and share a secret and then use a Byzantine agreement instance for each secret in order to agree whether it should be part of the key. The key is the sum of all valid secrets and the share of each party is the sum of the corresponding shares. To the best of our knowledge, no asynchronous DKG (ADKG) protocol has been previously proposed.

We focus on protocols with n = 3f+1 parties that assume no trusted setup except for public key infrastructure (PKI). We further explore protocols that support a threshold recovery of 2f+1, which is required by efficient Byzantine agreement algorithms that use threshold signatures to reduce the size of the messages from linear in the number of parties to constant [1, 20, 35].

A naive approach for ADKG is to apply the ideas in [32] to the asynchronous setting. For example, it is possible to use the AVSS scheme of Cachin et al. [7] and n independent parallel instances of a binary agreement protocol¹ like [4, 6]. However, the resulting algorithm has three drawbacks: First, the secret sharing in [7] has a reconstruction threshold of f+1 and thus the resulting ADKG cannot have the desired 2f+1 threshold. Second, running n binary agreements does not guarantee a successful protocol execution, since they can all terminate with 0, which means that the key will include no secrets. Finally, even if we could guarantee that more than f instances terminate successfully², the resulting protocol would be inefficient, with a communication complexity of O(n^5 log n).

In this paper we present the first ADKG protocol with a recovery threshold of 2f+1 and low communication cost. Formally, the main theorem we prove in this paper is the following:

Theorem 1.1. There exists a protocol among n parties that solves Asynchronous Distributed Key Generation (ADKG) with reconstruction threshold k ≤ n − f and is secure against an adaptive adversary that controls up to f < n/3 parties, with expected O(n^4) communication complexity and expected O(f) running time.

In a nutshell, our protocol follows the idea of concurrently sharing n secrets and then agreeing which to consider for the key. However, instead of using a costly Byzantine agreement instance for each secret, we use the secrets as the driving randomness source to build an efficient common coin, which in turn we use for an efficient Byzantine agreement. In particular, we observe that to build a common coin from the secrets we can use a slightly weaker agreement notion which is not subject to the FLP impossibility result.

the next (additional) secret is recoverable by all honest parties. We call our coin Eventually Perfect Common Coin (EPCC) and the resulting Byzantine agreement Eventually Efficient Asynchronous Binary Agreement (EE-ABA), because eventually (after at most f failed tries) the protocols converge to the optimal solutions.

Finally, once we have an EE-ABA, we run n instances that share the same EPCC and use it in order to decide on the final set of shares, which terminates the ADKG protocol. In order to guarantee that the final key is unpredictable, the parties refrain from voting 0 in the binary agreement instances that they consider faulty until they witness f+1 binary agreements terminating with 1 (which is guaranteed to happen due to the strong termination of the HAVSS). Next we explain the algorithms in more detail and prove that parties cannot disagree on the set of shares more than f times.

1.1 Technical contribution

We break the ADKG construction down in a bottom-up manner, starting with a building block (Section 3) we call High-threshold Asynchronous Verifiable Secret Sharing (HAVSS). HAVSS is an extension of the Cachin et al. [7] AVSS protocol that answers in the affirmative the open question they posed on the existence of an AVSS protocol that has a reconstruction threshold of f+1 < k ≤ 2f+1. To achieve this, we separate the reconstruction threshold (which we increase to k) from the recovery threshold (which is still f+1). In order to encode this change, we use an asymmetric bivariate polynomial where each dimension plays a different role (recovery, reconstruction), and we defend against an adaptive adversary with a reliable broadcast step before terminating the sharing. More formally, HAVSS satisfies the following lemma.

Lemma 1.2. There exists a protocol among n parties that solves Asynchronous Verifiable Secret Sharing (AVSS) for reconstruction threshold f+1 < k ≤ n − f, with no trusted setup, and is secure
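As an added, simplified illustration of the asymmetric bivariate polynomial behind HAVSS (this is not the paper's code, and it omits the commitments, verification and reliable-broadcast step the real protocol relies on): the reconstruction threshold k is one more than the degree in x, the recovery threshold f+1 one more than the degree in y. That party i keeps the row phi(i, y) as its share and the column phi(x, i) to help others recover is an assumption about the share layout; the prime field and parameters are constructed for the example.

```python
import random
P = 2**61 - 1  # toy prime field for this constructed example (not the paper's parameters)

def poly_eval(coeffs, z):
    """Evaluate a univariate polynomial (coefficient list, lowest degree first) at z mod P."""
    return sum(c * pow(z, d, P) for d, c in enumerate(coeffs)) % P

def interpolate_at(points, z):
    """Lagrange-interpolate the unique polynomial through `points` and evaluate it at z."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (z - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def deal(secret, n, f, k, rng):
    """Dealer: hide `secret` as phi(0,0) in phi(x,y) of degree k-1 in x (reconstruction axis) and
    degree f in y (recovery axis). Party i keeps row phi(i,y) (share = its value at 0) and column phi(x,i)."""
    phi = [[rng.randrange(P) for _ in range(f + 1)] for _ in range(k)]  # phi[j][l] * x^j * y^l
    phi[0][0] = secret % P
    parties = {}
    for i in range(1, n + 1):
        row = [sum(phi[j][l] * pow(i, j, P) for j in range(k)) % P for l in range(f + 1)]
        col = [sum(phi[j][l] * pow(i, l, P) for l in range(f + 1)) % P for j in range(k)]
        parties[i] = {"row": row, "col": col}
    return parties

def reconstruct(shares):
    """Recombine {i: phi(i,0)} along x; only k or more points pin down phi(0,0)."""
    return interpolate_at(list(shares.items()), 0)

def recover_share(j, helpers):
    """Party j missed the sharing: helper i sends phi(j,i) = col_i(j). Any f+1 such points
    determine j's row phi(j,y) (degree f), so j learns its share phi(j,0) but nothing of phi(0,0)."""
    points = [(i, poly_eval(state["col"], j)) for i, state in helpers.items()]
    return interpolate_at(points, 0)

def demo(seed=7, n=7, f=2, k=5, secret=123456789):
    """n = 3f+1 parties, reconstruction threshold k = 2f+1 = n-f, recovery threshold f+1."""
    parties = deal(secret, n, f, k, random.Random(seed))
    shares = {i: poly_eval(s["row"], 0) for i, s in parties.items()}
    with_k = reconstruct({i: shares[i] for i in range(1, k + 1)}) == secret
    with_k_minus_1 = reconstruct({i: shares[i] for i in range(1, k)}) == secret
    recovered = recover_share(n, {i: parties[i] for i in range(1, f + 2)}) == shares[n]
    return with_k, with_k_minus_1, recovered
```

Running `demo()` returns `(True, False, True)`: k shares reconstruct the secret, k−1 do not, and party n recovers its share from only f+1 helpers.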