排除不誠實者的安全分散式金鑰產生協定

Abstract

在這篇論文中我們討論建構在離散對數下的分散式金鑰產生協定。一個t-out-of-n分散式金鑰產生協定允許n個參與者共同產生密碼系統裡的公開及私密金鑰。如果多於n個參與者同意，他們便可以重建此私密金鑰。 架構在離散對數下的分散式金鑰產生協定在多年前即已有了解決方案。由於先前的方法均採用可驗證式的秘密分享，所以一旦驗證失敗，該參與者便會被取消資格。然而，被取消資格的參與者仍能得到正確的私密金鑰分享值。 我們對於安全的分散式金鑰產生協定做了新的定義，並且提出一個能夠剔除不誠實參與者的新協定。也就是說，在協定中被取消資格的參與者無法取得最後秘密分享多項式的任何資訊。我們也證明了此協定的確符合我們所定義的安全要求。雖然在通訊與計算上成本較高，但花費仍與n成線性關係。我們提出的方法還可當做其他架構在離散對數下的分散式或預防式密碼系統的一個元件。

We discuss the distributed key generation (DKG) protocol for discrete-log based cryptosystems. A t-out-of-n DKG protocol allows n players jointly generate public/private key pairs of the cryptosystems. If more than t players agree, they can reconstruct the private key. Solutions of discrete-log based DKG have been known for many years. Since all previous works use verifiable secret sharing scheme to distribute the secret, the players who fail in the verification will be disqualified. However, the disqualified players obtain valid shares of the private key. We provide a new definition of secure DKG protocol and present a novel DKG protocol capable of excluding dishonest players. Namely, the disqualified players in the protocol have no information about the final sharing polynomial. We prove the proposed protocol meets all security requirements. Though it has higher cost for communication and computation, both costs are linear in n. Our solution can be used as a component of other distributed or proactive discrete-log based cryptosystems.