In a threshold decryption system, a secret key is split across a number of parties so that any threshold of them can decrypt a given ciphertext. We introduce a new concept in threshold decryption called a decryption context, which is an additional argument that is used during decryption. The context ensures that decryption shares that are generated for a ciphertext using different contexts are isolated from each other and cannot be jointly used to decrypt the ciphertext. For example, suppose the decryption threshold is t. Further, suppose that less than t decryption shares are generated for a ciphertext c under one context, and less than t decryption shares are generated for c under a different context. Then this set of shares is insufficient to decrypt c even if the total number of shares exceeds t. This new concept has several important applications, most notably for implementing an encrypted mempool in a consensus protocol. We give two CCA-secure threshold decryption constructions that support context. One is based on ElGamal encryption, and the other is generic showing how to add context to any CCA-secure threshold decryption system without changing the encryption algorithm.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Context-Dependent Threshold Decryption and Its Applications

  • Dan Boneh,
  • Benedikt Bünz,
  • Kartik Nayak,
  • Lior Rotem,
  • Victor Shoup

摘要

In a threshold decryption system, a secret key is split across a number of parties so that any threshold of them can decrypt a given ciphertext. We introduce a new concept in threshold decryption called a decryption context, which is an additional argument that is used during decryption. The context ensures that decryption shares that are generated for a ciphertext using different contexts are isolated from each other and cannot be jointly used to decrypt the ciphertext. For example, suppose the decryption threshold is t. Further, suppose that less than t decryption shares are generated for a ciphertext c under one context, and less than t decryption shares are generated for c under a different context. Then this set of shares is insufficient to decrypt c even if the total number of shares exceeds t. This new concept has several important applications, most notably for implementing an encrypted mempool in a consensus protocol. We give two CCA-secure threshold decryption constructions that support context. One is based on ElGamal encryption, and the other is generic showing how to add context to any CCA-secure threshold decryption system without changing the encryption algorithm.