EFFICIENT LARGE-SCALE DISTRIBUTED KEY GENERATION

AGAINST BURST INTERRUPTION

∗

Jheng-Ru Ou, Shi-Chun Tsai and Wen-Guey Tzeng

Dept. Computer Science, National Chiao Tung University, Taiwan

Keywords:

Distributed key generation, secret sharing, cryptographic protocol.

Abstract:

A distributed key generation scheme allows the key servers to distributively share a secret key and then com-

pute the corresponding public key. Canny and Sorkin (Canny and Sorkin, 2004) proposed a probabilistic

threshold distributed key generation scheme that is suitable for the case that the number of key servers is large.

The communication cost of their scheme is much less than that of previous schemes. Nevertheless, it is pos-

sible to improve their scheme in some aspects. In this paper we employ the randomness technique to cope

with some problems encountered by their scheme. Our contribution is twofold. Firstly, our scheme is secure

against a large cluster of dishonest key servers. Secondly, our scheme has better performance in some aspects.

We support this point by a series of simulation experiments. As a result, our scheme and Canny and Sorkin’s

scheme can be used in different situations.

1 INTRODUCTION

The security of a cryptographic scheme usually relies

on protecting a secret key. One way to protect such

a key is to distribute it to a set of key servers such

that each key server holds a key share. Key sharing

not only enhances key protection, but also provides a

robustness property for the secret key. For example, in

a threshold key sharing scheme, a set of key servers

over a threshold number can recover the secret key.

Even though some servers do not work, the system

works.

A distributed key generation scheme allows the

key servers to distributively share a secret key and

then compute the corresponding public key. In this

paper we focus on discrete logarithm-based thresh-

old distributed key generation schemes, in which the

secret key is x and the public key is y = g

x

mod

p. Almost all threshold distributed key genera-

tion schemes use secret sharing schemes as build-

ing blocks. Each key server runs a secret sharing

scheme to share its chosen secret to other key servers.

∗

Supported in part by NSC projects 94-2213-E-009-110

and 95-2221-E-009-031, and Taiwan Information Security

Center at NCTU (TWISC@NCTU).

Shamir (Shamir, 1979) proposed the ﬁrst threshold

secret sharing scheme based on polynomial interpo-

lation. Feldman (Feldman, 1987) added veriﬁcation

of secret shares (veriﬁable secret sharing, VSS) to

Shamir’s scheme. Pedersen (Pedersen, 1991a) further

improved the scheme by making the secret shares un-

conditionally secure.

Based on his veriﬁable secret sharing scheme,

Pedersen (Pedersen, 1991b) proposed a threshold dis-

tributed key generation scheme with some important

properties that a threshold distributed key generation

scheme should have. Gennaro et al. (Gennaro et al.,

1999) found that an adversary can bias the distribu-

tion of the generated secret key by a subtle maneuver.

They then gave a formal deﬁnition and proposed a se-

cure scheme. Chu and Tzeng (Chu and Tzeng, 2002)

further pointed out that dishonest key servers should

not obtain valid key shares to avoid abuse. Canny and

Sorkin (Canny and Sorkin, 2004) proposed a prob-

abilistic threshold distributed key generation scheme

that is suitable for the case that the number n of in-

volved key servers is large, for example, in the level

of hundreds or thousands. The main merit of their

scheme is that the total number of communications

between key servers is greatly reduced from O(n

2

)

197

Ou J., Tsai S. and Tzeng W. (2007).

EFFICIENT LARGE-SCALE DISTRIBUTED KEY GENERATION AGAINST BURST INTERRUPTION.

In Proceedings of the Second International Conference on Security and Cryptography, pages 197-203

DOI: 10.5220/0002122201970203

Copyright

c

SciTePress

to O(nl/ε

2

), where l and ε are security and robust-

ness parameters, respectively. Nevertheless, it is pos-

sible to improve their scheme in some aspects. Since

the arrangement of key servers is very regular, the

scheme is vulnerable to a large cluster of dishonest

key servers. If the DoS attack occurs to block a cluster

of honest key servers from connecting to Internet, the

execution of the scheme would fail. See Section 2.2

for the details.

In this paper we employ the randomness technique

to cope with the problems encountered by Canny and

Sorkin’s scheme. We assign non-zero values to ran-

dom entries, while Canny and Sorkin’s scheme as-

signs non-zero values to ﬁxed entries. Our contribu-

tion is twofold. Firstly, our scheme is secure against

a large cluster of dishonest key servers. Secondly,

its performance is better than Canny and Sorkin’s

method in some aspects. We support this point by

a series of simulation experiments. As a result, our

scheme and Canny and Sorkin’s scheme can be used

in different situations.

2 PRELIMINARY

Let p = 2q+1 be a large prime, where q is also prime.

Let G

q

be the subgroup of quadratic residues in Z

∗

p

and g and h be generators of G

q

. Hereafter, the oper-

ations used in exponents of g and h are over Z

q

. As-

sume that there are n key servers S

1

,S

2

,. ..,S

n

, and

the threshold is t, where t ≤ n ≪ q. A bold character

is either a matrix, like E, or a vector, like a

i

,

A probabilistic threshold distributed key genera-

tion (PTDKG) scheme consists of three stages: setup,

key share establishment and public key computation.

A PTDKG scheme should satisfy the following con-

ditions.

Deﬁnition 1 An (α, β,δ)-PTDKG scheme should sat-

isfy the following conditions:

C1. The key shares of any subset of key servers deﬁne

the same secret key x, or not at all.

C2. Any number of βn key servers can recover the se-

cret key x with probability 1− δ at least.

C3. The secret key x is uniformly distributed in Z

q

.

S1. Any adversary who controls probabilistically up

to αn key servers cannot get any information

about the secret key x except the information com-

puted from the public key y directly.

In condition S1, it is necessary to assume that the

adversary randomly picks the controlled key servers.

Otherwise, if the adversary chooses the controlled key

servers, he can choose those that communicate with

the key server S

i

and gets the secret share of S

i

. Thus,

α should be less than r

i

/n, where r

i

is the number

of key servers that communicate with S

i

, 1 ≤ i ≤ n. If

we want smaller r

i

(communication cost), the security

threshold is smaller.

A typical key share establishment stage consists

of two sub-stages:

1. Each key server runs a secret sharing scheme to

share its chosen secret to other key severs.

2. Each key server combines the received secret

shares to form its key share.

In the ﬁrst sub-stage, dishonest key servers are de-

tected and excluded. In the second sub-stage, the re-

mained honest key servers compute their key shares,

which deﬁne a unique secret key.

In the following two subsections, we introduce

conventional and Canny and Sorkin’s approaches for

the key share establishment stage.

2.1 Conventional Approaches

We ﬁrst use the matrix representation to explain

Shamir’s secret sharing scheme. It corresponds to a

t × n-dimensional evaluation matrix:

E =

1 1 ·· · 1

1 2 ·· · n

.

.

.

.

.

.

.

.

.

.

.

.

1 2

t−1

·· · n

t−1

.

For key share establishment, each key server

S

i

,1 ≤ i ≤ n, does the following:

1. Choose a random t-dimensional (secret) vector

a

i

= [a

i,1

a

i,2

·· · a

i,t

].

2. Compute s

i

= a

i

E = [s

i,1

s

i,2

·· ·s

i,n

]. The opera-

tions are over Z

q

.

3. Send s

i, j

to the key server S

j

, 1 ≤ j 6= i ≤ n.

4. Exclude dishonest key servers and compute a key

share x

i

from the received s

i, j

, 1 ≤ j ≤ n.

In the above the veriﬁcation messages and steps

are ignored for simplicity. Let H ⊆ {S

1

,S

2

,. ..,S

n

}

be the set of honest key servers established in the key

share establishment stage. Each key server S

j

in H

computes its key share

x

j

=

∑

i∈H

s

i, j

.

The secret key deﬁned by the key shares of the key

servers in H is

x =

∑

i∈H

a

i,1

.

Since s

i

= a

i

E, we have

(

∑

i∈H

a

i

)E =

∑

i∈H

s

i

= [x

1

x

2

·· · x

n

].

SECRYPT 2007 - International Conference on Security and Cryptography

198

For A = {S

i

1

,S

i

2

,. ..,S

i

r

}, let E

A

be the matrix

with the columns i

1

,i

2

,. ..,i

r

of E. For example,

E

{S

1

,S

3

,S

4

}

is a t × 3-dimensional matrix that has

columns 1, 3 and 4 of E. A set T of key servers from

H can recover the secret key x if and only if E

T

has

the full rank, i.e., rank(E

T

) = t. We can solve x by se-

lecting t independent columns E

T

′

from E

T

, T

′

⊆ T,

and compute

∑

i∈H

a

i

= (

∑

i∈H

s

i

)

T

′

(E

T

′

)

−1

. (1)

Since any t rows of E form a Vandermonde matrix,

these rows are independent and any t key servers can

recover the secret key x, which is the ﬁrst entry of

∑

i∈H

a

i

. Any set of less than t key servers cannot

compute the secret key x. Thus, the above deﬁnes a

((t − 1)/n,t/n,0)-PTDKG scheme.

One disadvantage of the above method is that each

key server S

i

has to communicate with each other key

server. The total number of communications between

the key servers is O(n

2

), which shall entail heavy net-

work overhead when n is large.

Distributed key generation schemes based on

Feldman’s and Pedersen’s veriﬁable secret sharing

schemes are similar except that the received shares of

each key server are veriﬁable (Feldman, 1987; Peder-

sen, 1991b).

2.2 Canny and Sorkin’s Approach

The idea of Canny and Sorkin to reduce the commu-

nication cost is to make s

i

very sparse by choosing an

appropriate E. For a zero entry s

i, j

, the key server S

i

need not send s

i, j

to the key server S

j

. By this, the

communication cost from S

i

to S

j

is saved. If s

i

is

very sparse, the communication cost from S

i

to other

key servers S

j

is much reduced.

Let E be a t × n-dimensional evaluation matrix

with a band of non-zero entries as follows, where ⋆

means a random number in Z

q

, which is non-zero

overwhelmingly:

E =

⋆ ⋆ ⋆ ⋆ 0 0 0 ·· · 0 0 0

0 0 ⋆ ⋆ ⋆ ⋆ 0 ·· · 0 0 0

0 0 0 0 ⋆ ⋆ ⋆ ·· · 0 0 0

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

.

0 0 0 0 0 0 0 ·· · 0 0 0

0 0 0 0 0 0 0 ·· · ⋆ 0 0

0 0 0 0 0 0 0 ·· · ⋆ ⋆ ⋆

Let l be the width of the band and f be the offset of the

band between two consecutive rows. For example, the

above band matrix has l = 4 and f = 2. In the scheme,

a dealer chooses E and publishes it. Each key sever S

i

chooses a t-dimensional block vector

a

i

=

0 ··· 0 a

i, j

a

i, j+1

·· · a

i, j+k−1

0 ··· 0

where j is a pre-determined index and k is the block

width. The vector s

i

= a

i

E has only (k− 1) f + l non-

zero entries. The key server S

i

need send non-zero

share s

i, j

to the key servers S

j

. With ﬁxed t and n, we

can make (k− 1) f + l small by tuning parameters k, l

and f.

Canny and Sorkin’s PTDKG (called CS-PTDKG

hereafter) scheme is (1/ f − ε,1/ f + ε, δ), for some

small ε and δ, 0 < ε,δ < 1. Overall, their method

needs n((k−1) f +l)) node-to-node communications,

while most previous methods need n(n− 1) node-to-

node communications. They suggest that l = O(logn)

and k = l/(2ε

2

). This saves quite a lot of communi-

cations between key servers overall when n is large.

We note that E and a

i

is very regular and this reg-

ularity makes the system vulnerable to burst interrup-

tion. For example, if a burst interruption keeps l con-

secutive key servers from participating the scheme,

the scheme does not work even though the number

n − l of alive key servers is much larger than βn =

(1/ f + ε)n.

3 OUR CONSTRUCTION

We employ the randomness technique to cope with

the problem of burst interruption. We choose E and

a

i

randomly such that it is more robust against burst

interruption. To see this, if l consecutive key servers

cannot participate, the rest key servers can compute

the secret key with high probability.

For each row of E, we randomly choose l entries

and assign random values in Z

q

to them. For example,

the following E has t = 3, n = 5, and l = 2:

E =

0 1 0 0 5

3 0 2 0 0

0 4 0 3 0

. (2)

Each key server S

i

,1 ≤ i ≤ n, randomly chooses k en-

tries of a

i

and assigns random values in Z

q

to them.

We see that s

i

= a

i

E has kl non-zero entries at most.

Although the number of non-zero entries is more than

(k − 1) f + l in the CS-PTDKG scheme if k and l

are the same. We shall show that our system needs

smaller k and l to achieve the same level of robust-

ness in simulation.

Before presenting our scheme, we need to discuss

some theoretical problems concerning the feasibility

of our construction. The framework is to consider

the probability that E

′

, which is obtained from E by

deleting some columns randomly, has the full rank.

If rank(E

′

) = t, the key shares of honest key servers

deﬁne the secret key uniquely.

EFFICIENT LARGE-SCALE DISTRIBUTED KEY GENERATION AGAINST BURST INTERRUPTION

199

First, the following are some terminologies about

graphs. Let U and V be two sets of vertices. A graph

G = (U,V,E) is bipartite if the edge set E ⊆ U × V,

that is, the vertices in U (and V) are not connected.

A bipartite graph G = (U,V, E) is left l-regular if all

vertices in U have degree l. A perfect matching for a

bipartite graph G = (U,V,E) with |U| ≤ |V| is a set

of edges M ⊆ E with |M| = |U| such that every vertex

x ∈ U is incident to one edge in M and every vertex

y ∈ V is incident to at most edge in M.

We consider E as the matrix representation of a bi-

partite graph G = (U,V,E), where each row is a ver-

tex in U, each column is a vertex in V and (u,v) ∈ E

if the (u,v)-entry of E is non-zero. Thus, |U| = t and

|V| = n. For example, the bipartite graph correspond-

ing to the matrix in Equation (2) is:

u

1

u

2

u

3

v

1

v

2

v

3

v

4

v

5

It is left l-regular since every vertex u ∈ U has degree

l. We see that M = {(u

1

,v

5

), (u

2

,v

1

), (u

3

,v

2

)} is a

perfect matching for the graph.

The property of the full rank of E is related to

perfect matching of G = (U,V, E), |U| ≤ |V|. As-

sume that M ⊆ E is a perfect matching of G. We can

use the matching edge (u,v) ∈ M as the pivot entry

(u,v) of E to eliminate non-zero entries in column

v. Furthermore, since the values in non-zero entries

are randomly selected from a very large set Z

q

, it is

very unlikely that the elimination process by a pivot

would cause another pivot to be zero. Therefore, the

t columns associated with the perfect matching M are

independent. We would say that E has the full rank

t if and only if G has a perfect matching. The crite-

ria for a bipartite graph to have a perfect matching is

known as Hall’s lemma.

Lemma 1 (Hall) A bipartite graph G = (U,V,E) has

a perfect matching fromU to V if and only if for every

subset S ⊆ U, |Γ(S)| ≥ |S|, where Γ(S) is the set of S’s

neighbor vertices in V.

We show that the probability that a random left l-

regular bipartite graph has a perfect matching is close

to 1. In the following two theorems, we allow multi-

ple edges in bipartite graphs for a simpler analysis. If

no multiple edges are allowed, which is like our con-

struction, the probability of forming a perfect match-

ing is higher. This means that our construction is bet-

ter than the analyzed one.

Theorem 1 For appropriate positive integers t,l and

n such that, for 3 ≤ j ≤ t,

j( j− 1)

(t − j + 1)(n− j + 2)

(

j− 2

j− 1

)

( j−1)l

(

n

j− 1

)

l

≥ 1.

The probability that a random left l-regular bipar-

tite graph G = (U,V,E) has a perfect matching is

1 −

t

3

2

(

1

n

)

2l−1

at least , where |U| = t, |V| = n and

t ≤ n.

Proof 1 We compute the probability that the condi-

tion in Hall’s lemma is not satisﬁed. For a subset

S ⊆ U of j vertices and a subset T ⊆ V of j − 1 ver-

tices, the probability that all edges from S hit into the

set T is

(

j− 1

n

)

jl

.

The probability that there is a subset S ⊆ U of j ver-

tices whose edges hit within a subset of fewer than j

vertices of V is at most

p

j

=

t

j

n

j− 1

(

j− 1

n

)

jl

.

Since, for 3 ≤ j ≤ t, p

j−1

/p

j

=

j( j− 1)

(t − j + 1)(n− j + 2)

(

j− 2

j− 1

)

( j−1)l

(

n

j− 1

)

l

≥ 1,

the probability that a left l-regular random bipartite

graph does not satisfy Hall’s lemma is at most

t

∑

j=2

p

j

≤ (t − 1)p

2

=

t(t − 1)

2

2

(

1

n

)

2l−1

<

t

3

2

(

1

n

)

2l−1

.

Thus, the theorem holds.

We notice that the probability can be made arbitrarily

small even with rather small l since l is in the expo-

nent of 1/n and n is large.

Now, we consider the recoverability of the secret

key after the key share establishment stage. After dis-

honest and unavailable key servers are discarded, a set

H of honest key servers is formed. The secret key is

computed from the key shares of the key servers in H.

The key servers in H can recover the secret key if and

only if E

H

has the full rank t, as explained in Equa-

tion (1). Assume that H is randomly selected from

{S

1

,S

2

,. .. ,S

n

}. The probability that E

H

has the full

rank depends on the size of H. We show that as long

as H is not too small, the probability is close to 1.

Let V

′

(that is, the set H of honest key servers) be

a subset of V by randomly deleting m vertices from

V. Then, the bipartite graphy G

′

= (U,V

′

,E|

U∪V

′

)

has a perfect matching with an overwhelming proba-

bility with proper parameters, where E|

U∪V

′

is the set

of edges incident to vertices in U ∪V

′

.

SECRYPT 2007 - International Conference on Security and Cryptography

200

Theorem 2 For appropriate positive intgers t, l,m

and n such that, for 3 ≤ j ≤ t,

j( j− 1)

(t − j + 1)(n− m− j + 2)

·

(

j− 2+ m

j− 1+ m

)

( j−1)l

(

n

j− 1+ m

)

l

≥ 1.

Let G = (U,V, E) be a left l-regular random bipar-

titate graph. After deteting random m vertices from

V, the probability that the remainded bipartite graph

has a perfect matching is 1−(n−m)

t(t−1)

2

2

(

m+1

n

)

2l

at

least , where |U| = t, |V| = n and t ≤ n.

Proof 2 LetV

′

be the subset ofV after deleting m ver-

tices, where |V

′

| = n

′

= n− m. An edge from a vertex

inU that hits a vertex inV −V

′

makes no contribution

to Hall’s lemma. For a subset S ⊆ U of j vertices and

T ⊆ V

′

of j − 1 vertices, the probability that Hall’s

lemma does not hold on S to T is

(

j− 1+ m

n

)

jl

.

Thus, the probability that there is a subset of S ⊆ U of

j vertices whose edges hit a subset of fewer than j− 1

vertices in V

′

or V −V

′

is at most

p

j

=

t

j

n− m

j− 1

(

j− 1+ m

n

)

jl

Since

p

j−1

p

j

=

j( j− 1)

(t − j + 1)(n− m− j + 2)

·

(

j− 2+ m

j− 1+ m

)

( j−1)l

(

n

j− 1+ m

)

l

≥ 1,

we have

t

∑

j=2

p

j

≤ (t − 1)p

2

=

t(t − 1)

2

2

(n− m)(

m+ 1

n

)

2l

,

which is an upper bound for the proability that Hall’s

lemma fails.

3.1 Our Distributed Key Generation

Scheme

The structure of our scheme is based on Gennaro et

al.’s study on secure distributed key generation (Gen-

naro et al., 1999). Their scheme is secure against the

attack of skewing the secret key distribution by dis-

honest key servers. Note that the key shares of their

scheme are unconditionally secure.

At beginning, a dealer chooses a t ×n-dimensional

evaluation matrix E and publishes it in a public bul-

letin board. Our distributed key generation scheme is

as follows:

Setup

:

1. A dealer does:

(a) Select a large prime p = 2q+ 1, where q is also

prime.

(b) Compute generators g and h of G

q

, where

G

q

= {a

2

| a ∈ Z

∗

p

} is the subgroup of quadratic

residues of Z

∗

p

.

(c) Choose a t × n-dimensional evaluation matrix

E such that each row has l non-zero entries.

Key share establishment

:

1. Each key server S

i

does the following:

(a) Select two t-dimensional vectors a

i

and a

′

i

which each consists of k non-zero random en-

tries. The non-zero entries are in the same in-

dexes of a

i

and a

′

i

.

(b) Compute s

i

= a

i

E, s

′

i

= a

′

i

E and the set of his

communication key servers Q

i

= { j | s

i, j

6= 0∨

s

′

i, j

6= 0}.

(c) Send s

i, j

and s

′

i, j

to key server S

j

via a secure

channel, j ∈ Q

i

.

(d) Broadcast C

i, j

= g

a

i, j

h

a

′

i, j

mod p, 1 ≤ j ≤ t, to

all the key servers in Q

i

.

2. Each key server S

j

does the following:

(a) Check validity of the received shares, for each

i, j ∈ Q

i

,

g

s

i, j

h

s

′

i, j

≡

t

∏

k=1

C

E

k, j

i,k

(mod p). (3)

If the check fails for i, S

j

broadcasts a com-

plaint against S

i

to the key servers in Q

j

.

(b) If S

j

is complained by S

i

, it sends s

j,i

and s

′

j,i

to

the key servers in Q

j

.

The other key servers in Q

j

check validity of

s

j,i

and s

′

j,i

by Equation (3).

If S

j

fails the test, it is marked as ”dishonest”

by the key servers in Q

j

.

3. Each key server S

j

builds a set H of honest key

servers and sets his key share as

x

j

=

∑

i∈H, j∈Q

i

s

i, j

mod q,

which is the jth entry of (

∑

i∈H

a

i

)E. Note that the

secret key is

x = (

∑

i∈H

a

i

) ·

~

1,

where

~

1 = [1 1 ·· · 1].

Public-key computation:

1. Each key server S

i

∈ H broadcasts A

i,k

= g

a

i,k

mod

p, 1 ≤ k ≤ t, to the key servers in H.

EFFICIENT LARGE-SCALE DISTRIBUTED KEY GENERATION AGAINST BURST INTERRUPTION

201

2. Each key server S

j

in Q

i

checks validity of A

i,k

by

verifying whether

g

s

i, j

≡

t

∏

k=1

A

E

k, j

i,k

(mod p). (4)

If the check fails, S

j

broadcasts a compliant

against S

i

and sends s

i, j

and s

′

i, j

to the key servers

in Q

i

.

3. If S

i

is ever complained, all the key servers in Q

i

reconstruct a

i

by solving s

i

= a

i

E and compute

correct A

i,k

, 1 ≤ k ≤ t.

4. Then, each key server in H computes the public

key as

y =

∏

i∈H

t

∏

j=1

A

i, j

mod p = g

(

∑

i∈G

a

i

)·

~

1

mod p.

Secret key recovery

: Note that in some situations, we

don’t need to recover the secret key x to ﬁnish a task.

Only each S

i

computes a partial result from its key

share x

i

.

1. Let T be the set of shown-up key servers in H. If

E

T

is full-ranked, solve

∑

i∈H

a

i

by the system of

equations

(

∑

i∈H

a

i

)E

T

=

∑

i∈H

s

i

.

2. The secret key is x =

∑

i∈H

a

i

·

~

1.

3.2 Analysis

The correctness and security of our scheme is shown

in the following theorem.

Theorem 3 Assume that n,t,l, and m satisfy the con-

dition in Theorem 2. The scheme in Section 3.1 is a

secure (

1

l

− ε,1 −

m

n

,(n − m)

t(t−1)

2

2

(

m+1

n

)

2l

)-PTDKG

scheme for some small ε, 0 < ε < 1.

Proof 3 (Sketch) Correctness follows from the results

of Gennaro et al. (Gennaro et al., 1999) almost in the

same way.

The bounds β = 1 − m/n and δ = (n − m)(t(t −

1)

2

/2)((m+ 1)/n)

2l

are from Theorem 2 directly. For

α = 1/l − ε, each Q

i

contains kl key servers at most.

Any adversary who controls up to a random fraction

α of them contains less than k dishonest key servers

in Q

i

in average. Since there are k unknown entries

in each a

i

, the adversary who controls less than k key

servers in Q

i

cannot know the information about a

i

.

For the uniform distribution of x over Z

q

, we con-

struct a simulator for the scheme. The details are de-

ferred to the full paper.

4 EXPERIMENTS AND

COMPARISON

We ﬁrst analyze the probability that the full rank is

achieved after deleting about a half of key servers.

Recall that l is the band of E, f is the offset, and t

is the number of rows.

The choice of parameters affects the communi-

cation cost of the scheme. We discuss the param-

eters ﬁrst. For the CS-PTDKG scheme, due to the

arrangement of E, the number of rows is ﬁxed to

t = (n− l)/ f . On allowing n(1/2− ε) dishonest key

servers (eg., ε = 1/10), Canny and Sorkin suggests

f = 2, l = 17logn and t = (n − 17logn)/2. Theo-

retically, the probability of achieving the full rank is

O(n

−2

).

For our PTDKG scheme, we shall do some simu-

lation experiments to obtain appropriate l

′

on the con-

dition that the probability of achieving the full rank is

the same as that of the CS-PTDKG scheme.

We take n = 1000 and delete about m = 500 dis-

honest key servers randomly. We consider different

offsets (f = 2, f = 3, and f = 4) for the CS-PTDKG

scheme. The results are shown in Figures 1-3. In each

ﬁgure, the y-axis indicates the probability of achiev-

ing the full rank and the x-axis indicates the number l

of non-zero entries in each row of E. The probability

is computed by randomly sampling 500 key servers

as ”dishonest” many times. We summarize the com-

parison results in Table 1 on 90% of achieving the full

rank. From the table, we can see that the number l

′

of

non-zero entries in each row of our E is much smaller

than that (l) of the CS-PTDKG scheme.

Table 1: Comparison of l with 90% of achieving the full

rank. There are n = 1000 key servers and m=500 of them

are dishonest.

t = 408 t = 318 t = 242

( f = 2) ( f = 3) ( f = 4)

CS-PTDKG l = 185 l = 45 l = 33

Ours l

′

= 14 l

′

= 11 l

′

= 8

Communication cost. The total communication

cost of our scheme is k

′

l

′

n and that of the CS-PTDKG

scheme is ((k − 1) f + l)n. If we want our scheme

to have the same communication cost as that of the

CS-PTDKG scheme, we set k

′

= ((k−1) f + l)/l

′

, the

number of non-zero entries in each a

i

of our scheme.

SECRYPT 2007 - International Conference on Security and Cryptography

202

Figure 1: Probability of achieving the full rank for different

l, when f = 2.

Figure 2: Probability of achieving the full rank for different

l, when f = 3.

Figure 3: Probability of achieving the full rank for different

l, when f = 4.

5 DISCUSSION

Our scheme and the CS-PTDKG scheme have dif-

ferent security parameters. For ours, α = 1/l

′

− ε

and β = 1 − m/n. For the CS-PTDKG scheme, α =

1/ f − ε and β = 1/ f + ε. These two set of param-

eters can be used for different situations. For exam-

ple, if the number of dishonest key server is relatively

small (about one in l

′

key servers), our scheme is suit-

able. Since we are dealing with a large number of

key servers, a small percent of dishonest key servers

is very likely. Our β is adjustable under some con-

straints. If larger β is desirable, our scheme provides

such choice.

REFERENCES

Canny, J. and Sorkin, S. (2004). Practical large-scale dis-

tributed key generation. In Proceedings of Advances

in Cryptology - EUROCRYPT ’04, volume 3027 of

LNCS, pages 138–152. Springer-Verlag.

Chu, C.-K. and Tzeng, W.-G. (2002). Distributed key gener-

ation as a component of an integrated protocol. In Pro-

ceedings of the 4th Information and Communications

Security - ICICS ’02, volume 2513 of LNCS, pages

411–421. Springer-Verlag.

Feldman, P. (1987). A practical scheme for non-interactive

veriﬁable secret sharing. In 28th Annual Symposium

on Foundations of Computer Science (FOCS), pages

427–437. IEEE.

Gennaro, R., Jarecki, S., Krawczyk, H., and Rabin, T.

(1999). Secure distributed key generation for discrete-

log based cryptosystems. In Proceedings of Advances

in Cryptology - EUROCRYPT ’99, volume 1592 of

LNCS, pages 295–310. Springer-Verlag.

Pedersen, T. P. (1991a). Non-interactive and information-

theoretic secure veriﬁable secret sharing. In Proceed-

ings of Advances in Cryptology - CRYPTO ’91, vol-

ume 576 of LNCS, pages 129–140. Springer-Verlag.

Pedersen, T. P. (1991b). A threshold cryptosystem without a

trusted party. In Proceedings of Advances in Cryptol-

ogy - EUROCRYPT ’91, volume 547 of LNCS, pages

522–526. Springer-Verlag.

Shamir, A. (1979). How to share a secret. Communications

of the ACM, 22(11):612–613.

EFFICIENT LARGE-SCALE DISTRIBUTED KEY GENERATION AGAINST BURST INTERRUPTION

203