
COC Against Malicious Parties and Collusion

In this section we show how to modify our COC schemes to withstand malicious parties and their collusion. Since all parties should be able to check whether the computations are performed correctly, we assume the existence of a bulletin board such that all parties can post the encryptions of their secrets onto the board and publicly perform their computations. Furthermore, all parties should perform the decryption jointly so that no set of colluding parties can learn the secret information of the other party. We first introduce some building blocks. Then we integrate these building blocks into a secure INE-COC-I scheme against malicious parties. Here we take the Paillier encryption scheme as the example to describe these sub-functions. For other encryption schemes, there exist similar constructions.

The Distributed Cryptosystem. Because all parties post the encryptions of their secrets on the bulletin board, we need a distributed version of the cryptosystem so that no (collusive) parties can decrypt messages without the agreement of all parties. Assume that each party gets a key share in the setup phase (from a dealer or a distributed key generation protocol). To decrypt a ciphertext, all parties output their partial decryptions. They can get the message from the combination of these partial decryptions. Fouque et al. [FPS00] provided a threshold Paillier encryption scheme. We have the following lemma from their work.

Lemma 1 Under the decisional composite residuosity assumption and the random oracle model, there is a threshold Paillier cryptosystem which is semantically secure against active non-adaptive adversaries.

Knowledge Proof Systems. We need some knowledge proof systems to verify the correctness of parties’ computations. There exist some interactive proof systems for the Paillier encryption scheme. We can make them non-interactive by using the Fiat-Shamir heuristic [FS86]. We provide the following sub-functions (assuming pk is the common public key):

• NI-PPK(Epk(m)) (Non-Interactive Proof of Plaintext Knowledge):

First of all, all parties should commit their secrets. They post the encryptions of their secrets along with non-interactive proofs of knowledge of their secrets. The prover proves that he knows the plaintext m for the encryption Epk(m). Cramer et al. [CDN01] provided such an interactive proof system.

• NI-PEB(Epk(b)) (Non-Interactive Proof of Encryption of a Bit):

In some schemes, A and B commit their “bitwise” secrets rather than the whole secrets. So all parties should be able to check that a ciphertext Epk(b) is indeed the encryption of a bit. Baudron et al. [BS01] introduced such an interactive proof system.

• NI-PCM(Epk(r), Epk(m), Epk(rm)) (Non-Interactive Proof of Correct Multiplication):

In our schemes, all parties need to multiply a ciphertext by a known constant. However, the random constant must not be known by the other parties. So each party posts the encryption of the constant Epk(r) and the result of the multiplication Epk(rm). All parties can check that Epk(rm) is indeed the encryption of rm. Cramer et al. [CDN01] provided this interactive proof system.

By the respective works, we have the following lemma.

Lemma 2 In the random oracle model, there exist NI-PPK, NI-PEB, and NI-PCM zero-knowledge proof systems.

The Mix-Net System. Mix-net is a cryptographic system providing anonymous and unlinkable communication. It consists of a set of servers that shuffle a list of ciphertexts so that ciphertexts in the output list cannot be linked to those in the input list. To ensure correct shuffling, the output list should be verified to be indeed a permutation of the input list. We use Mix-Net(·) to denote the mix-net sub-protocol which outputs the list of shuffled input ciphertexts. We can find such a mix-net system for the Paillier encryption scheme in the work of Nguyen et al. [NSNK04]. Also, we have the following lemma from their work.

Lemma 3 There is a Mix-Net sub-protocol which provides indistinguishability under chosen permutation attack if the decisional composite residuosity assumption holds.

Putting Things Together. Now we take the INE-COC-I scheme as an example to show how to build a scheme secure against malicious parties by the above tools. In the initial stage, A, B and S get their shares of the secret key corresponding to pk. We present the new protocol in Figure 4.6.

At the beginning of the protocol, all parties post the encryption of their secrets on the bulletin board with the corresponding NI-PPK proofs. In addition, A and B provide the NI-PEB proofs to convince others of their bitwise secrets. Also, S posts the encryptions of constants 0 and 1 for the later computation and provides the random factors used in the encryption such that all parties can check the correctness. Then all parties perform the computation as S performs in the INE-COC-I scheme. Since the random ri’s cannot be known by any party (we need to consider the collusion of the sender and a receiver), all parties need to generate these ri’s jointly.

For each 1 ≤ i ≤ n, they first generate their own random values rAi, rBi and rSi respectively, and perform the multiplication by themselves. The corresponding NI-PCM proofs are also posted for verification. Then they sum up their computation results, and the new random value is implicitly defined as rAi+rBi+rSi. After that, all parties execute the Mix-Net system to get the shuffled ciphertexts. Finally, S sends the partial decryptions of these ciphertexts to A and B, and A and B also exchange their partial decryptions.

With these partial decryptions, A and B can decrypt the ciphertexts.
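As an added illustration (not code from the thesis), the following toy Python sketch shows the two Paillier operations the building blocks above rely on (multiplication of a ciphertext by a known constant, as in NI-PCM, and summation of ciphertexts) and the joint randomisation step just described, where A, B and S each contribute a share so that v_i = m + (r_Ai + r_Bi + r_Si) · f_i. The primes, function names and the sample shares are constructed for the demo; the NI-PCM proofs and threshold decryption are not modelled.

```python
# Added toy example (not the thesis's code): Paillier with the homomorphic
# operations used by the COC schemes, plus the joint randomisation step in
# which A, B and S each contribute r_Ai, r_Bi, r_Si so that
# v_i = m + (r_Ai + r_Bi + r_Si) * f_i and no single party knows the mask.
import secrets
from math import gcd

def keygen(p=1000003, q=1000033):
    """Toy key; the primes are constructed demo values, far too small for real use."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                                # valid because g = n + 1
    return (n, n + 1), (lam, mu)

def encrypt(pk, m):
    n, g = pk
    r = 0
    while gcd(r, n) != 1:                               # random r in Z_n^*
        r = secrets.randbelow(n)
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def add(pk, c1, c2):
    """E(a) (+) E(b) = E(a + b): multiply the ciphertexts."""
    return (c1 * c2) % (pk[0] ** 2)

def scale(pk, c, k):
    """k (*) E(a) = E(k * a): raise the ciphertext to a known constant."""
    return pow(c, k % pk[0], pk[0] ** 2)

def joint_mask(pk, Em, Ef, shares):
    """Each party posts E(r * f) = r (*) E_f for its own share r (the value a
    NI-PCM proof would certify); everyone sums the three results onto E_m,
    so the effective mask r_A + r_B + r_S is never known to any one party."""
    Ev = Em
    for r in shares:
        Ev = add(pk, Ev, scale(pk, Ef, r))
    return Ev

def demo(pk, sk, m, f, shares):
    """Plaintext the receivers recover: m when f == 0 (the matching case),
    otherwise m + (sum of shares) * f, which hides m once the shares are
    uniformly random."""
    Ev = joint_mask(pk, encrypt(pk, m), encrypt(pk, f), shares)
    return decrypt(pk, sk, Ev)
```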

Theorem 15 The MAL-INE-COC-I scheme is correct and secure if the decisional composite residuosity assumption holds.

Proof 15 Based on the security assumption of the Paillier encryption scheme, the MAL-INE-COC-I scheme meets the following requirements.

Correctness. By the NI-PEB proofs, we know that the $E_{x[i]}$’s and $E_{y[i]}$’s are fair encryptions of bits. Let $l$ be the index of the first differing bit of $x$ and $y$ (from the most significant bit). We see that $D_{sk}(E_{d_l}) = D_{sk}(E_{e_l}) = x[l] - y[l] = 1$ or $-1$, and $D_{sk}(E_{d'_l}) = x[l] - \bar{y}[l] = 0$. Therefore, we have $D_{sk}(E_{f'_l}) = 0$ and $D_{sk}(E_{v_l}) = m + (r_{A_l} + r_{B_l} + r_{S_l}) \cdot 0 = m$. Moreover, each $E_{v'_i}$ is just the permutation and re-encryption of some $E_{v_j}$. A and B can get $m$ from these encryptions.

Sender’s Security. For any malicious $A'$ and $B'$, we construct a simulator SIM1 to simulate the view of the adversary ADV1 who controls $A'$ and $B'$. Let pk be the challenge public key that ADV1 would like to attack.

The simulator SIM1 randomly chooses the secret key shares for $A'$ and $B'$, named skA and skB, respectively. On input (pk, skA, skB), ADV1 first outputs two messages m0 and m1. We show that if ADV1 distinguishes between the interaction with S(m0) and the interaction with S(m1) with non-negligible probability, then we can break Lemma 1, the semantic security of the threshold Paillier encryption scheme.

Given the challenge ciphertext Epk(mb) for some b ∈ {0, 1}, SIM1 has to output its guess. It first posts Em = Epk(mb) on the board, and simulates the NI-PPK proof in the random oracle model. SIM1 and ADV1 then perform the subsequent steps as in the real scheme until step 4(d). In step 4(d), SIM1 first randomly chooses $\tilde m_1, \tilde m_2, \dots, \tilde m_n \in \mathbb{Z}_N$. After ADV1 posts the $E_{f_{A_i}}$’s and $E_{f_{B_i}}$’s, SIM1 computes and posts

$$E_{f_{S_i}} = E_{\tilde v_i} \oplus (-1 \odot E_m) \oplus (-1 \odot E_{f_{A_i}}) \oplus (-1 \odot E_{f_{B_i}}),$$

where $E_{\tilde v_i} = E_{pk}(\tilde m_i)$, $1 \le i \le n$, $\oplus$ denotes the homomorphic addition of ciphertexts and $\odot$ the multiplication of a ciphertext by a known constant. SIM1 also posts random ciphertexts $E_{r_{S_i}}$’s and simulates the NI-PCM proof in the random oracle model. Then

they continue running the scheme until step 6. In step 6, SIM1 chooses a random permutation π, and outputs the partial decryptions such that ADV1 decrypts $(E_{v'_1}, E_{v'_2}, \dots, E_{v'_n})$ to $(\tilde m_{\pi(1)}, \tilde m_{\pi(2)}, \dots, \tilde m_{\pi(n)})$.

We show that all data simulated by SIM1 cannot be distinguished from the real ones by ADV1. First, since the key shares of the Paillier encryption scheme are uniformly distributed, the two shares given by SIM1 are indistinguishable from the real ones. By Lemma 2, SIM1 can simulate the NI-PPK and NI-PCM proofs in the random oracle model. The encryptions $E_{f_{S_i}}$’s are distributed as the real ones because SIM1 computes them from the final results. Furthermore, by the proof of Theorem 12, if x = y, the $E_{f_i}$’s must be uniformly distributed. So the encryptions $E_{v_i}$’s are distributed as the real ones. Finally, by Lemma 3, ADV1 cannot distinguish the permutation π from the real one. SIM1 successfully simulates the scheme. After that, ADV1 outputs the guess $\hat b$, and SIM1 also outputs $\hat b$ directly. If $\hat b = b$ with non-negligible probability, SIM1 breaks Lemma 1.

Receiver’s Security. We also construct a simulator SIM2 to simulate the view of the adversary ADV2 who controls $A'$ and $S'$. Let pk be the challenge public key that ADV2 would like to attack. The simulator SIM2 randomly chooses the secret key shares for $A'$ and $S'$, named skA and skS, respectively.

On input (pk, skA, skS), ADV2 outputs a secret y and an index j. We show that if ADV2 distinguishes between the interaction with B(y[1]y[2]. . . y[n]) and the interaction with B(y[1]. . . y[j−1]$\bar y[j]$y[j+1]. . . y[n]) with non-negligible probability, then we can break Lemma 1, the semantic security of the threshold Paillier encryption scheme.

Let $y_0$ = y[1]y[2]. . . y[n] and $y_1$ = y[1]. . . y[j−1]$\bar y[j]$y[j+1]. . . y[n]. Given the challenge ciphertext Epk(yb) for some b ∈ {0, 1}, SIM2 has to output its guess. It first posts $E_{y_b[i]} = E_{pk}(y_b[i])$ for all 1 ≤ i ≤ n on the board, and simulates the corresponding NI-PPK and NI-PEB proofs in the random oracle model. After ADV2 posts Em and Ex[i] for all i, SIM2 extracts m and y from the corresponding proofs. Then SIM2 and ADV2 perform the subsequent steps as in the real scheme until step 4(d). In step 4(d), if x = y (Q(x, y) = 0), SIM2 randomly chooses $\tilde m_1, \tilde m_2, \dots, \tilde m_n \in \mathbb{Z}_N$; otherwise (Q(x, y) = 1), SIM2 sets $\tilde m_1 = m$ and randomly chooses $\tilde m_2, \dots, \tilde m_n \in \mathbb{Z}_N$. After ADV2 posts the $E_{f_{S_i}}$’s and $E_{f_{A_i}}$’s, SIM2 computes and posts

$$E_{f_{B_i}} = E_{\tilde v_i} \oplus (-1 \odot E_m) \oplus (-1 \odot E_{f_{S_i}}) \oplus (-1 \odot E_{f_{A_i}}),$$

where $E_{\tilde v_i} = E_{pk}(\tilde m_i)$, $1 \le i \le n$, and $\oplus$, $\odot$ again denote homomorphic addition and multiplication by a known constant. SIM2 also posts random ciphertexts $E_{r_{B_i}}$’s and simulates the NI-PCM proof in the random oracle model. Then they continue running the scheme until step 6. In step 6, SIM2 chooses a random permutation π, and outputs the partial decryptions such that ADV2 decrypts $(E_{v'_1}, E_{v'_2}, \dots, E_{v'_n})$ to $(\tilde m_{\pi(1)}, \tilde m_{\pi(2)}, \dots, \tilde m_{\pi(n)})$.

As in the argument for the sender’s security, all data simulated by SIM2 cannot be distinguished from the real ones by ADV2. So SIM2 successfully simulates the scheme. Finally, ADV2 outputs the guess $\hat b$, and SIM2 also outputs $\hat b$ directly. If $\hat b = b$ with non-negligible probability, SIM2 breaks Lemma 1.

The security argument of A against the adversary who controls B and S is similar.
