# R-LWE-Based Distributed Key Generation and Threshold Decryption


## Abstract


## 1. Introduction

#### 1.1. State-of-the-Art

#### 1.2. Contributions

#### 1.3. Structure

## 2. Preliminaries

#### 2.1. Notation

#### 2.2. Cryptographic Primitives

**Definition 1.**

- $\mathcal{M}$ is a set called the plaintext space.
- $\mathcal{C}$ is a set called the ciphertext space.
- $\mathcal{K}$ is a set called the key space. Generally a key generation procedure is also specified to generate $k\in \mathcal{K}$.
- $\mathcal{E}=\{\mathrm{E}_{k}:k\in \mathcal{K}\}$ is a set of functions $\mathrm{E}_{k}:\mathcal{M}\times \mathcal{R}\to \mathcal{C}$ called encryption functions. $\mathcal{R}$ is a randomness space, to account for probabilistic encryption schemes.
- $\mathcal{D}=\{\mathrm{D}_{k}:k\in \mathcal{K}\}$ is a set of functions $\mathrm{D}_{k}:\mathcal{C}\to \mathcal{M}$ called decryption functions.

**Definition 2.**

**Attack Game 1.**

- The challenger chooses $e\stackrel{\$}{\leftarrow}\mathcal{K}_{p}$ and sends it to the adversary.
- The adversary submits polynomially many queries to the challenger. For $i=1,2,\dots$, $\mathcal{A}$ submits two same-length messages $m_{0_i},m_{1_i}\in \mathcal{M}$. The challenger computes $c_{i}=E_{e}(m_{b_i})$ and sends it to the adversary.
- The adversary outputs a bit $\widehat{b}\in \{0,1\}$.

**Definition 3.**

#### 2.3. Distributed Cryptography

**Definition 4.**

- Knowledge of $t+1$ or more pieces $D_{i}$ makes $D$ easily computable.
- Knowledge of $t$ or fewer pieces $D_{i}$ leaves $D$ completely undetermined (i.e., all its possible values are equally likely).

**Definition 5.**

**Technique 1.**

- Choose $t$ elements $b_{i}\in \mathbb{F}$ and define the polynomial $f(x):=s+\sum_{i=1}^{t}b_{i}x^{i}$ (i.e., choose a random polynomial $f(x)\in \mathbb{F}[x]$ such that $f(0)=s$).
- For every player $P_{j}$, their share of the secret is $f(i_{j})$, with $i_{j}\in \mathbb{F}\setminus \{0\}$ being different for every player and agreed beforehand.
- When $t+1$ players want to recover the secret, they use Lagrange interpolation to find $f(x)$ and then compute $f(0)$.

**Definition 6.**

**Technique 2.**

- For each subset $H$ of $t$ players a TTP defines a key $K_{H}\in \mathbb{Z}_{q}$ uniformly at random.
- Each player $P_{j}$ is given $K_{H}$ for all $H$ such that $P_{j}\notin H$.
- The pseudo-random number they are sharing is $$x:=\sum_{H}\Phi_{K_{H}}(\mu).$$
- To compute $x^{j}$, a Shamir share of $x$, every player computes $$x^{j}=\sum_{H\not\ni P_{j}}\Phi_{K_{H}}(\mu)\cdot f_{H}(j).$$

**Technique 3.**

- For each subset $H$ of $t$ players the dealer $D$ chooses a key $K_{H}\in \mathbb{Z}_{q}$ uniformly at random.
- The dealer $D$ gives to player $P_{j}$ all the $K_{H}$ such that $P_{j}\notin H$.
- The dealer $D$ reconstructs the pseudo-random value the players share, $x=\sum_{H}\varphi_{K_{H}}(\mu)$, since he has all the keys.
- $D$ broadcasts the value $s-x$, and now all the players have a share of $s$ by adding their shares of $x$ to $s-x$.
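A toy run of Techniques 1–3 as an added example (not code from the paper or its repository): Shamir sharing over $\mathbb{Z}_q$, PRSS shares built locally from the per-subset keys, and the single NIVSS broadcast $s-x$ that turns them into shares of a chosen secret. Assumptions: $\Phi_K$ is instantiated as HMAC-SHA256 reduced mod $q$, and $f_H$ is taken to be the degree-$t$ polynomial with $f_H(0)=1$ and $f_H(i)=0$ for every $P_i\in H$, which is what makes $x^j$ a valid Shamir share of $x$.

```python
import hmac, hashlib, itertools, random

q = 2**61 - 1           # prime modulus (constructed toy choice)
u, t = 4, 2             # u players; t+1 shares reconstruct, t or fewer reveal nothing
rng = random.Random(7)  # fixed seed standing in for the TTP / dealer randomness

def eval_poly(coeffs, x):
    return sum(c * pow(x, k, q) for k, c in enumerate(coeffs)) % q

def lagrange_at_zero(points):
    """Recover f(0) from t+1 pairs (i_j, f(i_j)) by Lagrange interpolation (Technique 1)."""
    total = 0
    for xj, yj in points:
        lam = 1
        for xk, _ in points:
            if xk != xj:
                lam = lam * xk * pow(xk - xj, -1, q) % q   # prod_k x_k / (x_k - x_j)
        total = (total + yj * lam) % q
    return total

def shamir_share(s):
    """Technique 1: player j gets f(j) with f(0) = s and deg f = t."""
    f = [s % q] + [rng.randrange(q) for _ in range(t)]
    return {j: eval_poly(f, j) for j in range(1, u + 1)}

def f_H(H, j):
    """Assumed f_H: degree-t polynomial with f_H(0) = 1 and f_H(i) = 0 for every P_i in H."""
    val = 1
    for i in H:
        val = val * (j - i) * pow(-i, -1, q) % q            # factor (j - i) / (0 - i)
    return val

def prf(key, mu):
    """Phi_K(mu): HMAC-SHA256 keyed PRF reduced mod q (assumed instantiation)."""
    tag = hmac.new(key.to_bytes(8, "big"), mu, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % q

def prss_setup():
    """Technique 2 setup: one key K_H per subset H of t players; P_j holds K_H iff P_j not in H."""
    subsets = list(itertools.combinations(range(1, u + 1), t))
    keys = {H: rng.randrange(q) for H in subsets}
    held = {j: {H: keys[H] for H in subsets if j not in H} for j in range(1, u + 1)}
    return keys, held

def prss_value(keys, mu):
    """x = sum_H Phi_{K_H}(mu), the value implicitly shared (known only to whoever has every key)."""
    return sum(prf(K, mu) for K in keys.values()) % q

def prss_share(held_j, j, mu):
    """x^j = sum_{H not containing P_j} Phi_{K_H}(mu) * f_H(j), computed by P_j without interaction.
    It is a share of x because g(X) = sum_H Phi_{K_H}(mu) f_H(X) has degree t, g(0) = x, and the
    terms with P_j in H vanish at X = j."""
    return sum(prf(K, mu) * f_H(H, j) for H, K in held_j.items()) % q

def nivss_deal(keys, s, mu):
    """Technique 3: the dealer, holding all keys, knows x and broadcasts s - x."""
    return (s - prss_value(keys, mu)) % q

def nivss_share(held_j, j, mu, broadcast):
    """Each player adds the broadcast to its PRSS share and now holds a Shamir share of s."""
    return (prss_share(held_j, j, mu) + broadcast) % q

def demo():
    mu = b"constructed nonce 1"
    keys, held = prss_setup()
    x = prss_value(keys, mu)
    xs = {j: prss_share(held[j], j, mu) for j in held}
    assert lagrange_at_zero([(j, xs[j]) for j in (1, 3, 4)]) == x   # any t+1 shares give x
    s = 1234567
    bc = nivss_deal(keys, s, mu)
    ss = {j: nivss_share(held[j], j, mu, bc) for j in held}
    return lagrange_at_zero([(j, ss[j]) for j in (2, 3, 4)]) == s
```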

**Definition 7.**

- Correctness: For all $m\in \mathcal{M}$, if $C(m)=(c,o)$ then $$\Pr\left[V(m,c,o)=\text{`accept'}\right]=1.$$
- Binding: This property is the notion that once a commitment $c$ is generated, it should only commit to one message in $\mathcal{M}$. In particular, for every efficient adversary $\mathcal{A}$ that outputs $(c,m_{1},o_{1},m_{2},o_{2})$ we must have that $$\Pr\left[m_{1}\ne m_{2}\ \text{and}\ V(m_{1},c,o_{1})=V(m_{2},c,o_{2})=\text{`accept'}\right]=\mathit{neg}(\lambda).$$
- Hiding: This property is the notion that the commitment $c$ alone should not reveal any information about the message $m$. To properly define this, we use a semantic security attack game (see Attack Game 2.1 in [12]) where, instead of encrypting the messages, we compute their commitments. What we ask is that, if $W_{b}$ denotes the event that the adversary outputs 1 in experiment $b$, then $$|\Pr[W_{0}]-\Pr[W_{1}]|=\mathit{neg}(\lambda).$$

#### 2.4. Ring Learning with Errors

**Definition 8.**

**Definition 9.**

**Definition 10.**

**Definition 11.**

**Definition 12.**

**Definition 13.**

## 3. Encryption Scheme and Protocols

**Encryption Scheme 1.** Let $q,n,u\in \mathbb{Z}_{>0}$, where $u$ is the number of players, and let $\chi$ be a distribution over $R_{q}$. The encryption scheme $\mathcal{S}=(\mathcal{M},\mathcal{C},\mathcal{K},\mathcal{E},\mathcal{D})$ and key generation we will be using are the following:

- $\mathcal{M}=\{0,1\}^{n}\subseteq \mathbb{Z}_{q}^{n}\cong R_{q}$. We will see every $m\in \mathcal{M}$ as an element of $R_{q}$ with $m$ as its vector of coefficients.
- $\mathcal{C}\subseteq R_{q}\times R_{q}$.
- This is a public key encryption scheme: we have $\mathcal{K}_{s}\subseteq R_{q}$ and $\mathcal{K}_{p}\subseteq R_{q}\times R_{q}$. For any pair of keys $(\mathit{pk},s)\in \mathcal{K}_{p}\times \mathcal{K}_{s}$ we will have $s\leftarrow \sum_{i=1}^{u}\chi$ (meaning it is the sum of $u$ samples of $\chi$) and $\mathit{pk}=(a_{E},b_{E})=(a_{E},a_{E}\cdot s+e)$, where $a_{E}\stackrel{\$}{\leftarrow}R_{q}$ and $e\leftarrow \sum_{i=1}^{u}\chi$.
- $\mathcal{E}=\{\mathrm{E}_{\mathit{pk}}:\mathit{pk}=(a_{E},b_{E})\in \mathcal{K}_{p}\}$ such that, given a message $m\in \mathcal{M}$: $$\mathrm{E}_{\mathit{pk}}:\mathcal{M}\to \mathcal{C},\qquad m\mapsto (u,v).$$
- $\mathcal{D}=\{\mathrm{D}_{s}:s\in \mathcal{K}_{s}\}$ such that, given a ciphertext $(u,v)\in \mathcal{C}$: $$\mathrm{D}_{s}:\mathcal{C}\to \mathcal{P},\qquad (u,v)\mapsto m,$$ where $$v-s\cdot u=e\cdot r_{E}+e_{v}-s\cdot e_{u}+m\cdot \left\lfloor \frac{q}{2}\right\rfloor.$$

**Protocol 1.**

- A TTP generates the keys $K_{H}\in \mathbb{Z}_{q}$ for every subset $H$ of players of size $t$ and distributes them according to the PRSS technique (Technique 2). It also generates the secret key $s\sim \sum_{i=1}^{u}\chi$ and the public key $(a_{E},b_{E})$ as stated in Encryption Scheme 1. Then the TTP sends the players $(a_{E},b_{E})$ and Shamir shares of $s$. We call $s^{j}$ the Shamir share of $s$ of player $P_{j}$, understood as a vector of Shamir shares of the coefficients of $s$.
- The client receives the ciphertext $c=(u,v)$ and sends $c$ to all players.
- Each player $P_{j}$ computes $\tilde{e}^{j}=v-s^{j}\cdot u$, which is a Shamir share of $\tilde{e}=e\cdot r_{E}+e_{v}-s\cdot e_{u}+m\cdot \lfloor \frac{q}{2}\rfloor$ with $e,r_{E},e_{v},s,e_{u}\leftarrow \chi$.
- Each player $P_{j}$ computes $x^{j}$ as in the PRSS protocol but using $\mu =u+v$ (since it changes for every message and is hard to distinguish from uniformly random), its Shamir share of $x:=\sum_{H}\Phi_{K_{H}}(u+v)$, and obtains $x^{j}+\tilde{e}^{j}$, a Shamir share of $x+\tilde{e}$.
- The client reconstructs $x+\tilde{e}$ for every allowed subset of $t+1$ players, picks the value that is repeated most often, then for every coefficient returns 0 if $x+\tilde{e}$ is closer to 0 than to $\lfloor \frac{q}{2}\rfloor$ and 1 otherwise; this result is made public.

**Protocol 2.**

- For the secret key $s\in R_{q}$, each player $P_{j}$ chooses its contribution $s_{j}=(s_{1_j},\dots ,s_{n_j})$ with $s_{j}\sim \chi$. Then they act as the dealer in a NIVSS (Technique 3) to share every $s_{i_j}$ with all players. All players verify that the value broadcast during the NIVSS ($s_{i_j}-\sum_{H}\varphi^{KG}_{K^{s}_{N_{H_j}}}(\mu)$) lies in the interval $\binom{u}{t}\mathbb{I}_{KG}$. Now all players have shares of every $s_{i_j}$ and, by linearity, also of $s_{i}=\sum_{j}s_{i_j}$. Then $s$ is the polynomial in $R_{q}$ with coefficients $(s_{1},\dots ,s_{n})$.
- For the keys $K_{H}\in \mathbb{Z}_{q}$ that will be used for the PRSS in the threshold decryption: for every subset $H$ of $t$ players, each player $P_{j}$ chooses uniformly at random its contribution $K_{H_j}\in \mathbb{Z}_{q}$ to these keys and shares it with all players using Shamir secret sharing. Then, by adding all the shares received from the other players, the players hold Shamir shares of $K_{H}=\sum_{j}K_{H_j}$. Finally, all players privately send their shares of $K_{H}$ to all the players in $A$, the complement of $H$, so they can recover $K_{H}$.
- For the contributions to $e\in R_{q}$, proceed identically to the generation of $s$.
- For $a_{E}\in R_{q}$, every player $P_{j}$ chooses its contribution $(a_{E,1_j},\dots ,a_{E,n_j})$ randomly in $R_{q}^{n}$ and Shamir-shares it. Then all players send to all players their shares of all the $(a_{E,1_j},\dots ,a_{E,n_j})$, so every player can recover (by adding the shares) $\left(\sum_{j}a_{E,1_j},\dots ,\sum_{j}a_{E,n_j}\right)$. The polynomial in $R_{q}$ with these coefficients will be $a_{E}$.
- Every player computes locally their Shamir shares of $b_{E}=a_{E}\cdot s+e$ by performing these same operations on the shares they hold of $s$ and $e$.
- Finally, the public key $(a_{E},b_{E})$ is made public.
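An added, self-contained toy implementation (not the authors' code) of Encryption Scheme 1 together with a stripped-down Protocol 2 and Protocol 1: coefficient-wise Shamir shares over $R_q=\mathbb{Z}_q[X]/(X^n+1)$, each player's contributions summed into shares of $s$ and $e$, $b_E^{j}=a_E\cdot s^{j}+e^{j}$ computed locally, and threshold decryption from the partial values $v-s^{j}\cdot u$. Assumptions and simplifications: tiny insecure parameters, $\chi$ uniform on $\{-1,0,1\}$, and the NIVSS interval checks, commitments and PRSS mask $x^{j}$ are left out, so what the client reconstructs here is $\tilde{e}$ itself rather than $x+\tilde{e}$.

```python
import random

n, q = 8, 7681          # ring degree and prime modulus (constructed toy values, NOT secure)
u, t = 3, 1             # u players; any t+1 = 2 of them can decrypt
rng = random.Random(1)  # fixed seed so the run is reproducible

def chi():
    """Toy error distribution: coefficients uniform in {-1, 0, 1} (stands in for the paper's chi)."""
    return [rng.randint(-1, 1) for _ in range(n)]

def add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % q for x, y in zip(a, b)]
def mul(a, b):
    """Product in Z_q[X]/(X^n + 1): X^n wraps around as -1."""
    res = [0] * (2 * n)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] += ai * bj
    return [(res[i] - res[i + n]) % q for i in range(n)]

def centred(c):
    """Representative of c mod q in (-q/2, q/2]."""
    c %= q
    return c - q if c > q // 2 else c

def shamir_share(secret):
    """Technique 1 coefficient-wise: share j of a ring element is f_c(j) for every coefficient c."""
    shares = [[0] * n for _ in range(u)]
    for c in range(n):
        f = [secret[c] % q] + [rng.randrange(q) for _ in range(t)]   # f_c(0) = secret coefficient
        for j in range(1, u + 1):
            shares[j - 1][c] = sum(coef * pow(j, k, q) for k, coef in enumerate(f)) % q
    return shares

def reconstruct(points):
    """Lagrange interpolation at 0 from (player index j, share^j) pairs; needs t+1 of them."""
    out = [0] * n
    for j, sj in points:
        lam = 1
        for k, _ in points:
            if k != j:
                lam = lam * k * pow(k - j, -1, q) % q
        out = add(out, [v * lam % q for v in sj])
    return out

def distributed_keygen():
    """Protocol 2 without NIVSS/commitments: each P_j Shamir-shares s_j, e_j ~ chi and publishes a
    random a_E,j. Summing the received shares gives shares of s = sum_j s_j and e = sum_j e_j;
    a public a_E times a share vector is still a share vector, so b_E^j = a_E*s^j + e^j is local."""
    s_sh = [[0] * n for _ in range(u)]
    e_sh = [[0] * n for _ in range(u)]
    a_E = [0] * n
    for _ in range(u):                                   # one contribution per player
        for j, (cs, ce) in enumerate(zip(shamir_share(chi()), shamir_share(chi()))):
            s_sh[j], e_sh[j] = add(s_sh[j], cs), add(e_sh[j], ce)
        a_E = add(a_E, [rng.randrange(q) for _ in range(n)])
    b_sh = [add(mul(a_E, s_sh[j]), e_sh[j]) for j in range(u)]
    b_E = reconstruct(list(enumerate(b_sh, start=1))[: t + 1])
    return (a_E, b_E), s_sh

def encrypt(pk, m_bits):
    """E_pk(m) = (u, v) with u = a_E*r_E + e_u and v = b_E*r_E + e_v + m*floor(q/2)."""
    a_E, b_E = pk
    r_E, e_u, e_v = chi(), chi(), chi()
    m_scaled = [(b * (q // 2)) % q for b in m_bits]
    return add(mul(a_E, r_E), e_u), add(add(mul(b_E, r_E), e_v), m_scaled)

def decode(w):
    """Coefficient-wise: 0 if closer to 0 than to floor(q/2), else 1 (last step of Protocol 1)."""
    return [0 if abs(centred(c)) < q // 4 else 1 for c in w]

def threshold_decrypt(ct, s_sh, players):
    """Protocol 1 without the PRSS mask: each P_j in `players` publishes e~^j = v - s^j*u, a share of
    v - s*u = e*r_E + e_v - s*e_u + m*floor(q/2); the client interpolates t+1 of them and rounds."""
    cu, v = ct
    partial = [(j, sub(v, mul(s_sh[j - 1], cu))) for j in players]
    return decode(reconstruct(partial))
```

With $n=8$ and $\chi$ on $\{-1,0,1\}$ the noise term is bounded by $49$ in absolute value, far below $q/4$, which is why the rounding step cannot fail here.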

## 4. Correctness

**Theorem 1.**

**Proof.**

## 5. Security

#### 5.1. Security of Encryption Scheme

**Theorem 2.**

**Definition 14.**

**Definition 15.**

**Definition 16.**

**Lemma 1.**

#### 5.2. Non-Leakage of Information

**Lemma 2.**

**Lemma 3.**

**Theorem 3.**

**Proof.**

- If $b=0$: The challenger uses the decryption protocol to compute the shares of the decryption $d'_{B}$ for the honest players. It computes the decrypted message $m$ and outputs $(d'_{B},m)$.
- If $b=1$: For every $H$ such that $C\supseteq H$ the challenger samples some element $r_{\mathbf{H}}\in \mathbb{I}_{D}^{n}$ uniformly at random, and we denote by $y$ the polynomial in $R_{q}$ with vector of coefficients $\sum_{C\not\supseteq H}\Phi_{K_{H}}(u+v)+\sum_{C\supseteq H}r_{\mathbf{H}}$. Then the challenger generates $d'_{B}$, consistent shares of $y+m\lfloor \frac{q}{2}\rfloor$ (the challenger knows $m$, as it can be computed using the protocol given that everything needed is known), and outputs $(d'_{B},m)$.

**Theorem 4.**

**Proof.**

- If $b=0$: The challenger and the adversary follow Protocol 2 to generate $a_{E},b_{E}$ and the shares $s'_{B},e'_{B},K_{H}^{B},a_{E}^{B}$, and the challenger outputs $(a_{E},b_{E},s'_{B},e'_{B},K_{H}^{B},a_{E}^{B})$.
- If $b=1$: The challenger samples $s,e\sim \sum_{u}\chi$, $a_{E}\stackrel{\$}{\leftarrow}R_{q}$ and every $K_{H}\stackrel{\$}{\leftarrow}\mathbb{Z}_{q}$, and computes $b_{E}=a_{E}\cdot s+e$. Then he uses the trapdoor in the commitment scheme to recover $(\mathring{s}_{C},\mathring{e}_{C},K^{s}_{N_{H_C}},K^{e}_{N_{H_C}},K'_{H_C},{a_{E}}'_{C})$ and proceeds as follows. We divide the explanation according to what he is simulating, to ease comprehension, but everything is done simultaneously, following the flow of information seen in Table 3.
  - For the “generation” of $s$, the challenger uses the keys $K^{s}_{N_{H_C}}$ (all of which he knows, given that they were generated through queries to the random oracle through the challenger) to recover $s_{C}$, the contribution of the corrupt players to $s$. With this information the challenger can compute $s_{B}$, the contribution of the honest players to $s$, such that $s=s_{C}+s_{B}$. With these values computed, the challenger proceeds with the protocol.
  - For the “generation” of $e$ the challenger proceeds identically as for $s$.
  - For the “generation” of $K_{H}$, the challenger samples random values in $\mathbb{Z}_{q}$ for $K'_{H_B}$ (the first step) and commits to them. It then receives $K_{H}^{C}$ from the adversary (the shares of $K_{H}$ pertaining to the corrupt players) and computes consistent Shamir shares $K_{H}^{B}$ so that the players share $K_{H}$. Then, as in the protocol, the challenger sends the shares $K_{H}^{B}$ to all players not in $H$.
  - For the “generation” of $a_{E}$, the challenger samples random values in $R_{q}$ for ${a_{E}}_{B}$ (the first step) and commits to them. It then receives $a_{E}^{C}$ (the shares of $a_{E}$ pertaining to the corrupt players) and computes consistent Shamir shares $a_{E}^{B}$ so that the players share $a_{E}$. Then, as in the protocol, the challenger sends the shares $a_{E}^{B}$ to all players.
  - For the “generation” of $b_{E}$ the challenger outputs $b_{E}$ at the end of the protocol.

Then, the challenger outputs $(a_{E},b_{E},s'_{B},e'_{B},K_{H}^{B},a_{E}^{B})$.

**Theorem 5.**

**Proof.**

## 6. Implementation

#### 6.1. Choosing Parameters

**Lemma 4.**

#### 6.2. Implementation Particulars

#### 6.3. Results of the Simulation

## 7. Conclusions and Future Work

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## Abbreviations

Abbreviation | Meaning |
---|---|
CPA | Chosen Plaintext Attack |
GAPSVP | GAP Shortest Vector Problem |
HMAC | Hash-based Message Authentication Code |
K-DGS | Discrete Gaussian Sampling over K |
LWE | Learning with Errors |
NIST | National Institute of Standards and Technology |
NIVSS | Non-Interactive Verifiable Secret Sharing |
R-LWE | Ring Learning with Errors |
PRF | Pseudo-Random Function |
PRSS | Pseudo-Random Secret Sharing |
TTP | Trusted Third-Party |

## Appendix A. Correctness and Security against Active Adversaries

#### Appendix A.1. Correctness

**Theorem A1.**

**Proof.**

#### Appendix A.2. Security

**Theorem A2.**

**Theorem A3.**

**Proof.**

- If $b=0$: The challenger and the adversary follow Protocol 2 to generate $a_{E},b_{E}$ and the shares $s'_{B},e'_{B},K_{H}^{B},a_{E}^{B}$, and the challenger outputs $(a_{E},b_{E},s'_{B},e'_{B},K_{H}^{B},a_{E}^{B})$.
- If $b=1$: The challenger samples $s,e\sim \sum_{u}\chi$, $a_{E}\stackrel{\$}{\leftarrow}R_{q}$ and every $K_{H}\stackrel{\$}{\leftarrow}\mathbb{Z}_{q}$, and computes $b_{E}=a_{E}\cdot s+e$. Then he uses the trapdoor in the commitment scheme to recover $(\mathring{s}_{C},\mathring{e}_{C},K^{s}_{N_{H_C}},K^{e}_{N_{H_C}},K'_{H_C},{a_{E}}'_{C})$ and proceeds as follows. We divide the explanation according to what he is simulating, to ease comprehension, but everything is done simultaneously, following the flow of information seen in Table 3.
  - For the “generation” of $s$, the challenger uses the keys $K^{s}_{N_{H_C}}$ (all of which he knows, as he/she controls more than $t$ players) to recover $s_{C}$, the contribution of the corrupt players to $s$. With this information the challenger can compute $s_{B}$, the contribution of the honest players to $s$, such that $s=s_{C}+s_{B}$. With these values computed, the challenger proceeds with the protocol.
  - For the “generation” of $e$ the challenger proceeds identically as for $s'$.
  - For the “generation” of $K_{H}$, the challenger recovers $K_{H_C}$ (as it controls more than $t$ players), the contribution of the corrupt players to $K_{H}$. With this information the challenger can compute $K_{H_B}$, the contribution of the honest players, such that $K_{H}=K_{H_C}+K_{H_B}$ for all $H$. With these values computed, the challenger proceeds with the protocol.
  - For the “generation” of $a_{E}$, the challenger recovers ${a_{E}}_{C}$ (as it controls more than $t$ players), the contribution of the corrupt players to $a_{E}$. With this information the challenger can compute ${a_{E}}_{B}$, the contribution of the honest players, such that $a_{E}={a_{E}}_{C}+{a_{E}}_{B}$. With these values computed, the challenger proceeds with the protocol.
  - For the “generation” of $b_{E}$ the challenger outputs $b_{E}$ at the end of the protocol.

Then, the challenger outputs $(a_{E},b_{E},s'_{B},e'_{B},K_{H}^{B},a_{E}^{B})$.

**Theorem A4.**

**Proof.**

## Appendix B. Proofs of Auxiliary Theorems and Lemmas

#### Appendix B.1. Proof of Theorem 2

**Theorem A5.**

**Proof.**

**Attack Game A1.** The attack game goes as follows:

- Set the public key to $(\overline{a}_{1},\overline{b}_{1})$ and send it to $\mathcal{A}$.
- Receive $m_{01},m_{11}$ from the adversary, and choose $b_{1}\stackrel{\$}{\leftarrow}\{0,1\}$.
- Compute $u_{1}=\overline{a}_{1}\cdot r_{E}+e_{u}$ and $v_{1}=\overline{b}_{1}\cdot r_{E}+e_{v}+m_{b_{1}1}\lfloor \frac{q}{2}\rfloor$ with $r_{E},e_{u},e_{v}\leftarrow \chi$, and send $(u_{1},v_{1})$ to $\mathcal{A}$.
- Receive $\widehat{b}_{1}$ from the adversary.

**Attack Game A2.** The attack game goes as follows:

- Set the public key to $(\overline{a}_{1},\overline{a}_{2})$ and send it to the adversary.
- Receive $m_{02},m_{12}$ from the adversary, and choose $b_{2}\stackrel{\$}{\leftarrow}\{0,1\}$.
- Compute $u_{2}=\overline{b}_{1}$ and $v_{2}=\overline{b}_{2}+m_{b_{2}2}\lfloor \frac{q}{2}\rfloor$, and send $(u_{2},v_{2})$ to $\mathcal{A}$.
- Receive $\widehat{b}_{2}$ from the adversary.

#### Appendix B.2. Proofs of Lemmas 2 and 3

**Lemma A1.**

**Proof.**

**Lemma A2.**

**Proof.**

#### Appendix B.3. Proof of Lemma 4

**Definition A1.**

**Lemma A3.**

**Proof.**

**Lemma A4.**

**Proof.**

## Appendix C. Link to Repository

## References

1. Saračević, M.; Adamović, S.; Maček, N.; Elhoseny, M.; Sarhan, S. Cryptographic keys exchange model for smart city applications. IET Intell. Transp. Syst. **2020**, 14, 1456–1464.
2. Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev. **1999**, 41, 303–332.
3. Alagic, G.; Alperin-Sheriff, J.; Apon, D.; Cooper, D.; Dang, Q.; Kelsey, J.; Liu, Y.K.; Miller, C.; Moody, D.; Peralta, R.; et al. Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process; US Department of Commerce, NIST: Washington, DC, USA, 2020.
4. De Feo, L.; Meyer, M. Threshold schemes from isogeny assumptions. In Proceedings of the IACR International Conference on Public-Key Cryptography, Edinburgh, UK, 4–7 May 2020; pp. 187–212.
5. Devevey, J.; Libert, B.; Nguyen, K.; Peters, T.; Yung, M. Non-interactive CCA2-secure threshold cryptosystems: Achieving adaptive security in the standard model without pairings. In Proceedings of the IACR International Conference on Public-Key Cryptography, Virtual Event, 10–13 May 2021; pp. 659–690.
6. Bendlin, R.; Damgård, I. Threshold decryption and zero-knowledge proofs for lattice-based cryptosystems. In Proceedings of the Theory of Cryptography Conference, Zurich, Switzerland, 9–11 February 2010; pp. 201–218.
7. Singh, K.; Rangan, C.P.; Banerjee, A. Lattice-based identity-based resplittable threshold public key encryption scheme. Int. J. Comput. Math. **2016**, 93, 289–307.
8. Boneh, D.; Gennaro, R.; Goldfeder, S.; Jain, A.; Kim, S.; Rasmussen, P.M.; Sahai, A. Threshold cryptosystems from threshold fully homomorphic encryption. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 19–23 August 2018; pp. 565–596.
9. Zhang, X.; Xu, C.; Jin, C.; Xie, R.; Zhao, J. Efficient fully homomorphic encryption from RLWE with an extension to a threshold encryption scheme. Future Gener. Comput. Syst. **2014**, 36, 180–186.
10. OQS Development Team. Open Quantum Safe (OQS). Available online: https://openquantumsafe.org/ (accessed on 20 January 2022).
11. Alborch Escobar, F. RLWE-Based Distributed Key Generation and Threshold Decryption. Master's Thesis, Universitat Politècnica de Catalunya, Barcelona, Spain, 2021.
12. Boneh, D.; Shoup, V. A Graduate Course in Applied Cryptography. Draft Version 0.5, 2020. Available online: https://toc.cryptobook.us/book.pdf (accessed on 10 December 2021).
13. Shamir, A. How to share a secret. Commun. ACM **1979**, 22, 612–613.
14. Cramer, R.; Damgård, I.; Ishai, Y. Share conversion, pseudorandom secret-sharing and applications to secure computation. In Proceedings of the Theory of Cryptography Conference, Cambridge, MA, USA, 10–12 February 2005; pp. 342–362.
15. Regev, O. On lattices, learning with errors, random linear codes, and cryptography. J. ACM **2009**, 56, 1–40.
16. Lyubashevsky, V.; Peikert, C.; Regev, O. On ideal lattices and learning with errors over rings. J. ACM **2013**, 60, 1–35.
17. Peikert, C.; Regev, O.; Stephens-Davidowitz, N. Pseudorandomness of Ring-LWE for any ring and modulus. In Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, Montreal, ON, Canada, 19–23 June 2017; pp. 461–473.
18. Micciancio, D.; Regev, O. Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. **2007**, 37, 267–302.
19. Albrecht, M.R.; Player, R.; Scott, S. On the concrete hardness of learning with errors. J. Math. Cryptol. **2015**, 9, 169–203.
20. Bellare, M. New proofs for NMAC and HMAC: Security without collision-resistance. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2006; pp. 602–619.

Proposal | Lattice Problem | Key Generation | Implementation |
---|---|---|---|
[6] | LWE | ✓ | ✗ |
[7] | LWE | ✗ | ✗ |
[8] | LWE | ✓ | ✗ |
[5] | LWE | ✗ | ✗ |
[9] | R-LWE | ✗ | ✗ |
Our proposal | R-LWE | ✓ | ✓ |

Decryption Protocol |
---|
Inputs: $s^{j}$, $K_{H}$ s.t. $j\notin H$, $\Phi_{\cdot}(\cdot)$, $f_{H}$ |
Player $\mathbf{P}_{\mathbf{j}}$ |
$\stackrel{(u,v)}{\leftarrow}$ |
$x^{j}=\sum_{H\not\ni P_{j}}\Phi_{K_{H}}(u+v)\cdot f_{H}(j)$ |
$\tilde{e}^{j}=v-s^{j}\cdot u$ |
$\stackrel{x^{j}+\tilde{e}^{j}}{\to}$ |

Key Generation Protocol |
---|
Inputs: $\chi$, $\Phi^{KG}_{\cdot}(\cdot)$, $\mu$ |
Player $\mathbf{P}_{\mathbf{j}}$ |
$\begin{array}{l} s_{j},e_{j}\leftarrow \chi \\ K_{H_j},K^{s}_{N_{H_j}},K^{e}_{N_{H_j}}\stackrel{\$}{\leftarrow}\mathbb{Z}_{q}\ \forall \lvert H\rvert =n-t \\ \mathring{s}_{j}=s_{j}-\sum_{H}\Phi^{KG}_{K^{s}_{N_{H_j}}}(\mu) \\ \mathring{e}_{j}=e_{j}-\sum_{H}\Phi^{KG}_{K^{e}_{N_{H_j}}}(\mu) \\ {a_{E}}_{j}\stackrel{\$}{\leftarrow}R_{q} \\ K'_{H_j},{a_{E}}'_{j}=\mathrm{Shamir.Shares}(K_{H_j},{a_{E}}_{j}) \\ \mathcal{C}_{j}=\mathrm{Commit}(\mathring{s}_{j},\mathring{e}_{j},K^{s}_{N_{H_j}},K^{e}_{N_{H_j}},K'_{H_j},{a_{E}}'_{j}) \end{array}$ |
$\stackrel{\mathcal{C}_{j}}{\to}$ |
$\stackrel{\{\mathcal{C}_{k}\}_{k=1}^{u}}{\leftarrow}$ |
$\stackrel{\mathring{s}_{j},\mathring{e}_{j},K^{s}_{N_{H_j}},K^{e}_{N_{H_j}},K'_{H_j},{a_{E}}'_{j}}{\to}$ |
$\stackrel{\{\mathring{s}_{k},\mathring{e}_{k},K^{s}_{N_{H_k}},K^{e}_{N_{H_k}},K'_{H_k},{a_{E}}'_{k}\}_{k=1}^{u}}{\leftarrow}$ |
$\{\mathrm{Verify}(\mathcal{C}_{k})_{j}=\{\text{`accept'}\ \text{or}\ \text{`reject'}\}\}_{k=1}^{u}$ |
$\stackrel{\{\mathrm{Verify}(\mathcal{C}_{k})_{j}\}_{k=1}^{u}}{\to}$ |
$\stackrel{\{\mathrm{Verify}(\mathcal{C}_{i})_{k}\}_{i,k=1}^{u}}{\leftarrow}$ |
if $\mathrm{Verify}(\mathcal{C}_{i})_{k}=$ `reject' for some $i,k$, abort |
$\begin{array}{l} \{\mathrm{Verify.interval}(\mathring{s}_{k})_{j}=\{\text{`accept'}\ \text{or}\ \text{`reject'}\}\}_{k=1}^{u} \\ \{\mathrm{Verify.interval}(\mathring{e}_{k})_{j}=\{\text{`accept'}\ \text{or}\ \text{`reject'}\}\}_{k=1}^{u} \\ s^{j}=\sum_{k=1}^{u}\mathring{s}_{k}+\sum_{H\not\ni P_{j}}\Phi^{KG}_{K^{s}_{N_{H_j}}}(\mu)\cdot f_{H}(j) \\ e^{j}=\sum_{k=1}^{u}\mathring{e}_{k}+\sum_{H\not\ni P_{j}}\Phi^{KG}_{K^{e}_{N_{H_j}}}(\mu)\cdot f_{H}(j) \\ K_{H}^{j}=\sum_{k=1}^{u}K'_{H_k} \\ a_{E}^{j}=\sum_{k=1}^{u}{a_{E}}'_{k} \end{array}$ |
$\stackrel{\{\mathrm{Verify.interval}(\mathring{s}_{k})_{j},\ \mathrm{Verify.interval}(\mathring{e}_{k})_{j}\}_{k=1}^{u}}{\to}$ |
$\stackrel{\{\mathrm{Verify.interval}(\mathring{s}_{i})_{k},\ \mathrm{Verify.interval}(\mathring{e}_{i})_{k}\}_{i,k=1}^{u}}{\leftarrow}$ |
if $\mathrm{Verify.interval}(\mathring{s}_{i})_{k}=$ `reject' for some $i,k$, abort |
if $\mathrm{Verify.interval}(\mathring{e}_{i})_{k}=$ `reject' for some $i,k$, abort |
$\stackrel{a_{E}^{j},K_{H}^{j}\ \text{to}\ k\ \text{s.t.}\ H\not\ni P_{k}}{\to}$ |
$\stackrel{\{a_{E}^{k},K_{H}^{k}\ \text{s.t.}\ H\not\ni P_{j}\}_{k=1}^{u}}{\leftarrow}$ |
$\begin{array}{l} K_{H}=\mathrm{Reconstruct.Shamir}(K_{H}^{k})\ \text{s.t.}\ H\not\ni P_{j} \\ a_{E}=\mathrm{Reconstruct.Shamir}(a_{E}^{k}) \\ b_{E}^{j}=a_{E}\cdot s^{j}+e^{j} \end{array}$ |
$\stackrel{a_{E},b_{E}^{j}}{\to}$ |
$\stackrel{\{b_{E}^{k}\}_{k=1}^{u}}{\leftarrow}$ |
$b_{E}=\mathrm{Reconstruct.Shamir}(b_{E}^{k})$ |
$\stackrel{b_{E}}{\to}$ |

Parameter | Value |
---|---|
$n$ | 4096 |
$q$ | 713,623,846,352,979,940,529,142,984,724,747,568,191,373,381 |
$\kappa$ | 168 |
$\xi$ | 14.897861091181875 |
$\mathbb{I}_{D}$ | 8,403,614,205,785,368,527,542,540,898,258,331,059,093,504 |
$\mathbb{I}_{KG}$ | 872,305,872,233,851,041,593,123,383,308,976,128 |
Bits of Security | 121 |

Component | Specification |
---|---|
Operating System | Ubuntu 18.04.5 LTS |
CPU | Intel® Core™ i5-8500 |
Memory | 15.4 GiB |
Word Size | 64 bits |
CPU Clock Speed | 3.00 GHz |

$n$ | Key Generation (Active) | Key Generation (Passive) | Decryption (Active) | Decryption (Passive) | Encryption |
---|---|---|---|---|---|
4096 | 7031.34 ms | 1005.63 ms | 530.36 ms | 131.73 ms | 191.79 ms |
8192 | 14320.01 ms | 2160.05 ms | 1167.24 ms | 372.75 ms | 539.71 ms |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Alborch, F.; Martínez, R.; Morillo, P.
*R*-LWE-Based Distributed Key Generation and Threshold Decryption. *Mathematics* **2022**, *10*, 728.
https://doi.org/10.3390/math10050728

**AMA Style**

Alborch F, Martínez R, Morillo P.
*R*-LWE-Based Distributed Key Generation and Threshold Decryption. *Mathematics*. 2022; 10(5):728.
https://doi.org/10.3390/math10050728

**Chicago/Turabian Style**

Alborch, Ferran, Ramiro Martínez, and Paz Morillo.
2022. "*R*-LWE-Based Distributed Key Generation and Threshold Decryption" *Mathematics* 10, no. 5: 728.
https://doi.org/10.3390/math10050728