tl;dr: I was at the Next-Generation Secure Distributed Computing seminar at Schloss Dagstuhl and spoke about how a blockchain should keep a secret.
Slides: here.
Abstract: In this talk, we survey results & challenges around generating, maintaining and using a shared secret amongst the validators of a proof-of-stake (PoS) blockchain.
In the first part, we discuss techniques for generating a secret. We start with secret sharing in the threshold setting and then in the weighted setting that arises in PoS blockchains. We then introduce publicly-verifiable secret sharing (PVSS), explaining why it could be an ideal primitive to build distributed key generation (DKG) protocols from. Lastly, we discuss the new "silent setup" setting [1, 2, 3, 4] for bootstrapping threshold cryptosystems without a DKG or any explicit secret sharing (previously known as "ad hoc groups" in the literature).
In the second part, we discuss the threat of collusion attacks in the PoS setting, where validators stand to profit by exposing the shared secret or a function of it (e.g., the plaintext obtained after threshold decryption under the shared secret). We present three different collusion attacks which are all detectable-but-unpunishable. We then give a TEE-based approach that could prevent collusion and call for more research in this direction.
In the third part, we discuss some new techniques used to speed up threshold cryptosystems. We begin by reminding practitioners that Lagrange interpolation in threshold cryptosystems can and should be done via an optimized quasilinear time algorithm, instead of quadratic [5]. Then, we present new results on threshold cryptosystems that use group elements as secret key [6, 7, 8]. Lastly, we present an exciting new direction on batching threshold cryptosystems so that communication during aggregation is independent of the batch size.
Overall, we highlight important research problems in both the theory and the practice of threshold cryptography.
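To make the first and third parts concrete, here is an added example (not code from the talk, the slides, or any of the cited papers) of Shamir secret sharing in the threshold setting, the weighted setting handled by virtualisation (a validator of stake weight w holds w ordinary shares), and reconstruction by Lagrange interpolation at x = 0. The prime field, the threshold, the validator names and their weights are all constructed for illustration, and the Lagrange coefficients are computed with the textbook quadratic-time formula, not the quasilinear algorithm the talk recommends.

```python
"""Weighted Shamir secret sharing over a toy prime field (constructed example)."""

import random

# Constructed field: a 61-bit Mersenne prime. A real threshold cryptosystem
# works over the scalar field of its pairing-friendly curve instead.
P = (1 << 61) - 1


def eval_poly(coeffs, x):
    """Horner evaluation of a polynomial; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share_secret(secret, threshold, num_shares, rng=None):
    """Threshold setting: points (i, f(i)) on a random degree-(threshold-1)
    polynomial with f(0) = secret. Any `threshold` points recover the secret;
    fewer points are consistent with every possible secret."""
    rng = rng or random.SystemRandom()
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(threshold - 1)]
    return {i: eval_poly(coeffs, i) for i in range(1, num_shares + 1)}


def share_weighted(secret, threshold_weight, weights, rng=None):
    """Weighted setting (PoS): validator v with weight w_v is handed w_v
    consecutive ordinary shares, so a coalition of total weight >= threshold_weight
    holds >= threshold_weight points and can reconstruct."""
    total_weight = sum(weights.values())
    flat = share_secret(secret, threshold_weight, total_weight, rng)
    out, next_index = {}, 1
    for validator, w in weights.items():
        out[validator] = {i: flat[i] for i in range(next_index, next_index + w)}
        next_index += w
    return out


def lagrange_at_zero(xs):
    """Lagrange coefficients L_i(0) = prod_{j != i} x_j / (x_j - x_i) for distinct
    non-zero xs. This is the O(t^2) textbook method; the quasilinear approach
    from the talk is not implemented here."""
    coeffs = []
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * xj % P
                den = den * (xj - xi) % P
        coeffs.append(num * pow(den, P - 2, P) % P)  # Fermat inversion of den
    return coeffs


def reconstruct(points):
    """Recover f(0) from a dict {x: f(x)}. Supplying more than `threshold`
    points is harmless: they still lie on the same low-degree polynomial."""
    xs = list(points)
    lams = lagrange_at_zero(xs)
    return sum(lam * points[x] for lam, x in zip(lams, xs)) % P


def coalition_reconstruct(weighted_shares, coalition, threshold_weight):
    """Pool the shares of the named validators and reconstruct, refusing when
    the coalition's total weight is below the threshold (interpolating fewer
    points would yield a value unrelated to the secret)."""
    pooled = {}
    for v in coalition:
        pooled.update(weighted_shares[v])
    if len(pooled) < threshold_weight:
        raise ValueError(
            "coalition weight %d is below threshold %d" % (len(pooled), threshold_weight)
        )
    return reconstruct(pooled)


if __name__ == "__main__":
    # Constructed stake distribution; threshold weight 6 out of total 11.
    weights = {"A": 5, "B": 3, "C": 2, "D": 1}
    secret = 0xC0FFEE
    ws = share_weighted(secret, 6, weights)
    print("A+B recover secret:", coalition_reconstruct(ws, ["A", "B"], 6) == secret)
    print("B+C+D recover secret:", coalition_reconstruct(ws, ["B", "C", "D"], 6) == secret)
    try:
        coalition_reconstruct(ws, ["A"], 6)
    except ValueError as e:
        print("A alone:", e)
```

The virtualisation trick is the simplest way to get a weighted scheme, but it makes share counts (and therefore the size of the Lagrange interpolation) grow with total stake rather than with the number of validators, which is exactly the cost that motivates both the weighted schemes and the faster interpolation discussed in the talk.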
Follow-up reading
Matthieu Rambaud suggested:
- Partially Non-Interactive Two-Round Lattice-Based Threshold Signatures
- The derived $\{0,1\}$-LSSS in Threshold Fully Homomorphic Encryption
- A tradeoff with $n^2$-sized shares: Improved Universal Thresholdizer from Iterative Shamir Secret Sharing
1. Threshold Signatures in the Multiverse, by L. Baird, S. Garg, A. Jain, P. Mukherjee, R. Sinha, M. Wang and Y. Zhang, in 2023 IEEE Symposium on Security and Privacy (SP), 2023, [URL]
2. Threshold Signatures from Inner Product Argument: Succinct, Weighted, and Multi-threshold, by Sourav Das, Philippe Camacho, Zhuolun Xiang, Javier Nieto, Benedikt Bunz and Ling Ren, in Cryptology ePrint Archive, Paper 2023/598, 2023, [URL]
3. hinTS: Threshold Signatures with Silent Setup, by Sanjam Garg, Abhishek Jain, Pratyay Mukherjee, Rohit Sinha, Mingyuan Wang and Yinuo Zhang, in Cryptology ePrint Archive, Paper 2023/567, 2023, [URL]
4. Threshold Encryption with Silent Setup, by Sanjam Garg, Dimitris Kolonelos, Guru-Vamsi Policharla and Mingyuan Wang, in Cryptology ePrint Archive, Paper 2024/263, 2024, [URL]
5. Towards Scalable Threshold Cryptosystems, by Alin Tomescu, Robert Chen, Yiming Zheng, Ittai Abraham, Benny Pinkas, Guy Golan Gueta and Srinivas Devadas, in IEEE S&P'20, 2020
6. Ferveo: Threshold Decryption for Mempool Privacy in BFT networks, by Joseph Bebel and Dev Ojha, in Cryptology ePrint Archive, Paper 2022/898, 2022, [URL]
7. Distributed Randomness using Weighted VRFs, by Sourav Das, Benny Pinkas, Alin Tomescu and Zhuolun Xiang, in Cryptology ePrint Archive, Paper 2024/198, 2024, [URL]
8. Aggregatable Distributed Key Generation, by Kobi Gurkan, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, Gilad Stern and Alin Tomescu, in Advances in Cryptology – EUROCRYPT 2021, 2021