[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2013136235A1 - Byzantine fault tolerance and threshold coin tossing - Google Patents

Byzantine fault tolerance and threshold coin tossing Download PDF

Info

Publication number
WO2013136235A1
WO2013136235A1 PCT/IB2013/051815 IB2013051815W WO2013136235A1 WO 2013136235 A1 WO2013136235 A1 WO 2013136235A1 IB 2013051815 W IB2013051815 W IB 2013051815W WO 2013136235 A1 WO2013136235 A1 WO 2013136235A1
Authority
WO
WIPO (PCT)
Prior art keywords
coin
share
attributes
coin share
verifier
Prior art date
Application number
PCT/IB2013/051815
Other languages
French (fr)
Inventor
Muhammad Asim
Klaus Kursawe
Original Assignee
Koninklijke Philips N.V.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Koninklijke Philips N.V. filed Critical Koninklijke Philips N.V.
Priority to CN201380013959.2A priority Critical patent/CN104160651A/en
Priority to EP13718905.6A priority patent/EP2847923A1/en
Priority to JP2014561559A priority patent/JP2015513156A/en
Priority to US14/382,877 priority patent/US20150023498A1/en
Publication of WO2013136235A1 publication Critical patent/WO2013136235A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/24Key scheduling, i.e. generating round keys or sub-keys for block encryption

Definitions

  • the invention relates to a coin share generation.
  • the invention further relates to a coin share verification.
  • the invention further relates to performing a byzantine fault tolerance protocol.
  • Cloud computing can be classified as a new paradigm for the dynamic provisioning of computing services, typically supported by state-of-the-art data centers containing ensembles of networked Virtual Machines. Cloud computing delivers infrastructure, platform, and software (application) as services. These are referred to as, respectively, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
  • IaaS Infrastructure as a Service
  • PaaS Platform as a Service
  • SaaS Software as a Service
  • Clouds may provide improved next generation data centers by architecting them as a network of virtual services (hardware, database, user-interface, application logic), so that users are able to access and deploy applications from anywhere in the world on demand at competitive costs depending on the user's desired QoS (Quality of Service) level.
  • QoS Quality of Service
  • Developers with innovative ideas for new Internet services no longer need large capital outlays in hardware to deploy their service or human expense to operate it. It offers significant benefits to IT companies by freeing them from the low level task of setting up basic hardware (servers) and software infrastructures, thus enabling them to focus more on innovation and on creating business value for their services.
  • cloud infrastructure providers i.e., IaaS providers
  • IaaS providers IaaS providers
  • cloud computing provides a number of benefits there are still a lot of challenges related to the availability, reliability and security that need to be addressed.
  • BFT Byzantine fault tolerance
  • cloud computing in particular critical services deployed in a cloud.
  • a service might be hosted by multiple independent cloud providers, such that it tolerates faults in a subset of the clouds.
  • BFT protocols use threshold coin tossing schemes as a means to enhance fault tolerance.
  • a threshold coin tossing scheme allows managing faults based on the identity of the participants in the scheme.
  • the public key size used in threshold coin tossing increases with the number of parties.
  • Privacy in databases is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise.
  • a distributed implementation eliminates the need for a trusted database administrator.
  • a first aspect of the invention provides a coin share generator for use in a system for performing a threshold coin tossing scheme.
  • the coin share generator comprises:
  • a coin determining unit arranged for determining a coin value
  • a coin share generating unit arranged for generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes.
  • the coin share generating unit may be arranged for generating a coin share that enables a receiving entity to reconstruct the coin, based on a particular threshold number of coin shares associated with a set of attributes that satisfies a predetermined policy over the attributes. This way, the attributes can be used instead of the identity of the sender to reconstruct the coin. This reduces or eliminates the burden of maintaining public keys for different users' identities.
  • the invention provides a coin share verifier for use in a system for performing a threshold coin tossing scheme.
  • the coin share verifier comprises:
  • a coin share determining unit arranged for determining a coin share to be verified, wherein the coin share is associated with a set of attributes
  • a coin share verifying unit arranged for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
  • Such a coin share verifier can assess the validity of coin shares based on their associated attributes. This may reduce the size of public key data needed, as the attributes may be re-used among several entities. Moreover, the key handling is simplified because the coin share verifier does not need to keep track of users' privileges, because these privileges may be represented by the attributes of such users.
  • the coin share verifying unit may comprise an attribute verification unit arranged for verifying that the coin share is validly associated with a particular attribute.
  • a coin share may be thought to be associated with a particular set of attributes, for example because the coin share contains a list of associated attributes.
  • the attribute verification unit helps to verify that the coin share is validly associated with these attributes, for example using attribute-based cryptography, because it allows to verify whether the coin share is associated with a particular attribute.
  • the coin share verifier may comprise a policy determiner arranged for determining a policy over a collection of attributes, wherein the set of attributes comprises a subset of the collection of attributes; and wherein the coin share verifying unit is further arranged for verifying whether the coin share is associated with a set of attributes that satisfies the policy. It may be the case that different sets of attributes are acceptable for a favorable validation of the coin share.
  • the constraints that define what is an acceptable set of attributes may be represented by means of a policy over the collection of attributes in the system. This allows a compact representation of coin share verifier parameters and/or enables a flexible configuration of the coin share verifier.
  • the coin share verifier may comprise a share combining unit arranged for reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes. Not all the coin shares need to be associated with the same set of attributes for a successful reconstruction of the coin. However, the coin shares should be associated with respective sets of attributes that satisfy the policy over the collection of attributes.
  • the share combining unit may comprise a coin share reconstructing unit for removing the attributes from the coin shares, to obtain reconstructed coin shares. These reconstructed coin shares have been cryptographically processed, so that any encryption or encoding due to the attribute-based cryptography of the coin share is removed. This makes it easier to combine the coin shares to reconstruct the coin.
  • the coin share may comprise an identification of the set of attributes associated with the coin share. This facilitates processing by the verifier. Moreover, the coin share may be cryptographically processed using attribute-based cryptography. This allows verification by the verifier with a high level of system security.
  • the invention provides a system for performing a byzantine fault tolerance protocol.
  • This system comprises a coin share generator as set forth herein. Additionally or alternatively, the system comprises a coin share verifier set forth herein.
  • the system may further comprise a root authority subsystem comprising an attribute selector for selecting the set of attributes of a user; a key generating unit for generating the private key associated with the set of attributes; and
  • a key distributor for providing the private key to the coin share generator.
  • a workstation or a mobile terminal may be provided that comprises a coin share generator as set forth herein, a coin share verifier as set forth herein, and/or a system for performing a byzantine fault tolerance protocol as set forth herein.
  • the invention provides a method of generating a coin share in a threshold coin tossing scheme, comprising
  • determining a coin value determining a coin value; and generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes.
  • the invention provides a method of verifying a coin share in a threshold coin tossing scheme, comprising
  • the method may further comprise reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes.
  • the invention provides a computer program product comprising instructions for causing a processor system to perform one or more of the methods set forth.
  • Fig. 1 is a block diagram of a system for performing a threshold coin tossing scheme.
  • Fig. 2 is a flowchart of a method of performing a threshold coin tossing scheme.
  • One way of describing a threshold coin tossing scheme is by describing a set of algorithms that can be employed by different actors in the scheme. These algorithms may be implemented on devices that are under control of these different actors.
  • An example set of algorithms is the following.
  • This algorithm may be run by a root authority (RA) and, in some embodiments, does not need to take any parameters as input. However, some parameters may be implicitly defined by the design of the system. Such parameters may include the field used to perform the computations.
  • the setup algorithm may generate as outputs a set of public parameters PK and a master secret key MK.
  • the master secret key MK may be used in the key generation algorithm for the generation of private keys.
  • Key Generation (MK, o>): This algorithm may be run by the root authority. Alternatively, it may be run by a separate key distributing entity.
  • the key generation algorithm takes as input the master secret key MK and an attribute set ⁇ possessed by party P £ .
  • the output of this algorithm is a secret key SK a p. associated with attribute set ⁇ .
  • This algorithm may be run on a computing environment that is controlled by one of the parties, for example party P £ .
  • This algorithm takes as input the coin C E ⁇ 0,1 ⁇ * and the party P £ 's secret key SK a P ..
  • This secret key SK a P . is associated with the attribute set ⁇ .
  • the output of this algorithm is a share of the coin C.
  • this share of the coin C is processed using attribute-based cryptography, for example digitally signed with the set of attributes ⁇ , so that a receiving party can verify that the share is associated with the attribute set ⁇ possessed by P £ .
  • the share combining algorithm takes as input the valid shares of the coin C signed using attribute set ⁇ . It may output the original value of the coin if a sufficiently large number of shares of the coin is available.
  • An attribute-based threshold coin tossing scheme may be provided wherein the coin share is generated according to a policy over attributes.
  • the secret key components related to the attributes of a party may be issued by a dealer, for example a root authority. After issuing these keys, the dealer does not necessarily have any further role to play in the interaction protocol. Similar to the regular threshold coin tossing scheme, a correct coin may only be constructed if there are enough parties, say "t" out of "n", that have provided a valid coin share. However, in the attribute-based threshold coin tossing scheme, these coin shares need to be associated with an appropriate list of attributes.
  • Fig. 1 illustrates an example of a system that comprises a number of entities that can perform a threshold coin tossing scheme.
  • the system comprises a root authority subsystem 1, a coin share generator 5, and a coin share verifier 8.
  • a second coin share generator 5 ' is also drawn to illustrate that there typically is more than one coin share generator. There may also be more than one coin share verifier in the system. However, this is not shown in the drawing.
  • a plurality of coin share generators 5,5' may generate their respective coin shares and send them to the same coin share verifier 8 for validation and reconstruction of the coin.
  • the root authority subsystem 1 may comprise an attribute selector 2 for selecting the set of attributes of a user.
  • an attribute selector 2 may be operatively coupled with other elements of the system that are not shown in the drawing.
  • the attribute selector 2 may have access to a protected user database that stores information relating to different users of the system.
  • the attribute selector 2 may be arranged for selecting the set of attributes of a user in dependence on the information about that user in the database.
  • the attribute selector 2 may comprise a user interface that enables a user to choose one or more of the attributes.
  • the root authority subsystem 1 may further comprise a key generating unit 3 for generating a private key associated with the set of attributes selected by the attribute selector 2.
  • This private key may be an attribute-based encryption key or an attribute-based digital signature key, for example. More details of an example of such a key are provided hereinafter.
  • the root authority subsystem 1 may further comprise a key distributor 4 for providing the private key to the coin share generator.
  • This key distributor may be operatively connected to a network, such as the Internet or a private network, for transmitting the private key to the legitimate user of that key.
  • the key distributor may also be arranged for simply outputting the key, so that a human operator may physically deliver the key to the user of the key.
  • the coin share generator 5 may be arranged for generating the coin share.
  • the coin share generator may comprise a coin determining unit 6 arranged for determining a coin value.
  • This coin value may be a value that should be conveyed to a receiving party.
  • the coin determining unit 6 may be arranged for receiving the coin value from an external program, subroutine, or database.
  • the coin determining unit 6 may also be arranged for determining the coin value based on a user input. Other ways of determining the coin value are apparent to the person skilled in the art of conventional threshold coin tossing algorithms and Byzantine fault tolerance systems.
  • the coin share generator 5 may further comprise a coin share generating unit 7 for generating a coin share based on the coin value and a private key associated with a set of attributes. This private key is typically received from the root authority subsystem 1.
  • the coin share that is generated comprises a representation of at least part of the coin value. However, a sufficient number of coin shares is needed to be able to establish the authenticity of the coin value and/or to reconstruct the coin value.
  • the coin share generator 5 is arranged to generate the coin share in such a way that the coin share is associated with the set of attributes. This association can be performed, for example, using an attribute-based cryptography and/or signature algorithm.
  • the coin share generating unit 7 may be arranged for generating a coin share that enables a receiving entity to reconstruct the coin based on a particular threshold number of coin shares associated with a set of attributes that satisfies a predetermined policy over the attributes.
  • the different coin shares used in a reconstruction are generated by different coin share generators 5, 5'.
  • the coin share verifier 8 may comprise a coin share determining unit 9 for determining a coin share to be verified, wherein the coin share is associated with a set of attributes.
  • the coin share determining unit 9 is connected to the coin share generators 5, 5' via a network connection. This would allow the coin share determining unit 9 to receive the coin shares from the coin share generators 5, 5' via the network.
  • a separate program or device may be arranged to receive the coin shares and store them in a database under control of the coin share verifier 8.
  • Other ways to transfer the coin shares from the coin share generators 5, 5' to the coin share verifier 8 will be apparent to the person skilled in the art.
  • the coin share verifier 8 may further comprise a coin share verifying unit 10 for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
  • the coin share verifying unit 10 thus verifies the authenticity of the coin share in relation to the set of attributes that the coin share is thought to be associated with.
  • the coin share verifying unit may be arranged for extracting the set of attributes from the coin share itself.
  • the coin share may comprise a plain-text representation of its associated set of attributes.
  • the coin share verifier has access to a list of attributes for each of the senders. The authenticity of these attributes may be checked cryptographically by the coin share verifier 8.
  • the coin share verifying unit 10 may comprise an attribute verification unit 11 arranged for verifying that the coin share is validly associated with a particular attribute.
  • the coin share verifying unit may be arranged for activating the attribute verification unit 11 repeatedly for the attributes that it needs to verify.
  • the coin share verifier 8 may further comprise a policy determining unit 12 for determining a policy over a collection of attributes, wherein the set of attributes comprises a subset of the collection of attributes.
  • a policy can be expressed by specifying which combinations of attributes are acceptable for a coin share.
  • the policy determining unit 12 determines the policy. The particulars of this policy may be imposed by external considerations, such as the privileges of the different parties involved in the system.
  • the policy determining unit 12 may be arranged for receiving the policy from another entity, or for receiving the policy by means of a user input, or by a predefined setting.
  • the policy determining unit 12 may provide the policy to the coin share verifying unit 10, so that the latter can verify whether the coin shares satisfy the policy.
  • the same policy may be imposed on all coin shares, or different policies may be allowed for different coin shares.
  • the coin share verifier 8 may comprise a share combining unit 13 for reconstructing the coin value by combining at least a predetermined threshold number of coin shares. These coin shares may be associated with respective sets of attributes that satisfy a predetermined policy over the attributes.
  • a two-step approach may be employed, although this is not a limitation. In the two-step approach, first the attributes are removed from the coin shares. This presupposes that the coin share generator 5 is arranged for adding the attributes as a "wrapper" around a "bare” coin share. This "bare" coin share may be generated and combined in a way similar to the generation and combining of coin shares in existing threshold coin sharing schemes.
  • the share combining unit 13 may comprise a coin share reconstructing unit 14 for removing the attributes from the coin shares, to obtain reconstructed coin shares.
  • the coin share may comprise an identification of the set of attributes associated with the coin share, for example a listing of the attributes in an unencrypted representation.
  • the coin share may be crypto graphically processed using attribute-based cryptography. This cryptographic processing may be applied to the entire coin share, or to only a portion of it.
  • the cryptographic processing may comprise attribute-based encrypting/decrypting and/or attribute-based signature generation and verification. Consequently, a coin share may comprise an encrypted portion and/or a digitally signed portion, according to the set of attributes of the coin share generator 5.
  • the system for performing an attribute-based threshold coin tossing scheme may be adapted to and/or included in a system for performing a byzantine fault tolerance protocol.
  • the skilled person is capable to perform the adaptations needed for this based on this disclosure.
  • the different algorithms and entities disclosed therein may be implemented by means of devices comprising dedicated electronic circuitry for performing the described functionality. Alternatively, they may be implemented by means of a suitably programmed processing device.
  • a processing device can be a workstation or personal computer, or a mobile device, such as a tablet or smartphone. They may also be hosted 'in the cloud', on a server system that is connected to the Internet. Users may access such hosted applications using client devices, for example via a web browser.
  • client devices for example via a web browser.
  • the use of the algorithms may be protected against malicious use. For example, user access control can be imposed on the units implementing key portions of the protocol.
  • Fig. 2 shows an illustrative method of generating a coin share in a threshold coin tossing scheme.
  • the method starts at step 200.
  • the method comprises a preparation step 201 that involves selecting a set of attributes for a user, generating a private key associated with the set of attributes for the user, and providing the private key to the user or the user's coin share generator.
  • step 206 it is determined whether a private key is needed for another user, and if so, step 201 is repeated.
  • a coin value is determined.
  • a coin share is generated to represent at least part of the coin value.
  • the coin share is associated with the set of attributes of the user, and created using the private key provided.
  • the coin share may be transmitted in step 204 to a recipient.
  • the recipient may have a coin share verifier as set forth herein.
  • Steps 202 to 204 may be performed by a coin share generator set forth herein.
  • steps 202 to 204 may be repeated using another coin share generator, using the other coin share generator's private key, but the same coin value.
  • a coin share to be verified is determined. For example, the coin share is received from the coin share generator that generated it.
  • the validity of the coin share is determined, taking into account the set of attributes associated with the coin share. If more coin shares are found to be available in step 209, steps 207 and 208 may be repeated in respect of the remaining coin shares.
  • the coin value may be reconstructed in step 21 1 by combining at least a predetermined threshold number of coin shares. After that, the process terminates in step 213.
  • the method may be implemented by means of a computer program product comprising instructions for causing a processor system to perform the method.
  • This computer program product may be split up into several units that are run on different computer systems, under control of several different parties using the system.
  • share of the coin is generated, along with a validity proof. Shares of the coin can then be combined to obtain e (g, g) x ° by interpolation in the exponent.
  • the setup algorithm selects a bilinear group G 0 of prime order p and random generator E G 0 . In addition, it also employs a hash function H: ⁇ 0,1 ⁇ * ⁇ G 0 . The function is used to map any attribute described as a binary string to a random group element. It also chooses a bilinear map e: G 0 x G 0 ⁇ G T .
  • the setup algorithm selects a, E ⁇ ⁇ , where 1 ⁇ j ⁇ N and N being the total number of attributes in the system.
  • the public parameters PK and master secret key MK consist of the following components: Key Generation ⁇ MK, ⁇ ⁇ ): The key generation algorithm is run by central trusted authority.
  • the above routine may be applied to the shares of the coin of all parties P £ (l ⁇ i ⁇ ri), where n is the total number of parties in the system.
  • Step (P £ ) This routine is used to construct the share of the coin of each party P £ .
  • is the total number of attributes in p.
  • Step 2-Reconstruct Coin After constructing the share of the coins for at least t parties for the claimed set of attributes, the following is computed: where t represents Lagrange interpolation coefficients.
  • the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice.
  • the program may be in the form of a source code, an object code, a code intermediate source and object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention.
  • a program may have many different architectural designs.
  • a program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person.
  • the subroutines may be stored together in one executable file to form a self-contained program.
  • Such an executable file may comprise computer-executable instructions, for example, processor instructions and/or interpreter instructions (e.g. Java interpreter instructions).
  • one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time.
  • the main program contains at least one call to at least one of the sub-routines.
  • the sub-routines may also comprise calls to each other.
  • An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing step of at least one of the methods set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
  • Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
  • the carrier of a computer program may be any entity or device capable of carrying the program.
  • the carrier may include a storage medium, such as a ROM, for example, a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, a flash drive or a hard disk.
  • the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means.
  • the carrier may be constituted by such a cable or other device or means.
  • the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or to be used in the performance of, the relevant method.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Algebra (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Physics (AREA)
  • Pure & Applied Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

A coin share generator (5) is employed in a system for performing a threshold coin tossing scheme. The coin share generator (5) comprises a coin determining unit (6) for determining a coin value, and a coin share generating unit (7) for generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes. The system further comprises a coin share verifier (8) that has a coin share determining unit (9) for determining a coin share to be verified, wherein the coin share is associated with a set of attributes, and a coin share verifying unit (10) for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.

Description

Byzantine fault tolerance and threshold coin tossing
FIELD OF THE INVENTION
The invention relates to a coin share generation. The invention further relates to a coin share verification. The invention further relates to performing a byzantine fault tolerance protocol.
BACKGROUND OF THE INVENTION
In recent times, the interest in cloud computing has increased significantly due to the benefits that it promises. In cloud computing, computing services are readily available on demand, similar to utility services that could be availed on demand. Users no longer need to invest heavily or encounter difficulties in building and maintaining complex IT
infrastructure. In such a model, users may access services based on their needs regardless of where the services are hosted. Cloud computing can be classified as a new paradigm for the dynamic provisioning of computing services, typically supported by state-of-the-art data centers containing ensembles of networked Virtual Machines. Cloud computing delivers infrastructure, platform, and software (application) as services. These are referred to as, respectively, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Clouds may provide improved next generation data centers by architecting them as a network of virtual services (hardware, database, user-interface, application logic), so that users are able to access and deploy applications from anywhere in the world on demand at competitive costs depending on the user's desired QoS (Quality of Service) level. Developers with innovative ideas for new Internet services no longer need large capital outlays in hardware to deploy their service or human expense to operate it. It offers significant benefits to IT companies by freeing them from the low level task of setting up basic hardware (servers) and software infrastructures, thus enabling them to focus more on innovation and on creating business value for their services.
In order to support a large number of users from around the world, cloud infrastructure providers (i.e., IaaS providers) have established data centers in multiple geographical locations to provide redundancy and ensure reliability in case of site failures. Although cloud computing provides a number of benefits there are still a lot of challenges related to the availability, reliability and security that need to be addressed.
Byzantine fault tolerance (BFT) has been studied as a mechanism to improve availability and security of practical systems. One of the applications of BFT is in cloud computing, in particular critical services deployed in a cloud. For example, a service might be hosted by multiple independent cloud providers, such that it tolerates faults in a subset of the clouds. BFT protocols use threshold coin tossing schemes as a means to enhance fault tolerance. A threshold coin tossing scheme allows managing faults based on the identity of the participants in the scheme. The public key size used in threshold coin tossing increases with the number of parties.
"Our Data, Ourselves: Privacy via Distributed Noise Generation", by C.
Dwork et al, in Proceedings Eurocrypt, 2006, pages 486-503, Springer, discloses distributed protocols for generating shares of random noise, secure against malicious participants.
Privacy in databases is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise. A distributed implementation eliminates the need for a trusted database administrator.
SUMMARY OF THE INVENTION
It would be advantageous to have an improved system for performing a threshold coin tossing scheme. To better address this concern, a first aspect of the invention provides a coin share generator for use in a system for performing a threshold coin tossing scheme. The coin share generator comprises:
a coin determining unit arranged for determining a coin value; a coin share generating unit arranged for generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes.
By associating a coin share with a set of attributes, it becomes possible to perform a threshold coin tossing scheme that allows participating parties that have predetermined attributes. It is not necessary to use identification-based cryptography. One of the advantages of managing the faults based on the attributes is a reduction of public key size as the same attribute may be possessed by multiple parties. Further, this also allows managing the entities based on a policy over a list of attributes. The proposed coin share generator allows the generation of a coin share associated with a set of attributes. Because of this, verification and reconstruction of the coin share by a verification unit based on a policy on the attributes of the parties, becomes possible.
The coin share generating unit may be arranged for generating a coin share that enables a receiving entity to reconstruct the coin, based on a particular threshold number of coin shares associated with a set of attributes that satisfies a predetermined policy over the attributes. This way, the attributes can be used instead of the identity of the sender to reconstruct the coin. This reduces or eliminates the burden of maintaining public keys for different users' identities.
In another aspect, the invention provides a coin share verifier for use in a system for performing a threshold coin tossing scheme. The coin share verifier comprises:
a coin share determining unit arranged for determining a coin share to be verified, wherein the coin share is associated with a set of attributes; and
a coin share verifying unit arranged for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
Such a coin share verifier can assess the validity of coin shares based on their associated attributes. This may reduce the size of public key data needed, as the attributes may be re-used among several entities. Moreover, the key handling is simplified because the coin share verifier does not need to keep track of users' privileges, because these privileges may be represented by the attributes of such users.
The coin share verifying unit may comprise an attribute verification unit arranged for verifying that the coin share is validly associated with a particular attribute. A coin share may be thought to be associated with a particular set of attributes, for example because the coin share contains a list of associated attributes. The attribute verification unit helps to verify that the coin share is validly associated with these attributes, for example using attribute-based cryptography, because it allows to verify whether the coin share is associated with a particular attribute.
The coin share verifier may comprise a policy determiner arranged for determining a policy over a collection of attributes, wherein the set of attributes comprises a subset of the collection of attributes; and wherein the coin share verifying unit is further arranged for verifying whether the coin share is associated with a set of attributes that satisfies the policy. It may be the case that different sets of attributes are acceptable for a favorable validation of the coin share. The constraints that define what is an acceptable set of attributes may be represented by means of a policy over the collection of attributes in the system. This allows a compact representation of coin share verifier parameters and/or enables a flexible configuration of the coin share verifier.
The coin share verifier may comprise a share combining unit arranged for reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes. Not all the coin shares need to be associated with the same set of attributes for a successful reconstruction of the coin. However, the coin shares should be associated with respective sets of attributes that satisfy the policy over the collection of attributes.
The share combining unit may comprise a coin share reconstructing unit for removing the attributes from the coin shares, to obtain reconstructed coin shares. These reconstructed coin shares have been cryptographically processed, so that any encryption or encoding due to the attribute-based cryptography of the coin share is removed. This makes it easier to combine the coin shares to reconstruct the coin.
The coin share may comprise an identification of the set of attributes associated with the coin share. This facilitates processing by the verifier. Moreover, the coin share may be cryptographically processed using attribute-based cryptography. This allows verification by the verifier with a high level of system security.
In another aspect, the invention provides a system for performing a byzantine fault tolerance protocol. This system comprises a coin share generator as set forth herein. Additionally or alternatively, the system comprises a coin share verifier set forth herein.
The system may further comprise a root authority subsystem comprising an attribute selector for selecting the set of attributes of a user; a key generating unit for generating the private key associated with the set of attributes; and
a key distributor for providing the private key to the coin share generator.
This allows the coin share generator to generate the coin share associated with the set of attributes of the user of the coin share generator.
A workstation or a mobile terminal may be provided that comprises a coin share generator as set forth herein, a coin share verifier as set forth herein, and/or a system for performing a byzantine fault tolerance protocol as set forth herein.
In another aspect, the invention provides a method of generating a coin share in a threshold coin tossing scheme, comprising
determining a coin value; and generating a coin share based on a coin value and a private key associated with a set of attributes, to obtain a coin share associated with the set of attributes.
In another aspect, the invention provides a method of verifying a coin share in a threshold coin tossing scheme, comprising
determining a coin share to be verified, wherein the coin share is associated with a set of attributes; and
verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
The method may further comprise reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes.
In another aspect, the invention provides a computer program product comprising instructions for causing a processor system to perform one or more of the methods set forth.
It will be appreciated by those skilled in the art that two or more of the above- mentioned embodiments, implementations, and/or aspects of the invention may be combined in any way deemed useful.
Modifications and variations of the image acquisition apparatus, the workstation, the system, the method, and/or the computer program product, which correspond to the described modifications and variations of the system, can be carried out by a person skilled in the art on the basis of the present description.
BRIEF DESCRIPTION OF THE DRAWINGS
These and other aspects of the invention are apparent from and will be elucidated with reference to the drawings.
Fig. 1 is a block diagram of a system for performing a threshold coin tossing scheme.
Fig. 2 is a flowchart of a method of performing a threshold coin tossing scheme.
DETAILED DESCRIPTION OF EMBODIMENTS
One way of describing a threshold coin tossing scheme is by describing a set of algorithms that can be employed by different actors in the scheme. These algorithms may be implemented on devices that are under control of these different actors. An example set of algorithms is the following.
Setup(): This algorithm may be run by a root authority (RA) and, in some embodiments, does not need to take any parameters as input. However, some parameters may be implicitly defined by the design of the system. Such parameters may include the field used to perform the computations. The setup algorithm may generate as outputs a set of public parameters PK and a master secret key MK. The master secret key MK may be used in the key generation algorithm for the generation of private keys.
Key Generation (MK, o>): This algorithm may be run by the root authority. Alternatively, it may be run by a separate key distributing entity. The key generation algorithm takes as input the master secret key MK and an attribute set ω possessed by party P£. The output of this algorithm is a secret key SKa p. associated with attribute set ω.
Generate Coin Share(C, 5 ί" ω P.): This algorithm may be run on a computing environment that is controlled by one of the parties, for example party P£. This algorithm takes as input the coin C E {0,1}* and the party P£ 's secret key SKa P.. This secret key SKa P. is associated with the attribute set ω. The output of this algorithm is a share of the coin C. However, this share of the coin C is processed using attribute-based cryptography, for example digitally signed with the set of attributes ω, so that a receiving party can verify that the share is associated with the attribute set ω possessed by P£.
Share Verification (PK, σω P.): This algorithm takes as input the public key PK and a share of the coin σω Ρ. from party P£. It determines whether the coin share is valid. For example, it determines whether the coin share is validly signed with an appropriate set of attributes.
Share Combining ( σω P.): The share combining algorithm takes as input the valid shares of the coin C signed using attribute set ω. It may output the original value of the coin if a sufficiently large number of shares of the coin is available.
An attribute-based threshold coin tossing scheme may be provided wherein the coin share is generated according to a policy over attributes. The secret key components related to the attributes of a party may be issued by a dealer, for example a root authority. After issuing these keys, the dealer does not necessarily have any further role to play in the interaction protocol. Similar to the regular threshold coin tossing scheme, a correct coin may only be constructed if there are enough parties, say "t" out of "n", that have provided a valid coin share. However, in the attribute-based threshold coin tossing scheme, these coin shares need to be associated with an appropriate list of attributes. Fig. 1 illustrates an example of a system that comprises a number of entities that can perform a threshold coin tossing scheme. The system comprises a root authority subsystem 1, a coin share generator 5, and a coin share verifier 8. A second coin share generator 5 ' is also drawn to illustrate that there typically is more than one coin share generator. There may also be more than one coin share verifier in the system. However, this is not shown in the drawing. A plurality of coin share generators 5,5' may generate their respective coin shares and send them to the same coin share verifier 8 for validation and reconstruction of the coin.
The root authority subsystem 1 may comprise an attribute selector 2 for selecting the set of attributes of a user. Such an attribute selector 2 may be operatively coupled with other elements of the system that are not shown in the drawing. For example, the attribute selector 2 may have access to a protected user database that stores information relating to different users of the system. The attribute selector 2 may be arranged for selecting the set of attributes of a user in dependence on the information about that user in the database. Additionally or alternatively, the attribute selector 2 may comprise a user interface that enables a user to choose one or more of the attributes.
The root authority subsystem 1 may further comprise a key generating unit 3 for generating a private key associated with the set of attributes selected by the attribute selector 2. This private key may be an attribute-based encryption key or an attribute-based digital signature key, for example. More details of an example of such a key are provided hereinafter.
The root authority subsystem 1 may further comprise a key distributor 4 for providing the private key to the coin share generator. This key distributor may be operatively connected to a network, such as the Internet or a private network, for transmitting the private key to the legitimate user of that key. The key distributor may also be arranged for simply outputting the key, so that a human operator may physically deliver the key to the user of the key.
The coin share generator 5 may be arranged for generating the coin share. To this end, the coin share generator may comprise a coin determining unit 6 arranged for determining a coin value. This coin value may be a value that should be conveyed to a receiving party. The coin determining unit 6 may be arranged for receiving the coin value from an external program, subroutine, or database. The coin determining unit 6 may also be arranged for determining the coin value based on a user input. Other ways of determining the coin value are apparent to the person skilled in the art of conventional threshold coin tossing algorithms and Byzantine fault tolerance systems.
The coin share generator 5 may further comprise a coin share generating unit 7 for generating a coin share based on the coin value and a private key associated with a set of attributes. This private key is typically received from the root authority subsystem 1. The coin share that is generated comprises a representation of at least part of the coin value. However, a sufficient number of coin shares is needed to be able to establish the authenticity of the coin value and/or to reconstruct the coin value. Moreover, the coin share generator 5 is arranged to generate the coin share in such a way that the coin share is associated with the set of attributes. This association can be performed, for example, using an attribute-based cryptography and/or signature algorithm.
The coin share generating unit 7 may be arranged for generating a coin share that enables a receiving entity to reconstruct the coin based on a particular threshold number of coin shares associated with a set of attributes that satisfies a predetermined policy over the attributes. Typically, the different coin shares used in a reconstruction are generated by different coin share generators 5, 5'.
The coin share verifier 8 may comprise a coin share determining unit 9 for determining a coin share to be verified, wherein the coin share is associated with a set of attributes. For example, the coin share determining unit 9 is connected to the coin share generators 5, 5' via a network connection. This would allow the coin share determining unit 9 to receive the coin shares from the coin share generators 5, 5' via the network. Alternatively, a separate program or device may be arranged to receive the coin shares and store them in a database under control of the coin share verifier 8. Other ways to transfer the coin shares from the coin share generators 5, 5' to the coin share verifier 8 will be apparent to the person skilled in the art.
The coin share verifier 8 may further comprise a coin share verifying unit 10 for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share. The coin share verifying unit 10 thus verifies the authenticity of the coin share in relation to the set of attributes that the coin share is thought to be associated with. The coin share verifying unit may be arranged for extracting the set of attributes from the coin share itself. For example, the coin share may comprise a plain-text representation of its associated set of attributes. Alternatively, the coin share verifier has access to a list of attributes for each of the senders. The authenticity of these attributes may be checked cryptographically by the coin share verifier 8. The coin share verifying unit 10 may comprise an attribute verification unit 11 arranged for verifying that the coin share is validly associated with a particular attribute. For example, the coin share verifying unit may be arranged for activating the attribute verification unit 11 repeatedly for the attributes that it needs to verify.
The coin share verifier 8 may further comprise a policy determining unit 12 for determining a policy over a collection of attributes, wherein the set of attributes comprises a subset of the collection of attributes. In attribute-based systems, usually there is defined a universe of attributes. This universe of attributes is herein referred to as the collection of attributes. A policy can be expressed by specifying which combinations of attributes are acceptable for a coin share. The policy determining unit 12 determines the policy. The particulars of this policy may be imposed by external considerations, such as the privileges of the different parties involved in the system. The policy determining unit 12 may be arranged for receiving the policy from another entity, or for receiving the policy by means of a user input, or by a predefined setting. The policy determining unit 12 may provide the policy to the coin share verifying unit 10, so that the latter can verify whether the coin shares satisfy the policy. The same policy may be imposed on all coin shares, or different policies may be allowed for different coin shares.
The coin share verifier 8 may comprise a share combining unit 13 for reconstructing the coin value by combining at least a predetermined threshold number of coin shares. These coin shares may be associated with respective sets of attributes that satisfy a predetermined policy over the attributes. A two-step approach may be employed, although this is not a limitation. In the two-step approach, first the attributes are removed from the coin shares. This presupposes that the coin share generator 5 is arranged for adding the attributes as a "wrapper" around a "bare" coin share. This "bare" coin share may be generated and combined in a way similar to the generation and combining of coin shares in existing threshold coin sharing schemes. To support this two-step approach, the share combining unit 13 may comprise a coin share reconstructing unit 14 for removing the attributes from the coin shares, to obtain reconstructed coin shares.
It will be understood that the coin share may comprise an identification of the set of attributes associated with the coin share, for example a listing of the attributes in an unencrypted representation. Moreover, the coin share may be crypto graphically processed using attribute-based cryptography. This cryptographic processing may be applied to the entire coin share, or to only a portion of it. The cryptographic processing may comprise attribute-based encrypting/decrypting and/or attribute-based signature generation and verification. Consequently, a coin share may comprise an encrypted portion and/or a digitally signed portion, according to the set of attributes of the coin share generator 5.
The system for performing an attribute-based threshold coin tossing scheme may be adapted to and/or included in a system for performing a byzantine fault tolerance protocol. The skilled person is capable to perform the adaptations needed for this based on this disclosure.
The different algorithms and entities disclosed therein may be implemented by means of devices comprising dedicated electronic circuitry for performing the described functionality. Alternatively, they may be implemented by means of a suitably programmed processing device. Such a processing device can be a workstation or personal computer, or a mobile device, such as a tablet or smartphone. They may also be hosted 'in the cloud', on a server system that is connected to the Internet. Users may access such hosted applications using client devices, for example via a web browser. In all cases, the use of the algorithms may be protected against malicious use. For example, user access control can be imposed on the units implementing key portions of the protocol.
Fig. 2 shows an illustrative method of generating a coin share in a threshold coin tossing scheme. The method starts at step 200. The method comprises a preparation step 201 that involves selecting a set of attributes for a user, generating a private key associated with the set of attributes for the user, and providing the private key to the user or the user's coin share generator. In step 206, it is determined whether a private key is needed for another user, and if so, step 201 is repeated.
In step 202, a coin value is determined. In step 203, a coin share is generated to represent at least part of the coin value. The coin share is associated with the set of attributes of the user, and created using the private key provided. The coin share may be transmitted in step 204 to a recipient. The recipient may have a coin share verifier as set forth herein. Steps 202 to 204 may be performed by a coin share generator set forth herein. In step 205, if a coin share from another coin share generator is needed, steps 202 to 204 may be repeated using another coin share generator, using the other coin share generator's private key, but the same coin value.
In step 207, a coin share to be verified is determined. For example, the coin share is received from the coin share generator that generated it. In step 208, the validity of the coin share is determined, taking into account the set of attributes associated with the coin share. If more coin shares are found to be available in step 209, steps 207 and 208 may be repeated in respect of the remaining coin shares. In step 210, it is decided whether the number of valid shares is at least equal to a predetermined threshold. If the number of valid shares is smaller than the predetermined threshold, the process terminates at step 212.
Alternatively, if the number of valid shares is at least equal to the threshold value, the coin value may be reconstructed in step 21 1 by combining at least a predetermined threshold number of coin shares. After that, the process terminates in step 213.
The method may be implemented by means of a computer program product comprising instructions for causing a processor system to perform the method. This computer program product may be split up into several units that are run on different computer systems, under control of several different parties using the system.
Hereinafter, examples of the algorithms used in the system and method are described in more detail. These algorithms are part of an attribute-based threshold coin- tossing scheme. It will be understood that these details are intended as non-limiting example implementations. At a high level, the scheme works as follows: The value of coin C E {0,1}* is obtained by first hashing C to obtain ^ £ G0, then computing e (g, g)x° to obtain the value of the coin that belongs to the group G . The secret exponent x0 is distributed among the parties denoted by Pt with the attribute set ω using Shamir's secret sharing scheme. In addition to the share of x0, each party also has the secret keys related to the attribute set ω. Using share of x0 i.e. xt and secret key components i.e. H(j)rj+0C Xi : Vj E ω, share of the coin is generated, along with a validity proof. Shares of the coin can then be combined to obtain e (g, g)x° by interpolation in the exponent.
Setup (): The setup algorithm selects a bilinear group G0 of prime order p and random generator E G0 . In addition, it also employs a hash function H: {0,1}*→ G0. The function is used to map any attribute described as a binary string to a random group element. It also chooses a bilinear map e: G0 x G0→ GT. The setup algorithm selects a, E Έρ , where 1 < j≤ N and N being the total number of attributes in the system. The public parameters PK and master secret key MK consist of the following components:
Figure imgf000013_0001
Key Generation {MK, ωΡ ): The key generation algorithm is run by central trusted authority. It takes as input a set of attributes ω for party P master secret key MK and outputs secret key for the user related to the attribute set ω. The algorithm selects xt = f(i for each party P£, where / is a polynomial over TLq of degree less then k. It then generates secret key for the party P£ related to the attribute set ω which consists of the following components: K^ = (v; ε to-. D = H0 rj+a'Xi, D^ = x
Generate Coin Share (5Κω Ρ.): For a general coin C £ {0,1}, let g = H(C).
The coin share for a party P£ along with its validity proof is generated using ΞΚω Ρ., which consists of the following components: σω,Ρ. = (σ(1) = gxi■ H{j)r'+a Xi: V/ £ ω, σ& = gXi, σ& = HQ')Xi)
Note: In this function, one could use shares of the value xt during the generation of the coin share using for example a threshold secrete sharing scheme instead of the value of the xt. Share Verification (PK, σω Ρ. ): The share verification algorithm takes as input the public parameters and share of the coin σω Ρ. generated by the party P£ using the attribute set ω. g) = e{gri, H(j)) e{a&, ga) e{g, a ): Vj £ ω
Figure imgf000014_0001
e(gXi■ H(jyj+a-Xi, g = e(grJ, H ]-)) e(H(jY ga) e{g, gxi): Vj £ ω
The above routine may be applied to the shares of the coin of all parties P£ (l≤ i≤ ri), where n is the total number of parties in the system.
Share Combining (σω,ρ;): The share combining algorithm first reconstructs the share of the coin for all parties P£. After the reconstruction of the coin shares, it recovers the final value of the coin.
(a) Step
Figure imgf000014_0002
(P£) : This routine is used to construct the share of the coin of each party P£. Let p be the list of the claimed attributes by the party P£.
Figure imgf000015_0001
where η is the total number of attributes in p.
Note: The use of η is optional. During the generation of the coin's share, if xt has also been shared among the attributes used for the generation of the coin share, then η is not necessary in this function and one may use the Lagrange interpolation instead. (b) Step 2-ReconstructCoin (): After constructing the share of the coins for at least t parties for the claimed set of attributes, the following is computed: where t represents Lagrange interpolation coefficients.
It will be appreciated that the invention also applies to computer programs, particularly computer programs on or in a carrier, adapted to put the invention into practice. The program may be in the form of a source code, an object code, a code intermediate source and object code such as in a partially compiled form, or in any other form suitable for use in the implementation of the method according to the invention. It will also be appreciated that such a program may have many different architectural designs. For example, a program code implementing the functionality of the method or system according to the invention may be sub-divided into one or more sub-routines. Many different ways of distributing the functionality among these sub-routines will be apparent to the skilled person. The subroutines may be stored together in one executable file to form a self-contained program. Such an executable file may comprise computer-executable instructions, for example, processor instructions and/or interpreter instructions (e.g. Java interpreter instructions). Alternatively, one or more or all of the sub-routines may be stored in at least one external library file and linked with a main program either statically or dynamically, e.g. at run-time. The main program contains at least one call to at least one of the sub-routines. The sub-routines may also comprise calls to each other. An embodiment relating to a computer program product comprises computer-executable instructions corresponding to each processing step of at least one of the methods set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically. Another embodiment relating to a computer program product comprises computer-executable instructions corresponding to each means of at least one of the systems and/or products set forth herein. These instructions may be sub-divided into sub-routines and/or stored in one or more files that may be linked statically or dynamically.
The carrier of a computer program may be any entity or device capable of carrying the program. For example, the carrier may include a storage medium, such as a ROM, for example, a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example, a flash drive or a hard disk. Furthermore, the carrier may be a transmissible carrier such as an electric or optical signal, which may be conveyed via electric or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such a cable or other device or means. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted to perform, or to be used in the performance of, the relevant method.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb "comprise" and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.

Claims

CLAIMS:
1. A coin share generator (5) for use in a system for performing a threshold coin tossing scheme, comprising
a coin determining unit (6) for determining a coin value;
a coin share generating unit (7) for generating a coin share based on the coin value and a private key associated with a set of attributes, wherein the coin share is associated with the set of attributes.
2. The coin share generator (5) according to claim 1, wherein the coin share generating unit (7) is arranged for generating a coin share that enables a receiving entity to reconstruct the coin based on a particular threshold number of coin shares associated with a set of attributes that satisfies a predetermined policy over the attributes.
3. A coin share verifier (8) for use in a system for performing a threshold coin tossing scheme, comprising
a coin share determining unit (9) for determining a coin share to be verified, wherein the coin share is associated with a set of attributes; and
a coin share verifying unit (10) for verifying a validity of the coin share, taking into account the set of attributes associated with the coin share.
4. The coin share verifier (8) of claim 3, wherein the coin share verifying unit
(10) comprises an attribute verification unit (11) for verifying that the coin share is validly associated with a particular attribute.
5. The coin share verifier (8) of claim 3,
further comprising a policy determining unit (12) for determining a policy over a collection of attributes, wherein the set of attributes comprises a subset of the collection of attributes; and
wherein the coin share verifying unit (10) is further arranged for verifying whether the coin share is associated with a set of attributes that satisfies the policy.
6. The coin share verifier (8) of claim 3, further comprising
a share combining unit (13) for reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes.
7. The coin share generator (5) of claim 1 or the coin share verifier (8) of claim 3, wherein the coin share comprises an identification of the set of attributes associated with the coin share, and wherein the coin share is cryptographically processed using attribute- based cryptography.
8. A system for performing a byzantine fault tolerance protocol, comprising the coin share generator (5) of claim 1 and/or the coin share verifier (8) of claim 3.
9. The system according to claim 8, further comprising a root authority subsystem (1), comprising
an attribute selector (2) for selecting the set of attributes of an entity;
a key generating unit (3) for generating the private key associated with the set of attributes; and
a key distributor (4) for providing the private key to the coin share generator.
10. A workstation or a mobile terminal comprising the coin share generator of claim 1, the coin share verifier of claim 3, and/or the system for performing a byzantine fault tolerance protocol according to claim 8.
11. A method of generating a coin share in a threshold coin tossing scheme, comprising
determining (202) a coin value; and
generating (203) a coin share based on a coin value and a private key associated with a set of attributes, wherein the coin share is associated with the set of attributes.
12. A method of verifying a coin share in a threshold coin tossing scheme, comprising determining (207) a coin share to be verified, wherein the coin share is associated with a set of attributes; and
verifying (208) a validity of the coin share, taking into account the set of attributes associated with the coin share.
13. The method according to claim 12, further comprising reconstructing the coin by combining at least a predetermined threshold number of coin shares, wherein the coin shares are associated with respective sets of attributes that satisfy a predetermined policy over the attributes.
14. A computer program product comprising instructions for causing a processor system to perform the method of claim 11 or 12.
PCT/IB2013/051815 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin tossing WO2013136235A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201380013959.2A CN104160651A (en) 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin tossing
EP13718905.6A EP2847923A1 (en) 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin tossing
JP2014561559A JP2015513156A (en) 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin toss
US14/382,877 US20150023498A1 (en) 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin tossing

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201261609524P 2012-03-12 2012-03-12
US61/609,524 2012-03-12

Publications (1)

Publication Number Publication Date
WO2013136235A1 true WO2013136235A1 (en) 2013-09-19

Family

ID=48190558

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2013/051815 WO2013136235A1 (en) 2012-03-12 2013-03-07 Byzantine fault tolerance and threshold coin tossing

Country Status (5)

Country Link
US (1) US20150023498A1 (en)
EP (1) EP2847923A1 (en)
JP (1) JP2015513156A (en)
CN (1) CN104160651A (en)
WO (1) WO2013136235A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11429967B2 (en) * 2018-03-13 2022-08-30 Nec Corporation Mechanism for efficient validation of finality proof in lightweight distributed ledger clients

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209730B (en) * 2015-04-30 2020-03-10 华为技术有限公司 Method and device for managing application identifier
US10686765B2 (en) * 2017-04-19 2020-06-16 International Business Machines Corporation Data access levels
US10887090B2 (en) 2017-09-22 2021-01-05 Nec Corporation Scalable byzantine fault-tolerant protocol with partial tee support
US10572352B2 (en) * 2017-11-01 2020-02-25 Vmware, Inc. Byzantine fault tolerance with verifiable secret sharing at constant overhead
CN109766673B (en) * 2019-01-18 2019-12-10 四川大学 Alliance type audio and video copyright block chain system and audio and video copyright chaining method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6931431B2 (en) * 2001-01-13 2005-08-16 International Business Machines Corporation Agreement and atomic broadcast in asynchronous networks
US8229859B2 (en) * 2007-04-19 2012-07-24 Gideon Samid Bit currency: transactional trust tools
US8189789B2 (en) * 2008-11-03 2012-05-29 Telcordia Technologies, Inc. Intrusion-tolerant group management for mobile ad-hoc networks
US8321495B2 (en) * 2009-07-28 2012-11-27 International Business Machines Corporation Byzantine fault-tolerance in distributed computing networks

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
C. DWORK ET AL.: "Proceedings Eurocrypt", 2006, SPRINGER, article "Our Data, Ourselves: Privacy via Distributed Noise Generation", pages: 486 - 503
HUAI-XI WANG ET AL: "Attribute-Based Signature with Policy-and-Endorsement Mechanism", JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY, KLUWER ACADEMIC PUBLISHERS, BO, vol. 25, no. 6, 3 November 2010 (2010-11-03), pages 1293 - 1304, XP019859539, ISSN: 1860-4749, DOI: 10.1007/S11390-010-9406-1 *
JIN LI ET AL: "Attribute-based Signature and its Applications", ASIACCS'10, 13 April 2010 (2010-04-13), XP055003406 *
SOMAYEH HEIDARVAND ET AL: "Public Verifiability from Pairings in Secret Sharing Schemes", 14 August 2008, SELECTED AREAS IN CRYPTOGRAPHY, SPRINGER BERLIN HEIDELBERG, BERLIN, HEIDELBERG, PAGE(S) 294 - 308, ISBN: 978-3-642-04158-7, XP019128239 *
YOULIANG TIAN ET AL: "A practical publicly verifiable secret sharing scheme based on bilinear pairing", ANTI-COUNTERFEITING, SECURITY AND IDENTIFICATION, 2008. ASID 2008. 2ND INTERNATIONAL CONFERENCE ON, IEEE, PISCATAWAY, NJ, USA, 20 August 2008 (2008-08-20), pages 71 - 75, XP031365968, ISBN: 978-1-4244-2584-6, DOI: 10.1109/IWASID.2008.4688348 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11429967B2 (en) * 2018-03-13 2022-08-30 Nec Corporation Mechanism for efficient validation of finality proof in lightweight distributed ledger clients

Also Published As

Publication number Publication date
EP2847923A1 (en) 2015-03-18
US20150023498A1 (en) 2015-01-22
JP2015513156A (en) 2015-04-30
CN104160651A (en) 2014-11-19

Similar Documents

Publication Publication Date Title
CN109151053B (en) Anti-quantum computing cloud storage method and system based on public asymmetric key pool
CN107800688B (en) Cloud data deduplication and integrity auditing method based on convergence encryption
CN111066285B (en) SM2 signature based public key recovery method
CN109150519B (en) Anti-quantum computing cloud storage security control method and system based on public key pool
US20180013555A1 (en) Data transmission method and apparatus
US20110307698A1 (en) Masking the output of random number generators in key generation protocols
WO2019088979A1 (en) Multi-party threshold authenticated encryption
CN110365469B (en) Data integrity verification method in cloud storage supporting data privacy protection
JP5506704B2 (en) Decryption system, key device, decryption method, and program
US20150023498A1 (en) Byzantine fault tolerance and threshold coin tossing
CN105721156B (en) Data are carried out with the method and relevant device of coding and digital signature
WO2019110399A1 (en) Two-party signature device and method
US9660813B1 (en) Dynamic privacy management for communications of clients in privacy-preserving groups
WO2014106149A1 (en) Techniques for validating cryptographic applications
GB2574076A (en) Distributed data storage
CN113259317B (en) Cloud storage data deduplication method based on identity agent unencrypted
Kanimozhi et al. Secure sharing of IOT data in cloud environment using attribute-based encryption
JP6294882B2 (en) Key storage device, key storage method, and program thereof
CN107070900B (en) It can search for re-encryption method based on what is obscured
Krasnoselskii et al. Distributed random number generator on Hedera Hashgraph
CN109412788B (en) Anti-quantum computing agent cloud storage security control method and system based on public key pool
CN111245594A (en) Homomorphic operation-based collaborative signature method and system
CN117235342A (en) Dynamic cloud auditing method based on homomorphic hash function and virtual index
US20220385453A1 (en) Secure file transfer
CN114697001B (en) Information encryption transmission method, equipment and medium based on blockchain

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13718905

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 14382877

Country of ref document: US

ENP Entry into the national phase

Ref document number: 2014561559

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2013718905

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2013718905

Country of ref document: EP

REG Reference to national code

Ref country code: BR

Ref legal event code: B01A

Ref document number: 112014022246

Country of ref document: BR

ENP Entry into the national phase

Ref document number: 112014022246

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20140909