Information Technology Reference
In-Depth Information
Computation (Decryption).
All players in
S
and
E
compute the decryption
over
c
1
, the shares of
c
2
and the shares of
d
resulting in
k
that remains shared
among the players of
E
until reaching the output-stage (see fig. 2).
S
starts
protocol 2 by resharing
c
2
over
E
and sending
c
1
to
E
.Theneachplayer
E
i
computes and broadcasts a share of
c
d
1
. Furthermore, he combines a share of
c
2
c
−d
1
and computes his part
c
2
i
·
of the main decryption (multiplication of a share
with a scalar) resulting in a share of
k
. However, broadcasting this share enables
every
E
i
to reconstruct
c
2
. Due to this fact, we blind
c
2
by resharing
k
over
E
.
· c
−d
1
input:
(
S
1
[
c
1
,c
21
]
,...,S
m
[
c
1
,c
2
m
]
,E
1
[
d
1
]
,...,E
n
[
d
n
])
MPC:
c
2
output:
(
E
1
[
k
1
]
,...,E
n
[
k
n
])
l.1
for all
i ∈{
1
,...,m}
do
// decryption stage 1 (
S
&
E
)+
l.2
S
i
:
c
2
i
→
(
c
2
i
1
,...,c
2
i
n
)
l.3
send
(
S
i
[
c
1
,c
2
i
1
,...,c
2
i
n
])
→
(
E
1
[
c
1
,c
2
i
1
]
,...,E
n
[
c
1
,c
2
i
n
])
l.4
for all
i ∈{
1
,...,n}
do
// decryption stage 2 (
E
)+
2
i
=
j
=1
c
2
j
i
· λ
c
2
i
E
i
:
c
1
i
=
c
d
1
,
l.5
0
,j
send
(
E
i
[
c
1
i
])
(
E
1
[
c
1
i
]
,...,E
n
[
c
1
i
])
l.6
→
l.7
for all
i ∈{
1
,...,n}
do
// decryption stage 3 (
E
)+
(
j
=1
c
1
j
λ
0
,j
)
−
1
,
E
i
:
k
i
=
c
2
i
·
i
(
k
i
1
,...,k
in
)
l.8
→
send
(
E
i
[
k
i
1
,...,k
in
])
(
E
1
[
k
i
1
]
,...,E
n
[
k
in
])
l.9
→
l.10
for all
i ∈{
1
,...,n}
do
// decryption stage 4 (
E
)+
E
i
:
k
i
=
j
=1
k
ji
· λ
k
i
l.11
0
,j
Fig. 2.
Multi-Party Protocol 2: Distributed ElGamal Decryption
Analogous to protocol 1 a proof of correctness can be given as follows:
Proof (of Correctness (Multi-Party Protocol 2)).
⎛
⎞
−
1
n
n
n
n
(
1
=
λ
c
2
0
,i
c
1
j
λ
d
λ
c
2
0
,i
l.
=
λ
k
0
,i
k
i
c
2
i
·
⎝
⎠
k
=
k
i
·
·
·
0
,j
i
=1
i
=1
i
=1
j
=1
n
m
(
1
=
λ
c
0
,i
·
l.
=
c
2
i
·
c
−d
1
λ
c
0
,i
·
c
−d
1
c
−d
1
c
2
i
·
=
c
2
·
i
=1
i
=1
Output.
Every player
E
i
∈E
sends
k
i
to every player
E
j
∈E
.Theneach
E
j
can reconstruct the session key by computing
k
=
i
=1
k
i
·
λ
k
0
,i
.
3.1 Performance and Security Analysis
The performance of the proposed protocols depends on the number of players in
P
. The following table shows the number of sent messages, performed
multiplications and exponentiations of big integer values during the encryption
and decryption-stages for one player (additions are not considered):
,
S
and
E