TDH2 implementation #583
🔒 Could not start CI tests due to missing safe PR label. Please contact a DEDIS maintainer.
Sorry for the cold pings, but I saw you are also working on a Go implementation of TDH2 and thought you might want to contribute to or review this as well: @pszal, @stchrysa, @kaleofduty.
I am afraid we likely won't have time for that, but it's always great to see more open-source cryptography implementations. Hope everything goes well for your project!

Any feedback from the maintainers?

Maintainer here - thank you for the contribution, it's much appreciated. @AnomalRoil do you have time to look into this?

Hi there, any update or feedback on this one?
This PR adds a TDH2 implementation. TDH2 is a threshold encryption scheme where decryption is secret-shared among n parties. Decryption requires a threshold of t+1 parties to cooperate. The scheme is based on ElGamal encryption and uses non-interactive zero-knowledge proofs (NIZK) to ensure the correctness of encryption.
See the original paper for more theoretical details:
https://www.shoup.net/papers/thresh1.pdf by Victor Shoup and Rosario Gennaro
This scheme is proven to be secure against chosen-ciphertext attack (CCA secure) under the decisional Diffie-Hellman (DDH) assumption.
For this implementation, the following specification is followed:
https://github.com/coinbase/cb-mpc/blob/master/docs/spec/tdh2-spec.pdf
Similar to the specification, this implementation also provides an alternative to the original one-time-pad encryption of the message.
If useAESGCM is set to true, AES-GCM (256-bit) is used instead of the one-time pad.
We also support labels that can be used as associated data in the AEAD scheme.
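To make the structure described above concrete, here is an added example that is not code from this PR or from kyber: a stripped-down threshold ElGamal sketch in Go. It shows the three pieces the description names: a Shamir-shared secret key with threshold t+1, per-party partial decryptions combined by Lagrange interpolation in the exponent, and the useAESGCM-style variant where the message is sealed with AES-256-GCM and the label is bound as associated data. Everything here is an assumption of the sketch rather than the PR's API: NIST P-256 through crypto/elliptic stands in for kyber's group abstraction, SHA-256 over the shared point is the key derivation, and the NIZK proofs that real TDH2 attaches to ciphertexts and decryption shares are omitted, so this sketch has the threshold property but not the CCA guarantee. All function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// NIST P-256 via crypto/elliptic (deprecated for new code, but its ScalarMult/Add are exactly the two group ops needed here).
var curve = elliptic.P256()
var order = curve.Params().N

type Point struct{ X, Y *big.Int }

func randScalar() *big.Int {
	k, err := rand.Int(rand.Reader, order)
	if err != nil || k.Sign() == 0 { // zero has probability 2^-256
		panic("random scalar generation failed")
	}
	return k
}

// aeadFor: AES-256-GCM keyed by SHA-256 of both coordinates (assumed KDF); neither constructor can fail for a 32-byte key.
func aeadFor(p Point) cipher.AEAD {
	key := sha256.Sum256(append(p.X.FillBytes(make([]byte, 32)), p.Y.FillBytes(make([]byte, 32))...))
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Keygen: f(z) = x + a1*z + ... + at*z^t; returns h = g^x and the shares f(1..n) (party i holds shares[i-1]).
func Keygen(t, n int) (Point, []*big.Int) {
	coeffs := make([]*big.Int, t+1)
	for i := range coeffs {
		coeffs[i] = randScalar()
	}
	shares := make([]*big.Int, n)
	for i := 1; i <= n; i++ {
		z, v := big.NewInt(int64(i)), new(big.Int)
		for j := t; j >= 0; j-- { // Horner evaluation of f(i) mod order
			v.Mul(v, z).Add(v, coeffs[j]).Mod(v, order)
		}
		shares[i-1] = v
	}
	hx, hy := curve.ScalarBaseMult(coeffs[0].Bytes())
	return Point{hx, hy}, shares
}

// Encrypt: pick r, output u = g^r, a nonce and AES-GCM(H(h^r), msg) with label as associated data.
func Encrypt(pk Point, msg, label []byte) (u Point, nonce, body []byte) {
	r := randScalar()
	ux, uy := curve.ScalarBaseMult(r.Bytes())
	sx, sy := curve.ScalarMult(pk.X, pk.Y, r.Bytes())
	gcm := aeadFor(Point{sx, sy})
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Point{ux, uy}, nonce, gcm.Seal(nil, nonce, msg, label)
}

// DecShare: party i's partial decryption u_i = u^{x_i} (TDH2's NIZK that this used the registered x_i is omitted).
func DecShare(u Point, share *big.Int) Point {
	x, y := curve.ScalarMult(u.X, u.Y, share.Bytes())
	return Point{x, y}
}

// Combine: h^r = prod_i u_i^{lambda_i} (Lagrange in the exponent), then open; too few shares or a changed label fail the GCM tag check.
func Combine(nonce, body, label []byte, idx []int, parts []Point) ([]byte, error) {
	accX, accY := big.NewInt(0), big.NewInt(0) // (0,0) is crypto/elliptic's point at infinity
	for i, xi := range idx {
		lam := big.NewInt(1) // lambda_i = prod_{j != i} j / (j - i) mod order
		for j, xj := range idx {
			if i == j {
				continue
			}
			den := new(big.Int).Mod(big.NewInt(int64(xj-xi)), order)
			if den.ModInverse(den, order) == nil {
				return nil, fmt.Errorf("duplicate share index %d", xi)
			}
			lam.Mul(lam, big.NewInt(int64(xj))).Mul(lam, den).Mod(lam, order)
		}
		px, py := curve.ScalarMult(parts[i].X, parts[i].Y, lam.Bytes())
		accX, accY = curve.Add(accX, accY, px, py)
	}
	return aeadFor(Point{accX, accY}).Open(nil, nonce, body, label)
}

func main() { // t=2 of n=5: parties 1..3 decrypt together
	pk, shares := Keygen(2, 5)
	u, nonce, body := Encrypt(pk, []byte("threshold-protected secret"), []byte("session:42"))
	parts := []Point{DecShare(u, shares[0]), DecShare(u, shares[1]), DecShare(u, shares[2])}
	pt, err := Combine(nonce, body, []byte("session:42"), []int{1, 2, 3}, parts)
	fmt.Printf("%q err=%v\n", pt, err)
}
```

The design point worth noticing is the failure mode: with only t shares, or with a label that differs from the one used at encryption time, Combine still produces a group element, but it is the wrong one, so the derived key is wrong and AES-GCM's tag check rejects the ciphertext instead of handing back garbage. That is the practical reason the AEAD variant with the label as associated data is attractive over a bare one-time pad, where a wrong key would silently yield a wrong plaintext.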