Context-Dependent Threshold Decryption and Its Applications

In a threshold decryption system, a secret key is split across a number of parties so that any threshold of them can decrypt a given ciphertext. We introduce a new concept in threshold decryption called a decryption context, which is an additional argument that is used during decryption. The context ensures that decryption shares that are generated for a ciphertext using different contexts are isolated from each other and cannot be jointly used to decrypt the ciphertext. For example, suppose the decryption threshold is t. Further, suppose that less than t decryption shares are generated for a ciphertext c under one context, and less than t decryption shares are generated for c under a different context. Then this set of shares is insufficient to decrypt c even if the total number of shares exceeds t. This new concept has several important applications, most notably for implementing an encrypted mempool in a consensus protocol. We give two CCA-secure threshold decryption constructions that support context. One is based on ElGamal encryption, and the other is generic showing how to add context to any CCA-secure threshold decryption system without changing the encryption algorithm.

Duke Scholars

Author Kartik Nayak Computer Science