Round-Optimal and Efficient Verifiable Secret Sharing - PowerPoint PPT Presentation

Description:

If D is honest, adversary has no Shannon information about s during the Sharing phase. ... takes place. Round-Optimal and Efficient VSS TCC'06. 21. 3-Round (n ... – PowerPoint PPT presentation


1
Round-Optimal and Efficient Verifiable Secret Sharing

Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)
2
Secret Sharing Protocols [Sha79, Bla79]
  • Set of players $P = \{P_1, P_2, \ldots, P_n\}$, dealer D
    (e.g., $D = P_1$).
  • Two phases
  • Sharing phase
  • Reconstruction phase
  • Sharing Phase
  • D initially holds s and each player $P_i$ finally
    holds some private information $v_i$.
  • Reconstruction Phase
  • Each player $P_i$ reveals (some of) his private
    information $v_i$ on which a reconstruction
    function is applied to obtain $s = \mathrm{Rec}(v_1, v_2, \ldots, v_n)$.

3
Secret Sharing (contd)
[Figure: Dealer holding secret s]
4
Secret Sharing (contd)
[Figure: Dealer holding secret s]

Reconstruction Phase
Players are assumed to give their shares honestly
5
Verifiable Secret Sharing (VSS) [CGMA85]
  • Extends secret sharing to the case of active
    corruptions
    (corrupted players, incl. Dealer, may not
    follow the protocol)
  • Up to t corrupted players
  • Adaptive adversary
  • Reconstruction Phase
  • Each player $P_i$ reveals (some of) his private
    information $v_i$
    on which a reconstruction function is
    applied to obtain
    $s = \mathrm{Rec}(v_1, v_2, \ldots, v_n)$.

6
VSS Requirements
  • Privacy
  • If D is honest, adversary has no Shannon
    information about s during the Sharing phase.
  • Correctness
  • If D is honest, the reconstructed value $s' = s$.
  • Commitment
  • After Sharing phase, $s'$ is uniquely determined.

7
Weak VSS (WSS) [RB89]
  • Privacy
  • If D is honest, adversary has no Shannon
    information about s during the Sharing phase.
  • Correctness
  • If D is honest, the reconstructed value $s' = s$.
  • Weak Commitment
  • After Sharing phase, $s'$ is uniquely determined
    such that
    $\mathrm{Rec}(v_1, v_2, \ldots, v_n) \in \{\bot, s'\}$.

8
Communication Model and Round Complexity
  • Synchronous, fully connected network of pair-wise
    secure channels + broadcast channel.
  • Round complexity: Number of communication rounds
    in the Sharing phase.
  • Efficiency: Total computation and communication
    polynomial in n and size of the secret.

9
Prior (Relevant) Work
  • Perfect VSS possible iff $n > 3t$ [BGW88, DDWY90]
  • Round complexity of VSS [GIKR01]
  • $n > 4t$: Efficient 2-round protocol
  • $n > 3t$: No 2-round protocol exists
  • Efficient 4-round protocol
  • Inefficient 3-round protocol

10
Our Contributions
  • VSS: Efficient 3-round protocol for $n > 3t$
  • WSS:
  • Efficient 3-round protocol for $n > 3t$; round
    optimal
  • Efficient 1-round protocol for $n > 4t$
  • $(1+\epsilon)$ amortized-round VSS protocol for $n > 3t$

12
3-Round (n/3)-WSS
[Figure: Dealer with secret s; Sharing Phase; players' values $v_1, v_2, v_3, \ldots, v_n$; Reconstruction Phase]
13
3-Round (n/3)-WSS
[Figure: secret s; players' values $v_1, v_2, v_3, \ldots, v_n$; Reconstruction Phase]
14
3-Round (n/3)-WSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ sends to $P_j$ a random pad $r_{ij}$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + r_{ij}$
  • $b_{ij} = g_i(j) + r_{ji}$
  • $P_j$ broadcasts
  • $a_{ji} = f_j(i) + r_{ji}$
  • $b_{ji} = g_j(i) + r_{ij}$

15
3-Round (n/3)-WSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ sends to $P_j$ a random pad $r_{ij}$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + r_{ij}$
  • $b_{ij} = g_i(j) + r_{ji}$
  • $P_j$ broadcasts
  • $a_{ji} = f_j(i) + r_{ji}$
  • $b_{ji} = g_j(i) + r_{ij}$
  • Round 3: For each $a_{ij} \neq b_{ji}$
  • $P_i$ broadcasts $f_i(j)$
  • $P_j$ broadcasts $g_j(i)$
  • D broadcasts $F(j,i)$
  • A player is said to be unhappy if his value
    does not match D's value. If no. of unhappy players
    $> t$, disqualify D.
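
The sharing phase above, simulated as an added example (not code from the presentation or the paper). It assumes the prime field GF(2^61 - 1), models a cheating dealer only through a hypothetical `tamper` hook that shifts the $f_i(j)$ values a player receives, and has the dealer open the true $F(j,i)$ in round 3.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumption: the slides do not fix a field)

def F_eval(c, x, y):
    """Evaluate F(x,y) = sum c[a][b] * x^a * y^b over GF(P)."""
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P

def wss_sharing(n, t, s, tamper=None):
    """Simulate rounds 1-3. tamper is a hypothetical hook: {(i, j): delta} shifts
    the value f_i(j) that P_i receives, modelling a dealer who sends a bad f_i.
    Returns (complaints, unhappy, dealer_disqualified)."""
    tamper = tamper or {}
    ids = range(1, n + 1)
    # Round 1: D picks F of degree t in each variable with F(0,0) = s.
    c = [[secrets.randbelow(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    # P_i holds f_i(j) = F(j,i) and g_i(j) = F(i,j); P_i sends pad r_ij to P_j.
    f = {(i, j): (F_eval(c, j, i) + tamper.get((i, j), 0)) % P
         for i in ids for j in ids}
    g = {(i, j): F_eval(c, i, j) for i in ids for j in ids}
    r = {(i, j): secrets.randbelow(P) for i in ids for j in ids}
    # Round 2: P_i broadcasts a_ij = f_i(j) + r_ij and b_ij = g_i(j) + r_ji.
    a = {(i, j): (f[i, j] + r[i, j]) % P for i in ids for j in ids}
    b = {(i, j): (g[i, j] + r[j, i]) % P for i in ids for j in ids}
    # Round 3: for each a_ij != b_ji, P_i opens f_i(j), P_j opens g_j(i),
    # and D opens F(j,i); whoever disagrees with D becomes unhappy.
    complaints = [(i, j) for i in ids for j in ids if a[i, j] != b[j, i]]
    unhappy = set()
    for i, j in complaints:
        d = F_eval(c, j, i)
        if f[i, j] != d:
            unhappy.add(i)
        if g[j, i] != d:
            unhappy.add(j)
    return complaints, unhappy, len(unhappy) > t
```

With n = 4 and t = 1, one tampered share makes one player unhappy and the dealer survives; tampering the shares of two players exceeds t and disqualifies the dealer.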

16
3-Round (n/3)-WSS Reconstruction Phase
  • Every happy player $P_i$ broadcasts $f_i(x)$ and
    $g_i(y)$.
  • Local computation
  • Every player constructs a consistency graph G
    over the set of happy players; there exists an
    edge between $P_i, P_j \in G$ iff $f_i(j) = g_j(i)$
    and $g_i(j) = f_j(i)$.
  • Every player constructs a set CORE as follows
  • Initially all nodes with degree at least $n-t$ in G
    are in CORE.
  • Players in CORE consistent with less than $n-t$
    players in CORE are removed.
  • Repeat until no more players can be removed from
    CORE.
  • Secret determined by the polynomial defined by
    any $t+1$ players from CORE. If $|\mathrm{CORE}| < n-t$, the
    secret is $\bot$.
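
The CORE computation and reconstruction above, as an added example (not code from the presentation or the paper). It assumes the prime field GF(2^61 - 1), counts each player as consistent with himself so that $n-t$ honest players reach degree $n-t$, and uses a constructed t = 1 sample polynomial in `sample_broadcasts`; `None` stands for $\bot$.

```python
P = 2**61 - 1  # prime field modulus (assumption: the slides do not fix a field)

def ev(poly, x):
    """Evaluate a coefficient list (lowest degree first) at x over GF(P)."""
    acc = 0
    for coef in reversed(poly):
        acc = (acc * x + coef) % P
    return acc

def sample_broadcasts(n, s, c10=5, c01=7, c11=11):
    """Constructed sample for t = 1: F(x,y) = s + c10*x + c01*y + c11*x*y.
    Maps i -> (f_i, g_i) with f_i(x) = F(x,i) and g_i(y) = F(i,y)."""
    return {i: ([s + c01 * i, c10 + c11 * i], [s + c10 * i, c01 + c11 * i])
            for i in range(1, n + 1)}

def wss_reconstruct(n, t, broadcasts):
    """broadcasts: {i: (f_i, g_i)} from happy players. Returns s, or None."""
    def consistent(i, j):
        (fi, gi), (fj, gj) = broadcasts[i], broadcasts[j]
        return ev(fi, j) == ev(gj, i) and ev(gi, j) == ev(fj, i)
    # Consistency graph; a player's own self-check is counted (assumption).
    adj = {i: {j for j in broadcasts if consistent(i, j)} for i in broadcasts}
    core = {i for i in adj if len(adj[i]) >= n - t}
    while True:  # prune until every member has >= n-t neighbours inside CORE
        drop = {i for i in core if len(adj[i] & core) < n - t}
        if not drop:
            break
        core -= drop
    if len(core) < n - t:
        return None
    # Any t+1 CORE members fix F; interpolate F(0,y) at y = 0 from the
    # points (i, f_i(0)) = (i, F(0,i)) using Lagrange coefficients.
    pts = sorted(core)[:t + 1]
    s = 0
    for i in pts:
        lam = 1
        for j in pts:
            if j != i:
                lam = lam * j % P * pow((j - i) % P, -1, P) % P
        s = (s + ev(broadcasts[i][0], 0) * lam) % P
    return s
```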

17
3-Round (n/3)-WSS Proof Sketch
  • Privacy (D is honest)
  • D distributes consistent information $\Rightarrow$ any pair
    of honest players publish same mutual padded
    values.
  • Randomness of pads leads to indistinguishability
    of adversary's view under different secrets.
  • Correctness (D is honest)
  • All honest players (at least $n-t$) are happy $\Rightarrow$ no
    disqualification of D in Sharing Phase.
  • They all end up in CORE, thus the secret
    reconstructed is s.

18
3-Round (n/3)-WSS Proof Sketch
  • Weak Commitment
  • $|\mathrm{CORE}| < n-t$: All honest players output $\bot$.
  • $|\mathrm{CORE}| \geq n-t$: All players in CORE are
    consistent with a polynomial fixed at the end of
    the Sharing Phase
  • The $n-2t$ honest happy players define a unique
    polynomial $F(x,y)$ (at the end of Sharing
    Phase).
  • Every dishonest happy player in CORE is
    consistent with at least $n-t$ players in CORE, of
    which $n-2t \geq t+1$ are honest
  • $\Rightarrow$ every dishonest happy player in CORE is also
    consistent
    with $F(x,y)$.

19
Recall 3-Round (n/3)-WSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ sends to $P_j$ a random pad $r_{ij}$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + r_{ij}$
  • $b_{ij} = g_i(j) + r_{ji}$
  • Round 3: For each $a_{ij} \neq b_{ji}$
  • $P_i$ broadcasts $f_i(j)$
  • $P_j$ broadcasts $g_j(i)$
  • D broadcasts $F(j,i)$
  • A player is said to be unhappy if his value
    does not match D's value. If no. of unhappy players
    $> t$, disqualify D.

20
3-Round (n/3)-VSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ selects random $r_i$ and starts (n/3)-WSS
    on $r_i$ using $F_i^W(x,y)$.

21
3-Round (n/3)-VSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ selects random $r_i$ and starts (n/3)-WSS$_i$
    on $r_i$ using $F_i^W(x,y)$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + F_i^W(0,j)$
  • $b_{ij} = g_i(j) + F_j^W(0,i)$
  • Concurrently, round 2 of (n/3)-WSS$_i$
    takes place.

22
3-Round (n/3)-VSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ selects random $r_i$ and starts (n/3)-WSS$_i$
    on $r_i$ using $F_i^W(x,y)$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + F_i^W(0,j)$
  • $b_{ij} = g_i(j) + F_j^W(0,i)$
  • Concurrently, round 2 of (n/3)-WSS$_i$
    takes place.
  • Round 3: For each $a_{ij} \neq b_{ji}$
  • $P_i$ broadcasts $f_i(j)$
  • $P_j$ broadcasts $g_j(i)$
  • D broadcasts $F(j,i)$
  • Concurrently, round 3 of (n/3)-WSS$_i$
    takes place.

23
3-Round (n/3)-VSS Sharing Phase
  • Round 1:
  • D selects a random bivariate polynomial $F(x,y)$ of
    degree t in each variable, s.t. $F(0,0) = s$;
    sends $F(x,i) = f_i(x)$ and $F(i,y) = g_i(y)$ to
    $P_i$.
  • Player $P_i$ selects random $r_i$ and starts (n/3)-WSS$_i$
    on $r_i$ using $F_i^W(x,y)$.
  • Round 2: $P_i$ broadcasts
  • $a_{ij} = f_i(j) + F_i^W(0,j)$
  • $b_{ij} = g_i(j) + F_j^W(0,i)$
  • Concurrently, round 2 of (n/3)-WSS$_i$
    takes place.
  • Round 3: For each $a_{ij} \neq b_{ji}$
  • $P_i$ broadcasts $f_i(j)$
  • $P_j$ broadcasts $g_j(i)$
  • D broadcasts $F(j,i)$
  • A player is said to be unhappy if his value
    does not match D's value. If no. of unhappy players
    $> t$, disqualify D.
  • Concurrently, round 3 of (n/3)-WSS$_i$
    takes place.

24
3-Round (n/3)-VSS Sharing Phase
  • Local Computation
  • $H = \{\text{happy players}\} \setminus \{\text{players disqualified as WSS dealers}\}$
  • If $|H| < n-t$, disqualify D and stop.
  • For $P_i \in H$, if $|H \cap H_i^W| < n-t$, remove $P_i$ from
    H.
  • Call the final set $\mathrm{CORE}_{sh}$. If $|\mathrm{CORE}_{sh}| < n-t$,
    disqualify D and stop.
  • Properties of $\mathrm{CORE}_{sh}$
  • If D is honest, then $\mathrm{CORE}_{sh}$ contains all honest
    players $\Rightarrow$
    D is not disqualified during the Sharing phase.
  • Every player in $\mathrm{CORE}_{sh}$ is consistent with $n-t$
    players in $\mathrm{CORE}_{sh}$ $\Rightarrow$ At least $t+1$ honest players
    in $\mathrm{CORE}_{sh}$ (defining a unique polynomial
    $F^H(x,y)$).

25
3-Round (n/3)-VSS Reconstruction Phase
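  • For each $P_i \in \mathrm{CORE}_{sh}$, run Rec. phase of
    (n/3)-WSS$_i$, concurrently.
  • Local computation
  • $\mathrm{CORE}_{rec} := \mathrm{CORE}_{sh}$
  • $\mathrm{CORE}_{rec} := \mathrm{CORE}_{rec} \setminus \{P_i \mid \bot \leftarrow (n/3)\text{-WSS}_i\}$
  • For each $P_i \in \mathrm{CORE}_{rec}$ compute
  • $f_i(j) = a_{ij} - F_i^W(0,j)$, $1 \leq j \leq n$
  • If $f_i(x)$ not a t-degree polynomial, remove $P_i$
    from $\mathrm{CORE}_{rec}$.
  • Obtain $F(x,y)$ by taking any $t+1$ polynomials
    $f_i(x)$ from $\mathrm{CORE}_{rec}$
  • $s = F(0,0)$.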

26
3-Round (n/3)-VSS Reconstruction Phase
  • Properties of $\mathrm{CORE}_{rec}$
  • At least $n-2t$ ($\geq t+1$) honest players in $\mathrm{CORE}_{sh}$
  • $\Rightarrow$ unique t-degree polynomial $F^H(x,y)$.
  • Dishonest $P_i$ in $\mathrm{CORE}_{rec}$
  • WSS$_i$ succeeded
  • $f_i(j)$ lie on a t-degree polynomial $f_i(x)$
  • $F_i^W(x,y)$ is consistent with $\geq t+1$ honest
    players in $\mathrm{CORE}_{rec}$
  • $\Rightarrow$ $f_i(x)$ is consistent with $F^H(x,y)$.
  • Privacy
  • The only difference with WSS protocol is the
    pads.
  • Prove that $a_{ij} = f_i(j) + F_i^W(0,j)$ does not
    reveal any info about $f_i(j)$.

27
Amortized VSS Round Complexity
  • Say, m k-round sequential VSS protocols (e.g.,
    MPC)
  • Using deferred commitment, $m+2$ total rounds $\Rightarrow$
    $1 + O(1/m)$ amortized-round VSS protocol
  • Initial phase: Dealer(s) share random values $r_1,
    r_2, \ldots, r_m$ using the given VSS protocol.
  • Sharing Phase of jth VSS protocol
  • Broadcast correction term $c_j = s_j - r_j$
  • Correction (two ways)
  • In Reconstruction Phase each player computes $s_j =
    c_j + r_j$.
  • At the end of Sharing Phase every player $P_i$
    computes
    $F'_j(x,i) = F_j(x,i) + c_j$ and $F'_j(i,y) = F_j(i,y) + c_j$

28
Summary
  • VSS: Efficient 3-round protocol for $n > 3t$
  • WSS:
  • Efficient 3-round protocol for $n > 3t$; round
    optimal
  • Efficient 1-round protocol for $n > 4t$
  • $(1+\epsilon)$ amortized-round VSS

30
(n/3)-WSS Round Optimality
  • Based on impossibility of 3-round Weak Secure
    Multicast
  • $P = \{P_1, P_2, \ldots, P_n\}$; $D \in P$ holds input m;
    multicast set $M \subseteq P$.
  • Privacy: If all players in M are honest, then
    adversary learns no information about m.
  • Correctness: If D is honest, then all honest
    players in M output m.
  • Weak Agreement: Even if D is dishonest, all
    honest players in M output a value in $\{m, \bot\}$.
  • r-round WSS $\Rightarrow$ r-round WSM