Title: Round-Optimal and Efficient Verifiable Secret Sharing

Slide 1: Round-Optimal and Efficient Verifiable Secret Sharing
Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)
Slide 2: Secret Sharing Protocols [Sha79, Bla79]
- Set of players P = {P1, P2, ..., Pn}, dealer D (e.g., D = P1).
- Two phases:
  - Sharing phase
  - Reconstruction phase
- Sharing Phase
  - D initially holds s and each player Pi finally holds some private information vi.
- Reconstruction Phase
  - Each player Pi reveals (some of) his private information vi, on which a reconstruction function is applied to obtain s = Rec(v1, v2, ..., vn).
Slides 3-4: Secret Sharing (contd)
[Figure: the Dealer holding secret s distributes shares to the players; in the Reconstruction Phase the players pool their shares.]
- Players are assumed to give their shares honestly.
Slide 5: Verifiable Secret Sharing (VSS) [CGMA85]
- Extends secret sharing to the case of active corruptions (corrupted players, incl. the Dealer, may not follow the protocol).
  - Up to t corrupted players
  - Adaptive adversary
- Reconstruction Phase
  - Each player Pi reveals (some of) his private information vi, on which a reconstruction function is applied to obtain s = Rec(v1, v2, ..., vn).
Slide 6: VSS Requirements
- Privacy: If D is honest, the adversary has no Shannon information about s during the Sharing phase.
- Correctness: If D is honest, the reconstructed value s' = s.
- Commitment: After the Sharing phase, s is uniquely determined.
Slide 7: Weak VSS (WSS) [RB89]
- Privacy: If D is honest, the adversary has no Shannon information about s during the Sharing phase.
- Correctness: If D is honest, the reconstructed value s' = s.
- Weak Commitment: After the Sharing phase, s is uniquely determined such that Rec(v1, v2, ..., vn) ∈ {⊥, s}.
Slide 8: Communication Model and Round Complexity
- Synchronous, fully connected network of pair-wise secure channels plus a broadcast channel.
- Round complexity: number of communication rounds in the Sharing phase.
- Efficiency: total computation and communication polynomial in n and the size of the secret.
Slide 9: Prior (Relevant) Work
- Perfect VSS possible iff n > 3t [BGW88, DDWY90]
- Round complexity of VSS [GIKR01]
  - n > 4t: efficient 2-round protocol
  - n > 3t: no 2-round protocol exists
    - Efficient 4-round protocol
    - Inefficient 3-round protocol
Slide 10: Our Contributions
- VSS: efficient 3-round protocol for n > 3t
- WSS
  - Efficient 3-round protocol for n > 3t (round optimal)
  - Efficient 1-round protocol for n > 4t
- (1 + ε) amortized-round VSS protocol for n > 3t
Slides 12-13: 3-Round (n/3)-WSS
[Figure: the Dealer holding secret s hands out shares v1, v2, v3, ..., vn in the Sharing Phase; the players open them in the Reconstruction Phase.]
Slides 14-15: 3-Round (n/3)-WSS Sharing Phase
- Round 1
  - D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s, and sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.
  - Player Pi sends to Pj a random pad rij.
- Round 2
  - Pi broadcasts aij = fi(j) + rij and bij = gi(j) + rji.
  - Pj broadcasts aji = fj(i) + rji and bji = gj(i) + rij.
- Round 3: For each aij ≠ bji
  - Pi broadcasts fi(j)
  - Pj broadcasts gj(i)
  - D broadcasts F(j,i)
- A player is said to be unhappy if his value does not match D's value. If the number of unhappy players is > t, disqualify D.
Slide 16: 3-Round (n/3)-WSS Reconstruction Phase
- Every happy player Pi broadcasts fi(x) and gi(y).
- Local computation
  - Every player constructs a consistency graph G over the set of happy players: there is an edge between Pi and Pj in G iff fi(j) = gj(i) and gi(j) = fj(i).
  - Every player constructs a set CORE as follows:
    - Initially all nodes with degree at least n − t in G are in CORE.
    - Players in CORE consistent with fewer than n − t players in CORE are removed.
    - Repeat until no more players can be removed from CORE.
  - The secret is determined by the polynomial defined by any t + 1 players from CORE. If |CORE| < n − t, the secret is ⊥.
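As an added illustration (not code from the paper or its authors), the following Python simulation works over a constructed prime field with n = 7, t = 2: the dealer's Round-1 bivariate sharing, and the Reconstruction Phase's consistency graph, iterative CORE pruning and recovery of F(0,0). The pad exchange of Rounds 2-3 is skipped and the happy set is taken as the set of players who broadcast; players who broadcast random polynomials stand in for corrupted players.

```python
import random

P = 2**31 - 1   # prime field modulus (constructed parameter, not from the paper)
N, T = 7, 2     # n > 3t: 7 players, at most 2 corrupted

def eval_poly(c, x):
    """c[0] + c[1]*x + ... + c[T]*x^T mod P."""
    return sum(ck * pow(x, k, P) for k, ck in enumerate(c)) % P

def deal(secret):
    """Dealer's Round 1: random F(x,y) of degree T in each variable, F(0,0) = secret;
    P_i receives the coefficient lists of f_i(x) = F(x,i) and g_i(y) = F(i,y)."""
    F = [[random.randrange(P) for _ in range(T + 1)] for _ in range(T + 1)]  # F[a][b]: coeff of x^a y^b
    F[0][0] = secret % P
    row = lambda i: [sum(F[a][b] * pow(i, b, P) for b in range(T + 1)) % P for a in range(T + 1)]
    col = lambda i: [sum(F[a][b] * pow(i, a, P) for a in range(T + 1)) % P for b in range(T + 1)]
    return {i: (row(i), col(i)) for i in range(1, N + 1)}

def lagrange_at_zero(points):
    """Value at 0 of the degree-<=T polynomial through T+1 points (x_i, y_i)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def reconstruct(bcast):
    """Reconstruction over bcast = {i: (f_i, g_i)} from the happy players: build the
    consistency graph, prune it to CORE, return (secret, CORE); secret None means ⊥."""
    def consistent(i, j):   # edge (P_i, P_j) iff f_i(j) = g_j(i) and g_i(j) = f_j(i)
        return i == j or (eval_poly(bcast[i][0], j) == eval_poly(bcast[j][1], i)
                          and eval_poly(bcast[i][1], j) == eval_poly(bcast[j][0], i))
    deg = lambda i, S: sum(consistent(i, j) for j in S)    # a player counts itself
    weak = lambda S: {i for i in S if deg(i, S) < N - T}   # fewer than n - t partners
    core = set(bcast) - weak(bcast)   # initial CORE: nodes of degree at least n - t
    while weak(core):                 # repeat until nothing more can be removed
        core -= weak(core)
    if len(core) < N - T:
        return None, core
    # f_i(0) = F(0,i): any T+1 such points fix F(0,y), whose value at 0 is s
    return lagrange_at_zero([(i, bcast[i][0][0]) for i in sorted(core)[:T + 1]]), core

def demo(secret=42, corrupt=(6, 7)):   # honest dealer; corrupt players broadcast junk
    bcast = deal(secret)
    for i in corrupt:   # a random polynomial pair is inconsistent with everyone else
        bcast[i] = tuple([random.randrange(P) for _ in range(T + 1)] for _ in range(2))
    return reconstruct(bcast)
```

With two junk broadcasts the five honest players form CORE and the secret is recovered; if fewer than n − t players broadcast at all (a dishonest-dealer situation), CORE is empty and the output is ⊥.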
Slide 17: 3-Round (n/3)-WSS Proof Sketch
- Privacy (D is honest)
  - D distributes consistent information ⇒ any pair of honest players publish the same mutual padded values.
  - Randomness of the pads leads to indistinguishability of the adversary's view under different secrets.
- Correctness (D is honest)
  - All honest players (at least n − t) are happy ⇒ no disqualification of D in the Sharing Phase.
  - They all end up in CORE, thus the reconstructed secret is s.
Slide 18: 3-Round (n/3)-WSS Proof Sketch
- Weak Commitment
  - |CORE| < n − t: all honest players output ⊥.
  - |CORE| ≥ n − t: all players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase:
    - The n − 2t honest happy players define a unique polynomial F(x,y) (at the end of the Sharing Phase).
    - Every dishonest happy player in CORE is consistent with at least n − t players in CORE, of which n − 2t ≥ t + 1 are honest ⇒ every dishonest happy player in CORE is also consistent with F(x,y).
Slide 19: (n/3)-WSS Round Optimality
- Based on the impossibility of 3-round Weak Secure Multicast (WSM):
  - P = {P1, P2, ..., Pn}; D ∈ P holds input m; multicast set M ⊆ P.
  - Privacy: If all players in M are honest, then the adversary learns no information about m.
  - Correctness: If D is honest, then all honest players in M output m.
  - Weak Agreement: Even if D is dishonest, all honest players in M output a value in {m, ⊥}.
- r-round WSS ⇒ r-round WSM
Slide 20: Recall 3-Round (n/3)-WSS Sharing Phase (same content as slide 15)
Slides 21-24: 3-Round (n/3)-VSS Sharing Phase
- Round 1
  - D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s, and sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.
  - Player Pi selects a random ri and starts (n/3)-WSSi on ri using FiW(x,y).
- Round 2: Pi broadcasts
  - aij = fi(j) + FiW(0,j)
  - bij = gi(j) + FjW(0,i)
  - Concurrently, round 2 of (n/3)-WSSi takes place.
- Round 3: For each aij ≠ bji
  - Pi broadcasts fi(j)
  - Pj broadcasts gj(i)
  - D broadcasts F(j,i)
  - Concurrently, round 3 of (n/3)-WSSi takes place.
- A player is said to be unhappy if his value does not match D's value. If the number of unhappy players is > t, disqualify D.
Slide 25: 3-Round (n/3)-VSS Sharing Phase
- Local Computation
  - H = happy players \ players disqualified as WSS dealers. If |H| < n − t, disqualify D and stop.
  - For Pi ∈ H, if |H ∩ HiW| < n − t, remove Pi from H.
  - Call the final set COREsh. If |COREsh| < n − t, disqualify D and stop.
- Properties of COREsh
  - If D is honest, then COREsh contains all honest players ⇒ D is not disqualified during the Sharing phase.
  - Every player in COREsh is consistent with n − t players in COREsh ⇒ at least t + 1 honest players in COREsh (defining a unique polynomial FH(x,y)).
Slide 26: 3-Round (n/3)-VSS Reconstruction Phase
- For each Pi ∈ COREsh, run the Reconstruction phase of (n/3)-WSSi, concurrently.
- Local computation
  - CORErec = COREsh
  - Remove from CORErec every Pi whose (n/3)-WSSi reconstructs to ⊥.
  - For each Pi ∈ CORErec compute fi(j) = aij − FiW(0,j), 1 ≤ j ≤ n.
  - If fi(x) is not a t-degree polynomial, remove Pi from CORErec.
  - Obtain F(x,y) by taking any t + 1 polynomials fi(x) from CORErec; s = F(0,0).
Slide 27: 3-Round (n/3)-VSS Reconstruction Phase
- Properties of CORErec
  - At least n − 2t (≥ t + 1) honest players in COREsh ⇒ unique t-degree polynomial FH(x,y).
  - Dishonest Pi in CORErec:
    - WSSi succeeded
    - fi(j) lie on a t-degree polynomial fi(x)
    - FiW(x,y) is consistent with ≥ t + 1 honest players in CORErec ⇒ fi(x) is consistent with FH(x,y).
- Privacy
  - The only difference from the WSS protocol is the pads.
  - Prove that aij = fi(j) + FiW(0,j) does not reveal any info about fi(j).
Slide 28: Amortized VSS Round Complexity
- Say, m k-round sequential VSS protocols (e.g., MPC)
- Using deferred commitment, m + 2 total rounds ⇒ 1 + O(1/m) amortized-round VSS protocol
  - Initial phase: Dealer(s) share random values r1, r2, ..., rm using the given VSS protocol.
  - Sharing Phase of the jth VSS protocol: broadcast the correction term cj = sj − rj.
  - Correction (two ways)
    - In the Reconstruction Phase each player computes sj = cj + rj.
    - At the end of the Sharing Phase every player Pi computes F'j(x,i) = Fj(x,i) + cj and F'j(i,y) = Fj(i,y) + cj.
Slide 29: Summary
- VSS: efficient 3-round protocol for n > 3t
- WSS
  - Efficient 3-round protocol for n > 3t (round optimal)
  - Efficient 1-round protocol for n > 4t
- (1 + ε) amortized-round VSS