- 81 Views
- Uploaded on
- Presentation posted in: General

Round-Optimal and Efficient Verifiable Secret Sharing

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Round-Optimal and EfficientVerifiable Secret Sharing

Matthias Fitzi (Aarhus University)

Juan Garay (Bell Labs)

Shyamnath Gollakota (IIT Madras)

C. Pandu Rangan (IIT Madras)

Kannan Srinathan (IIIT Hyderabad)

- Two phases
- Sharing phase
- Reconstruction phase

- Sharing Phase
- D initially holds s and each player Pi finally holds some private information vi.

- Reconstruction Phase
- Each player Pi reveals (some of) his private information v’i on which a reconstruction function is applied to obtain s = Rec(v’1, v’2, …, v’n).

- Set of players P = {P1 , P2, … ,Pn}, dealer D (e.g., D = P1).

Round-Optimal and Efficient VSS —TCC’06

Sharing

Phase

…

vn

v1

v3

v2

Reconstruction

Phase

Less than t +1 players have no info’ about the secret

Secret s

Dealer

Round-Optimal and Efficient VSS —TCC’06

Sharing

Phase

vn

v1

v3

v2

t +1 players can reconstruct the secret

Secret s

Secret s

Dealer

…

Reconstruction

Phase

Players are assumed to give their shares honestly

Round-Optimal and Efficient VSS —TCC’06

- Extends secret sharing to the case of active corruptions
- (corrupted players, incl. Dealer, may not follow the protocol)
- Up to t corrupted players
- Adaptive adversary

- Reconstruction Phase
- Each player Pi reveals (some of) his private information v’i
- on which a reconstruction function is applied to obtain
- s’ = Rec(v’1, v’2, …, v’n).

Round-Optimal and Efficient VSS —TCC’06

- Privacy
- If D is honest, adversary has no Shannon information about s during the Sharing phase.

- Correctness
- If D is honest, the reconstructed value s’ = s.

- Commitment
- After Sharing phase, s’ is uniquely determined.

Round-Optimal and Efficient VSS —TCC’06

- Privacy
- If D is honest, adversary has no Shannon information about s during the Sharing phase.

- Correctness
- If D is honest, the reconstructed value s’ = s.

- Weak Commitment
- After Sharing phase, s’ is uniquely determined such that
- Rec(v’1, v’2, …, v’n) {, s’}.

Round-Optimal and Efficient VSS —TCC’06

- Synchronous, fully connected network of pair-wisesecure channels + broadcast channel.
- Round complexity:Number of communication rounds in the Sharing phase.
- Efficiency:Total computation and communication polynomial in n and size of the secret.

Round-Optimal and Efficient VSS —TCC’06

- Perfect VSS possible iff n > 3t [BGW88, DDWY90]
- Round complexity of VSS [GIKR01]
- n > 4t: Efficient 2-round protocol
- n > 3t: No 2-round protocol exists
Efficient 4-round protocol

Inefficient3-round protocol

Round-Optimal and Efficient VSS —TCC’06

- VSS:Efficient3-round protocol for n > 3t
- WSS:
- Efficient 3-round protocol for n > 3t — round optimal
- Efficient 1-round protocol for n > 4t

- (1+) amortized-round VSS protocol for n > 3t

Round-Optimal and Efficient VSS —TCC’06

- VSS:Efficient3-round protocol for n > 3t
- WSS:
- Efficient 3-round protocol for n > 3t — round optimal
- Efficient 1-round protocol for n > 4t

- (1+ ) amortized-round VSS protocol for n > 3t

Round-Optimal and Efficient VSS —TCC’06

Secret s

Dealer

Sharing

Phase

…

vn

v1

v3

v2

Reconstruction

Phase

Round-Optimal and Efficient VSS —TCC’06

Secret s’

Secret s

…

vn

v1

v3

v2

Reconstruction

Phase

Round-Optimal and Efficient VSS —TCC’06

F(j,i) + r

- Round 1:
- D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.
- Player Pi sends to Pj a random pad rij.

- Round 2:Pi broadcasts
- aij = fi(j) + rij
- bij = gi(j) + rji

Pj broadcasts

- aiji = fj(i) + rji
- bji = gj(i) + rij

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.
- Player Pi sends to Pj a random pad rij.

- Round 2:Pi broadcasts
- aij = fi(j) + rij
- bij = gi(j) + rji

- Round 3:For each aij≠bji
- Pi broadcasts fi(j)
- Pj broadcasts gj(i)
- D broadcasts F(j,i)

- A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D.

Pj broadcasts

- aij = fj(i) + rji
- bji = gj(i) + rij

Round-Optimal and Efficient VSS —TCC’06

- Every happy player Pi broadcasts fi(x) and gi(y).
- Local computation:
- Every player constructs a consistency graph G over the set of happy players: there exists an edge between Pi,Pj G iff fi(j) = gj(i) and gi(j) =fj(i).
- Every player constructs a set CORE as follows:
- Initially all nodes with degree at least n–t in G are in CORE.
- Players in CORE consistent with less than n–t players in CORE are removed.
- Repeat until no more players can be removed from CORE.

- Secret determined by the polynomial defined by any t+1 players from CORE. If |CORE| < n–t, the secret is .

Round-Optimal and Efficient VSS —TCC’06

- Privacy: (D is honest)
- D distributes consistent information any pair of honest players publish same mutual padded values.
- Randomness of pads leads to indistinguishability of adversary’s view under different secrets.

- Correctness: (D is honest)
- All honest players (at least n–t) are happy no disqualification of D in Sharing Phase.
- They all end up in CORE, thus the secret reconstructed is s.

Round-Optimal and Efficient VSS —TCC’06

- Weak Commitment:
- |CORE| < n – t: All honest players output .
- |CORE| n – t: All players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase:
- The n–2thonest happy players define a unique polynomial F’(x,y) (at the end of Sharing Phase).
- Every dishonest happy player in CORE is consistent with at least n–t players in CORE, of which n–2tt+1 are honest
every dishonest happy player in CORE is also consistent

with F’(x,y).

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.
- Player Pi sends to Pj a random pad rij.

- Round 2:Pibroadcasts
- aij = fi(j) + rij
- bij = gi(j) + rji

- Round 3:For each aij≠bji
- Pi broadcasts fi(j)
- Pj broadcasts gj(i)
- D broadcasts F(j,i)

- A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D.

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- Player Pi selects randomriand starts (n/3)-WSS onriusingFiW(x,y).

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y).

- Round 2:Pi broadcasts
- aij = fi(j) + FiW(0,j)
- bij = gi(j) + FjW(0,i)

- Concurrently, round 2 of (n/3)- WSSi
- takes place.

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y).

- Round 2:Pi broadcasts
- aij = fi(j) + FiW(0,j)
- bij = gi(j) + FjW(0,i)

- Round 3:For each aij≠bji
- Pi broadcasts fi(j)
- Pj broadcasts gj(i)
- D broadcasts F(j,i)

- Concurrently, round 2 of (n/3)-WSSi
- takes place.

- Concurrently, round 3 of (n/3)-WSSi
- takes place.

Round-Optimal and Efficient VSS —TCC’06

- Round 1:
- Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y).

- Round 2:Pi broadcasts
- aij = fi(j) + FiW(0,j)
- bij = gi(j) + FjW(0,i)

- Round 3:For each aij≠bji
- Pi broadcasts fi(j)
- Pj broadcasts gj(i)
- D broadcasts F(j,i)

- A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D.

- Concurrently, round 2 of (n/3)-WSSi
- takes place.

- Concurrently, round 3 of (n/3)-WSSi
- takes place.

Round-Optimal and Efficient VSS —TCC’06

- Local Computation:
- H = {happy players} – {players disqualified as WSS dealers}
- If |H| < n–t, disqualify D and stop.
- For Pi H, if |H ∩ HiW| < n–t, remove Pi from H.
- Call the final set COREsh. If |COREsh| < n–t disqualify D and stop.

- Properties of COREsh:
- If D is honest, then COREsh contains all honest players
D is not disqualified during the Sharing phase.

- Every player in COREsh is consistent with n–t players in COREsh At least t+1 honest players in COREsh (defining a unique polynomial FH(x,y)).

- If D is honest, then COREsh contains all honest players

Round-Optimal and Efficient VSS —TCC’06

- For each Pi COREsh, run Rec. phase of (n/3)-WSSi, concurrently.
- Local computation:
- CORErec := COREsh
- CORErec := CORErec – {Pi : (n/3)-WSSi }
- For each Pi COREreccompute
fi(j) = aij – FiW(0,j),1≤ j ≤ n

If fi(x) not a t-degree polynomial, remove Pi from CORErec.

- ObtainF’(x,y) by taking any t+1 polynomials fi(x)from CORErec;
s’ := F’(0,0).

Round-Optimal and Efficient VSS —TCC’06

- Properties of CORErec:
- At least n–2t ( t+1) honest players in COREsh
unique t-degree polynomial FH(x,y).

- Dishonest Pi in CORErec:
WSSi succeeded;

fi(j) lie on at-degree polynomial f’i(x) ;

F’iW(x,y)is … consistent with t+1 honest players in CORErec

f’i(x) is consistent with FH(x,y).

- At least n–2t ( t+1) honest players in COREsh
- Privacy:
- The only difference with WSS protocol is the pads.
- Prove that aij = fi(j) + FiW(0,j)does not reveal any info’ about fi(j).

Round-Optimal and Efficient VSS —TCC’06

- Say,m k-round sequential VSS protocols (e.g., MPC)
- Using “deferred commitment,”m+2 total rounds
- 1+ O(1/m) amortized-round VSS protocol
- Initial phase: Dealer(s) share random values r1, r2,…, rm using the given VSS protocol.
- Sharing Phaseof jth VSS protocol:
- Broadcast correction term cj = sj – rj

- Correction:(two ways)
- In Reconstruction Phase each player computes sj = cj + rj.
- At the end of Sharing Phase every player Pi computes
F*j(x,i) = Fj(x,i) + cj and F*j(i,y) = Fj(i,y) + cj

Round-Optimal and Efficient VSS —TCC’06

- VSS:Efficient3-round protocol for n > 3t
- WSS:
- Efficient 3-round protocol for n > 3t — round optimal
- Efficient 1-round protocol for n > 4t

- (1+) amortized-round VSS

Round-Optimal and Efficient VSS —TCC’06

Round-Optimal and EfficientVerifiable Secret Sharing

Matthias Fitzi (Aarhus University)

Juan Garay (Bell Labs)

Shyamnath Gollakota (IIT Madras)

C. Pandu Rangan (IIT Madras)

Kannan Srinathan (IIIT Hyderabad)

- Based on impossibility of 3-round Weak Secure Multicast:
- P = {P1 , P2, … ,Pn}; D P holds input m; multicast setM P.
- Privacy: If all players in M are honest, then adversary learns no information about m.
- Correctness: If D is honest, then all honest players in M output m.
- Weak Agreement:Even if D is dishonest, all honest players in M output a value in {m’, }.

- r-round WSS r-round WSM

Round-Optimal and Efficient VSS —TCC’06