
The Round Complexity of Verifiable Secret Sharing: The Statistical Case

The Round Complexity of Verifiable Secret Sharing: The Statistical Case. Ranjit Kumaresan (UMD), Arpita Patra, C. Pandu Rangan (IIT Madras). Verifiable Secret Sharing (VSS). Two-phase protocol


Presentation Transcript


  1. The Round Complexity of Verifiable Secret Sharing: The Statistical Case • Ranjit Kumaresan (UMD), Arpita Patra, C. Pandu Rangan (IIT Madras)

  2. Verifiable Secret Sharing (VSS) • Two-phase protocol • A dealer shares a secret among a set of n parties (t of which are malicious) in the sharing phase • The secret is recovered in a reconstruction phase

  3. Verifiable Secret Sharing (VSS) • Two-phase protocol • A dealer shares a secret among a set of n parties (t of which are malicious) in the sharing phase • The secret is recovered in a reconstruction phase • If the dealer is honest • No information about the secret is leaked in the sharing phase (Perfect Privacy) • All honest parties recover the dealer’s secret (Perfect Correctness)

  4. Verifiable Secret Sharing (VSS) • Even if the dealer is dishonest • The view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase (Perfect Commitment)

  5. Verifiable Secret Sharing (VSS) • Building block in honest majority MPC constructions • Critical Parameter: Round Complexity • Perfect VSS possible iff t < n/3 • What about t < n/2 ? • Relaxation: Statistical VSS

  6. Statistical Verifiable Secret Sharing • Relax any requirement of Perfect VSS to hold with all but negligible probability • Privacy • Correctness • Commitment • Improves round complexity even for t < n/3 [PCRR09] • Achievable for t < n/2 assuming broadcast channel [RB89, CDDHR99]

  7. Statistical VSS (in this work) • If the dealer is honest • No information about the secret is leaked in the sharing phase (Perfect Privacy) • All honest parties recover the dealer’s secret except with negl. prob. (Statistical Correctness) • Even if the dealer is dishonest • The view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase except with negl. prob. (Statistical Commitment)

  8. Prior Work On Round Complexity • Perfect VSS: Long line of work • BGW88, GIKR01, FGGRS06,… • 3 round sharing is optimal (with only one broadcast round [KKK08]) • Statistical VSS for t < n/3 • 2 round sharing is optimal [PCRR09] • Statistical VSS for t < n/2 • 3 round sharing is necessary [PCRR09] • What is the optimal round complexity?

  9. Best Known Prior Work

  10. Our Results • Settles the question of optimal round complexity of Statistical VSS for t < n/2 • For t < n/3, settled by [PCRR09]

  11. Organization of the talk • Building Block: Multi Verifier ICP • Definition & Properties

  12. Organization of the talk • Building Block: Multi Verifier ICP • Overview of 4 round efficient VSS protocol

  13. Organization of the talk • Building Block: Multi Verifier ICP • Overview of 4 round efficient VSS protocol • 3 round inefficient VSS protocol • Generalizing Multi Verifier ICP • Construction

  14. Multi verifier ICP: definition & Properties • ICP - Information Checking Protocol • Well known constructions by [Rab94, CDDHR99] • Used to get Statistical VSS for t < n/2 • 2 phase protocol run by D (with input s) and INT and every other player as verifier [PCR09] • Sh(D, INT, s): INT holds D’s signature σ_{D,INT}(s) on s • Rec(D, INT, s): INT reveals σ_{D,INT}(s), verifiers accept/reject

  15. Properties of Multi Verifier ICP • Honest D • w.h.p. σ_{D,INT}(s) revealed only as s • Honest INT • w.h.p. every verifier accepts σ_{D,INT}(s) • Adversary does not learn any information about s when D is honest • Round Complexity of construction [PCR09]: • Sh takes 3 rounds • Rec takes 2 rounds

  16. Efficient 4-Round Stat VSS Protocol • High level idea: • Build on [CDDHR99] (based on bivariate polys) • Use ICP to sign points on the polynomial • Adapt round efficient Multi Verifier ICP into [CDDHR99] • Construction Techniques: • Random pad sent to D • Enables D to cross-check and broadcast shares when necessary • Early reveals • Deal with overlapping Sh and corresponding Rec executions

  17. Using MVICP as a subprotocol • Both D and INT are corrupt • With D’s help, INT can reveal any value in Rec • “Weak” commitment until last round • In the last round of Sh, a corrupt D could arbitrarily change the secret • Say that D conflicts with INT • “Weak” reconstruction • Decision to accept a signature reveal is based on a voting mechanism

  18. Generalizing Multi Verifier ICP • Have multiple INTs which receive the same value • Let U represent the set of INTs • If U contains t players, then can we ask for more? • Specifically, want • All players in U to be committed to one reveal (say, v) at the end of SetSh(D, U, u) even when D is corrupt • u = v, for honest D • Adversary does not have any information about u at the end of sharing phase unless either D or some player in U is corrupt • Directly gives us VSS!

  19. Towards A 3-Round Protocol • SetSh(D, U, u): For each P_i in U: • Round 1: • D sends σ_{D,i}(u) to P_i • For random r_ij, P_i sends σ_{i,j}(r_ij) to each P_j in U • Round 2: P_i broadcasts a_ij = u + r_ij, b_ij = u + r_ji for all j • Round 3: • If a_ij ≠ b_ji, D broadcasts u • If P_i conflicts with P_j, then broadcast entire view (i.e., including MVICP polynomials associated with σ_{D,i}(u)) • If both P_i and P_j broadcast their entire view we call it a mutual conflict
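The round-2 pad check of SetSh, as an added simulation that is not part of the talk: the ICP signatures σ and the conflict/view broadcasts are left out, and the field modulus `P` and all function names are assumptions made for this sketch.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the slides do not fix a field)

def set_sh_rounds(values, U):
    """Simulate SetSh rounds 1-2 without signatures.

    values[i] is what D privately sent to P_i (an honest D sends the same u
    to everyone). Returns ((a, b), mismatches), where mismatches lists the
    ordered pairs (i, j) whose public broadcasts satisfy a_ij != b_ji.
    """
    # Round 1: P_i picks a fresh random pad r_ij for every other P_j in U.
    r = {(i, j): secrets.randbelow(P) for i in U for j in U if i != j}
    # Round 2: P_i broadcasts a_ij = u + r_ij (its own pad) and
    # b_ij = u + r_ji (the pad it received from P_j).
    a = {(i, j): (values[i] + r[(i, j)]) % P for (i, j) in r}
    b = {(i, j): (values[i] + r[(j, i)]) % P for (i, j) in r}
    # a_ij (from P_i) and b_ji (from P_j) use the same pad r_ij, so they
    # agree exactly when P_i and P_j hold the same value.
    mismatches = sorted(p for p in r if a[p] != b[(p[1], p[0])])
    return (a, b), mismatches

def round3_dealer_broadcast(mismatches, u):
    """Round 3, dealer side: D broadcasts u if any a_ij != b_ji, else nothing."""
    return u if mismatches else None

def explaining_pad(broadcast, candidate):
    """Pad under which `broadcast` would mask `candidate`.

    One exists for every candidate, which is why a broadcast alone says
    nothing about u while the pad stays secret.
    """
    return (broadcast - candidate) % P

if __name__ == "__main__":
    U = [1, 2, 3]                       # constructed set of intermediaries
    honest = {1: 42, 2: 42, 3: 42}      # honest D: same u for everyone
    cheating = {1: 42, 2: 42, 3: 7}     # corrupt D: P_3 gets a different value
    print(set_sh_rounds(honest, U)[1])    # no mismatching pairs
    print(set_sh_rounds(cheating, U)[1])  # every pair involving P_3
```

A mismatch only shows that two parties hold different values, not who is at fault; that is what the signatures and the round-3 view broadcasts on the slide are for.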

  20. Towards A 3-Round Protocol • SetRec(D, U, u) • If D broadcasted u, then output u and terminate • If no mutual conflict, then ask players to • Reveal signatures • Prove consistency with their broadcasts • If any player passes the tests above, accept his value of u and terminate reconstruction • Dealing with mutual conflicts is tricky…

  21. Dealing with Dishonest Verifiers • Dishonest external verifiers could either • Vote for corrupt party’s reveal • Two successful reveals on different secrets! • Abort • Only one successful reveal • Technique: Share Verification Info via SetSh! • Non-mutually conflicting executions are good • Require mutually conflicting reveals to pass all good verification points

  22. 3-Round Construction: High Level • Sharing: For all t-sized U: • SetSh(D, U, u) • For all t-sized V: SetSh(D, V, ver_V(u)) (verification info for u held by V) • Reconstruction: For all t-sized U: • If no mutual conflict, execute SetRec(D, U, u) • Else, reconstruct check points from non-mutually conflicting SetSh(D, V, ver_V(u)) • Flip Side: • Exponential communication complexity • MVICP poly F used in SetSh is of degree O(2 t) • Need to increase field size for security

  23. Recap • 4-round sharing 2-round reconstruction efficient statistical VSS protocol • 3-round sharing 2-round reconstruction inefficient statistical VSS protocol • Open: 3-round efficient protocol?

  24. Thank You!
