
Asynchronous Verifiable Secret Sharing



Presentation Transcript


  1. Asynchronous Verifiable Secret Sharing Presented by Michael Sirivianos 04/22/04

  2. What is Secret Sharing? • In many applications the dealer does not trust just one secret holder. • To counter this, he shares the secret among n > k > 0 shareholders • Shareholders do not trust dealer either. To prevent him from distributing inconsistent shares they need share verification • Previous works able to provide unconditional verification, but required interaction.

  3. Non-Interactive Shannon Secure VSS [Pedersen 91] • Only the dealer is allowed to send messages. • Assumes Reliable Broadcast. • Verification information and k-1 shares do not provide any information. Secrecy. • However, the dealer can distribute inconsistent shares if he could solve the DL problem.

  4. Non-Interactive Shannon Secure VSS [Pedersen 91] • It is shown that this is inevitable in non-interactive schemes where no information is revealed. • Combines Shamir’s SS scheme with an unconditionally secure commitment scheme.

  5. Setting • p, q large primes s.t. q | p-1, Gq is the unique subgroup of Zp* of order q and g is Gq's generator. • For any g ≠ 1 ∈ Gq that generates the group, the DL_g(a) is assumed computationally hard. • The dealer randomly picks secret s ∈ Zq

  6. Setting (2) • Chooses F ∈ Zq[x] of degree at most k-1 s.t. F(0) = s, and distributes F(i)'s for i = 1, …, n to the n shareholders. • Chooses G ∈ Zq[x] of degree at most k-1 s.t. G(0) = t, and uses the G_i's and F_i's for commitments.

  7. Commitment Scheme • The dealer reliably broadcasts information about the shares to the shareholders. • Shareholders use the commitments to verify that their shares are consistent. • In [Pedersen 91] the commitment to a secret share is computed as E(s, t) = g^s h^t, where h ∈ Gq is Gq's generator and nobody knows DL_g(h).

  8. Commitment Scheme (2) • Dealer broadcasts E_i = g^{F_i} h^{G_i} for i = 0, 1, …, k-1 • If the dealer could find s ≠ s' ∈ Zq and t ≠ t' ∈ Zq s.t. E(s, t) = E(s', t'), then he could compute

  9. Shamir Secret Sharing • Based on polynomial interpolation. A polynomial y = f(x) of degree k-1 is uniquely defined by k (x, y) pairs.

  10. Shamir Secret Sharing • k shareholders can find F(x).

  11. Verification • When a shareholder receives his share and the commitments E_i = E(F_i, G_i), he verifies that:

  12. Inconsistent shares • Theorem: Under the DL assumption, it is computationally hard to distribute inconsistent shares

  13. Inconsistent shares (2) • Proof: Assume the dealer managed to distribute inconsistent shares. • Let F(x) s.t. F(i) = s_i and G(x) s.t. G(i) = t_i for i = 1, 2, …, k • Let i = k + 1 • If i > n then stop. Shares consistent. • If F(i) = s_i, then i = i + 1 and repeat step 4, otherwise return S = {1, 2, …, k} and S' = {1, 2, …, k-1, i} • She can find F(x) ≠ F'(x) and G(x) ≠ G'(x), thus s ≠ s' and t ≠ t'. She can compute DL_g(h). QED

  14. Shannon Secrecy • Let view_S = (E_0, E_1, …, E_{k-1}, (s_i, t_i)_{i ∈ S}) • Theorem: For any S ⊂ {1, …, n} s.t. |S| ≤ k-1 and any view_S and ∀ s ∈ Zq and D ∈ S

  15. Shannon Secrecy (2) • Proof: • E_1, …, E_{k-1} can be reconstructed from the (s_i, t_i)'s and E_0 • Interpolation with k-1 (F(i), G(i)) pairs reveals no information about F(x), G(x).

  16. Linear Combinations • Let s' and s'' be two distributed shares. • Let (s_i', t_i') and (s_i'', t_i'') be the ith shareholder's shares. • Let s_i = s_i' + s_i'' and t_i = t_i' + t_i'' • Let (E_0', …, E_{k-1}') and (E_0'', …, E_{k-1}'') be the broadcast commitments • Then the commitments for s = s' + s'' mod q and t = t' + t'' mod q are E_i = E_i' E_i'' for i = 0, 1, …, k-1 and
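A toy implementation of the Pedersen VSS of slides 5 to 11 and of the linear combination of slide 16, added here as an example and not part of the presentation: the dealer commits to the coefficients of F and G, each shareholder checks its share against the broadcast commitments with Pedersen's verification equation E(s_i, t_i) = Π_j E_j^(i^j) (the formula the transcript omits on slide 11), and commitments of two sharings multiply into commitments of the sum. The group parameters (p = 23, q = 11), the seeded randomness and the function names are constructed for illustration; at this size the DL is trivial, so only the mechanics are demonstrated.

```python
import random

# Toy parameters (constructed, insecure): q | p-1 and Gq is the order-11 subgroup of Z_23^*.
P, Q = 23, 11
G, H = 4, 9          # both generate Gq; in a real deployment nobody may know log_G(H)

def poly_eval(coeffs, x):
    """Evaluate sum_j coeffs[j] * x^j over Z_q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def commit(s, t):
    """Pedersen commitment E(s, t) = g^s h^t mod p."""
    return pow(G, s, P) * pow(H, t, P) % P

def deal(secret, n, k, rng):
    """Dealer: F and G' in Z_q[x] of degree <= k-1 with F(0) = secret, G'(0) = t random.
    Broadcasts E_j = E(F_j, G'_j) for every coefficient and sends (F(i), G'(i)) to P_i."""
    F = [secret % Q] + [rng.randrange(Q) for _ in range(k - 1)]
    Gp = [rng.randrange(Q) for _ in range(k)]
    commitments = [commit(F[j], Gp[j]) for j in range(k)]
    shares = {i: (poly_eval(F, i), poly_eval(Gp, i)) for i in range(1, n + 1)}
    return commitments, shares

def verify_share(commitments, i, si, ti):
    """Shareholder P_i checks E(s_i, t_i) == prod_j E_j^(i^j) mod p, Pedersen's test."""
    rhs = 1
    for j, Ej in enumerate(commitments):
        rhs = rhs * pow(Ej, pow(i, j, Q), P) % P
    return commit(si, ti) == rhs

def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_q from k distinct (i, s_i) pairs."""
    secret = 0
    for i, si in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num, den = num * (-j) % Q, den * (i - j) % Q
        secret = (secret + si * num * pow(den, -1, Q)) % Q
    return secret

def demo(secret=7, n=5, k=3, seed=1):
    """Honest dealing verifies, a tampered share for P_3 is caught, k shares recover s."""
    E, shares = deal(secret, n, k, random.Random(seed))
    all_valid = all(verify_share(E, i, *shares[i]) for i in shares)
    s3, t3 = shares[3]                        # dealer hands P_3 an inconsistent share
    caught = not verify_share(E, 3, (s3 + 1) % Q, t3)
    recovered = reconstruct([(i, s) for i, (s, _) in list(shares.items())[:k]])
    return all_valid, caught, recovered == secret
```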

  17. Anonymous Secret Sharing • Let P_1, …, P_n be n participants that wish to choose and distribute a secret among themselves. Each P_i can digitally sign. Each P_i executes: • Choose random (s_{i0} = F_{i0}, t_{i0} = G_{i0}) ∈ Zq². • Randomly choose:

  18. Anonymous Secret Sharing • Broadcast E_{ij} = E(F_{ij}, G_{ij}) for j = 0 to k-1 and send signed (F_i(j), G_i(j)) to P_j for j = 1 to n. • Verify all received shares. • Compute the share (s_i, t_i) of s = Σ_{j=1}^n s_{j0} as s_i = Σ_{j=1}^n s_{ji}, t_i = Σ_{j=1}^n t_{ji} • Compute commitments E_j = Π_{z=1}^n E_{zj} for j = 0, …, k-1

  19. Asynchronous Environment? • It is trivial to implement a proactive variation of the Pedersen VSS. • What if synchrony is not provided? • How can we know that all shareholders are simultaneously holding consistent shares? • Can we ensure that they simultaneously combine shares to derive the secret? • What if message delays cross phase time boundaries?

  20. Non Reliable Broadcast? • What if commitments are not reliably broadcast? The dealer could trivially distribute inconsistent shares. • A.k.a. "Asynchronous Byzantine Agreement", Bracha [PODC'84]. A protocol for reliable broadcast satisfies: • If the sender is honest, then all other honest receivers accept the message. • If a sender P is malicious, then either all the honest receivers accept the same message, or none of them will accept the message from P.

  21. Bracha's Asynchronous Reliable Broadcast • Tolerates t < n/3 Byzantine faults. • Message types: INITIAL, ECHO, and READY • Step 0 (only by the sender). Send (initial, m) to all, for some m • Step 1. Wait till receiving one (initial, m). Send (echo, m) to all • Step 2. Wait till receiving more than (n+t)/2 (echo, m) or t+1 (ready, m). Send (ready, m) to all • Step 3. Wait till receiving 2t + 1 (ready, m). Accept m

  22. Correctness • If two correct processes P_i and P_i' send ready(m) and ready(m') then m = m'. (Consistency) • Proof: By contradiction. Assume m ≠ m'. • P_i can send a ready(m) if it receives at least ⌈(n+t+1)/2⌉ echo(m) msgs or at least t+1 ready(m) from other processes. • Thus another correct process P_i'' (maybe P_i'' = P_i) must have received at least ⌈(n+t+1)/2⌉ echo(m) msgs, at least ⌈(n-t+1)/2⌉ echo(m) of them from correct processes. • Similarly a correct process P_i''' (maybe P_i''' = P_i') must have received at least ⌈(n+t+1)/2⌉ echo(m') msgs, at least ⌈(n-t+1)/2⌉ echo(m') of them from correct processes. • Since we don't have (n-t+1) correct processes, at least one correct process must have sent both echo(m) and echo(m'). Q.E.D.

  23. Correctness • If two correct processes P_i and P_i' accept m and m' then m = m'. (Agreement) • Proof: • For P_i to accept m it must have seen 2t + 1 ready(m) messages, thus at least t + 1 ready(m) from correct processes. • Similarly at least t + 1 ready(m') must be seen by P_i' • From the previous result, m = m'

  24. Correctness • If a correct process P_i accepts m, then every other correct process will eventually accept m. (Agreement) • Proof: • P_i must have received 2t + 1 ready(m) messages, thus at least t + 1 ready(m) from correct processes. • Every other correct process receives these t + 1 ready(m), thus sends its own ready(m) • Thus, at least n - t correct processes will send ready(m). • Since n > 3t, n - t ≥ 2t + 1, thus eventually every correct process will receive at least 2t + 1 ready(m) messages and accept.

  25. Correctness • If the sender P_i is correct and sends m, then every other correct process will accept m. • Proof: • Every correct process will receive initial(m) and send echo(m) • Every correct process will receive n - t > (n+t)/2 echo(m) from the correct processes and possibly t < (n+t)/2 different messages from malicious ones. • Thus, every correct process will send a ready(m) message. • Thus, every correct process will receive at least n - t ≥ 2t + 1 ready(m) and will accept.
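A small simulator for the protocol of slide 21, added as an example and not taken from the presentation: the adversary picks the delivery order of every message, a faulty sender may hand different values to different processes, and faulty non-senders repeat every value they see as both echo and ready. The `agreement_holds` check is the property proved on slides 22 to 24; process numbering (sender = 0), the faulty behaviour modelled and the function names are assumptions made here.

```python
import random
from collections import defaultdict

def bracha_broadcast(n, t, initial, faulty=frozenset(), seed=0):
    """Simulate Bracha's reliable broadcast with process 0 as sender under an adversarial
    scheduler. initial[p] is the value the sender gives process p (one value for an honest
    sender; a faulty sender may equivocate). Faulty non-sender processes forward every value
    they see as both echo and ready. Returns {honest process: accepted value or None}."""
    rng = random.Random(seed)
    echo_thresh = (n + t) // 2 + 1                    # strictly more than (n+t)/2 echo(m)
    seen = defaultdict(lambda: defaultdict(set))      # seen[p][(kind, m)] -> set of senders
    echoed, readied, accepted, faulty_sent = {}, {}, {}, set()
    pending = [(p, 0, ("initial", initial[p])) for p in range(n)]   # (dst, src, msg)

    def send_all(src, msg):
        pending.extend((dst, src, msg) for dst in range(n))

    while pending:
        dst, src, (kind, m) = pending.pop(rng.randrange(len(pending)))  # adversary orders delivery
        if dst in faulty:
            for kind2 in ("echo", "ready"):
                if (dst, kind2, m) not in faulty_sent:
                    faulty_sent.add((dst, kind2, m))
                    send_all(dst, (kind2, m))
            continue
        seen[dst][(kind, m)].add(src)                 # duplicates from one sender count once
        if kind == "initial" and src == 0 and dst not in echoed:        # step 1
            echoed[dst] = m
            send_all(dst, ("echo", m))
        n_echo, n_ready = len(seen[dst][("echo", m)]), len(seen[dst][("ready", m)])
        if dst not in readied and (n_echo >= echo_thresh or n_ready >= t + 1):   # step 2
            readied[dst] = m
            send_all(dst, ("ready", m))
        if dst not in accepted and n_ready >= 2 * t + 1:                # step 3
            accepted[dst] = m
    return {p: accepted.get(p) for p in range(n) if p not in faulty}

def agreement_holds(result):
    """Slides 22-24: honest processes accept the same value, or none of them accept."""
    return len(set(result.values())) == 1
```

With n = 4 and t = 1 an equivocating sender that gives "a" to two processes and "b" to the other two never gets "a" accepted: only two echo(a) can exist, below the threshold of 3.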

  26. Asynchronous VSS [CKLS 02] • Verifiable Secret Sharing for asynchronous networks with computational security. • (n, k, t) dual-threshold sharing, n - 2t ≥ k > t: • n servers holding shares of the secret • up to t may be corrupted by the adversary • any k of them can reconstruct the secret. • Dealer creates a 2-dimensional polynomial sharing • Servers exchange 2 asynchronous rounds of msgs to reach agreement on the success of the sharing.

  27. Adversarial model • Every pair of servers is linked with async. channel, which provides privacy and authenticity. • Message scheduling is determined by adversary: • She can arbitrarily delay a message between honest servers. Models asynchrony. • Adversary can take complete control of up to t servers. • Obtain its state/msgs received so far. • Send msgs for him.

  28. Asynchronous VSS • AVSS definition same as in sync. network, except we need to ensure all servers agree valid sharing has taken place. • Provided adversary initializes all honest servers on a protocol instance and delivers all messages, an AVSS dual-threshold protocol satisfies the following conditions for a t-limited adversary.

  29. AVSS conditions • Liveness: • If the dealer is honest, then all honest servers complete the sharing, except with negl. prob. • Agreement: • If some honest server completes the sharing, then all honest servers complete the sharing. • If all honest servers start the reconstruction then every honest server P_i reconstructs some z_i, except with negl. prob.

  30. AVSS conditions • Correctness: Once k honest servers have completed the sharing, ∃ z ∈ Zq s.t. the following hold except with negl. prob. • If the dealer has shared s and is honest during sharing, then z = s. • If an honest server reconstructs z_i, then z_i = z • Privacy: • If an honest dealer has shared s and fewer than k - t honest servers have started reconstruction, the adversary knows nothing about s.

  31. AVSS Share Distribution • Dealer chooses a random bivariate polynomial f ∈ Zq[x, y] of degree at most k-1 with f(0, 0) = s. f(x, y) = Σ_{j,l=0}^{k-1} f_{jl} x^j y^l • Commits using a random f' ∈ Zq[x, y] to compute

  32. AVSS Share Distribution (2) • Dealer sends to every server P_i an initial message: • the matrix C • 2 share polynomials a_i(y) = f(i, y) and a'_i(y) = f'(i, y) • 2 sub-share polynomials b_i(x) = f(x, i) and b'_i(x) = f'(x, i) • Upon initial reception, any server P_i verifies the polynomials and sends an echo message to every server P_j: • the matrix C • The values a_i(j) = f(i, j) and a'_i(j) = f'(i, j). • The values b_i(j) = f(j, i) and b'_i(j) = f'(j, i) • Note: b_j(i) = a_i(j), etc.

  33. AVSS Share Distribution (3) • Receivers of k ≥ ⌈(n+t+1)/2⌉ echo msgs which agree on C and whose points are verified against C: • Interpolate polynomials a_i(y), a'_i(y), b_i(x), b'_i(x) • e.g. server P_i interpolates a_i(y) = f(i, y) using the b_j(i)'s from k servers P_j, and b_i(x) = f(x, i) using the a_j(i)'s from k servers P_j. • If the dealer is honest and the broadcast is correct, the interpolated polynomials are the same.

  34. AVSS Share Distr. (4) • P_i's send ready messages to every server P_j: • the matrix C • The values a_i(j), a'_i(j), b_i(j), b'_i(j) from the interpolated polynomials • Receivers of ready msgs check if C and the points are valid using verify-points. • If a server receives k (not t+1) valid ready but not k valid echo messages, it interpolates the polynomials from the ready messages and sends its own ready message.

  35. AVSS Share Distr. (5) • Once a server receives k + t valid ready messages, it completes the sharing. • Its share is (s_i, s'_i) = (a_i(0), a'_i(0)) • This 2-round protocol ensures that servers received the correct polynomial, thus share and commitments from the dealer. Reliable Broadcast. • O(n²) message complexity, O(kn⁴) comm. complexity and optimal n > 3t resilience.

  36. AVSS Reconstruction • Every server P_i reveals (s_i, s'_i) to every other. Waits for k shares from other servers that are consistent with C. • Receivers verify-share the shares they receive w.r.t. C. • Since it has k points of f(x, 0) it can reconstruct it and obtain f(0, 0). • This 2-round protocol ensures that servers receive the same a(y) polynomial, thus consistent shares. • Reliable Broadcast. O(n²) message complexity, O(kn⁴) comm. complexity and optimal n > 3t resilience.

  37. AVSS Verification • Verify-polynomial(C, i, a(y), a'(y), b(x), b'(x)) • True if for all l ∈ [0, k-1] • And if for all j ∈ [0, k-1]

  38. AVSS Verification • Verify-points(C, i, m, a, a', b, b') • P_i verifies that the given points from P_m correspond to f(m, i), f'(m, i), f(i, m), f'(i, m). • True iff: • And iff:

  39. AVSS Verification • Verify-share(C, m, s, s') • Verifies that (s, s') is a valid share of P_m • True iff:
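The verify-points check of slide 38 over the bivariate commitment matrix C of slides 31 and 32, written here as an added illustration (not the CKLS implementation): with C_jl = g^{f_jl} h^{f'_jl}, the points that P_m puts in its echo to P_i can be checked against C at (m, i) and (i, m), so a server that was handed a corrupted polynomial by a dishonest dealer produces echo points that honest servers reject. The group parameters (p = 23, q = 11), the (n, k, t) = (4, 2, 1) instance, the seeded polynomials and the function names are constructed for this example; since the transcript omits the formulas, the verification equation used is the natural opening of this commitment and is an assumption.

```python
import random

# Toy parameters (constructed, insecure): Gq is the order-11 subgroup of Z_23^*, g = 4, h = 9.
P, Q, G, H = 23, 11, 4, 9

def commit(a, b):                      # Pedersen commitment g^a h^b mod p
    return pow(G, a, P) * pow(H, b, P) % P

def bivar(coef, x, y):                 # sum_{j,l} coef[j][l] x^j y^l over Z_q
    return sum(c * pow(x, j, Q) * pow(y, l, Q) for j, r in enumerate(coef) for l, c in enumerate(r)) % Q

def deal(secret, n, k, rng):
    """Dealer: random bivariate f, f' of degree < k in x and y with f(0,0) = secret. Returns the
    commitment matrix C_jl = g^f_jl h^f'_jl and, per server i, the value tables of a_i(y) = f(i,y),
    a'_i(y), b_i(x) = f(x,i), b'_i(x) at the points 1..n."""
    f = [[rng.randrange(Q) for _ in range(k)] for _ in range(k)]
    fp = [[rng.randrange(Q) for _ in range(k)] for _ in range(k)]
    f[0][0] = secret % Q
    C = [[commit(f[j][l], fp[j][l]) for l in range(k)] for j in range(k)]
    pts = range(1, n + 1)
    shares = {i: ([bivar(f, i, y) for y in pts], [bivar(fp, i, y) for y in pts],
                  [bivar(f, x, i) for x in pts], [bivar(fp, x, i) for x in pts]) for i in pts}
    return C, shares

def committed_value(C, x, y):
    """prod_{j,l} C_jl^(x^j y^l) = g^f(x,y) h^f'(x,y): what C asserts about the point (x, y)."""
    r = 1
    for j, row in enumerate(C):
        for l, Cjl in enumerate(row):
            r = r * pow(Cjl, pow(x, j, Q) * pow(y, l, Q) % Q, P) % P
    return r

def echo_points(share, j):             # a_i(j), a'_i(j), b_i(j), b'_i(j) that P_i sends to P_j
    return tuple(t[j - 1] for t in share)

def verify_points(C, i, m, a, ap, b, bp):
    """verify-points: P_i checks that P_m's points open C at (m, i) and at (i, m)."""
    return commit(a, ap) == committed_value(C, m, i) and commit(b, bp) == committed_value(C, i, m)

def demo(secret=5, n=4, k=2, seed=3):
    C, shares = deal(secret, n, k, random.Random(seed))
    # Honest dealer: every echo verifies and P_m's a_m(i) equals P_i's own b_i(m) = f(m, i).
    honest = all(verify_points(C, i, m, *echo_points(shares[m], i))
                 and echo_points(shares[m], i)[0] == shares[i][2][m - 1]
                 for i in shares for m in shares)
    # Dishonest dealer: P_2's a_2 table is altered at y = 3, so P_3 rejects P_2's echo.
    bad = [list(t) for t in shares[2]]; bad[0][2] = (bad[0][2] + 1) % Q
    caught = not verify_points(C, 3, 2, *echo_points(bad, 3))
    return honest, caught
```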

  40. AVSS Proofs • Prove liveness, agreement, correctness, privacy and efficiency. • Lemma: As in Bracha's, if an honest server P_i sends a ready message containing C_i and a distinct honest server P_j sends a ready message containing C_j, then C_i = C_j

  41. AVSS Proofs • Liveness: • From protocol itself. If dealer is honest, then all honest servers complete the sharing provided they initialize the protocol and the adversary delivers all messages

  42. AVSS Proofs • Agreement: • If some honest server completes the sharing, then all honest servers complete the sharing. • Proof: • If an honest server has completed the sharing, it has received k + t valid ready messages that agree on some C. • At least k of them have been sent by honest servers. • A valid echo or ready message satisfies verify-points, and by definition honest servers send only valid ready messages. • Since an honest server sends its ready message to all servers, every honest server receives at least k valid ready messages with the same C by Lemma 2 and sends a ready message containing C. • Hence, by the assumption of the theorem, any honest server receives at least n - t ≥ k + t valid ready messages and completes the sharing.

  43. AVSS Proofs • Agreement: • If all honest servers start the reconstruction then every honest server P_i reconstructs some z_i, except with negl. prob. • Proof: • From the Lemma, every honest server P_i computes the same C. • P_i received enough valid echo or ready messages w.r.t. C, so that it computes valid ready messages and a valid share w.r.t. C. • Thus, if all honest servers subsequently start the reconstruction stage, then every server receives enough valid shares to reconstruct some value.

  44. AVSS Conceptually. • Reliably broadcasts the commitments, C. • If the dealer is dishonest and gave a server different C and polynomials, which verify, the server is able to obtain correct C and polynomials (his share) from the k valid echo msgs. • Dealer distributes consistent shares (C, poly) even if up to t servers are corrupted. • In Pedersen’s the dealer cannot distribute different C, and he cannot distribute inconsistent shares under the DL assumption.

  45. AVSS Summary • (+) No synchronous interaction is required • (-) O(n²) messages. • (-) Message size is O(kn²), dominated by C • Possible to reduce the message size by a factor of n relying on a collision-resistant H. • Extension of the proposed model to proactive cryptosystems to protect the system against a mobile adversary.

  46. Thank you
