Round-Optimal and Efficient Verifiable Secret Sharing

Round-Optimal and Efficient Verifiable Secret Sharing Matthias Fitzi (Aarhus University) Juan Garay (Bell Labs) Shyamnath Gollakota (IIT Madras) C. Pandu Rangan (IIT Madras) Kannan Srinathan (IIIT Hyderabad)


Transcript of Round-Optimal and Efficient Verifiable Secret Sharing

Page 1: Round-Optimal and  Efficient Verifiable Secret Sharing

Round-Optimal and Efficient Verifiable Secret Sharing

Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)

Page 2: Round-Optimal and  Efficient Verifiable Secret Sharing

Round-Optimal and Efficient VSS —TCC’06 2

Secret Sharing Protocols [Sha79, Bla79]

Set of players P = {P1, P2, …, Pn}, dealer D (e.g., D = P1).

Two phases:

– Sharing phase: D initially holds s and each player Pi finally holds some private information vi.

– Reconstruction phase: each player Pi reveals (some of) his private information v’i, on which a reconstruction function is applied to obtain s = Rec(v’1, v’2, …, v’n).

Page 3: Round-Optimal and  Efficient Verifiable Secret Sharing


Secret Sharing (cont’d)

[Figure: Sharing Phase. The Dealer holding secret s distributes shares v1, v2, v3, …, vn to the players. Fewer than t+1 players have no information about the secret.]

Page 4: Round-Optimal and  Efficient Verifiable Secret Sharing


Secret Sharing (cont’d)

[Figure: Sharing Phase followed by Reconstruction Phase. The shares v1, v2, v3, …, vn are revealed and t+1 players can reconstruct the secret s. Players are assumed to give their shares honestly.]

Page 5: Round-Optimal and  Efficient Verifiable Secret Sharing


Verifiable Secret Sharing (VSS) [CGMA85]

Extends secret sharing to the case of active corruptions (corrupted players, incl. the Dealer, may not follow the protocol). Up to t corrupted players. Adaptive adversary.

Reconstruction Phase: each player Pi reveals (some of) his private information v’i, on which a reconstruction function is applied to obtain s’ = Rec(v’1, v’2, …, v’n).

Page 6: Round-Optimal and  Efficient Verifiable Secret Sharing


VSS Requirements

Privacy – If D is honest, the adversary has no Shannon information about s during the Sharing phase.

Correctness – If D is honest, the reconstructed value s’ = s.

Commitment – After the Sharing phase, s’ is uniquely determined.

Page 7: Round-Optimal and  Efficient Verifiable Secret Sharing


Weak VSS (WSS) [RB89]

Privacy – If D is honest, the adversary has no Shannon information about s during the Sharing phase.

Correctness – If D is honest, the reconstructed value s’ = s.

Weak Commitment – After the Sharing phase, s’ is uniquely determined such that Rec(v’1, v’2, …, v’n) ∈ {⊥, s’}.

Page 8: Round-Optimal and  Efficient Verifiable Secret Sharing


Communication Model and Round Complexity

Synchronous, fully connected network of pair-wise secure channels + broadcast channel.

Round complexity: Number of communication rounds in the Sharing phase.

Efficiency: Total computation and communication polynomial in n and size of the secret.

Page 9: Round-Optimal and  Efficient Verifiable Secret Sharing


Prior (Relevant) Work

Perfect VSS possible iff n > 3t [BGW88, DDWY90].

Round complexity of VSS [GIKR01]:

– n > 4t: Efficient 2-round protocol

– n > 3t: No 2-round protocol exists; efficient 4-round protocol; inefficient 3-round protocol

Page 10: Round-Optimal and  Efficient Verifiable Secret Sharing


Our Contributions

VSS: Efficient 3-round protocol for n > 3t.

WSS:

– Efficient 3-round protocol for n > 3t — round optimal

– Efficient 1-round protocol for n > 4t

(1+ε) amortized-round VSS protocol for n > 3t


Page 12: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS

[Figure: Sharing Phase. The Dealer holding secret s distributes v1, v2, v3, …, vn to the players, followed by the Reconstruction Phase.]

Page 13: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS

[Figure: Reconstruction Phase. From the revealed v1, v2, v3, …, vn the players reconstruct a secret s’.]


Page 15: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS — Sharing Phase

Round 1:

– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.

– Player Pi sends to Pj a random pad rij.

Round 2: Pi broadcasts

– aij = fi(j) + rij

– bij = gi(j) + rji

Correspondingly, Pj broadcasts aji = fj(i) + rji and bji = gj(i) + rij. Since fi(j) = F(j,i) = gj(i), an honest pair satisfies aij = bji = F(j,i) + rij.

Round 3: For each aij ≠ bji

– Pi broadcasts fi(j)

– Pj broadcasts gj(i)

– D broadcasts F(j,i)

A player is said to be unhappy if his value does not match D’s value. If the number of unhappy players > t, disqualify D.

Page 16: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS — Reconstruction Phase

Every happy player Pi broadcasts fi(x) and gi(y). Local computation:

– Every player constructs a consistency graph G over the set of happy players: there exists an edge between Pi, Pj ∈ G iff fi(j) = gj(i) and gi(j) = fj(i).

– Every player constructs a set CORE as follows:

• Initially all nodes with degree at least n–t in G are in CORE.

• Players in CORE consistent with fewer than n–t players in CORE are removed.

• Repeat until no more players can be removed from CORE.

The secret is determined by the polynomial defined by any t+1 players from CORE. If |CORE| < n–t, the secret is ⊥.
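The sharing phase of the previous slide and the reconstruction phase above, as an added example that is not part of the talk or the paper: a Python simulation of the 3-round (n/3)-WSS over a prime field with n = 7 and t = 2. Shares fi(x), gi(y) are kept as value tables F(j,i), F(i,j) for j = 0..n rather than as coefficient vectors, the field modulus and seed are constructed, the `liars` and `misdealt` parameters (players who publish a shifted fi in reconstruction, and players to whom a cheating dealer sends shares of a second polynomial) are my constructions, and letting a node count itself when its degree in the consistency graph is measured is my reading of the slide, not a detail it states.

```python
import random

P = 2**61 - 1  # constructed field modulus; the protocol only needs a field larger than n


def rand_bivariate(t, secret, rng):
    """Random F(x,y) = sum c[a][b] x^a y^b, degree t in each variable, with F(0,0) = secret."""
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = secret % P
    return c


def bi_eval(c, x, y):
    """Evaluate the bivariate polynomial with coefficient table c at (x, y) over GF(P)."""
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P


def lagrange_at_zero(points):
    """Value at 0 of the unique polynomial through the points [(x_i, y_i)] (Lagrange interpolation)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def run_wss(n, t, secret, liars=frozenset(), misdealt=frozenset(), seed=1):
    """Simulate the 3-round (n/3)-WSS sharing phase and its reconstruction phase.

    liars    : players who publish a wrong f_i in the reconstruction phase (constructed deviation).
    misdealt : players to whom a cheating dealer sends shares of a different polynomial F2.
    Returns (secret_or_None, CORE); None stands for the output ⊥.
    """
    rng = random.Random(seed)
    F = rand_bivariate(t, secret, rng)
    F2 = rand_bivariate(t, rng.randrange(P), rng)   # used only by a cheating dealer
    players = range(1, n + 1)
    # Round 1 (D -> P_i): f_i(x) = F(x,i) and g_i(y) = F(i,y), as value tables over 0..n
    f = {i: {j: bi_eval(F2 if i in misdealt else F, j, i) for j in range(n + 1)} for i in players}
    g = {i: {j: bi_eval(F2 if i in misdealt else F, i, j) for j in range(n + 1)} for i in players}
    # Round 1 (P_i -> P_j): random pads r_ij
    r = {(i, j): rng.randrange(P) for i in players for j in players}
    # Round 2: P_i broadcasts a_ij = f_i(j) + r_ij and b_ij = g_i(j) + r_ji
    a = {(i, j): (f[i][j] + r[i, j]) % P for i in players for j in players}
    b = {(i, j): (g[i][j] + r[j, i]) % P for i in players for j in players}
    # Round 3: for each a_ij != b_ji, P_i opens f_i(j), P_j opens g_j(i), D opens F(j,i);
    # a player whose opened value differs from D's is unhappy (D is modelled as opening F).
    unhappy = set()
    for i in players:
        for j in players:
            if a[i, j] != b[j, i]:
                if f[i][j] != bi_eval(F, j, i):
                    unhappy.add(i)
                if g[j][i] != bi_eval(F, j, i):
                    unhappy.add(j)
    if len(unhappy) > t:
        return None, set()                           # D disqualified: output ⊥
    happy = set(players) - unhappy
    # Reconstruction: happy players broadcast f_i, g_i; liars publish a shifted f_i
    pub_f = {i: {j: (v + 1) % P if i in liars else v for j, v in f[i].items()} for i in happy}

    def consistent(i, j):
        return pub_f[i][j] == g[j][i] and g[i][j] == pub_f[j][i]

    # Consistency graph G over happy players; a node counts itself in its degree (assumption)
    adj = {i: {j for j in happy if consistent(i, j)} for i in happy}
    core = {i for i in happy if len(adj[i]) >= n - t}
    while True:                                      # prune until CORE is stable
        drop = {i for i in core if len(adj[i] & core) < n - t}
        if not drop:
            break
        core -= drop
    if len(core) < n - t:
        return None, core                            # output ⊥
    chosen = sorted(core)[:t + 1]
    # Any t+1 players of CORE fix F(0,y) through the points (i, f_i(0)); its value at y=0 is s
    return lagrange_at_zero([(i, pub_f[i][0]) for i in chosen]), core


if __name__ == "__main__":
    print(run_wss(7, 2, 12345))                        # honest run: (12345, {1..7})
    print(run_wss(7, 2, 12345, liars={6, 7}))          # liars fall out of CORE, s still recovered
    print(run_wss(7, 2, 12345, misdealt={5, 6, 7}))    # 3 > t unhappy players: D disqualified
```

The run with two liars shows the weak-commitment mechanics: the two inconsistent players have degree 0 in G and never enter CORE, while the five honest players are each consistent with n–t = 5 players (themselves included) and survive the pruning, so any t+1 of them interpolate F(0,y) and recover s. Dealing three players shares of a second polynomial makes those three unhappy in Round 3, which exceeds t and disqualifies D already in the sharing phase.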

Page 17: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS — Proof Sketch

Privacy (D is honest):

– D distributes consistent information ⇒ any pair of honest players publish the same mutual padded values.

– Randomness of the pads leads to indistinguishability of the adversary’s view under different secrets.

Correctness (D is honest):

– All honest players (at least n–t) are happy ⇒ no disqualification of D in the Sharing Phase.

– They all end up in CORE, thus the secret reconstructed is s.

Page 18: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-WSS — Proof Sketch

Weak Commitment:

– |CORE| < n–t: All honest players output ⊥.

– |CORE| ≥ n–t: All players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase:

• The n–2t honest happy players define a unique polynomial F’(x,y) (at the end of the Sharing Phase).

• Every dishonest happy player in CORE is consistent with at least n–t players in CORE, of which n–2t ≥ t+1 are honest ⇒ every dishonest happy player in CORE is also consistent with F’(x,y).

Page 19: Round-Optimal and  Efficient Verifiable Secret Sharing


(n/3)-WSS Round Optimality

Based on the impossibility of 3-round Weak Secure Multicast (WSM):

P = {P1, P2, …, Pn}; D ∈ P holds input m; multicast set M ⊆ P.

– Privacy: If all players in M are honest, then the adversary learns no information about m.

– Correctness: If D is honest, then all honest players in M output m.

– Weak Agreement: Even if D is dishonest, all honest players in M output a value in {m’, ⊥}.

r-round WSS ⇒ r-round WSM



Page 24: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-VSS — Sharing Phase

Round 1:

– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi.

– Player Pi selects a random ri and starts (n/3)-WSSi on ri using FiW(x,y).

Round 2: Pi broadcasts

– aij = fi(j) + FiW(0,j)

– bij = gi(j) + FjW(0,i)

– Concurrently, round 2 of (n/3)-WSSi takes place.

Round 3: For each aij ≠ bji

– Pi broadcasts fi(j)

– Pj broadcasts gj(i)

– D broadcasts F(j,i)

– Concurrently, round 3 of (n/3)-WSSi takes place.

A player is said to be unhappy if his value does not match D’s value. If the number of unhappy players > t, disqualify D.

Page 25: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-VSS — Sharing Phase, Local Computation:

– H = {happy players} – {players disqualified as WSS dealers}. If |H| < n–t, disqualify D and stop.

– For Pi ∈ H, if |H ∩ HiW| < n–t, remove Pi from H.

– Call the final set COREsh. If |COREsh| < n–t, disqualify D and stop.

Properties of COREsh:

– If D is honest, then COREsh contains all honest players ⇒ D is not disqualified during the Sharing phase.

– Every player in COREsh is consistent with n–t players in COREsh ⇒ at least t+1 honest players in COREsh (defining a unique polynomial FH(x,y)).

Page 26: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-VSS — Reconstruction Phase

For each Pi ∈ COREsh, run the Reconstruction phase of (n/3)-WSSi, concurrently.

Local computation:

– CORErec := COREsh

– CORErec := CORErec – {Pi : (n/3)-WSSi reconstructs to ⊥}

– For each Pi ∈ CORErec compute fi(j) = aij – FiW(0,j), 1 ≤ j ≤ n. If fi(x) is not a t-degree polynomial, remove Pi from CORErec.

– Obtain F’(x,y) by taking any t+1 polynomials fi(x) from CORErec; s’ := F’(0,0).

Page 27: Round-Optimal and  Efficient Verifiable Secret Sharing


3-Round (n/3)-VSS — Reconstruction Phase, Properties of CORErec:

– At least n–2t (≥ t+1) honest players in COREsh ⇒ unique t-degree polynomial FH(x,y).

– Dishonest Pi in CORErec: WSSi succeeded; the fi(j) lie on a t-degree polynomial f’i(x); F’iW(x,y) is … consistent with t+1 honest players in CORErec ⇒ f’i(x) is consistent with FH(x,y).

Privacy:

– The only difference with the WSS protocol is the pads.

– Prove that aij = fi(j) + FiW(0,j) does not reveal any information about fi(j).

Page 28: Round-Optimal and  Efficient Verifiable Secret Sharing


Amortized VSS Round Complexity

Say m k-round sequential VSS protocols (e.g., in MPC). Using “deferred commitment,” m+2 total rounds ⇒ 1 + O(1/m) amortized-round VSS protocol.

Initial phase: Dealer(s) share random values r1, r2, …, rm using the given VSS protocol.

Sharing Phase of the jth VSS protocol:

– Broadcast correction term cj = sj – rj.

Correction (two ways):

– In the Reconstruction Phase each player computes sj = cj + rj.

– At the end of the Sharing Phase every player Pi computes F*j(x,i) = Fj(x,i) + cj and F*j(i,y) = Fj(i,y) + cj.

Page 29: Round-Optimal and  Efficient Verifiable Secret Sharing


Summary

VSS: Efficient 3-round protocol for n > 3t.

WSS:

– Efficient 3-round protocol for n > 3t — round optimal

– Efficient 1-round protocol for n > 4t

(1+ε) amortized-round VSS
