Page 1

Share conversion, pseudorandom secret-sharing and

applications to secure distributed computing

Ronald Cramer (CWI & Leiden University), Ivan Damgård

(Aarhus University), Yuval Ishai (Technion)

Friday, February 11, 2005

Page 2

(t, n) Replicated secret sharing

- Consider all $\binom{n}{t}$ subsets $B \subseteq \{1, \dots, n\}$ with $|B| = n - t$. Call these subsets cells.

- Additively secret-share the secret $s$, where each cell gets one of the shares. In other words the $i$-th share is replicated among the players in the $i$-th cell $B_i$.

- Thus: $s = \sum_B s_B$, and player $P_j$ holds $\{s_B\}_{B : j \in B}$.

Page 3

Privacy:

- Consider $A \subseteq \{1, \dots, n\}$ with $|A| = t$. There is a cell $B$ that has empty intersection with $A$, namely $B = \{1, \dots, n\} \setminus A$.

- So, $A$ lacks the share $s_B$.

Page 4

Reconstruction:

- All players jointly can determine the secret $s$.

- With $n > 2t$: the intersection of any two cells is non-empty.

- So the players of any cell $B$ jointly hold all shares, and can reconstruct.

[Example: if $n = 2t + 1$, then $t$-private, $> t$ reconstruction.]

Page 5

- $n > 3t \Rightarrow$ perfect recovery from malicious errors in reconstruction:

  - In each cell, there is a majority of good guys ($n - t \geq 2t + 1$)

  - So find the correct $s_B$ by local "majority voting" among the shares received from members of $B$

Drawback: efficiency proportional to $\binom{n}{t}$.
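To make the cell structure of pages 2-5 concrete, here is an added example (not code from the slides or from the authors) of replicated (t, n) sharing over a prime field: it enumerates the cells, shows that any t players miss one additive share, and reconstructs by per-cell majority voting when n > 3t. The field size, the use of Python's secrets module for randomness, and the +1 corruption applied by the simulated liars are assumptions of the example.

```python
"""Replicated (t, n) secret sharing over a prime field (pages 2-5).

Added example, not part of the original slides: enumerate the binom(n, t)
cells, additively share a secret across them, check that any t players miss
at least one share, and reconstruct by per-cell majority voting with n > 3t.
"""
from collections import Counter
from itertools import combinations
import secrets

P = (1 << 61) - 1  # field size is an assumption of this example


def cells(n, t):
    """All subsets of {1..n} of size n - t; each one is a cell B."""
    return [frozenset(B) for B in combinations(range(1, n + 1), n - t)]


def share(secret, n, t):
    """Additive sharing: one share s_B per cell; player j holds {s_B : j in B}."""
    Bs = cells(n, t)
    shares = {B: secrets.randbelow(P) for B in Bs[:-1]}
    shares[Bs[-1]] = (secret - sum(shares.values())) % P  # forces sum_B s_B = secret
    views = {j: {B: s for B, s in shares.items() if j in B} for j in range(1, n + 1)}
    return shares, views


def privacy_holds(views, n, t):
    """Every set A of t players lacks the share of the cell {1..n} minus A."""
    for A in combinations(range(1, n + 1), t):
        known = set().union(*(views[j].keys() for j in A))
        missing = frozenset(range(1, n + 1)) - frozenset(A)
        if missing in known:
            return False
    return True


def reconstruct(received, n, t):
    """received[j][B] is the value player j reports for s_B (only for cells B
    containing j). With n > 3t each cell has n - t >= 2t + 1 members, so the
    honest majority inside the cell outvotes up to t liars."""
    total = 0
    for B in cells(n, t):
        votes = Counter(received[j][B] for j in B)
        value, count = votes.most_common(1)[0]
        assert count > len(B) // 2, "no majority in cell"
        total = (total + value) % P
    return total


def reconstruct_with_liars(secret, n, t, liars):
    """Simulate reconstruction where the players in `liars` (at most t of them)
    report a wrong value for every share they hold; returns the recovered secret."""
    _, views = share(secret, n, t)
    received = {j: dict(v) for j, v in views.items()}
    for j in liars:
        for B in received[j]:
            received[j][B] = (received[j][B] + 1) % P  # constructed corruption
    return reconstruct(received, n, t)


if __name__ == "__main__":
    n, t = 7, 2  # n > 3t, so majority voting tolerates t malicious players
    _, views = share(12345, n, t)
    print("cells:", len(cells(n, t)), "privacy:", privacy_holds(views, n, t))
    print("recovered with 2 liars:", reconstruct_with_liars(12345, n, t, liars=[1, 2]))
```

Note how the cost shows up directly: every call enumerates binom(n, t) cells, which is the "efficiency proportional to binom(n, t)" drawback of the slide.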

Page 6

Why interested in this scheme...???

After all...there is Shamir's scheme..

Ito/Nishizeki/Saito: introduced general, non-threshold secret sharing ($m$-out-of-$m$ additive sharing within each "qualified set")

Beaver/Wool: simple protocol for MPC, passive adversary, general adversary

Maurer: extension to active case

Page 7

But: only makes sense when $n$ is small (or more generally, when $t$ is small).

Moreover, in all these cases more efficient solutions are known by more sophisticated techniques.

Good reasons to revisit this technique to follow...

Page 8

Pseudo-random secret sharing

Unbounded source of sharings of random secrets, no interaction.

- Trusted Initialization: replace share $s_B$ by a pseudo-random function $G_B(\cdot)$.

- Define $s(\cdot) = \sum_B G_B(\cdot)$.

Notation: suppress globally agreed argument $(\cdot)$

- Variation: seeds for pseudo-random number generator

Page 9

Pseudo-random secret sharing introduced earlier by Micali/Sidney, and further studied by Ishai/Gilboa, ...

Here: we develop enhanced pseudo-random secret sharing schemes and give new applications of pseudo-random secret sharing: taking interaction out of certain secure computations, threshold crypto-systems, without paying a penalty in communication

Page 10

Application I: Pseudo-random VSS with $t < n/3$

- Give all pseudo-random functions to a single designated player (the dealer): non-interactive VSS of random secret $r$, known by dealer.

- Adaptation to secret $s$ of his choice: dealer broadcasts correction value $s - r$.

- Players adapt their shares locally using linearity: add in $s - r$.

- Reconstruction in presence of malicious errors: by efficient error correction

Page 11

Application II: Non-interactive secure multiplication (shared output)

Here: $n > 4t$. Adversary actively corrupts at most $t$ players.

- Intersection of any two cells contains a majority of good guys. For each pair of cells $B, B'$, designate a (unique) subset $C \subseteq B \cap B'$ of size $2t + 1$. Call this a subcell.

- Initialization: for each subcell, replicate a fresh instance of the pseudo-random VSS set-up.

Page 12

- Starting condition: sharings of $\alpha, \beta$ in the replicated secret sharing scheme. Thus:

  $\alpha = \sum_B \alpha_B, \quad \beta = \sum_B \beta_B, \quad \alpha \cdot \beta = \sum_{B, B'} \alpha_B \cdot \beta_{B'}.$

- Basic Idea:

  For each subcell $C$: usual re-sharing of local products $\alpha_B \cdot \beta_{B'}$, but done with pseudo-random VSS instead.

  Re-sharings of a correct local product occur in majority. This is due to the pseudo-random VSS replicas; recognized by voting over the broadcasted correction value.

  Bunch it up non-interactively to a sharing of the product.

Page 13

Note 1: No broadcast needed here in pseudo-random VSS

Note 2: (information theoretic pre-processing versus pseudo-random approach) preprocessing leads to an a priori bounded horizon, pseudorandomness makes it ongoing, unbounded horizon

Page 14

Compressed pseudo-random secret sharing

New feature: share size "as in Shamir", still non-interactive. Only local computation proportional to $\binom{n}{t}$.

- For each cell $B$, choose a fixed polynomial $f_B$ so that

  1. $\deg(f_B) = t$

  2. $f_B(0) = 1$ but $f_B(i) = 0$ if $i \notin B$

- Define $f(X) = \sum_B s_B \cdot f_B(X)$

Page 15

Player $P_i$ can compute his Shamir-share from his shares from the replication based scheme:

$f(i) = \sum_B s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i) + \sum_{B : i \notin B} s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i)$

Privacy: the info held by $A \subseteq \{1, \dots, n\}$ with $|A| = t$ lacks at least one random coin in the expression for $f(X)$...

Page 16

Compressed pseudo-random VSS

This works as before (non-interactive), with $n > 3t$

All pseudo-random functions given to designated player

Broadcast difference of pseudo-random secret and secret of interest

Reconstruction: efficient Reed-Solomon decoding (say Berlekamp-Welch)

Page 17

Compressed non-interactive secure multiplication

$n > 4t$

Adversary actively corrupts $t$ players

- Initialization: compressed pseudo-random secret sharing in place (actually, a small variation...)

- Input: $(t, n)$-Shamir sharings $(\alpha_1, \dots, \alpha_n), (\beta_1, \dots, \beta_n)$ of secrets $\alpha, \beta$

- Output: $\alpha \cdot \beta$.

Page 18

Pseudo-random zero-sharing: (with $n > 4t$) creation of a random degree-$2t$ Shamir-sharing of the value 0.

- For each cell $B$, choose a fixed basis of polynomials $f^1_B, \dots, f^t_B$ for the vector space of polynomials $f$ with

  1. $\deg(f) \leq 2t$

  2. $f(0) = 0$

  3. $f(i) = 0$ if $i \notin B$

Page 19

- Instead of a single one, hand pseudo-random functions $G^1_B(\cdot), \dots, G^t_B(\cdot)$ to the players in $B$.

- Define $f(X) = \sum_B \sum_{i=1}^{t} s^i_B \cdot f^i_B(X)$

Page 20

Compressed secure multiplication is now easy, by standard technique plus masking using pseudo-random zero-sharing

- $f(i)$: player $i$'s share in the pseudo-random zero-sharing.

- Masking: player $i$ computes $\alpha_i \cdot \beta_i + f(i)$ and sends it to all players

- Each player on his own applies Berlekamp-Welch to do error correction.

Page 21

- Indeed:

  $f$: polynomial for zero-sharing

  $f_\alpha, f_\beta$: polynomials for sharing of $\alpha, \beta$

  So $f_\alpha \cdot f_\beta + f$ is of degree $\leq 2t$, and we have $n > 4t$ points with $\leq t$ errors. So the error correction is possible.

- This way, each player obtains a polynomial whose free term is $\alpha \cdot \beta$.

Generalization: non-interactive secure computation of degree-2 bi-variate polynomials

Page 22

Theoretical Results on Share Compression

- Thm.: Pseudo-random secret sharing schemes can be compressed to any linear secret sharing scheme

  Proof: generalize the Shamir compression using canonical monotone span programs

- Thm.: Our approach is optimal in the model where each player gets a subset of a given collection of independently distributed random sources

  Proof: By information theoretic arguments: # random sources $\geq$ # maximal unqualified sets

Page 23

Application to non-interactive threshold crypto

- Non-interactive version of the threshold-CS98 from Canetti/Goldwasser: test of validity of ciphertext by non-interactive randomization (compressed secure multiplication "in the exponent")

- Communication-efficient variant of Naor/Pinkas/Reingold Distributed Pseudo-Random Function

- Threshold signatures without random oracles based on Boneh/Boyen scheme.
