1 / 30

Round-Optimal and Efficient Verifiable Secret Sharing

Round-Optimal and Efficient Verifiable Secret Sharing. Matthias Fitzi (Aarhus University) Juan Garay (Bell Labs) Shyamnath Gollakota (IIT Madras) C. Pandu Rangan (IIT Madras) Kannan Srinathan (IIIT Hyderabad). Secret Sharing Protocols [Sha79,Bla79]. Two phases Sharing phase

amos-noel
Download Presentation

Round-Optimal and Efficient Verifiable Secret Sharing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Round-Optimal and EfficientVerifiable Secret Sharing Matthias Fitzi (Aarhus University) Juan Garay (Bell Labs) Shyamnath Gollakota (IIT Madras) C. Pandu Rangan (IIT Madras) Kannan Srinathan (IIIT Hyderabad)

  2. Secret Sharing Protocols [Sha79,Bla79] • Two phases • Sharing phase • Reconstruction phase • Sharing Phase • D initially holds s and each player Pi finally holds some private information vi. • Reconstruction Phase • Each player Pi reveals (some of) his private information v’i on which a reconstruction function is applied to obtain s = Rec(v’1, v’2, …, v’n). • Set of players P = {P1 , P2, … ,Pn}, dealer D (e.g., D = P1). Round-Optimal and Efficient VSS —TCC’06

  3. Sharing Phase … vn v1 v3 v2 Reconstruction Phase Less than t +1 players have no info’ about the secret Secret Sharing (cont’d) Secret s Dealer Round-Optimal and Efficient VSS —TCC’06

  4. Sharing Phase vn v1 v3 v2  t +1 players can reconstruct the secret Secret s Secret Sharing (cont’d) Secret s Dealer … Reconstruction Phase Players are assumed to give their shares honestly Round-Optimal and Efficient VSS —TCC’06

  5. Verifiable Secret Sharing(VSS)[CGMA85] • Extends secret sharing to the case of active corruptions • (corrupted players, incl. Dealer, may not follow the protocol) • Up to t corrupted players • Adaptive adversary • Reconstruction Phase • Each player Pi reveals (some of) his private information v’i • on which a reconstruction function is applied to obtain • s’ = Rec(v’1, v’2, …, v’n). Round-Optimal and Efficient VSS —TCC’06

  6. VSS Requirements • Privacy • If D is honest, adversary has no Shannon information about s during the Sharing phase. • Correctness • If D is honest, the reconstructed value s’ = s. • Commitment • After Sharing phase, s’ is uniquely determined. Round-Optimal and Efficient VSS —TCC’06

  7. Weak VSS (WSS) [RB89] • Privacy • If D is honest, adversary has no Shannon information about s during the Sharing phase. • Correctness • If D is honest, the reconstructed value s’ = s. • Weak Commitment • After Sharing phase, s’ is uniquely determined such that • Rec(v’1, v’2, …, v’n)  {, s’}. Round-Optimal and Efficient VSS —TCC’06

  8. Communication Model and Round Complexity • Synchronous, fully connected network of pair-wisesecure channels + broadcast channel. • Round complexity:Number of communication rounds in the Sharing phase. • Efficiency:Total computation and communication polynomial in n and size of the secret. Round-Optimal and Efficient VSS —TCC’06

  9. Prior (Relevant) Work • Perfect VSS possible iff n > 3t [BGW88, DDWY90] • Round complexity of VSS [GIKR01] • n > 4t: Efficient 2-round protocol • n > 3t: No 2-round protocol exists Efficient 4-round protocol Inefficient3-round protocol Round-Optimal and Efficient VSS —TCC’06

  10. Our Contributions • VSS:Efficient3-round protocol for n > 3t • WSS: • Efficient 3-round protocol for n > 3t — round optimal • Efficient 1-round protocol for n > 4t • (1+) amortized-round VSS protocol for n > 3t Round-Optimal and Efficient VSS —TCC’06

  11. Our Contributions • VSS:Efficient3-round protocol for n > 3t • WSS: • Efficient 3-round protocol for n > 3t — round optimal • Efficient 1-round protocol for n > 4t • (1+ ) amortized-round VSS protocol for n > 3t Round-Optimal and Efficient VSS —TCC’06

  12. 3-Round (n/3)-WSS Secret s Dealer Sharing Phase … vn v1 v3 v2 Reconstruction Phase Round-Optimal and Efficient VSS —TCC’06

  13. Secret s’ 3-Round (n/3)-WSS Secret s … vn v1 v3 v2 Reconstruction Phase Round-Optimal and Efficient VSS —TCC’06

  14. F(j,i) + r 3-Round (n/3)-WSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi sends to Pj a random pad rij. • Round 2:Pi broadcasts • aij = fi(j) + rij • bij = gi(j) + rji Pj broadcasts • aji = fj(i) + rji • bji = gj(i) + rij Round-Optimal and Efficient VSS —TCC’06

  15. 3-Round (n/3)-WSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi sends to Pj a random pad rij. • Round 2:Pi broadcasts • aij = fi(j) + rij • bij = gi(j) + rji • Round 3:For each aij≠bji • Pi broadcasts fi(j) • Pj broadcasts gj(i) • D broadcasts F(j,i) • A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D. Pj broadcasts • aji = fj(i) + rji • bji= gj(i) + rij Round-Optimal and Efficient VSS —TCC’06

  16. 3-Round (n/3)-WSS — Reconstruction Phase • Every happy player Pi broadcasts fi(x) and gi(y). • Local computation: • Every player constructs a consistency graph G over the set of happy players: there exists an edge between Pi,Pj G iff fi(j) = gj(i) and gi(j) =fj(i). • Every player constructs a set CORE as follows: • Initially all nodes with degree at least n–t in G are in CORE. • Players in CORE consistent with less than n–t players in CORE are removed. • Repeat until no more players can be removed from CORE. • Secret determined by the polynomial defined by any t+1 players from CORE. If |CORE| < n–t, the secret is . Round-Optimal and Efficient VSS —TCC’06

  17. 3-Round (n/3)-WSS — Proof Sketch • Privacy: (D is honest) • D distributes consistent information any pair of honest players publish same mutual padded values. • Randomness of pads leads to indistinguishability of adversary’s view under different secrets. • Correctness: (D is honest) • All honest players (at least n–t) are happy  no disqualification of D in Sharing Phase. • They all end up in CORE, thus the secret reconstructed is s. Round-Optimal and Efficient VSS —TCC’06

  18. 3-Round (n/3)-WSS — Proof Sketch • Weak Commitment: • |CORE| < n – t: All honest players output . • |CORE|  n – t: All players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase: • The n–2thonest happy players define a unique polynomial F’(x,y) (at the end of Sharing Phase). • Every dishonest happy player in CORE is consistent with at least n–t players in CORE, of which n–2tt+1 are honest  every dishonest happy player in CORE is also consistent with F’(x,y). Round-Optimal and Efficient VSS —TCC’06

  19. (n/3)-WSS Round Optimality • Based on impossibility of 3-round Weak Secure Multicast: • P = {P1 , P2, … ,Pn}; D P holds input m; multicast setM P. • Privacy: If all players in M are honest, then adversary learns no information about m. • Correctness: If D is honest, then all honest players in M output m. • Weak Agreement:Even if D is dishonest, all honest players in M output a value in {m’, }. • r-round WSS  r-round WSM Round-Optimal and Efficient VSS —TCC’06

  20. Recall: 3-Round (n/3)-WSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi sends to Pj a random pad rij. • Round 2:Pibroadcasts • aij = fi(j) + rij • bij = gi(j) + rji • Round 3:For each aij≠bji • Pi broadcasts fi(j) • Pj broadcasts gj(i) • D broadcasts F(j,i) • A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D. Round-Optimal and Efficient VSS —TCC’06

  21. 3-Round (n/3)-VSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi selects randomriand starts (n/3)-WSS onriusingFiW(x,y). Round-Optimal and Efficient VSS —TCC’06

  22. 3-Round (n/3)-VSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y). • Round 2:Pi broadcasts • aij = fi(j) + FiW(0,j) • bij = gi(j) + FjW(0,i) • Concurrently, round 2 of (n/3)- WSSi • takes place. Round-Optimal and Efficient VSS —TCC’06

  23. 3-Round (n/3)-VSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y). • Round 2:Pi broadcasts • aij = fi(j) + FiW(0,j) • bij = gi(j) + FjW(0,i) • Round 3:For each aij≠bji • Pi broadcasts fi(j) • Pj broadcasts gj(i) • D broadcasts F(j,i) • Concurrently, round 2 of (n/3)-WSSi • takes place. • Concurrently, round 3 of (n/3)-WSSi • takes place. Round-Optimal and Efficient VSS —TCC’06

  24. 3-Round (n/3)-VSS — Sharing Phase • Round 1: • D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. • Player Pi selects randomriand starts (n/3)-WSSi onriusingFiW(x,y). • Round 2:Pi broadcasts • aij = fi(j) + FiW(0,j) • bij = gi(j) + FjW(0,i) • Round 3:For each aij≠bji • Pi broadcasts fi(j) • Pj broadcasts gj(i) • D broadcasts F(j,i) • A player is said to be unhappy if his value does not match D’s value. If no. unhappy players > t, disqualify D. • Concurrently, round 2 of (n/3)-WSSi • takes place. • Concurrently, round 3 of (n/3)-WSSi • takes place. Round-Optimal and Efficient VSS —TCC’06

  25. 3-Round (n/3)-VSS — Sharing Phase • Local Computation: • H = {happy players} – {players disqualified as WSS dealers} • If |H| < n–t, disqualify D and stop. • For Pi H, if |H ∩ HiW| < n–t, remove Pi from H. • Call the final set COREsh. If |COREsh| < n–t disqualify D and stop. • Properties of COREsh: • If D is honest, then COREsh contains all honest players  D is not disqualified during the Sharing phase. • Every player in COREsh is consistent with n–t players in COREsh At least t+1 honest players in COREsh (defining a unique polynomial FH(x,y)). Round-Optimal and Efficient VSS —TCC’06

  26. 3-Round (n/3)-VSS — Reconstruction Phase • For each Pi COREsh, run Rec. phase of (n/3)-WSSi, concurrently. • Local computation: • CORErec := COREsh • CORErec := CORErec – {Pi : (n/3)-WSSi } • For each Pi COREreccompute fi(j) = aij – FiW(0,j),1≤ j ≤ n If fi(x) not a t-degree polynomial, remove Pi from CORErec. • ObtainF’(x,y) by taking any t+1 polynomials fi(x)from CORErec; s’ := F’(0,0). Round-Optimal and Efficient VSS —TCC’06

  27. 3-Round (n/3)-VSS — Reconstruction Phase • Properties of CORErec: • At least n–2t ( t+1) honest players in COREsh  unique t-degree polynomial FH(x,y). • Dishonest Pi in CORErec: WSSi succeeded; fi(j) lie on at-degree polynomial f’i(x) ; F’iW(x,y)is … consistent with t+1 honest players in CORErec  f’i(x) is consistent with FH(x,y). • Privacy: • The only difference with WSS protocol is the pads. • Prove that aij = fi(j) + FiW(0,j)does not reveal any info’ about fi(j). Round-Optimal and Efficient VSS —TCC’06

  28. Amortized VSS Round Complexity • Say,m k-round sequential VSS protocols (e.g., MPC) • Using “deferred commitment,”m+2 total rounds  • 1+ O(1/m) amortized-round VSS protocol • Initial phase: Dealer(s) share random values r1, r2,…, rm using the given VSS protocol. • Sharing Phaseof jth VSS protocol: • Broadcast correction term cj = sj – rj • Correction:(two ways) • In Reconstruction Phase each player computes sj = cj + rj. • At the end of Sharing Phase every player Pi computes F*j(x,i) = Fj(x,i) + cj and F*j(i,y) = Fj(i,y) + cj Round-Optimal and Efficient VSS —TCC’06

  29. Summary • VSS:Efficient3-round protocol for n > 3t • WSS: • Efficient 3-round protocol for n > 3t — round optimal • Efficient 1-round protocol for n > 4t • (1+) amortized-round VSS Round-Optimal and Efficient VSS —TCC’06

  30. Round-Optimal and EfficientVerifiable Secret Sharing Matthias Fitzi (Aarhus University) Juan Garay (Bell Labs) Shyamnath Gollakota (IIT Madras) C. Pandu Rangan (IIT Madras) Kannan Srinathan (IIIT Hyderabad)

More Related