Asynchronous Verifiable Secret Sharing Presented by Michael Sirivianos 04/22/04
What is Secret Sharing? • In many applications the dealer does not trust just one secret holder. • To counter this, he shares the secret among n > k > 0 shareholders. • Shareholders do not trust the dealer either. To prevent him from distributing inconsistent shares they need share verification. • Previous works were able to provide unconditional verification, but required interaction.
Non-Interactive Shannon Secure VSS [Pedersen 91] • Only the dealer is allowed to send messages. • Assumes reliable broadcast. • Verification information and k-1 shares do not provide any information about the secret (secrecy). • However, the dealer can distribute inconsistent shares if he can solve the DL problem.
Non-Interactive Shannon Secure VSS [Pedersen 91] • It is shown that this is inevitable in non-interactive schemes where no information is revealed. • Combines Shamir’s SS scheme with an unconditionally secure commitment scheme.
Setting • p, q large primes s.t. q | p-1, G_q is the unique subgroup of Z_p^* of order q and g is a generator of G_q. • For any g ≠ 1, g ∈ G_q, that generates the group, the discrete logarithm DL_g(a) is assumed computationally hard. • The dealer randomly picks a secret s ∈ Z_q.
Setting (2) • Chooses F ∈ Z_q[x] of degree at most k-1 s.t. F(0) = s, and distributes the F(i)'s for i = 1, …, n to the n shareholders. • Chooses G ∈ Z_q[x] of degree at most k-1 s.t. G(0) = t, and uses the G_i's and F_i's for commitments.
Commitment Scheme • The dealer reliably broadcasts information about the shares to the shareholders. • Shareholders use the commitments to verify that their shares are consistent. • In [Pedersen 91] the commitment to a secret share is computed as E(s, t) = g^s h^t, where h ∈ G_q is a generator of G_q and nobody knows DL_g(h).
Commitment Scheme (2) • Dealer broadcasts E_i = g^{F_i} h^{G_i} for i = 0, 1, …, k-1, where F_i and G_i are the coefficients of F and G. • If the dealer could find s ≠ s' ∈ Z_q and t ≠ t' ∈ Z_q s.t. E(s, t) = E(s', t'), then he could compute DL_g(h).
Shamir Secret Sharing • Based on polynomial interpolation. A polynomial y = f(x) of degree k-1 is uniquely defined by k (x, y) pairs.
Shamir Secret Sharing • k shareholders can find F(x).
Verification • When a shareholder receives his share and the E_i = E(F_i, G_i) commitments he verifies that:
Inconsistent shares • Theorem: Under the DL assumption, it is computationally hard to distribute inconsistent shares.
Inconsistent shares (2) • Proof: Assume the dealer managed to distribute inconsistent shares. • Let F(x) s.t. F(i) = s_i and G(x) s.t. G(i) = t_i for i = 1, 2, …, k. • Let i = k + 1. • If i > n then stop: the shares are consistent. • If F(i) = s_i, then set i = i + 1 and repeat the previous step; otherwise return S = {1, 2, …, k} and S' = {1, 2, …, k-1, i}. • Interpolating from S and from S' she can find F(x) ≠ F'(x) and G(x) ≠ G'(x), thus s ≠ s' and t ≠ t'. She can compute DL_g(h). QED
Shannon Secrecy • Let view_S = (E_0, E_1, …, E_{k-1}, (s_i, t_i)_{i ∈ S}) • Theorem: For any S ⊆ {1, …, n} s.t. |S| ≤ k-1, any view_S, and ∀ s ∈ Z_q and D ∈ S:
Shannon Secrecy (2) • Proof: • E_1, …, E_{k-1} can be reconstructed from the (s_i, t_i)'s and E_0. • Interpolation with k-1 (F(i), G(i)) pairs reveals no information about F(x), G(x).
Linear Combinations • Let s' and s'' be two distributed secrets. • Let (s_i', t_i') and (s_i'', t_i'') be the i-th shareholder's shares of them. • Let s_i = s_i' + s_i'' and t_i = t_i' + t_i''. • Let (E_0', …, E_{k-1}') and (E_0'', …, E_{k-1}'') be the broadcast commitments. • Then the commitments for s = s' + s'' mod q and t = t' + t'' mod q are E_i = E_i' E_i'' for i = 0, 1, …, k-1 and
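A worked toy instance of the Pedersen VSS described on the Setting, Commitment Scheme, Verification and Linear Combinations slides (added here as illustration; it is not code from the slides or from Pedersen's paper). It assumes toy parameters p = 1019, q = 509 (so q | p-1) with g = 4, h = 9 as generators of G_q; a real deployment uses large primes and an h whose discrete log nobody knows.

```python
import random

P, Q = 1019, 509          # toy parameters: q | p-1 with p = 2q + 1; G_q = quadratic residues mod p
G, H = 4, 9               # both generate G_q; in a real setup nobody may know DL_G(H)

def poly_eval(coeffs, x):
    """Evaluate c_0 + c_1 x + ... + c_{k-1} x^(k-1) mod q."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def commit(s, t):
    """Pedersen commitment E(s, t) = g^s h^t mod p."""
    return pow(G, s, P) * pow(H, t, P) % P

def deal(secret, n, k, seed):
    """Dealer: F, G of degree at most k-1 with F(0) = secret, commitments E_i to the
    coefficient pairs (F_i, G_i), and shares (F(i), G(i)) for i = 1..n."""
    rng = random.Random(seed)
    F = [secret % Q] + [rng.randrange(Q) for _ in range(k - 1)]
    Gp = [rng.randrange(Q) for _ in range(k)]
    E = [commit(F[j], Gp[j]) for j in range(k)]
    shares = {i: (poly_eval(F, i), poly_eval(Gp, i)) for i in range(1, n + 1)}
    return E, shares

def verify_share(E, i, si, ti):
    """Shareholder i checks g^si h^ti == prod_j E_j^(i^j): the E_j commit to the
    coefficients, so the product is a commitment to (F(i), G(i))."""
    rhs = 1
    for j, Ej in enumerate(E):
        rhs = rhs * pow(Ej, i ** j, P) % P
    return commit(si, ti) == rhs

def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_q from k (i, F(i)) pairs (Shamir)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def combine(E1, shares1, E2, shares2):
    """Linear combination: shares add mod q, commitments multiply mod p, no new dealing."""
    E = [a * b % P for a, b in zip(E1, E2)]
    shares = {i: ((shares1[i][0] + shares2[i][0]) % Q, (shares1[i][1] + shares2[i][1]) % Q)
              for i in shares1}
    return E, shares
```

A tampered share (for example s_1 + 1) fails verify_share, while the combined sharing verifies against the products of the commitments and reconstructs s' + s''.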
Anonymous Secret Sharing • Let P_1, …, P_n be n participants that wish to choose and distribute a secret among themselves. Each P_i can digitally sign. Each P_i executes: • Choose random (s_i0 = F_i0, t_i0 = G_i0) ∈ Z_q^2. • Randomly choose:
Anonymous Secret Sharing • Broadcast E_ij = E(F_ij, G_ij) for j = 0 to k-1 and send signed (F_i(j), G_i(j)) to P_j for j = 1 to n. • Verify all received shares. • Compute the share (s_i, t_i) of s = Σ_{j=1}^{n} s_j0 as s_i = Σ_{j=1}^{n} s_ji, t_i = Σ_{j=1}^{n} t_ji. • Compute commitments E_j = Π_{z=1}^{n} E_zj for j = 0, …, k-1.
Asynchronous Environment? • It is trivial to implement a proactive variation of the Pedersen VSS. • What if synchrony is not provided? • How can we know that all shareholders are simultaneously holding consistent shares? • Can we ensure that they simultaneously combine shares to derive the secret? • What if message delays cross phase time boundaries?
Non-Reliable Broadcast? • What if commitments are not reliably broadcast? The dealer could trivially distribute inconsistent shares. • A.k.a. "Asynchronous Byzantine Agreement", Bracha [PODC'84]. A protocol for reliable broadcast satisfies: • If the sender is honest, then all other honest receivers accept the message. • If a sender P is malicious, then either all the honest receivers accept the same message, or none of them accepts the message from P.
Bracha's Asynchronous Reliable Broadcast • Tolerates t < n/3 Byzantine faults. • Message types: INITIAL, ECHO, and READY. • Step 0 (only by the sender). Send (initial, m) to all, for some m. • Step 1. Wait until one (initial, m) is received; send (echo, m) to all. • Step 2. Wait until more than (n+t)/2 (echo, m) or t+1 (ready, m) are received; send (ready, m) to all. • Step 3. Wait until 2t + 1 (ready, m) are received; accept m.
Correctness. • If two correct processes P_i and P_i' send ready(m) and ready(m') then m = m'. (Consistency) • Proof: By contradiction. Assume m ≠ m'. • P_i can send a ready(m) if it receives at least ⌈(n+t+1)/2⌉ echo(m) messages or at least t+1 ready(m) from other processes. • Thus another correct process P_i'' (possibly P_i'' = P_i) must have received at least ⌈(n+t+1)/2⌉ echo(m) messages, at least ⌈(n-t+1)/2⌉ of them from correct processes. • Similarly a correct process P_i''' (possibly P_i''' = P_i') must have received at least ⌈(n+t+1)/2⌉ echo(m') messages, at least ⌈(n-t+1)/2⌉ of them from correct processes. • Since there are not (n-t+1) correct processes, at least one correct process must have sent both echo(m) and echo(m'), a contradiction. Q.E.D.
Correctness. • If two correct processes P_i and P_i' accept m and m' then m = m'. (Agreement) • Proof: • For P_i to accept m it must have seen 2t + 1 ready(m) messages, thus at least t + 1 ready(m) from correct processes. • Similarly, at least t + 1 ready(m') must be seen by P_i'. • From the previous result, m = m'.
Correctness. • If a correct process P_i accepts m, then every other correct process will eventually accept m. (Agreement) • Proof: • P_i must have received 2t + 1 ready(m) messages, thus at least t + 1 ready(m) from correct processes. • Every other correct process receives these t + 1 ready(m), thus sends its own ready(m). • Thus, at least n - t correct processes will send ready(m). • Since n > 3t, n - t ≥ 2t + 1, thus eventually every correct process will receive at least 2t + 1 ready(m) messages and accept.
Correctness. • If the sender P_i is correct and sends m, then every other correct process will accept m. • Proof: • Every correct process will receive initial(m) and send echo(m). • Every correct process will receive n - t > (n+t)/2 echo(m) from the correct processes and possibly t < (n+t)/2 different messages from malicious ones. • Thus, every correct process will send a ready(m) message. • Thus, every correct process will receive at least n - t ≥ 2t + 1 ready(m) and will accept.
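A small simulation of the four-step protocol and the two correctness properties above (added illustration, not Bracha's own code). Correct processes follow Steps 1-3 with thresholds ⌈(n+t+1)/2⌉ echoes, t+1 readies and 2t+1 readies; Byzantine processes run no code and only send whatever messages the scenario injects, so an equivocating sender can be modelled by giving different initial values to different receivers.

```python
import math
from collections import defaultdict, deque

class Process:
    """One correct process running Bracha's broadcast for a single designated sender."""
    def __init__(self, pid, n, t, sender):
        self.pid, self.n, self.t, self.sender = pid, n, t, sender
        self.echoes = defaultdict(set)     # m -> pids that sent echo(m)
        self.readies = defaultdict(set)    # m -> pids that sent ready(m)
        self.sent_echo = self.sent_ready = False
        self.accepted = None

    def handle(self, src, kind, m, out):
        """Steps 1-3 of the protocol; out collects (kind, m) pairs to send to all."""
        if kind == "initial" and src == self.sender and not self.sent_echo:
            self.sent_echo = True
            out.append(("echo", m))
        elif kind == "echo":
            self.echoes[m].add(src)
        elif kind == "ready":
            self.readies[m].add(src)
        echo_thr = math.ceil((self.n + self.t + 1) / 2)   # "more than (n+t)/2"
        for v in set(self.echoes) | set(self.readies):
            if not self.sent_ready and (len(self.echoes.get(v, ())) >= echo_thr
                                        or len(self.readies.get(v, ())) >= self.t + 1):
                self.sent_ready = True
                out.append(("ready", v))
            if self.accepted is None and len(self.readies.get(v, ())) >= 2 * self.t + 1:
                self.accepted = v

def run(n, t, sender, initial, byzantine=frozenset(), injected=()):
    """Deliver messages FIFO. initial: {pid: m} as sent by the sender (an honest sender
    uses one m for all); byzantine pids run no code; injected: (src, dst, kind, m)
    messages the Byzantine processes send. Returns the value each correct pid accepted."""
    procs = {i: Process(i, n, t, sender) for i in range(n) if i not in byzantine}
    queue = deque((sender, d, "initial", m) for d, m in initial.items() if d in procs)
    queue.extend(msg for msg in injected if msg[1] in procs)
    while queue:
        src, dst, kind, m = queue.popleft()
        out = []
        procs[dst].handle(src, kind, m, out)
        for kind2, m2 in out:                       # "send to all", including itself
            queue.extend((dst, d, kind2, m2) for d in procs)
    return {i: p.accepted for i, p in procs.items()}
```

With n = 4, t = 1 an honest sender gets every correct process to accept, and a Byzantine sender that tells P_1, P_2 "a" and P_3 "b" (echoing accordingly) still ends with all three correct processes accepting the same value.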
Asynchronous VSS [CKLS 02] • Verifiable Secret Sharing for asynchronous networks with computational security. • (n, k, t) dual-threshold sharing with n - 2t ≥ k > t: • n servers holding shares of the secret • up to t may be corrupted by the adversary • any k of them can reconstruct the secret. • Dealer creates a two-dimensional (bivariate) polynomial sharing. • Servers exchange 2 asynchronous rounds of messages to reach agreement on the success of the sharing.
Adversarial model • Every pair of servers is linked with an asynchronous channel, which provides privacy and authenticity. • Message scheduling is determined by the adversary: • She can arbitrarily delay a message between honest servers. This models asynchrony. • The adversary can take complete control of up to t servers: • obtain their state and the messages received so far, • send messages on their behalf.
Asynchronous VSS • AVSS definition same as in sync. network, except we need to ensure all servers agree valid sharing has taken place. • Provided adversary initializes all honest servers on a protocol instance and delivers all messages, an AVSS dual-threshold protocol satisfies the following conditions for a t-limited adversary.
AVSS conditions • Liveness: • If the dealer is honest, then all honest servers complete the sharing, except with negligible probability. • Agreement: • If some honest server completes the sharing, then all honest servers complete the sharing. • If all honest servers start the reconstruction then every honest server P_i reconstructs some z_i, except with negligible probability.
AVSS conditions • Correctness: Once k honest servers have completed the sharing, ∃ z ∈ Z_q s.t. the following hold except with negligible probability: • If the dealer has shared s and is honest during the sharing, then z = s. • If an honest server reconstructs z_i, then z_i = z. • Privacy: • If an honest dealer has shared s and fewer than k - t honest servers have started reconstruction, the adversary knows nothing about s.
AVSS Share Distribution • Dealer chooses a random bivariate polynomial f ∈ Z_q[x, y] of degree at most k-1 with f(0, 0) = s: f(x, y) = Σ_{j,l=0}^{k-1} f_jl x^j y^l • Commits using a random f' ∈ Z_q[x, y] to compute the commitment matrix C:
AVSS Share Distribution (2) • Dealer sends to every server P_i an initial message with: • the matrix C • 2 share polynomials a_i(y) = f(i, y) and a'_i(y) = f'(i, y) • 2 sub-share polynomials b_i(x) = f(x, i) and b'_i(x) = f'(x, i) • Upon receiving initial, any server P_i verifies the polynomials and sends an echo message to every server P_j with: • the matrix C • the values a_i(j) = f(i, j) and a'_i(j) = f'(i, j) • the values b_i(j) = f(j, i) and b'_i(j) = f'(j, i) • Note: b_j(i) = a_i(j), etc.
AVSS Share Distribution (3) • A server that receives k ≥ ⌈(n+t+1)/2⌉ echo messages which agree on C and whose points verify against C: • interpolates the polynomials a_i(y), a'_i(y), b_i(x), b'_i(x) • e.g. server P_i interpolates a_i(y) = f(i, y) using the b_j(i)'s from k servers P_j, and b_i(x) = f(x, i) using the a_j(i)'s from k servers P_j. • If the dealer is honest and the broadcast is correct, the interpolated polynomials are the same as the ones received from the dealer.
AVSS Share Distr. (4) • Each P_i sends ready messages to every server P_j with: • the matrix C • the values a_i(j), a'_i(j), b_i(j), b'_i(j) from the interpolated polynomials • Receivers of ready messages check whether C and the points are valid using verify-points. • If a server receives k (not t+1) valid ready but not k valid echo messages, it interpolates the polynomials from the ready messages and sends its own ready message.
AVSS Share Distr. (5) • Once a server receives k + t valid ready messages, it completes the sharing. • Its share is (s_i, s_i') = (a_i(0), a'_i(0)). • This 2-round protocol ensures that the servers received the correct polynomial, thus the share and commitments from the dealer: reliable broadcast. • O(n^2) message complexity, O(kn^4) communication complexity and optimal n > 3t resilience.
AVSS Reconstruction • Every server P_i reveals (s_i, s_i') to every other server, and waits for k shares from other servers that are consistent with C. • Receivers check the shares they receive with verify-share w.r.t. C. • Since a server then has k points of f(x, 0), it can reconstruct it and obtain f(0, 0). • This 2-round protocol ensures that the servers receive the same a(y) polynomial, thus consistent shares: reliable broadcast. O(n^2) message complexity, O(kn^4) communication complexity and optimal n > 3t resilience.
AVSS Verification • Verify-polynomial(C, i, a(y), a'(y), b(x), b'(x)) • True if for all l ∈ [0, k-1]: • and if for all j ∈ [0, k-1]:
AVSS Verification • Verify-points(C, i, m, a, a', b, b') • P_i verifies that the given points from P_m correspond to f(m, i), f'(m, i), f(i, m), f'(i, m). • True iff: • and iff:
AVSS Verification • Verify-share(C, m, s, s') • Verifies that (s, s') is a valid share of P_m. • True iff:
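A toy dealer and the three verification checks of the AVSS share distribution (added illustration, not the CKLS 02 code). It assumes the commitment matrix has Pedersen form C[j][l] = g^{f_jl} h^{f'_jl}, toy parameters p = 1019, q = 509 with generators g = 4, h = 9 of G_q, and that polynomials travel as coefficient lists; a real deployment uses large parameters and an h with unknown discrete log.

```python
import math
import random

P, Q = 1019, 509          # toy parameters: p = 2q + 1, G_q = quadratic residues mod p
G, H = 4, 9               # two generators of G_q; DL_G(H) is assumed unknown to everyone

def commit(a, b):
    """Pedersen commitment g^a h^b mod p."""
    return pow(G, a, P) * pow(H, b, P) % P

def poly_eval(coeffs, x):
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def univariate(f, i, in_x):
    """Coefficients of b_i(x) = f(x, i) (in_x) or of a_i(y) = f(i, y) from bivariate f[j][l]."""
    k = len(f)
    if in_x:
        return [sum(f[j][l] * pow(i, l, Q) for l in range(k)) % Q for j in range(k)]
    return [sum(f[j][l] * pow(i, j, Q) for j in range(k)) % Q for l in range(k)]

def deal(secret, n, k, seed):
    """Dealer: random f, f' of degree < k in x and y, f(0,0) = secret, C[j][l] = g^f_jl h^f'_jl.
    Returns C and each P_i's initial message (a_i, a'_i, b_i, b'_i) as coefficient lists."""
    rng = random.Random(seed)
    f = [[rng.randrange(Q) for _ in range(k)] for _ in range(k)]
    fp = [[rng.randrange(Q) for _ in range(k)] for _ in range(k)]
    f[0][0] = secret % Q
    C = [[commit(f[j][l], fp[j][l]) for l in range(k)] for j in range(k)]
    msgs = {i: (univariate(f, i, False), univariate(fp, i, False),
                univariate(f, i, True), univariate(fp, i, True)) for i in range(1, n + 1)}
    return C, msgs

def verify_polynomial(C, i, a, ap, b, bp):
    """P_i checks its initial message: coefficient l of a(y) must open prod_j C[j][l]^(i^j),
    coefficient j of b(x) must open prod_l C[j][l]^(i^l)."""
    k = len(C)
    ok_a = all(commit(a[l], ap[l]) == math.prod(pow(C[j][l], i ** j, P) for j in range(k)) % P
               for l in range(k))
    ok_b = all(commit(b[j], bp[j]) == math.prod(pow(C[j][l], i ** l, P) for l in range(k)) % P
               for j in range(k))
    return ok_a and ok_b

def verify_points(C, i, m, a, ap, b, bp):
    """P_i checks echo/ready points from P_m: (a, a') must open f(m, i), (b, b') must open f(i, m)."""
    k = len(C)
    exp_a = math.prod(pow(C[j][l], m ** j * i ** l, P) for j in range(k) for l in range(k)) % P
    exp_b = math.prod(pow(C[j][l], i ** j * m ** l, P) for j in range(k) for l in range(k)) % P
    return commit(a, ap) == exp_a and commit(b, bp) == exp_b

def verify_share(C, m, s, sp):
    """(s, s') is P_m's share iff it opens prod_j C[j][0]^(m^j), i.e. commits to f(m, 0)."""
    return commit(s, sp) == math.prod(pow(C[j][0], m ** j, P) for j in range(len(C))) % P
```

With n = 4, t = 1, k = 2 (so n - 2t ≥ k > t) every initial message passes verify-polynomial, the echo points P_1 would receive from P_2 pass verify-points, P_3's share (a_3(0), a'_3(0)) passes verify-share and a tampered share does not.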
AVSS Proofs • Prove liveness, agreement, correctness, privacy and efficiency. • Lemma: As in Bracha's protocol, if an honest server P_i sends a ready message containing C_i and a distinct honest server P_j sends a ready message containing C_j, then C_i = C_j.
AVSS Proofs • Liveness: • Follows from the protocol itself. If the dealer is honest, then all honest servers complete the sharing, provided they initialize the protocol and the adversary delivers all messages.
AVSS Proofs • Agreement: • If some honest server completes the sharing, then all honest servers complete the sharing. • Proof: • If an honest server has completed the sharing, it has received k + t valid ready messages that agree on some C. • At least k of them have been sent by honest servers. • A valid echo or ready message satisfies verify-points, and by definition honest servers send only valid ready messages. • Since an honest server sends its ready message to all servers, every honest server receives at least k valid ready messages with the same C by Lemma 2 and sends a ready message containing C. • Hence, by the assumption of the theorem, any honest server receives at least n - t ≥ k + t valid ready messages and completes the sharing.
AVSS Proofs • Agreement: • If all honest servers start the reconstruction then every honest server P_i reconstructs some z_i, except with negligible probability. • Proof: • From the Lemma, every honest server P_i computes the same C. • P_i received enough valid echo or ready messages w.r.t. C, so that it computes valid ready messages and a valid share w.r.t. C. • Thus, if all honest servers subsequently start the reconstruction stage, then every server receives enough valid shares to reconstruct some value.
AVSS Conceptually. • Reliably broadcasts the commitments C. • If the dealer is dishonest and gave a server a different C and polynomials which nevertheless verify, the server is able to obtain the correct C and polynomials (its share) from the k valid echo messages. • The dealer distributes consistent shares (C, polynomials) even if up to t servers are corrupted. • In Pedersen's scheme the dealer cannot distribute different C's, and he cannot distribute inconsistent shares under the DL assumption.
AVSS Summary. • (+) No synchronous interaction is required. • (-) O(n^2) messages. • (-) Message size is O(kn^2), dominated by C. • Possible to reduce the message size by a factor of n relying on a collision-resistant hash function H. • The proposed model extends to proactive cryptosystems, protecting the system against a mobile adversary.