Improving the Round Complexity of VSS in Point-to-Point Networks
Jonathan Katz (University of Maryland), Chiu-Yuen Koo (Google Labs), Ranjit Kumaresan (University of Maryland)

Verifiable secret sharing (VSS)
• Two-phase protocol
  • A dealer shares a secret among a set of n parties in the sharing phase
  • The secret is recovered in a reconstruction phase
• If the dealer is honest
  • No information about the secret is leaked in the sharing phase
  • All honest parties recover the dealer's secret
• Even if the dealer is dishonest
  • The view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase

Feasibility and efficiency?
• We study perfect (i.e., 0-error) VSS
  • This is known to be possible iff t < n/3 (even if broadcast is available)
• What is the inherent round complexity of this task?
  • 3 rounds are necessary (even with broadcast) [GIKR01]
  • An O(1)-round protocol is only possible if there is at least 1 round of broadcast

Upper bounds?
• Gennaro et al. show an efficient 4-round protocol and an inefficient 3-round protocol
• Fitzi et al. give an efficient 3-round protocol
  • Using broadcast in two of the rounds
• What happens if their protocol is implemented in a point-to-point network…?
  • Simulating broadcast is expensive…
  • Sequential composition of broadcast is expensive…
  • The protocol requires 55 rounds (in expectation)!

The upshot
• If the goal is to optimize round complexity for point-to-point networks, it is crucial to minimize the number of broadcast rounds
• Does there exist a VSS protocol that is simultaneously optimal in the number of rounds and the number of broadcasts?
• Recall: 1 round of broadcast is (essentially) necessary

Our results
• We give a positive answer to this question
  • A 3-round protocol using a single round of broadcast
  • Secure against an adaptive, rushing adversary
• Our VSS protocol also satisfies a useful property (2-level sharing) not satisfied by the protocol of Fitzi et al.

The rest of the talk
• WSS
  • A weaker variant of VSS
  • A 3-round WSS protocol using 1 round of broadcast
• VSS
  • A 3-round VSS protocol using the WSS protocol as a building block

WSS: definition
• WSS is similar to VSS
• Weaker guarantee for a dishonest dealer: the view of the honest parties in the sharing phase defines a value s such that each honest party outputs either s or ⊥ in the reconstruction phase
WSS protocol: sharing phase
• Round 1
  • D chooses F(x,y) with F(0,0) = s
  • D sends to P_i: f_i(x) := F(x,i) and g_i(y) := F(i,y)
  • Each P_i sends a random pad r_{i,j} to both P_j and D
• Round 2
  • For every ordered pair (i, j):
    • P_i sends a_{i,j} := f_i(j) to P_j
    • P_j sends b_{j,i} := g_j(i) to P_i
    • P_j sends r'_{i,j} = r_{i,j} to D

Sharing phase, continued
• Round 3 (broadcast round)
  • For every ordered pair (i, j):
    • P_i broadcasts ("disagree", f_i(j), r_{i,j}) if b_{j,i} ≠ f_i(j), and ("agree", f_i(j) + r_{i,j}) otherwise
    • P_j broadcasts ("disagree", g_j(i), r_{i,j}) if a_{i,j} ≠ g_j(i), and ("agree", g_j(i) + r_{i,j}) otherwise
    • D broadcasts ("not equal", F(j,i)) if r_{i,j} ≠ r'_{i,j}, and ("equal", F(j,i) + r_{i,j}) otherwise

Local computation
• The ordered pair (P_i, P_j) is conflicting if:
  • P_i broadcasts ("disagree", f_i(j), r_{i,j})
  • P_j broadcasts ("disagree", g_j(i), r'_{i,j})
  • and r_{i,j} = r'_{i,j}
• Note: if D is honest, then no two honest parties will be conflicting
• Note: all honest parties agree on who is conflicting

Local computation
• In a conflicting pair (P_i, P_j), we say P_i is unhappy if either:
  • D broadcasts ("not equal", d_{i,j}) and d_{i,j} ≠ f_i(j)
  • D broadcasts ("equal", d_{i,j}) and d_{i,j} ≠ f_i(j) + r_{i,j}
• If there are more than t unhappy parties, then D is disqualified
• Note: an honest dealer is never disqualified
• Note: all honest parties agree on who is unhappy

WSS protocol: reconstruction phase
• If P_j is not unhappy, it sends f_j(x) and g_j(y) to all parties
• Let f_{i,j} and g_{i,j} denote the polynomials P_i sends to P_j
• P_i constructs a consistency graph G_i
  • Edge between P_j and P_k in G_i iff f_{j,i}(k) = g_{k,i}(j) and g_{j,i}(k) = f_{k,i}(j)
• Iteratively remove vertices in G_i with degree < n−t
• Let Core_i be the parties left in G_i
• If |Core_i| < n−t, then P_i outputs ⊥
• Else, let F'(x,y) be the polynomial defined by any t+1 parties in Core_i, and output s' := F'(0,0)
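The reconstruction-phase local computation above (consistency graph, iterative pruning, interpolation from t+1 members of Core_i), as an added Python simulation that is not part of the talk or the paper. The field modulus, the honest dealer's polynomial and the corrupt party P_3 are constructed for the example, and the degree count treats a vertex as consistent with itself (our reading of the slide's n−t threshold, under which n−t mutually consistent parties all survive).

```python
import random
P = 2**61 - 1  # prime field modulus, chosen for this example

def lagrange_at_zero(points):
    """Value at x = 0 of the polynomial of degree < len(points) through the given (x, y) points."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xk, _ in points:
            if xk != xj:
                num, den = num * (-xk) % P, den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def dealer_polynomial(t, s, rng):
    """Coefficients c[a][b] of F(x,y) = sum c[a][b] x^a y^b, degree t in each variable, F(0,0) = s."""
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c

def evaluate(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P) for a in range(len(c)) for b in range(len(c))) % P

def shares_for(c, i):
    """Round-1 message from D to P_i: f_i(x) = F(x,i) and g_i(y) = F(i,y), as callables."""
    return (lambda x: evaluate(c, x, i)), (lambda y: evaluate(c, i, y))

def wss_reconstruct(n, t, received):
    """P_i's local computation. received[j] = (f_j, g_j) sent by P_j; absent if P_j was unhappy.
    A vertex counts itself in its degree (our reading of the slide's n-t threshold). None stands for ⊥."""
    alive = {j for j in range(1, n + 1) if j in received}
    def edge(j, k):  # edge (j,k) in G_i iff the two parties' polynomials cross-check
        (fj, gj), (fk, gk) = received[j], received[k]
        return fj(k) == gk(j) and gj(k) == fk(j)
    while True:
        deg = {j: 1 + sum(1 for k in alive if k != j and edge(j, k)) for j in alive}
        dropped = {j for j in alive if deg[j] < n - t}
        if not dropped:
            break
        alive -= dropped
    if len(alive) < n - t:
        return None
    core = sorted(alive)[: t + 1]  # any t+1 members of Core_i define F'; f_j(0) = F'(0,j)
    return lagrange_at_zero([(j, received[j][0](0)) for j in core])  # F'(0,y) evaluated at y = 0

def demo(n=4, t=1, secret=12345):
    F = dealer_polynomial(t, secret, random.Random(7))  # honest dealer's polynomial (constructed)
    honest = {j: shares_for(F, j) for j in range(1, n + 1)}
    tampered = {**honest, 3: shares_for(dealer_polynomial(t, 999, random.Random(8)), 3)}  # corrupt P_3
    return wss_reconstruct(n, t, honest), wss_reconstruct(n, t, tampered), wss_reconstruct(n, t, {j: honest[j] for j in (1, 2)})
```

demo() returns the secret with an honest dealer, the secret again once the inconsistent P_3 has been pruned from Core_i, and None (the ⊥ output) when fewer than n−t parties send polynomials.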
Proof sketches
• Privacy
  • t points on a degree-t polynomial do not reveal information about the constant term
  • No information about s is leaked in round 3 due to the use of random pads
• Correctness for honest D: if P_i is honest, then:
  • All honest parties are in Core_i, so |Core_i| ≥ n−t
  • Any party in Core_i must have sent polynomials that agree with at least 2t+1 parties in Core_i, of which at least t+1 are honest
  • Since the polynomials sent by honest parties all agree with the dealer's polynomial F, P_i will correctly recover F and output the dealer's secret

Proof sketches, continued
• Weak commitment (for dishonest D):
  • Assume the dealer is not disqualified (so there are at most t unhappy parties, and at least n−2t ≥ t+1 honest parties who are not unhappy)
  • Claim: the polynomials f_i sent by D to the first t+1 such parties define a polynomial F such that any honest P_i outputs either F(0,0) or ⊥ in the reconstruction phase
    • If |Core_i| < n−t, we are done
    • Otherwise, the argument is similar to (though slightly more involved than) before
  • This completes the proof
VSS
• We now construct a 3-round VSS protocol (using 1 round of broadcast) using the previous WSS protocol as a subroutine
• Our VSS protocol also achieves "2-level sharing"…

2-level sharing
• At the end of the sharing phase each honest P_i outputs s_i and {s_{i,j}} such that
  • The {s_i} lie on a degree-t polynomial whose constant term is the value s that honest parties will output in the reconstruction phase
  • For each j, the {s_{i,j}} lie on a degree-t polynomial whose constant term is s_j
• Useful when VSS is used as a building block for general secure MPC

Overview of the protocol
• Sharing is done essentially as in WSS, but now parties reveal their random pads in the reconstruction phase
• To ensure correctness, we use WSS to generate the random pads
  • Random pads are no longer independent, but lie on a random degree-t polynomial (which suffices for secrecy)
• To obtain 2-level sharing, we have the dealer choose a symmetric bivariate polynomial

VSS protocol: high level
• Round 1
  • D chooses symmetric F(x,y) with F(0,0) = s
  • D sends to P_i: f_i(x) := F(x,i)
  • Each P_i chooses a random s_i and shares it using WSS; let F^pad_i be the polynomial used
  • P_i sends F^pad_i(x,j) to each P_j and F^pad_i(0,y) to D
• Round 2
  • Set r_{i,j} = F^pad_i(i,j); the rest is as before
  • Run the second round of all WSS sub-protocols

VSS protocol: high level
• Round 3
  • As before
  • Also run the third round of all WSS sub-protocols

Local computation
• We define a conflicting pair and an unhappy party as before
• Core is the set of all happy parties
• Core_i is the set of all happy parties in WSS_i
• All players agree on Core and {Core_i}

Local computation, continued
• For all i, j, remove P_j from Core_i if, in round 3:
  • P_i broadcasts ("agree", y) and P_j did not broadcast ("agree", y), OR
  • P_i broadcasts ("disagree", *, w) and P_j broadcasts anything other than ("disagree", *, w)
• Remove P_i from Core if |Core ∩ Core_i| < n−t
• If |Core| < n−t, then D is disqualified
• Each party P_i computes f_i(x) as follows:
  • If P_i is in Core, then f_i(x) is the polynomial received from D in round 1
  • See the paper for the other case
• Each P_i outputs s_i = f_i(0) and s_{i,j} = f_i(j)

VSS: reconstruction phase
• Each party P_i sends s_i to all other parties
• Let s'_{j,i} be the value that P_j sends to P_i
• P_i computes a degree-t polynomial f(x) such that f(j) = s'_{j,i} for at least 2t+1 values of j
• P_i outputs f(0)

Proof sketches
• Privacy
  • Same as WSS except for the random pads
  • Random pads lie on random degree-t polynomials and hence reveal no additional information about s
• Correctness with 2-level sharing (D honest):
  • For honest P_i, all other honest parties belong to Core_i
  • All honest parties remain in Core
  • p(x) = F(0,x) and p_j(x) = F(j,x) imply 2-level sharing
  • The reconstruction phase succeeds since there are at most t bad shares out of n > 3t shares

Proof sketches, continued
• Correctness with 2-level sharing (dealer dishonest):
  • Refer to the full version of the paper for a proof: http://eprint.iacr.org/2007/358

Open questions
• What is the optimal (expected) round complexity of VSS in a point-to-point network?
• Can better round complexity be achieved for statistical VSS?
• How about (statistical) VSS for t < n/2?
• See Patra et al. for some recent progress on these questions
Local computation, continued
• If P_i is not in Core:
  • Core'_i: P_j is in Core'_i if and only if
    • P_j ∈ Core and P_i ∈ Core_j
    • {p_{j,k}}_k are consistent with a polynomial B_j(x) of degree at most t, where
      • p_{j,k} := y_{j,k} if, in step 1 of round 3 for the ordered pair (j, k), party P_j broadcast ("agree", y_{j,k})
      • p_{j,k} := w_{j,k} + z_{j,k} if P_j broadcast ("disagree", w_{j,k}, z_{j,k})
  • For each P_j ∈ Core'_i, p_j := p_{j,i} − f^pad_{j,i}(0). Let f_i be the interpolating polynomial for the p_j with P_j ∈ Core'_i
  • Finally, P_i outputs s_i := f_i(0) and s_{i,j} := f_i(j)

Proof sketches, continued
• Correctness with 2-level sharing (D dishonest):
  • For honest P_i, |Core'_i| > t
    • Core contains at least t+1 honest parties
    • For an honest P_j, Core_j contains P_i
    • The p_{j,k} computed by P_i lie on B_j(x) = f_j(x) + F^pad_j(0,x), since P_j ∈ Core and D does not disagree on the broadcast values
  • There are t+1 honest parties in Core
    • F(x,y) is defined naturally by these parties
    • Polynomials of honest P_i ∈ Core agree with F(x,y)

Proof sketches, continued
• Constructed polynomials of honest P_i not in Core agree with F(x,y):
  • For any P_k ∈ Core_j, we have f^pad_{j,k}(x) = F^pad_j(0,k) and f_k(j) = F(k,j) (otherwise P_k is removed from Core_i)
  • B_j(k) is recovered for at least t+1 values of k
  • B_j(x) = F(x,j) + F^pad_j(0,x) is recovered
  • p_j = p_{j,i} − f^pad_{j,i}(0) = B_j(i) − F^pad_j(0,i) = F(i,j)
  • Hence P_i recovers F(i,x) = F(x,i)