
Improving the Round Complexity of VSS in Point-to-Point Networks

Jonathan Katz (University of Maryland)

Chiu-Yuen Koo (Google Labs)

Ranjit Kumaresan (University of Maryland)

Verifiable secret sharing (VSS)

Two-phase protocol: A dealer shares a secret among a set of n parties in the sharing phase. The secret is recovered in a reconstruction phase.

If the dealer is honest: No information about the secret is leaked in the sharing phase. All honest parties recover the dealer’s secret.

Even if the dealer is dishonest: The view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase.

Feasibility and efficiency?

We study perfect (i.e., 0-error) VSS

This is known to be possible iff t < n/3 (even if broadcast is available)

What is the inherent round complexity of this task? 3 rounds are necessary (even with broadcast) [GIKR01]. An O(1)-round protocol is only possible if there is at least 1 round of broadcast.

Upper bounds?

Gennaro et al. show an efficient 4-round protocol and an inefficient 3-round protocol

Fitzi et al. give an efficient 3-round protocol, using broadcast in two of the rounds

What happens if their protocol is implemented in a point-to-point network? Simulating broadcast is expensive, and sequential composition of broadcast is expensive: the protocol requires 55 rounds (in expectation)!

The upshot

If the goal is to optimize round complexity for point-to-point networks, it is crucial to minimize the number of broadcast rounds

Does there exist a VSS protocol that is simultaneously optimal in the number of rounds and the number of broadcasts? Recall: 1 round of broadcast is (essentially) necessary

Our results

We give a positive answer to this question: a 3-round protocol using a single round of broadcast, secure against an adaptive, rushing adversary

Our VSS protocol also satisfies a useful property (2-level sharing) not satisfied by the protocol of Fitzi et al.

The rest of the talk

WSS: a weaker variant of VSS. A 3-round WSS protocol using 1 round of broadcast

VSS: a 3-round VSS protocol using the WSS protocol as a building block

WSS: definition

WSS is similar to VSS

Weaker guarantee for a dishonest dealer: The view of the honest parties in the sharing phase defines a value s such that each honest party outputs either s or ⊥ in the reconstruction phase

WSS protocol: sharing phase

Round 1: D chooses F(x,y) with F(0,0) = s. D sends to Pi: fi(x) := F(x,i), gi(y) := F(i,y)

Each Pi sends a random pad ri,j to both Pj and D

Round 2: For every ordered pair (i, j):

Pi sends ai,j := fi(j) to Pj

Pj sends bj,i := gj(i) to Pi

Pj sends r’i,j = ri,j to D

Sharing phase, continued

Round 3 (broadcast round): For every ordered pair (i, j):

Pi broadcasts (“disagree”, fi(j), ri,j) if bj,i ≠ fi(j), and (“agree”, fi(j)+ri,j) otherwise

Pj broadcasts (“disagree”, gj(i), r’i,j) if ai,j ≠ gj(i), and (“agree”, gj(i)+r’i,j) otherwise

D broadcasts (“not equal”, F(j,i)) if ri,j ≠ r’i,j, and (“equal”, F(j,i)+ri,j) otherwise

Local computation

The ordered pair (Pi, Pj) is conflicting if: Pi broadcasts (“disagree”, fi(j), ri,j), Pj broadcasts (“disagree”, gj(i), r’i,j), and ri,j = r’i,j

Note: If D is honest, then no two honest parties will be conflicting

Note: all honest parties agree on who is conflicting

Local computation

In a conflicting pair (Pi, Pj), we say Pi is unhappy if either: D broadcasts (“not equal”, di,j) and di,j ≠ fi(j), or D broadcasts (“equal”, di,j) and di,j ≠ fi(j)+ri,j

If there are more than t unhappy parties, then D is disqualified

Note: an honest dealer is never disqualified

Note: all honest parties agree on who is unhappy
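As an added illustration (not code from the paper), the following Python simulates rounds 2 and 3 and the local computation above with all n parties honest and only the dealer possibly cheating. Assumptions of this example: a prime field P chosen here, polynomials stored as lists of their values, and the dealer's round-3 value for each ordered pair supplied by a callback.

```python
import random

P = 2**61 - 1  # constructed: prime field for the example

def bivariate(t, s):
    """Dealer's F(x,y): random, degree t in each variable, F(0,0) = s; c[a][b] multiplies x^a y^b."""
    c = [[random.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c

def F(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P) for a in range(len(c)) for b in range(len(c))) % P

def deal(c, n):
    """Round 1: Pi gets f_i(x) = F(x,i) and g_i(y) = F(i,y), each stored as its values at x (or y) = 0..n."""
    return {i: ([F(c, x, i) for x in range(n + 1)], [F(c, i, y) for y in range(n + 1)]) for i in range(1, n + 1)}

def sharing_phase(n, t, shares, dealer_claim):
    """Rounds 2-3 and the local computation with every Pi honest; only D may cheat.  shares[i] = (f_i, g_i)
    as delivered by D; dealer_claim(i, j) is the value D uses for pair (i, j) in round 3 (F(j,i) if honest).
    Returns (set of unhappy parties, whether D is disqualified)."""
    pads = {(i, j): random.randrange(P) for i in range(1, n + 1) for j in range(1, n + 1) if i != j}
    unhappy = set()
    for (i, j), r in pads.items():            # r = r_ij: chosen by Pi, sent to Pj and D in round 1
        f_i, g_j = shares[i][0], shares[j][1]
        a_ij, b_ji, r_fwd = f_i[j], g_j[i], r  # round 2: Pi -> Pj, Pj -> Pi, Pj forwards r'_ij = r to D
        # round 3 broadcasts for the ordered pair (i, j)
        msg_i = ("disagree", f_i[j], r) if b_ji != f_i[j] else ("agree", (f_i[j] + r) % P)
        msg_j = ("disagree", g_j[i], r_fwd) if a_ij != g_j[i] else ("agree", (g_j[i] + r_fwd) % P)
        d = dealer_claim(i, j)
        msg_d = ("not equal", d) if r != r_fwd else ("equal", (d + r) % P)
        # local computation: is (Pi, Pj) conflicting, and if so is Pi unhappy with D's broadcast?
        conflicting = msg_i[0] == msg_j[0] == "disagree" and msg_i[2] == msg_j[2]
        if conflicting and ((msg_d[0] == "not equal" and msg_d[1] != f_i[j])
                            or (msg_d[0] == "equal" and msg_d[1] != (f_i[j] + r) % P)):
            unhappy.add(i)
    return unhappy, len(unhappy) > t

def demo(n=7, t=2, s=42, corrupted=(1, 4, 5)):
    """Constructed scenario: D hands each party in `corrupted` an f_i inconsistent with the others' g_j."""
    c = bivariate(t, s)
    shares = deal(c, n)
    for i in corrupted:
        shares[i] = ([random.randrange(P) for _ in range(n + 1)], shares[i][1])
    return sharing_phase(n, t, shares, lambda i, j: F(c, j, i))
```

With all parties honest the forwarded pad always matches, so D's (“not equal”) branch is present for completeness but never taken; the three corrupted parties exceed t = 2, so D is disqualified, while a single corrupted party leaves D qualified.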

WSS protocol: reconstruction phase

If Pj is not unhappy, it sends fj(x) and gj(y) to all parties

Let fi^j and gi^j denote the polynomials Pi sends to Pj

Pi constructs a consistency graph Gi

Edge between Pj and Pk in Gi iff fj^i(k) = gk^i(j) and gj^i(k) = fk^i(j)

Iteratively remove vertices in Gi with degree < n−t

Let Corei be the parties left in Gi

If |Corei| < n−t, then Pi outputs ⊥. Else, let F’(x,y) be the polynomial defined by any t+1 parties in Corei, and output s’ := F’(0,0)
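As an added example (not the paper's code), this Python carries out Pi's reconstruction step above: build the consistency graph, prune vertices of degree below n−t, and interpolate F’(0,0) from t+1 core members. Assumptions of the example: a prime field P chosen here, polynomials stored as lists of their values, and a party counted as consistent with itself when its degree is computed (so honest parties reach degree n−t).

```python
import random

P = 2**61 - 1  # constructed: prime field for the example

def lagrange_at_zero(points):
    """Value at 0 of the unique polynomial of degree < len(points) through the (x, y) points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def bivariate(t, s):
    """Dealer's F(x,y): random, degree t in each variable, F(0,0) = s; c[a][b] multiplies x^a y^b."""
    c = [[random.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c

def F(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P) for a in range(len(c)) for b in range(len(c))) % P

def deal(c, n):
    """Round 1: Pj gets f_j(x) = F(x,j) and g_j(y) = F(j,y), each stored as its values at x (or y) = 0..n."""
    return {j: ([F(c, x, j) for x in range(n + 1)], [F(c, j, y) for y in range(n + 1)]) for j in range(1, n + 1)}

def wss_reconstruct(n, t, received):
    """Pi's reconstruction from received[j] = (f_j, g_j) as sent by Pj; returns s' or None (standing in for ⊥)."""
    def consistent(j, k):  # edge (Pj, Pk) in Gi iff f_j(k) = g_k(j) and g_j(k) = f_k(j); j = k counts too
        return received[j][0][k] == received[k][1][j] and received[j][1][k] == received[k][0][j]
    core = set(received)
    while True:  # iteratively drop vertices whose degree inside the remaining graph is below n - t
        low = {j for j in core if sum(consistent(j, k) for k in core) < n - t}
        if not low:
            break
        core -= low
    if len(core) < n - t:
        return None
    # any t+1 members of Core_i define F'; since f_j(0) = F(0,j), interpolating those points at 0 yields F'(0,0)
    return lagrange_at_zero([(j, received[j][0][0]) for j in sorted(core)[:t + 1]])

def demo(n=7, t=2, s=42, cheaters=(3, 6)):
    """Honest dealer; the constructed cheaters send random polynomials in the reconstruction phase."""
    msgs = deal(bivariate(t, s), n)
    for j in cheaters:
        msgs[j] = ([random.randrange(P) for _ in range(n + 1)], [random.randrange(P) for _ in range(n + 1)])
    return wss_reconstruct(n, t, msgs)
```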

Proof sketches

Privacy: t points on a degree-t polynomial do not reveal information about the constant term. No information about s is leaked in round 3 due to the use of random pads.

Correctness for honest D: If Pi is honest, then all honest parties are in Corei, so |Corei| ≥ n−t

Any party in Corei must have sent polynomials that agree with at least 2t+1 parties in Corei, of which at least t+1 are honest

Since the polynomials sent by honest parties all agree with the dealer’s polynomial F, we see that Pi will correctly recover F and output the dealer’s secret

Proof sketches, continued

Weak commitment (for dishonest D): Assume the dealer is not disqualified (so there are at most t unhappy parties, and at least n−2t ≥ t+1 honest parties who are not unhappy)

Claim: the polynomials fi sent by D to the first t+1 such parties define a polynomial F such that any honest Pi outputs either F(0,0) or ⊥ in the reconstruction phase

If |Corei| < n−t, we are done. Otherwise, the argument is similar to (though slightly more involved than) before. This completes the proof.

VSS

We now construct a 3-round VSS protocol (using 1 round of broadcast) using the previous WSS protocol as a subroutine

Our VSS protocol also achieves “2-level sharing”…

2-level sharing

At the end of the sharing phase each honest Pi outputs si and {si,j} such that:

The {si} lie on a degree-t polynomial whose constant term is the value s that honest parties will output in the reconstruction phase

For each j, the {si,j} lie on a degree-t polynomial whose constant term is sj

Useful when VSS is used as a building block for general secure MPC

Overview of the protocol

Sharing done essentially as in WSS, but now parties reveal their random pads in the reconstruction phase

To ensure correctness, we use WSS to generate the random pads. The random pads are no longer independent, but lie on a random degree-t polynomial (which suffices for secrecy)

To obtain 2-level sharing, we have the dealer choose a symmetric bivariate polynomial

VSS protocol: high level

Round 1: D chooses symmetric F(x,y) with F(0,0) = s. D sends to Pi: fi(x) := F(x,i)

Each Pi chooses a random si and shares it using WSS; let Fi^pad be the polynomial used

Pi sends Fi^pad(x,j) to each Pj and Fi^pad(0,y) to D

Round 2: Set ri,j = Fi^pad(i,j); the rest is as before. Run the second round of all WSS sub-protocols

VSS protocol: high level

Round 3 As before Also run third round of all WSS sub-protocols

Local computation

We define a conflicting pair and an unhappy party as before

Core is the set of all happy parties; Corei is the set of all happy parties in WSSi

All players agree on Core and {Corei}

Local computation, continued

For all i, j, remove Pj from Corei if, in round 3:

Pi broadcasts (“agree”, y) and Pj did not broadcast (“agree”, y), OR Pi broadcasts (“disagree”, *, w) and Pj broadcasts anything other than (“disagree”, *, w)

Remove Pi from Core if |Core ∩ Corei| < n−t

If |Core| < n−t, then D is disqualified

Each party Pi computes fi(x) as follows: If Pi ∈ Core, then fi(x) is the polynomial received from D in round 1. See the paper for the other case.

Each Pi outputs si = fi(0) and si,j = fi(j)

VSS: reconstruction phase

Each party Pi sends si to all other parties

Let s'j,i be the value that Pj sends to Pi

Pi computes a degree-t polynomial f(x) such that f(j) = s’j,i for at least 2t+1 values of j

Pi outputs f(0)

Proof sketches

Privacy: Same as WSS except for the random pads. The random pads lie on random degree-t polynomials and hence reveal no additional information about s

Correctness with 2-level sharing (D honest): For honest Pi, all other honest parties belong to Corei

All honest parties remain in Core

p(x) = F(0,x) and pj(x) = F(j,x) imply 2-level sharing

The reconstruction phase succeeds since there are at most t bad shares out of n > 3t shares

Proof sketches, continued

Correctness with 2-level sharing (dealer dishonest): Refer to the full version of the paper for a proof http://eprint.iacr.org/2007/358

Open questions

What is the optimal (expected) round complexity of VSS in a point-to-point network?

Can better round complexity be achieved for statistical VSS?

How about (statistical) VSS for t < n/2? See Patra et al. for some recent progress on these questions

Thank you!

Local computation, continued

If Pi is not in Core:

Core’i: Pj is in Core’i if and only if Pj ∈ Core and Pi ∈ Corej, and the {pj,k}k are consistent with a polynomial Bj(x) of degree at most t, where pj,k := yj,k if, in step 1 of round 3 for the ordered pair (j, k), party Pj broadcasted (“agree”, yj,k), and pj,k := wj,k + zj,k if Pj broadcasted (“disagree”, wj,k, zj,k)

For each Pj ∈ Core’i, pj := pj,i − fj,i^pad(0). Let fi be the interpolating polynomial for the pj with Pj ∈ Core’i. Finally, Pi outputs si := fi(0) and si,j := fi(j)

Proof sketches, continued

Correctness with 2-level sharing (D dishonest): For honest Pi, |Core’i| > t

Core contains at least t+1 honest parties. For an honest Pj, Corej contains Pi.

The pj,k computed by Pi lie on Bj(x) = fj(x) + Fj^pad(0,x), since Pj ∈ Core, so Pj and D do not disagree on the broadcast values.

There are t+1 honest parties in Core; F(x,y) is defined naturally by these parties. The polynomials of honest Pi ∈ Core agree with F(x,y).

Proof sketches, continued

The constructed polynomials of honest Pi not in Core agree with F(x,y). For any Pk ∈ Corej, we have fj,k^pad(x) = Fj^pad(0,k) and fk(j) = F(k,j) (otherwise Pk is removed from Corei).

Bj(k) is recovered for at least t+1 values of k.

Bj(x) = F(x,j) + Fj^pad(0,x) is recovered.

pj = pj,i − fj,i^pad(0) = Bj(i) − Fj^pad(0,i) = F(i,j).

Hence Pi recovers F(i,x) = F(x,i)