Round-Optimal and Efficient Verifiable Secret Sharing Matthias Fitzi (Aarhus University) Juan Garay (Bell Labs) Shyamnath Gollakota (IIT Madras) C. Pandu.


1 Round-Optimal and Efficient Verifiable Secret Sharing
Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)

2 Round-Optimal and Efficient VSS (TCC06): Secret Sharing Protocols [Sha79,Bla79]
Two phases
– Sharing phase
– Reconstruction phase
Sharing Phase
– D initially holds s and each player P_i finally holds some private information v_i.
Reconstruction Phase
– Each player P_i reveals (some of) his private information v_i, on which a reconstruction function is applied to obtain s = Rec(v_1, v_2, …, v_n).
Set of players P = {P_1, P_2, …, P_n}, dealer D (e.g., D = P_1).

3 Secret Sharing (contd)
[Figure: Sharing Phase, in which the Dealer holding secret s hands out shares v_1, v_2, v_3, …, v_n; Reconstruction Phase.]
Less than t+1 players have no info about the secret.

4 Secret Sharing (contd)
[Figure: Sharing Phase, in which the Dealer holding secret s hands out shares v_1, v_2, v_3, …, v_n; Reconstruction Phase, which yields secret s.]
t+1 players can reconstruct the secret.
Players are assumed to give their shares honestly.

5 Verifiable Secret Sharing (VSS) [CGMA85]
Extends secret sharing to the case of active corruptions (corrupted players, incl. Dealer, may not follow the protocol)
– Up to t corrupted players
– Adaptive adversary
Reconstruction Phase
– Each player P_i reveals (some of) his private information v_i, on which a reconstruction function is applied to obtain s = Rec(v_1, v_2, …, v_n).

6 VSS Requirements
Privacy
– If D is honest, adversary has no Shannon information about s during the Sharing phase.
Correctness
– If D is honest, the reconstructed value s = s.
Commitment
– After Sharing phase, s is uniquely determined.

7 Weak VSS (WSS) [RB89]
Privacy
– If D is honest, adversary has no Shannon information about s during the Sharing phase.
Correctness
– If D is honest, the reconstructed value s = s.
Weak Commitment
– After Sharing phase, s is uniquely determined such that Rec(v_1, v_2, …, v_n) {, s }.

8 Communication Model and Round Complexity
Synchronous, fully connected network of pair-wise secure channels + broadcast channel.
Round complexity: Number of communication rounds in the Sharing phase.
Efficiency: Total computation and communication polynomial in n and size of the secret.

9 Prior (Relevant) Work
Perfect VSS possible iff n > 3t [BGW88, DDWY90]
Round complexity of VSS [GIKR01]
– n > 4t: Efficient 2-round protocol
– n > 3t: No 2-round protocol exists
   Efficient 4-round protocol
   Inefficient 3-round protocol

10 Our Contributions
VSS: Efficient 3-round protocol for n > 3t
WSS:
– Efficient 3-round protocol for n > 3t (round optimal)
– Efficient 1-round protocol for n > 4t
(1+ ) amortized-round VSS protocol for n > 3t

11 Our Contributions
VSS: Efficient 3-round protocol for n > 3t
WSS:
– Efficient 3-round protocol for n > 3t (round optimal)
– Efficient 1-round protocol for n > 4t
(1+ ) amortized-round VSS protocol for n > 3t

12 3-Round (n/3)-WSS
[Figure: Sharing Phase, in which the Dealer holding secret s hands out shares v_1, v_2, v_3, …, v_n; Reconstruction Phase.]

13 3-Round (n/3)-WSS
[Figure: shares v_1, v_2, v_3, …, v_n of secret s; Reconstruction Phase, which yields secret s.]

14 3-Round (n/3)-WSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i sends to P_j a random pad r_ij.
Round 2:
P_i broadcasts
– a_ij = f_i(j) + r_ij
– b_ij = g_i(j) + r_ji
P_j broadcasts
– a_ji = f_j(i) + r_ji
– b_ji = g_j(i) + r_ij
F(j,i) + r

15 3-Round (n/3)-WSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i sends to P_j a random pad r_ij.
Round 2:
P_i broadcasts
– a_ij = f_i(j) + r_ij
– b_ij = g_i(j) + r_ji
P_j broadcasts
– a_ji = f_j(i) + r_ji
– b_ji = g_j(i) + r_ij
Round 3: For each a_ij b_ji
– P_i broadcasts f_i(j)
– P_j broadcasts g_j(i)
– D broadcasts F(j,i)
A player is said to be unhappy if his value does not match D's value.
If the number of unhappy players > t, disqualify D.
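An added example, not part of the original slides: a simulation of the three sharing-phase rounds over a prime field, showing that consistent shares produce no round-3 openings while shifted shares make exactly the affected players unhappy. The modulus, the function names, the `tamper` parameter, and reading the round-3 condition as a mismatch between a_ij and b_ji are assumptions.

```python
import secrets

P = 2**31 - 1  # prime field modulus (assumed; the slides do not fix a field)

def deal(s, t):
    """Dealer, round 1: random F(x,y) of degree t in each variable, F(0,0)=s."""
    c = [[secrets.randbelow(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c

def F(c, x, y):
    """Evaluate F(x,y) = sum of c[a][b] * x^a * y^b mod P."""
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P

def sharing_phase(n, t, s, tamper=None):
    """Run rounds 1-3. tamper maps player i to a nonzero offset added to the
    f_i that D sends (hypothetical knob modelling a cheating dealer).
    Returns (set of unhappy players, whether D is disqualified)."""
    c, ids = deal(s, t), range(1, n + 1)
    # Round 1: P_i receives f_i(x) = F(x,i) and g_i(y) = F(i,y). Only the
    # points f_i(j), g_i(j) are used below, so those are what we store.
    f = {i: {j: F(c, j, i) for j in ids} for i in ids}
    g = {i: {j: F(c, i, j) for j in ids} for i in ids}
    for i, delta in (tamper or {}).items():
        f[i] = {j: (v + delta) % P for j, v in f[i].items()}
    r = {(i, j): secrets.randbelow(P) for i in ids for j in ids}  # pad r_ij
    # Round 2: every P_i broadcasts its padded points.
    a = {(i, j): (f[i][j] + r[i, j]) % P for i in ids for j in ids}
    b = {(i, j): (g[i][j] + r[j, i]) % P for i in ids for j in ids}
    # Round 3: for each mismatching pair, P_i, P_j and D open the point.
    unhappy = set()
    for i in ids:
        for j in ids:
            if a[i, j] != b[j, i]:
                d = F(c, j, i)               # D broadcasts F(j,i)
                if f[i][j] != d:             # P_i broadcast f_i(j)
                    unhappy.add(i)
                if g[j][i] != d:             # P_j broadcast g_j(i)
                    unhappy.add(j)
    return unhappy, len(unhappy) > t
```

With n = 7 and t = 2, tampering three players' shares pushes the unhappy count past t and disqualifies the dealer; tampering one or two does not.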

16 3-Round (n/3)-WSS Reconstruction Phase
Every happy player P_i broadcasts f_i(x) and g_i(y).
Local computation:
– Every player constructs a consistency graph G over the set of happy players: there exists an edge between P_i, P_j G iff f_i(j) = g_j(i) and g_i(j) = f_j(i).
– Every player constructs a set CORE as follows:
   Initially all nodes with degree at least n–t in G are in CORE.
   Players in CORE consistent with less than n–t players in CORE are removed.
   Repeat until no more players can be removed from CORE.
Secret determined by the polynomial defined by any t+1 players from CORE.
If |CORE| < n–t, the secret is.
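An added example, not part of the original slides: the CORE pruning loop and the recovery of F(0,0) from t+1 CORE members by Lagrange interpolation of the points f_i(0) = F(0,i). The modulus, the function names, the sample polynomial, counting a player as consistent with itself (so that n–t honest players meet the n–t threshold), and returning `None` when |CORE| < n–t are assumptions.

```python
P = 2**31 - 1  # prime field modulus (assumed; the slides do not fix a field)

def ev(poly, x):
    """Horner evaluation of a coefficient list (lowest degree first) mod P."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc

def consistent(i, j, f, g):
    """Edge rule from the slide: f_i(j) = g_j(i) and g_i(j) = f_j(i)."""
    return ev(f[i], j) == ev(g[j], i) and ev(g[i], j) == ev(f[j], i)

def core(happy, f, g, n, t):
    """Drop players consistent with fewer than n-t members until stable.
    Assumption: j ranges over all members including i itself."""
    members = set(happy)
    while True:
        keep = {i for i in members
                if sum(consistent(i, j, f, g) for j in members) >= n - t}
        if keep == members:
            return members
        members = keep

def reconstruct(happy, f, g, n, t):
    """Return F(0,0) from t+1 CORE members, or None when |CORE| < n-t."""
    c = sorted(core(happy, f, g, n, t))
    if len(c) < n - t:
        return None
    pts, s = c[:t + 1], 0            # f_i(0) = F(0,i) lies on F(0,y)
    for i in pts:
        lam = 1                      # Lagrange coefficient at y = 0
        for k in pts:
            if k != i:
                lam = lam * k % P * pow((k - i) % P, -1, P) % P
        s = (s + ev(f[i], 0) * lam) % P
    return s

def sample_shares(n, s=42):
    """Constructed input: F(x,y) = s + 5x + 7y + 3xy, so t = 1."""
    f = {i: [s + 7 * i, 5 + 3 * i] for i in range(1, n + 1)}  # F(x,i)
    g = {i: [s + 5 * i, 7 + 3 * i] for i in range(1, n + 1)}  # F(i,y)
    return f, g
```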

17 3-Round (n/3)-WSS Proof Sketch
Privacy: (D is honest)
– D distributes consistent information any pair of honest players publish same mutual padded values.
– Randomness of pads leads to indistinguishability of adversary's view under different secrets.
Correctness: (D is honest)
– All honest players (at least n–t) are happy no disqualification of D in Sharing Phase.
– They all end up in CORE, thus the secret reconstructed is s.

18 3-Round (n/3)-WSS Proof Sketch
Weak Commitment:
– |CORE| < n – t: All honest players output.
– |CORE| n – t: All players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase:
   The n–2t honest happy players define a unique polynomial F (x,y) (at the end of Sharing Phase).
   Every dishonest happy player in CORE is consistent with at least n–t players in CORE, of which n–2t t+1 are honest every dishonest happy player in CORE is also consistent with F (x,y).

19 (n/3)-WSS Round Optimality
Based on impossibility of 3-round Weak Secure Multicast:
P = {P_1, P_2, …, P_n}; D P holds input m; multicast set M P.
– Privacy: If all players in M are honest, then adversary learns no information about m.
– Correctness: If D is honest, then all honest players in M output m.
– Weak Agreement: Even if D is dishonest, all honest players in M output a value in {m, }.
r-round WSS r-round WSM

20 Recall: 3-Round (n/3)-WSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i sends to P_j a random pad r_ij.
Round 2: P_i broadcasts
– a_ij = f_i(j) + r_ij
– b_ij = g_i(j) + r_ji
Round 3: For each a_ij b_ji
– P_i broadcasts f_i(j)
– P_j broadcasts g_j(i)
– D broadcasts F(j,i)
A player is said to be unhappy if his value does not match D's value.
If the number of unhappy players > t, disqualify D.

21 3-Round (n/3)-VSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i selects random r_i and starts (n/3)-WSS on r_i using F_i^W(x,y).

22 3-Round (n/3)-VSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i selects random r_i and starts (n/3)-WSS_i on r_i using F_i^W(x,y).
Round 2: P_i broadcasts
– a_ij = f_i(j) + F_i^W(0,j)
– b_ij = g_i(j) + F_j^W(0,i)
– Concurrently, round 2 of (n/3)-WSS_i takes place.

23 3-Round (n/3)-VSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i selects random r_i and starts (n/3)-WSS_i on r_i using F_i^W(x,y).
Round 2: P_i broadcasts
– a_ij = f_i(j) + F_i^W(0,j)
– b_ij = g_i(j) + F_j^W(0,i)
– Concurrently, round 2 of (n/3)-WSS_i takes place.
Round 3: For each a_ij b_ji
– P_i broadcasts f_i(j)
– P_j broadcasts g_j(i)
– D broadcasts F(j,i)
– Concurrently, round 3 of (n/3)-WSS_i takes place.

24 3-Round (n/3)-VSS Sharing Phase
Round 1:
– D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = f_i(x) and F(i,y) = g_i(y) to P_i.
– Player P_i selects random r_i and starts (n/3)-WSS_i on r_i using F_i^W(x,y).
Round 2: P_i broadcasts
– a_ij = f_i(j) + F_i^W(0,j)
– b_ij = g_i(j) + F_j^W(0,i)
– Concurrently, round 2 of (n/3)-WSS_i takes place.
Round 3: For each a_ij b_ji
– P_i broadcasts f_i(j)
– P_j broadcasts g_j(i)
– D broadcasts F(j,i)
– Concurrently, round 3 of (n/3)-WSS_i takes place.
A player is said to be unhappy if his value does not match D's value.
If the number of unhappy players > t, disqualify D.

25 3-Round (n/3)-VSS Sharing Phase
Local Computation:
– H = {happy players} – {players disqualified as WSS dealers}
– If |H| < n–t, disqualify D and stop.
– For P_i H, if |H H_i^W| < n–t, remove P_i from H.
– Call the final set CORE_sh. If |CORE_sh| < n–t disqualify D and stop.
Properties of CORE_sh:
– If D is honest, then CORE_sh contains all honest players D is not disqualified during the Sharing phase.
– Every player in CORE_sh is consistent with n–t players in CORE_sh At least t+1 honest players in CORE_sh (defining a unique polynomial F^H(x,y)).

26 3-Round (n/3)-VSS Reconstruction Phase
For each P_i CORE_sh, run Rec. phase of (n/3)-WSS_i, concurrently.
Local computation:
– CORE_rec := CORE_sh
– CORE_rec := CORE_rec – {P_i : (n/3)-WSS_i }
– For each P_i CORE_rec compute f_i(j) = a_ij – F_i^W(0,j), 1 j n
   If f_i(x) not a t-degree polynomial, remove P_i from CORE_rec.
– Obtain F (x,y) by taking any t+1 polynomials f_i(x) from CORE_rec; s := F (0,0).

27 3-Round (n/3)-VSS Reconstruction Phase
Properties of CORE_rec:
– At least n–2t ( t+1) honest players in CORE_sh unique t-degree polynomial F^H(x,y).
– Dishonest P_i in CORE_rec: WSS_i succeeded; f_i(j) lie on a t-degree polynomial f_i(x); F_i^W(x,y) is … consistent with t+1 honest players in CORE_rec f_i(x) is consistent with F^H(x,y).
Privacy:
– The only difference with WSS protocol is the pads.
– Prove that a_ij = f_i(j) + F_i^W(0,j) does not reveal any info about f_i(j).

28 Amortized VSS Round Complexity
Say, m k-round sequential VSS protocols (e.g., MPC)
Using deferred commitment, m+2 total rounds 1+ O(1/m) amortized-round VSS protocol
Initial phase: Dealer(s) share random values r_1, r_2, …, r_m using the given VSS protocol.
Sharing Phase of j-th VSS protocol:
– Broadcast correction term c_j = s_j – r_j
Correction: (two ways)
– In Reconstruction Phase each player computes s_j = c_j + r_j.
– At the end of Sharing Phase every player P_i computes F*_j(x,i) = F_j(x,i) + c_j and F*_j(i,y) = F_j(i,y) + c_j

29 Summary
VSS: Efficient 3-round protocol for n > 3t
WSS:
– Efficient 3-round protocol for n > 3t (round optimal)
– Efficient 1-round protocol for n > 4t
(1+ ) amortized-round VSS

30 Round-Optimal and Efficient Verifiable Secret Sharing
Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)

