On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase Ronald Cramer, Ivan Damgard, Serge Fehr

Introduction  Secret-sharing (introduced by Shamir) – l-bits secret distributes to n players, every player have a share. Over than t shares can find the secret by some player.  Privacy – If an adversary sees up to t shares, it still learns no information about the secret and correctness. (t+1 is enough).

Introduction  This paper consider more. Some player (at most t players) may be corrupted, they may contribute wrong shares.,  We want every player try to reconstruct the secret under this situation.  If t  n/2, no one can sure that its reconstruction is correct.  If t<n/3, a standard methods can give an opt solution with no error.

Introduction  We only consider n/3  t < n/2.  A honest player can either reconstruct the secret or output “failure”. (failure 2 -  (k), where k is security parameter)  When t=  (n-1)/2 , there is a lower bound of information sending O(nl+kn 2 ).  This bound is also tight.

Communication Model  Secure-channels model with broadcast. – There is a set of players {P 1,…,P n } – A dealer D. – Every pair has a secure private channel.  Adversary – Active(corrupt at most t players) – Rushing (can decide after all honest players sent). – Static, adaptive (static means it needs to corrupt players before execution).

Single-Round Honest-Dealer VSS  Distribution phase: – The honest dealer generates shares s i ={k i,y i }, i=1…n, according to a fixed and publicly known conditional probability distribution P S1…Sn (…|s), where s is the secret. Privately sends s i to P i.  Reconstruction phase: – Each player P i is required to broadcast ŷ i, which is supposedly to equal to y i. Each player P i decides on the secret s based on k i and other ŷ i … ŷ n. (output s or “failure”).

 Adversary can change the ŷ j to broadcast, when P j is corrupted. Others honest players always have ŷ j =y j.  Adversary can be rushing, non-rushing; static, adaptive.

 Single-Round Honest-Dealer VSS is (t, n, 1-  )-secure if: – Privacy: Adversary gains no information of s form distribution phase. – (1-  )-correctness: In the reconstruction phase, each uncorrupted output ‘s’ or “failure”, and outputting failure has  probability.

 We can repeat m times to make the error rate to  m.  This definition is very general, we don’t care the dictate of the implementation.

Theoretical Lower Bound and Tightness Proof of SRHD-VSS

Lower Bound on Reconstruction Complexity  If and for a security parameter k, then the total information broadcast in the reconstruction phase is lower bounded by – For any family of Single-Round Honest- Dealer VSS scheme, (t, n, 1-δ)-secure against an active, rushing adversary H is the entropy of S, by definition:

Reduced Theorem: Proposition 1  Let be the message distributed by the SRHD-VSS. In the case of odd n, the size of any public share Y i is lower bounded by  While for even n, it is the size H(Y i Y j ) of every pair Y i ≠Y j that is lower bounded by

A Little Authentication Theory  Let K, M, Y, Z be r.v. with joint distribution P KMYZ such that M is independent of K and Z but uniquely defined by Y and Z. Then one can compute consistent with K and Z by Z with probability* * Stands for impersonation attack

A Little Authentication Theory  Also, knowing Z and Y, one can compute consistent with K and Z and a with probability*: * Stands for a substitution attack

Observation of P S and P I  Let K, M, Y, Z the same as above. If M is uniformly distributed among a non-trivial set, then one can compute with Z known and consistent with K and Z, and a with probability: An successful impersonating attack is a successful substitution attack by definition M is uniformly distributed and M ’ !=M

Proof of Proposition 1 (1/3) P1P1 P2P2 P i-1 PiPi P t+1 PtPt …… Y t+1  Y ’ t+1 Either red ones are honest or vice versa … Pi can thus not compute S with certainty. We then let* *Note that the semantics of δ is for P i to decide {failure} and still a recoverable error may be counted in. See Section 6 for correctness proof

Proof of Proposition 1 (2/3)  Apply observation 1 by letting K=K i, M=S, Y=Y t+1, and Z=(K 1,…,K i-1,Y 1 …,Y t )  Use the δ then

A Little Information Theory  Chain rule of mutual information

Proof of Proposition 1 (3/3)  Use the chain rule, we have  And since S 1 …S t cannot work without S t+1, we have  And the proposal is resulted.

Theorem 2: Theorem 1 is Tight  For, against an adaptive and rushing adversary, with total communication complexity of O(kn 2 ) bits  Proof by constructing one.

Construction of the SRHD-VSS (1/3)  Given a (t+1, n) threshold secret sharing scheme and an authentication scheme, e.g. by a family of strongly universal hash function  Dealer: 人人有一份, 對對有一根 … – S  – Select a random

Construction of the SRHD-VSS (2/3)  Dealer: 金刀為證, 玉璽為憑 – Generate authentication tag for every process P j  Everyone: 問鼎中原, 人人有責 – P i send to P j for all i,j, i!=j

Making Ω(k) (3/3)  Use Shamir’s secret sharing scheme over a field F, |F| > n  Choose the hash family h α, β (X) = αX+β over F – As such, the attack can succeed with probability 1/F – Choose – The desired result follows

Thanks Presented by 游騰楷 呂育恩 葉恆青