Round-Optimal and Efficient Verifiable Secret Sharing


Round-Optimal and Efficient Verifiable Secret Sharing
Matthias Fitzi (Aarhus University), Juan Garay (Bell Labs), Shyamnath Gollakota (IIT Madras), C. Pandu Rangan (IIT Madras), Kannan Srinathan (IIIT Hyderabad)

Secret Sharing Protocols [Sha79, Bla79]
Set of players P = {P1, P2, ..., Pn}, dealer D (e.g., D = P1).
Two phases: Sharing phase and Reconstruction phase.
Sharing Phase: D initially holds s and each player Pi finally holds some private information vi.
Reconstruction Phase: Each player Pi reveals (some of) his private information v'i, on which a reconstruction function is applied to obtain s = Rec(v'1, v'2, ..., v'n).
Round-Optimal and Efficient VSS — TCC'06

Secret Sharing (cont'd)
[Figure: Sharing Phase, the Dealer hands out shares v1, v2, v3, ..., vn.]
Any set of fewer than t+1 players has no information about the secret.

Secret Sharing (cont'd)
[Figure: Reconstruction Phase, shares v1, v2, v3, ..., vn are combined into Secret s.]
Any set of ≥ t+1 players can reconstruct the secret.
Players are assumed to give their shares honestly.

Verifiable Secret Sharing (VSS) [CGMA85]
Extends secret sharing to the case of active corruptions (corrupted players, including the Dealer, may not follow the protocol).
Up to t corrupted players; adaptive adversary.
Reconstruction Phase: Each player Pi reveals (some of) his private information v'i, on which a reconstruction function is applied to obtain s' = Rec(v'1, v'2, ..., v'n).

VSS Requirements
Privacy: If D is honest, the adversary has no Shannon information about s during the Sharing phase.
Correctness: If D is honest, the reconstructed value s' = s.
Commitment: After the Sharing phase, s' is uniquely determined.

Weak VSS (WSS) [RB89]
Privacy: If D is honest, the adversary has no Shannon information about s during the Sharing phase.
Correctness: If D is honest, the reconstructed value s' = s.
Weak Commitment: After the Sharing phase, s' is uniquely determined such that Rec(v'1, v'2, ..., v'n) ∈ {⊥, s'}.

Communication Model and Round Complexity
Synchronous, fully connected network of pair-wise secure channels + broadcast channel.
Round complexity: number of communication rounds in the Sharing phase.
Efficiency: total computation and communication polynomial in n and the size of the secret.

Prior (Relevant) Work
Perfect VSS possible iff n > 3t [BGW88, DDWY90].
Round complexity of VSS [GIKR01]:
  n > 4t: efficient 2-round protocol.
  n > 3t: no 2-round protocol exists; efficient 4-round protocol; inefficient 3-round protocol.

Our Contributions
VSS: Efficient 3-round protocol for n > 3t.
WSS: Efficient 3-round protocol for n > 3t (round optimal); efficient 1-round protocol for n > 4t.
(1+ε) amortized-round VSS protocol for n > 3t.

3-Round (n/3)-WSS
[Figure: Sharing Phase, the Dealer holding Secret s distributes v1, v2, v3, ..., vn; Reconstruction Phase, the shares are combined into Secret s'.]

3-Round (n/3)-WSS — Sharing Phase
Round 1: D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. Player Pi sends to Pj a random pad rij.
Round 2: Pi broadcasts aij = fi(j) + rij and bij = gi(j) + rji; Pj broadcasts aji = fj(i) + rji and bji = gj(i) + rij.
Round 3: For each aij ≠ bji: Pi broadcasts fi(j), Pj broadcasts gj(i), D broadcasts F(j,i).
A player is said to be unhappy if his value does not match D's value. If the number of unhappy players is > t, disqualify D.

3-Round (n/3)-WSS — Reconstruction Phase
Every happy player Pi broadcasts fi(x) and gi(y).
Local computation:
Every player constructs a consistency graph G over the set of happy players: there is an edge between Pi, Pj ∈ G iff fi(j) = gj(i) and gi(j) = fj(i).
Every player constructs a set CORE as follows: initially all nodes with degree at least n–t in G are in CORE; players in CORE consistent with fewer than n–t players in CORE are removed; repeat until no more players can be removed from CORE.
The secret is determined by the polynomial defined by any t+1 players from CORE. If |CORE| < n–t, the secret is ⊥.
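The following toy simulation of the WSS Sharing and Reconstruction phases just described is an added example, not code from the paper or its authors. It works over a prime field: the dealer samples F(x,y), players exchange pads and open disputed values, and reconstruction builds the consistency graph and CORE. The modulus, the helper and scenario names (run, liars, bad_dealer_targets), the choice that a node counts as consistent with itself when degrees are computed, and the degree-t check on published polynomials (taken from the VSS Reconstruction slide later in the deck) are all assumptions of this example.

```python
# Constructed toy simulation of the 3-round (n/3)-WSS; not the paper's own code.
import random

P = 2**61 - 1  # assumed prime field modulus for all share arithmetic


def rand_bivariate(t, s, rng):
    """Dealer: random F(x,y) of degree t in each variable with F(0,0) = s.
    Coefficient c[a][b] multiplies x^a * y^b."""
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    c[0][0] = s % P
    return c


def eval_biv(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P


def lagrange_at(points, x):
    """Evaluate the unique polynomial through the (xi, yi) points at x."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def is_degree_t(values, t):
    """True iff the j -> value map lies on a single polynomial of degree <= t."""
    pts = sorted(values.items())
    return all(lagrange_at(pts[:t + 1], x) == y for x, y in pts[t + 1:])


def deal(c, n):
    """Round 1 (dealer): P_i gets f_i(j) = F(j,i) and g_i(j) = F(i,j) for j = 1..n."""
    return {i: {"f": {j: eval_biv(c, j, i) for j in range(1, n + 1)},
                "g": {j: eval_biv(c, i, j) for j in range(1, n + 1)}}
            for i in range(1, n + 1)}


def sharing_phase(shares, c, n, t, rng):
    """Rounds 1-3 pad exchange. Returns (dealer not disqualified, set of happy players)."""
    ids = range(1, n + 1)
    r = {i: {j: rng.randrange(P) for j in ids} for i in ids}                      # round 1: pads r_ij
    a = {(i, j): (shares[i]["f"][j] + r[i][j]) % P for i in ids for j in ids}    # round 2: a_ij
    b = {(i, j): (shares[i]["g"][j] + r[j][i]) % P for i in ids for j in ids}    # round 2: b_ij
    unhappy = set()
    for i in ids:
        for j in ids:
            if i != j and a[(i, j)] != b[(j, i)]:  # round 3: the disputed value is opened
                dealer_value = eval_biv(c, j, i)   # D broadcasts F(j,i)
                if shares[i]["f"][j] != dealer_value:
                    unhappy.add(i)
                if shares[j]["g"][i] != dealer_value:
                    unhappy.add(j)
    return len(unhappy) <= t, set(ids) - unhappy


def reconstruction_phase(published, n, t):
    """`published` maps each happy player to the (f_i, g_i) it actually broadcast."""
    published = {i: p for i, p in published.items()
                 if is_degree_t(p["f"], t) and is_degree_t(p["g"], t)}

    def consistent(i, j):  # edge of the consistency graph; a node is consistent with itself
        return i == j or (published[i]["f"][j] == published[j]["g"][i]
                          and published[i]["g"][j] == published[j]["f"][i])

    core = {i for i in published if sum(consistent(i, j) for j in published) >= n - t}
    while True:
        drop = {i for i in core if sum(consistent(i, j) for j in core) < n - t}
        if not drop:
            break
        core -= drop
    if len(core) < n - t:
        return None  # the ⊥ output
    chosen = sorted(core)[:t + 1]
    # f_i(0) = F(0,i); interpolating these over i gives F(0,y), and F(0,0) is the secret
    f_at_zero = [(i, lagrange_at(sorted(published[i]["f"].items()), 0)) for i in chosen]
    return lagrange_at(f_at_zero, 0)


def garbage(n, rng):
    return {"f": {j: rng.randrange(P) for j in range(1, n + 1)},
            "g": {j: rng.randrange(P) for j in range(1, n + 1)}}


def run(n, t, s, seed=1, liars=(), bad_dealer_targets=()):
    """Whole protocol. `liars` publish garbage in reconstruction; `bad_dealer_targets`
    receive inconsistent shares from a cheating dealer. Returns s', None (⊥) or a verdict."""
    rng = random.Random(seed)
    c = rand_bivariate(t, s, rng)
    shares = deal(c, n)
    for i in bad_dealer_targets:
        shares[i] = garbage(n, rng)
    ok, happy = sharing_phase(shares, c, n, t, rng)
    if not ok:
        return "dealer disqualified"
    published = {i: (garbage(n, rng) if i in liars else shares[i]) for i in happy}
    return reconstruction_phase(published, n, t)


if __name__ == "__main__":
    print(run(7, 2, 123456))                                    # honest run
    print(run(7, 2, 123456, liars={6, 7}))                      # liars are cut from CORE
    print(run(7, 2, 123456, bad_dealer_targets={1, 2, 3}))      # > t unhappy players
    print(run(7, 2, 123456, liars={1}, bad_dealer_targets={2, 3}))  # corrupt D = P1 withholds
```

The last scenario is the weak-commitment case: a corrupt dealer (modelled as player 1) makes two honest players unhappy in the Sharing phase, which is within the threshold, and then publishes garbage itself, so only four consistent players remain and every honest player outputs ⊥ rather than a wrong secret.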

3-Round (n/3)-WSS — Proof Sketch
Privacy (D is honest): D distributes consistent information ⇒ any pair of honest players publish the same mutual padded values. Randomness of the pads leads to indistinguishability of the adversary's view under different secrets.
Correctness (D is honest): All honest players (at least n–t) are happy ⇒ no disqualification of D in the Sharing Phase. They all end up in CORE, thus the reconstructed secret is s.

3-Round (n/3)-WSS — Proof Sketch
Weak Commitment:
|CORE| < n–t: all honest players output ⊥.
|CORE| ≥ n–t: all players in CORE are consistent with a polynomial fixed at the end of the Sharing Phase. The n–2t honest happy players define a unique polynomial F'(x,y) (at the end of the Sharing Phase). Every dishonest happy player in CORE is consistent with at least n–t players in CORE, of which n–2t ≥ t+1 are honest ⇒ every dishonest happy player in CORE is also consistent with F'(x,y).

Recall: 3-Round (n/3)-WSS — Sharing Phase
Round 1: D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. Player Pi sends to Pj a random pad rij.
Round 2: Pi broadcasts aij = fi(j) + rij and bij = gi(j) + rji.
Round 3: For each aij ≠ bji: Pi broadcasts fi(j), Pj broadcasts gj(i), D broadcasts F(j,i).
A player is said to be unhappy if his value does not match D's value. If the number of unhappy players is > t, disqualify D.

3-Round (n/3)-VSS — Sharing Phase
Round 1: D selects a random bivariate polynomial F(x,y) of degree t in each variable, s.t. F(0,0) = s; sends F(x,i) = fi(x) and F(i,y) = gi(y) to Pi. Player Pi selects random ri and starts (n/3)-WSSi on ri using FiW(x,y).
Round 2: Pi broadcasts aij = fi(j) + FiW(0,j) and bij = gi(j) + FjW(0,i). Concurrently, round 2 of (n/3)-WSSi takes place.
Round 3: For each aij ≠ bji: Pi broadcasts fi(j), Pj broadcasts gj(i), D broadcasts F(j,i). Concurrently, round 3 of (n/3)-WSSi takes place.
A player is said to be unhappy if his value does not match D's value. If the number of unhappy players is > t, disqualify D.

3-Round (n/3)-VSS — Sharing Phase
Local Computation:
H = {happy players} – {players disqualified as WSS dealers}. If |H| < n–t, disqualify D and stop.
For Pi ∈ H, if |H ∩ HiW| < n–t, remove Pi from H. Call the final set COREsh. If |COREsh| < n–t, disqualify D and stop.
Properties of COREsh:
If D is honest, then COREsh contains all honest players ⇒ D is not disqualified during the Sharing phase.
Every player in COREsh is consistent with n–t players in COREsh ⇒ at least t+1 honest players in COREsh (defining a unique polynomial FH(x,y)).

3-Round (n/3)-VSS — Reconstruction Phase
For each Pi ∈ COREsh, run the Reconstruction phase of (n/3)-WSSi, concurrently.
Local computation:
CORErec := COREsh.
CORErec := CORErec – {Pi : (n/3)-WSSi outputs ⊥}.
For each Pi ∈ CORErec compute fi(j) = aij – FiW(0,j), 1 ≤ j ≤ n. If fi(x) is not a t-degree polynomial, remove Pi from CORErec.
Obtain F'(x,y) by taking any t+1 polynomials fi(x) from CORErec; s' := F'(0,0).

3-Round (n/3)-VSS — Reconstruction Phase
Properties of CORErec:
At least n–2t (≥ t+1) honest players in COREsh ⇒ unique t-degree polynomial FH(x,y).
Dishonest Pi in CORErec: WSSi succeeded; the fi(j) lie on a t-degree polynomial f'i(x); F'iW(x,y) is … consistent with ≥ t+1 honest players in CORErec ⇒ f'i(x) is consistent with FH(x,y).
Privacy: The only difference from the WSS protocol is the pads. Prove that aij = fi(j) + FiW(0,j) does not reveal any information about fi(j).

Amortized VSS Round Complexity
Say, m k-round sequential VSS protocols (e.g., MPC). Using "deferred commitment," m+2 total rounds ⇒ 1 + O(1/m) amortized-round VSS protocol.
Initial phase: Dealer(s) share random values r1, r2, ..., rm using the given VSS protocol.
Sharing Phase of the jth VSS protocol: broadcast the correction term cj = sj – rj.
Correction (two ways):
In the Reconstruction Phase each player computes sj = cj + rj.
At the end of the Sharing Phase every player Pi computes F*j(x,i) = Fj(x,i) + cj and F*j(i,y) = Fj(i,y) + cj.

Summary
VSS: Efficient 3-round protocol for n > 3t.
WSS: Efficient 3-round protocol for n > 3t (round optimal); efficient 1-round protocol for n > 4t.
(1+ε) amortized-round VSS.

(n/3)-WSS Round Optimality
Based on impossibility of 3-round Weak Secure Multicast: P = {P1, P2, ..., Pn}; D ∈ P holds input m; multicast set M ⊆ P.
Privacy: If all players in M are honest, then the adversary learns no information about m.
Correctness: If D is honest, then all honest players in M output m.
Weak Agreement: Even if D is dishonest, all honest players in M output a value in {m', ⊥}.
r-round WSS ⇒ r-round WSM.