
1 Improving the Round Complexity of VSS in Point-to-Point Networks
Jonathan Katz (University of Maryland), Chiu-Yuen Koo (Google Labs), Ranjit Kumaresan (University of Maryland)

2 Verifiable secret sharing (VSS)
- Two-phase protocol: a dealer shares a secret among a set of n parties in the sharing phase; the secret is recovered in a reconstruction phase.
- If the dealer is honest: no information about the secret is leaked in the sharing phase, and all honest parties recover the dealer's secret.
- Even if the dealer is dishonest: the view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase.

3 Feasibility and efficiency?
- We study perfect (i.e., 0-error) VSS.
- This is known to be possible iff t < n/3 (even if broadcast is available).
- What is the inherent round complexity of this task? 3 rounds are necessary (even with broadcast) [GIKR01]; an O(1)-round protocol is only possible if there is at least 1 round of broadcast.

4 Upper bounds?
- Gennaro et al. show an efficient 4-round protocol and an inefficient 3-round protocol.
- Fitzi et al. give an efficient 3-round protocol, using broadcast in two of the rounds.
- What happens if their protocol is implemented in a point-to-point network? Simulating broadcast is expensive, and sequential composition of broadcast is expensive: the protocol requires 55 rounds (in expectation)!

5 The upshot
- If the goal is to optimize round complexity for point-to-point networks, it is crucial to minimize the number of broadcast rounds.
- Does there exist a VSS protocol that is simultaneously optimal in the number of rounds and the number of broadcasts? Recall: 1 round of broadcast is (essentially) necessary.

6 Our results
- We give a positive answer to this question: a 3-round protocol using a single round of broadcast, secure against an adaptive, rushing adversary.
- Our VSS protocol also satisfies a useful property (2-level sharing) not satisfied by the protocol of Fitzi et al.

7 The rest of the talk
- WSS: a weaker variant of VSS; a 3-round WSS protocol using 1 round of broadcast.
- VSS: a 3-round VSS protocol using the WSS protocol as a building block.

8 WSS: definition
- WSS is similar to VSS.
- Weaker guarantee for a dishonest dealer: the view of the honest parties in the sharing phase defines a value s such that each honest party outputs either s or ⊥ in the reconstruction phase.

9 WSS protocol: sharing phase
- Round 1: D chooses a bivariate polynomial F(x,y) of degree t in each variable with F(0,0) = s, and sends to P_i the polynomials f_i(x) := F(x,i) and g_i(y) := F(i,y). Each P_i sends a random pad r_{i,j} to both P_j and D.
- Round 2: for every ordered pair (i,j), P_i sends a_{i,j} := f_i(j) to P_j; P_j sends b_{j,i} := g_j(i) to P_i; and P_j forwards r'_{i,j} = r_{i,j} to D.

10 Sharing phase, continued
- Round 3 (broadcast round): for every ordered pair (i,j):
  P_i broadcasts ("disagree", f_i(j), r_{i,j}) if b_{j,i} ≠ f_i(j), and ("agree", f_i(j) + r_{i,j}) otherwise.
  P_j broadcasts ("disagree", g_j(i), r'_{i,j}) if a_{i,j} ≠ g_j(i), and ("agree", g_j(i) + r'_{i,j}) otherwise.
  D broadcasts ("not equal", F(j,i)) if r_{i,j} ≠ r'_{i,j}, and ("equal", F(j,i) + r_{i,j}) otherwise.

11 Local computation
- The ordered pair (P_i, P_j) is conflicting if P_i broadcasts ("disagree", f_i(j), r_{i,j}), P_j broadcasts ("disagree", g_j(i), r'_{i,j}), and r_{i,j} = r'_{i,j}.
- Note: if D is honest, then no two honest parties will be conflicting.
- Note: all honest parties agree on who is conflicting.

12 Local computation
- In a conflicting pair (P_i, P_j), we say P_i is unhappy if either: D broadcasts ("not equal", d_{i,j}) and d_{i,j} ≠ f_i(j); or D broadcasts ("equal", d_{i,j}) and d_{i,j} ≠ f_i(j) + r_{i,j}.
- If there are more than t unhappy parties, then D is disqualified.
- Note: an honest dealer is never disqualified.
- Note: all honest parties agree on who is unhappy.
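The three sharing-phase rounds and the conflicting/unhappy/disqualified computation of slides 9 to 12, as an added worked example (this is not the paper's code). It assumes a prime modulus P chosen here, models the dealer's shares as the point values f_i(j) and g_i(j) rather than as polynomials (the checks only compare field elements), and judges P_j's unhappiness against its own broadcast value exactly as the slide does for P_i; that symmetric treatment, the `liars` knob and the `demo` scenarios are this example's assumptions. The demo runs n = 4, t = 1 three times: all honest, an honest dealer with one party lying in round 2, and a dealer that hands out inconsistent shares.

```python
import random

P = 2**31 - 1  # assumed prime modulus; any field with more than n elements works


def honest_tables(n, rng):
    """Constructed dealer values F(x, y), x, y in 1..n. The checks below only
    compare field elements, so the polynomial structure is left out. Returns
    what an honest dealer hands out: f[i][j] = f_i(j) = F(j, i) and
    g[i][j] = g_i(j) = F(i, j)."""
    F = {(x, y): rng.randrange(P) for x in range(1, n + 1) for y in range(1, n + 1)}
    f = {i: {j: F[(j, i)] for j in range(1, n + 1)} for i in range(1, n + 1)}
    g = {i: {j: F[(i, j)] for j in range(1, n + 1)} for i in range(1, n + 1)}
    return F, f, g


def round3_broadcasts(n, F, f, g, rng, liars=()):
    """Rounds 1-3 for every ordered pair (i, j). F is what D answers with in
    round 3; f, g are what it actually sent in round 1. A party in `liars`
    sends a wrong a_ij in round 2 and then claims disagreement with its true
    value, trying to get an honest dealer disqualified."""
    bc = {}
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            if i == j:
                continue
            r = rng.randrange(P)                              # round 1: P_i -> P_j and D
            a = (f[i][j] + 1) % P if i in liars else f[i][j]  # round 2: a_ij, P_i -> P_j
            b = g[j][i]                                       # round 2: b_ji, P_j -> P_i
            r_prime = r                                       # round 2: honest P_j forwards r'_ij to D
            if b != f[i][j] or i in liars:
                p_i = ("disagree", f[i][j], r)
            else:
                p_i = ("agree", (f[i][j] + r) % P)
            if a != g[j][i]:
                p_j = ("disagree", g[j][i], r_prime)
            else:
                p_j = ("agree", (g[j][i] + r_prime) % P)
            if r != r_prime:
                d = ("not equal", F[(j, i)])
            else:
                d = ("equal", (F[(j, i)] + r) % P)
            bc[(i, j)] = (p_i, p_j, d)
    return bc


def local_computation(bc, t):
    """Slides 11-12. Returns (conflicting pairs, unhappy parties, D disqualified)."""
    conflicting, unhappy = [], set()
    for (i, j), (p_i, p_j, d) in bc.items():
        if not (p_i[0] == "disagree" and p_j[0] == "disagree" and p_i[2] == p_j[2]):
            continue
        conflicting.append((i, j))
        r = p_i[2]
        # D's broadcast settles the conflict: whoever it contradicts is unhappy.
        # (Assumption: P_j is judged exactly like P_i, against its own claimed value.)
        for party, claimed in ((i, p_i[1]), (j, p_j[1])):
            expected = claimed if d[0] == "not equal" else (claimed + r) % P
            if d[1] != expected:
                unhappy.add(party)
    return conflicting, unhappy, len(unhappy) > t


def demo(n=4, t=1, seed=7):
    """Three runs with n = 3t + 1 = 4: all honest; an honest dealer with P_4
    lying; a dealer that gives P_1 and P_3 values inconsistent with P_2's g_2."""
    rng = random.Random(seed)
    out = {}
    F, f, g = honest_tables(n, rng)
    out["honest"] = local_computation(round3_broadcasts(n, F, f, g, rng), t)
    out["liar"] = local_computation(round3_broadcasts(n, F, f, g, rng, liars=(4,)), t)
    F, f, g = honest_tables(n, rng)
    f[1][2] = (f[1][2] + 1) % P
    f[3][2] = (f[3][2] + 1) % P
    out["cheating_dealer"] = local_computation(round3_broadcasts(n, F, f, g, rng), t)
    return out
```

In the lying-party run the three pairs (4, j) become conflicting, but the dealer's "equal" broadcast matches both sides' true values, so nobody is unhappy and the honest dealer survives. In the cheating-dealer run P_1 and P_3 each contradict the dealer's broadcast, two unhappy parties exceed t = 1, and D is disqualified.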

13 WSS protocol: reconstruction phase
- If P_j is not unhappy, it sends f_j(x) and g_j(y) to all parties. Let f_j^i and g_j^i denote the polynomials P_j sends to P_i.
- P_i constructs a consistency graph G_i with an edge between P_j and P_k iff f_j^i(k) = g_k^i(j) and g_j^i(k) = f_k^i(j).
- Iteratively remove vertices in G_i with degree < n−t. Let Core_i be the parties left in G_i.
- If |Core_i| < n−t, then P_i outputs ⊥. Else, let F'(x,y) be the polynomial defined by any t+1 parties in Core_i, and output s' := F'(0,0).

14 Proof sketches
- Privacy: t points on a degree-t polynomial reveal no information about the constant term, and no information about s is leaked in round 3 thanks to the random pads.
- Correctness for honest D: if P_i is honest, then all honest parties are in Core_i, so |Core_i| ≥ n−t. Any party in Core_i must have sent polynomials that agree with at least 2t+1 parties in Core_i, of which at least t+1 are honest. Since the polynomials sent by honest parties all agree with the dealer's polynomial F, P_i correctly recovers F and outputs the dealer's secret.

15 Proof sketches, continued
- Weak commitment (for dishonest D): assume the dealer is not disqualified (so there are at most t unhappy parties, and at least n−2t ≥ t+1 honest parties who are not unhappy). Claim: the polynomials f_i sent by D to the first t+1 such parties define a polynomial F such that any honest P_i outputs either F(0,0) or ⊥ in the reconstruction phase. If |Core_i| < n−t, we are done; otherwise the argument is similar to (though slightly more involved than) the honest-dealer case.
- This completes the proof.

16 VSS
- We now construct a 3-round VSS protocol (using 1 round of broadcast) using the previous WSS protocol as a subroutine.
- Our VSS protocol also achieves "2-level sharing"...

17 2-level sharing
- At the end of the sharing phase each honest P_i outputs s_i and {s_{i,j}}_j such that: the {s_i} lie on a degree-t polynomial whose constant term is the value s that honest parties will output in the reconstruction phase; and for each j, the {s_{i,j}}_i lie on a degree-t polynomial whose constant term is s_j.
- Useful when VSS is used as a building block for general secure MPC.

18 Overview of the protocol
- Sharing is done essentially as in WSS, but now parties reveal their random pads in the reconstruction phase.
- To ensure correctness, we use WSS to generate the random pads. The random pads are no longer independent, but lie on a random degree-t polynomial (which suffices for secrecy).
- To obtain 2-level sharing, we have the dealer choose a symmetric bivariate polynomial.

19 VSS protocol: high level
- Round 1: D chooses a symmetric F(x,y) with F(0,0) = s and sends f_i(x) := F(x,i) to P_i. Each P_i chooses a random s_i and shares it using WSS; let F_i^pad be the polynomial used. P_i sends F_i^pad(x,j) to each P_j and F_i^pad(0,y) to D.
- Round 2: set r_{i,j} = F_i^pad(i,j); the rest is as before. Run the second round of all WSS sub-protocols.

20 VSS protocol: high level
- Round 3: as before. Also run the third round of all WSS sub-protocols.

21 Local computation
- We define a conflicting pair and an unhappy party as before.
- Core is the set of all happy parties.
- Core_i is the set of all happy parties in WSS_i.
- All players agree on Core and {Core_i}.

22 Local computation, continued
- For all i, j, remove P_j from Core_i if, in round 3: P_i broadcasts ("agree", y) and P_j did not broadcast ("agree", y); or P_i broadcasts ("disagree", *, w) and P_j broadcasts anything other than ("disagree", *, w).
- Remove P_i from Core if |Core ∩ Core_i| < n−t.
- If |Core| < n−t, then D is disqualified.
- Each party P_i computes f_i(x) as follows: if P_i ∈ Core, then f_i(x) is the polynomial received from D in round 1; see the paper (and slide 28) for the other case.
- Each P_i outputs s_i = f_i(0) and s_{i,j} = f_i(j).

23 VSS: reconstruction phase
- Each party P_i sends s_i to all other parties. Let s'_{j,i} be the value that P_j sends to P_i.
- P_i computes a degree-t polynomial f(x) such that f(j) = s'_{j,i} for at least 2t+1 values of j.
- P_i outputs f(0).
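Both reconstruction procedures, the WSS consistency-graph pruning of slide 13 and the VSS "agree with at least 2t+1 shares" interpolation of this slide, as one added worked example (not the paper's code; one block because both need the same field arithmetic and Lagrange interpolation). It assumes a prime field GF(P) with P fixed here, an honest dealer, and t parties that send random polynomials and shares at reconstruction time; the slide's degree threshold is read here as "consistent with fewer than n−t members of the current core, itself included", which is what makes every honest party survive when exactly t parties are corrupt. The brute-force search over (t+1)-subsets stands in for a proper Reed-Solomon decoder; it is fine for n = 7.

```python
from itertools import combinations
import random

P = 2**61 - 1  # assumed prime field modulus (any prime larger than n works)


def poly_eval(c, x):
    """Evaluate c[0] + c[1]*x + ... by Horner's rule."""
    acc = 0
    for coeff in reversed(c):
        acc = (acc * x + coeff) % P
    return acc


def interpolate(points):
    """Lagrange interpolation: coefficients of the unique polynomial of degree
    < len(points) through the given (x, y) pairs."""
    out = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:                          # basis *= (x - xj), den *= (xi - xj)
                basis = [0] + basis
                for k in range(len(basis) - 1):
                    basis[k] = (basis[k] - xj * basis[k + 1]) % P
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P
        for k, b in enumerate(basis):
            out[k] = (out[k] + scale * b) % P
    return out


def share(F, i):
    """Dealer's round-1 message to P_i from the coefficient matrix F[a][b] of
    x^a y^b: f_i(x) = F(x, i) and g_i(y) = F(i, y)."""
    t = len(F) - 1
    f = [sum(F[a][b] * pow(i, b, P) for b in range(t + 1)) % P for a in range(t + 1)]
    g = [sum(F[a][b] * pow(i, a, P) for a in range(t + 1)) % P for b in range(t + 1)]
    return f, g


def wss_reconstruct(received, n, t):
    """Slide 13. received[j] = (f_j, g_j) as sent by P_j; unhappy parties send
    nothing and are simply absent. Returns None for the 'bottom' output."""
    def consistent(j, k):
        (fj, gj), (fk, gk) = received[j], received[k]
        return j == k or (poly_eval(fj, k) == poly_eval(gk, j)
                          and poly_eval(gj, k) == poly_eval(fk, j))
    core = set(received)
    adj = {j: {k for k in core if consistent(j, k)} for j in core}
    while True:  # iteratively prune vertices consistent with < n-t core members
        drop = {j for j in core if len(adj[j] & core) < n - t}
        if not drop:
            break
        core -= drop
    if len(core) < n - t:
        return None
    # f_j(0) = F(0, j) and F(0, y) has degree t, so t+1 survivors determine F(0, 0)
    pts = [(j, received[j][0][0]) for j in sorted(core)[:t + 1]]
    return poly_eval(interpolate(pts), 0)


def vss_reconstruct(shares, t):
    """Slide 23. shares[j] = s'_{j,i}. Any t+1 shares define a candidate; accept
    it once it agrees with >= 2t+1 shares: two distinct degree-t polynomials
    agree on at most t points and at least t+1 of those 2t+1 shares are honest,
    so the accepted candidate is the dealer's F(0, y)."""
    pts = [(j, v) for j, v in shares.items() if v is not None]
    for subset in combinations(pts, t + 1):
        cand = interpolate(subset)
        if sum(poly_eval(cand, j) == v for j, v in pts) >= 2 * t + 1:
            return poly_eval(cand, 0)
    return None


def demo(n=7, t=2, secret=42, corrupt=(6, 7), seed=1):
    """Honest dealer with a symmetric F; parties in `corrupt` send random
    polynomials/shares at reconstruction. Returns (WSS output, VSS output)."""
    rng = random.Random(seed)
    F = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a):
            F[a][b] = F[b][a]             # symmetric, as the VSS dealer chooses
    F[0][0] = secret
    received = {i: share(F, i) for i in range(1, n + 1)}
    shares = {i: received[i][0][0] for i in range(1, n + 1)}   # s_i = f_i(0)
    for i in corrupt:
        received[i] = tuple([rng.randrange(P) for _ in range(t + 1)] for _ in range(2))
        shares[i] = rng.randrange(P)
    return wss_reconstruct(received, n, t), vss_reconstruct(shares, t)
```

With n = 7 and t = 2 the two liars are pruned from the consistency graph and both procedures return the secret. Calling `demo(corrupt=(5, 6, 7))`, i.e. t+1 liars, makes both return None: the remaining 2t honest parties are too few for the degree threshold and for the 2t+1 agreement test, which is the t < n/3 bound in action.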

24 Proof sketches
- Privacy: same as WSS except for the random pads. The random pads lie on random degree-t polynomials and hence reveal no additional information about s.
- Correctness with 2-level sharing (D honest): for honest P_i, all other honest parties belong to Core_i, and all honest parties remain in Core. p(x) = F(0,x) and p_j(x) = F(j,x) imply 2-level sharing. The reconstruction phase succeeds since there are at most t bad shares out of n > 3t shares.

25 Proof sketches, continued
- Correctness with 2-level sharing (dealer dishonest): refer to the full version of the paper for a proof: http://eprint.iacr.org/2007/358

26 Open questions
- What is the optimal (expected) round complexity of VSS in a point-to-point network?
- Can better round complexity be achieved for statistical VSS?
- How about (statistical) VSS for t < n/2? See Patra et al. for some recent progress on these questions.

27 Thank you!

28 Local computation, continued (backup slide: the case P_i ∉ Core)
- If P_i is not in Core, it constructs Core'_i: P_j is in Core'_i if and only if P_j ∈ Core, P_i ∈ Core_j, and the {p_{j,k}}_k are consistent with a polynomial B_j(x) of degree at most t, where p_{j,k} := y_{j,k} if, in step 1 of round 3 for the ordered pair (j,k), party P_j broadcast ("agree", y_{j,k}), and p_{j,k} := w_{j,k} + z_{j,k} if P_j broadcast ("disagree", w_{j,k}, z_{j,k}).
- For each P_j ∈ Core'_i, set p_j := p_{j,i} − f_{j,i}^pad(0). Let f_i be the polynomial interpolating the p_j for P_j ∈ Core'_i.
- Finally, P_i outputs s_i := f_i(0) and s_{i,j} := f_i(j).

29 Proof sketches, continued
- Correctness with 2-level sharing (D dishonest): for honest P_i, |Core'_i| > t, since Core contains at least t+1 honest parties and, for an honest P_j, Core_j contains P_i. The p_{j,k} computed by P_i lie on B_j(x) = f_j(x) + F_j^pad(0,x), since P_j ∈ Core and D does not disagree with the broadcast values. There are t+1 honest parties in Core, and F(x,y) is defined naturally by these parties. The polynomials of honest P_i ∈ Core agree with F(x,y).

30 Proof sketches, continued
- The constructed polynomials of honest P_i not in Core agree with F(x,y): for any P_k ∈ Core_j, we have f_{j,k}^pad(x) = F_j^pad(0,k) and f_k(j) = F(k,j) (otherwise P_k would have been removed from Core_i). B_j(k) is recovered for at least t+1 values of k, so B_j(x) = F(x,j) + F_j^pad(0,x) is recovered. Then p_j = p_{j,i} − f_{j,i}^pad(0) = B_j(i) − F_j^pad(0,i) = F(i,j). Hence P_i recovers F(i,x) = F(x,i).
