Jul 11, 2018 - AbstractâAsynchronous verifiable secret sharing (AVSS) is a cornerstone primitive ... secret with a set of replicas, of which some may be faulty. In prior AVSS schemes ...... of i, and so by the security of r, its success (in the sense of ... used before for error correction codes, to share a secret with unconditional ...
Asynchronous Verifiable Secret-Sharing Protocols on a Good Day Soumya Basu1,2,3 , Dahlia Malkhi1 , Mike Reiter1,4 , and Alin Tomescu1,5 1
VMWare Research Cornell University 3 IC3 4 UNC-Chapel Hill 5 MIT
arXiv:1807.03720v2 [cs.CR] 11 Jul 2018
2
Abstract—Asynchronous verifiable secret sharing (AVSS) is a cornerstone primitive in secure multi-party computation and Byzantine fault tolerance. AVSS requires a dealer to share a secret with a set of replicas, of which some may be faulty. In prior AVSS schemes, the dealer paid for the possibility of replica failures up front, thus incurring quadratic or worse communication complexity. However, in practice, there would typically be at most a few replica failures in each sharing. This paper introduces an optimistic AVSS protocol that only pays for the number of failures that actually occur, rather than the maximum allowed number of failures. By doing so, we bring the cost of AVSS down to typically linear on a good day, specifically with only linear communication cost for the dealer.
I. T ECHNICAL OVERVIEW In this section, we provide a high-level, informal overview of the core technique we develop here to solve the asynchronous VSS problem. A precise description and details are given in the following sections. A. The Asynchronous VSS Problem In the asynchronous VSS problem, a dealer shares to a group of n participants a polynomial s. The API for sharing is denoted vssShare. If the sharing completes anywhere, then eventually every non-faulty participant eventually completes the sharing. The basic method for secret sharing is to provide participant i a point (xi , s(xi )) on the polynomial s. The method fulfills two key properties, hiding and binding: • Loosely speaking, hiding means that for a polynomial s of degree f , any k = f + 1 shares suffice to reconstruct it via interpolation (API: vssReconstruct), and that no combination of f or less reveal any information about it. • Binding means that every participant receives, in addition to its private share, a global commitment c to the polynomial s that binds the share it receives as a verifiable valid share of s (API: vssVerify). In asynchronous settings in which f participants might fail, a dealer can wait for at most n−f participants to acknowledge receiving a valid share, before it inevitably may walk away. The asynchronous VSS problem requires that if the dealer (or any participant) completes the share protocol, then every correct participant can eventually reconstruct its share using
a distributed protocol with f + 1 participants: Participants contribute recovery information (API: vssRecoverContrib∗ ), which is validated by the recipient (API: vssRecoverVerify∗ ) and then combined to reconstruct the missing share (API: vssRecover∗ ). B. Existing Solutions Original solutions for asynchronous VSS in the informationtheoretic setting were introduced in the context of Byzantine agreement and secure MPC [1]. They incurred communication complexities of O(n6 log n) and message complexity O(n5 ). AVSS. The first practical asynchronous VSS solution in the computational setting was introduced by Cachin et al. [2]. We will refer to it by the name AVSS. To cope with asynchrony, AVSS uses a bivariate secret polynomial sˆ(·, ·). Share i consists of two uni-variate polynomials, sˆ(i, ·), sˆ(·, i), hence the dealer sends O(n) information to each participant. A missing ˆi’th share can be reconstructed from f + 1 evaluations sˆ(i, ·), sˆ(·, i), incurring linear communication overhead per recovery, for an overall recovery complexity of O(n2 ) messages and O(n2 ) bits. Additionally, participants need to verify that all shares are bound to the same polynomial. AVSS makes use of Pederson polynomial commitments [3] for all polynomials sˆ(i, y), sˆ(x, i), i = 1..n. This commitment scheme leverages the hardness of discrete log in a group with generator g. A commitment c(v) to a value v is a pair of values, (g v hr , r), where r is drawn at random and h is a random element of the group. A Pederson commitment to a polynomial f (·) consists of a vector of commitments at n evaluation points, hxi , c(f (xi ))i. Given any pair of values hx, yi, it is possible to verify c(y) = c(f (x)) using homomorphism. AVSS weaves into the sharing protocol the dissemination of commitments while incurring message complexity O(n2 ) and communication complexity O(n3 ). eAVSS-SC. Kate et al. [4] introduce a polynomial commitment that has constant size. To prevent sending the full polynomial, the commitment only consists of its evaluation at a single point τ . To prove that an evaluation at i was done correctly, the dealer shows that s(τ ) − s(i) is divisible by τ − i. The technique was employed in [5] to construct an
asynchronous VSS scheme called eAVSS-SC that incurs both message and communication complexities O(n2 ). In eAVSS-SC, a dealer chooses in addition to the secret polynomial s another n polynomials sˆi , i = 1..n. sˆi encodes share i of s for recovery purposes. Each of s, sˆi , has a constant-size polynomial commitment due to the scheme by Kate et al. [4]. The commitments are constructed such that a commitment of sˆi validates it as a share of s. Using homomorphism, eAVSS-SC weaves into the sharing protocol the dissemination of commitments while incurring both message complexity and bit complexity O(n2 ). The need for a new scheme. In all the above schemes, the dealer computes O(n2 ) commitment values and sends O(n2 ) bits. Hence, to date, all asynchronous VSS solutions require a dealer, who wants to store a single secret to a system, to incur O(n2 ) communication/crypto complexities. This can be quite prohibitive for moderate n values, e.g., n = 1000, and infeasible for n = 50, 000. Fundamentally, prior asynchronous VSS schemes allow share recovery by having the dealer enumerate all pairwise recovery responses between replicas in advance. In other words, if replica i is helping replica ˆi recover, the dealer (in the form of a polynomial) has shared with i the response to send to ˆi. However, such an approach must necessarily require quadratic bandwidth on the dealer. To get around this difficulty, we make use of a distributed pseudorandom function (DPRF), allowing these recovery responses to be generated dynamically using information shared in the setup phase. C. sAVSS Our solution, named sAVSS (for ‘scalable AVSS’), is the first in which the dealer work is linear in n. Informally, sAVSS revolves around a novel construction called a Recovery Polynomial (RP). A Recovery Polynomial sj encodes f secret values. The dealer partitions the secret shares of s into ` = dn/f e groups, and uses ` RPs sj , j = 1..`, to encode the corresponding groups. Every one of original n shares of s is thus encoded in one of the RPs. The dealer shares both s and the sj ’s among the n participants, and participants use relevant sj ’s to recover missing shares. More specifically, an RP sj is a random polynomial of degree f that has f pre-defined points. For (j −1)f ≤ i < jf , the recovery polynomial sj is constructed so that sj (i) = yi , where yi = F(i) for a DPRF F with reconstruction threshold k. (In our actual construction, yi = F(hr, ii) for a random value r, to ensure that sj is distinct each time. But we elide r for our discussion here.) The dealer shares each sj among the n participants, as well as s. Recovery of missing shares is handled in sAVSS as follows. To recover its share, participant ˆi probes other participants, to which each participant responds with its share of s + sj for j = dˆi/f e. Each participant i can construct its response from its shares of s and sj . In addition, participant ˆi probes participants for their shares of F(ˆi), i.e., of the secret value sj (ˆi). (In API terms, vssRecoverContrib∗ returns a share of s + sj and a share of F(ˆi).) Participant ˆi then reconstructs
s + sj in full and computes (s + sj )(ˆi) − F(ˆi) = s(ˆi) (API: vssRecover∗ ). To verify a recovery share (vssRecoverVerify∗ ), first participant ˆi validates each share of s + sj that it receives against the commitment c(s + sj ), which it computes from c(s) and c(sj ). Then it validates the recovery result against c(s). A technicality to note here is that in the Kate et al. commitment scheme, each share must be accompanied by a witness used for commitment validation. Participants need to recover witnesses for validation. The witness for participant for ˆi could be encoded into the RPs, at the expense of sharing polynomials over much larger fields. Luckily, this is not necessary; witnesses can be reconstructed leveraging homomorphism over the witnesses of the participants that participate in the recovery protocol. If validation fails, then participant ˆi can prove to the other participants that the dealer is bad. In that case, different from AVSS and eAVSS-SC, participants expose the dealer’s secret. The complexities incurred by different participants at different steps of the sAVSS protocol are as follows. A dealer provides each of n participants shares and constant-size commitments on `+1 polynomials. The total message/communication complexity is O(`n), or simply O(n) in the usual case where ` is a (small) constant. Upon each recovery request, a participant sends a constant amount of information to the requester, for a total O(t) communication in case of t requests. Finally, each participant requiring share recovery obtains shares from other participants incurring O(n) communication, for a total O(tn) communication in case of t requests. II. S HARE R ECOVERY IN V ERIFIABLE S ECRET S HARING A. Distributed Pseudorandom Functions A distributed pseudorandom function (DPRF) is a pseudorandom function that requires the cooperation of k replicas out of n total replicas to evaluate. A DPRF F provides the following interfaces, where [n] = {1, . . . , n}. • dprfInit is a randomized procedure that returns a set of pairs {hdpk i , dsk i i}i∈[n] ← dprfInit(1κ , k, n, D, R). Each dpk i is public key, and each dsk i is its corresponding private key. • dprfContrib is a deterministic procedure that returns a contribution d ← dprfContrib(dsk i , x) if x ∈ D and failure (⊥) otherwise. • dprfVerify is a deterministic procedure that returns a boolean value. We require that dprfVerify(dpk i , x, d) returns true if d = dprfContrib(dsk i , x) for the private key dsk i corresponding to dpk i . • dprfEval is a deterministic procedure that returns a value y ← dprfEval(x, {di }i∈I ), where y ∈ R, if x ∈ D, |I| ≥ k and for all i ∈ I, dprfVerify(dpk i , x, di ) returns true. Otherwise, dprfEval(x, {di }i∈I ) returns ⊥. Security for a distributed pseudorandom function is defined as follows. An adversary AF is provided inputs hdpk i ii∈[n] , k, n, D, and R, where {hdpk i , dsk i i}i∈[n] ← dprfInit(1κ , k, n, D, R). In addition, AF is given oracle
access to n + 1 oracles. The first n oracles, denoted hOF ,i ii∈[n] , each supports two types of queries. AF can invoke OF ,i .contrib(x), which returns dprfContrib(dsk i , x), or it can invoke OF ,i .compromise, which returns dsk i . The ? last oracle provided to AF is denoted OF : D → R and real rand is instantiated as one of two oracles, either OF or OF . real Oracle OF , on input x, selects a subset I ⊆ [n] at random of size |I| = k, invokes di ← OF ,i .contrib(x) for each rand i ∈ I, and returns dprfEval(x, {di }i∈I ). Oracle OF is instantiated as a function chosen uniformly at random from the set of all functions from D to R. For any x ∈ D, let Ix be the oracle indices such that for each i ∈ Ix , AF invokes OF ,i .compromise or OF ,i .contrib(x). Then, AF is legitimate ? if |Ix | < k for every x for which AF invokes OF (x). Finally, AF outputs a bit. We say that the distributed pseudorandom function is secure if for all legitimate adversaries AF that run in time polynomial in κ, � � real hOF ,i ii∈[n] ,OF P AF (hdpk i ii∈[n] , k, n, D, R) = 1 � � rand hOF ,i ii∈[n] ,OF − P AF (hdpk i ii∈[n] , k, n, D, R) = 1 is negligible in κ.
(1)
B. Verifiable Secret Sharing Verifiable Secret Sharing (VSS) is a way to share a secret so that it requires a coalition of k replicas out of n total replicas in order to reconstruct the secret. A VSS scheme provides the following interfaces: • vssInit is a randomized procedure that returns hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n). Here, q is a prime of length κ bits. Each vpk i is a public key, and each vsk i is its corresponding private key. • vssShare is a deterministic procedure that produces hc, {ui }i∈[n] i ← vssShare(s, q, {vpk i }i∈[n] ). Here, s ∈ Zq [x] is a degree k−1 polynomial, and q and {vpk i }i∈[n] are as output by vssInit. The value c is a commitment, and each ui is a share. • vssVerify is a deterministic procedure that returns a boolean. We require that vssVerify(vpk i , c, ui ) return true if hc, {ui }i∈[n] i ← vssShare(s, q, {vpk i }i∈[n] ). • vssReconstruct is a deterministic procedure that returns a value s ← vssReconstruct(c, {hvpk i , ui i}i∈I ) where s ∈ Zq [x] of degree k − 1, if |I| ≥ k and for all i ∈ I, vssVerify(vpk i , c, ui ) returns true. Otherwise, vssReconstruct(c, {hvpk i , ui i}i∈I ) returns ⊥. The security of a VSS scheme lies in its hiding and binding properties. 1) Hiding: A hiding adversary AV is provided inputs q and {vpk i }i∈[n] , where hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n), and access to n+1 oracles. The first n oracles are denoted hOV,i ii∈[n] ; each OV,i is initialized with vsk i and can be invoked as described below. The last oracle provided to AV is denoted OVb , where b ∈ {0, 1}. AV can invoke this oracle with two inputs s0 , s1 ∈ Zq . When invoked, OVb generates
a random sˆ ∈ Zq [x] of degree k − 1 such that sˆ(0) = sb and performs hc, {ui }i∈[n] i ← vssShare(ˆ s, q, {vpk i }i∈[n] ), providing c to AV and hc, ui i to OV,i . The oracles hOV,i ii∈[n] can be invoked by AV as follows. AV can invoke OV,i .contrib(c), which returns the share ui provided to OV,i with commitment c by OVb . AV can also invoke OV,i .compromise, which returns vsk i and all hc, ui i pairs received from OVb . For any c, let Ic be the oracle indices such that for each i ∈ Ic , AV invokes OV,i .compromise or OV,i .contrib(c). Then, AV is legitimate if |Ic | < k for every c. Finally, AV outputs a bit. We say that the VSS V is hiding if for all legitimate adversaries AV that run in time polynomial in κ, � � 1 hOV,i ii∈[n] ,OV P AV (q, {vpk i }i∈[n] ) = 1 � � (2) 0 hOV,i ii∈[n] ,OV − P AV (q, {vpk i }i∈[n] ) = 1 is negligible in κ. 2) Binding: A binding adversary AV is provided inputs hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n). AV outputs c, {ui }i∈I and {ˆ ui }i∈Iˆ. We say that VSS V is binding if for all binding adversaries AV that run in time polynomial in κ, vssReconstruct(c, {hvpk i , ui i}i∈I ) = s ˆi i}i∈Iˆ) = sˆ P ∧ vssReconstruct(c, {hvpk i , u ∧ s 6= ⊥ ∧ sˆ 6= ⊥ ∧ s 6= sˆ
is negligible in κ, where the probability is taken with respect to random choices made in vssInit and by AV . C. Goals
Given such a VSS scheme V and a DPRF F, our goal is to construct a new VSS scheme V ∗ that provides the vssInit, vssShare, vssVerify, and vssReconstruct algorithms (denoted vssInit∗ , vssShare∗ , vssVerify∗ and vssReconstruct∗ for V ∗ , respectively) as defined in Section II-A, as well as three more algorithms, denoted vssRecoverContrib∗ , vssRecoverVerify∗ , and vssRecover∗ . We allow the vssShare∗ algorithm to accept additional arguments (a set of private keys for a DPRF) and to return an additional value r that is provided as input to all procedures except for vssInit∗ . The algorithms vssRecoverContrib∗ , vssRecoverVerify∗ , and vssRecover∗ together permit a replica to recover its share from other replicas, and behave as follows: ∗ • vssRecoverContrib is a deterministic procedure that re∗ turns vi ← vssRecoverContrib∗ (c∗ , r, vsk ∗i , u∗i , ˆi) where vi∗ is a recovery share with properties described below. ∗ • vssRecoverVerify is a deterministic procedure that returns a boolean. vssRecoverVerify∗ (c∗ , r, vi∗ , vpk ∗i , ˆi) must return true if vi∗ ← vssRecoverContrib∗ (c∗ , r, vsk ∗i , u∗i , ˆi) and vssVerify∗ (vpk ∗i , c∗ , r, u∗i ) returns true. ∗ • vssRecover is a deterministic procedure that returns ∗ uˆi ← vssRecover∗ (c∗ , r, {hvpk ∗i , vi∗ i}i∈I , ˆi, vpk ˆ∗i ) if |I| ≥ k, vssRecoverVerify∗ (c∗ , r, vi∗ , vpk ∗i , ˆi) returns true for all i ∈ I, and vssVerify∗ (vpk ˆ∗i , c∗ , r, uˆ∗i ) returns true. Otherwise, vssRecover∗ (c∗ , r, {hvpk ∗i , vi∗ i}i∈I , ˆi, vpk ˆ∗i ) returns ⊥.
Due to the additional interfaces above, we change the definition of hiding security as follows. Each oracle OV ∗ ,i additionally supports a query OV ∗ ,i .recover (c∗ , ˆi) that returns vi∗ ← vssRecoverContrib∗ (c∗ , r, vsk ∗i , u∗i , ˆi). For any c∗ , let Ic∗ be the oracle indices such that for each i ∈ Ic∗ , AV ∗ invokes OV ∗ ,i .compromise, OV ∗ ,i .contrib(c∗ ), or ˆ ≥ k. Then, AV ∗ is {OV ∗ ,ˆi .recover (c∗ , i)}ˆi∈Iˆ where |I| legitimate if |Ic∗ | < k for every c∗ . D. Assumptions on Underlying VSS Our construction combines an existing VSS scheme with a DPRF for which, if hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n), then R = Zq and each share ui output from vssShare is in Zq . In addition, we require that the VSS offer additional procedures, as follows. • There is a procedure vssMakeSecret that creates s ← vssMakeSecret(q, {hxi , yi i}i∈I ) where s ∈ Zq [x] is of degree |I|, and so that if hc, {ui }i∈[n] i ← vssShare(s, q, {vpk i }i∈[n] ) •
then ui = yi for any i ∈ I. There is a procedure vssCombineCommitments such that if vssReconstruct(c, {hvpk i , ui i}i∈I ) = s
vssReconstruct(ˆ c, {hvpk i , u ˆi i}i∈I ) = sˆ where s, sˆ 6= ⊥, and if cˇ ← vssCombineCommitments(c, cˆ) then vssReconstruct(ˇ c, {hvpk i , (ui + u ˆi )i}i∈I ) = s + sˆ An example of such a VSS scheme is that due to Kate et al. [4]. E. VSS Scheme with Recovery Below we describe the procedures that make up the VSS scheme V ∗ . The algorithms are expressed in terms of constants n (the number of replicas), k (the reconstruction threshold), and ` = dn/(k − 1)e. Each share u∗i and commitment c∗ is a zero-indexed vector of ` + 1 elements. We denote the j-th element of each by u∗i [j] and c∗ [j], respectively, for 0 ≤ j ≤ `. Line numbers below refer to Figure 1. vssInit∗ initializes the underlying VSS V in line 2, as well as a DPRF F in line 3. The public key vpk ∗i for replica i consists of its public key vpk i for V and its public key dpk i for F (line 7) and similarly for the private key vsk ∗i (line 6). vssShare∗ is modified to take in all of the private keys {dsk i }i∈[n] for the DPRF F, as well as the other arguments included in its definition in Section II-B. (For this reason, our construction requires each dealer to have a distinct set of parameters for its sharings, i.e., produced by its own call to vssInit∗ .) This enables the dealer to evaluate F itself, which it does on hr, ii for each i ∈ [n] (lines 10–12),
where r is a new, random κ-bit nonce (line 9). The resulting values {yi }i∈[n] are divided into ` groups of size k − 1, each group being used to construct a set of k − 1 points Pj ← {hi, yi i | (j − 1)(k − 1) < i ≤ j(k − 1)} (line 14) on which vssMakeSecret is invoked (line 15). The resulting sj ∈ Zq [x] is then shared using V (line 16). Recall that by the definition of vssMakeSecret, each u∗i [j] thus produced satisfies u∗i [j] = yi . Of course, the input secret s is also shared (line 17). The results of these sharings are grouped according to replica index i and returned as u∗i for each i ∈ [n], along with all of the sharing commitments c∗ and the nonce r (line 18). vssVerify∗ and vssReconstruct∗ operate in the natural way. vssVerify∗ verifies the commitment c∗ [0] and share u∗i [0] (line 21) produced in the sharing of s, as well as verifying the commitment c∗ [j] and share u∗i [j] (line 28) produced in the sharing of sj . In addition, it verifies (intuitively) that u∗i [j] = yi (line 25). The latter two verifications are skipped if u∗i [1] = ⊥ (line 23), which occurs if the share u∗i was recovered (see below). In this case, u∗i [j] = ⊥ for all j ∈ [`] (or should be, and so any j ∈ [`] for which u∗i [j] 6= ⊥ is just ignored). vssReconstruct∗ simply uses vssVerify∗ to verify each share u∗i provided as input (line 33) and then submits c∗ [0] and the inputs {hvpk i , u∗i [0]i}i∈I to vssReconstruct to reconstruct s (line 36). vssRecoverContrib∗ (c∗ , r, vsk ∗i , u∗i , ˆi) is invoked at replica i to construct its contribution to enable replica ˆi to reconstruct its share uˆ∗i . vssRecoverContrib∗ returns u∗i [0] blinded by u∗i [j] (line 41) where j ← dˆi/(k − 1)e. Then, so that replica ˆi can recover its share of the original secret, replica i also returns its share of the DPRF scheme F evaluated at hr, ˆii (line 39). vssRecoverVerify∗ (c∗ , r, vi∗ , vpk ∗i , ˆi) is executed by replica ˆi to verify that replica i performed vssRecoverContrib∗ correctly. The output of vssRecoverContrib∗ contributed by replica i is passed into vssRecoverVerify∗ as vi∗ and is parsed into its constituent components in line 44. First, the DPRF contribution di is checked on line 46 to ensure that it corresponds to a correct evaluation of the DPRF scheme F at the point hr, ˆii. vssRecoverVerify∗ then combines the commitments (line 48) and uses vssVerify (line 49) to check that the blinded share u was created correctly. If both checks pass, then vssRecoverVerify∗ returns true. vssRecover∗ (c∗ , r, {hvpk ∗i , vi∗ i}i∈I , ˆi, vpk ˆ∗i ) is executed at replica ˆi to recover its share uˆ∗i . In particular, uˆ∗i [0] will be a share of the original polynomial for ˆi. vssRecover∗ first invokes vssRecoverVerify∗ to make sure that the share sent by each replica i ∈ I is correct (line 55). vssRecover∗ then leverages vssReconstruct (line 60) to reconstruct a polynomial s ∈ Zq [x] that is the sum of the polynomial originally shared in vssShare∗ that resulted in commitment c∗ [0] and the jth masking polynomial sj that resulted in commitment c∗ [j], where j = dˆi/(k − 1)e. vssRecover∗ then evaluates s(ˆi) and subtracts sj (ˆi) = dprfEval(hr, ˆii, {di }i∈I ) (lines 60–62) to obtain uˆ∗i [0].
1: procedure vssInit∗ (1κ , k, n) 2: hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n) 3: h{hdpk i , dsk i i}i∈[n] i ← dprfInit(1κ , k, n, {0, 1}κ × [n], Zq ) 4: for i ∈ [n] do 5: vpk ∗i ← hvpk i , dpk i i 6: vsk ∗i ← hvsk i , dsk i i 7: return hq, {hvpk ∗i , vsk ∗i i}i∈[n] i 8: procedure vssShare∗ (s, q, {dsk i }i∈[n] , {vpk ∗i }i∈[n] )
9: 10: 11: 12:
13: 14: 15: 16: 17: 18:
$
r ← {0, 1}κ for i ∈ [n] do hvpk i , dpk i i ← vpk ∗i yi ← dprfEval(hr, ii, {dprfContrib(dsk ˆi , hr, ii)}ˆi∈[n] ) for j ∈ [`] do Pj ← {hi, yi i | (j − 1)(k − 1) < i ≤ j(k − 1)} sj ← vssMakeSecret(q, Pj ) hc∗ [j], {u∗i [j]}i∈[n] i ← vssShare(sj , q, {vpk i }i∈[n] )
hc∗ [0], {u∗i [0]}i∈[n] i ← vssShare(s, q, {vpk i }i∈[n] ) return hc∗ , r, {u∗i }i∈[n] i
19: procedure vssVerify∗ (vpk ∗i , c∗ , r, u∗i ) 20: hvpk i , dpk i i ← vpk ∗i 21: if vssVerify(vpk i , c∗ [0], u∗i [0]) = false then 22: return false 23: if u∗i [1] 6= ⊥ then 24: j ← di/(k − 1)e 25: if dprfVerify(dpk i , hr, ii, u∗i [j]) = false then 26: return false 27: for j ∈ [`] do 28: if vssVerify(vpk i , c∗ [j], u∗i [j]) = false then 29: return false 30: return true
31: procedure vssReconstruct∗ (c∗ , r, {hvpk ∗i , u∗i i}i∈I ) 32: for i ∈ I do 33: if vssVerify∗ (vpk ∗i , c∗ , r, u∗i ) = false then 34: return ⊥ 35: hvpk i , dpk i i ← vpk ∗i 36: return vssReconstruct(c∗ [0], {hvpk i , u∗i [0]i}i∈I ) 37: procedure vssRecoverContrib∗ (c∗ , r, vsk ∗i , u∗i , ˆi) 38: hvsk i , dsk i i ← vsk ∗i 39: di ← dprfContrib(dsk i , hr, ˆii) 40: j ← dˆi/(k − 1)e 41: return hdi , (u∗i [0] + u∗i [j])i 42: procedure vssRecoverVerify∗ (c∗ , r, vi∗ , vpk ∗i , ˆi) 43: j ← dˆi/(k − 1)e 44: hdi , ui ← vi∗ 45: hvpk i , dpk i i ← vpk ∗i 46: if dprfVerify(dpk i , hr, ˆii, di ) = false then 47: return false 48: c ← vssCombineCommitments(c∗ [0], c∗ [j]) 49: if vssVerify(vpk i , c, u) = false then 50: return false 51: return true 52: procedure vssRecover∗ (c∗ , r, {hvpk ∗i , vi∗ i}i∈I , ˆi, vpk ˆ∗i ) 53: j ← dˆi/(k − 1)e 54: for i ∈ I do 55: if vssRecoverVerify∗ (c∗ , r, vi∗ , vpk ∗i , ˆi) = false then 56: return ⊥ 57: hdi , ui i ← vi∗ 58: hvpk i , dpk i i ← vpk ∗i 59: c ← vssCombineCommitments(c∗ [0], c∗ [j]) 60: s ← vssReconstruct(c, {hvpk i , ui i}i∈I ) 61: yˆi ← dprfEval(hr, ˆii, {di }i∈I ) 62: uˆ∗ ← h(s(ˆi) − yˆi ), ⊥, . . . , ⊥i i 63: if vssVerify∗ (vpk ˆ∗i , c∗ , r, uˆ∗ ) = false then i 64: return ⊥ ∗ 65: return uˆ i
Fig. 1. Pseudocode for our verifiable secret sharing scheme
F. Security Below, we prove that our modified VSS scheme still satisfies the security properties guaranteed by the underlying VSS protocol. a) Hiding: Suppose that the underlying DPRF scheme F and VSS scheme V are secure, and let AV ∗ be a hiding adversary for V ∗ . We claim that if AV ∗ is legitimate, then for any commitment c∗ , the set of indices I for which AV ∗ obtains the shares {u∗i [0]}i∈I produced in line 17 (i.e., in its invocation of OVb ∗ that returned c∗ ) satisfies |I| < k. To see why, note that AV ∗ can obtain u∗i [0] for any i in one of three ways: (i) by invoking OV ∗ ,i .compromise; (ii) by invoking OV ∗ ,i .contrib(c∗ ); or (iii) by invoking OV ∗ ,ˆi .recover (c∗ , i) at ˆ ≥ k, in which case AV ∗ can recover u∗ [0] each ˆi ∈ Iˆ where |I| i using the vssRecover∗ routine (line 62). Critically, invoking ˆ < k yields no OV ∗ ,ˆi .recover (c∗ , i) at each ˆi ∈ Iˆ where |I| ∗ ˆ < k, the value useful information about ui [0], since when |I| ∗ yi (line 61) and so ui [0] = s(i) − yi (line 62) cannot be predicted nonnegligibly better than guessing it at random, due to the security of the DPRF F (i.e., (1)). Because AV ∗ is legitimate, it thus obtains u∗i [0] for only fewer than k values of i, and so by the security of V, its success (in the sense of (2)) is negligible in κ.
b) Binding: A binding adversary AV ∗ is provided inputs hq, {hvpk ∗i , vsk ∗i i}i∈[n] i ← vssInit∗ (1κ , k, n), and succeeds if it outputs c∗ , {u∗i }i∈I and {ˆ u∗i }i∈Iˆ for which vssReconstruct∗ (c∗ , r, {hvpk ∗i , u∗i i}i∈I ) = s ˆ∗i i}i∈Iˆ) = sˆ ∧ vssReconstruct∗ (c∗ , r, {hvpk ∗i , u ∧ s 6= ⊥ ∧ sˆ 6= ⊥ ∧ s 6= sˆ
Let s and sˆ be values satisfying this condition. Then, s = vssReconstruct(c∗ [0], {hvpk i , u∗i [0]i}i∈I ) sˆ = vssReconstruct(c∗ [0], {hvpk i , u∗i [0]i}i∈Iˆ)
where hq, {hvpk i , vsk i i}i∈[n] i ← vssInit(1κ , k, n) (see lines 2 and 36). That is, breaking binding for V ∗ implies breaking binding for V, and so if V ensures the binding property, then so does V ∗ . III. R ELATED W ORK The seminal work by Shamir [6] introduced the idea of employing polynomial interpolation, a technique that was used before for error correction codes, to share a secret with unconditional security. A line of work emanated from this result and addressed many additional features, such as share verifiability, asynchrony, and proactive share refresh.
At a high level, sAVSS relies on verifiable secret sharing as a primitive and composes it with a distributed pseudorandom function in order to handle asynchrony. The particular instantiation we use rests on a secret sharing scheme from Kate et. al. [4], however, sAVSS can be instantiated with other well known verifiable secret sharing schemes such as Feldman [7] and Pedersen [3]’s schemes. The cryptographic assumptions that sAVSS rests on will vary depending on which VSS scheme is used. The fundamental problem of asynchrony is that during the sharing phase, the dealer is unable to wait for all honest replicas to reply. Thus, there must be a way for honest replicas to recover a share. The first practical asynchronous verifiable secret sharing scheme [2] solves this by incorporating an asynchronous reliable broadcast substrate due to Bracha and Toueg [8]. This scheme (called AVSS) further reduces the total number of bytes transmitted by using erasure codes inside the broadcast substrate. AVSS has message complexity O(n2 ) and communication complexity O(n3 ). Backes et. al. improves in [5] by employing constant-size polynomial commitments due to Kate et al. [4]. Their scheme (called eAVSS-SC) shares n + 1 polynomials, one for the secret, and n additional ones for recovery shares. eAVSSSC weaves into the sharing protocol the dissemination of commitments while incurring both message complexity and bit complexity O(n2 ). sAVSS uses a different approach more similar in nature to proactive secret sharing that refresh shares by adding a random polynomial whose value is zero at the y-intercept of the secret shared polynomial. Prior work in proactive secret sharing [9] is difficult to apply to the problem of share recovery, however. These works [9], [10] assume a synchronous broadcast channel that delivers to all replicas instantaneously, which greatly simplifies the problem of agreeing on a random recovery polynomial. PVSS [11] does not make any such assumption and can be used in sAVSS, but it suffers from an exponential cost in the number of faults it tolerates, making it unusable for tolerating more than a few faults. MPSS [12] uses a Byzantine agreement protocol in order to explicitly agree on the random recovery polynomial, which would add a few additional rounds to sAVSS if used in share reconstruction. Although closest in ”spirit” to proactive recovery schemes, sAVSS addresses only the share phase. It is left for future work to see whether proactive share recovery can be expedited with techniques borrowing from sAVSS. IV. C ONCLUSION We presented a new asynchronous verifiable secret sharing protocol, sAVSS, that reduces the dealer work to linear, while maintaining share recovery cost linear as well. Thus, sAVSS optimizes for common executions by only paying a linear cost for every failure that actually occurs. This optimism allows asynchronous verifiable secret sharing at large scale, allowing larger clusters for techniques using secret sharing as a primitive such as Byzantine fault tolerance and secure multiparty computation.
V. ACKNOWLEDGEMENTS The authors would like to thank Ittai Abraham, DragosAdrian Seredinschi, and Emin G¨un Sirer for their insightful comments and technical discussion relating to ideas presented in this note. R EFERENCES [1] R. Canetti and T. Rabin, “Fast asynchronous Byzantine agreement with optimal resilience,” in 25th ACM Symposium on Theory of Computing (STOC), May 1993, pp. 42–51. [2] C. Cachin, K. Kursawe, A. Lysyanskaya, and R. Strobl, “Asynchronous verifiable secret sharing and proactive cryptosystems,” in 9th ACM Conference on Computer and Communications Security (CCS), Nov. 2002. [3] T. P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” in Advances in Cryptology – CRYPTO ’91, ser. LNCS, vol. 576, 1992, pp. 129–140. [4] A. Kate, G. M. Zaverucha, and I. Goldberg, “Constant-size commitments to polynomials and their applications,” in Advances in Cryptology – ASIACRYPT 2010, ser. LNCS, vol. 6477, Dec. 2010, pp. 177–194. [5] M. Backes, A. Datta, and A. Kate, “Asynchronous computational VSS with reduced communication complexity,” in Topics in Cryptology – CT-RSA 2013, ser. LNCS, vol. 7779, Feb. 2013, pp. 259–276. [6] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, Nov. 1979. [7] P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” in 28th IEEE Symposium on Foundations of Computer Science (FOCS), Oct. 1987, pp. 427–438. [8] G. Bracha and S. Toueg, “Asynchronous consensus and broadcast protocols,” Journal of the ACM, vol. 32, no. 4, pp. 824–840, Oct. 1985. [9] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing or: How to cope with perpetual leakage,” in Advances in Cryptology – CRYPTO ’95, vol. 963, 1995, pp. 339–352. [10] A. Herzberg, M. Jakobsson, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive public key and signature systems,” in 4th ACM Conference on Computer and Communications Security (CCS), Apr. 1997, pp. 100–110. [11] L. Zhou and F. B. Schneider, “APSS: Proactive secret sharing in asynchronous systems,” ACM Transactions on Information and System Security, vol. 8, no. 3, pp. 259–286, Aug. 2005. [12] D. Schultz, B. Liskov, and M. Liskov, “MPSS: Mobile proactive secret sharing,” ACM Transactions on Information and System Security, vol. 13, no. 4, pp. 1–32, Dec. 2010.
