Eο¬cient Statistical Asynchronous Veriο¬able
Secret Sharing and Multiparty Computation
with Optimal Resilience
IArpita Patraβ,1,2, Ashish Choudhury1,3, C. Pandu Rangan1,4
Abstract
Veriο¬able Secret Sharing (VSS) is a fundamental primitive used as a building block in many distributed cryptographic tasks, such as Secure Multiparty Com-putation (MPC) and Byzantine Agreement (BA). An important variant of VSS is Asynchronous VSS (AVSS) which is designed to work over asynchronous net-works. AVSS is a two phase (Sharing, Reconstruction) protocol carried out amongπ parties in the presence of acomputationally unbounded active adver-sary, who can corrupt up toπ‘parties. We assume that every two parties in the network are directly connected by a pairwise secure channel.
In this paper, we present a new statistical AVSS protocol with optimal resilience; i.e. with π = 3π‘ + 1. Our protocol privately communicates 5
πͺ((βπ3+π4log1
π) log1π) bits andA-casts6 πͺ(π3log(π)) bits to simultaneously
shareββ₯1 elements from a ο¬nite ο¬eldπ½, whereπis the error parameter of our protocol.
There are only two known statistical AVSS protocols withπ= 3π‘+1 reported in [22] and [61]. The AVSS protocol of [22] requires a private communication of πͺ(π9(log1
π)4) bits and A-cast of πͺ(π9(log1π)2log(π)) bits to share a single
element from π½. Thus our AVSS protocol shows a signiο¬cant improvement in
IThis is an extended and elaborate version of [62] βCorresponding author
Email addresses: arpitapatra [email protected], [email protected](Arpita Patra),partho [email protected], [email protected](Ashish Choudhary),
[email protected], [email protected](C. Pandu Rangan)
1Department of Computer Science and Engineering, IIT Madras, Chennai India 600036. 2Financial support from Microsoft Research India acknowledged. The author would also
like to thank the organizing committee of ICITS 2009 for ο¬nancial support to attend the conference, where a preliminary version of the paper was presented.
3Financial Support from Infosys Technology India Acknowledged. The author would also
like to thank IARCS for providing ο¬nancial support to attend ICITS 2009, where a preliminary version of the paper was presented.
4Work Supported by Project No. CSE/05/06/076/DITX/CPAN on Protocols for Secure Computation and Communication, Sponsored by Department of Information Technology, Govt. of India.
5Communication over secure channels
6A-castis the asynchronous equivalent ofbroadcastin synchronous world. A-castallows a
communication complexity over the AVSS of [22]. The AVSS protocol of [61] requires a private communication andA-castofπͺ((βπ3+π4) log1
π) bits to share
ββ₯1 elements. However, the shared element(s) may beπ π πΏπΏββπ½. Thus our AVSS is better than the AVSS of [61] due to the following reasons:
1. TheA-cast communication of our AVSS isindependentof the number of secrets i.e. β;
2. Our AVSS makes sure that the shared value(s) always belong toπ½. Using our AVSS, we design a new primitive called Asynchronous Complete Secret Sharing (ACSS) which acts as an important building block of asyn-chronous multiparty computation(AMPC). Using our ACSS scheme, we design a statistical AMPC protocol withoptimal resilience; i.e., withπ= 3π‘+1, that pri-vately communicatesπͺ(π5log1
π) bitsper multiplication gate. This signiο¬cantly
improves the communication complexity of only known optimally resilient statis-tical AMPC of [15] that privately communicates Ξ©(π11(log1
π)4) bits andA-cast
Ξ©(π11(log1
π)2log(π)) bits per multiplication gate. Both our ACSS and AVSS
employ several new techniques, which are of independent interest.
Key words: Asynchronous Networks, AVSS, Optimal Resilience, AMPC, Information Theoretic Security.
1. Introduction
VSS is one of the fundamental building blocks for many secure distributed computing tasks, such as multiparty computation (MPC) [2, 12, 3, 4, 5, 13, 9, 10, 11, 15, 7, 20, 23, 27, 28, 31, 42, 41, 45, 47, 49, 50, 65, 67, 69, 60], Byzantine Agreement (BA) [37, 22, 55, 1, 61], etc. Any VSS scheme consists of a pair of protocols (Sh, Rec). ProtocolSh5allows a special party called dealer(denoted
asπ·), to share a secretπ βπ½(an element from a ο¬nite ο¬eldπ½) among a set ofπ parties in a way that allow for a unique reconstruction ofπ by every party using protocolRec 6. Moreover, if π· ishonest, then the secrecy of π is preserved till
the end of Sh.
Over the last three decades, active research has been carried out in this area by several researchers, and many interesting and signiο¬cant results have been obtained dealing with high eο¬ciency, security against general adversaries, se-curity against mixed types of corruptions, long-term sese-curity, provable sese-curity, etc (see [24, 33, 53, 7, 42, 13, 23, 34, 35, 66, 27, 15, 22, 67, 38, 39, 41, 54, 59, 9, 11, 45, 60, 29, 26, 19, 43, 16, 64, 37, 36, 6, 21, 14, 32, 40, 58, 70, 18, 44] and their references). However, almost all of these solutions are for the synchronous model, where it is assumed that every message in the network is delayed at most by a given constant. This assumption is very strong because a single de-layed message would completely break down the overall security of the protocol.
Therefore, VSS protocols for the synchronous model are not suited for real world networks like the Internet.
Later, VSS protocols for the asynchronous network were developed [15, 22]. Here, messages are allowed to be delayed arbitrarily. However, in comparison to the VSS in synchronous settings, research in VSS in the asynchronous settings has attracted much less attention. Known asynchronous VSS protocols are of theoretical interest only and involve high communication complexity. Surpris-ingly, the techniques used for designing eο¬cient VSS protocols in synchronous networks cannot be adapted directly to the asynchronous setting. This mo-tivated us to design asynchronous VSS protocols taking a fresh look at the problem.
1.1. Model
In this paper, we follow the network model of [19]. Speciο¬cally, we as-sume that an AVSS protocol is carried out among a set of π parties, say π« ={π1, . . . , ππ}, where every two parties are directly connected by a secure
channel andπ‘out of theπparties can be under the inο¬uence of acomputationally unbounded Byzantine (active) adversary, denoted asππ‘. The Byzantine
adver-saryππ‘completely dictates the parties under its control and can force them to
deviate from a protocol, in any arbitrary manner. We assumeππ‘to berushing
[59, 39, 27], who ο¬rst listens all the messages sent to the corrupted parties by the honest parties, before allowing the corrupted parties to send their messages. The parties not under the inο¬uence ofππ‘are calledhonest or uncorrupted. We
assume that there is a speciο¬c party in π«, called the dealer π·, who wants to share the secret in AVSS protocol.
The underlying network is asynchronous, where the communication channels between the parties have arbitrary, yet ο¬nite delay (i.e the messages are guar-anteed to reach eventually). To model this,ππ‘ is given the power to schedule
the delivery ofallmessages in the network. However,ππ‘can only schedule the
messages communicated between honest parties, without having any access to the contents of the message. In asynchronous network, the inherent diο¬culty in designing a protocol comes from the fact that when a party does not receive an expected message then he cannot decide whether the sender is corrupted (and did not send the message at all) or the message is just delayed. So a party can not wait to consider the values sent by all parties, as waiting for all of them could turn out to be endless. Hence the values of up toπ‘ (potentially honest) parties may have to be ignored. Due to this the protocols in asynchronous net-work are generally involved in nature and require new set of primitives. For an comprehensive introduction to asynchronous protocols, see [19].
1.2. Deο¬nitions
We now give the deο¬nition of primitives which are used in this article. For all these primitives, we assume a ο¬nite ο¬eldπ½=πΊπΉ(2π ), whereπ= 2βΞ©(π )andπis
the error parameter. Also without loss of generality, we assumeπ= poly(π ) = poly(log1
π). Thus each ο¬eld element can be represented by πͺ(π ) = πͺ(log1π)
Deο¬nition 1 (Statistical Asynchronous Weak Secret Sharing (AWSS) [61]). Let (Sh, Rec) be a pair of protocols in which a dealer π· β π« shares a secretπ
usingSh. We say that (Sh7, Rec8) is aπ‘-resilient statistical AWSS scheme if all the following hold:
β Termination: With probability at least 1βπ, the following requirements hold:
1. If π· is honest then each honest party will eventually terminate pro-tocol Sh.
2. If some honest party has terminated protocolSh, then irrespective of the behavior ofπ·, each honest party will eventually terminateSh.
3. If all honest parties have terminated Sh and invokedRec, then each honest party will eventually terminateRec.
β Correctness: With probability at least 1βπ, the following requirements hold:
1. Correctness 1 (AWSS): Ifπ·is honest then each honest party upon terminatingRec, outputs the shared secretπ .
2. Correctness 2 (AWSS): Ifπ· is faulty and some honest party has terminated Sh, then there exists a unique π β² β π½βͺ {π π πΏπΏ}, such
that each honest party upon terminatingRec will output either π β² or π π πΏπΏ. This property is also called asweak-commitment.
β Secrecy: Ifπ· is honest and no honest party has begun executing protocol
Rec, thenππ‘ has no information aboutπ .
Deο¬nition 2 (Statistical AVSS [12, 19]). It is same as statistical AWSS except thatCorrectness 2 (AWSS)property is strengthened as follows:
β Correctness 2 (AVSS): If π· is corrupted and some honest party has terminatedSh, then there exists a ο¬xedπ β²βπ½, such that each honest party
upon completing Rec, will output onlyπ β².
Deο¬nition 3 (π‘-sharing [9, 11]). A valueπ βπ½is said to be π‘-shared among the parties inπ« if there exists a random degree-π‘ polynomialπ(π₯) overπ½, with
π(0) = π such that each (honest) party ππ β π« holds his share π π = π(π) of
secret π . The vector of shares ofπ corresponding to the honest parties is called
π‘-sharing of π and is denoted by[π ]π‘.
Typically, VSS is used as a tool for generating π‘-sharing of secret. That is, at the end of sharing phase, each honest party holds his share of the secret such that shares of all honest parties constitute distinct points on a degree-π‘
polynomial. Such VSS protocols are reported in [13, 54]. On the other hand, there are VSS schemes that do not generate π‘-sharing of secret. They only ensure that a unique secret is shared / committed (during sharing phase) which will be uniquely reconstructed during reconstruction phase. Such schemes are presented in [38, 59, 22]. So we call a VSS scheme asComplete Secret Sharing
(CSS) scheme if it generates π‘-sharing of secret. More formally, we have the following deο¬nition:
Deο¬nition 4 (Statistical Asynchronous Complete Secret Sharing (ACSS)). Thetermination, correctnessandsecrecyproperty of ACSS are same as in AVSS. In addition, ACSS achieves the following completeness property at the end ofSh with probability at least(1βπ):
β Completeness: If some honest party terminates Sh, then there exists a random degree-π‘ polynomial π(π₯) over π½, with π(0) = π β² such that each
(honest) partyππβ π« will eventually hold his shareπ π =π(π)of secretπ β².
Moreover, if π· is honest, then π β²=π .
The above deο¬nitions of AWSS, AVSS and ACSS can be extended for secret π containing multiple elements (sayβwithβ >1) fromπ½.
Remark 1 (AWSS, AVSS and ACSS with Private Reconstruction). The deο¬nitions of AWSS, AVSS and ACSS as given above consider βpublic recon-structionβ, where all parties publicly reconstruct the secret in Rec. A common variant of these deο¬nitions consider βprivate reconstructionβ, where only some speciο¬c party, sayππΌ β π«, is allowed to reconstruct the secret in Rec. As per
our requirement in this paper, we present our AWSS and AVSS schemes with only private reconstruction. However, the protocols for public reconstruction for these schemes can be obtained by doing slight modiο¬cation in the corresponding protocols for βprivate reconstructionβ.
In our protocols, we useA-castprimitive, which is formally deο¬ned as follows:
Deο¬nition 5 (A-cast [22]). A-castis an asynchronous broadcast primitive. It was introduced and elegantly implemented by Bracha [17] withπ= 3π‘+1parties. LetΞ be an asynchronous protocol initiated by a special party (called the sender), having inputπ(the message to be broadcast). We say that Ξ is aπ‘-resilient A-castprotocol if the following hold, for every possible behavior ofππ‘:
β Termination:
1. If the sender is honest and all the honest parties participate in the protocol, then each honest party will eventually terminate the proto-col.
β Correctness: If the honest parties terminate the protocol then they do so with a common output πβ. Furthermore, if the sender is honest then πβ=π.
For the sake of completeness, we recall Brachaβs A-cast protocol from [19] and present it in Fig. 1.
Figure 1: BrachaβsA-castProtocol withπ= 3π‘+ 1
Bracha-A-cast(π,π«, π)
Code for the senderπ(with inputπ): onlyπexecutes this code
1. Send message (π ππΊ, π) privately to all the parties.
Code for partyππ: every party inπ«executes this code
1. Upon receiving a message (π ππΊ, π), send (πΈπΆπ»π, π) privately to all parties. 2. Upon receivingπβπ‘messages (πΈπΆπ»π, πβ²) that agree on the value ofπβ², send
(π πΈπ΄π·π, πβ²) privately to all the parties.
3. Upon receivingπ‘+ 1 messages (π πΈπ΄π·π, πβ²) that agree on the value of πβ², send (π πΈπ΄π·π, πβ²) privately to all the parties.
4. Upon receivingπβπ‘messages (π πΈπ΄π·π, πβ²) that agree on the value ofπβ², send (ππΎ, πβ²) privately to all the parties, acceptπβ²as the output message and terminate the protocol.
Theorem 1 ([19]). ProtocolA-castprivately communicatesπͺ(βπ2)bits for an
βbit message.
Notation 1 (Notation for Using A-cast). In the rest of the paper, we use the following convention: we say that ππ receives π from the A-cast of ππ, if
ππ completes the execution of ππβs A-cast (the A-cast protocol where ππ is the
sender), withπ as the output.
Deο¬nition 6 (Online Error Correction (OEC)). Let π be a secret which is π‘-shared among the parties in π« by a degree-π‘ polynomial π(π₯). So π(0) = π . Let ππΌ β π« be a speciο¬c party, who wants to reconstruct π . Towards this
every partyππ sends his shareπ π of π to ππΌ. The shares may reachππΌ in any
arbitrary order. Moreover, up to π‘ of the shares may be incorrect or missing. In such a situation, by applying OEC on the receivedπ πβs, partyππΌcan get the
interpolation polynomial π(π₯) and reconstruct the secret π =π(0) in an online fashion. The OEC method uses the properties of Reed-Solomon error correcting codes [56] and enablesππΌto recognize when the received shares deο¬ne a unique
degree-π‘ interpolation polynomial.
1.3. Existing Results for Statistical AVSS with Optimal Resilience
From [22], statistical AVSS toleratingππ‘is possible iο¬πβ₯3π‘+1. Therefore,
any statistical AVSS withπ= 3π‘+ 1 parties is said to haveoptimal resilience. The known statistical AVSS protocols with optimal resilience are due to [22] and [61]. Both these AVSS schemes were designed to be used for construct-ingAsynchronous Byzantine Agreement(ABA) protocols. In the following, we summarize these two AVSS schemes.
1. The authors of [22] have presented a series of protocols for designing their AVSS scheme. They ο¬rst designed a tool called Information Checking Protocol(ICP) which is used as a black box for another primitive Asyn-chronous Recoverable Sharing(A-RS). Subsequently, using A-RS, the au-thors have designed an AWSS scheme, which is further used to design a variation of AWSS called Two & Sum AWSS. Finally using their Two & Sum AWSS, an AVSS scheme was presented. Pictorially, the route taken by AVSS scheme of [22] is as follows: ICPβ A-RS β AWSS β
Two & Sum AWSSβAVSS. Since the AVSS scheme is designed on top of so many sub-protocols, it becomes highly communication intensive as well as very much involved. The scheme requires a private communication ofπͺ(π9(log1
π)4) bits andA-castπͺ(π9(log1π)2log(π)) bits9to share a
sin-gleelement fromπ½. However, the AVSS scheme of [22] does not generate π‘-sharing of the secret. That is, the AVSS scheme of [22] is not an ACSS scheme and hence can not be used directly in AMPC.
2. The authors of [61] used the following simpler route to design their AVSS scheme: ICP β AWSS β AVSS. Moreover, due to the new design approach used in their ICP, AWSS and AVSS protocol, the AVSS of [61] provides much better communication complexity than the AVSS of [22]. So the AVSS protocol of [61] requires a private communication of πͺ((βπ3+π4) log1
π) bits and A-cast of πͺ((βπ3+π4) log1π) bits to share
ββ₯1 elements. While the AVSS scheme of [61] is suitable for ABA prob-lem, it is not suitable for AMPC because:
(a) The AVSS scheme of [61] is not an ACSS scheme.
(b) In AVSS of [61], acorruptedπ·may choose secrets fromπ½βͺ {π π πΏπΏ} rather than fromπ½only.
1.4. Our Contribution
We present a new statistical AVSS scheme with optimal resilience by fol-lowing the simple route of [61]. In the folfol-lowing table, we compare the com-munication complexity of our AVSS with the AVSS of [22, 61]. The table also shows the private communication complexity (CC) of the AVSS protocols after simulatingA-castusing the protocol of [17].
9The communication complexity analysis of the AVSS scheme of [22] was not done earlier
Ref. CC in bits CC in bits usingA-castof [17] # Secrets [22] Privateβπͺ(π9(log1
π)4) πͺ(π9(log
1
π)4+π11(log
1
π)2logπ) 1
A-castβπͺ(π9(log1
π)2log(π))
[61] Privateβπͺ((βπ3+π4) log1
π) πͺ((βπ5+π6) log1π) β
A-castβπͺ((βπ3+π4) log1
π)
This Privateβπͺ((βπ3+π4log1
π) log
1
π) πͺ((βπ3+π4log
1
π) log
1
π+π5logπ) β
Article A-castβπͺ(π3log(π))
As shown in the table, our AVSS attains signiο¬cantly better communication complexity than the AVSS of [22] and [61] for any value ofβ. As mentioned in the previous section, the AVSS of [61] has a weaker property than the AVSS of this article and [22]: A corrupted π· may choose secrets from π½βͺ {π π πΏπΏ}. Such an AVSS is suο¬cient for designing ABA protocols. However, to be ap-plicable for AMPC, we require that AVSS should allow to share secret(s)only
fromπ½[15]. Our AVSS achieves this crucial property at a lesser communication cost. Using our AVSS, we design a new ACSS scheme, which is an essen-tial component ofasynchronous multiparty computation(AMPC) [15]. Though there are CSS schemes in synchronous settings, our ACSS scheme is ο¬rst of its kind in asynchronous settings with π = 3π‘+ 1. In fact, using our ACSS, we construct an eο¬cient statistical AMPC with optimal resilience; i.e., with π = 3π‘+ 1, which privately communicates πͺ(π5log1
π) bits per multiplication
gate. This is a signiο¬cant improvement over theonly known statistical AMPC of [15] with π = 3π‘+ 1 that privately communicates Ξ©(π11(log1
π)4) bits and A-castΞ©(π11(log1
π)2log(π)) bits per multiplication gate.
In order to design AVSS, we ο¬rst propose a new Information Checking Pro-tocol (ICP) which signiο¬cantly improves the communication complexity of the ICP of [61]. Using our ICP, we design an AWSS which is inspired by the AWSS of [61]. Finally our AWSS is used in constructing our new AVSS proto-col. The design approach of our AVSS and ACSS are the main essence of this article. In sum, our route for constructing the AMPC protocol is as follows: πΌπΆπ βπ΄π ππβπ΄π ππβπ΄πΆππβπ΄π π πΆ.
1.5. Organization of the Paper
2. Information Checking Protocol (ICP) and IC Signature
The Information Checking Protocol (ICP) is a tool for authenticating mes-sages in the presence of computationally unbounded corrupted parties. The notion of ICP was ο¬rst introduced by Rabin et.al [67] who have designed an ICP insynchronoussettings. The ICP of Rabin et. al. was also used as a tool by Canetti et. al. [22] for designing their AVSS scheme.
As described in [67, 22, 27], an ICP is executed among three parties: adealer
π·, an intermediary πΌπ π and a veriο¬er π . The dealer π· hands over a secret valueπ to πΌπ π. At a later stage, πΌπ π is required to hand over π to π and convinceπ that π is indeed the value whichπΌπ π received fromπ·. The basic deο¬nition of ICP involves only asingleveriο¬er π [67, 27, 22]. We extend this notion to multipleveriο¬ers, where all theπ parties inπ« act as veriο¬ers. Thus our ICP is executed among three entities: a dealer π· β π«, an intermediary πΌπ π β π« and the entire set π« acting as veriο¬ers. This will be later helpful in using ICP as a tool in our AWSS protocol. Moreover, in contrast to the existing ICP protocols that deal with single secret, our ICP can deal withmultiplesecrets
concurrentlyand thus achieves better communication complexity than multiple execution of ICP dealing with single secret. Note that, as opposed to the case of a single veriο¬er, when multiple veriο¬erssimultaneouslyparticipate in ICP, we need to distinguish between synchronity and asynchronity of the network. Our ICP is executed in asynchronous settings and thus we refer it as AICP. As in [67, 22], our AICP is also structured into sequence of following three phases:
1. Generation Phase: This phase is initiated byπ·. Hereπ·hands over the secret π containingβelements from π½tointermediaryπΌπ π. In addition, π· sends some authentication information to πΌπ π and some veriο¬cation informationto individual veriο¬ers inπ«.
2. Veriο¬cation Phase: This phase is initiated by πΌπ π to acquire an IC Signature onπ that will be later accepted by every honest veriο¬ers inπ«. Depending on the nature of π·, πΌπ π may or may not receive IC Signa-ture from π·. When πΌπ π receives IC Signature, he decides to continue AICP and later participate in Revelation Phase. On the other hand, when πΌπ π does not receive IC Signature, he aborts AICP and does not participate in Revelation Phase later. The IC signature (when πΌπ π receives it), denoted by πΌπΆπππ(π·, πΌπ π,π«, π) is nothing but the π along with theauthentication informationwhich is/are held byπΌπ π at the end ofVeriο¬cation Phase.
(b) ππΌ-private-revelation of πΌπΆπππ(π·, πΌπ π,π«, π): Here πΌπ π privately
revealsπΌπΆπππ(π·, πΌπ π,π«, π) toonlyππΌ. After doing some checking,
ifππΌ believes that πΌπ π indeed received IC signature on π from π·
thenππΌsetsRevealπΌ=π. Otherwise ππΌ setsRevealπΌ=π π πΏπΏ.
Any AICP should satisfy the following properties, assuming public revelation of signature (these properties are almost same as the properties of ICP deο¬ned in [22]). In the properties, π denotes the error parameter of AICP. In order to bound the error probability by π, any AICP protocol operates over ο¬eld π½=πΊπΉ(2π ), whereπ= 2βΞ©(π ). Soπ =βlog1
πβ.
1. AICP-Correctness1: Ifπ·andπΌπ πarehonest, thenπΌπΆπππ(π·, πΌπ π,π«, π) will be accepted inRevelation Phaseby every honestveriο¬er.
2. AICP-Correctness2: If anhonestπΌπ π holds an πΌπΆπππ(π·, πΌπ π,π«, π) at the end ofVeriο¬cation Phase, thenπΌπΆπππ(π·, πΌπ π,π«, π) will be ac-cepted inRevelation Phaseby every honest veriο¬er, except with prob-abilityπ.
3. AICP-Correctness3: If π· is honest, then duringRevelation Phase, with probability at least (1βπ), everyπΌπΆπππ(π·, πΌπ π,π«, πβ²) withπβ²β=π produced by acorruptedπΌπ π will not be accepted by anhonestveriο¬er. 4. AICP-Secrecy: If π· and πΌπ π are honest and πΌπ π has not started
Revelation Phase, thenππ‘will have no information about π.
For AICP withππΌ-private-revelation in Revelation Phase, the above
prop-erties can be modiο¬ed by replacing βevery/any honest veriο¬erβ with βhonest ππΌβ.
In the following, we ο¬rst present an informal idea of our novel AICP called
MVMS-AICPand then describe protocolMVMS-AICPin Fig. 2.
The Intuition behind Protocol MVMS-AICP: π· selects a random poly-nomial π(π₯) of degree β+π‘π , whose ο¬rst β coeο¬cients are the elements of π and deliversπ(π₯) toπΌπ π. In addition, to each individual veriο¬er, π· privately gives the value ofπ(π₯) at π randomevaluation points. This distribution of in-formation byπ· helps to achieveAICP-Correctness3 property. Speciο¬cally, ifπ· ishonest, then a corruptedπΌπ π cannot produce an incorrectπβ²(π₯)β=π(π₯) duringRevelation Phasewithout being detected by anhonestveriο¬er. This is because a corruptedπΌπ π will have no information about the evaluation points of an honest veriο¬er and hence with very high probability,πβ²(π₯) will not match with the evaluation points held by an honest veriο¬er.
The above distribution of information byπ·also maintainsAICP-Secrecy
property. This is because the degree ofπ(π₯) isβ+π‘π andππ‘will know the value
ofπ(π₯) at most atπ‘π evaluation points.
However, a corruptedπ· might do the following: he may distributeπ(π₯) to πΌπ π and value of some other polynomial (diο¬erent from π(π₯)) to each honest veriο¬er. To avoid this situation,πΌπ π and the veriο¬ers interact inzero knowledge
values ofπ(π₯) held by individual veriο¬er. The speciο¬c details of the cut-and-choose, along with other formal steps of protocolMVMS-AICPare given in Fig. 2.
Since in our AWSS, we require onlyππΌ-private-revelation ofπΌπΆπππ(π·, πΌπ π,π«, π),
we present protocolMVMS-AICPwithRevelation PhasedescribingππΌ
-private-revelation ofπΌπΆπππ(π·, πΌπ π,π«, π).
Figure 2:AICP withπ= 3π‘+ 1. Hereπ =βlog1
πβ
ProtocolMVMS-AICP(π·, πΌπ π,π«, π, π) Generation Phase: Gen(π·, πΌπ π,π«, π, π)
1. π· selects a randomβ+π‘π degree polynomialπ(π₯) whose lower orderβcoeο¬cients are the secrets in π = (π 1, . . . , π β). π· also picksππ random, non-zero, distinct
evaluation pointsfromπ½, denoted byπΌπ
1, . . . , πΌππ , forπ= 1, . . . , π.
2. π· privately sends π(π₯) toπΌπ π and the veriο¬cation tags π§π
1 = (πΌπ1, ππ1), . . . , π§π π =
(πΌπ
π , πππ ) to partyππ. Hereπππ=π(πΌππ), forπ= 1, . . . , π .
Veriο¬cation Phase: Ver(π·, πΌπ π,π«, π, π)
1. Every veriο¬erππrandomly partitions the index set{1, . . . , π }into two setsπΌπand
πΌπof equal size and sendsπΌπandπ§π
πfor allπβπΌπtoπΌπ π.
2. Local Computation (only forπΌπ π):
(a) For every veriο¬erππfrom whichπΌπ π has receivedπΌπand corresponding
ver-iο¬cation tags,πΌπ π checks whether foreveryπβπΌπ,π(πΌπ π)
? =ππ
π.
(b) If for at least 2π‘+ 1 veriο¬ers, the above condition is satisο¬ed, then πΌπ π
sets πΌπΆπππ(π·, πΌπ π,π«, π) = π(π₯) and concludes that he has received
πΌπΆπππ(π·, πΌπ π,π«, π) fromπ·.
(c) If for at leastπ‘+ 1 veriο¬ers, the above condition is not satisο¬ed, thenπΌπ π
setsπΌπΆπππ(π·, πΌπ π,π«, π) =π π πΏπΏand concludes that he has not received
πΌπΆπππ(π·, πΌπ π,π«, π) fromπ·.
Revelation Phase: Reveal-Private(π·, πΌπ π,π«, π, ππΌ, π): ππΌ-private-revelation of
πΌπΆπππ(π·, πΌπ π,π«, π)
1. To partyππΌ,πΌπ π sendsπΌπΆπππ(π·, πΌπ π,π«, π) =π(π₯).
2. To partyππΌ, every veriο¬erππsends the index setπΌπand allπ§ππsuch thatπβπΌπ.
3. Local Computation (only forππΌ):
(a) Upon receivingπ(π₯) fromπΌπ π and the values from veriο¬erππ, check whether
forsomeπβπΌπ,π(πΌπ π)
? =ππ
π.
(b) If for at least π‘ + 1 veriο¬ers the condition is satisο¬ed, then accept
πΌπΆπππ(π·, πΌπ π,π«, π) and setRevealπΌ = π, where π is lower order β
coef-ο¬cients ofπ(π₯).
(c) If for at least 2π‘+ 1 veriο¬ers the above condition is not satisο¬ed, then reject
πΌπΆπππ(π·, πΌπ π,π«, π) and setRevealπΌ=π π πΏπΏ.
We now prove the properties of protocolMVMS-AICP.
Lemma 1 (AICP-Correctness1). Ifπ·,πΌπ π andππΌare honest, thenπwill
Proof: Ifπ· is honest then he will honestly deliverπ(π₯) to πΌπ π and its value atπ points to individual veriο¬er. So eventually, the condition stated in step 2(a) ofVeriο¬cation Phase will be satisο¬ed for at least 2π‘+ 1 veriο¬ers and hence πΌπ π, who is honest in this case will setπΌπΆπππ(π·, πΌπ π,π«, π) =π(π₯). Now it is easy to see that the condition stated in step 3(a) ofRevelation Phasewill be eventually satisο¬ed, corresponding to the honest veriο¬ers inπ« (there are at least 2π‘+ 1 honest veriο¬ers). Hence ππΌ, who is honest in this case, will eventually
acceptπΌπΆπππ(π·, πΌπ π,π«, π) at the end ofRevelation phase. β‘
Lemma 2 (AICP-Correctness2). If an honestπΌπ π holds anπΌπΆπππ(π·, πΌπ π, π«, π)at the end ofVeriο¬cation Phase, thenπΌπΆπππ(π·, πΌπ π,π«, π)will be ac-cepted inRevelation Phaseby honestππΌ, except with probabilityπ.
Proof: We have to consider the case whenπ·is corruptedas otherwise the proof will follow from Lemma 1. SinceπΌπ π is honest and it holds anπΌπΆπππ(π·, πΌπ π,π«, π) at the end ofVeriο¬cation phase,πΌπ π has ensured that for at least 2π‘+ 1 veriο¬ers the condition speciο¬ed in step 2(a) of Veriο¬cation phase has been satisο¬ed. Letβbe the set ofhonestveriο¬ers among these 2π‘+ 1 veriο¬ers. Note that β£ββ£ β₯ π‘+ 1. To prove the lemma, we prove that corresponding to each veriο¬er in β, the condition stated in step 3(a) ofRevelation Phase will be satisο¬ed with very high probability. Note that corresponding to a veriο¬erππ in
β, the condition stated in step 3(a) of Revelation Phase will fail if for all
πβπΌπ,π(πΌπ
π)β=πππ. This implies that (corrupted)π· must have distributedπ(π₯)
(to πΌπ π) and π§π
π (to ππ) inconsistently for all π β πΌπ and it so happens that
ππ has partitioned {1, . . . , π } intoπΌπ andπΌπ during Veriο¬cation Phase, such
thatπΌπcontains only inconsistent tuples (π§ππβs). Thus corresponding to a veriο¬er
ππ β β, the probability that the condition stated in step 3(a) of Revelation
Phase fails is same as the probability of ππ selecting all consistent
(inconsis-tent) tuples inπΌπ (πΌπ), which is 1
(π /2)π β2βΞ©(π ). Now as there are at leastπ‘+ 1 parties inβ, except with probability (π‘+ 1)2βΞ©(π )βπ,π
πΌwill eventually ο¬nd
step 3(a) ofRevelation Phaseto be true for all parties inβand will accept
πΌπΆπππ(π·, πΌπ π,π«, π). β‘
Lemma 3 (AICP-Correctness3). If π· is honest, then during Revelation Phase, with probability at least(1βπ), everyπΌπΆπππ(π·, πΌπ π,π«, πβ²)withπβ²β=π
produced by a corruptedπΌπ π will be rejected by honest veriο¬erππΌ.
Proof: It is easy to see that πβ² β= π produced by a corrupted πΌπ π will be accepted by anhonest ππΌ, if the condition stated in step 3(a) ofRevelation
Phasegets satisο¬ed corresponding toat least one honestveriο¬er (forπ‘corrupted veriο¬ers, the condition may always satisfy). However, the condition will be satisο¬ed corresponding to honest veriο¬erππif corruptedπΌπ π cancorrectly guess
a veriο¬cation tag π§ππ for at least one π β πΌπ, which he can do with probability
1
β£π½β£ = 2βΞ©(π )=π. β‘
Proof: Ifπ·andπΌπ π are honest, then at the end ofVeriο¬cation Phase,ππ‘
will getπ‘π distinct values onπ(π₯). However,π(π₯) is of degreeβ+π‘π and hence the lower order β coeο¬cients ofπ(π₯) which are the elements of π will remain
information theoretically secure. β‘
Lemma 5 (AICP-Communication-Complexity). ProtocolGenprivately com-municatesπͺ((β+πlog1
π) log1π)bits. ProtocolVer privately communicates
πͺ((πlog1
π) log1π) bits. Protocol Reveal-Private privately communicates πͺ((β+
πlog1
π) log1π)bits.
Proof: In protocol Gen, π· privately gives β +π‘π ο¬eld elements to πΌπ π and π ο¬eld elements to each veriο¬er. Since each ο¬eld element can be repre-sented by πͺ(π ) bits and π = βlog1
πβ, protocol Gen incurs a private
commu-nication of πͺ((β+πlog1
π) log1π) bits. In protocolVer, every veriο¬er privately
sends π
2 ο¬eld elements toπΌπ π, thus incurring a total private communication of
πͺ((πlog1
π) log1π) bits. In protocol Reveal-Private, πΌπ π sends to ππΌ the
poly-nomialπ(π₯), consisting ofβ+π‘π ο¬eld elements, while each veriο¬er sendsπΌπ and
corresponding veriο¬cation tags. SoReveal-Privateinvolves private communica-tion ofπͺ((β+πlog1
π) log1π) bits. β‘
Theorem 2. Protocol Multi-Veriο¬er-AICPis an eο¬cient AICP.
Proof: The theorem follows from Lemma 1, Lemma 2, Lemma 3 and Lemma 4.
Notation 2 (Notation for Using Multi-Veriο¬er-AICP). Recall that π· and
πΌπ π can be any party fromπ«. In the sequel we use the following convention. We say that:
1. βππ sends πΌπΆπππ(ππ, ππ,π«, π)toππ with error parameterπβ to mean that
ππacting as dealerπ·and consideringππasπΌπ π, executesGen(ππ, ππ,π«, π, π);
2. βππ receivesπΌπΆπππ(ππ, ππ,π«, π)fromππ with error parameterπβ to mean
thatππasπΌπ π has receivedπΌπΆπππ(ππ, ππ,π«, π)after executingVer(ππ, ππ,π«,
π, π);
3. βππ revealsπΌπΆπππ(ππ, ππ,π«, π)toππΌ with error parameterπβ to meanππ
as πΌπ π executesReveal-Private(ππ, ππ,π«, π, ππΌ, π)along with the
partici-pation of the veriο¬ers in π«;
4. βππΌ completes revelation of πΌπΆπππ(ππ, ππ,π«, π) with RevealπΌ = πβ to
mean thatππΌ has successfully completedReveal-Private(ππ, ππ,π«, π, ππΌ, π)
withRevealπΌ=π.
3. Statistical AWSS Scheme for Sharing a Single Secret
We now present an AWSS scheme, calledAWSSwithπ= 3π‘+ 1, consisting of a pair of protocols (AWSS-Share, AWSS-Rec-Private). While AWSS-Share
reconstruction as ππΌ-weak-private-reconstruction. In AWSS-Share, a corrupted
π· may commit toπ =π π πΏπΏinstead of an element fromπ½(the meaning of it will be clear in the sequel).
Our AWSS-Share protocol is similar toAWSS-Share protocol given in [61]. However, instead of using the AICP of [61], we useMVMS-AICP presented in this paper inAWSS-Share. This leads to better communication complexity.
High Level Idea of AWSS-Share:We follow the general strategy used in [13, 27, 39, 38, 54] for synchronous settings for sharing the secretπ with a symmetric bivariate polynomial πΉ(π₯, π¦) of degree-π‘ in π₯and π¦, where each party ππ gets
the univariate polynomialππ(π₯) =πΉ(π₯, π). So inAWSS-Share,π·chooses a
sym-metric bivariate polynomialπΉ(π₯, π¦) of degree-π‘inπ₯andπ¦such thatπΉ(0,0) =π . π· then hands overπΌπΆπππ(π·, πΌπ π,π«, ππ(π)) for everyπ = 1, . . . , π toππ. This
step implicitly implies thatππ will receiveππ(π₯) fromπ·. After receiving these
IC signatures fromπ·, the parties then exchange IC signature on their common values (a pair (ππ, ππ) has one common value, namelyπΉ(π, π); ππ hasππ(π) and
ππ hasππ(π) where πΉ(π, π) = ππ(π) = ππ(π)). Then π·, in conjunction with all
other parties, perform a sequence of communication and computation. As a result of this, at the end of AWSS-Share, every party agrees on a set of 2π‘+ 1 parties, calledπ πΆππ πΈ, such that every partyππβπ πΆππ πΈisIC-committed
toππ(0) usingππ(π₯) to a set of 2π‘+1 parties, called asππΎππ. ππisIC-committed
toππ(0) usingππ(π₯) among the parties inππΎππ only when every ππ βππΎππ
received (a)πΌπΆπππ(π·, ππ,π«, ππ(π)) and (b)πΌπΆπππ(ππ, ππ,π«, ππ(π)) and ensures
ππ(π) =ππ(π) (this should ideally hold due to the selection and distribution of
symmetric bivariate polynomial). In some sense, we may view this as every ππ βπ πΆππ πΈis attempting to commit his received (fromπ·) polynomialππ(π₯)
among the parties inππΎππ (by giving hisIC Signatureon one point ofππ(π₯)
to each party) and the parties in ππΎππ allowing him to do so after
verify-ing that they have got π·βs IC signature on the same value of ππ(π₯). We will
show that later in the reconstruction phase, every honest ππβs (in π πΆππ πΈ)
IC-commitment will be reconstructed correctly irrespective of whether π· is honest or corrupted. Moreover, a corrupted ππβs IC-commitment will be
re-constructed correctly when π· is honest. But on the other hand, a corrupted ππβs IC-commitment can be reconstructed to any value when π· is corrupted.
These properties are at the heart of our AWSS protocol.
Achieving the agreement (among the parties) onπ πΆππ πΈ and correspond-ing ππΎππs is a bit tricky in asynchronous network. Even though these sets
are constructed on the basis of information that areA-casted by parties, parties may end up with diο¬erent versions ofπ πΆππ πΈ andππΎππβs while attempting
to generate them locally, due to the asynchronous nature of the network. We solve this problem by askingπ·to constructπ πΆππ πΈ andππΎππs based on A-casted information and then askπ·toA-castthe same. After receivingπ πΆππ πΈ andππΎππs from theA-castofπ·, individual parties ensure the validity of these
Figure 3: Sharing Phase of Protocol AWSS for Sharing a Single Secret π with
π= 3π‘+ 1
Protocol
AWSS-Share(
π·,
π«
, π , π
)
Distribution: Code forπ·β Onlyπ·executes this code.
1. Select a random, symmetric bivariate polynomialπΉ(π₯, π¦) of degree-π‘inπ₯and
π¦, such thatπΉ(0,0) =π . Forπ= 1, . . . , π, letππ(π₯) =πΉ(π₯, π).
2. Forπ= 1, . . . , π, sendπΌπΆπππ(π·, ππ,π«, ππ(π)) toππwith error parameterπβ²= ππ2
for eachπ= 1, . . . , π.
Verification: Code forππβ Every party includingπ·executes this code.
1. Wait to receive πΌπΆπππ(π·, ππ,π«, ππ(π)) with error parameter πβ² for each π =
1, . . . , πfromπ·.
2. Check if (ππ(1), . . . , ππ(π)) deο¬nes degree-π‘ polynomial. If yes then send
πΌπΆπππ(ππ, ππ,π«, ππ(π)) toππwith error parameterπβ²for allπ= 1, . . . , π.
3. If πΌπΆπππ(ππ, ππ,π«, ππ(π)) is received fromππ with error parameter πβ² and if
ππ(π) =ππ(π), thenA-castOK(ππ, ππ).
WCORE Construction :Code forπ·β Onlyπ·executes this code.
1. For eachππ, build a setππΎππ={ππβ£π·receivesOK(ππ, ππ) from theA-castofππ}.
When β£ππΎππβ£ = 2π‘+ 1, then ππβsIC-commitment on ππ(0) is over (or we
may say thatππ isIC-committedtoππ(0)) and addππ inπ πΆππ πΈ(which is
initially empty).
2. Wait until β£π πΆππ πΈβ£ = 2π‘+ 1. Then A-cast π πΆππ πΈ and ππΎππ for all
ππβπ πΆππ πΈ.
WCORE Verification & Agreement on WCORE :Code forππ
1. Wait to obtain π πΆππ πΈand ππΎππ for allππ β π πΆππ πΈfromπ·βsA-cast,
such thatβ£π πΆππ πΈβ£= 2π‘+ 1 andβ£ππΎππβ£= 2π‘+ 1 for eachππβπ πΆππ πΈ.
2. Wait to receive OK(ππ, ππ) for all ππ β ππΎππ and ππ β π πΆππ πΈ. After
receiving all theseOKs, accept theπ πΆππ πΈandππΎππβs received fromπ·and
terminateAWSS-Share.
Before moving into the discussion and description of AWSS-Rec-Private, we now deο¬ne what we call asπ·βs AWSS-commitment.
Remark 2 (π·βs AWSS-commitment). We say that π· is AWSS-committed to a secretπ βπ½ inAWSS-Shareif there is a unique degree-π‘univariate polyno-mialπ(π₯)such thatπ(0) =π and every honestππ inπ πΆππ πΈreceivesπ(π)from
π· and IC-commits toπ(π)among the parties in ππΎππ. Otherwise, we say that
π·has committedπ π πΏπΏ. An honestπ· always commitsπ fromπ½as in this case
π(π₯) is π0(π₯)(= πΉ(π₯,0)), whereπΉ(π₯, π¦) is the symmetric bivariate polynomial of degree-π‘ in π₯ and π¦, chosen by honest π·. Moreover, every honest party ππ
inπ πΆππ πΈ will receiveπ0(π)which is same asππ(0)(this can be obtained from
ππ(π₯)). But AWSS-Sharecan not ensure that corrupted π· also commitsπ β π½.
that, polynomialπ0(π₯) deο¬ned by the π0(π)(=ππ(0)) values possessed by honest
ππβs in π πΆππ πΈ may not be a degree-π‘ polynomial. In this case we say π· has
AWSS-committedπ π πΏπΏ.
Our discussion in the sequel will show that for a corrupted π·, irrespective of the behavior of the corrupted parties, eitherπ·βs AWSS-committed secret π (which belongs toπ½βͺ {π π πΏπΏ}) or NULL will be reconstructed by honestππΌ.
High Level Idea of AWSS-Rec-Private:InAWSS-Rec-Private, the parties in π πΆππ πΈ and corresponding ππΎππβs are used in order to reconstruct π·βs
AWSS-committed secret. Speciο¬cally, for everyππ βπ πΆππ πΈ,ππβs
IC-commit-ment (ππ(0)) is reconstructed by asking every party ππ β ππΎππ to reveal
πΌπΆπππ(π·, ππ,
π«, ππ(π)) and πΌπΆπππ(ππ, ππ,π«, ππ(π)) such thatππ(π) =ππ(π). Since there are
at leastπ‘+ 1 honest parties in ππΎππ, eventually at least π‘+ 1ππ(π)βs will be
revealed with which ππ(π₯) and thusππ(0) will be reconstructed. Thenππ(0)βs
are used to construct the univariate polynomialπ0(π₯) that is committed byπ·
duringAWSS-Share.
Asking ππ βππΎππ to revealπ·βs IC signature ensures that ifπ· ishonest,
then even for acorrupted ππ β π πΆππ πΈ, the reconstructed polynomialππ(π₯)
will be same as the one handed over by π· to ππ in sharing phase (that is,
a corrupted ππβs IC-commitment ππ(0) will be reconstructed correctly). This
helps our AWSS protocol to satisfy Correctness 1 property of AWSS. Now askingππ inππΎππ to revealππβs signature ensures that even ifπ· iscorrupted,
for anhonestππ βπ πΆππ πΈ, the reconstructed polynomialππ(π₯) will be same
as the one received by ππ from π· in AWSS-Share(that is, an honest ππβs
IC-commitmentππ(0) will be reconstructed correctly even thoughπ·is corrupted).
This helps to ensureCorrectness 2 property. Summing up, when at least one ofπ·andππ is honest,ππβsIC-commitment(i.eππ(0)) will be revealed properly.
But when bothπ·andππare corrupted,ππβsIC-commitmentcan be revealed as
anyππ(0) which may or may not be equal toππ(0). It is the later property that
makes our protocol to qualify as a AWSS protocol rather than a AVSS protocol. ProtocolAWSS-Rec-Privateis formally given in Fig. 4.
The proof of the properties of our AWSS scheme follows using similar argu-ments as given for the AWSS scheme of [61]. However, for the sake of complete-ness we recall them here.
Lemma 6 (AWSS-Termination). Protocols (AWSS-Share,AWSS-Rec-Private) satisfy termination property of Deο¬nition 1.
Proof: Termination 1: Whenπ·is honest then eventually all honest parties will receive desired IC signatures fromπ· and will also eventually exchange IC signatures on their common values and will A-cast OK for each other. Hence every honestππ will eventually complete hisIC-commitment on ππ(0) with at
least 2π‘+ 1 honest parties inππΎππ. Soπ·will eventually include 2π‘+ 1 parties
Figure 4: Reconstruction Phase of Protocol AWSS Scheme for Sharing a Single Secretπ withπ= 3π‘+ 1
Protocol
AWSS-Rec-Private(
π·,
π«
, π , π
πΌ, π
)
:
π
πΌ-weak-private-reconstruction of
π
Signature Revelation: Code forππβ Every party executes this code1. If ππ belongs to ππΎππ for some ππ β π πΆππ πΈ, then reveal
πΌπΆπππ(π·, ππ,π«, ππ(π)) andπΌπΆπππ(ππ, ππ,π«, ππ(π)) toππΌ, each with error
pa-rameterπβ².
Local Computation: Code forππΌβ OnlyππΌ executes this code
1. For everyππβπ πΆππ πΈ, reconstructππβsIC-commitment, sayππ(0) as
fol-lows:
(a) Construct a setπ ππππππ=β .
(b) AddππβππΎππtoπ ππππππif the following conditions hold:
i. Revelation of πΌπΆπππ(π·, ππ,π«, ππ(π)) and πΌπΆπππ(ππ, ππ,π«, ππ(π))
are completed withRevealπΌ=ππ(π) andRevealπΌ=ππ(π); and
ii. ππ(π) =ππ(π).
(c) Wait until β£π ππππππβ£ = π‘+ 1. Construct a polynomial ππ(π₯) passing
through the points (π, ππ(π)) whereππβπ ππππππ. Associateππ(0) with
ππβπ πΆππ πΈ.
2. Wait forππ(0) to be reconstructed for everyππinπ πΆππ πΈ.
3. Check whether the points (π, ππ(0)) forππβπ πΆππ πΈlie on a unique degree-π‘
polynomialπ0(π₯). If yes, then setπ =π0(0) and terminateAWSS-Rec-Private. Else setπ =π π πΏπΏand terminateAWSS-Rec-Private.
the property ofA-cast, each honest party will eventually receiveπ πΆππ πΈ from the A-cast of π·. Finally, since honest π· had included ππ in π πΆππ πΈ after
receiving theOKsignals from the parties inππΎππβs, each honest party will also
receive the same and will eventually terminateAWSS-Share.
Termination 2: If an honest ππ has terminated AWSS-Share, then he must
have received π πΆππ πΈ and ππΎππβs from the A-cast of π· and veriο¬ed their
validity by receiving the desiredA-casts. By properties of A-cast, each honest party will also receive the same and will eventually terminateAWSS-Share.
Termination 3: Since each of the IC signatures are given with an error pa-rameterπβ²= π
π2, ifππ (acting asπΌπ π) is honest and has received an IC
signa-ture, then IC signature produced byππ during Reveal-Privatewill be accepted
by honest ππΌ without any error probability when π· is honest (by
AICP-Correctness1 i.e Lemma 1) and except with probability πβ² when π· is cor-rupted (byAICP-Correctness2i.e Lemma 2). Since for everyππ βπ πΆππ πΈ,
β£ππΎππβ£ = 2π‘+ 1, there are at leastπ‘+ 1 honest parties in ππΎππ and each of
them may be present inπ ππππππ except with probability πβ². Thus except with
probability at most π2πβ² = π, π
all ππ β π πΆππ πΈ. So except with probability π, honest ππΌ will terminate AWSS-Rec-Private after executing remaining steps of [Local Computation] (as speciο¬ed in protocolAWSS-Rec-Private). β‘
Lemma 7 (AWSS-Secrecy). Protocol AWSS-Sharesatisο¬es secrecy property of Deο¬nition 1.
proof: We have to consider the case whenπ· is honest. The proof follows from the secrecy of protocolMVMS-AICPand properties of symmetric bivariate poly-nomial of degree-π‘inπ₯andπ¦[25]. Speciο¬cally, without loss of generality, assume thatπ1, . . . , ππ‘are the parties under the control ofππ‘. So during the execution
ofAWSS-Share,ππ‘will knowπ1(π₯), . . . , ππ‘(π₯) andπ‘points onππ‘+1(π₯), . . . , ππ(π₯).
However,ππ‘ still lacks one more point to uniquely interpolate πΉ(π₯, π¦). Hence,
π =πΉ(0,0) will be information theoretically secure. β‘
Lemma 8 (AWSS-Correctness). Protocols (AWSS-Share,AWSS-Rec-Private) satisfy correctness property of Deο¬nition 1.
Proof: Correctness 1: Here we have to consider the case when π· is hon-est. We show that π·βs AWSS-commitment will be reconstructed correctly by honest ππΌ, except with probability π. We prove the lemma by showing that
whenπ· ishonest,ππβsIC-commitmentππ(0) will be correctly reconstructed for
ππ β π πΆππ πΈ, except with probability ππ, irrespective of whether ππ is
hon-est or corrupted. Consequently, asβ£π πΆππ πΈβ£= 2π‘+ 1, all honest parties will reconstructπ0(π₯) =πΉ(π₯,0) and hence the secret π =π0(0) with probability at
least (1β(2π‘+ 1)π
π)β(1βπ). So we consider the following two cases:
1. Consider an honestππinπ πΆππ πΈ. FromAICP-Correctness3(Lemma
3), a corruptedππβππΎππ will be able to successfully produce
πΌπΆπππ(ππ, ππ,π«, ππ(π)) such thatππ(π)β=ππ(π), with probability at most
πβ². As there can be at most π‘ corrupted parties in π πππππ
π, except with
probabilityπ‘πβ²= π
π, the valueππ(π) is same asππ(π) for allππβπ ππππππ.
Hence honest ππβs IC-commitment ππ(0) will be correctly reconstructed,
except with probability π π.
2. Consider a corruptedππ inπ πΆππ πΈ. Now a corruptedππ βππΎππ will
be able to produceπΌπΆπππ(π·, ππ,π«, ππ(π)) such that ππ(π)β=ππ(π), with
probability at most πβ² according to AICP-Correctness3. Thus except with probability π‘πβ² = π
π, corresponding to a corrupted ππ β π πΆππ πΈ,
the parties inπ ππππππ have produced correct points onππ(π₯).
Correctness 2: Here we consider the case, whenπ· is corrupted. Now there are two cases: (a)π·βsAWSS-committed secretπ belongs toπ½; (b)π·βs AWSS-committedsecretπ isπ π πΏπΏ. Whatever may be case, we show that except with probabilityπ, honestππΌ will either reconstructπ orπ π πΏπΏ.
1. We ο¬rst consider the case whenπ βπ½. This implies that theππ(0) values
π0(π₯). Moreover every honest ππ in π πΆππ πΈ is IC-committed to ππ(0).
We now show that in AWSS-Rec-Private, IC-commitment of all honest parties inπ πΆππ πΈ will be reconstructed correctly byππΌ with
probabil-ity at least (1βπ). So let ππ be an honest party in π πΆππ πΈ. Now
from AICP-Correctness3, a corrupted ππ β ππΎππ can not produce
πΌπΆπππ(ππ, ππ,π«, ππ(π)) such that ππ(π) β= ππ(π) except with probability
πβ². Hence for honest π
π in π πΆππ πΈ, ππ(π₯) and thus ππ(0) will be
re-constructed correctly, except with probability π‘πβ². As there are at least π‘+ 1 honest parties in π πΆππ πΈ, the probability that the above event happens for all honest parties in π πΆππ πΈ is at most π‘(π‘+ 1)πβ² βπ. So
IC-commitment of all honest parties in π πΆππ πΈ will be reconstructed correctly byππΌ with probability at least (1βπ).
However, for a corrupted ππ in π πΆππ πΈ, ππβs IC-commitment can be
revealed to any valueππ(0). This is because a corrupted ππ βππΎππ can
produce a valid signature of ππ on anyππ(π) as well as a valid signature
of π· (who is corrupted as well) on ππ(π) = ππ(π). Also the adversary
can delay the messages such that the values of corrupted ππ β ππΎππ
are revealed to ππΌ before the values of honest parties in ππΎππ. Now
if reconstructed ππ(0) = ππ(0) for all corrupted ππ β π πΆππ πΈ, then π
will be reconstructed by ππΌ. Otherwise, π π πΏπΏ will be reconstructed.
However, since for all the honest parties of π πΆππ πΈ, IC-commitment
will be reconstructed correctly with probability at least (1βπ) (who in turn deο¬neπ0(π₯)), no other secret (other thanπ ) can be reconstructed by
ππΌ.
2. We next consider the second case when π·βs AWSS-committed secret is π π πΏπΏ. This implies that the points (π, ππ(0)) corresponding to honest
ππβs inπ πΆππ πΈ do not deο¬ne a unique degree-π‘polynomial. It is easy to
see that in this case, irrespective of the behavior of the corrupted parties π π πΏπΏwill be reconstructed. This is because the pointsππ(0)
correspond-ing to all honestππβπ πΆππ πΈwill be reconstructed correctly except with
probabilityπ(following the argument given in previous case).
β‘
Lemma 9 (AWSS-Communication-Complexity). ProtocolAWSS-Share in-curs a private communication of πͺ(π3(log1
π)2) bits and A-cast of πͺ(π2logπ)
bits. ProtocolAWSS-Rec-Privateprivately communicates πͺ(π3(log1
π)2)bits.
Proof: In AWSS-Share, there areπͺ(π2) instances of Gen andVer (of MVMS-AICP), each dealing with one value (substitutingβ= 1) and executed with an error parameter ofπβ² = π
π2. From Theorem 5, this requires a private commu-nication ofπͺ(π3(logπ2
π )2) =πͺ(π3(logπ1)2) bits, asπ= poly(log1π). Moreover,
there areA-cast of πͺ(π2) OKsignals. In addition, there is A-castof π πΆππ πΈ
AWSS-Shareincurs a private communication ofπͺ(π3(log1
π)2) bits andA-castof
πͺ(π2logπ) bits.
In AWSS-Rec-Private, there are πͺ(π2) instances of Reveal-Private of our MVMS-AICP, each dealing with β= 1 value. This requires a private communi-cation ofπͺ(π3(log1
π)2) bits. β‘
Theorem 3. ProtocolAWSSconsisting of (AWSS-Share,AWSS-Rec-Private) con-stitutes a valid statistical AWSS scheme with π = 3π‘+ 1 parties with private reconstruction.
Proof: The proof follows from Lemma 6, Lemma 7 and Lemma 8. β‘
Notation 3 (Notation for Using AWSS-Share,AWSS-Rec-Private). In our AVSS scheme (that shares a single secret), we will invokeAWSS-Shareas AWSS-Share(π·,π«, π(π₯), π) to mean thatπ·commits toπ(π₯)inAWSS-Share. Essentially here π· is asked to choose a symmetric bivariate polynomial πΉ(π₯, π¦) of
degree-π‘ in π₯ and π¦, where πΉ(π₯,0) = π(π₯) holds. π· then tries to give πΉ(π₯, π) and henceπΉ(0, π) =π(π)to partyππ. Similarly,AWSS-Rec-Privatewill be invoked as
AWSS-Rec-Private(π·,π«, π(π₯), ππΌ, π) forππΌ-weak-private-reconstruction ofπ(π₯).
4. Statistical AWSS Scheme for Sharing Multiple Secrets
In this section, we extend protocol AWSS-Share and AWSS-Rec-Private to
AWSS-MS-ShareandAWSS-MS-Rec-Privaterespectively10. Now our new AWSS
scheme calledAWSS-MS consists of (AWSS-MS-Share, AWSS-MS-Rec-Private). Protocol AWSS-MS-Share allows π· β π« to concurrently share a secret π = (π 1. . . π β), containing β elements. On the other hand, protocol AWSS-MS-Rec-Privateallows a speciο¬c partyππΌβ π« to reconstruct eitherπ orπ π πΏπΏ.
Notice that we could have executed protocol AWSS-Shareβ times parallely, each sharing individual elements ofπ. However, from Lemma 9 this would in-cur a private communication ofπͺ(βπ3(log1
π)2) bits and A-castof πͺ(βπ2logπ)
bits. On the other hand,AWSS-MS-Shareshares all elements ofπ concurrently, requiring a private communication ofπͺ((βπ2+π3log1
π) log1π) bits and A-cast
of A-castof πͺ(π2logπ) bits. Thus for suο¬ciently large β, the communication
complexity of AWSS-MS-Share is less than what would have been required by βparallel executions of AWSS-Share. Similarly, protocol AWSS-MS-Rec-Private
reconstructs all theβsecrets simultaneously, incurring a private communication ofπͺ((βπ2+π3log1
π) log1π) bits.
The Intuition: The high level idea of protocol AWSS-MS-Share is similar to
AWSS-Share. For eachπ π, π= 1, . . . , β, the dealerπ·selects a random symmetric
bivariate polynomial πΉπ(π₯, π¦) of degree-π‘ in π₯and π¦, where πΉπ(0,0) =π π and
gives his IC signature on ππ
π(1), . . . , πππ(π) to party ππ, for π = 1, . . . , π. For
