Round Efficient Unconditionally Secure Multiparty Computation Protocol

Round Efficient Unconditionally Secure Multiparty

Computation Protocol

Arpita Patra ∗ _{Ashish Choudhary} † _{C. Pandu Rangan} ‡

Department of Computer Science and Engineering Indian Institute of Technology Madras

Chennai India 600036

Email:{ arpita,ashishc }@cse.iitm.ernet.in, [email protected]

Abstract

In this paper, we propose a round efficient unconditionally secure multiparty computation

(UMPC) protocol in information theoretic model with n > 2t players, in the absence of any physical broadcast channel, which communicates O(n4_{) field elements per multiplication and} requires O(nlog(n) +D) rounds, even if up to t players are under the control of an active adversary havingunbounded computing power. In the absence of a physical broadcast channel and with n > 2t players, the best known UMPC protocol with minimum number of rounds, requires O(n2_{D) rounds and communicates O(n}6_{) field elements per multiplication, where D} denotes the multiplicative depth of the circuit representing the function to be computed securely. On the other hand, the best known UMPC protocol with minimum communication complexity requires communication overhead of O(n2_{) field elements per multiplication, but has a round} complexity ofO(n3_{+D) rounds. Hence our UMPC protocol is the most round efficient protocol} so far and ranks second according to communication complexity. To design our protocol, we use certain new techniques which are of independent interest.

Keywords: Multiparty Computation, Information Theoretic Security, Error Probability.

1

Introduction

Secure Multiparty Computation (MPC):Secure multiparty computation (MPC) allows a set of n players to securely compute an agreed function, even if up tot players are under the control of a centralized adversary. More specifically, assume that the desired functionality can be specified by a function f : ({0,1}∗₎n _{→ ({0,1}}∗₎n _{and player P}

i has input xi ∈ {0,1}∗. At the end of the

computation of f, Pi gets yi ∈ {0,1}∗, where (y1, . . . , yn) = f(x1, . . . , xn). The function f has

to be computed securely using a protocol where at the end of the protocol all players (honest) receive correct outputs and the messages seen by the adversary during the protocol contain no

additionalinformation about the inputs and outputs of the honest players, other than what can be

computed from the inputs and outputs of the corrupted players. In theinformation theoretic model, the adversary whoactivelycontrols at most t players, is adaptive, rushing [11] and has unbounded

computing power. The function to be computed is represented as an arithmetic circuit over a finite

fieldFconsisting of five type of gates, namely addition, multiplication, random, input and output. A MPC protocol securely evaluates the circuit gate-by-gate [5, 22, 2, 22, 17, 19, 4].

The MPC problem was first defined and solved by Yao [23] in his seminal work in two-party sce-nario. The first generic solutions presented in [16, 9, 14] were based on cryptographic intractibility assumtions. Later, the research on MPC in information theoretic model was initiated by Ben-Or

∗_{Financial Support from Microsoft Research India Acknowledged} †_{Financial Support from Infosys Technology India Acknowledged}

‡_{Work Supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for Secure Communication and}

et. al. [5] and Chaum et. al. [8] in two different independent work and carried forward by the works of [22, 2]. Information theoretic security can be achieved by MPC protocols in two flavors –(a) Perfect: The outcome of the protocol is perfect in the sense that no probability of error is involved in the computation of the function (b) Unconditional: The outcome of the protocol is correct except with negligible error probability. While Perfect MPC can be achieved iff t < n/3 [5], unconditional MPC (UMPC) requires only honest majority i.e t < n/2 [22]. In the recent years, lot of research concentrated on designing communication efficient protocols for both perfect and unconditional MPC. Perfect MPC protocols with optimal resilience i.et < n/3 are presented in [17, 19, 4]. UMPC protocols with non-optimal resilience i.e t < n/3 are presented in [18, 12]. Finally, UMPC protocols with optimal resilience i.et < n/2 are presented in [11, 3].

Broadcast: Broadcast is a very important primitive and is heavily used in all MPC and UMPC protocols. Broadcast allows a sender to distribute a value x, such that all the players identically receive the same value x (even if the sender is faulty). If a physical broadcast channel is available in the network, then achieving broadcast is very trivial. In such a case, broadcasting`bits requires single round and exactly ` bits of communication. But if the broadcast channel is not physically available in the network, then broadcasting an ` bit(s) message can be simulated by executing some protocol. In particular, for perfectly (without any error probability) broadcasting` bits, the protocol presented in [6, 7] communicates Ω(n2<sub>`) bits and requires Ω(n) rounds witht < n/3. For</sub> unconditionally (with negligible error probability) broadcasting ` bits, the protocol presented in [21] communicates Ω(n2<sub>`+n</sub>6<sub>κ) bits and requires Ω(n) rounds with t < n/2 on the availability</sub> of information theoretic PKI setup (information theoretic pseudo-signature), whereκ is the error parameter. Recently Fitzi et. al. [13] have proposed multi-valued broadcast where broadcast of`

bits requires communication of O(`n+nB(n+κ)) bits, provided there exists a broadcast proto-col which communicates B(b) bits for broadcasting a b bit message where b < `. Thus using the broadcast protocol of [21] as black-box, broadcast protocol of [13] communicates O(n`+n7<sub>κ) for</sub> broadcasting an`bit message and requires Ω(n) rounds of communication, wheret < n₂.

Our Motivation: Two important parameters of multiparty computation protocols are

communi-cation complexityandround complexity. These have been the subject of intense study over the past

two decades. Establishing bounds on communication and round complexity of secure multiparty computation protocols are of fundamental theoretical interest. Moreover, reducing the communi-cation and round complexity of multiparty computation protocols is crucial, if we ever hope to use these protocols in practice. But looking at the most recent advancements in the arena of MPC, we find that round complexity of MPC protocols has been increased to an unacceptable level in order to reduce communication complexity. For example, the perfect MPC protocol of [4] celebrated for its best known communication complexity, requires round complexity of O(n2 _{+D) where D} denotes the multiplicative depth of the circuit. On the other hand, the perfect MPC protocols achieving best known round complexities such asO(nD) [5] and O(n+D) [1] are far from being truly communication efficient. In the sequel, we present a table which gives an overview of the communication complexities and round complexities of perfect and unconditional MPC protocols. The complexity figures are provided assuming that physical broadcastchannel is not available and hence broadcast is simulated by some protocol (as mentioned earlier). The communication com-plexities are given in terms of bits where κ represents the bit length of a field element in the case of perfect MPC and error parameter in the case of unconditional MPC. For simplicity, we assume that the computed function takes n inputs (one from each player) and gives n outputs. c_M and

D denote the number of multiplication gates and multiplicative depth of the circuit, respectively.

Reference Type? Resilience Brodcast Protocol Communication Complexity Round Complexity [11] Unconditional t < n/2 [13] O((cMn6+n7)κ) O(n2D)

[17] Perfect t < n/3 [6, 7] O((cMn3+n4)κ) O(n2+D)

[3] Unconditional t < n/2 [13] O((cMn2+n7)κ) O(n3+D)

[12] Unconditional t < n/3 [6, 7] O((cMn+Dn2+n4)κ) O(n2+D)

[4] Perfect t < n/3 [6, 7] O((cMn+Dn2+n3)κ) O(n2+D)

not to sacrifice one parameter for the other. So it is very essential to design protocol which balances both the parameters appropriately. Motivated by this, in this work we design an UMPC protocol which achieves efficiency in both the parameters simultaneously.

Our Network Model: We denote the set of n= 2t+ 1 players (parties) involved in the secure computation by P ={P1, P2, . . . , Pn} where player Pi possessesci input values. We assume that

all the nplayers are connected with each other by pairwise secure channels, as assumed in generic UMPC protocols [3, 11, 22]. Moreover, the system is synchronous and the protocols proceed in rounds, where in each round a player performs some computations, sends (broadcasts) values to its neighbors (everybody), receives values from neighbors and may again perform some more compu-tation, in that order. The function to be computed is specified as an arithmetic circuit over a finite field F with input, addition, multiplication, random and output gates. We denote the number of gates of each type bycI,cA,cM,cR and cO, respectively. Note that cI=

P_n

i=1ci.

We model the distrust in the system by a centralized adversary A_t, who has unbounded

com-putingpower and can actively control at mosttplayers during the protocol execution, wheret < n₂.

To actively control a player means to take full control over it and making it behave arbitrarily. The adversary isadaptive[11] and hence can corrupt players dynamically during the protocol exe-cution. Moreover, the choice of the adversary to corrupt a player may depend upon the data seen so far from the corrupted players. Moreover, the adversary is a rushing adversary [15], who in a particular round, first collects all the messages addressed to the corrupted players and exploits this information to decide on what the corrupted players send during the same round. If a player comes under the control of At, then it remains so throughout the protocol. A player which is not under

the control ofA_t is calledhonest oruncorrupted. We define two setsC and P0 _{where at any point} of time C denotes the set of corrupted players identified so far and P0 =P \ C. Initially, P0 =P

andC =∅. As the protocol proceeds, some players will be detected as corrupted and will be added toC and removed fromP0_{. We denote the number of players in P}0 _byn0 _{which is initially equal to}

n. The number of players which can be still corrupted fromP0 is denoted by t0 where t0=t− |C|. Note thatn0 _{will always maintain the following: n}0 _{≥t+ 1 +t}0 _≥2t0_{+ 1 sincet≥t}0_{. Also at any} point of time P =P0_{∪ C.}

Our protocol provides unconditional security i.e. information theoretic security with a negligible error probability of 2−O(κ) _{for some security parameterκ. To achieve this error probability, all our} computation are done over a finite field F=GF(2κ_{). Thus each field element can be represented}

by κ bits. Notice that, we also assume that n is polynomial in κ. For the ease of exposition, we always assume that the messages sent through the channels are from the specified domain. Thus if a player receives a message which is not from the specified domain (or no message at all), he replaces it with some pre-defined default message from the specified domain.

Our Contribution:In this paper, we propose a new UMPC protocol which communicatesO(n4) field elements per multiplication and requiresO(nlog(n) +D) rounds over a point-to-point network (in the absence of physical broadcast channel) withn= 2t+1 players. This result is to be compared with the UMPC protocol of [11] which provides so far best known round complexity of O(n2D) (and communicatesO(n6_{) field elements per multiplication) and with UMPC protocol of [3] which} achieves the best known communication complexity ofO(n2_{) field elements per multiplication (but} consumes O(n3+D) rounds). Hence our protocol is the most round efficient protocol so far and ranks second according to communication complexity. We introduce a new technique calledRapid

Player Elimination(RPE) which is used in the preprocessing stage of our proposed UMPC protocol.

2

Unconditionally Secure MPC Protocol with

n

= 2

t

+ 1

In this section, we present an UMPC protocol with n = 2t+ 1. Prior to that we present a number of sub-protocols each solving a specific task. Some of the sub-protocols are based on few existing techniques while some are proposed by us for the first time. We describe all our sub-protocols in the following settings: P0 _{denotes the set of players involved in the execution of the} sub-protocols where|P0|=n0, the number of corrupted players present inP0 ist0andn0 =t+ 1 +t0. During the execution of the sub-protocols, some more corrupted players may be detected as faulty and wil be removed from P0_{. Accordingly n}0 _{and t}0 _{will change (without affecting the equality}

n0 =t+ 1 +t0). Thus it is clear that at any stageP0 will always contain all thet+ 1 honest players. For simplicity, we assume that P0 _{always contains the first n}0 _{players (P}

1, . . . , Pn0) from the set

P. For convenience, we provide analysis of the communication and round complexities of our sub-protocols and sub-protocols assuming that physical broadcast channel is available in the system. At the end we give the complete communication and round complexity figure for our general multiparty computation protocol, assuming that the broadcast has to be simulated by protocol of [13]. Notice that a physical broadcast channel enables all the players fromP to receive the broadcasted message. Since our sub-protocols are executed among the players in P0 _andP0 _{⊆ P, a broadcast step in our} sub-protocol should allow only the players ofP0_{to get the broadcasted information. But notice that} all the broadcast steps will be finally replaced by protocols (say from [13]) where only players from

P0 _{are allowed to participate. Thus without loss of generality, we may interpret all the broadcasts}

steps in our sub-protocols as the broadcast to the restricted set P0_.

2.1 Information Checking

Information Checking (IC) and IC Signatures [11, 22]: IC is an information theoretically secure method for authenticating data and is used to generate IC signatures. When a player

IN T ∈ P0 receives an IC signature from a dealer D∈ P0 on some secret value(s)S, thenIN T can later produce the signature and have the players inP0 _{verify that it is in fact a valid signature of} D on S. An IC scheme consists of a sequence of three protocols:

1. Distr(D, IN T,P0_{, S) is initiated by the dealer D, who hands secret S = [s}(1) _{. . . s}(`)<sub>]∈ F</sub>`_,

where `≥ 1 to intermediaryIN T. In addition, D hands someauthentication information to

IN T and verification informationto individual players in P0, also called as receivers.

2. AuthVal(D, IN T,P0_{, S) is initiated by IN T to ensure that in protocol RevealVal, secret S} held byIN T will be accepted by all the (honest) players (receivers) inP0_.

3. RevealVal(D, IN T,P0, S)is carried out byIN T and the receivers inP0, whereIN T produces

S, along withauthentication information and the individual receivers inP0 _produce verifica-tion informaverifica-tion. Depending upon the values produced byIN T and the receivers, either S is accepted or rejected by all the players/receivers.

The authentication information, along with S, which is held by IN T at the end of AuthVal is called D’s IC signature on S, obtained by IN T. The IC signature must satisfy the following properties:

1. IfD and IN T are uncorrupted, thenS will be accepted in RevealVal.

2. IfIN T is uncorrupted, then at the end ofAuthVal,IN T possesses secret(s), sayS0_{, which will} be accepted in RevealVal, except with probability at most 2−O(κ)_.

3. IfD is uncorrupted, then duringRevealVal, with probability at least 1−2−O(κ)_{, everyS}0 _6=S produced by a corruptedIN T will be rejected.

4. If D and IN T are uncorrupted, then at the end of AuthVal, S is information theoretically secure from A_t.

The protocol allowsD to sign on a single field elements∈F(i.e. `= 1; S =s). In the protocol, Distrtakes single round (Round 1),AuthValtakes threes rounds (Round 2, 3andRound 4), while RevealVal takes two rounds (Round 1 and Round 2). The protocol is given in Table 1. Before describing the protocol, we recall the following definition from [11].

Definition 1 (1α-consistent [11]) A vector (x, y, z)∈F3 is 1α-consistent if there exists a degree

one polynomialw over Fsuch that w(0) =x, w(1) =y and w(α) =z.

Lemma 1 Protocol IC correctly generates IC signatures on a single secret (i.e. ` = 1) by

com-municating O(nκ) bits and broadcasting O(nκ) bits. The protocol satisfies all the properties of IC

signature with an error probability of at most2−O(κ)_.

Proof: The proof is similar to the proof of the properties of generalized IC protocol of [11] (see

Lemma 1, Page 318-319). 2

Protocol IC(D,IN T,P0_{, s)}

Distr(D, IN T,P0_{, s) Round 1: Corresponding to each receiver P}

i ∈ P0, D chooses a random value αi ∈ F−

{0,1} and additional random values yi, zi ∈ F, such that the three tuple (s, yi, zi) is 1αi-consistent. In addition,

corresponding to eachPi∈ P0,Dchooses another random 1α_i-consistent vector (s0i, yi0, z0i). Dsendss, yi, s0iandy0ito

IN Tandαi, zi, z0ito the receiverPi. Then0tuple [y1y2 . . . yn0] held byIN Tis calledauthentication information.

The two n0 _{tuples [y}0

1 y02 . . . y0n0] and [s01 s02 . . . , s0n0] held byIN T are called asauxiliary information, where as

the tuple (αi, zi) held by receiverPiis called verification information.

AuthVal(D, IN T,P0_{, s): Round 2: IN T randomly selectsn}0 _{random elementsd}

i,1≤i≤n0 from F− {0}and

broadcasts the tuples (di, s0i+dis, y0i+diyi).

Round 3: In response to IN T’s broadcast inRound 2,D checks the correctness of the broadcasted information and also checks whether (s0

i+dis, y0i+diyi, zi0+dizi) is 1αi-consistent for 1≤i≤n

0_{. Dbroadcastss, along with the}

n0_{tuple [y}

1y2 . . . yn0] if he finds any inconsistency. EachPi∈ P0accordingly adjusts hisverification information

(αi, zi), such that (s, yi, zi) is 1α_i-consistent and the protocolendshere.

Parallely, Pi ∈ P0 checks if (s0i+dis, y0i+diyi, z0i+dizi) is 1αi-consistent and broadcasts ”Accept” or ”Reject”,

depending upon whether (s0

i+dis, yi0+diyi, z0i+dizi) is 1αi-consistent or not.

Now the valuesand then0 _{tuple [y}

1 y2 . . . yn0] possessed byIN T is called theIC-Signatureons given byDto

IN T, which is denoted byICSigs(D, IN T).

Round 4: IfDhas not broadcasteds, along with the tuple [y1y2 . . . yn0] in the previous round, thenDbroadcasts

(αi, zi) corresponding to all receiversPi∈ P0, whose response was “Reject” in the previous round. AccordinglyIN T

will adjust hisyi so that (s, yi, zi) becomes 1αi-consistent.

RevealVal(D, IN T,P0_{, s): Round 1: IN T broadcastssand [y}

1 y2 . . . yn0];Round 2: EachPi ∈ P0 broadcasts

(αi, zi). If there exists at least t+ 1 distinct j’s such that (s, yj, zj) is 1αj-consistent then D’s signature on s is

”valid”. Otherwise the signature is ”invalid”.

Table 1: An IC Protocol to Sign on a Single Field Element

We now present an IC protocol, called EfficientIC, which allows D to sign on an ` length secret S ∈ F` _{simultaneously, with ` ≥ 1, by communicating O((`+n)κ) bits and broadcasting}

O((`+n)κ) bits, where n0 <sub>=t+ 1 +t</sub>0<sub>. Let S = (s</sub>(1)<sub>, . . . , s</sub>(`)_{) ∈F}`_{. The idea of this protocol is}

taken from [20]. The protocolEfficientIC is given in Table 2.

Lemma 2 Protocol EfficientIC correctly generates IC signature on ` field elements (each of size

κ bits) at once by communicating O((`+n)κ) bits and broadcastingO((`+n)κ) bits. The protocol

satisfies the properties of IC signature with an error probability of at most 2−O(κ)_.

Proof: The proof is similar to the proof of the IC protocol given in [20] and hence is omitted. 2

Linearity of Protocol IC and EfficientIC: ProtocolICandEfficientICsatisfies thelinearity

property as specified by the following lemmas:

Lemma 3 (Linearity of Protocol IC [11]) Let ICSigs1(D, IN T) and ICSigs2(D, IN T)

Moreover, let D uses the same set of α1, α2, . . . , αn0 to give his IC signature on s₁ and s₂. Let

r1, r2 be two random public constants fromF. Then IN T can generate ICSig(r1s1+r2s2)(D, IN T)

from ICSig_s1(D, IN T) and ICSig_s2(D, IN T) without any further communication. Similarly, the

receivers in P0 _{can obtain the verification information corresponding to ICSig}

(r1s1+r2s2)(D, IN T)

from the verification information corresponding to ICSigs1(D, IN T) and ICSigs2(D, IN T)

with-out doing any communication.

Extending the above lemma for an arbitrary length secret, we can state the following lemma:

Lemma 4 (Linearity of Protocol EfficientIC) The IC signature generated byEfficientIC

sat-isfieslinearityproperty. In particular,IN T can computeICSig_((r1s(1,1)_+r2s(2,1)_),...,(r1s(1,`)<sub>+r2s</sub>(2,`)₎₎(D, IN T)

fromICSig_(s(1,1)_,s(1,2)_...,s(1,`)<sub>)</sub>(D, IN T)andICSig<sub>(s</sub>(2,1)<sub>,s</sub>(2,2)<sub>...,s</sub>(2,`)₎(D, IN T)and receivers can

com-pute verification information corresponding to ICSig_((r1s(1,1)_+r2s(2,1)_),...,(r1s(1,`)<sub>+r2s</sub>(2,`)₎₎(D, IN T).

EfficientIC(D, IN T,P0<sub>, `, s</sub>(1)<sub>, . . . , s</sub>(`)₎

EfficientDistr(D, IN T,P0<sub>, `, s</sub>(1)<sub>, . . . , s</sub>(`)_{): Round 1: D selects a random `+t}0 _{−1 degree polynomial F(x)}

over F, whose lower order `coefficients are s(1)<sub>, . . . , s</sub>(`)_{. In addition, D selects another random `+t}0_{−1 degree}

polynomialR(x), over F, which is independent ofF(x). D selectsn0 _{distinct random elementsα}

1, α2, . . . , αn0 from

F such that each αi ∈ F− {0,1, . . . , n0−1}. D privately gives F(x) and R(x) to IN T. To receiver Pi ∈ P0, D

privately gives αi, vi and ri, where vi =F(αi) and ri = R(αi). The polynomial R(x) is called authentication information, while for 1≤i≤n0_{, the valuesα}

i, vi andriare calledverification information.

EfficientAuthVal(D, IN T,P0<sub>, `, s</sub>(1)<sub>, . . . , s</sub>(`)_{): Round 2: IN T chooses a random d ∈ F\ {0} and broadcasts}

d, B(x) =dF(x) +R(x).

Round 3:For 1≤j≤n0_,Dchecksdv

j+rj=? B(αj). IfDfinds any inconsistency, he broadcastsF(x). Parallely,

receiverPibroadcasts ”Accept” or ”Reject”, depending upon whetherdvi+ri=B(αi) or not.

Local Computation (by each player):if F(x) is broadcasted inRound 3then accept the lower order` coeffi-cients ofF(x) asD’s secret and terminate. else construct ann0 _{length bit vectorV}Sh_{, where thej}th_,1≤j≤n0

bit is 1(0), if Pj ∈ P0 has broadcasted ”Accept” (”Reject”) duringRound 3. The vector VSh is public, as it is

constructed using broadcasted information. IfVSh_{does not containn}0_−t0 _{1’s, thenDfails to give any signature to}

IN T and IC protocol terminates here.

If F(x) is not broadcasted during Round 3, then (F(x), R(x)) is called D’s IC signature on S = (s(1)_{, . . . , s}(`)₎

given toIN T, which is denoted byICSig_(s(1)_,...,s(`)₎(D, IN T).

EfficientRevealVal(D, IN T,P0<sub>, `, s</sub>(1)<sub>, . . . , s</sub>(`)_{): (a) Round 1: IN T broadcasts F(x), R(x); (b) Round 2: P} i

broadcastsαi, viandri.

Local Computation (by each player): For the polynomial F(x) broadcasted by IN T, construct an n0 _length

vector VRec

F(x) whose jth bit contains 1 if vj = F(αj), else 0. Similarly, construct the vector VRRec(x) corresponding

to R(x). Finally compute VRec

F R = VFRec(x)⊗VRRec(x), where ⊗ denotes bit wise AND. Since broadcasted information

is public, each player (honest) will compute the same vectors VRec

F(x) and VRRec(x) and henceVF RRec. IfVF RRecand VSh

matches at least at t+ 1 locations (irrespective of bit value at these locations), then accept the lower order `

coefficients of F(x) asS = (s(1)_{, . . . , s}(`)_{). In this case, we say thatD’s signature on S is correct. Else reject F(x)}

broadcasted byIN T and we say thatIN T has failed to produceD’s signature.

Table 2: An IC Protocol to Sign `Length Secret wheren0 =t+ 1 +t0

2.2 Unconditional Verifiable Secret Sharing and Reconstruction

Definition 2 t0_{-1D-Sharing: We say that a value s is correctly t}0_{-1D-shared among the players}

in P0 _{if every honest player P}

i ∈ P0 is holding a share si of s, such that there exists a degree t0

polynomialf(x) over F with f(0) =s and f(j) =s_j for everyP_j ∈ P0_{. The vector(s}

1, s2, . . . , sn0)

of shares is called a t0_{-sharing of sand is denoted by [s]}

t0. We may skip the subscript t0 when it is

clear from the context. A set of shares (possibly incomplete) is called t0_{-consistent if these shares}

Definition 3 t0_{-2D-sharing:[3] We say that a valuesis correctlyt}0_{-2D-shared among the players}

in P0 _{if there exists t}0 _{degree polynomials f, f}1_{, f}2_{. . . , f}n0

with f(0) = s and for i = 1, . . . , n0_,

fi_{(0) = f(i). Moreover, every player P}

i ∈ P0 holds a share si = f(i) of s, the polynomial fi(x)

for sharing si and a share-share sji = fj(i) of the share sj of every player Pj ∈ P0. We denote

t0_{-2D-sharing of sas [[s]]}

t0.

Definition 4 t0-2D(+)-sharing: We say that a value s is correctly t0-2D(+)-shared among the players inP0_{if there existst}0_{degree polynomialsf, f}1_{, f}2_{. . . , f}n0

withf(0) =sand fori= 1, . . . , n0_,

fi_{(0) =f(i). Moreover, every playerP}

i∈ P0 holds a share si=f(i) of s, the polynomial fi(x) for sharing si and Pj’s IC Signature on share-share sji =fj(i) of Pj’s share sj, i.e. ICSigsji(Pj, Pi)

for every player Pj ∈ P0. We denote the t0-2D(+)-sharing of s as hhsiit0. Note that in [3], the

authors called this sharing as 2D∗_-sharing.

Definition 5 t0_-2D(+,`)<sub>-sharing: We say that a set of valuess</sub>(1)<sub>, . . . , s</sub>(`) _{are correctlyt}0_-2D(+,`)

-shared among the players in P0 _{if every secrets}(l) _{is individuallyt}0_-2D(+)_{-shared. But now instead}

of P_i holding separate IC-signatures for each of the share-shares s_ji(l) for l = 1. . . , ` from P_j (i.e. ICSig_s(l)

ji

(Pj, Pi) for l = 1. . . , `), a single IC-signature on sji(1), . . . , s(ji`) is given by Pj to Pi (i.e.

ICSig

(s(1)ji,...,s (`) ji)

(P_j, P_i)). We denote the t0_-2D(+,`)<sub>-sharing of ` values as hhs</sub>1_{, . . . , s}`_ii t0.

If a secrets ist0_-1D-shared/t0_-2D-shared/t0_-2D(+)_{-shared by a dealer D∈ P}0 _{(any player fromP}0 may perform the role of a dealer ), then we denote the sharing by [s]D

t0/[[s]]D_t0/hhsiiD_t0. Similarly

if a set of `secretss(1)<sub>, . . . , s</sub>(`) _aret0_-2D(+,`)<sub>-shared by player D, we denote it by hhs</sub>1<sub>, . . . , s</sub>`_iiD

t0.

Notice that when a secret s is t0_-2D(+)_{-shared, then s is also t}0_{-1D-Shared and t}0_{-2D-shared by} default. Hence t0_-2D(+)_{-sharing is the strongest sharings among t}0_{-1D-sharing, t}0_{-2D-sharing and}

t0_-2D(+)_{-sharing. In some sense,t}0_-2D(+,`)<sub>-sharing is the extension oft</sub>0<sub>-2D</sub>(+)<sub>-sharing for`secrets.</sub> If a dealer D∈ P0 _{is honest, then he will always correctly t}0_-1D-share/t0_-2D-share/t0_-2D(+)_-share a secret s. Among these three types of sharings, t0_-2D(+)_{-sharing of a secret s allows efficient} reconstruction of the secret with n0 _{players. However, a corrupted D may perform sharing in an} incorrect way. To achieve parallelism, in the sequel, we describe a protocol called 2D(+,`)<sub>Share</sub> which allows a dealer D∈ P0 <sub>to verifiably t</sub>0<sub>-2D</sub>(+,`)<sub>-share ` ≥ 1 length secret [s</sub>(1)<sub>, s</sub>(2)<sub>, . . . , s</sub>(`)_]. Verifiablyt0_-2D(+,`)<sub>-sharing ensures correctt</sub>0<sub>-2D</sub>(+,`)_{-sharing even for a corruptedD. The protocol} 2D(+,`)<sub>Share is given in Table 3. The goal of the protocol is as follows: (a) If D is honest then</sub> he correctly generates t0<sub>-2D</sub>(+,`)_{-sharing of the secret [s}(1)_{, s}(2)_{, . . . , s}(`)_{], such that all the honest} players publicly verify that D has correctly generated the sharing. Also when D is honest, then the secret will be information theoretically secure from the adversaryAt. (b) IfDis corrupted and

has not generated correctt0_-2D(+,`)_{-sharing, then with very high probability, everybody will detect} it and protocol will terminate. The idea of the protocol is taken from [11], but instead of using the IC protocol of [11], we employ theEfficientIC protocol proposed in this paper, which provides us with higher efficiency.

Lemma 5 In protocol 2D(+,`)<sub>Share, D generates correct t</sub>0<sub>-2D</sub>(+,`)_{-sharing of ` field elements}

(each of size κ bits), with overwhelming probability. 2D(+,`)_{Share is a ten round protocol which}

communicatesO((`n2+n3)κ) bits and broadcasts O((`n2+n3)κ) bits.

Proof (Sketch): For every l ∈ {1, . . . , `}, secret s(l) _{is t}0_{-1D-shared by t}0 _{degree polynomial}

g(₀l)(y) i.eg₀(l)(0) =s(l)_{. Alsot}0 _{degree polynomialsf}(l)

1 (x), . . . , f (l)

n0 (x) are such thatg₀(l)(i) =f_i(l)(0)

for i = 1, . . . , n0_{. Hence, every secret s}(l) _{is t}0_{-2D-shared by t}0 _{degree polynomials g}(l)

0 (y) and

f₁(l)(x), . . . , f_n(l0)(x). Hence playerPi (implicitly) holdsithshare ofg0(l)(y) and polynomialfi(l)(x) for

alll∈ {1, . . . , `}. In addition to that, player Pi possesses correctICSig_(f(1) j (i),f

(2) j (i),...,f

(`) j (i))

(Pj, Pi)

for every player Pj ∈ P0, with very high probability (from the properties of our EfficientIC

very probability. Round complexity of 2D(+,`)<sub>Share is easy to verify. Since in sum at most 4(n</sub>0<sub>)</sub>2 instances ofEfficientDistrandEfficientAuthValof ProtocolEfficientICare executed, Protocol 2D(+,`)_{Share communicates and broadcastsO((`n}2_+n3_{)κ) bits. 2}

Remark: When an`length secret [s(1)<sub>, . . . , s</sub>(`)_{] ist}0_-2D(+,`)_{-shared, then implicitly the individual} secrets aret0_{-1D-shared by polynomialsg}(1)

0 (y), . . . , g(0`)(y). Also note that given hha(1), . . . , a(`)iit0

and hhb(1)_{, . . . , b}(`)_ii

t0, the players inP0 can computehhc(1), . . . , c(`)ii<sub>t</sub>0 where forl= 1, . . . , `,c(l)=

F(a(l)_{, b}(l)_{) and F denotes any linear combination. This is due to the linearity property of our} EfficientIC protocol presented in subsection 2.1.

hhs(1)_{, . . . , s}(`)_iiD

t0 = 2D(+,`)Share(D,P0, t0, `, s(1), . . . , s(`))

1. For every l = 1, . . . , `, D picks a random bivariate polynomial H(l)_{(x, y) of degree t}0 _{in both the variables,}

with H(l)_{(0,0) =s}(l)_{. Let f}(l)

i (x) = H(l)(x, i) and g (l)

i (y) = H(l)(i, y). NowD wants to hand over n0 values on

fi(l)(x) and g (l)

i (y) for l = 1, . . . , ` to Pi with his IC signature on them. For that Dexecutes EfficientDistr and EfficientAuthVal of EfficientIC(D, Pi,P0, `, f_i(1)(j), f_i(2)(j), . . . , f_i(`)(j)) for for all j ∈ {1, . . . , n0}. Similarly D

executesEfficientDistrandEfficientAuthValofEfficientIC(D, Pi,P0, `, g(1)i (j), g (2)

i (j), . . . , g (`) i (j)).

2. For l = 1, . . . , ` player Pi checks whether the two sets fi(l)(1), . . . , f

(l)

i (n0) and g (l)

i (1), . . . , g (l) i (n0)

are t0_{-consistent. If the values are not t}0_{-consistent, for some l ∈ {1, . . . , `} then P}

i along

with all players in P0 _{invoke EfficientRevealVal(D, P}

i,P0, `, fi(1)(j), f (2)

i (j), . . . , f (`)

i (j)) and EfficientRevealVal(D, Pi,P0, `, gi(1)(j), g

(2)

i (j), . . . , g (`)

i (j)) for all j ∈ {1, . . . , n0}. If the signatures

pro-duced byPiare valid and for somel∈ {1, . . . , `}either one of the two setsfi(l)(1), . . . , f (l) i (n

0_{) org}(l)

i (1), . . . , g (l) i (n

0₎

is nott0_{-consistent, then the protocol terminates here without generating the desired output.}

3. For every pair of playersPiandPjfromP0the following will be executed:

(a) Ideally for Pi and Pj the following should hold: fi(l)(j) = g (l)

j (i) and g (l) i (j) = f

(l)

j (i) for l = 1, . . . , `. Pi

as a dealer executesEfficientDistrand EfficientAuthValofEfficientIC(Pi, Pj,P0, `, fi(1)(j), . . . , f (`) i (j))

to give his IC signature on fi(1)(j), . . . , f (`)

i (j) to Pj. Upon receiving the signature, Pj checks whether

fi(l)(j) ?

= g(jl)(i) for l = 1, . . . , `. If there is an inconsistency then Pj along with all players in P0 invoke EfficientRevealVal(D, Pj,P0, `, gj(1)(i), g

(2)

j (i), . . . , g (`) j (i)).

(b) If Pj fails to produce valid signature in the previous step, then all the players from P0 ignore the

IC signatures received from Pj in previous step. Otherwise, if Pj is able to produce valid

signa-ture then gj(1)(i), g (2)

j (i), . . . , g (`)

j (i) become public. Using the public values Pi checks whether fi(l)(j) ?

=

g_j(l)(i) for l = 1, . . . , `. If he finds any inconsistency, then Pi along with all players in P0 invoke EfficientRevealVal(D, Pi,P0, `, fi(1)(j), f

(2)

i (j), . . . , f (`) i (j)).

(c) If Pi fails to produce valid signature in the previous step, then all the players from P0 ignore the IC

signa-tures received fromPi in step 3(a). Otherwise, if Pi is able to produce valid signature, then all the values

fi(1)(j), f (2)

i (j), . . . , f (`)

i (j) become public. Every player then verifies whetherf (l) i (j)

?

=gj(l)(i) forl= 1, . . . , `.

If f_i(l)(j)6= g_j(l)(i) for somel ∈ {1, . . . , `}then the protocol terminates here without generating the desired output.

Table 3: A Ten Round Protocol for Verifiablyt0_-2D(+,`)<sub>-share`Length Secret.</sub>

Conversion From a t0_-2D(+,`)<sub>-sharing to ` t</sub>0_-2D+_{-sharings: Givent}0_-2D(+,`)<sub>-sharing of `</sub> se-crets, we present a protocolConvert2D(+,`)<sub>to2D</sub>+<sub>which converts thet</sub>0<sub>-2D</sub>(+,`)<sub>-sharing of the`</sub> se-crets to` t0_-2D+<sub>-sharings of the individual`secrets. Thus givenhhs</sub>(1)<sub>, s</sub>(2)<sub>, . . . , s</sub>(`)_ii

t0,Convert2D(+,`)to2D+

produces hhs(l)iit0 forl = 1, . . . , `. Note that hhs(1), s(2), . . . , s(`)ii_t0 could have been generated

di-rectly by Protocol 2D(+,`)<sub>Shareor it could be linear combination of a number oft</sub>0<sub>-2D</sub>(+,`)_-sharings generated by different instances of Protocol 2D(+,`)_Share.

Lemma 6 Protocol Convert2D(+,`)to2D+ takes five rounds and communicates O((`n3 +n4)κ)

bits and broadcasts O((`n3_+n4_{)κ) bits.}

Reconstruction of a t0-2D+-shared secret: Let hhsiit0 be a t0-2D+-sharing, which is shared

using the polynomials H(x, y), fi(x), gi(y),1 ≤ i ≤ n0 among the players in P0. We may assume

hhsii_t0 as one of the ` outcomes of Protocol Convert2D(+,`)to2D+. We now present a protocol

(hhs(1)_ii

t0, . . . ,hhs(`)ii<sub>t</sub>0) = Convert2D(+,`)to2D+(P0, t0, `,hhs(1), s(2), . . . , s(`)ii_t0)

Letfi(l)(x),1≤i≤n0,1≤l≤`be the polynomials used for generatinghhs(1). . . , s(`)iit0. For every pair of players PiandPjfromP0, the following is done:

1. Player Pi as a dealer executes Distr and AuthVal of IC(Pi, Pj,P, fi(l)(j)) for all l ∈ {1, . . . , `} to give

ICSig_f(l)

i (j)(Pi, Pj) toPjfor alll∈ {1, . . . , `}. Sincehhs

(1)_{, . . . , s}(`)_ii

t0is generated using 2D(+,`)Share, it implies that

eitherPjalready holds a combined signature onfi(1)(j), . . . , f (`)

i (j) fromPi, i.e. ICSig_(f(1)

i (j),f

(2)

i (j),...,f

(`)

i (j))

(Pi, Pj)

or it may also happen that every player fromP0_{has ignoredP}

i’s signature. In the later case, players inP0will again

ignorePi’s signature. OtherwisePjcan now check ifPihas given signature on the same individual values.

2. Upon receiving the signatures on say ¯f_i(1)(j), . . . ,f¯_i(`)(j) (i.e ICSig_f¯(l)

i (j)

(Pi, Pj) for l = 1, . . . , `) , Pj checks

fi(l)(j) ?

= ¯fi(l)(i). If there is inconsistency for some l ∈ {1, . . . , `} then Pj along with all players in P0 invoke EfficientRevealVal(Pi, Pj,P0, `, fi(1)(j), f

(2)

i (j), . . . , f (`)

i (j))andRevealVal(Pi, Pj,P0,f¯i(l)(j))for alll∈ {1, . . . , `}.

3. In the previous step, ifPjis not able to produce the signature that he received fromPi, then all the players fromP0

ignore the IC signatures received fromPjduring step 1. Otherwise if the signatures are valid thenfi(1)(j), . . . , f (`) i (j)

and ¯f_i(1)(j), . . . ,f¯_i(`)(j) are public. All players inP0 _checkf(l) i (j)

?

= ¯f_i(l)(j) forl= 1, . . . , `. If the test fails for somel, then all the players inP0 _{ignore the values received fromP}

iduring first step. Otherwise the signature produced by

Pjwill be ignored by all the players inP0.

s =2D+_Recons(P0_{, t}0_,hhsii

t0)

For allPj∈ P0 such thatPj’s IC signatures are not ignored by the players inP0, playerPi sendsICSigfj(i)(Pj, Pi)

to every playerPkinP0. PlayerPk∈ P0checks the validity ofICSigfj(i)(Pj, Pi) with respect to his ownverification information. If the verification passes then Pk accepts ICSigfj(i)(Pj, Pi). Now if for all Pj ∈ P

0_{, P}

k accepts

ICSigfj(i)(Pj, Pi) (which he receives fromPi) then Pk checks whetherfj(i)s aret

0_{-consistent (ideallyf}

j(i) =gi(j)

for allPj∈ P0; sofj(i)s will lie ont0degree polynomialgi(y)). If yes thenPk addsPi to hisCORE set and let the

t0_{degree polynomial (on whichf}

j(i)s lie on) begi(y). PlayerPktakes all thegi(y) polynomials corresponding to the

players in hisCORE and interpolates the bivariate polynomialH(x, y) and finally sets the secrets=H(0,0). It is easy to check that all honest players fromP0_{recovers the same secrets.}

Lemma 7 Protocol 2D+Recons takes one round and privately communicatesO(n3κ) bits.

2.3 Generating Random t0_-2D(+,`)_-Sharing

We now present protocol Random(P0, t0, `) which allows the players in P0 to jointly generate a randomt0<sub>-2D</sub>(+,`)_-sharing,hhr(1)_{, . . . , r}(`)_ii

t0, where eachr(l) is a random element fromF.

hhr(1)_{, . . . , r}(`)_ii

t0 =Random(P0, t0, `)

Every player Pi ∈ P0 invokes 2D(+,`)Share(Pi,P0, t0, `, r(1,Pi), . . . , r(`,Pi)) to generate hhr(1,Pi), . . . , r(`,Pi)iiP_t0i,

where r(1,Pi)_{, . . . , r}(`,Pi) _{are randomly selected from F. LetP ass denotes the set of players Pi inP}0 _{such that}

t0_-2D(+,`)_Share(P

i,P0, t0, `, r(1,Pi), . . . , r(`,Pi)) is executed successfully. Now all the players inP0jointly computes

hhr(1)_{, . . . , r}(`)_ii t0 =P_P

i∈P asshhr

(1,Pi)_{, . . . , r}(`,Pi)_iiPi t0.

Lemma 8 With overwhelming probability, protocolRandomgenerates a randomt0_-2D(+,`)_-sharing

hhr(1), . . . , r(`)iit0 in eight rounds and privately communicates and broadcasts O((`n3+n4)κ) bits.

2.4 Proving c=ab

Definition 6 t0_-1D(+)_{-sharing: We say that a value s is correctly t}0_-1D(+)_{-shared among the}

players inP0 _{if there existst}0 _{degree polynomial f(x)held byDwithf(0) =s. Every player P}

i ∈ P0

holds a share si = f(i) of s with an IC signature on it from the dealer D (i.e. ICSigsi(D, Pi)).

We denote the t0_-1D(+)_{-sharing of a secret sby hsi}

t0.

Definition 7 t0-1D(+,`)-sharing: We say that a set of secretss(1), . . . , s(`)are correctlyt0-1D(+,`) -shared among the players in P0 <sub>if there exists t</sub>0 <sub>degree polynomials f</sub>(1)<sub>, . . . , f</sub>(`) _{held by D, with}

f(l)_{(0) =s}(l) _{for l= 1, . . . , `. Every player P}

i ∈ P0 holds sharess(1)_i =f(1)(i), . . . , s(_i`) =f(`)(i) of s(1), . . . , s(`)along with a single IC signature on them from the dealerD(i.e. ICSig_(s(1)

i ,...,s (`)

i )(D, Pi))).

If a secret s is t0_-1D(+)_{-shared by a player D ∈ P}0_{, then we denote it as hsi}D

t0. Similarly if `

secrets s(1)_{, . . . , s}(`) <sub>are t</sub>0<sub>-1D</sub>(+,`)_{-shared by player D, we denote it by hs}1_{, . . . , s}`_iD

t0. Notice that

ifs(1)_{, . . . , s}(`) <sub>ist</sub>0<sub>-2D</sub>(+,`)_{-shared, i.e. hhs}(1)_{, . . . , s}(`)_ii

t0, then theith shares of the secrets, namely

s(1)_i , . . . , s(_i`) will be automaticallyt0-1D(+,`)-shared by player Pi, i.ehs(1)i , . . . , si(`)iPt0i.

Now letD∈ P0<sub>holds`pairs of values (a</sub>(1)<sub>, b</sub>(1)<sub>), . . . ,(a</sub>(`)_{, b}(`)_{) such thatDhas already correctly}

t0_-1D(+,`)<sub>-shareda</sub>(1)<sub>, . . . , a</sub>(`) _andb(1)_{, . . . , b}(`) _{among the players inP}0_{. NowD wants to correctly}

t0-2D(+,`)-share c(1), . . . , c(`) without leaking any additional information about a(l), b(l) and c(l), such that every (honest) player in P0 _{knows that c}(l) _{= a}(l)_b(l) <sub>for l = 1, . . . , `. We propose a</sub> protocolProveCeqABto achieve this task. The idea of the protocol is inspired from [11] with the following modification: we make use of our protocol 2D(+,`)-Share, which provides us with high efficiency.

We try to explain the idea of the protocol with a single pair (a, b). ThusDhas alreadyt0_-1D(+) -sharedaand busing polynomials, sayfa(x) andfb(x). Now he wants to generatet0-2D(+)-sharing

of c, where c=ab, without leaking anyadditional information abouta, b and c. For this, he first selects a random non-zero β ∈ F and generates t0_-2D(+)_{-sharing of c, β and βb. Let f}

c(x), fβ(x)

and fβb(x) are polynomials implicitly used for sharing c, β and βb. All the players in P0 then

jointly generate a random value r. D then broadcasts the polynomial F1(x) = rfa(x) +fβ(x).

Every player locally checks whether the appropriate linear combination of his shares lies on the broadcasted polynomialF₁(x). If it does not then the player broadcastsD’s signature on the shares of a and β. If the signature is valid and indeed the player’s value does not lie on F1(x), then all the players will conclude thatD fails to provec=ab.

Otherwise, D again broadcasts F₂(x) = F₁(0)f_b(x)−f_βb(x)−rf_c(x). As before every players locally checks whether the appropriate linear combination of his shares lies on the broadcasted polynomialF2(x). If it does not then the player broadcasts D’s signature on the shares ofbandβb and c. If the signature is valid and indeed the player’s value does not lie onF₂(x), then all players will conclude that Dfails to prove c=ab. Otherwise every player checks whether F2(0)= 0. If so? the everybody accepts the t0-2D(+)-sharing of cas valid t0-2D(+)-sharing of ab.

The error probability of the protocol is negligible because of the random r which is jointly generated by all the players. Specifically, a corruptedD might have sharedβ 6=β, βb6=βborc6=c

but stillF2(0) can be zero and this will happen ifff_βb(x) +rfc(x) =fβb(x) +rfc(x). However this