To understand and present the techniques on how to improve round complexity in the verifiable secret sharing paradigm as an academic assignment. I am also assigned to a project where I will need to implement this protocol.
VSS :
In secret sharing, there is a dealer who shares a secret among a group of n parties in a sharing phase. The requirements are that, for some parameter t < n, any set of t colluding parties gets no information about the dealer’s secret at the end of the sharing phase, yet any set of t+1 parties can recover the dealer’s secret in a later reconstruction phase. Secret sharing assumes the dealer is honest; verifiable secret sharing (VSS) also requires that, no matter what a cheating dealer does (in conjunction with t+1 other colluding parties), there is some unique secret to which the dealer is “committed” by the end of the sharing phase. VSS serves as a fundamental building block in the design of protocols for general secure multi-party computation as well as other specialized goals.
3. Earlier Work.... ?
Work of Gennaro et al. (STOC 2001) and Fitzi et al. (TCC 2006) shows that,
assuming a broadcast channel, three rounds are necessary and sufficient for
efficient VSS.
- Assumes broadcast channel available as free
- Existing protocol does not attempt to minimize its usage
- Poor performance when run over PPP
Examples :
- For t < n/3, they show an efficient (i.e. polynomial-time) (4, 3)-round
protocol, and an inefficient (3, 2)-round protocol
- For t < n/4, they show that two rounds are necessary and sufficient for
efficient VSS
- For t < n/3, Fitzi et al. show an efficient (3, 2)-round VSS protocol.
4. Result of this Paper.... ?
A VSS protocol, optimal in terms of :
• Number of rounds in the protocol.
• Number of invocations of the broadcast channel.
• Satisfies a certain “2-level sharing” property.
• Provides a base for constructing protocols for General Secure
Computation.
• Protocol is efficient, in that the computation and communication are
polynomial in n.
5. Secret Sharing.... ?
In secret sharing
- Dealer who shares a secret among a group of n parties
- Sharing Phase
- Reconstruction Phase
The requirements are that :
- For t < n, any set of t colluding parties gets no information about the
dealer’s secret at the end of the sharing phase
- Any set of t+1 parties can recover the dealer’s secret in a later
reconstruction phase
Assumption :
- The dealer is honest
6. Verifiable Secret Sharing (VSS) .... ?
Just like secret sharing but requires :
- No matter what a cheating dealer does (in conjunction with t other
colluding parties), there is some unique secret to which the dealer is
“committed” by the end of the sharing phase.
Perfect VSS, where the security guarantees are :
- Unconditional
- Privacy is perfect
- Protocol is error-free.
Perfect VSS is known to be possible if and only if t < n/3
7. Why this Research.... ?
High overhead of emulating a broadcast channel over a point-to-point network.
- Protocols are likely to be run in PPP
- It is preferable to minimize the number of rounds in which broadcast is
used rather than to minimize the total number of rounds.
- A constant-round protocol that only uses a single round of broadcast is
likely to yield a more round-efficient protocol in a point-to-point setting than any
protocol that uses two rounds of broadcast (even that protocol uses no
additional rounds)
- Examples : VSS protocol of Micali and Rabin vs the “round-optimal”
VSS protocol of Fitzi et al.
8. Weak Verifiable Secret Sharing (WSS) .... ?
If the dealer is dishonest then, in the reconstruction phase, each honest party
recovers either the dealer’s input or a special failure symbol.
Example :
- Fitzi et al. mentioned a (3,2)-round WSS protocol
- A (5,1)-round WSS protocol is implicitly given by J. Katz, C.-Y. Koo
Notation :
We say a protocol has round complexity (r,b) if it uses r rounds in total, and b ≤
r of these rounds invoke broadcast.
9. Modifications .... ?
To construct a (3, 1)-round WSS protocol, modify the (3, 2)-round WSS protocol
by Fitzi et al.
- Does not have the “2-level sharing” property
- Cannot directly be plugged in to existing protocols of Secure MPC
10. Model and Definitions.... ?
Standard communication model :
- Pairwise private and authenticated channels.
- A broadcast channel which can be emulated in a PPP network using a
broadcast protocol
A protocol that tolerates t malicious parties is secure against an
adversary who may adaptively corrupt up to t parties during an execution of the
protocol and coordinate the actions of these parties as they deviate from the
protocol in an arbitrary manner.
Parties not corrupted by the adversary are called honest. A rushing adversary
is assumed.
12. Weak Verifiable Secret Sharing (Cont.).... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input s
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of this phase the joint view of
the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Weak commitment : At the end of the sharing phase the joint view of the
honest parties defines a value s such that each honest party will output
either s or a default value ⊥ at the end (REC phase).
13. Verifiable Secret Sharing.... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input s
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of this phase the joint view of
the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Strong commitment : At the end of the sharing phase the joint view of the
honest parties defines a value s' such that all honest parties will output s' at
the end of the reconstruction phase.
14. VSS with 2-Level Sharing .... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input s
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of this phase the joint view of
the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Commitment with 2-level sharing :
- A polynomial p(x) of degree at most t such that si = p(i) for every
honest party Pi, with all honest parties output s' = p(0) at the end of REC phase.
- For each j ∈ {1,...,n }, there exists a polynomial pj(x) of degree at
most t such that pj(0) = p(j) and si,j = pj(i) for every honest party Pi.
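A concrete instance of the 2-level sharing condition above, as an added example (not code from the paper or from these slides): an honest dealer shares s with p(x), shares each p(j) again with pj(x), and a checker verifies both conditions by Lagrange interpolation. The field modulus P and all function names are assumptions; a real dealer would draw coefficients from a CSPRNG rather than the seeded generator used here for reproducibility.

```python
import random

P = 2**61 - 1  # constructed prime modulus (assumption: the page fixes no field)

def poly_eval(coeffs, x):
    """Evaluate a polynomial (low-to-high coefficients) at x mod P, Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def random_poly(const, t, rng):
    """Random polynomial of degree at most t with the given constant term."""
    return [const % P] + [rng.randrange(P) for _ in range(t)]

def interpolate_at(points, x0=0):
    """Lagrange-interpolate through the points and evaluate the result at x0."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def deal_two_level(secret, n, t, rng):
    """Honest dealer: s[i] = p(i); ss[i][j] = p_j(i) where p_j(0) = p(j)."""
    p = random_poly(secret, t, rng)
    s = {i: poly_eval(p, i) for i in range(1, n + 1)}
    pj = {j: random_poly(s[j], t, rng) for j in s}
    ss = {i: {j: poly_eval(pj[j], i) for j in s} for i in s}
    return s, ss

def has_two_level_sharing(s, ss, t):
    """Check both conditions of the definition over every party's outputs."""
    ids = sorted(s)
    base = [(i, s[i]) for i in ids[:t + 1]]
    if any(interpolate_at(base, i) != s[i] for i in ids):   # s_i = p(i), deg p <= t
        return False
    for j in ids:
        col = [(i, ss[i][j]) for i in ids[:t + 1]]
        if interpolate_at(col, 0) != s[j]:                   # p_j(0) = p(j)
            return False
        if any(interpolate_at(col, i) != ss[i][j] for i in ids):  # s_{i,j} = p_j(i)
            return False
    return True
```

Any t+1 of the first-level shares recover s' = p(0) with `interpolate_at`, and any t+1 of the values si,j for a fixed j recover p(j), which is what lets the sharing be reused inside a larger computation.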
15. Future Directions.... ?
- Characterize the optimal round complexity of VSS in point-to-point networks.
- Characterize the round complexity of statistical VSS
16. Reference…..
Improving The Round Complexity of VSS in Point-To-Point Networks
Jonathan Katz (a), Chiu-Yuen Koo (b), Ranjit Kumaresan (a)
(a) Department of Computer Science, University of Maryland, College Park, MD 20742, USA
(b) Google Labs, Mountain View, CA 94043, USA
Link : http://www.journals.elsevier.com/information-and-computation