Aarhus University
Verifiable Secret-Sharing Schemes
Irene Giacomelli
joint work with Ivan Damgård, Bernardo David and Jesper B. Nielsen
Aalborg, 30th June 2014

Packed Linear Secret-Sharing Scheme among n players
$(t, r)$-LSSS for secret $s \in F^l$
Sharing Phase: the dealer, holding the secret $s \in F^l$, sends share $c_1 \in F$ to player $P_1$, share $c_2 \in F$ to player $P_2$, ..., share $c_n \in F$ to player $P_n$.
Reconstruction Phase: the shares $c_1 \in F$, $c_2 \in F$, ..., $c_n \in F$ give back $s \in F^l$.

Packed Linear Secret-Sharing Scheme among n players
$(t, r)$-LSSS for secret $s \in F^l$
t-privacy: shares $c_{i_1}, c_{i_2}, \dots, c_{i_t} \in F$ $\to$ ?
r-reconstruction: shares $c_{j_1}, c_{j_2}, \dots, c_{j_r} \in F$ $\to$ $s \in F^l$

An example: Shamir's scheme (l = 1) for n players
Let $\beta_1, \dots, \beta_n$ be n distinct nonzero elements of $F$.
secret: $s \in F$
D chooses $f(x) = s + \sum_{i=1}^{t} a_i x^i$ (random)
shares: $c_i = f(\beta_i)$, $i = 1, \dots, n$
Note: Shamir's scheme has t-privacy and (t + 1)-reconstruction.
$$\begin{pmatrix} 1 & \beta_1 & \cdots & \beta_1^t \\ 1 & \beta_2 & \cdots & \beta_2^t \\ \vdots & \vdots & & \vdots \\ 1 & \beta_n & \cdots & \beta_n^t \end{pmatrix} \begin{pmatrix} s \\ a_1 \\ \vdots \\ a_t \end{pmatrix} = \begin{pmatrix} f(\beta_1) \\ f(\beta_2) \\ \vdots \\ f(\beta_n) \end{pmatrix}$$
The set $\{(s, c_1, \dots, c_n)\} = \{(f(0), f(\beta_1), \dots, f(\beta_n))\}_{\deg(f) \le t}$ is a $[n + 1, t + 1]$-Reed-Solomon code over $F$.

An example: Franklin and Yung's scheme (l > 1)
Let $\{\alpha_1, \dots, \alpha_l\}$ and $\{\beta_1, \dots, \beta_n\}$ be two disjoint sets of distinct elements of $F$.
secret: $s \in F^l$, where $s = \begin{pmatrix} s[1] \\ s[2] \\ \vdots \\ s[l] \end{pmatrix}$
$f(x) \in F[x]$ random s.t. $\deg(f) \le t + l - 1$ and $f(\alpha_i) = s[i]$, $i = 1, \dots, l$
shares: $c_i = f(\beta_i)$, $i = 1, \dots, n$

What kind of security?!
Assume the dealer is honest:
t-privacy: security for the dealer against at most t corrupted curious players (passive corruption);
What happens if the corrupted players during the reconstruction phase provide faulty shares (active corruption)?!
robust reconstruction: the set of the n shares determines the secret even if t of them are faulty (robust SSS)
e.g. If $t < n/3$, Shamir's scheme is robust (Reed-Solomon decoding)

Security: the players' point of view
What happens if the dealer is not honest?!
Consider Shamir's scheme with n = 4 and t = 1 (r = 2):
[Figure: the dealer with secret s sends shares $c_1, c_2, c_3, c_4$ to players $P_1, P_2, P_3, P_4$; braces group the players into sets, each labelled with the secret it reconstructs.]
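
The two examples above (Shamir's and Franklin and Yung's schemes) and the n = 4, t = 1 case on this slide, worked through in code. This is an added example, not material from the talk: the prime modulus, the function names and the way the corrupt dealer shifts one share are assumptions made for illustration.

```python
import secrets
from itertools import combinations

P = 2**31 - 1  # prime field GF(P); the modulus is an assumption of this example

def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def share(secret, alphas, betas, t):
    """Honest dealer: random f, deg(f) <= t+l-1, f(alpha_i) = s[i]; c_i = f(beta_i)."""
    # f is pinned down by its l secret values plus t uniformly random values.
    pts = list(zip(alphas, secret)) + [(b, secrets.randbelow(P)) for b in betas[:t]]
    return [interpolate(pts, b) for b in betas]

def reconstruct(shares, alphas, betas, players):
    """The given players (0-based) pool their shares and evaluate f at each alpha."""
    pts = [(betas[i], shares[i]) for i in players]
    return tuple(interpolate(pts, a) for a in alphas)

def outcomes(shares, alphas, betas, r):
    """Every secret that some r-subset of players reconstructs (no verification)."""
    subsets = combinations(range(len(betas)), r)
    return {reconstruct(shares, alphas, betas, s) for s in subsets}

def corrupt_dealer(shares, i, delta=1):
    """Constructed cheating dealer: share i is moved off the polynomial by delta."""
    bad = list(shares)
    bad[i] = (bad[i] + delta) % P
    return bad

if __name__ == "__main__":
    betas = [1, 2, 3, 4]                          # n = 4, as on the slide
    good = share([42], [0], betas, t=1)           # Shamir: l = 1, alpha = 0, r = 2
    print("honest dealer :", outcomes(good, [0], betas, 2))
    print("corrupt dealer:", outcomes(corrupt_dealer(good, 2), [0], betas, 2))
    packed = share([7, 9], [5, 6], betas, t=1)    # Franklin-Yung: l = 2, r = t + l = 3
    print("packed, l = 2 :", outcomes(packed, [5, 6], betas, 3))
```

With an honest dealer every pair of players recovers the same value; once a single share is off the polynomial, the pairs disagree and no player can tell which value the dealer meant, which is the gap verifiability closes.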

Definition of VSSS:
A $(t, r)$-SSS among n players is verifiable if
t-privacy: when the dealer is honest, any set of t players gets no info about the secret.
$P_{i_1}, P_{i_2}, \dots, P_{i_t}$ $\to$ ?
r-robust reconstruction: when the dealer is corrupt, if the sharing phase succeeds then any set of r honest players reconstruct the same secret.
For any $\{i_1, \dots, i_r\} \neq \{j_1, \dots, j_r\}$, if $P_{i_1}, P_{i_2}, \dots, P_{i_r}$ $\to$ $s \in F^l$ and $P_{j_1}, P_{j_2}, \dots, P_{j_r}$ $\to$ $s' \in F^l$, then $s = s'$.

A general construction from LSSS to VSSS:
$(t, r)$-LSSS for secret $s \in F^l$ $\longrightarrow$ $(t, r)$-VSSS for secrets $\{s_1, \dots, s_l\} \subseteq F^l$
Notation for $(t, r)$-LSSS for secret $s \in F^l$:
$d = l + e$ (for some integer $e > 0$); $M \in F^{n \times d}$
$\pi_l : F^d \to F^l$, $v \mapsto (v[1], \dots, v[l])$
secret: $s \in F^l$
D chooses $f \in F^d$ random s.t. $\pi_l(f) = s$
shares: $c_i = m_i f$, $i = 1, \dots, n$, where $m_i$ is the ith row of $M$.

The complexity
$(t, r)$-LSSS for secret $s \in F^l$ $\longrightarrow$ $(t, r)$-VSSS for secrets $\{s_1, \dots, s_l\} \subseteq F^l$
Assuming $F = \{0, 1\}$ and $l = \Theta(n)$:
LSSS: secret bits shared $l$, communication complexity $\Theta(n)$
VSSS: secret bits shared $l^2$, communication complexity $\Theta(n^2)$

t-privacy in the LSSS $\Rightarrow$ t-privacy in the VSSS
Proposition: If the dealer is honest, then for any set $C \subseteq \{1, \dots, n\}$ such that $|C| \le t$, the views $\{g_i, h_i\}_{i \in C}$ give no info about the secrets held by the dealer.
views $(g_{i_1}, h_{i_1}), (g_{i_2}, h_{i_2}), \dots, (g_{i_t}, h_{i_t})$ $\to$ ?
If the dealer is honest, then for any set $C \subseteq \{1, \dots, n\}$ such that $|C| \le t$ and for any $\lambda_1, \dots, \lambda_l$ in $F$, the views $\{g_i, h_i, \sum_{k=1}^{l} \lambda_k s_k\}_{i \in C}$ give no extra info about the secrets held by the dealer.

r-robust reconstruction
r-reconstruction in the LSSS + checks $m_j h_i = g_j m_i$ $\Rightarrow$ r-robust reconstruction in the VSSS
Proposition: Assume that no player rejects. Then, even if the dealer is corrupt, any set of at least r honest players reconstruct the same secrets.
For any $\{i_1, \dots, i_r\} \neq \{j_1, \dots, j_r\}$, if the views $(g_{i_1}, h_{i_1}), (g_{i_2}, h_{i_2}), \dots, (g_{i_r}, h_{i_r})$ $\to$ $\{s_1, \dots, s_l\} \subseteq F^l$ and the views $(g_{j_1}, h_{j_1}), (g_{j_2}, h_{j_2}), \dots, (g_{j_r}, h_{j_r})$ $\to$ $\{s'_1, \dots, s'_l\} \subseteq F^l$, then $\{s_1, \dots, s_l\} = \{s'_1, \dots, s'_l\}$.

Extensions:
checking a public linear relation between the secrets
generate shares of $0 \in F^l$

Applications:
MPC protocols
Commitment Schemes
...
In these cases, we need to base the construction on a LSSS with t-strong multiplication such that n + F constant t, l = Θ(n) (e.g. AG Secret-Sharing Schemes!)