Improving the Round Complexity
of VSS in Point-To-Point Networks
Jitendra Kumar Patel
Problem Statement.... ?
What is the optimal round complexity of
Verifiable Secret Sharing (VSS) ?
Earlier Work.... ?
Work of Gennaro et al. (STOC 2001) and Fitzi et al. (TCC 2006) shows that,
assuming a broadcast channel, three rounds are necessary and sufficient for
efficient VSS.
- Assumes a broadcast channel is available for free
- Existing protocols do not attempt to minimize its usage
- Poor performance when run over a point-to-point (PPP) network
Examples :
- For t < n/3, they show an efficient (i.e. polynomial-time) (4, 3)-round
protocol, and an inefficient (3, 2)-round protocol
- For t < n/4, they show that two rounds are necessary and sufficient for
efficient VSS
- For t < n/3, Fitzi et al. show an efficient (3, 2)-round VSS protocol.
Result of this Paper.... ?
A VSS protocol, optimal in terms of :
• Number of rounds in the protocol.
• Number of invocations of the broadcast channel.
• Satisfies a certain “2-level sharing” property.
• Provides a base for constructing protocols for general secure
computation.
• The protocol is efficient, in that the computation and communication are
polynomial in n.
Secret Sharing.... ?
In secret sharing :
- A dealer shares a secret among a group of n parties
- Sharing Phase
- Reconstruction Phase
The requirements are that :
- For t < n, any set of t colluding parties
- No information about the dealer’s secret at the end of the sharing
- Any set of t+1 parties can recover the dealer’s secret in a
Assumption :
- The dealer is honest
Verifiable Secret Sharing (VSS) .... ?
Just like secret sharing but requires :
- No matter what a cheating dealer does (in conjunction with t other
colluding parties), there is some unique secret to which the dealer is
“committed” by the end of the sharing phase.
Perfect VSS, where the security guarantees are :
- Unconditional
- Privacy is perfect
- Protocol is error-free.
Perfect VSS is known to be possible if and only if t < n/3
Why this Research.... ?
High overhead of emulating a broadcast channel over a point-to-point network.
- Protocols are likely to be run in a point-to-point (PPP) network
- It is preferable to minimize the number of rounds in which broadcast is
used rather than to minimize the total number of rounds.
- A constant-round protocol that only uses a single round of broadcast is
likely to yield a more round-efficient protocol in a point-to-point setting than any
protocol that uses two rounds of broadcast (even if that protocol uses no
additional rounds)
- Examples : VSS protocol of Micali and Rabin vs the “round-optimal”
VSS protocol of Fitzi et al.
Weak Verifiable Secret Sharing (WSS) .... ?
If the dealer is dishonest then, in the reconstruction phase, each honest party
recovers either the dealer’s input or a special failure symbol.
Example :
- Fitzi et al. mentioned a (3, 2)-round WSS protocol
- A (5, 1)-round WSS protocol is implicitly given by J. Katz, C.-Y. Koo
Notation :
We say a protocol has round complexity (r, b) if it uses r rounds in total, and
b ≤ r of these rounds invoke broadcast.
Modifications .... ?
To construct a (3, 1)-round WSS protocol, modify the (3, 2)-round WSS protocol
by Fitzi et al.
- Does not have the “2-level sharing” property
- Cannot directly be plugged in to existing protocols of Secure MPC
Model and Definitions.... ?
Standard communication model :
- Pairwise private and authenticated channels.
- A broadcast channel, which can be emulated in a PPP network using a
broadcast protocol.
A protocol "tolerates t malicious parties" if it is secure against an
adversary who may adaptively corrupt up to t parties during an execution of the
protocol and coordinate the actions of these parties as they deviate from the
protocol in an arbitrary manner.
Parties not corrupted by the adversary are called honest. A rushing adversary
is assumed.
VSS and Variants .... ?
- Weak verifiable secret sharing
- Verifiable secret sharing
- Verifiable secret sharing with 2-level sharing
Weak Verifiable Secret Sharing (Cont.).... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input S
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of the sharing phase the joint
view of the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Weak commitment : At the end of the sharing phase the joint view of the
honest parties defines a value s such that each honest party will output
either s or a default value ⊥ at the end (REC phase).
Verifiable Secret Sharing.... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input S
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of the sharing phase the joint
view of the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Strong commitment : At the end of the sharing phase the joint view of the
honest parties defines a value S' such that all honest parties will output S'
at the end of the reconstruction phase.
VSS with 2-Level Sharing .... ?
– Two Phase Protocol for parties P = { P1,..., Pn },
– A Distinguished dealer D ∈ P holds initial input S
– Tolerating t malicious parties
Conditions to hold :
- Privacy : If the dealer is honest, at the end of the sharing phase the joint
view of the malicious parties is independent of the dealer’s inputs.
- Correctness : Each honest party Pi outputs a value si at the end of the
second phase (REC phase). If the dealer is honest then si = s.
- Commitment with 2-level sharing :
- There exists a polynomial p(x) of degree at most t such that si = p(i) for
every honest party Pi, with all honest parties output S' = p(0) at the end of
REC phase.
- For each j ∈ {1,...,n}, there exists a polynomial pj(x) of degree at
most t such that pj(0) = p(j) and Si,j = pj(i) for every honest party Pi.
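The 2-level sharing property above, worked through in Python as an added example (not code from the slides or the paper): an honest dealer builds the shares directly from the definition, both conditions are checked by interpolation, and the secret is recovered from second-level shares alone. The field modulus P and all function names are assumptions for illustration; the protocol's message rounds and dishonest-dealer handling are not modeled.

```python
import secrets
P = 2**61 - 1  # prime field modulus (assumed; the page fixes no field)

def rand_poly(const, t):
    """Random polynomial of degree <= t with value const at 0 (coefficient list)."""
    return [const % P] + [secrets.randbelow(P) for _ in range(t)]

def ev(poly, x):
    """Evaluate poly at x by Horner's rule, mod P."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc

def interpolate(points, x0=0):
    """Lagrange-interpolate the dict {x: y} and evaluate at x0."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def deal_two_level(secret, n, t):
    """Honest dealer: s[i] = p(i) and ss[i][j] = p_j(i), where p_j(0) = p(j)."""
    p = rand_poly(secret, t)
    s = {i: ev(p, i) for i in range(1, n + 1)}
    pj = {j: rand_poly(s[j], t) for j in s}
    ss = {i: {j: ev(pj[j], i) for j in s} for i in s}
    return s, ss

def lies_on_degree_t(points, t):
    """True if every point lies on one polynomial of degree <= t."""
    base = dict(list(points.items())[:t + 1])
    return all(interpolate(base, x) == y for x, y in points.items())

def check_two_level(s, ss, t):
    """Both conditions: the s_i lie on p; column j lies on p_j with p_j(0) = p(j)."""
    cols = {j: {i: ss[i][j] for i in ss} for j in s}
    return lies_on_degree_t(s, t) and all(
        lies_on_degree_t(c, t) and interpolate(c) == s[j] for j, c in cols.items())

def reconstruct_from_subshares(ss, parties):
    """Recover p(0) from the second-level shares of t+1 (or more) parties."""
    p_at = {j: interpolate({i: ss[i][j] for i in parties}) for j in parties}
    return interpolate(p_at)
```

Changing any single second-level share makes check_two_level return False, because the affected column no longer lies on a polynomial of degree at most t.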
Future Directions.... ?
- Characterize the optimal round complexity of VSS in point-to-point networks.
- Characterize the round complexity of statistical VSS
Reference…..
Improving The Round Complexity of VSS in Point-To-Point Networks
Jonathan Katz
Chiu-Yuen Koo (b)
Ranjit Kumaresan (a)
(a) Department of Computer Science,
University of Maryland, College Park, MD 20742, USA
(b) Google Labs, Mountain View, CA 94043, USA
Link : http://www.journals.elsevier.com/information-and-computation
Jitendra Kumar Patel
www.jitendrapatel.in
jitendra.patel@iiitb.org
@bewithjitendra
facebook.com/bewithjitendrapatel