Broadcast (and Round) Efficient Verifiable Secret Sharing [chapter]

Juan Garay, Clint Givens, Rafail Ostrovsky, Pavel Raykov
2014 Lecture Notes in Computer Science
Verifiable secret sharing (VSS) is a fundamental cryptographic primitive, lying at the core of secure multi-party computation (MPC) and, as the distributed analogue of a commitment functionality, used in numerous applications. In this paper we focus on unconditionally secure VSS protocols with honest majority. In this setting it is typically assumed that parties are connected pairwise by authenticated, private channels, and that in addition they have access to a "broadcast" channel. Because broadcast cannot be simulated on a point-to-point network when a third or more of the parties are corrupt, it is impossible to construct VSS (and more generally, MPC) protocols in this setting without using a broadcast channel (or some equivalent addition to the model). A great deal of research has focused on increasing the efficiency of VSS, primarily in terms of round complexity. In this work we consider a refinement of the round complexity of VSS, by adding a measure we term broadcast complexity. We view the broadcast channel as an expensive resource and seek to minimize the number of rounds in which it is invoked as well. We construct a (linear) VSS protocol which uses the broadcast channel only twice in the sharing phase, while running in an overall constant number of rounds.

Further, it is known that in this regime (n/3 ≤ t < n/2), protocols are subject to some (negligibly small) error probability and cannot achieve so-called perfect security [CCD88, RB89, DDWY93], which is possible when t < n/3. A great deal of research has focused on understanding the complexity as well as increasing the efficiency of VSS, primarily in terms of round complexity [GIKR02, FGG+06, KKK08, PCRR09, KPC10]. Indeed, given its typical applications, such as implementing a pre-processing phase, as well as the share phase in the general "share-compute-reveal" shape of an MPC protocol [GMW87], or its use during the setup phase of information-theoretic protocols when t ≥ n/3 (e.g., [PW96, BTHR07, HR13]; see Related work), a fast execution, namely a (small) constant number of rounds (some specific figures are given later on), is of utmost importance. In this work we consider a refinement of the round complexity of VSS, by incorporating an additional measure which we term broadcast complexity. We view the broadcast channel as an expensive resource and seek to minimize the number of rounds in which it is invoked as well.
Justifiably so, high-level descriptions of VSS (and, more generally, MPC) protocols tend to treat broadcast as a black box. When t < n/3, this may be viewed simply as a convenient abstraction, since broadcast in any case can be simulated in a point-to-point network using Byzantine agreement. However, when t < n/2, the black-box treatment of broadcast is (as described above) no longer a convenience but a requirement, and there are compelling reasons to consider it more expensive than "mere" secure channels. Indeed, while the latter can be realized, for example, via the physical exchange (using trusted couriers) of large one-time pads between every pair of players, which may be done in an asynchronous preprocessing phase and without any centrally trusted party, we see no equally straightforward approach to physically implementing broadcast without a trusted party when the participants are geographically scattered. Hence it is only natural to treat physical broadcast as an expensive resource, and in particular to treat a protocol's broadcast rounds as (substantially) more expensive than ordinary rounds. In addition, the question of how many broadcast rounds VSS requires in the t < n/2 regime is compelling from a theoretical perspective.

Our results. Thus motivated to better understand the broadcast requirements of verifiable secret sharing when t < n/2, in this work we present new upper bounds on its broadcast and round complexity. Specifically, we show a constant-round, linear VSS protocol which uses only two broadcasts in the sharing phase and none in reconstruction, what we call a (2, 0)-broadcast VSS. The overall number of rounds is (20, 1), again meaning 20 rounds in the sharing phase and 1 reconstruction round. To our knowledge, the most efficient VSS protocol in terms of broadcast rounds for t < n/2 is the (2, 2)-broadcast, (3, 2)-round protocol of Kumaresan et al. [KPC10], which is exponential-time and not (apparently) linear.
The same authors also give a (3, 2)-broadcast, (4, 2)-round VSS which is polynomial-time and linear (we believe, though the authors do not claim it here either), at the expense of an additional round in the sharing phase. Hence our (2, 0)-broadcast protocol improves the overall broadcast complexity (although it is not as round-efficient). Considering linear, constant-round protocols which use zero broadcasts during reconstruction (which are more suitable for VSS applications such as [broadcast-efficient] MPC), the most broadcast-efficient VSS protocol we are aware of is the (7, 0)-broadcast protocol described in [RB89, Rab94]. Recently, Hirt and Raykov [HR13] presented an approach that allows constructing (1, 0)-broadcast VSS protocols for t < n/2, but the overall number of protocol rounds is linear in n, making it not ideally suited to the natural applications of VSS mentioned above.

We derive our (2, 0)-broadcast, constant-round VSS protocol in two stages.

1. In the first stage, we obtain a (3, 0)-broadcast, constant-round protocol which is inspired by the protocol in [Rab94], but leverages a number of novelties and optimizations to reduce the broadcast complexity from 7 to 3; its overall round complexity is (9, 1). This is presented in Section 3.1.

2. In the second stage, we apply a transformation to the sharing phase of the above protocol such that it uses two rounds of broadcast instead of three. This optimization is in turn inspired by the one
doi:10.1007/978-3-319-04268-8_12 fatcat:misuq2f64fat5eohmwjybejo3i