Improving the Round Complexity of VSS in Point-to-Point Networks


Jonathan Katz*, Chiu-Yuen Koo†, Ranjit Kumaresan*

* Dept. of Computer Science, University of Maryland. Email: {katz,ranjit}@cs.umd.edu. Research supported in part by NSF awards # and # (CAREER), and US-Israel Binational Science Foundation grant #.
† Dept. of Computer Science, University of Maryland and Google Labs. Email: cykoo@cs.umd.edu.

Abstract

We revisit the following question: what is the optimal round complexity of verifiable secret sharing (VSS)? We focus here on the case of perfectly-secure VSS where the number of corrupted parties $t$ satisfies $t < n/3$, with $n$ being the total number of parties. Work of Gennaro et al. (STOC 2001) and Fitzi et al. (TCC 2006) shows that, assuming a broadcast channel, 3 rounds are necessary and sufficient for efficient VSS. The efficient 3-round protocol of Fitzi et al., however, treats the broadcast channel as being available "for free" and does not attempt to minimize its usage. This approach leads to relatively poor round complexity when protocols are compiled for a point-to-point network. We show here a VSS protocol that is simultaneously optimal in terms of both the number of rounds and the number of invocations of broadcast. Our protocol also has a certain "2-level sharing" property that makes it useful for constructing protocols for general secure computation.

1 Introduction

The round complexity of cryptographic protocols has been the subject of intense study. Besides protocols for general secure computation, protocols for various specific functionalities of interest (e.g., broadcast, zero-knowledge proofs, etc.) have also been explored. Here, we revisit the case of verifiable secret sharing, whose definition we now recall informally. (Formal definitions appear in Section 2.) In secret sharing [2, 19], there is a dealer who shares a secret among a group of $n$ parties in a sharing phase. The requirements are that, for some parameter $t < n$, any set of $t$ colluding parties gets no information about the dealer's secret at the end of the sharing phase, yet any set of $t+1$ parties can recover the dealer's secret in a later reconstruction phase.

Secret sharing assumes the dealer is honest; verifiable secret sharing (VSS) [3] also requires that, no matter what a cheating dealer does (in conjunction with $t-1$ other colluding parties), there is some unique secret to which the dealer is committed by the end of the sharing phase. VSS serves as a fundamental building block in the design of protocols for general secure multi-party computation as well as other specialized goals (such as Byzantine agreement); thus, it is of interest to understand the inherent round complexity for carrying out this task. In this work we will always consider perfectly-secure VSS, where the protocol is required to be error-free and security should hold even against an all-powerful adversary. This is known to be possible if and only if $t < n/3$ [1, 6]. Previous research investigating the round complexity of VSS, surveyed further below, has focused on optimizing the round complexity assuming a broadcast

channel is available "for free". (We remark that broadcast is essential for VSS, in a way we make precise below.) As argued previously [13], however, if the ultimate goal is to optimize the round complexity of protocols for point-to-point networks (where protocols are likely to be run), then it is preferable to minimize the number of rounds in which broadcast is used rather than to minimize the total number of rounds. This is due to the high overhead of emulating a broadcast channel over a point-to-point network: deterministic broadcast protocols require $\Omega(t)$ rounds [8]; known randomized protocols [7, 9, 12] require only $O(1)$ rounds in expectation, but the constant is rather high. (The most round-efficient protocol known [12, 13] requires 23 rounds in expectation for $t < n/3$; actually, the VSS protocol given here can be used to improve this slightly.) Moreover, when using randomized broadcast protocols, if more than one invocation of broadcast is used then special care must be taken to deal with sequential composition of protocols without simultaneous termination (see [15, 12, 13]), leading to a substantial increase in the round complexity. As a consequence, a constant-round protocol that only uses a single round of broadcast is likely to yield a more round-efficient protocol in a point-to-point setting than any protocol that uses two rounds of broadcast (even if that protocol uses no additional rounds). As a concrete example (taken from [13]) to illustrate the point, consider the VSS protocol of Micali and Rabin [16] and the round-optimal VSS protocol of Fitzi et al. [10]. The former uses 16 rounds but only a single round of broadcast; the latter uses 3 rounds, two of which require broadcast. Compiling these protocols for a point-to-point network using the most round-efficient techniques known (see [13]), the Micali-Rabin protocol runs in an expected 31 rounds while the protocol of Fitzi et al. requires an expected 55 rounds! In light of the above, when discussing the round complexity of protocols that assume a broadcast channel we keep track of both the number of rounds as well as the number of rounds in which broadcast is used.

(In a given round when broadcast is used, each party may use the broadcast channel, but a rushing adversary is still assumed. Existing broadcast protocols can be modified so that the round complexity is unchanged even if many parties broadcast in parallel.) We say a protocol has round complexity $(r, r')$ if it uses $r$ rounds in total, and $r' \le r$ of these rounds invoke broadcast. The round complexity of VSS refers to the sharing phase only, since the reconstruction phase of most known protocols utilizes only a single round, without broadcast. (An exception is the protocol of [10], whose reconstruction phase uses a single round of broadcast.)

Our results and techniques. Gennaro et al. [11] show that three rounds are necessary for VSS, assuming a broadcast channel. We also observe that it is impossible to construct a strict constant-round protocol for VSS without using a broadcast channel in at least one round: VSS implies broadcast using one additional round (the message to be broadcast can be treated as the input for VSS), and the results of Fischer and Lynch [8] rule out strict constant-round protocols for broadcast. Prior work [16, 10, 13, 14] shows that optimal round complexity as well as optimal use of the broadcast channel could each be obtained individually for VSS, but it was unknown whether they could be obtained simultaneously. Here, we resolve this question and show a $(3, 1)$-round VSS protocol that is optimal in both measures. (Our protocol has a 1-round reconstruction phase that does not use broadcast.) As a consequence, we obtain a VSS protocol with the best known round complexity in point-to-point networks. Our work also leads to an improvement in the round complexity of the most round-efficient broadcast protocols known [12]. A nice feature of our VSS protocol is that it also satisfies a certain 2-level sharing property that is not achieved by the 3-round protocol from [10]. Roughly speaking, this means that the following conditions hold at the end of the sharing phase when the dealer's (effective) input is $s$:

1. There exists a polynomial $f(x)$ of degree at most $t$ such that $f(0) = s$ and each honest party

$P_i$ holds the value $f(i)$.

2. For each party $P_i$, there exists a polynomial $f_i(x)$ of degree at most $t$ such that $f_i(0) = f(i)$ and each honest party $P_j$ holds the value $f_i(j)$.

VSS protocols with this property constitute a useful building block for protocols for general secure multi-party computation (see, e.g., [13, 14]). Our protocol is efficient, in that the computation and communication are polynomial in $n$. The communication complexity of our protocol is $O(n^2 t)$ field elements, which matches the communication complexity of [10] but is worse than that of [11].

We now summarize the basic techniques used to prove our main result. As in [10], we begin by constructing a protocol for weak verifiable secret sharing (WSS) [18]. (In WSS, informally, if the dealer is dishonest then, in the reconstruction phase, each honest party recovers either the dealer's input or a special failure symbol.) Fitzi et al. show a $(3, 2)$-round WSS protocol that essentially consists of the first three rounds of the 4-round VSS protocol from [11]. On a high level, their protocol works as follows: In the first round, the dealer distributes the shares of the secret using a random bivariate polynomial; in parallel, each pair of parties $(P_i, P_j)$ exchanges a random pad $r_{i,j}$. In the second round, $P_i$ and $P_j$ check for an inconsistency between their shares by broadcasting their common shares masked with the random pad. In the third round, if there is a disagreement between $P_i$ and $P_j$ in round 2 (note that all parties agree whether there is disagreement since broadcast is used in round 2), then the dealer, $P_i$, and $P_j$ all broadcast the share in question. This allows the rest of the parties to determine whether the dealer agrees with $P_i$ or with $P_j$. A $(5, 1)$-round WSS protocol is implicitly given in [13] (that work shows a 6-round VSS protocol that uses broadcast in the final two rounds; the first five rounds of that protocol suffice for WSS). There, rather than using the random pad technique, a different method is used to detect disagreement between $P_i$ and $P_j$. While this saves one round of broadcast, it requires additional rounds of interaction.

To construct a $(3, 1)$-round WSS protocol, we modify the $(3, 2)$-round WSS protocol from [10] by using the random pad idea with the following twist: in the second round of the protocol, $P_i$ and $P_j$ check if there is any inconsistency between their shares by exchanging their common shares over a point-to-point link; they also send the random pad $r_{i,j}$ to the dealer. In the third round of the protocol, if there is a disagreement between $P_i$ and $P_j$, then $P_i$ and $P_j$ each broadcast the shares they hold; otherwise, they broadcast the value of their common share masked with the random pad. The dealer will broadcast the corresponding share masked with the random pad (or the share itself if the random pads it received from $P_i$ and $P_j$ are different). Notice that secrecy of the share is preserved if $P_i$, $P_j$, and the dealer are all honest. On the other hand, if the dealer is malicious and there is a disagreement between honest parties $P_i$ and $P_j$, then the dealer can agree with at most one of $P_i$ and $P_j$ in round 3, but not both of them.

The above is the high-level idea of our WSS protocol. Using the same techniques as in [10], we can then immediately obtain a $(3, 1)$-round VSS protocol. However, the VSS protocol constructed in this manner will not have the 2-level sharing property; as a consequence, the resulting protocol cannot directly be plugged in to existing protocols for general secure multi-party computation. To convert the VSS protocol into one with 2-level sharing we note that, by the end of the sharing phase, there is a set of honest parties (that we call a "core set") who already do have the required 2-level shares; thus, we only need to provide honest parties outside the core set with their required shares. We achieve this, as in [5], by having the dealer use a symmetric bivariate polynomial to share its input, and then modifying the protocol so that honest parties who are not in the core set can still generate appropriate shares by interpolating the shares of the parties in the core set. Of

course, this process needs to be carefully designed so that no additional information is leaked to the adversary. We defer the details of this to a later section.

Other related work. Gennaro et al. [11] initiated a study of the exact round complexity of VSS. For $t < n/3$, they show an efficient (i.e., polynomial-time) $(4, 3)$-round protocol, and an inefficient $(3, 2)$-round protocol. (Recall that the round complexity of VSS is defined as the number of rounds in the sharing phase; unless otherwise stated, all protocols mentioned use only one round, without broadcast, in the reconstruction phase.) They also show that three rounds are necessary for VSS when $t < n/3$. For $t < n/4$, they show that two rounds are necessary and sufficient for efficient VSS. Settling the question of the absolute round complexity of efficient VSS for $t < n/3$, Fitzi et al. [10] show an efficient $(3, 2)$-round VSS protocol. The reconstruction phase of their protocol requires one round of broadcast as well. As discussed extensively already, although the protocol by Fitzi et al. is optimal in terms of the total number of rounds, it is not optimal in terms of its usage of the broadcast channel. VSS protocols for $t < n/3$ using one round of broadcast are known, but these protocols are not optimal in terms of their overall round complexity. Micali and Rabin [16] give a $(16, 1)$-round VSS protocol, and recent work of the authors [13, 14] improves this to give a $(7, 1)$-round protocol.

Our work, as well as all the work referenced above, focuses on VSS protocols with perfect security (i.e., 0-error VSS). A natural relaxation is to consider statistical VSS where the security properties may fail with negligible probability. Surprisingly, recent work subsequent to our own [17] shows that the lower bound of Gennaro et al. [11] no longer holds in this setting, and that 2-round protocols are in fact possible.

Future directions. It would, of course, be nice to characterize the optimal round complexity of VSS in point-to-point networks. Though our work represents progress toward this goal, the question is complicated by the fact that one must consider the distribution of running times of any protocol (since strict constant-round protocols are ruled out). It will also be interesting to understand the round complexity of statistical VSS when $t < n/2$; see [17] for work in this direction.

2 Model and Definitions

We consider the standard communication model where parties communicate in synchronous rounds using pairwise private and authenticated channels. We also assume a broadcast channel, with the understanding that it can be emulated in a point-to-point network using a broadcast protocol. A broadcast channel allows any party to send the same message to all other parties (and all parties to be assured they have received identical messages) in a single round. We stress that we do not assume simultaneous broadcast, but allow rushing here as well. When we say a protocol tolerates $t$ malicious parties, we always mean that it is secure against an adversary who may adaptively corrupt up to $t$ parties during an execution of the protocol and coordinate the actions of these parties as they deviate from the protocol in an arbitrary manner. Parties not corrupted by the adversary are called honest. We always assume a rushing adversary; i.e., in any round the malicious parties receive the messages sent by the honest parties before deciding on their own messages.

2.1 VSS and Variants

We now present definitions of WSS, VSS, and VSS with 2-level sharing.

Definition 1 [Weak verifiable secret sharing] A two-phase protocol for parties $\mathcal{P} = \{P_1, \ldots, P_n\}$, where a distinguished dealer $D \in \mathcal{P}$ holds initial input $s$, is a WSS protocol tolerating $t$ malicious parties if the following conditions hold for any adversary controlling at most $t$ parties:

Privacy: If the dealer is honest at the end of the first phase (the sharing phase), then at the end of this phase the joint view of the malicious parties is independent of the dealer's input $s$.

Correctness: Each honest party $P_i$ outputs a value $s_i$ at the end of the second phase (the reconstruction phase). If the dealer is honest then $s_i = s$.

Weak commitment: At the end of the sharing phase the joint view of the honest parties defines a value $s'$ (which can be computed in polynomial time from this view) such that each honest party will output either $s'$ or a default value $\bot$ at the end of the reconstruction phase.

Definition 2 [Verifiable secret sharing] A two-phase protocol for parties $\mathcal{P}$, where a distinguished dealer $D \in \mathcal{P}$ holds initial input $s$, is a VSS protocol tolerating $t$ malicious parties if it satisfies the privacy and correctness requirements of WSS as well as the following (stronger) commitment requirement:

Commitment: At the end of the sharing phase the joint view of the honest parties defines a value $s'$ (which can be computed in polynomial time from this view) such that all honest parties will output $s'$ at the end of the reconstruction phase.

Definition 3 [Verifiable secret sharing with 2-level sharing] A two-phase protocol for parties $\mathcal{P} = \{P_1, \ldots, P_n\}$, where a distinguished dealer $D \in \mathcal{P}$ holds initial input $s$, is a VSS protocol with 2-level sharing tolerating $t$ malicious parties if it satisfies the privacy and correctness requirements of VSS as well as the following requirement:

Commitment with 2-level sharing: At the end of the sharing phase each honest party $P_i$ outputs $s_i$ and $s_{i,j}$, for $j \in \{1, \ldots, n\}$, satisfying the following requirements:

1. There exists a polynomial $p(x)$ of degree at most $t$ such that $s_i = p(i)$ for every honest party $P_i$, and furthermore all honest parties will output $s' = p(0)$ at the end of the reconstruction phase.

2. For each $j \in \{1, \ldots, n\}$, there exists a polynomial $p_j(x)$ of degree at most $t$ such that (1) $p_j(0) = p(j)$ and (2) $s_{i,j} = p_j(i)$ for every honest party $P_i$.

This implies the commitment property of VSS, since the value $s' = p(0)$ that will be output in the reconstruction phase is defined by the view of the honest parties at the end of the sharing phase.

In our protocol descriptions, we implicitly assume all parties send properly-formatted messages at all times; this is without loss of generality, as we may interpret an improper or missing message as some default message. We assume the dealer's input $s$ lies in a finite field $\mathbb{F}$ containing $\{0, 1, \ldots, n\}$ as a subset.

3 Weak Verifiable Secret Sharing

We show a $(3, 1)$-round WSS protocol tolerating $t < n/3$ malicious parties.

3.1 The Protocol

Sharing phase. The sharing phase consists of three rounds, with broadcast used in the last round.

Round 1: The dealer holds $s$. The following steps are carried out in parallel:

- The dealer chooses a random bivariate polynomial $F(x, y)$ of degree at most $t$ in each variable such that $F(0, 0) = s$. The dealer then sends to each party $P_i$ the polynomials $f_i(x) := F(x, i)$ and $g_i(y) := F(i, y)$.
- Each party $P_i$ picks a random $r_{i,j} \in \mathbb{F}$ for $j \in \{1, \ldots, n\}$, and sends $r_{i,j}$ to both $P_j$ and the dealer $D$.

Round 2: For every ordered pair $(i, j)$, parties $P_i$ and $P_j$ proceed as follows:

- Party $P_i$ sends $a_{i,j} := f_i(j)$ to $P_j$.
- Party $P_j$ sends $b_{i,j} := g_j(i)$ to $P_i$. (Note that, when everyone is honest, then $a_{i,j} = b_{i,j} = F(j, i)$.)
- Let $r'_{i,j}$ be the random pad that $P_j$ received from $P_i$ in the previous round. Then $P_j$ sends $r'_{i,j}$ to $D$.

Round 3: For every ordered pair $(i, j)$, parties $P_i$, $P_j$, and $D$ do:

- (From the viewpoint of $P_i$:) If $b_{i,j} \ne f_i(j)$, then $P_i$ broadcasts ("disagree", $f_i(j)$, $r_{i,j}$). Otherwise, $P_i$ broadcasts ("agree", $f_i(j) + r_{i,j}$).
- (From the viewpoint of $P_j$:) If $a_{i,j} \ne g_j(i)$, then $P_j$ broadcasts ("disagree", $g_j(i)$, $r'_{i,j}$). Otherwise, $P_j$ broadcasts ("agree", $g_j(i) + r'_{i,j}$).
- (From the viewpoint of $D$:) If $r_{i,j} \ne r'_{i,j}$, then $D$ broadcasts ("not equal", $F(j, i)$). Otherwise, $D$ broadcasts ("equal", $F(j, i) + r_{i,j}$).

Local computation. An ordered pair of parties $(P_i, P_j)$ is conflicting if, in round 3, party $P_i$ broadcasts ("disagree", $f_i(j)$, $r_{i,j}$); party $P_j$ broadcasts ("disagree", $g_j(i)$, $r'_{i,j}$); and $r_{i,j} = r'_{i,j}$. For a pair of conflicting parties $(P_i, P_j)$, we say that $P_i$ (resp., $P_j$) is unhappy if one of the following conditions holds:

- The dealer broadcasts ("not equal", $d_{i,j}$) and $d_{i,j} \ne f_i(j)$ (resp., $d_{i,j} \ne g_j(i)$).
- The dealer broadcasts ("equal", $d_{i,j}$) and $d_{i,j} \ne f_i(j) + r_{i,j}$ (resp., $d_{i,j} \ne g_j(i) + r'_{i,j}$).

Note that all parties agree on who is unhappy. If there are more than $t$ unhappy parties, the dealer is disqualified and a default value is shared.

Reconstruction phase. The reconstruction phase is similar to the one in [10], except that we do not use broadcast.

1. Every party $P_i$ that is not unhappy sends $f_i(x)$ and $g_i(y)$ to all other parties.

2. Let $f^i_j, g^i_j$ denote the polynomials that $P_j$ sent to $P_i$ in the previous step. $P_i$ then constructs a consistency graph $G_i$ whose vertices correspond to the parties who are not unhappy: Initially, there is an edge between $P_j$ and $P_k$ in $G_i$ if and only if $f^i_j(k) = g^i_k(j)$ and $g^i_j(k) = f^i_k(j)$. (Note that we allow also the case $j = k$ here.)

If there exists a vertex in $G_i$ whose degree is less than $n - t$ (including self-loops), then that vertex is removed from $G_i$. This is repeated until no more vertices can be removed. Let $\mathrm{Core}_i$ denote the parties whose corresponding vertices remain in $G_i$.

3. If $|\mathrm{Core}_i| < n - t$, then $P_i$ outputs $\bot$. Otherwise, $P_i$ reconstructs the polynomial $F^i(x, y)$ defined by any $t + 1$ parties in $\mathrm{Core}_i$, and outputs $s_i := F^i(0, 0)$.

We remark that, since we do not use broadcast in the reconstruction phase, it is possible that $\mathrm{Core}_i$, $\mathrm{Core}_j$ are different for different honest parties $P_i$, $P_j$.

3.2 Proofs

Lemma 1 If the dealer is not corrupted by the end of the sharing phase, then privacy is preserved.

Proof Let $C$ denote the set of parties corrupted by the end of the sharing phase. We show that if the dealer remains uncorrupted, then the information the adversary has about the dealer's input at the end of the sharing phase consists of the polynomials $\{f_i(x), g_i(y)\}_{P_i \in C}$. Since $F(x, y)$ is a random bivariate polynomial of degree at most $t$ and $|C| \le t$, a standard argument implies that the view of the adversary is independent of the dealer's input $s$. It is immediate that the adversary learns nothing additional about $s$ in round 2. As for the values broadcast in round 3, consider any ordered pair $(P_i, P_j)$ of parties who remain honest throughout the sharing phase. Since the dealer is honest, we have $f_i(j) = g_j(i) = F(j, i)$ and, since $P_i$, $P_j$ are honest, we have $r_{i,j} = r'_{i,j}$. Thus, in round 3, parties $P_i$, $P_j$, and the dealer all broadcast the same blinded value $F(j, i) + r_{i,j}$. Since $r_{i,j}$ is chosen uniformly at random from the point of view of the malicious parties, they do not learn anything about the value of $F(j, i)$.

Lemma 2 If the dealer is not corrupted by the end of the sharing phase, then correctness holds.

Proof Observe that if the dealer remains honest then no honest party will be unhappy. It follows that the dealer is not disqualified at the end of the sharing phase. Let $P_i$ be honest. In the reconstruction phase, $\mathrm{Core}_i$ contains all the honest parties and so $|\mathrm{Core}_i| \ge n - t$. We claim that for any $P_j \in \mathrm{Core}_i$, it holds that $f^i_j(x) = F(x, j)$ and $g^i_j(y) = F(j, y)$, where $F$ is the dealer's polynomial. When $P_j$ is honest this is immediate. When $P_j$ is malicious, the fact that $P_j \in \mathrm{Core}_i$ means that $f^i_j(k) = g^i_k(j) = F(k, j)$ for at least $n - 2t \ge t + 1$ honest parties $P_k$. Since $f^i_j(x)$ has degree at most $t$, it follows that $f^i_j(x) = F(x, j)$. A similar argument shows that $g^i_j(y) = F(j, y)$. Therefore, the polynomial $F^i(x, y)$ reconstructed by $P_i$ is equal to $F(x, y)$, and $P_i$ outputs $s_i = F(0, 0)$.

Lemma 3 Weak commitment holds.

Proof The case of an honest dealer follows from the proof of correctness, so we consider the case of a malicious dealer. If there are more than $t$ unhappy parties, the dealer is disqualified and weak commitment trivially holds; so, assume there are at most $t$ unhappy parties. Then there are at least $n - 2t \ge t + 1$ honest parties who are not unhappy. Let $H$ denote the first $t + 1$ such parties. The polynomials $f_i$ sent by the dealer to the parties in $H$ define a bivariate polynomial $\hat{F}(x, y)$ in the natural way: namely, let $\hat{F}$ be such that $\hat{F}(x, i) = f_i(x)$ for each $P_i \in H$. Because parties in $H$ are not unhappy, it holds also that $\hat{F}(i, y) = g_i(y)$ for all $P_i \in H$. Set $s' := \hat{F}(0, 0)$. We show that every honest party outputs either $\bot$ or $s'$ in the reconstruction phase.
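The following Python simulation is an added example and not code from the paper. It implements the sharing-phase messages and local computation of the WSS protocol of Section 3.1 and the consistency-graph reconstruction phase, with all $n$ parties honest and a dealer that may cheat. The prime field $\mathrm{GF}(2^{61}-1)$ is this example's choice (the paper only needs a field containing $\{0, \ldots, n\}$); the `tamper` and `dealer_backs_tamper` parameters are hypothetical knobs describing the cheating dealer, not part of the protocol. With them one can exercise the three situations that the proofs of Lemmas 2 and 3 distinguish: an honest dealer (no unhappy party, every round-3 broadcast is a blinded "agree"/"equal" value), a dealer that hands one party an inconsistent $f_i$ and then contradicts it in round 3 (exactly that party is unhappy, and the remaining $n - t$ parties still reconstruct $s$), and a dealer that instead backs the inconsistent share against everyone (more than $t$ unhappy parties, so the dealer is disqualified).

```python
import random

P = 2**61 - 1  # prime modulus; the field GF(P) is this example's choice (the paper only needs |F| > n)
DEFAULT = "default"  # stands in for the default value shared when the dealer is disqualified


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) over GF(P); coefficients low degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def interp_at_zero(points):
    """Lagrange interpolation through the given (x, y) points, evaluated at x = 0."""
    acc = 0
    for xj, yj in points:
        num = den = 1
        for xk, _ in points:
            if xk != xj:
                num = num * (-xk) % P
                den = den * (xj - xk) % P
        acc = (acc + yj * num * pow(den, P - 2, P)) % P
    return acc


def row_poly(c, i):
    """f_i(x) = F(x, i) for F(x, y) = sum c[a][b] x^a y^b: coefficient of x^a is sum_b c[a][b] i^b."""
    return [poly_eval(c[a], i) for a in range(len(c))]


def col_poly(c, i):
    """g_i(y) = F(i, y): coefficient of y^b is sum_a c[a][b] i^a."""
    return [poly_eval([row[b] for row in c], i) for b in range(len(c))]


def wss_sharing(n, t, secret, tamper=None, dealer_backs_tamper=False, seed=0):
    """Sharing phase of the (3,1)-round WSS protocol with all n parties honest.
    tamper={i: delta} (hypothetical cheat) makes the dealer add delta to the constant term of the
    f_i(x) it sends P_i; dealer_backs_tamper says whose value the cheating dealer backs in round 3.
    Returns the shares, the round-3 transcript, the unhappy set and the disqualification verdict."""
    tamper = tamper or {}
    rng = random.Random(seed)
    parties = range(1, n + 1)
    c = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(t + 1)]  # random F, degree <= t
    c[0][0] = secret % P                                                  # F(0, 0) = s
    true_f = {i: row_poly(c, i) for i in parties}
    f = {i: list(true_f[i]) for i in parties}          # round 1: f_i(x) = F(x, i) as actually sent
    g = {i: col_poly(c, i) for i in parties}           # round 1: g_i(y) = F(i, y)
    for i, delta in tamper.items():
        f[i][0] = (f[i][0] + delta) % P                # dealer sends P_i an inconsistent f_i
    r = {(i, j): rng.randrange(P) for i in parties for j in parties}  # r_{i,j} picked by P_i (round 1)
    r2 = dict(r)  # r'_{i,j} forwarded by P_j to D in round 2; an honest P_j forwards it unchanged
    a = {(i, j): poly_eval(f[i], j) for i in parties for j in parties}  # a_{i,j} = f_i(j), P_i -> P_j
    b = {(i, j): poly_eval(g[j], i) for i in parties for j in parties}  # b_{i,j} = g_j(i), P_j -> P_i
    transcript, unhappy = [], set()
    for i in parties:
        for j in parties:  # round 3 broadcasts for the ordered pair (i, j), then the local check
            m_i = ("disagree", a[i, j], r[i, j]) if b[i, j] != a[i, j] else ("agree", (a[i, j] + r[i, j]) % P)
            m_j = ("disagree", b[i, j], r2[i, j]) if a[i, j] != b[i, j] else ("agree", (b[i, j] + r2[i, j]) % P)
            claimed = a[i, j] if (dealer_backs_tamper and i in tamper) else poly_eval(true_f[i], j)  # F(j, i)
            m_d = ("not equal", claimed) if r[i, j] != r2[i, j] else ("equal", (claimed + r[i, j]) % P)
            transcript.append((i, j, m_i, m_j, m_d))
            if m_i[0] == m_j[0] == "disagree" and m_i[2] == m_j[2]:      # (P_i, P_j) is conflicting
                if m_d[0] == "not equal":
                    if m_d[1] != m_i[1]: unhappy.add(i)
                    if m_d[1] != m_j[1]: unhappy.add(j)
                else:
                    if m_d[1] != (m_i[1] + m_i[2]) % P: unhappy.add(i)
                    if m_d[1] != (m_j[1] + m_j[2]) % P: unhappy.add(j)
    return {"n": n, "t": t, "f": f, "g": g, "transcript": transcript,
            "unhappy": unhappy, "disqualified": len(unhappy) > t}


def wss_reconstruct(st):
    """Reconstruction phase as run by one honest receiver: the parties that are not unhappy send
    (f_j, g_j); the receiver builds the consistency graph, repeatedly prunes vertices of degree
    < n - t (self-loops count) and interpolates F(0, 0) from t + 1 members of Core."""
    if st["disqualified"]:
        return DEFAULT
    n, t, f, g = st["n"], st["t"], st["f"], st["g"]
    core = {j for j in range(1, n + 1) if j not in st["unhappy"]}

    def consistent(j, k):  # edge (P_j, P_k): f_j(k) = g_k(j) and g_j(k) = f_k(j)
        return poly_eval(f[j], k) == poly_eval(g[k], j) and poly_eval(g[j], k) == poly_eval(f[k], j)

    while True:
        drop = {j for j in core if sum(consistent(j, k) for k in core) < n - t}
        if not drop:
            break
        core -= drop
    if len(core) < n - t:
        return None  # the failure symbol
    pts = [(j, poly_eval(f[j], 0)) for j in sorted(core)[: t + 1]]  # f_j(0) = F(0, j)
    return interp_at_zero(pts)  # the polynomial F(0, y), evaluated at y = 0


if __name__ == "__main__":
    st = wss_sharing(4, 1, 12345, tamper={1: 7})
    print(sorted(st["unhappy"]), st["disqualified"], wss_reconstruct(st))
```

Since every party is honest in this simulation, all receivers see the same polynomials and hence compute the same $\mathrm{Core}$; the pruning loop removes all under-degree vertices at once, which reaches the same fixed point as removing them one at a time. The "not equal" branch of the dealer's broadcast is kept for completeness but cannot fire here, because an honest $P_j$ always forwards the pad it received.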

Consider an honest party $P_i$ in the reconstruction phase. If $|\mathrm{Core}_i| < n - t$ then $P_i$ outputs $\bot$ and we are done. Say $|\mathrm{Core}_i| \ge n - t$. We claim that for each $P_j \in \mathrm{Core}_i$, it holds that $f^i_j(x) = \hat{F}(x, j)$ and $g^i_j(y) = \hat{F}(j, y)$. When $P_j$ is honest, the fact that $P_j$ is not unhappy (which is true since $P_j \in \mathrm{Core}_i$) means that $f^i_j(k) = f_j(k) = g_k(j) = \hat{F}(k, j)$ for all $t + 1$ parties $P_k \in H$. Since $f_j$ is a polynomial of degree at most $t$, this implies that $f_j(x) = \hat{F}(x, j)$. A similar argument shows that $g_j(y) = \hat{F}(j, y)$. When $P_j \in \mathrm{Core}_i$ is malicious, we have that $f^i_j(k) = g^i_k(j) = \hat{F}(k, j)$ for at least $n - 2t \ge t + 1$ honest parties $P_k \in \mathrm{Core}_i$. Again, since $f^i_j(x)$ has degree at most $t$ it follows that $f^i_j(x) = \hat{F}(x, j)$, and a similar argument shows that $g^i_j(y) = \hat{F}(j, y)$. Therefore, the polynomial reconstructed by $P_i$ is equal to $\hat{F}(x, y)$, and $P_i$ outputs $s_i = \hat{F}(0, 0)$.

As the proof of the above lemma indicates, our WSS protocol also satisfies a weak variant of 2-level sharing that we state for future reference:

Lemma 4 Say the dealer is not disqualified in an execution of the WSS protocol, and let $H$ denote the set of all honest parties who are not unhappy. Then there is a bivariate polynomial $\hat{F}$ of degree at most $t$ in each variable such that, at the end of the sharing phase, the polynomials $f_i, g_i$ held by each $P_i \in H$ satisfy $f_i(x) = \hat{F}(x, i)$ and $g_i(y) = \hat{F}(i, y)$. As a consequence, each $P_i \in H$ can compute $s_i$ and $s_{i,j}$ for $j \in \{1, \ldots, n\}$ such that:

1. There is a polynomial $p(x)$ of degree at most $t$ with $s_i = p(i)$, and furthermore all honest parties output either $s' = p(0)$ or $\bot$ in the reconstruction phase.

2. For each $j \in \{1, \ldots, n\}$, there exists a polynomial $p_j(x)$ of degree at most $t$ such that (1) $p_j(0) = p(j)$ and (2) $s_{i,j} = p_j(i)$.

Proof When the dealer is honest take $\hat{F}$ to be the dealer's polynomial. When the dealer is dishonest, let $\hat{F}$ be the bivariate polynomial defined in the proof of the preceding lemma. Set $p(x) := \hat{F}(0, x)$ and $p_j(x) := \hat{F}(x, j)$. In what follows we assume a dishonest dealer, but it is immediate that everything (trivially) holds also if the dealer is honest. The proof of the preceding lemma shows that, at the end of the sharing phase, each $P_i \in H$ holds polynomials $f_i, g_i$ with $f_i(x) = \hat{F}(x, i)$ and $g_i(y) = \hat{F}(i, y)$, and such that all honest parties output either $s' = \hat{F}(0, 0)$ or $\bot$ in the reconstruction phase. Then each $P_i \in H$ can compute $s_i := f_i(0) = \hat{F}(0, i) = p(i)$ and $s_{i,j} := g_i(j) = \hat{F}(i, j) = p_j(i)$. Furthermore, $s' = p(0)$. Finally, $p_j(0) = \hat{F}(0, j) = p(j)$ for all $j \in \{1, \ldots, n\}$. Thus, all the stated requirements hold.

4 Verifiable Secret Sharing

Before we describe our VSS protocol with 2-level sharing, we review the ideas used in [10] to transform their WSS protocol into a VSS protocol (that does not have 2-level sharing). At a high level, the sharing phase of the VSS protocol is more-or-less the same as the sharing phase of the underlying WSS protocol; the difference is that now, in the reconstruction phase, each party reveals the random pads it used in the sharing phase. A problem that arises is to ensure that a malicious party $P_i$ reveals the correct random pads. This is enforced by having each player act as a dealer in its own execution of WSS, and binding the random pads of each party to this execution of WSS. In more detail: in parallel with the sharing phase of the larger VSS protocol, each party $P_i$ also acts as a dealer and shares a random secret using the WSS protocol. Let $F_i(x, y)$ be the corresponding bivariate polynomial chosen by $P_i$. Then $P_i$ will use $r_{i,j} := F_i(0, j)$ as the appropriate random

pad in the larger VSS protocol. (The pads $\{r_{i,j}\}$ used by any honest party $P_i$ are thus no longer independent, but secrecy is still preserved since they lie on a random degree-$t$ polynomial.) These random pads are then revealed in the reconstruction phase by using the reconstruction phase of the underlying WSS protocol.

We can use the ideas outlined in the previous paragraph to obtain a $(3, 1)$-round VSS protocol, but the resulting protocol will not have 2-level sharing. Yet all is not lost. As observed already in Lemma 4, by the end of the sharing phase of the resulting VSS protocol the honest parties that are not unhappy do have the required 2-level shares. To achieve our desired result we must therefore only enable any unhappy honest party to construct its 2-level shares. At a high level, we do this as follows: Suppose $\hat{F}(x, y)$ is the dealer's bivariate polynomial, defined by the end of the sharing phase of the VSS protocol, and let $P_i$ be an honest party who is unhappy. We need to show how $P_i$ constructs the polynomials $\hat{F}(x, i)$ and $\hat{F}(i, y)$ (which it will use to generate its 2-level shares exactly as in the proof of Lemma 4). Let $P_j$ be a party such that: $P_j$ is not unhappy (in the larger VSS protocol); $P_j$ was not disqualified as a dealer in its own execution of WSS; and $P_i$ is not unhappy in $P_j$'s execution of WSS. From the proof of Lemma 4, we know there is a bivariate polynomial $\hat{F}_j(x, y)$ for which $P_i$ holds the univariate polynomial $\hat{F}_j(x, i)$. Furthermore, $P_j$ has effectively broadcast the polynomial $B_j(x) := \hat{F}(x, j) + \hat{F}_j(0, x)$ in round 3, since it has broadcast $\hat{F}(k, j) + \hat{F}_j(0, k)$ for all $k$. Thus, party $P_i$ can compute $\hat{F}(i, j) := B_j(i) - \hat{F}_j(0, i) = \hat{F}(i, j)$ for any party $P_j$ satisfying the above conditions. If there are $t + 1$ parties satisfying the above conditions, then $P_i$ can reconstruct the polynomial $\hat{F}(i, y)$. Unfortunately, it is not clear how to extend the above approach to enable $P_i$ to also reconstruct the polynomial $\hat{F}(x, i)$ in the case when $\hat{F}$ is an arbitrary bivariate polynomial. For this reason, we have the dealer use a symmetric bivariate polynomial. (A polynomial $F$ is symmetric if, for all $l, m$, the coefficient of the term $x^l y^m$ is equal to the coefficient of the term $x^m y^l$. If $F$ is symmetric then $F(i, j) = F(j, i)$ for all $i, j$.) Then $\hat{F}(x, i) = \hat{F}(i, x)$ and we are done.

4.1 The Protocol

We show a $(3, 1)$-round VSS protocol with 2-level sharing that tolerates $t < n/3$ malicious parties. Proofs of security are deferred to the appendix.

Sharing phase. The sharing phase consists of three rounds, with broadcast used in the last round.

Round 1: The dealer holds $s$. The following steps are carried out in parallel:

1. The dealer chooses a random symmetric bivariate polynomial $F(x, y)$ of degree $t$ in each variable such that $F(0, 0) = s$. Then $D$ sends to each party $P_i$ the polynomial $f_i(x) := F(x, i)$. Note that $F(x, i) = F(i, x)$ since $F$ is symmetric.

2. Each party $P_i$ picks a random value $\hat{s}_i$ and executes the first round of the WSS protocol described in the previous section, acting as a dealer to share the input $\hat{s}_i$. We refer to this instance of the WSS protocol as $\mathrm{WSS}_i$.

3. Let $F_i(x, y)$ denote the bivariate polynomial used by $P_i$ in $\mathrm{WSS}_i$ (i.e., $F_i(0, 0) = \hat{s}_i$). Party $P_i$ sends the polynomial $r_i(y) := F_i(0, y)$ to the dealer $D$.

Round 2: Round 2 of $\mathrm{WSS}_i$ is run, for all $i$. Concurrently, each party $P_i$ does the following:

1. For all $j$, send $a_{i,j} := f_i(j)$ to $P_j$.

2. Let $f_{i,j}(x)$ be the $x$-polynomial that $P_i$ sent to $P_j$ in round 1 of $\mathrm{WSS}_i$. (If $P_i$ is honest then $f_{i,j}(x) = F_i(x, j)$.) Party $P_j$ sends $r'_{i,j} := f_{i,j}(0)$ to $D$.

Round 3: Round 3 of $\mathrm{WSS}_i$ is run, for all $i$. Concurrently, for every ordered pair $(i, j)$:

1. (From the viewpoint of $P_i$:) If $a_{j,i} \ne f_i(j)$, then $P_i$ broadcasts ("disagree", $f_i(j)$, $F_i(0, j)$). Otherwise, $P_i$ broadcasts ("agree", $f_i(j) + F_i(0, j)$).

2. (From the viewpoint of $P_j$:) If $a_{i,j} \ne f_j(i)$, then $P_j$ broadcasts ("disagree", $f_j(i)$, $f_{i,j}(0)$). Otherwise, $P_j$ broadcasts ("agree", $f_j(i) + f_{i,j}(0)$).

3. (From the viewpoint of $D$:) If $r_i(j) \ne r'_{i,j}$, then $D$ broadcasts ("not equal", $F(i, j)$). Otherwise, $D$ broadcasts ("equal", $F(i, j) + r_i(j)$).

Local computation. Each party locally carries out the following steps:

1. An ordered pair of parties $(P_i, P_j)$ is conflicting if, in round 3, party $P_i$ broadcasts ("disagree", $f_i(j)$, $F_i(0, j)$); party $P_j$ broadcasts ("disagree", $f_j(i)$, $f_{i,j}(0)$); and it holds that $F_i(0, j) = f_{i,j}(0)$. For a pair of conflicting parties $(P_i, P_j)$, we say that $P_i$ (resp., $P_j$) is unhappy if one of the following conditions holds:

   (a) $D$ broadcasts ("not equal", $d_{i,j}$) and $d_{i,j} \ne f_i(j)$ (resp., $d_{i,j} \ne f_j(i)$).

   (b) $D$ broadcasts ("equal", $d_{i,j}$) and $d_{i,j} \ne f_i(j) + F_i(0, j)$ (resp., $d_{i,j} \ne f_j(i) + f_{i,j}(0)$).

   Let $\mathrm{Core}$ denote the set of parties who are not unhappy with respect to the definition above. For every $P_i$ who was not disqualified as the dealer in $\mathrm{WSS}_i$, let $\mathrm{Core}_i$ denote the set of parties who are not unhappy with respect to $\mathrm{WSS}_i$. (If $P_i$ was disqualified in $\mathrm{WSS}_i$, then set $\mathrm{Core}_i := \emptyset$.)

2. For all $i, j$, remove $P_j$ from $\mathrm{Core}_i$ if either of the following hold for the ordered pair $(i, j)$ in round 3: $P_i$ broadcasts ("agree", $y$) and $P_j$ did not broadcast ("agree", $y$); or $P_i$ broadcasts ("disagree", $\star$, $w$) and $P_j$ broadcasts anything other than ("disagree", $\star$, $w$). (Here, $\star$ denotes an arbitrary value.)

3. Remove $P_i$ from $\mathrm{Core}$ if $|\mathrm{Core} \cap \mathrm{Core}_i| < n - t$. (Thus, if $P_i$ was disqualified in $\mathrm{WSS}_i$ then $P_i \notin \mathrm{Core}$.) Note that all parties have the same view regarding $\mathrm{Core}$ and the $\{\mathrm{Core}_i\}$.

4. If $|\mathrm{Core}| < n - t$, then the dealer is disqualified and a default value (and appropriate 2-level shares) are shared.

5. Each party $P_i$ computes a polynomial $\hat{f}_i(x)$ of degree at most $t$:

   (a) If $P_i \in \mathrm{Core}$, then $\hat{f}_i(x)$ is the polynomial that $P_i$ received from the dealer in round 1.

   (b) If $P_i \notin \mathrm{Core}$, then $P_i$ computes $\hat{f}_i(x)$ in the following way:

      i. $P_i$ first defines a set $\mathrm{Core}'_i$ as follows: A party $P_j$ is in $\mathrm{Core}'_i$ if and only if all the following conditions hold: $P_j \in \mathrm{Core}$ and $P_i \in \mathrm{Core}_j$. Define $p_{j,k}$, for $k \in \{1, \ldots, n\}$, as follows: if, in step 1 of round 3 for the ordered pair $(j, k)$, party $P_j$ broadcast ("agree", $y_{j,k}$), then set $p_{j,k} := y_{j,k}$. If $P_j$ broadcast ("disagree", $w_{j,k}$, $z_{j,k}$), then set $p_{j,k} := w_{j,k} + z_{j,k}$. We require that the $\{p_{j,k}\}$ are consistent with a polynomial $B_j(x)$ of degree at most $t$; i.e., $B_j(k) = p_{j,k}$ for all $k$. (If not, then $P_j$ is not included in $\mathrm{Core}'_i$.) Our proofs show that $|\mathrm{Core}'_i| \ge t + 1$ if the dealer is not disqualified.

      ii. For each $P_j \in \mathrm{Core}'_i$, set $p_j := p_{j,i} - f_{j,i}(0)$. Let $\hat{f}_i$ be the polynomial of degree at most $t$ such that $\hat{f}_i(j) = p_j$ for every $P_j \in \mathrm{Core}'_i$. (It will follow from our proof that such an $\hat{f}_i$ exists.)

6. Finally, $P_i$ outputs $s_i := \hat{f}_i(0)$ and $s_{i,j} := \hat{f}_i(j)$ for all $j \in \{1, \ldots, n\}$.

Reconstruction phase. Each party $P_i$ sends $s_i$ to all other parties. Let $\tilde{s}_{i,j}$ be the value that $P_j$ sends to $P_i$. Using Reed-Solomon decoding, $P_i$ computes a polynomial $f(x)$ of degree at most $t$ such that $f(j) = \tilde{s}_{i,j}$ for at least $2t + 1$ values of $j$. The final output of $P_i$ is $f(0)$.

4.2 Proofs

We prove that the protocol given in the previous section is a VSS protocol with 2-level sharing that tolerates $t < n/3$ malicious parties.

Lemma 5 If the dealer is not corrupted by the end of the sharing phase, privacy is preserved.

Proof Let $C$ denote the set of parties corrupted by the end of the sharing phase. We show that if the dealer remains uncorrupted, then the view of the adversary can be simulated given the polynomials $\{f_i(x)\}_{P_i \in C}$. Since $F(x, y)$ is a random symmetric bivariate polynomial of degree at most $t$ and $|C| \le t$, a standard argument (see, e.g., [4]) implies that the view of the adversary is independent of the dealer's input $s$. It is immediate that the adversary learns nothing additional about $s$ in round 2. As for the values broadcast in round 3, consider an ordered pair $(P_i, P_j)$ of parties who remain honest throughout the sharing phase. Since the dealer is honest, we have $f_i(j) = F(j, i) = F(i, j) = f_j(i)$ and, since $P_i$, $P_j$ are honest, $r_i(j) = r'_{i,j}$. Thus, in round 3, parties $P_i$, $P_j$, and the dealer all broadcast the same blinded value $f_i(j) + F_i(0, j)$. Since $F_i(0, y)$ is a random polynomial of degree at most $t$, this does not leak any information about the $\{f_i(x)\}_{P_i \notin C}$ that the adversary does not already know.

Lemma 6 If the dealer is not corrupted by the end of the sharing phase, then correctness and commitment with 2-level sharing hold.

Proof If the dealer is honest, then no honest party is unhappy. Also, all honest parties are in $\mathrm{Core}_j$ for any honest player $P_j$. Since there are at least $n - t$ honest parties, no honest party is removed from $\mathrm{Core}$. It follows that the dealer is not disqualified.

12 Snce all honest partes are n Core, each honest party P sets ˆf (x) := f (x) = F (x, ). Defnng p(x) def = F (0, x) and p (x) def = F (, x), t s straghtforward to verfy that the propertes of commtment wth 2-level sharng hold: Each honest party P outputs s := ˆf (0) = F (0, ) = p(). For all, t holds that p (0) = F (, 0) = F (0, ) = p(). For each honest party P and all {1,..., n}, we have s, = ˆf () = F (, ) = p (). In the reconstructon phase, s, = s = p() for any honest party P. Thus, each honest party P receves at most t values s, that do not le on the polynomal p(x). It follows that P outputs s = p(0) = F (0, 0), the dealer s nput. Ths completes the proof. We now move on to show that commtment wth 2-level sharng holds even when the dealer s malcous. The case of a dsqualfed dealer s obvous, so we focus on the case of a malcous dealer who s not dsqualfed. We begn by provng three clams: Clam 7 If the dealer s not dsqualfed, then for any honest P t holds that Core t + 1. Proof If the dealer was not dsqualfed, then Core contans at least n 2t t + 1 honest partes. We show that any honest P Core s also n Core, provng the clam. Snce P and P are both honest, P Core. Set B(x) def = f (x)+f (0, x). Ths s a polynomal of degree at most t, and the p,k computed by P all le on B (x). We conclude that P Core. Clam 8 If the dealer s not dsqualfed n the sharng phase, there s a bvarate symmetrc polynomal ˆF (x, y) of degree at most t n each varable that s consstent wth the polynomals ˆf computed by every honest party n Core;.e., for every honest P Core t holds that ˆf (x) = ˆF (x, ). Proof If the dealer s not dsqualfed, then there are at least n t partes n Core and at least n 2t t+1 of them are honest. Let H denote the frst t+1 such partes. The polynomals f sent by the dealer to the partes n H defne a bvarate polynomal ˆF (x, y) n the natural way: namely, let ˆF be such that ˆF (x, ) = f (x) for each P H. We show that ˆF satsfes the requrements of the clam. 
By definition of $\hat F$, we have $\hat f_i(x) = f_i(x) = \hat F(x, i)$ for any $P_i \in H$. Next, observe that for every honest $P_i, P_j \in \mathsf{Core}$ it holds that $\hat f_i(j) = \hat f_j(i)$. Indeed, it must be the case that $f_i(j) = f_j(i)$ (or else one of $P_i$ or $P_j$ would be unhappy), and since $P_i, P_j \in \mathsf{Core}$ we have $\hat f_i(x) = f_i(x)$ and $\hat f_j(x) = f_j(x)$. Since $H \subseteq \mathsf{Core}$, this implies that $\hat F$ is symmetric. It also implies that for every honest $P_i \in \mathsf{Core}$ (i.e., not just the $P_i \in H$) we have $\hat f_i(x) = \hat F(i, x) = \hat F(x, i)$, proving the claim.

Claim 9. Assume the dealer is not disqualified in the sharing phase, and let $\hat F$ be the polynomial guaranteed to exist by Claim 8. Then for any honest $P_i \notin \mathsf{Core}$, it holds that $\hat f_i(x) = \hat F(x, i)$.

Proof. Fix an honest $P_i \notin \mathsf{Core}$, and $P_j \in \mathsf{Core}'_i$. (Claim 7 shows that $\mathsf{Core}'_i$ is non-empty.) By definition, this means $P_j \in \mathsf{Core}$ and $P_i \in \mathsf{Core}_j$. So $P_j$ was not disqualified as a dealer in WSS and, by Lemma 4, there exists a bivariate polynomial $\hat F_j$ of degree at most $t$ in each variable such that $f_{j,k}(x) = \hat F_j(x, k)$ for all $P_k \in \mathsf{Core}_j$. (Recall that $f_{j,k}$ denotes the polynomial that $P_j$ sent to $P_k$ in round 1 of WSS.) Let $p_{j,k}$ be the values computed by $P_i$, and let $B_j(x)$ be a polynomial of degree at most $t$ such that $B_j(k) = p_{j,k}$ for all $k$. Such a polynomial is guaranteed to exist because otherwise $P_j \notin \mathsf{Core}'_i$. Since $P_j$ remains in $\mathsf{Core}$, we have $|\mathsf{Core} \cap \mathsf{Core}_j| \ge n - t$. This means that there are at least $n - 2t \ge t + 1$ honest parties that are in both $\mathsf{Core}$ and $\mathsf{Core}_j$. Letting $\hat F$ be the symmetric polynomial guaranteed by the previous claim, we now show that for any honest $P_k \in \mathsf{Core} \cap \mathsf{Core}_j$ we have $B_j(k) = \hat F(k, j) + \hat F_j(0, k)$. There are two cases to consider:

If, in step 1 of round 3 for the ordered pair $(j, k)$, party $P_j$ broadcasted ("agree", $y_{j,k}$), then $p_{j,k} := y_{j,k}$. Since $P_k \in \mathsf{Core}$, this means that $P_k$ must have broadcasted ("agree", $y_{k,j}$) with $y_{k,j} = y_{j,k}$ in step 2 of that round (cf. step 2 of the local computation phase). Since $P_k$ is honest,
$$B_j(k) = p_{j,k} = y_{j,k} = y_{k,j} = f_k(j) + f_{j,k}(0) = \hat F(j, k) + f_{j,k}(0) \quad (\text{using Claim 8 and } P_k \in \mathsf{Core})$$
$$= \hat F(j, k) + \hat F_j(0, k) \quad (\text{since } P_k \in \mathsf{Core}_j)$$
$$= \hat F(k, j) + \hat F_j(0, k),$$
using the fact that $\hat F$ is symmetric.

If, in step 1 of round 3 for the ordered pair $(j, k)$, party $P_j$ broadcasted ("disagree", $w_{j,k}, z_{j,k}$) then, since $P_k \in \mathsf{Core}$, this means that $P_k$ must have broadcasted ("disagree", $w_{k,j}, z_{k,j}$) with $z_{k,j} = z_{j,k}$. It must also be the case that $w_{k,j} = w_{j,k}$ or else one of $P_j$ or $P_k$ would be unhappy. It follows that $B_j(k) = p_{j,k} = w_{j,k} + z_{j,k} = w_{k,j} + z_{k,j}$, and then an argument as before shows that $B_j(k) = \hat F(k, j) + \hat F_j(0, k)$.

Summarizing, we have $B_j(k) = \hat F(k, j) + \hat F_j(0, k)$ for at least $t + 1$ values of $k$. Since $B_j(x)$ has degree at most $t$, this means $B_j(x) = \hat F(x, j) + \hat F_j(0, x)$. Party $P_i$ next computes
$$p_j := p_{j,i} - f_{j,i}(0) = B_j(i) - \hat F_j(0, i) = \hat F(i, j) + \hat F_j(0, i) - \hat F_j(0, i) = \hat F(i, j),$$
using the fact that $P_i \in \mathsf{Core}_j$ in the first equality. Since this is true for arbitrary $P_j \in \mathsf{Core}'_i$, we see that the polynomial $\hat f_i$ computed by $P_i$ satisfies $\hat f_i(x) = \hat F(i, x) = \hat F(x, i)$. This completes the proof.
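The honest-dealer case of the protocol above (round-1 shares $f_i(x) = F(x, i)$, the 2-level outputs $s_i$ and $s_{j,i}$ of step 6, and the Reed-Solomon step of the reconstruction phase), together with the checks the proof of Lemma 6 carries out, as an added example that is not part of the paper. The prime field, the choice $n = 7$, $t = 2$, the exhaustive-search decoder and which parties send wrong values in reconstruction are assumptions of the example.

```python
"""Honest-dealer sharing with a random symmetric bivariate polynomial, the
2-level sharing properties checked in Lemma 6, and the Reed-Solomon step of
the reconstruction phase. Added example, not code from the paper; the prime
modulus, party count and corrupted parties are constructed here."""
import itertools
import random

P = 2**31 - 1  # prime field modulus (constructed for the example)

def poly_eval(coeffs, x):
    """Evaluate sum coeffs[k] * x^k mod P by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def interpolate(points):
    """Lagrange interpolation mod P: coefficients of the unique polynomial
    of degree < len(points) through the given (x, y) points."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])  # times (x - xj)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P  # yi / den (Fermat inverse)
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + c * scale) % P
    return coeffs

def random_symmetric_bivariate(s, t, rng):
    """Coefficients c of F(x, y) = sum c[a][b] x^a y^b: symmetric, degree at
    most t in each variable, F(0, 0) = s."""
    c = [[0] * (t + 1) for _ in range(t + 1)]
    for a in range(t + 1):
        for b in range(a, t + 1):
            c[a][b] = c[b][a] = rng.randrange(P)
    c[0][0] = s % P
    return c

def bivariate_eval(c, x, y):
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P)
               for a in range(len(c)) for b in range(len(c))) % P

def row_poly(c, i):
    """f_i(x) = F(x, i) as a univariate coefficient list in x."""
    return [sum(c[a][b] * pow(i, b, P) for b in range(len(c))) % P
            for a in range(len(c))]

def share(s, n, t, seed=0):
    """Dealer's round-1 messages: f_i(x) = F(x, i) for P_1, ..., P_n."""
    c = random_symmetric_bivariate(s, t, random.Random(seed))
    return c, {i: row_poly(c, i) for i in range(1, n + 1)}

def check_two_level_sharing(c, shares):
    """Lemma 6 with p(x) = F(0, x), p_j(x) = F(j, x): each P_i's outputs
    s_i = f_i(0), s_{j,i} = f_i(j) satisfy s_i = p(i), p_j(0) = p(j),
    s_{j,i} = p_j(i), and shares are pairwise consistent, f_i(j) = f_j(i)."""
    n = len(shares)
    for i, f_i in shares.items():
        if poly_eval(f_i, 0) != bivariate_eval(c, 0, i):   # s_i = p(i)
            return False
        for j in range(1, n + 1):
            s_ji = poly_eval(f_i, j)
            if s_ji != bivariate_eval(c, j, i):            # s_{j,i} = p_j(i)
                return False
            if s_ji != poly_eval(shares[j], i):            # f_i(j) = f_j(i)
                return False
            if bivariate_eval(c, j, 0) != bivariate_eval(c, 0, j):  # p_j(0) = p(j)
                return False
    return True

def reconstruct(received, t):
    """Reconstruction phase at one party: received[j] is the value P_j sent
    for s_j. Return f(0) for the degree-<=t polynomial f that agrees with at
    least 2t+1 received values. Exhaustive search over (t+1)-subsets stands
    in for an efficient Reed-Solomon decoder; it is fine for small n."""
    pts = sorted(received.items())
    for subset in itertools.combinations(pts, t + 1):
        cand = interpolate(list(subset))
        if sum(poly_eval(cand, x) == y for x, y in pts) >= 2 * t + 1:
            return poly_eval(cand, 0)
    return None  # cannot happen when at most t of the values are wrong

def demo(s=123456789, n=7, t=2):
    """Share s among n parties, then reconstruct with t parties lying."""
    c, shares = share(s, n, t)
    received = {j: poly_eval(f_j, 0) for j, f_j in shares.items()}  # honest s_j
    received[1] = (received[1] + 1) % P  # P_1 and P_2 are corrupted and lie
    received[2] = 42
    return check_two_level_sharing(c, shares), reconstruct(received, t)
```

Any two distinct polynomials of degree at most $t$ agree on at most $t$ points, so with at most $t$ wrong values only the dealer's $p(x)$ can match $2t + 1$ of the $n$ received values, which is why the search returns a unique answer.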
Lemma 10. Even when the dealer is malicious, commitment with 2-level sharing holds.

Proof. By the preceding two claims, there exists a symmetric bivariate polynomial $\hat F(x, y)$ with degree at most $t$ in each variable such that $\hat f_i(x) = \hat F(x, i)$ for any honest party $P_i$. Set $p(x) := \hat F(x, 0)$ and $p_j(x) := \hat F(x, j)$. One can then verify that the properties of commitment with 2-level sharing hold:

Each honest party $P_i$ outputs $s_i \stackrel{\text{def}}{=} \hat f_i(0) = \hat F(0, i) = \hat F(i, 0) = p(i)$. At the end of the reconstruction phase, each honest party $P_i$ will output $s = p(0)$.

For all $j$, it holds that $p_j(0) = \hat F(0, j) = p(j)$.

For each honest party $P_i$ and all $j \in \{1, \ldots, n\}$, we have $s_{j,i} \stackrel{\text{def}}{=} \hat f_i(j) = \hat F(j, i) = \hat F(i, j) = p_j(i)$.

This completes the proof.

References

[1] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In 20th Annual ACM Symposium on Theory of Computing (STOC), pages 1–10.

[2] G. R. Blakley. Safeguarding cryptographic keys. In National Computer Conference, volume 48. AFIPS Press.

[3] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In 26th Annual IEEE Symposium on Foundations of Computer Science (FOCS).

[4] R. Cramer and I. Damgård. Multiparty computation, an introduction. Lecture notes available at van/mpc_2004.pdf.

[5] R. Cramer, I. Damgård, and U. Maurer. General secure multi-party computation from any linear secret sharing scheme. In Advances in Cryptology: Eurocrypt 2000. Springer-Verlag.

[6] D. Dolev, C. Dwork, O. Waarts, and M. Yung. Perfectly secure message transmission. J. ACM, 40(1):17–47.

[7] P. Feldman and S. Micali. An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Computing, 26(4).

[8] M. J. Fischer and N. A. Lynch. A lower bound for the time to assure interactive consistency. Information Processing Letters, 14(4).

[9] M. Fitzi and J. Garay. Efficient player-optimal protocols for strong and differential consensus. In 22nd Annual ACM Symposium on Principles of Distributed Computing.

[10] M. Fitzi, J. A. Garay, S. Gollakota, C. P. Rangan, and K. Srinathan. Round-optimal and efficient verifiable secret sharing. In 3rd Theory of Cryptography Conference (TCC).

[11] R. Gennaro, Y. Ishai, E. Kushilevitz, and T. Rabin. The round complexity of verifiable secret sharing and secure multicast. In 33rd Annual ACM Symposium on Theory of Computing (STOC).

[12] J. Katz and C.-Y. Koo. On expected constant-round protocols for Byzantine agreement. In Advances in Cryptology: Crypto 2006. Springer-Verlag.

[13] J. Katz and C.-Y. Koo. Round-efficient secure computation in point-to-point networks. In Advances in Cryptology: Eurocrypt 2007. Springer-Verlag.

[14] C. Koo. Studies on Fault-Tolerant Broadcast and Secure Computation. PhD thesis, University of Maryland.

[15] Y. Lindell, A. Lysyanskaya, and T. Rabin. Sequential composition of protocols without simultaneous termination. In 21st Annual ACM Symposium on Principles of Distributed Computing.

[16] S. Micali and T. Rabin. Collective coin tossing without assumptions nor broadcasting. In Advances in Cryptology: Crypto '90. Springer-Verlag.

[17] A. Patra, A. Choudhary, B. Ashwinkumar, and C. Rangan. Probabilistic verifiable secret sharing tolerating an adaptive adversary. Available at

[18] T. Rabin and M. Ben-Or. Verifiable secret sharing and multiparty protocols with honest majority. In 21st Annual ACM Symposium on Theory of Computing, pages 73–85.

[19] A. Shamir. How to share a secret. Comm. ACM, 22(11).


More information

EPR Paradox and the Physical Meaning of an Experiment in Quantum Mechanics. Vesselin C. Noninski

EPR Paradox and the Physical Meaning of an Experiment in Quantum Mechanics. Vesselin C. Noninski EPR Paradox and the Physcal Meanng of an Experment n Quantum Mechancs Vesseln C Nonnsk vesselnnonnsk@verzonnet Abstract It s shown that there s one purely determnstc outcome when measurement s made on

More information

An efficient algorithm for multivariate Maclaurin Newton transformation

An efficient algorithm for multivariate Maclaurin Newton transformation Annales UMCS Informatca AI VIII, 2 2008) 5 14 DOI: 10.2478/v10065-008-0020-6 An effcent algorthm for multvarate Maclaurn Newton transformaton Joanna Kapusta Insttute of Mathematcs and Computer Scence,

More information

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems

Chapter 5. Solution of System of Linear Equations. Module No. 6. Solution of Inconsistent and Ill Conditioned Systems Numercal Analyss by Dr. Anta Pal Assstant Professor Department of Mathematcs Natonal Insttute of Technology Durgapur Durgapur-713209 emal: anta.bue@gmal.com 1 . Chapter 5 Soluton of System of Lnear Equatons

More information

Errors for Linear Systems

Errors for Linear Systems Errors for Lnear Systems When we solve a lnear system Ax b we often do not know A and b exactly, but have only approxmatons  and ˆb avalable. Then the best thng we can do s to solve ˆx ˆb exactly whch

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

Every planar graph is 4-colourable a proof without computer

Every planar graph is 4-colourable a proof without computer Peter Dörre Department of Informatcs and Natural Scences Fachhochschule Südwestfalen (Unversty of Appled Scences) Frauenstuhlweg 31, D-58644 Iserlohn, Germany Emal: doerre(at)fh-swf.de Mathematcs Subject

More information

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced,

FREQUENCY DISTRIBUTIONS Page 1 of The idea of a frequency distribution for sets of observations will be introduced, FREQUENCY DISTRIBUTIONS Page 1 of 6 I. Introducton 1. The dea of a frequency dstrbuton for sets of observatons wll be ntroduced, together wth some of the mechancs for constructng dstrbutons of data. Then

More information

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud

Resource Allocation with a Budget Constraint for Computing Independent Tasks in the Cloud Resource Allocaton wth a Budget Constrant for Computng Independent Tasks n the Cloud Wemng Sh and Bo Hong School of Electrcal and Computer Engneerng Georga Insttute of Technology, USA 2nd IEEE Internatonal

More information

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results.

For now, let us focus on a specific model of neurons. These are simplified from reality but can achieve remarkable results. Neural Networks : Dervaton compled by Alvn Wan from Professor Jtendra Malk s lecture Ths type of computaton s called deep learnng and s the most popular method for many problems, such as computer vson

More information

On the Interval Zoro Symmetric Single-step Procedure for Simultaneous Finding of Polynomial Zeros

On the Interval Zoro Symmetric Single-step Procedure for Simultaneous Finding of Polynomial Zeros Appled Mathematcal Scences, Vol. 5, 2011, no. 75, 3693-3706 On the Interval Zoro Symmetrc Sngle-step Procedure for Smultaneous Fndng of Polynomal Zeros S. F. M. Rusl, M. Mons, M. A. Hassan and W. J. Leong

More information

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law:

Introduction to Vapor/Liquid Equilibrium, part 2. Raoult s Law: CE304, Sprng 2004 Lecture 4 Introducton to Vapor/Lqud Equlbrum, part 2 Raoult s Law: The smplest model that allows us do VLE calculatons s obtaned when we assume that the vapor phase s an deal gas, and

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for P Charts. Dr. Wayne A. Taylor

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for P Charts. Dr. Wayne A. Taylor Taylor Enterprses, Inc. Control Lmts for P Charts Copyrght 2017 by Taylor Enterprses, Inc., All Rghts Reserved. Control Lmts for P Charts Dr. Wayne A. Taylor Abstract: P charts are used for count data

More information

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2].

Volume 18 Figure 1. Notation 1. Notation 2. Observation 1. Remark 1. Remark 2. Remark 3. Remark 4. Remark 5. Remark 6. Theorem A [2]. Theorem B [2]. Bulletn of Mathematcal Scences and Applcatons Submtted: 016-04-07 ISSN: 78-9634, Vol. 18, pp 1-10 Revsed: 016-09-08 do:10.1805/www.scpress.com/bmsa.18.1 Accepted: 016-10-13 017 ScPress Ltd., Swtzerland

More information

n ). This is tight for all admissible values of t, k and n. k t + + n t

n ). This is tight for all admissible values of t, k and n. k t + + n t MAXIMIZING THE NUMBER OF NONNEGATIVE SUBSETS NOGA ALON, HAROUT AYDINIAN, AND HAO HUANG Abstract. Gven a set of n real numbers, f the sum of elements of every subset of sze larger than k s negatve, what

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm

Lecture 2: Gram-Schmidt Vectors and the LLL Algorithm NYU, Fall 2016 Lattces Mn Course Lecture 2: Gram-Schmdt Vectors and the LLL Algorthm Lecturer: Noah Stephens-Davdowtz 2.1 The Shortest Vector Problem In our last lecture, we consdered short solutons to

More information

Learning Theory: Lecture Notes

Learning Theory: Lecture Notes Learnng Theory: Lecture Notes Lecturer: Kamalka Chaudhur Scrbe: Qush Wang October 27, 2012 1 The Agnostc PAC Model Recall that one of the constrants of the PAC model s that the data dstrbuton has to be

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016

U.C. Berkeley CS294: Spectral Methods and Expanders Handout 8 Luca Trevisan February 17, 2016 U.C. Berkeley CS94: Spectral Methods and Expanders Handout 8 Luca Trevsan February 7, 06 Lecture 8: Spectral Algorthms Wrap-up In whch we talk about even more generalzatons of Cheeger s nequaltes, and

More information

Credit Card Pricing and Impact of Adverse Selection

Credit Card Pricing and Impact of Adverse Selection Credt Card Prcng and Impact of Adverse Selecton Bo Huang and Lyn C. Thomas Unversty of Southampton Contents Background Aucton model of credt card solctaton - Errors n probablty of beng Good - Errors n

More information

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL

The Synchronous 8th-Order Differential Attack on 12 Rounds of the Block Cipher HyRAL The Synchronous 8th-Order Dfferental Attack on 12 Rounds of the Block Cpher HyRAL Yasutaka Igarash, Sej Fukushma, and Tomohro Hachno Kagoshma Unversty, Kagoshma, Japan Emal: {garash, fukushma, hachno}@eee.kagoshma-u.ac.jp

More information

Lecture 3: Probability Distributions

Lecture 3: Probability Distributions Lecture 3: Probablty Dstrbutons Random Varables Let us begn by defnng a sample space as a set of outcomes from an experment. We denote ths by S. A random varable s a functon whch maps outcomes nto the

More information

Lecture 13 APPROXIMATION OF SECOMD ORDER DERIVATIVES

Lecture 13 APPROXIMATION OF SECOMD ORDER DERIVATIVES COMPUTATIONAL FLUID DYNAMICS: FDM: Appromaton of Second Order Dervatves Lecture APPROXIMATION OF SECOMD ORDER DERIVATIVES. APPROXIMATION OF SECOND ORDER DERIVATIVES Second order dervatves appear n dffusve

More information

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011

Stanford University CS359G: Graph Partitioning and Expanders Handout 4 Luca Trevisan January 13, 2011 Stanford Unversty CS359G: Graph Parttonng and Expanders Handout 4 Luca Trevsan January 3, 0 Lecture 4 In whch we prove the dffcult drecton of Cheeger s nequalty. As n the past lectures, consder an undrected

More information

CS-433: Simulation and Modeling Modeling and Probability Review

CS-433: Simulation and Modeling Modeling and Probability Review CS-433: Smulaton and Modelng Modelng and Probablty Revew Exercse 1. (Probablty of Smple Events) Exercse 1.1 The owner of a camera shop receves a shpment of fve cameras from a camera manufacturer. Unknown

More information