Round Efficient Unconditionally Secure Multiparty Computation Protocol

Transcription

1 Round Effcent Uncondtonally Secure Multparty Computaton Protocol Arpta Patra Ashsh Choudhary C. Pandu Rangan Department of Computer Scence and Engneerng Indan Insttute of Technology Madras Chenna Inda Emal:{ arpta,ashshc Abstract In ths paper, we propose a round effcent uncondtonally secure multparty computaton (UMPC) protocol n nformaton theoretc model wth n > 2t players, n the absence of any physcal broadcast channel, whch communcates O(n 4 ) feld elements per multplcaton and requres O(n log(n) + D) rounds, even f up to t players are under the control of an actve adversary havng unbounded computng power. In the absence of a physcal broadcast channel and wth n > 2t players, the best nown UMPC protocol wth mnmum number of rounds, requres O(n 2 D) rounds and communcates O(n 6 ) feld elements per multplcaton, where D denotes the multplcatve depth of the crcut representng the functon to be computed securely. On the other hand, the best nown UMPC protocol wth mnmum communcaton complexty requres communcaton overhead of O(n 2 ) feld elements per multplcaton, but has a round complexty of O(n 3 +D) rounds. Hence our UMPC protocol s the most round effcent protocol so far and rans second accordng to communcaton complexty. To desgn our protocol, we use certan new technques whch are of ndependent nterest. Keywords: Multparty Computaton, Informaton Theoretc Securty, Error Probablty. 1 Introducton Secure Multparty Computaton (MPC): Secure multparty computaton (MPC) allows a set of n players to securely compute an agreed functon, even f up to t players are under the control of a centralzed adversary. More specfcally, assume that the desred functonalty can be specfed by a functon f : ({0, 1} ) n ({0, 1} ) n and player P has nput x {0, 1}. At the end of the computaton of f, P gets y {0, 1}, where (y 1,..., y n ) = f(x 1,..., x n ). The functon f has to be computed securely usng a protocol where at the end of the protocol all players (honest) receve correct outputs and the messages seen by the adversary durng the protocol contan no addtonal nformaton about the nputs and outputs of the honest players, other than what can be computed from the nputs and outputs of the corrupted players. In the nformaton theoretc model, the adversary who actvely controls at most t players, s adaptve, rushng [11] and has unbounded computng power. The functon to be computed s represented as an arthmetc crcut over a fnte feld F consstng of fve type of gates, namely addton, multplcaton, random, nput and output. A MPC protocol securely evaluates the crcut gate-by-gate [5, 22, 2, 22, 17, 19, 4]. The MPC problem was frst defned and solved by Yao [23] n hs semnal wor n two-party scenaro. The frst generc solutons presented n [16, 9, 14] were based on cryptographc ntractblty assumtons. Later, the research on MPC n nformaton theoretc model was ntated by Ben-Or Fnancal Support from Mcrosoft Research Inda Acnowledged Fnancal Support from Infosys Technology Inda Acnowledged Wor Supported by Project No. CSE/05-06/076/DITX/CPAN on Protocols for Secure Communcaton and Computaton Sponsored by Department of Informaton Technology, Govt. of Inda. 1

2 et. al. [5] and Chaum et. al. [8] n two dfferent ndependent wor and carred forward by the wors of [22, 2]. Informaton theoretc securty can be acheved by MPC protocols n two flavors (a) Perfect: The outcome of the protocol s perfect n the sense that no probablty of error s nvolved n the computaton of the functon (b) Uncondtonal: The outcome of the protocol s correct except wth neglgble error probablty. Whle Perfect MPC can be acheved ff t < n/3 [5], uncondtonal MPC (UMPC) requres only honest majorty.e t < n/2 [22]. In the recent years, lot of research concentrated on desgnng communcaton effcent protocols for both perfect and uncondtonal MPC. Perfect MPC protocols wth optmal reslence.e t < n/3 are presented n [17, 19, 4]. UMPC protocols wth non-optmal reslence.e t < n/3 are presented n [18, 12]. Fnally, UMPC protocols wth optmal reslence.e t < n/2 are presented n [11, 3]. Broadcast: Broadcast s a very mportant prmtve and s heavly used n all MPC and UMPC protocols. Broadcast allows a sender to dstrbute a value x, such that all the players dentcally receve the same value x (even f the sender s faulty). If a physcal broadcast channel s avalable n the networ, then achevng broadcast s very trval. In such a case, broadcastng l bts requres sngle round and exactly l bts of communcaton. But f the broadcast channel s not physcally avalable n the networ, then broadcastng an l bt(s) message can be smulated by executng some protocol. In partcular, for perfectly (wthout any error probablty) broadcastng l bts, the protocol presented n [6, 7] communcates Ω(n 2 l) bts and requres Ω(n) rounds wth t < n/3. For uncondtonally (wth neglgble error probablty) broadcastng l bts, the protocol presented n [21] communcates Ω(n 2 l + n 6 κ) bts and requres Ω(n) rounds wth t < n/2 on the avalablty of nformaton theoretc PKI setup (nformaton theoretc pseudo-sgnature), where κ s the error parameter. Recently Ftz et. al. [13] have proposed mult-valued broadcast where broadcast of l bts requres communcaton of O(ln + nb(n + κ)) bts, provded there exsts a broadcast protocol whch communcates B(b) bts for broadcastng a b bt message where b < l. Thus usng the broadcast protocol of [21] as blac-box, broadcast protocol of [13] communcates O(nl + n 7 κ) for broadcastng an l bt message and requres Ω(n) rounds of communcaton, where t < n 2. Our Motvaton: Two mportant parameters of multparty computaton protocols are communcaton complexty and round complexty. These have been the subject of ntense study over the past two decades. Establshng bounds on communcaton and round complexty of secure multparty computaton protocols are of fundamental theoretcal nterest. Moreover, reducng the communcaton and round complexty of multparty computaton protocols s crucal, f we ever hope to use these protocols n practce. But loong at the most recent advancements n the arena of MPC, we fnd that round complexty of MPC protocols has been ncreased to an unacceptable level n order to reduce communcaton complexty. For example, the perfect MPC protocol of [4] celebrated for ts best nown communcaton complexty, requres round complexty of O(n 2 + D) where D denotes the multplcatve depth of the crcut. On the other hand, the perfect MPC protocols achevng best nown round complextes such as O(nD) [5] and O(n + D) [1] are far from beng truly communcaton effcent. In the sequel, we present a table whch gves an overvew of the communcaton complextes and round complextes of perfect and uncondtonal MPC protocols. The complexty fgures are provded assumng that physcal broadcast channel s not avalable and hence broadcast s smulated by some protocol (as mentoned earler). The communcaton complextes are gven n terms of bts where κ represents the bt length of a feld element n the case of perfect MPC and error parameter n the case of uncondtonal MPC. For smplcty, we assume that the computed functon taes n nputs (one from each player) and gves n outputs. c M and D denote the number of multplcaton gates and multplcatve depth of the crcut, respectvely. Reference Type? Reslence Brodcast Protocol Communcaton Complexty Round Complexty [11] Uncondtonal t < n/2 [13] O((c M n 6 + n 7 )κ) O(n 2 D) [17] Perfect t < n/3 [6, 7] O((c M n 3 + n 4 )κ) O(n 2 + D) [3] Uncondtonal t < n/2 [13] O((c M n 2 + n 7 )κ) O(n 3 + D) [12] Uncondtonal t < n/3 [6, 7] O((c M n + Dn 2 + n 4 )κ) O(n 2 + D) [4] Perfect t < n/3 [6, 7] O((c M n + Dn 2 + n 3 )κ) O(n 2 + D) If the practcal applcablty of multparty protocols are of prmary focus, then t s always desrable 2

3 not to sacrfce one parameter for the other. So t s very essental to desgn protocol whch balances both the parameters approprately. Motvated by ths, n ths wor we desgn an UMPC protocol whch acheves effcency n both the parameters smultaneously. Our Networ Model: We denote the set of n = 2t + 1 players (partes) nvolved n the secure computaton by P = {P 1, P 2,..., P n } where player P possesses c nput values. We assume that all the n players are connected wth each other by parwse secure channels, as assumed n generc UMPC protocols [3, 11, 22]. Moreover, the system s synchronous and the protocols proceed n rounds, where n each round a player performs some computatons, sends (broadcasts) values to ts neghbors (everybody), receves values from neghbors and may agan perform some more computaton, n that order. The functon to be computed s specfed as an arthmetc crcut over a fnte feld F wth nput, addton, multplcaton, random and output gates. We denote the number of gates of each type by c I, c A, c M, c R and c O, respectvely. Note that c I = n =1 c. We model the dstrust n the system by a centralzed adversary A t, who has unbounded computng power and can actvely control at most t players durng the protocol executon, where t < n 2. To actvely control a player means to tae full control over t and mang t behave arbtrarly. The adversary s adaptve [11] and hence can corrupt players dynamcally durng the protocol executon. Moreover, the choce of the adversary to corrupt a player may depend upon the data seen so far from the corrupted players. Moreover, the adversary s a rushng adversary [15], who n a partcular round, frst collects all the messages addressed to the corrupted players and explots ths nformaton to decde on what the corrupted players send durng the same round. If a player comes under the control of A t, then t remans so throughout the protocol. A player whch s not under the control of A t s called honest or uncorrupted. We defne two sets C and P where at any pont of tme C denotes the set of corrupted players dentfed so far and P = P \ C. Intally, P = P and C =. As the protocol proceeds, some players wll be detected as corrupted and wll be added to C and removed from P. We denote the number of players n P by n whch s ntally equal to n. The number of players whch can be stll corrupted from P s denoted by t where t = t C. Note that n wll always mantan the followng: n t t 2t + 1 snce t t. Also at any pont of tme P = P C. Our protocol provdes uncondtonal securty.e. nformaton theoretc securty wth a neglgble error probablty of 2 O(κ) for some securty parameter κ. To acheve ths error probablty, all our computaton are done over a fnte feld F = GF (2 κ ). Thus each feld element can be represented by κ bts. Notce that, we also assume that n s polynomal n κ. For the ease of exposton, we always assume that the messages sent through the channels are from the specfed doman. Thus f a player receves a message whch s not from the specfed doman (or no message at all), he replaces t wth some pre-defned default message from the specfed doman. Our Contrbuton: In ths paper, we propose a new UMPC protocol whch communcates O(n 4 ) feld elements per multplcaton and requres O(n log(n) + D) rounds over a pont-to-pont networ (n the absence of physcal broadcast channel) wth n = 2t+1 players. Ths result s to be compared wth the UMPC protocol of [11] whch provdes so far best nown round complexty of O(n 2 D) (and communcates O(n 6 ) feld elements per multplcaton) and wth UMPC protocol of [3] whch acheves the best nown communcaton complexty of O(n 2 ) feld elements per multplcaton (but consumes O(n 3 + D) rounds). Hence our protocol s the most round effcent protocol so far and rans second accordng to communcaton complexty. We ntroduce a new technque called Rapd Player Elmnaton (RPE) whch s used n the preprocessng stage of our proposed UMPC protocol. Loosely speang, RPE wors as follows: The preprocessng stage of our UMPC protocol may fal several tmes due to the (ms)behavor of certan number of corrupted players whose corruptons are dentfed. RPE creates a wn-wn stuaton, where the adversary must reveal the denttes of 2 new corrupted players at the th step. Otherwse, the preprocessng stage wll not fal. Thus RPE ensures that preprocessng stage may fal at most log(t) tmes. 3

4 2 Uncondtonally Secure MPC Protocol wth n = 2t + 1 In ths secton, we present an UMPC protocol wth n = 2t + 1. Pror to that we present a number of sub-protocols each solvng a specfc tas. Some of the sub-protocols are based on few exstng technques whle some are proposed by us for the frst tme. We descrbe all our subprotocols n the followng settngs: P denotes the set of players nvolved n the executon of the sub-protocols where P = n, the number of corrupted players present n P s t and n = t+1+t. Durng the executon of the sub-protocols, some more corrupted players may be detected as faulty and wl be removed from P. Accordngly n and t wll change (wthout affectng the equalty n = t t ). Thus t s clear that at any stage P wll always contan all the t + 1 honest players. For smplcty, we assume that P always contans the frst n players (P 1,..., P n ) from the set P. For convenence, we provde analyss of the communcaton and round complextes of our subprotocols and protocols assumng that physcal broadcast channel s avalable n the system. At the end we gve the complete communcaton and round complexty fgure for our general multparty computaton protocol, assumng that the broadcast has to be smulated by protocol of [13]. Notce that a physcal broadcast channel enables all the players from P to receve the broadcasted message. Snce our sub-protocols are executed among the players n P and P P, a broadcast step n our sub-protocol should allow only the players of P to get the broadcasted nformaton. But notce that all the broadcast steps wll be fnally replaced by protocols (say from [13]) where only players from P are allowed to partcpate. Thus wthout loss of generalty, we may nterpret all the broadcasts steps n our sub-protocols as the broadcast to the restrcted set P. 2.1 Informaton Checng Informaton Checng (IC) and IC Sgnatures [11, 22]: IC s an nformaton theoretcally secure method for authentcatng data and s used to generate IC sgnatures. When a player INT P receves an IC sgnature from a dealer D P on some secret value(s) S, then INT can later produce the sgnature and have the players n P verfy that t s n fact a vald sgnature of D on S. An IC scheme conssts of a sequence of three protocols: 1. Dstr(D, INT, P, S) s ntated by the dealer D, who hands secret S = [s (1)... s (l) ] F l, where l 1 to ntermedary INT. In addton, D hands some authentcaton nformaton to INT and verfcaton nformaton to ndvdual players n P, also called as recevers. 2. AuthVal(D, INT, P, S) s ntated by INT to ensure that n protocol RevealVal, secret S held by INT wll be accepted by all the (honest) players (recevers) n P. 3. RevealVal(D, INT, P, S) s carred out by INT and the recevers n P, where INT produces S, along wth authentcaton nformaton and the ndvdual recevers n P produce verfcaton nformaton. Dependng upon the values produced by IN T and the recevers, ether S s accepted or rejected by all the players/recevers. The authentcaton nformaton, along wth S, whch s held by INT at the end of AuthVal s called D s IC sgnature on S, obtaned by INT. The IC sgnature must satsfy the followng propertes: 1. If D and INT are uncorrupted, then S wll be accepted n RevealVal. 2. If INT s uncorrupted, then at the end of AuthVal, INT possesses secret(s), say S, whch wll be accepted n RevealVal, except wth probablty at most 2 O(κ). 3. If D s uncorrupted, then durng RevealVal, wth probablty at least 1 2 O(κ), every S S produced by a corrupted INT wll be rejected. 4. If D and INT are uncorrupted, then at the end of AuthVal, S s nformaton theoretcally secure from A t. We now descrbe an IC protocol whch s a slght modfcaton of the IC protocol descrbed n [11]. 4

5 The protocol allows D to sgn on a sngle feld element s F (.e. l = 1; S = s). In the protocol, Dstr taes sngle round (Round 1), AuthVal taes threes rounds (Round 2, 3 and Round 4), whle RevealVal taes two rounds (Round 1 and Round 2). The protocol s gven n Table 1. Before descrbng the protocol, we recall the followng defnton from [11]. Defnton 1 (1 α -consstent [11]) A vector (x, y, z) F 3 s 1 α -consstent f there exsts a degree one polynomal w over F such that w(0) = x, w(1) = y and w(α) = z. Lemma 1 Protocol IC correctly generates IC sgnatures on a sngle secret (.e. l = 1) by communcatng O(nκ) bts and broadcastng O(nκ) bts. The protocol satsfes all the propertes of IC sgnature wth an error probablty of at most 2 O(κ). Proof: The proof s smlar to the proof of the propertes of generalzed IC protocol of [11] (see Lemma 1, Page ). Protocol IC(D, INT, P, s) Dstr(D, INT, P, s) Round 1: Correspondng to each recever P P, D chooses a random value α F {0, 1} and addtonal random values y, z F, such that the three tuple (s, y, z ) s 1 α -consstent. In addton, correspondng to each P P, D chooses another random 1 α -consstent vector (s, y, z ). D sends s, y, s and y to INT and α, z, z to the recever P. The n tuple [y 1 y 2... y n ] held by INT s called authentcaton nformaton. The two n tuples [y 1 y 2... y n ] and [s 1 s 2..., s n ] held by INT are called as auxlary nformaton, where as the tuple (α, z ) held by recever P s called verfcaton nformaton. AuthVal(D, INT, P, s): Round 2: INT randomly selects n random elements d, 1 n from F {0} and broadcasts the tuples (d, s + d s, y + d y ). Round 3: In response to INT s broadcast n Round 2, D checs the correctness of the broadcasted nformaton and also checs whether (s + d s, y + d y, z + d z ) s 1 α -consstent for 1 n. D broadcasts s, along wth the n tuple [y 1 y 2... y n ] f he fnds any nconsstency. Each P P accordngly adjusts hs verfcaton nformaton (α, z ), such that (s, y, z ) s 1 α -consstent and the protocol ends here. Parallely, P P checs f (s + d s, y + d y, z + d z ) s 1 α -consstent and broadcasts Accept or Reject, dependng upon whether (s + d s, y + d y, z + d z ) s 1 α -consstent or not. Now the value s and the n tuple [y 1 y 2... y n ] possessed by INT s called the IC-Sgnature on s gven by D to INT, whch s denoted by ICSg s(d, INT ). Round 4: If D has not broadcasted s, along wth the tuple [y 1 y 2... y n ] n the prevous round, then D broadcasts (α, z ) correspondng to all recevers P P, whose response was Reject n the prevous round. Accordngly INT wll adjust hs y so that (s, y, z ) becomes 1 α -consstent. RevealVal(D, INT, P, s): Round 1: INT broadcasts s and [y 1 y 2... y n ]; Round 2: Each P P broadcasts (α, z ). If there exsts at least t + 1 dstnct j s such that (s, y j, z j ) s 1 αj -consstent then D s sgnature on s s vald. Otherwse the sgnature s nvald. Table 1: An IC Protocol to Sgn on a Sngle Feld Element We now present an IC protocol, called EffcentIC, whch allows D to sgn on an l length secret S F l smultaneously, wth l 1, by communcatng O((l + n)κ) bts and broadcastng O((l + n)κ) bts, where n = t t. Let S = (s (1),..., s (l) ) F l. The dea of ths protocol s taen from [20]. The protocol EffcentIC s gven n Table 2. Lemma 2 Protocol EffcentIC correctly generates IC sgnature on l feld elements (each of sze κ bts) at once by communcatng O((l + n)κ) bts and broadcastng O((l + n)κ) bts. The protocol satsfes the propertes of IC sgnature wth an error probablty of at most 2 O(κ). Proof: The proof s smlar to the proof of the IC protocol gven n [20] and hence s omtted. Lnearty of Protocol IC and EffcentIC: Protocol IC and EffcentIC satsfes the lnearty property as specfed by the followng lemmas: Lemma 3 (Lnearty of Protocol IC [11]) Let ICSg s1 (D, INT ) and ICSg s2 (D, INT ) denotes the IC sgnature on two dfferent secrets s 1 and s 2, generated by D usng protocol IC. 5

6 Moreover, let D uses the same set of α 1, α 2,..., α n to gve hs IC sgnature on s 1 and s 2. Let r 1, r 2 be two random publc constants from F. Then INT can generate ICSg (r1 s 1 +r 2 s 2 )(D, INT ) from ICSg s1 (D, INT ) and ICSg s2 (D, INT ) wthout any further communcaton. Smlarly, the recevers n P can obtan the verfcaton nformaton correspondng to ICSg (r1 s 1 +r 2 s 2 )(D, INT ) from the verfcaton nformaton correspondng to ICSg s1 (D, INT ) and ICSg s2 (D, INT ) wthout dong any communcaton. Extendng the above lemma for an arbtrary length secret, we can state the followng lemma: Lemma 4 (Lnearty of Protocol EffcentIC) The IC sgnature generated by EffcentIC satsfes lnearty property. In partcular, INT can compute ICSg ((r1 s (1,1) +r 2 s (2,1) ),...,(r 1 s (1,l) +r 2 s (2,l) ))(D, INT ) from ICSg (s (1,1),s (1,2)...,s (1,l) ) (D, INT ) and ICSg (s (2,1),s (2,2)...,s (2,l) )(D, INT ) and recevers can compute verfcaton nformaton correspondng to ICSg ((r1 s (1,1) +r 2 s (2,1) ),...,(r 1 s (1,l) +r 2 s (2,l) ))(D, INT ). EffcentDstr(D, INT, P, l, s (1),..., s (l) ): Round 1: EffcentIC(D, INT, P, l, s (1),..., s (l) ) D selects a random l + t 1 degree polynomal F (x) over F, whose lower order l coeffcents are s (1),..., s (l). In addton, D selects another random l + t 1 degree polynomal R(x), over F, whch s ndependent of F (x). D selects n dstnct random elements α 1, α 2,..., α n from F such that each α F {0, 1,..., n 1}. D prvately gves F (x) and R(x) to INT. To recever P P, D prvately gves α, v and r, where v = F (α ) and r = R(α ). The polynomal R(x) s called authentcaton nformaton, whle for 1 n, the values α, v and r are called verfcaton nformaton. EffcentAuthVal(D, INT, P, l, s (1),..., s (l) ): Round 2: d, B(x) = df (x) + R(x). INT chooses a random d F \ {0} and broadcasts Round 3: For 1 j n, D checs dv j + r? j = B(α j). If D fnds any nconsstency, he broadcasts F (x). Parallely, recever P broadcasts Accept or Reject, dependng upon whether dv + r = B(α ) or not. Local Computaton (by each player): f F (x) s broadcasted n Round 3 then accept the lower order l coeffcents of F (x) as D s secret and termnate. else construct an n length bt vector V Sh, where the j th, 1 j n bt s 1(0), f P j P has broadcasted Accept ( Reject ) durng Round 3. The vector V Sh s publc, as t s constructed usng broadcasted nformaton. If V Sh does not contan n t 1 s, then D fals to gve any sgnature to INT and IC protocol termnates here. If F (x) s not broadcasted durng Round 3, then (F (x), R(x)) s called D s IC sgnature on S = (s (1),..., s (l) ) gven to INT, whch s denoted by ICSg (s (1),...,s (l) )(D, INT ). EffcentRevealVal(D, INT, P, l, s (1),..., s (l) ): (a) Round 1: INT broadcasts F (x), R(x); (b) Round 2: P broadcasts α, v and r. Local Computaton (by each player): For the polynomal F (x) broadcasted by INT, construct an n length correspondng to R(x). Fnally compute VF Rec R = V Rec F (x) VR(x), Rec where denotes bt wse AND. Snce broadcasted nformaton s publc, each player (honest) wll compute the same vectors V Rec F (x) and V Rec R(x) and hence VF Rec R. If VF Rec R and V Sh vector V Rec F (x) whose j th bt contans 1 f v j = F (α j ), else 0. Smlarly, construct the vector V Rec R(x) matches at least at t + 1 locatons (rrespectve of bt value at these locatons), then accept the lower order l coeffcents of F (x) as S = (s (1),..., s (l) ). In ths case, we say that D s sgnature on S s correct. Else reject F (x) broadcasted by INT and we say that INT has faled to produce D s sgnature. Table 2: An IC Protocol to Sgn l Length Secret where n = t t 2.2 Uncondtonal Verfable Secret Sharng and Reconstructon Defnton 2 t -1D-Sharng: We say that a value s s correctly t -1D-shared among the players n P f every honest player P P s holdng a share s of s, such that there exsts a degree t polynomal f(x) over F wth f(0) = s and f(j) = s j for every P j P. The vector (s 1, s 2,..., s n ) of shares s called a t -sharng of s and s denoted by [s] t. We may sp the subscrpt t when t s clear from the context. A set of shares (possbly ncomplete) s called t -consstent f these shares le on a t degree polynomal. 6

7 Defnton 3 t -2D-sharng:[3] We say that a value s s correctly t -2D-shared among the players n P f there exsts t degree polynomals f, f 1, f 2..., f n wth f(0) = s and for = 1,..., n, f (0) = f(). Moreover, every player P P holds a share s = f() of s, the polynomal f (x) for sharng s and a share-share s j = f j () of the share s j of every player P j P. We denote t -2D-sharng of s as [[s]] t. Defnton 4 t -2D (+) -sharng: We say that a value s s correctly t -2D (+) -shared among the players n P f there exsts t degree polynomals f, f 1, f 2..., f n wth f(0) = s and for = 1,..., n, f (0) = f(). Moreover, every player P P holds a share s = f() of s, the polynomal f (x) for sharng s and P j s IC Sgnature on share-share s j = f j () of P j s share s j,.e. ICSg sj (P j, P ) for every player P j P. We denote the t -2D (+) -sharng of s as s t. Note that n [3], the authors called ths sharng as 2D -sharng. Defnton 5 t -2D (+,l) -sharng: We say that a set of values s (1),..., s (l) are correctly t -2D (+,l) - shared among the players n P f every secret s (l) s ndvdually t -2D (+) -shared. But now nstead of P holdng separate IC-sgnatures for each of the share-shares s (l) j for l = 1..., l from P j (.e. ICSg (l) s (P j, P ) for l = 1..., l), a sngle IC-sgnature on s (1) j,..., s(l) j s gven by P j to P (.e. j ICSg (1) (s j,...,s(l))(p j, P )). We denote the t -2D (+,l) -sharng of l values as s 1,..., s l t. j If a secret s s t -1D-shared/t -2D-shared/t -2D (+) -shared by a dealer D P (any player from P may perform the role of a dealer ), then we denote the sharng by [s] D t /[[s]] D t / s D t. Smlarly f a set of l secrets s (1),..., s (l) are t -2D (+,l) -shared by player D, we denote t by s 1,..., s l D t. Notce that when a secret s s t -2D (+) -shared, then s s also t -1D-Shared and t -2D-shared by default. Hence t -2D (+) -sharng s the strongest sharngs among t -1D-sharng, t -2D-sharng and t -2D (+) -sharng. In some sense, t -2D (+,l) -sharng s the extenson of t -2D (+) -sharng for l secrets. If a dealer D P s honest, then he wll always correctly t -1D-share/t -2D-share/t -2D (+) -share a secret s. Among these three types of sharngs, t -2D (+) -sharng of a secret s allows effcent reconstructon of the secret wth n players. However, a corrupted D may perform sharng n an ncorrect way. To acheve parallelsm, n the sequel, we descrbe a protocol called 2D (+,l) Share whch allows a dealer D P to verfably t -2D (+,l) -share l 1 length secret [s (1), s (2),..., s (l) ]. Verfably t -2D (+,l) -sharng ensures correct t -2D (+,l) -sharng even for a corrupted D. The protocol 2D (+,l) Share s gven n Table 3. The goal of the protocol s as follows: (a) If D s honest then he correctly generates t -2D (+,l) -sharng of the secret [s (1), s (2),..., s (l) ], such that all the honest players publcly verfy that D has correctly generated the sharng. Also when D s honest, then the secret wll be nformaton theoretcally secure from the adversary A t. (b) If D s corrupted and has not generated correct t -2D (+,l) -sharng, then wth very hgh probablty, everybody wll detect t and protocol wll termnate. The dea of the protocol s taen from [11], but nstead of usng the IC protocol of [11], we employ the EffcentIC protocol proposed n ths paper, whch provdes us wth hgher effcency. Lemma 5 In protocol 2D (+,l) Share, D generates correct t -2D (+,l) -sharng of l feld elements (each of sze κ bts), wth overwhelmng probablty. 2D (+,l) Share s a ten round protocol whch communcates O((ln 2 + n 3 )κ) bts and broadcasts O((ln 2 + n 3 )κ) bts. Proof (Setch): For every l {1,..., l}, secret s (l) s t -1D-shared by t degree polynomal g (l) 0 (y).e g(l) 0 (0) = s(l). Also t degree polynomals f (l) (l) 1 (x),..., f n (x) are such that g (l) (l) 0 () = f (0) for = 1,..., n. Hence, every secret s (l) s t -2D-shared by t degree polynomals g (l) 0 (y) and f (l) (l) 1 (x),..., f n (x). Hence player P (mplctly) holds th share of g (l) (l) 0 (y) and polynomal f (x) for all l {1,..., l}. In addton to that, player P possesses correct ICSg (1) (f j (),f (2) j (),...,f (l) j ()) (P j, P ) for every player P j P, wth very hgh probablty (from the propertes of our EffcentIC protocol). Hence t s clear that D has generated correct t -2D (+,l) -sharng of l length secret wth 7

8 very probablty. Round complexty of 2D (+,l) Share s easy to verfy. Snce n sum at most 4(n ) 2 nstances of EffcentDstr and EffcentAuthVal of Protocol EffcentIC are executed, Protocol 2D (+,l) Share communcates and broadcasts O((ln 2 + n 3 )κ) bts. Remar: When an l length secret [s (1),..., s (l) ] s t -2D (+,l) -shared, then mplctly the ndvdual secrets are t -1D-shared by polynomals g (1) 0 (y),..., g(l) 0 (y). Also note that gven a(1),..., a (l) t and b (1),..., b (l) t, the players n P can compute c (1),..., c (l) t where for l = 1,..., l, c (l) = F(a (l), b (l) ) and F denotes any lnear combnaton. Ths s due to the lnearty property of our EffcentIC protocol presented n subsecton 2.1. s (1),..., s (l) D t = 2D(+,l) Share(D, P, t, l, s (1),..., s (l) ) 1. For every l = 1,..., l, D pcs a random bvarate polynomal H (l) (x, y) of degree t n both the varables, wth H (l) (0, 0) = s (l). Let f (l) (x) = H (l) (x, ) and g (l) (y) = H (l) (, y). Now D wants to hand over n values on f (l) (x) and g (l) (y) for l = 1,..., l to P wth hs IC sgnature on them. For that D executes EffcentDstr and EffcentAuthVal of EffcentIC(D, P, P, l, f (1) (j), f (2) (j),..., f (l) (j)) for for all j {1,..., n }. Smlarly D executes EffcentDstr and EffcentAuthVal of EffcentIC(D, P, P, l, g (1) (j), g (2) (j),..., g (l) (j)). 2. For l = 1,..., l player P checs whether the two sets f (l) (1),..., f (l) (n ) and g (l) (1),..., g (l) (n ) are t -consstent. If the values are not t -consstent, for some l {1,..., l} then P along wth all players n P nvoe EffcentRevealVal(D, P, P, l, f (1) (j), f (2) (j),..., f (l) (j)) and EffcentRevealVal(D, P, P, l, g (1) (j), g (2) (j),..., g (l) (j)) for all j {1,..., n }. If the sgnatures produced by P are vald and for some l {1,..., l} ether one of the two sets f (l) (1),..., f (l) (n ) or g (l) (1),..., g (l) (n ) s not t -consstent, then the protocol termnates here wthout generatng the desred output. 3. For every par of players P and P j from P the followng wll be executed: (a) Ideally for P and P j the followng should hold: f (l) (j) = g (l) j () and g(l) (j) = f (l) j () for l = 1,..., l. P (l) (j),..., f (j)) (j),..., f (l) (j) to P j. Upon recevng the sgnature, P j checs whether as a dealer executes EffcentDstr and EffcentAuthVal of EffcentIC(P, P j, P, l, f (1) to gve hs IC sgnature on f (1) f (l) (j) =? g (l) j () for l = 1,..., l. If there s an nconsstency then Pj along wth all players n P nvoe EffcentRevealVal(D, P j, P, l, g (1) j (), g (2) (),..., g (l) ()). j (b) If P j fals to produce vald sgnature n the prevous step, then all the players from P gnore the IC sgnatures receved from P j n prevous step. Otherwse, f P j s able to produce vald sgnature then g (1) j (), g (2) j (),..., g (l) j () become publc. Usng the publc values P checs whether f (l) (j) =? g (l) j () for l = 1,..., l. If he fnds any nconsstency, then P along wth all players n P nvoe EffcentRevealVal(D, P, P, l, f (1) (j), f (2) (j),..., f (l) (j)). (c) If P fals to produce vald sgnature n the prevous step, then all the players from P gnore the IC sgnatures receved from P n step 3(a). Otherwse, f P s able to produce vald sgnature, then all the values f (1) (j), f (2) (j),..., f (l) (j) become publc. Every player then verfes whether f (l) (j) =? g (l) j () for l = 1,..., l. If f (l) (j) g (l) j () for some l {1,..., l} then the protocol termnates here wthout generatng the desred output. j Table 3: A Ten Round Protocol for Verfably t -2D (+,l) -share l Length Secret. Converson From a t -2D (+,l) -sharng to l t -2D + -sharngs: Gven t -2D (+,l) -sharng of l secrets, we present a protocol Convert2D (+,l) to2d + whch converts the t -2D (+,l) -sharng of the l secrets to l t -2D + -sharngs of the ndvdual l secrets. Thus gven s (1), s (2),..., s (l) t, Convert2D (+,l) to2d + produces s (l) t for l = 1,..., l. Note that s (1), s (2),..., s (l) t could have been generated drectly by Protocol 2D (+,l) Share or t could be lnear combnaton of a number of t -2D (+,l) -sharngs generated by dfferent nstances of Protocol 2D (+,l) Share. Lemma 6 Protocol Convert2D (+,l) to2d + taes fve rounds and communcates O((ln 3 + n 4 )κ) bts and broadcasts O((ln 3 + n 4 )κ) bts. Reconstructon of a t -2D + -shared secret: Let s t be a t -2D + -sharng, whch s shared usng the polynomals H(x, y), f (x), g (y), 1 n among the players n P. We may assume s t as one of the l outcomes of Protocol Convert2D (+,l) to2d +. We now present a protocol 2D + Recons whch allows the (honest) players to correctly recover s wth very hgh probablty. 8

9 ( s (1) t,..., s (l) t ) = Convert2D (+,l) to2d + (P, t, l, s (1), s (2),..., s (l) t ) Let f (l) (x), 1 n, 1 l l be the polynomals used for generatng s (1)..., s (l) t. For every par of players P and P j from P, the followng s done: 1. Player P as a dealer executes Dstr and AuthVal of IC(P, P j, P, f (l) (j)) for all l {1,..., l} to gve ICSg (l) (P f (j), P j ) to P j for all l {1,..., l}. Snce s (1),..., s (l) t s generated usng 2D (+,l) Share, t mples that ether P j already holds a combned sgnature on f (1) (j),..., f (l) (j) from P,.e. ICSg (1) (f (j),f (2) (j),...,f (l) (P (j)), P j ) or t may also happen that every player from P has gnored P s sgnature. In the later case, players n P wll agan gnore P s sgnature. Otherwse P j can now chec f P has gven sgnature on the same ndvdual values. 2. Upon recevng the sgnatures on say f (l) f (l) (1) f (j),..., f (l) (j) (.e ICSg f (l) (P, Pj) for l = 1,..., l), Pj checs (j) (j) =? (). If there s nconsstency for some l {1,..., l} then P j along wth all players n P nvoe EffcentRevealVal(P, P j, P, l, f (1) (j), f (2) (j),..., f (l) (j)) and RevealVal(P, P j, P (l), f (j)) for all l {1,..., l}. 3. In the prevous step, f P j s not able to produce the sgnature that he receved from P, then all the players from P gnore the IC sgnatures receved from P j durng step 1. Otherwse f the sgnatures are vald then f (1) (j),..., f (l) (j) (1) (l) and f (j),..., f (j) are publc. All players n P chec f (l) (j) =? (l) f (j) for l = 1,..., l. If the test fals for some l, then all the players n P gnore the values receved from P durng frst step. Otherwse the sgnature produced by P j wll be gnored by all the players n P. s = 2D + Recons(P, t, s t ) For all P j P such that P j s IC sgnatures are not gnored by the players n P, player P sends ICSg fj ()(P j, P ) to every player P n P. Player P P checs the valdty of ICSg fj ()(P j, P ) wth respect to hs own verfcaton nformaton. If the verfcaton passes then P accepts ICSg fj ()(P j, P ). Now f for all P j P, P accepts ICSg fj ()(P j, P ) (whch he receves from P ) then P checs whether f j()s are t -consstent (deally f j() = g (j) for all P j P ; so f j ()s wll le on t degree polynomal g (y)). If yes then P adds P to hs CORE set and let the t degree polynomal (on whch f j()s le on) be g (y). Player P taes all the g (y) polynomals correspondng to the players n hs CORE and nterpolates the bvarate polynomal H(x, y) and fnally sets the secret s = H(0, 0). It s easy to chec that all honest players from P recovers the same secret s. Lemma 7 Protocol 2D + Recons taes one round and prvately communcates O(n 3 κ) bts. 2.3 Generatng Random t -2D (+,l) -Sharng We now present protocol Random(P, t, l) whch allows the players n P to jontly generate a random t -2D (+,l) -sharng, r (1),..., r (l) t, where each r (l) s a random element from F. r (1),..., r (l) t = Random(P, t, l) Every player P P nvoes 2D (+,l) Share(P, P, t, l, r (1,P),..., r (l,p) ) to generate r (1,P),..., r (l,p) P t, where r (1,P),..., r (l,p) are randomly selected from F. Let P ass denotes the set of players P n P such that t -2D (+,l) Share(P, P, t, l, r (1,P),..., r (l,p) ) s executed successfully. Now all the players n P jontly computes r (1),..., r (l) t = P P ass r(1,p ),..., r (l,p) P t. Lemma 8 Wth overwhelmng probablty, protocol Random generates a random t -2D (+,l) -sharng r (1),..., r (l) t n eght rounds and prvately communcates and broadcasts O((ln 3 + n 4 )κ) bts. 2.4 Provng c = ab Defnton 6 t -1D (+) -sharng: We say that a value s s correctly t -1D (+) -shared among the players n P f there exsts t degree polynomal f(x) held by D wth f(0) = s. Every player P P holds a share s = f() of s wth an IC sgnature on t from the dealer D (.e. ICSg s (D, P )). We denote the t -1D (+) -sharng of a secret s by s t. Defnton 7 t -1D (+,l) -sharng: We say that a set of secrets s (1),..., s (l) are correctly t -1D (+,l) - shared among the players n P f there exsts t degree polynomals f (1),..., f (l) held by D, wth f (l) (0) = s (l) for l = 1,..., l. Every player P P holds shares s (1) = f (1) (),..., s (l) = f (l) () of s (1),..., s (l) along wth a sngle IC sgnature on them from the dealer D (.e. ICSg (1) (s,...,s (l) ) (D, P ))). We denote the t -1D (+,l) -sharng of l length secret by s 1,..., s l t. 9

10 If a secret s s t -1D (+) -shared by a player D P, then we denote t as s D t. Smlarly f l secrets s (1),..., s (l) are t -1D (+,l) -shared by player D, we denote t by s 1,..., s l D t. Notce that f s (1),..., s (l) s t -2D (+,l) -shared,.e. s (1),..., s (l) t, then the th shares of the secrets, namely s (1),..., s (l) wll be automatcally t -1D (+,l) -shared by player P,.e s (1),..., s (l) P t. Now let D P holds l pars of values (a (1), b (1) ),..., (a (l), b (l) ) such that D has already correctly t -1D (+,l) -shared a (1),..., a (l) and b (1),..., b (l) among the players n P. Now D wants to correctly t -2D (+,l) -share c (1),..., c (l) wthout leang any addtonal nformaton about a (l), b (l) and c (l), such that every (honest) player n P nows that c (l) = a (l) b (l) for l = 1,..., l. We propose a protocol ProveCeqAB to acheve ths tas. The dea of the protocol s nspred from [11] wth the followng modfcaton: we mae use of our protocol 2D (+,l) -Share, whch provdes us wth hgh effcency. We try to explan the dea of the protocol wth a sngle par (a, b). Thus D has already t -1D (+) - shared a and b usng polynomals, say f a (x) and f b (x). Now he wants to generate t -2D (+) -sharng of c, where c = ab, wthout leang any addtonal nformaton about a, b and c. For ths, he frst selects a random non-zero β F and generates t -2D (+) -sharng of c, β and βb. Let f c (x), f β (x) and f βb (x) are polynomals mplctly used for sharng c, β and βb. All the players n P then jontly generate a random value r. D then broadcasts the polynomal F 1 (x) = rf a (x) + f β (x). Every player locally checs whether the approprate lnear combnaton of hs shares les on the broadcasted polynomal F 1 (x). If t does not then the player broadcasts D s sgnature on the shares of a and β. If the sgnature s vald and ndeed the player s value does not le on F 1 (x), then all the players wll conclude that D fals to prove c = ab. Otherwse, D agan broadcasts F 2 (x) = F 1 (0)f b (x) f βb (x) rf c (x). As before every players locally checs whether the approprate lnear combnaton of hs shares les on the broadcasted polynomal F 2 (x). If t does not then the player broadcasts D s sgnature on the shares of b and βb and c. If the sgnature s vald and ndeed the player s value does not le on F 2 (x), then all players wll conclude that D fals to prove c = ab. Otherwse every player checs whether F 2 (0) =? 0. If so the everybody accepts the t -2D (+) -sharng of c as vald t -2D (+) -sharng of ab. The error probablty of the protocol s neglgble because of the random r whch s jontly generated by all the players. Specfcally, a corrupted D mght have shared β β, βb βb or c c but stll F 2 (0) can be zero and ths wll happen ff f βb (x) + rf c (x) = f βb (x) + rf c (x). However ths equaton s satsfed by only one value of r. Snce r s randomly generated, ndependent of D, the probablty that the equalty wll hold s 1 F whch s neglgbly small. Now we can extend the above dea parallely for each of the l pars (a (l), b (l) ). The secrecy follows from the fact that the broadcasted polynomals F 1 (x) and F 2 (x) are randomly dstrbuted wth the constant coeffcent of F 2 (x) as zero. 10

11 c (1),..., c (l) D t =ProveCeqAB(D,P, t, l, a (1),..., a (l) D t, b(1),..., b (l) D t ) 1. D randomly generates a random non-zero l length tuple (β (1),..., β (l) ) F l. D then nvoes 2D (+,l) Share(D, P, t, l, c (1),..., c (l) ), 2D (+,l) Share(D, P, t, l, β (1),..., β (l) ) and 2D (+,l) Share(D, P, t, l, b (1) β (1),..., b (l) β (l) ) to verfably t -2D (+,l) -share (c (1),..., c (l) ), (β (1),..., β (l) ) and (b (1) β (1),..., b (l) β (l) ) respectvely. If any of the Share protocol fals, then D fals and the protocol termnates. For l = 1,..., l, let a (l), b (l), c (l), β (l) and β (l) b (l) are mplctly shared usng polynomals f a(l) (x), f b(l) (x), f c(l) (x), f β(l) (x) and f β(l) b (l) (x) respectvely. 2. Now all the players n P jontly generate a random number r. Ths s done as follows: frst the players n P execute the protocol Random(P, t, 1) to generate r t. Then the players compute r = 2D + Recons(P, t, r t ). 3. Now D broadcasts the polynomals F (l) (x) = rf a(l) (x) + f β(l) (x) for l = 1..., l. 4. Player P P checs whether F (l) ()? = rf a(l) () + f β(l) () for l = 1,..., l. If the test fals for at least one l, then P and all players nvoe EffcentRevealVal(D, P, P, l, f a(1) (),..., f a(l) ()) and EffcentRevealVal(D, P, P, l, f β(1) (),..., f β(l) ()) to reveal ICSg (f a (1) (D, P) and (),...,f a(l) ()) ICSg (f β (1) (D, P ). If the sgnature s nvald, gnore P (),...,f β(l) s complants. Otherwse all the values ()) (f a(1) (),..., f a(l) ()) and (f β(1) (),..., f β(l) ()) become publc. Usng these values all players publcly checs whether F (l) ()? = rf a(l) () + f β(l) () for l = 1,..., l. If the test fals for at least one l, then D fals and the protocol termnates here. 5. Now D broadcasts the polynomals G (l) (x) = F (l) (0)f b(l) (x) f β(l) b (l) (x) rf c(l) (x) for l = 1..., l. 6. Player P P checs whether G (l) ()? = F (l) (0)f b(l) () f β(l) b (l) () rf c(l) () for l = 1,..., l. If the test fals for at least one l, then P and all players n P nvoe EffcentRevealVal(D, P, P, l, f b(1) (),..., f b(l) ()), EffcentRevealVal(D, P, P, l, f β(1) b (1) (),..., f β(l) b (l) ()) and EffcentRevealVal(D, P, P, l, f c(1) (),..., f c(l) ()) to reveal ICSg (f b (1) (),...,f b(l) ()) (D, P ), ICSg (f β (1) b (1) (),...,f β(l) b (l) ()) (D, P ) and ICSg (f c (1) (),...,f c(l) ()) (D, P ). 7. If the sgnature s nvald, gnore P s complant. Otherwse all the values (f b(1) (),..., f b(l) ()), (f β(1) b (1) (),..., f β(l) b (l) ()) and (f c(1) (),..., f c(l) ()) become publc. Usng these values all players publcly checs whether G (l) ()? = F (l) (0)f b(l) () f β(l) b (l) () rf c(l) () for l = 1,..., l. If the test fals for at least one l, then D fals and protocol termnates here. 8. Every player checs whether G (l)? = 0 for l = 1,..., l. If the test fals for at least one l, then D fals and protocol termnates here. Otherwse D has proved that c (l) = a (l) b (l) for l = 1,..., l. Lemma 9 In protocol ProveCeqAB, f D does not fal, then wth overwhelmng probablty, every (a (l), b (l) ), c (l) satsfes c (l) = a (l) b (l) for l = 1,..., l. ProveCeqAB taes twenty fve rounds and communcates O((ln 2 + n 4 )κ) bts and broadcasts O((ln 2 + n 4 )κ) bts. Moreover, f D s honest then A t learns no nformaton about a (l), b (l) and c (l), for 1 l l. 2.5 Multplcaton Let two sets of l values a (1),..., a (l) and b (1),..., b (l) are correctly t -2D (+,l) -shared among the players n P,.e. a (1),..., a (l) t and b (1),..., b (l) t. We now present a protocol called Mult, whch allows the players to compute t -2D (+,l) -sharng c (1),..., c (l) t such that c (l) = a (l) b (l) for l = 1,..., l. Our protocol s based on the technque used n [11] wth the followng dfference: we mae use of our protocol ProveCeqAB, whch provdes us wth hgh effcency. We explan the dea wth only one par, say (a, b). Gven that a and b are correctly t -2D (+) -shared among the players n P, t mples that mplctly P holds a and b where a and b are the th share of a and b respectvely. Now multplyng a and b, P obtans th share e = a b of c where (e 1,..., e n ) s 2t -1D-sharng of c. Ths s not what we desre. We want P to hold c such that c s the th share of t -1D-sharng of c. For ths, each player P t -2D (+) -shares the value e = a b wth the proof that e s ndeed the multplcaton of a and b. Now, all the players jontly hold e 1 t,..., e n t. Snce e 1,..., e n are n ponts on a 2t degree polynomal, say C(x) whose constant term s c, by Lagrange nterpolaton formula [10], c can be computed as c = n =1 r e where r = n x j j=1,j j. The vector (r 1,..., r n ) s called recombnaton vector [10] whch s publc and nown to every player. So for shorthand notaton, we wrte c = Lagrange(e 1,..., e n ) = n =1 r e. Now all players compute c t = Lagrange( e 1 t,..., e n t ), to obtan the desred output. But notce that c s the constant term of a 2t degree polynomal C(x). So we need to have 11

12 2t + 1 of the n t -2D (+) -shared values e 1 t,..., e n t ). The reason s that any 2t degree polynomal needs at least 2t + 1 ponts for ts nterpolaton. So f t = t and n = 2t + 1, then c can not be computed even f at least one player fals to t -2D (+) -share hs e value. In general, to fal Protocol Mult at least n (2t + 1) + 1 = n 2t players must fal to t -2D (+) -share ther correspondng e values. All such players wll be removed from P and wll be added to C. c (1),..., c (l) t = Mult(P, l, a (1),..., a (l) t, b (1),..., b (l) t ) 1. Gven a (1),..., a (l) t, t mples that th shares of a (1),..., a (l) are t -1D (+) -shared by P.e. a (1),..., a (l) P t for P P. Smlarly gven b (1),..., b (l) t, we have b (1),..., b (l) P t for P P. 2. Player P n P nvoes ProveCeqAB(P, P, t, l, a (1),..., c (l) P c (1) t.,..., a (l) P t, b (1),..., b (l) P t ) to generate 3. If at least n 2t players fals n executng ProveCeqAB, then remove them from P, adjust t and termnate the protocol wthout generatng the expected result. Otherwse for smplcty assume that the frst 2t + 1 players are successful n executng ProveCeqAB. 4. All the players compute: c (1),..., c (l) t = 2t +1 =1 r c (1),..., c (l) P t, where (r 1,..., r 2t +1) represents the recombnaton vector. Lemma 10 Wth overwhelmng probablty, protocol Mult produces c (1),..., c (l) t from a (1),..., a (l) t and b (1),..., b (l) t such that c (l) = a (l) b (l) f less then n 2t players are added to C. Mult taes twenty fve rounds and communcates O((ln 3 + n 5 )κ) bts and broadcasts O((ln 3 + n 5 )κ) bts. Moreover, A t learns nothng about c (l), a (l) and b (l), for 1 l l. 2.6 Provng a=b Consder the followng scenaro: Let D P has t -1D (+,l) -shared l values a (1),..., a (l) among the players n P. Now some more computaton has been carred out after the sharng done by D and durng the computaton some players have been detected as faulty and removed from P. Let us denote the snapshot of P before and after the computaton by P 1 and P 2 respectvely. Also assume P 1 = n 1 and the number of corrupted players n P 1 s t 1 wth n 1 t t 1. Smlarly P 2 = n 2 and the number of corrupted players n P 2 s t 2 wth n 2 t t 2, t 1 > t 2. Now D wants to correctly t 2-2D (+,l) -share b (1),..., b (l) among the players of P 2 such that b (l) = a (l), wthout leang any addtonal nformaton about a (l). We propose a protocol ProveAeqB to acheve ths tas. We try to explan the dea of the protocol wth a sngle value a. D has already t 1-1D (+) -shared a among the players n P 1 by mplctly usng polynomal say f a (x). Now he wants to t 2-2D (+) -share a among the players n P 2. For ths, he frst generates t 2-2D (+) -sharng of b wth b = a. Let f b (x) be the polynomal mplctly used for sharng b. D then selects a random element c F and (t 1 1)-2D (+) -shares c among the players n P 2. Let f c (x) be the polynomal mplctly used for sharng c. Now to prove that f a (x) and f b (x) share the same value a, D broadcasts the polynomal F (x) = f a (x) + xf c (x) f b (x). Every player from P 2 locally checs whether the approprate lnear combnaton of hs shares les on the broadcasted polynomal F (x). If not then the player broadcasts D s sgnature on the shares of a, b and c. If the sgnature s vald and ndeed the player s value does not le on F (x) then all players wll conclude that D has faled to prove b = a. Otherwse every player checs whether F (0)? = 0. If so then everybody accepts the t 2-2D (+) -sharng of b as vald t 2-2D (+) -sharng of a. Our protocol ProveAeqB acheves ths tas for l values smultaneously. The secrecy follows from the fact that F (x) s randomly dstrbuted wth F (0) = 0. Lemma 11 In protocol ProveAeqB, f D does not fal, then wth overwhelmng probablty, every (a (l), b (l) ) satsfes a (l) = b (l). ProveAeqB taes thrteen rounds and communcates and broadcasts O((ln 2 +n 3 )κ) bts. Moreover, f D s honest then A t learns no nformaton about a (l), for 1 l l. 2.7 Resharng As descrbed n prevous secton, consder the tme-stamps before and after some computaton where before and after the computaton, P s denoted by P 1 and P 2 respectvely. Let the players n P 1 holds a t 1-2D (+,l) -sharng of l values s (1),..., s (l).e. s (1),..., s (l) t1. Now the players want to jontly generate t 2-2D (+,l) -sharngs of same values.e s (1),..., s (l) t2 among the players 12

13 a (1),..., a (l) D t 2 = ProveAeqB(D,P 2, t 1, t 2, l, a (1),..., a (l) D t 1 ) 1. D nvoes 2D (+,l) Share(D, P 2, t 2, l, a (1),..., a (l) ) to verfably t 2-2D (+,l) -share (a (1),..., a (l) ). D selects a random l length tuple (c (1),..., c (l) ) F l and nvoes 2D (+,l) Share(D, P 2, t 1 1, l, c (1),..., c (l) ). If protocol 2D (+,l) Share fals then D fals here and the protocol termnates here. Otherwse for convenence we say that D has t 2-2D (+,l) -shared (b (1),..., b (l) ). For an honest D, a (l) = b (l) for l = 1,..., l. 2. For l = 1,..., l, let a (l), b (l) and c (l) are mplctly shared usng polynomals f a(l) (x) (degree t 1 ), f b(l) (x) (degree t 2) and f c(l) (x) (degree t 1 1) respectvely. Now D broadcasts the polynomals F (l) (x) = f a(l) (x)+ xf c(l) (x) f b(l) (x) for l = 1..., l. 3. Player P P 2 checs whether F (l) ()? = f a(l) () + f c(l) () f b(l) () for l = 1,..., l. If the test fals for at least one l, EffcentRevealVal(D, P, P 1, l, f a(1) (),..., f a(l) ()), EffcentRevealVal(D, P, P 2, l, f b(1) (),..., f b(l) ()) and EffcentRevealVal(D, P, P 2, l, f c(1) (),..., f c(l) ()) are nvoed to reveal sgnature of D on (f a(1) (),..., f a(l) ()), (f c(1) (),..., f c(l) ()) respectvely. (f b(1) (),..., f b(l) ()) and 4. If the sgnatures are nvald, then gnore P s complants. Otherwse all the values (f a(1) (),..., f a(l) ()), (f b(1) (),..., f b(l) ()) and (f c(1) (),..., f c(l) ()) become publc. Usng these values all players publcly checs whether F (l) ()? = f a(l) + f c(l) () f b(l) () for l = 1,..., l. If the test fals for at least one l, then D fals and protocol termnates here. 5. Every player checs whether F (l) (0)? = 0 for l = 1,..., l. If the test fals for at least one l, then D fals and protocol termnates here. Otherwse D has proved that a (l) = b (l). n P 2 where t 2 < t 1. Snce n 2 t t 2, generatng t 2-2D (+,l) -sharng among the players n P 2 does not cause any loss of secrecy. We now present a protocol Reshare to perform ths tas. a (1),..., a (l) t2 = Reshare(P, t 1, t 2, l, a (1),..., a (l) t1 ) 1. Gven a (1),..., a (l) t1, t mples that the th shares of a (1),..., a (l) are already t 1-1D (+,l) -shared by P,.e. a (1),..., a (l) P t 1 for P P 1. Player P n P 2 nvoes ProveAeqB(P, P 2, t 1, t 2, l, a (1),..., a (l) P t 1 ) to generate a (1),..., a (l) P t 2. For smplcty assume that frst t players are successful n ProveAeqB. Snce n 2 = t t 2 and t > t 1, at least t + 1 t honest players wll always be successful. 2. All the players compute: a (1),..., a (l) t2 = t 1 +1 =1 r a (1),..., a (l) P t 2, where (r 1,..., r t1 +1) represents the recombnaton vector. Lemma 12 Wth overwhelmng probablty, protocol Reshare produces t 2-2D (+,l) -sharng a (1),..., a (l) t2 from a (1),..., a (l) t1 wth t 2 < t 1. Reshare taes thrteen rounds and communcates O((ln 3 + n 4 )κ) bts and broadcasts O((ln 3 +n 4 )κ) bts. Moreover, A t learns nothng about a (l), for 1 l l. 2.8 Preparaton Phase We call a trple (a, b, c) as a multplcaton trple f c = ab. The goal of the preparaton phase s to generate correct d-2d + -sharngs of (c M + c R ) secret multplcaton trples where d denotes the number of corrupted players stll present n P at the end of preparaton phase. So n total there wll be c M + c R multplcaton trples (a (), b (), c () ) such that c () = a () b () for = 1,..., (c M + c R ). The generaton of c M + c R multplcaton trples s dvded nto log(t) segments, wheren each segment s responsble for generatng d-2d (+,l) -sharngs of l = c M +c R log t trples. Here we use a novel technque called rapd player elmnaton (RPE) whch wors n the followng way: The computaton of a segment s non-robust.e. a segment may fal due to the (ms)behavor of certan number of corrupted players who reveal ther dentty durng the executon of the segment. At the begnnng of preparaton phase we set the counter for eepng trac the number of (segment) falures to zero.e f = 0. We create a wn-wn stuaton, where f a segment fals, then t must be due to the revelaton/detecton of at least 2 f new corrupted players. After removng the corrupted players from P, a fresh executon of the same segment wll be started wth f ncremented by 1. Ths ensures that total log(t) 1 falures can occur (.e f log(t) 1) snce log(t) 1 falures are enough to reveal all the t corrupted players. Once all the t corrupted players are revealed, rest of the computaton can run wthout occurrence of any falure. Specfcally, n every segment one 13