Simplified VSS and Fast-track Multiparty Computations
with Applications to Threshold Cryptography
(Regular presentation submission)
MICHAEL O. RABIN
The goal of this paper is to introduce a simple verifiable secret sharing scheme, and to improve the efficiency
of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of
applications which use these protocols.
First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic
primitivesand avoids altogether the need for expensive zero-knowledge proofs.
This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a
major component in secure multiparty computation protocols and accounts for much of the complexity of
proposed solutions. Using our protocol as a plug in unit for known protocols reduces their complexity.
of homomorphic commitments.
Finally, we borrow from other fields and introduce into the multiparty computation scenario the notion of
fast-track computations. In a model in which malicious faults are rare we show that it is possible to carry
out a simpler and more efficient protocol which does not perform all the expensive checks needed to combat
a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and
recovers the computation when faults occur without givingany informationadvantage to the adversary. This
results in protocols which are much more efficient under normal operation of the system i.e. when there are
the speed and the fault-tolerance of existing threshold cryptography protocols.
?IBM T.J. Watson ResearchCenter, PO Box 704, Yorktown Heights, New York 10598, USA Email: firstname.lastname@example.org.
yHarvard University and Hebrew University. Email: email@example.com
zIBM T.J. WatsonResearchCenter,POBox704,Yorktown Heights,NewYork 10598,USA Email: firstname.lastname@example.org. Contact
The past twenty years have witnessed an exciting development of research in the area of cryptography and
network security. From the introduction of public-key cryptography [DH76, RSA78], to the invention of zero-
knowledgeproofs[GMR89], tothedefinitionoftheproblemof securemultipartycomputationandthesomewhat
The combination of these results is extremely powerful, as they show that virtually any cryptographic problem
can be solved under some reasonable appropriate assumptions.
even a simple public-key operation is sometimes considered too slow in comparison to the speed required by
the application. Thus, the complicated exchanges of messages and zero-knowledge proofs in protocols like
[Yao82, GMW87, BGW88, CCD88], might render them impractical. Thus, it is a high priority to optimize such
techniques. Yet, they do provide for a sound basis for our solutions, in particular we will draw heavily on the
solution introduced in [BGW88].
For the problem of verifiable secret sharing, attempts have been made to simplify the protocols by moving
into the computational model. Such results were achieved by Feldman and Pedersen [Fel87, Ped91a], and in
fact exhibit improved results with respect to communication.
We shall concentrate in this paper on the problems of verifiable secret sharing and multiparty computations.
Thus, optimization can be achieved in (at least) two ways. One is to tailor protocols to the specific problem
at hand. Examples of this kind of approach include works on threshold cryptography (see Section 6) where
efficient multiparty computation protocols are devised for the task of shared generation of digital signatures.
Another possible approach, the one which we follow in this paper, is to go back to the original works
and see if their efficiency can be directly improved. If one can devise general techniques to improve on the
computation/communicationof secure multiparty protocols it is also likely that thesetechniques would improve
the efficiency of “ad-hoc” optimizations.
OUR CONTRIBUTION. In thispaper we present new algorithmsto perform specific computations more efficiently.
Furthermore, we initiate new modes of operation to enhance overall performance. The major contributions can
be summarized as follows:
? A new simple and efficient design for Verifiable Secret Sharing scheme
? Computational simplifications of the Ben-Or et al. [BGW88] protocol
? Efficient multiparty computations in the computational model
? Expeditingcomputations through the notion of “fast-track”
? Applying all the above to a specific cryptographic problem
VSS. The first algorithm is a very simple and efficient Verifiable Secret Sharing protocol (Section 2). The
main novelty of our protocol is that it is based on an efficient commitment scheme and it avoids altogether
the expensive zero-knowledge proofs, which are usually carried out to ensure the correctness of actions of
the participants in the protocol. Our protocol improves considerably over all existing verifiable secret sharing
schemes, either in communication and/or in computation.
COMPUTATIONAL SIMPLIFICATIONS. The second protocol is a highly simplified protocol to compute multipli-
cation over shared secrets. That is, in the model where there are two secrets
distributivelyamong a set of
protocol can be used in any existing multiparty computation protocol. For example when used inside[BGW88]
it improves the speed of the computation of a multiplication gate by a factor of at least 2. When used insideour
general multiparty protocol, gains are even greater.
b which are shared
n players, the protocolenables theplayers to secretly compute theproduct
EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using construc-
tions based on homomorphic commitments. Some of these techniques have been independently devised by
[CDM97], yet they use them in the context of span programs.
FAST-TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a
who may cause players to behave arbitrarily during the protocol. It is a well-known phenomenon that “private”
computations (i.e. secure only against passive adversaries) are usually much simpler and efficient, as they
eliminate all verification of proper conduct.
Typically, however, one can expect malicious faults to happen quite rarely. Consider for example a very
sensitivedistributedsignaturegenerationsystem(likea root certificationauthority)wheretheserversare heavily
protected by firewalls and othersecurity mechanisms. In this case one cannot rule out malicious faults (and thus
cannot blindly use the simpler private protocols), but on the other hand would like to take advantage in some
way of the fact that faults are rare.
We would like to build on the efficiency of private protocols, which operate under the assumption that no
faultsoccur, whileavoidingthetrap ofassumingthatyou can executetheprivatecomputationuntilafaultoccurs
and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.
Thus,we borrow from otherfields and introduceintothe multipartycomputationscenario the notionof fast-
track computations. The idea is to avoid carrying out all the verification steps, but rather to identify “critical”
verification points. Only at these critical points some verification will be carried out. Once the verification is
carried out in a critical point we are guaranteed that the computation up to this point is correct. These critical
points must be chosen in such a manner that if faults occur between two consecutive critical points
thesection from critical point
An attractive feature of our approach is that most of the verification at the critical points will not be the
standard verification steps of the protocol, but rather a subset of the verification steps which should have been
computed. For example in the general multiparty computation of an arithmetic circuit, critical points are placed
on multiplications gates. At these gates we need to verify only one VSS compared to, for example, [BGW88]
APPLICATIONS. As an example of the practical impact of our approach, we present its application in the area of
threshold cryptography. We show that existing threshold signature protocols can be greatly enhanced in speed
using our techniques. We exemplify this over the threshold DSS protocol of [GJKR96b]. The improvements
are quite substantial. We improve the fault-tolerance from
or the computational complexity, thanks to our simplified VSS and multiplication protocols. We also present a
fast-track version of the protocol which requires >from each server a factor of
than a fully fault-tolerant protocol (e.g. in [GJKR96b]) (see Section 6).
2 Verifiable Secret Sharing Made Very Simple
?is a later point in the protocol, then the faults will be detected at point
?. Furthermore, recomputing
?will notviolatethesecurity ofthe computation. Thus, ifno faults occurred
?we “saved” all the verifications which should have been carried out between these two points.
O?n? such VSS’s must be checked (at least one for each player).
n?? without increasing the communication
n modular exponentiations less
Since the appearance of Shamir’s [Sha79] and Blakley’s [Bla79] seminal papers on secret sharing which
introduced the notion of sharing a secret and gave very simple solutions to the problem, the research on
this topic has been extensive. These two solutions worked in the model where there are no faults in the
system. Tompa and Woll [TW88] and McEliece and Sarwate [MS81] gave the first (partial) solutions for a
model with faults. Finally the paper of Chor et al. [CGMA85] defined the complete notion of Verifiable
Secret Sharing (VSS), and gave a solution. Under various assumptions, solutions to the problem were given
[CGMA85, GMW91, Fel87, BGW88, CCD88, RB89, Ped91a]. In order to achieve the goal of verifiability,
these protocols deviate from the original solutions’ simplicity. They require either heavy computations and/or
extensivezero-knowledgeproofsofproperconduct. Furthermore, in ordertoreconstructthesecret thereis again
a need for extensive computations.
In this section we will describe a VSS protocol which returns to the original simplicity of Shamir’s scheme,
and reconstructing). This simple solution is enabled through an observation that all existing protocols achieve
much more than is required, and by eliminating all the overhead, efficiency can be regained.
In Appendix A we present Shamir’s Secret Sharing, and in Appendix B a definition of verifiable secret
sharing due to [FM].
We now proceed to describe a protocol which satisfies the above definition of VSS. It will be based on Shamir’s
secret sharing, with an additional low cost added construction. This construction will basically be an efficient
commitment of the dealer to each one of the shares held by the players. The commitment to shares as a whole
commits the dealer to a single secret. The individual commitments can be opened as we have enough good
in Figure 1. In order to construct our protocol we need some form of commitment which satisfies the following
conditions. We shall denoteourcommitment functionby
as input the secret value
Our VSS protocol
H. It will bea randomized functionwhich will receive
x and a random value
H?x?r? it is infeasible to compute any information about
collisionresistance it is infeasible to find two strings
universal verifiability given
not require knowledge of a secret key).
y everybody can verify if
y?H?x?r? (i.e. the computation of
For example one could conjecture that
Theorem 1 The protocol New-VSS in Figure 1 is a VSS protocol.
Proof appears in Appendix C.
EFFICIENCY ANDSECURITY. If
then we would like to stress the efficiency of the above VSS protocol. During the sharing phase the dealer has
computation is highly efficient. During the recover phase each player has to compute the hash
costly modular exponentiationsor complex ZK proofs are required.
The security of
resistance of SHA-1. However if one wants provable security without losing in efficiency one can use the
efficient provably secure commitment scheme of [DPP96] based on collision resistant hashing.
n executions of the function
H while each player computes a single evaluation, and each such
n times. No
H?x?r??SHA-1?x?r? can however be only conjectured on the basis of the collision
Shamir’s protocol. On top of that they add some proof from the dealer that the values shared lie on a polynomial
which will be defined more rigorously later.
In [GMW91] the shares are encrypted and then theVSPS property is proven via a “generic” zero-knowledge
(ZK)proofof an NP-completeproblem. Thepublicknowledgeof theencryptedshares also prevents bad players
from contributing bad shares during reconstruction. This approach is made more efficient in [Fel87, Ped91a]
t, thus ensuringthat theshares identifya uniquesecret. We refer to this propertyas theVSPS property,
Verifiable Secret Sharing
1. Protocol for Dealer on input a secret:
? Randomly choose polynomials
? Compute and hand player
? Compute and broadcast the value
3. If player
4. If the dealer does not follow some step he is disqualified, otherwise conclude that a secret has been shared.
?. If the equation does not hold then he broadcasts a complaint against the
ibroadcasted a complaint then the dealer broadcasts the values
1. Each player broadcasts the values
t?? broadcasted values for which
? and interpolate polynomials
?r?x? of degree at
t that pass throughthose points.
??r?i? and verify that
? for all
i. If yes, output
f ??? else output 0.
Figure 1: New-VSS: - Sharing and Reconstruction Protocols
where the dealer publicly commits to the polynomial using some form of “homomorphic” commitment scheme.
These commitments in return provide for a simpler proof of the VSPS property.
In [BGW88, CCD88, Rab94] the model assumes a computationallyunbounded adversary, disabling the use
of encryption. In this case the ZK proof is done via a cut-and-choose approach. Correction of bad shares during
recover is done via error-correcting codes [BGW88, CCD88] or via a mechanism of mutual authentication
Is there a trend developing in all these solutions which explains why our solution is so simple? The answer
is yes. The above mentioned results achieve more than just having the dealer commit to a single value. Indeed
the dealer commits to a polynomial of degree
This additional commitment apparently complicates the protocol, and adds computations, and is not necessary
in order to achieve the sole goal of verifiable secret sharing. Indeed our protocol shows that it is possible to
commit to a single value without committing to the full polynomial. We will refer to the above protocols with
the new name of Verifiable Secret and Polynomial Sharing (VSPS).
t, where the intended secret is the free term of this polynomial.
Definition 1 We say that
properties hold for any adversary
1. The protocol is a VerifiableSecret Sharing
2. VSPS property If the value set by the VSS is
? is a Verifiable Secret and Polynomial Sharing protocol (VSPS) if the following
? then there exists a polynomial
f?x? of degree at most
f????? and player
iknows the value
In Section 4.2.1 we will provide a method to enhance our VSS scheme by adding the VSPS property.
As we will see later VSPS protocols are important as a tool for multiparty computation, due to their structural
homomorphic properties. However, they are an overkill for a single VSS. And indeed there are several
applications, such as storing important information for back-up in a distributed fashion on insecure devices,
where there is a need only for VSS without a requirement to compute on the shares.