
Simplified VSS and Fast-track Multiparty Computations with Applications to Threshold Cryptography

(Regular presentation submission)

ROSARIO GENNARO*    MICHAEL O. RABIN†    TAL RABIN‡

Abstract

The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols.

First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zero-knowledge proofs.

This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plug-in unit for known protocols reduces their complexity.

We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments.

Finally, we borrow from other fields and introduce into the multiparty computation scenario the notion of fast-track computations. In a model in which malicious faults are rare we show that it is possible to carry out a simpler and more efficient protocol which does not perform all the expensive checks needed to prevent a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and recovers the computation when faults occur, without giving any information advantage to the adversary. This results in protocols which are much more efficient under normal operation of the system, i.e. when there are no faults.

As an example of the practical impact of our work we show how our techniques can be used to greatly improve the speed and the fault-tolerance of existing threshold cryptography protocols.

* IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA. Email: rosario@watson.ibm.com.

† Harvard University and Hebrew University. Email: rabin@cs.huji.ac.il

‡ IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA. Email: talr@watson.ibm.com. Contact author.


1 Introduction

The past twenty years have witnessed an exciting development of research in the area of cryptography and network security: from the introduction of public-key cryptography [DH76, RSA78], to the invention of zero-knowledge proofs [GMR89], to the definition of the problem of secure multiparty computation and the somewhat surprising proof that any multiparty computation can be performed securely [Yao82, GMW87, BGW88, CCD88]. The combination of these results is extremely powerful, as they show that virtually any cryptographic problem can be solved under some reasonable appropriate assumptions.

Although theoretically impressive, these results lack in the area of practical feasibility. In today's applications even a simple public-key operation is sometimes considered too slow in comparison to the speed required by the application. Thus, the complicated exchanges of messages and zero-knowledge proofs in protocols like [Yao82, GMW87, BGW88, CCD88] might render them impractical, and it is a high priority to optimize such techniques. Yet, they do provide a sound basis for our solutions; in particular we will draw heavily on the solution introduced in [BGW88].

For the problem of verifiable secret sharing, attempts have been made to simplify the protocols by moving

into the computational model. Such results were achieved by Feldman and Pedersen [Fel87, Ped91a], and in

fact exhibit improved results with respect to communication.

We shall concentrate in this paper on the problems of verifiable secret sharing and multiparty computations. The inefficiency of the general secure multiparty protocols is partially caused by the "generality" of the algorithms. Thus, optimization can be achieved in (at least) two ways. One is to tailor protocols to the specific problem at hand. Examples of this kind of approach include works on threshold cryptography (see Section 6) where efficient multiparty computation protocols are devised for the task of shared generation of digital signatures.

Another possible approach, the one which we follow in this paper, is to go back to the original works and see if their efficiency can be directly improved. If one can devise general techniques to improve on the computation/communication of secure multiparty protocols it is also likely that these techniques would improve the efficiency of "ad-hoc" optimizations.

OUR CONTRIBUTION. In this paper we present new algorithms to perform specific computations more efficiently. Furthermore, we initiate new modes of operation to enhance overall performance. The major contributions can be summarized as follows:

• A new simple and efficient design for a Verifiable Secret Sharing scheme

• Computational simplifications of the Ben-Or et al. [BGW88] protocol

• Efficient multiparty computations in the computational model

• Expediting computations through the notion of "fast-track"

• Applying all the above to a specific cryptographic problem

VSS. The first algorithm is a very simple and efficient Verifiable Secret Sharing protocol (Section 2). The

main novelty of our protocol is that it is based on an efficient commitment scheme and it avoids altogether

the expensive zero-knowledge proofs, which are usually carried out to ensure the correctness of actions of

the participants in the protocol. Our protocol improves considerably over all existing verifiable secret sharing

schemes, either in communication and/or in computation.

COMPUTATIONAL SIMPLIFICATIONS. The second protocol is a highly simplified protocol to compute multiplication over shared secrets. That is, in the model where there are two secrets $a$ and $b$ which are shared distributively among a set of $n$ players, the protocol enables the players to secretly compute the product $ab$. This protocol can be used in any existing multiparty computation protocol. For example, when used inside [BGW88] it improves the speed of the computation of a multiplication gate by a factor of at least 2. When used inside our general multiparty protocol, gains are even greater.


EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using constructions based on homomorphic commitments. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs.

FAST-TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a heavy cost in terms of communication/computation in order to guarantee robustness against malicious adversaries who may cause players to behave arbitrarily during the protocol. It is a well-known phenomenon that "private" computations (i.e. secure only against passive adversaries) are usually much simpler and more efficient, as they eliminate all verification of proper conduct.

Typically, however, one can expect malicious faults to happen quite rarely. Consider for example a very sensitive distributed signature generation system (like a root certification authority) where the servers are heavily protected by firewalls and other security mechanisms. In this case one cannot rule out malicious faults (and thus cannot blindly use the simpler private protocols), but on the other hand would like to take advantage in some way of the fact that faults are rare.

We would like to build on the efficiency of private protocols, which operate under the assumption that no faults occur, while avoiding the trap of assuming that you can execute the private computation until a fault occurs and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.

Thus, we borrow from other fields and introduce into the multiparty computation scenario the notion of fast-track computations. The idea is to avoid carrying out all the verification steps, but rather to identify "critical" verification points. Only at these critical points some verification will be carried out. Once the verification is carried out in a critical point we are guaranteed that the computation up to this point is correct. These critical points must be chosen in such a manner that if faults occur between two consecutive critical points $c_1$ and $c_2$, where $c_2$ is a later point in the protocol, then the faults will be detected at point $c_2$. Furthermore, recomputing the section from critical point $c_1$ to $c_2$ will not violate the security of the computation. Thus, if no faults occurred between $c_1$ and $c_2$ we "saved" all the verifications which should have been carried out between these two points.

An attractive feature of our approach is that most of the verification at the critical points will not be the standard verification steps of the protocol, but rather a subset of the verification steps which should have been computed. For example, in the general multiparty computation of an arithmetic circuit, critical points are placed on multiplication gates. At these gates we need to verify only one VSS compared to, for example, [BGW88] where $O(n)$ such VSS's must be checked (at least one for each player).

APPLICATIONS. As an example of the practical impact of our approach, we present its application in the area of threshold cryptography. We show that existing threshold signature protocols can be greatly enhanced in speed using our techniques. We exemplify this over the threshold DSS protocol of [GJKR96b]. The improvements are quite substantial. We improve the fault-tolerance from $n/4$ to $n/2$ without increasing the communication or the computational complexity, thanks to our simplified VSS and multiplication protocols. We also present a fast-track version of the protocol which requires from each server a factor of $n$ modular exponentiations less than a fully fault-tolerant protocol (e.g. in [GJKR96b]) (see Section 6).

2 Verifiable Secret Sharing Made Very Simple

Since the appearance of Shamir’s [Sha79] and Blakley’s [Bla79] seminal papers on secret sharing which

introduced the notion of sharing a secret and gave very simple solutions to the problem, the research on

this topic has been extensive. These two solutions worked in the model where there are no faults in the

system. Tompa and Woll [TW88] and McEliece and Sarwate [MS81] gave the first (partial) solutions for a

model with faults. Finally the paper of Chor et al. [CGMA85] defined the complete notion of Verifiable

Secret Sharing (VSS), and gave a solution. Under various assumptions, solutions to the problem were given

[CGMA85, GMW91, Fel87, BGW88, CCD88, RB89, Ped91a]. In order to achieve the goal of verifiability,

these protocols deviate from the original solutions’ simplicity. They require either heavy computations and/or


extensive zero-knowledge proofs of proper conduct. Furthermore, in order to reconstruct the secret there is again a need for extensive computations.

In this section we will describe a VSS protocol which returns to the original simplicity of Shamir's scheme; furthermore the implementation requires very little computational and communication overhead (both for sharing and reconstructing). This simple solution is enabled through an observation that all existing protocols achieve much more than is required, and by eliminating all the overhead, efficiency can be regained.

In Appendix A we present Shamir’s Secret Sharing, and in Appendix B a definition of verifiable secret

sharing due to [FM].

2.1 Our VSS protocol

We now proceed to describe a protocol which satisfies the above definition of VSS. It will be based on Shamir's secret sharing, with an additional low cost added construction. This construction will basically be an efficient commitment of the dealer to each one of the shares held by the players. The commitment to the shares as a whole commits the dealer to a single secret. The individual commitments can be opened as we have enough good players who will expose their values and, through those, verify all other commitments. Our VSS protocol appears in Figure 1. In order to construct our protocol we need some form of commitment which satisfies the following conditions. We shall denote our commitment function by $H$. It will be a randomized function which will receive as input the secret value $x$ and a random value $r$.

secrecy: given $H(x, r)$ it is infeasible to compute any information about $x$

collision resistance: it is infeasible to find two strings $(x_1, r_1)$ and $(x_2, r_2)$ such that $H(x_1, r_1) = H(x_2, r_2)$

universal verifiability: given $x, r$ and $y$ everybody can verify if $y = H(x, r)$ (i.e. the computation of $H$ does not require knowledge of a secret key).

For example one could conjecture that $H(x, r) = \text{SHA-1}(x, r)$.

Theorem 1 The protocol New-VSS in Figure 1 is a VSS protocol.

Proof appears in Appendix C.

EFFICIENCY AND SECURITY. If $H$ is implemented via a cryptographic hash function (e.g. $H(x, r) = \text{SHA-1}(x, r)$) then we would like to stress the efficiency of the above VSS protocol. During the sharing phase the dealer has to compute $n$ executions of the function $H$ while each player computes a single evaluation, and each such computation is highly efficient. During the recover phase each player has to compute the hash $n$ times. No costly modular exponentiations or complex ZK proofs are required.

The security of $H(x, r) = \text{SHA-1}(x, r)$ can however be only conjectured on the basis of the collision resistance of SHA-1. However, if one wants provable security without losing in efficiency one can use the efficient provably secure commitment scheme of [DPP96] based on collision resistant hashing.
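As an added example (not code from the paper), the following Python simulation implements the New-VSS sharing and reconstruction phases of Figure 1 over a prime field, instantiating $H$ with SHA-256 over the share and its randomness rather than the SHA-1 conjectured above; the field modulus and the 16-byte encoding are assumptions of the example.

```python
# Simulation of New-VSS (Figure 1). Assumptions of this example: shares live in
# Z_Q for the Mersenne prime Q = 2^127 - 1, and H(x, r) = SHA-256(x || r).
import hashlib
import secrets

Q = (1 << 127) - 1


def commit(x, r):
    """H(x, r): a keyless, universally verifiable commitment to share x with randomness r."""
    return hashlib.sha256(x.to_bytes(16, "big") + r.to_bytes(16, "big")).digest()


def rand_poly(degree, constant):
    """Random polynomial of degree at most `degree` (ascending coefficients) with f(0) = constant."""
    return [constant] + [secrets.randbelow(Q) for _ in range(degree)]


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def interpolate(points, x):
    """Lagrange interpolation through `points` = [(x_i, y_i)], evaluated at x (mod Q)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != i:
                num = num * (x - xk) % Q
                den = den * (xi - xk) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total


def share(secret, n, t):
    """Dealer: shares (alpha_i, rho_i) = (f(i), r(i)) and broadcast commitments A_i = H(alpha_i, rho_i)."""
    f = rand_poly(t, secret)
    r = rand_poly(t, secrets.randbelow(Q))
    shares = {i: (poly_eval(f, i), poly_eval(r, i)) for i in range(1, n + 1)}
    commitments = {i: commit(a, p) for i, (a, p) in shares.items()}
    return shares, commitments


def verify_share(i, share_i, commitments):
    """Sharing phase, step 2: player P_i checks A_i = H(alpha_i, rho_i) or complains."""
    return commitments[i] == commit(*share_i)


def reconstruct(broadcast, commitments, t):
    """Reconstruction phase: keep broadcast values matching A_i, interpolate from t+1 of
    them, then require every published A_i to match the interpolated polynomials."""
    good = [(i, a, p) for i, (a, p) in broadcast.items() if commitments[i] == commit(a, p)]
    if len(good) < t + 1:
        return 0
    f_pts = [(i, a) for i, a, _ in good[: t + 1]]
    r_pts = [(i, p) for i, _, p in good[: t + 1]]
    for i in commitments:
        if commitments[i] != commit(interpolate(f_pts, i), interpolate(r_pts, i)):
            return 0  # some committed share is off the degree-t polynomial
    return interpolate(f_pts, 0)


def demo(secret=1234567, n=5, t=2):
    """Honest run, then a run where player 1 broadcasts a forged share (it is ignored)."""
    shares, commitments = share(secret, n, t)
    all_ok = all(verify_share(i, s, commitments) for i, s in shares.items())
    honest = reconstruct(dict(shares), commitments, t)
    forged = dict(shares)
    a, p = forged[1]
    forged[1] = ((a + 1) % Q, p)  # fails H(alpha_1, rho_1) = A_1, so it is dropped
    return all_ok, honest, reconstruct(forged, commitments, t)


def bad_dealer_demo(secret=42, n=5, t=2):
    """Dealer commits A_n to a value off the polynomial: step 3 of reconstruction outputs 0."""
    shares, commitments = share(secret, n, t)
    commitments[n] = commit((shares[n][0] + 1) % Q, shares[n][1])
    return reconstruct(dict(shares), commitments, t)
```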

2.2 Previous approaches

Almost all the VSS protocols in the literature (with the curious exception of the first one [CGMA85]) are based on Shamir's protocol. On top of that they add some proof from the dealer that the values shared lie on a polynomial of degree $t$, thus ensuring that the shares identify a unique secret. We refer to this property as the VSPS property, which will be defined more rigorously later.

In [GMW91] the shares are encrypted and then the VSPS property is proven via a "generic" zero-knowledge (ZK) proof of an NP-complete problem. The public knowledge of the encrypted shares also prevents bad players from contributing bad shares during reconstruction. This approach is made more efficient in [Fel87, Ped91a]

Verifiable Secret Sharing

Sharing Phase

1. Protocol for Dealer on input a secret $s$:

• Randomly choose polynomials $f(x) = a_t x^t + \cdots + a_1 x + s$, and $r(x) = r_t x^t + \cdots + r_1 x + r_0$.

• Compute and hand player $P_i$ the values $\alpha_i := f(i)$ and $\rho_i := r(i)$, for $1 \le i \le n$.

• Compute and broadcast the value $A_i := H(\alpha_i, \rho_i)$, for $1 \le i \le n$.

2. Player $P_i$ verifies that $A_i = H(\alpha_i, \rho_i)$. If the equation does not hold then he broadcasts a complaint against the dealer.

3. If player $P_i$ broadcasted a complaint then the dealer broadcasts the values $\alpha_i, \rho_i$ s.t. $H(\alpha_i, \rho_i) = A_i$.

4. If the dealer does not follow some step he is disqualified, otherwise conclude that a secret has been shared.

Reconstruction Phase

1. Each player broadcasts the values $\alpha_i, \rho_i$.

2. Take $t+1$ broadcasted values for which $A_i = H(\alpha_i, \rho_i)$ and interpolate polynomials $\hat f(x)$ and $\hat r(x)$ of degree at most $t$ that pass through those points.

3. Compute $\hat\alpha_i = \hat f(i)$ and $\hat\rho_i = \hat r(i)$ and verify that $A_i = H(\hat\alpha_i, \hat\rho_i)$ for all $i$. If yes, output $\hat f(0)$, else output 0.

Figure 1: New-VSS: Sharing and Reconstruction Protocols

where the dealer publicly commits to the polynomial using some form of “homomorphic” commitment scheme.

These commitments in return provide for a simpler proof of the VSPS property.

In [BGW88, CCD88, Rab94] the model assumes a computationally unbounded adversary, disabling the use of encryption. In this case the ZK proof is done via a cut-and-choose approach. Correction of bad shares during recovery is done via error-correcting codes [BGW88, CCD88] or via a mechanism of mutual authentication [Rab94].

Is there a trend developing in all these solutions which explains why our solution is so simple? The answer is yes. The above mentioned results achieve more than just having the dealer commit to a single value. Indeed the dealer commits to a polynomial of degree $t$, where the intended secret is the free term of this polynomial. This additional commitment apparently complicates the protocol, and adds computations, and is not necessary in order to achieve the sole goal of verifiable secret sharing. Indeed our protocol shows that it is possible to commit to a single value without committing to the full polynomial. We will refer to the above protocols with the new name of Verifiable Secret and Polynomial Sharing (VSPS).

Definition 1 We say that $\Pi$ is a Verifiable Secret and Polynomial Sharing protocol (VSPS) if the following properties hold for any adversary $\mathcal{A}$:

1. The protocol is a Verifiable Secret Sharing.

2. VSPS property: If the value set by the VSS is $\sigma$ then there exists a polynomial $f(x)$ of degree at most $t$, such that $f(0) = \sigma$ and player $P_i$ knows the value $f(i)$.

In Section 4.2.1 we will provide a method to enhance our VSS scheme by adding the VSPS property.

As we will see later VSPS protocols are important as a tool for multiparty computation, due to their structural

homomorphic properties. However, they are an overkill for a single VSS. And indeed there are several

applications, such as storing important information for back-up in a distributed fashion on insecure devices,

where there is a need only for VSS without a requirement to compute on the shares.


3 Simplification to Secure Multiparty Computations

We consider the problem of secure multiparty computation [Yao82, GMW87, BGW88, CCD88]. There are $n$ players. Player $P_i$ holds an input $x_i$ and the players want to compute a function $F(x_1, \ldots, x_n)$ in a secure manner, which intuitively means that the adversary cannot disrupt the computation, i.e. the value computed is correct; furthermore the adversary does not learn any information about the inputs of the good players (except for what is revealed by the function value).

MODEL AND DEFINITIONS. We consider a synchronous model with private channels and broadcast (e.g. [RB89, Bea89]). The parties engage in a distributed computation, following a protocol $\Pi$, in order to evaluate $F$. We assume that there is an adversary $\mathcal{A}$ that corrupts up to $t$ players and coordinates their actions in an arbitrary manner. The adversary we consider is static, i.e. it decides which players to corrupt at the beginning of the computation. Also our adversary is computationally unbounded. We follow formal definitions of secure multiparty computations that have appeared in several papers [MR91, Bea91, CFGN96, Can95].

In this section we will describe two simplifications to the [BGW88] protocol, and in particular to the multiplication protocol. We first describe an algebraic simplification followed by a simplified zero-knowledge proof for a specific property.

3.1 Algebraic Simplification for Multiplication Protocol

In the following we shall present a simple method for computing the multiplication of two secrets which are distributed among a set of players.

Given two secrets $\alpha$ and $\beta$ shared by polynomials $f_\alpha(x)$ and $f_\beta(x)$ respectively, of degree $t$, the players would like to compute the product $\alpha\beta$. In their seminal paper Ben-Or et al. [BGW88] note that it isn't sufficient for each player to locally multiply his shares of both secrets, as this generates a polynomial whose constant term is the desired one, i.e. $\alpha\beta$, but it is of degree $2t$ and is not a random polynomial. To overcome this they introduced a degree reduction and a randomization protocol. We will show how to achieve both the degree reduction and the randomization in a single step. This building block can be substituted for the multiplication step in the protocol of [BGW88], as it works in the same model of computation. The computation in this section is described under the assumption that all players act properly (as has been said, methods for how to remove this assumption appear in the next section).

Denote by $f_\alpha(i)$ and $f_\beta(i)$ the shares of player $P_i$ on $f_\alpha(x)$ and $f_\beta(x)$ respectively. The product of $f_\alpha(x)$ and $f_\beta(x)$ is

$$ f_\alpha(x) f_\beta(x) = a_{2t} x^{2t} + \cdots + a_1 x + \alpha\beta := f_{\alpha\beta}(x). $$

For $1 \le i \le 2t+1$, $f_{\alpha\beta}(i) = f_\alpha(i) f_\beta(i)$. Thus we can write

$$
\begin{pmatrix}
1 & 1 & \cdots & 1 \\
1 & 2 & \cdots & 2^{2t} \\
\vdots & \vdots & & \vdots \\
1 & 2t+1 & \cdots & (2t+1)^{2t}
\end{pmatrix}
\cdot
\begin{pmatrix} \alpha\beta \\ a_1 \\ \vdots \\ a_{2t} \end{pmatrix}
=
\begin{pmatrix} f_{\alpha\beta}(1) \\ f_{\alpha\beta}(2) \\ \vdots \\ f_{\alpha\beta}(2t+1) \end{pmatrix}
$$

Denote the above matrix by $A$. This is a $(2t+1)$ by $(2t+1)$ Van der Monde matrix, hence non-singular and has an inverse. Let the first row of the inverse matrix, $A^{-1}$, be $(\lambda_1, \ldots, \lambda_{2t+1})$; note that these are known constants. Then the previous equation implies that

$$ \alpha\beta = \lambda_1 f_{\alpha\beta}(1) + \cdots + \lambda_{2t+1} f_{\alpha\beta}(2t+1). $$

Given polynomials $h_1(x), \ldots, h_{2t+1}(x)$ all of degree $t$ which satisfy that $h_i(0) = f_{\alpha\beta}(i)$ for $1 \le i \le 2t+1$, define

$$ H(x) := \sum_{i=1}^{2t+1} \lambda_i h_i(x). $$

Note that $H(0)$ is exactly $\lambda_1 f_{\alpha\beta}(1) + \cdots + \lambda_{2t+1} f_{\alpha\beta}(2t+1)$ and hence $\alpha\beta$. Furthermore, $H(j) = \sum_{i=1}^{2t+1} \lambda_i h_i(j)$. The polynomial $H(x)$, used for the sharing of $\alpha\beta$, is automatically of degree $t$. It is random because the $\lambda_i$ are non-zero (easy to check by inspection) and there are $n - t$ polynomials $h_i(x)$ chosen by good players, and hence at random. Thus, the sharing of $\alpha\beta$ by a random polynomial of degree $t$ can be achieved directly following Protocol Simple-Mult in Figure 2.

Simple-Mult

Input of Player $P_i$: The values $f_\alpha(i)$ and $f_\beta(i)$

1. Player $P_i$ shares the value $f_\alpha(i) f_\beta(i)$ by choosing a random polynomial $h_i(x)$ of degree $t$, such that $h_i(0) = f_\alpha(i) f_\beta(i)$. He gives player $P_j$ the value $h_i(j)$ for $1 \le j \le 2t+1$.

2. Each player $P_j$ computes his share of $\alpha\beta$ via a random polynomial $H$, i.e. the value $H(j)$, by locally computing the linear combination $H(j) = \sum_{i=1}^{2t+1} \lambda_i h_i(j)$.

Figure 2: Simplified Multiplication Protocol with honest players

Theorem 2 Protocol Simple-Mult is a secure multiplication protocol in the presence of a computationally unbounded passive adversary.

In order to tolerate an active adversary there is a need to verify the actions of the players. [BGW88] uses a computationally expensive protocol to do this (which could be combined with Simple-Mult). However, we were able to simplify this protocol as well, and greatly improve its efficiency. The description of our simplification appears in Appendix D.
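Added example, not code from the paper: an honest-player Python simulation of Simple-Mult (Figure 2) that derives the constants $\lambda_i$ of Section 3.1 as the Lagrange coefficients for $x = 0$ over the nodes $1, \ldots, 2t+1$ (the first row of $A^{-1}$) and checks that the combined polynomial $H$ has $t+1$ coefficients, free term $\alpha\beta$, and agrees with the share each player computes locally. The field modulus and $n = 2t+1$ are assumptions of the example.

```python
# Simulation of Simple-Mult (Figure 2) with n = 2t+1 honest players over Z_Q.
# Assumption of this example: Q is the Mersenne prime 2^61 - 1.
import secrets

Q = (1 << 61) - 1


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod Q (coefficients ascending)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def rand_poly(degree, constant):
    """Random polynomial of degree at most `degree` with free term `constant`."""
    return [constant] + [secrets.randbelow(Q) for _ in range(degree)]


def lagrange_at_zero(nodes):
    """lambda_i = prod_{k != i} k / (k - i) mod Q: first row of the inverse Vandermonde
    matrix, so that g(0) = sum_i lambda_i g(i) for every g of degree < len(nodes)."""
    lams = []
    for i in nodes:
        num = den = 1
        for k in nodes:
            if k != i:
                num = num * k % Q
                den = den * (k - i) % Q
        lams.append(num * pow(den, -1, Q) % Q)
    return lams


def simple_mult(alpha, beta, t):
    """Run Simple-Mult on fresh degree-t sharings of alpha and beta.
    Returns the new shares H(j) and (simulation-only) the coefficients of H."""
    n = 2 * t + 1
    nodes = list(range(1, n + 1))
    f_a, f_b = rand_poly(t, alpha), rand_poly(t, beta)     # the two input sharings
    lams = lagrange_at_zero(nodes)
    # Step 1: P_i picks h_i of degree t with h_i(0) = f_a(i) f_b(i) and sends h_i(j) to P_j.
    h = {i: rand_poly(t, poly_eval(f_a, i) * poly_eval(f_b, i) % Q) for i in nodes}
    sent = {(i, j): poly_eval(h[i], j) for i in nodes for j in nodes}
    # Step 2: P_j locally computes H(j) = sum_i lambda_i h_i(j) from what it received.
    new_shares = {j: sum(lam * sent[(i, j)] for lam, i in zip(lams, nodes)) % Q for j in nodes}
    # Only the simulation sees the h_i coefficients; H = sum_i lambda_i h_i has t+1 of them.
    H = [sum(lam * h[i][k] for lam, i in zip(lams, nodes)) % Q for k in range(t + 1)]
    return new_shares, H


def check(alpha, beta, t):
    """True iff H has degree at most t, H(0) = alpha*beta and every local share equals H(j)."""
    shares, H = simple_mult(alpha, beta, t)
    degree_ok = len(H) == t + 1
    free_term_ok = H[0] == alpha * beta % Q
    shares_ok = all(poly_eval(H, j) == s for j, s in shares.items())
    return degree_ok and free_term_ok and shares_ok
```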

4 Computations with a Polynomial Time Adversary

In this section we describe how to carry out multiparty computations in the presence of a computationally bounded adversary. It is well known that in this model there exist VSS protocols due to Feldman [Fel87] and Pedersen [Ped91a] which are quite efficient and require limited interaction. We will show that it is possible to use this kind of VSS protocol, including our New-VSS, to perform multiparty computations efficiently.

The basic idea is to use a homomorphic commitment (see Section 4.1) to commit to the sharing of the inputs during the VSS. The computation will then follow the [BGW88] paradigm. Additions are computed locally by just summing up the shares of the secret values being added. For multiplication we run a robust version of the simplified multiplication protocol Simple-Mult presented above. But we will use the public commitments over the inputs to enforce correct behavior on the part of the players.

This idea originated in [CCD88] in the information-theoretic model, where such "commitments" were achieved by a second layer of input sharings. In the cryptographic model we use homomorphic commitments to generate the same effect. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs.

In the following sections we will concentrate on the multiplication protocol. Given two secrets $\alpha$ and $\beta$ shared via some form of VSS, which generated some representation of the secrets, we want to compute a sharing of $\alpha\beta$ resulting in the same representation. By representation we mean either the commitment to the coefficients or the commitment to the points of the polynomial. Player $P_i$ holds shares $\alpha_i, \beta_i$ of $\alpha$ and $\beta$ (resp.).

In order to get a robust version of the multiplication protocol described in Section 3 we need to enforce that $P_i$ shares the product $\alpha_i \beta_i$ via a polynomial of degree $t$.

4.1 Homomorphic Commitments

The approach we follow requires the usage of homomorphic commitments. Denote by $H(\alpha, \rho)$ a commitment to $\alpha$ with randomness $\rho$. We shall say that it is a homomorphic commitment if it has the following property: given $A_1 = H(\alpha_1, \rho_1)$ and $A_2 = H(\alpha_2, \rho_2)$ it holds for some $\rho$ that:

$$ A_1 \cdot A_2 = H(\alpha_1 + \alpha_2, \rho). $$


In our protocols we also need a ZK proof for the following: a prover publishes three commitments and wants to prove in ZK to a verifier that the third is a commitment to the product of the values committed to in the first two (see Appendix F).

POLYNOMIAL EVALUATIONS. Assuming a polynomial $f(x)$, the following two operations can be carried out:

• if the coefficients of the polynomial are committed to using the above scheme, then directly from these commitments we can compute commitments to the values $f(i)$, for $1 \le i \le n$; in the following we will call this procedure "evaluation in the exponent".

• and reversely, given commitments to $f(i)$, for $1 \le i \le n$, it is possible to compute commitments to the coefficients of the polynomial; in the following we will call this procedure "interpolation in the exponent".

Both of these computations are possible as there is a linear relation between the coefficients and the evaluated points; thus, due to the homomorphic properties of the commitment, the computation can be carried out in the exponent.

Homomorphic commitments based on general computational assumptions have been recently introduced and

studied by Cramer and Damgard [CD97]. The ZK proof in Appendix F is also due to them. For simplicity of

exposition we will use a specific commitment scheme due to Pedersen described below. However the reader

should keep in mind that any of the commitments in [CD97] will do.

Let $p$ and $q$ be primes such that $p = 2q + 1$, let $g$ be an element of order $q$ in $Z_p^*$ and let $h := g^z \bmod p$. The value $z$ is unknown to the dealer and players.

Discrete Log Assumption: We assume that it is infeasible to compute discrete logarithms in the subgroup of $Z_p^*$ generated by $g$.

A commitment to a string $\alpha \in Z_q$ using a random $\rho \in_R Z_q$ is the value $A = g^{\alpha} h^{\rho} \bmod p$. It is proven in [Ped91a] that this commitment is information-theoretically secure in terms of privacy and can be opened in two different ways only by somebody who can compute $z$.

4.2 Multiparty Computation Using our VSS

When we introduced our VSS protocol we said that it gained in efficiency because it did not satisfy the VSPS property, i.e. the guarantee that there exists an underlying polynomial. We further said that this property is needed for the multiparty computations of [BGW88]. Thus, if we want to use our protocol for computations we will first need to reintroduce the VSPS property into our VSS. Yet, we add the VSPS in such a manner that our VSS with VSPS enjoys a novel property, which is that the verification of the existence of a secret is disjoint from the verification of the VSPS property. This split will enable us to expedite our computations along the fast-track paradigm (see Section 5). We start by showing how to verify the VSPS property, followed by the presentation of the robust multiplication gate.

4.2.1 Checking the VSPS Property

The original description of our VSS protocol simply assumed a commitment scheme, but for the multiparty computations we will implement this commitment with the homomorphic commitment of Pedersen. Now, the dealer will share his secret $\sigma \in Z_q$ in the following manner. He will choose polynomials $f(x) = a_t x^t + \cdots + a_1 x + \sigma$, and $r(x) = r_t x^t + \cdots + r_0$. The dealer will compute and give player $P_i$ the values $\alpha_i := f(i)$ and $\rho_i := r(i)$. The commitment will be done by $A_i = H(\alpha_i, \rho_i) := g^{\alpha_i} h^{\rho_i} \bmod p$. For reasons that will become apparent later we extend the VSS protocol by having the dealer commit also to the secret itself, which is $f(x)$ evaluated at 0, by publishing $A_0 = g^{\sigma} h^{r_0}$. The reconstruction phase is, in essence, as before: player $P_i$ broadcasts $\alpha_i$ and $\rho_i$. We accept only those values that match the published commitment $A_i$. The polynomials $\hat f$ and $\hat r$ are interpolated from the accepted values and a check is carried out that, for all $i = 0, 1, \ldots, n$, $A_i = H(\hat f(i), \hat r(i))$. If this check succeeds then $\sigma := \hat f(0)$, otherwise $\sigma := 0$.


We denote with DL-VSS the above implementation of New-VSS. Although it looks similar to Pedersen's VSS it differs from it because in DL-VSS the public commitments are to the points of the polynomial, while in Pedersen's VSS the commitments are to the coefficients. For this same reason however DL-VSS does not have the VSPS property, i.e. it does not insure that the shares lie on a polynomial of degree $t$.

The first method that comes to mind to verify the VSPS property is to interpolate in the exponent the polynomial from $t+1$ values, and then to evaluate in the exponent the remaining points, and see if they match. Yet, this solution is highly expensive in computation. We present a more efficient randomized solution.

If the $A_0, \ldots, A_n$ determine a unique pair of $t$-degree polynomials $(f, r)$ such that $A_i = g^{f(i)} h^{r(i)}$, then $A_0, \ldots, A_t$ should define $(f, r)$ and so should $A_{t+1}, \ldots, A_{2t+1}$. Denote by $f^{(1)}(x) = a^{(1)}_t x^t + \cdots + a^{(1)}_0$, $r^{(1)}(x) = r^{(1)}_t x^t + \cdots + r^{(1)}_0$ and $f^{(2)}(x) = a^{(2)}_t x^t + \cdots + a^{(2)}_0$, $r^{(2)}(x) = r^{(2)}_t x^t + \cdots + r^{(2)}_0$ the polynomials defined by the first and second sets respectively. The idea of the check is to prove that for a random value $\zeta \in Z_q$ we have

$$ g^{f^{(1)}(\zeta)} h^{r^{(1)}(\zeta)} = g^{f^{(2)}(\zeta)} h^{r^{(2)}(\zeta)} \qquad (1) $$

As $h = g^z$ this implies that $f^{(1)}(\zeta) + z\, r^{(1)}(\zeta) = f^{(2)}(\zeta) + z\, r^{(2)}(\zeta)$. But since $\zeta$ is chosen at random that means that with probability $1 - \frac{t}{q}$ we have

$$ f^{(1)}(x) + z\, r^{(1)}(x) = f^{(2)}(x) + z\, r^{(2)}(x) \qquad (2) $$

For large $q$ the probability of error can be made negligible.

Recall that our final goal is to prove that $f^{(1)}(x) = f^{(2)}(x)$ and $r^{(1)}(x) = r^{(2)}(x)$. Suppose that the dealer distributed shares such that $f^{(1)}(x) \neq f^{(2)}(x)$ and $r^{(1)}(x) \neq r^{(2)}(x)$, but such that Equation (2) holds. Then it is easy to see that the dealer can compute $z$, which contradicts the assumptions.

Thus, the whole test reduces to a local check by each player of Equation (1) for a random $\zeta \in Z_q$ chosen by the player. The left side of the equation can be computed as follows:

$$
g^{f^{(1)}(\zeta)} h^{r^{(1)}(\zeta)}
= g^{\sum_{j=0}^{t} a^{(1)}_j \zeta^j}\, h^{\sum_{j=0}^{t} r^{(1)}_j \zeta^j}
= g^{\sum_{j=0}^{t} \sum_{i=0}^{t} f(i)\, \lambda_{ji}\, \zeta^j}\, h^{\sum_{j=0}^{t} \sum_{i=0}^{t} r(i)\, \lambda_{ji}\, \zeta^j}
= \prod_{i=0}^{t} \left( g^{f(i)} h^{r(i)} \right)^{\gamma_i}
= \prod_{i=0}^{t} A_i^{\gamma_i}
$$

where $\gamma_i = \sum_{j=0}^{t} \lambda_{ji} \zeta^j$ for appropriate Lagrange coefficients $\lambda_{ji}$. Similarly compute the right-hand side of Equation (1). We denote with VSPS-Check the above method for verifying the VSPS property.
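Added example, not code from the paper: Pedersen commitments to the points of a DL-VSS sharing, the homomorphic property of Section 4.1, and VSPS-Check computed as $\prod_i A_i^{\gamma_i}$, where $\gamma_i = \sum_j \lambda_{ji}\zeta^j$ is evaluated directly as the Lagrange basis polynomial of node $i$ at $\zeta$. The toy group parameters $p = 2039$, $q = 1019$, $g = 4$ and the exponent $z = 777$ used only to construct $h$ are assumptions of the example.

```python
# DL-VSS commitments and VSPS-Check (Section 4.2.1). Assumptions of this example:
# a toy safe-prime group p = 2q+1 with p = 2039, q = 1019, g = 4 (order q) and
# h = g^z for z = 777; z is used solely to construct h and never by any check.
import secrets

P, Q = 2039, 1019
G = 4
H = pow(G, 777, P)


def pedersen(alpha, rho):
    """A = g^alpha h^rho mod p, the commitment of Section 4.1 instantiated a la Pedersen."""
    return pow(G, alpha, P) * pow(H, rho, P) % P


def rand_poly(degree, constant):
    """Random polynomial over Z_q (ascending coefficients) with free term `constant`."""
    return [constant] + [secrets.randbelow(Q) for _ in range(degree)]


def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def dl_vss_share(secret, n, t):
    """Dealer side of DL-VSS: shares (f(i), r(i)) for i = 0..n and commitments A_0..A_n,
    where A_0 = g^sigma h^{r_0} commits to the secret itself."""
    f, r = rand_poly(t, secret), rand_poly(t, secrets.randbelow(Q))
    shares = {i: (poly_eval(f, i), poly_eval(r, i)) for i in range(0, n + 1)}
    commitments = [pedersen(a, rho) for i, (a, rho) in sorted(shares.items())]
    return shares, commitments


def lagrange_basis_at(nodes, i, zeta):
    """gamma_i = L_i(zeta) = prod_{k != i} (zeta - k) / (i - k) mod q, i.e. the
    exponent that interpolation-then-evaluation in the exponent applies to A_i."""
    num = den = 1
    for k in nodes:
        if k != i:
            num = num * (zeta - k) % Q
            den = den * (i - k) % Q
    return num * pow(den, -1, Q) % Q


def eval_in_exponent(commitments, nodes, zeta):
    """g^{f(zeta)} h^{r(zeta)} computed from the public A_i alone as prod_i A_i^{gamma_i}."""
    out = 1
    for i in nodes:
        out = out * pow(commitments[i], lagrange_basis_at(nodes, i, zeta), P) % P
    return out


def vsps_check(commitments, t, zeta=None):
    """Equation (1): the polynomials defined by A_0..A_t and by A_{t+1}..A_{2t+1}
    agree at a random zeta. False with probability at least 1 - t/q if they differ."""
    if zeta is None:
        zeta = secrets.randbelow(Q)
    first = list(range(0, t + 1))
    second = list(range(t + 1, 2 * t + 2))
    return eval_in_exponent(commitments, first, zeta) == eval_in_exponent(commitments, second, zeta)


def cheating_dealer_check(n=5, t=2, zeta=7):
    """A_{2t+1} commits to f(2t+1)+1, so the two halves define different polynomials;
    (1) then fails for every zeta except the t other nodes of the second half."""
    shares, commitments = dl_vss_share(321, n, t)
    j = 2 * t + 1
    commitments[j] = pedersen((shares[j][0] + 1) % Q, shares[j][1])
    return vsps_check(commitments, t, zeta)


def homomorphic_ok(a1, r1, a2, r2):
    """A_1 * A_2 is a commitment to a1 + a2 with randomness r1 + r2 (Section 4.1)."""
    return pedersen(a1, r1) * pedersen(a2, r2) % P == pedersen((a1 + a2) % Q, (r1 + r2) % Q)
```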

4.2.2 The Robust Multiplication Gate with our VSS

Let us assume that we are given two secrets $\alpha$ and $\beta$ shared via our DL-VSS protocol with polynomials $f_\alpha(x)$, $f_\beta(x)$ (resp.). Player $P_i$ has shares $\alpha_i := f_\alpha(i)$ and $\beta_i := f_\beta(i)$ in addition to $\rho_i := r(i)$ and $\tau_i := s(i)$, where $r(x), s(x)$ are two random polynomials of degree $t$. The values $A_i = H(\alpha_i, \rho_i) = g^{\alpha_i} h^{\rho_i}$ and $B_i = H(\beta_i, \tau_i) = g^{\beta_i} h^{\tau_i}$ are public. We assume that the VSPS property of these two sharings has been checked.

The basic idea of the robust multiplication protocol is the following: each player $P_i$ shares $c_i = \lambda_i \alpha_i \beta_i$ via our DL-VSS protocol, where $\lambda_i$ is the coefficient defined in Section 3.1. If $c_{ij}$ and $\rho_{ij}$ are the values $P_i$ sends to $P_j$, then $P_i$ publishes $C_{ij} = H(c_{ij}, \rho_{ij}) = g^{c_{ij}} h^{\rho_{ij}}$. After the sharing the players check the VSPS property for $P_i$'s sharing. Notice that $P_i$ broadcasted the value $C_{i0} = g^{\lambda_i \alpha_i \beta_i} h^{\rho_{i0}}$. $P_i$ uses this value to prove in zero-knowledge that he shared $\lambda_i \alpha_i \beta_i$ with respect to $A_i$ and $B_i$ using the protocol in Appendix F. For any player who does not follow the protocol, all his private information is made public through reconstruction. It is important to note that our representation of the secret as a commitment to the points on the polynomial lends naturally to the ZK proof, as the values are already in the format needed for the proof.

Now we are at the starting point of the multiplication operation described in Section 3.1 with the additional property that we know that all the sharings are correct. Thus, each player locally sums the shares which he has received from all the other players in order to compute his new share and its randomness. Furthermore, the public information corresponding to this new share is generated. The full protocol appears in Figure 3 and is denoted Mult.

Mult: Robust Multiplication

Input of player $P_i$: values $\alpha_i = f_\alpha(i)$, $\beta_i = f_\beta(i)$, $\rho_i = r(i)$, $\sigma_i = s(i)$.
Public input: $A_i = H(\alpha_i, \rho_i) = g^{\alpha_i} h^{\rho_i}$, $B_i = H(\beta_i, \sigma_i) = g^{\beta_i} h^{\sigma_i}$ for $1 \le i \le n$.

1. Each player $P_i$ shares $\alpha_i \beta_i \lambda_i$ using the DL-VSS protocol. That is, set $c_{ij} = f_{\alpha\beta,i}(j)$, $\rho_{ij} = u_i(j)$ where $f_{\alpha\beta,i}$, $u_i$ are random polynomials of degree $t$ such that $f_{\alpha\beta,i}(0) = \alpha_i \beta_i \lambda_i$.
   Secret information of $P_i$: share $c_{ji}, \rho_{ji}$ of $\alpha_j \beta_j \lambda_j$.
   Public information: $C_{ij} = g^{c_{ij}} h^{\rho_{ij}}$ for $1 \le i, j \le n$; $C_{i0} = g^{c_{i0}} h^{\rho_{i0}}$ for $1 \le i \le n$.

2. Players run a VSPS-Check on $P_i$'s sharing. If a sharing fails the test then expose the secret through the VSS reconstruction.

3. $P_i$ proves in zero-knowledge that $C_{i0}$ is a commitment to the product $\alpha_i \beta_i \lambda_i$ using the ZK proof from Appendix F. Expose the values of the players who fail the proof.

4. Player $P_i$ computes $\gamma_i = \sum_{j=1}^{2t+1} c_{ji}$, which is a share of $\alpha\beta$ via a random polynomial of degree $t$. Compute also $\tau_i = \sum_{j=1}^{2t+1} \rho_{ji}$ and $C_j = H(\gamma_j, \tau_j) = g^{\gamma_j} h^{\tau_j} = \prod_{l=1}^{2t+1} C_{lj}$, for $1 \le j \le n$.
   Secret information of $P_i$: share $\gamma_i$.
   Public information: $C_i$ for $1 \le i \le n$.

Figure 3: Robust multiplication protocol using DL-VSS

Theorem 3 Under the discrete log assumption protocol Mult is a secure multiplication protocol in the
presence of a computationally bounded active adversary.

Plugging the above multiplication protocol into the [BGW88] construction one gets that for any function

there exists a secure multiparty computation protocol. We note that this protocol is quite efficient in terms of

computation and communication required by each player.

4.3 Efficiency Analysis

A protocol similar to Mult using Pedersen's VSS instead of our DL-VSS is presented in Appendix E and denoted Ped-Mult. We omit from this extended abstract the complete computational analysis of Mult, Ped-Mult and the comparison between them. Here we only point out the major issues in this comparison.

• Our new VSS DL-VSS generates commitments to the points of the polynomial, and these are the values which are required as input for the ZK proof of proper conduct. Pedersen's VSS instead has commitments to the coefficients of the polynomial and thus is required in the multiplication protocol to compute these values via evaluation in the exponent.

• Pedersen's VSS takes advantage of the fact that the check of the VSPS property requires exponentiations to relatively small exponents. Our VSPS-Check instead requires full exponentiations in the group generated by $g$. However a close look at the cost analysis shows that only for very small $n$ there is an advantage of using Pedersen's VSS versus DL-VSS plus VSPS-Check. Relatively fast (in the growth of $n$) they have the same performance.

• However, the most attractive feature of using DL-VSS is that the verification of the existence of a secret and the verification of the VSPS property are separate computations. This will allow for the introduction of the fast-track paradigm described in Section 5 which will improve the overall performance of the protocol when there are no faults in the system.


5 Fast-track Computation

As we mentioned in the Introduction, secure multiparty protocols pay a heavy cost in terms of communication/computation in order to guarantee robustness against malicious adversaries. Typically, however, one can expect malicious faults to happen quite rarely. We would like to build on the efficiency of private protocols, which operate under the assumption that no faults occur, while avoiding the trap of assuming that you can execute the private computation until a fault occurs and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.

Thus, we borrow from other fields and introduce into the multiparty computation scenario the paradigm of fast-track computation. The idea is to avoid carrying out all the verification steps, but rather to identify "critical" verification points. Only at these critical points some verification will be carried out. Once the verification is carried out in a critical point we are guaranteed that the computation up to this point was correct. These critical points must be chosen in such a manner that if faults occur between two consecutive critical points $c_1$ and $c_2$, where $c_2$ is a later point in the protocol, then the faults will be detected at point $c_2$. Furthermore, recomputing the section from critical point $c_1$ to $c_2$ will not violate the security of the computation. Thus, if no faults occurred between $c_1$ and $c_2$ we "saved" all the verifications which should have been carried out between these two points.

The main result of this section is the following.

Theorem 4 For any function $F$ there exists a fast-track secure multiparty multiplication protocol FT-Mult that requires a factor of $n$ less computation than Mult when there are no faults in the system.

It will become clear here why our DL-VSS protocol with VSPS-Check, which has a disjoint verification for the existence of a secret and for the VSPS property, falls nicely into the framework of fast-track. It allows to verify the existence of a valid secret at a low cost, and delay the expensive VSPS check to a later point, in which the property can be effectively verified for many secrets by a single check.

Furthermore in Appendix H we present fast-track Joint VSS protocols, which allow a set of players to generate a random secret unknown to all of them in a shared form via a VSS protocol.

5.1 Fast-track Robust Multiplication Protocol

In this section we describe FT-Mult. When computing a multiplication gate we do not check the VSPS property on every sharing of the values $\alpha_i \beta_i \lambda_i$ but rather we check only the combined secret which should be the result of the multiplication. Basically we run a single VSPS-Check protocol on the values $C_1, \ldots, C_n$. Thus, we reduce the number of VSPS checks by a factor of $n$ (assuming there are no faults). If the check fails then we know that there were faults and reiterate the computation of the gate using the Mult protocol.

The protocol works in the following manner: each player $P_i$ shares the product of his local shares, i.e. $\alpha_i \beta_i \lambda_i$, via our DL-VSS protocol. Using the commitment to the free term he proves (using the ZK proof in Appendix F) that he has in fact shared the proper value. Then the player computes the sum of the shares which he has received, and on the set of results of this computation the players check the VSPS property. The complete protocol appears in Appendix G.

6 Threshold Cryptography Applications

In recent years it has become evident that one of the most important applications of secure multiparty computation is threshold cryptography [Des87, Des94]. Consider for example the cryptographic function of signing which receives as input a secret key and a message, and generates the signature on the message. The signer holding the secret key can easily generate the signature. But if his computer is broken into, then the secrecy of his key is compromised. In other words, the storage of the secret key creates a single point of failure which we would like to eliminate. This can be achieved by sharing the secret key among several signing servers in a threshold fashion. Now the computation of the signature must be carried out in a distributed manner via a multiparty computation protocol among the signing servers.

Threshold cryptography is indeed the study of efficient multiparty computation protocols for cryptographic functions (e.g. signing or decrypting) in which each party has as input a share of the secret key that allows the computation of such function. Examples of threshold cryptography protocols can be found in [Boy89, Des87, DF91, DF89, CMI93, Har94, DDFY94, PK96, Lan95, GJKR96b, FGY96, GJKR96a, JY].

The above cited protocols use, in various ways, expensive VSS protocols and zero-knowledge proofs. Though some are more efficient than others there is still room and need for improvement. Our techniques can be readily applied to this scenario to obtain much more efficient protocols.

We would like to present a specific application of this paradigm. In the next section we will apply our techniques to the robust threshold DSS protocol of Gennaro et al. [GJKR96b]. The improvements to that protocol will be twofold:

fault-tolerance the simplified multiplication protocol described in this paper brings the fault-tolerance of the scheme up to $n \ge 2t+1$ (from $n \ge 4t+1$) without an increase in communication or computational complexity.

efficiency Our new DSS protocol has a fast-track version which requires a factor of $n$ less computation (in terms of modular exponentiations) from each player.

SECURITY. Formal definitions of security for threshold signature protocols can be found in [GJKR96b]. We stress that our new protocol can be proven secure under the sole assumption of the unforgeability of DSS signatures. For the details see Appendix I.

Acknowledgments

We would like to thank Hugo Krawczyk for countless suggestions on earlier versions of this paper and Ivan

Damgard for suggesting the use of the [DPP96] provably secure commitments in our protocol New-VSS. We

also thank: Ran Canetti, Ronald Cramer, Juan Garay, Amir Herzberg and Ueli Maurer for useful discussions.

References

[BB89] J. Bar-Ilan and D. Beaver. Non-cryptographic fault-tolerant computing in a constant number of rounds. In Proc. 8th ACM Symp. on Principles of Distributed Computing, pages 201–209. ACM, 1989.

[Bea89] D. Beaver. Multiparty Protocols Tolerating Half Faulty Processors. In G. Brassard, editor, Advances in Cryptology — Crypto '89, pages 560–572, Berlin, 1989. Springer-Verlag. Lecture Notes in Computer Science No. 435.

[Bea91] D. Beaver. Foundations of secure interactive computing. In J. Feigenbaum, editor, Advances in Cryptology — Crypto '91, pages 377–391, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

[BGW88] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness Theorems for Noncryptographic Fault-Tolerant Distributed Computations. In Proc. 20th Annual Symp. on the Theory of Computing, pages 1–10. ACM, 1988.

[Bla79] G. R. Blakley. Safeguarding cryptographic keys. In Proc. AFIPS 1979 National Computer Conference, pages 313–317. AFIPS, 1979.

[Boy89] C. Boyd. Digital Multisignatures. In H. Baker and F. Piper, editors, Cryptography and Coding, pages 241–246. Clarendon Press, 1989.

[Can95] Ran Canetti. Studies in Secure Multiparty Computation. PhD thesis, Weizmann Institute of Science, 1995.

[CCD88] D. Chaum, C. Crépeau, and I. Damgård. Multiparty Unconditionally Secure Protocols. In Proc. 20th Annual Symp. on the Theory of Computing, pages 11–19. ACM, 1988.

[CD97] R. Cramer and I. Damgård. Zero-knowledge for finite field arithmetic or: Can zero-knowledge be for free? Manuscript, 1997.

[CDM97] R. Cramer, I. Damgård, and U. Maurer. Span programs and general multiparty computations. Manuscript, 1997.

[CFGN96] Ran Canetti, Uri Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In Proc. 28th Annual Symp. on the Theory of Computing, pages 639–648. ACM, 1996.

[CGMA85] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable Secret Sharing and Achieving Simultaneity in the Presence of Faults. In Proceedings 26th Annual Symposium on the Foundations of Computer Science, pages 383–395. IEEE, 1985.

[CMI93] M. Cerecedo, T. Matsumoto, and H. Imai. Efficient and secure multiparty generation of digital signatures based on discrete logarithms. IEICE Trans. Fundamentals, E76-A(4):532–545, 1993.

[DDFY94] Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely. In Proc. 26th Annual Symp. on the Theory of Computing, pages 522–533. ACM, 1994.

[Des87] Yvo Desmedt. Society and group oriented cryptography: A new concept. In C. Pomerance, editor, Advances in Cryptology — Crypto '87, pages 120–127, Berlin, 1987. Springer-Verlag. Lecture Notes in Computer Science No. 293.

[Des94] Yvo G. Desmedt. Threshold cryptography. European Transactions on Telecommunications, 5(4):449–457, July 1994.

[DF89] Yvo Desmedt and Yair Frankel. Threshold cryptosystems. In G. Brassard, editor, Advances in Cryptology — Crypto '89, pages 307–315, Berlin, 1989. Springer-Verlag. Lecture Notes in Computer Science No. 435.

[DF91] Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In J. Feigenbaum, editor, Advances in Cryptology — Crypto '91, pages 457–469, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

[DH76] W. Diffie and M. E. Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[DPP96] I. Damgård, T. P. Pedersen and B. Pfitzmann. Statistical Secrecy and Multi-Bit Commitments. BRICS report series, RS-96-45, available from http://www.brics.dk

[ElG85] T. ElGamal. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Info. Theory, IT 31, 1985.

[Fel87] P. Feldman. A Practical Scheme for Non-Interactive Verifiable Secret Sharing. In Proc. 28th Annual Symp. on Foundations of Computer Science, pages 427–437. IEEE, 1987.

[FGY96] Y. Frankel, P. Gemmell, and M. Yung. Witness-based Cryptographic Program Checking and Robust Function Sharing. In Proc. 28th Annual Symp. on the Theory of Computing, pages 499–508. ACM, 1996.

[FM] P. Feldman and S. Micali. A Definition of Verifiable Secret Sharing. An adaptation from [FM88].

[FM88] P. Feldman and S. Micali. An Optimal Algorithm for Synchronous Byzantine Agreement. In Proc. 20th Annual Symp. on the Theory of Computing, pages 148–161. ACM, 1988.

[fST91] National Institute for Standards and Technology. Digital Signature Standard (DSS). Technical Report 169, August 30 1991.

[GJKR96a] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust and efficient sharing of RSA functions. In N. Koblitz, editor, Advances in Cryptology — Crypto '96, pages 157–172, Berlin, 1996. Springer-Verlag. Lecture Notes in Computer Science No. 1109.

[GJKR96b] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust threshold DSS signatures. In Ueli Maurer, editor, Advances in Cryptology — Eurocrypt '96, pages 354–371, Berlin, 1996. Springer-Verlag. Lecture Notes in Computer Science No. 1070.

[GMR89] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof-systems. SIAM J. Computing, 18(1):186–208, February 1989.

[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game. In Proc. 19th Annual Symp. on the Theory of Computing, pages 218–229. ACM, 1987.

[GMW91] O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing But Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. Journal of the ACM, 38(1):691–729, 1991.

[Har94] L. Harn. Group oriented (t,n) digital signature scheme. IEEE Proc.-Comput. Digit. Tech., 141(5):307–313, Sept 1994.

[JY] Markus Jakobsson and Moti Yung. Distributed "magic ink" signatures. To appear in Eurocrypt '97.

[Lan95] S. Langford. Threshold DSS signatures without a trusted party. In D. Coppersmith, editor, Advances in Cryptology — Crypto '95, pages 397–409, Berlin, 1995. Springer-Verlag. Lecture Notes in Computer Science No. 963.

[MR91] S. Micali and P. Rogaway. Secure computation. In J. Feigenbaum, editor, Advances in Cryptology — Crypto '91, pages 392–404, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

[MS81] R. J. McEliece and D. V. Sarwate. On Sharing Secrets and Reed-Solomon Codes. Communications of the ACM, 24:583–584, September 1981.

[PK96] C. Park and K. Kurosawa. New ElGamal Type Threshold Digital Signature Scheme. IEICE Trans. Fundamentals, E79-A(1):86–93, January 1996.

[Ped91a] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In J. Feigenbaum, editor, Advances in Cryptology — Crypto '91, pages 129–140, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 576.

[Ped91b] T. Pedersen. A threshold cryptosystem without a trusted party. In D. Davies, editor, Advances in Cryptology — Eurocrypt '91, pages 522–526, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science No. 547.

[Rab94] T. Rabin. Robust Sharing of Secrets When the Dealer is Honest or Faulty. Journal of the ACM, 41(6):1089–1109, 1994.

[RB89] T. Rabin and M. Ben-Or. Verifiable Secret Sharing and Multiparty Protocols with Honest Majority. In Proc. 21st Annual Symp. on the Theory of Computing, pages 73–85. ACM, 1989.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.

[Sch91] C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4:161–174, 1991.

[Sha79] A. Shamir. How to Share a Secret. Communications of the ACM, 22:612–613, 1979.

[TW88] M. Tompa and H. Woll. How to share a secret with cheaters. Journal of Cryptology, 1(2):133–138, 1988.

[Yao82] A. C. Yao. Protocols for secure computations. In Proceedings of FOCS '82, pages 160–164, Chicago, 1982. IEEE.

A Shamir's Secret Sharing

Assume the dealer has a secret $s$ which is a number in $\mathbb{Z}_p$ where $p$ is a prime. The dealer wants to "share" this number among $n$ players $P_1, \ldots, P_n$ so that $t$ of them have no information about the secret while $t+1$ of them can reconstruct it. Shamir's protocol [Sha79] is described in Figure 4.

It is important to notice that the protocol works only under the assumption that no faults occur in the system. Otherwise, for example, there is no assurance that the dealer shared values which define a polynomial of degree at most $t$. And during reconstruction time the bad players may compromise the recovering of $s$ by contributing values $\tilde{\alpha}_i$ different than the ones originally received from the dealer.

B Verifiable Secret Sharing

Informally a VSS protocol achieves secret sharing in the presence of malicious faults. In other words what we

want is that at the end of the sharing phase the good players are guaranteed that indeed a secret has been shared,

in the sense that they will be able to reconstruct it at the end of the recover phase, regardless of the actions of a

faulty dealer or players.


Shamir's Secret Sharing

Sharing Phase. Protocol for Dealer on input a secret $s$:
• Choose $a_1, \ldots, a_t \in_R \mathbb{Z}_p$ and define the polynomial $f(x) = s + a_1 x + \cdots + a_t x^t$.
• Compute and hand to player $P_i$ the value $\alpha_i \stackrel{\mathrm{def}}{=} f(i) \bmod p$, for $1 \le i \le n$.

Reconstruction Phase
1. Each player broadcasts the value $\alpha_i$.
2. Take $t+1$ broadcasted values and interpolate a polynomial $f(x)$ of degree at most $t$.
3. Output $s = f(0) \bmod p$.

Figure 4: Sharing and Reconstruction Protocols

Another way of thinking of VSS is as a "recoverable commitment". In typical commitment schemes when Alice commits to a secret value $s$ to Bob, Bob has a guarantee that indeed there is a unique committed secret $s$, although he knows nothing about $s$. This is due to the secrecy and binding properties of commitment schemes. However nothing prevents Alice from never opening the commitment at a later time. VSS protocols have the same functionality of commitments with the added feature that at a later time it is always possible for the good players to reconstruct the value the dealer committed to.

The following definition of VSS is from [FM88, FM].

We have $n$ players $P_1, \ldots, P_n$ and a distinguished player $D$, the dealer. The dealer and the players are connected by private communication channels and they also have access to a broadcast channel. There is a static adversary $\mathcal{A}$ that can corrupt up to $t$ of the players including the dealer.

Let $\Pi$ be a protocol consisting of two phases Share, Reconstruct in which all players have as common input the description of a set of possible secrets, $S$. The dealer has as an extra input the secret $s$ in $S$. At the end of Share each player $P_i$ is instructed to output a Boolean value $ver_i$. At the end of Reconstruct each player is instructed to output a value in $S$.

We say that $\Pi$ is a Verifiable Secret Sharing protocol (VSS) if the following properties hold for any adversary $\mathcal{A}$:

Unanimity If any good player $P_i$ outputs $ver_i = 1$ at the end of Share, then $ver_j = 1$ for all other good players $P_j$.

Acceptance of good secrets If the dealer is good, then $ver_i = 1$ for every good $P_i$.

Verifiability If a good player $P_i$ outputs $ver_i = 1$ at the end of Share then there exists a value $\sigma$ in the set of possible secrets, $S$, such that the event that all good players output $\sigma$ at the end of Reconstruct is fixed at the end of Share. Moreover if the dealer is good then $\sigma = s$, the original secret input of the dealer.

Unpredictability If the secret $s$ is randomly chosen from a set of cardinality $q$, and the dealer is good, then the adversary $\mathcal{A}$ cannot guess at the end of Share the value $s$ with probability better than $1/q$ by a non-negligible additive factor.

The final condition can be strengthened by requiring that the view of the adversary is simulatable by a simulator that has no knowledge of $s$. Which means that the adversary gains no knowledge at all from the execution of the VSS protocol.

C Proof of Theorem 1

Sketch of Proof

UNANIMITY. The decision to disqualify or accept the sharing is done based on public information viewed by all players, hence all good players reach the same decision.

ACCEPTANCE OF GOOD SECRETS. If the dealer is good then all his public actions will be seen as proper and all honest players will decide that a secret has been shared.

VERIFIABILITY. This property is achieved via the collision resistance of $H$. Assume w.l.o.g. that at least $P_1, \ldots, P_{t+1}$ are honest. Let $f(x)$, $r(x)$ be the polynomials of degree $t$ determined by the values $\alpha_i$ and $\rho_i$, for $1 \le i \le t+1$. If $A_i = H(f(i), r(i))$ $\forall i$ then define $\sigma \stackrel{\mathrm{def}}{=} f(0)$. Otherwise, $\sigma \stackrel{\mathrm{def}}{=} 0$. The dealer committed himself to the values $A_1, \ldots, A_n$ by broadcasting them. The values $\alpha_i, \rho_i$ for $1 \le i \le t+1$ are set at the end of the sharing phase, and hence $f(x)$ is set. Thus, $\sigma$ is well defined at the end of the sharing phase. It remains to be shown that at the end of the reconstruction phase the players output the value $\sigma$. Assume by contradiction that they reconstruct $\tilde{\sigma} \neq \sigma$ by choosing $t+1$ values $\tilde{\alpha}_{i_1}, \ldots, \tilde{\alpha}_{i_{t+1}}$ given out by players $P_{i_1}, \ldots, P_{i_{t+1}}$ such that $H(\tilde{\alpha}_{i_j}, \tilde{\rho}_{i_j}) = A_{i_j}$. This means that the $t$-degree polynomials $\tilde{f}(x), \tilde{r}(x)$ interpolated by the $\tilde{\alpha}_{i_j}$ and $\tilde{\rho}_{i_j}$ (resp.) have the property that $H(\tilde{f}(i), \tilde{r}(i)) = A_i$ but $\tilde{f}(x) \neq f(x)$ (as they differ in the free term), thus there must be an index $j$ such that $\tilde{f}(j) \neq f(j)$. The pairs $(\tilde{f}(j), \tilde{r}(j))$ and $(f(j), r(j))$ are a collision for $H$, which is known to either the dealer or player $P_j$, which contradicts the hypothesis.

UNPREDICTABILITY. If the dealer is good the adversary sees $t$ points on a polynomial of degree $t$ plus all the values $A_i$. But as we assume that $H$ has the secrecy property the $A_i$'s give no information about the other points. Hence, $\mathcal{A}$ has no information about the secret. In other words it is possible to simulate the view of the adversary with $t$ random values as the shares and $n$ random values as the $A_i$'s.

D Computing Multiplication with Faults

The underlying assumption for the computation in the previous section is that each player $P_i$ shared a polynomial $h_i(x)$ such that $h_i(0) = f_\alpha(i) f_\beta(i)$. We present a simple method for verifying that $P_i$ has shared the proper value. To reduce the complexity of exposition we change the notation, saying that player $P_i$ has values $\alpha$ and $\beta$ and he needs to share a polynomial whose constant term is $\alpha\beta$. We take as a starting point that the values $\alpha, \beta$ have been shared properly using polynomials $f_\alpha(x), f_\beta(x)$ resp. (see [BGW88] for proof). Thus, we need to prove that the three polynomials satisfy the property that $h(0) = f_\alpha(0) f_\beta(0)$.

We are able to present a simpler proof for this property based on a combination of two ideas. The first idea is, as in the multiplication step, that instead of reducing the degree of a polynomial and randomizing it through computation it can be directly shared as a random polynomial of degree $t$. And the second is that the prover is present and can help the players out during the proof stage. More specifically, previous proofs assumed that the players need to reconstruct the polynomials while correcting errors. Under this assumption a set of $3t+1$ players can interpolate a polynomial of degree at most $t$. But if the dealer exposes the polynomial directly and the players only need to verify their points, then a set of $2t+1$ players can check their values and insure the validity of a polynomial of degree (at most) $2t$.

Thus, we shall have player $P_i$ share $h(x)$ of degree $t$ and prove that $h(0) = \alpha\beta$ in the following manner. First, $P_i$ will prove that $h(x)$ is of degree $t$. Then, $P_i$ will share an additional polynomial $r(x)$ of degree $2t-1$; there is no need to verify that it is of the right degree, because one of two things can happen: either $P_i$ reveals information about his own values, or the proof will not go through. To complete the proof $P_i$ will broadcast the polynomial $R(x) = x\,r(x) + f_\alpha(x) f_\beta(x) - h(x)$. This is a random polynomial of degree $2t$ and hence reveals no information about the coefficients of $f_\alpha(x) f_\beta(x)$ or $h(x)$. Each player $P_j$ checks that $R(0) = 0$, which indicates that $h(x)$ has as its constant term the product $\alpha\beta$. Furthermore, $P_j$ verifies that $R(j) = j\,r(j) + f_\alpha(j) f_\beta(j) - h(j)$, to ensure that his share of $h(x)$ is in fact on the polynomial; if there is no match he requests that his values be made public.

This is much more efficient than the proof in [BGW88] that uses error-correction in quite a complicated way to enforce the condition that $h(0) = f_\alpha(0) f_\beta(0)$.

E The Multiplication Gate with Pedersen's VSS

In this section we show how to carry out the multiplication gate using Pedersen's VSS [Ped91a]. A dealer for a secret $\alpha \in \mathbb{Z}_q$ chooses a random polynomial $f_\alpha(x) = a_t x^t + \cdots + a_0$ (with $a_0 = \alpha$) and a random polynomial $r(x) = r_t x^t + \cdots + r_0$ where $a_i, r_i \in \mathbb{Z}_q$. The dealer gives to player $P_i$ the values $\alpha_i = f_\alpha(i) \bmod q$ and $\rho_i = r(i) \bmod q$. He then publishes the following values $A_0, \ldots, A_t$ where $A_j = g^{a_j} h^{r_j} \bmod p$. The $A_j$'s are basically commitments to the coefficients of the polynomials. Each player checks that his share lies on the committed polynomial by checking that
$$g^{\alpha_i} h^{\rho_i} = \prod_{j=0}^{t} A_j^{\,i^j}.$$

Let us now deal with a multiplication gate. Assume that the two secrets $\alpha$ and $\beta$ are currently shared using Pedersen's VSS. That is, $\alpha$ is shared via polynomials $f_\alpha(x) = a_t x^t + \cdots + a_0$ (with $a_0 = \alpha$) and $r(x) = r_t x^t + \cdots + r_0$; each player $P_i$ holds the values $\alpha_i = f_\alpha(i) \bmod q$ and $\rho_i = r(i) \bmod q$. The values $A_j = g^{a_j} h^{r_j} \bmod p$ (for $j = 0, \ldots, t$) are public. Similarly $\beta$ is shared via polynomials $f_\beta(x) = b_t x^t + \cdots + b_0$ (with $b_0 = \beta$) and $s(x) = s_t x^t + \cdots + s_0$; each player $P_i$ holds the values $\beta_i = f_\beta(i) \bmod q$ and $\sigma_i = s(i) \bmod q$. The values $B_j = g^{b_j} h^{s_j} \bmod p$ (for $j = 0, \ldots, t$) are public.

We use the simplified multiplication protocol shown in Section 3.1. Each player $P_i$ shares the value $\alpha_i \beta_i \lambda_i$ via Pedersen's VSS. This will assure that the value is shared via a polynomial of degree $t$. A side effect of the VSS sharing is that $P_i$ publishes the value $g^{\alpha_i \beta_i \lambda_i} h^{\rho}$ for some random value $\rho$. We will use this public value to check that $P_i$ shared the correct value $\alpha_i \beta_i \lambda_i$. This is done by first generating from the commitment to $\alpha$ ($\beta$) a commitment to the interpolated values, i.e. $g^{\alpha_i} h^{\rho_i}$ ($g^{\beta_i} h^{\sigma_i}$), via interpolation in the exponents. Then player $P_i$ proves in ZK that the value he shared is the product of the values contained in these two commitments. A protocol for this task is described in Appendix F. The full protocol is described in Figure 5.

F ZK Proof for multiplicationof committed values

In both the Mult and FT-Mult protocols a crucial tool to prove that a player is performing correctly is a ZK proof

of the following statement.

16

Page 18

Ped-Mult: Multiplicationbased on Pedersen’s VSS

Input of player

Public input

: values,,,.

,

1. Each player

using Pedersen’s VSS protocol. That is let

polynomialsofdegree

Player

P

ishares

?

i

?

i

?

i

f

i

?x??f

it

x

t

?????f

i?and

u

i

?x??u

it

x

t

?????u

i?two random

t such that

f

i

?????

i

?

i

?

i. Player

P

igives toplayer

P

jthe values

c

ij

?f

i

?j?,

?

ij

?u

i

?j?.

P

ipublishes

C

ij

?g

f

ij

h

u

ijfor

j???????t.

Secret informationof

Public information:

P

i: share

c

ji

??

jiof

?

j

?

j

?

j

C

ij

?g

f

ij

h

u

ij

2. The players verify each other sharing. The players who fail the verification of the VSS protocol are exposed.

3. Players compute

that

the players who fail the check.

A

i

?g

?

i

h

?

i

?

Q

t

j??

A

i

j

jand

B

i

?g

?

i

h

?

i

?

Q

t

j??

B

i

j

jRequire

P

itoprove inzero-knowledge

C

i?

?g

?

i

?

i

?

i

h

u

i?is of the correct form with respect to

A

iand

B

i. (see Appendix F.) Expose the values of

4. Player

also

P

icomputes

?

i

?

P

?t??

j??

c

jiwhich is a share of

???? via a random polynomial of degree

t. Compute

?

i

?

P

?t??

j??

?

ji.

5. Player

P

icomputes

C

j

?

Q

?t??

i??

C

ij, for

??j?n.

Secret informationof

Public information:

P

i: share

?

i

C

ifor

??i?n

Figure 5: Robust multiplication protocol using Pedersen’s VSS

The prover $P$ publishes three commitments: $A = g^{\alpha} h^{\rho}$, $B = g^{\beta} h^{\sigma}$ and $C = g^{\alpha\beta} h^{\tau}$. He wants to prove in ZK to a verifier $V$ that he knows how to open such commitments and that the opening of $C$ that he knows is really the product of the values he committed to in $A$ and $B$.

The following ZK proof is adapted from a more general one invented by Cramer and Damgard [CD97]. The basic idea is for the prover to prove that he knows that $C$ can be written as $B^{\alpha} h^{\tau - \alpha\sigma}$.

1. $P$ chooses $d, s, x, s_1, s_2 \in_R Z_q$. He sends to $V$ the messages $M = g^{d} h^{s}$, $M_1 = g^{x} h^{s_1}$, $M_2 = B^{x} h^{s_2}$.

2. $V$ chooses a challenge $e \in_R Z_q$ and sends it to $P$.

3. $P$ replies with the following values: $y = d + e\beta$, $w = s + e\sigma$, $z = x + e\alpha$, $w_1 = s_1 + e\rho$, $w_2 = s_2 + e(\tau - \alpha\sigma)$, all computed modulo $q$.

4. $V$ checks that: $g^{y} h^{w} = M B^{e}$, $g^{z} h^{w_1} = M_1 A^{e}$ and $B^{z} h^{w_2} = M_2 C^{e}$.

The above protocol is only ZK against an honest verifier but can be transformed into a ZK proof against any verifier by standard techniques, i.e. by having the verifier commit to the challenge as a first round. Notice that the protocol involves only a constant number of exponentiations (i.e. $O(k)$ multiplications).

Remark: In our protocol we can exploit the fact that the verifier only sends a random challenge to the prover. Indeed this allows us to run a single proof from $P_i$ to all the other players. The proof would go as follows: 1) all the other players commit to a random number in $Z_q$; 2) the prover sends the first message; 3) all the players would decommit and the challenge will be computed as the sum of the decommitted values. If the original commitment is non-malleable this is secure.
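The four-round proof above, written out as an added Python example; this is not code from the paper or from [CD97], and the toy group parameters, class and function names are constructed for the example. A `c_value` argument lets a dishonest prover commit in $C$ to something other than $\alpha\beta$ while otherwise following the protocol, so one can see which of the three verifier equations rejects it; a fixed challenge of $e = 0$ shows the $1/q$ soundness error of a single run.

```python
import secrets

# Toy Pedersen parameters, constructed for this example: p = 2q + 1 with p and q
# prime; g and h are squares mod p, so both have prime order q. Real deployments
# use standard-size groups and an h whose discrete log base g is unknown.
Q = 1019
P = 2 * Q + 1
G = pow(2, 2, P)
H = pow(3, 2, P)


def pedersen(value, rand):
    """Pedersen commitment g^value h^rand mod p, exponents reduced mod q."""
    return pow(G, value % Q, P) * pow(H, rand % Q, P) % P


class ProductProver:
    """Holds the openings of A = g^alpha h^rho, B = g^beta h^sigma and
    C = g^c h^tau, and claims c = alpha * beta (mod q). Passing c_value
    simulates a cheating prover whose C does not commit to the product."""

    def __init__(self, alpha, beta, rho, sigma, tau, c_value=None):
        self.alpha, self.beta = alpha % Q, beta % Q
        self.rho, self.sigma, self.tau = rho % Q, sigma % Q, tau % Q
        c = self.alpha * self.beta if c_value is None else c_value
        self.A = pedersen(self.alpha, self.rho)
        self.B = pedersen(self.beta, self.sigma)
        self.C = pedersen(c, self.tau)

    def first_message(self):
        # Step 1: fresh d, s, x, s1, s2 and the three masking commitments.
        self.d, self.s, self.x, self.s1, self.s2 = (secrets.randbelow(Q) for _ in range(5))
        M = pedersen(self.d, self.s)
        M1 = pedersen(self.x, self.s1)
        M2 = pow(self.B, self.x, P) * pow(H, self.s2, P) % P
        return M, M1, M2

    def respond(self, e):
        # Step 3: all responses live in Z_q, the order of g and h.
        y = (self.d + e * self.beta) % Q
        w = (self.s + e * self.sigma) % Q
        z = (self.x + e * self.alpha) % Q
        w1 = (self.s1 + e * self.rho) % Q
        w2 = (self.s2 + e * (self.tau - self.alpha * self.sigma)) % Q
        return y, w, z, w1, w2


def verify_product_proof(A, B, C, first, e, response):
    """Step 4: the three equations checked by the verifier."""
    M, M1, M2 = first
    y, w, z, w1, w2 = response
    opens_b = pedersen(y, w) == M * pow(B, e, P) % P
    opens_a = pedersen(z, w1) == M1 * pow(A, e, P) % P
    # C = B^alpha h^(tau - alpha sigma): fails whenever C commits to c != alpha*beta and e != 0
    product = pow(B, z, P) * pow(H, w2, P) % P == M2 * pow(C, e, P) % P
    return opens_a and opens_b and product


def run_interaction(prover, challenge=None):
    """One honest-verifier run; a challenge may be fixed to make a run reproducible."""
    first = prover.first_message()
    e = challenge if challenge is not None else secrets.randbelow(Q)   # step 2
    response = prover.respond(e)
    return verify_product_proof(prover.A, prover.B, prover.C, first, e, response)
```

An honest prover passes for every challenge; a prover whose $C$ commits to $\alpha\beta + 1$ fails the third check for every $e \neq 0$ and slips through only when $e = 0$, which is exactly the $1/q$ soundness error the random challenge leaves.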

G Fast-track Multiplication

Protocol appears in Figure 6.

FT-Mult: Fast-track Multiplication

Input of player $P_i$: values $\alpha_i = f_{\alpha}(i)$, $\beta_i = f_{\beta}(i)$, $\rho_i = r(i)$, $\sigma_i = s(i)$.
Public input: $A_i = H(\alpha_i, \rho_i) = g^{\alpha_i} h^{\rho_i}$, $B_i = H(\beta_i, \sigma_i) = g^{\beta_i} h^{\sigma_i}$ for $1 \le i \le n$.

1. Each player $P_i$ shares $\lambda_i \alpha_i \beta_i$ using the VSS protocol. That is, set $c_{ij} = f_{\alpha\beta,i}(j)$, $\rho_{ij} = u_i(j)$ where $f_{\alpha\beta,i}$, $u_i$ are random polynomials of degree $t$ such that $f_{\alpha\beta,i}(0) = \lambda_i \alpha_i \beta_i$.

Secret information of $P_i$: shares $c_{ji}, \rho_{ji}$ of $\lambda_j \alpha_j \beta_j$. Public information: $C_{ij} = g^{c_{ij}} h^{\rho_{ij}}$ for $1 \le i, j \le n$, and $C_{i0} = g^{c_{i0}} h^{\rho_{i0}}$ for $1 \le i \le n$.

2. $P_i$ proves in zero-knowledge that $C_{i0}$ is a commitment to the product $\lambda_i \alpha_i \beta_i$ using the ZK proof from Appendix F. Expose the values of the players who fail the proof.

3. Player $P_i$ computes $\gamma_i = \sum_{j=1}^{2t+1} c_{ji}$, which is a share of $\alpha\beta$ via a random polynomial of degree $t$, and $\tau_i = \sum_{j=1}^{2t+1} \rho_{ji}$.

4. Player $P_i$ computes and broadcasts $C_i = H(\gamma_i, \tau_i) = g^{\gamma_i} h^{\tau_i} = \prod_{j=1}^{2t+1} C_{ji}$.

5. Players run a VSPS-Check on $C_i$ for $1 \le i \le n$. If the test fails STOP and run Mult from Step 2.

Secret information of $P_i$: share $\gamma_i$. Public information: $C_i$ for $1 \le i \le n$.

Figure 6: Fast-track multiplication protocol

H Fast-track Joint Random VSS protocols

A crucial tool in several cryptographic protocols is a scheme to generate a random value unknown to all the players which will be shared with the VSPS property. A method to achieve this was introduced by Pedersen [Ped91b]. Each player shares a random value with a VSPS protocol, then these secrets are summed to generate the random secret. Each player checks all the other sharings and then locally sums the shares received from the other players. It is easy to see that such a sum is a share (with the VSPS property) of a randomly distributed secret.

In the following we will denote with Joint-Uncond-VSS a joint VSS that is obtained by the above paradigm with the underlying VSPS protocol being either Pedersen's VSS or our DL-VSS combined with VSPS-Check. However we observe that if we use DL-VSS as the underlying VSS protocol, we can create a fast track version of this protocol by deferring the verification of the VSPS property only to the combined values. Indeed it is not important if individual sharings do not have the VSPS property, as we are only interested that the final secret will have the property. If the resulting sharing fails the VSPS-Check protocol then we know there are faults in the system and only then we check each individual sharing. The full protocol which we call FT-Joint-DL-VSS is described in Figure 7.

Fast-Track Joint VSS

1. Player $P_i$ chooses a random value $r_i$ and shares it using the DL-VSS protocol in Section 2. Denote by $\rho_{i,j}, \rho'_{i,j}$ the shares player $P_i$ gives to player $P_j$. The value $A_{i,j} = g^{\rho_{i,j}} h^{\rho'_{i,j}}$ is public.

2. The players verify the VSPS property of the sum of the shared secrets by running VSPS-Check on $A_1, \ldots, A_n$ where $A_j = \prod_i A_{i,j}$.

3. If the output of VSPS-Check is $1$ then player $P_j$ computes his shares $\rho_j, \rho'_j$ of the random secret $r = \sum_i r_i$ by setting $\rho_j = \sum_i \rho_{i,j}$, $\rho'_j = \sum_i \rho'_{i,j}$; otherwise the players run VSPS-Check on each individual sharing from step 1. The values $\rho_j, \rho'_j$ are set to the sum of the shares from the sharings that pass the VSPS-Check protocol.

Figure 7: FT-Joint-DL-VSS

EFFICIENCY GAIN. If there are no faults in the system the protocol FT-Joint-DL-VSS is a factor of $n$ faster than the corresponding Joint-Uncond-VSS since the expensive procedure VSPS-Check is performed only once instead of $n$ times.
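Figure 7 as an added Python simulation; this is not the paper's code, and the toy group, the dealer model and all function names are constructed here. The randomized VSPS-Check the figure calls (Section 4.2.1) is not on this page, so the example substitutes a direct deterministic check: the committed points lie on a degree-$t$ polynomial exactly when every $A_j$ equals the Lagrange combination, in the exponent, of $A_1, \ldots, A_{t+1}$. One faulty dealer who shares with a degree $t+1$ polynomial is enough to exercise the fallback path: one check when all sharings are honest, $n + 1$ checks when the combined sharing fails and each dealer has to be examined.

```python
import secrets

# Toy DL-VSS parameters, constructed for this example: p = 2q + 1 with p and q
# prime; g and h are squares mod p, so both have prime order q. Real deployments
# use standard-size groups and an h whose discrete log base g is unknown.
Q = 1019
P = 2 * Q + 1
G = pow(2, 2, P)
H = pow(3, 2, P)


def pedersen(value, rand):
    return pow(G, value % Q, P) * pow(H, rand % Q, P) % P


def rand_poly(degree, constant):
    """Random polynomial over Z_q (coefficients, lowest degree first) with the
    given constant term and a non-zero leading coefficient."""
    if degree == 0:
        return [constant % Q]
    middle = [secrets.randbelow(Q) for _ in range(degree - 1)]
    return [constant % Q] + middle + [1 + secrets.randbelow(Q - 1)]


def evaluate(coeffs, x):
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % Q
    return result


def lagrange(nodes, x):
    """lambda_l with f(x) = sum_l lambda_l f(l) for every polynomial of degree < len(nodes)."""
    out = []
    for l in nodes:
        num = den = 1
        for m in nodes:
            if m != l:
                num = num * (x - m) % Q
                den = den * (l - m) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out


def vsps_check(commitments, t):
    """Deterministic stand-in for VSPS-Check: the points committed in A_1..A_n
    lie on a degree-t polynomial iff each A_j (j > t+1) equals the Lagrange
    combination of A_1..A_{t+1} computed in the exponent."""
    nodes = list(range(1, t + 2))
    for j in range(t + 2, len(commitments) + 1):
        expected = 1
        for l, lam in zip(nodes, lagrange(nodes, j)):
            expected = expected * pow(commitments[l - 1], lam, P) % P
        if expected != commitments[j - 1]:
            return False
    return True


def deal(n, t, secret, faulty=False):
    """Step 1 for one dealer: shares rho_{i,j}, randomizers rho'_{i,j} and the
    public A_{i,j}. A faulty dealer uses a degree t+1 polynomial for the values,
    so its committed points do not have the VSPS property."""
    f = rand_poly(t + 1 if faulty else t, secret)
    u = rand_poly(t, secrets.randbelow(Q))
    shares = [evaluate(f, j) for j in range(1, n + 1)]
    rands = [evaluate(u, j) for j in range(1, n + 1)]
    return shares, rands, [pedersen(s, r) for s, r in zip(shares, rands)]


def ft_joint_vss(dealings, t):
    """Steps 2-3: one VSPS-Check on the combined A_j = prod_i A_{i,j}; only if it
    fails is every dealer checked. Returns (accepted dealer indices, checks run)."""
    combined = [1] * len(dealings[0][2])
    for _, _, commits in dealings:
        combined = [a * c % P for a, c in zip(combined, commits)]
    if vsps_check(combined, t):
        return list(range(len(dealings))), 1
    accepted = [i for i, d in enumerate(dealings) if vsps_check(d[2], t)]
    return accepted, 1 + len(dealings)


def simulate(n, t, faulty=()):
    """Runs the protocol with the dealers listed in `faulty` misbehaving. Returns
    (accepted, checks, sum of accepted secrets, secret reconstructed from t+1
    final shares, whether every final share matches its combined commitment)."""
    values = [secrets.randbelow(Q) for _ in range(n)]
    dealings = [deal(n, t, v, faulty=(i in faulty)) for i, v in enumerate(values)]
    accepted, checks = ft_joint_vss(dealings, t)
    shares, consistent = [], True
    for j in range(1, n + 1):
        rho = sum(dealings[i][0][j - 1] for i in accepted) % Q
        rho2 = sum(dealings[i][1][j - 1] for i in accepted) % Q
        commit = 1
        for i in accepted:
            commit = commit * dealings[i][2][j - 1] % P
        consistent = consistent and pedersen(rho, rho2) == commit
        shares.append(rho)
    lam = lagrange(list(range(1, t + 2)), 0)
    reconstructed = sum(l * s for l, s in zip(lam, shares[: t + 1])) % Q
    return accepted, checks, sum(values[i] for i in accepted) % Q, reconstructed, consistent
```

The final share of each player is consistent with the product of the accepted dealers' commitments because Pedersen commitments are homomorphic, which is what lets the VSPS property be checked on the combined values without opening any individual sharing.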

I DSS Threshold Signatures

I.1 The Digital Signature Standard

The Digital Signature Standard (DSS) [fST91] is a signature scheme based on the El-Gamal [ElG85] and

Schnorr’s [Sch91] signature schemes. In our description of the DSS protocol we follow the notation introduced

in [Lan95].

KEY GENERATION. A DSS key is composed of public information $p, q, g$, a public key $y$ and a secret key $x$, where:

$p$ is a prime number of length $l$ where $l$ is a multiple of $64$ and $512 \le l \le 1024$.
$q$ is a $160$-bit prime divisor of $p - 1$.
$g$ is an element of order $q$ in $Z_p^*$. The triple $(p, q, g)$ is public.
$x$ is the secret key of the signer, $0 < x < q$.
$y = g^{x} \bmod p$ is the public verification key.

SIGNATURE ALGORITHM. Let $m$ be a hash of the message to be signed. The signer picks a random number $k$ such that $0 < k < q$, calculates $k^{-1} \bmod q$, and sets $r = (g^{k^{-1}} \bmod p) \bmod q$ and $s = k(m + xr) \bmod q$. The pair $(r, s)$ is a signature of $m$.

VERIFICATION ALGORITHM. A signature $(r, s)$ of a message $m$ can be publicly verified by checking that $r = (g^{m s^{-1}} y^{r s^{-1}} \bmod p) \bmod q$ where $s^{-1}$ is computed modulo $q$.

Our DSS protocol uses in a crucial way Joint VSS protocols, which allow a set of players to generate a random secret unknown to all of them in a shared form via a VSS protocol. We describe such protocols and a clever way to fast-track them in Appendix H.

I.2 Yet another VSS

In our basic VSS consider yet another implementation of the commitment function directly based on modular exponentiation. That is, the dealer shares the secret $\sigma$ with the polynomial $f$, gives player $P_i$ the value $\sigma_i = f(i)$, which is his share of the secret, and publishes $A_i = g^{\sigma_i}$. The dealer also publishes $g^{\sigma}$. The reconstruction is as before. Each player $P_i$ broadcasts $\sigma_i$. We accept only those that match the published $A_i$. We extrapolate $\hat{f}$ and check that, for all $i = 1, \ldots, n$, $A_i = g^{\hat{f}(i)}$. If this check succeeds then $\sigma = \hat{f}(0)$, otherwise $\sigma = \bot$.

We name the above protocol FVSS. Although it looks similar to Feldman's VSS [Fel87] it differs from it because in FVSS the public commitments are to the points of the polynomial, while in Feldman's VSS the commitments are to the coefficients. For this same reason however FVSS does not have the VSPS property, i.e. it does not ensure that the shares lie on a polynomial of degree $t$. However it is easy to see that such property can be checked via a randomized test similar to the one described in Section 4.2.1.

As in Feldman's VSS, FVSS reveals the value $g^{\sigma} \bmod p$. In general this can be a problem in terms of security. However for the specific application of threshold DSS it is OK to reveal such a value, since it will turn out to be part of the output of the protocol.

A joint version of FVSS can be obtained as in Section H. We will denote with Joint-VSS a joint VSS protocol in which the underlying VSS scheme is either Feldman's VSS or our FVSS with VSPS-Check. We denote with FT-Joint-FVSS the fast-track version of it that can be obtained with FVSS as the underlying VSS.

I.3 Our Protocol for Threshold DSS signatures

KEY GENERATION. As noted first in [Ped91b], for any discrete-log based scheme, the distributed key generation protocol can be implemented with Joint-VSS. Recall that as a result of this protocol player $P_i$ holds a secret input $x_i$, his share of $x$. The values $g^{x}$ and $g^{x_i}$ are public.

OUTLINE OF SIGNATURE PROTOCOL. The protocol follows the same structure of the one in [GJKR96b]. First the players generate distributively a random value $k$ by running a Joint-Uncond-VSS protocol. It is necessary that this protocol be unconditionally secure as we do not want to reveal $g^{k}$, which is information not revealed by a DSS signature. To compute $r = (g^{k^{-1}} \bmod p) \bmod q$ without revealing $k$, the players use a variation of a protocol to compute inverses due to Bar-Ilan and Beaver [BB89]. The idea here is to generate a random value $a$ distributively through a Joint-VSS protocol. Recall that this reveals the value $g^{a}$. Compute a sharing $\beta_1, \ldots, \beta_n$ of $\beta = ka$ via a multiplication protocol Mult. Notice that although $a$ is shared with a Feldman-based protocol the Mult protocol still works (one just needs to adapt the ZK proof to a special case in which one of the committed values is not information-theoretically secure). Reconstruct $\beta$ by revealing the shares $\beta_i$ (bad players are caught because they cannot contribute bad shares which do not match the commitment). Then, the value $r$ can be publicly computed as $r = g^{a \beta^{-1}}$. For the generation of the signature's value $s$, the players have to compute a multiplication protocol Mult and a linear combination over the shared values $k$ and $x$ (here once again one has to notice that $x$ is shared via a Feldman-based VSS). The protocol is described in full in Figure 8.

Theorem 5 DSS-Thresh is a secure threshold signature protocol for DSS

IMPROVEMENTS. What did we gain with respect to the protocol in [GJKR96b]? First of all the use of the simplified multiplication approach allows us to bring the fault-tolerance up to $t < n/2$. This is a dramatic improvement over the fault-tolerance of $t < n/4$ in [GJKR96b]. This does not come at the expense of extra complexity. A close look at the protocol reveals that each player performs $4$ VSS's as a dealer and it also


DSS-Thresh

Private input to player $P_i$: a share $x_i$ of the secret key $x$.
Public input: the values $g^{x}$, $g^{x_i}$ ($1 \le i \le n$) and the message $m$.

1. Generate $k$. The players generate a secret value $k$, uniformly distributed in $Z_q$, by running Joint-Uncond-VSS with two polynomials of degree $t$, $f_k(x)$ and $f_{\rho}(x)$, such that $f_k(0) = k$ and $f_{\rho}(0) = \rho$.

Secret information of $P_i$: shares $k_i = f_k(i)$ and $\rho_i = f_{\rho}(i)$. Public information: $g^{k} h^{\rho}$ and $g^{k_i} h^{\rho_i}$, $1 \le i \le n$.

2. Generate $r = (g^{k^{-1}} \bmod p) \bmod q$.

(a) Generate a random value $a$, uniformly distributed in $Z_q^*$, with a polynomial of degree $t$, using Joint-VSS.

Secret information of $P_i$: a share $a_i$ of $a$. Public information: $g^{a}$ and $g^{a_i}$, $1 \le i \le n$.

(b) Perform protocol Mult to get shares $\beta_i$ of $\beta = ka \bmod q$ that lie on a polynomial of degree $t$. This also produces random values $\tau_i$ that lie on a polynomial of degree $t$.

Secret information of $P_i$: shares $\beta_i$ and $\tau_i$. Public information: $g^{\beta} h^{\tau}$ and $g^{\beta_i} h^{\tau_i}$, $1 \le i \le n$.

(c) Player $P_i$ broadcasts $\beta_i, \tau_i$. Discard those that do not match $g^{\beta_i} h^{\tau_i}$. Interpolate the remaining ones to reconstruct $\beta = ka$. Each player $P_i$ computes locally $r \stackrel{\mathrm{def}}{=} (g^{a \beta^{-1}} \bmod p) \bmod q$.

Public information: $r$.

3. Generate $s = k(m + xr) \bmod q$.

(a) Perform a protocol Mult to get shares $s_i$ of $s = k(m + xr) \bmod q$ that lie on a polynomial of degree $t$. This also produces random values $\tau'_i$ that lie on a polynomial of degree $t$.

Private information of player $P_i$: shares $s_i$ and $\tau'_i$. Public information: $g^{s_i} h^{\tau'_i}$, $1 \le i \le n$.

(b) Player $P_i$ broadcasts $s_i, \tau'_i$. Discard those that do not match $g^{s_i} h^{\tau'_i}$. Let $s$ be the free term of the polynomial interpolating the accepted $s_i$'s.

4. Check and Output. Output $(r, s)$ as a signature on $m$.

Figure 8: DSS Distributed signature generation
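The DSS equations of Section I.1 and the share arithmetic of Figure 8 (joint generation of $k$ and $a$, Mult, the Bar-Ilan and Beaver inversion giving $r = g^{a\beta^{-1}}$, and the local linear combination $m + x_i r$ before the final Mult), as one added Python example. It is not code from the paper: it works over plain Shamir shares and deliberately leaves out the commitments, VSPS checks and ZK proofs that make the real protocol robust, so it shows only why the arithmetic produces a signature that the ordinary DSS verifier accepts. The toy group and all function names are constructed here.

```python
import hashlib
import secrets

# Toy DSS parameters constructed for this example: p = 2q + 1, both prime, g of
# order q. Real DSS uses p of 512..1024 bits and a 160-bit q.
Q = 1019
P = 2 * Q + 1
G = pow(2, 2, P)


def hash_to_zq(message):
    """m: the hash of the message, reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def dss_sign(x, m, k):
    """I.1 signing in the paper's notation: r = (g^{k^{-1}} mod p) mod q, s = k(m + x r) mod q."""
    r = pow(G, pow(k, -1, Q), P) % Q
    s = k * (m + x * r) % Q
    return r, s


def dss_verify(y, m, signature):
    """I.1 verification: r = (g^{m s^{-1}} y^{r s^{-1}} mod p) mod q, s^{-1} taken mod q."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    s_inv = pow(s, -1, Q)
    return pow(G, m * s_inv % Q, P) * pow(y, r * s_inv % Q, P) % P % Q == r


# Shamir arithmetic underlying Figures 5 and 8 (commitments and proofs omitted).

def rand_poly(t, constant):
    return [constant % Q] + [secrets.randbelow(Q) for _ in range(t)]


def evaluate(coeffs, x):
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % Q
    return result


def lagrange_at_zero(nodes):
    """lambda_l with f(0) = sum_l lambda_l f(l) for polynomials of degree < len(nodes)."""
    out = []
    for l in nodes:
        num = den = 1
        for m in nodes:
            if m != l:
                num = num * (-m) % Q
                den = den * (l - m) % Q
        out.append(num * pow(den, -1, Q) % Q)
    return out


def joint_random(n, t):
    """Joint VSS arithmetic: every player deals a random value with a degree-t
    polynomial; P_j's share is the sum of what it received. Returns (secret, shares)."""
    polys = [rand_poly(t, secrets.randbelow(Q)) for _ in range(n)]
    shares = [sum(evaluate(f, j) for f in polys) % Q for j in range(1, n + 1)]
    return sum(f[0] for f in polys) % Q, shares


def mult(a_shares, b_shares, t):
    """Mult arithmetic (Figure 5, steps 1 and 4): players 1..2t+1 reshare
    lambda_i a_i b_i with fresh degree-t polynomials and P_j sums what it
    receives, giving a degree-t sharing of the product. Needs n >= 2t + 1."""
    n = len(a_shares)
    lam = lagrange_at_zero(list(range(1, 2 * t + 2)))
    reshared = [rand_poly(t, lam[i] * a_shares[i] * b_shares[i]) for i in range(2 * t + 1)]
    return [sum(evaluate(f, j) for f in reshared) % Q for j in range(1, n + 1)]


def reconstruct(shares, t):
    lam = lagrange_at_zero(list(range(1, t + 2)))
    return sum(l * s for l, s in zip(lam, shares[: t + 1])) % Q


def threshold_sign(n, t, x_shares, m):
    """Figure 8 without its checks. Retries, as DSS itself does, when a value is zero."""
    while True:
        k, k_shares = joint_random(n, t)                        # step 1
        a, a_shares = joint_random(n, t)                        # step 2(a)
        if k == 0 or a == 0:
            continue
        beta = reconstruct(mult(k_shares, a_shares, t), t)      # 2(b), 2(c): beta = k a
        r = pow(G, a * pow(beta, -1, Q) % Q, P) % Q             # g^{a/(k a)} = g^{k^{-1}}
        lin_shares = [(m + xi * r) % Q for xi in x_shares]      # shares of m + x r
        s = reconstruct(mult(k_shares, lin_shares, t), t)       # step 3: k (m + x r)
        if r and s:
            return r, s
```

The inverted-$k$ convention is what makes step 3 a single Mult: $s = k(m + xr)$ multiplies the shared $k$ by a value whose shares every player can form locally from its key share, whereas the usual $k^{-1}(m + xr)$ would need an inversion of a shared value inside the on-line phase.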

participates to $4(n - 1)$ VSS's dealt by other players as a participant. This is the same as in [GJKR96b], but we have an increase in fault-tolerance. This is due to our improved and simplified multiplication protocols. Basically the VSS's used in [GJKR96b] to randomize polynomials of degree $2t$ are replaced in our protocol by VSS's that at the same time reduce the degree and randomize the polynomial.

Another nice property of our protocol (which the one in [GJKR96b] does not have) is the possibility of creating a fast-track version as we will see in the next section.

ON-LINE/OFF-LINE BEHAVIOR. It is worth noting that the on-line/off-line behavior of DSS is preserved even under our new protocols. Indeed the value $r$ can be precomputed off-line first. Then it can be used for the computation of $s$ on-line. In order to avoid computing modular exponentiations during the on-line computation (because of the VSS's of the values involved) one must precompute the sharings of those values as well.

I.4 Fast Track version

It is possible to create a fast-track version of the protocol considered above. When run in fast-track mode the protocol will improve its speed by a factor of $n$ if there are no faults in the system. However if a malicious fault happens the protocol has to be reset and run in the fully fault-tolerant mode.

OUTLINE. The basic idea of the protocol is to use our DL-VSS and FVSS protocols (instead of Pedersen's and Feldman's VSS) for the joint VSS used during signature generation. This is because using those protocols allows us to fast-track the joint VSS's by postponing the VSPS check to the combined secret. Also the FT-Mult protocol is used instead of Mult. This means that the VSPS check is done on the resulting sharing of the product rather than on the single sharings of the players. If a malicious fault is discovered it is important to notice that the fully fault-tolerant protocol starts from the round in which the fault manifested itself.

USING THE PUBLIC KEY. An additional improvement to the efficiency of the fast-track version can be obtained by performing a weaker multiplication protocol during the computation of $s$. We will not require the players to prove they are sharing the proper value during the multiplication protocol. This may mess up the result of the computation of $s$. But now we can use the public key $y = g^{x}$ to check that the signature is correct and if it is not just run the fully fault-tolerant multiplication protocol in the last round.

Remark. In [GJKR96b] a very simple and efficient protocol is presented for the case of no malicious faults. Players carry out simple secret sharings. One could be tempted to use this protocol for the fast-track case and then do the fully fault-tolerant protocol only if the signature does not match. However we were not able to prove that the first run of the protocol does not reveal information to the adversary. For the same reason the weaker multiplication protocol can be used only at the last round and not during the computation of $r$.

IMPROVEMENTS. The net result is that if there are no malicious faults the players have to perform only one VSPS check per round instead of the $n - 1$ per round required by the fully fault-tolerant protocol. Thus, we have a reduction of the overall complexity of the protocol by a factor of $n$.
