
Simplified VSS and Fast-track Multiparty Computations with Applications to Threshold Cryptography

(Regular presentation submission)

ROSARIO GENNARO*    MICHAEL O. RABIN†    TAL RABIN‡

Abstract

The goal of this paper is to introduce a simple verifiable secret sharing scheme, and to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols.

First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zero-knowledge proofs.

This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plug-in unit for known protocols reduces their complexity.

We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments.

Finally, we borrow from other fields and introduce into the multiparty computation scenario the notion of fast-track computations. In a model in which malicious faults are rare we show that it is possible to carry out a simpler and more efficient protocol which does not perform all the expensive checks needed to prevent a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and recovers the computation when faults occur without giving any information advantage to the adversary. This results in protocols which are much more efficient under normal operation of the system, i.e. when there are no faults.

As an example of the practical impact of our work we show how our techniques can be used to greatly improve the speed and the fault-tolerance of existing threshold cryptography protocols.

* IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA. Email: rosario@watson.ibm.com.
† Harvard University and Hebrew University. Email: rabin@cs.huji.ac.il
‡ IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA. Email: talr@watson.ibm.com. Contact author.


1 Introduction

The past twenty years have witnessed an exciting development of research in the area of cryptography and network security. From the introduction of public-key cryptography [DH76, RSA78], to the invention of zero-knowledge proofs [GMR89], to the definition of the problem of secure multiparty computation and the somewhat surprising proof that any multiparty computation can be performed securely [Yao82, GMW87, BGW88, CCD88]. The combination of these results is extremely powerful, as they show that virtually any cryptographic problem can be solved under some reasonable appropriate assumptions.

Although theoretically impressive, these results lack in the area of practical feasibility. In today's applications even a simple public-key operation is sometimes considered too slow in comparison to the speed required by the application. Thus, the complicated exchanges of messages and zero-knowledge proofs in protocols like [Yao82, GMW87, BGW88, CCD88] might render them impractical. Thus, it is a high priority to optimize such techniques. Yet, they do provide a sound basis for our solutions; in particular we will draw heavily on the solution introduced in [BGW88].

For the problem of verifiable secret sharing, attempts have been made to simplify the protocols by moving into the computational model. Such results were achieved by Feldman and Pedersen [Fel87, Ped91a], and in fact exhibit improved results with respect to communication.

We shall concentrate in this paper on the problems of verifiable secret sharing and multiparty computations. The inefficiency of the general secure multiparty protocols is partially caused by the "generality" of the algorithms. Thus, optimization can be achieved in (at least) two ways. One is to tailor protocols to the specific problem at hand. Examples of this kind of approach include works on threshold cryptography (see Section 6) where efficient multiparty computation protocols are devised for the task of shared generation of digital signatures.

Another possible approach, the one which we follow in this paper, is to go back to the original works and see if their efficiency can be directly improved. If one can devise general techniques to improve on the computation/communication of secure multiparty protocols it is also likely that these techniques would improve the efficiency of "ad-hoc" optimizations.

OUR CONTRIBUTION. In this paper we present new algorithms to perform specific computations more efficiently. Furthermore, we initiate new modes of operation to enhance overall performance. The major contributions can be summarized as follows:

- A new simple and efficient design for a Verifiable Secret Sharing scheme
- Computational simplifications of the Ben-Or et al. [BGW88] protocol
- Efficient multiparty computations in the computational model
- Expediting computations through the notion of "fast-track"
- Applying all the above to a specific cryptographic problem

VSS. The first algorithm is a very simple and efficient Verifiable Secret Sharing protocol (Section 2). The main novelty of our protocol is that it is based on an efficient commitment scheme and it avoids altogether the expensive zero-knowledge proofs, which are usually carried out to ensure the correctness of actions of the participants in the protocol. Our protocol improves considerably over all existing verifiable secret sharing schemes, either in communication and/or in computation.

COMPUTATIONAL SIMPLIFICATIONS. The second protocol is a highly simplified protocol to compute multiplication over shared secrets. That is, in the model where there are two secrets a and b which are shared distributively among a set of n players, the protocol enables the players to secretly compute the product ab. This protocol can be used in any existing multiparty computation protocol. For example when used inside [BGW88] it improves the speed of the computation of a multiplication gate by a factor of at least 2. When used inside our general multiparty protocol, gains are even greater.


EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using constructions based on homomorphic commitments. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs.

FAST-TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a heavy cost in terms of communication/computation in order to guarantee robustness against malicious adversaries who may cause players to behave arbitrarily during the protocol. It is a well-known phenomenon that "private" computations (i.e. secure only against passive adversaries) are usually much simpler and more efficient, as they eliminate all verification of proper conduct.

Typically, however, one can expect malicious faults to happen quite rarely. Consider for example a very sensitive distributed signature generation system (like a root certification authority) where the servers are heavily protected by firewalls and other security mechanisms. In this case one cannot rule out malicious faults (and thus cannot blindly use the simpler private protocols), but on the other hand would like to take advantage in some way of the fact that faults are rare.

We would like to build on the efficiency of private protocols, which operate under the assumption that no faults occur, while avoiding the trap of assuming that you can execute the private computation until a fault occurs and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.

Thus, we borrow from other fields and introduce into the multiparty computation scenario the notion of fast-track computations. The idea is to avoid carrying out all the verification steps, but rather to identify "critical" verification points. Only at these critical points some verification will be carried out. Once the verification is carried out in a critical point we are guaranteed that the computation up to this point is correct. These critical points must be chosen in such a manner that if faults occur between two consecutive critical points c_1 and c_2, where c_2 is a later point in the protocol, then the faults will be detected at point c_2. Furthermore, recomputing the section from critical point c_1 to c_2 will not violate the security of the computation. Thus, if no faults occurred between c_1 and c_2 we "saved" all the verifications which should have been carried out between these two points.

An attractive feature of our approach is that most of the verification at the critical points will not be the standard verification steps of the protocol, but rather a subset of the verification steps which should have been computed. For example in the general multiparty computation of an arithmetic circuit, critical points are placed on multiplication gates. At these gates we need to verify only one VSS compared to, for example, [BGW88] where O(n) such VSS's must be checked (at least one for each player).

APPLICATIONS. As an example of the practical impact of our approach, we present its application in the area of threshold cryptography. We show that existing threshold signature protocols can be greatly enhanced in speed using our techniques. We exemplify this over the threshold DSS protocol of [GJKR96b]. The improvements are quite substantial. We improve the fault-tolerance from n?? to n?? without increasing the communication or the computational complexity, thanks to our simplified VSS and multiplication protocols. We also present a fast-track version of the protocol which requires from each server a factor of n modular exponentiations less than a fully fault-tolerant protocol (e.g. in [GJKR96b]) (see Section 6).

2 Verifiable Secret Sharing Made Very Simple

Since the appearance of Shamir's [Sha79] and Blakley's [Bla79] seminal papers on secret sharing, which introduced the notion of sharing a secret and gave very simple solutions to the problem, the research on this topic has been extensive. These two solutions worked in the model where there are no faults in the system. Tompa and Woll [TW88] and McEliece and Sarwate [MS81] gave the first (partial) solutions for a model with faults. Finally the paper of Chor et al. [CGMA85] defined the complete notion of Verifiable Secret Sharing (VSS), and gave a solution. Under various assumptions, solutions to the problem were given in [CGMA85, GMW91, Fel87, BGW88, CCD88, RB89, Ped91a]. In order to achieve the goal of verifiability, these protocols deviate from the original solutions' simplicity. They require either heavy computations and/or extensive zero-knowledge proofs of proper conduct. Furthermore, in order to reconstruct the secret there is again a need for extensive computations.

In this section we will describe a VSS protocol which returns to the original simplicity of Shamir's scheme; furthermore the implementation requires very little computational and communication overhead (both for sharing and reconstructing). This simple solution is enabled through an observation that all existing protocols achieve much more than is required, and by eliminating all the overhead, efficiency can be regained.

In Appendix A we present Shamir's Secret Sharing, and in Appendix B a definition of verifiable secret sharing due to [FM].

2.1 Our VSS protocol

We now proceed to describe a protocol which satisfies the above definition of VSS. It will be based on Shamir's secret sharing, with an additional low-cost added construction. This construction will basically be an efficient commitment of the dealer to each one of the shares held by the players. The commitment to the shares as a whole commits the dealer to a single secret. The individual commitments can be opened as we have enough good players who will expose their values and, through those, verify all other commitments. Our VSS protocol appears in Figure 1. In order to construct our protocol we need some form of commitment which satisfies the following conditions. We shall denote our commitment function by H. It will be a randomized function which will receive as input the secret value x and a random value r.

- secrecy: given H(x, r) it is infeasible to compute any information about x
- collision resistance: it is infeasible to find two strings (x_1, r_1) and (x_2, r_2) such that H(x_1, r_1) = H(x_2, r_2)
- universal verifiability: given x, r and y everybody can verify if y = H(x, r) (i.e. the computation of H does not require knowledge of a secret key).

For example one could conjecture that H(x, r) = SHA-1(x, r).

Theorem 1 The protocol New-VSS in Figure 1 is a VSS protocol.

Proof appears in Appendix C.

EFFICIENCY AND SECURITY. If H is implemented via a cryptographic hash function (e.g. H(x, r) = SHA-1(x, r)) then we would like to stress the efficiency of the above VSS protocol. During the sharing phase the dealer has to compute n executions of the function H while each player computes a single evaluation, and each such computation is highly efficient. During the recover phase each player has to compute the hash n times. No costly modular exponentiations or complex ZK proofs are required.

The security of H(x, r) = SHA-1(x, r) can however be only conjectured on the basis of the collision resistance of SHA-1. However if one wants provable security without losing in efficiency one can use the efficient provably secure commitment scheme of [DPP96] based on collision resistant hashing.
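The New-VSS protocol of Figure 1 worked through as an added Python example (not code from the paper). It assumes a prime field for Shamir's polynomials and instantiates H as SHA-256 over the two values in place of the SHA-1 conjectured above; it runs two constructed cases, a forged share broadcast during reconstruction and a dealer whose committed shares do not lie on one degree-t polynomial.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field for Shamir sharing (assumption; any prime larger than the secret works)

def H(x, r):
    """Commitment H(x, r) = SHA-256(x || r); the paper conjectures SHA-1, SHA-256 is used here."""
    return hashlib.sha256(x.to_bytes(16, "big") + r.to_bytes(16, "big")).hexdigest()

def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (coeffs[0] is the free term)."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def interpolate(points, x):
    """Lagrange interpolation: value at x of the degree <= len(points)-1 polynomial through points."""
    total = 0
    for i, yi in points:
        num, den = 1, 1
        for j, _ in points:
            if j != i:
                num, den = num * (x - j) % P, den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def deal(secret, t, n):
    """Sharing phase: f(x) has free term s, r(x) is random; P_i gets (alpha_i, rho_i), A_i is broadcast."""
    f = [secret] + [secrets.randbelow(P) for _ in range(t)]
    r = [secrets.randbelow(P) for _ in range(t + 1)]
    shares = {i: (poly_eval(f, i), poly_eval(r, i)) for i in range(1, n + 1)}
    return shares, {i: H(a, rho) for i, (a, rho) in shares.items()}

def reconstruct(broadcast, public, t):
    """Reconstruction over broadcast = {i: (alpha_i, rho_i)}; forged broadcasts fail the A_i check."""
    good = [(i, ab) for i, ab in broadcast.items() if H(*ab) == public[i]][: t + 1]
    if len(good) < t + 1:
        return None  # fewer than t+1 verifiable shares: nothing to interpolate
    f_pts, r_pts = [(i, a) for i, (a, _) in good], [(i, rho) for i, (_, rho) in good]
    for i in public:  # step 3: every A_i must match the interpolated polynomials
        if H(interpolate(f_pts, i), interpolate(r_pts, i)) != public[i]:
            return 0  # dealer's commitments do not lie on one degree-t polynomial
    return interpolate(f_pts, 0)

def honest_dealer_run():
    """Constructed run, n=5, t=2: P_4 broadcasts a forged share and P_5 stays silent."""
    shares, public = deal(123456789, t=2, n=5)
    assert all(H(*s) == public[i] for i, s in shares.items())  # step 2: no player complains
    broadcast = {1: shares[1], 2: shares[2], 3: shares[3], 4: ((shares[4][0] + 1) % P, shares[4][1])}
    return reconstruct(broadcast, public, t=2)

def cheating_dealer_run():
    """Constructed run, n=4, t=1: the dealer commits consistently to a share that is off f(x)."""
    shares, public = deal(42, t=1, n=4)
    shares[3] = ((shares[3][0] + 1) % P, shares[3][1])
    public[3] = H(*shares[3])
    return reconstruct(shares, public, t=1)
```

Note that the forged share from P_4 is rejected by the A_i check alone, while the dishonest dealer is only caught in step 3, when the interpolated polynomials are re-evaluated against every published commitment.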

2.2 Previous approaches

Almost all the VSS protocols in the literature (with the curious exception of the first one [CGMA85]) are based on Shamir's protocol. On top of that they add some proof from the dealer that the values shared lie on a polynomial of degree t, thus ensuring that the shares identify a unique secret. We refer to this property as the VSPS property, which will be defined more rigorously later.

In [GMW91] the shares are encrypted and then the VSPS property is proven via a "generic" zero-knowledge (ZK) proof of an NP-complete problem. The public knowledge of the encrypted shares also prevents bad players from contributing bad shares during reconstruction. This approach is made more efficient in [Fel87, Ped91a]


Verifiable Secret Sharing

Sharing Phase

1. Protocol for Dealer on input a secret s:
   - Randomly choose polynomials f(x) = a_t x^t + ... + a_1 x + s, and r(x) = r_t x^t + ... + r_1 x + r_0.
   - Compute and hand player P_i the values α_i := f(i) and ρ_i := r(i), for 1 ≤ i ≤ n.
   - Compute and broadcast the value A_i := H(α_i, ρ_i), for 1 ≤ i ≤ n.
2. Player P_i verifies that A_i = H(α_i, ρ_i). If the equation does not hold then he broadcasts a complaint against the dealer.
3. If player P_i broadcasted a complaint then the dealer broadcasts the values α_i, ρ_i, s.t. H(α_i, ρ_i) = A_i.
4. If the dealer does not follow some step he is disqualified, otherwise conclude that a secret has been shared.

Reconstruction Phase

1. Each player broadcasts the values α_i, ρ_i.
2. Take t+1 broadcasted values for which A_i = H(α_i, ρ_i) and interpolate polynomials f̃(x) and r̃(x) of degree at most t that pass through those points.
3. Compute α̃_i = f̃(i) and ρ̃_i = r̃(i) and verify that A_i = H(α̃_i, ρ̃_i) for all i. If yes, output f̃(0) else output 0.

Figure 1: New-VSS - Sharing and Reconstruction Protocols

where the dealer publicly commits to the polynomial using some form of "homomorphic" commitment scheme. These commitments in return provide for a simpler proof of the VSPS property.

In [BGW88, CCD88, Rab94] the model assumes a computationally unbounded adversary, disabling the use of encryption. In this case the ZK proof is done via a cut-and-choose approach. Correction of bad shares during recovery is done via error-correcting codes [BGW88, CCD88] or via a mechanism of mutual authentication [Rab94].

Is there a trend developing in all these solutions which explains why our solution is so simple? The answer is yes. The above mentioned results achieve more than just having the dealer commit to a single value. Indeed the dealer commits to a polynomial of degree t, where the intended secret is the free term of this polynomial. This additional commitment apparently complicates the protocol, and adds computations, and is not necessary in order to achieve the sole goal of verifiable secret sharing. Indeed our protocol shows that it is possible to commit to a single value without committing to the full polynomial. We will refer to the above protocols with the new name of Verifiable Secret and Polynomial Sharing (VSPS).

Definition 1 We say that a protocol is a Verifiable Secret and Polynomial Sharing protocol (VSPS) if the following properties hold for any adversary A:

1. The protocol is a Verifiable Secret Sharing.
2. VSPS property: If the value set by the VSS is s then there exists a polynomial f(x) of degree at most t, such that f(0) = s and player P_i knows the value f(i).

In Section 4.2.1 we will provide a method to enhance our VSS scheme by adding the VSPS property. As we will see later VSPS protocols are important as a tool for multiparty computation, due to their structural homomorphic properties. However, they are an overkill for a single VSS. And indeed there are several applications, such as storing important information for back-up in a distributed fashion on insecure devices, where there is a need only for VSS without a requirement to compute on the shares.
