Simplified VSS and Fast-track Multiparty Computations
with Applications to Threshold Cryptography
(Regular presentation submission)
MICHAEL O. RABIN
The goal of this paper is to introduce a simple verifiable secret sharing scheme, and to improve the efficiency
of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of
applications which use these protocols.
First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic
primitivesand avoids altogether the need for expensive zero-knowledge proofs.
This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a
major component in secure multiparty computation protocols and accounts for much of the complexity of
proposed solutions. Using our protocol as a plug in unit for known protocols reduces their complexity.
of homomorphic commitments.
Finally, we borrow from other fields and introduce into the multiparty computation scenario the notion of
fast-track computations. In a model in which malicious faults are rare we show that it is possible to carry
out a simpler and more efficient protocol which does not perform all the expensive checks needed to combat
a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and
recovers the computation when faults occur without givingany informationadvantage to the adversary. This
results in protocols which are much more efficient under normal operation of the system i.e. when there are
the speed and the fault-tolerance of existing threshold cryptography protocols.
?IBM T.J. Watson ResearchCenter, PO Box 704, Yorktown Heights, New York 10598, USA Email: firstname.lastname@example.org.
yHarvard University and Hebrew University. Email: email@example.com
zIBM T.J. WatsonResearchCenter,POBox704,Yorktown Heights,NewYork 10598,USA Email: firstname.lastname@example.org. Contact
The past twenty years have witnessed an exciting development of research in the area of cryptography and
network security. From the introduction of public-key cryptography [DH76, RSA78], to the invention of zero-
knowledgeproofs[GMR89], tothedefinitionoftheproblemof securemultipartycomputationandthesomewhat
The combination of these results is extremely powerful, as they show that virtually any cryptographic problem
can be solved under some reasonable appropriate assumptions.
even a simple public-key operation is sometimes considered too slow in comparison to the speed required by
the application. Thus, the complicated exchanges of messages and zero-knowledge proofs in protocols like
[Yao82, GMW87, BGW88, CCD88], might render them impractical. Thus, it is a high priority to optimize such
techniques. Yet, they do provide for a sound basis for our solutions, in particular we will draw heavily on the
solution introduced in [BGW88].
For the problem of verifiable secret sharing, attempts have been made to simplify the protocols by moving
into the computational model. Such results were achieved by Feldman and Pedersen [Fel87, Ped91a], and in
fact exhibit improved results with respect to communication.
We shall concentrate in this paper on the problems of verifiable secret sharing and multiparty computations.
Thus, optimization can be achieved in (at least) two ways. One is to tailor protocols to the specific problem
at hand. Examples of this kind of approach include works on threshold cryptography (see Section 6) where
efficient multiparty computation protocols are devised for the task of shared generation of digital signatures.
Another possible approach, the one which we follow in this paper, is to go back to the original works
and see if their efficiency can be directly improved. If one can devise general techniques to improve on the
computation/communicationof secure multiparty protocols it is also likely that thesetechniques would improve
the efficiency of “ad-hoc” optimizations.
OUR CONTRIBUTION. In thispaper we present new algorithmsto perform specific computations more efficiently.
Furthermore, we initiate new modes of operation to enhance overall performance. The major contributions can
be summarized as follows:
? A new simple and efficient design for Verifiable Secret Sharing scheme
? Computational simplifications of the Ben-Or et al. [BGW88] protocol
? Efficient multiparty computations in the computational model
? Expeditingcomputations through the notion of “fast-track”
? Applying all the above to a specific cryptographic problem
VSS. The first algorithm is a very simple and efficient Verifiable Secret Sharing protocol (Section 2). The
main novelty of our protocol is that it is based on an efficient commitment scheme and it avoids altogether
the expensive zero-knowledge proofs, which are usually carried out to ensure the correctness of actions of
the participants in the protocol. Our protocol improves considerably over all existing verifiable secret sharing
schemes, either in communication and/or in computation.
COMPUTATIONAL SIMPLIFICATIONS. The second protocol is a highly simplified protocol to compute multipli-
cation over shared secrets. That is, in the model where there are two secrets
distributivelyamong a set of
protocol can be used in any existing multiparty computation protocol. For example when used inside[BGW88]
it improves the speed of the computation of a multiplication gate by a factor of at least 2. When used insideour
general multiparty protocol, gains are even greater.
b which are shared
n players, the protocolenables theplayers to secretly compute theproduct
EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using construc-
tions based on homomorphic commitments. Some of these techniques have been independently devised by
[CDM97], yet they use them in the context of span programs.
FAST-TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a
who may cause players to behave arbitrarily during the protocol. It is a well-known phenomenon that “private”
computations (i.e. secure only against passive adversaries) are usually much simpler and efficient, as they
eliminate all verification of proper conduct.
Typically, however, one can expect malicious faults to happen quite rarely. Consider for example a very
sensitivedistributedsignaturegenerationsystem(likea root certificationauthority)wheretheserversare heavily
protected by firewalls and othersecurity mechanisms. In this case one cannot rule out malicious faults (and thus
cannot blindly use the simpler private protocols), but on the other hand would like to take advantage in some
way of the fact that faults are rare.
We would like to build on the efficiency of private protocols, which operate under the assumption that no
faultsoccur, whileavoidingthetrap ofassumingthatyou can executetheprivatecomputationuntilafaultoccurs
and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.
Thus,we borrow from otherfields and introduceintothe multipartycomputationscenario the notionof fast-
track computations. The idea is to avoid carrying out all the verification steps, but rather to identify “critical”
verification points. Only at these critical points some verification will be carried out. Once the verification is
carried out in a critical point we are guaranteed that the computation up to this point is correct. These critical
points must be chosen in such a manner that if faults occur between two consecutive critical points
thesection from critical point
An attractive feature of our approach is that most of the verification at the critical points will not be the
standard verification steps of the protocol, but rather a subset of the verification steps which should have been
computed. For example in the general multiparty computation of an arithmetic circuit, critical points are placed
on multiplications gates. At these gates we need to verify only one VSS compared to, for example, [BGW88]
APPLICATIONS. As an example of the practical impact of our approach, we present its application in the area of
threshold cryptography. We show that existing threshold signature protocols can be greatly enhanced in speed
using our techniques. We exemplify this over the threshold DSS protocol of [GJKR96b]. The improvements
are quite substantial. We improve the fault-tolerance from
or the computational complexity, thanks to our simplified VSS and multiplication protocols. We also present a
fast-track version of the protocol which requires >from each server a factor of
than a fully fault-tolerant protocol (e.g. in [GJKR96b]) (see Section 6).
2 Verifiable Secret Sharing Made Very Simple
?is a later point in the protocol, then the faults will be detected at point
?. Furthermore, recomputing
?will notviolatethesecurity ofthe computation. Thus, ifno faults occurred
?we “saved” all the verifications which should have been carried out between these two points.
O?n? such VSS’s must be checked (at least one for each player).
n?? without increasing the communication
n modular exponentiations less
Since the appearance of Shamir’s [Sha79] and Blakley’s [Bla79] seminal papers on secret sharing which
introduced the notion of sharing a secret and gave very simple solutions to the problem, the research on
this topic has been extensive. These two solutions worked in the model where there are no faults in the
system. Tompa and Woll [TW88] and McEliece and Sarwate [MS81] gave the first (partial) solutions for a
model with faults. Finally the paper of Chor et al. [CGMA85] defined the complete notion of Verifiable
Secret Sharing (VSS), and gave a solution. Under various assumptions, solutions to the problem were given
[CGMA85, GMW91, Fel87, BGW88, CCD88, RB89, Ped91a]. In order to achieve the goal of verifiability,
these protocols deviate from the original solutions’ simplicity. They require either heavy computations and/or
extensivezero-knowledgeproofsofproperconduct. Furthermore, in ordertoreconstructthesecret thereis again
a need for extensive computations.
In this section we will describe a VSS protocol which returns to the original simplicity of Shamir’s scheme,
and reconstructing). This simple solution is enabled through an observation that all existing protocols achieve
much more than is required, and by eliminating all the overhead, efficiency can be regained.
In Appendix A we present Shamir’s Secret Sharing, and in Appendix B a definition of verifiable secret
sharing due to [FM].
We now proceed to describe a protocol which satisfies the above definition of VSS. It will be based on Shamir’s
secret sharing, with an additional low cost added construction. This construction will basically be an efficient
commitment of the dealer to each one of the shares held by the players. The commitment to shares as a whole
commits the dealer to a single secret. The individual commitments can be opened as we have enough good
in Figure 1. In order to construct our protocol we need some form of commitment which satisfies the following
conditions. We shall denoteourcommitment functionby
as input the secret value
Our VSS protocol
H. It will bea randomized functionwhich will receive
x and a random value
H?x?r? it is infeasible to compute any information about
collisionresistance it is infeasible to find two strings
universal verifiability given
not require knowledge of a secret key).
y everybody can verify if
y?H?x?r? (i.e. the computation of
For example one could conjecture that
Theorem 1 The protocol New-VSS in Figure 1 is a VSS protocol.
Proof appears in Appendix C.
EFFICIENCY ANDSECURITY. If
then we would like to stress the efficiency of the above VSS protocol. During the sharing phase the dealer has
computation is highly efficient. During the recover phase each player has to compute the hash
costly modular exponentiationsor complex ZK proofs are required.
The security of
resistance of SHA-1. However if one wants provable security without losing in efficiency one can use the
efficient provably secure commitment scheme of [DPP96] based on collision resistant hashing.
n executions of the function
H while each player computes a single evaluation, and each such
n times. No
H?x?r??SHA-1?x?r? can however be only conjectured on the basis of the collision
Shamir’s protocol. On top of that they add some proof from the dealer that the values shared lie on a polynomial
which will be defined more rigorously later.
In [GMW91] the shares are encrypted and then theVSPS property is proven via a “generic” zero-knowledge
(ZK)proofof an NP-completeproblem. Thepublicknowledgeof theencryptedshares also prevents bad players
from contributing bad shares during reconstruction. This approach is made more efficient in [Fel87, Ped91a]
t, thus ensuringthat theshares identifya uniquesecret. We refer to this propertyas theVSPS property,
I.2 Yet another VSS
In our basic VSS consider yet another implementation of
the dealer shares the secret
directly based on modular exponentiation. That is
with the polynomial , gives playerthe value
is as before. Each player
iwhich is his share of the secret key
and publishes. The dealer also publishes . The reconstruction
i. We accept only those that match the published
i. We extrapolate
?check that, for all
?i?. If this check succeeds then
f ??? otherwise
We name the above protocol FVSS. Although it looks similar to Feldman’s VSS [Fel87] it differs from it
because in FVSS the public commitments are to the points of the polynomial, while in Pedersen’s VSS the
commitments are to the coefficient. For this same reason however DL-VSS does not have the VSPS property
i.e. it does not insurethat the shares lie on a polynomial of degree
can be checked via a randomized test similar to the one described in Section 4.2.1.
As in Feldman’s VSS, FVSS reveals the value
security. However for the specific application of threshold DSS it is OK to reveal such a value, since it will turn
out to be part of the output of the protocol.
A joint version of FVSS can be obtained as in Section H. We will denote with Joint-VSS a joint VSS
protocol in which the underlying VSS scheme is either Feldman’s VSS or our FVSS with VSPS-Check . We
denote with FT-Joint-FVSS the fast-track version of it that can be obtained with FVSS as the underlying VSS.
t. However it is easy to see that such property
modp. In general this can be a problem in terms of
I.3Our Protocol for Threshold DSS signatures
KEY GENERATION. As noted first in [Ped91b], for any discrete-log based scheme, the distributed key generation
protocol can be implemented with Joint-VSS. Recall that as a result of this protocol player
iholds a secret
xx. The values
OUTLINE OF SIGNATURE PROTOCOL. The protocol follows the same structure of the one in [GJKR96b]. First
the players generate distributively a random value
that this protocol be unconditionally secure as we do want to reveal
a DSS signature. To compute
protocol to compute inverses due to Bar-Ilan and Beaver [BB89]. The idea here is to generate a random value
k by running a Joint-Uncond-VSS protocol. It is necessary
k, which is information not revealed by
modp modq without revealing
k, the players use a variation of a
a distributively through a Joint-VSS protocol. Recall that this reveals
protocol the Mult protocol still works (one just needs to adapt the ZK proof to a special case in which one of the
committed values is not information-theoreticallysecure). Reconstruct
are caught because they cannot contribute bad shares which do not match the commitment). Then, the value
can be publicly computed as
a multiplicationprotocol Mult and a linear combination over the shared values
to notice that
The protocol is described in full in Figure 8.
a. Compute a sharing
??ka via a multiplication protocol Mult. Notice that although
a is shared with a Feldman-based
? by revealing theshares
??. For the generation of the signature’s value
s, the players have to compute
x (here once again one has
x is shared via a Feldman-based VSS).
Theorem 5 DSS-Thresh is a secure threshold signatureprotocol for DSS
IMPROVEMENTS. What did we gain with respect to the protocol in [GJKR96b]? First of all the use of the
simplified multiplication approach allows us to bring the fault-tolerance up to
improvement over the fault-tolerance of
complexity. A close look at the protocol reveals that each player performs
t? n??. This is a dramatic
t? n?? in [GJKR96b]. This does not come at the expenses of extra
? VSS’s as a dealer and it also
Private input to player
Public Input: The values
: A share of the secret key
and the message.
with two polynomials of degree
k. The players generate a secret value
k, uniformly distributed in
q, by running Joint-Uncond-VSS
?x? such that
??? ?k and
(a) Generate a random value
q, with a polynomial of degree
t, using Joint-VSS.
i: a share
(b) Perform protocol Mult to get shares
produces random values
??ka modq that lie on a polynomial of degree
t. This also
ithat lie on a polynomial of degree
i. Discard those that do not match
i. Interpolate the remaining ones to
??ka. Each player
(a) Perform a protocol Mult to get shares
also produces random values
s?k?m? xr? modq that lie on a polynomial of degree
ithat lie on a polynomial of degree
Private Informationof Player
i. Discard those that do not match
s be the free term of the polynomial
4. Check and Output. Output
?r?s? as a signature on
Figure 8: DSS Distributed signature generation
we have an increase in fault-tolerance. This is due to our improved and simplified multiplication protocols.
Basically the VSS’s used in [GJKR96b] to randomize polynomials of degree
VSS’s that at the same time reduce the degree and randomize the polynomial.
Another nice property of our protocol (which the one in [GJKR96b] does not have) is the possibility of
creating a fast-track version as we will see in the next section.
??n? ?? VSS’s dealt by other players as a participant. This is the same as in [GJKR96b], but
?t are replaced in our protocol by
ON-LINE/OFF-LINE BEHAVIOR. It is worth noting that the on-line/off-line behavior of DSS is preserved even
under our new protocols. Indeed the value
can be precomputed off-line first. Then can be used for the
on-line. In order to avoid computing modular exponentiations during the on-line computation
(because of the VSS’s of the values) one must precompute the sharings of the valuesas well.
I.4 Fast Track version
It is possible to create a fast-track version of the protocol considered above. When run in fast-track mode the
protocol will improve its speed by a factor of
happen the protocol has to be resetted and ran in the fully fault-tolerant mode.
n if there are no faults in the system. However if a malicious fault
OUTLINE. The basic idea of the protocol is to use our DL-VSS and FVSS protocols (instead of Pedersen’s and
Feldman’s VSS) for the joint VSS used during signature generation. This is because using thos protocols will
allows us to fast-track the joint VSS’s by postponingthe VSPS check to the combined secret. Also the FT-Mult
protocolis used instead of Mult . This means that the VSPS check is doneon the resultingsharing of theproduct
rather than on the single sharings of the players. If a malicious fault is discovered it is important to notice that
the fully fault-tolerant protocol starts from the round the fault manifested itself.
USING THE PUBLIC KEY. An additional improvement to the efficiency of the fast-track version can be obtained
by performing a weaker multiplication protocol during the computation of
prove they are sharing the proper value during the multiplication protocol. This may mess up the result of the
just run the fully fault-tolerant multiplicationprotocol in the last round.
s. We will not require the players to
s. But now we can use the publickey
xto check that the signatureis correct and if it is not
Remark. In [GJKR96b] a very simple and efficient protocol is presented for the case of no malicious faults.
Players carry out simple secret sharings. One could be tempted to use this protocol for the fast-track case and
then do thefully fault-tolerantprotocol only ifthe signaturedoes not match. However we were not able to prove
that the first run of the protocol does not reveal information to the adversary. For the same reason the weaker
multiplicationprotocol can be used only at the last round and not during the computation of
IMPROVEMENTS. The net result is that ifthere are no malicious faultsthe players haveto perform only oneVSPS
check per round instead of the
reduction of the overall complexity of the protocol by a factor of
n?? per round required by the fully fault-tolerant protocol. Thus, we have a