Page 1

Simplified VSS and Fast-track Multiparty Computations

with Applications to Threshold Cryptography

(Regular presentation submission)

ROSARIO GENNARO

?

MICHAEL O. RABIN

y

TAL RABIN

z

Abstract

The goal of this paper is to introduce a simple verifiable secret sharing scheme, and to improve the efficiency

of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of

applications which use these protocols.

First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic

primitivesand avoids altogether the need for expensive zero-knowledge proofs.

This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a

major component in secure multiparty computation protocols and accounts for much of the complexity of

proposed solutions. Using our protocol as a plug in unit for known protocols reduces their complexity.

Weshowhowtoachieveefficientmultipartycomputationsinthecomputationalmodel,throughtheapplication

of homomorphic commitments.

Finally, we borrow from other fields and introduce into the multiparty computation scenario the notion of

fast-track computations. In a model in which malicious faults are rare we show that it is possible to carry

out a simpler and more efficient protocol which does not perform all the expensive checks needed to combat

a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and

recovers the computation when faults occur without givingany informationadvantage to the adversary. This

results in protocols which are much more efficient under normal operation of the system i.e. when there are

no faults.

Asanexampleofthepractical impactofourworkweshowhowourtechniquescanbeusedtogreatlyimprove

the speed and the fault-tolerance of existing threshold cryptography protocols.

?IBM T.J. Watson ResearchCenter, PO Box 704, Yorktown Heights, New York 10598, USA Email: rosario@watson.ibm.com.

yHarvard University and Hebrew University. Email: rabin@cs.huji.ac.il

zIBM T.J. WatsonResearchCenter,POBox704,Yorktown Heights,NewYork 10598,USA Email: talr@watson.ibm.com. Contact

author.

Page 2

1 Introduction

The past twenty years have witnessed an exciting development of research in the area of cryptography and

network security. From the introduction of public-key cryptography [DH76, RSA78], to the invention of zero-

knowledgeproofs[GMR89], tothedefinitionoftheproblemof securemultipartycomputationandthesomewhat

surprisingproofthatanymultipartycomputationcanbeperformedsecurely[Yao82,GMW87,BGW88,CCD88].

The combination of these results is extremely powerful, as they show that virtually any cryptographic problem

can be solved under some reasonable appropriate assumptions.

Althoughtheoreticallyimpressive,theseresultslackintheareaofpracticalfeasibility. Intoday’sapplications

even a simple public-key operation is sometimes considered too slow in comparison to the speed required by

the application. Thus, the complicated exchanges of messages and zero-knowledge proofs in protocols like

[Yao82, GMW87, BGW88, CCD88], might render them impractical. Thus, it is a high priority to optimize such

techniques. Yet, they do provide for a sound basis for our solutions, in particular we will draw heavily on the

solution introduced in [BGW88].

For the problem of verifiable secret sharing, attempts have been made to simplify the protocols by moving

into the computational model. Such results were achieved by Feldman and Pedersen [Fel87, Ped91a], and in

fact exhibit improved results with respect to communication.

We shall concentrate in this paper on the problems of verifiable secret sharing and multiparty computations.

Theinefficiencyofthegeneralsecuremultipartyprotocols ispartiallycausedbythe“generality”ofthealgorithms.

Thus, optimization can be achieved in (at least) two ways. One is to tailor protocols to the specific problem

at hand. Examples of this kind of approach include works on threshold cryptography (see Section 6) where

efficient multiparty computation protocols are devised for the task of shared generation of digital signatures.

Another possible approach, the one which we follow in this paper, is to go back to the original works

and see if their efficiency can be directly improved. If one can devise general techniques to improve on the

computation/communicationof secure multiparty protocols it is also likely that thesetechniques would improve

the efficiency of “ad-hoc” optimizations.

OUR CONTRIBUTION. In thispaper we present new algorithmsto perform specific computations more efficiently.

Furthermore, we initiate new modes of operation to enhance overall performance. The major contributions can

be summarized as follows:

? A new simple and efficient design for Verifiable Secret Sharing scheme

? Computational simplifications of the Ben-Or et al. [BGW88] protocol

? Efficient multiparty computations in the computational model

? Expeditingcomputations through the notion of “fast-track”

? Applying all the above to a specific cryptographic problem

VSS. The first algorithm is a very simple and efficient Verifiable Secret Sharing protocol (Section 2). The

main novelty of our protocol is that it is based on an efficient commitment scheme and it avoids altogether

the expensive zero-knowledge proofs, which are usually carried out to ensure the correctness of actions of

the participants in the protocol. Our protocol improves considerably over all existing verifiable secret sharing

schemes, either in communication and/or in computation.

COMPUTATIONAL SIMPLIFICATIONS. The second protocol is a highly simplified protocol to compute multipli-

cation over shared secrets. That is, in the model where there are two secrets

distributivelyamong a set of

protocol can be used in any existing multiparty computation protocol. For example when used inside[BGW88]

it improves the speed of the computation of a multiplication gate by a factor of at least 2. When used insideour

general multiparty protocol, gains are even greater.

a and

b which are shared

n players, the protocolenables theplayers to secretly compute theproduct

ab. This

1

Page 3

EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using construc-

tions based on homomorphic commitments. Some of these techniques have been independently devised by

[CDM97], yet they use them in the context of span programs.

FAST-TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a

heavycostintermsofcommunication/computationinordertoguaranteerobustnessagainstmaliciousadversaries

who may cause players to behave arbitrarily during the protocol. It is a well-known phenomenon that “private”

computations (i.e. secure only against passive adversaries) are usually much simpler and efficient, as they

eliminate all verification of proper conduct.

Typically, however, one can expect malicious faults to happen quite rarely. Consider for example a very

sensitivedistributedsignaturegenerationsystem(likea root certificationauthority)wheretheserversare heavily

protected by firewalls and othersecurity mechanisms. In this case one cannot rule out malicious faults (and thus

cannot blindly use the simpler private protocols), but on the other hand would like to take advantage in some

way of the fact that faults are rare.

We would like to build on the efficiency of private protocols, which operate under the assumption that no

faultsoccur, whileavoidingthetrap ofassumingthatyou can executetheprivatecomputationuntilafaultoccurs

and then re-compute. Indeed such a computation might turn out to be insecure, and expose secret information.

Thus,we borrow from otherfields and introduceintothe multipartycomputationscenario the notionof fast-

track computations. The idea is to avoid carrying out all the verification steps, but rather to identify “critical”

verification points. Only at these critical points some verification will be carried out. Once the verification is

carried out in a critical point we are guaranteed that the computation up to this point is correct. These critical

points must be chosen in such a manner that if faults occur between two consecutive critical points

where

thesection from critical point

between

An attractive feature of our approach is that most of the verification at the critical points will not be the

standard verification steps of the protocol, but rather a subset of the verification steps which should have been

computed. For example in the general multiparty computation of an arithmetic circuit, critical points are placed

on multiplications gates. At these gates we need to verify only one VSS compared to, for example, [BGW88]

where

APPLICATIONS. As an example of the practical impact of our approach, we present its application in the area of

threshold cryptography. We show that existing threshold signature protocols can be greatly enhanced in speed

using our techniques. We exemplify this over the threshold DSS protocol of [GJKR96b]. The improvements

are quite substantial. We improve the fault-tolerance from

or the computational complexity, thanks to our simplified VSS and multiplication protocols. We also present a

fast-track version of the protocol which requires >from each server a factor of

than a fully fault-tolerant protocol (e.g. in [GJKR96b]) (see Section 6).

2 Verifiable Secret Sharing Made Very Simple

c

?and

c

?,

c

?is a later point in the protocol, then the faults will be detected at point

c

?. Furthermore, recomputing

c

?to

c

?will notviolatethesecurity ofthe computation. Thus, ifno faults occurred

c

?and

c

?we “saved” all the verifications which should have been carried out between these two points.

O?n? such VSS’s must be checked (at least one for each player).

n?? to

n?? without increasing the communication

n modular exponentiations less

Since the appearance of Shamir’s [Sha79] and Blakley’s [Bla79] seminal papers on secret sharing which

introduced the notion of sharing a secret and gave very simple solutions to the problem, the research on

this topic has been extensive. These two solutions worked in the model where there are no faults in the

system. Tompa and Woll [TW88] and McEliece and Sarwate [MS81] gave the first (partial) solutions for a

model with faults. Finally the paper of Chor et al. [CGMA85] defined the complete notion of Verifiable

Secret Sharing (VSS), and gave a solution. Under various assumptions, solutions to the problem were given

[CGMA85, GMW91, Fel87, BGW88, CCD88, RB89, Ped91a]. In order to achieve the goal of verifiability,

these protocols deviate from the original solutions’ simplicity. They require either heavy computations and/or

2

Page 4

extensivezero-knowledgeproofsofproperconduct. Furthermore, in ordertoreconstructthesecret thereis again

a need for extensive computations.

In this section we will describe a VSS protocol which returns to the original simplicity of Shamir’s scheme,

furthermoretheimplementationrequiresverylittlecomputationalandcommunicationoverhead(bothforsharing

and reconstructing). This simple solution is enabled through an observation that all existing protocols achieve

much more than is required, and by eliminating all the overhead, efficiency can be regained.

In Appendix A we present Shamir’s Secret Sharing, and in Appendix B a definition of verifiable secret

sharing due to [FM].

2.1

We now proceed to describe a protocol which satisfies the above definition of VSS. It will be based on Shamir’s

secret sharing, with an additional low cost added construction. This construction will basically be an efficient

commitment of the dealer to each one of the shares held by the players. The commitment to shares as a whole

commits the dealer to a single secret. The individual commitments can be opened as we have enough good

playerswhowillexposetheirvaluesand,throughthose,verifyallothercommitments. OurVSSprotocolappears

in Figure 1. In order to construct our protocol we need some form of commitment which satisfies the following

conditions. We shall denoteourcommitment functionby

as input the secret value

Our VSS protocol

H. It will bea randomized functionwhich will receive

x and a random value

r.

secrecy given

H?x?r? it is infeasible to compute any information about

x

collisionresistance it is infeasible to find two strings

x

?

?r

?and

x

?

?r

?such that

H?x

?

?r

?

??H?x

?

?r

?

?

universal verifiability given

not require knowledge of a secret key).

x?r and

y everybody can verify if

y?H?x?r? (i.e. the computation of

H does

For example one could conjecture that

H?x?r??SHA- ??x?r?.

Theorem 1 The protocol New-VSS in Figure 1 is a VSS protocol.

Proof appears in Appendix C.

EFFICIENCY ANDSECURITY. If

then we would like to stress the efficiency of the above VSS protocol. During the sharing phase the dealer has

to compute

computation is highly efficient. During the recover phase each player has to compute the hash

costly modular exponentiationsor complex ZK proofs are required.

The security of

resistance of SHA-1. However if one wants provable security without losing in efficiency one can use the

efficient provably secure commitment scheme of [DPP96] based on collision resistant hashing.

Hisimplementedviaacryptographichashfunction(e.g.

H?x?r??SHA-1?x?r?)

n executions of the function

H while each player computes a single evaluation, and each such

n times. No

H?x?r??SHA-1?x?r? can however be only conjectured on the basis of the collision

2.2

AlmostalltheVSSprotocolsintheliterature(withthecuriousexceptionofthefirstone[CGMA85])arebasedon

Shamir’s protocol. On top of that they add some proof from the dealer that the values shared lie on a polynomial

of degree

which will be defined more rigorously later.

In [GMW91] the shares are encrypted and then theVSPS property is proven via a “generic” zero-knowledge

(ZK)proofof an NP-completeproblem. Thepublicknowledgeof theencryptedshares also prevents bad players

from contributing bad shares during reconstruction. This approach is made more efficient in [Fel87, Ped91a]

Previous approaches

t, thus ensuringthat theshares identifya uniquesecret. We refer to this propertyas theVSPS property,

3

Page 21

I.2 Yet another VSS

In our basic VSS consider yet another implementation of

the dealer shares the secret

directly based on modular exponentiation. That is

with the polynomial , gives playerthe value

is as before. Each player

the polynomial

iwhich is his share of the secret key

and publishes. The dealer also publishes . The reconstruction

P

ibroadcasts

?

i. We accept only those that match the published

A

i. We extrapolate

?

f

?check that, for all

i???????n,

A

i

?g

?

f

?

?i?. If this check succeeds then

??

?

f ??? otherwise

???.

We name the above protocol FVSS. Although it looks similar to Feldman’s VSS [Fel87] it differs from it

because in FVSS the public commitments are to the points of the polynomial, while in Pedersen’s VSS the

commitments are to the coefficient. For this same reason however DL-VSS does not have the VSPS property

i.e. it does not insurethat the shares lie on a polynomial of degree

can be checked via a randomized test similar to the one described in Section 4.2.1.

As in Feldman’s VSS, FVSS reveals the value

security. However for the specific application of threshold DSS it is OK to reveal such a value, since it will turn

out to be part of the output of the protocol.

A joint version of FVSS can be obtained as in Section H. We will denote with Joint-VSS a joint VSS

protocol in which the underlying VSS scheme is either Feldman’s VSS or our FVSS with VSPS-Check . We

denote with FT-Joint-FVSS the fast-track version of it that can be obtained with FVSS as the underlying VSS.

t. However it is easy to see that such property

g

?

modp. In general this can be a problem in terms of

I.3Our Protocol for Threshold DSS signatures

KEY GENERATION. As noted first in [Ped91b], for any discrete-log based scheme, the distributed key generation

protocol can be implemented with Joint-VSS. Recall that as a result of this protocol player

input

P

iholds a secret

xx. The values

g

xand

g

x

iare public.

OUTLINE OF SIGNATURE PROTOCOL. The protocol follows the same structure of the one in [GJKR96b]. First

the players generate distributively a random value

that this protocol be unconditionally secure as we do want to reveal

a DSS signature. To compute

protocol to compute inverses due to Bar-Ilan and Beaver [BB89]. The idea here is to generate a random value

k by running a Joint-Uncond-VSS protocol. It is necessary

g

k, which is information not revealed by

r?g

k

??

modp modq without revealing

k, the players use a variation of a

a distributively through a Joint-VSS protocol. Recall that this reveals

the value

protocol the Mult protocol still works (one just needs to adapt the ZK proof to a special case in which one of the

committed values is not information-theoreticallysecure). Reconstruct

are caught because they cannot contribute bad shares which do not match the commitment). Then, the value

can be publicly computed as

a multiplicationprotocol Mult and a linear combination over the shared values

to notice that

The protocol is described in full in Figure 8.

g

a. Compute a sharing

?

?

??????

nof

??ka via a multiplication protocol Mult. Notice that although

a is shared with a Feldman-based

? by revealing theshares

?

i(bad players

r

?g

a

?

?

??. For the generation of the signature’s value

s, the players have to compute

k and

x (here once again one has

x is shared via a Feldman-based VSS).

Theorem 5 DSS-Thresh is a secure threshold signatureprotocol for DSS

IMPROVEMENTS. What did we gain with respect to the protocol in [GJKR96b]? First of all the use of the

simplified multiplication approach allows us to bring the fault-tolerance up to

improvement over the fault-tolerance of

complexity. A close look at the protocol reveals that each player performs

t? n??. This is a dramatic

t? n?? in [GJKR96b]. This does not come at the expenses of extra

? VSS’s as a dealer and it also

20

Page 22

DSS-Thresh

Private input to player

Public Input: The values

: A share of the secret key

?

.

and the message.

1. Generate

with two polynomials of degree

k. The players generate a secret value

k, uniformly distributed in

Z

q, by running Joint-Uncond-VSS

t,

f

k

?x? and

f

?

?x? such that

f

k

??? ?k and

f

?

?????.

Secret informationof

Public information

P

i: shares

k

i

?f?i? and

?

i

?r?i?

g

k

h

?

?g

k

i

h

?

i

???i?n.

2. Generate

r?g

k

??

modp modq

(a) Generate a random value

a, uniformlydistributedin

Z

?

q, with a polynomial of degree

t, using Joint-VSS.

Secret informationof

Public information:

P

i: a share

a

iof

a

g

a

?g

a

i

???i?n

(b) Perform protocol Mult to get shares

produces random values

?

i, of

??ka modq that lie on a polynomial of degree

t. This also

?

ithat lie on a polynomial of degree

t.

Secret informationof

Public information:

P

i: shares

?

iand

?

i

g

?

h

?

?g

?

i

h

?

i

???i?n

(c) Player

reconstruct

P

ibroadcasts

?

i,

i. Discard those that do not match

g

?

i

h

?

i. Interpolate the remaining ones to

??ka. Each player

P

icomputes locally

r

def

??g

a

?

?

??

modp modq.

Public information:

r

3. Generate

s?k?m?xr?modq

(a) Perform a protocol Mult to get shares

also produces random values

s

iof

s?k?m? xr? modq that lie on a polynomial of degree

t. This

?

ithat lie on a polynomial of degree

t.

Private Informationof Player

Public information:

P

i: shares

s

iand

?

i.

g

s

i

h

?

i,

??i?n

(b) Player

interpolatingthe accepted

P

ibroadcasts

s

i,

?

i. Discard those that do not match

g

s

i

h

?

i. Let

s be the free term of the polynomial

s

i’s.

4. Check and Output. Output

?r?s? as a signature on

m.

Figure 8: DSS Distributed signature generation

participates to

we have an increase in fault-tolerance. This is due to our improved and simplified multiplication protocols.

Basically the VSS’s used in [GJKR96b] to randomize polynomials of degree

VSS’s that at the same time reduce the degree and randomize the polynomial.

Another nice property of our protocol (which the one in [GJKR96b] does not have) is the possibility of

creating a fast-track version as we will see in the next section.

??n? ?? VSS’s dealt by other players as a participant. This is the same as in [GJKR96b], but

?t are replaced in our protocol by

ON-LINE/OFF-LINE BEHAVIOR. It is worth noting that the on-line/off-line behavior of DSS is preserved even

21

Page 23

under our new protocols. Indeed the value

computation of

of

can be precomputed off-line first. Then can be used for the

on-line. In order to avoid computing modular exponentiations during the on-line computation

(because of the VSS’s of the values) one must precompute the sharings of the valuesas well.

I.4 Fast Track version

It is possible to create a fast-track version of the protocol considered above. When run in fast-track mode the

protocol will improve its speed by a factor of

happen the protocol has to be resetted and ran in the fully fault-tolerant mode.

n if there are no faults in the system. However if a malicious fault

OUTLINE. The basic idea of the protocol is to use our DL-VSS and FVSS protocols (instead of Pedersen’s and

Feldman’s VSS) for the joint VSS used during signature generation. This is because using thos protocols will

allows us to fast-track the joint VSS’s by postponingthe VSPS check to the combined secret. Also the FT-Mult

protocolis used instead of Mult . This means that the VSPS check is doneon the resultingsharing of theproduct

rather than on the single sharings of the players. If a malicious fault is discovered it is important to notice that

the fully fault-tolerant protocol starts from the round the fault manifested itself.

USING THE PUBLIC KEY. An additional improvement to the efficiency of the fast-track version can be obtained

by performing a weaker multiplication protocol during the computation of

prove they are sharing the proper value during the multiplication protocol. This may mess up the result of the

computation of

just run the fully fault-tolerant multiplicationprotocol in the last round.

s. We will not require the players to

s. But now we can use the publickey

y?g

xto check that the signatureis correct and if it is not

Remark. In [GJKR96b] a very simple and efficient protocol is presented for the case of no malicious faults.

Players carry out simple secret sharings. One could be tempted to use this protocol for the fast-track case and

then do thefully fault-tolerantprotocol only ifthe signaturedoes not match. However we were not able to prove

that the first run of the protocol does not reveal information to the adversary. For the same reason the weaker

multiplicationprotocol can be used only at the last round and not during the computation of

r.

IMPROVEMENTS. The net result is that ifthere are no malicious faultsthe players haveto perform only oneVSPS

check per round instead of the

reduction of the overall complexity of the protocol by a factor of

n?? per round required by the fully fault-tolerant protocol. Thus, we have a

n.

22