Broadcast (and Round) Efficient Verifiable Secret Sharing

Abstract: Verifiable secret sharing (VSS) is a fundamental cryptographic primitive, lying at the core of secure multi-party computation (MPC) and, as the distributed analogue of a commitment functionality, used in numerous applications. In this paper we focus on unconditionally secure VSS protocols with honest majority.In this setting it is typically assumed that parties are connected pairwise by authenticated, private channels, and that in addition they have access to a "broadcast" channel. Because broadcast cannot be … Show more

“…In addition, because broadcast cannot be simulated in the information-theoretic setting on a point-to-point network when a third or more of the parties are corrupt [LSP82], it is impossible to construct VSS, and more generally, any basic MPC protocol in this setting without using a "physical broadcast channel" (that is, a black box which securely implements broadcast), or some equivalent addition to the model. Consequently, a recent line of research [GGOR13] has sought to minimize the use of this expensive resource. Our anonymous channel protocol's reduction to VSS is broadcast-round-preserving, thus making the fewest (known to-date) calls to the broadcast channel (namely, two) while running in an overall constant number of rounds.…”

“…Linear, constantround VSS protocols for the t < n/2 regime are presented in [RB89, Rab94, CDD + 01, GGOR13] 6 ; the protocol presented in [GGOR13], in particular, only requires the use of the broadcast channel twice in the sharing phase and none in reconstruction, although is not as round-efficient 7 .…”

“…By having the parties simply invoke protocol AnonChan (Figure 1) for each Pi, 1 ≤ i ≤ n, acting as receiver for many sessions in parallel, the duration of the setup phase is reduced from Ω(n 2 ) to constant-the number of rounds that AnonChan takes. Further, by using the broadcast-efficient VSS protocol in [GGOR13], the use of the physical broadcast channel is reduced to 2 (also from Ω(n 2 ) in [PW96]). On the other hand, we should note that the pseudosignature setup in [PW96] works for any t < n, while ours is limited to t < n/2.…”

“…Its total round complexity is rVSS-share +rcomp +req +rmult, where rVSS-share, rcomp, req, rmult are the round complexities of the corresponding functionalities. If all r's are constant (e.g., VSS is implemented as in [RB89,GGOR13] and comparison, equality testing and multiplication as in [DFK + 06]), then the overall round complexity of the protocol is constant. In contrast, the round complexity of the anonymous channel protocol presented in this paper is essentially equal to rVSS-share, which currently is significantly faster than the [Zha11] construction given that comparison and equality testing functionalities require bit decomposition of the shared values, whose round costs are significantly larger than that of a single VSS execution-i.e., 114 rounds for bit decomposition [DFK + 06] vs. 7 rounds for VSS sharing [RB89].…”

“…Our constant-round, most broadcast-efficient construction, based on[GGOR13], will only be statically secure, for example.4 This result is mentioned also in[BGW88,RB89];[CCD88] give an informal argument and [DDWY93] a formal proof.…”

Fast and unconditionally secure anonymous channel

“…In addition, because broadcast cannot be simulated in the information-theoretic setting on a point-to-point network when a third or more of the parties are corrupt [LSP82], it is impossible to construct VSS, and more generally, any basic MPC protocol in this setting without using a "physical broadcast channel" (that is, a black box which securely implements broadcast), or some equivalent addition to the model. Consequently, a recent line of research [GGOR13] has sought to minimize the use of this expensive resource. Our anonymous channel protocol's reduction to VSS is broadcast-round-preserving, thus making the fewest (known to-date) calls to the broadcast channel (namely, two) while running in an overall constant number of rounds.…”

“…Linear, constantround VSS protocols for the t < n/2 regime are presented in [RB89, Rab94, CDD + 01, GGOR13] 6 ; the protocol presented in [GGOR13], in particular, only requires the use of the broadcast channel twice in the sharing phase and none in reconstruction, although is not as round-efficient 7 .…”

“…By having the parties simply invoke protocol AnonChan (Figure 1) for each Pi, 1 ≤ i ≤ n, acting as receiver for many sessions in parallel, the duration of the setup phase is reduced from Ω(n 2 ) to constant-the number of rounds that AnonChan takes. Further, by using the broadcast-efficient VSS protocol in [GGOR13], the use of the physical broadcast channel is reduced to 2 (also from Ω(n 2 ) in [PW96]). On the other hand, we should note that the pseudosignature setup in [PW96] works for any t < n, while ours is limited to t < n/2.…”

“…Its total round complexity is rVSS-share +rcomp +req +rmult, where rVSS-share, rcomp, req, rmult are the round complexities of the corresponding functionalities. If all r's are constant (e.g., VSS is implemented as in [RB89,GGOR13] and comparison, equality testing and multiplication as in [DFK + 06]), then the overall round complexity of the protocol is constant. In contrast, the round complexity of the anonymous channel protocol presented in this paper is essentially equal to rVSS-share, which currently is significantly faster than the [Zha11] construction given that comparison and equality testing functionalities require bit decomposition of the shared values, whose round costs are significantly larger than that of a single VSS execution-i.e., 114 rounds for bit decomposition [DFK + 06] vs. 7 rounds for VSS sharing [RB89].…”

“…Our constant-round, most broadcast-efficient construction, based on[GGOR13], will only be statically secure, for example.4 This result is mentioned also in[BGW88,RB89];[CCD88] give an informal argument and [DDWY93] a formal proof.…”

Fast and unconditionally secure anonymous channel

Broadcast (and Round) Efficient Verifiable Secret Sharing

Practical Governmental Voting with Unconditional Integrity and Privacy