Round-Efficient Secure Computation in Point-to

Improving the Round Complexity
of VSS in Point-to-Point Networks
Jonathan Katz (University of Maryland)
Chiu-Yuen Koo (Google Labs)
Ranjit Kumaresan (University of Maryland)
Verifiable secret sharing (VSS)

Two-phase protocol
  A dealer shares a secret among a set of n parties in the sharing phase
  The secret is recovered in a reconstruction phase
If the dealer is honest
  No information about the secret is leaked in the sharing phase
  All honest parties recover the dealer’s secret
Even if the dealer is dishonest
  The view of the honest parties in the sharing phase defines a value s such that each honest party outputs s in the reconstruction phase
Feasibility and efficiency?

We study perfect (i.e., 0-error) VSS
  This is known to be possible iff t < n/3 (even if broadcast is available)
What is the inherent round complexity of this task?
  3 rounds necessary (even w/ b’cast) [GIKR01]
  O(1)-round protocol only possible if there is at least 1 round of broadcast
Upper bounds?

Gennaro et al. show an efficient 4-round protocol and an inefficient 3-round protocol
Fitzi et al. give an efficient 3-round protocol
  Using broadcast in two of the rounds
What happens if their protocol is implemented in a point-to-point network…?
  Simulating broadcast is expensive…
  Sequential composition of broadcast is expensive…
  The protocol requires 55 rounds (in expectation)!
The upshot

If the goal is to optimize round complexity for point-to-point networks, crucial to minimize the number of broadcast rounds
Does there exist a VSS protocol that is simultaneously optimal in the number of rounds and the number of broadcasts?
  Recall: 1 round of broadcast is (essentially) necessary
Our results

We give a positive answer to this question
  A 3-round protocol using a single round of broadcast
  Secure against an adaptive, rushing adversary
Our VSS protocol also satisfies a useful property (2-level sharing) not satisfied by the protocol of Fitzi et al.
The rest of the talk

WSS
  A weaker variant of VSS
  A 3-round WSS protocol using 1 round of broadcast
VSS
  A 3-round VSS protocol using the WSS protocol as a building block
WSS: definition

WSS is similar to VSS
Weaker guarantee for dishonest dealer:
  The view of the honest parties in the sharing phase defines a value s such that each honest party outputs either s or ⊥ in the reconstruction phase
WSS protocol: sharing phase

Round 1
  D chooses F(x,y) with F(0,0) = s
  D sends to P_i: f_i(x) := F(x,i), g_i(y) := F(i,y)
  Each P_i sends a random pad r_{i,j} to both P_j and D
Round 2
  For every ordered pair (i, j):
    P_i sends a_{i,j} := f_i(j) to P_j
    P_j sends b_{j,i} := g_j(i) to P_i
    P_j sends r'_{i,j} = r_{i,j} to D
Sharing phase, continued

Round 3 (broadcast round)
  For every ordered pair (i, j):
    P_i broadcasts
      (“disagree”, f_i(j), r_{i,j}) if b_{j,i} ≠ f_i(j)
      (“agree”, f_i(j) + r_{i,j}) otherwise
    P_j broadcasts
      (“disagree”, g_j(i), r_{i,j}) if a_{i,j} ≠ g_j(i)
      (“agree”, g_j(i) + r_{i,j}) otherwise
    D broadcasts
      (“not equal”, F(j,i)) if r_{i,j} ≠ r'_{i,j}
      (“equal”, F(j,i) + r_{i,j}) otherwise

Local computation

Ordered pair (P_i, P_j) is conflicting if:
  P_i broadcasts (“disagree”, f_i(j), r_{i,j})
  P_j broadcasts (“disagree”, g_j(i), r'_{i,j})
  and r_{i,j} = r'_{i,j}
Note: If D is honest, then no two honest parties will be conflicting
Note: all honest parties agree on who is conflicting
Local computation

In conflicting pair (P_i, P_j), we say P_i is unhappy if either:
  D broadcasts (“not equal”, d_{i,j}) and d_{i,j} ≠ f_i(j)
  D broadcasts (“equal”, d_{i,j}) and d_{i,j} ≠ f_i(j) + r_{i,j}
If there are more than t unhappy parties, then D is disqualified
Note: honest dealer never disqualified
Note: all honest parties agree on who is unhappy
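As an added illustration that is not part of the original slides or the authors' code, the following models round 3 and the conflicting/unhappy test for a single ordered pair (i, j), driven by the values each party holds after rounds 1 and 2. Arithmetic mod the prime 97 and t = 1 are assumptions, a corrupt party is modelled by feeding it inconsistent values, and only P_i's status is computed, as the slide defines it.

```python
# Added example, not from the slides: round 3 and the local computation of the
# WSS sharing phase for one ordered pair (i, j). Assumptions: arithmetic mod the
# prime P = 97, t = 1, and messages derived mechanically from the inputs, so a
# corrupt party is modelled by feeding it inconsistent values.
P, T = 97, 1

def round3(fi_j, gj_i, a_ij, b_ji, r, r_fwd, F_ji):
    """Broadcasts of P_i, P_j and D for the pair (i, j).
    fi_j: f_i(j) held by P_i;  gj_i: g_j(i) held by P_j;
    a_ij: value P_i sent to P_j in round 2;  b_ji: value P_j sent to P_i;
    r: pad chosen by P_i;  r_fwd: pad r'_{i,j} forwarded to D by P_j;
    F_ji: the dealer's own value F(j, i)."""
    m_i = ("disagree", fi_j, r) if b_ji != fi_j else ("agree", (fi_j + r) % P)
    m_j = ("disagree", gj_i, r_fwd) if a_ij != gj_i else ("agree", (gj_i + r_fwd) % P)
    m_d = ("not equal", F_ji) if r != r_fwd else ("equal", (F_ji + r) % P)
    return m_i, m_j, m_d

def conflicting(m_i, m_j):
    """The pair is conflicting iff both say 'disagree' with the same pad."""
    return m_i[0] == m_j[0] == "disagree" and m_i[2] == m_j[2]

def pi_unhappy(m_i, m_j, m_d, fi_j, r):
    """P_i is unhappy iff the pair is conflicting and D's broadcast contradicts P_i."""
    if not conflicting(m_i, m_j):
        return False
    if m_d[0] == "not equal":
        return m_d[1] != fi_j
    return m_d[1] != (fi_j + r) % P

def check_pair(fi_j, gj_i, a_ij, b_ji, r, r_fwd, F_ji):
    """Run round 3 and P_i's local computation; returns (conflicting, P_i unhappy)."""
    m_i, m_j, m_d = round3(fi_j, gj_i, a_ij, b_ji, r, r_fwd, F_ji)
    return conflicting(m_i, m_j), pi_unhappy(m_i, m_j, m_d, fi_j, r)

def disqualified(unhappy_parties):
    """D is disqualified once more than t parties are unhappy."""
    return len(unhappy_parties) > T
```

A lone corrupt P_j can force P_i to say "disagree" but cannot make the pair conflicting, whereas a dealer that hands P_i and P_j inconsistent values makes one of them unhappy whichever side D's broadcast takes.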
WSS protocol: reconstruction phase

If P_j not unhappy, it sends f_j(x) and g_j(y) to all parties
P_i constructs a consistency graph G_i
  Let f_{ij} and g_{ij} denote the polynomials P_i sends to P_j
  Edge between P_j and P_k in G_i iff f_{ji}(k) = g_{ki}(j) and g_{ji}(k) = f_{ki}(j)
  Iteratively remove vertices in G_i with degree < n−t
  Let Core_i be the parties left in G_i
If |Core_i| < n−t, then P_i outputs ⊥
Else, let F'(x,y) be the polynomial defined by any t+1 parties in Core_i, and output s' := F'(0,0)
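An added worked example, not from the slides or the authors' implementation: P_i's reconstruction-phase computation (consistency graph, iterative pruning, the |Core_i| check and recovery of s') for n = 4, t = 1 over the prime field mod 97. The degree threshold is applied counting the vertex itself, an assumption needed so that honest parties are never pruned when the dealer is honest.

```python
# Added example, not from the slides: P_i's WSS reconstruction-phase computation
# (consistency graph, iterative pruning, |Core_i| check, interpolation).
# Assumptions: n = 4, t = 1, arithmetic mod P = 97, and a vertex counts itself
# toward the degree threshold n-t (so honest parties survive pruning if D is honest).
P, N, T = 97, 4, 1

def ev(coeffs, x):
    """Evaluate a univariate polynomial (coefficients, lowest degree first) at x."""
    r = 0
    for c in reversed(coeffs):
        r = (r * x + c) % P
    return r

def lagrange_at_zero(points):
    """Constant term of the unique polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num, den = num * (-xk) % P, den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def dealer_polys(Fc, i):
    """Round 1 of an honest dealer: f_i(x) := F(x,i), g_i(y) := F(i,y),
    for F(x,y) = sum Fc[a][b] x^a y^b of degree t in each variable."""
    f = [sum(Fc[a][b] * pow(i, b, P) for b in range(T + 1)) % P for a in range(T + 1)]
    g = [sum(Fc[a][b] * pow(i, a, P) for a in range(T + 1)) % P for b in range(T + 1)]
    return f, g

def core_and_secret(sent):
    """sent[j] = (f_j, g_j) as received from P_j, or None if P_j was unhappy.
    Returns (Core_i, s'), with s' = None standing for the output ⊥."""
    parties = [j for j in sent if sent[j] is not None]
    # edge (j,k) in G_i iff f_j(k) = g_k(j) and g_j(k) = f_k(j)
    adj = {j: {k for k in parties if k != j
               and ev(sent[j][0], k) == ev(sent[k][1], j)
               and ev(sent[j][1], k) == ev(sent[k][0], j)} for j in parties}
    core = set(parties)
    while True:  # iteratively drop vertices whose degree (self included) is < n-t
        bad = {j for j in core if len(adj[j] & core) + 1 < N - T}
        if not bad:
            break
        core -= bad
    if len(core) < N - T:
        return core, None
    # any t+1 parties of Core_i: f_j(0) = F'(0,j) fixes F'(0,y), hence s' = F'(0,0)
    return core, lagrange_at_zero([(j, ev(sent[j][0], 0)) for j in sorted(core)[:T + 1]])
```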
Proof sketches

Privacy
  t points on a degree-t polynomial do not reveal information about the constant term
  No information about s leaked in round 3 due to use of random pads
Correctness for honest D: If P_i honest, then:
  All honest parties are in Core_i, so |Core_i| ≥ n−t
  Any party in Core_i must have sent polynomials that agree with at least 2t+1 parties in Core_i, out of which at least t+1 are honest
  Since the polynomials sent by honest parties all agree with the dealer’s polynomial F, we see that P_i will correctly recover F and output the dealer’s secret
Proof sketches, continued

Weak commitment (for dishonest D):
  Assume dealer is not disqualified (so at most t unhappy parties, and at least n−2t ≥ t+1 honest parties who are not unhappy)
  Claim: the polynomials f_i sent by D to the first t+1 such parties define a polynomial F such that any honest P_i outputs either F(0,0) or ⊥ in the reconstruction phase
  If |Core_i| < n−t, we are done
  Otherwise, the argument is similar to (though slightly more involved than) before
This completes the proof
VSS

We now construct a 3-round VSS protocol (using 1 round of broadcast) using the previous WSS protocol as a subroutine
Our VSS protocol also achieves “2-level sharing”…
2-level sharing

At the end of the sharing phase each honest P_i outputs s_i and {s_{i,j}} such that
  The {s_i} lie on a degree-t polynomial whose constant term is the value s that honest parties will output in the reconstruction phase
  For each j, the {s_{i,j}} lie on a degree-t polynomial whose constant term is s_j
Useful when VSS is used as a building block for general secure MPC
Overview of the protocol

Sharing done essentially as in WSS, but now parties reveal their random pads in the reconstruction phase
To ensure correctness, we use WSS to generate the random pads
  Random pads no longer independent, but lie on a random degree-t polynomial (which suffices for secrecy)
To obtain 2-level sharing, we have the dealer choose a symmetric bivariate polynomial
VSS protocol: high level

Round 1
  D chooses symmetric F(x,y) with F(0,0) = s
  D sends to P_i: f_i(x) := F(x,i)
  Each P_i chooses a random s_i and shares it using WSS; let F_i^pad be the polynomial used
  P_i sends F_i^pad(x,j) to each P_j and F_i^pad(0,y) to D
Round 2
  Set r_{i,j} = F_i^pad(i,j); rest is as before
  Run second round of all WSS sub-protocols
VSS protocol: high level

Round 3
  As before
  Also run third round of all WSS sub-protocols
Local computation

We define a conflicting pair and an unhappy party as before
Core is the set of all happy parties
Core_i is the set of all happy parties in WSS_i
All players agree on Core and {Core_i}
Local computation, continued

For all i, j remove P_j from Core_i if, in round 3:
  P_i broadcasts (“agree”, y) and P_j did not broadcast (“agree”, y)
  OR
  P_i broadcasts (“disagree”, *, w) and P_j broadcasts anything other than (“disagree”, *, w)
Remove P_i from Core if |Core ∩ Core_i| < n−t
If |Core| < n−t, then D is disqualified
Each party P_i computes f_i(x) as follows:
  If P_i ∈ Core, then f_i(x) is the polynomial received from D in round 1
  See paper for the other case
Each P_i outputs s_i = f_i(0) and s_{i,j} = f_i(j)
VSS: reconstruction phase

Each party P_i sends s_i to all other parties
  Let s'_{j,i} be the value that P_j sends to P_i
  P_i computes a degree-t polynomial f(x) such that f(j) = s'_{j,i} for at least 2t+1 values of j
  P_i outputs f(0)
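An added example, not from the slides or the authors' code, showing the 2-level sharing produced by a symmetric bivariate polynomial and the reconstruction rule above (a degree-t f agreeing with at least 2t+1 received shares) for n = 4, t = 1 over the prime field mod 97. The brute-force search over (t+1)-subsets is an assumption chosen for clarity, not the paper's decoding method.

```python
# Added example, not from the slides: 2-level sharing from a symmetric bivariate
# polynomial, and the VSS reconstruction rule "find the degree-t f with f(j) = s'_j
# for at least 2t+1 values of j". Assumptions: n = 4, t = 1, arithmetic mod P = 97.
from itertools import combinations

P, N, T = 97, 4, 1

def lagrange(points, x):
    """Evaluate the unique polynomial of degree < len(points) through points at x."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num, den = num * (x - xk) % P, den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def F(c, x, y):
    """Bivariate F(x,y) = sum c[a][b] x^a y^b; c is symmetric (c[a][b] == c[b][a])."""
    return sum(c[a][b] * pow(x, a, P) * pow(y, b, P) for a in range(T + 1) for b in range(T + 1)) % P

def two_level_shares(c):
    """Honest dealer: P_i holds f_i(x) = F(x,i) and outputs s_i = f_i(0), s_{i,j} = f_i(j)."""
    s = {i: F(c, 0, i) for i in range(1, N + 1)}
    s2 = {(i, j): F(c, j, i) for i in range(1, N + 1) for j in range(1, N + 1)}
    return s, s2

def reconstruct(received):
    """received[j] = s'_j as sent by P_j. Returns f(0) for a degree-t f that agrees
    with at least 2t+1 of the values, or None. With at most t liars the honest
    shares always define such an f, and any degree-t f matching 2t+1 points
    matches at least t+1 honest ones, so it is the honest polynomial."""
    for subset in combinations(sorted(received), T + 1):
        pts = [(j, received[j]) for j in subset]
        agree = sum(lagrange(pts, j) == received[j] for j in received)
        if agree >= 2 * T + 1:
            return lagrange(pts, 0)
    return None
```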
Proof sketches

Privacy
  Same as WSS except for random pads
  Random pads lie on random degree-t polynomials and hence reveal no additional information about s
Correctness with 2-level sharing (D honest):
  For honest P_i, all other honest parties belong to Core_i
  All honest parties remain in Core
  p(x) = F(0,x) and p_j(x) = F(j,x) imply 2-level sharing
  The reconstruction phase succeeds since there are at most t bad shares out of n > 3t shares
Proof sketches, continued

Correctness with 2-level sharing (dealer dishonest):
  Refer to the full version of the paper for a proof
  http://eprint.iacr.org/2007/358
Open questions

What is the optimal (expected) round complexity of VSS in a point-to-point network?
Can better round complexity be achieved for statistical VSS?
How about (statistical) VSS for t < n/2?
  See Patra et al. for some recent progress on these questions
Thank you!
Local computation, continued

If P_i not in Core,
  Core'_i: P_j is in Core'_i if and only if
    P_j ∈ Core and P_i ∈ Core_j
    {p_{j,k}}_k are consistent with a polynomial B_j(x) of degree at most t, where
      p_{j,k} := y_{j,k} if in step 1 of round 3 for the ordered pair (j, k), party P_j broadcast (“agree”, y_{j,k})
      p_{j,k} := w_{j,k} + z_{j,k} if P_j broadcast (“disagree”, w_{j,k}, z_{j,k})
  For each P_j ∈ Core'_i, p_j := p_{j,i} − f_{j,i}^pad(0). Let f_i be the interpolating polynomial for the p_j with P_j ∈ Core'_i
  Finally, P_i outputs s_i := f_i(0) and s_{i,j} := f_i(j)
Proof sketches, continued

Correctness with 2-level sharing (D dishonest):
  For honest P_i, |Core'_i| > t
    Core contains at least t+1 honest parties.
    For an honest P_j, Core_j contains P_i.
    The p_{j,k} computed by P_i lie on B_j(x) = f_j(x) + F_j^pad(0,x), since P_j ∈ Core, and P_j and D do not disagree on the broadcast values.
  There are t+1 honest parties in Core
    F(x,y) is defined naturally by these parties.
    Polynomials of honest P_i ∈ Core agree with F(x,y).
Proof sketches, continued

Constructed polynomials of honest P_i not in Core agree with F(x,y).
  For any P_k ∈ Core_j, we have f_{j,k}^pad(0) = F_j^pad(0,k) and f_k(j) = F(k,j) (otherwise removed from Core_i).
  B_j(k) is recovered for at least t+1 values of k.
  B_j(x) = F(x,j) + F_j^pad(0,x) is recovered.
  p_j = p_{j,i} − f_{j,i}^pad(0) = B_j(i) − F_j^pad(0,i) = F(i,j).
  Hence P_i recovers F(i,x) = F(x,i)