On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase
Authors
Abstract
Consider a scenario where an l-bit secret has been distributed among n players by an honest dealer using some secret sharing scheme. Then, if all players behave honestly, the secret can be reconstructed in one round with zero error probability, and by broadcasting nl bits. We ask the following question: how close to this ideal can we get if up to t players (but not the dealer) are corrupted by an adaptive, active adversary with unbounded computing power, where in addition we require that the adversary does not learn the secret ahead of reconstruction time? It is easy to see that t = ⌊(n − 1)/2⌋ is the maximal value of t that can be tolerated, and furthermore, we show that the best we can hope for is a one-round reconstruction protocol where every honest player outputs the correct secret or “failure”. For any such protocol with failure probability at most 2^(−Ω(k)), we show a lower bound of Ω(nl + kn) bits on the information communicated. We further show that this is tight up to a constant factor. The lower bound trivially applies as well to VSS schemes, where also the dealer may be corrupt. Using generic methods, the scheme establishing the upper bound can be turned into a VSS with efficient reconstruction. However, the distribution phase becomes very inefficient. Closing this gap, we present a new VSS protocol where the distribution complexity matches that of the previously best known VSS, but where the reconstruction phase meets our lower bound up to a constant factor. The reconstruction is a factor of n better than previous VSS protocols. We show an application of this to multi-party computation with pre-processing, improving the complexity of earlier similar protocols by a factor of n.
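To make the "correct secret or failure" guarantee concrete, the following is an added Python illustration, not the paper's construction: Shamir sharing for t = ⌊(n − 1)/2⌋ combined with information-theoretic MACs, so that after a single broadcast round each honest player either recovers the secret or outputs "failure", and a forged share slips through a player's check only with probability about 1/P. The prime P, the key layout (keys[v][u] held only by verifier v) and the cheating pattern in demo() are constructed for this illustration; since every player broadcasts n tags, the scheme costs O(n²k) tag bits and does not reach the Ω(nl + kn) bound stated above.

```python
# Added illustration, not the paper's construction: Shamir shares plus information-theoretic MACs.
import random
P = 2**61 - 1  # constructed prime; tags are ~61 bits, so a forged tag passes with prob ~2^-61

def interpolate(points, x):
    """Evaluate at x the polynomial of degree < len(points) through (xi, yi) over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def deal(secret, n, seed=0):
    """Honest dealer: degree-t Shamir shares (t = (n-1)//2) and, for each verifier v and
    player u, a key keys[v][u] = (a, b) known only to v with tag tags[u][v] = a*share_u + b."""
    rng = random.Random(seed)
    t = (n - 1) // 2
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    shares = [sum(c * pow(u, i, P) for i, c in enumerate(coeffs)) % P for u in range(1, n + 1)]
    keys = [[(rng.randrange(1, P), rng.randrange(P)) for _ in range(n)] for _ in range(n)]
    tags = [[(keys[v][u][0] * shares[u] + keys[v][u][1]) % P for v in range(n)] for u in range(n)]
    return shares, keys, tags

def reconstruct(v, broadcasts, keys):
    """Honest player v after the single broadcast round; broadcasts[u] = (share, tags) as
    announced by player u, who may be corrupt. Returns the secret or "failure"."""
    n = len(broadcasts)
    t = (n - 1) // 2
    accepted = []
    for u, (share, tags_u) in enumerate(broadcasts):
        a, b = keys[v][u]
        if (a * share + b) % P == tags_u[v]:  # MAC check under v's private key
            accepted.append((u + 1, share))
    if len(accepted) < t + 1:
        return "failure"
    # The t+1 honest shares are always accepted and fix the polynomial; an accepted forged
    # share cannot lie on it, so any inconsistency yields "failure", never a wrong secret.
    base, rest = accepted[:t + 1], accepted[t + 1:]
    if any(interpolate(base, x) != y for x, y in rest):
        return "failure"
    return interpolate(base, 0)

def demo(secret=42, n=5):
    """Players 0 and 1 (t = 2 of n = 5) announce altered shares but keep the dealer's tags."""
    shares, keys, tags = deal(secret, n)
    broadcasts = [((shares[u] + (1 if u < 2 else 0)) % P, tags[u]) for u in range(n)]
    return [reconstruct(v, broadcasts, keys) for v in range(2, n)]
```

demo() returns [42, 42, 42]: the three honest players reject the two altered shares and recover the secret; a forged share whose tag happens to verify for one player makes that player output "failure" rather than a wrong value.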
Similar resources
On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction
Consider a scenario where an l-bit secret has been distributed among n players by an honest dealer using some secret sharing scheme. Then, if all players behave honestly, the secret can be reconstructed in one round with zero error probability, and by broadcasting nl bits. We ask the following question: how close to this ideal can we get if up to t players (but not the dealer) are corrupted by ...
The Round Complexity of Verifiable Secret Sharing Revisited
The round complexity of interactive protocols is one of their most important complexity measures. In this work we prove that existing lower bounds for the round complexity of VSS can be circumvented by introducing a negligible probability of error in the reconstruction phase. Previous results show matching lower and upper bounds of three rounds for VSS, with n = 3t + 1, where the reconstruction...
Broadcast and Verifiable Secret Sharing: New Security Models and Round Optimal Constructions
Title of dissertation: BROADCAST AND VERIFIABLE SECRET SHARING: NEW SECURITY MODELS AND ROUND-OPTIMAL CONSTRUCTIONS Ranjit Kumaresan, Doctor of Philosophy, 2012 Dissertation directed by: Professor Jonathan Katz Department of Computer Science Broadcast and verifiable secret sharing (VSS) are central building blocks for secure multi-party computation. These protocols are required to be resilient ...
Studies on Verifiable Secret Sharing, Byzantine Agreement and Multiparty Computation
This dissertation deals with three most important as well as fundamental problems in secure distributed computing, namely Verifiable Secret Sharing (VSS), Byzantine Agreement (BA) and Multiparty Computation (MPC). VSS is a two phase protocol (Sharing and Reconstruction) carried out among n parties in the presence of a centralized adversary who can corrupt up to t parties. Informally, the goal o...
The Round Complexity of General VSS
The round complexity of verifiable secret sharing (VSS) schemes has been studied extensively for threshold adversaries. In particular, Fitzi et al. showed an efficient 3-round VSS for n ≥ 3t+1 [4], where an infinitely powerful adversary can corrupt t (or less) parties out of n parties. This paper shows that for non-threshold adversaries, 1. Two round VSS is possible iff the underlying adversary...