Studies in Secure Multiparty Computation and Applications

Studies in

Secure Multiparty Computation

and Applications

Thesis for the Degree of

DOCTOR of PHILOSOPHY

Ran Canetti

Department of Computer Science and Applied Mathematics

The Weizmann Institute of Science

Submitted to the Scientic Council of

The Weizmann Institute of Science

Rehovot Israel

June

Revised March

Acknowledgements

First a very sp ecial thanks is due to Oded Goldreich my advisor On top of b eing an

exp ert on exp erts and a dear friend he is a devoted advisor far b eyond the ordinary

Oded has the sp ecial prop erty of always searching for the crux of any matter and

disgustedly ridding himself of the rest Once he sets his mind to a particular goal he is

thoroughly and uncompromisingly dedicated This together with his sharpness his p eculiar

sense of humor and his natural go o dheartedness make him a remarkable p erson indeed

My interaction with Oded deeply aected my approach to research and to life in general

Time and again his unconventional approach rst lo oks o dd and after some thought it

b ecomes clear that his is the direct simple and natural approach It also b ecomes totally

unclear how I ever thought otherwise

His colorful and creative feedback on my writing style has made each one of my drafts

a museum piece His feedback also spiced up my fearful anticipation of their return which

has happ ened at an amazing sp eed I am also thankful for the practical training I received

in the art of do dging ying sho es

During my years of study I have made some sp ecial acquaintances from whom I have

learned a lot Among these let me mention Benny Chor Amir Herzb erg who is the most

practical p erson I know Hugo Krawzcyk and Yishay Mansour

I have also enjoyed working with and learned a lot from many many p eople A very

partial list includes Amotz BarNoy Amos Beimel Mihir Bellare Cynthia Dwork Guy

Even Uri Feige Sha Goldwasser Sandy Irani Yoram Moses Moni Naor Tal Rabin

Baruch Schieber and Moti Yung

Next I wish to thank my collab orators on the results that make up this thesis I have

enjoyed and learned a lot from interacting with them The chapter on adaptive security in

the computational setting Chapter describ es joint work with Uri Feige Oded Goldreich

and Moni Naor The chapter on asynchronous secure computation Chapter describ es

joint work with Oded Goldreich and Michael BenOr The chapter on asynchronous Byzan

tine agreement Chapter describ es joint work with Tal Rabin The chapter on Proactive

Security Chapter describ es joint work with Amir Herzb erg

I have not found an appropriate list for Dana Ron but I still thank her for her company

and for sharing a b ottle of wine in countless dinners

A nal thanks is to Ronitt who b esides b eing my source of happiness and sound supp ort

has taught me more than a couple of things ab out research and life

iii

Abstract

Consider a set of parties who do not trust each other nor the channels by which they

communicate Still the parties wish to correctly compute some common function of their

lo cal inputs while keeping their lo cal data as private as p ossible This in a nutshell is the

problem of secure multiparty computation This problem is fundamental in cryptography

and in the study of distributed computations It takes many dierent forms dep ending on

the underlying network on the function to b e computed and on the amount of distrust the

parties have in each other and in the network

We study several asp ects of secure multiparty computation We rst present new def

initions of this problem in various settings Our denitions draw from previous ideas and

formalizations and incorp orate asp ects that were previously overlooked

Next we study the problem of dealing with adaptive adversaries Adaptive adversaries

are adversaries that corrupt parties during the course of the computation based on the

information gathered so far We investigate the p ower of adaptive adversaries in several

settings In particular we show how to construct adaptively secure proto cols for computing

any function in a computational setting where the communication channels can b e tapp ed

by the adversary and secure communication is achieved by cryptographic primitives based

on the computational limitations of the adversary We remark that the problem of dealing

with adaptive adversaries in a computational setting was considered to b e a hard op en

problem

Next we initiate a study of secure multiparty computation in asynchronous networks

We consider a completely asynchronous network where the parties are connected via secure

channels In this setting we present appropriate denitions and construct proto cols for

securely computing any function We present a detailed pro of of security of our proto cols

In the same asynchronous setting we apply ideas and techniques of secure multiparty

computation to a classical problem in the eld of distributed computing namely the problem

of reaching agreement in the presence of Byzantine faults We present the rst asynchronous

Byzantine Agreement proto col with optimal resilience ie an adversary may corrupt up to

e of the n parties and p olynomial complexity d

Finally we address the problem of maintaining the security of computer systems in the

presence of rep eated however transient breakins We present a new approach for dealing

with this problem Using our approach we show how systems can automatically recover

from transient breakins We introduce mechanisms for maintaining the security of internal

data of parties We use secure multiparty computation as a formal setting for developing

and analyzing our mechanisms

Table of Contents

Introduction

Some prior and related work

Dening secure multiparty computation

On semihonest parties

Adaptively secure computation

Asynchronous secure computation

Asynchronous Byzantine Agreement

Proactive security Maintaining security in the presence of transient faults

Reconstructability and an application to secure signon

Dening secure multiparty computation

Nonadaptively secure computation

Semihonest parties

Adaptively secure computation in the secure channels setting

Adaptively secure computation in the computational setting

The problems in proving adaptive security informal presentation

The secure channels setting

Adaptive security in the computational setting

Dening noncommitting encryption

A solution for nonerasing parties

Adaptively secure computation given noncommitting encryption

Constructing noncommitting encryption

Alternative implementations of noncommitting encryption

Honestlo oking parties

Asynchronous secure computation

Preliminaries

The asynchronous mo del iv

Table of Contents v

Dening secure asynchronous computation

Writing asynchronous proto cols

Primitives

Byzantine Agreement

Broadcast

Agreement on a Core Set

FailStop faults

GlobalShare and Reconstruct

Evaluating a linear gate

Evaluating a multiplication gate

The main proto col

Pro of of correctness nonadaptive case

Pro of of correctness adaptive case

Asynchronous veriable secret sharing

A denition

An AVSS scheme

Eciently nding a star

Online error correcting

Correctness of the AVSS scheme

Byzantine adversaries

Global Veriable Share

Computing a multiplication gate

The Byzantine proto col

Lower b ounds

FailStop adversaries

Byzantine adversaries

A Exp ected running times

B Pro ofs of technical lemmas

Asynchronous Byzantine agreement

Denitions

Overview of the proto cols

Tools

Information Checking Proto col ICP

Broadcast

Asynchronous Recoverable Sharing ARS

Asynchronous Weak Secret Sharing AWSS

TwoSumAWSS

Asynchronous Veriable Secret Sharing AVSS

Common Coin

Byzantine Agreement

The Voting Proto col

The Byzantine Agreement proto col

Table of Contents vi

Proactive security

Denitions

The Proto col

Analysis

Insecure Links

On the Application to Secure SignOn

An alternative denition of PP

Conclusion

Bibliography

C h a p t e r

Introduction

Consider a set of parties who do not trust each other nor the channels by which they

communicate Still the parties wish to correctly compute some common function of their

lo cal inputs while keeping their lo cal data as private as p ossible This in a nutshell is

the problem of secure multiparty computation This problem takes many dierent forms

dep ending on the underlying network on the function to b e computed and on the amount

of distrust the parties have in each other and in the network

The problem of secure multiparty computation is fundamental in cryptography as well

as relevant to practical cryptographic applications as demonstrated in the sequel In

particular almost any known cryptographic setting and problem can b e viewed as a sp ecial

case of this general problem eg encryption authentication commitment signatures zero

knowledge and many others Thus secure multiparty computation may serve as a general

uniform paradigm for the study of most of cryptography Furthermore understanding secure

multiparty computation is fundamental in the study of distributed systems in general

The parties distrust in each other and in the network is usually mo delled via an ad

versary that has control over some of the parties and p erhaps also over the communication

media or channels We call parties controlled by the adversary corrupted Many dierent

adversary types or adversary mo dels may b e considered each mo delling dierent problems

or addressing a dierent setting The requirements from solutions to secure computation

problems as well as the techniques used dier considerably with the adversary mo dels In

order to b e able to present the work done in this eld and in particular our work we

briey sketch some prominent parameters dening adversary mo dels

Computational p ower We distinguish b etween adversaries that are computationally un

b ounded and adversaries restricted to probabilistic p olynomial time PPT We re

mark that throughout this work we assume that the uncorrupted parties are restricted

to PPT

Control over the communication We distinguish three levels of control over the chan

nels or alternatively three levels of abstraction of the channel security In the most

abstract setting the adversary has no access to the channels That is each two uncor

rupted parties communicate securely without the adversary hearing or aecting the

Introduction

communication This is the secure channels assumption Alternatively we may as

sume that the adversary can hear all the communication among all parties Still the

adversary cannot alter the communication This is the insecure channels assumption

Lastly if the channels are unauthenticat ed then the adversary has full control over

the communication That is on top of hearing the communication the adversary can

delete generate and mo dify messages at wish We sometimes call insecure channels

authenticated

Synchrony In a synchronous network all parties have a common global clo ck All mes

sages are sent on a clo ck tick and are received at the next tick In an asynchronous

network no global clo ck exists Furthermore arbitrary however nite time may

lapse b etween the sending and receipt of a message In particular messages may b e

received in an order dierent than the order of sending We remark that although

often taken as a parameter of the network synchrony may b e considered as a param

eter of the adversary In particular setting the actual delays of the messages may b e

naturally considered as an additional p ower given to the adversary

Number of corrupted parties We limit the number of corrupted parties at any given

time An adversary is tlimited if at any given time at most t parties are corrupted A

proto col is tresilient if it meets it sp ecications in the presence of tlimited adversaries

tresilient proto cols for secure computation are also called tsecure

Control over corrupted parties We distinguish b etween eavesdropping adversaries that

only gather information and do not alter the b ehavior of corrupted parties and Byzan

tine adversaries that may alter the b ehavior of the corrupted parties in an arbitrary and

co ordinated way In asynchronous networks it makes sense to consider also FailStop

adversaries Here the only diversion from the proto col allowed to the corrupted parties

is to crash that is to stop sending message at some time during the computation

A crushed party may not resume sending messages For security considerations we

assume that faulty parties continue receiving messages and have an output

Adaptivity By adaptivity we mean the way in which the corrupted parties are chosen It

is simplest to assume that the set of corrupted parties is arbitrary but xed ofcourse

the uncorrupted parties do not know the identity of the corrupted parties We call

such adversaries nonadaptive Alternatively we may let the adversary choose which

parties to corrupt as the computation pro ceeds based on the information gathered so

far Once a party is corrupted it remains so for the rest of the computation We call

such adversaries adaptive

Lastly we may let the adversary corrupt in an adaptive way a dierent set of parties

at dierent times during the computations Here parties that were once corrupted

may b ecome uncorrupted again and there is no limit on the total number of par

ties that were corrupted at some time or another during the computation Such

adversaries are called mobile

In the sequel we often use the following terminology A secure channels setting refers to

computationally unbounded adversaries with secure channels A computational setting refers

to adversaries restricted to PPT and insecure channels Other parameters eg synchrony adaptivity may vary

Introduction

A great deal of work has b een done studying secure multiparty computation This

b o dy of work may b e divided to three ma jor eorts as follows First ingenious proto cols

have b een devised for securely computing in several adversary mo dels out of the ones

characterized ab ove any function whose inputs are distributed among the parties Next

ideas and techniques from multiparty computation have b een successfully applied to other

problems in cryptography and in computer science in general Another eort aims at nding

go o d denitions for secure multiparty computation in dierent adversary mo dels By

go o d we mean denitions that correctly capture our intuitive notions and are coherent

and usable Surprisingly such denitions have proved to b e very evasive In particular

in spite of considerable eorts and some appreciable results published denitions have

several shortcomings describ ed in the sequel

We remark that the current state of knowledge regarding secure multiparty computation

is somewhat paradoxical Constructions solving any proto col problem exist accompanied

by neither a pro of nor a go o d denition The value and validity of most of these construc

tions is intuitively obvious However precise denitions and pro ofs are essential To the

b est of our knowledge the rst work that contains a denition a proto col and a full pro of

for a secure multiparty computation problem is the asynchronous secure computation work

presented here In another part of our work we demonstrate a fundamental problem namely

the adaptive security problem where precise denition and analysis result in pinp ointing

the diculties and lead to a longsought solution for some imp ortant sp ecial cases

In this work we address several dierent asp ects of secure multiparty computation

ranging over the ab ove eorts In the rest of the introduction we motivate and overview our

contributions as follows We rst briey overview in Section some of the prior work

in this area that is directly relevant to our work Next for n f g Section n in

the introduction motivates Chapter n in the sequel

In Chapter we address the problem of dening secure multiparty computation We

present new formulations of denitions of secure multiparty computation in dierent adver

sary mo dels In Section we briey and roughly sketch our new ideas as well as overview

some prior denitions on which we base ours

In Chapter we investigate the extra p ower of adaptive adversaries over nonadaptive

adversaries We consider two cases the secure channels setting and the computational

setting In the secure channels setting we distinguish two very dierent variants We shed

new light on this problem and reevaluate some common b eliefs In particular we show

how to construct adaptively secure proto cols for computing any function in a computational

setting

Next we study security in asynchronous networks In Chapter we dene a notion of

secure multiparty computation in asynchronous networks We also show how any functions

can b e securely computed in our setting We present detailed pro ofs of security of our

constructions In Chapter we apply ideas and techniques of secure multiparty compu

tation to the classical Byzantine agreement problem We present the rst asynchronous

e resilient Byzantine Agreement proto col with optimal resilience our proto col is d

and p olynomial complexity

The notion of asynchronous veriable secret sharing AVSS plays a key role in b oth

Chapters and In each of the two chapters we present a very dierent construction

of AVSS The two constructions have dierent resilience prop erties We elab orate on the

Some prior and related work

dierences in the sequel

In Chapter we address the problem of maintaining the security of computer systems in

the presence of rep eated however transient breakins We present a new approach called

the proactive approach for dealing with this problem Using our approach we show how

systems can automatically recover from transient breakins We use secure multiparty

computation as a formal setting for developing and analyzing our mechanisms

We conclude by presenting in Chapter a brief p ersonal view of the work and its

merits We also prop ose some directions for further research

Some prior and related work

We briey overview three works that are immediately relevant to our work We also mention

some other prominent works in secure multiparty computation We present other relevant

works in the sequel

The problem of secure computation was rst formulated by Yao for the twoparty case

in Y Five years later Goldreich Micali and Wigderson showed how to securely

compute any function whose inputs are divided among the parties in a computational setting

GMW That is in GMW a synchronous network of n parties is considered where the

communication channels are insecure and the parties as well as the adversary are restricted

to PPT In this mo del they showed under the assumption that oneway functions with

trap do or exist how to construct nsecure proto cols for computing any function in the

presence of eavesdropping adversaries In the case of Byzantine adversaries they show

e secure proto cols for computing any function Their proto cols can b e shown secure d

in the presence of nonadaptive adversaries

BenOr Goldwasser and Wigderson BGW and indep endently Chaum Crep eau and

Damgard CCD study secure multiparty computation in the secure channels setting They

e secure proto cols show that a If the adversary is eavesdropping then there exist d

for computing any function b if the adversary is Byzantine then any function can b e

d e securely computed Furthermore they show that these b ounds on the number of

corruptions are tight These proto cols can b e shown secure in the presence of nonadaptive

adversaries Adaptive security ie security in the presence of adaptive adversaries is

provable in certain variants of this setting We elab orate on this p oint in Chapter

Goldwasser and Levin build on a long sequence of works studying the case of Byzantine

adversaries limited to PPT where a ma jority of the parties may b e corrupted GwL

Chor and Kushilevitz study secure multiparty computation with corrupted ma jority of

the parties in the secure channels setting CK Goldreich Goldwasser and Linial study

secure multiparty computation in the presence of insecure channels and computationally

unlimited adversaries GGL Ostrovsky and Yung study secure multiparty computation in

the presence of secure channels and mobile adversaries OY Micali and Rogaway MR

and also Beaver Be prop ose denitions for secure multiparty computation in the secure channels setting in the presence of adaptive adversaries

Dening secure multiparty computation

We attempt at formulating coherent lean and usable denitions that adequately capture

our intuitive notion of security of proto cols for multiparty computation in dierent adversary

mo dels In the sequel we make extensive use of our denitions when proving security of our

proto cols Our denitions build on previously known ideas We rst present these ideas as

well as a brief critique and comparison of relevant works Next we present our interpretation

and new ideas

Micali and Rogaway MR and indep endently Beaver Be introduced the following

metho dology for dening secure multiparty computation or more sp ecically secure eval

uation of a function whose inputs are distributed among the parties First an ideal mo del for

secure multiparty computation is formulated A computation in this ideal mo del describ ed

b elow captures the highest level of security we can exp ect from multiparty function eval

uation Next we require that executing a secure proto col for evaluating some function of

the parties inputs in the actual reallife setting is equivalent to evaluating the function

in the ideal mo del

A computation in this ideal mo del pro ceeds as follows First an idealmo del adversary

chooses to corrupt a set of parties either adaptively or nonadaptively learns their inputs

and p ossibly mo dies it Next all parties hand their p ossibly mo died inputs to an

incorruptible trusted party Next the trusted party computes the exp ected output ie the

function value and hands it to all parties The uncorrupted parties output whatever they

receive from the trusted party The corrupted parties output some arbitrary function of

their joint inputs random inputs and the value received from the trusted party Lo osely

sp eaking executing in the reallife setting is said to b e equivalent to evaluating the

function in the ideal mo del if the same eect on the computation achieved by a reallife

adversary can b e also achieved by an idealmo de adversary

The denitions in MR and Be dier in the notion of equivalence of computations In

MR the idealmo del adversary is required to very closely mimic the op eration of the real

life adversary down to precise details In particular the idealmo del adversary is limited to

creating a simulated environment for the reallife adversary that lo oks the same as a real

environment via a sp ecial type of blackbox simulation In Be a dierent approach is

pursued First a general notion of comparing security of proto cols is formulated as follows

Consider two proto cols and for computing the same function Essentially proto col is

at least as secure as proto col if an adversary attacking cannot aect the outputs of the

parties more than an adversary attacking Here some technical interface algorithms are

used when and op erate in dierent adversary mo dels Next a proto col for evaluating

a function is secure if it at least as secure as the trivial proto col for evaluating the function

in the ideal mo del We remark that although their approach is general b oth Micali and

Rogaway and Beaver formalize their denitions only in the secure channels setting

Our denitions use ideas from b oth works We rst dene an idealmo del adversary

based on the ab ove description Next we require that for any reallife adversary B attacking

a secure proto col there exists an idealmo del adversary A that has the same eect on the

computation as B even though A operates in the ideal model That is on any inputs for

the parties the random variable describing the outputs of all parties in the ideal mo del is

distributed similarly to the random variable describing the outputs of all parties in the

reallife mo del The particular notion of similarity eg p erfect equality or computational

Dening secure multiparty computation

indistinguishabi li ty dep ends on the sp ecic adversary mo del We emphasize that the

complexity of the idealmo del adversary A should b e comparable to the complexity of

the reallife adversary B We elab orate on this p oint in Chapters and Our denitions

incorp orate an imp ortant additional concern that was left unnoticed by previous denitions

We present this concern in Section b elow

We b elieve that our simple and straightforward notion of equivalence of computations

which do es not restrict the op eration of the idealmo del adversary suces for dening

security In the sequel we also use a more restrictive and technical notion of equivalence of

a reallife computation to a computation in the ideal mo del Here we limit the idealmo del

adversary A to blackbox simulation of the reallife adversary A more precise denition of

this simulation is presented in the sequel We note that our notion of blackbox simulation

is less restrictive than the MR notion

We remark that Goldwasser and Levin take a slightly dierent approach at dening

secure multiparty computation GwL First they extract the inevitable advantages of

the adversary in the ideal mo del we briey sketch these inevitable advantages b elow

Next they say that a proto col is robust if for any adversary there exists an equivalent

adversary that is limited to these inevitable privileges and that has the same eect on

the computation Their notion of robustness of proto cols has the advantage that it is

indep endent of the sp ecic function to b e computed except for some technical subtleties

ignored in this presentation

The inevitable privileges of the adversary extracted from the ideal mo del can b e

sketched as follows First the adversary may choose to corrupt parties either adaptively

or nonadaptively Next if the adversary is Byzantine then the inputs of the corrupted

parties may b e mo died However this is done without knowledge of the inputs of the

uncorrupted parties Next the adversary may learn the sp ecied outputs of the corrupted

parties This may inevitably reveal some information on the inputs of the uncorrupted

parties Furthermore if the adversary is adaptive then it can corrupt parties after the

computation is completed based on the output of the computation

On semihonest parties

The problem of secure computation in the presence of adaptive adversaries is intimately

related to the following concern In a distributed scenario where no party is thoroughly

trusted there is no reason to b elieve that even uncorrupted parties follow their proto cols

to the dot Honest parties internally deviate from their proto col in many reallife scenarios

such as users that keep record of their passwords sto ckmarket brokers that keep records

of their clients orders operating systems that free old memory instead of erasing or

take p erio dic snapshots of the memory for error recovery purp oses and computers that

use pseudorandom generators as their source of randomness instead of truly random bits

Consider for example a proto col in which party A is instructed to choose a random number

r for party B hand r to B and then to erase r from its own memory Can B b e certain

It turns out that if a ma jority of the parties are corrupted then in addition to the privileges describ ed

ab ove the adversary cannot b e prevented from quitting early ie disrupting the computation at any

time However this is done without knowing the output with more certainty than the uncorrupted parties We do not discuss situations of corrupted ma jority in this work

Adaptively secure computation

that A no longer knows r Furthermore can A now convince a third party or an adversary

that decides to corrupt A that he no longer knows r

For this purp ose we introduce the notion of a semihonest party Such a party app ears

as honest ie seems to b e following its proto col from the p oint of view of an outside

observer however internally it may somewhat deviate from his proto col For instance a

semihonest party may fail to erase some internal data or use randomness not as instructed

However semihonest parties do not collab orate We wish to have proto cols that are secure

even when parties are not thoroughly trusted or in other words when the uncorrupted

parties are semihonest rather than honest That is say that a proto col is a semihonest

protocol for a proto col if a party running app ears as an honest party running

We dene this notion more precisely in Chapter When the parties are not thoroughly

trusted we want the requirements from to b e satised even if the uncorrupted parties

are running some semihonest proto col for In the sequel we consider several alternative

notions of semihonest parties diering in the amount of allowed internal deviation from

the proto col

We distinguish three types of semihonest b ehaviour The most b enign and hardest to

prevent is simply not erasing internal data We call such parties nonerasing Alternatively

one may consider parties that internally deviate from the proto col in an arbitrary way as

long as the deviation is undetectable by any external test that represents a collab oration

of the other parties We call such parties honestlo oking Finally we consider parties

that deviate from their proto cols in a way that is undetectable only by parties running the

protocol Such parties are called weakly honest We elab orate on and present denitions

of the three types of semihonest parties in Chapter

We remark that the dierence b etween computations in the presence of totally honest

parties and computations in the presence of semihonest parties b ecomes evident only in

the presence of adaptive adversaries

Adaptively secure computation

We investigate adaptively secure multiparty computation that is computation secure in the

presence of adversaries that choose which parties to corrupt as the computation pro ceeds

based on the information gathered so far Unlike the case of nonadaptive adversaries

which is pretty well understo o d the case of adaptive adversaries contains various asp ects

that were previously overlooked In particular unlike folklore b elief proving adaptive

security of proto cols in b oth the secure channels and computational settings encounters

fundamental diculties We investigate these diculties and provide solutions for some

imp ortant sp ecial cases

The dierence b etween adaptive and nonadaptive adversaries may b e b est demonstrated

via an example Consider the following secret sharing proto col run in the presence of an

adversary that may corrupt t O n out of the n parties A dealer D chooses at random

t parties and shares its secret among these parties using an mout a small set S of m

ofm sharing scheme In addition D publicizes the set S Intuitively this scheme lacks in

security since S is public and jS j t Indeed an adaptive adversary can easily nd D s

We b orrow the name from an earlier version of GMW where it is used for dierent purp oses

Adaptively secure computation

secret without corrupting D by corrupting the parties in S However any nonadaptive

adversary that do es not corrupt D learns D s secret only if S happ ens to b e identical to the

predened set of corrupted parties This happ ens only with exp onentially small probability

Consequently this proto col is secure in the presence of nonadaptive adversaries

It turns out that the p ower of an adaptive adversary dep ends in a crucial way on the

amount in which uncorrupted parties internally deviate from their proto cols Consider a

party just corrupted by the adversary during the course of the computation If the party

is totally honest then the adversary will see exactly the data sp ecied in the proto col

in particular any data that was supp osed to b e erased will b e indeed erased In this case

adaptively secure computation can b e carried out using known primitives in all the settings

discussed b elow BH If however the party did not erase old data or more generally if

the party is semihonest as informally dened in Section then the adversary may see

a great deal of other data such as all the past random choices of the party and all the

messages ever received and sent by the party The adversary may also see other more

problematic types of internal data We elab orate on this p oint in the sequel Therefore

the adversary is much more p owerful in the presence of semihonest parties The more

allowed internal deviation from the proto col the stronger the adversary b ecomes

We rst consider the secure channels setting Here the BGW CCD proto cols can b e

proven adaptively secure in the presence of nonerasing parties see Section Funda

mental problems arise when trying to prove adaptive security of proto cols in the presence

of more general types of semihonest parties We sketch these problems

Finally we concentrate on the computational setting and on nonerasing parties Is

adaptively secure computation p ossible in this scenario This question has remained op en

since the result of GMW

We answer this question in the armative The problems encountered and our solution

are presented via the following transformation It is a folklore b elief that any secure proto col

in the secure channels setting can b e transformed into a secure proto col in the computa

tional setting by encrypting each message using a standard semantically secure encryption

scheme This b elief can indeed b e turned into a pro of provided that only nonadaptive ad

versaries are considered Ma jor diculties are encountered when trying to prove this b elief

in the presence of adaptive adversaries We show how these diculties are overcome if a

novel proto col for transmission of encrypted data is used instead of standard encryption

We call such encryption proto cols noncommitting Standard encryption schemes are not

noncommitting We also construct a noncommitting encryption proto col based on the

existence of a primitive called common domain trap do or systems This primitive exists under

the RSA assumption

Noncommitting encryption can b e roughly describ ed as follows Traditional encryption

schemes have the extra prop erty that the ciphertext may serve as a commitment of the

sender to the encrypted data That is supp ose that after seeing the ciphertext a third

party requests the sender to reveal the encrypted data and show how it was encrypted and

decrypted Using traditional encryption schemes it may b e infeasible or even imp ossible

for the sender to demonstrate that the encrypted data was any dierent than what was

indeed transmitted In fact many times encryption is explicitly or implicitly used for

commitment In a noncommitting encryption scheme the ciphertext cannot b e used to

commit the sender or the receiver to the transmitted data That is a noncommitting

Asynchronous secure computation

encryption proto col allows a simulator to generate dummy ciphertexts that lo ok like genuine

ones and can b e later op ened as encryptions of either or at wish We note that

communication over absolutely secure channels is trivially noncommitting since the third

party sees no ciphertext

Our construction of noncommitting data transmission requires all parties to participate

in the secure transmission of information b etween two parties For b enet of other p ossible

applications we note that our construction can b e carried out in two stages the rst stage

which requires the participation of all parties do es not dep end on the data to b e delivered

which may even b e undetermined at this stage whereas the second stage consists of a

single message transmission from the datasender to the receiver Our scheme is resilient as

long as at least one party remains uncorrupted

Asynchronous secure computation

We initiate a study of security in asynchronous networks We consider a completely asyn

chronous network of n parties connected by private channels There is no global clo ck

and messages can b e arbitrarily delayed on the channels however each message sent is

eventually received Furthermore the order of the messages on a channel need not b e

preserved

If the adversary is eavesdropping then any synchronous secure proto col can b e run in

an asynchronous network using any synchronizer eg Aw It can b e seen that in this

case the security in the synchronous sense as dened in Chapter of the proto col is

maintained However asynchrony combined with the p ossibility of faults has devastating

consequences on the computational capabilities of a network Fischer Lynch and Paterson

FLP showed that deterministic proto cols cannot achieve even the basic goal of Consensus

in an asynchronous network in the presence of even one FailStop fault Consequently every

randomized proto col reaching Consensus must have some innite runs on every input

Chor and Moscovici CM characterized the p ossible tasks in the presence of t FailStop

faults roughly sp eaking the output of any computation in the presence of t p otential

faults cannot b e based on more than n t of the inputs since up to t parties may never

join the computation

We dene secure computation in this asynchronous setting Following the metho dology

of synchronous denitions see Section we rst envision an ideal mo del for secure com

putation in our asynchronous setting This ideal mo del is dierent than the synchronous

ideal mo del We then say that a reallife computation is secure if it is equivalent to a

computation in the ideal mo del A computation in the ideal mo del pro ceeds as follows Also

here an incorruptible trusted party is added to the network Essentially in the presence of t

p otential faults or corruptions the trusted party cannot wait to hear from more than n t

parties in the network since up to t may never join the computation Instead the trusted

party outputs an estimation to the function value based on the inputs of the parties in

some core set of size at least n t This core set chosen by the adversary should b e

indep endent of the inputs of the uncorrupted parties Furthermore this core set should

app ear explicitly in the output of the uncorrupted parties otherwise the output may have

no sense The corrupted parties should learn nothing from the computation other than the estimated function value and the agreed core set

Asynchronous Byzantine Agreement

We show that whatever can b e computed in this asynchronous setting can b e computed

in a secure manner We consider two types of adversaries First we show how to tsecurely

compute any function in the asynchronous sense provided that the adversary is FailStop

and n t Next we show how to tsecurely compute any function in the presence of

Byzantine adversaries provided that n t In our proto cols there is no probability

of error in the output of the uncorrupted parties Although innite runs of our proto cols

must exist they o ccur with probability or measure zero

The resilience of our construction to FailStop adversaries is optimal That is we demon

strate functions which cannot b e nsecurely computed or even approximated b etter than

guessing at random in the presence of FailStop adversaries The resilience of our construc

tion for Byzantine adversaries is optimal with resp ect to errorless proto cols That is we

esecurely computed in the presence of Byzantine demonstrate functions that cannot b e d

adversaries if no errors are allowed Subsequent to our work BenOr Kelmer and Rabin

e securely com showed using very dierent constructions how any function can b e d

puted in the presence of Byzantine adversaries and with exp onentially small probability of

error BKR

Our constructions adapt the BGW synchronous constructions to an asynchronous envi

ronment Furthermore we develop several new to ols which may b e of separate interest We

describ e a constant time errorless Asynchronous Veriable Secret Sharing AVSS scheme

for n t dierent constructions Fe CR have a small probability of error Our AVSS

scheme employs a metho d for online error correcting of Generalized Reed Solomon co des

as well as a sp ecially tailored approximation scheme for the maximumclique problem in

a graph

Another to ol is a proto col for agreement on a common core set of parties At the

onset of this proto col each party knows of a dierent set of parties that have completed

some stage eg the sharing of their inputs has b een successfully completed The proto col

enables the uncorrupted parties to agree on a large enough core set of parties such that

all the parties in this core set have indeed completed the sp ecied stage

We present a full pro of of security of our constructions For clarity of presentation we

rst prove that our proto cols are secure against nonadaptive adversaries Next we mo dify

the pro ofs to deal with adaptive adversaries

Asynchronous Byzantine Agreement

The problem of reaching agreement in the presence of faults is one of the most fundamental

problems in the eld of distributed computing A particularly interesting variant of this

problem introduced by Pease Shostak and Lamp ort PSL allows Byzantine adversaries

A standard formulation of this problem called the Byzantine agreement BA problem

follows design a proto col that allows the uncorrupted parties to agree on a common value

The agreed value should b e the input value of one of the uncorrupted parties We remark

that Byzantine agreement is a very limited sp ecial case of secure multiparty computation

where privacy of the inputs of the parties need not b e kept Still privacymaintaining

primitives will play a key role in our construction

The BA problem was extensively investigated in various adversary mo dels out of the

ones characterized at the b eginning of the introduction We refer the interested reader to

Asynchronous Byzantine Agreement

the surveys of Fischer F and Chor and Dwork CD However despite extensive research

a few imp ortant questions have remained op en One of these questions is the fo cus of this

work

Bounds on the resilience of BA proto cols were proved in PSL There it was showed

that agreement cannot b e reached by a deterministic proto col in an nparty synchronous

e Byzantine faults Karlin and Yao KY generalized this result to ran network with d

domized proto cols These results apply also to asynchronous networks Furthermore the

imp ossibility result of Fischer Lynch and Paterson for deterministic proto cols FLP implies

that any randomized proto col reaching BA must have nonterminating runs Bracha de

scrib es an d e resilient asynchronous BA proto col which runs in exp ected time

e resilient BA proto col which Br Feldman and Micali describ e a synchronous d

runs in constant exp ected time FM Feldman Fe generalizes the FM construction to an

asynchronous setting yielding a constant exp ected time d e resilient asynchronous

BA proto col All of these works allow computationally unbounded adversaries FM Fe

assume secure channels

e A long standing op en question cf FM CD is whether there exists an d

resilient asynchronous BA proto col with p olynomial time and message complexity

We answer this question in the armative We consider a completely asynchronous

network of n parties with secure channels and computationally unlimited adaptive ad

e resilient With versaries In this setting we describ e a BA proto col that is d

overwhelming probability all the uncorrupted parties complete our proto col Given that all

the uncorrupted parties have completed the proto col they do so in constant exp ected time

The constructions we use in our proto col are of indep endent interest

Let us overview the chain of results leading to our result and sketch the techniques used

e resilient BA proto col that runs in constant exp ected Rabin MRa describ es an d

time provided that all the parties have access to a global coin namely a common source

of randomness Rabins construction can b e used in synchronous as well as asynchronous

networks Bracha Br improved the resilience of Rabins proto col to d e Furthermore

He prop osed a very simple however inecient scheme for implementing global coin This

ineciency results in exp onential running time The essence of the FM d e resilient

synchronous BA proto col is an ecient scheme for generating such a global coin once this

global coin is generated the parties pro ceed in a similar manner to Rabins and Brachas

proto cols The FM proto col for generating this global coin relies heavily on a Veriable

Secret Sharing VSS scheme The notion of VSS was introduced in CGMA Feldman

Fe describ es an asynchronous construction for global coin and BA given an r resilient

n n

e resilient d e Asynchronous VSS AVSS scheme This construction is minr d

resilient AVSS schemes are presented in Fe BCG The BCG scheme is presented in

Section Up to now no known AVSS scheme has b een more than d e resilient

e resilient AVSS scheme We also present a In this chapter we construct an d

considerably mo died version of Feldmans construction for reaching BA given an AVSS

scheme Put together these constructions constitute an asynchronous d e resilient

e resilient AVSS scheme has applications in other BA proto col We note that our d

contexts as well for instance in BE BKR

We oer an intuitive exp osition of the diculties encountered in trying to devise an

e resilient AVSS scheme Generally in an asynchronous network of n parties with d

Proactive security Maintaining security in the presence of transient faults

t p otential faults a party can never wait to communicate with more than n t other

parties b ecause the corrupted parties may not co op erate An AVSS scheme is comp osed

of two phases a sharing phase in which a dealer shares a secret among the parties

and each party veries for himself that a unique secret is dened by the shares and a

reconstruction phase in which the parties reconstruct the secret from its shares A party P

must b e able to complete the execution of the sharing phase even if he has communicated

with only n t of the parties This means that he has veried the existence of a well dened

secret only with this subset of the parties denoted C When P pro ceeds to carry out the

reconstruction phase he again can communicate with at most n t of the parties Denote

this set C The set C might include parties with whom P has not communicated in the

sharing phase hence P do es not know whether their shares are in accordance with the

secret dened by the shares of the parties in C Possibly the parties that are not in C

did not receive shares at all Thus P can dep end only on the parties in the intersection

C of the two sets Still t out of the parties in C may b e corrupted As long as n t

it holds that jC j t thus the ma jority of the parties in C are uncorrupted However

when n t it is p ossible that jC j t In this case there might b e only a single

uncorrupted party in C

We overcome these diculties by devising a to ol called Asynchronous Recoverable Shar

ing ARS assuring that with overwhelming probability the shares of al l the parties in

the set C dened ab ove will b e available in the reconstruction phase The ARS proto col

uses a to ol presented in TRa RB called Information Checking Proto col Using ARS as a

primitive we construct a secret sharing scheme called Asynchronous Weak Secret Sharing

AWSS Using AWSS we construct our AVSS scheme Both the AWSS and the AVSS

schemes generalize synchronous constructs introduced in TRa RB

Proactive security Maintaining security in the presence

of transient faults

Traditionally cryptography is fo cused on protecting interacting parties ie computers

against external malicious entities Such cryptographic tasks include private communica

tion over insecure channels authentication of parties unforgeable signatures and general

multiparty secure computation An inherent prop erty of all these scenarios is that once a

party is corrupted it remains this way

As computer systems b ecome more complex internal attacks on systems ie attacks

that corrupt comp onents within a system b ecome an even more imp ortant security threat

eg LE St Such attacks may b e p erformed for instance by internal human fraud op

erating system weaknesses or Trojan horse software eg viruses We use the generic term

breakins for all these attacks Security administrators often nd breakins more alarming

than external attacks such as line tappings

Breakins are often temp orary or transient eg ER Thus the paradigm of bad once

means bad forever do es not hold here Still known solutions to breakins do not include

mechanisms for taking advantage of p ossible automatic recovery of a comp onent in case

that the fault is transient This approach is contrasted with the traditional approach of

faulttolerance which relies heavily on the fact that faults are transient and on the reuse of

recovered comp onents We b elieve that the idea of recovering and reusing comp onents that

Proactive security Maintaining security in the presence of transient faults

have once b een corrupted can b e extremely useful also for cryptographic purp oses This

idea and in particular the recovery pro cess is the fo cus of this work

We prop ose a new approach to designing security systems in the presence of p erp etual

however transient breakins This approach which we call the proactive approach may b e

outlined as follows

a Distribute the tasks and resp onsibiliti es among several comp onents ofthe

system Design the system so that the overall security remains intact as long as

at any instance the security of only some fraction of the comp onents is compro

mised

b Design a mechanism for automatic recovery of a given comp onent from a

breakin p ossibly with the help of other comp onents Recovery will b e guaran

teed only if the comp onent is no longer corrupted ie controlled by an adver

sary

c Apply the automatic recovery mechanism p erio dically to all comp onents in

the system

This way the overall security provided by the system remains intact in the presence of

breakins as long as no large fraction of the comp onents are broken into al l at once that

is b etween two consecutive applications of the recovery mechanism

The automatic recovery pro cess is at the heart of proactive security The goal of the

recovery pro cess is to ensure that once a comp onent is recovered it will again contribute

to the overall security of the system This goal is somewhat tricky Even after the attacker

loses control of a comp onent it still knows the internal data of the comp onent eg the

private cryptographic keys Thus a rst step in the recovery pro cess must b e to somehow

hand the recovering comp onent some new secrets unknown to the attacker These secrets

can then b e used to say choose new keys The obvious way to generate such secrets is to

use some source of fresh physical randomness However such a source may not b e readily

available In the sequel we demonstrate other reasons for not using fresh randomness in

each round even when it is available In this pap er we show how using the noncorrupted

comp onents in the system new pseudorandom secrets can b e generated without fresh

randomness In Section we describ e an imp ortant application of our PP proto col to

secure signon mechanisms

We use multiparty secure computation as a formal setting for our work as follows We

consider a system network of comp onents parties where every two parties are connected

via a communication channel We elab orate b elow on the security requirements from the

channels Parties may b e temp orarily corrupted by a mobile adversary That is the

adversary may choose to corrupt dierent parties at dierent times ie communication

rounds as long as at any given time the number of infected parties is limited We stress

that there may b e no party that has never b een infected Secure multiparty computation

in the presence of mobile adversaries was previously studied by Ostrovsky and Yung OY

We remark that here the notion of semihonest parties discussed in Section is

irrelevant since all comp onents are programmed and run by the same entity In fact

erasing old data plays a key role in our constructions

We assume that even if the faults are Byzantine once the adversary has left the party

resumes executing its original proto col while its memory may b e corrupted This assump

Proactive security Maintaining security in the presence of transient faults

tion is explained as follows If the adversary can control the proto col after it leaves then

there is little meaning to recovery and regaining security would b e imp ossible Further

more in practice there are reasonable ways to ensure that the co de is not mo died such as

physical readonly storage or comparison against backup copies These techniques are used

regularly in many systems

In this work we describ e a scheme in which the parties use randomness only at the

beginning of the computation At each round the scheme supplies each uncorrupted party

with a fresh pseudorandom number unpredictable by the adversary even if this party

was corrupted in previous rounds and if the adversary knows all the other pseudorandom

numbers supplied to any party at any round In particular these pseudorandom numbers

can b e used by a recovering party just as fresh random numbers eg for regaining security

We call such a scheme a proactive pseudorandomness PP proto col

We require the following weak conditions First we assume that the adversary is limited

to probabilistic p olynomial time Next we require that in each round of computation there

is at least one secure party A party is secure at a given round if it is uncorrupted at this

round and it has a secure channel to a party that was secure in the previous round This

channel has to b e secure only during this round

Our construction is simple using pseudorandom functions GGM GGM A standard

cryptographic to ol which is b elieved to b ehave as a pseudorandom function family is the

Data Encryption Standard DES Our construction requires each server to apply DES once

p er user at each round

Reconstructability and an application to secure signon

We describ e an imp ortant application of our PP proto col to secure signon mechanisms

Reconstructability Pseudorandom generators b eing deterministic functions applied to

a random seed have the following advantage over truly random sources A pseudorandom

sequence is reconstructible in the sense that it is p ossible to generate exactly the same

sequence again by using the same seed This prop erty is very useful for several purp oses

such as rep eatable simulations and debugging Our application to secure signon also makes

use of this prop erty

In our setting we say that a PP proto col is reconstructible if the value generated within

each party at each round dep ends only on the seeds chosen by the parties at the b eginning

of the computation In particular these values should not dep end on the adversary

Reconstructability is not easily achieved for proactive pseudorandomness proto cols In

particular the basic proto col describ ed here is reconstructible only if the adversary is eaves

dropping FailStop adversaries and also Byzantine adversaries at the price of slightly

compromising the security could b e tolerated by simple mo dications

An application to Secure SignOn Unix and other op erating systems provide security

for the passwords by storing only a oneway function of the passwords on disk MT This

technique allows authentication of the users secure against eavesdropping the password le

Session security is not provided if the communication channels are not secure

When constructing secure LAN systems it is not realistic to assume that the under

lying communication channels are secure Security mechanisms therefore avoid sending

Proactive security Maintaining security in the presence of transient faults

the password on the clear Instead they use the users password to derive a session

key with which they secure the communication In b oth Kerb eros MNSS and NetSP

KryptoKnightBGH this is done by using the password as a key for exchanging a ran

dom session key this metho d also allows NetSP KryptoKnight to authenticate the user

automatically to additional systems single sign on

However this mechanism implies that some server must b e able to compute the session

key itself using some secret eg the password This in turn implies that the server has to

maintain the password le secret This secrecy requirement is a ma jor Achilles heel of any

security system Indeed NetWare provides a more complicated and computationally

intensive solution where the server keeps for each user an RSA private key encrypted

using the users password The encrypted private key is sent to the workstation which

decrypts it using the password and then uses it to derive a session key This solution only

requires the password le remains unmo died rather than secret

We show how a reconstructible proactive pseudorandomness proto col can b e used to

overcome this weakness without compromising eciency Our solution uses several proac

tive signon servers The servers run a dierent copy of our PP proto col for each user The

initial seed of each server P is a pseudorandom value derived from the users password in a

straightforward way Each server sets its key for each time p erio d to b e the current output

of the PP proto col The user knowing all the servers inputs of this reconstructible com

putation can simulate the computation and compute each servers key at any time p erio d

without need for any communication Thus a user can always interact with the server of

his choice The security of our PP proto col makes sure that a mobile adversary do es not

know the key currently used by a secure server as long as in each round there exists at

least one secure server

Our solution do es not require public key mechanisms Furthermore it is valid even if

the attacker can mo dify the login les kept by the servers

C h a p t e r

Dening secure multiparty

computation

We present denitions of secure multiparty computation in dierent adversary mo dels

Go o d denitions of secure multiparty computation are notoriously hard to formulate and

may b ecome very complex in some settings See Section for an introductory discus

sion We therefore start with a simple setting nonadaptive computationally unbounded

adversaries with secure channels in a synchronous network We later distinguish two very

dierent variants of this setting Although we do not use this denition in the sequel its

presentation captures many of the ideas needed for dening multiparty secure computation

Next we concentrate on adaptive adversaries Here the notion of semihonest parties

introduced in Section is central to our denitions The notion of semihonest parties

is irrelevant in the presence of nonadaptive adversaries We rst dene several variants

of semihonest parties diering in the amount of internal deviation from the proto col

Next we present our denition of adaptively secure computation We also consider the

computational setting where the channels are insecure and the adversary is restricted to

probabilistic p olynomial time PPT Both settings are synchronous Denitions of secure

multiparty computation in other settings can b e formulated using the same metho dology

In particular in Chapter we dene secure multiparty computation in an asynchronous

setting

Let us recall the standard denition of computational indistinguishabi li ty of distribu

tions

Denition Let A fA g and B fB g be two ensembles of probability dis

n nN n nN

tributions We say that A and B are computationally indistinguishable if for every constant

c for every polytime distinguisher D and for al l large enough n

jProbD A ProbD B j

n n

We collo quially say that A and B are computationally indistinguishable or A B

n n n n

Nonadaptively secure computation

We dene nonadaptively secure multiparty computation in the secure channels setting

That is we consider a synchronous network where every two parties are connected via

an absolutely secure communication channel ie the adversary cannot hear nor alter

messages sent b etween uncorrupted parties The adversary is computationally unlimited

We use the standard metho dology presented in Section Recall that executing a proto col

for computing some function is compared to evaluating the function in an ideal mo del

where a trusted party is used We substantiate the denition in three steps First we

give an exact denition of this ideal mo del Next we formulate our high level notion of

reallife proto col execution Finally we describ e and formalize our metho d of comparing

computations

Let f D D b e a function for some domains D and D The parties have inputs

x x x D party P has input x and wish to compute f x x The ideal

n i i n

mo deladversary S has a xed set B of up to t corrupted parties and has the inputs of

the parties in B The computation in the ideal mo del pro ceeds as follows

Input substitution stage The idealmo deladversary S may alter the inputs of the cor

rupted parties however this is done without any knowledge of the inputs of the go o d

parties Let b b e the jB jvector of the altered inputs of the corrupted parties and

let y b e the nvector constructed from the input x by substituting the entries of the

corrupted parties by the corresp onding entries in b

Computation stage The parties hand y to the trusted party party P hands y and

i i

receive f y from the trusted party

Output stage The uncorrupted parties output f y and the corrupted parties output

some arbitrary function computed by the adversary of the information gathered dur

ing the computation in the ideal mo del This information consists only of their inputs

their joint random input and consequently the altered input vector b and the result

ing function value f y We let the nvector ideal x ideal x ideal x

f S f S f S n

denote the outputs of the parties on input x and adversary S party P outputs

ideal x

f S i

In Denitions and we formally dene the output of the parties in the ideal

An immediate interpretation of this mo del is that of a closed system there is a xed number of parties all

of which know each others identity This is a conceptually simple however somewhat limiting interpretation

A more general and realistic interpretation is that of an op en system there is an unbounded number of

parties in the network each with a unique identity The parties need not b e aware of each other apriori

Still only a limited number of parties actually join the computation In most cases a limit on the number

of parties that may join needs to b e known in advance

The distinction b etween these two interpretations of the mo del is merely conceptual and is not reected

in the denitions in any way In particular in b oth cases the number of parties is taken to b e the number

of parties that actually join the computation

A more general formulation allows dierent parties to compute a dierent functions of the input

Sp ecically in this case the range of f is a nfold Cartesian pro duct and the interpretation is that the i

party should get the i comp onent of f x

In the case where each party computes a dierent function of the inputs as discussed in the previous fo otnote the trusted party will hand each party its sp ecied output

Nonadaptively secure computation

mo del These denitions capture the ab ove description and can b e skipp ed in a rst

reading First we need two technical notations

For a vector x x x and a set B n let x denote the vector x pro jected on

n B

the indices in B

For an nvector x x x a set B n and a jB jvector b b b let x

n jB j

B b

denote the vector constructed from vector x by substituting the entries in B by the

corresp onding entries from b

Denition Let S be the domain of possible inputs of the parties and let R be the do

main of possible random inputs A tlimited idealmo deladversary is a triplet S B h O

where

B is the set of corrupted parties

h n S R S is the input substitut ion function

O S R f g is an output function for the bad parties

Denition Let f D D for some domains D and D be the computed function

and let x D be an input vector The output of computing function f in the ideal mo del

with adversary S B h O on input x and random input r is an nvector ideal x

f S

ideal x ideal x of random variables satisfying for every i n

f S f S n

f y if i B

ideal x

f S i

O x f y r if i B

where r is the random input of S and y x is the substituted input vector for

B hB x r

the trusted party

Next we describ e the execution of a proto col in the reallife scenario The parties

engage in a synchronous computation in the secure channels setting running proto col A

computationally unbounded nonadaptive tlimited reallife adversary controls a xed set B

of corrupted parties Once the computation is completed each uncorrupted party outputs

whatever it has computed to b e the function value Without loss of generality we assume

that the corrupted parties output their entire view on the computation The view consists of

all the information gathered by the adversary during the computation Sp ecically the view

includes the inputs and random inputs of the corrupted parties and the communication

seen by the corrupted parties

We use the following notation Let view x r denote the view of the adversary

A when interacting with parties running proto col on input x and random input r x

and r for party P as describ ed ab ove Let view x denote the random variable de

i i A

scribing the distribution of view x r when r is randomly chosen Let exec xr

A A i

denote the output of party P after running proto col on input x x x and ran

i n

dom input r r r and with a real life adversary A Let exec x denote the

n A i

random variable describing exec xr where r is uniformly chosen Let exec x

A i A

exec x exec x We have exec x view xr for corrupted parties

A A n A i A

P i

Nonadaptively secure computation

Finally we require that executing a secure proto col for evaluating a function f b e

equivalent to evaluating f in the ideal mo del in the following sense For any reallife

adversary A there should exist an idealmo del adversary S such that for every input vector

x the output vectors ideal x and exec x are identically distributed

f S A

We require that the complexity of the idealmo del adversary S b e comparable to the

complexity of the reallife adversary A This requirement can b e motivated as follows The

idealmo del adversary is an imaginary concept whose purp ose is to formalize the following

statement whatever the adversary learns from interacting with parties running he

could have also learned in the ideal mo del in roughly the same computational eort If

we do not limit the computational p ower of the idealmo del adversary we end up with a

much weaker notion of security detached from realistic computations We remark that

in the presence of adaptive adversaries b ounding the computational p ower of the ideal

mo del adversary introduces several previously overlooked problems We elab orate on these

problems in Chapter

In the sequel whenever we refer to the secure channels setting we assume that the

complexity of the idealmo del adversary is p olynomial in the complexity of the reallife

adversary We let the unb ounded secure channels setting denote the case where the ideal

mo del adversary is computationally unbounded

Denition Let f D D for some domains D and D and let be a protocol for

n parties We say that nonadaptively tsecurely computes f in unb ounded the secure

channels setting if for any nonadaptive tlimited reallife adversary A there exists a

nonadaptive tlimited idealmodeladversary S whose running time is polynomial in the

running time of A such that for every input vector x

ideal x exec x

f S A

If the running time of S is polynomial in the running time of A then we say that

nonadaptively tsecurely computes f in the b ounded secure channels setting

Remarks

For measuring complexity we assume that the proto col the simulator S and the

adversary A are Turing machines that have n the number of parties as part of their

input We measure the complexity of S and A with resp ect to n The function f

is now a family of functions where a function corresp onds to each value of n

We stress that the two whole output nvectors must b e identically distributed Some

previous denitions of secure computation eg GMW partitioned the Security

requirement into two separate requirements a the output of the corrupted parties

b e equal in b oth scenarios and b the output of the uncorrupted parties b e equal

in b oth scenarios However as p ointed out in MR requiring a and b do es not guarantee secure computation

Semihonest parties

We dene semihonest parties or equivalently semihonest proto cols We consider three

alternative notions of semihonesty First we take a minimalist approach in which semi

honest parties deviate from the proto col only by not erasing old data We call such parties

honestbutn onerasin g or in short nonerasing More precisely say that a memory tap e is

writeonce if it consists of memory lo cations that can b e mo died only once from their

initial default contents Non erasing proto cols are dened as follows

Denition Let and be nparty protocols We say that is a nonerasing protocol

for if is identical to with the exception that in addition to the instructions of

protocol copies the contents of each memory location accessed by to a special write once

memory tape

Alternatively one may consider semihonest parties that execute some arbitrary proto col

other than the sp ecied one with the only restriction that no external test representing the

combination of all other parties can distinguish b etween such a b ehaviour and a truly honest

b ehaviour We call such parties honestlo oking We consider two variants of honestlo oking

parties In the secure channels setting the external distinguishing test is computationally

unbounded In the computational setting the external distinguishing test is computationally

b ounded More formally let com x r denote the communication among n parties running

on input x and random input r x and r for party P Let com x denote the random

i i i

variable describing com xr when r is uniformly chosen For nparty proto cols and

and an index i n let denote the proto col where party P executes and all the

i i

other parties execute

Denition Let and be nparty protocols We say that is a p erfectly honest

lo oking protocol for if for any input x for any nparty test protocol and for any

index i n

x com x com

(i )

If the test protocol is restricted to probabilistic polynomial time and com x

(i )

x then we say that is a computationally honestlo oking protocol for com

(i )

We stress that here the test proto col represents a collab oration of all parties for testing

whether P is honest

Remark Note that b oth the p erfect and the computational variants of honestlo oking

parties can do other harmful things on top of not erasing data For instance assume that

some oneway p ermutation f dened on some domain D is known to all parties When

instructed to choose a value x at random from D an honestlo oking party can instead

choose y at random from D and let x f y Thus the party cannot b e trusted to not

know f x Also let f f b e a clawfree pair of p ermutations over D Then when

instructed to choose a random input r D for use in its proto col the party can on input

f g use f r for random input instead of r This particular example is very

disturbing as will b ecome clear in the Chapter

Adaptively secure computation in the secure channels setting

An even more p ermissive approach allows a semihonest party to deviate arbitrarily

from the proto col as long as his b ehaviour app ears honest to parties executing the protocol

We stress that other external tests not sp ecied in the proto col may b e able to detect

such a party as cheating We call such semihonest parties weaklyhonest More precisely

here we require that Denition is satised only with resp ect to the original proto col

rather than with resp ect to any test proto col

Denition Let and be nparty protocols We say that is an p erfectly weakly

honest protocol for if for any input x and for any index i n

com x com x

If is restricted to probabilistic polynomial time and if com x com x then

we say that is a computationally weaklyhonest protocol for

The choice of these particular notions of semihonest parties can b e motivated as follows

Nonerasing b ehaviour is a very simple deviation from the proto col that is very hard to

prevent Even if the proto col say given to parties as a piece of software is protected

against mo dications it is always p ossible to add an external device that copies all memory

lo cations accessed by the proto col to a safe memory where the data is kept Such an

external device requires no understanding in the internal structure or in the b ehaviour

of the proto col Honestlo oking parties represent sophisticated parties that internally

deviate from the proto col in an arbitrary way but are willing to take no chance that they

will ever b e uncovered say by an unexp ected audit Weaklyhonest parties represent the

most general internal deviation from the proto col that may remain undetected by other

parties running the proto col

Adaptively secure computation in the secure channels

setting

We dene adaptively secure multiparty computation in the the secure channels setting

We use the same ideal mo del metho dology as in Section with resp ect to adaptive

adversaries Here however we require that the computation b e secure even if the parties

run any semihonest proto col for a given proto col

We start by redening how a function is evaluated in the ideal mo del Let f D D

b e a function for some domains D and D The parties have inputs x x x D

party P has input x and wish to compute f x x The idealmo deladversary S has

i i n

no initial input and is parameterized by t the maximum number of parties it may corrupt

In the sequel we limit the computational p ower of the adversary The dierence from the

nonadaptive idealmo del adversary Section are the two extra adaptive corruption

stages

First corruption stage First S pro ceeds in up to t iterations In each iteration S may

decide to corrupt some party based on S s random input and the information gathered

so far Once a party is corrupted its internal data that is its input and random

input b ecome known to S A corrupted party remains corrupted for the rest of the

computation Let B denote the set of corrupted parties at the end of this stage

Adaptively secure computation in the secure channels setting

Input substitution stage S may alter the inputs of the corrupted parties however

this is done without any knowledge of the inputs of the go o d parties Let b b e the

jB jvector of the altered inputs of the corrupted parties and let y b e the nvector

constructed from the input x by substituting the entries of the corrupted parties by

the corresp onding entries in b

Computation stage The parties hand y to the trusted party party P hands y and

i i

receive f y from the trusted party

Second corruption stage Now that the output of the computation is known S pro ceeds

in another sequence of up to t jB j iterations where in each iteration S may decide

to corrupt some additional party based on S s random input and the information

gathered so far this information now includes the value received from the trusted

party We stress that S may corrupt at most t parties in the entire computation

Output stage The uncorrupted parties output f y and the corrupted parties output

some arbitrary function computed by the adversary of the information gathered dur

ing the computation in the ideal mo del This information consists only of their inputs

their joint random input and consequently the altered input vector b and the result

ing function value f y We let the nvector ideal x ideal x ideal x

f S f S f S n

denote the outputs of the parties on input x and adversary S party P outputs

ideal x

f S i

In Denitions through we formally dene the output of the parties in the ideal

mo del These denitions capture the ab ove description and can b e skipp ed in a rst

reading We use the notations x and x as in Section

B b

Denition Let D be the domain of possible inputs of the parties and let R be the

domain of possible random inputs A tlimited idealmo deladversary is a quadruple S

t b h O where

t is the maximum number of corrupted parties

b n D R n fg is the selection function for corrupting parties the value

is interpreted as no more parties to corrupt at this stage

h n D R D is the input substitution function

O D R f g is an output function for the bad parties

The sets of corrupted parties are now dened as follows

Denition Let D be the domain of possible inputs of the parties and let S t b h O

be a tlimited idealmodeladversary Let x D be an input vector and let r R be a

random input for S The ith set of corrupted parties in the ideal model B xr is dened

as fol lows

B xr

Adaptively secure computation in the secure channels setting

Let b bB x r x (i) r For i t and as long as b let

i i

B xr

i i

B x r B xr fb g

(i)

Let i be the minimum between t and the rst i such that b Let b bB xr x f y r

B xr

where y is the substituted input vector for the trusted party

That is y x (i ) (i )

B xr hB xr x r

(i )

B (xr )

For i i t let

i i

B xr B x r b

i i

In Denition we use B instead of B x r

Denition Let f D D for some domains D and D be the computed function

and let x D be an input vector The output of computing function f in the ideal mo del with

adversary S t b h O on input x and random input r is an nvector ideal x

f S

ideal x ideal x of random variables satisfying for every i n

f S f S n

f y if i B

ideal x

f S i

O x (t) f y r if i B

t th

where B is the t set of corrupted parties r is the random input of S and y x (t) (t)

B hB x r

(t)

is the substituted input vector for the trusted party

Next we describ e the execution of a proto col in an adaptive reallife scenario The

parties engage in a synchronous computation in the secure channels setting running some

semihonest proto col for according to any one of the notions of semihonesty dened

ab ove A computationally unbounded adaptive tlimited reallife adversary may choose

to corrupt parties at any p oint during the computation based on the information known

to the previously corrupted parties and as long as at most t parties are corrupted alto

gether Once a party is corrupted the current contents of its memory as determined by the

semihonest proto col b ecomes available to the adversary From this p oint on the cor

rupted party follows the instructions of the adversary Once the computation is completed

each uncorrupted party outputs whatever it has computed to b e the function value Also

here we assume that the corrupted parties output their entire view on the computation

The view consists of all the information gathered by the adversary during the computa

tion Sp ecically the view includes the inputs and random inputs of the corrupted parties

the communication seen by the corrupted parties and the internal data of parties up on

corruption

We let view x and exec xr have an analogous meaning to Section in the

A A

presence of adaptive adversaries

Denition Let f D D for some domains D and D and let be a protocol for

n parties We say that tsecurely computes f in the unb ounded secure channels setting if

for any semihonest protocol for according to any of the Denitions through

and for any tlimited reallife adversary A there exists a tlimited idealmodeladversary S

Adaptively secure computation in the secure channels setting

whose running time is polynomial in the running time of A such that for every input vector

ideal x exec x

f S A

If the running time of S is polynomial in the running time of A then we say that

tsecurely computes f in the b ounded secure channels setting

Blackbox simulation In the sequel we use a more restricted notion of equivalence

of computations where the idealmo del adversary is limited to blackbox simulation of

the reallife setting That is for any semihonest proto col for there should exist a

idealmo del adversary S with oracle or blackbox access to a reallife adversary This

blackbox represents the inputoutput relations of the reallife adversary describ ed ab ove

For concreteness we present the following description of the mechanics of this blackbox

representing a reallife adversary The blackbox has a random tap e where the blackbox

exp ects to nd its random input and an inputoutpu t tap e Once a sp ecial start input is

given on the inputoutput tap e the interaction on this tap e pro ceeds in iterations as follows

Initially no party is corrupted In each iteration l rst the blackbox exp ects to receive

the information gathered in the l th round In the secure channels setting this information

consists of the messages sent by the uncorrupted parties to the corrupted parties Next

blackbox outputs the messages to b e sent by the corrupted parties in the l th round Next

the blackbox may issue several corrupt P requests Such a request should b e answered

by the internal data of P according to proto col Also from this p oint on P is corrupted

i i

At the end of the interaction the output of the reallife adversary is dened as the contents of

the random tap e succeeded by the history of the contents of the inputoutput tap e during

the entire interaction We let S denote the idealmo del adversary S with blackbox access

to a reallife adversary A

The simulator is restricted to probabilistic p olynomial time where each invocation of

the blackbox is counted as one op eration Furthermore we limit the op eration of the

simulator as follows We require that the start message is sent only once and that no

party is corrupted in the ideal mo del unless a request to corrupt this party is issued by the

blackbox

If Denition is satised by an idealmo del adversary limited to blackbox simulation

as describ ed ab ove then we say that tsecurely computes f in a simulatable way In this

case we call the idealmo del adversary a blackb ox simulator or in short a simulator

We remark that the only purp ose of the technical restrictions imp osed on the op eration

of the simulator is to facilitate proving comp osition theorems such as Theorem In

particular blackbox simulation is the only pro of metho d currently known in the context

of secure multiparty computation The BGW proto cols for computing any function can

b e proven secure in the presence of nonerasing parties using blackbox simulators in

probabilistic p olynomial time

For simplicity we assume that the computed function is p olynomial l y computable Alternatively the

simulator is p olynomial in the complexity of the function

Adaptively secure computation in the computational setting

Adaptively secure computation in the computational set

ting

We dene adaptively secure multiparty computation in the computational setting That is

we consider a synchronous network where the channels are insecure the adversary sees all

messages sent on all channels For simplicity we assume that the channels are authenticated

namely the adversary cannot alter the communication Authenticity can b e achieved via

standard primitives All parties as well as the adversary are restricted to probabilistic

p olynomial time Furthermore we introduce a security parameter determining how close a

reallife computation is to a computation in the ideal mo del All parties are p olynomial also

in the security parameter For simplicity of presentation we identify the security parameter

with n the number of parties

The framework of dening adaptively secure multiparty computation in this setting is

the same as in the secure channels setting Section That is we compare the real life

computation with a computation in the same ideal mo del with the exception that here

we restrict the idealmo del adversary to probabilistic p olynomial time The execution of

a proto col in the reallife scenario as well as the notations exec x and view x

A A

are also the same as in the secure channels setting with the exceptions that the reallife

adversary is p olynomially b ounded and sees all the communication b etween the uncorrupted

parties

We dene equivalence of a reallife computation to an idealmo del computation as in the

secure channel setting with the exception that here we use computational indistinguisha

bility as our notion of similarity of distributions Blackbox simulation is dened as in the

secure channels setting with the exception that the information gathered by the adversary

in each rounds includes the communication b etween all parties

Denition Let f D D for some domains D and D and let be a protocol

for n parties We say that tsecurely computes f in the computational scenario if for

any semihonest protocol for according to any of the Denitions through

and for any tlimited reallife adversary A there exists a polynomially bounded tlimited

idealmodeladversary S such that for every input vector x

ideal x exec x

f S A

If S is restricted to blackbox simulation of reallife adversaries then we say that t

simulatably computes f in the computational scenario

Remark Our convention that the reallife adversary outputs its entire view is imp ortant

for clarifying how the following diculty p ointed out in MR is settled Assume that the

corrupted parties do not output their inputs and random inputs and that the function

f to b e computed is pseudorandom Then an insecure proto col that allows a uniformly

distributed output vector exec x regardless of the parties inputs could b e considered

For simplicity we assume that the computed function is p olynomial ly computable Alternatively all par

ties as well as the reallife adversary and the idealmo deladversary should b e p olynomial in the complexity of the function

Adaptively secure computation in the computational setting

secure since it generates outputs indistinguishable from the parties outputs in the ideal

mo del ie ideal x We stress that no generality is lost by using our convention since

f S

Denition quanties over all reallife adversaries

C h a p t e r

Adaptively secure computation in

the computational setting

We study secure multiparty computation in the presence of adaptive adversaries see Sec

tion for an introductory discussion Although the emphasis of this chapter is on the

computational setting we also sketch the state of aairs in the secure channels setting We

b elieve that understanding adaptively secure computation in the computational setting is

easier if the secure channels setting is rst considered

We rst present in Section an overview of the problems encountered when trying

to prove adaptive security of proto cols rst in the secure channels setting and then in the

computational settings We also sketch our solution for the computational setting Next

in Section we dene a to ol called noncommitting encryption that is central in our

solution for the computational setting In Section we present our construction for the

case of nonerasing parties We rst show how given a noncommitting encryption scheme

any adaptively secure proto col in the secure channels setting can b e transformed into an

adaptively secure proto col in the computational setting Next we describ e our construction

of a noncommitting encryption scheme In Section we suggest a construction for the

case of honestlo oking parties

The problems in proving adaptive security informal pre

sentation

The secure channels setting

The stateoftheart with resp ect to adaptive computation in the secure channels setting can

b e briey summarized as follows Adaptively secure proto cols for computing any function

exist in the presence of nonerasing parties eg BGW CCD However in contrast

with p opular b elief not every nonadaptively secure proto col is also adaptively secure in the

presence of nonerasing parties Furthermore current techniques are insucient for proving

adaptive security of any proto col for computing a nontrivial function in the presence of

honestlo oking parties

The problems in proving adaptive security informal presentation

A standard construction of an idealmo deladversary S op erates via blackbox interac

tion with the reallife adversary A The exact mechanics of the blackbox representing A

are sp ecied in Section More sp ecically let b e a semihonest proto col for S runs

the blackbox representing A on a simulated interaction with a set of parties running S

corrupts in the ideal mo del the same parties that A corrupts in the simulated interaction

and outputs whatever A outputs From the p oint of view of A the interaction simulated by

S should b e distributed identically to an authentic interaction with parties running It is

crucial that S b e able to run a successful simulation based only on the information available

to it in the ideal mo del and in particular without knowing the inputs of uncorrupted parties

We restrict our presentation to this metho dology of proving security of proto cols where S

is restricted to probabilistic p olynomial time We remark that no other pro of metho d is

known in this context In the sequel we often call the idealmo deladversary S a simulator

Following the ab ove metho dology the simulator that we construct has to generate sim

ulated messages from the uncorrupted parties to the corrupted parties In the nonadaptive

case the set of corrupted parties is xed and known to the simulator Thus the simulator

can corrupt these parties in the ideal mo del b efore the simulation starts In the adaptive

case the corrupted parties are chosen by the simulated adversary A as the computation

unfolds Here the simulator corrupts a party in the ideal mo del only when the simulated

adversary decides on corrupting that party Thus the following extra problem is encoun

tered Consider a currently uncorrupted party P Since S do es not know the input of P

it may not know which messages should b e sent by P to the corrupted parties Still S

has to generate some dummy messages to b e sent by the simulated P to corrupted parties

When the simulated adversary A later corrupts P it exp ects to see P s internal data The

simulator should now b e able to present internal data for P that is consistent with P s

newlylearned input and with the messages previously sent by P according to the partic

ular semihonest protocol run by P It turns out that this can b e done for the BGW

proto cols for computing any function in the presence of nonerasing parties Thus the

BGW proto cols are adaptively secure in the presence of nonerasing parties We stress

however that not every proto col which is secure against nonadaptive adversaries is also

secure against adaptive adversaries

In face of honestlo oking parties Even more severe problems are encountered when

honestlo oking parties are allowed as demonstrated by the following example Consider a

proto col that instructs each party on private input to just publicize a uniformly and

indep endently chosen value r in some domain D and terminate Let f f b e a clawfree pair

of p ermutations over D Then on input f g an honestlo oking party can commit

to its input by publicizin g f r instead of publicizi ng r Now if this honestlo oking variant

of is shown secure via an ecient blackbox simulation as describ ed ab ove then the

constructed simulator can b e used to nd claws b etween f and f Similar honestlo oking

proto cols can b e constructed for the BGW CCD proto cols Consequently if clawfree

pairs of p ermutations exist then adaptive security of the BGW CCD proto cols in the

presence of honestlooking parties cannot b e proven via blackbox simulation

See example in the third paragraph of the Introduction

The problems in proving adaptive security informal presentation

Adaptive security in the computational setting

In this subsection we sketch the extra diculty encountered in constructing adaptively se

cure proto cols in the computational setting and outline our solution for nonerasing parties

Consider the following folklore metho dology for constructing secure proto cols in the com

putational setting Start with an adaptively secure proto col resilient against nonerasing

parties in the secure channels setting and construct a proto col by encrypting each message

using a standard encryption scheme We investigate the security of in the computational

setting

Proving that is nonadaptively secure We rst sketch how can b e shown non

adaptively secure in the computational setting assuming that is nonadaptively secure in

the secure channels setting Let S b e the idealmo deladversary simulator asso ciated with

in the secure channels setting We assume that S op erates via blackbox simulation of

the reallife adversary A as describ ed ab ove We wish to construct in the computational

setting a simulator S for The simulator S op erates just like S with the following excep

tion In the computational setting the reallife adversary exp ects to see the ciphertexts sent

b etween uncorrupted parties In the secure channels setting the adversary do es not see the

communication b etween uncorrupted parties Furthermore the reallife adversary exp ects

that the messages sent to corrupted parties b e encrypted S will imitate this situation

as follows First each message sent to a corrupted party will b e appropriately encrypted

Next the simulated uncorrupted parties will exchange dummy ciphertexts These dummy

ciphertexts can b e generated as say encryptions of the value The validity of simulator

S can b e shown to follow in a straightforward way from the validity of S and the security

of the encryption scheme in use

Problems with proving adaptive security When adaptive adversaries are considered

the construction of a simulator S in the computational setting encounters the following

problem which is a more severe version of the problem encountered in the secure channels

setting Consider an uncorrupted party P Since S do es not know the input of P it do es

not know which messages should b e sent by P to other uncorrupted parties Still S has to

generate dummy ciphertexts to b e sent by the simulated P to uncorrupted parties These

dummy ciphertexts are seen by the simulated adaptive adversary When the simulated

adversary later corrupts P it exp ects to see all of P s internal data as sp ecied by the semi

honest protocol Certainly this data may include the cleartexts of all the ciphertexts sent

and received by P in the past including the random bits used for encryption and decryption

resp ectively Thus it may b e the case that some sp ecic dummy ciphertext c was generated

as an encryption of and the simulated P now needs to convince the adversary that c is

in fact an encryption of or vice versa This task is imp ossible if a standard encryption

scheme ie an encryption scheme where no ciphertext can b e a legal encryption of b oth

and is used

There is also the easier problem of generating the messages sent by P to corrupted parties This was

the problem discussed in the previous subsection However our hypothesis that S is a simulator for the

secure channel mo del means that S is able to generate these cleartext messages Thus all that S needs to

do is encrypt the messages it has obtained from S

The problems in proving adaptive security informal presentation

We remark that Beaver and Hab er BH have suggested to solve this problem as follows

Instruct each party to erase say at the end of each round all the information involved

with encrypting and decrypting of messages If the parties indeed erase this data then the

adversary will no longer see up on corrupting a party how past messages were encrypted

and decrypted Thus the problem of convincing the adversary in the authenticity of past

ciphertexts no longer exists Consequently such erasing proto cols can b e shown adap

tively secure in the computational setting However this approach is clearly not valid in the

presence of semihonest parties In particular it is not known whether the BH proto cols

or any other previous proto cols are secure in the presence of nonerasing parties

Sketch of our solution We solve this problem by constructing in the multiparty com

putational setting an encryption proto col that serves as an alternative to standard en

cryption schemes and enjoys an additional prop erty roughly describ ed as follows The

additional prop erty is that one can eciently generate dummy ciphertexts that can later

b e op ened as encryptions of either or at wish Here the word ciphertext is used

to denote all the information seen by the adversary during the execution of the proto col

These dummy ciphertexts are dierent and yet computationally indistinguishable from the

valid encryptions of or pro duced in a real communication We call such encryption

proto cols noncommitting

Let E resp E denote the distribution of encryptions of the value resp in

a publickey encryption scheme For simplicity supp ose that each of these distributions is

generated by applying an ecient deterministic algorithm denoted A resp A to a

uniformly selected nbit string In a traditional encryption scheme with no decryption

errors the supp orts of E and E are disjoint alas E and E are computationally

indistinguishabl e In a noncommitting encryption scheme the supp orts of E and E

are not disjoint but the probability that an encryption of either or resides in their

intersection denoted I is negligible Thus decryption errors o ccur only with negligible

amb

probability However it is p ossible to eciently generate a distribution E which assumes

values in I so that this distribution is computational indistinguishable from b oth E and

E Furthermore each ambiguous ciphertext c I is generated together with two

random lo oking nbit strings denoted r and r so that A r A r c That is

the string r resp r may serve as a witness to the claim that c is an encryption of

resp

Using a noncommitting encryption proto col we resolve the simulation problems which

were describ ed ab ove Firstly when transforming into we replace every bit transmission

of by an invocation of the noncommitting encryption proto col This allows us to generate

dummy ciphertexts for messages sent b etween uncorrupted parties so that at a later stage

we can substantiate for each such ciphertext b oth the claim that it is an encryption of and

the claim that it is an encryption of We stress that although dummy ciphertexts app ear

This noncommitting prop erty is reminiscent of the Chameleon blobs of Br Those are commitment

schemes where the recipient of a commitment c can generate by himself decommitments of c to b oth and

Here we consider encryption schemes where an adversary can generate by himself ciphertexts which can

b e op ened b oth as encryptions of and as encryptions of

This is an over simplicatio n Actually each of these algorithms is also given an nbit encryption key

Consequently it must b e that E and E are computationall y indistingui sha bl e Thus a non committing encryption scheme is also a secure encryption scheme in the traditional sense

Dening noncommitting encryption

with negligible probability in a real execution they are computationally indistinguishabl e

from a uniformly generated encryption of either or Thus using a noncommitting

encryption proto col we construct adaptively secure protocols for computing any recursive

function in the computational model in the presence of nonerasing parties Finally we

construct a noncommitting encryption proto col based on the intractability of inverting the

RSA or more generally based on the existence of commondomain trap do or systems see

Denition Thus we get

Theorem If commondomain trapdoor systems exist then there exist secure protocols

for computing any recursive function in the computational setting in the presence of non

erasing parties and adaptive adversaries that corrupt less than a third of the parties

We remark that using standard constructs eg RB our proto cols can b e mo died to

withstand adversaries that corrupt less than half of the parties

Dealing with honestlo oking parties We also sketch a solution for the case of honest

lo oking parties assuming in addition to the ab ove also the existence of a trusted dealer

at a precomputation stage The dealer hands each party P a truly random string r to

b e used as random input Next the dealer hands the other parties shares of r so that a

coalition of all parties other than P can reconstruct r These shares enable us to force

each party to send messages according to the sp ecication of the proto col We stress that

this result do es not hold if an initial trusted setup is not allowed

Dening noncommitting encryption

We present a concise denition of a noncommitting encryption proto col in our multiparty

n n

scenario First dene the bit transmission function btr f g f g This

function is parameterized by two identities of parties ie indices s r n with the

following interpretation btr describ es the secure transmission of a bit from party P

sr s

the sender to party P the receiver That is for x x x f g let

r n

x if i r

btr x

sr i

otherwise

where btr x is the i comp onent of the vector btr x We are interested in input

sr i sr

vectors x where x ie the senders input is in f g All other inputs are assumed to b e

Denition Let s r n and s r A protocol is a tresilient in the presence of

T semihonest parties and adaptive adversaries noncommitting encryption protocol from

P to P if tsecurely computes btr in a simulatable way in the computational model

s r sr

in the presence T semihonest parties and an adaptive adversary

It may not b e immediately evident how Denition corresp onds to the informal de

scription of noncommitting encryptions presented in Section A closer lo ok how ever will show that the requirements from the simulator asso ciated with a noncommitting

A solution for nonerasing parties

encryption proto col according to Denition imply these informal descriptions In par

ticular in the case where the simulated adversary corrupts the sender and receiver only

after the last communication round the simulator has to rst generate some simulated

communication b etween the parties without knowing the transmitted bit This communi

cation serves as the dummy ciphertext When the sender andor the receiver are later

corrupted the simulator has to generate internal data that corresp ond to any value of the

transmitted bit

A solution for nonerasing parties

We show that any function can b e securely computed in the computational setting in

the presence of adaptive adversaries and nonerasing parties In Subsection we show

how using a noncommitting encryption proto col a simulatable proto col for computing

some function f in the computational setting can b e constructed from any simulatable

proto col for computing f in the secure channels setting In Subsection we present

our construction of noncommitting encryption We use the following result attributed to

BGW CCD as our starting p oint

Theorem The BGW CCD protocols for computing any function of n inputs are

e securely computable in a simulatable way in the secure channels setting in the d

presence of nonerasing parties and adaptive adversaries

Adaptively secure computation given noncommitting encryption

Theorem Let f be an nary function t n and be a protocol that tsecurely com

putes f in a simulatable way in the secure channels setting in the presence of nonerasing

parties and adaptive adversaries Suppose that is a tresilient noncommitting encryp

tion protocol resilient to nonerasing parties and adaptive adversaries for transmission

from P to P Let be the protocol constructed from as fol lows For each bit trans

s r

mitted by from party P to party P protocol invokes a copy of a for transmitting

s r sr

Then tsecurely computes f in a simulatable way in the computational setting in the

presence of nonerasing parties and adaptive adversaries

Pro of sketch Let b e a nonerasing proto col for and let S b e a simulator for

in the secure channels setting For simplicity we assume that in proto col as well as in

the interaction generated by S each party sends on bit to each other party in each round

Let b e the computationalmo del simulator that corresp onds to the nonerasing proto col

for the noncommitting encryption proto col Given these two dierent simulators we

construct a simulator S for proto col in the computational setting The simulator S will

b e a mo dication of S and will use several copies of as subroutines

Recall that S is supp osed to interact with a blackbox representing a reallife adversary

in the secure channels setting That is at each round S generates all the messages sent from

uncorrupted parties to corrupted parties Furthermore whenever the blackbox decides to

A pro of of this result can b e extracted from Chapter which deals with the more involved asynchronous mo del

A solution for nonerasing parties

corrupt some party P machine S generates internal data for P which is consistent with P s

input and with the messages previously sent by P to corrupted parties

The simulator S interacts with a black b ox representing an arbitrary reallife adversary

in the computational setting denoted A The simulator S is identical to S with the exception

that for each bit sent in the interaction simulated by S the simulator S invokes a copy of

and S incorp orates the outputs of the various copies of in its ie S s communication

with A Likewise S extracts the transmitted bits from the invocations of corresp onding

to message transmissions from corrupted parties to uncoruppted ones The way S handles

these invocation will b e discussed b elow At this p oint we stress that A is the only adversary

that S needs to simulate and to this end it emulates reallife adversaries of its choice for

the copies of In particular when S asks to corrupt some party P the simulator S

corrupts the same party P When S generates P s view in the secure channel setting S will

complete this view into P s view in the computational setting by using the various copies of

S handles the various copies of As stated ab ove S emulates a We describ e how

reallife adversary for each copy of using the communication tap es by which this copy

is supp osed to interact with its blackboxadversary The information that exp ects to

receive form its black b ox is extracted in the obvious manner from the information that

S receives from A That is S hands the messages sent by the corrupted parties that

are relevant to the corresp onding invocation of Furthermore all the past and current

requests for corrupting parties issued by A are handed over to The partial view received

from each copy of is used in the emulation of the corresp onding blackbox of this copy

as well as incorp orated in the information handed by S to A When A asks to corrupt some

party P the simulator S emulates a corrupt P request to each copy of and obtains the

internal data of P in the corresp onding subproto col which it ie S hands to A along

with the information obtained by S the secure channel simulator Finally observe that

where P and P are the designated sender and receiver also exp ects to interact

sr s r

with parties in the idealmo del This interaction consists of issuing corrupt requests and

obtaining the internal data of the ideal mo del This interaction is also emulated by S as

follows Whenever wishes to corrupt a party P which is either P or P the simulator S

s r

nds out which bit was supp osed to b e sent in this invocation of and passes to

We stress that is available to S since at this p oint in time P has already b een corrupted

S which mimics S has already obtained P s view in the secure channel and furthermore

setting Here we use Denitions and which guarantee that corrupts a party only

if this party is already corrupted by s black b ox We also use the fact that S is playing

s black b ox and is issuing a corrupt P request only after receiving such a request from

A and having simulated this corruption as S In case P is neither P not P the simulator

s r

S passes as P s input to

Let b e a nonerasing proto col for and A b e as ab ove ie an arbitrary reallife

adversary in the computational setting We claim that S ie the idealmo del adversary

S with blackbox access to A prop erly simulates the execution of We need to show that

for any adversary A and for any input x we have

ideal x exec x

f S

A solution for nonerasing parties

Here we present only a rough sketch of the pro of of this claim The plan is to construct

a reallife adversary A in the secure channels setting and prove the following sequence of

equalities by which the ab ove claim follows

d d

~ A

ideal x ideal x exec x exec x

f S A

Regardless of what A is the second equality follows immediately from the hypothesis that

S is a simulator for the nonerasing proto col for in the secure channels setting It

remains to construct A so that the other two equalities hold

The reallife adversary A of the secure channel setting will op erate via a simulation of A

the reallife adversary of the computational setting imitating the simulation carried out

by S That is for each bit communicated by machine A will invoke a copy of while

emulating an adversary in accordance with A In particular A will b e given all ciphertexts

sent in the op en as well as all internal data of corrupted parties regardless if these parties

were corrupted b efore during or after the real transmission Furthermore when A cor

rupts a party P machine A corrupts P and hands A the internal data of P along with the

outputs of the relevant copies just as S do es At the end of the computation A outputs

whatever A outputs that is A outputs As view of the computation It follows from the

denition of A that the execution of S with blackbox access to A is in fact identical to

~ A

the execution of S with blackbox access to A Thus ideal x ideal x which

f S

establishes the rst equality in Eq

It remains to show that exec x exec x Essentially the dierence b etween

these two executions is that exec x is a reallife execution in the secure channel set

ting which is augmented by invocations of p erformed by A whereas exec x is a

reallife execution in the computational setting in which honest parties use the encryption

proto col However the security of means that invocations of are indistinguishabl e

from executions by b oth in presence of adaptive adversaries Using induction on the

number of rounds one thus establishes the last equality of Eq 2

Constructing noncommitting encryption

Before describing our noncommitting encryption proto col let us note that onetimepad is

a valid noncommitting encryption proto col The drawback of this trivial solution is that

it requires an initial setup in which each pair of parties share a random string of length at

least the number of bits they need to exchange Such an initial setup is not desirable in

practice and do es not resolve the theoretically imp ortant problem of dealing with a setting

in which no secret information is shared apriori

Our scheme uses a collection of trap do or p ermutations together with a corresp onding

hardcore predicate BM Y GrL Actually we need a collection of trap do or p ermutation

with the additional prop erty that they are many p ermutations over the same domain

Assume that each pair of parties share a suciently long secret random string and each message is

encrypted by bitwise xoring it with a new segment of the shared random string Then Denition is

satised in a straightforward way Sp ecicall y the simulated message from the sender to the receiver ie

the dummy ciphertext denoted c can b e uniformly chosen in f g When either the sender or the receiver

are corrupted and the simulator has to demonstrate that c is an encryption of a bit the simulator claims

that the corresp onding shared random bit was r c Clearly r is uniformly distributed regardless of

the value of

A solution for nonerasing parties

Furthermore we assume that given a p ermutation f over a domain D but not f s trap do or

one can eciently generate at random another p ermutation f over D together with the

trap do or of f Such a collection is called a commondomain trap do or system

Denition A commondomain trap do or system is an innite set of nite permutations

ff D D g where P f g f g so that

a P

domain selection There exists a probabilistic polynomialtime algorithm G so that on

n n

input algorithm G outputs a description f g of domain D

function selection There exists a probabilistic polynomialtime algorithm G so that on

input algorithm G outputs a pair t so that P is a description

of a permutation over D and t is the corresponding trapdoor

domain sampling There exists a probabilistic polynomialtime algorithm S that on

input uniformly selects an element of D

function evaluation There exists a polynomialtime algorithm F that on inputs

P and x D returns f x

function inversion There exists a polynomialtime algorithm I that on inputs t

and y D where P returns f y

onewayness For any probabilistic polynomialtime algorithm A the probability that

on input P and y f x algorithm A outputs x is negligible in n where

the probability distribution is over the random choices of G G

x S and the coin tosses of algorithm A

Remarks

The standard denition of trap do or p ermutations can b e derived from the ab ove

by replacing the two selection algorithms G and G by a single algorithm G that

on input generates a pair t so that sp ecies a domain D as well as a

p ermutation f over this domain and t is f s trap do or Thus the standard

denition do es not guarantee any structural resemblance among domains of dierent

p ermutations Furthermore it do es not allow to generate a new p ermutation with

corresp onding trap do or for a given domain or given p ermutation Nevertheless some

p opular trap do or p ermutations can b e formulated in a way which essentially meets

the requirements of a commondomain trap do or system

Commondomain trap do or systems can b e constructed based on an arbitrary family

of trap do or p ermutations ff D D g with the extra prop erty that the domain of

n n

any p ermutation generated on input has nonnegligible density inside f g ie

j j

We construct a commondomain family where the domain is jD j

p oly j j

f g and the p ermutations are natural extensions of the given p ermutations That

n n n n

is we let G G G and extend f into g so that g x f x

if x D and g x x otherwise This yields a collection of commondomain

j j j j

p ermutations fg f g f g g which are weakly oneway Employing am

plication techniques eg Y GILVZ we obtain a prop er commondomain system

A solution for nonerasing parties

In the sequel we refer to commondomain trap do or systems in a less formal way We

say that two oneway p ermutations f and f are a pair if they are b oth p ermutations over

a b

the same domain ie a and b where the domain is D We asso ciate

the p ermutations with their descriptions and the corresp onding inverse p ermutations with

their trap do ors Finally as stated ab ove we augment any commondomain trap do or

system with a hardcore predicate denoted B That is B is p olynomialtime computable

but given f and f x is it infeasible to predict B x with nonnegligible advantage over

a a

Outline of our scheme The scheme consists of two stages In the rst stage called the

key generation stage the parties arrive at a situation where the sender has two trap do or

p ermutations f f of a commondomain system the trap do or of only one of which is

a b

known to the receiver Furthermore the simulator will b e able to generate in a simulated

execution of the proto col two trap do or p ermutations with the same distribution as in a real

execution and such that the trap do ors of b oth p ermutations are known The simulator

will later op en dummy ciphertexts as either or by claiming that the decryption key

held by the receiver is either f or f The corresp ondence b etween f g and fa bg

will b e chosen at random by the simulator and never revealed The key generation stage

is indep endent of the bit to b e transmitted and can b e p erformed b efore this bit is even

determined

Our most general implementation of this stage based on any commondomain system

requires participation of all parties It is describ ed in Section In the implementations

based on the RSA and DH assumptions see Section the keygeneration stage consists

of only one message sent from the receiver to the sender

The second stage in which the actual transmission takes place consists of only one

message sent from the sender to the receiver This stage consists of encryption and decryption

algorithms invoked by the sender and the receiver resp ectively

We rst present in Section the encryption and decryption algorithms as well

as observations that will b e instrumental for the simulation In Section we present

the key generation proto col A reader that is satised with a construction based on sp e

cic number theoretic assumptions may for simplicity skip Section and read Section

instead Finally we show that these together constitute the desired noncommitting

encryption proto col

Encryption and decryption

Let f and f b e two randomly selected p ermutations over the domain D and let B b e a

a b

hardcore predicate asso ciated with them The scheme uses a security parameter k which

can b e thought to equal log jD j

Encryption to encrypt a bit f g with encryption key f f the sender pro ceeds

a b

as follows First it chooses x x at random from D so that B x for i k

k i

and B x otherwise ie for i k k For each x it computes y f x

i i i a i

These x s and y s are asso ciated with f or with a Next it rep eats the pro cess with

i i a

resp ect to f That is x x are chosen at random from D so that B x for

b k k i

i k k and B x otherwise and y f x for i k k The

i i b i

A solution for nonerasing parties

latter x s and y s are asso ciated with f or with b Finally the sender applies a random

i i b

reordering ie p ermutation k k to y y and send the resulting vector

y y to the receiver

Decryption up on receiving the ciphertext y y when having private key f

where r fa bg the receiver computes B f y B f y and outputs the

r r

ma jority value among these bits

Correctness of decryption Let us rst state a simple technical claim

Claim For al l but a negligible fraction of the s and al l but a negligible fraction of

permutation pairs f and f over D

a b

f x B x jProbB f j is negligible

where the probability is taken uniformly over the choices of x D

Pro of Assume for contradiction that the claim do es not hold Then without loss of

generality there exists a p ositive p olynomial p so that for innitely many ns we have

Prob jfy D B f y B f y gj jD j

b a

pn pn

when f and f are indep endently generated from G This means that for these

a b

a bs B f y gives a nontrivial prediction for B f y Intuitively this cannot b e

a b

the case and indeed this lead to contradiction as follows

Given a P and y D we may predict B f y as follows First we

randomly generate a new p ermutation f over D together with its trap do or Next

we test to see if indeed B f z is correlated with B f z The testing is done by

a b

uniformly selecting p olynomially many x s in D computing z f x and comparing

i i a i

z If a nonnegligible correlation is detected then we z B x with B f B f

i i i

b a

output B f y as our prediction for B f y Otherwise we output a uniformly

b a

j must b e negligible otherwise a constant selected bit Note that jProbB x

function contradicts the hardcore hypothesis 2

From this p oint on we assume that the pair f f satises Eq

a b

Lemma Let y y y be a random encryption of a bit Then with probability

the bit decrypted from y is

Pro of Assume without loss of generality that the private key is f Then the receiver

outputs the ma jority value of the bits B f y B f y Recall that k of the

a a

y s are asso ciated with f Out of them k of the y s satisfy B f y B x

i a i i i

and k satisfy B f y B x Thus the receiver outputs only if at least

i i

k out of the rest of the y s that is the y s asso ciated with f satisfy B f y

i i b i

j is negligible for each y asso ciated However Eq implies that jProbB f y

i i

with f Thus only an exp ected k of the y s asso ciated with f satisfy B f y

b i b i

Using a large deviation b ound it follows that decryption errors o ccur with probability

A solution for nonerasing parties

Simulation assuming knowledge of b oth trap do ors In Lemma b elow we show

how the simulator knowing the trap do ors of b oth f and f can generate dummy cipher

a b

texts z z z that can b e later op ened as encryptions of b oth and Essentially

z for each z are carefully chosen so that this cheating the values B f z and B f

i i i

b a

is p ossible We use the following notations Fix an encryption key f f Let the random

a b

variable x y r f describ e a legal encryption and decryption process of the bit

That is

x x x is a vector of domain elements chosen at random as sp ecied in the

encryption algorithm

is a random p ermutation on k

y y y is generated from x and as sp ecied in the encryption algorithm

r is uniformly chosen in fa bg and f is the inverse of f Note that the decrypted

bit is dened by the ma jority of the bits B f y

We remark that the information seen by the adversary after the sender and receiver are

corrupted includes either or but not b oth

Let us rst prove a simple technical claim that will help us in proving Lemma Let

bin denote the binomial distribution over m

Claim There exists an eciently samplable distribution over f k g so that the

distribution constructed by sampling an integer from and adding k is statistically close

to bin That is the statistical distance between and bin is

k k

Pro of Let bin i denote the probability of i under bin ie bin i We

k k k

construct the distribution over f k g so that Prob i bin i k for i

n and Prob equals the remaining mass of bin ie it equals bin i

k k

bin i

It can b e easily seen that each i fk kg o ccurs under with exactly the same

probability as under bin Integers i such that i k or i k have probability under

whereas k is more likely to o ccur under than under bin Thus the statistical

distance b etween and bin equals the probability under bin that i is smaller than k

k k

or larger than k This probability is b ounded by 2

Lemma Let f f be the public key and assume that both f and f are known

a b

Then it is possible to eciently generate z x x r r such that

x z r f

(0)

x z r f

(1)

Here stands for computationally indistinguishable We stress that the same dummy

ciphertext z app ears in b oth and

Pro of Before describing how the dummy ciphertext z and the rest of the data are con

structed we summarize in Figure the distribution of the hardcore bits B f Y bF y

a a

and

B f y B f y with resp ect to a real encryption y y of the bit

k k

b b

Here bin denotes the distribution of the number of s in B f y for

k i b

A solution for nonerasing parties

I f k g I fk kg

i I y f x y f x

i a i i b i

bin B f y k

k i

iI a

k B f y bin

i k

iI b

Figure The distribution of the B f y s with resp ect to where s fa bg The

case of is similar with the exception that k is replaced for k

i k Eq implies that the statistical dierence b etween bin and bin is

k k

negligible The distribution of B f y for i k k is similar Given only or

only only threequarters of the B f y s i k and s fa bg are known Sp ecif

ically consider x y r f and supp ose that r a Then all the B f y s

r a

y B x is can b e computed using f In addition for i k k B f

i i

b a

known to o However for i k B f y B f f x is not known and in fact it is

i a i

b b

computationally unpredictable from A similar analysis holds for r b in this case

f x for i k k y B f the unpredictable bits are B f

b i i

a a

Initial construction and conditions Keeping the structure of in mind we con

struct z along with x x r and r as follows First we select uniformly

a bijection of f g to fa bg ie either a and b or the other way around

and set r and r Next we choose in the way describ ed b elow two

binary vectors and We choose random values

k k

v for each i k We uni v and B f v v such that B f

i i k

i i

formly select a p ermutation over k and let the p ermuted vector v v b e

the dummy ciphertext z z z It remains to determine and which in turn

determine x and x so that x f z ( ) 1 for i k and x f z ( )

i i

a b

otherwise This should b e done so that b oth p ermutations and are uniformly but

y not necessarily indep endently distributed and so that the known B f s match the

distribution seen in a legitimate encryption of We stress that x z r f

( )

should app ear as a valid encryption of In particular for each f g there should

exist a p ermutation over k so that

B f v ( ) B f z ( ) B x for i k

( )

i i

a a

Eg if a this means

( )

B f v ( ) B f for i k k z ( ) B x

( )

i i

a a

Eg if a this means

( )

In each of the following ve conditions the rst equality is by the construction of the v s the second

equality is by the denition of the z s and the third equality represents the relation b etween x z and

that holds in a valid encryption of In conditions through the last equality represents the relation

b etween x and that holds in a valid encryption of In condition the last equality represents the

information computable from z using the trap do or f Here we refer to the inverses of the z s which

( )

are not x s The hardcore value of these inverses should b e uniformly distributed i

A solution for nonerasing parties

B f v ( ) B f z ( ) B x for i k k

( )

i i

b b

Eg if a this means

( )

B f v ( ) B f z ( ) B x for i k k

( )

i i

b b i

Eg if a this means

( )

Let I k if b and I fk kg otherwise Then

( )

B f v ( ) B f z ( ) B f f x equals with probabil

i i

ity negligibly close to for i I

Eg for a and we have Prob for i k k

( )

for i k whereas for a and we have Prob

( )

This allows setting so that x is mapp ed to z while is uniformly

( )

distributed ie x f v ( ) f z 1 ( ) f z ( ) 1 for i k and

i i i

a a a

x f z ( ) otherwise

Initial setting of and The key issue is how to select and

so that the ve condition stated ab ove hold for b oth and As a rst step

towards this goal we consider the four sums

k k k k

X X X X

1 1 1 1

def def def def

a b b a

S S S S

( ) ( ) ( ) ( )

i i i i

i i

ik ik

The ab ove conditions imply S S k k k k as well as S bin

if b and S bin otherwise Note that S S and bin are random variables

k k

To satisfy the ab ove summation conditions we partition k into equal sized subsets

denoted I I I I eg I k I fk k g I fk kg and I

fk k g This partition induces a similar partition on the s and the s

i i

The s and the s in each set are chosen using four dierent distributions which

i i

satisfy the conditions summarized in Figure Supp ose a Then we may set

I I I I I I I I

k k

k k k

Figure The distribution of the s and s is as in Claim

k I I and fk k g I I and k I I and

fk k g I I where I J means that the p ermutation maps the

elements of the set I onto the set J It would have b een more natural but less convenient

to write I I k and I I fk k g We claim that

for each f g the ab ove setting satises the three relevant summation conditions

k Consider for example the case depicted in Figure Then S

P P

k k

and S k as required Considering S we observe that it

i i

ik ik

is distributed as k of Claim which in turn is statistically close to bin We

A solution for nonerasing parties

I f k g I I I fk k g I I

S k k S k bin

no condition S k k k

Figure Using the s and s satisfy the summation conditions S S and S

i i

stress that the ab ove argument holds for any way of setting the s as long as they ob ey

the equalities sp ecied eg for any bijection I I I I we are allowed to set

i i for all i I I The case follows similarly here S

iI I

1 3

P P

k see Figure In case k and S k S

i i

iI I iI I

1 3 2 4

I f k g I I I fk k g I I

S k k k no condition

S k bin S k k k

Figure Using the s and s satisfy the summation conditions S S and S

i i

b we set k I I fk k g I I k I I

and fk k g I I The claim that for each f g the ab ove setting

satises the three relevant summation conditions is shown analogously

Refinement of and However the ab ove summation conditions do

not guarantee satisfaction of all the ve conditions In particular we must use p ermutations

which guarantee the correct p ositioning visible bits within the k bit long blo ck That

is we must have

1 1

a a

k k

( ) ( )

1 1

a a

k k

( ) ( )

k k

that is equality b etween the sequences and not merely equality in the number of s Clearly

there is no problem to set the s so that these equalities hold and thus Conditions

through are satised It is left to satisfy Condition

Supp ose that a In this case the third summation requirement guarantees

bin This is indeed consistent with the requirement that these s

( ) k ( )

i i

are almost uniformly and indep endently distributed But this is not sucient In particular

we also need bin where J fk i k g and

( ) ( )

i i

furthermore the ab ove sum needs to b e indep endent of which in

( )

ifk k gJ

turn should b e statistically close to bin Let us start with the case In this case

we need

bin

where J fi I I g and this sum needs to b e indep endent of

i i

iI I J

3 4

By Figure we have jJ I j k We further restrict the distributions s and s

i i

A solution for nonerasing parties

so that in part I the four p ossible outcomes of the pairs are equally likely eg

i i

for exactly k integers i I we have Consider J J I note

i i

jJ j k To satisfy Eq we construct a random variable f kg analogously

def

to Claim so that p Prob j bin k j for j k with the rest of the

j k

mass on and constrain the s to satisfy Prob j p We get

i i

k bin analogously to Claim A minor problem o ccurs the new

which we want to b e distributed as some restriction on the s conditions

i i

iI J

bin k and indep endently of the reason b eing that should b e distributed

equally to However this condition has a negligible eect since we can sample and

and set the s accordingly getting into trouble only in case which happ ens with

negligible probability since Prob Prob k

The case gives rise to the requirement

bin

where J fi I I g and this sum needs to b e indep endent of

i i

iI I J

1 3

def

To satisfy Eq we restrict the s in J J I analogously to satisfy

i i

Finally we observe that generating the s and s at random so that they satisfy the

i i

ab ove requirements makes them satisfy Condition

Beyond the five conditions In the ab ove construction we have explicitly dealt with

conditions which obviously have to hold for the construction to b e valid We now show that

indeed this suces Namely we claim that

x z r f x y r f

( )

Consider the case Both r and r are uniformly chosen in fa bg and so we consider

wlog r r a Furthermore is a random p ermutation and f x z (0) for

i k and f x z (0) for i k k which matches the situation wrt

x and y It remains to compare the distributions of B f s s fa bg with resp ect to

x and with resp ect to x By the ab ove analysis we know that the entries corresp onding

to s a and to s b i k are distributed similarly in the two cases Thus we need

B f f x to compare B f f x and B f f x B f f x

a a a a k

b b k b b

Recall that the x s are selected at random sub ject to B x for i k and

i i

B x for i k k An analogous condition is imp osed on the x s but in

addition we also have B f f x for i k and some complicated conditions

for i k k ie the distribution of s here is governed on B f f x

by and furthermore in the rst k elements the number of s is distributed identically to

Thus distinguishing x from x amounts to distinguishing given f f D D and

a b

the trap do or for f but not for f b etween the two distributions

a b

u u where the u s are indep endently selected so that B u if i k

k i i

and B u otherwise and

w w where the w s are uniformly selected under the conditions

k i

B w if i k and B u otherwise

i i

A solution for nonerasing parties

B f f w for i k

a i

B f f w and

a i

ik b

B f f w for some

a i

We claim that distinguishing these two distributions yields a contradiction to the security

of the hardcore predicate B Supp ose on the contrary that an ecient algorithm A can

distinguish these two distributions Using a hybrid argument we construct an algorithm

def

A which distinguishes the the uniform distribution over D fx D B x g and

def

a distribution over D that is uniform over b oth D fx D B f f x g and

def

D fx D B f f x g where is a bit which can b e eciently determined

We stress that the latter distribution is not uniform on D but rather uniform on each

of its two parts Without loss of generality we assume It follows that A must

distinguish inputs uniformly distributed in D from inputs uniformly distributed in D

We now transform A into an algorithm A that distinguishes a uniform distribution over

fy D B f y g from a uniform distribution over fy D B f y g On

b b

input y D and f D D algorithm A rst generates another p ermutation f over

b a

D together with the trap do or for f Next it computes x f y and stop outputting

if B x ie x D Otherwise A invokes A on x and outputs A x In this case

B f f x B f y and B x so the output will b e signicantly dierent in

b b

y We observe that ProbB x y and in case B f case B f

b b

otherwise a constant function violates the security of B and conclude that one can a

random y with B f y from a random y with B f y which contradicts the

b b

security of B 2

Key generation

We describ e how the keys are generated based on any commondomain trap do or system

We use Oblivious Transfer MRa EGL in our constructions Oblivious Transfer OT is

a proto col executed by a sender S with inputs s and s and by a receiver R with input

f g After executing an OT proto col the receiver should know s and learn nothing

else The sender S should learn nothing from participating in the proto col In particular S

should not know whether R learns s or s We are only concerned with the case where R

is uncorrupted and nonerasing

We use the implementation of OT describ ed in GMW which in turn originates in

EGL This implementation has an additional prop erty discussed b elow that is useful in

our construction For self containment we sketch in Figure the GMW proto col for

OT of one bit

It can b e easily veried that the receiver outputs the correct value of in Step Also

if the receiver is semihonest in the nonerasing sense then it cannot predict with more

The sender view of the interaction is uncorrelated with than negligible advantage over

the value of f g Thus it learns nothing from participating in the proto col

The imp ortant additional prop erty of this proto col is that in a simulated execution of

the proto col the simulator can learn b oth and by uniformly selecting z z D and

This statement do es not hold if R is semihonest only in the honestlo oking sense Ironically this aw is related to the useful noncommitting feature discussed b elow

A solution for nonerasing parties

Oblivious Transfer OT

The parties pro ceed as follows using a trap do orp ermutations generator and the asso ciated

hardcore predicate B

On input f g the sender generates a oneway trap do or p ermutation f

D D with its trap do or f and sends f to the receiver

On input f g the receiver uniformly selects x x D computes y f x

sets y x and sends y y to the sender

Up on receiving y y the sender sends the pair B f y B f y

to the receiver

Having received b b the receiver outputs s b B x as the message re

ceived

Figure The GMW Oblivious Transfer proto col

having the receiver R send f z f z in Step Furthermore if R is later corrupted

then the simulator can convince the adversary that R received either or at wish by

claiming that in Step party R chose either x x z f z or x x f z z

resp ectively

In Figure we describ e our key generation proto col This proto col is valid as long as

at least one party remains uncorrupted

Simulation Adaptive security of the encryption proto col

Let denote the combined encryption and decryption proto cols preceded by the key gen

eration proto col

Theorem Protocol is an n resilient noncommitting encryption protocol for n

parties in the presence of nonerasing parties

Pro of sketch Let P b e the sender and let P b e the receiver Recall that a non

r s

committing encryption proto col is a proto col that securely computes the bit transmission

function btr in a simulatable way Let b e a nonerasing proto col for We construct

exec for any n limited adversary a simulator S such that ideal

btr S

A and for any input f g of P

The simulator S pro ceeds as follows First an invocation of the key generation proto col

This can b e is simulated in such a way that S knows b oth trap do ors f and f

b a

done using the additional prop erty of the GMW Oblivious Transfer proto col as describ ed

ab ove For each party P that A corrupts during this stage S hands A the internal data

held by P in the simulated interaction We stress that as long as at least one party remains

uncorrupted the adversary knows at most one of f f Furthermore as long as P

a b

remains uncorrupted the adversary view of the computation is indep endent of whether P

has f or f

b a

Once the simulation of the key generation proto col is completed S instructs the trusted

party in the ideal mo del to notify P of the function value This value is P s input If

r s

A solution for nonerasing parties

keygeneration

For generating an encryption key f f known to the sender and a decryption key f

a b

known only to the receiver R where r is uniformly distributed in fa bg

The receiver generates a common domain D and sends to all parties

and f Each party P generates two trap do or p ermutations over D denoted f

b i a

i i

are kept secret by P and f to R The trap do ors of f f and sends f

i b a b a

i i i i

The receiver R chooses uniformly f g and invokes the OT proto col with each

party P for a number of times equal to the length of the description of the trap do or

of a p ermutation over In all invocations the receiver uses input In the j

invocation of OT party P acting as sender uses input where resp is

Here we use the convention by which resp f the j bit of the trap do or of f

b a

i i

without loss of generality the trap do or may contain all random choices made by G

when generating the p ermutation This allows R to verify the validity of the data

received from P

Let H b e the set of parties with which all the OTs were completed successfully Let

s for P H in some canonical order f b e the comp osition of the p ermutations f

i a a

and let f b e dened analogously eg a is the concatenation of the a with i H

b i

Let r a if and r b otherwise The trap do or to f is known only to R it is

the concatenation of the trap do ors obtained in Step

R now sends the public key f f to the sender

a b

Figure The key generation proto col

A solution for nonerasing parties

at this p oint either P or P is corrupted then S gets to know the encrypted bit In this

s r

case S generates a true encryption of the bit according to the proto col If neither P nor

P are corrupted then S generates the values z x x r r as in Lemma

and lets z b e the ciphertext that P sends to P in the simulated interaction

s r

If at this stage A corrupts some party P which is not the sender or the receiver then S

hands A the internal data held by P in the simulated interaction If A corrupts P then S

corrupts P in the ideal mo del and learns Next S hands A the values x for P s

s s

internal data If A corrupts P then S corrupts P in the ideal mo del learns and hands

r r

A the value f for P s internal data

( )

The validity of the simulation follows from Lemma and from the prop erties of the

GMW Oblivious Transfer proto col 2

Alternative implementations of noncommitting encryption

We describ e two alternative implementations of our noncommitting encryption scheme

based on the RSA and DH assumptions resp ectively These implementations have the

advantage that the key generation stage can b e simplied to consist of a single message

sent from the receiver to the sender

An implementation based on RSA We rst construct the following commondomain

trap do or system The common domain given security parameter n is f g A p er

mutation over f g is chosen as follows First choose a number N uniformly from

n n

together with its factorization via Bachs algorithm Ba Next choose a

n n

prime e This way we are assured that g cde N where is Eulers

totient function even if the factorization of N is not known Let f x x mo dN if

x N and f x x otherwise With nonnegligible probability N is a pro duct of two

large primes Thus this construction yields a collection of commondomain p ermutations

which are weakly oneway Employing an amplication pro cedure eg Y GILVZ we

obtain a prop er commondomain system

This commondomain trap do or system can b e used as describ ed in Section How

ever here the keygeneration stage can b e simplied considerably Observe that it is p ossible

to choose a p ermutation from the ab ove distribution without knowing its trapdoor Sp eci

cally this is done by choosing the numbers N of the dierent instances of f in the direct

way without knowing their factorization Thus the receiver will choose two trap do or p er

mutations f f where only the trap do or to f ie f is known r fa bg Both f f

a b r R a b

are now sent to the sender who pro ceeds as in Section In a simulated execution the

simulator will choose b oth f and f together with their trap do ors

a b

An implementation based on DH Consider the following construction Although it

fails to satisfy Denition it will b e just as go o d for our needs The common domain

n n

given security parameter n is a prime p where the factorization of p is

known Also a generator g of Z is xed p and g are publicly known All computations

are done mo dulo p To choose a p ermutation over Z choose an element v Z and let

p p

v v

f x x The public description of f is y g The trap do or is u v mo dp

v v

A similar idea was used in DP

Honestlo oking parties

This construction has the following prop erties

Although it is hard to compute f if only p g y are known it is easy to generate

random elements x Z together with f x choose z Z and set x g and

R v R

p p

z v z v z

f x y This holds since f x x g y

v v

If u is known then it is easy to compute f x x

An algorithm A that inverts f given only p g y can b e easily transformed into an algo

rithm A that given p g g g outputs g that is into an algorithm that contradicts

v v

the DieHellman DH assumption Sp ecically Assume that Ap g g x x

Then on input p g g g algorithm A will run Ap g g g to obtain g

It is p ossible to choose a p ermutation from the ab ove distribution without knowing

its trapdoor Sp ecically this is done by uniformly choosing numbers y Z until a

generator is found It is easy to decide whether a given y is a generator of Z when

the factorization of p is known

Note that b oth in the encryption pro cess and in the simulation it is not necessary to

compute the p ermutations f on arbitrary inputs It suces to b e able to generate random

elements x in the domain together with their function value f x Thus this construction

is used in a similar way to the previous one

A concluding remark to Section Our solutions for nonerasing parties may ap

p ear somewhat unsatisfactory since they are based on trusting the receiver to choose trap

do or p ermutations without knowing the trap do or whereas the p ermutation can b e chosen

together with its trap do or by simple honestlo oking b ehavior Recall however that if

honestlo oking parties are allowed then no nontrivial proto col can b e proven adaptively

secure via blackbox simulation if clawfree pairs exist We do not see a meaningful way to

distinguish b etween the honestlo oking b ehavior that foils the security of our constructions

and the honestlo oking b ehavior describ ed in Section that foils provability of the

adaptive security of any proto col

Honestlo oking parties

Our construction for honestlo oking parties assumes the existence of a trusted dealer at

a precomputation stage The dealer chooses for each party P a truly random string r

and hands r to P to b e used as random input We call r a certied random input for

P P

P Next the dealer generates n shares of r so that r can b e reconstructed from all

P P

n shares but any subset of n shares are indep endent of r Finally the dealer hands

one share to each party other than P

Now all parties are able to jointly reconstruct r and thus verify whether P follows

its proto col Consequently if party P is honestlo oking ie P do es not take any chance

of b eing caught cheating then it is forced to use r exactly as instructed in the proto col

Party P is now limited to nonerasing b ehavior and the construction of Section applies

We note that the use of certied random inputs do es not limit the simulator That is

up on corruption of party P the simulator can still compute some convenient value r to P

Honestlo oking parties

b e used as P s random input and then convince the adversary that the certied random

input of P was r The adversary will not notice anything wrong since it will never have

all the shares of the certied random input

C h a p t e r

Asynchronous secure computation

We study secure multiparty computation in asynchronous networks See an introductory

presentation in Section We rst present in Section our denition of asynchronous

secure multiparty computation We consider the b ounded variant of the secure channels

setting in the presence of adaptive adversaries and nonerasing parties Here we also

describ e our conventions for presenting asynchronous proto cols Next we present in Section

asynchronous primitives used in our proto cols In Sections and we describ e our

construction of the cases of FailStop and Byzantine adversaries resp ectively In Section

we dene and construct an Asynchronous Veriable Secret Sharing AVSS scheme that

is a key to ol in our construction for Byzantine adversaries In Section we demonstrate

the optimality of our constructions

Preliminari es

The asynchronous mo del

Consider an asynchronous network of n parties where every two parties are connected via a

reliable and private communication channel Messages sent on a channel can b e arbitrarily

delayed however each message sent is eventually received Furthermore the order in which

messages are received on a channel may b e dierent from the order in which they were sent

It is convenient to regard a computation in our mo del as a sequence of steps In each

step a single party is active The party is activated by receiving a message it then p er

forms an internal computation and p ossibly sends messages on its outgoing channels We

consider the order of the steps as controlled by an adversarial entity called a scheduler We

allow computationally unbounded schedulers The privacy of the channels is mo delled by

considering only oblivious schedulers The only information known to these schedulers is

the origin and destination and p ossibly the length of each message sent More formally

For simplicity we assume that messages are not duplicated Duplication can b e prevented by standard

metho ds eg using counters

Private channels are useless in the presence of schedulers that have access to the contents of the messages

Preliminaries

an oblivious scheduler is a functionD N n N with the following interpretation

Given the list of flength source destinationg of the i rst messages sent in an execution in

some standard global ordering function D sp ecies the serial number of the next message

to b e delivered The scheduler must deliver every message exactly once and cannot deliver

unsent messages In the sequel we incorp orate the scheduler within the adversary

We distinguish two types of adversaries FailStop and Byzantine If the adversary is

Failstop then the corrupted parties may stop sending messages at some time during the

computation however we assume that the corrupted parties continue to receive messages

and have an output If the adversary is Byzantine then the corrupted parties may deviate

from their proto cols in any way We consider adaptive adversaries

Dening secure asynchronous computation

We use the ideal mo del metho dology describ ed in Section and Chapter for dening

asynchronous secure computation The asynchronous version of the ideal mo del should re

ect the sp ecial prop erties of the asynchronous setting In particular the following prop erty

of the asynchronous setting remains unchanged even in the presence of a trusted party In

an asynchronous network with t p otential corruptions the uncorrupted parties as well as

the trusted party cannot wait to communicate with more than n t parties b efore deciding

on the output of a computation since up to t parties may never join the computation Con

sequently unlike synchronous computations the output of an asynchronous computation

can b e based only on some core subset of size at least n t of the inputs Furthermore

the t inputs that were left out are not necessarily inputs of corrupted parties they can b e

inputs of slow however uncorrupted parties

Therefore we suggest the following asynchronous ideal mo del Evaluating a function f

in this mo del pro ceeds in the same way as in the synchronous ideal mo del see Section

on page with the only exception that the computation stage is mo died as follows

Computation stage asynchronous version The adversary chooses an arbitrary core

set of size at least n t this subset denoted C is indep endent of the inputs of the

uncorrupted parties A scheduler delivers only the messages of the parties in C to

the trusted party

Up on receiving the p ossibly substituted inputs of the parties in subset C the trusted

party computes some predened approximation to the function value based on C

and the inputs of the parties in C For concreteness we use the following approxi

mation set the inputs of the parties in C to and compute the original function

In order for the output to make more sense the trusted party outputs the subset C

as well as the approximated function value

for instance such a scheduler can set the delivery order of the messages so that the rst bit in the rst message

received by party P will b e the same as the fth bit in the rst message that party P sent on its private

channel to P thus breaking the privacy of this channel

Chor and Moscovici describ e this prop erty of the asynchronous mo del in more detail CM Furthermore

they give an exact characterization of the achievable tasks in the presence of a given number of FailStop

corruptions when the privacy of the inputs is disregarded

A consequence of this phenomenon is that no asynchronous computation can b e equivalent to a

computation in the synchronous trusted party scenario

Preliminaries

Consequently the output of the parties in this ideal mo del is as follows On input

x x x of the parties input x to party P let C b e the set describ ed ab ove and

n i i

let y denote the p ossibly mo died inputs of the parties in C Let f denote the approxi

mation of the function f made by the trusted party Then the uncorrupted parties output

C f y The corrupted parties output an arbitrary function of the information gathered

by the adversary in the computation this information consists of the identity and inputs

of the corrupted parties their random inputs and the resulting approximation f y Also

here we let the nvector ideal x ideal x ideal x denote the outputs of

f S f S f S n

the parties on input x and idealmo del adversary S party P outputs ideal x

i f S i

In Denitions through we present notations for the output of the parties in the

asynchronous ideal mo del These notations capture the ab ove description in an analogous

way to Denitions through in the synchronous setting and can b e skipp ed in a

rst reading We use the same technical notations as in Section

For a vector x x x and a set C n let x denote the vector x pro jected on

n C

the indices in C

For an nvector x x x a set B n and a jB jvector b b b let x

n jB j

B b

denote the vector constructed from vector x by substituting the entries in B by the

corresp onding entries from b

Using these notations the approximation of function f based on a subset C n is

dened by f x f x

Denition Let D be the domain of possible inputs of the parties and let R be the do

main of possible random inputs A tlimited asynchronous idealmo deladversary is a quintuple

S t b h c O where

t is the maximum number of corrupted parties

b n D R n fg is the selection function for corrupting parties the value

is interpreted as no more parties to corrupt at this stage

h n D R D is the input substitution function

c A R fC nj jC j n tg is a core set selection function

O D R f g is an output function for the bad parties

The sets of corrupted parties are now dened as follows

Denition Let D be the domain of possible inputs of the parties and let S t b h c O

be a tlimited idealmodeladversary Let x D be an input vector and let r R be a

random input for S The ith set of corrupted parties in the ideal model denoted B x r

is dened as fol lows

B xr

Let b bB x r x (i) r For i t and as long as b let

i i

B xr

i i

B x r B xr fb g i

Preliminaries

Let i be the minimum between t and the rst i such that b Let b bB xr x (i) f y r

i C

B xr

where y is the substituted input vector for the trusted party and C is the selected core

subset That is y x (i ) (i ) and C cx (i ) r

B xr hB xr x r B xr

(i )

B (xr )

For i i t let

i i

B xr B x r b

i i

In Denition we use B instead of B x r

Denition Let f D D for some domains D and D be the computed function

and let x D be an input vector The output of computing function f in the asynchronous

ideal mo del with adversary S t b h c O on input x and random input r is an n

vector ideal x ideal x ideal x of random variables satisfying for every

f S f S f S n

i n

C f y if i B

ideal x

f S i

O x (t) f y r if i B

t th

where r is the random input of S B is the t set of corrupted parties y x (t) (t)

B hB x r

(t)

r is the selected core is the substituted input vector for the trusted party and C cx

subset

Next we describ e the execution of a proto col in the asynchronous reallife scenario

where the uncorrupted parties run some semihonest proto col for and in the presence

of a computationally unbounded adaptive tlimited asynchronous reallife adversary A We

incorp orate the scheduler describ ed in Section in A The computation pro ceeds as

follows Initially and up on the receipt of a message each party sends messages according

to The adversary playing the scheduler sees the sender receiver and length of each

message sent It also sees the contents of the messages sent to corrupted parties After the

sending of each message the adversary may decide to deliver one of the messages that were

sent and not yet delivered It may also decide to corrupt some parties Up on corruption

of a party P the adversary sees all the data kept by P according to As in Section

we assume that the corrupted parties output the adversary view of the comutation ie

all the information gathered by the adversary during the computation We let view x

and exec x have an analogous meaning to that of Section with resp ect to the

asynchronous setting

In Denition b elow we concentrate on the b ounded variant of the asynchronous

secure channels setting See Section for a presentation of the variants

Denition Let f D D for some domains D and D and let be a protocol for n

parties that runs in PPT We say that asynchronously tsecurely computes f in the b ounded

secure channels setting if the fol lowing requirements hold for any semihonest protocol for

according to one of the Denitions through and for any asynchronous tlimited

reallife adversary A

Termination On al l inputs al l the uncorrupted parties complete execution of the protocol with probability

Preliminaries

Security there exists an asynchronous tlimited idealmodeladversary S whose complex

ity is polynomial in the complexity of A such that for every input vector x

ideal x exec x

f S A

Remarks

We remark that the Termination prop erty is implicit in the security prop erty parties

that did not complete the proto cols do not have an output We explicitly require

Termination to stress the imp ortance and delicacy of this requirement in an asyn

chronous setting In particular we note that Consensus is a very limited sp ecial

case of secure computation The FLP imp ossibility result for deterministic proto cols

implies that in an asynchronous network with p otential faults there must exist non

terminating runs of any randomized proto col reaching Consensus Thus we only

require a secure proto col to terminate with probability or measure

If only FailStop adversaries are allowed then the reallife adversary A only sp ecies

a the conditions up on which the corrupted parties should stop sending messages

and b the output of the corrupted parties Consequently the input substitution

function h of the trustedparty adversary are the identity function

Writing asynchronous proto cols

We review the way in which an asynchronous computation is carried out and describ e

some useful writing conventions for asynchronous proto cols In Section we describ ed

an asynchronous computation as a sequence of steps This is a global external view of the

computation From the p oint of view of a party a computation is a sequence of cycles A

cycle is initiated up on receiving a message it consists of executing an internal computation

and p ossibly sending messages to other parties Once a cycle is completed the party waits

for the next message The set of instructions to b e executed up on the receipt of a message

is called an asynchronous protocol These instructions may dep end on the internal state of

the party and on the contents of the message received

However for clarity of presentation and analysis our description of an asynchronous

proto col is somewhat dierent we partition the proto col into several mo dules called sub

protocols Each subproto col is rst presented and sometimes analyzed as if it were the

only proto col run by the party Subproto cols are combined by letting one subproto cols

call other subproto cols during its execution We present our interpretation of this writing

style of asynchronous proto cols

The party keeps track of the subproto cols that are currently in execution initially

only one predened subproto col is in execution when some subproto col is called by

another subproto col it is added to the subproto cols in execution

We assume that each message applies to one subproto col only Thus Up on the receipt

of a message the party invokes a cycle of the relevant subproto col If the received message

refers to a subproto col which is not in execution then the party keeps the message once

the subproto col has started a cycle is invoked for each one of the kept messages

We asso ciate input and output values with each subproto col furthermore the output of

one subproto col may b e the input of another subproto col However the latter subproto col

Primitives

may b e in execution b efore the former subproto col has completed up dating its output

consequently the input of the latter subproto col may b e changed during its execution We

call such input a dynamic input namely unlike regular input dynamic input variables may

have dierent input values in dierent cycles in the same run of a subproto col

The variables we use for dynamic input will only have items added to them It is

convenient to regard such variables as monotonically increasing sets Namely let U b e such

a variable and let U denote the set held in U when this set is of size c for the rst time

c d

then if c d we have U U We call these variables accumulative sets In the sequel

we will use calligraphic letters eg U to denote accumulative sets

Using the ab ove conventions the shorthand Set a b stands for a call sub

proto col with b for input b Let a denote its output Note that b may b e a dynamic

input of similarly the output a may b e up dated as long as subproto col is in execution

Another shorthand used is as follows Let condition denote some relation eg there

are at least k elements in the accumulative set We use Wait until condition to denote

If condition holds continue to the next instruction Else end this cycle In the sequel we

do not distinguish b etween proto cols and subproto cols

Primitives

In this section we describ e primitives used in our constructions in b oth the FailStop and

the Byzantine cases We rst dene the requirements of each primitive and then describ e

or give a reference to an implementation

Byzantine Agreement

We present the standard denition of asynchronous Byzantine Agreement When the

adversary is FailStop this primitive is sometimes called Consensus

Denition Let be an nparty protocol where each party has binary input Protocol

is a tresilient Byzantine Agreement protocol if the fol lowing hold for every input every

scheduler and every coalition of up to t corrupted parties

Termination With probability al l the uncorrupted parties eventual ly complete the

protocol ie terminate locally

Correctness Al l the uncorrupted parties that complete the protocol have an identical

output Furthermore if al l the uncorrupted parties have the same input denoted

then al l the uncorrupted parties output

e resilient asynchronous BA proto col running in Feldman Fe describ es an d

constant exp ected time d e resilient Consensus can b e reached by substituting the

AVSS scheme in Chapter by a simple secret sharing scheme For instance use the scheme

describ ed in Section

We dene the running time of an asynchronous proto col in Section A

Primitives

Broadcast

We present a denition of a broadcast proto col

Denition Let be an nparty protocol initialized by a special party called the sender

having input m the message to be broadcast Protocol is a tresilient Broadcast protocol

if the fol lowing hold for every input scheduler and coalition of up to t corrupted parties

Termination If the sender is uncorrupted then al l the uncorrupted parties even

tual ly complete the protocol

If any uncorrupted party completes the protocol then al l the uncorrupted parties

eventual ly complete the protocol

Correctness If the uncorrupted parties complete the protocol then they do so with a

common output m Furthermore if the sender is uncorrupted then m m

We stress that the Termination prop erty of Broadcast is much weaker than the Ter

mination prop erty of Byzantine Agreement for Broadcast we do not require that the

uncorrupted parties complete the proto col in case that the sender is corrupted

In Figure we describ e a simple Broadcast proto col for the FailStop mo del

Proto col BC

Co de for the sender on input m

Send MSG m to all the parties and complete the proto col with output m

Co de for the other parties

Up on receiving the rst MSG m or ECHO m message send ECHO m to all

the parties and complete the proto col with output m

Figure A simple broadcast proto col for Failstop adversaries

Prop osition Protocol BC is an nresilient Broadcast protocol for Failstop adversaries

Pro of If the sender is uncorrupted then all uncorrupted parties receive a MSG m

message and thus complete the proto col with output m If a uncorrupted party completed

the proto col with output m then it has sent an ECHO m message to all the parties thus

every uncorrupted party will complete the proto col with output m 2

Bracha Br describ es an d e resilient Broadcast proto col for the Byzantine setting

For selfcontainment we present Brachas Byzantine Broadcast BB proto col in Figure

Convention in the sequel we use party P received an m broadcast to shorthand

party P completed a Broadcast proto col with output m We assume that the identity of

the sender app ears in m

Primitives

Proto col BB

Co de for the sender on input m

send message MSG m to all the parties

Co de for party P

Up on receiving a message MSG m send ECHO m to all the parties

Up on receiving n t messages ECHO m that agree on the value of m

send READY m to all the parties

Up on receiving t messages READY m that agree on the value of m

send READY m to all the parties

Up on receiving n t messages READY m that agree on the value of m

send OK m to all the parties and accept message m as a broadcast message

Figure Brachas Broadcast proto col

Agreement on a Core Set

We rst illustrate a setting in which an Agreement on a Core Set ACS primitive is needed

Assume each party initiates a Broadcast of some value next the parties wish to agree on a

common core set of at least n t parties whose Broadcast has b een successfully completed

Clearly each uncorrupted party can wait to lo cally complete n t Broadcasts and keep

the senders of these Broadcasts However if more than n t Broadcasts have b een globally

completed then we cannot b e sure that all the uncorrupted parties keep the same set of

parties For this purp ose the parties use the Agreement on a Core Set ACS primitive

the parties output of this primitive when used in this context is a common set of at least

n t parties whose Broadcast has b een completed

We pro ceed to formally dene the prop erties required of an ACS primitive Recall the

denition of an accumulative set describ ed in Section on page we let U denote

the value of variable U in cycle c of the proto col An accumulative set U is a variable holding

c d

a set such that for every two cycles c and d if c precedes d then U U

Denition Let m M N in out context we use m n t and M n and let

U U M be a collection of accumulative sets so that party P has U We say that

n i i

the collection is m tuniform if the fol lowing hold for every scheduler and every coalition

of up to t corrupted parties

j m For every uncorrupted party P there exists a cycle c such that jU

For every two uncorrupted parties P and P if k U for some cycle a within party

i j

namely P and P wil l P then there exists a cycle b within party P so that k U

i j i j

eventual ly have U U

i j

Denition Let m M and let be an nparty protocol with parameters m M where

the input of every uncorrupted party P is an accumulative set U Protocol is a tresilient

i i

Primitives

protocol for Agreement on a Core Set with parameters m M if the fol lowing hold for every

coalition of up to t corrupted parties and every scheduler

Termination If the collection U U is m tuniform then with probability al l

the uncorrupted parties eventual ly complete the protocol

Correctness Al l the uncorrupted parties complete the protocol with a common output

C M so that jC j m Furthermore every uncorrupted party has C U where

U is the value of U upon the completion of protocol

Before presenting our construction let us remark that in BKR a simpler construction

e reslient proto col for agreement on a core set is describ ed Furthermore the of an d

BKR proto col runs in constant exp ected time Let n t Our construction with

parameters m and M consists of two phases

Phase I In the rst phase each party rst waits until its dynamic input is of size m then

it p erforms log n iterations In each iteration the party sends the current contents of its

dynamic input to all the other parties then the party collects the sets sent by the other

parties in this iteration and waits until its dynamic input contains n t such sets then

the party continues to the next iteration It will b e shown b elow that the intersection of

the dynamic inputs of all the uncorrupted parties that have completed this phase is of size

at least m

Phase I I In the second phase the parties concurrently run M Byzantine Agreement

proto cols in the cth Byzantine Agreement the parties decide whether element c M will

b e in the agreed set C Namely each partys input to the cth Byzantine Agreement is i c

b elongs to the partys dynamic input the element c b elongs to the set C i the common

output of the cth Byzantine Agreement is The prop erties of Byzantine Agreement assure

us that the set C contains the intersection of the dynamic inputs of all the parties that have

completed the rst step therefore the set C is large enough

Remark Our construction applies to b oth the FailStop and the Byzantine cases using

the appropriate agreement primitive either BA or Consensus

Proto col ACS is describ ed in Figure

e resilient protocol for Agreement Prop osition Protocol ACSm M is a min r d

on a Core Set in a network of n parties where r is the resilience of the agreement protocol

used

Pro of We rst assert the Termination condition Assume that the accumulative sets

U U dene an m tuniform collection We show that every uncorrupted party P will

n i

eventually complete the proto col

Clearly Step will b e completed It can b e seen by induction on the number of

iterations that every iteration in Step will b e completed in each iteration r party P will

eventually receive the r S message from every uncorrupted party Furthermore for every

This problem of assuring a large intersection of the sets of a uniform collection was previously addressed

by Fe as well as BE Both works present partial solutions to this problem let m n t Feldman

Fe made sure that the intersection of the sets held by all the uncorrupted parties is of size n but

not necessarily m BenOr and ElYaniv BE made sure that the intersection of the sets held by n t

uncorrupted parties is of size at least m

Primitives

Proto col ACSm M U

Party P acts as follows on inputs m M and accumulative set U

i i

Wait until jU j m

For r blog nc do

a Send r U to all the parties

b Let F fP j an r S message was received from P g

j j j

Wait until S U for at least n t parties P F

j i j

Note that sets S that were not contained in U when they were received may

j i

later b e contained in U if elements are added to it

Run M Byzantine Agreement proto cols BA B A with input to BA i j U

M j i

Set C fj jthe output of BA is g Wait until C U

i j i i

Output C

Figure ACS A proto col for Agreement on a Core Set

uncorrupted party P party P will eventually have S U since the collection U U

j i j i n

is uniform

Step will b e completed with probability since all the Byzantine Agreement proto cols

are completed with probability To see that Step will b e completed we note that if a

Byzantine Agreement proto col BA has output then there exists a uncorrupted party P

j k

that started BA with j U thus party P will eventually have j U

j k i i

We assert the Correctness prop erty The unanimity of the outputs of the parties follows

directly from the denition of Byzantine Agreement Step of the proto col assures us that

C U within each uncorrupted party P It is left to show that jC j m

Let U denote the value of accumulative set U up on completion of iteration r of Step

by party P We show by induction on r that every set D of at most uncorrupted parties

all of which have completed iteration r satises j U j m

j D

The base of induction r is immediate from Step of the proto col For the induction

step consider a set D of up to uncorrupted parties We rst observe that for every two

r r r

parties P P D we have jF F j t since n t and jF j n t for each j

j k

j k j

r r

Therefore there exists at least one uncorrupted party P F F we call P an arbiter of

l l

j k

P and P Party P resp P has received the r S message furthermore U S

j k j k l l

r r

Thus U U resp U U

l j l k

Consider an arbitrary partition of the set D to pairs of parties choose an arbiter for each

pair and let D b e the set of these arbiters thus jD j By the induction hypothesis

r r

we have m j U j Every party in D has an arbiter in D thus U U

j D j D j D

j j

Therefore we have m j U j

j D

Let D b e the set of uncorrupted parties that start Step of the proto col and let

log n

C U by the ab ove induction we have jC j m For every j C the inputs

j D

of all the uncorrupted parties to the BA proto col is Therefore by the denition of

Byzantine Agreement the output of every BA proto col is Thus C C and jC j m j

FailStop faults

We show how to securely tcompute any function whose input is partitioned among n parties

when n t and the faults are FailStop Our costruction follows the outline of the

rst BGW construction namely the construction resilient against corrupted parties which

only try to gather information but otherwise follow the proto col

Let F b e a nite eld known to the parties with jF j n and let f F F b e the

computed function Namely we restrict our discussion to functions where the input of

each party as well as the function value are eld elements We note that no generality is

lost in this restriction if the range of the computed function do es not t into F then the

function can b e partitioned into several functions whose range is F Furthermore a party

can have more than one eld element for input in this case it executes a dierent copy of

the proto col for each eld element

We assume that the parties have an arithmetic circuit computing f the circuit consists

of addition and multiplication gates of indegree we regard adding a constant as a sp ecial

case of addition All the computations in the sequel are done in F

An outline of the proto col follows Let x b e the input of P As a rst step each party

i i

shares its input among the parties using a technique similar to Shamirs secret sharing

scheme Sh Namely for each party P that successfully shared its input a random p oly

nomial p of degree t is generated so that each party P has p j and p is P s input

i j i i i

value We say that p j is P s share of p Next the parties agree using proto col ACS

i j i

on a core set C of parties that have successfully shared their input Once C is computed

the parties pro ceed to compute f x in the following way First the input values of the

parties not in C are set to a default value say then the parties evaluate the given circuit

gate by gate in a way describ ed b elow Note that the output of the proto col is xed once

the set C is xed

For each gate the parties use their shares of the input lines to jointly and securely

generate a random p olynomial p of degree t such that every party P computes pi

and p is the output value of this gate Namely pi is P s share of the output line of

this gate Once enough parties have computed their shares of the output line of the entire

circuit the parties reveal their shares of the output line and interpolate the output value

In the rest of this section we describ e our construction in more detail First we describ e

the GlobalShare and Reconstruct proto cols Next we describ e the evaluation of a linear

gate and of a multiplication gate Finally we put all the pieces together to describ e the

main proto col and prove its correctness

When presenting each proto col we describ e the uncorrupted parties outputs of the

proto col We p ostp one the formal pro of of security to Section

GlobalShare and Reconstruct

The GlobalShare proto col denoted GShare consists of two phases First each party shares

a secret among the parties next the parties use an ACS proto col in order to agree on a set

of size at least n t of parties that have successfully shared their secret Party P s output i

FailStop faults

of the GShare proto col is the set of parties that have successfully shared their inputs along

with the ith share of the input of each of the parties in this set

This proto col is applied once at the b eginning of the proto col where each party shares

its input of the main proto col and twice in each invocation of the proto col for computing

a multiplication gate see Section Proto col GShare has a security parameter d

This parameter will b e set to either t or t according to the context in which the proto col

is activated Proto col GShare is presented in Figure

Proto col GSharedx

Party P acts as follows on inputs x d

i i

Share x

a Cho ose a random p olynomial h of degree d such that h x

i i i

For each j n send h j to party P

i j

b Broadcast Party P completed sharing

Up on receiving the share s of P s secret and the Party P completed sharing

ij j j

broadcast add j to a set C of parties that have successfully shared their secret

Set C ACSn t nC

Output C and fs jj C g

Figure GShare The global sharing proto col

We note that the accumulative sets C C of Step dene an n t tuniform

collection Thus all the uncorrupted parties complete proto col ACS and hence the entire

GShare proto col with the desired output Furthermore the corrupted parties have no

information ab out the values shared by the uncorrupted parties

In the Reconstruct proto col describ ed in Figure the parties reconstruct a secret

from its shares The parameters of this proto col are the security parameter d and a set R

of the parties to which the secret is to b e revealed Party P s input is the ith share of the

secret denoted s The Reconstruct proto col is invoked once for every multiplication gate

and once at the end of the proto col Parameter R is necessary in the multiplication gate

invocation In the other invocation it is set to R n

We note that if d n t then a Reconstruct proto col that is run by all the parties

will b e completed Furthermore if there exists a p olynomial p of degree d such that the

share of each active party P is s pj then all the uncorrupted parties in R will output

j j

Evaluating a linear gate

We describ e the evaluation of a linear gate instead of a simple addition gate this more gen

eral formulation will b e convenient in presenting the proto col for computing a multiplication

gate

Evaluating a linear gate is easy and requires no communication Let c a b e

j j

a linear gate where a a are the input lines of the gate are xed co ecients

k k

FailStop faults

Proto col Reconstructd Rs

Party P acts as follows on input s and parameters d ft tg and R fP P g

i i n

Send s to all the parties in R

If P R output

Otherwise up on receiving d values value v from party P interpolate a p oly

j j

nomial p of degree d such that pj v for each received value v

i j j

Output p

Figure Reconstruct The reconstruction proto col

and c is the output line Let A b e the p olynomial asso ciated with the j th input line

namely party P s share of this line is a A i

i ij j

Each party P lo cally sets its share of the output line to c a It can b e

i i j ij

easily seen that the shares c c dene a random p olynomial C of degree t with the

correct free co ecient and with C i c for all i

Evaluating a multiplication gate

Let c a b b e a multiplication gate and let A B b e the p olynomials asso ciated with

the input lines namely each party P s shares of these lines are Ai and B i resp ectively

The parties will jointly compute their shares of a random p olynomial C of degree t

satisfying C A B namely each uncorrupted party P s share of the output line

will b e C i

Initially each party lo cally computes its share of the p olynomial E A B by

setting E i Ai B i Clearly E has the required free co ecient However E is of

degree t moreover it is not uniformly distributed The parties use their shares of E to

compute their shares of the desired p olynomial C in a secure manner The computation

pro ceeds in two steps rst the parties jointly generate a random p olynomial D of

degree t so that D E namely each party P will have D i Next the parties

will use their shares of D in order to jointly compute their shares of p olynomial C

These steps are describ ed b elow

Randomization We describ e how p olynomial D is generated First the parties gen

erate a random p olynomial H of degree t and with H namely each party P will

have H i

We rst describ e how the p olynomial H is shared in a synchronous setting BGW

Each party P selects a random p olynomial H of degree t with H and shares

i i i

it among the parties namely each party P receives H j Polynomial H is set to

j i

P P

n n

H H namely each party P computes H i H i

j i j

j j

In our asynchronous setting a party cannot wait to receive its share from all the other

parties Instead the parties agree using proto col ACS on a set C of parties that have

successfully shared their H p olynomials next p olynomial H will b e set to H i

FailStop faults

H In other words the parties run proto col GSharet on output C fH ijj

j j

j C

H i C g of the GShare proto col party P computes H i

j i

j C

Polynomial D is now dened as D E H namely each party P computes

D i E i H i Clearly D A B and all the other co ecients of D are

uniformly and indep endently distributed over F

Degreereduction In the degreereduction step the parties use their shares of D in

order to jointly and securely compute their shares of a random p olynomial C of degree

t with C D Polynomial C will b e set to the truncation of p olynomial D to

degree t namely the t co ecients of C are the co ecients of the t lower degrees of

D An imp ortant observation is that the information gathered by the corrupted parties

namely t shares of p olynomial D along with t shares of the truncation p olynomial C

is indep endent of C This statement is formalized in Lemma on page and used

in proving the security of the entire proto col

Let d D D n and let c C C n BGW noted that there exists a xed

n n matrix M such that c dM It follows that the desired output of each party P

D i M We is a linear combination of the inputs of the parties C i dM

ji i

collo quially call such an op eration multiplying the inputs by a xed matrix In this case

the parties inputs are their shares of the p olynomial D

In a synchronous setting multiplying the inputs by a xed matrix can b e done by

securely computing the appropriate n xed linear combinations of the inputs so that the

value of the ith linear combination is revealed to party P only Linear combinations are

securely computed as follows First each party shares its input next each party computes

the linear combination of its shares as in Section and reveals this linear combination

to the sp ecied party nally the sp ecied party computes the output value by interpolating

a degree t p olynomial from the received combinations

Linear combinations of al l the inputs cannot b e computed in an asynchronous setting

Thus the synchronous metho d describ ed ab ove cannot b e used We outline our solution for

the asynchronous setting First we describ e a technique for multiplying inputs by a xed

matrix in an asynchronous setting for the case where the matrix and the set of inputs are

related in a sp ecial way describ ed b elow Next we note that the matrix M and the set of

p ossible inputs of the degreereduction step are related in this sp ecial way

Denition Let A be an n n matrix and let S F be a set of input vectors we

say that S is tmultipliable by A if for every set G n with jGj n t there exists an

easily computable matrix A of size jGj n such that for every input x S we have

x A x A

G G

Let S b e tmultipliable by A Then the proto col describ ed in Figure multiplies

inputs in S by the matrix A Let x S The parties rst execute a GShare proto col

applied on the input vector x once the common set G is computed each party lo cally

computes A Next the parties run n Reconstruct proto cols in the ith Reconstruct the

Note that computing a linear combination of input values is harder than computing a linear combination

of alreadyshared values ie the problem addressed in section the former computation involves

sharing of all the inputs

FailStop faults

parties let P compute x A by sending him the appropriate linear combination of their

i G G i

Proto col MATx A

Party P acts as follows on input x and matrix A

i i

Set G fs jj Gg GSharetx

ij i

s Enumerate G g g and let s s

ig i ig

jGj

Compute A

For k n set y Reconstructs A t fk g

k i G k

Output y

Figure MAT A proto col for multiplying the input by a xed matrix

We say that an input vector x is dgenerated if there exists a p olynomial P of degree

d satisfying x P i for every i the set of p ossible inputs of the degreereduction step is

the set of tgenerated vectors

Prop osition Let M be the n n matrix introduced in BGW Then the set of

tgenerated nvectors is tmultipliable by M when n t

Pro of Recall that matrix M used in BGW is constructed as M V TV where V

is a Vandermonde n n matrix dened by V i and T is constructed by setting all

but the rst t rows of a Unit matrix to Let d c b e as dened ab ove To see that

d M c note that d V is the co ecients vector of the p olynomial D thus d V T

is the co ecients vector of C and d V TV c

Let G n with jGj n t and let G g g Matrix M is constructed as

jGj G

follows Let the jGj jGj matrix V b e the matrix V pro jected on the indices in G namely

G j

V g Next construct the jGj n matrix V by app ending n jGj zero columns to

V Finally set M VTV where T is dened ab ove

Since n t we have jGj t it can b e veried that in this case x V is

once again the co ecients vector of D namely x V x V Thus x VTV

G G

x V TV x M as required 2

Combining the Randomization and Degreereduction steps we derive a proto col for

computing a multiplication gate This proto col denoted MUL is presented in Figure

The main proto col

Let f F F b e given by an arithmetic circuit A Our proto col for securely tcomputing

f is describ ed in Figure

Theorem Let f F F for some eld F with jF j n and let A be a circuit

e securely computes f in computing f Then protocol FScomputeA asynchronously d

the bounded secure channels setting with n nonerasing parties provided that only FailStop adversaries are considered

FailStop faults

Proto col MULa b

i i

Party P acts as follows on inputs a b

i i i

Set C fh jj C g GSharet

Let d a b h

i i i ij

j C

Let M b e the matrix introduced in BGW

Set c MATd M

i i

Output c

Figure MUL A proto col for computing a multiplication gate

Proto col FScomputeAx

Party P acts as follows on lo cal input x and given circuit A

i i

Set C fs jj C g GSharetx

ij i

For a line l in the circuit let l denote the share of party P in the value of this

i i

line If l is the j th input line of the circuit then set l s if j C and l

otherwise

For each gate g in the circuit wait until the ith shares of all the input lines of g are

computed Then do the following

a If g is an addition gate with output line l and input lines l and l then set

i i

l l l

i i

b If g is a multiplication gate l l l then set l MULl l

Let l b e the output line of the circuit

out

Once l is computed send Ready to all the parties

out

The only role of the Ready messages is simplifying the pro of of correctness b elow

Wait to receive n t Ready messages

Set y Reconstructt nl

out

Output C y

Figure FScompute The proto col for FailStop faults

FailStop faults

We present the pro of of Theorem in two steps First we show security of the

proto col in the presence of nonadaptive adversaries When the adversary is nonadaptive

there is no dierence b etween the cases where the uncorrupted parties are semihonest or

honest We thus assume that the uncorrupted parties are honest We do not present a

denition of nonadaptively secure computation in asynchronous networks However such

a denition can b e easily assembled from the denition of adaptive security in asynchronous

networks Denition and denition of nonadaptive security in synchronous networks

Denition

Next we show adaptive security of proto col FScompute in the presence of nonerasing

parties We remark that proto col FScompute can b e shown adaptively secure also in the

presence of honestlo oking parties using similar constructs to those describ ed in Section

Pro of of correctness nonadaptive case

let A b e a nonadaptive Failstop adversary and let B b e the set of corrupted parties we

incorp orate the scheduler in A

Termination

We use FS to shorthand proto col FScomputeA We show that for every input x with

probability all the uncorrupted parties terminate proto col FS

Proto col FS consists of several invocations of proto cols GShare and Reconstruct if a

uncorrupted party terminates all these invocations then this party terminates the entire

proto col as well We have seen that a Reconstruct proto col always terminates provided

that n t If all the Consensus proto cols invoked in a GShare proto col terminate

then the GShare proto col terminates as well

Each one of these Consensus proto cols terminates with probability by the denition

of Consensus Thus with probability all the Consensus proto cols invoked in the entire

proto col terminate therefore with probability all the GShare proto cols terminate as well

Security

e limited reallife adversary A we construct a ideal For any reallife nonadaptive d

mo del adversary S so that for every input x we have ideal x exec x The

f S FS A

notations S and ideal as well as exec for a proto col here FS are dened

f S A

in Section on page Here the set of corrupted parties denoted B is xed We

represent the idealmo del adversary S as a quadruple A B h c O

Construction of the idealmo del adversary We remark that adversary S op erates

via blackbox simulation of the reallife adversary Blackbox simulation was describ ed

for the synchronous setting in Section The asynchronous version is analogous Here

the set B of parties corrupted by the reallife adversary A is xed Adversary S corrupts

the parties in B The input substitution function h the core set selection function c and

the output function O are computed via the following simulated interaction b etween the

reallife adversary A and parties executing proto col FS

On input x and random input r S extends x to an nvector x by lling the extra

B B

entries with say zeros Partition r into n sections r r and let r r r Simulate

n n

FailStop faults

an execution of proto col FS with adversary A and with x as input and r as random input

of each party P In the sequel we incorp orate D in A Let C b e the core set decided up on

in the GShare invocation in Step of the proto col For each P C let y b e the value

i i

shared by P namely y x for P C let y Let y y y Set hx r y

i i i i i n B B

and cx r C

Our next step is computing the output function O of the corrupted parties in the ideal

mo del The inputs to this function are x r and f y Recall that f y is the value

B C C

received from the trusted party We continue the ab ove simulation of proto col FS with the

following mo dication Step of the proto col assures us that by the time the rst uncor

rupted party starts executing the Reconstruct proto col of Step at least t uncorrupted

parties have computed their shares of the output line In the pro of of Lemma b elow

we show that these shares determine a unique p olynomial of degree t let p denote this

p olynomial Once the rst uncorrupted party reaches the nal Reconstruct proto col the

simulator computes the ab ove p olynomial p and chooses a random p olynomial p of

degree t such that p f y and p i pi for every corrupted party P In the sim

C i

ulated run every uncorrupted party P executes the last Reconstruct proto col with input

p j instead of pj Let w denote the output of the corrupted parties after this simulated

run of proto col FS Set O x r f y w

B C

Validity of the idealmo del adversary It is left to show that for every input vector

x the output vector exec x of the parties in the real computation has the same

FS A

distribution as the output vector ideal x of the parties in the ideal mo del An outline of

f S

our pro of follows Recall the denition of the adversary view of the computation we redene

this notion in more detail b elow This notion captures the information gathered by the

adversary during the computation combined with the information seen by the scheduler In

Lemma b elow we show that the adversary view of the real computation is distributed

equally to the adversary view in the interaction simulated by the idealmo del adversary

We complete our pro of by showing that whenever the adversary view of the real execution

equals the adversary view of the simulated execution the output vector of al l the parties

in the reallife mo del equals the output vector of al l the parties in the ideal mo del

We pro ceed to redene the adversary view First dene the transcript of a computation

The transcript U consists of the inputs x of all the parties their random inputs r and the

entire communication among the parties The communication is organized in events each

event e consists of a message received by a party and its corresp onding resp onses The

order of events is induced by the order of delivery of the messages Namely we have

U xre e

We partition each message in proto col FS to its contents and its frame The contents of

Since the faults are FailStop we could let the input substitution function h b e the identity function

However this formulation is valid for the pro of of Theorem Security of the Byzantine proto col as well

Note that f y f y in the sequel we leave the subscript C for clarity

Step of the algorithm is a technical step whose purp ose is making the fact that p is xed at this

stage more obvious It can b e seen that even without Step by the time the rst uncorrupted party starts

executing the last Reconstruct proto col at least n t uncorrupted parties have computed their shares of

the output line

The output of the corrupted parties is dened as the contents of their output tap es after all the messages sent by the uncorrupted parties have b een received

FailStop faults

a message consists of the elements of the eld F app earing in this message The frame of a

message is the message itself where each eld element is replaced by a blank In particular

the frame contains the type of the message the name of the proto col and invocation that

the message b elongs to and the identity of the sender and the receiver Messages that do

not contain any eld elements have empty contents Informally the scheduler sees only

the frame of each message sent while the receiver sees the entire message

Let S b e a set of parties and let U xre e b e a transcript of some com

putation The view of the computation as seen by the parties in S is the sequence

U x r e e where x is the inputs of the parties in S and r is their ran

S S S k S S

dom inputs Eache is a semievent namely if the recipient party of event e is in S thene

i i i

consists of the full received message and the subsequent resp onses Otherwisee consists of

only the frame of the received message and resp onses The adversary view is the view of the

set B of corrupted parties We note that the adversary view contains all the information

gathered by the adversary during the relevant computation Without loss of generality we

O assume that the corrupted parties output of a computation is the adversary view Let

denote this function

Fix an input vector x Dene the random variable for each random input r set

to b e the corrupted parties view of the execution of proto col FS on input x random

input r and adversary A Let the random variable b e similarly dened with resp ect to

the simulated proto col describ ed ab ove In Lemma b elow we show that and are

identically distributed

Lemma The random variables and are identically distributed

The pro of of Lemma is given at the end of this section

It is left to show that the following two quantities are equal with resp ect to every

p ossible view V of the corrupted parties ie every view V in the supp ort set of and

a The output of al l the parties in the ideal mo del with the adversary S describ ed ab ove

when the corrupted parties view of the simulated execution is V

b The output of al l the parties after an execution of proto col FS when the view of the

corrupted parties is V

Equality is proven by showing that in b oth cases the output of the corrupted parties

is O V and the output of the uncorrupted parties is C f y where C is the core set

app earing in V and y is the substituted input vector dened ab ove Note that b oth C and

y are uniquely determined by x and V

Case a the ideal mo del By the denition of the output of the parties in the ideal

mo del Denition on page the uncorrupted parties output C f y and the

corrupted parties output O x r f y in the ab ove construction of S we have set

B C

O x r f y OV

B C

Note that this partitioning of a message to its contents and frame is sp ecic to proto col FS A more

general denition may let the frame of a message b e its length only However the present denition of a

frame is more natural for our proto col furthermore it simplies our pro of of Lemma b elow

We use V to shorthand U B

FailStop faults

Case b an execution of proto col FS The corrupted parties output O V by the

denition of function O In Lemma b elow we show that the uncorrupted parties

output f y 2

Lemma Consider an execution of protocol FS on input x with adversary B and let C

and y be the quantities dened above with respect to this execution Then the uncorrupted

parties output of this execution is f y

Pro of For each line l in the computed circuit let v b e the value of this line when the

input of the circuit is y Let l denote the output line of the computed circuit since the

out

circuit computes the function f we have v f y f y

l C

out

Consider an execution of proto col FS as in the Lemma For each line l let p b e the

lowest degree p olynomial such that the share of each uncorrupted party P in this line in

this execution is p i It can b e seen by induction on the structure of the circuit that

every p is of degree at most t and that p v each line is either an input line

l l l

an output of a linear gate or an output of a multiplication gate These cases were dealt

with in the sections describing the initial commit the linear gate and the multiplication

gate proto col resp ectively Thus in the nal Reconstruct proto col the uncorrupted parties

retrieve and output p v f y 2

l l C

out out

Pro of of Lemma We show by induction on the number of communication events

that every prex of has the same distribution as the corresp onding prex of with the

same number of events

We use the following notations For every i let denote the prex of that ends

after the ith semievent Let b e similarly dened with resp ect to Fix an instance

V of and let b e the random variable describing the distribution of the i th

i i i

semievent in given that the corresp onding prex of is V Namely for each semievent

Prob e Prob V e j V

i i i i i

Recall that each semievent consists of a received message and the subsequent resp onse

messages Let and b e the random variables having the distributions of the received

i i

message and the resp onse messages in resp ectively Let and b e similarly

i i i

dened with resp ect to

For the base of induction we note that x x and b oth random inputs r and r

B B

are uniformly distributed thus x r and x r are identically distributed

B B

For the induction step we show that for every i and for every instance V the

random variables and are identically distributed

First note that V contains all the information seen by the scheduler when delivering

the i st message Therefore the frame of the i st message is uniquely determined

by V In particular the sender resp the recipient of the i st message is the same

party in b oth computations We distinguish two cases

a The recipient party is uncorrupted In this case it is left to show that the frames

of the resp onse messages sent in this event are identically distributed However it can b e

seen by observing the proto col that the frames of the messages sent by a uncorrupted

party are uniquely determined by the frames of the messages received by this party so far

these frames are part of the common instance V of the prexes and

i i i

FailStop faults

b The recipient party is corrupted Clearly if the received messages and are

identically distributed then the resp onse messages and are identically distributed

as well If the sender is corrupted then entire received message is explicitly written in the

instance V which is the same in b oth computations It remains to consider the case in

which the sender is uncorrupted We have that the frames of and are equal We show

that the contents of and are identically distributed

Every message in proto col FS b elongs either to some invocation of proto col GShare or

to some invocation of proto col Reconstruct We consider these two cases separately In

the sequel we say that a random variable is a semirandom p olynomial of degree d if its

instances are p olynomials of degree at most d such that all the co ecients other than the

free co ecient are uniformly and indep endently distributed The free co ecient may have

any distribution

GShare messages The only messages of a GShare proto col having nonempty contents

are shares of some secret However the corrupted parties receive only up to t shares

of each secret shared by a uncorrupted party namely up to t shares of a semirandom

p olynomial of degree t Consequently b oth in and in the contents is distributed

uniformly and indep endently over the eld F regardless of the shared values

In an invocation of Reconstruct the corrupted parties receive n shares of a semirandom

p olynomial p of degree t Thus the contents of the rst t messages are uniformly dis

tributed b oth in and in The contents of the other messages are uniquely determined

by the t shares known to the corrupted parties namely the contents of the rst t messages

of the same invocation and the free co ecient of p Thus it suces to show that the

free co ecient of p namely the output of this invocation of Reconstruct is identically

distributed in and We distinguish two types of invocations of Reconstruct a Recon

struct within a multiplication step namely a Reconstruct invoked in Step of proto col

MAT and the nal invocation of Reconstruct in Step of proto col FS

Reconstruct as a part of a multiplication step Consider an invocation of proto col

MUL see Figure on page We show that the corrupted parties outputs of

the t invocations of Reconstruct along with the contents of the other messages of

this invocation of MUL received by the corrupted parties are uniformly and inde

p endently distributed regardless of the values of the input lines of the corresp onding

multiplication gate

The p olynomial H generated by the parties in the Randomization phase Step of

proto col MUL is a semirandom p olynomial of degree t with zero free co ecient

The contents of the GShare messages of Step received by the corrupted parties

add up to t shares of the p olynomial H Fix some arbitrary p olynomials A and

B asso ciated with the input lines of the corresp onding multiplication gate and let

D H A B Then b oth in and in D is a semirandom p olynomial

of degree t with some xed free co ecient

The data gathered by the corrupted parties during the entire invocation of MUL

consists of t shares of the semirandom p olynomial D along with t shares of the

truncation p olynomial C namely the outputs of the t invocations of Reconstruct

Let s A B Lemma b elow shows that there exists a unique instance

FailStop faults

of D namely a unique p olynomial of degree t whose free co ecient is s that

corresp onds to each sequence of t eld elements gathered by the corrupted parties

Consequently the sequence of t eldelements gathered by the corrupted parties is

uniformly distributed b oth in and in

Final Reconstruct Let C b e the core set determined by V and let y b e the substi

tuted input vector describ ed ab ove By Lemma the parties output of the nal

Reconstruct in a computation of proto col FS is f y By the construction of the

idealmo del adversary S the parties output of the nal Reconstruct in the simulated

execution is also f y

This concludes our pro of that and have the same distribution 2

Lemma technical lemma Let F be a nite eld with jF j d and let s F Then

for every sequence v v u u of eldelements there exists a unique polynomial

d d

p of degree d with p s such that

For i d we have pi v

For i d we have q i u where q is the truncation of p to degree d

Namely the coecients of q are the coecients of the d lower degrees of p

Pro of See Section B 2

Pro of of correctness adaptive case

Let A b e a tlimited adaptive Failstop adversary where n t we incorp orate the

scheduler within the adversary Termination is shown as in the nonadaptive case pro

vided that the Consensus proto col in use is resilient against adaptive adversaries To show

Security we construct an idealmo del adversary S t b h c O as in Denition We

remark that our construction of S uses only with blackbox access to A Here we assume

nonerasing parties That is each party keeps all the information gathered during the

computation This information consists of the partys input and random input and the

messages received from other parties

Construction of the idealmo del adversary The functions b h c O are determined

via a simulated execution of proto col FS with adversary A That is S hands A information

on the computation in an interactive pro cess that simulates a reallife computation We

use the description of a reallife computation presented immediately ab ove Denition

on page

Recall the denition of the contents and frame of a message presented on page The

information handed to A in the simulated interaction is as follows

S hands A the frame of each message sent by each party according to proto col FS

This is the information seen by the scheduler We note that proto col FS has the

following prop erty At any p oint during the computation the frames of the messages

In Lemma we assume without loss of generality that the corrupted parties are P P

FailStop faults

received by a party so far determine the frame of the next message sent by this party

Thus the frames of the messages sent by the uncorrupted parties are predictable by

the adversary

Up to the decision p oint dened b elow The contents of each message sent from an

uncorrupted party to a corrupted party is set to uniformly chosen random elements

in the eld F

Up to the decision p oint whenever the adversary decides to corrupt a party P the

simulator S pro ceeds as follows

First S hands A simulated contents of all the messages previously received by P The

simulated contents of the messages sent by corrupted parties including parties that

were uncorrupted at the time of sending but b ecame corrupted since are consistent

with the contents already known to the adversary The simulated contents of messages

sent by still uncorrupted parties are chosen uniformly from F

Next S decides to corrupt P in the idealmo del in the rst corruption stage Up on

learning x the input of P the simulator chooses in a way describ ed b elow a simu

i i

lated random input r for P that is consistent with input x with the contents of the

i i i

messages previously received by P as chosen ab ove and with the messages previ

ously sent by P to corrupted parties Note that r determines also the messages that

were supp osedly sent by P to uncorrupted parties Finally S hands A the input x

i i

and the simulated random input r

Functions b c h are determined as follows Let the decision p oint b e the time where

the rst uncorrupted party invokes the nal Reconstruct ie the Reconstruct of Step of

proto col FS see Figure The selection function b of corrupted parties is determined

as describ ed in Step ab ove Let B b e the set of corrupted parties at the decision p oint

Let C b e the core set decided up on in the initial GShare ie in the GShare of Step of the

proto col For each P C let y b e the value shared by P namely y x for P C

i i i i i i

let y Let y y y Set hx r y and cx r C

i n B B B

The output function O of S is determined as follows At the decidion p oint S asks

the trusted party for the computed function value S continues the ab ove simulation of

proto col FS with the following mo dications At the decision p oint S computes each

corrupted partys share of the output line of the circuit This can b e eciently done based

on S s information on the computation Next S chooses a random p olynomial p such

that p f y and for each corrupted party P the value p j equals P s share of

C j j

the output line The p olynomial p plays a similar role as in the nonadaptive case

In the simulated run each uncorrupted party P executes the nal Reconstruct proto col

with input p i If the adversary decides to corrupt P after the decision p oint then S

pro ceeds as in Step ab ove with the exception that the chosen random input r should b e

consistent also with P having p i as input to the nal Reconstruct In the ideal mo del

these corruptions are part of the second corruption stage Let w denote the output of the

corrupted parties after this simulated run of proto col FS and let B b e the set of faulty

parties in this run Set O x r f y w

B C

It remains to describ e how the random input r is chosen up on the corruption of a

party P Assume rst that P is corrupted b efore the decision p oint We distinguish the

i i following cases

FailStop faults

Random input for the initial invocation of GShare Here the relevant information

known to the adversary consists of up to t uniformly chosen elements in F sent

by P to corrupted parties S chooses a random p olynomial q of degree t such that

q x where x is P s input and for each corrupted party P the value of q at

i i i j

p oint j equals the value sent by P to P We note that q can b e chosen eciently

i j

Furthermore q has the distribution of a semirandom p olynomial of degree t with

q x This is so since the values sent by the simulated P to corrupted parties

i i

were uniformly chosen from F S sets the random input of P for the initial invocation

of GShare so that the p olynomial chosen in Step a of GShare See Figure is

We remark that the messages received by P from other parties during this invocation

of GShare are irrelevant to P s random choices

Random input for an invocation of MULT The relevant information gathered by A

on P in an invocation of MULT is as follows

P s shares of the input lines of the corresp onding gate These shares are deter

mined by the simulated invocations of the pro cedures for evaluating the input

lines of this gate

Up to t shares of the degreet p olynomial chosen by P in the invocation of

GShare in the Randomization Step Step of MULT see Figure These are

the shares sent by P to corrupted parties

P s shares of the p olynomials shared by other parties in this invocation of

GShare S hands A these uniformly chosen shares up on the corruption of P

as describ ed in Step ab ove

Up to t shares of the degreet p olynomial chosen by P in the DegreeReduction

Step Step of MAT see Figure These are the shares sent by P to corrupted

parties

Let the ngerprint of an invocation of MULT within P consist of this information

seen by A Each ngerprint is consistent with an equal number of random inputs

of this invocation of MULT ie with an equal number of p olynomials chosen by P

in Steps of MULT and MAT This can b e seen in a similar way to Lemma

Each ngerprint can b e completed in the same number of ways to a sequence that

uniquely determines the p olynomials chosen by P Furthermore as remarked in the

pro of of Lemma sampling these p olynomials with the appropriate probability

given a ngerprint can b e done eciently

If P is corrupted after the decision p oint then it may b e the case that P has already

i i

started the nal Reconstruct and has sent p i to corrupted parties In this case P s

simulated random input should b e consistent with P having p i for its share of the output

line of the circuit Such random input can b e eciently sampled in a similar way to the

previous case ie the case where P is corrupted b efore the decision p oint

We note that randomness is used also in the various invocations of Consensus S uses

and hands A up on corruption of P uniformly chosen random inputs for the use of P in

i i the simulated invocations of Consensus

Asynchronous veriable secret sharing

Validity of the idealmo del adversary The validity of the simulation is shown in a

similar way to the nonadaptive case with the exception that an additional type of event is

added to the adversary view of the computation corruption of some party Consequently

the case of corruption of a party has to b e considered in the inductive pro of of Lemma

In Lemma we state the inductive claim of Lemma for the case of a corruption

event A full pro of of this lemma is omitted

Lemma Consider n parties running protocol FS on some input x Let consist of

the rst i events in some instance of the adversary view of this computation such that

l l

the i th event in is the corruption of party P Let c resp c denote the random

variable having the distribution of the information gathered by the adversary in the i th

event in an authentic resp simulated computation given that the adversary view up to

l l

the ith event is Then c and c are equally distributed 2

Asynchronous veriable secret sharing

We dene Veriable Secret Sharing in an asynchronous setting AVSS and describ e an

AVSS scheme Our AVSS scheme is resilient against tlimited Byzantine adversaries in a

network of n parties as long as n t

Our construction uses ideas app earing in BGW FM Fe In particular Fe and CR

describ e dierent AVSS schemes for n t and n t resp ectively the CR

scheme is presented in Chapter However in those schemes the parties have a small

probability of error in reconstructing the secret and in CR also a small probability of not

terminating whereas our scheme has no probability of error

We describ e our AVSS scheme as a preamble for our construction for Byzantine adver

saries In our construction we do not use the AVSS scheme as such in an AVSS scheme

the dealer shares a secret among the parties later the parties reconstruct the secret from

its shares In our proto col the parties shares of the secret are further pro cessed and the

reconstructed secret is dierent than the shared secret much as in the FailStop case

Nevertheless for clarity and completeness we rst dene AVSS and describ e a standalone

AVSS scheme the comp onents of this scheme will b e used in the Byzantine proto col

In Section we dene AVSS In Sections through we describ e our AVSS

scheme In Section we prove the correctness of our scheme

A denition

A Veriable Secret Sharing scheme either synchronous or asynchronous consists of two

proto cols a sharing proto col in which a dealer shares a secret among the other parties

and a reconstruction proto col in which the parties reconstruct the secret from its shares

An AVSS scheme should have the following prop erties rst a uncorrupted dealer should

b e able to share a secret in a reconstructible way Furthermore if one uncorrupted party

accepts a sharing of a secret then al l the uncorrupted parties accept this sharing and a

unique secret will b e reconstructed even if the dealer is corrupted Finally if the dealer

is uncorrupted then the shared secret should remain unknown to the corrupted parties

as long as no uncorrupted party has started the reconstruction proto col The following

denition formalizes these requirements in our asynchronous setting

Asynchronous veriable secret sharing

Denition Let S R be a pair of protocols such that each uncorrupted party that

completes protocol S subsequently invokes protocol R with its local output of protocol S as

local input We say that S R is a tresilient AVSS scheme for n parties if the fol lowing

holds for every tlimited adversary

Termination If the dealer is uncorrupted then every uncorrupted player wil l even

tual ly complete protocol S

If some uncorrupted party has completed protocol S then al l the uncorrupted

parties wil l eventual ly complete protocol S

If a uncorrupted party has completed protocol S then it wil l complete protocol R

Correctness Once the rst uncorrupted party has completed protocol S a unique value

r is xed such that

r is each uncorrupted partys output of prtocol R

If the dealer is uncorrupted sharing a secret s then r s

Secrecy If the dealer is uncorrupted and as long as no uncorrupted party has invoked

protocol R then the adversary view of the computation is distributed independently of

the shared secret

Remark We stress that a uncorrupted party is not required to complete proto col S

in case that the dealer is corrupted We do not distinguish b etween the case where a

uncorrupted party did not complete proto col S and the case where a uncorrupted party

has completed S unsuccessfully

An AVSS scheme

We present an outline of our scheme Roughly sp eaking the sharing proto col denoted

VShare consists of three stages rst each party waits to receive its share of the secret

from the dealer Next the parties jointly try to verify that their shares dene a unique

secret Once a party is convinced that a unique secret is dened it lo cally computes and

outputs a corrected share of the secret using the information gathered in the verication

stage

Our AVSS scheme has the following additional prop erty There exists a p olynomial p

of degree t such that each uncorrupted party P s output of proto col VShare is pi and

p is the shared secret This prop erty is at the heart of our construction for Byzantine

adversaries

In the reconstruction proto col denoted VRecon each party sends its share to the

parties in some predened set R the set R is an external parameter with the same role as

in the FailStop case Next each party in R waits to receive enough shares to uniquely

determine a secret and outputs the reconstructed secret In order to deal with p ossibly

erroneous shares we use a pro cedure for error correcting of Generalized ReedSolomon

GRS co des in an online fashion This pro cedure is presented in Section b elow

Asynchronous veriable secret sharing

We turn to describing the VShare proto col in more detail To share a secret s the dealer

chooses at random a p olynomial h of degree t in two variables such that h s

and sends each party P the tdegree p olynomials f hi and g h i Each

i i i

party P now sends a verication message v f j to each party P If the verication

i ij i j

message sent from P to P is correct then party P has v f j hi j g i in

i j j ij i j

this case P conrms party P by Broadcasting OK j i Party P accepts the shared

j i i

secret when it nds a large enough set of parties that have conrmed each other in a dense

enough manner describ ed b elow

We describ e each partys view of the OK Broadcasts in terms of a graph Namely let

the OK graph b e the undirected graph over the no des n where an edge j k exists

if party P completed b oth the OK j k Broadcast initiated by P and the OK k j

i j

Broadcast initiated by P Dene an n tstar in a graph

Denition Let G be a graph over the nodes n We say that a pair C D of sets

such that C D n is an n tstar in G if the fol lowing hold

jC j n t

jD j n t

for every j C and every k D the edge j k exists in G

In the sequel we use star to shorthand n tstar Party P accepts a shared secret when

it nds a star in its OK graph Lemma on page b elow implies that provided that

n t the shares of the uncorrupted parties in a star in the OK graph dene a unique

p olynomial of degree t in two variables Lemma implies that the p olynomials dened

by the stars of every two parties are equal Thus once a uncorrupted party nds a star a

unique secret is dened

Remark conceptually we could have let a party wait to have a clique of size n t instead

of a star in its OK graph b efore accepting a shared secret if the dealer is uncorrupted

then the OK graph will eventually contain such a clique However nding a maximum size

clique in a graph is an NPcomplete problem Instead the party will try to nd a star In

Section we describ e an ecient pro cedure for nding a n tstar in a graph provided

that the graph contains a clique of size n t

We want to make sure that if a uncorrupted party nds a star in its OK graph then

all the uncorrupted parties will nd a star even when the dealer is corrupted and the OK

graph do es not contain a clique For this purp ose up on nding a star the party sends it

to all the other parties Up on receiving an OK Broadcast a party that has not found

a star checks whether any of the suggested stars is indeed a star in its OK graph Note

that an edge in the OK graph of a uncorrupted party will eventually b e an edge in the OK

graph of every uncorrupted party since all the OK messages are Broadcasted thus a

star in the OK graph of some uncorrupted party will eventually b e a star in the OK graph

of every other uncorrupted party

P P

t t

i j

h x y where h s and all the other co ecients h h are That is hx y

ij tt

j i

chosen uniformly and indep endently over F

Our denition of an n tstar is dierent than the standard denition

Asynchronous veriable secret sharing

Party P s output of proto col VShare will b e h i where h is the unique

i i i

p olynomial dened by the star found by P If P is a member of its own star then the

i i

p olynomial g that P received from the dealer satises g h i and P outputs

i i i i i

g If P is not a member of its own star then g may b e erroneous p ossibly P didnt

i i i i

even receive g Therefore up on nding a star C D and if P D then P computes

i i i i i i

h i using the verication messages v it has received or still exp ects to receive from

i ji

the parties P D For the t uncorrupted parties P D we have v h j i

j i j i ji i

Therefore the values received from the parties in D uniquely determine the p olynomial

h i In Section we describ e how this computation is carried out

The co de of the VShare and VRecon proto cols is describ ed in Figures and

resp ectively

proto col VShare

Co de for the dealer on input s

choose a random p olynomial h of degree t in two variables such that h s

For every i n send the p olynomials f h i and g hi to party

i i

Co de for party P

Up on receiving f and g from the dealer and for each j n

i i

send f j to party P

i j

Up on receiving v from party P if v g j then broadcast OK i j

ij j ij i

Up on receiving a broadcast OK j k check for the existence of a star in OK using

pro cedure STAR describ ed in Section b elow If a star C D is found go to

i i

Step and send C D to all the parties

i i

Up on receiving a message C D add C D to the set of suggested stars As

j j j j

long as a star is not yet found then whenever an OK k l Broadcast is received

check whether C D form a star in the OK graph

j j i

Up on nding a star C D and if i D correct p olynomial g based on the

i i i i

verication messages received from the parties in D and using the error correcting

pro cedure OEC describ ed in Section

Namely let V fj v jj D g set g OECt tV

i ij i i i

Once g is corrected lo cally output g

i i

Figure VShare The veriable sharing proto col

Eciently nding a star

We describ e an ecient pro cedure for nding a n tstar in a graph of n no des see Deni

tion on page provided that the graph contains a clique of size n t Namely our

pro cedure outputs either a star in the graph or a message star not found whenever the

input graph contains a clique of size n t then the pro cedure outputs a star in the graph

We follow an idea of Gabril app earing in GJ p There the following approxi

Asynchronous veriable secret sharing

Proto col VReconRa

Co de for party P on input a and with parameter R fP P g

i i n

Send a to the parties in R

Let S fj a j a has b een received from P g

i j j j

If P R terminate without output

Otherwise set z OECt tS and output z

i i i

Figure VRecon The veriable reconstruction proto col

mation algorithm is describ ed if the input graph contains a clique of size n k then a

clique of size n k is found The algorithm is simple nd a maximal matching in the

complementary graph and output the set of unmatched no des Clearly the output is an

indep endent set in the complementary graph thus it forms a clique in the original graph

Furthermore if a graph contains a clique of size n k then any maximal matching in the

complementary graph involves at most k edges and k no des

We rst restate our problem in terms of the complementary graph if the input graph

has an indep endent set of size n t nd sets C D of no des such that jC j n t

jD j n t and no edges exist b etween no des in C and no des in C D We call such a

star In the rest of this section we refer to the complementary graph pair of sets an n t

only

In our pro cedure we nd a maximum matching in the graph say using Ed or MV

Based on this matching we compute sets C D of no des and check whether C D form

star in the graph If the input graph contains an indep endent set of size n t an n t

then the computed sets C D form an n t star in the input graph

We describ e how sets C and D are computed Consider a matching we say that a

no de is a trianglehead if it is unmatched and two of its neighbours are a matched pair

namely the edge b etween these two neighbours is in the matching Let C denote the set

of unmatched no des that are not triangleheads Let B b e the set of matched no des that

have neighbours in C and let D n B

Our pro cedure is describ ed in Figure Figure illustrates the relations among

the dierent subsets of no des

Prop osition Assume procedure STAR outputs C D on input graph G Then

star in G C D form a t

Pro of Clearly if algorithm STAR outputs C D then jC j n t and jD j n t

and C D We show that for every i C and every j D the no des i and j are not

neighbours in G

A matching in a graph is a set M of edges such that no two edges in M have a common endp oint A

matching is maximal if every edge added to it has a common endp oint with an edge in the matching

The complementary graph is the graph in which an edge exists i it do es not exist in the original graph

In fact we only need that the matching cannot b e improved by augmenting paths of length at most

Asynchronous veriable secret sharing

Pro cedure STARtG

input an undirected graph G over the no des n a parameter t

a tstar in the graph G or a message star not found output

Find a maximum matching M in G

Let N b e the set of matched no des namely the endp oints of the edges in M and

let N n N

Verify that the matching M has prop erty P

a Let T b e the set of triangleheads namely set

T fi N j j k st j k M and i j i k Gg

Let C N T

b Let B b e the set of matched no des that have neighbours in C

namely let B fj N j i C st i j Gg

Let D n B

c If jC j n t and jD j n t output C D Otherwise output star not

found

star in a graph Figure STAR A pro cedure for nding a

Figure Partition of the graph G

Asynchronous veriable secret sharing

Assume that i C and j D and that i j is an edge in G As j D we must

have j B By The denition of B we have j N if i C and j N then j B

Furthermore i C N Thus b oth i and j are unmatched Consequently the edge

i j can b e added to the matching to create a larger matching and the matching is not

maximum in this case it is not even maximal 2

Prop osition Let G be a graph over n nodes containing an independent set of size

star in G n t Then procedure STAR outputs a t

Pro of We show that if the input graph G contains an indep endent set of size n t then

the sets C and D determined in Steps a and b of pro cedure STAR are large enough

ie jC j t and jD j n t Consequently the pro cedure outputs C D in Step

Prop osition assures us that C D form a star in G

First we show that jC j n t Let I n b e an indep endent set of size n t in G

and let I n I We adopt the denitions of N T and C in the pro cedure see Figure

Let F I C We show b elow that jF j jI j However jI j t Consequently we have

jC j jI j jF j n t

To see that jF j jI j we show a onetoone corresp ondence F I Let i F since

i C we have either i N or i T

Case i N Then let i b e the no de matched to i in M Clearly i I otherwise

we had an edge i i where b oth i and i are in an indep endent set

Case i T By the denition of T no de i has two neighbours j k such that j k M

Arbitrarily set i j Clearly b oth j and k are in I

Wo show that is onetoone Consider two distinct no des l m F we distinguish

three case

Case l m N In this case l m since M is a matching

Case l N and m T Since m T there exists an edge b etween m and the

no de matched to m Since l N the no de matched to l is l Now assume

that l m Thus l m is an edge in G However b oth l and m are in the

indep endent set I a contradiction

Case l m T Assume l m Let a b e the no de matched to m in M then

b oth l and m are neighbours of b oth m and a However in this case the matching

M is not maximum since for instance M fm ag fm l a mg is a larger

matching

It remains to show that jD j n t Recall that D n B We show b elow that

jB j jM j since G contains an indep endent set of size n t we have jM j t Thus

jD j n jB j n jM j n t

To see that jB j jM j we show that at most one of the endp oints of every edge

a b M is in B Supp ose on the contrary that b oth a and b have neighbours in C and

let c d C b e the neighbours of a and b resp ectively Surely c d otherwise c was a

trianglehead and we had c C However in this case the matching M is not maximum

since for instance M fa bg fa c b dg is a larger matching 2

Asynchronous veriable secret sharing

Online error correcting

Consider the following scenario A party exp ects to receive messages from m parties mes

sage a from party P so that there exists a p olynomial p of degree d satisfying pj a

j j j

for every message a The messages arrive one by one in some arbitrary order further

more up to t of the messages may b e wrong or missing In our context we have m n t

and d t We describ e an ecient pro cedure that enables the party to compute this

p olynomial online namely the party will recognize when the received messages dene a

unique interpolated p olynomial of degree d and compute this p olynomial The following

denitions provide to ols for precisely stating this problem

Denition Let and be integers and let S n F such that for every two

elements i a and i a in S we have i i We say that S is interp olated if there

exists a polynomial p of degree so that at most elements i a S do not satisfy

pa e We say that p is a interp olated p olynomial of S

Remark A dinterpolated vector dened in Section on page is a dierent

formulation of a d interpolated set Note that the interpolated p olynomial of a

interpolated set S is unique provided that jS j Pro of assume S has

two interpolated p olynomials p q Then for at least jS j elements a e S

we have pa e q a However jS j thus p q

Denition Let I be an accumulative set We say that I is eventually

interp olated if for every limited adversary and every run there exists an integer

such that I wil l eventual ly hold a interpolated set of size at least

Let I b e an eventually interpolated accumulative set Using a similar argument

to the one used ab ove it can b e seen that all the interpolated sets of size at least

held in I have the same interpolated p olynomial We call this p olynomial the

interp olated p olynomial of I

Using these notations the dynamic input of the pro cedure describ ed in this section is

an eventually d tinterpolated accumulative set I The required output of this pro cedure

is the d tinterpolated p olynomial of I Denition assures us that at least d t

values in I will sit on a p olynomial of degree t At least t of thus values originate with

uncorrupted parties Consequently the d tinterpolated p olynomial of I is b ound to b e

the correct p olynomial namely the p olynomial dened by the values of the uncorrupted

parties

Our pro cedure denoted OEC for Online Error Correcting consists of up to t it

erations In iteration r the party waits until the accumulative set I is of size at least

d t r then the party uses a pro cedure describ ed b elow that determines whether

this set is d r interpolated and computes the corresp onding interpolated p olynomial If

a d r interpolated p olynomial is found then we output this p olynomial and terminate

Otherwise we pro ceed to iteration r since I is d teventually interpolated it is b ound

to have at least one more element thus iteration r will b e completed

Accumulative sets are dened in Section on page

Asynchronous veriable secret sharing

It is left to describ e how to determine if a given set is d r interpolated and how to

compute the interpolated p olynomial We use a result from Co ding theory Consider the

following co de a word W i a i a is a co deword i there exists a p olynomial

l l

p of degree d such that pi a for every j l This is a Generalized Reed

j j

Solomon GRS co de GRS co des have an ecient error correcting pro cedure that detects

and corrects up to r errors in an input word W provided that jW j d r see

for instance MS pp Let EC denote such a pro cedure Namely let S b e a

d r interpolated set of size at least d r then pro cedure EC on input d r S

outputs the d r interpolated p olynomial of S

Pro cedure OEC is describ ed in Figure

Pro cedure OECd tI

For r t do

Let I denote the contents of accumulative set I when I contains d t r

elements

Wait until jI j d t r Then run ECd r I and let p b e the output

p olynomial

If p is a d r interpolated p olynomial of I namely if for d t elements

i a I we have pi a output p Otherwise pro ceed to the next iteration

Figure OEC A pro cedure for online error correcting

Prop osition Let I be an eventual ly d tinterpolated accumulative set Then pro

cedure OECd tI halts and outputs the d tinterpolated polynomial of I

Pro of Let r b e the smallest r such that I is d rinterpolated since I is eventually

d tinterpolated we have r t All the iterations up to iteration r will b e completed

unsuccessfully The d tinterpolated p olynomial of I will b e found in iteration r 2

Correctness of the AVSS scheme

Theorem The pair VShareVRecon is a tresilient AVSS scheme in a network of

n parties provided that n t

Pro of We assert the Correctness Termination and Secrecy requirements of Denition

on page

Correctness We asso ciate with every uncorrupted party P that completed proto col V

Share a unique p olynomial h of degree t in two variables and show that every two

uncorrupted parties P and P have h h Next we show that Conditions and

i j i j

of the Correctness requirement are met with resp ect to r h for some uncorrupted

party P Moreover we show that party P s output of proto col VShare is h i

i i i

We use two technical lemmas

Asynchronous veriable secret sharing

Lemma Let m d and let f f and g g be polynomials of

m m

degree d over a eld F with jF j m such that for every i d and every j m

we have f j g i and g j f i Then there exists a unique polynomial h of

i j i j

degree d in two variables so that for every i m we have h i f and hi g

i i

Pro of See App endix B 2

Lemma Let h h be two polynomials of degree d in two variables over a

eld F with jF j d and let v v be distinct elements in F Assume that for every

i j d we have hv v h v v Then h h

i j i j

Pro of See App endix B 2

Let P b e a uncorrupted party that completed proto col VShare and let C D b e the

i i i

star found by P Let D b e the set of uncorrupted parties in D and let C b e the set of

i i

uncorrupted parties in C thus jD j jD j t n t and jC j jC j t n t t

i i

since n t Applying Lemma we get that the p olynomials f g of the

j j

parties j D determine a unique p olynomial of degree t in two variables Let h denote

this p olynomial Namely h is the p olynomial asso ciated with P Note that h

i i i

is xed once P has completed proto col VShare

For every other uncorrupted party P let I b e the set of uncorrupted parties in D D

j ij i j

Since n t we have jD D j n t t thus jI j t For every two

i j ij

parties k l I we have h k l v h k l where v is the verication piece sent

ij i k l j k l

by P to P in Step of proto col VShare Applying Lemma we have h h

k l i j

The value r required in the Correctness condition is r h

We assert Condition namely that if the dealer is uncorrupted and has shared a value

s then r s If the dealer is uncorrupted and has chosen a p olynomial h in Step

then for every two parties P P D we have h k l hk l Applying Lemma

k l i

again we get h h In the sequel we omit the subscript from the p olynomial

Next we show that each uncorrupted party P s output of proto col VShare is hi

Polynomial hi is the only interpolated p olynomial of P s accumulative set V in Step

i i

Therefore the output of the error correcting pro cedure OEC in Step will b e hi

and the output of proto col VShare will b e hi

It remains to assert Condition namely that P s output of VRecon is r Every

uncorrupted party P will Broadcast hj in Step thus h is the only interpolated

p olynomial of P s accumulative set S in Step Therefore the output of the error cor

i i

recting pro cedure OEC in Step will b e h and the output of proto col VRecon will

b e h r

Termination Condition If the dealer is uncorrupted then for every two uncorrupted

parties P and P b oth OK j k and OK k j will b e broadcasted since f k hk j

j k j

g j and g k hj k f j Thus every uncorrupted party P will eventually have

k j k i

a clique of size n t in its OK graph Therefore pro cedure STAR will nd a star in

OK and Step will b e completed Step will b e completed since the input of pro cedure

OEC namely the accumulative set V which is based on the star found in Steps or is

eventually t tinterpolated

Condition Let P b e a uncorrupted party that completed proto col VShare and

let C D b e the star found by P Then C D will eventually b e a star in the OK

i i i i i j

Byzantine adversaries

graph of every uncorrupted party P unless P has already completed proto col VShare

j j

Furthermore party P will receive the C D message sent by P in Step and will

j i i i

verify in Step that the sets C D form a star in OK Up on nding a star P will

i i j j

execute Step and complete proto col VShare

Condition If all the uncorrupted parties have started proto col VRecon then the

accumulative set S of Step of each uncorrupted party P is eventually t tinterpolated

i i

Thus all the uncorrupted parties will complete pro cedures OEC and VRecon

Secrecy We use the following notations

For a value v let H denote the set of p olynomials of degree t in two variables with

free co ecient v

We say that a sequence f f g g of p olynomials is interleaved if

t t

for every i j t we have f j g i Let I denote the set of interleaved

i j

sequences of t p olynomials of degree t

Lemma Let F be a eld with jF j d and let s F Then for every interleaved

sequence f f g g in I there exists a unique polynomial h H

d d s

so that for every i d we have h i f and hi g

i i

Pro of See App endix B 2

Assume a uncorrupted dealer and let s b e the shared value Then the dealer has

chosen in Step of proto col VShare a p olynomial h with uniform distribution over

H Furthermore all the relevant information a set of t parties received during an execution

of proto col VShare is an interleaved sequence f f g g in I so that

t t

for every i t we have h i f and hi g

i i

Lemma implies that for every shared value s F this corresp ondence b etween

p olynomials in H and interleaved sequences in I is one to one and onto Therefore a

uniform distribution over the p olynomials in H induces a uniform distribution over the

interleaved sequences in I

Thus all the corrupted parties have after executing proto col VShare is a sequence of

interleaved p olynomials of degree t chosen with uniform distribution over I regardless of

the shared value 2

Byzantine adversaries

As in the FailStop case let the computed function b e f F F and assume that the

parties have an arithmetic circuit computing f We describ e an n party proto col for securely

tcomputing f in an asynchronous network with arbitrary ie Byzantine adversaries

provided that n t

We follow the outline of the FailStop proto col mo difying its comp onents to the Byzan

tine setting First we extend Shamirs Secret Sharing scheme used for FailStop adver

saries to an Asynchronous Veriable Secret Sharing AVSS scheme Next The multipli

cation step is adapted to a Byzantine setting

In our proto col we do not use the AVSS scheme as such in an AVSS scheme the dealer

shares a secret among the parties later the parties reconstruct the secret from its shares In our proto col the parties shares of the secret are further pro cessed and the reconstructed

Byzantine adversaries

secret is dierent than the shared secret much as in the FailStop case Nevertheless for

clarity and completeness we rst dene AVSS and describ e a standalone AVSS scheme

the comp onents of this scheme will b e used in the Byzantine proto col

Our AVSS scheme as well as the multiplication step proto col makes use of error correct

ing techniques for Generalized ReedSolomon GRS co des In the AVSS scheme we describ e

a pro cedure run lo cally by each party that enables the party to lo cate and correct in an

online fashion erroneous or missing messages in a sequence of received messages In the

multiplication step a GRS co deword is generated so that each party holds a piece of this

co deword Each party shares its piece using AVSS then the parties agree without learn

ing further information on a set of parties whose shared pieces are indeed the pieces of the

original co deword

Global Veriable Share

The Global Veriable Share GVShare proto col describ ed in Figure is the Byzantine

counterpart of the FailStop GShare proto col describ ed in Figure on page It

consists of two phases rst each party shares its input using the VShare proto col of the

AVSS scheme Figure on page next the parties use proto col ACS Section on

page to agree on a set C of at least n t parties who prop erly shared their inputs Party

P s output of proto col GVShare is this set C and the ith share of each secret shared by

a party in C Recall that proto col GShare had an additional security parameter d here

the security parameter is xed to d t

Proto col GVSharex

Co de for Party P on input x

i i

Initiate VShare x with P as the dealer

i i i

For j n participate in VShare

Let v b e the output of VShare

j j

Let U fj j VShare has b een completedg Set C ACSn t nU

i j i

Once the set C is computed output C fv jj C g

Figure GVShare The global veriable sharing proto col

Computing a multiplication gate

Let c a b b e a multiplication gate and let A B b e the p olynomials asso ciated with

the input lines Namely each uncorrupted party P s shares of these lines are Ai and B i

resp ectively and A a and B b As in the FailStop case the parties will jointly

compute their shares of a random p olynomial C of degree t with C A B so

that each uncorrupted party P s share of the output line will b e C i

The Byzantine multiplication pro cedure follows the outline of its FailStop counterpart

Namely the parties rst generate a random p olynomial D of degree t with free co ecient

Byzantine adversaries

D A B Then the parties compute their shares of the truncation p olynomial

of D to degree t this truncation p olynomial is the output p olynomial C

We pro ceed to describ e the Byzantine implementations of these two steps

Randomization

The Byzantine randomization step follows the outline of its FailStop counterpart Namely

each party P rst shares in a way describ ed b elow a random p olynomial H of degree

i i

t with H Next the parties use proto col ACS to agree on a set C of parties

that have successfully shared their p olynomial Finally each party P lo cally computes

H i and D i Ai B i H i H i

j C

It remains to describ e how each party P shares its p olynomial H We use the BGW

i i

metho d This metho d has the eect of sharing p olynomial H in the straightforward

way Namely on one hand each party P will have H j on the other hand the information

j i

gathered by the corrupted parties will b e equivalent to each corrupted party knowing only

its share of H Consequently the information gathered by the corrupted parties in the

entire multiplication step will b e indep endent of the computed value ie A B

We describ e this sharing metho d Each party P shares t uniformly chosen values using

t invocations of VShare Let z b e party P s output of the j th invocation of VShare

ijk k

where P is the dealer Up on completing all the t invocations of VShare each party P

i k

k z lo cally computes H k

ijk i

Let us reason this slightly unintuitive sharing metho d for a formal pro of see the pro of

of Theorem on page Let S b e the p olynomial of degree t dened by the j th V

Share initiated by P namely S k z for every uncorrupted party P Polynomial

i ij ijk k

H is now dened as H x x S x each party P lo cally computes H k

i i ij k i

P P

t t

j j l

k S k k z Let s b e the co ecient of x in S x it might b e

ij ijk ijl ij

j j

helpful to visualize

H x

t t

s x s x s x s x

i i it it

t t t

s x s x s x s x

i t it it

t t t

s x s x s x

it it itt

The free co ecient of H is thus H Each p olynomial S is of degree

i i ij

t thus H x is of degree t Furthermore it can b e seen that the co ecients of the

monomials x x in H x and thus the same co ecients of the sum p olynomial H

and in p olynomial D are uniformly distributed over F Consequently the co ecients of

all the nonzero p owers of the truncation p olynomial C are uniformly distributed over

Clearly the corrupted parties gather some extra information on top of the t shares of

H However it is plausible that this information is indep endent of A B party P

i i

t random co ecients and the corrupted parties receive only t values In the chooses t

pro of of Lemma on page we show that the information gathered by the corrupted

parties during the whole multiplication proto col is indep endent of A B

Byzantine adversaries

Degreereduction

Next the parties use their shares of p olynomial D in order to jointly and securely compute

their shares of the truncation of D to degree t namely the t co ecients of the output

p olynomial C are the co ecients of the t lower degrees of D

In the FailStop proto col the parties computed their shares of C by invoking a pro

to col for multiplying the inputs vector by a xed matrix we shortly review this proto col

Let d D D n let c C C n and let M b e the n n matrix such that

d M c First each party P shared its input D i next the parties agreed on a set

of parties that have successfully shared their inputs Once this set G was agreed up on

each party lo cally computed the appropriate matrix M and the pro ducts of his shares by

M Finally the parties invoked n Reconstruct proto cols so that in the ith invocation of

d M Reconstruct party P computed C i

j i

j G ji

In the Byzantine setting the parties will use VShare and VRecon instead of the simple

sharing scheme of the FailStop case Still a ma jor problem remains the agreed set G may

contain corrupted parties P that have shared some value dierent than the exp ected

value D i in this case the parties will not have the exp ected outputs In the rest of this

section we describ e how the parties make sure that the value asso ciated with each party

P in the agreed set namely the free co ecient of the tdegree p olynomial dened by the

uncorrupted parties shares of P s input is indeed D i

For a party P let s b e the value asso ciated with P recall that s is xed once the rst

i i i i

uncorrupted party has completed P s VShare for a set A of parties let S fi s jP

i A i i

Ag We rst note that it is enough to agree on a set G of at least t parties such

that S is t interpolated namely all the values shared by the parties in G sit on a

p olynomial of degree t This is so since the set G b eing of size t contains at least

t uncorrupted parties thus the interpolated p olynomial of S is b ound to b e D

We describ e a proto col for agreement on a set A of parties such that S is t

interpolated This proto col denoted AIS for Agreement on an Interpolated Set is a

distributed implementation of pro cedure OEC describ ed in Section on page

Proto col AIS consists of up to t iterations In iteration r r t the parties rst use

proto col ACS Figure on page to agree on a set G of at least t r parties that

have successfully shares their inputs Next the parties p erform a computation describ ed

b elow to check whether S is t r interpolated If S is t r interpolated then there

G G

r r

exists a set G G of size at least t such that S is t interpolated the parties

r G

will compute and output G Otherwise ie S is not t r interpolated the parties

r r

will pro ceed to the next iteration We stress that the parties will not know the interpolated

p olynomial of each S They will only know whether such a p olynomial exists

It remains to describ e how to check given a set G of size t r whether S is t r

interpolated and how to compute the corresp onding set G ie G G jG j t and

S is t interpolated As in pro cedure OEC we use error correcting for Generalized

ReedSolomon co des However in pro cedure OEC the word S was a dynamic input

of one party Thus each party could lo cally run an error correcting pro cedure In our

setting each party has only one share of each element of S the parties will invoke a joint

computation implementing a sp ecic error correcting pro cedure and use it to check whether

Interpolated sets and interpolated p olynomial s were dened in Section on page

Byzantine adversaries

G is t r interpolated and to compute G

Let us rst outline the particular error correcting pro cedure we will b e implementing

The inputs to this pro cedure are d r W If jW j d r and W is d r interpolated

then the output is the interpolated p olynomial of W Otherwise an appropriate message

is output The pro cedure consists of three steps

Computing the syndrome For an input word W i s i s let V b e the

l l ll

Vandermonde matrix dened by V i Let a s s The syndrome of W

jk k l

is the l d right most elements of the l vector pro duct a V

First compute the syndrome of W

Remark Let Q b e the p olynomial so that for every i a W we have Qi a Then the

vector a V is the vector of the co ecients of Q the syndrome consists of the co ecients

d l

of the monomials x x of Qx In particular if Q is of degree d namely W is a

co deword then the syndrome is the zero vector

Computing the errorvector The errorvector is the l vector e e e where e is

l j

the displacement of s from the correct value Namely assume that W is d r

interpolated and let P b e the d r interpolated p olynomial of W then e

P i s for every element i s W The errorvector is unique since the

j j j j

interpolated p olynomial P is unique

Compute the errorvector using the syndrome A widely used implementation of this

step is the BerlkampMassey algorithm see MS pp

Remark We stress that the errorvector can b e computed based on the syndrome only If the

input word W is not d r interpolated then the computed errorvector may b e erroneous

Computing the output p olynomial Cho ose t correct elements in W namely el

ements i a such that e and use them to interpolate P This step will

j j j

not b e implemented

An imp ortant observation is that the syndrome can b e represented as a function of the

error vector only thus it holds no information on the d r interpolated p olynomial P

of W Namely let P resp Q b e the co ecients vector of the p olynomial P resp Q

completed to length l Polynomial Q is the p olynomial satisfying Qi a for every pair

i a W Then

Q a V P V e V P e V

The last l d elements in P are zero Therefore for l d i l we have

Q e V Consequently the last l d elements in Q namely the syndrome are

i i

a linear combination of the elements of e only

Let us now describ e how we implement and use this error correcting pro cedure in our

setting Each element of the syndrome is a linear combination of the inputs thus the

parties can jointly compute the syndrome That is given an agreed set G each element

of the syndrome of S is computed as follows Each party computes the appropriate linear

combination of its shares and invokes a VRecon proto col with the result of this linear

combination as input Once all these VRecon proto cols are completed each party has the

full syndrome of S G

Byzantine adversaries

Once the syndrome is computed each party uses the BerlkampMassey algorithm in

order to locally compute the error vector If in iteration r S is t r interpolated then

the computed error vector is the true error vector of S however if S is not t r

G G

r r

interpolated then the computed error vector may b e incorrect Consequently the parties

draw the following conclusions Each party draws these conclusions lo cally still all the

uncorrupted parties draw the same conclusions If the computed error vector denoted e

contains more than r nonzero elements then surely S is not t r interpolated and the

parties pro ceed to the next iteration If e contains up to r nonzero elements then the

parties still have to verify that e is the correct error vector let G b e the set of parties

P such that e the parties will recompute the syndrome based on G alone If the

i r

is t interpolated and the parties output recomputed syndrome is all zeros then S

G and terminate If the recomputed syndrome is nonzero the parties conclude that S

r r

is not t r interpolated and pro ceed to the next iteration

Proto col AIS is describ ed in Figure Let z b e P s share of the value shared by P

ij i j

The dynamic input of each party P is the following accumulative set denoted Z once

i i

P has successfully completed P s VShare the pair j z is added to Z The parties

i j ij i

common output is a set G of at least t parties such that each uncorrupted party P

has completed the VShare of every party in G namely G fP jj z Z g and S is

j ij i G

t interpolated

Claim Assume that protocol AIS is run with dynamic inputs Z Z as described

above Then al l the uncorrupted parties terminate protocol AIS with a common set G of at

least t parties such that S is t interpolated

Pro of First assume that the ACS proto col of Step of some iteration is completed by

the uncorrupted parties Then all the uncorrupted parties compute the same syndrome in

Step of this iteration thus all the uncorrupted parties make the same decisions in Step

Consequently all the uncorrupted parties complete this iteration furthermore either all

the parties output a t interpolated set of size at least t or all the parties pro ceed

to the next iteration

Next we show by induction on the number of iterations that as long as the required

set is not found all the uncorrupted parties will complete each invocation of ACS For the

base of induction we note that the sequence U U of the accumulative sets dened in

i n

Step of the rst iteration is t nuniform see Denition on page Thus

all the uncorrupted parties will complete the ACS invocation of the rst iteration For the

induction step assume that the uncorrupted parties have completed the ACS proto col of

iteration r Consequently the sequence U U is t r tuniform Assume further

that the set agreed up on in iteration r is not t r interpolated let G denote this set

Then G contain at most t uncorrupted parties Thus there exists at least one uncorrupted

party in n G This uncorrupted party will eventually b e in the accumulative sets of all

the uncorrupted parties thus the collection U U is t r tuniform Consequently

all the uncorrupted parties will complete the ACS invocation of iteration r

A more timeecient version of this proto col lets the parties execute all the t iterations in parallel

consequently the running time of the proto col is the running time of the slowest iteration In this parallel

version dierent parties may complete the iterations in dierent order Thus the parties need to execute

an additional simple proto col to agree on the iteration whose output is adopted

Byzantine adversaries

Proto col AISZ

Co de for party P on dynamic input Z

i i

for r t do

Let U fP jj z Z g

i j ij i

Set G ACSt r nU

Once G is computed compute the syndrome of S

Let V b e the Vandermonde matrix of the indices in G Namely let G k k

jGj

then V k

ij j

z Let z z

ik i ik

jGj

For t j jGj set VReconz V n

j i j

Let is the syndrome of S

tr G

Run the BerlkampMassey algorithm on and let e b e the output

a If e has more than r nonzero elements continue to the next iteration S is

not t r interpolated

b If e has up to r nonzero elements verify that e is correct

Let G b e the set of parties in G whose corresp onding entry in e is zero Rep eat

step with resp ect to G

is the zero vector output G and halt If the syndrome of S

Otherwise pro ceed to the next iteration S is not t r interpolated

Figure AIS The agreement on an interpolated set proto col

Byzantine adversaries

Finally we note that G namely the set n is t tinterpolated thus the required

set will b e found in iteration t unless it was found b eforehand 2

The multiplication proto col

Combining the Randomization and the DegreeReduction steps we derive a proto col for

computing a multiplication gate The co de is presented in Figure

Proto col BMUL

Co de for party P on inputs a and b

i i i

Randomization

For k t execute VShare r where r F and P is the dealer

ik k k R i

For j n for k t participate in VShare

Let h b e P s output of VShare

ijk i jk

Let U fP j VShare has completed for all k ng

i j jk

Set G ACSn t nU

P P

Set h i h and d a b h

i ijk i i i i

k j G

DegreeReduction

Once d is computed execute VShare d where P is the dealer

i i i i

For j n participate in VShare

Let z b e P s share of P s shared secret

ij i j

and let Z fj z j VShare has b een completedg

ij j

Set G AISZ

Let V b e the matrix used in the FailStop multiplication step as describ ed in section

where j j are the indices of the z on page and let z z

ij i ij

jG j

parties in G

G i

V fj g For j n Set c VReconz

j j

Once c is computed output c

i i

Figure BMUL The Byzantine multiplication gate proto col

The Byzantine proto col

The overall structure of the Byzantine proto col is the same as that of the FailStop proto col

Namely in the Byzantine proto col denoted Bcompute the parties execute the co de of

proto col FStop with the exception that proto cols GShare MUL and Reconstruct are

replaced by proto cols GVShare BMUL and VRecon resp ectively

Theorem Let f F F for some eld F with jF j n and let A be a circuit

e securely computes f in computing f Then protocol BcomputeA asynchronously d

the bounded secure channels setting in the presence of adaptive adversaries and nonerasing parties

Byzantine adversaries

Pro of Here we consider only the case of nonadaptive adversaries The case of adaptive

adversaries is proven in the same way as in Section

The pro of of the Termination prop erty as well as the construction of the idealmo del

adversary is the same as in the pro of of Theorem on page security of proto col

FSCompute We stress that our construction of the idealmo del adversary for FailStop

adversaries is valid even for corrupted parties that change their inputs although in the

FailStop case the inputs of the corrupted parties are not changed

The validity of this construction in the Byzantine setting is shown in the same way

as in the FailStop case with the exception that lemmas analogous to Lemmas and

on pages and resp ectively need to b e proven The pro of of the Byzantine

analogue of Lemma is similar to the pro of of Lemma with the exception that

now the correctness of the uncorrupted parties outputs of the Byzantine implementations

of the dierent proto cols namely GVShare VRecon and BMUL need to b e proven

Correctness of the GVShare and VRecon proto cols is implied by the correctness of the

AVSS scheme correctness of proto col BMUL is discussed in Section

In order to state the Byzantine analogue of Lemma let us redene some notations

The view of a set of parties is dened as in the pro of of Theorem Fix an adversary and

an input vector x The random variables resp take the distribution of the corrupted

parties view of proto col Bcompute run on input x resp the corrupted parties view of

a simulated computation Lemma b elow is the Byzantine analogue of Lemma

Our pro of of Theorem is thus completed 2

Lemma Fix an adversay and an input vector Then the corresponding random vari

ables and are identically distributed

Pro of We use the notations of Lemma Namely x a prex V of length i of a view

namely V is a prex of an instance of either or The random variable s resp

i i

s describ es the distribution of the i th delivered message in resp given that

V is the corresp onding prex of the view

As in the pro of of Lemma it is enough to show that the contents ofs ands are

identically distributed for the case that the sender ofs is uncorrupted and the recipient

is corrupted Each message of proto col Bcompute falls into one of the following cases

Messages of some invocation of VShare We distinguish two cases if the dealer of

the relevant invocation of VShare is uncorrupted then equality of the distributions

of s and s is implied by the pro of of the privacy prop erty of the AVSS scheme

Theorem on page If the dealer is corrupted then the contents of s and

s can b e inferred from the common prex V and are thus equal

Messages of some invocation of ACS This case is trivial since messages of proto col

ACS have empty contents

The last three cases are dierent types of invocations of proto col VRecon We note

that as in the FailStop case in order to show that the contents of al l the messages of

some invocation of VRecon are identically distributed in the two computations it suces

to show that the output of this invocation of VRecon is identically distributed in the two computations

Byzantine adversaries

Messages of the nal invocation of VRecon Namely Step of proto col Bcompute

See gure on page This case is shown using similar considerations to those of

the FailStop case

Messages of an invocation of VRecons within proto col AIS Namely Step of

the AIS See Figure on page We have seen in Section that the outputs

of the VRecons of the AIS proto col are the dierent syndromes computed by the

parties furthermore we have seen that the syndromes are uniquely determined by

the errors introduced by the corrupted parties However these errors can b e inferred

from the common prex V the values asso ciated with each corrupted party P in

i i

each set G can b e inferred from the messages sent by P in the corresp onding invo

r i

cation of VShare these messages app ear in the common prex V Thus the errors

introduced by the corrupted parties as well as the dierent syndromes are identical

in the two computations

Messages of an invocation of VRecon within proto col BMUL Namely Step of

BMUL See Figure on page As in the FailStop case we show that the cor

rupted parties outputs of the t invocations of VRecon along with the contents of

the other messages of this invocation of BMUL received by the corrupted parties are

uniformly and indep endently distributed regardless of the values of the input lines of

the corresp onding multiplication gate

The p olynomial H x interpolated by the parties in Step Randomization of pro

P P

x S x The set G is the output of the cor to col BMUL is H x

j iG

resp onding invocation of ACS and each p olynomial S is the p olynomial dened

by the uncorrupted parties outputs of P s j th invocation of VShare See Section

on page for more details Let us rst regard this p olynomial in a more

convenient way reversing the order of summation we have H x x S x

S All the co ecients of each p olynomial S are uni where S

ij j j

formly distributed since the set G contains uncorrupted parties The contents of the

randomizationphase messages received by the corrupted parties constitute t shares

of each p olynomial S Consequently the data gathered by the corrupted parties

during the entire BMUL proto col adds up to t shares of each one of the t p olynomials

S S along with the outputs of the t invocations of VRecon namely t

shares of the truncation p olynomial C

Fix some arbitrary input p olynomials A and B of the multiplication step Lemma

b elow shows that for each sequence of t t eld elements gathered by the

corrupted parties there exists a unique choice of the p olynomials S S that

yield this sequence However the p olynomials S S are uniformly distributed

thus the sequence of eldelements gathered by the corrupted parties is uniformly

distributed b oth in and in

In Lemma we assume without loss of generality that the corrupted parties are P P

Lower b ounds

Lemma Let F be a nite eld with jF j d and let A and B be polynomials of

degree d over F Then for every sequence a a c c of elements in F there

dd d

exists a unique sequence S S of polynomials of degree d such that

Fore each i j d we have S j a

i ij

Let C be the truncation to degree d of the polynomial

D x Ax B x x S x

Then for i d we have C i c

Pro of See Section B 2

Lower b ounds

We show that our proto cols have optimal resilience b oth in the FailStop and in the Byzan

tine cases Firsr we show in Theorem that there exist functions that cannot b e

esecurely computed in an asynchronous network of n parties if FailStop adversaries are d

allowed We prove this result in two steps First we reduce the problem of secure com

putation in a synchronous network with n t to the problem of secure computation in

an asynchronous network with n t Next we use the results of BGW and also Chor

and Kushilevitz CK that there exist functions that cannot b e securely computed or even

approximated when n t Simple examples of such functions are the OR and AND

functions of n b o olean inputs Even though a direct and conceivably shorter imp ossiblity

pro of for the asynchronous case is p ossible we b elieve that our pro of by reduction is clearer

as well as more general

esecurely Next we show in Theorem that there exist functions that cannot b e d

computed with no probability of error in an asynchronous network if general Byzantine

adversaries are allowed This pro of is a generalization of a technique used in BGW Both

Theorems and apply even to nonadaptive adversaries

We remark that BenOr Kelmer and T Rabin BKR show using techniques from

e securely computed BGW CCD CR how any function can b e asynchronously d

in the presence of Byzantine adversaries with exp onentially small but p ositive probability

of either not terminating or having wrong outputs

For the pro of we use the following notations For an asynchronous proto col a set

G of parties an adversary A and input x let x b e the random variable having the

distribution of the view of the parties in G when running proto col with adversary A and

input x Unlike the notion of adversary view dened in previous sections here the view of

a set of parties do es not include the information seen by the scheduler

A partys output of a computation is a function of its view only Consequently if

x and x are identically distributed for some proto col input x some set

GA GA

G of parties two adversaries A and A and some input x then the output of the parties in

G is identically distributed with adversaries A and A

Lower b ounds

FailStop adversaries

We use the following result of CK This result refers to synchronous networks where the

adversaries are eavesdropping namely the corrupted parties only try to gather information

but otherwise follow the proto col In this mo del we say that a proto col approximates a

the uncorrupted parties b o olean function if for every input with probability greater than

output the function value Informally a proto col is tprivate if every adversary gathers no

information from executing the proto col other than the output of the uncorrupted parties

namely the computed function value

Theorem BGW CK For every n there exist boolean functions f such that

eprivate protocol for n parties that approximates f there is no synchronous d

Some intuition for the pro of of Theorem follows Consider the case where n

and f is the OR function of two b o olean inputs The rst party A should make sure that

if the input of the other party B is then the communication b etween the parties will

b e indep endent of As input otherwise B will learn ab out As input Similarly B should

make sure that if the input of A is then the communication b etween the parties will b e

indep endent of B s input Now consider the case where b oth A and B have input Since

the communication must b e indep endent of b oth inputs the parties will never b e able to

decide on an output

This argument can b e generalized in a simple way to deal with three parties in an

asynchronous network with one p ossible Failstop fault Assume that A is go o d and the

third party C do es not resp ond to As messages Then A must complete the proto col based

only on its communication with B since C may b e faulty Furthermore the communication

with B should b e indep endent of As input for the case where C is go o d but slow and B

is faulty with input The argument now continues as in the synchropbous case

To b e more precise we prove the following lower b ound based on Theorem

Theorem For every n there exist boolean functions f such that no asynchronous

ecomputes f when FailStop adversaries are al lowed protocol for n parties securely d

n n m n

Pro of Let n and let m n d e Hence m b c and d e d e Let

f f g f g b e a b o olean function as in Theorem namely f cannot b e

approximated by any d eprivate proto col Construct the function f f g f g so

that for every nvector x we have f x f x We show that if there exists a proto col

ecomputes f in an asynchronous network of n parties with FailStop that securely d

eprivate synchronous proto col for m parties that adversaries then there exists an d

approximates f The theorem follows

Supp ose we have an nparty asynchronous proto col that securely d ecomputes f

We construct an mparty synchronous proto col as follows In proto col each party

will simulate a party executing proto col in an asynchronous network of n parties The

simulation pro ceeds as follows Let P P b e the parties of the actual synchronous

network Let P P b e the virtual parties addressed by proto col Actual party P

will simulate virtual party P parties P P are not simulated Each actual party

i m n

keeps a queue of incoming messages In each synchronous communication round the

party invokes a cycle of proto col for the rst message in the queue Whenever proto col

Lower b ounds

instructs to send a message to virtual party P for i m the party sends this message

to P If i m the instruction is ignored Once virtual party P terminates actual party

P terminates with the output of proto col P

We note that if the asynchronous proto col do esnt terminate then the synchronous

proto col do esnt terminate as well Thus there may exist executions in which proto col

do esnt terminate We describ e how we avoid this phenomenon at the end of the pro of

eprivate and ap We assert the validity of proto col namely we show that it is d

proximates f An outline of the pro of follows For every synchronous adversary interacting

with proto col we describ e three synchronous adversaries denoted A A and A for

proto col

Adversary A is the adversary that corresp onds to the virtual execution of proto col

when run by proto col With this adversary the messages sent by t parties re

delayed these are the parties P P and additional t parties are corrupted

m n

these are the parties that corresp ond to the actual corrupted parties

Adversary A delivers the messages in the same order as adversary A However

the parties P P are uncorrupted and the parties P P are corrupted The

m m n

security of proto col asserts that with this adversary the parties P P output the

correct function value

Adversary A delivers the messages sent by the parties P P in the same order

as adversary A The messages of the parties P P are p ostp oned until there

m n

are no undelivered messages from the parties P P The corrupted parties are the

parties that corresp ond to the actual corrupted parties The security of proto col

asserts that with this adversary the set of corrupted parties gathers no information

other than the output of the uncorrupted parties

We show b elow that for any synchronous adversary that interacts with the outputs

of the parties P P running proto col are identically distributed in the presence of

all three asynchronous adversaries It follows that for every synchronous adversary the

uncorrupted parties output the correct function value and the corrupted parties gather

no information other than the computed function value Consequently the synchronous

proto col is tprivate and approximates f

We now describ e adversaries A A and A in more detail We partition the set of

parties of proto col namely P P as follows Let B b e the set of parties that

corresp ond to the corrupted parties the synchronous network namely P B i P is

corrupted Let G b e the set of parties that corresp ond to uncorrupted parties in the

synchronous network ie G fP P g B Let L b e the set of silent parties

namely L fP P g

m n

the corrupted parties are the parties in B they follows Adversary A Corrupted parties

the proto col without failstopping

Scheduler messages sent from the parties in P P are delivered in a round

robin messages sent from the parties in L are not delivered

Adversary A Corrupted parties the corrupted parties are the parties in L they do not

send any messages

messages sent from the parties P P are delivered in a round robin Scheduler

Lower b ounds

By the denition of asynchronous secure computation Denition on page the

following prop erty holds with adversary A on every input x the parties in G B must

complete proto col with output f x for some core set C of size at least m n d e

The only inputs available are the inputs of the parties P P Thus with adversary

A the parties in G B output f x In the sequel we use this observation only for the

parties in G

Furthermore it can b e seen by induction on the number of communication events that

the following relation holds for every asynchronous proto col and for every input vector

x Every prex of a view of the parties P P when running proto col on input x is

identically distributed with adversaries A and A Thus x and x are

mA mA

1 2

identically distributed Consequently the outputs of the parties P P are identically

distributed with adversaries A and A

as with adversary A Adversary A Corrupted parties

messages sent from the parties P P are delivered in a round robin Scheduler

messages sent from the parties in L are delayed until all the messages from parties in

P P are delivered

For every input x let x denote the longest prex of x that do es not

contain messages sent by parties in L It can b e seen again by induction on the number

of events in a prex of a view that the random variables x and x

are identically distributed in particular they have the same supp ort set We have seen

ab ove that in every execution where the view of the parties in G is in the supp ort set

of x these parties terminate Consequently with adversary A the parties in

G terminate deciding on an output once their view is in the supp ort set of x

ie b efore any message from a party in L is delivered Furthermore the parties in G

have the same output as with adversary A namely f x In addition since proto col

is secure adversary A gathers no information other than the output of the uncorrupted

parties namely f x Consequently the corrupted parties gather no information other

than the computed function value with adversary A

It remains to x the termination condition of proto col We use the following provi

sion If in the simulated execution proto col do esnt terminate after some predened

large enough number of rounds then the party terminates with some default output We

compute this limit on the number of rounds With adversary A proto col terminates

with probability Consequently there exist an integer k such that on every input with

all the uncorrupted parties complete proto col after k communica probability at least

is arbitrary Any number in the interval would do We tion events The limit

x the limit on the number of rounds to k Thus proto col always terminates and with

the uncorrupted parties output the output of proto col namely probability at least

f x f x We note that this truncated synchronous proto col is d eprivate

m m

since the limit k is indep endent of the inputs 2

Byzantine adversaries

For the pro of of the lower b ound for the Byzantine case we use the following additional

notation Fix some adversary and input vector Let A b e a set of parties Let the conver

sation C among the parties in A b e the random variable having the distribution of the A

Lower b ounds

sequence of all messages sent among the parties in A The order of the messages in each

instance of the conversation is induced by their order in the corresp onding view

Theorem For every n there exist functions f such that no asynchronous protocol

for n parties securely d ecomputes f if Byzantine adversaries are al lowed

Pro of sketch First we note that the straightforward reduction to the synchronous case

used in the previous pro of do es not hold in the Byzantine case for the following reason In

the FailStop case a uncorrupted party has no way of telling whether a party is uncorrupted

or corrupted therefore each uncorrupted party must terminate whenever any set of n t

parties are ready to terminate in the presence of Byzantine adversaries there may exist

strategies for the corrupted parties that cause the uncorrupted parties to recognize some

party P as corrupted In this case the uncorrupted parties can wait for n t parties other

than P Consequently in the simulation of the previous pro of if some corrupted party is

recognized as corrupted then the uncorrupted parties may never terminate

We prove the Theorem for the case n The pro of can b e easily generalized to all n

Let b e a four party proto col that securely computes the following function

if x x

f x x x x

otherwise

Let P P P and P b e the parties and let x b e the input of P

i i

Consider the following setting Party P is corrupted with a strategy describ ed b elow

and the adversary delivers the messages of parties P P and P in a round robin messages

sent by P are delivered only when there are no undelivered messages of the other parties

We show b elow that with small but nonzero probability b oth P and P do not recognize

P as b eing corrupted In this case b oth P and P will terminate before any message of P

is delivered this can b e shown using similar considerations to those of the previous pro of

We show that in this case the output of P is dierent than the output of P

We rst observe that the conversation C is indep endent of b oth x and x consider

fP P g

2 3

for contradiction the rst message in C that dep ends on the input of its sender say

fP P g

2 3

P Then P can learn x regardless of the value of x Consequently it is the combination

of the conversations C and C that determines the output of P Similarly it is

fP P g fP P g

2 3 2 1

the combination of the conversations C and C that determines the output of P

fP P g fP P g

3 2 3 1

Now assume the following strategy of P send some random string instead of each

message exp ected of P Let x x With small but nonzero probability the

combination of the conversations C and C is consistent with input of P and

fP P g fP P g

1 2 2 3

some input of P and at the same time the combination of the conversations C and

fP P g

1 3

C is consistent with input of P and some input of P In this case b oth P and P

fP P g

3 2

terminate before any message of P is delivered Furthermore P outputs and P outputs

That is P and P have dierent outputs and the proto col is not secure 2

Remark Using a technique similar to the technique of the ab ove pro of it can b e shown

that there exist functions that cannot b e securely computed in a synchronous network where

a third of the parties are corrupted This result is stated in BGW Moreover the result

for the synchronous case is much stronger consider a secure synchronous proto col for

computing the AND function of three variables ie ANDx x x i x x

x in a network where the parties are fP P P g and one corrupted party P do es

A Exp ected running times

not send any messages Using the same argument as in the ab ove pro of it can b e shown

that the view of party P is indep endent of the input of P and the view of party P is

indep endent of the input of P Consequently there must exist inputs for which the output

of the uncorrupted parties is incorrect with probability at least one half instead of negligible

probability in the ab ove pro of

We note that this synchronous strategy for the corrupted party is useless in our asyn

chronous mo del if a corrupted party P do es not send messages or alternatively if this

party is caught sending nonsense messages then the uncorrupted parties may interact

with n t parties other than P

A Exp ected running times

We analyze the running times of proto cols FScompute and Bcompute First let us infor

mally present the standard denition of the running time of an asynchronous proto col

Consider a virtual external clo ck measuring time in the network of course the players

cannot read this clo ck Let the delay of a message b e the time elapsed from its sending

to its receipt Let the p erio d of a nite execution of a proto col b e the longest delay of a

message in this execution The duration of a nite execution is the total time measured by

the global clo ck divided by the p erio d of this execution Innite executions have innite

duration

The exp ected running time of a proto col is the maximum over all inputs and applicable

adversaries of the average over the random inputs of the players of the duration of an

execution of the proto col

Let n b e the number of parties and let d b e the depth of the computed circuit Consider

proto col FScompute The exp ected running time of proto col ACS is O log n thus the

exp ected running time of proto col GShare is also O log n Proto col Reconstruct runs in

constant time Consequently each invocation of proto col MUL has exp ected running time

of O log n and Proto col FScompute has exp ected running time of O d log n

Consider proto col Bcompute Proto cols VShare and VRecon run in constant time

Proto col AIS as presented in Figure on page consists of O n iterations where

each iteration has exp ected running time of O log n However as remarked at the end of

Section we can let all iterations run in parallel in this version proto col AIS has

exp ected running time of O log n Consequently proto col Bcompute runs in O d log n

exp ected time

B Pro ofs of technical lemmas

k k j

In the sequel we let V denote the k k Vendermonde matrix where V i

Note that V is nonsingular When the dimension k is obvious we write V instead of

Lemma Let F be a nite eld with jF j d and let s F Then for every sequence

v v u u of eldelements there exists a unique polynomial p of degree d with

d d

p s such that

For i d we have pi v i

B Pro ofs of technical lemmas

For i d we have q i u where q is the truncation of p to degree d ie

the coecients of q are the coecients of the d lower degrees of p

Pro of Let p p b e the co ecients of p olynomial p claimed in the Lemma Then

the following d equations hold

d d d

p p p p v

d d d

p d p d p d p d v

d d d d

p s

p p u

p d p d u

d d

We show that the equations in the variables p p are linearly indep endent

The co ecients matrix M of the left hand side of can b e partitioned into

A B

dd dd

Matrix C equals V thus the last d rows of M are linearly indep endent

We show that matrix B is nonsingular let D b e the d d diagonal matrix where

d d d

D i then B D V Matrices V and D are nonsingular thus B is nonsingular

as well Therefore the rst d rows of M are linearly indep endent

Assume that some linear combination c of the rst t rows of M equals a linear combina

tion of the last d rows Then the same linear combination c restricted to the columns

of B yields a row of d zeros in contradiction with the nonsingularity of matrix B

We remark that the p olynomial p can b e eciently computed Furthermore given

a degree t d it is p ossible to eciently sample a random p olynomial of degree t that

satises conditions and of the lemma 2

Lemma Let m d and let f f and g g be polynomials of degree

m m

d over a eld F with jF j m such that for every i d and every j m we

have f j g i and g j f i Then there exists a unique polynomial h of degree

i j i j

d in two variables so that for every i m we have h i f and hi g

i i

Pro of Let E b e the d d matrix where E is the co ecient of x in f x

ij i

Then the i j th entry in E V is f j

Let H V E and let hx y b e the p olynomial of degree d in two variables

i j

where the co ecient of x y is H Then for every i j d we have

hi j V H V E V f j g i

i j

Consequently for every i d the p olynomials f and hi are two p olynomials

of degree d that are equal in d places Thus f hi Similarly g h i

i i

P P

d d

i j

Namely hx y a x y where a a are xed co ecients

ij dd

i j

B Pro ofs of technical lemmas

Now consider an index d i m For every j d we have f j g i by

i j

the construction of p olynomial h we also have h j g i Namely f and hi

j i

are p olynomials of degree d that are equal in d places Consequently f hi

Similarly g h i 2

Lemma Let h h be two polynomials of degree d in two variables over a eld

F with jF j d and let v v be distinct elements in F Assume that for every

i j d we have hv v h v v Then h h

i j i j

Pro of Let W denote the d d Vendermonde matrix dened by W v

ij j

i j

Let H b e the d d matrix where H is the co ecient of x y in hx y Let H

b e similarly dened with resp ect to h x y Using these notations we have

T T

W H W W H W

2 Note that W is nonsingular since v v are distinct Consequently H H

Lemma Let F be a eld with jF j d and let s F Then for every sequence

f f g g of polynomials of degree d such that f j g i for every

t t i j

i j d there exists a unique polynomial h of degree d in two variables with

h s so that for every i d we have h i f and hi g

i i

Pro of Let E b e the following d d matrix For i j d let E f j

ij i

g i let E g and E f Finally let E s Let H V E V

j j j i i

and let hx y b e the p olynomial of degree d in two variables such that the co ecient of

i j

x y is H Similar arguments to those of the pro of of Lemma show that hx y is

the required uniquely dened p olynomial 2

Lemma Let F be a nite eld with jF j d and let A and B be polynomials of

degree d over F Then for every sequence a a c c of elements in F there

dd d

exists a unique sequence S S of polynomials of degree d such that

Fore each i j d we have S j a

i ij

x Let C be the truncation to degree d of the polynomial D x Ax B x

S x Then for i d we have C i c

j i

Pro of Let a a c c b e a sequence of eld elements and let s b e the

dd d ij

co ecient of x in the ith p olynomial in a sequence S S of p olynomials satisfying

requirements and of the Lemma Then requirements and translate to d d equations

in the d d variables s s It remains to show that the d d d d matrix

M of the co ecients of these equations is nonsingular Matrix M has the following form

U U U

B Pro ofs of technical lemmas

where each submatrix W of dimensions d d is constructed by deleting the last

row from V and every matrix U of dimensions d d is constructed by deleting

the i leftmost columns from a V matrix and app ending i zero columns on the right

Clearly the rst d rows in M are linearly indep endent and the last d rows in M are

linearly indep endent It remains to show that no nontrivial linear combination of the rst

d rows equals a linear combination of the last d rows

Let the d dvector L b e a linear combination of the rst d rows let the d d

vector L b e a linear combination of the last d rows and assume that L L We show

that L L Partition L to d blo cks where each blo ck contains d elements the

ith blo ck is a combination of the elements in U

The d rightmost columns of U are zero and the d rightmost columns of W are linearly

d d

indep endent Thus L L involves no rows of W Consequently al l the last d entries

namely the dth blo ck in L are zero

However U is a shiftright by one of U Thus the d rightmost entries in the d th

d d

blo ck of L are zero as well Using a similar argument to that of the last paragraph we get

that al l the entries in the d th blo ck in L are zero

Applying this argument d more times we get that L L 2

C h a p t e r

Asynchronous Byzantine agreement

e resilient asynchronous Byzantine agreement proto col with We describ e the rst d

p olynomial complexity We use ideas and techniques that emerge from secure multiparty

computation See Section for an introductory presentation and discussion

In Section we recall the asynchronous mo del and denitions of Byzantine Agreement

and Asynchronous Veriable Secret Sharing AVSS In Section we state our main

theorems and present an overview of our proto cols In Section we describ e to ols used

e resilient AVSS in our construction In Sections through we describ e our d

scheme In Sections and we describ e our BA proto col given an AVSS scheme

Denitions

We assume the same mo del as in Chapter see Section on page We also use the

same conventions for writing asynchronous proto cols see Section and the same mea

sure of running times of asynchronous proto cols see Section A We redene Byzantine

agreeement and AVSS The denitions here are identical to the denitions in Chapter

Denitions and resp ectively with the exception that here we allow the parties

to not terminate and in AVSS also to have wrong output with small probability

Denition Let be an asynchronous protocol for which each party has binary input

We say that is a terminating tresilient Byzantine Agreement protocol if the fol lowing

requirements hold for every tadversary and every input

Termination With probability al l the uncorrupted parties complete the protocol

ie terminate locally

Correctness Al l the uncorrupted parties who have terminated have identical outputs

Furthermore if al l the uncorrupted parties have the same input then al l the uncorrupted

parties output

Denition Let S be a nite set Let S R be a pair of protocols in which a dealer

D shares a secret s S Al l parties invoke protocol S and later invoke protocol R with the

Overview of the proto cols

local output of protocol S as local input We say that S R is a correct tresilient

AVSS scheme for n parties if the fol lowing hold for every tadversary

Termination With probability the fol lowing requirements hold

If the dealer is uncorrupted then each uncorrupted party wil l eventual ly complete

protocol S

If some uncorrupted party has completed protocol S then each uncorrupted party wil l

eventual ly complete protocol S

If al l the uncorrupted parties have completed protocol S then al l the uncorrupted

parties wil l complete protocol R

Correctness Once the rst uncorrupted party has completed protocol S then a value r

is xed such that the fol lowing requirements hold with probability

Each uncorrupted party outputs r Namely r is the reconstructed secret

If the dealer is uncorrupted then r is the shared secret ie r s

Secrecy If the dealer is uncorrupted and no uncorrupted party has begun executing proto

col R then the information gathered by the adversary during the computation is independent

of the shared secret

Remark We stress that an uncorrupted party is not required to complete proto col S

in case that the dealer is corrupted We do not distinguish b etween the case where an

uncorrupted party did not complete proto col S and the case where an uncorrupted party

has completed S unsuccessfully

Overview of the proto cols

First let us state our main results

Theorem AVSS Let n t For every there exists a correct

tresilient AVSS scheme for n parties Conditioned on the event that the honest parties

terminate they do so in constant time Furthermore the computational resources required

of each party are polynomial in n and log

Theorem BA Let n t For every there exists a terminating

tresilient asynchronous Byzantine Agreement protocol for n parties Conditioned on the

event that the honest parties terminate they do so in constant expected time Furthermore

the computational resources required of each party are polynomial in n and log

Our Byzantine Agreement proto col is complex and involves many layers To facilitate

the reading we rst present an overview of our proto col Let F b e a eld of size greater

than n All the computations in the sequel are done in F The BA proto col employs the

idea of using common coins to reach agreement as follows

BA using Common Coin This part of our proto col follows the constructions of Rabin

Bracha and Feldman MRa Br Fe The proto col pro ceeds in rounds In each round each

party has a mo died input value In the rst round the mo died input of each party is

his lo cal input In each round the parties invoke two proto cols called Vote and Common

Coin Proto col Common Coin has the following prop erty Each party has a random input

al l the honest and binary output For every value f g with probability at least

Tools

parties output In proto col Vote each party tries to establish whether there exists a

distinct ma jority for some value amongst the parties mo died inputs of this round we

dene distinct ma jority in the sequel If a party recognizes a distinct ma jority for some

value he takes this value to b e his mo died input for the next round Otherwise he sets his

mo died input for the next round to b e the output of proto col Common Coin We show

that no two honest parties ever recognize a distinct ma jority for two dierent values This

all parties have the same is used to show that in each round with probability at least

mo died input

If all the honest parties have the same mo died input in some round then all the

honest parties will recognize this and terminate outputting this value It follows that the

BA proto col terminates within a constant exp ected number of rounds Given that all the

honest parties complete all Common Coin proto cols they invoked then each round of the

Byzantine Agreement proto col terminates in constant time

Common Coin using AVSS Our construction follows Feldman and Feldman and Micali

Fe FM The proto col pro ceeds roughly as follows First each party shares n random

secrets using our AVSS scheme Once a party is assured that enough secrets have b een

prop erly shared he starts reconstructing the relevant secrets Once all these secrets are

reconstructed each party lo cally computes his output based on the reconstructed secrets

AVSS from scratch Our AVSS scheme is constructed in three layers Each layer con

sists of a dierent secret sharing scheme with an allowederror parameter The scheme

of the lowest layer is called Asynchronous Recoverable Sharing ARS The next scheme

is called Asynchronous Weak Secret Sharing AWSS The last top layer is an AVSS

scheme as in Denition Each scheme is used as a building blo ck for the next All

three sharing schemes satisfy the termination and secrecy requirements of Denition

In all three schemes if the dealer is honest then the honest parties always reconstruct the

secret shared by the dealer The correctness prop erty for the case that the dealer is faulty

is upgraded from ARS to AWSS and nally to AVSS

ARS Once the rst honest party completes the reconstruction phase a subset S F

of size t is xed With probability each honest party will reconstruct a value

r S fnul l g We stress that it is not required that all honest parties end up with the

same reconstructed value

AWSS Once the rst honest party completes the sharing phase a value s is xed With

probability each honest party will reconstruct either s or nul l

AVSS Once the rst honest party completes the sharing phase a value s is xed With

probability each honest party will reconstruct s

Tools

Information Checking Proto col ICP

The Information Checking Proto col ICP is a to ol for authenticating messages in the

presence of computationally unbounded faulty parties The ICP was introduced by T

Tools

ICP

Generation phase Gen

The dealer D having a secret s F chooses random values y y and

b s y for i k b b uniformly distributed in F He computes c

i i k i

y y to I D sends s and y

k s

D sends the check vectors b c b c to R

k k

Verication Ver

I chooses k distinct random indices d d d k and asks R to reveal

k i

c b c b

d d d d

k k 1 1

R reveals these values The remaining indices will b e the unrevealed indices

If al l k c y For each one of the revealed indices d I tests whether s b

d d i d

i i i

indices satisfy this requirement then I sets Ver Otherwise he sets Ver

Authentication Auth

I sends s and the rest of the y s to R

then R sets c y If k out of the unrevealed indices d satisfy s b

d d i d

i i i

Auth s otherwise Authnul l

Figure The Information Checking Proto col of TRa RB

Rabin and BenOr TRa RB We rst state the prop erties of this proto col Next we sketch

the TRa RB construction

The proto col is executed by three parties a dealer D an intermediary I and a receiver

R The dealer hands a secret value s over to I At a later stage I is required to hand this

value over to R and to convince R that s is indeed the value which I received from D

More precisely the proto col is carried out in three phases

Generations is initiated by D In this phase D hands the secret s to I and some

auxiliary data to b oth I and R

Verification is carried out by I and R In this phase I decides whether to continue or

ab ort the proto col I bases his decision on the prediction whether in the Authentication

phase R will output s the secret held by I We denote continuation resp ab ortion by

Ver resp

Authentication is carried out by I and R In this phase R receives a value s from I

along with some auxiliary data and either accepts or rejects it We denote acceptance of a

secret s resp rejection by Auth s resp null

The ICP has the following prop erties given an allowederror parameter

Correctness

If D holding a secret s I and R are all honest then Ver and Auth s

If I and R are honest and I has decided in the Verication phase to continue the proto

col with lo cal input s then with probability R will output s in the Authentication

phase

If D and R are honest and R accepted a secret s in the Authentication phase then

Asynchronous Recoverable Sharing ARS

s s with probability

Secrecy

If D and I are honest then as long as I has not joined in the Authentication phase R

has no information ab out the secret s

For self containment we sketch the TRa RB construction in Figure

Broadcast

We use the same denition of Bro eadcast as in Chapter see Section We also use

the elegant implementation of Bracha Br describ ed there

Asynchronous Recoverable Sharing ARS

Unlike synchronous systems in an asynchronous system it is not p ossible to decide whether a

party from which messages do not arrive is faulty or just slow As argued in the Introduction

this diculty causes known techniques for AVSS to fail when n t We overcome this

diculty using the Information Checking Proto col ICP describ ed in the previous section

We rst show how the ICP is used to construct ARS

An ARS scheme satises the termination and secrecy requirements of AVSS Denition

Also if the dealer is honest then the honest parties always reconstruct the secret

shared by the dealer The dierence from AVSS lies in the case where the dealer is faulty

For ARS we only require that

Correctness of ARS for the case that the dealer is faulty once the rst honest party

completes the reconstruction phase a subset S F of size n t is dened With

probability each honest party wil l reconstruct a value r S fnul l g We stress

that it is not required that al l honest parties end up with the same reconstructed value

ARS has a synchronizing eect on the network in the sense that it guarantees a

b ounded wait for receiving values even from faulty parties That is if we have completed

the sharing of a value by some party then we are guaranteed to eventually reconstruct some

not necessarily valid value We use this prop erty in the construction of AWSS in the next

section

We describ e our construction Basically we use Shamirs classic secret sharing scheme

Sh while using ICP to verify the shares This way we can make sure that the following

two prop erties hold simultaneously with overwhelming probability a the shares of at

least t honest parties will always b e available at reconstruction and b if the dealer

is honest then all the shares available at reconstruction are the originally dealt shares A

more detailed description of our construction follows

Remark Here as well as in all subsequent secret sharing schemes we use the convention

that the dealer in addition to executing his sp ecic co de also participates as one of the

parties and will eventually have a share of the secret

In fact the version presented here diers from the one in TRa RB in the decision rule for R in the

Authentication stage in the original construction R accepted the secret if there existed an index d that

satised the requirement This mo dication allows us to tolerate elds of size only slightly larger than the number of parties

Asynchronous Recoverable Sharing ARS

Sharing proto col The dealer having a secret s chooses values a a F and

t R

denes the p olynomial f x a x a x s We call this pro cess cho osing a

random p olynomial f x for s Next for each i the dealer sends f i to P We

i i

say that is P s share of s In addition for each share and for each party P the

i i i j

dealer executes the Generation phase of ICP describ ed in Section with party P

acting as the intermediary and party P acting as the receiver The ICP proto col will have

We denote this execution of the appropriate allowed error parameter we set

the Generation phase by Gen In the sequel we omit the parameter from

D ij i

the notation Next every two parties P and P execute the Verication phase of ICP

i j

denoted Ver Success of Ver assures P that with probability P will

ij ij i j

later authenticate his share Once P successfully ie with output terminates t

i i

invocations of Ver he broadcasts OK P A party completes the sharing proto col

up on completing t broadcasts of the form OK P Our proto col denoted ARS

Share is presented in Figure

Denition Let F be a eld and let r t A set fi i g where

i r i

1 r

F is said to dene a secret s if there exists a unique polynomial f x of degree at

most t such that f s and f i for j r We shal l interchangeably say

j i

that the shares dene the polynomial f x

i i

1 r

Using interpolation one can eciently check whether a given set of shares dene a

secret

Reconstruction proto col First each party P initiates an broadcast of his share He

i i

then executes the Authentication phase of ICP with every other party P We denote this

execution by Auth For each party P whose share is accepted namely Auth

ij j ji

party P broadcasts P authenticates P

i i j

Party P considers a share legal if P has b een authenticated by at least t parties

i j j

Once P has t legal shares he computes the secret which they dene and broadcasts it

If there exists a value which is broadcasted by at least n t parties then P output this

value Otherwise P outputs nul l This extra broadcast is required to limit the size of the

set of p ossible values reconstructed by the dierent parties

The reconstruction proto col denoted ARSRec is presented in Figure

Theorem Let n t Then for every the pair ARSShareARSRec

is a correct tresilient ARS scheme for n parties

Pro of Fix a tadversary We show that the Termination and Secrecy requirements of

Denition AVSS are met as well as the Correctness prop erty for the case that the

dealer is honest The Correctness for the case that the dealer is honest was stated ab ove

Termination When the dealer is honest the Verication phase of ICP b etween

every two honest parties will terminate with Ver see the denition of ICP on page

Therefore each honest party will have t successful verications for his share Thus

each honest party P will initiate an broadcast of OK P Consequently each honest

i i

party will complete participation in t broadcasts of the form OK P and terminate

proto col ARSShare

We let e D denote an element e chosen uniformly at random from domain D R

Asynchronous Recoverable Sharing ARS

Proto col ARSShare

Co de for the dealer with secret s

Cho ose a random p olynomial f x for s

f i for i n Set

Execute Gen for i j n Let

2 D ij i

Co de for party P

For all j n Wait until Gen is completed then initiate Ver

D ij ij

If Ver for t parties P then initiate broadcast OK P

ij j i

Up on completing participation in t dierent broadcasts of the form OK P

terminate

Figure The ARS sharing proto col

In this and all subsequent sharing proto cols the dealer also executes the co de of a regular party

Proto col ARSRec

Co de for party P

Broadcast the share

For each party P for whom the broadcast of his share has b een completed with

initiate Auth

If Auth then initiate the broadcast P authenticates P

ji i j

Consider a share legal if at least t broadcasts of the form P authenticates

P have b een completed Create a set called IS standing for Interp olation Set

j i

Add every legal share to IS

Once jIS j t compute using interpolation the secret s dened by the shares

in IS Broadcast P suggests secret s

i i

Wait until completing n t P suggests secret s broadcasts

If there is a value s which app ears in at least n t such broadcasts then output

s Otherwise output nul l

Figure The ARS reconstruction proto col

Termination If one honest party has completed ARSShare then he has com

pleted participation in t OK P broadcasts By the prop erties of broadcast De

nition every honest party will complete these t broadcasts and will thus complete

ARSShare

Termination Let E b e the event that no errors o ccur in all the invocations of

ICP That is all the requirements listed in Section hold with no probability of error

We know that event E o ccurs with probability at least n

Asynchronous Weak Secret Sharing AWSS

If some honest party P has completed the ARSShare proto col then t parties

have broadcasted OK in Step of ARSShare Out of these broadcasts at least

t have originated with honest parties Let G b e this set of at least t honest parties

relative to party P

For each party P G there exist t honest parties who have broadcasted OK P

j i j

Now assume event E o ccurs By the prop erties of ICP for each P G there will b e

j i

t parties P who broadcast P authenticates P Thus the share of each party

k k j

P G will b e considered legal by each honest party Therefore every honest party will

j i

have t legal shares in Step of ARSRec and will suggest some secret Consequently

each honest party will have n t suggested secrets and will complete proto col ARSRec

Correctness If the dealer is honest and event E o ccurs then each share in

the set IS of each honest P has originated with D namely f j Therefore the

i i j

shares in IS dene the secret s shared by the dealer and P will broadcast P suggests

i i i

secret s Consequently each honest party will complete n t such broadcasts out of

which at least n t suggest the secret s Hence each honest party will output s

Correctness Let P b e the rst honest party to complete n t broadcasts of

the form P suggests secret Let S denote the set of secrets suggested in these

n t broadcasts Now consider another honest party P At least n t out of the n t

broadcasts completed by P in Step of ARSRec are of values in S P outputs a non

j j

null value r only if this value app ears n t times in the broadcasts which he completes

However in this case it must b e that r S

Secrecy If the dealer is honest and no honest party has initiated proto col ARSRec

then any set of t t parties have only t shares of the secret along with the data received

during the ICP Generation and Verication Proto cols with resp ect to the other parties

shares of the secret The secrecy prop erties of ICP and Shamirs secret sharing scheme

imply that the shared secret is indep endent of this data 2

Asynchronous Weak Secret Sharing AWSS

We construct an asynchronous secret sharing scheme called Asynchronous Weak Secret

Sharing AWSS An AWSS scheme satises the termination and secrecy requirements of

AVSS Denition on page The correctness requirement is as follows If the dealer

is honest then the honest parties always reconstruct the secret shared by the dealer as in

AVSS The dierence from AVSS lies in the case where the dealer is faulty For AWSS we

only require that

Correctness of AWSS for the case that the dealer is faulty Once an honest party

completes the sharing protocol a value r F fnul l g is xed With probability

each honest party outputs either r or nul lupon completing the reconstruction protocol

Remarks

We stress that if r nul l then some of the honest parties may output r and some

may output nul l The adversary can decide during the execution of the reconstruction

proto col which parties will output nul l

Asynchronous Weak Secret Sharing AWSS

Our construction of ARS describ ed in the previous section do es not satisfy the

requirements from an AWSS scheme There in case that the dealer is faulty the

adversary has the p ower to decide at the reconstruction stage which value each honest

party reconstructs out of the predened set of size t

Our construction Our construction follows the synchronous WSS version of TRa RB

The idea is to make sure that at the end of the sharing proto col each party will have an

interp olation set of parties whose shares will b e available in the reconstruction stage The

availability of these shares is guaranteed using ARS as describ ed b elow The interpolation

sets of every two honest parties P and P will have an intersection of at least t parties

i j

This way if the shares of the parties in the interpolation sets of P and P dene some

i j

secret then they dene the same secret

In the reconstruction stage the shares of all the parties are jointly reconstructed Next

each party computes and outputs the secret dened by the shares of the parties in his

interpolation set If these shares do not dene a secret then the party outputs nul l

Sharing proto col The dealer sharing a secret s F chooses a random p olynomial

f x of degree t for s For each i the dealer sets f i In addition for each share

and for each party P the dealer executes the generation phase of ICP with party P

i j i

acting as the Intermediary and party P acting as the Receiver This part is the same as

in ARSShare

Next each party shares each value received from the dealer including the values re

ceived in the ICPGeneration Proto col using ARSShare Figure Party P creates

a dynamic set C See Section on page for a denition of dynamic sets Once

P completes all the ARSShares of P s values P is added to C Next party P initiates

i j j i i

the ICPVerication Proto col for with each party P C and with the appropriate

i j i

allowederror parameter We denote this execution by Ver

ij i

Let A b e P s set of parties P such that Ver Once jA j t party P

i i j ij i i i

broadcasts A This acceptance set A is the set of parties who will later accept with

i i i

high probability

Let E b e P s dynamic set of parties P C whose broadcast of A has b een completed

i i j i j

E This eligibility set E is and A C Once jE j t party P broadcasts IS

i j i i i i

the set of parties whose share will b e later considered either legal or nul l The interpolation

set IS is the set of parties whose shares will later dene the secret asso ciated with P

i i

Let F b e P s set of parties P whose IS broadcast has b een completed and IS E

i i j j j i

Once jF j n t party P completes the sharing proto col This nal set F is the set of

i i i

parties with whom P will later asso ciate a secret

Reconstruction proto col Remark it will b e seen that when party P executes the

reconstruction proto col he essentially doubles up as each other party ie he lo cally executes

the proto cols of the other parties Initially each party P reconstructs the values shared

using ARSShare by each party P E as follows Recall that each party in E shared in

j i i

the sharing proto col values he received as an intermediary of ICP and values he received

as a receiver of ICP Party P rst invokes ARSRec for all the values that the parties in

E received as intermediaries in ICP Call these invocations of ARSRec preliminary For

each party P E once all the preliminary ARSRec have b een completed P invokes the

j i i

ARSRec of the rest of the values shared by each P A We note that the order in

l j

which the ARSRec are invoked is crucial for the correctness of the scheme

Asynchronous Weak Secret Sharing AWSS

For each party P E and for each party P A once all the necessary values are

j i l j

reconstructed P computes P s exp ected result of Auth by doubling up as P

i l jl l

Next P asso ciates a value with party P as follows If P nds out that t parties in A

i j i j

have outputted Auth then P asso ciates with P We then say that is legal

jl j i j j j

Otherwise P asso ciates the value null with P

i j

Now for each party P F once the values asso ciated with all the parties in IS are

k i k

computed if all the legal shares in IS dene a secret s then P considers s to b e the

k i

secret suggested by P Otherwise the secret suggested by P is nul l

k k

Once the values shared by all the parties in E are reconstructed P computes the secrets

i i

suggested by all the parties in F Again this is done by doubling up as each party in

F If all the parties in F suggest the same secret s then P outputs s Otherwise P

i i i i

outputs nul l Equivalently P can output the secret dened by the reconstructed shares of

the parties in IS If these shares do not dene a secret then P outputs nul l

P F j i

j i

The AWSSShare and AWSSRec are describ ed in Figures and resp ectively

Proto col AWSSShare

Co de for the dealer on parameter and secret s

Cho ose a random p olynomial f x for s Set and to the appropriate values

dep ending on

f i For each two parties P and P execute Gen Set

i j D ij i i

Co de for party P on parameter

Invoke ARSShare as a dealer for each value received from D in Step Partic

ipate in all other invocations of ARSShare

Create a dynamic Communication Set C Add party P to C if all the ARS Shares

i j i

initiated by P have b een completed

For each party P invoke Ver

j ij i

Create an Acceptance Set A Add party P C to A if Ver

i j i i ij i

Once jA j t broadcast Acceptance SetP A

i i i

Create a dynamic Eligibility Set E which will contain the parties P for whom the

i j

broadcast of the form Acceptance SetP A has b een completed and P C

j j j i

and A C

j i

E Broadcast Interpolation setP IS Dene the Interp olation Set IS

i i i

Create a Final Set F which will contain the parties P for whom the broadcast of

i j

the form Interpolation SetP IS has b een completed and IS E

j j j i

Once jF j n t terminate

Figure The AWSS Sharing Proto col

Theorem Let n t Then for every the pair AWSSShareAWSSRec

is a correct tresilient AWSS scheme for n parties

Asynchronous Weak Secret Sharing AWSS

Proto col AWSSRec

Co de for party P on parameter

For each party P E and for each party P A

j i l j

a Execute ARSRec Figure of and of P s values needed for

j j

Auth These values were shared by P in Step of AWSSShare

jl j

b Up on ending the previous step execute the ARSRec of P s values needed for

Auth These values were shared by P in Step of AWSSShare

jl l

c Using the reconstructed values from the two previous steps simulate Auth

acting b oth as P and P If at least t Auth then asso ciate the

j l j j

share with party P else asso ciate null with P

j j j

Let B f j nul l is asso ciated with party P and P IS P F g If all

l l j j i

the shares of B dene a secret s then output s else output nul l

Figure The AWSS Reconstruction Proto col

As in the pro of of Theorem let E b e the event that no errors o ccur in all the invoca

tions of ICP That is all the requirements listed in Section hold with no probability

of error In proving Theorem we assume that event E o ccurs For convenience and

clarity we partition the pro of of Theorem to several short lemmas The Termination

and Secrecy prop erties are taken from Denition

Lemma If P P are honest then eventual ly C C

i j i j

Pro of Let us lo ok at some P C If party P has placed P in C Step then P

l i i l i i

has completed P s ARSShare of Step Due to the Termination prop erty of the ARS

proto col we know that eventually P will also conclude that ARSShare has ended and then

P will add P to C 2

j l j

Lemma If P P are honest then eventual ly E E

i j i j

Pro of Let us lo ok at some P E If party P placed P in E then P has completed

l i i l i i

the broadcast Acceptance setP A and P C and A C Due to the broadcast

l l l i l i

prop erty P will also complete the ab ove broadcast and eventually we will have due to

Lemma P C C and A C C Then P will add P to E 2

l i j l i j j l j

Lemma Termination If the dealer is honest then each honest party wil l

complete protocol AWSSShare

Pro of All honest parties will eventually b e in the sets C and A of every honest party

i i

P Thus A will eventually b e of size t and every honest party P will broadcast

i i i

Acceptance SetP in Step of AWSSShare Thus all honest parties will even

tually b e in the set E of every honest party Consequently every honest party P will

i i

broadcast Interpolation SetP IS in Step Thus every honest party will eventu

i i

ally have jF j t and will complete proto col AWSSShare 2 i

Asynchronous Weak Secret Sharing AWSS

Lemma Termination If some honest party P completes protocol AWSS

Share then each honest party P wil l eventual ly complete protocol AWSSShare

Pro of Assume that party P has completed AWSSShare Thus jF j n t which means

i i

that P has completed n t broadcasts of the form Interpolation setP IS and

i l l

IS E Due to the prop erties of broadcast P will eventually complete these invocations

l i j

of broadcast Due to Lemma we have that eventually E E hence the requirement

j i

that IS E will b e satised and P will complete AWSSShare 2

l j j

Lemma Termination If one honest party has completed protocol AWSS

Share then each honest party wil l complete protocol AWSSRec

Pro of Consider an honest party P For each P F we have P C thus P has

i j i j i i

completed all the ARSShare where P is the dealer Thus P will complete in Steps a

j i

and b of AWSSRec the ARSRec of all the values shared by P Consequently P

j i

will asso ciate a value in Step of AWSSRec with each party P F and will complete

j i

AWSSRec 2

The Correctness prop erty is proven in Lemma through Lemma

Lemma Let be the share that party P received from the dealer in Step of AWSS

j j

Share With overwhelming probability the value which an honest party P associates with a

party P E in Step c of AWSSRec is as fol lows

j i

honest dealer faulty dealer

P honest

j j j

P faulty or nul l

j j

Pro of Party P will asso ciate a value with party P if the following two requirements

i j

hold

is the value which was reconstructed by the ARSRec of P s share

There are at least t parties in A for whom Auth

j j

Consider rst the case where P is honest In this case P shared the value in Step

j j j

of AWSSShare From the correctness of ARS we have that P will reconstruct in Step

a of AWSSRec the correct values of and of P s data needed for executing Auth

j j jl

for each party P A Furthermore at least t out of the parties in A are honest The

l j j

data of these t parties will also b e correctly reconstructed in Step b of AWSSRec

Thus it follows from the prop erties of ICP that P will successfully verify in Step c that

Auth for at least t parties P A and will asso ciate with P

jl l l j j j

Consider the case where P is faulty and the dealer is honest and assume that the value

reconstructed in the ARSRec of P s share is dierent than Party P will in Step

j j i

c of AWSSRec aso ciate a nonnull value with P only if P has Auth for at least

j i jl

t parties P one of these t parties must b e honest We show that if P is honest then

l l

P computes Auth only with negligible probability

i jl

Let i resp r denote the value that P reconstructs in Step a resp b

ijl ijl i

of AWSSRec for P s resp P s data relevant to Auth This data was resp ectively

l j jl

Asynchronous Weak Secret Sharing AWSS

shared by P and P in Step of AWSSShare Recall that here P acts as the Intermediary

j l j

in ICP and P acts as the Receiver Since P is honest ARS ensures that r is indeed

l l ijl

P s data in Auth Therefore if it were true that i is determined by the adversary

l jl ijl

indep endently of r then Prop erty of ICP see Section would imply that P sets

ijl i

Auth with negligible probability However since P is faulty ARS ensures only a

jl j

weaker requirement on i We show that this prop erty suces

ijl

ARS allows i to b e set by the adversary during the reconstruction stage However

ijl

once the rst honest party completes ARSRec a small set S of t p ossible values for

i is xed By the time that S is xed no honest party has yet started the reconstruction

ijl

of r ie of the data shared by P in Step of AWSSShare Thus r is unknown

ijl l ijl

to the adversary when S is xed It follows that the probability that for a given P and

P there exist an honest P and a value such that P computes Auth is

j l j i jl

j j

exp onentially small 2

We dene the following value asso ciated with each party P who has completed AWSS

Share Let

V fk j is the share of an honest party P P IS g

i k k k k j

P F

j i

Let

v if V denes a secret v

i i i

nul l otherwise

We stress that P do es not know V Still V is a useful to ol in our analysis

i i i

We set the value r from the Correctness requirement to b e the value r asso ciated with

the rst honest party P who completes AWSSShare with r nul l Note that jV j t

i i i

and that V and consequently r are dened once P has completed AWSSShare

i i i

Lemma If the values r and r of two honest parties P and P do not equal nul l then

i j i j

r r

i j

Pro of Consider a party P F F F F since b oth F and F are of size n t

l i j i j i j

In IS there are at least t honest parties the shares of which dene a single secret Since

V and V dene a secret it must b e the same secret dened by the shares in IS Hence

i j l

r r 2

i j

Lemma Every honest party P outputs upon completing AWSSRec either r or nul l

i i

Pro of It follows from Lemma that the value that P asso ciates with each honest party

in F is even if the dealer is faulty Note that F contains at least t honest parties

i i i

Thus if the values asso ciated with the parties in F dene a secret then this secret is r

i i

Consequently P outputs either r or nul l 2

i i

Lemma If the dealer is honest sharing a secret s then every honest party P outputs

Pro of It follows from the denition of r that if the dealer is honest then r s Further

i i

more Lemma implies that if the dealer is honest then the values asso ciated with the

parties in F always dene a secret Since the dealer is honest P do es not output nul l It

i i

now follows from Lemma that P outputs s 2 i

Asynchronous Weak Secret Sharing AWSS

Lemma Secrecy If the dealer is honest then the information gathered by the

adversary during AWSSShare is independent of the shared secret

Pro of The pro of is the same as the pro of of Secrecy for the ARS proto col Theorem

We add that the distribution of the information gathered by the adversary in the

invocations of ARSShare during AWSSShare is indep endent of the shared secret 2

TwoSumAWSS

In our AVSS scheme we do not use AWSS as such Instead we use a slight variation of

AWSS called TwoSumAWSS A dealer shares a secret s together with a set fa a g

of auxiliary secrets in a way that allows the parties to separately reconstruct the secret any

one of the auxiliary secrets and the sum s a of the secret with any one of the auxiliary

secrets That is several invocations of the reconstruction proto col will use the shares

obtained in a single invocation of the sharing proto col For each i reconstructing any

single value out of fs a s a g reveals no information on the other two The correctness

i i

prop erty of TwoSumAWSS is stated more formally as follows

Correctness of TwoSumAWSS

If the dealer is honest sharing s fa a g then with probability when

reconstructing the secret resp the ith auxiliary secret or the sum of the secret

and the ith auxiliary secret each honest party outputs s resp a or s a

i i

Once an honest party completes the sharing protocol the values

r fr r g fr r g F fnul lg

s a a sa sa

1 k 1 k

are xed

a With probability when reconstructing the secret resp the ith auxiliary

secret or the sum of the secret and the ith auxiliary secret each honest

party outputs either r resp r or r or nul l

s a sa

i i

b If r is nul l then for each i at least one of fr r g is nul l If r r and

s a sa s a

i i i

r are not nul l then r r r

sa sa s a

i i i

Even if for each i one value out of fa s a g are reconstructed the adversary

i i

gathers no information about the secret s

Our construction of TwoSumAWSS presented in Figure is a straightforward

generalization of our AWSS scheme The scheme is based on the synchronous TwoSum

WSS presented in TRa

The reconstruction proto col is identical to AWSSRec with the addition of parameters

sp ecifying which value should b e reconstructed We denote by AWSSRec resp AWSS

Rec AWSSRec the invocation for reconstructing the secret resp the ith auxiliary

a sa

secret the sum of the secret and the ith auxiliary secret

The correctness of TwoSum AWSS is proven in a way similar to the pro of of correctness

of the AWSS scheme Similar pro ofs app ear in TRa

Asynchronous Weak Secret Sharing AWSS

Proto col TwoSum AWSSShare k

Co de for the dealer on input s a a and

Cho ose random p olynomials f for s and g for each a Let f i and

l l i

g i for l k and i n Let

i li l li li

Send f g to each party P

i i k i i

For every two parties P P invoke Gen Gen Gen

i j D ij i D ij i D ij k i

and Gen Gen

D ij i D ij k i

Co de for party P

Invoke ARSShare as a dealer for each value received from the dealer in

Steps and Participate in all other invocations of ARSShare

Create a dynamic Communication Set C which is the set of all parties for whom all

the invocations of ARS Share have b een completed

For each party P invoke Ver Ver Ver and

j D ij i D ij i D ij k i

Ver Ver

D ij i D ij k i

Create an Acceptance Set A Add party P C to A if all the ab ove invocations of

i j i i

Ver were completed successfully

D ij

Execute the rest of the co de of AWSSShare ie Steps through of Figure

Figure The TwoSum AWSS Sharing Proto col

Asynchronous Veriable Secret Sharing AVSS

The idea of the AVSS scheme is as follows First the dealer sends each party a share

of the secret as in the previous schemes The parties will then commit to their shares

by resharing them using AWSS Next the parties will make sure using a cutandchoose

metho d as in CCD Fe that enough AWSSSharings have b een successful and that the

committed up on shares indeed dene a secret We describ e the scheme in some more

detail Full details app ear in Figure

Sharing proto col The dealer sharing a secret s chooses a random p olynomial f x for

s For each i the dealer sends f i to P In addition the dealer chooses k n t random

p olynomials g x g x of degree t where k is an appropriate security parameter

k nt

p olynomial in log For each such p olynomial g x and for each i the dealer sends

g i to party P Up on receiving all the exp ected values from the dealer each P reshares

i i

the values f i fg i g ig using TwoSumAWSSShare with the appropriate

k nt

allowederror parameter see Section

Next the dealer proves to the parties that their shares indeed dene a secret Each party

P is lo oking for a set IS of at least n t parties such that the TwoSumAWSSShares of

i i

these parties have b een completed and the corresp onding values dene a p olynomial For

this purp ose P participates in up to t iterations as follows Initially all parties are valid

At the b eginning of each iteration P waits until he has completed the TwoSumAWSS

Share of n t valid parties Let IS denote this set of parties in iteration r Next P

ir i

veries using cutandchoose as describ ed in the co de that the share of each party in IS

is valid in a sense dened in Figure P removes from the set of valid parties all the

parties in IS whose validation failed If the validity of the shares of at least n t parties in

IS is conrmed then we say that the iteration was successful In this case P broadcasts

ir i

P confirms P for each party P IS Now P is assured that the shares of the

i j j ir i

parties in IS dene a p olynomial When the verication pro cedure is completed and P

ir i

has completed the TwoSumAWSSShare of at least one other valid party P pro ceeds to

the next iteration

Let F b e P s set of parties who were conrmed by at least t parties Party P

i i i

completes the sharing proto col once jF j t

Reconstruction proto col The reconstruction proto col is simple The share of each

party P is reconstructed using TwoSumAWSSRec Once t shares of parties in

i is

F are reconstructed with a nonnull value party P computes the secret dened by these

i i

shares and terminates

Proto cols AVSSShare and AVSSRec are presented in Figures and resp ectively

Theorem Let n t Then for every the pair AVSSShareAVSSRec

is a correct tresilient AVSS scheme for n parties

Partitioning the proto col into t iterations is done for clarity of exp osition All these iterations are

completed in a constant number of asynchronous time steps

We let TwoSumAWSSRec denote an invocation of TwoSumAWSSRec that corresp onds to the

TwoSumAWSSShare of P i

Asynchronous Veriable Secret Sharing AVSS

Proto col AVSSShare

Co de for the dealer on parameter and secret s

Cho ose a random p olynomial f x for s Send f i to each party P

i i

For l k for j n and for r t do Set k O n log

Pick a random p olynomial g x of degree t and send g i to each party P

ljr ljr i

Up on completing an broadcast

Random vectorb b iteration r partyP see Step a broadcast

jr k jr j

Polynomials of P iteration r g f b g f b

j ir ir k ir k ir

Co de for party P on parameter

Set n Share fg i g ig using

i k nt

TwoSumAWSSShare n k t see Figure Participate in the TwoSum

AWSSShare of other parties

Create a dynamic set C Add each party whose TwoSumAWSSShare of the pre

vious step has b een completed to C

Let V b e the set of valid parties Initially V f ng

i i

A lo cal variable r is set to Initialize sets IS F

ir i

As long as jF j t do

a Wait until jC V j n t and C V IS Set r r Let IS C V

i i i i ir ir i i

Cho ose b b f g and broadcast Random

ir k ir R

vectorb b iteration r partyP

ir k ir i

b Up on completing an broadcast Polynomials of P see Step for l

If b k m n if b execute TwoSumAWSSRec

ljr ljr ma

ljr

then execute TwoSumAWSSRec

msa

ljr

c If any TwoSumAWSSRec of a share of party P terminates with nul l or if

any reconstructed share of P do es not agree with the corresp onding p olynomial

broadcasted by the dealer then P is removed from V and from IS

m i ir

Once all the relevant invocations of TwoSumAWSSRec of shares of parties

in IS are completed if jIS j n t then for each P IS broadcast

ir ir m ir

P confirms partyP In this case we say that the iteration was success

i m

ful

Once there are t broadcasts of the form confirms partyP for some

P see Step c then add P to F

m m i

Figure The AVSS Sharing Proto col

Asynchronous Veriable Secret Sharing AVSS

Proto col AVSSRec

Co de for party P on parameter

For each party P execute TwoSumAWSSRec P s share was shared by

j js j j

P in the TwoSumAWSSShare of Step of AVSSShare

Take any t reconstructed nonnull shares of parties in F and output the secret

dened by these shares

Figure The AVSS Reconstruction Proto col

For convenience and clarity we partition the pro of of Theorem to several lemmas

Throughout the pro of we assume that the following event E o ccurs All invocations of

TwoSumAWSS have b een prop erly completed That is if an honest party has completed

TwoSumAWSSShare then all honest parties will complete all corresp onding invocations

of AWSSRec outputting either the required value or nul l See the Correctness requirement

of TwoSumAWSS on page Event E o ccurs with probability at least n

Lemma Termination If the dealer is honest then each honest party wil l

complete protocol AVSSShare

Pro of Each honest party P will complete the TwoSumAWSSShare of the shares of

each honest party P in Step Thus P will eventually b e in the set IS of P for some

j j ir i

iteration r If the dealer is honest then P s reconstructed shares will agree in Step c

with the p olynomials broadcasted by the dealer Thus P will not b e removed from IS or

j ir

V Hence there will exist an iteration r where all n t honest parties are in IS causing

i ir

each honest party P to broadcast P confirmsP Consequently each honest party

i i j

will b e in the nal set F of each honest P Thus P will have jF j t and will

k k k k

complete AVSSShare We note that all honest parties terminate in a constant number of

asynchronous rounds 2

Lemma Termination If some honest party P completes protocol AVSS

Share then each honest party wil l eventual ly complete protocol AVSSShare

Pro of Assume an honest party P completed proto col AVSSShare Then jF j t

i i

It follows from the correctness prop erties of broadcast that for any honest party P any

party in F will eventually b e in F Thus P will complete AVSSShare 2

i j j

Lemma Termination If AVSSShare has been completed by the honest par

ties then each honest party wil l complete protocol AVSSRec

Pro of Each honest party P has at least t honest parties in F It follows from

i i

the correctness of TwoSumAWSS that the share of each honest party P F will b e

j i

successfully reconstructed by P in Step of AVSSRec Thus P will have at least t

i i

nonnull shares in Step of AVSSRec and will complete the proto col 2

Asynchronous Veriable Secret Sharing AVSS

Lemma Secrecy If the dealer is honest then the information gathered by the

adversary during AVSSShare is independent of the shared secret

Pro of Assuming that TwoSumAWSSShare is secure the relevant information gathered

by the adversary in AVSSShare consists of up to t shares of the p olynomial f shared by

the dealer in Step and up to t shares of each of the random p olynomials shared in Step

Furthermore for each random p olynomial g only one of g or f g is known

It can b e veried that this information is distributed indep endently of the shared secret 2

The Correctness prop erty is proven via Lemmas through

Lemma Once an honest party P executes Step a of AVSSShare in iteration r a

value F nul l is xed for each P IS Furthermore if iteration r was successful

m ir

as dened in Step c of AVSSShare then the fol lowing properties hold with overwhelming

probability

For each P IS nul l

m ir

The set C fm jP IS g denes a secret s

ir m ir

If the dealer is honest then s is the secret s shared by the dealer

When reconstructing P s share using TwoSumAWSSRec in Step of AVSS

m ms

Rec each honest party outputs nul l

Pro of Dene the value to b e the value xed for the secret shared by P in the

TwoSumAWSSShare of Step Once P executes Step a in iteration r he has com

pleted the TwoSumAWSSShare of each P IS It follows from the correctness of

m ir

TwoSumAWSS that the value is xed Part of the lemma also follows

Part It follows from the correctness of TwoSumAWSS that if nul l then

for each l k at least one out of fTwoSumAWSSRec TwoSumAWSS

lir

Rec g will have output nul l Thus for each l k P will have nul l output with

ms+a i

lir

The probability that P has in Step c nonnull output of all the k probability at least

invocations of TwoSumAWSSRec is at most Thus executions where nul l and

iteration r is successful o ccur only with negligible probability

Part We use the same cutandchoose argument as in part Assume that C do es

not dene a secret It follows that for each l k there exists a P such that either the

output of TwoSumAWSSRec is not equal to h m or the output of TwoSum

ma lir

lir

AWSSRec is not equal to h m where h is the corresp onding p olynomial

ms+a lir lir

lir

broadcasted by the dealer Thus for each l k P will detect an error with probability

The probability that P has not detected an error in all the k invocations of at least

TwoSumAWSSRec in Step c is at most Thus iteration r is successful only with

negligible probability

Part The correctness of TwoSumAWSS assures that the value reconstructed

in TwoSumAWSSRec equals the sum of the values reconstructed in TwoSum

ms+a

lir

AWSSRec and in TwoSumAWSSRec Since the dealer is honest he broadcasts

ma ms

lir

in Step of AVSSShare the same p olynomials that he shared in Step Part follows

using the same cutandchoose argument as in parts and 2

Lemma Let C fm jP F and P is honestg where is the value xed for

m i i

m m

P See Lemma Then the fol lowing properties hold with overwhelming probability m

Common Coin

The set C denes a secret s

If the dealer is honest then s is the shared secret s

Pro of Consider two parties P C Then and P m such that m

m m 2 1

1 m 2 m

2 1

b oth P and P were conrmed by honest parties Assume P was conrmed by honest

m m m

1 2 1

party P in iteration r and P was conrmed by honest party P in iteration r Let

j 1 m j 2

1 2 2

C fm jP IS g and let C fm jP IS g Then the inter

j r m j r j r m j r

1 1 m 1 1 2 2 m 2 2

section I C C is of size at least t Lemma implies that the values in I

j r j r

1 1 2 2

are nonnull with overwhelming probability even if the corresp onding parties are faulty It

follows that C and C dene the same secret Part follows

j r j r

1 1 2 2

Part follows from part of Lemma 2

Lemma Let r denote the secret dened by the set C see Lemma An honest

party has output dierent than r of AVSSRec only with negligible probability

Pro of Consider an honest party P The set fm jP F g is a subset of C Thus it

i m i

denes the same secret r P will have at least t honest parties P in F the corresp onding

i j i

reconstructed values will b e nonnull Thus P will b e able to interpolate a value and

this value will b e r 2

Common Coin

We dene an asynchronous common coin primitive and describ e an construction We

employ the AVSS scheme describ ed in Section We rst present a denition of a common

coin primitive

Denition Let be a protocol where each party has local random input and binary

output We say that is a terminating tresilient Common Coin protocol if the

fol lowing requirements hold for every tadversary

Termination With probability al l the honest parties terminate

al l the honest parties Correctness For every value f g with probability at least

output

Our construction with termination parameter Roughly sp eaking the proto col con

sists of two stages First each party shares n random secrets using the AVSSShare proto col

Say that the ith secret shared by of our AVSS scheme with allowed error parameter

each party is assigned to party P Once a party P completes t AVSSShare proto cols

i i

of secrets assigned to him he broadcasts the identity of the dealers of these secrets We

say that these t secrets are attached to P Later the value asso ciated with P will b e

i i

computed based on the secrets attached to him

Up on completing the AVSSShare of all the secrets attached to some P party P is

j i

certain that a xed and yet unknown value is attached to P The way in which this value

will b e computed is describ ed in the proto col Once P is assured that the values attached

to enough parties has b een xed he starts reconstructing the relevant secrets This pro cess

of ensuring that enough values have b een xed is at the heart of the proto col Once all

Common Coin

the relevant secrets are reconstructed each party lo cally computes his output based on the

reconstructed secrets in a sp ecial way describ ed in the sequel The proto col is presented in

Figure b elow

Proto col CommonCoin

Co de for party P given termination parameter

For j n choose a random secret x F and execute AVSS Let

2 ij R

Share for this value Denote the execution by AVSSShare x

ij ij

Participate in all the other AVSSShare proto cols

Create a dynamic communication set C Add party P to C if AVSSShare has

i j i jl

b een completed for all l n

(t+1)

Wait until jC j t Then set C C and broadcast Attach A to P

i i i i

We say that the secrets fx jP C g are the secrets attached to party P

ji j i i

Accept a party P if the broadcast Attach A to P has b een completed and

j j j

C C Let G b e the dynamic set of accepted parties

j i i

(nt)

Wait until jG j n t Then let G G and broadcast P accepts H

i i i i

Say that party P is supp ortive if the P accepts H broadcast has b een received

j j j

and each party in G is accepted namely if G G

j j i

Wait until n t parties are supp ortive Then raise ag reconstruct enabled

Let H denote the current contents of G

i i

Note that a party P who was not considered supp ortive since some P G was

j k j

not in G can b ecome supp ortive later if P is added to G

i k i

Wait until the ag reconstruct enabled is raised Then reconstruct the secrets

attached to all the accepted parties That is for each P C such that P G

k j j i

invoke AVSSRec and let r b e the corresp onding output

k j k j

Note that some parties may b ecome accepted after the ag reconstruct enabled

has b een raised The corresp onding AVSSRec proto cols are invoked immediately

Let u dne For every party P G let V the value asso ciated with P b e the

j i j j

r mo d u sum mo dulo u of all the secrets attached to P That is V

k j j j

k C

Wait until the values asso ciated with all the parties in G are computed If there

exists a party P H where V output

j i j

Otherwise output

Figure The Common Coin proto col

Theorem Let n t Then for every protocol CommonCoin is a

terminating tresilient common coin protocol for n parties

The Termination prop erty is asserted in Lemma The Correctness prop erty is

asserted in Lemmas through Throughout the pro of we assume that the following

event E o ccurs All invocations of AVSS have b een prop erly completed That is if an

honest party has completed AVSSShare then a value s is xed All honest parties will

complete the corresp onding invocation of AVSSRec outputting s If the dealer is honest

Common Coin

then s is the shared secret See Denition Event E o ccurs with probability at least

Lemma Al l the honest parties complete protocol CommonCoin in constant time

Pro of Assume event E o ccurs and let P b e an honest party Then P will complete all

i i

the AVSSShare proto cols initiated by honest parties in Step Thus C will eventually b e

of size t and Step will b e completed

For every honest party P the broadcast Attach A to P will b e received by P

j j j i

Furthermore since P completed the AVSSShare proto col for every P C then P

j k j k j i

will complete these AVSSShare proto cols as well Therefore every honest party will

k j

eventually b e considered accepted by P namely added to the set G Thus G will

i i i

eventually b e of size n t and Step will b e completed Similar reasoning implies that

every honest party will eventually b e considered supp ortive by every honest party in Step

Consequently every honest party will raise his reconstruct enabled ag and will

invoke his AVSSRecs of Step

It remains to b e shown that all the AVSSRec proto cols invoked by each honest party

will b e completed If an honest party received an Attach A to P broadcast then all

j j

the honest parties will receive this broadcast Thus if an honest party invokes AVSSRec

then all the honest parties will invoke AVSSRec Event E now assures us that all the

honest parties will complete all their AVSSRec proto cols Therefore all the honest parties

will execute Step and complete the proto col The invocations of AVSSShare with faulty

dealers need not b e terminated Once an honest party completes Step he may ab ort all

nonterminated invocations of AVSSShare

Given event E all invocations of AVSSShare and AVSSRec terminate in constant time

Proto col broadcast terminates in constant time Thus proto col CommonCoin terminates

in constant time as well 2

Lemma Let u dne Let P be a party whose broadcast Attach A to P in

i i i

Step has been completed by some honest party Then there exists a value v such that

al l the honest parties associate v with P in Step Furthermore

i i

v is xed once the rst honest party has completed the Attach A to P broad

i j j

cast

v is distributed uniformly over u and is independent of the values associated

with the other parties

Pro of Let P b e a party whose Attach A to P broadcast of Step has b een com

i i i

pleted by some honest party Then all the honest parties will complete this broadcast with

output C Furthermore The denition of AVSS assures us that for each party P C

i j i

there exists a xed value r such that all the honest parties reconstruct have r as their

ji ji

output of AVSSRec in Step that is r is the value shared by P and attached

ji ji j

to P Consequently the value that each honest party asso ciates with P in Step is

i i

r mo d u let v b e this value This value is xed once C is xed namely by the

ji i i

P C

j i

time that the rst honest party has completed the broadcast Attach A to P

j j

In remains to show that v is uniformly distributed over u and is indep endent of the

values asso ciated with the other parties Recall that an honest party starts reconstructing

Common Coin

the secrets attached to P namely invokes the AVSSRec proto cols for P C only

i ji j i

after it completes the Attach A to P broadcast Namely the set C is xed before

i i i

any honest party invokes an AVSSRec for some k The Privacy prop erty of AVSS now

k i

assures us that the bad parties have no information on the secrets shared by the honest

parties when the set C is xed Thus the set C as well as the values that were shared

i i

by bad parties are indep endent of the values shared by honest parties Furthermore each

set C contains at least one honest party and honest parties share uniformly distributed

mutually indep endent values Consequently the sum v is uniformly and indep endently

distributed over u 2

Lemma Assume that some honest party has raised the reconstruct enabled ag

Then there exists a set M such that

For each party P M the Attach A to P broadcast of Step has been com

j j j

pleted by some honest party Note that Lemma applies to each P M

When any honest party P raises his reconstruct enabled ag it wil l hold that

M H

jM j

Pro of Let P b e the rst honest party to raise his reconstruct enabled ag Let M

b e the set of parties P for whom P G for at least t parties P who are considered

k k l l

supp ortive by P in Step We show that the set M has the prop erties required in the

Lemma

Clearly M H Thus party P has received the broadcast Attach A to P of

i i k k

every party P M This asserts the rst prop erty of M We now assert the second

prop erty Let P M An honest party P raises his reconstruct enabled ag when

k j

he has found at least n t parties who are supp ortive in Step However P G for at

k l

least t of the P accepts H broadcasts thus there must exist a party P such that

l l l

P G and G H Consequently P H

k l l j k j

We use a counting argument Let m jH j We have It remains to show that jM j

m n t Consider the m n table T relative to party P where T one i P has

i lk i

received the P accepts H broadcast and P G The set M is the set of parties P

l l k l k

such that the k th column in T has at least t one entries There are n t one entries

in each row of T thus there are m n t one entries in T

Let q denote the minimum number of columns in T that contain at least t one

Clearly the worst distribution of the one entries in this table entries We show that q

is letting q columns b e all ones namely each of the q columns has m one entries and

letting each of the remaining n q columns have t one entries This distribution requires

that the number of one entries b e no more than q m n q t However there are

m n t one entries in T Thus we must have

q m n q t m n t

m(nt)nt

Since m n t and n t we have or equivalently q

2 2 2

(nt) nt (n2t) +nt3t m(nt)nt

nt3t t n

n t n t q

mt n2t n2t n2t n2t 3

Byzantine Agreement

Lemma Let and assume that al l the honest parties have completed protocol

CommonCoin Then for every value f g with probability at least al l the

honest parties output

Pro of By Lemma we have that for every party P who is accepted by some honest

party there exists a value v distributed uniformly and indep endently over u such

all the honest parties asso ciate v with P in Step Consequently that with probability

j j

with probability all the honest parties agree on the value asso ciated with each one of

the parties

Consider the case Let M b e the set of parties guaranteed by Lemma

Clearly if v for some party P M and all the honest parties asso ciate v with P

j j j j

then all the honest parties output The probability that at least one party P M has

n 1

jM j

Recall that u dne and that jM j Therefore for all v is

u 3

jM j 038

e Thus Prob all the honest parties output n we have

Consider the case Clearly if no party P has v and all the honest parties

j j

asso ciate v with every P then all the honest parties output The probability of this

j j

n 115

e Thus Prob all the honest parties event is at least

output 2

Byzantine Agreement

Before describing the Byzantine Agreement proto col let us describ e another proto col used

in our construction Roughly sp eaking this proto col denoted Vote do es whatever can b e

done deterministically to reach agreement

The Voting Proto col

In proto col Vote each party tries to nd out whether there is a detectable ma jority for

some value among the binary inputs of the parties More precisely each partys output

of the proto col can take ve dierent values For f g the output stands for

overwhelming ma jority for Output stands for distinct ma jority for Output

stands for nondistinct ma jority It will b e shown that if all the honest parties

have the same input then all honest parties output Furthermore if some honest

party outputs then every honest party will output either or If some

honest party outputs then either all outputs are in f g or all outputs are

in f g

The proto col consists of three rounds having similar structure In the rst round

each party broadcasts his input value waits to complete n t broadcasts of other parties

and sets his vote to the ma jority value among these inputs In the second round each

party broadcasts his vote along with the identities of the n t parties whose broadcasted

inputs were used to compute the vote waits to complete n t broadcasts of other votes

that are consistent with the broadcasted inputs of the rst round and sets his revote to

the ma jority value among these votes In the third round each party broadcasts his revote

Byzantine Agreement

along with the identities of the n t parties whose broadcasted votes were used to compute

the revote and waits to complete n t broadcasts of other revotes that are consistent with

the consistent votes of the second round

Now if all the consistent votes received by a party agree on a value then this party

outputs Otherwise if all the consistent revotes received by the party agree on a

value then the party outputs Otherwise the party outputs

Proto col Vote is presented in Figure b elow

Proto col Votex

Co de for party P on input x

i i

Broadcast InputP x

i i

Dene a dynamic set A Add P x to A if the InputP x broadcast is

i j j i j j

completed

(nt)

Wait until jA j n t Set A to A Then set v to the ma jority bit among

i i i

fx jP x A g and broadcast VoteP A v

j j j i i i i

Dene a dynamic set B Add P A v to B if the VoteP A v broadcast

i j j j i j j j

has b een completed a A and v is the ma jority bit of A

j i j j

(nt)

Wait until jB j n t Set B to B Then set r v to the ma jority bit among

i i i

fv jP vote A B g and broadcast RevoteP B r v

j j j j i i i i

Dene a set C Add P B r v to C if the RevoteP B r v broadcast has

i j j j i j j j

b een completed B B and r v is the ma jority bit of B

j i j j

Wait until jC j n t

If all the parties P B had the same vote v then output and terminate

j i j

Otherwise if all the parties P C have the same revote r v then output

j i j

and terminate

Otherwise output and terminate

Figure The Vote proto col

In Lemmas through we assert the prop erties of proto col Vote as describ e

ab ove The Lemmas hold for every input and every tadversary

Lemma Al l the honest parties terminate protocol Vote in constant time

Pro of The InputP x broadcast of every honest party P in Step will b e completed

j j j

Thus every honest party P will eventually have jA j n t in Step and will broadcast

i i

VoteP A v For every honest party P the broadcast of Step will b e completed An

i i i j

honest party P will add P A v to B for each honest P in Step Thus every honest

i j j j i j

party P will eventually have jB j n t in Step and will broadcast RevoteP B r v

i i i i i

Similarly P will add every honest party P to C Thus every honest party P will

i j i i

eventually have jC j n t in Step Consequently P will complete the proto col We

i i

note that the proto col runs in constant time 2

Lemma If al l the honest parties have input then al l the honest parties output

Byzantine Agreement

Pro of Consider an honest party P If all the honest parties have input then at most t

parties will broadcast as their input in Step Therefore each party P who was added

to B in Step has a ma jority for the value in his A set and v Thus P outputs

i k k i

in Step 2

Lemma If some honest party outputs then each honest party outputs either

Pro of Assume that honest party P outputs The size of B is n t hence for each

i i

other honest party P it holds that B B is of size at least t Thus P will set his

j i j j

revote r v to Therefore every honest party outputs either or in Step 2

Lemma If some honest party outputs and no honest party outputs then

each honest party outputs either or

Pro of Assume some honest party outputs Then at most t parties P broadcasted

a revote r v in Step therefore no honest party P has a unanimous revote

j j j

in Step and no honest party outputs Furthermore at least t parties P have

broadcasted vote in Step therefore no honest party had a unanimous vote in Step

and no honest party outputs 2

The Byzantine Agreement proto col

The Byzantine Agreement proto col pro ceeds in iterations In each iteration each party

has a mo died input value in the rst iteration the mo died input of each party is his

lo cal input In each iteration the parties invoke two proto cols Vote and CommonCoin

Proto col CommonCoin is invoked only after proto col Vote is completed The reason for

this provision will b ecome clear in the pro of of Lemma b elow If a party recognizes a

distinct ma jority for some value in the output of proto col Vote namely output

or then he sets his mo died input for the next iteration to Otherwise he sets

his mo died input for the next iteration to b e the output of the CommonCoin proto col

Proto col CommonCoin is invoked by all parties in each iteration regardless of whether

their output is used Once a party recognizes an overwhelming ma jority for some value

namely output of proto col Vote he broadcasts Once a party completes t

broadcasts for some value he terminates with output

The co de of the Byzantine Agreement proto col is presented in Figure b elow

In Lemmas through we assert the validity of proto col BA These Lemmas hold

for every input and every tadversary

Lemma If al l the honest parties have input then al l the honest parties terminate

and output

Pro of Assume that all the honest parties have input By Lemma every honest

party P has y m by the end of Step of the rst iteration Therefore every

i 1 1

honest party broadcasts Terminate with in Step of the rst iteration Therefore

every honest party will receive at least n t Terminate with broadcasts and at most

t Terminate with broadcasts Consequently every honest party will output 2

Byzantine Agreement

Proto col BAx

Co de for party P on input x and termination parameter

i i

Set r Set v x

1 i

Rep eat until terminating

Set r r Set y m Votev

r r r

Wait until Votev is completed Then set c CommonCoin

r r

a If m set v y and broadcast Terminate with v

r r r r

Participate in only one more Vote proto col and only one more CommonCoin

proto col

b If m set v y

r r +1 r

c Otherwise set v c

r +1 r

Up on receiving t Terminate with broadcasts for some value output

and terminate

Figure The Byzantine Agreement proto col

The purp ose of this restriction is to prevent the parties from participating in an unbounded

number of iterations b efore enough Terminate with broadcasts are completed

Lemma If an honest party terminates with output then al l honest parties terminate

with output

Pro of Let us rst establish that if an honest party broadcasts Terminate with for

some value then all honest parties eventually broadcast Terminate with Let k

b e the rst iteration in which an honest party initiated a Terminate with broadcast

for some value By Lemma every honest party P has y and either m

i k k

or m Therefore no honest party broadcasts Terminate with at iteration k

Furthermore all the honest parties execute the Vote proto col of iteration k with input

Lemma now implies that by the end of Step of iteration k every honest party

has y m Thus all the honest parties broadcast Terminate with

k +1 k +1

either at iteration k or at iteration k

Now assume an honest party terminates with output Thus at least one honest

party broadcasted Terminate with Consequently all the honest parties broadcast

Terminate with Hence every honest party will receive at least n t Terminate

with broadcasts and at most t Terminate with broadcasts Therefore every

honest party will output 2

Lemma Assume al l honest parties have initiated and completed some round k Then

al l honest parties have the same value for v with probability at least

k +1

Pro of We distinguish two cases If all the honest parties execute Step c in iteration k

then all the honest parties set their v value to their lo cal output of proto col Common

k +1

Coin In this case all the parties have the same v value with probability at least

k +1 2

Byzantine Agreement

Otherwise some honest party has set v for some f g either in Step a or

k +1

Step b of iteration k By Lemma no honest party will use either Step a or Step

b to set his v variable to Furthermore with probability at least all the honest

k +1

parties have output of the CommonCoin proto col of Step Therefore with probability

all the honest parties have v at the end of iteration k Note that the at least

k +1

parties outputs of proto col Vote are xed before CommonCoin is invoked Were it not the

case the bad parties could force the output of proto col Vote to prevent agreement 2

Let C denote the event that each honest party completes all the iterations he initiated

up to and includin g the k th iteration that is for each iteration l k and for each

party P if P initiated iteration l then he computes v Let C denote the event that C

l+1 k

o ccurs for all k

Lemma Conditioned on event C al l the honest parties complete protocol BA in con

stant expected time

Pro of We rst establish that all the honest parties terminate proto col BA within constant

time after the rst honest party initiates a Terminate with broadcast in Step a

of the proto col Assume the rst honest party initiates a Terminate with broadcast

in iteration k Then all the honest parties participate in the Vote and CommonCoin

proto cols of all the iterations up to iteration k We have seen in the pro of of Lemma

that in this case all the honest parties initiate a Terminate with broadcast by

the end of iteration k All these broadcasts terminate in constant time Each honest

party terminates up on completing t of these broadcasts

Let the random variable count the number of iterations until the rst honest party

broadcasts Terminate with If no honest party broadcasts Terminate with

then Conditioned on event C all the honest parties terminate each iteration in

constant time It is left to show that E jC is constant We have

Prob k jC Prob jC Prob k jC k

k k k

If follows from Lemma that each one of the k multiplicands of the right hand side of

3 3

Thus Prob k jC It follows via a simple the ab ove equation is at most

4 4

calculation that E jC 2

Lemma ProbC

Pro of We have

C Prob k C jC Prob

k +1 k

k 1

Prob k jC Prob C jC k

k k +1 k

k 1

We have seen in the pro of of Lemma that Prob k jC We b ound the

C jC k If all the honest parties execute the k th iteration and complete term Prob

k +1 k

the k th invocation of CommonCoin then all the honest parties complete the k th iteration

Thus with probability Proto col CommonCoin is invoked with termination parameter 4

Byzantine Agreement

all the honest parties complete the k th invocation of CommonCoin Therefore for

k 1

Inequality yields Prob each k Prob 2 C jC k C

k +1 k

k 1

4 4 4

We have thus shown

Theorem Byzantine Agreement Let n t Then for every

protocol BA is a terminating tresilient asynchronous Byzantine Agreement

protocol for n parties Given that the parties terminate they do so in constant expected

time Furthermore the computational resources required of each party are polynomial in n

and log

C h a p t e r

Proactive security

We introduce a metho d for maintaining the security of systems in the presence of rep eated

however transient breakins to system comp onents We use secure multiparty computation

as a formal setting and use mobile adversaries as a vehicle for concentrating on the mech

anism of recovery from breakins This construction has applications to key management

schemes in actual security systems See Section for an introductory presentation

In Section we dene PP proto cols and recall the denition of pseudorandom function

families In Sections and we describ e our PP proto col and prove its correctness In

Section we describ e some mo dications to our application to secure signon proto cols

In Section we oer an alternative denition of PP proto cols and show that it is implied

by our rst denition

Denitions

The setting We consider a synchronous network with secure channels and computation

ally b ounded mobile adversaries In Section we describ e a relaxation of this security

requirement on the channels For simplicity we assume that at the end of each round each

party can send a message to each other party these messages are received at the b eginning

of the next round It is simple to extend our results to more realistic communication and

synchronization mo dels We remark that here the rounds formalize the applications of the

automatic recovery mechanism describ ed in Section These are dierent than commu

nication rounds Typically a recovery round may take place every several days where a

communication round lasts only a fraction of a second

The Adversary At the b eginning of each round the adversary may corrupt parties

The adversary adaptively decides which parties to corrupt at each round Up on corruption

of a party the entire contents of the partys memory b ecomes known to the adversary

Furthermore the adversary can alter the partys memory and program After some time

the adversary leaves the party Once the adversary has left the party returns to execute

its original program however its memory may have b een altered We call this adversary

a mobile adversary We say that a mobile adversary is tlimited if in each round at most

Denitions

t parties are corrupted We stress that there may exist no party that has never b een

corrupted

A denition of proactive pseudorandomness Consider a network of parties p er

forming some computation in the presence of a mobile adversary The parties have access

to randomness only at the b eginning of the computation Once the interaction starts no

additional randomness is available

The parties will run a sp ecial deterministic proto col this proto col will generate a new

value within each party at each round Given that the parties initial inputs of this proto col

are randomly chosen the value generated within each party at each round will b e indis

tinguishable from random from the p oint of view of a mobile adversary even if the values

generated within al l the other parties at al l rounds are known We call such a proto col a

proactive pseudorandomness PP proto col

We stress that at each round the adversary may know in addition to the data gathered

by the adversary the outputs of all the parties including the uncorrupted ones at all the

previous rounds Still it cannot distinguish b etween the current output of an uncorrupted

party and a random value

More formally consider the following attack called an online attack with resp ect to an

nparty PP proto col Let the input of each party b e taken at random from f g where

k is a security parameter assume n k Furthermore each partys output at each round

is also a value in f g

Online attack

The proto col is run in the presence of a mobile adversary for m rounds m is p olynomial

in n and k where in addition to the data gathered by the adversary the adversary knows

the outputs of all the parties at all the rounds At a certain round l chosen online by

the adversary the adversary chooses a party P out of the uncorrupted parties at this

round The adversary is then given a test value v instead of P s output at this round

The execution of the proto col is then resumed for rounds l m Our denition will

require that the adversary b e unable to say whether v is P s output at round l or a random

value

F or an nparty proto col and a mobile adversary A let A PR resp ectively A R

denote the output of A after an online attack on and when the test value v given to A is

indeed the output of the sp ecied party resp ectively when v is a random value Without

loss of generality we assume that A PR f g

Denition Let be a deterministic nparty protocol with security parameter k We

say that is a tresilient proactive pseudorandomness protocol PP if for every tlimited

polynomial time mobile adversary A for al l c and al l large enough k we have

jProbA PR ProbA R j

where m is the total number of rounds of protocol and the probability is taken over the

parties inputs of and the choices of A We stress that m is polynomial in k

We say that is ecient if it uses resources polynomial in n and k

The Proto col

An alternative denition Using Denition ab ove it can b e shown that the following

prop erty holds for any randomized application proto col run by the parties Consider a

variant of that runs a PP proto col along with and uses the output of as random

input for at each round Then The parties outputs of and are indistinguishable

furthermore running the adversary gains no knowledge it did not gain running In

fact this prop erty may serve as an alternative denition for PP proto cols In Section

we present a more precise denition of this prop erty

Pseudorandom function families Our constructions make use of pseudorandom func

tions families We briey sketch the standard denition

k k

Let F denote the set of functions from f g to f g Say that an algorithm D with

oracle access distinguishes b etween two random variables f and g over F with gap sk if

the probability that D outputs with oracle to f diers by sk from the probability that

D outputs with oracle to g Say that a random variable f over F is sk pseudorandom if

no p olynomial time in k algorithm with oracle access distinguishes b etween f and g F

R k

with gap sk Throughout the pap er we let e D denote the pro cess of choosing an

element e uniformly at random from domain D

We say that a function family F ff g where each f F is sk pseudorandom

k f01g k

if the random variable f where f g is sk pseudorandom A collection fF g is

R k k N

pseudorandom pseudorandom if for all c and for all large enough k the family F is

c k

We consider pseudorandom collections which are eciently constructible Namely there

exists a p olytime algorithm that on input x f g outputs f x

Pseudorandom function families and their cryptographic applications were introduced

by Goldreich Goldwasser and Micali GGM GGM Applications to practical key distri

bution and authentication proto cols were shown by Bellare and Rogaway BR In GGM

it is shown how to construct pseudorandom functions from any pseudorandom generator

which in turn could b e constructed from any oneway function HILL However practition

ers often trust and use much simpler constructions based on DES or other widely available

cryptographic functions

The Proto col

In this section we describ e the basic proto col Several mo dications useful for the application

to secure signon are describ ed in Section

Consider a network of n parties P P having inputs x x resp ectively Each

1 n 1 n

input value x is uniformly distributed in f g where k is a security parameter We as

sume that parties have agreed on a predened pseudorandom function family F ff g

f01g

k k

where each f f g f g

In each round l each party P computes an internal value called a key in a way

i il

describ ed b elow P s output at round l denoted r is set to b e r f where is

i il il

an arbitrary xed value

The key is computed as follows Initially P sets its key to b e its input value namely

il i

x At the end of each round l party P sends f j to each party P Next P

i0 i i j i

erases its key for round l and sets its key for round l to the bitwise exclusive or of the

Analysis

values received from all the parties at this round

f i

il+1

j =1 jl

We stress that it is crucial that the parties erase the old keys In fact if parties cannot

erase their memory proactive pseudorandomness is imp ossible In particular once each

party has b een corrupted in the past the adversary has complete information on the system

at say the rst round Now the adversary can predict all the subsequent outputs of this

deterministic proto col

Analysis

We rst oer some intuition for the security of our proto col This intuition is based on

an inductive argument Assume that at round l the key of an uncorrupted party is

pseudorandom from the p oint of view of the adversary Therefore the value that this

party sends to each other party is also pseudorandom Furthermore the values received by

dierent parties seem unrelated to the adversary thus the value that each party receives

from an uncorrupted party is pseudorandom from the p oint of view of the adversary even if

the values sent to other parties are known Thus the value computed by each uncorrupted

party at round l b eing the bitwise exclusive or of the values received from all the parties

is also pseudorandom

Naturally this argument serves only as intuition The main inaccuracy in it is in the

implied assumption that we do not lose any pseudorandomness in the rep eated applications

of pseudorandom functions A more rigorous pro of of correctness using known techniques

is presented b elow

Theorem Our protocol given a pseudorandom function family is an ecient n

resilient PP protocol

Pro of Let denote our proto col run for m rounds Assume there exists a p olytime

mobile adversary A such that

jProbA PR ProbA R j

for some constant c and some value of k For simplicity we assume that A corrupts

exactly n parties at each round and that A always runs the full m rounds b efore

outputting its guess The pro of can b e easily generalized to all A We show that F is not

pseudorandom Sp ecically we construct a distinguisher D that distinguishes with gap

b etween the case where its oracle is taken at random from F and the case where its oracle

is a random function in F

In order to describ e the op eration of D we dene hybrid probabilities as follows First

dene m hybrid proto cols H H related to proto col Proto col H instructs

0 m i

each party P to pro ceed as follows

In rounds l i party P outputs a random value and sends a random value to each

other party P instead of f and f t resp ectively In other words P uses

t s

sl sl

a random function from F instead of f for his computations

k sl

Analysis

In rounds l i party P executes the original proto col

Ofcourse whenever a party is corrupted it follows the instructions of the adversary

Distinguisher D given oracle access to function g op erates as follows First D chooses

at random a round number l m Next D runs adversary A on the follow

0 R

ing simulated online attack on a network of n parties The corrupted parties follow the

instructions of A The single uncorrupted party at each round l denoted P pro ceeds

(l)

as follows

In rounds l l party P outputs a random value and sends a random value to

0 (l)

each other party as in the rst steps of the hybrid interactions

In round l party P uses the oracle function g to compute its output and messages

0 (l )

Namely it outputs g and sends g j to each other party P

In rounds l l party P follows proto col

0 (l)

Note that D knows which parties are corrupted by A at each round

Once a round is completed D reveals all the parties outputs of this round to A as

exp ected by A in an online attack When A asks for a test value v D pro ceeds as follows

First D chooses a bit b f g If b then D sets v to the actual corresp onding

output of the party chosen by A Otherwise D sets v to a random value Finally if b

then at the end of the simulated interaction D outputs whatever A outputs If b then

D outputs the opposite value to whatever A outputs

The op eration of D can b e intuitively explained as follows It follows from a standard

hybrids argument that there must exist an i such that either

jProbAH PR ProbAH PR j is large or jProbAH R ProbAH R

i i+1 i i+1

j is large Thus if D chooses the correct values for l and b it can use the output of A

to distinguish b etween the two p ossible distributions of its oracle We show that a similar

distinction can b e achieved if l and b are chosen at random

ProbAH PR Namely PR We analyze the output of D as follows Let PR

i i i

is the probability that A outputs after interacting with parties running proto col H and

when the test value given to A is indeed the corresp onding output value of the party that

ProbAH R Let resp b e a random variable A chose Similarly let R

i i

distributed uniformly over F resp over F Assume that D is given oracle access to

k k

Then at round l party P outputs a random value and sends random values to all

0 (l )

the other parties Thus the simulated interaction of A is in fact an online attack of A on

proto col H Therefore if b resp if b then D outputs with probability PR

l l

0 0

resp R Similarly D is given oracle access to then the simulated interaction of A

is an online attack of A on proto col H In this case if b resp if b then D

l +1

outputs with probability PR resp R Thus

l +1 l +1

0 0

m1 m1

X X

PR R PR R ProbD ProbD

i i i+1 i+1

m m

i=0 i=0

PR R PR R

i i i+1 i+1

i=0

PR R PR R

0 0 m m

On the Application to Secure SignOn

Clearly H is the original proto col Thus by the contradiction hypothesis jPR R j

0 0 0

On the other end in proto col H the parties output random values in all the m rounds

c m

1 m 1

2 thus PR R We conclude that jProbD ProbD j

c c m m

2m k 2k

Insecure Links

When describing the mo del we assumed that all the communication channels are secure

ie private and authenticated Here we discuss the eect of insecure channels on our

proto col We note that the proto col remains a PP proto col even if in each round l only a

single uncorrupted party P has a single channel which is secure in round l to a party P

i j

that wasnt corrupted in round l and P had in round l a secure channel to an

uncorrupted party etc

This security requirement on the channels is minimal in the following sense If no

randomness is allowed after the interaction b egins then a mobile adversary that sees the

entire communication can continue simulating each party that has once b een corrupted

even after the adversary has left this party Thus after few rounds the adversary will b e

able to simulate all parties and predict the output of each party at each subsequent round

On the Application to Secure SignOn

In subsection we discussed reconstructible proto cols and describ ed an application of our

PP proto col to proactive secure signon using its reconstructability However as mentioned

there the proto col describ ed in Section is reconstructible only if all the parties servers

follow their proto cols at all times that is the adversary is only eavesdropping

In this section we describ e mo dications of our proto col aimed at two goals one goal

is to make the proto col more ecient for the user the other goal is to maintain the recon

structability prop erty for the case where the servers dont follow their proto cols

We start by describing a variant of the proto col which is more ecient for the user Using

the proto col describ ed in Section the user had to simulate the computation p erformed

by the servers step by step In case that many rounds have passed since the last time the

user up dated its keys this may p ose a considerable overhead Using this variant denoted

the user can compute its up dated key simulating only one round of computation of the

servers On the other hand this variant has a weaker resilience prop erty it assures that

the servers keys b e unpredictable by the adversary only if there exists a server that has

never b een corrupted

The variant is similar in structure to the original proto col with the following mo dica

tion Each P has a master key which is never erased This master key is set to b e the initial

key derived say from the password The master key is used as the index for the

function at all the rounds Namely the key at round l is computed by f i

il il

j =1 j0

It is also p ossible to combine the original proto col with the variant describ ed ab ove

in order to reach a compromise b etween eciency and security We dene a sp ecial type

of round a major round For instance let every th round b e a ma jor round The

parties now up date their master keys using the original proto col only at ma jor rounds In nonma jor rounds the servers use their current master key as the index for the function

An alternative denition of PP

This combined proto col has the following prop erties On one hand the user has one

tenth of the rounds to simulate than in the original scheme On the other hand we only

need that in any p erio d of rounds there exists a server that has not b een corrupted We

b elieve that such versions may b e a more reasonable design for actual implementations

Next we describ e additions to the proto col aimed at maintaining the reconstructability

prop erty for the case where the servers dont follow their proto cols We note that it is

p ossible to withstand crash failures of servers if the servers co op eratively keep track of

which servers crashed at each round this co ordination can b e done using standard consensus

proto cols

The following addition to the proto col handles the case of Byzantine faults if variant

describ ed ab ove is used The only way an adversary controlling party P could interfere

with the reconstructability of variant is by sending a wrong value instead of f i to

some server P However P can when unable to authenticate a user compare each of the

i i

f i values with the user eg using the PP proto col BGH without exp osing any of

the values If there are more than half of the values which match the server and the user

may use the exclusive or of these values only This technique requires that at any round

the ma jority of the servers are nonfaulty otherwise the server may end up using values

which are all known to the adversary We note that this idea do es not work if the basic

proto col that of Section is used instead of variant

An alternative denition of PP

We oer an alternative denition of a PP This denition follows from Denition Bor

rowing from the theory of secure encryption functions we call Denition PP in the

sense of indistinguishabi l ity or in short PP whereas Denition b elow is called

semantic PP or in short SPP We rst recall the standard denition of p olynomial

indistinguishabi li ty of distributions

Denition Let A fA g and B fB g be two ensembles of probability distri

k k N k k N

butions We say that A and B are p olynomially indistinguishable if there exists a constant

c such that for every polytime distinguisher D and for al l large enough k

jProbD A ProbD B j

k k

We collo quially let A B denote fA g and fB g are p olynomially indistinguishable

k k k k

Let b e some distributed randomized proto col which is resilient against tlimited

mobile adversaries for some value of t We wish to adapt proto col to a situation where

no randomness is available once the interaction starts Namely we want to construct a

proto col in which the parties use randomness only b efore the interaction starts and the

parties outputs of proto col are the same as their outputs of proto col

A general framework for a solution to this problem pro ceeds as follows The parties

run proto col along with another deterministic proto col Each partys lo cal input of

proto col is chosen at random at the b eginning of the interaction In each round each

party sets the random input of proto col for this round to b e the current output of proto col

We call a semantically secure proactive pseudorandomnessSPP proto col We refer

to proto col as the application proto col

An alternative denition of PP

We state the requirements from a SPP proto col Informally we want the following

requirement to b e satised for every application Whatever an adversary can achieve by

interacting with combined with proto col as describ ed ab ove could also b e achieved by

interacting with the original proto col when combined with a truly random oracle More

formally

for an nparty randomized application proto col a mobile adversary A an input

vector x x x and i n let xA denote party P s output of proto col

1 n i i

with a random oracle when party P has input x and in the presence of adversary A

j j

Let xA denote As output of this execution Let xA xA x A

0 0 n

For a randomized proto col and a deterministic proto col for which each party

has an output at each round let denote the proto col in which and are run

simultaneously and each party at each round sets the random input of to b e the

current output of

Denition We say that an n party deterministic protocol is a tresilient SPP protocol

if for every randomized application protocol and every tlimited mobile adversary A there

exists a tlimited mobile adversary A such that for every input vector x for protocol we

have

x A x A

where the probabilities are taken over the inputs of and the random choices of A and of

the oracle of

Theorem If a protocol is a tresilient PP protocol then it is a tresilient SPP protocol

C h a p t e r

Conclusion

In this brief chapter we present a p ersonal view of our work and try to p oint out its merits

We also outline some directions for further research

Merit of this work An imp ortant contribution of this work is in our opinion the

precise and workable denitions of secure multiparty computation presented in Chapter

and Section These denitions allow us for the rst time to have a clear and precise

notion of a secure multiparty proto col and to prove security of our proto cols

We b elieve that without these denitions we would not have b een able to come up with

proto cols that solve the adaptive security problem and the problem of secure computation in

asynchronous networks Hop efully the framework and to ols developed for these denitions

will prove helpful in formulating precise denitions of primitives encountered in the future

The longsought solution for the adaptive security problem Chapter allows us to

present secure solutions for an abundance of known proto col problems in the presence

of adaptive adversaries which seem to b e a b etter mo del of reality than nonadaptive

ones Our solution stems from a b etter understanding of the nature of secure multiparty

computation This understanding resulted in a b etter mo deling of the degree of trust the

party have in each other namely in the notion of a semihonest party

Our solution works only for nonerasing parties Investigating this notion of semi

honesty only slightly further one nds out that in a very natural arguably even the

most natural trustmo del namely that of honestlo oking parties we are unable to prove

adaptive security of practically any nontrivial proto col unless a trusted dealer is available

in an initial prepro cessing phase This holds even in the presence of absolutely secure

channels This surprising phenomenon should b e taken into account whenever adaptive

adversaries are considered

The main to ol used in solving the adaptive security problem is noncommitting encryp

tion The essence of these encryptions is separating encryption from commitment Until

this work encryption was thought of as an inevitably committing primitive in the sense

that the ciphertext could serve as a commitment of the sender and of the receiver to

the plaintext We showed that encryption can b e done without commitment and demon

strated the b enets of this separation We b elieve that noncommitting encryption is of

Conclusion

indep endent interest In particular noncommitting encryption may prove to b e a more

secure way to encrypt data than standard encryption in many other scenarios

In the chapter on asynchronous secure computation Chapter we dene what it means

to securely compute or rather approximate a function in an asynchronous setting with

faults We also show in a detailed way how known techniques for constructing proto cols

for securely computing any function can b e adapted to the asynchronous setting Finally

to the b est of our knowledge this is the rst and so far only place where a ful l proof of

security of a construction for securely computing any function app ears in any mo del of

computation In particular a security pro of of the BGW construction can b e extracted

from the pro of presented here

The chapter on asynchronous Byzantine agreement Chapter applies ideas and tech

niques from secure multiparty computation to constructing the rst asynchronous Byzantine

agreement BA proto col with optimal resilience and p olynomial complexity The construc

tion is quite involved using many layers and techniques The main technical contributions

are in our opinion two First we adapt techniques from RB TRa to construct the rst

Asynchronous Veriable Secret Sharing AVSS scheme with optimal resilience Next we

slightly mo dify the F scheme which was never published and unaccessible for reaching

BA given an AVSS scheme and present it in a hop efully readable way Indeed this work

is the rst accessible source to any asynchronous BA proto col with linear resilience and

p olynomial complexity

The chapter on proactive security Chapter introduces a new approach to maintaining

the security of computer systems in the presence of transient and rep eated breakins or

failures We hop e and b elieve that this approach will b ecome a standard in the eort to

protect computer systems In fact a number of works have already followed this approach

eg ChH HJKY CHH HJJKY

Subsequent and future work We mention two directions for subsequent research The

rst deals with an additional security requirements from multiparty proto cols Namely we

require that the computation will not leave a trace that can b e later used against the

parties An example is a maa that records the transcript and later uses it to co erce

parties to reveal their inputs Some research in this direction has b een done BT SK

CDNO CG however many questions remain op en

Another issue not addressed in this work at all is how to deal with unauthenticated

communication channels that can b e actively controlled by the adversary In fact how

again to precisely dene the problem Here additional denitional problems are encoun

tered For instance the adversary may always prevent the parties from completing the

computation by simply not delivering messages A somewhat restricted denition as well

as a solution for a certain quite p owerful adversary mo del is presented in CHH Still many questions remain op en

Bibliography

AFL E Arjomandi M Fischer and N Lynch Eciency of Synchronous Versus Asyn

chronous Distributed Systems Journal of the ACM No Vol pp

Aw B Awerbuch The complexity of Network Synchronization JACM Vol no

Ba E Bach How to generate factored random numbers SIAM J on Comput Vol

No pp

Be D Beaver Foundations of Secure Interactive Computing CRYPTO

BH D Beaver and S Hab er Cryptographic Proto cols Provably secure Against Dynamic

Adversaries Eurocrypt

BR M Bellare and P Rogaway Entity authentication and key distribution Advances

in Cryptology Proc of Crypto August pp

BR M Bellare and P Rogaway Random oracles are practical A paradigm for designing

ecient proto cols First ACM conf on Computer and Comm Security November

BT Josh Benaloh and Dwight Tunistra ReceiptFree SecretBallot Elections th

STOC pp

BCG M BenOr R Canetti and O Goldreich Asynchronous Secure Computations

th STOC pp

BE M BenOr and R ElYaniv Interactive Consistency in Constant Time submitted

for publication

BGW M BenOr S Goldwasser and A Wigderson Completeness Theorems for Non

Cryptographic FaultTolerant Distributed Computation th STOC pp

Bibliography

BKR M BenOr B Kelmer and T Rabin Asynchronous Secure Computation with

Optimal Resilience th PODC pp

BGH R Bird I Gopal A Herzb erg P Janson S Kutten R Molva and M Yung A

family of lightweight proto cols for authentication and key distribution Submitted

to IEEE T Networking

BGH R Bird I Gopal A Herzb erg P Janson S Kutten R Molva and M Yung

Systematic design of a family of attackresistant authentication proto cols IEEE

Journal on Selected Areas in Communications Sp ecial issue on Secure Com

munications June pp See also a dierent version in Crypto

BM M Blum and S Micali How to generate Cryptographically strong sequences of

pseudorandom bits em SIAM J on Computing Vol pp

Br G Bracha An Asynchronous bn cresilient Consensus Proto col rd PODC

BCC G Brassard D Chaum and C Crep eau Minimum Disclosure Pro ofs of Knowl

edge Journal of Computing and System Sciences Vol No pp

C R Canetti Asynchronous Secure Computation Technical Report no CS

department Technion

CDNO R Canetti C Dwork M Naor and R Ostrovsky Deniable Encryptions

manuscript

CFGN R Canetti U Feige O Goldreich and M Naor Adaptively Secure Computa

tion th STOC

CG R Canetti and R Genaro Deniable Multiparty Computation manuscript

CHH R Canetti S Halevi and A Herzb erg How to Maintain Authenticated Commu

nication in the Presence of Breakins manuscript

CaH R Canetti and A Herzb erg Maintaining security in the presence of transient

faults Crypto pp

CR R Canetti and T Rabin Optimal Asynchronous Byzantine Agreement th

STOC pp

CCD D Chaum C Crep eau and I Damgard Multiparty unconditionally secure proto

cols th STOC pp

CD B Chor and C Dwork Randomization in Byzantine Agreement Advances in

Computing Research Vol pp

CGMA B Chor S Goldwasser S Micali and B Awerbuch Veriable Secret Sharing and

Achieving Simultaneity in the Presence of Faults th FOCS pp

CK B Chor and E Kushilevitz A ZeroOne Law for Bo olean Privacy SIAM J on

Disc Math Vol no pp

Bibliography

CM B Chor and L Moscovici Solvability in Asynchronous Environments th FOCS

ChH C Chow and A Herzb erg A reconstructible proactive pseudorandomness proto

col Work in progress June

DP A DeSantis and G Persiano ZeroKnowledge pro ofs of knowledge without inter

action rd FOCS pp

DH W Die and M Hellman New directions in cryptography IEEE Trans on Info

Theory IT pp

Ed J Edmonds Paths Trees and Flowers Canadian J of Math Vol pp

DDN D Dolev C Dwork and M Naor Nonmalleable Cryptography rd STOC

ER M Elchin and J Ro chlis With microscop e and tweezers An analysis of the internet

virus of november IEEE Symp on Security and Privacy pp

EGL S Even O Goldreich and A Lemp el A randomized proto col for signing contracts

CACM vol No pp

Fe P Feldman Asynchronous Byzantine Agreement in Constant Exp ected Time

unpublished manuscript

FM P Feldman and S Micali An Optimal Algorithm For Synchronous Byzantine

Agreement th STOC pp

F M Fischer The Consensus Problem in Unreliable Distributed System Technical

Report Yale University

FLP M Fischer N Lynch and M Paterson Imp ossibility of Distributed Consensus with

One Faulty Pro cess JACM Vol no pp

GJ M R Garey and D S Johnson Computers and Intractability a guide to NP

Completeness WH Freeman ed NY

G O Goldreich Foundations of Cryptography Fragments of a Bo ok ed Dept of

Computer Science and Applied Mathemetics Weizmann Institute

GGL O Goldreich S Goldwasser and N Linial FaultTolerant Computation in the

Full Information Mo del nd FOCS pp

GGM O Goldreich S Goldwasser and S Micali On the cryptographic applications of

random functions Advances in Cryptology Proc of Crypto pp

GGM O Goldreich S Goldwasser and S Micali How to construct random functions

J ACM pp Extended abstract in FOCS

GILVZ O Goldreich R Impagliazzo L Levin R Venkatesan and D Zuckerman Secu

rity Preserving Amplication of Hardness FOCS pp

Bibliography

GrL O Goldreich and L Levin A HardCore Predicate to any OneWay Function

st STOC pp

GMW O Goldreich S Micali and A Wigderson How to Play any Mental Game th

STOC pp

GwL S Goldwasser and L Levin Fair Computation of General Functions in Presence

of Immoral Ma jority CRYPTO

HILL J HastadR Impagliazzo L Levin and M Luby Construction of pseudorandom

generator from any oneway functions Manuscript see preliminary versions by

Impagliazzo et al in st STOC and Hastadin nd STOC

HJJKY A Herzb erg M Jakonsson S Jarecki H Krawczyk and M Yung Proactive

PublicKey and Signature Systems manusript

HJKY A Herzb erg S Jarecki H Krawczyk and M Yung Proactive Secret Sharing or

How to Cop e with Perpetual Leakage CRYPTO

IR R Impagliiazzo and S Rudich Limits on the provable consequences of oneway

p ermutations th STOC pp

KY A Karlin and A Yao Probabilistic Lower Bounds for Byzantine Agreement un

published manuscript

LE T A Longsta and S E Eugene Beyond preliminary analysis of the wank and oilz

worms A case of study of malicious co de Computers and Security

MS F J Macwiliams and N J A Sloane The Theory of Error Correcting Codes

NorthHolland

MR S Micali and P Rogaway Secure Computation in preparation Preliminary ver

sion in CRYPTO

MV S Micali and V Vazirani An O jV j jE j Algorithm for Finding Maximum

Matching in General Graphs st FOCS

MNSS S P Miller C Neuman J I Schiller and J H Saltzer Kerb eros authentication

and authorization system Project Athena Technical Plan Massachusetts Institute

of Technology July

MT R H Morris and K Thompson Unix password security Comm ACM

November pp

OY R Ostrovsky and M Yung How to withstand mobile virus attacks Proceedings

of the Annual ACM Symposium on Principles of Distributed Computing

PSL R Pease Shostak and L Lamp ort Reaching Agreement in the Presence of Faults

JACM Vol No pp

Bibliography

MRa M Rabin How to exchange secrets by oblivious transfer Tech Memo TR

Aiken Computation Lab oratory Harvard U

MRa M Rabin Randomized Byzantine Generals th FOCS pp

RB T Rabin and M BenOr Veriable Secret Sharing and Multiparty Proto cols with

Honest Ma jority st STOC pp

TRa T Rabin Robust Sharing of Secrets When The Dealer is Honest or Faulty

Journal of the ACM No Vol pp

Re R Reischuk A new solution to the byzantine generals problem Information and

Control pp

SK K Sako and J Kilian ReceiptFree MixType Voting Scheme Eurocrypt

Sh A Shamir How to share a secret CACM Vol No pp

St C Stoll How secure are computers in the usa Computers and Security

Y A Yao Proto cols for Secure Computation th FOCS pp

Y A Yao Theory and applications of trap do or functions rd FOCS pp