Asynchronous Verifiable Secret Sharing and Proactive Ý Cryptosystems£

Christian Cachin Klaus Kursawe Anna LysyanskayaÞ Reto Strobl IBM Research Zurich Research Laboratory CH-8803 R¨uschlikon, Switzerland {cca,kku,rts}@zurich.ibm.com

ABSTRACT However, when a threshold cryptosystem operates over a longer Verifiable secret sharing is an important primitive in distributed time period, it may not be realistic to assume that an adversary cor- cryptography. With the growing interest in the deployment of rupts only Ø servers during the entire lifetime of the system. Proac- threshold cryptosystems in practice, the traditional assumption of tive cryptosystems address this problem by operating in phases; a synchronous network has to be reconsidered and generalized to they can tolerate the corruption of up to Ø different servers dur- an asynchronous model. This paper proposes the first practical ing every phase [18]. They rely on the assumption that servers may verifiable secret sharing protocol for asynchronous networks. The erase data and on a special reboot procedure to remove the adver- protocol creates a discrete logarithm-based sharing and uses only sary from a corrupted server. The idea is to proactively reboot all a quadratic number of messages in the number of participating servers at the beginning of every phase, and to subsequently refresh servers. It yields the first asynchronous Byzantine agreement pro- the secret key shares such that in any phase, knowledge of shares tocol in the standard model whose efficiency makes it suitable for from previous phases does not give the adversary an advantage. use in practice. Proactive cryptosystems are another important ap- Thus, proactive cryptosystems tolerate a mobile adversary [20], plication of verifiable secret sharing. The second part of this paper which may move from server to server and eventually corrupt every introduces proactive cryptosystems in asynchronous networks and server in the system. presents an efficient protocol for refreshing the shares of a secret Since refreshing is a distributed protocol, the network model de- key for discrete logarithm-based sharings. termines how to make a cryptosystem proactively secure. For syn- chronous networks, where the delay of messages is bounded, many proactive cryptosystems are known (see [6] and references therein). Keywords However, for asynchronous networks, no proactive cryptosystem is Asynchronous, Secret Sharing, Proactive, Model known so far. Because of the absence of a common clock and the arbitrary delay of messages, several problems arise: First, it is not 1. INTRODUCTION clear how to define a proactive phase when the servers have no The idea of threshold cryptography is to distribute the power of common notion of time. Second, even if the notion of a common a cryptosystem in a fault-tolerant way [12]. The cryptographic op- phase is somehow imposed by external means, a message of the refresh protocol might be delayed arbitrarily across phase bound- eration is not performed by a single server but by a group of Ò aries, which poses additional problems. And last but not least, one servers, such that an adversary who corrupts up to Ø servers and observes their secret key shares can neither break the cryptosystem needs an asynchronous share refreshing protocol. nor prevent the system as a whole from correctly performing the The distributed share refreshing protocols of all proactive cryp- operation. tosystems rely on verifiable secret sharing. Verifiable secret shar- ing is a fundamental primitive in distributed cryptography [11] that £ This work was supported by the European IST Project MAFTIA has found numerous applications to secure multi-party computa- (IST-1999-11583). However, it represents the view of the authors. tion, Byzantine agreement, and threshold cryptosystems. A veri- The MAFTIA project is partially funded by the European Commis- fiable secret sharing protocol allows a distinguished server, called sion and the Swiss Department for Education and Science. the dealer, to distribute shares of a secret among a group of servers ÝExtended abstract. Full version available at http://eprint. such that only a qualified subgroup of the servers may reconstruct iacr.org/2002/134. the secret and the corrupted servers do not learn any information ÞBrown University, Providence, RI 02912, USA. anna@cs. about the secret. Furthermore, the servers need to reach agreement brown.edu. Work done at IBM Zurich. on the success of a sharing in case the dealer might be faulty. Asynchronous verifiable secret sharing protocols have been pro- posed previously [1, 9, 5]. However, all existing solutions are pro- hibitively expensive to be suitable for practical use: the best one

Permission to make digital or hard copies of all or part of this work for 5

´Ò µ has message complexity Ç and communication complexity

personal or classroom use is granted without fee provided that copies are

6

´Ò ÐÓg Òµ not made or distributed for profit or commercial advantage and that copies Ç . This is perhaps not surprising because they achieve bear this notice and the full citation on the first page. To copy otherwise, to unconditional security. In contrast, we consider a computational

republish, to post on servers or to redistribute to lists, requires prior specific setting and obtain a much more efficient protocol. Our protocol

¾

´Ò µ permission and/or a fee. achieves message complexity Ç and communication complex-

CCS’02, November 18-22, 2002, Washington, DC, USA. ¿

´Ò µ  ity Ç , where is a security parameter, and optimal resilience Copyright 2002 ACM 1-58113-612-9/02/0011 ...$5.00.

88

¿Ø Ò> . We assume that every pair of servers is linked by a secure Specifically, we assume hardness of the discrete-logarithm prob- asynchronous channel that provides privacy and authenticity with lem. Our protocol is reminiscent of Pedersen’s scheme [22], but the scheduling determined by the adversary. (This is in contrast to [3], dealer creates a two-dimensional polynomial sharing of the secret. where the adversary observes all network traffic.) Formally, we Then the servers exchange two asynchronous rounds of messages model such a network as follows. All communication is driven by

to reach agreement on the success of the sharing, analogous to the the adversary. There exists a global set of messages Å, whose el-

×; Ö;е ×

deterministic reliable broadcast protocol of Bracha [2]. ements are identified by a label ´ denoting the sender , the Ð

Combining our verifiable secret sharing scheme with the pro- receiver Ö , and the length of the message. The adversary sees the Å tocol of Canetti and Rabin [9], we obtain the first asynchronous labels of all messages in Å, but not their contents. is initially

Byzantine agreement protocol that is provably secure in the stan- empty. The system proceeds in steps. At each step, the adver- È

dard model and whose efficiency makes it suitable for use in prac- sary performs some computation, chooses an honest server i , and

Ñ ¾Å ´×; i; Ð µ È

tice. selects some message with label . i is then acti-

Ñ È

With respect to asynchronous proactive cryptosystems, our con- vated with on its communication input tape. When activated, i tributions are twofold. On a conceptual level, we propose a formal reads the contents of its communication input tape, performs some model for cryptosystems in asynchronous proactive networks, and computation, and generates one or more response messages, which

on a technical level, we present an efficient protocol for proactively it writes to its communication output tape. A response message Ñ

refreshing discrete logarithm-based shares of a secret key. may contain a destination address, which is the index j of a server.

Ñ Å ´i; j; jÑjµ È

Our model of an asynchronous proactive network extends an Such an is added to with label if j is honest; if

È Ñ asynchronous network by an abstract timer that is accessible to ev- j is corrupted, is given to the adversary. In any case, control ery server. The timer is scheduled by the adversary and defines the returns to the adversary. This step is repeated arbitrarily often until phase of a server locally. We assume that the adversary corrupts the adversary halts.

at most Ø servers who are in the same local phase. Uncorrupted These steps define a sequence of events, which we view as logi- servers who are in the same local phase may communicate via pri- cal time. We sometimes use the phrase “at a certain point in time”

vate authenticated channels. Such a channel must guarantee that to refer to an event like this. È every message is delayed no longer than the local phase lasts and We assume an adaptive adversary that may corrupt a server i

that it is lost otherwise. at any point in time instead of activating it on an input message. In

¾Å ´¡;i;jÑjµ A proactive cryptosystem refreshes the sharing of the secret key that case, all messages Ñ with label are removed

at the beginning of every phase (i.e., when sufficiently many servers from Å and given to the adversary. She gains complete control

È È i

enter the same local phase). Our model implies that liveness for the over i , obtains the entire view of up to this point, and may

i; ¡; jÑjµ cryptosystem is only guaranteed to the extent that the adversary now send messages with label ´ . The view of a server con- does not delay the messages of the refresh protocol for longer than sists of its initialization data, all messages it has received, and the the phase lasts. Otherwise, the secret key may become unaccessi- random choices it made so far. ble. Despite this danger, we believe that our model achieves a good coverage for real-world loosely synchronized networks, such as the Internet, since a phase typically lasts much longer than the maximal Termination. We define termination of a protocol instance only delay of a message in the network. to the extent that the adversary chooses to deliver messages among Finally, we propose an efficient proactive refresh protocol for the honest servers [4]. Technically, termination of a protocol fol- discrete logarithm-based sharings. It builds on our verifiable secret lows from a bound on the number of messages that honest servers sharing protocol and on a randomized asynchronous multi-valued generate on behalf of a protocol, which must be independent of the Byzantine agreement primitive [3]. The refresh protocol achieves

adversary.

> ¿Ø

optimal resilience Ò and has expected message complexity 5

¿ We say that a message is associated to a particular protocol in-

´Ò µ Ç ´Ò µ Ç and communication complexity . stance if it was generated by any server that is honest throughout the protocol execution on behalf of the protocol. 2. PRELIMINARIES The message complexity of a protocol is defined as the number of associated messages (generated by honest servers). It is a random

2.1 Asynchronous System Model variable that depends on the adversary and on . We adopt the basic system model from [4, 3], which describe an Similarly, the communication complexity of a protocol is defined asynchronous network of servers with a computationally bounded as the bit length of all associated messages (generated by honest adversary. servers). It is a random variable that depends on the adversary and Our computational model is parameterized by a security param- on .

Recall that the adversary runs in time polynomial in . We as-

¯´µ c > ¼

eter ; a function is called negligible if for all there

½ 

sume that the parameter Ò is bounded by a fixed polynomial in ,

 ¯´µ < >

¼ ¼ exists a such that c for all .

 independent of the adversary, and that the same holds for all mes-

Ò È ; :::;È Ò Network. The network consists of servers ½ , which are sages in the protocol, i.e., larger messages are ignored.

probabilistic interactive Turing machines (PITM) as defined in [15] For a particular protocol, a protocol statistic X is a family of

 fX ´µg

that run in polynomial time (in ). There is an adversary, which is real-valued, non-negative random variables A , parameter-

 A  X ´µ a PITM that runs in polynomial time in . Some servers are con- ized by adversary and security parameter , where each A

trolled by the adversary and called corrupted; the remaining servers is a random variable induced by running the system with A. (Mes-

are called honest. An adversary that corrupts at most Ø servers is sage complexity is an example of such a statistic.) We restrict our-

called Ø-limited. There is also an initialization algorithm, which is selves to protocol statistics that are bounded by a polynomial in the

Ò Ø run by a trusted party before the system starts. On input , , , adversary’s running time.

and further parameters, it generates the state information used to We say that a protocol statistic X is uniformly bounded if there

´µ A initialize the servers, which may be thought of as a read-only tape. exists a fixed polynomial Ô such that for all adversaries , there

89

¯   ¼ is a negligible function A , such that for all , We specify a condition in the form of receiving messages or

events. In this case, messages describes a set of one or more proto-

ÈÖ [X ´µ >Ô´µ]  ¯ ´µ: A A col messages and events describes a set of local events (e.g., outputs

A protocol statistic X is called probabilistically uniformly bounded from a sub-protocol) satisfying a certain predicate, possibly involv-

´µ

if there exists a fixed polynomial Ô and a fixed negligible func- ing other state variables. Upon executing this command, a thread A

tion Æ such that for all adversaries , there is a negligible function enters a wait state, waiting for the arrival of messages satisfying the

¯ Ð  ¼   ¼

A , such that for all and , given predicate; moreover, when this predicate becomes satisfied,

the matching messages are moved out of the input buffer into local

ÈÖ[X ´µ >ÐÔ´µ]  Æ ´Ð µ·¯ ´µ: A

A state variables. If there is more than one set of matching messages, Ô

If X is probabilistically uniformly bounded by , then for all adver- one is chosen arbitrarily.

A E[X ´µ] = Ç ´Ô´µµ

saries , we have A , with a hidden constant We also may specify a condition of the form of detecting mes- Y

that is independent of A. Additionally, if is probabilistically sages. The semantics of this are the same as for receiving messages,

X ¡ Y

uniformly bounded by Õ , then is probabilistically uniformly except that the matching messages are copied from the input buffer

¡ Õ X · Y

bounded by Ô , and is probabilistically uniformly bounded into local state variables.

· Õ by Ô . Thus, (probabilistically) uniformly bounded statistics are There is a global implicit wait for statement that every proto- closed under polynomial composition, which is their main benefit col instance repeatedly executes; it matches any of the conditions for analyzing the composition of randomized protocols [3]. given in the clauses of the form upon condition block. Every time a condition is satisfied, the corresponding block is executed. If there Protocol execution and notation. We now introduce our notation is more than one satisfied condition, all corresponding blocks are for writing asynchronous protocols. Recall that a server is always executed in an arbitrary order. activated with an input message; this message is added to an inter- nal input buffer upon activation. 2.2 Cryptographic Assumptions

In our model, protocols are invoked by the adversary. Every pro-

Õ Õ j´Ô ½µ Õ>Ò Let Ô and be two large primes satisfying , and .

tocol instance is identified by a unique string ÁD , also called the

G Õ Z g

tag, which is chosen by the adversary when it invokes the instance. Let denote a multiplicative subgroup of order of Ô, and let G

There may be several threads of execution for a given server, but and h be two generators of chosen by an initialization algorithm h such that no server knows ÐÓg .

no more than one is active concurrently. When a server is activated, g Ù The discrete-logarithm problem is to compute ÐÓg given a de-

all threads are in wait states. A wait state specifies a condition de- g

g G Ù ¾ G fined on the received messages contained in the input buffer and scription of G, a generator of , and an element .We other local state variables. If one or more threads are in a wait state assume that this problem is hard to solve in G, which means that whose condition is satisfied, one such thread is scheduled arbitrar- any probabilistic polynomial-time algorithm solves this problem at ily, and this thread runs until it reaches another wait state. This most with negligible probability. process continues until no more threads are in a wait state whose condition is satisfied. Then, the activation of the server is termi- 2.3 Multi-valued Validated Byzantine nated, and control returns to the adversary. Agreement There are two types of messages that protocols process and gen- Byzantine agreement is a fundamental problem in distributed erate: The first type contains input actions, which represent a local computation [21]. In asynchronous networks, it is impossible to activation and carry input to a protocol, and output actions, which solve by deterministic protocols [13], which means that one must signal termination and potentially carry output of a protocol; such resort to randomized protocols. The first polynomial-time solution messages are called local events. The second message type is an to this problem was given by Canetti and Rabin [9, 5]. The standard ordinary point-to-point network message, which is to be delivered notion of Byzantine agreement implements only a binary decision to the peer protocol instance running on another server; such mes- in asynchronous networks. It can guarantee a particular outcome

sages are also called protocol messages. only if all honest servers propose the same value. Validated Byzan-

ÁD ;:::µ ÁD All messages are denoted by a tuple ´ ; the tag de- tine agreement [3] extends this to arbitrary domains by means of

notes the protocol instance to which this message is associated. In- a so-called external validity condition. It is based on a global,

´ÁD ; ; ;:::µ É

put actions are of the form in type , and output actions polynomial-time computable predicate ÁD known to all servers,

ÁD ; ; ;::: µ

are of the form ´ out type , with type defined by the pro- which is determined by an external application. Each server may

ÁD ; ; :::µ

tocol specification. All other messages of the form ´ type propose a value that perhaps contains validation information. The É are protocol messages, where type is defined by the protocol imple- agreement ensures that the decision value satisfies ÁD , and that it

mentation. has been proposed by at least one server. È

We describe protocols in a modular way: A protocol instance When a server i starts a validated Byzantine agreement (VBA)

£

ÁD Ú ¾f¼; ½g È

may invoke another protocol instance by sending it a suitable in- protocol with a tag and input ,wesay i proposes ÁD

put action and obtain its output via an output action of the sub- Ú for . W.l.o.g. the honest servers propose values that satisfy É

protocol. This is realized by a server-internal mechanism, which, ÁD . When a server terminates a validated Byzantine agreement

ÁD Ú È Ú for any message generated by the calling protocol that contains an protocol with tag and outputs a value , we say i decides for

input action for a sub-protocol, creates the corresponding proto- ÁD . col instance (if not already running) and delivers the input action; The protocol of Cachin et al. [3] for multi-valued validated furthermore, it passes all output actions of the sub-protocol to the Byzantine agreement is based on a so-called consistent broadcast calling protocol by adding them to the input buffer. protocol and on a protocol for binary Byzantine agreement, which The pseudo-code notation used for describing our protocols is as rely on threshold signatures and on a threshold coin-tossing pro- follows. To enter a wait state, a thread may execute a command of tocol [4]. Both sub-protocols can be implemented efficiently in

the form wait for condition, where condition is an ordinary predi- the random oracle model. With these primitives, the expected mes-

¾

´Ò µ

cate on the input buffer and other state variables. Upon executing sage complexity of multi-valued validated agreement is Ç , and

¿ ¾

· Ò ´Ã · jÚ jµµ ´Ò this command, a thread enters a wait state with the given condition. the expected communication complexity is Ç ,

90

à ÁD :d ÁD :d where Ú is the longest value proposed by any server and is the , then all honest servers complete the sharing and

length of a threshold signature. These protocols have been proven if all honest servers subsequently start the reconstruction for

ÁD :d È Þ i

secure only against static adversaries [3]. , then every honest server i reconstructs some for :d As we show in this paper, binary asynchronous Byzantine agree- ÁD , except with negligible probability. ment can also be implemented efficiently in the standard model and

with adaptive security based on verifiable secret sharing. This solu- Correctness: Once k honest servers have completed the sharing

ÁD :d Þ ¾ Z tion incurs a larger communication complexity than the one in [3], , there exists a fixed value Õ such that the follow-

however. ing holds except with negligible probability:

ÁD :d

3. ASYNCHRONOUS VERIFIABLE 1. If the dealer has shared × using and is honest

= × throughout the sharing stage, then Þ .

SECRET SHARING

È Þ ÁD :d i 2. If an honest server i reconstructs for , then

In this section we define asynchronous verifiable secret sharing

Þ = Þ

i . (AVSS) and propose a novel efficient AVSS protocol based on the

discrete-logarithm problem.

ÁD :d

Privacy: If an honest dealer has shared × using and less than

Ø ÁD :d 3.1 Definition k honest servers have started the reconstruction for ,

the adversary has no information about ×. We consider dual-threshold sharings, which generalize the stan-

dard notion of secret sharing by allowing the reconstruction thresh- :d Efficiency: For every ÁD , the communication complexity is uni-

old to exceed the number of corrupted servers by more than formly bounded.

Ò; k ; ص Ò one [23]. In an ´ dual-threshold sharing, there are servers

holding shares of a secret, of which up to Ø may be corrupted by The first two conditions are liveness conditions. They imply the

an adversary, and any group of k or more servers may reconstruct same form of termination and agreement as required by the Byzan-

Ø  k > Ø the secret (Ò ). Such dual-threshold sharings are tine generals problem [19], which implements a reliable broad- an important primitive for distributed computation and agreement cast with Byzantine faults [17, 3] from a distinguished server to

problems [4]. all others. The servers must terminate the protocol only if the dis-

ÁD :d × ¾ Z A protocol with a tag to share a secret Õ consists of a tinguished server is honest, but they agree on the termination of the sharing stage and a reconstruction stage as follows. protocol such that either none or all honest servers terminate the protocol and generate some output. Sharing stage. The sharing stage starts when a server initializes This definition is analogous to the definition of AVSS in the

the protocol. In this case, we say the server initializes a shar- information-theoretical model by Canetti and Rabin [9].

ÁD :d È

ing . There is a special server d , called the dealer,

which is activated additionally on an input message of the 3.2 Implementation

´ÁD :d; ; ;×µ È

form in share . If this occurs, we say d shares This section describes a novel verifiable secret sharing protocol

ÁD :d

× using among the group. A server is said to complete for an asynchronous network with computational security. Our pro- :d

the sharing ÁD when it generates an output of the form tocol creates a discrete logarithm-based sharing of the kind intro-

ÁD :d; ; µ ´ out shared . duced by Pedersen [22], and it is much more efficient than the pre- vious VSS protocols for asynchronous networks [1, 9, 5] (which Reconstruction stage. After a server has completed the sharing, it

were proposed in the information-theoretic model). Our protocol

ÁD :d; ; µ may be activated on a message ´ in reconstruct . uses exactly the same communication pattern as the asynchronous In this case, we say the server starts the reconstruction for

broadcast primitive proposed by Bracha [2], which implements the :d ÁD . At the end of the reconstruction stage, every server

Byzantine generals problem in an asynchronous network. È

should output the shared secret. A server i terminates the

Ò; k ; ص Protocol AVSS creates an ´ dual-threshold sharing for

reconstruction stage by generating an output of the form

¾Ø  k>Ø

any Ò . The sharing stage works as follows (assume

´ÁD :d Þ µ

, out, re-constructed, i . In this case, we say

Ò·Ø·½

d e

k for the moment).

¾

È Þ ÁD :d i i reconstructs for . This terminates the protocol.

The definition of asynchronous verifiable secret sharing is the 1. The dealer computes a two-dimensional sharing of the secret

f ¾ Z [Ü; Ý ]

same as in synchronous networks, except that some extra care is by choosing a random bivariate polynomial Õ

½ f ´¼; ¼µ = ×

of degree at most k with . It commits to

required to ensure that all servers agree on the fact that a valid shar- È

k ½

j Ð

f Ü Ý f ´Ü; Ý µ=

jÐ using a second random polyno- =¼

ing has been established. Our definition provides computational j;Ð

¼

f ¾ Z [Ü; Ý ] k ½

correctness and unconditional privacy. mial Õ of degree at most by computing a

¼

f

f

jÐ

jÐ

C = fC g C = g j; Ð ¾ [¼;k ½] h jÐ matrix jÐ with for .

Definition 1. A protocol for asynchronous verifiable dual- È

Then the dealer sends to every server i a message contain- threshold secret sharing satisfies the following conditions for any

ing the commitment matrix C as well as two share polyno-

Ø ¼

-limited adversary: ¼

a ´Ý µ:=f ´i; Ý µ a ´Ý µ:= f ´i; Ý µ i

mials and i and two sub-

¼ ¼

b ´Üµ:= f ´Ü; iµ b ´Üµ:= f ´Ü; iµ i Liveness: If the adversary initializes all honest servers on a sharing share polynomials and i ,

respectively.

ÁD :d È

, delivers all associated messages, and the dealer d is honest throughout the sharing stage, then all honest servers complete the sharing, except with negligible probability. 2. When they receive the send message from the dealer, the

servers echo the points in which their share and sub-share È

Agreement: Provided the adversary initializes all honest servers polynomials overlap to each other. To this effect, i sends an

¼ ¼

´j µ ´j µ ÁD :d C a ´j µ a b ´j µ b i

echo i i

on a sharing and delivers all associated messages, the message containing , , i , , and È

following holds: If some honest server completes the sharing to every server j .

91 C

3. Upon receiving k echo messages that agree on and con- È

tain valid points, every server i interpolates its own share

¼ ¼

 

a ; a ; b b

i i i

and sub-share polynomials i , and from the re-

È ÁD :d

ceived points using standard Lagrange interpolation. (In case Protocol AVSS for server i and tag (sharing stage) the dealer is honest, the resulting polynomials are the same

upon initialization: È

as those in the send message.) Then i sends a ready

¼ ¼

 

C

; a ´j µ; a ´j µ; b ´j µ b ´j µ

C for all do

i i i

message containing i , and to ev-

e ¼ Ö ¼

C C

È ;

ery server j .

¼ ¼

A ; B ; B ; A ;

C C C

; C ; ;

It is also possible that a server receives k valid ready mes-

C

ÁD :d; ; ;×µ

sages that agree on and contain valid points, but has not upon receiving a message ´ in share : ¼ yet received k valid echo messages. In this case, the server

choose two random bivariate polynomials f; f over

interpolates its share and sub-share polynomials from the

Z [Ü; Ý ] k ½ f ´¼; ¼µ = f = × ¼¼

Õ of degree with , i.e.,

È

k ½ Ð

ready messages and sends its own ready message to all j

f ´Ü; Ý µ= f Ü Ý

jÐ , and

j;Ð=¼

servers as above. È

k ½

¼ ¼ j Ð

f ´Ü; Ý µ= f Ü Ý

jÐ

j;Ð=¼

¼

f

f

k · Ø ready jÐ

4. Once a server receives a total of messages that jÐ

C fC g C = g h

jÐ jÐ

¾[¼;k ½] j;Ð , where

agree on C,itcompletes the sharing. Its share of the secret

¾ [½;Ò]

for j do

¼ ¼

¼ ¼

´× ;× µ=´a ´¼µ; a ´¼µµ

i i i

is i .

a ´Ý µ f ´j; Ý µ a ´Ý µ f ´j; Ý µ j

; j ;

¼ ¼

b ´Üµ f ´Ü; j µ b ´Üµ f ´Ü; j µ j

; j

È

¼ ¼

The reconstruction stage is straightforward. Every server i re-

´ÁD :d; ; C;a ;a ;b ;b µ È

j j

send j j

send j to

¼

´× ;× µ k i

veals its share i to every other server, and waits for such

¼ ¼

ÁD :d; ; C;a;a ;b;b µ È shares from other servers that are consistent with the commitments ´

upon receiving a message send from d

f ´¼; ¼µ

C. Then it interpolates the secret from the shares. for the first time:

Ò·Ø·½

¼ ¼

Ø

For smaller values of k , in particular for , the

¾

C;i;a;a ;b;b µ

if verify-poly´ then

Ò·Ø·½ e

protocol has to be modified to receive d echo messages in

j ¾ [½;Ò]

¾ for do

step 3. This guarantees the uniqueness of the shared value. È

send to j the message ¼

A detailed description of the protocol is given in Figures 1 and 2. ¼

ÁD :d; ; C;a´j µ;a ´j µ;b´j µ;b ´j µµ ´ echo

In the protocol description, the following predicates are used:

¼ ¼

ÁD :d; ; C;«;« ;¬;¬ µ

upon receiving a message ´ echo from

¼ ¼ ¼ ¼

È

´C;i;a;a ;b;b µ a a b b

verify-poly , where , , , and are polyno- Ñ for the first time:

È

k ½

Ð ¼

¼ ¼

a Ý ;a´Ý µ = k ½ a´Ý µ =

´C;i;Ñ;«;« ;¬;¬ µ

mials of degree , i.e., Ð if verify-point then

Ð=¼

È È È

¼ ¼ ¼

k ½ k ½ k ½

Ð j ¼ j ¼ ¼

[f´Ñ; « µg A A A [f´Ñ; «µg A

C C

Ý ;b´Üµ= b Ü ; a Ü b ´Üµ= b

C ; C

j

j

Ð and ;

j =¼ Ð=¼ j =¼

¼ ¼ ¼

B B [f´Ñ; ¬ µg [f´Ñ; ¬ µg B B

C C C

the predicate verifies that the given polynomials are share ; C

e e ·½

C C

È C

and sub-share polynomials for i consistent with ;itis

Ò·Ø·½

¼

a a

e =ÑaÜfd e;kg Ö

Ð

C C

Ð if and then

¾

Ð ¾ [¼;k ½] g h

true if and only if for all , it holds =

¼ ¼ ¼

 

É

¼

j

a a A A B b b

k ½

b

b i

C C

C

j interpolate , , , and from , , ,

j

j ¾ [¼;k ½] g h = ´C µ

jÐ , and for all , it holds

¼

j =¼

B

C

É and , respectively

Ð

k ½

i

´C µ

jÐ

¾ [½;Ò]

. j =¼

Ð for do È

send to j the message

¼ ¼

´C;i;Ñ;«;« ;¬;¬ µ ¼

verify-point verifies that the given val- ¼

 

ÁD :d; ; C; a ´j µ; a ´j µ; b´j µ; b ´j µµ

´ ready

¼ ¼

« ¬ ¬ f ´Ñ; iµ

ues «, , , and correspond to the points ,

¼ ¼

¼ ¼

f ´Ñ; iµ f ´i; ѵ f ´i; ѵ

ÁD :d; ; C;«;« ;¬;¬ µ

, , and , respectively, committed to upon receiving a message ´ ready from

C È È

i Ñ in , which supposedly receives from ; it is true È

Ñ for the first time:

É

¼ ¼ j Ð

k ½

« « ¬ ¬ Ñ i

¼ ¼

g h g h = ´C µ =

´C;i;Ñ;«;« ;¬;¬ µ

if and only if jÐ and verify-point

=¼ j;Ð if then

¼ ¼ ¼

É

j Ð

k ½

i Ñ

[f´Ñ; « µg A A A [f´Ñ; «µg A

C C C

; C

´C µ

jÐ .

j;Ð=¼

¼ ¼ ¼

[f´Ñ; ¬ µg B B [f´Ñ; ¬ µg B B

C C C

; C

¼ ¼

Ö Ö ·½

C C

C;Ñ;; µ ´; µ

verify-share´ verifies that the pair forms a

Ò·Ø·½

Ö = k e < ÑaÜfd e;kg C

if C and then

È C ¾

valid share of Ñ with respect to ; it is true if and only if

¼ ¼ ¼

É

¼ j

 

k ½

  Ñ

a a b b A A B

C C

interpolate , , , and from , C , ,

g h = ´C µ ¼

j .

j =¼

¼ B

and C , respectively

¾ [½;Ò] for j do

The servers may need to interpolate a polynomial a of degree at È

send to j the message

k ½ Z A k f´Ñ ;« µ;:::;

½ Ñ

most over Õ from a set of points

½

¼ ¼

 

ÁD :d; ; C; a ´j µ; a ´j µ; b´j µ; b ´j µµ

´ ready

a´Ñ µ=« j ¾ [½;k] µg ´Ñ ;«

j Ñ Ñ

k such that for . This can be

j

k

Ö = k · Ø

done using standard Lagrange interpolation. We abbreviate this by else if C then



C C

A A

saying a server interpolates a from ; should contain more than

¼ ¼

´× ;× µ ´a´¼µ; a ´¼µµ

i

i k

k elements, an arbitrary subset of elements is used for interpola-

ÁD :d; ; µ

tion. output ´ out shared Ö In the protocol description, the variables e and count the num- ber of echo and ready messages, respectively. They are instan- Figure 1: Protocol AVSS for asynchronous verifiable secret shar-

tiated separately only for values of C that have actually been re- ing (sharing stage). ceived in incoming messages.

Intuitively, protocol AVSS performs a reliable broadcast of C using the protocol of Bracha [2], where every echo and ready

92

È È D j

message between two servers i and additionally contains the which we will denote by , to every send message:

¼ ¼

f ´i; j µ f ´j; iµ f ´i; j µ f ´j; iµ

´¼µ values , , , and , which they have in ´¼µ B 1. A and ;

common.

h = ´h ;:::;h µ h = ´h ;::: ;h µ

a a;¼ a;Ò

b;¼ b;Ò

2. and b , where

´j µ ´j µ

È ÁD :d

Protocol AVSS for server i and tag (reconstruction

h = À ´A µ h = À ´B µ a;j and b;j .

stage)

¼ ¼

a a b b

i i i

In addition, the dealer sends the polynomials , i , and to

ÁD :d; ; µ

´ in reconstruct

Ò upon receiving a message : È

each server i as before. Note that as a result, the dealer sends

c ¼ Ë ;

´Òµ

; messages of length Ç each.

¾ [½;Ò]

for j do

È i

¼ Modifications to ’s part of the sharing protocol. In the modi-

´ÁD :d; ;× ;× µ È j

reconstruct-share i

´iµ ´iµ

send i to

È A B

fied protocol, i computes the lists and from the received

¼ echo ready

ÁD :d; ;; µ

upon receiving ´ reconstruct-share from data and adds them to every or message, together D

È with the public from the dealer’s message. This allows every

Ñ : ¼

 server to perform the same checks as before, but reduces the length

C;Ñ;; µ

if verify-share´ then

´Òµ

of every message to Ç . Furthermore, messages are counted

Ë Ë[f´Ñ;  µg C

separately with respect to D instead of .

c ·½

c The modified protocol uses the following predicates (in each,

= k

if c then

´¼µ ´¼µ

D =´A ;B ;h ;h µ a

b as described above):

a Ë

interpolate ¼ from

´ÁD :d; ; ;a ´¼µµ

output out reconstructed ¼

D;i;A;Bµ A B ´Ò ·½µ

check-poly´ , where and are -element ´¼µ

halt ´¼µ

A = B B = A h = À ´Aµ

¼ a;i

lists, is satisfied if ¼ , , ,

i i

h = À ´B µ

and b;i .

Figure 2: Protocol AVSS for asynchronous verifiable secret shar-

¼

C; ­ ; ­ µ C ­

ing (reconstruction stage). check-point´ checks that is a commitment to and

¼

¼ ­ ­

C = g h

­ ; it is satisfied if and only if .

¾

´Ò µ

The protocol uses Ç messages and has communication com-

¼ ¼ ¼ ¼

4

;b;b µ D;i;a;a a a b b

verify-poly´ , where , , , and are poly-

Ç ´Ò C

plexity µ. The size of the messages is dominated by ; it can

½ nomials of degree k , is satisfied if and only if

be reduced by a factor of Ò as shown in Section 3.3.

´D;i;A;Bµ A =´A ::: A µ Ò

check-poly for the lists ¼ , , and

Ò; Ø ·½;ص

Note that protocol AVSS creates an ordinary ´ -sharing

¼

a´j µ a ´j µ

B =´B ;:::;B µ A = g h

Ò>¿Ø ´Ò; ¾Ø ·½;ص

Ò j

with optimal resilience , and an -sharing with ¼ formed by setting and

¼

b´j µ b ´j µ

Ò>4Ø

= g h resilience . It is an open problem to develop an AVSS proto- B j , respectively.

col with comparable efficiency that creates arbitrary dual-threshold

¼ ¼

D;i;Ñ;A;B;«;« ;¬;¬ µ A B

verify-point´ , where and are

=¾Ø ·½

sharings (or even sharings with k ) with optimal resilience.

´Ò · ½µ È

We prove the following theorem in the full version of the paper. the -element lists received from Ñ , verifies

¼ ¼

« ¬ ¬

that the given values «, , , and correspond to ¼

Theorem 1. Assuming the hardness of the discrete-logarithm prob- ¼

´Ñ; iµ f ´Ñ; iµ f ´i; ѵ f ´i; ѵ the points f , , , and , re- lem, protocol AVSS implements asynchronous verifiable dual-

spectively, committed to in D; it is true if and only

¼

Ò ¾Ø  k>Ø

D;Ñ;A;Bµ ^ ´A ;«;« µ ^ threshold secret sharing for . ´

if check-poly check-point i

¼

´B ;¬;¬ µ

3.3 Reducing Message Sizes check-point i .

¼ ¼

D;Ñ;; µ ´; µ

In the sharing stage of the protocol AVSS described above, every verify-share´ verifies that the pair forms a

È D

Ñ C È valid share of with respect to ; it is true if and only if

server i resends the commitment matrix with every message it

¼

´¼µ

 

= A g h sends. Intuitively, this is needed for two reasons: first, to allow Ñ . the honest servers to agree on the value that is a commitment to The remaining details of the modified protocol can now easily be the secret being shared, and second, to allow the servers to verify filled in. The part for reconstructing the secret remains the same, that the secret shares they receive correspond to this commitment. except for the new definition of the verify-share predicate. We show in this section how to guarantee these two ends without It is clear that the message complexity of the revised protocol is having the servers resend so much data. the same as the message complexity of the protocol in Section 3.2.

The new protocol relies on a collision-resistant hash function À .

It is also clear that the communication complexity is reduced to

This is not an extra assumption because it is well-known that ¿

´Ò µ Ç because every single message sent out by the new protocol

the hardness of the discrete-logarithm problem implies efficient

Ç ´Òµ C includes D, which is of size , instead of , which is of size

collision-resistant hash functions. In practice, hash functions can ¾

´Ò µ Ç . be implemented at very little cost. The analysis of the revised protocol is omitted from this extended Recall from Section 3.2 that to create a secret sharing, the dealer

¼ abstract. f

selects two bivariate polynomials f and . Also, recall the nota-

¼ ¼ ´iµ

a a b b A =

i i i

tion , i , , from the description in Section 3.2. Let Further Improvements. Suppose instead of using just the two

´iµ ´iµ ´iµ

g h G g ;:::; g

½ Æ

µ A ;A ;:: :;A ´Ò ·½µ ´ generators and of the group , we use generators ,

Ò denote the -element list formed by

¼ ½

¼

´iµ

a ´j µ a ´j µ ´iµ

h Æ × ;:::; ×

i

½ Æ

i and . Then, in order to share secrets , the

= g h j ¾ [¼;Ò] B

setting A for . Let be derived

j

Æ ·½ f ;:::;f

½ Æ

´¼µ ´¼µ

¼ dealer computes bivariate polynomials , and

b b A B

i ¼

analogously from and i . Define lists and analo-

f C C =

¼ ¼

, and forms the entries of the verification matrix as jÐ

´¼µ ´¼µ

f ´¼;j µ f ´¼;j µ f ´j;¼µ f ´j;¼µ

¼

A B = g h = g h

f ´j;е f ´j;е f ´j;е

f ´j;е

gously with and Ò

½ ¾

j j

h g g ¡¡¡g

Ò . The rest of the protocol is car-

½ ¾

¾ [¼;Ò] for j .

ried out analogously to the protocol described above. As a result,

¾

Ç ´Ò µ

Modifications to the dealer’s part of the sharing protocol. In- we can have a dealer share Æ secrets at the cost of messages

¾

´Ò · Æ µµ C È Ç ´Ò stead of sending to each server, d adds the following values, and communication.

93 3.4 Application to Asynchronous Byzantine some synchronization primitive is needed to define the length of a Agreement phase in a meaningful way. It turns out that a single time signal or Byzantine agreement is a fundamental problem in distributed clock tick, which defines the start of every phase locally, is enough. computation [21]. In asynchronous networks, it is impossible to In our formal model, we leave the scheduling of this signal up to the solve by deterministic protocols [13], which means that one must network, i.e., the adversary. In practice, this might be an impulse resort to randomized protocols. The first polynomial-time solu- from an external clock, say every day at 0:00 UTC. Hence, phases tion to this problem was given by Canetti and Rabin [9, 5]. How- are defined locally to every server. The adversary may corrupt up ever, this result is a proof of concept and not a practical solution to Ø servers who are in the same local phase. because the complexity of their protocol is rather high: the mes- Second, the channels that link the servers have to be adapted

6 to this model. Recall that all servers are linked by secure chan-

´Ò µ sage complexity is Ç and the communication complexity is

8 nels (i.e., private and authenticated links), which are scheduled by

´Ò ÐÓg Òµ Ç . The cost of this protocol is dominated by their asynchronous ver- the adversary. Given only locally defined phases and purely asyn- chronous scheduling, however, it would be possible for the adver- ifiable secret sharing protocol for sharing Ò secrets. Our protocol

¿ sary to break the secure channels assumption as follows. Suppose

Ò µ for the same task from the previous section is ¢´ times more

4 all servers are in the same local phase and the adversary has cor-

Ò µ efficient for message complexity, and approximately ¢´ times more efficient for communication complexity. We propose to plug rupted Ø of them. In order to read any message sent between two our AVSS protocol directly into the Byzantine agreement protocol honest servers, the adversary may delay the message until the re- of Canetti and Rabin [9] (an excellent exposition of how AVSS is ceiver enters the next phase and some of the previously corrupted used in asynchronous Byzantine agreement is given in [5]). As a servers are again honest. Then she corrupts the receiver and ob- result, assuming the hardness of the discrete-logarithm problem, serves the message, which gives her access to private information

the complexity of asynchronous Byzantine agreement is reduced to from the previous phase of more than Ø servers. 4

¿ Therefore, we assume that secure channels in the proactive

´Ò µ Ç ´Ò µ Ç message complexity and communication complex- ity. model guarantee that messages are delivered in the same local We stress that this works in the computational setting, whereas phase in which they are sent. More precisely, a message sent in Canetti and Rabin [9] use an unconditional model. We also mention some local phase of the sender arrives when the receiver is in the that in the so-called random-oracle model, a more efficient protocol same local phase or it is invariably lost. Under these restrictions, we exists, which is secure against a static adversary [4]. However, the leave all scheduling up to the adversary. In practice, such proactive random-oracle model makes an idealizing assumption about cryp- secure channels might be implemented by re-keying every point- tographic hash functions, which involves certain problems [7], and to-point link when a phase change occurs, as discussed below. a proof in this model falls short from a proof in the real world. We now proceed to the formal description of the model. Hence, our AVSS protocol yields the first asynchronous Byzantine Formal Model. A server is a PITM as before, which can now agreement protocol that is provably secure in the standard model also erase information. We define erasing in terms of restricting and whose efficiency makes it suitable for use in practice. a server’s view. To erase information means to exclude the corre- sponding values from the server’s view. 4. ASYNCHRONOUS PROACTIVE As before, the adversary may corrupt a server at any point in MODEL time, but now it can also be removed from a corrupted server by a reboot procedure. In this case, the server is restarted with correct In this section, we propose an extension of the asynchronous sys- initialization data, and the proactive protocols running before the tem model given in Section 2 for proactive cryptosystems. We ar- corruption are invoked again (how these protocols are determined gue that such an extension is necessary and that our proposal is is outside our model). The internal state of the server may have minimal. An asynchronous proactive refresh protocol for shared been modified arbitrarily by the adversary. secrets, which forms the core of every proactive cryptosystem, is Every server operates in a sequence of local phases, which are presented in the next section. defined with respect to a trivial protocol timer. Every honest server Motivation. A proactive cryptosystem is a threshold cryptosystem continuously runs one instance of this protocol, which starts when that tolerates a mobile adversary who can gradually break into any the server is initialized. Upon initialization, the protocol sends a number of servers [20, 18]. To protect against leaking the secret timer message called a clock tick to itself. Whenever the server

key, it operates in a sequence of phases and the servers periodically receives a clock tick, the server resends the message to itself over È refresh their shares between two phases. The new set of shares the network. The local phase of an uncorrupted server i is de-

is independent of the previous one and the old shares are erased. fined as the number of clock ticks that it has received so far. If  Thus, the adversary may corrupt up to Ø different servers in any the adversary corrupts a server during some phase , we define the

phase without learning anything about the secret key. corrupted server to remain in local phase  until it is rebooted and The underlying assumption is that breaking into a server requires the adversary is removed. We assume that after a reboot, a server a certain amount of time, which occurs for every server that is cor- is automatically activated on a clock tick and continues to operate rupted, independent from other corruptions. It must also be possi- in the subsequent phase. Hence every server is honest at the point ble to remove the adversary by rebooting a server in a trusted way in time when it enters the next local phase. However, the adversary (e.g., from a read-only device) and to erase information on a server can cause a server to appear corrupted during multiple subsequent permanently. phases (and across the phase changes) by corrupting it again imme- This concept maps onto a synchronous network in a straightfor- diately after the phase change. ward way. In an asynchronous network, however, the following Since the set of honest servers may change from one phase to two issues regarding phases and secure channels arise. another, we also define the set of associated messages accordingly.

First, the notion of a common phase is not readily available be- An adversary in the proactive network model is called Ø-limited

 ¼ Ø cause there is no common clock. Since refreshing requires a dis- if for every phase index  , it corrupts at most servers in

tributed protocol, in which all servers should participate, at least local phase  . Recall that activations are atomic and cannot be

94 interrupted by a corruption. This allows an honest server to perform 5. ASYNCHRONOUS PROACTIVE RE- some actions, like erasing critical data, at the very beginning of a FRESH PROTOCOL phase (upon detecting a clock tick) before it can be corrupted by the adversary during this phase. In this section, we describe how a group of servers holding shares We assume that every pair of servers is linked by a proactive of a secret may refresh these shares in an asynchronous proactive secure asynchronous channel, which is defined as follows. Recall network such that the adversary does not learn anything about the that in our asynchronous network model, the adversary can sched- secret. Such protocols form the basis of any proactive cryptosys-

tem. We define the notion of a verifiable sharing and the properties

´×; Ö;е ule messages in a set Å with labels of the form . In the of a protocol to refresh such a sharing. Then we propose an imple- proactive network, a number  is added to every label denoting the

mentation of a refresh protocol for discrete logarithm-based verifi- È local phase in which × has sent the message. Then we restrict the

able sharings as established by protocol AVSS from Section 3. We

È 

scheduling as follows. If j enters local phase , all messages in

Ò; Ø ·½;ص

restrict ourselves to ordinary ´ -sharings in this section.

´¡;j; ¡;µ < Å Å with labels where are removed from . Fur-

thermore, the adversary may not schedule any message with label 5.1 Definitions

´¡;j;¡;µ È 

before j has entered its local phase . We say that the

× ¾ Z Õ

adversary delivers messages within phases to denote an adversary Verifiable sharing. A sharing of a (secret) value ¼ can be

Å ´¡;j;¡;µ

× Ë i

that delivers all messages in with a label of the form to seen as an encoding of ¼ into a set of shares such that all sets

È È 

j j Ø ·½ ×

a receiver when is in local phase . If the adversary corrupts of at least shares uniquely define ¼ , whereas any other set of

È  Ñ ¾ Å

× j

a server during its local phase , then all messages shares does not give any information about ¼ .

¡;j; ¡;µ Å

with label ´ are removed from and given to the adver- Such a sharing results, for example, from the first stage of an

j; ¡; ¡;µ sary, who may now send messages with label ´ . AVSS protocol. A sharing is robust against erasures in the sense Note that every honest server runs a separate instance of the timer that a unique secret can also be reconstructed from a subset the

protocol, and that we view this protocol as an integral part of the shares. Missing shares of honest servers are denoted by ?. proactive system model. As such, it is not required to terminate A verifiable sharing,orv-sharing for short, has the additional or to satisfy a uniform bound on its communication complexity. It property that the secret is defined uniquely even if the adversary

will simply run until the adversary halts. corrupts up to Ø servers and modifies their shares in an arbitrary way. Implementation. In practice, asynchronous proactive secure chan- We define a verifiable sharing in terms of an algorithm recon-

nels with the described properties could be implemented using se-

fË g

struct that takes as input a set of shares i and outputs a value in

cure co-processors as follows. The communication link between

Z ?

Õ or .

every pair of servers is encrypted and authenticated using a phase × session key that is stored in secure hardware. A fresh session key is Definition 2. We say the servers hold a verifiable sharing of ¼

established in the co-processor as soon as both enter a new phase, with tag ÁD and with respect to an algorithm reconstruct, if every

È Ë i with authentication based on data stored in secure hardware (if a server i holds a share such that the following conditions are public-key infrastructure is used, this may be a single root certifi- satisfied:

cate). Thus, even if the adversary corrupts a server, she gains access

fË g Ø ·½ to the phase session key only through calls to the co-processor. The Integrity: For any set i of shares that contains at least

external clock which triggers the phase changes must have a trusted shares of honest servers different from ?, running recon-

fË g × ¼ path into the secure co-processor and an intruder must not be able struct on input i yields , except with negligible proba- to influence it. bility.

The related problem of maintaining proactive authenticated com-

fË g Ø

Privacy: Any set i of at most shares contains no information

munication in a synchronous network has been investigated by ×

about ¼ . Canetti et al. [8]. Notice that the integrity property is computational and the pri- Related Work. Proactive systems in asynchronous networks have vacy property unconditional. been discussed by Castro and Liskov [?] and by Zhou [?]; the former aims at maintaining a common state, and the latter at main- Refreshing a verifiable sharing. The goal of a proactive refresh taining a shared secret. In these works, the phases are defined with protocol is to protect a verifiable sharing by providing the servers respect to proactive protocols, i.e., a phase ends upon the termina- with new shares for the next phase such that the adversary’s knowl-

tion of the corresponding refresh protocol. Our approach is more edge of shares from the previous phase is rendered useless.

Ë ;:::; Ë ×

Ò ¼ general in the sense that we define the phases only with respect to a Suppose the servers hold a v-sharing ½ of a value

timeout mechanism, independent of proactive protocols. This mod- with tag ÁD and with respect to an algorithm reconstruct at some

½

els also systems where a refresh protocol may not terminate within point in time where all honest servers are in local phase  . Then

ÁD Ë a phase. Our protocols therefore guarantee two types of conditions: an honest server starts a refresh protocol with tag and input i liveness conditions (like correctness), which hold only if the proto- as soon as it detects and receives the next clock tick (all ongoing

col terminates within a phase, and safety conditions (like privacy), computations are aborted as soon as the clock tick is detected). This

½  which hold in any case. also marks the end of local phase  and the begin of phase .

Another difference lies in our network model, which identifies The refresh protocol terminates either when the server generates an

ÁD ; µ the main security requirements on asynchronous proactive secure output of the form ´ refreshed or when it detects the next communication. While authenticity of messages in such a setting clock tick. In the first case, we say the server completes the refresh

is addressed in terms of a special freshness requirement in [10], a of sharing ÁD .

formal treatment of these aspects is missing in [24]. The refresh protocol must ensure that the honest servers compute

× Ø

From a practical point of view, our implementation of the refresh a fresh v-sharing of the same value ¼ and that any -limited adver- ×

protocol is much more efficient than the one of Zhou [24]. It has an sary does not learn any information on ¼ . This is captured by the

¡

Ò

¿

µ µ ´Ò Ç ´

expected message complexity of Ç as opposed to . following definition. Ø

95

Definition 3. Suppose the servers hold a verifiable sharing of some by using a proactively secure refresh protocols. The details of this

× ÁD value ¼ with tag and with respect to some algorithm recon- are beyond the scope of this paper. struct.Anasynchronous secure refresh protocol satisfies the fol- The verifiable sharing. We investigate how to refresh a discrete lowing conditions for any Ø-limited adversary:

logarithm-based verifiable sharing as computed by protocol AVSS È

Liveness: If the adversary activates all honest servers on a clock from Section 3. The share of an honest server i is of the form

¼

Ë = ´i; × ;× ;Î Î = ´Î ;:::;Î µ

i i ¼ Ø

tick and delivers all associated messages within phases, then i ), where is the same for all

É

¼ j

Ø

× × i

i

i

ÁD

g h = ´Î µ

all honest servers complete the refresh of sharing , except servers and j ; in other words, there exist two

j =¼

È È

Ø Ø

¼ ¼ j

with negligible probability. j

a´Üµ= a Ü a ´Üµ= a Ü Z

j Õ

polynomials and j over

j =¼ j =¼

¼ ¼

a´iµ=× a ´iµ= × Ë

i i

such that and i for all correct shares , and ·½

Correctness: If at least Ø honest servers have completed the

¼

a

a

j

j

= Î g h j ¾ [¼;Ø] Î = C

ÁD

j j ¼

refresh of sharing and have not detected a subsequent for . (Note that j using the notation ×

clock tick, the servers hold a verifiable sharing of ¼ with tag of protocol AVSS.) Ë

ÁD and with respect to reconstruct, except with negligible Algorithm reconstruct works as follows. On input a set of

Ø ·½

probability. shares, it selects a value Î that is found in at least shares Î and discards shares that contain a different value for Î .If is not Privacy: In any polynomial number of consecutive executions of

unique or does not exist, it returns ?; otherwise, it computes a set

É

j ¼

Ø

i × ×

the protocol, the adversary’s view is statistically independent ¼

i

i

= ´Î µ G Ë ´i; × ;× ;Î µ g h

j i

of tuples i that satisfy .

j =¼ ×

of ¼ .

 Ø ? a

If jG j , it returns ; otherwise it interpolates a polynomial

¼

Ø f´i; × µj´i; × ;× ;Î µ ¾ Gg

i i ÁD

Efficiency: For every , the communication complexity of in- of degree at most from the set i and

a´¼µ stance ÁD is probabilistically uniformly bounded. returns .

From a high-level point of view, the protocol works in three

× ×

Note that this definition guarantees that the servers complete the È

i ¼ stages. First, every server i shares its share of using an

refresh only when the adversary delivers messages within phases. AVSS protocol. Second, the servers use multi-valued Byzantine ·½ Otherwise, the model allows the adversary to cause the secret to be agreement to select Ø such sharings that have successfully ter-

lost, in order to preserve privacy. One could also imagine a different ×

minated. Third, they compute a fresh share of ¼ from the set of formalization of asynchronous proactive refresh protocols that pre- sharings which they agreed on.

serves correctness at the cost of privacy, i.e., where the adversary More precisely, suppose the servers hold a verifiable sharing of ÁD

may learn the secret. Such a trade-off between privacy and correct- ×

¼ with tag as described in the previous paragraph and have ness seems unavoidable in asynchronous networks where messages set up a digital signature scheme such that every server can verify may be delayed for longer than the duration of a proactive phase; signatures issued by any other server. Then every server executes

interestingly, it does not arise for proactive cryptosystems in syn- the following steps for protocol Refresh in phase  .

chronous networks.

È Ò ´Ò; Ø · ½;ص

Another difference to the synchronous case is the fact that our 1. Server i initializes verifiable -sharings

j :j j ¾ [½;Ò]

phases do not overlap. As a consequence of this, a server must ÁD avss for using an extended version of

¼

× × ÁD j :i

i avss

erase the old share during the same activation in which it receives protocol AVSS. Then it shares and i using ,

[ÁD j :i] ¼

¼ avss

f ´¼; ¼µ ×

the clock tick (in order to guarantee privacy of the secret). This where is set to i , and immediately

point in time corresponds to the beginning of the refresh proto- erases the current share and the sharing polynomials

[ÁD j :i]

[ÁD j ¼ ]

avss:i avss

f ÁD j :i col, before the server may receive messages from other servers or f and in instance avss . become corrupted in the new local phase. In contrast, two subse- The extension of protocol AVSS is that each server quent phases in synchronous proactive cryptosystems are usually adds a digital signature to every ready message; in

assumed to overlap for the duration of the refresh protocol, and a

j :j AVSS instance ÁD avss , the signature is computed on

server may delay the erasure of an old share until the end of the

ÁD j :j;  ; µ ¥ ¾Ø ·½ ´ avss ready . A list of such signatures is refresh protocol. output when the server completes the sharing and may serve

5.2 Implementation as a proof for this fact.

Î =´Î ; :::; Î µ Ø This section describes protocol Refresh for refreshing a dis- The server also sends its current value of ¼

all other servers in a recover message. Then it waits for

Ò; Ø ·½;ص

crete logarithm-based verifiable ´ -sharing in an asyn- ·½ chronous network. Its implementation needs the multi-valued vali- receiving Ø identical recover messages and assigns the dated Byzantine agreement protocol from Section 2.3, a digital sig- value found in them to D .

nature scheme secure against adaptive chosen-message attacks [16] ·½

2. The server waits for completing Ø sharing protocols

[ÁD j ]

for every server, and the AVSS protocol from Section 3 as building avss:j

j :j C D

ÁD avss such that is consistent with , É

blocks. We assume that such sub-protocols have the property that Ð

[ÁD j :j ] Ø

avss j

C = ´D µ

i.e., Ð . Recall that the extended

¼¼ =¼

the calling protocol can access and modify their internal state and Ð ¥ abort them if necessary by terminating the corresponding instance AVSS protocol also returns a proof j for the completion of the sharing.

and erasing all associated local data. A local variable Ü associated

[ÁD ]

ÁD Ü È

with sub-protocol instance is denoted . Next, i proposes the set of completed sharings for validated j

Recall that these primitives were defined in a purely asyn- Byzantine agreement with tag ÁD vba. Its proposal is a set

Ä = f´j; ¥ µg Ø ·½ È

j j

chronous, non-proactive network. Hence, we use them only as i of tuples, indicating the dealer of ¥ sub-protocols running within a single phase; if a protocol does not every completed sharing and containing the list j of sig- terminate before the end of the phase, it must be aborted by the natures on ready messages from the extended sharing. The

calling protocol. The security of the keys for the digital signature predicate of the VBA protocol is set to verify-termination´µ, ·½ scheme and for the VBA protocol in the proactive corruption model described below, which verifies that a proposal contains Ø has to be guaranteed by storing them inside secure co-processors or valid lists of signatures from instances of protocol AVSS.

96

3. After the server decides in the VBA protocol for a set Ä that [5] R. Canetti. Studies in Secure Multiparty Computation and ·½

indicates Ø AVSS instances, it waits for these sharings Applications. PhD thesis, Weizmann Institute, 1995. È

to complete. Then i computes its new share as follows: it [6] R. Canetti, R. Gennaro, A. Herzberg, and D. Naor. Proactive Z interpolates two polynomials over Õ from the set of shares security: Long-term protection against break-ins. RSA

computed in the AVSS instances indicated by Ä. More pre- Laboratories’ CryptoBytes, 3(1), 1997.

a Ø

cisely, the polynomial  of degree is interpolated from the [7] R. Canetti, O. Goldreich, and S. Halevi. The random oracle

[ÁD j ]

avss:j

f´j; × µj´j; ¥ µ ¾ Äg

set j ; similarly, the polyno-

i methodology, revisited. In Proc. 30th Annual ACM Symp. on

[ÁD j :j ] ¼

¼ avss

a f ´j; × µ j ´j; ¥ µ

 Theory of Computing, pages 209Ð218, 1998. j

mial is interpolated from i

¼

¾Äg × × a ´¼µ

i [8] R. Canetti, S. Halevi, and A. Herzberg. Maintaining

. Then the server sets the shares and i to and

¼

a ´¼µ Î  , respectively. The new commitments are computed authenticated communication in the presence of break-ins. analogously. J. Cryptology, 13(1):61Ð106, 2000.

[9] R. Canetti and T. Rabin. Fast asynchronous Byzantine

j :j Finally, the server aborts all sub-protocols ÁD avss , which automatically erases all information of these protocol agreement with optimal resilience. In Proc. 25th Annual instances. ACM Symp. on Theory of Computing, pages 42Ð51, 1993.

[10] M. Castro and B. Liskov. Proactive recovery in

ÁD j ;;ĵ

Predicate verify-termination´ vba used in VBA in- Byzantine-fault-tolerant systems. In Proc. 3rd USENIX

j Ä Ø ·½ stance ÁD vba verifies that contains tags of AVSS pro- Symposium on Operating System Design and Implementation

tocols with the proofs that these protocols will actually terminate. (OSDI’99), 1999.

jÄj = Ø ·½ ´j; ¥ µ ¾ Ä

It is true if and only if and for every j , [11] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch.

¥ ¾Ø ·½

the list j contains at least valid signatures on the string Verifiable secret sharing and achieving simultaneity in the

ÁD j :j;  ; µ ´ avss ready from distinct servers. presence of faults. In Proc. 26th IEEE Symp. on Found. of As mentioned before, a key point of the protocol is that every Computer Science, pages 383Ð395, 1985. server erases its old share in the first activation before waiting for [12] Y. Desmedt. Threshold cryptography. European Trans. on

any network input. The event of receiving the clock tick and start- Telecommunications, 5(4):449Ð457, 1994.

½ ing the refresh protocol defines the end of local phase  . Thus,

[13] M. J. Fischer, N. A. Lynch, and M. S. Paterson. Impossibility

½ one cannot tolerate to leave share information from phase  of distributed consensus with one faulty process. J. ACM, around when entering a wait state in phase  because at any point 32(2):374Ð382, Apr. 1985. in time afterwards, a corruption might occur that counts towards [14] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure phase  . This is also the reason why the protocol does not follow the approach of Gennaro et al. [14], which is to establish a set of key generation for discrete-log based cryptosystems. In sharings of the value 0 and to add these shares to the shares of the J. Stern, editor, EUROCRYPT ’99, volume 1592 of LNCS,

pages 295Ð310. Springer, 1999.

½ secret from phase  later on. Instead, our protocol creates shar- ings of previous shares of the secret and uses the agreed-on set of [15] S. Goldwasser, S. Micali, and C. Rackoff. The knowledge such sharings as a polynomial sharing of the secret itself. complexity of interactive proof systems. SIAM J. Computing, The purpose of the recover messages is to supply the verifi- 18(1):186Ð208, Feb. 1989.

[16] S. Goldwasser, S. Micali, and R. L. Rivest. A digital

 ½ cation information Î of phase to those honest servers that

signature scheme secure against adaptive chosen-message

½ might have been corrupted in phase  and have been rebooted attacks. SIAM J. Computing, 17(2):281Ð308, Apr. 1988. into phase  .

Protocol Refresh invokes Ò protocols for AVSS and one VBA [17] V. Hadzilacos and S. Toueg. Fault-tolerant broadcasts and

sub-protocol. With AVSS implemented according to Section 3.3 related problems. In S. J. Mullender, editor, Distributed

¿

´Ò µ

and VBA from [3], its expected message complexity is Ç and Systems. ACM Press & Addison-Wesley, New York, 1993.

4

´Ò µ its expected communication complexity is Ç . We prove the [18] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. following theorem in the full version of the paper. Proactive secret sharing or how to cope with perpetual leakage. In D. Coppersmith, editor, CRYPTO ’95, volume Theorem 2. Assuming the hardness of the discrete-logarithm prob- 963 of LNCS, pages 339Ð352. Springer, 1995. lem, protocol Refresh is an asynchronous secure refresh protocol

[19] L. Lamport, R. Shostak, and M. Pease. The Byzantine

¿Ø for Ò> . generals problem. ACM Trans. on Programming Languages and Systems, 4(3):382Ð401, July 1982. 6. REFERENCES [20] R. Ostrovsky and M. Yung. How to withstand mobile virus [1] M. Ben-Or, R. Canetti, and O. Goldreich. Asynchronous attacks. In Proc. 10th ACM Symp. on Principles of secure computation. In Proc. 25th Annual ACM Symp. on Distributed Computing, pages 51Ð59, 1991.

Theory of Computing, 1993. [21] M. Pease, R. Shostak, and L. Lamport. Reaching agreement

Ò ½µ=¿] [2] G. Bracha. An asynchronous [´ -resilient consensus in the presence of faults. J. ACM, 27(2):228Ð234, Apr. 1980. protocol. In Proc. 3rd ACM Symp. on Principles of [22] T. P. Pedersen. Non-interactive and information-theoretic Dist. Computing, pages 154Ð162, 1984. secure verifiable secret sharing. In J. Feigenbaum, editor, [3] C. Cachin, K. Kursawe, F. Petzold, and V. Shoup. Secure and CRYPTO ’91, volume 576 of LNCS, pages 129Ð140. efficient asynchronous broadcast protocols (extended Springer, 1992. abstract). In J. Kilian, editor, CRYPTO 2001, volume 2139 of [23] V. Shoup. Practical threshold signatures. In B. Preneel, LNCS, pages 524Ð541. Springer, 2001. editor, EUROCRYPT 2000, volume 1087 of LNCS, pages [4] C. Cachin, K. Kursawe, and V. Shoup. Random oracles in 207Ð220. Springer, 2000. Constantinople: Practical asynchronous Byzantine [24] L. Zhou. Towards fault-tolerant and secure on-line services. agreement using cryptography. In Proc. 19th ACM Symp. on PhD thesis, Cornell University, USA, 2001. Principles of Distributed Computing, pages 123Ð132, 2000.

97