Proactive Secret Sharing with Constant Communication

  • Conference paper
  • Theory of Cryptography (TCC 2023)

Abstract

This paper presents the first protocols for Proactive Secret Sharing (PSS) that only require constant (in the number of parties, n) communication per party per epoch. By harnessing the power of expander graphs, we are able to obtain strong guarantees about the security of the system. We present the following PSS protocols:

  • A PSS protocol that provides privacy (but no robustness) against an adversary controlling \(\mathcal {O}(n)\) parties per epoch.

  • A PSS protocol that provides robustness (but no privacy) against an adversary controlling \(\mathcal {O}(n)\) parties per epoch.

  • A PSS protocol that provides privacy against an adversary controlling \(\mathcal {O}(n^a)\) parties per epoch and provides robustness against an adversary controlling \(\mathcal {O}(n^{1-a})\) parties per epoch, for any constant \(0 \le a \le 1\). Instantiating this with \(a=\frac{1}{2}\) gives a PSS protocol that is proactively secure (private and robust) against an adversary controlling \(\mathcal {O}(\sqrt{n})\) parties per epoch.

Additionally, we discuss how secure channels, whose existence is usually assumed by PSS protocols, are challenging to create in the mobile adversary setting, and we present a method to instantiate them from a weaker assumption.


Notes

  1. A d-regular bipartite graph is always balanced since \(|E| = d|L| = d|R| \Rightarrow |L| = |R|\).

  2. While this definition is valid for the case \(\alpha \le 1\), we will only be interested in the case where \(\alpha > 1\), i.e. there is actual expansion.

  3. In order to instantiate secure channels as described in Sect. 8, each party will also have to send messages to its neighboring parties, but this will not change the fact that each party only communicates with O(1) other parties in each epoch.

  4. This assumes a secure channel is already established between \(P_i\) and \(P_j\). If Protocol 4 is used to re-establish a secure channel, \(P_j\) will also need to send messages to \(P_i\), but we do not represent this on the graph. Also, if a corrupted \(P_i\) should send a message to \(P_j\) but doesn’t, we consider this as \(P_i\) sending some default message.

  5. https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web.

References

  1. Abdalla, M., Benhamouda, F., Passelègue, A., Paterson, K.G.: Related-key security for pseudorandom functions beyond the linear barrier. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 77–94. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_5

  2. Bellare, M., Cash, D.: Pseudorandom functions and permutations provably secure against related-key attacks. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 666–684. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_36

  3. Baron, J., Defrawy, K.E., Lampkins, J., Ostrovsky, R.: Communication-optimal proactive secret sharing for dynamic groups. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 23–41. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_2

  4. Baron, J., Defrawy, K.E., Lampkins, J., Ostrovsky, R.: How to withstand mobile virus attacks, revisited. In: PODC, pp. 293–302 (2014)

  5. Barak, B., Herzberg, A., Naor, D., Shai, E.: The proactive security toolkit and applications. In: CCS, pp. 18–27 (1999)

  6. Canetti, R., Herzberg, A.: Maintaining security in the presence of transient faults. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 425–438. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_38

  7. Canetti, R., Halevi, S., Herzberg, A.: Maintaining authenticated communication in the presence of break-ins. In: PODC, pp. 15–24 (1997)

  8. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16

  9. Cachin, C., Kursawe, K., Lysyanskaya, A., Strobl, R.: Asynchronous verifiable secret sharing and proactive cryptosystems. In: CCS, pp. 88–97 (2002)

  10. Cohen, M.B.: Ramanujan graphs in polynomial time. In: 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS), pp. 276–281. IEEE (2016)

  11. Eldefrawy, K., Lepoint, T., Leroux, A.: Communication-efficient proactive secret sharing for dynamic groups with dishonest majorities. In: Conti, M., Zhou, J., Casalicchio, E., Spognardi, A. (eds.) ACNS 2020. LNCS, vol. 12146, pp. 3–23. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-57808-4_1

  12. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: FOCS, pp. 427–438. IEEE (1987)

  13. Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M.: Optimal-resilience proactive public-key cryptosystems. In: FOCS, pp. 384–393. IEEE (1997)

  14. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: PODC, pp. 101–111 (1998)

  15. Haemers, W.H.: Interlacing Eigenvalues and graphs. Appl. Cryptography Network Secur. 226, 593–616 (1995)

  16. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_27

  17. Hemenway, B., Ostrovsky, R.: Efficient robust secret sharing from expander graphs. Cryptogr. Commun. 10(1), 79–99 (2018)

  18. McKeen, F., et al.: Intel® software guard extensions (Intel® SGX) support for dynamic memory management inside an enclave. In: Proceedings of the Hardware and Architectural Support for Security and Privacy 2016, pp. 1–9 (2016)

  19. Marcus, A., Spielman, D.A., Srivastava, N.: Interlacing families I: bipartite Ramanujan graphs of all degrees. In: FOCS, pp. 529–537. IEEE (2013)

  20. Marcus, A.W., Spielman, D.A., Srivastava, N.: Interlacing families IV: bipartite Ramanujan graphs of all sizes. SIAM J. Comput. 47(6), 2488–2509 (2018)

  21. Maram, S.K.D., et al.: CHURP: dynamic-committee proactive secret sharing. In: CCS, pp. 2369–2386 (2019)

  22. Nilli, A.: On the second eigenvalue of a graph. Discret. Math. 91(2), 207–210 (1991)

  23. Ostrovsky, R., Yung, M.: How to withstand mobile virus attacks. In: PODC, pp. 51–59 (1991)

  24. Paredes, P.: On the Expansion of Graphs. Ph.D. thesis, Princeton (2021)

  25. Rabin, T.: A simplified approach to threshold and proactive RSA. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 89–104. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055722

  26. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  27. Schultz, D., Liskov, B., Liskov, M.: MPSS: mobile proactive secret sharing. TISSEC 13(4), 1–32 (2010)

  28. Vadhan, S.: Pseudorandomness, vol. 7. Now Delft (2012)

  29. Yan, Y., Xia, Y., Devadas, S.: Shanrang: fully asynchronous proactive secret sharing with dynamic committees. IACR ePrint 2022/164 (2022)

  30. Zhou, L., Schneider, F.B., Van Renesse, R.: APSS: proactive secret sharing in asynchronous systems. TISSEC 8(3), 259–286 (2005)

Acknowledgements

This research was sponsored in part by ONR grant (N00014-15-1-2750) “SynCrypt: Automated Synthesis of Cryptographic Constructions” and a gift from Ripple Labs, Inc.

Author information

Corresponding author: Brett Hemenway Falk

Appendices

Supplemental Material

A Previous Work

The mobile adversary model is particularly challenging because eventually a mobile adversary will have corrupted all the parties (but not all of them simultaneously). This means that an adversary who corrupts a party should (1) not be able to read the party’s historical state, and (2) not be able to predict the party’s randomness in the future.

At minimum, therefore, parties need secure deletion, since otherwise an adversary who corrupted a party at time t could read all of the messages received by the party during all previous rounds of the protocol; they also need fresh randomness, so that an adversary cannot predict the behavior of parties it has corrupted in the past.

In the original work introducing the mobile adversary [OY91], they imagined removing an adversary (and securely deleting previous state) by imagining a “clean” version of the program sitting in read-only memory, a piece of trusted hardware that would periodically “reboot” the machine to remove the adversary (as well as the history). They also assumed that either “each coin-flip is generated online (which is the practical assumption on generating randomness from physical devices), or, more abstractly, that the entire random tape of the machine is replaced with a new one during reboot.”

Our work, like essentially all prior work in the PSS literature, assumes that parties can securely delete state variables and can be securely “rebooted” to obtain a clean copy of the PSS program.

A.1 PSS Protocols

The mobile-adversary model was introduced in [OY91], where they provided an information-theoretic protocol for secure computation. Proactive secret sharing has been widely studied e.g. [OY91, HJKY95, FGMY97, Rab98, CKLS02, ZSVR05] [BHNS99, SLL10, BEDLO14, MZW+19, YXD22] and some works (e.g. [FGMY97, Rab98]) focused on proactive secret sharing of keys for specific cryptosystems (e.g. RSA).

The main challenge in developing a PSS protocol is how to refresh the shares. In the semi-honest model, the linearity of secret sharing schemes like Shamir’s scheme [Sha79] makes it straightforward to re-randomize shares. One method is to have each party generate a fresh sharing of zero; each party then locally adds all the shares it received. Concretely, the secret s is shared according to a polynomial f(x), where party i holds f(i) and \(f(0) = s\). To refresh, party i generates a polynomial \(g_i(x)\) such that \(g_i(0) = 0\) and gives \(g_i(j)\) to party j, and party j computes its new share as \(f(j) + \sum _i g_i(j)\). This is the refresh method laid out in [HJKY95].

Another method is to have party i re-share its share, i.e., party i generates a new polynomial \(g_i(x)\) such that \(g_i(0) = f(i)\) and gives \(g_i(j)\) to party j. This re-sharing technique is widely used in secure multiparty computation [GRR98]. Since polynomial interpolation is a linear operation, party j can compute its share of a new sharing of the original secret s by applying local, linear operations to the values \(\left\{ g_i(j) \right\} _i\) it received. This is the refresh method laid out in [CKLS02].
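The following is an added example, not code from the paper: it implements Shamir sharing over a prime field together with both semi-honest refresh methods just described, the zero-sharing refresh of [HJKY95] and the re-sharing refresh of [CKLS02]/[GRR98], and checks that refreshed shares still reconstruct the secret while shares collected from different epochs do not. The field prime `P`, the party count `N_PARTIES`, the threshold and all function names are assumptions of the example.

```python
# Added example, not the paper's code: Shamir sharing over GF(P) with the two
# semi-honest refresh methods described in the text. P, N_PARTIES and
# THRESHOLD are constructed parameters chosen for illustration.
import secrets
from itertools import combinations

P = 2**61 - 1      # constructed: prime field for shares
N_PARTIES = 5      # constructed: parties are indexed 1..N_PARTIES
THRESHOLD = 3      # constructed: any THRESHOLD shares reconstruct (degree THRESHOLD-1)


def rand_poly(constant, degree):
    """Random polynomial over GF(P) with the given constant term (coefficient list)."""
    return [constant % P] + [secrets.randbelow(P) for _ in range(degree)]


def evaluate(poly, x):
    """Horner evaluation of poly at x modulo P."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % P
    return acc


def share(secret, n=N_PARTIES, t=THRESHOLD):
    """Shamir sharing: party i holds f(i) where f(0) = secret and deg f = t-1."""
    f = rand_poly(secret, t - 1)
    return {i: evaluate(f, i) for i in range(1, n + 1)}


def lagrange_at_zero(xs):
    """Coefficients l_i with f(0) = sum_i l_i f(x_i) for any f of degree < len(xs)."""
    coeffs = {}
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        coeffs[i] = num * pow(den, P - 2, P) % P
    return coeffs


def reconstruct(shares):
    """Interpolate the secret f(0) from at least THRESHOLD share points."""
    lag = lagrange_at_zero(list(shares))
    return sum(lag[i] * shares[i] for i in shares) % P


def refresh_zero_sharing(shares, t=THRESHOLD):
    """[HJKY95]-style refresh: each party i shares a fresh zero polynomial g_i
    (g_i(0) = 0) and party j adds all g_i(j) it receives to its own share."""
    parties = list(shares)
    new = dict(shares)
    for i in parties:
        g_i = rand_poly(0, t - 1)
        for j in parties:
            new[j] = (new[j] + evaluate(g_i, j)) % P
    return new


def refresh_resharing(shares, t=THRESHOLD):
    """[CKLS02]/[GRR98]-style refresh: party i re-shares f(i) with g_i(0) = f(i);
    party j takes the Lagrange combination of the values g_i(j) it received."""
    parties = list(shares)
    lag = lagrange_at_zero(parties)
    received = {j: {} for j in parties}
    for i in parties:
        g_i = rand_poly(shares[i], t - 1)
        for j in parties:
            received[j][i] = evaluate(g_i, j)
    # h(x) = sum_i l_i g_i(x) has degree t-1 and h(0) = sum_i l_i f(i) = f(0):
    # local, linear operations give party j its new share h(j).
    return {j: sum(lag[i] * received[j][i] for i in parties) % P for j in parties}


def demo(secret=123456789):
    """Refresh twice (once with each method) and check that every THRESHOLD-subset
    of the refreshed shares still yields the secret, while shares taken from
    different epochs do not combine to it."""
    epoch0 = share(secret)
    epoch1 = refresh_zero_sharing(epoch0)
    epoch2 = refresh_resharing(epoch1)
    for shares in (epoch1, epoch2):
        for subset in combinations(shares, THRESHOLD):
            if reconstruct({i: shares[i] for i in subset}) != secret:
                return False
    # A mobile adversary holding one share from each of three epochs learns nothing:
    # each epoch's sharing is independently randomized, so the mix does not interpolate to s.
    mixed = {1: epoch0[1], 2: epoch1[2], 3: epoch2[3]}
    return reconstruct(mixed) != secret
```

Both refreshes are all-to-all in this toy form, which is precisely the cost the paper's expander-based protocols avoid; the example shows only the algebra of the two methods and why old shares become useless after a refresh.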

Other works [ELL20, MZW+19, YXD22] share using bivariate polynomials. To obtain security against malicious adversaries (instead of semi-honest adversaries), these simple refresh protocols were combined with Verifiable Secret Sharing (like Feldman VSS [Fel87]), as well as BFT consensus.

The mobile adversary model relies on “epochs” – the adversary is static within an epoch – and this introduces some amount of synchrony into the model. It is possible to consider an asynchronous model of PSS, where there is still a global notion of epochs, but communication within an epoch is asynchronous (and adversarially controlled). PSS protocols that can tolerate asynchronous communication within an epoch include [CKLS02, ZSVR05, SLL10, YXD22]. Some PSS schemes have been implemented [SLL10, MZW+19, YXD22].

As is evident from this brief description of prior work, all of these protocols require each party to carry out a secret sharing in the refresh phase, even in the semi-honest model. This results in all-to-all communication between the parties during the share refresh. In our work, parties do not have all-to-all communication every epoch; instead they communicate according to an expander graph. Expander graphs have been used to build robust secret sharing schemes [HO18], but those constructions only consider a static adversary.

To reduce communication, some protocols can handle batches of independent secrets, which can reduce amortized communication complexity. Batched PSS protocols include [BEDLO14, BDLO15, ELL20].

A.2 Refreshing Secure Channels

Most secure multiparty protocols assume that parties can communicate using “secure, authenticated channels.” In practice, however, these secure channels are usually secured using public-key encryption, and authenticated using digital signatures. This works well in the static adversary model.

In the mobile adversary model, parties cannot use persistent keys to secure and authenticate their channels, because once an adversary has corrupted a party (and in doing so learned their private keys), the adversary can read all messages sent to that party during future rounds of the protocol (using the party’s decryption key) and impersonate the party in all future rounds of the protocol (using the party’s signing key).

This problem is not readily solved. If a party is securely rebooted (and generates new key material), how can they communicate their new public encryption and verification keys to the other parties? They cannot simply sign their new key using their old key, since an adversary (who had corrupted the party in the previous round) could generate a competing key, and sign it using the party’s old, valid key.

One way to side-step this problem is to assume that parties are connected via persistent, secure authenticated channels (e.g. secure hardware channels), thus eliminating the need for key management. This is the approach taken in [OY91] as well as many subsequent works including [CKLS02, BEDLO14, MZW+19, YXD22].

In [HJKY95] they addressed this problem by assuming that all parties had access to an uncensorable broadcast channel. When a party was rebooted, they would generate new key material, and sign the new key using their old key, and broadcast their new (signed) key. As noted above, the adversary could do the same, by generating a new (adversarially controlled) key, and signing this key with the old key. In this case, however, since the broadcast channel is uncensorable, honest parties would see two new keys broadcast after the reboot. They would not be able to distinguish which one was valid, but they could refuse to use either key until the offending party was rebooted again. This provides a method whereby an adversary could halt the network (by continually broadcasting false keys after a reboot), but could never violate security.

This problem was explored in depth in [CHH97], where they propose a solution involving proactive, threshold signature schemes. Essentially, the construction of [CHH97] works as follows: At the start of the protocol, it is assumed that all parties hold a share of a private signing key, and the corresponding verification key is baked into their read-only memory. This persistent verification key is then used to authenticate all short-term secrets as follows. When a party reboots and generates new key material, it sends its new public keys to all parties, at which point the parties run a byzantine agreement protocol to agree on the party’s public key. Then they use their long-term key shares to generate a threshold signature on the party’s new signing key. Unfortunately, this construction rests on a proactive threshold signature scheme; to avoid circularity, they show how to convert any proactive threshold signature scheme that requires authenticated channels into one that does not, using byzantine agreement.

Some PSS protocols (e.g. [SLL10]) consider a dynamic committee model, where there is a completely new committee in each epoch (and the public keys of all the new committee members are known in advance), so there is no need to refresh channel keys. This model does allow members from old committees to be corrupted (even after their role on a committee is done), so parties use a forward-secure cryptosystem [CHK03]. This means that an adversary who corrupts a party cannot decrypt ciphertexts sent to that party in previous epochs. Unfortunately, forward-secure cryptosystems do not prevent the adversary from learning messages sent in future epochs.

[ZSVR05] suggests a few possible approaches for creating persistent secure channels between parties. One approach is to use trusted hardware to implement a signing oracle with a monotonically increasing counter. Every time the oracle signs a message, it includes the counter (which is incremented every epoch), which ensures that the message was sent during the current epoch. They also suggest an alternative approach with a trusted administrator (with a static public key), who can identify each party and sign their new keys after each refresh. They do not, however, describe how a party can authenticate itself to the trusted administrator after a reboot.

[CKLS02] suggests that if each party has a trusted co-processor (e.g. Intel SGX [MAA+16]), then the co-processor can have a trusted clock (that is timed to the epochs), as well as a persistent signing key. Then the co-processor can generate new session keys every epoch, and sign these new epoch-keys together with the epoch number (from its trusted clock), using its persistent signing key. Now that these trusted co-processors are prevalent in commodity hardware, this is a promising approach. Below (Sect. 8) we show how to eliminate the need for a full-blown trusted co-processor with a tamper-proof clock.

The assumption that persistent, trusted channels exist (e.g. [OY91, CKLS02, BEDLO14, MZW+19, YXD22]) is an extremely strong assumption, which we would like to avoid. Weaker assumptions, assuming a censorship resistant broadcast channel as in [HJKY95], or byzantine agreement and threshold secret sharing (as in [CHH97]) are unsatisfactory in our setting because they require all-to-all O(n) communication per-party, something that we wish to avoid in our protocol.

In Sect. 8, we outline a novel solution for re-establishing secure, authenticated channels in the presence of a mobile adversary. Our solution is compatible with any other proactive secret sharing scheme that requires secure channels and has the added benefit that it is compatible with essentially any communication pattern, i.e., it only requires communication between the sender and receiver in order to set up a secure channel between the two parties.

B Ramanujan Expanders

Ramanujan expanders are expanders with essentially optimal spectral expansion. The spectral expansion of a graph is the largest absolute value of an eigenvalue of the adjacency matrix (apart from the trivial eigenvalues \(\pm d\)). Ramanujan graphs have spectral expansion at most \(2 \sqrt{d-1}\). This is optimal in the sense that for any \(\epsilon > 0\), any infinite family of d-regular graphs contains at least some graphs with spectral expansion greater than \((2 \sqrt{d-1} - \epsilon )\) [Nil91].

Definition 3

A d-regular graph, G, is called a Ramanujan Graph if the spectral radius of G is bounded by \(2\sqrt{d-1}\), i.e., for every eigenvalue \(\lambda \) of the adjacency matrix of G, if \(\left| \lambda \right| < d\), then \(\left| \lambda \right| < 2 \sqrt{d-1}\).

In particular, we use balanced bipartite Ramanujan expanders. Balanced bipartite Ramanujan graphs can be efficiently computed for all degrees and sizes [MSS13, MSS18, Coh16].

Ramanujan graphs do not necessarily have optimal vertex expansion. It is an open problem to find explicit general constructions of bipartite graphs with near-optimal vertex expansion (see Open Question 6 of Paredes [Par21]). Constructing such graphs would improve the concrete results of this paper. Nevertheless, Ramanujan graphs provide good vertex expansion, which is sufficient for the purposes of this paper.

Below we demonstrate that Ramanujan graphs have the properties our protocols require. Concretely, we prove Theorems 1 and 2. We start with a standard theorem relating spectral and vertex expansion:

Theorem 12

(Spectral expansion implies vertex expansion [Vad12][Theorem 4.6]). If G is a d-regular graph with second largest eigenvalue \(\lambda \), then for every \(\gamma \in [0,1]\), G is a \(\left( \gamma , \alpha \right) \) expander where

$$\begin{aligned} \alpha = \frac{1}{(1-\gamma ) \frac{\lambda ^2}{d^2} + \gamma } \end{aligned}$$
(1)

Combining Definition 3 and Theorem 12 gives our first required property:

Theorem 1

A Ramanujan graph is a \(\left( \gamma , \frac{1}{ (1-\gamma )\frac{4}{d} + \gamma } \right) \) expander \(\forall \) \(\gamma \in [0,1]\).

We now prove the second property. We are given a d-regular, bipartite expander graph with two sets L and R, each of size n. We have a subset \(S \subset L\) of nodes of size \(\delta n\) on the left and a value \(\epsilon _1\). We want to bound how many nodes on the right have more than an \(\epsilon _1\) fraction of their edges connected to the set S.

Lemma 8

(Bipartite Expander Mixing [Hae95][Theorem 5.1]). Let G be a d-regular bipartite graph with spectral radius \(\lambda \). Suppose, \(S \subset L\), and \(T \subset R\), with \(\left| S \right| = \alpha \left| L \right| \), and \(\left| T \right| = \beta \left| R \right| \). Let \(e(X,Y) {\mathop {=}\limits ^{\textrm{def}}}\left| \left\{ (x,y) \in E ~\left| ~ x \in X, y \in Y\right. \right\} \right| \) then

$$\begin{aligned} \left| \frac{ e(S,T)}{e(L,R)} - \alpha \beta \right| \le \frac{\lambda }{d} \sqrt{\alpha \beta } \end{aligned}$$
(2)

Note that e(L, R) counts all the edges in the graph, i.e. \(e(L,R) = d|L|\).

Lemma 9

Given a d-regular bipartite expander with spectral radius \(\lambda \), suppose S is a set of \(\delta n\) vertices on the left. Then at most

$$\begin{aligned} \frac{\lambda ^2 \delta n}{(\epsilon _1-\delta )^2d^2} \end{aligned}$$
(3)

right vertices have at least an \(\epsilon _1\) fraction of left-neighbors in S.

Proof

Let T denote the set of right-hand vertices that have at least an \(\epsilon _1\)-fraction of left-neighbors in S. Since G has right-degree d, we have \(e(S,T) \ge d \epsilon _1 \left| T \right| \).

On the other hand, the expander mixing lemma (Lemma 8), applied with \(\alpha = \delta \) and \(\beta = |T|/n\), tells us that

$$\begin{aligned} \left| \frac{e(S,T)}{nd} - \delta \frac{\left| T \right| }{n} \right| \le \frac{\lambda }{d} \sqrt{ \delta \frac{\left| T \right| }{n} } \quad \Rightarrow \quad \frac{e(S,T)}{d} - \delta \left| T \right| \le \frac{\lambda }{d} \sqrt{ n \delta \left| T \right| } \end{aligned}$$
(4)

Combining this with \(e(S,T) \ge d \epsilon _1 \left| T \right| \), we have

$$\begin{aligned} \epsilon _1 \left| T \right| - \delta \left| T \right| \le \frac{\lambda }{d} \sqrt{ n \delta \left| T \right| } \quad \Rightarrow \quad \left| T \right| \le \frac{ \lambda ^2 \delta n}{(\epsilon _1-\delta )^2 d^2 } \end{aligned}$$
(5)

Since Ramanujan graphs have spectral radius at most \(2 \sqrt{d - 1}\), this implies our required property:

Theorem 2

Ramanujan graphs have the following property. Let S be a set of size at most \(\delta n\) vertices on the left. Then at most

$$ \frac{4 \delta n}{(\frac{1}{2}-\delta )^2d} $$

right-hand vertices have at least \(\frac{1}{2}\) of their neighbors in S.
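As an added example, not code from the paper, the block below runs through the quantities of this appendix on a small constructed instance: a 3-regular bipartite circulant graph on 16 + 16 vertices (not one of the [MSS13, MSS18, Coh16] constructions), whose spectral radius is computed with plain-Python Jacobi rotations so that nothing beyond the standard library is needed. It checks the Ramanujan condition of Definition 3, evaluates the Theorem 12 / Theorem 1 expansion factor and the Lemma 9 bound, and then compares both against every left set of a given size by exhaustive enumeration. `SIDE`, `OFFSETS` and all function names are assumptions of the example.

```python
# Added example, not the paper's code: build a small d-regular bipartite graph,
# compute its spectral radius with plain-Python Jacobi rotations, test the
# Ramanujan condition, and verify Theorem 1 and Lemma 9 / Theorem 2 exhaustively.
# SIDE and OFFSETS are constructed parameters chosen for illustration.
import math
from itertools import combinations

SIDE = 16             # constructed: n = |L| = |R|
OFFSETS = (0, 1, 3)   # constructed: left vertex i is joined to right vertices i+k mod SIDE
DEGREE = len(OFFSETS)


def bipartite_circulant(n=SIDE, offsets=OFFSETS):
    """Left->right adjacency lists of a d-regular bipartite circulant graph."""
    return {i: [(i + k) % n for k in offsets] for i in range(n)}


def adjacency_matrix(graph, n=SIDE):
    """Symmetric 2n x 2n adjacency matrix; left vertices 0..n-1, right n..2n-1."""
    A = [[0.0] * (2 * n) for _ in range(2 * n)]
    for i, nbrs in graph.items():
        for r in nbrs:
            A[i][n + r] = A[n + r][i] = 1.0
    return A


def symmetric_eigenvalues(A, tol=1e-18, max_sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations (no numpy needed)."""
    A = [row[:] for row in A]
    m = len(A)
    for _ in range(max_sweeps):
        if sum(A[i][j] ** 2 for i in range(m) for j in range(m) if i != j) < tol:
            break
        for p in range(m - 1):
            for q in range(p + 1, m):
                if abs(A[p][q]) < 1e-15:
                    continue
                theta = (A[q][q] - A[p][p]) / (2.0 * A[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(m):  # A <- A J, where J rotates the (p, q) plane
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(m):  # A <- J^T A
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(m)]


def spectral_radius(graph, d=DEGREE, n=SIDE):
    """Largest |eigenvalue| of the adjacency matrix apart from the trivial +-d."""
    eig = symmetric_eigenvalues(adjacency_matrix(graph, n))
    return max(abs(x) for x in eig if abs(abs(x) - d) > 1e-6)


def is_ramanujan(lam, d=DEGREE):
    """Ramanujan condition: spectral radius at most 2 sqrt(d-1)."""
    return lam <= 2.0 * math.sqrt(d - 1)


def theorem1_alpha(lam, d, gamma):
    """Expansion factor from Theorem 12: alpha = 1 / ((1-gamma) lam^2/d^2 + gamma)."""
    return 1.0 / ((1.0 - gamma) * lam * lam / (d * d) + gamma)


def lemma9_bound(lam, d, n, delta, eps1):
    """Lemma 9: at most lam^2 delta n / ((eps1-delta)^2 d^2) right vertices have
    an eps1 fraction of their neighbours inside a left set of size delta n."""
    return lam * lam * delta * n / ((eps1 - delta) ** 2 * d * d)


def heavy_right_vertices(graph, S, eps1, d=DEGREE, n=SIDE):
    """Right vertices with at least an eps1 fraction of their d neighbours in S."""
    hits = [0] * n
    for i in S:
        for r in graph[i]:
            hits[r] += 1
    return [r for r in range(n) if hits[r] >= eps1 * d]


def check_bounds(size, eps1=0.5, n=SIDE, d=DEGREE):
    """For every left set S of the given size, compare the worst observed values with
    the Lemma 9 bound and the Theorem 1 expansion factor.
    Returns (max_heavy_count, lemma9_bound, min_expansion_ratio, theorem1_alpha)."""
    graph = bipartite_circulant(n)
    lam = spectral_radius(graph, d, n)
    bound = lemma9_bound(lam, d, n, size / n, eps1)
    alpha = theorem1_alpha(lam, d, size / (2 * n))  # S is a size/(2n) fraction of all vertices
    worst_count, worst_ratio = 0, float("inf")
    for S in combinations(range(n), size):
        worst_count = max(worst_count, len(heavy_right_vertices(graph, S, eps1, d, n)))
        neighbours = {r for i in S for r in graph[i]}
        worst_ratio = min(worst_ratio, len(neighbours) / size)
    return worst_count, bound, worst_ratio, alpha
```

On a graph this small the Lemma 9 bound is loose (for most values of \(\delta\) it exceeds n), so the exhaustive comparison only confirms the inequality rather than showing it tight; the same functions applied to a larger candidate graph are a reasonable sanity check before using it as the communication graph of a protocol that tolerates \(\delta n\) corrupted left parties.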

C Epoch Length

We present a maliciously-secure PSS protocol in Sect. 7 that can only tolerate \(\varTheta (\sqrt{n})\) corruptions per epoch, which may seem low compared to existing PSS protocols (e.g. [HJKY95] and [SLL10]) that can tolerate \(\varTheta (n)\) corruptions per epoch.

What this comparison hides is we are free to choose the length of an epoch by choosing how frequently we run the refresh protocol. Decreasing the length of an epoch will increase the communication cost (per unit time), but should decrease the number of parties an adversary can corrupt in a given epoch.

To see this in play, imagine that instead of allowing the adversary to corrupt \(\delta \cdot n\) parties per epoch (as is standard in the PSS literature), we assumed the adversary had a fixed corruption rate, i.e., the adversary could corrupt one party every t(n) units of time. A traditional PSS protocol (tolerating \(\delta n\) corruptions per epoch), would be secure in this model by setting the epoch length \(T = \delta \cdot n \cdot t(n)\).

But now, consider the communication cost. A traditional PSS protocol, tolerating \(\delta n\) corruptions per epoch, and requiring \(\varTheta (n)\) communication per refresh, would have amortized communication cost of \(\varTheta \left( \frac{1}{t(n)} \right) \) per unit time. By contrast, our protocol, which requires only \(\varTheta \left( \kappa \right) \) communication per epoch, but can “only” tolerate \(\varTheta (\sqrt{n})\) corruptions could set a much lower epoch time, \(T = \varTheta ( t(n) \cdot \sqrt{n} )\), which would make the amortized communication cost of our protocol \(\varTheta \left( \frac{\kappa }{t(n) \sqrt{n} } \right) \) per unit time, which is much lower for sufficiently large n.

Furthermore, this ignores the costs of establishing secure channels in the (normal) case that secure hardware channels do not exist. Authentication between parties requires \(\Omega (\kappa )\) communication (see Sect. 8 for our instantiation). This would increase the amortized communication cost of traditional protocols to \(\varTheta \left( \frac{\kappa }{t(n)} \right) \) per unit time, but the amortized cost of our maliciously-secure PSS protocol would remain \(\varTheta \left( \frac{\kappa }{t(n) \sqrt{n} } \right) \).

What this means is that (for sufficiently large n) we can achieve a lower amortized communication cost per unit time, while achieving the same level of security.

D Proof of Lemma 10

Lemma 10

The function \(f(x) = \frac{4x}{(\frac{1}{2}- x)^2 (x - a)}\), where \(0 < a < \frac{1}{2}\), is minimized over the range \(a < x < \frac{1}{2}\) at \(x = \frac{1}{4} (a + \sqrt{a^2 + 4a})\).

Proof

First, observe that over the range \(a < x < \frac{1}{2}\), f(x) is continuous, differentiable and positive. Therefore, any minimum point of f(x) over \(a < x < \frac{1}{2}\) is also a maximum point of \(g(x) = \frac{4}{f(x)}\) over the same range. So we will now instead find the maximum point(s) of g(x) over this range.

$$g(x) = \frac{ (\frac{1}{2}- x)^2 (x-a) }{x} = \frac{x^3 - ax^2 -x^2 + ax + \frac{1}{4}x - \frac{1}{4}a}{x} = x^2 - (a+1)x + (a + \frac{1}{4}) - \frac{1}{4}\frac{a}{x}$$

Now \(g(a) = 0\), \(g(\frac{1}{2}) = 0\), and g(x) is positive over \(a < x < \frac{1}{2}\), so g(x) is not maximized over \(a < x < \frac{1}{2}\) at the end-points. It must attain its maximum at a point, v, where the first derivative is 0.

$$g'(v) = 2v - (a+1) + \frac{a}{4 v^2} = 0 \Rightarrow 2v^3 - (a+1)v^2 + \frac{a}{4} = 0 \Rightarrow \left(v - \frac{1}{2}\right)\left(2v^2 - av - \frac{a}{2}\right) = 0$$

The solutions are \(v = \frac{1}{2}\) and \(v = \frac{a \pm \sqrt{a^2 + 4a}}{4}\). Only \(v = \frac{a + \sqrt{a^2 + 4a}}{4}\) lies in the range \(a < x < \frac{1}{2}\), so this value maximizes g(x), and hence minimizes f(x), over this range.

Copyright information

© 2023 International Association for Cryptologic Research

About this paper

Cite this paper

Falk, B.H., Noble, D., Rabin, T. (2023). Proactive Secret Sharing with Constant Communication. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14370. Springer, Cham. https://doi.org/10.1007/978-3-031-48618-0_12

  • DOI: https://doi.org/10.1007/978-3-031-48618-0_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-48617-3

  • Online ISBN: 978-3-031-48618-0
