ABSTRACT
The constant-sized polynomial commitment scheme by Kate, Zaverucha, and Goldberg (Asiacrypt 2010), also known as the KZG commitment, is an essential component in designing bandwidth-efficient verifiable secret-sharing (VSS) protocols. We point out, however, that the KZG commitment is missing two important properties that are crucial for VSS protocols.
First, the KZG commitment has not been proven to be degree binding in the standard adversary model without idealized group assumptions. In other words, the committed polynomial is not guaranteed to have the claimed degree, which is supposed to be the reconstruction threshold of VSS. Without this property, shareholders in VSS may end up reconstructing different secrets depending on which shares are used.
Second, the KZG commitment does not support polynomials with different degrees at once with a single setup. If the reconstruction threshold of the underlying VSS protocol changes, the protocol must redo the setup, which involves an expensive multi-party computation known as the powers of tau setup.
In this work, we augment the KZG commitment to address both of these limitations. Our scheme is degree-binding in the standard model under the strong Diffie-Hellman (SDH) assumption. It supports any degree 0 < d ≤ m under a powers-of-tau common reference string with m + 1 group elements generated by a one-time setup.
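The following is an added example, not code from the paper or its authors, illustrating at the field level the failure mode the abstract describes: when nothing binds the dealer's polynomial to the claimed degree t, different groups of t + 1 shareholders interpolate different "secrets". It uses plain Shamir sharing over a prime field (the modulus and all polynomial coefficients are constructed for illustration) and does not implement pairings or the KZG commitment itself; the final check shows what degree consistency means once shares are in the clear, which is exactly what a degree-binding commitment must guarantee without revealing them.

```python
# Added illustration (not from the paper): a dealer who shares with a
# polynomial of degree > t, while the threshold is claimed to be t, makes
# reconstruction depend on which t+1 shares are used.
from itertools import combinations

P = 2**61 - 1  # constructed prime field modulus (assumption, for illustration only)


def poly_eval(coeffs, x):
    """Evaluate phi(x) = coeffs[0] + coeffs[1]*x + ... over GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(coeffs, n):
    """Shamir shares (i, phi(i)) for i = 1..n; the secret is phi(0) = coeffs[0]."""
    return [(i, poly_eval(coeffs, i)) for i in range(1, n + 1)]


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % P
                den = den * (xj - xk) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total


def reconstructions(shares, t):
    """Set of 'secrets' obtained by running reconstruction on every t+1 subset of shares."""
    return {lagrange_eval(list(sub), 0) for sub in combinations(shares, t + 1)}


def degree_consistent(shares, t):
    """Do all shares lie on one polynomial of degree <= t?

    Interpolate from the first t+1 shares and check that every remaining
    share agrees; this is the property a degree-binding commitment must
    enforce without the verifier seeing the shares.
    """
    base = shares[: t + 1]
    return all(lagrange_eval(base, x) == y for (x, y) in shares[t + 1 :])


if __name__ == "__main__":
    t, n = 2, 5
    honest = [42, 7, 13]        # degree 2 == t: every t+1 subset recovers 42
    dishonest = [42, 7, 13, 1]  # degree 3 > t: still only 4 CRS powers needed
    print(reconstructions(share(honest, n), t))      # {42}
    print(len(reconstructions(share(dishonest, n), t)))  # 10 distinct "secrets"
    print(degree_consistent(share(honest, n), t))    # True
    print(degree_consistent(share(dishonest, n), t))  # False
```

The dishonest polynomial has degree 3, so a powers-of-tau string with m + 1 ≥ 4 group elements commits to it just as readily as to the honest degree-2 one; an evaluation proof for any share still verifies. That is the gap the abstract points at: the commitment must also convince verifiers that the committed degree is at most t, otherwise the ten 3-share subsets above reconstruct ten different values.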
- Ittai Abraham, Srinivas Devadas, Danny Dolev, Kartik Nayak, and Ling Ren. 2019. Synchronous Byzantine Agreement with Expected O(1) Rounds, Expected O(n^2) Communication, and Optimal Resilience. In Financial Cryptography and Data Security (FC). Springer, 320--334.
- Ittai Abraham, Philipp Jovanovic, Mary Maller, Sarah Meiklejohn, and Gilad Stern. 2022. Bingo: Adaptively Secure Packed Asynchronous Verifiable Secret Sharing and Asynchronous Distributed Key Generation. IACR Cryptology ePrint Archive, Report 2022/1759 (2022).
- Nicolas Alhaddad, Mayank Varia, and Haibin Zhang. 2021. High-threshold AVSS with optimal communication complexity. In Financial Cryptography and Data Security (FC). Springer, 479--498.
- Soumya Basu, Alin Tomescu, Ittai Abraham, Dahlia Malkhi, Michael K. Reiter, and Emin Gün Sirer. 2019. Efficient verifiable secret sharing with share recovery in BFT protocols. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 2387--2402.
- Zuzana Beerliová-Trubíniová and Martin Hirt. 2008. Perfectly-secure MPC with linear communication complexity. In Theory of Cryptography Conference (TCC). Springer, 213--230.
- Michael Ben-Or, Shafi Goldwasser, and Avi Wigderson. 1988. Completeness theorems for noncryptographic fault-tolerant distributed computations. In Annual ACM Symposium on Theory of Computing (STOC). 1--10.
- Fabrice Benhamouda, Shai Halevi, Hugo Krawczyk, Alex Miao, and Tal Rabin. 2022. Threshold Cryptography as a Service (in the Multiserver and YOSO Models). In ACM SIGSAC Conference on Computer and Communications Security (CCS). 323--336.
- Adithya Bhat, Nibesh Shrestha, Zhongtang Luo, Aniket Kate, and Kartik Nayak. 2021. RandPiper: Reconfiguration-friendly random beacons with quadratic communication. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 3502--3524.
- Dan Boneh and Xavier Boyen. 2008. Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology, Vol. 21, 2 (2008), 149--177.
- Dan Boneh, Ben Lynn, and Hovav Shacham. 2001. Short signatures from the Weil pairing. In Annual International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT). Springer, 514--532.
- Benedikt Bünz, Jonathan Bootle, Dan Boneh, Andrew Poelstra, Pieter Wuille, and Greg Maxwell. 2018. Bulletproofs: Short proofs for confidential transactions and more. In IEEE Symposium on Security and Privacy (S&P). IEEE, 315--334.
- Christian Cachin and Stefano Tessaro. 2005. Asynchronous verifiable information dispersal. In IEEE Symposium on Reliable Distributed Systems (SRDS). IEEE, 191--201.
- Ran Canetti. 2001. Universally composable security: A new paradigm for cryptographic protocols. In Annual Symposium on Foundations of Computer Science (FOCS). IEEE, 136--145.
- Ran Canetti, Asaf Cohen, and Yehuda Lindell. 2015. A simpler variant of universally composable security for standard multiparty computation. In Annual International Cryptology Conference (CRYPTO). Springer, 3--22.
- Benny Chor, Shafi Goldwasser, Silvio Micali, and Baruch Awerbuch. 1985. Verifiable secret sharing and achieving simultaneity in the presence of faults. In Annual Symposium on Foundations of Computer Science (FOCS). IEEE, 383--395.
- Ashish Choudhury. 2020. Optimally-resilient unconditionally-secure asynchronous multi-party computation revisited. IACR Cryptology ePrint Archive, Report 2020/906 (2020).
- Ivan Damgård and Jesper Buus Nielsen. 2007. Scalable and unconditionally secure multiparty computation. In Annual International Cryptology Conference (CRYPTO). Springer, 572--590.
- Sourav Das, Vinith Krishnan, Irene Miriam Isaac, and Ling Ren. 2022a. Spurt: Scalable distributed randomness beacon with transparent setup. In IEEE Symposium on Security and Privacy (S&P). IEEE, 2502--2517.
- Sourav Das, Thomas Yurek, Zhuolun Xiang, Andrew Miller, Lefteris Kokoris-Kogias, and Ling Ren. 2022b. Practical asynchronous distributed key generation. In IEEE Symposium on Security and Privacy (S&P). IEEE, 2518--2534.
- Danny Dolev and H. Raymond Strong. 1983. Authenticated algorithms for Byzantine agreement. SIAM J. Comput., Vol. 12, 4 (1983), 656--666.
- Paul Feldman. 1987. A practical scheme for non-interactive verifiable secret sharing. In Annual Symposium on Foundations of Computer Science (FOCS). IEEE, 427--438.
- Amos Fiat and Adi Shamir. 1987. How to prove yourself: Practical solutions to identification and signature problems. In Annual International Cryptology Conference (CRYPTO). Springer, 186--194.
- Georg Fuchsbauer, Eike Kiltz, and Julian Loss. 2018. The algebraic group model and its applications. In Annual International Cryptology Conference (CRYPTO). Springer, 33--62.
- Rosario Gennaro, Stanisław Jarecki, Hugo Krawczyk, and Tal Rabin. 1999. Secure distributed key generation for discrete-log based cryptosystems. In Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT). Springer, 295--310.
- Martin Hirt and Jesper Buus Nielsen. 2006. Robust multiparty computation with linear communication complexity. In Annual International Cryptology Conference (CRYPTO). Springer, 463--482.
- Bin Hu, Zongyang Zhang, Han Chen, You Zhou, Huazu Jiang, and Jianwei Liu. 2022. DyCAPS: Asynchronous Proactive Secret Sharing for Dynamic Committees. IACR Cryptology ePrint Archive, Report 2022/1169 (2022).
- Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. 2010a. Constant-size commitments to polynomials and their applications. In Annual International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT). Springer, 177--194.
- Aniket Kate, Gregory M. Zaverucha, and Ian Goldberg. 2010b. Polynomial Commitments. (2010). https://cacr.uwaterloo.ca/techreports/2010/cacr2010--10.pdf
- Jonathan Katz and Chiu-Yuen Koo. 2009. On expected constant-round protocols for Byzantine agreement. J. Comput. System Sci., Vol. 75, 2 (2009), 91--112.
- Leslie Lamport, Robert Shostak, and Marshall Pease. 1982. The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems, Vol. 4, 3 (1982), 382--401.
- Donghang Lu, Thomas Yurek, Samarth Kulshreshtha, Rahul Govind, Aniket Kate, and Andrew Miller. 2019. HoneyBadgerMPC and AsynchroMix: Practical asynchronous MPC and its application to anonymous communication. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 887--903.
- Sai Krishna Deepak Maram, Fan Zhang, Lun Wang, Andrew Low, Yupeng Zhang, Ari Juels, and Dawn Song. 2019. CHURP: Dynamic-committee proactive secret sharing. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 2369--2386.
- Achour Mostéfaoui, Hamouma Moumen, and Michel Raynal. 2014. Signature-free asynchronous Byzantine consensus with t < n/3 and O(n^2) messages. In ACM Symposium on Principles of Distributed Computing (PODC). 2--9.
- Arpita Patra, Ashish Choudhury, and C. Pandu Rangan. 2010. Communication efficient perfectly secure VSS and MPC in asynchronous networks with optimal resilience. In International Conference on Cryptology in Africa (AFRICACRYPT). Springer, 184--202.
- Torben Pryds Pedersen. 2001. Non-interactive and information-theoretic secure verifiable secret sharing. In Annual International Cryptology Conference (CRYPTO). Springer, 129--140.
- Michael O. Rabin. 1989. Efficient dispersal of information for security, load balancing, and fault tolerance. Journal of the ACM (JACM), Vol. 36, 2 (1989), 335--348.
- Irving S. Reed and Gustave Solomon. 1960. Polynomial codes over certain finite fields. Journal of the Society for Industrial and Applied Mathematics, Vol. 8, 2 (1960), 300--304.
- Victor Shoup and Nigel P. Smart. 2023. Lightweight Asynchronous Verifiable Secret Sharing with Optimal Resilience. IACR Cryptology ePrint Archive, Report 2023/536 (2023).
- Alin Tomescu, Robert Chen, Yiming Zheng, Ittai Abraham, Benny Pinkas, Guy Golan Gueta, and Srinivas Devadas. 2020. Towards scalable threshold cryptosystems. In IEEE Symposium on Security and Privacy (S&P). IEEE, 877--893.
- Robin Vassantlal, Eduardo Alchieri, Bernardo Ferreira, and Alysson Bessani. 2022. COBRA: Dynamic proactive secret sharing for confidential BFT services. In IEEE Symposium on Security and Privacy (S&P). IEEE, 1335--1353.
- Thomas Yurek, Licheng Luo, Jaiden Fairoze, Aniket Kate, and Andrew Miller. 2022a. hbACSS: How to Robustly Share Many Secrets. In Network and Distributed System Security Symposium (NDSS).
- Thomas Yurek, Zhuolun Xiang, Yu Xia, and Andrew Miller. 2022b. Long live the honey badger: Robust asynchronous DPSS and its applications. IACR Cryptology ePrint Archive, Report 2022/971 (2022).
Index Terms
- On the Security of KZG Commitment for VSS