
Verifiable secret sharing (VSS) is one of the basic problems in the theory of distributed cryptography and plays an important role in secure multiparty computation. A dealer shares a confidential value, the secret, among multiple nodes of a distributed system in the presence of an active adversary that can corrupt some of the nodes, such that the secret can be reconstructed by a sufficiently large set of honest nodes. A dynamic (adaptive) adversary can change the set of nodes it corrupts during the protocol. So far, there has been no formal definition of, and no protocol for, dynamic adversaries in the VSS context. Another important open question is whether a secret can be shared against a static adversary using at most one broadcast round. In this paper, we provide a formal definition of the dynamic adversary. We show that the change period of the dynamic adversary cannot be shorter than 4 rounds if a perfectly secure VSS is to exist, and then we establish a protocol that deals with this type of adversary. Simulation results demonstrate the efficiency of the proposed protocol in terms of runtime, memory usage, and number of message exchanges. Finally, we prove that the lower bound of broadcast complexity for the static adversary is (2,0)-broadcast rounds.

In the family of distributed cryptography problems, secret sharing is a fundamental problem in which a “dealer”

Verifiable secret sharing (VSS) is an extended version of secret sharing in which an active, external corrupting mechanism is present in the system [

For solving the VSS problem, the system is assumed to have two independent kinds of message-passing channels. The first is a set of authenticated, private channels connecting the players pairwise; these channels form a point-to-point network. In addition, there is a common broadcast channel to which all players have access. The broadcast channel allows a player to send a message to all other players consistently, even if the sender is corrupted by the adversary [

VSS protocols run in two phases. The first phase, in which the dealer shares the secret and each player receives a share, is called

VSS has played an important role in Data Privacy Science for the last two decades [

Secret sharing is formally defined in [

Next, in 1989, Rabin and Ben-Or in [

Gennaro et al. in [

Round complexities for secure VSS and WSS protocols with an active adversary.

| Protocol | Threshold | Number of rounds |
|---|---|---|
| WSS | | 3 |
| WSS | | 1 |
| VSS | | 3 |
| VSS | | 2 |
| VSS | | 1 |

Recent studies have focused on reducing the number of rounds that use the broadcast channel. This measure leads to the term “broadcast complexity,” which was introduced by Garay et al. in [

There are also other important algorithms with a constant broadcast complexity for

Whether there is a (1,0)-broadcast and constant round protocol for the system with

Recent efforts have focused on a particular variant of the VSS problem known as publicly verifiable secret sharing (PVSS). This form of VSS allows any third-party evaluator (outside

In comparison with the abovementioned research, which worked on different forms of the VSS problem and considered a static adversary, the main focus of our work is a VSS protocol for adaptive adversaries that imposes only a very low processing requirement on the players.

Among the newest results, which focus strongly on cloud environments, we refer the reader to a survey written by Attasena et al. in 2017 [

In this paper, we delve into some open problems in VSS that are most closely related to broadcast complexity and adaptive adversaries. Our motivation comes from an open question about regimes with

In order to address the above challenges, we first propose a new formal definition of an adaptive adversary based on the abilities of such an adversary. This definition lets us demonstrate the main ability of an adaptive adversary compared with a static one: the capability of corrupting a different set of players during the rounds of the algorithm. Unlike the static adversary, which selects the nodes it corrupts before the algorithm starts and cannot change the corruption set, an adaptive adversary may change its set of nodes after a particular number of rounds, termed the “change period.” After arranging a proper formal definition, we prove a lower bound on the change-period parameter.

Further, given the above formal definition, we propose the first optimal protocol that deals with the adaptive adversary. In fact, we design a two-round subprotocol with one broadcast round that can be added to any of the previous static-adversary protocols. More specifically, we add this subprotocol to the Garay (2,0)-broadcast protocol that works for

Finally, we prove a fundamental lower bound on the number of broadcast rounds that every protocol in the presence of a static adversary needs in order to satisfy the VSS requirements. More precisely, we show that, against a static adversary, every VSS protocol must use the broadcast channel in at least two rounds.

In this section, we describe all the definitions and preliminaries needed in the rest of the paper.

We assume a distributed message-passing synchronous system, consisting of a set of

The algorithm proceeds in rounds, each a period of time in which the players send and receive a batch of messages. In each round, as prescribed by the algorithm, players send the appropriate data to each other over the channels mentioned above. When a round ends, each player performs its local computation on the received data and prepares the packets to be sent in the next round.

For example, in an electronic voting system each voter is a player, and each player is connected to all the others pairwise by fiber lines. In addition, there is a common microwave bus used by all players. To collect the votes, players send and receive authentication data in sequential rounds.

As mentioned earlier, the properties of the adversary play an essential role in VSS protocols. An adversary can take control of any player and turn it into a corrupted player, which we call dishonest. We consider a centralized adversary

Our common assumption about the adversary throughout this paper is that it is

In all sections except Section

Although there are several definitions of VSS [

VSS-Share: initially, the dealer holds the secret

VSS-Reconstruct: at first, each player

After the above two phases, the following three requirements of the VSS problem have to be satisfied by a correct protocol [

PRIVACY: if

CORRECTNESS: if

COMMITMENT: with high probability, at the end of the sharing phase, there must exist a unique value
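The two phases and the three requirements above can be seen concretely in plain Shamir secret sharing over a prime field. The following Python is an added example written for this page; it is not the paper's protocol and not the authors' Swift simulation. The field modulus, the player count, the threshold and the tampering pattern are my own choices. Reconstruction that tolerates wrong shares relies on the fact that two distinct degree-t polynomials agree on at most t points, so with n ≥ 3t+1 the honest shares determine a unique committed value; the brute-force search over (t+1)-subsets is only for illustration at small n.

```python
"""Shamir secret sharing over a prime field, used here to illustrate the
VSS-Share / VSS-Reconstruct phases and the PRIVACY, CORRECTNESS and
COMMITMENT requirements. Added example; not the paper's protocol."""
import random
from itertools import combinations

P = 2**61 - 1  # field modulus (assumption: any prime larger than the secret works)


def _inv(a):
    """Multiplicative inverse mod P (P is prime, so Fermat applies)."""
    return pow(a % P, P - 2, P)


def share(secret, n, t, rng=random):
    """VSS-Share (honest dealer): choose a random degree-t polynomial f with
    f(0) = secret and give player i (1 <= i <= n) the share (i, f(i))."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def interpolate_at(points, x0=0):
    """Lagrange interpolation: value at x0 of the unique polynomial of degree
    < len(points) passing through the given (x, y) points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x0 - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * _inv(den)) % P
    return total


def reconstruct(shares, t):
    """VSS-Reconstruct with all-honest shares: any t+1 of them determine f(0)."""
    return interpolate_at(shares[: t + 1])


def find_committed_polynomial(shares, t):
    """Look for a degree-t polynomial that agrees with at least n-t of the n
    shares. Returns (t+1 defining points, ids of disagreeing players), or None
    if the shares are not consistent with any such polynomial, i.e. the dealer
    itself handed out inconsistent shares. Brute force over (t+1)-subsets."""
    for subset in combinations(shares, t + 1):
        subset = list(subset)
        bad = {x for (x, y) in shares if interpolate_at(subset, x) != y}
        if len(bad) <= t:
            return subset, bad
    return None


def robust_reconstruct(shares, t):
    """VSS-Reconstruct tolerating up to t wrong shares from corrupted players.
    Two distinct degree-t polynomials agree on at most t points, so when
    n - t >= 2t + 1 (n >= 3t + 1) the polynomial found is the dealer's: the
    honest shares define a unique committed value (COMMITMENT/CORRECTNESS)."""
    if len(shares) < 3 * t + 1:
        raise ValueError("uniqueness of the committed value needs n >= 3t + 1")
    found = find_committed_polynomial(shares, t)
    if found is None:
        raise ValueError("no degree-t polynomial fits n-t shares: corrupt dealer")
    defining, bad = found
    return interpolate_at(defining), bad


def complete_sharing(shares_t, secret, n):
    """PRIVACY illustration: t shares say nothing about f(0). Given any t shares,
    build a full sharing of an arbitrary *other* secret that agrees with them,
    so an adversary holding t shares cannot tell which secret was shared."""
    pts = [(0, secret % P)] + list(shares_t)
    return [(i, interpolate_at(pts, i)) for i in range(1, n + 1)]


if __name__ == "__main__":
    rng = random.Random(7)           # constructed demo parameters
    n, t, s = 7, 2, 123456789
    sh = share(s, n, t, rng)
    print("honest reconstruction:", reconstruct(sh, t) == s)
    tampered = [(x, (y + 1) % P) if x in (3, 6) else (x, y) for (x, y) in sh]
    print("robust reconstruction with 2 bad shares:", robust_reconstruct(tampered, t))
    alt = complete_sharing(sh[:t], 42, n)
    print("t shares consistent with another secret:", alt[:t] == sh[:t])
```

The `robust_reconstruct` path shows why the threshold matters: with n = 7 and t = 2, any wrong degree-2 polynomial disagrees with at least three honest shares, so it is rejected, while a dealer who distributes shares that lie on no degree-2 polynomial is caught because no (t+1)-subset explains n - t of the shares.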

With the formal definition of the VSS problem, we can go through our contributions to this problem.

In this section, we propose a formal definition of an adaptive adversary for VSS problems. This definition lets us formulate the abilities of an adaptive adversary in order to design a suitable protocol and to formally prove the correctness, privacy, and commitment requirements of VSS. To the best of our knowledge, there is no formal specification of the characteristics of adaptive adversaries; what is known comes from the properties of such adversaries in multiparty computation, the most important application of VSS [

We should keep in mind that an active adversary (static or adaptive) does not reveal its plan for corrupting players, or even which player it intends to corrupt. To specify adaptive adversaries, however, we consider the set of players that an adversary can potentially corrupt over the whole protocol, named

(adaptive adversary). An adaptive adversary

Also,

In the above definition, adversary structure

In Definition

The adversary structures could have different properties, but, in the following, we define the

(

This circumstance brings the static

In this section, we gave a formal definition of an adaptive adversary. Defining it in this way enables us to design a protocol with respect to the adversary's behavior, which an informal definition cannot.

It is important to know how much damage an adaptive adversary can do to VSS protocols. In other words, an adaptive adversary that changes its corruption set too fast cannot be countered at all, so we need to find the rate of change at which such an adversary can still be handled. This section establishes a lower bound on the change period: below it, no perfectly secure protocol solves the VSS problem.

There is no perfectly secure VSS protocol in the presence of a rushing, computationally unbounded, and adaptive

Consider that there is an Algorithm

Private channel

(a)

Broadcast

(a)

(b)

(c) D sends

(d)

(e) [Internal computations:]

(f)

In

(a) Each player holds the set

In Theorem

For example, consider that our adaptive adversary is able to keep the only

Unlike the privacy requirement, the correctness of the algorithm is still in danger, since corrupted players may send incorrect data packets to other players. Therefore, we suggest a very efficient subprotocol that replaces ordinary message sending over private channels. This subprotocol can be used inside other static-adversary protocols and turns them into protocols suitable for memory-bounded adaptive adversaries. It should be invoked inside a static-adversary protocol wherever players send data to each other over private channels. We named this subprotocol

Model: we consider a system with an adaptive rushing but computationally bounded (only in memory) adversary that can corrupt

The

Using

(Privacy) Because adversary can hold at most

(Correctness) First, consider that

(Commitment) First, we assume that

On the other hand, if

As we can see, this subprotocol can detect all errors of the dealer or of other players, even against an adaptive adversary. In the worst case, the change period is one round and the change in the forbidden set happens between the first and second rounds of

If the sender becomes corrupted after the first round (that is, before the second), the receiver rejects the sender whenever the sender's second-round messages are not correct.

If the dealer is corrupted between the two rounds and sends incorrect information to more than

In this section, we present a performance analysis of the

A number of players in a secret sharing system plan to share a secret in the model described in

The player network simulation was performed using the Swift 5.1 programming language. The program source code is accessible at

As mentioned earlier, the

Growth of message transmission with and without the SendWithCheck() subprotocol.

Replacing simple message exchange with a subprotocol like

Growth of runtime with and without the SendWithCheck() subprotocol.

In the last experiment, we investigate the effect of adding our subprotocol on the amount of memory required to run the original sharing phase. The ability to run the

Growth of memory consumption with and without the SendWithCheck() subprotocol.

As we mentioned in Section

The proof is based on three lemmas. First of all, we prove these lemmas that are used in the proof of broadcast complexity lower bound. Assume that there is Algorithm

For achieving the commitment requirement, Algorithm

We call the first information set “Secret Retrieving” and the second “Dealer Examination.” The Secret Retrieving set consists of the shares distributed by the dealer to each player and must guarantee the existence of a fixed value on which the players are committed. According to the formal definition of VSS, the secret is shared by the dealer

In order to achieve the commitment requirement, the dealer must send the Secret Retrieving information to the players. Suppose that the Dealer Examination set could be merged into the Secret Retrieving information set. If the dealer were corrupted by the adversary, the Secret Retrieving information could then be manipulated so that, in the reconstruction phase, players receive apparently correct information and commit to a value

To achieve the commitment requirement with the agreement, Algorithm

In Lemma

To achieve the correctness, Algorithm

Suppose that the Dealer Examination set is delivered to players over the private point-to-point channels only, without using broadcast. If

The lower bound of broadcast complexity in the VSS problem with rushing, computationally unbounded, and static

The first principle is that every VSS protocol needs at least one use of the broadcast channel. We show that a single broadcast round is insufficient to satisfy the requirements of the VSS problem. Clearly, the distribution of the Dealer Examination information occurs after some Secret Retrieving information has been distributed (before the dealer has distributed any Secret Retrieving information, an examination makes no sense). Also, according to Lemma

In this paper, we delved into some open questions about broadcast complexity and adaptive adversaries in the VSS problem. We proposed a formal definition of adaptive adversaries, which helps to characterize the circumstances of such an adversary, and we proved a lower bound on one of the parameters of this definition. We also proposed an efficient two-round (one broadcast) subprotocol that can be added to protocols designed for static adversaries and turns them into perfectly secure VSS protocols against adaptive memory-bounded adversaries, and we provided a performance analysis of this subprotocol. Finally, we proved an important lower bound on the broadcast complexity of VSS in the presence of a static adversary.

There is still work to do in the field of VSS. The most important open direction is the concept of adaptive adversaries, which calls for more optimized protocols for this type of adversary. Indeed, the finite-state form of the adaptive adversary definition offers good potential for applying concepts from automata theory to protocols against adaptive adversaries. It would also be worthwhile to decrease the number of rounds in the reconstruction phase of the Garay (2,0)-broadcast protocol to a number smaller than 20.

The data consist of the Swift 5.1 source code written for the simulation of the proposed approach. The data used to support the findings of this study (the environment configuration of the simulation) are included within the article. The program source code is accessible at

The authors declare that they have no conflicts of interest regarding the publication of this article.