
    MPSS

    Thesis (S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2007. MIT Barker Engineering Library copy: issued in leaves. Includes bibliographical references (p. 153-157).
    This thesis describes mobile proactive secret sharing (MPSS), an extension of proactive secret sharing. Mobile proactive secret sharing is much more flexible than proactive secret sharing in terms of group membership: instead of the group of shareholders being exactly the same from one epoch to the next, we allow the group to change arbitrarily. In addition, we allow for an increase or decrease of the threshold at each epoch. We give the first known efficient protocol for MPSS in the asynchronous network model. We present this protocol as a practical solution to the problem of long-term protection of a secret in a realistic network. By David Andrew Schultz. S.M.

    A Novel Adaptive Proactive Secret Sharing without a Trusted Party

    A (t+1, n) proactive secret sharing scheme protects a secret in a long-lived system by distributing it to a group of n participants and refreshing their shares periodically within this fixed group, while any t+1 or more shares can reconstruct the secret. In some environments, it is necessary to change not only the number of participants n but also the threshold value t. An adaptive proactive secret sharing scheme refreshes the shares as t and n change. In this paper, we propose a novel adaptive proactive secret sharing scheme without a trusted party. Our proposed scheme is uniformly efficient and tolerates t Byzantine faults in any single time interval, where the number of participants n ≥ 3t+1. The threshold value t and the number of participants n can be changed arbitrarily between two adjacent intervals. We also prove that our proposed scheme is secure under the discrete logarithm intractability assumption.

    Distributed Key Generation for the Internet

    Although distributed key generation (DKG) has been studied for some time, it has never been examined outside of the synchronous setting. We present the first realistic DKG architecture for use over the Internet. We propose a practical system model and define an efficient verifiable secret sharing scheme in it. We observe the necessity of Byzantine agreement for asynchronous DKG and analyze the difficulty of using a randomized protocol for it. Using our verifiable secret sharing scheme and a leader-based agreement protocol, we then design a DKG protocol for public-key cryptography. Finally, along with traditional proactive security, we also introduce group modification primitives in our system.

    CHURP: Dynamic-Committee Proactive Secret Sharing

    We introduce CHURP (CHUrn-Robust Proactive secret sharing). CHURP enables secure secret-sharing in dynamic settings, where the committee of nodes storing a secret changes over time. Designed for blockchains, CHURP has lower communication complexity than previous schemes: O(n) on-chain and O(n^2) off-chain in the optimistic case of no node failures. CHURP includes several technical innovations: an efficient new proactivization scheme of independent interest, a technique (using asymmetric bivariate polynomials) for efficiently changing secret-sharing thresholds, and a hedge against setup failures in an efficient polynomial commitment scheme. We also introduce a general new technique for inexpensive off-chain communication across the peer-to-peer networks of permissionless blockchains. We formally prove the security of CHURP, report on an implementation, and present performance measurements.

    Improved Threshold Signatures, Proactive Secret Sharing, and Input Certification from LSS Isomorphisms

    In this paper we present a series of applications stemming from a formal treatment of linear secret-sharing isomorphisms, which are linear transformations between different secret-sharing schemes defined over vector spaces over a field F and allow for efficient multiparty conversion from one secret-sharing scheme to the other. This concept generalizes the folklore idea that moving from a secret-sharing scheme over F_p to a secret sharing "in the exponent" can be done non-interactively by multiplying the share onto a generator of, e.g., an elliptic curve group. We generalize this idea and show that it can also be used to compute arbitrary bilinear maps and in particular pairings over elliptic curves. We include the following practical applications originating from our framework: First we show how to securely realize the Pointcheval-Sanders signature scheme (CT-RSA 2016) in MPC. Second we present a construction for dynamic proactive secret-sharing which outperforms the current state of the art from CCS 2019. Third we present a construction for MPC input certification using digital signatures that we show experimentally to outperform the previous best solution in this area.

    Storing and Retrieving Secrets on a Blockchain

    Multiple protocols implementing exciting cryptographic functionalities using blockchains such as time-lock encryption, one-time programs and fair multi-party computation assume the existence of a cryptographic primitive called extractable witness encryption. Unfortunately, there are no known efficient constructions (or even constructions based on any well studied assumptions) of extractable witness encryption. In this work, we propose a protocol that uses a blockchain itself to provide a functionality that is effectively the same as extractable witness encryption. By making small adjustments to the blockchain code, it is possible to easily implement applications that rely on extractable witness encryption and existed only as theoretical designs until now. There is also potential for new applications. As a key building block, our protocol uses a new and highly efficient batched dynamic proactive secret sharing scheme which may be of independent interest. We provide a proof-of-concept implementation of the extractable witness encryption construction and the underlying dynamic proactive secret sharing protocol.

    Communication-Efficient (Proactive) Secure Computation for Dynamic General Adversary Structures and Dynamic Groups

    In modern distributed systems, an adversary's limitations when corrupting subsets of servers may not necessarily be based on threshold constraints, but rather on other technical or organizational characteristics of the systems. This means that the corruption patterns (and thus protection guarantees) are not based on the adversary being limited by a threshold, but on the adversary being limited by other constraints, in particular by what is known as a General Adversary Structure (GAS). We consider efficient secure multiparty computation (MPC) under such dynamically-changing GAS settings. During these changes, one desires protection both against and during the change of corruption profile, and such a change renders some (secret sharing-based) encoding schemes underlying the MPC protocol more efficient than others when operating with the (currently) considered GAS. One of our contributions is a set of novel protocols to efficiently and securely convert back and forth between different MPC schemes for GAS; this process is often called share conversion. Specifically, we consider two MPC schemes, one based on additive secret sharing and the other based on Monotone Span Programs (MSP). The ability to efficiently convert between the secret sharing representations of these MPC schemes enables us to construct the first communication-efficient structure-adaptive proactive MPC protocol for dynamic GAS settings. By structure-adaptive, we mean that the MPC protocol to execute in future rounds after the GAS is changed (as specified by an administrative entity) is chosen to ensure communication efficiency (the typical bottleneck in MPC). Furthermore, since such secure collaborative computing may be long-lived, we consider the mobile adversary setting, often called the proactive security setting. As our second contribution, we construct communication-efficient MPC protocols that can adapt to the proactive security setting. Proactive security assumes that in each (well defined) period of time the adversary corrupts different parties and over time may visit the entire system and corrupt all parties, provided that in each period it controls groups obeying the GAS constraints. In our protocol, the shares can be refreshed, meaning that parties receive new shares reconstructing the same secret, and some parties who lost their shares because of a reboot/reset can recover their shares. As our third contribution, we consider another aspect of global long-term computations, namely, that of dynamic groups. It is worth pointing out that such a setting with dynamic groups and GAS was not dealt with in the existing literature on (proactive) MPC. In dynamic group settings, parties can be added to and eliminated from the computation, under different GAS restrictions. We extend our protocols to these additional dynamic group settings defined by different GAS.

    Communication-Efficient Proactive Secret Sharing for Dynamic Groups with Dishonest Majorities

    In standard Secret Sharing (SS), a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any t+1 parties can efficiently recover s. Proactive Secret Sharing (PSS) retains confidentiality of s even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold t in each epoch (called a refresh period). Withstanding such adversaries has become of increasing importance with the emergence of settings where private keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of single-secret PSS for static groups with dishonest majorities was demonstrated, but with a protocol that requires inefficient communication of O(n^4). In this work, we improve over prior work in three directions: batching without incurring a linear loss in corruption threshold, communication efficiency, and handling dynamic groups. While each of the properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. Some PSS protocols can handle batching of ℓ ~ n secrets, but all of them are for the honest majority setting. Techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in ℓ, effectively limiting the number of elements that can be batched with a dishonest majority. We solve this problem by reducing the threshold decrease to √ℓ instead, allowing us to deal with the dishonest majority setting when ℓ ~ n. This is accomplished based on new bivariate-polynomial-based techniques for sharing, refreshing and recovering shares, which allow batching of up to n−2 secrets in our PSS. To tackle the efficiency bottleneck, the constructed PSS protocol requires only O(n^3/ℓ) communication for ℓ secrets, i.e., an amortized communication complexity of O(n^2) when the maximum batch size is used. To handle dynamic groups we develop three new sub-protocols to deal with parties joining and leaving the group.