
Information Processing Letters 112 (2012) 856–859


Verifiable secret sharing in a total of three rounds

Shashank Agrawal

Department of Computer Science, University of Illinois at Urbana–Champaign, United States

Article history: Received 25 March 2012; Received in revised form 23 July 2012; Accepted 7 August 2012; Available online 9 August 2012. Communicated by D. Pointcheval.

Keywords: Cryptography; Unconditional security; Secret sharing; Byzantine adversary; Round optimality

Abstract

Verifiable secret sharing (VSS) is an important building block in the design of secure multi-party protocols, when some of the parties are under the control of a malicious adversary. Hence, its round complexity has been the subject of intense study. The best known unconditionally secure protocol takes 3 rounds in the sharing phase, which is known to be optimal, and 1 round in reconstruction. Recently, by introducing a negligible probability of error in the definition of VSS, Patra et al. [CRYPTO 2009] have designed a novel protocol which takes only 2 rounds in the sharing phase. However, the drawback of their protocol is that it takes 2 rounds in reconstruction as well. Hence, the total number of rounds required for VSS remains the same. In this paper, we present a VSS protocol which takes a total of 3 rounds only—2 rounds in sharing and 1 round in reconstruction.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

Secret sharing is one of the most important and widely studied primitives in cryptography. It allows a dealer to distribute shares of a secret among a set of players such that unless a certain number of players come together, the secret cannot be reconstructed [1]. A secret sharing protocol can be viewed as consisting of two phases: the sharing phase where the dealer shares the secret among the players, and the reconstruction phase where players collaborate to reconstruct the secret. We would like the sharing phase to be secure—even if a (bounded) number of players collaborate, the secret remains unknown. More precisely, we imagine that there is an adversary who controls a subset of players, and is trying to extract the secret from the messages received by players under its control. Our goal is to guard against this adversary without making the secret sharing protocol overly complex.

When the adversary is also capable of modifying the behavior of players under its control (a malicious or Byzantine adversary), a new issue arises: corrupt players may present incorrect shares in the reconstruction phase which can lead to the construction of a wrong secret. Even the dealer cannot be trusted any more: it may distribute shares which do not define a unique secret, so that when players try to recover the secret later, they fail to agree upon a specific value. Hence, we would like to design a scheme wherein the players can verify the shares distributed by the dealer for consistency. This leads us to the notion of verifiable secret sharing (VSS). It is easy to see that VSS is a generalization of an important distributed computing problem—the Byzantine Generals problem [2].

E-mail address: [email protected].

0020-0190/$ – see front matter © 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.ipl.2012.08.003

Introduced in [3], VSS has been used as a building block in the design of general secure multi-party protocols [4–7]. Starting with the work of Ben-Or et al. [5], VSS has been studied for malicious adversaries who have unbounded computing power. Since unproven hardness of certain problems cannot be used against this adversary, the security provided is unconditional. For this stronger adversary, it is known that an error-free solution to the Byzantine Generals problem exists in a network, where point-to-point secure channels are available for communication, if and only if the number of corrupt players $t$ is less than one-third of the total number of players $n$ [2]. Moreover, any solution must involve at least $t + 1$ rounds of communication [8]. Therefore, if only point-to-point secure channels are available, one cannot hope to design a constant-round VSS protocol. Hence, to better understand the round complexity of VSS, the network is assumed to have a broadcast channel (in addition to point-to-point channels).

The round complexity of unconditionally secure VSS was first formally studied by Gennaro et al. [9]. They prove that any error-free VSS protocol for $t < n/3$ must take 3 rounds in the sharing phase. They provide a protocol which matches this lower bound, but is not efficient. Subsequently, Fitzi et al. give an efficient protocol [10]. Their approach was to first design a protocol for a weakened notion of VSS, called weak secret sharing (WSS), and then use it as a sub-protocol to obtain a protocol for VSS. In [11], Katz et al. propose an improved protocol which minimizes the use of the broadcast channel. In their protocol, the broadcast channel is used only once in the sharing phase and not at all in the reconstruction phase, and one cannot hope to do better than this.

Recently, Patra et al. [12] proposed a novel VSS protocol which takes only two rounds in the sharing phase. They were able to break the lower bound of 3 rounds by introducing a negligible probability of error in the definition of VSS. This variant of VSS has been studied before for an adversary who could corrupt up to half of the players ($t < n/2$) [7]. Since it is possible to achieve error-free VSS when $t < n/3$, the negligible error variant for this case did not receive any attention.

There is one problem with the protocol of Patra et al. though: it takes 2 rounds in the reconstruction phase. Although Gennaro et al. defined the round complexity of VSS as the number of rounds in the sharing phase, they did so because it was clear that reconstruction can easily be accomplished in a single round—for example, by letting each player reveal all the information in its possession [9]. However, the design of Patra et al.'s protocol seems to require 2 rounds in reconstruction to ensure that all requirements of VSS are met. Therefore, when the number of rounds in the sharing and reconstruction phases are taken together, Patra et al.'s protocol does no better than the most round-efficient protocols known. This naturally brings us to an interesting question: does there exist a VSS protocol which takes only 3 rounds overall?

In this paper we give a positive answer to this question. We provide the first VSS protocol for $t < n/3$ which takes only 3 rounds in its entirety. This settles the open question raised by Patra et al. [12], and later by Katz et al. [11].

2. Modeling and definitions

Network model: We consider a network of $n$ players $P = \{P_1, P_2, \ldots, P_n\}$. Every pair of players has a secure channel between them which allows private, reliable and authenticated communication (point-to-point secure channels [5]). Additionally, players have access to a broadcast channel: when a player puts a message $m$ on this channel, all the players receive $m$.

We assume that the network is synchronous. Any protocol in such a network runs in a sequence of rounds. In each round, a party performs local computation, sends messages to other parties via point-to-point channels and the broadcast channel, and receives the messages sent by other parties in this round on those channels [12], in that order. (The protocol proposed here uses only one kind of channel in each round.)

Corruption model: We model corruption in the network by a computationally unbounded Byzantine adversary. This adversary can corrupt at most $t < n/3$ parties in the network. It co-ordinates the behavior of the corrupted parties to breach the security of protocols being run in the network. Since the adversary is computationally unbounded, any protocol designed to withstand this adversary cannot make use of complexity-theoretic assumptions (which are very popular in modern cryptography).

The adversary is rushing: it can wait to receive the messages sent to the corrupted parties in a certain round, before sending messages for that round. We would like to point out here that if the adversary is not rushing, the 2 rounds of reconstruction in Patra et al.'s protocol can be collapsed into one. Indeed, the main contribution of this paper is in designing a protocol that can tolerate a rushing adversary, and yet take only 1 round in reconstruction.

Verifiable secret sharing: Before proceeding further, we formally define verifiable secret sharing (VSS). A dealer $D \in P$ wishes to share a secret $s \in \mathbb{F}$ among the players $P$. A protocol run by players $P$ consisting of two phases, sharing and reconstruction, is a VSS protocol if it satisfies the following requirements:

• Privacy: If $D$ is honest, the view of the adversary should not reveal any information about $s$ during the sharing phase.

• Correctness: If $D$ is honest, every honest player outputs $s$ at the end of the reconstruction phase.

• Strong commitment: There exists a value $s' \in \mathbb{F} \cup \{\perp\}$ such that the honest players hold the shares of this value at the end of the sharing phase, and they output $s'$ at the end of the reconstruction phase.

The above definition has been borrowed from Patra et al. [12]. Note that $\perp$ denotes a value not belonging to the field $\mathbb{F}$; at the end of the sharing phase, commitment to $\perp$ is allowed. This means that a corrupt dealer is allowed to get away with distributing inconsistent shares as long as every honest player outputs $\perp$ when the protocol ends.

In the case of weak secret sharing (WSS), while the privacy and correctness requirements remain unchanged, the commitment condition is relaxed as follows:

• Weak commitment: There exists a value $s' \in \mathbb{F} \cup \{\perp\}$ such that the honest players hold the shares of this value at the end of the sharing phase, and they output $s'$ or $\perp$ at the end of the reconstruction phase.

Let $\kappa$ be the security parameter. We assume that the size of the field $\mathbb{F}$ from which the secret is chosen, and in which all computations take place, is exponential in $\kappa$. We also assume that $n = \mathrm{poly}(\kappa)$. As we know, to have a sharing phase of just 2 rounds, some probability of error must be allowed. The protocol presented in this paper has a negligible error probability in $\kappa$. Like the protocols in [12], our protocol provides perfect privacy, and errs only in the correctness and commitment requirements.

From WSS to VSS: In the reconstruction phase of Patra et al.'s VSS protocol, first the reconstruction phases of $n$ instances of a WSS protocol are run together, and then each party does some local computation to compute the secret. Since the reconstruction phase of their WSS protocol takes two rounds, so does the corresponding phase of VSS. Hence, to reduce the round complexity of VSS, we construct a WSS protocol which takes only one round in reconstruction. When our WSS protocol is used as a subroutine in their VSS protocol, the latter takes only 3 rounds overall. The trade-off is that the communication complexity of our WSS protocol is higher by a factor of $n$.

3. WSS protocol

Before presenting our protocol, we briefly describe why Patra et al.'s protocol requires two rounds in reconstruction, and how by making certain changes in their protocol, we can collapse the two rounds into one.

In the sharing phase of the WSS protocol of [12], a player $P_j$ receives a polynomial $f_j(x)$ from the dealer $D$, which represents its share of the secret, and another player $P_k$ receives a set of random points $S_{k,j}$ on $f_j(x)$. During the reconstruction phase, the random points are used to verify whether the polynomials declared by players are indeed the ones which were given to them by $D$. Suppose $P_j$ is corrupt, and claims that it received $f'_j(x)$ from $D$. Now, a player $P_i$ accepts $P_j$'s claim if a sufficient number of players agree with $P_j$. For example, $P_k$ agrees with $P_j$ if $f'_j(x)$ is consistent with the random points $S_{k,j}$ declared by $P_k$.

Note that it is crucial that $P_j$ declares its polynomial first, and then $P_k$ declares its random points on this polynomial. If both the steps are executed in the same round, a rushing adversary would wait till it receives the random points, and then declare an incorrect polynomial $f'_j(x) \neq f_j(x)$ which is consistent with all the points. This would fool $P_i$ into believing that $P_k$ agrees with $P_j$.

Our protocol closely follows the design of Patra et al.'s protocol. As usual, the dealer would give a polynomial $f_j(x)$ to $P_j$, and random points on $f_j(x)$ to $P_k$. However, instead of receiving a single set of random points, $P_k$ will receive a separate set of random points for every other player. In particular, $P_k$ will receive a set of random points $S_{k,j,i}$ on $f_j(x)$ corresponding to the player $P_i$. Now, in the reconstruction phase, $P_i$ would receive $S_{k,j,i}$ from $P_k$ and $f'_j(x)$ from $P_j$ in the same round. Since $S_{k,j,i}$ is revealed only to $P_i$, $P_j$ would not be able to fool $P_i$ into believing that $P_k$ agrees with $P_j$ with an $f'_j(x) \neq f_j(x)$.

We now present the 2-round sharing and 1-round reconstruction protocol for WSS when $n > 3t$. Our protocol uses the broadcast channel only in the second round of sharing.

Sharing:

• Local computation by $D$: The dealer $D$ chooses the following:

– A random bi-variate polynomial $F(x, y)$ with $F(0,0) = s$ such that the degree of the polynomial in variable $y$ is $t$ and in variable $x$ is $n^2\kappa + 1$.

– $n$ random polynomials $r_i(x)$, $1 \le i \le n$, each of degree $n^2\kappa + 1$.

– $\kappa n$ random non-zero field elements for each player $P_i$, denoted by $a_{i,k,z}$, where $1 \le k \le n$ and $1 \le z \le \kappa$.

• Round 1: $D$ privately sends to player $P_i$ the following:

– The univariate polynomial $f_i(x) = F(x, i)$, and the polynomial $r_i(x)$. ($f_i(0)$ is $P_i$'s share of the secret $s$.)

– For all $1 \le j \le n$ and for all $1 \le k \le n$ the sets $S_{i,j,k} = \{\langle a_{i,k,z}, f_j(a_{i,k,z}), r_j(a_{i,k,z}) \rangle \mid 1 \le z \le \kappa\}$.

• Round 2: Player $P_i$ broadcasts the following:

– A random non-zero element $c_i \in \mathbb{F}$ and the polynomial $g_i(x) = f_i(x) + c_i r_i(x)$.

– $\kappa/2$ tuples from each $S_{i,j,k}$, chosen at random. Let $S'_{i,j,k}$ denote the subset of broadcasted tuples from $S_{i,j,k}$, $1 \le j, k \le n$.

• Local computation by player $P_i$: Initialize a set SHARE of players to $\emptyset$. A player $P_k$ agrees with a player $P_j$ if for all $1 \le u \le n$ and for all $\langle \alpha, \beta, \gamma \rangle \in S'_{k,j,u}$,

$$g_j(\alpha) = \beta + c_j \gamma. \qquad (1)$$

Add player $P_j$ to SHARE if at least $n - t$ players agree with it. Note that, since this local computation depends only on the values broadcasted in Round 2, the set SHARE constructed by individual honest players is the same. If $|\mathrm{SHARE}| < n - t$, the dealer is disqualified and the shares of a public default value (say 0) are output.

Reconstruction:

• Round 1: A player $P_i$ sends to player $P_l$ the following:

– The sets $S_{i,w,l} \setminus S'_{i,w,l}$ where $1 \le w \le n$.

– If $P_i \in \mathrm{SHARE}$, then the polynomial $f_i(x)$.

• Local computation by player $P_i$:

– Initialize a set $\mathrm{RECON}_i$ of players to $\emptyset$. A player $P_k$ agrees with a player $P_j \in \mathrm{SHARE}$ if there exists $\langle \alpha, \beta, \gamma \rangle \in S_{k,j,i} \setminus S'_{k,j,i}$ such that

$$f_j(\alpha) = \beta. \qquad (2)$$

Add a player to $\mathrm{RECON}_i$ if at least $n - 2t$ players agree with it.

– Interpolate the set of points $\{(j, f_j(0)) \mid P_j \in \mathrm{RECON}_i\}$. If a unique $t$-degree polynomial is reconstructed, output its constant term; otherwise, output $\perp$.
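The sharing and reconstruction procedure above, run end to end over a small prime field, as an added example that is not the paper's own code. It uses $n = 4$, $t = 1$ and $\kappa = 4$ (so the degree in $x$ is $n^2\kappa + 1 = 65$), a constructed 61-bit prime as $\mathbb{F}$, and reads "chosen at random" in Round 2 as revealing the same $\kappa/2$ indices $z$ of $a_{i,k,z}$ for every $j$ (an assumption made so that the unrevealed $\alpha$'s stay with $P_i$). Scenario (a) runs everybody honest. Scenario (b) lets a corrupt $P_1$ build, from every $\alpha$ it could have seen during sharing, a polynomial that agrees with $f_1$ on all of them but has a different constant term; the result shows that the forgery is consistent with every broadcast tuple (which is what a same-round reveal would have checked) yet is rejected on the per-recipient hidden tuples $S_{k,1,i} \setminus S'_{k,1,i}$, so $P_2$ still outputs $s$.

```python
"""Toy run of the 2-round-sharing / 1-round-reconstruction WSS protocol over a prime
field. Added example, not the paper's own code; parameters and field are constructed."""
import random

P = 2**61 - 1  # constructed: F = GF(P); the paper only needs |F| exponential in kappa


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through the points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def dealer_share(s, n, t, kappa, rng):
    """Local computation by D and Round 1 of sharing; returns what each P_i receives."""
    dx, pl = n * n * kappa + 1, range(1, n + 1)
    A = [[rng.randrange(P) for _ in range(t + 1)] for _ in range(dx + 1)]  # F(x,y): deg_y = t
    A[0][0] = s % P                                                        # F(0,0) = s
    f = {i: [poly_eval(A[a], i) for a in range(dx + 1)] for i in pl}      # f_i(x) = F(x, i)
    r = {i: [rng.randrange(P) for _ in range(dx + 1)] for i in pl}        # r_i(x), degree dx
    alpha = {(i, k): [rng.randrange(1, P) for _ in range(kappa)] for i in pl for k in pl}
    return {i: {"f": f[i], "r": r[i],
                "S": {(j, k): [(a, poly_eval(f[j], a), poly_eval(r[j], a)) for a in alpha[(i, k)]]
                      for j in pl for k in pl}} for i in pl}


def sharing_round2(state, n, kappa, rng):
    """Round 2: P_i broadcasts c_i, g_i = f_i + c_i r_i and half of every S_{i,j,k}.
    Assumption: the same kappa/2 indices z are revealed for every j (see lead-in)."""
    bc = {}
    for i, st in state.items():
        c = rng.randrange(1, P)
        g = [(a + c * b) % P for a, b in zip(st["f"], st["r"])]
        idx = {k: rng.sample(range(kappa), kappa // 2) for k in range(1, n + 1)}
        bc[i] = {"c": c, "g": g,
                 "Sp": {(j, k): [tup[z] for z in idx[k]] for (j, k), tup in st["S"].items()}}
    return bc


def compute_share_set(bc, n, t):
    """Local computation after Round 2; uses only broadcasts, so every honest player agrees."""
    pl = range(1, n + 1)

    def agrees(k, j):  # Eq. (1): g_j(alpha) = beta + c_j*gamma on every tuple of S'_{k,j,u}
        return all(poly_eval(bc[j]["g"], a) == (b + bc[j]["c"] * g_) % P
                   for u in pl for (a, b, g_) in bc[k]["Sp"][(j, u)])
    share = {j for j in pl if sum(agrees(k, j) for k in pl) >= n - t}
    return share if len(share) >= n - t else None  # None: dealer disqualified


def honest_messages(state, bc, share, n, i):
    """Reconstruction Round 1 as sent by honest players to P_i: f_j for j in SHARE and
    the hidden tuples S_{k,j,i} minus S'_{k,j,i}."""
    pl = range(1, n + 1)
    polys = {j: state[j]["f"] for j in share}
    hidden = {(k, j): [tp for tp in state[k]["S"][(j, i)] if tp not in bc[k]["Sp"][(j, i)]]
              for k in pl for j in pl}
    return polys, hidden


def reconstruct(i, n, t, share, polys, hidden):
    """Local computation by honest P_i; returns the secret, or None standing for bottom."""
    pl = range(1, n + 1)

    def agrees(k, j):  # Eq. (2): some hidden tuple from P_k lies on the polynomial P_j claimed
        return any(poly_eval(polys[j], a) == b for (a, b, _) in hidden[(k, j)])
    recon = [j for j in sorted(share) if sum(agrees(k, j) for k in pl) >= n - 2 * t]
    pts = [(j, poly_eval(polys[j], 0)) for j in recon]
    if len(pts) <= t:
        return None
    base = pts[:t + 1]  # the t-degree polynomial through base must fit every other point
    return lagrange_eval(base, 0) if all(lagrange_eval(base, x) == y for x, y in pts[t + 1:]) else None


def forge_polynomial(f, known_alphas, delta):
    """f'(x) = f(x) + delta * prod(1 - x/alpha): equals f on every known alpha, but
    f'(0) = f(0) + delta. Possible only because fewer alphas are known than deg f."""
    assert len(known_alphas) < len(f)
    q = [1]
    for a in known_alphas:
        inv = pow(a, P - 2, P)
        q = [((q[m] if m < len(q) else 0) - (q[m - 1] * inv if m else 0)) % P for m in range(len(q) + 1)]
    q += [0] * (len(f) - len(q))
    return [(fc + delta * qc) % P for fc, qc in zip(f, q)]


def run(seed=2012, n=4, t=1, kappa=4, s=424242):
    rng = random.Random(seed)
    state = dealer_share(s, n, t, kappa, rng)
    bc = sharing_round2(state, n, kappa, rng)
    share = compute_share_set(bc, n, t)
    pl = range(1, n + 1)
    # (a) everybody honest: each P_i outputs s
    honest = [reconstruct(i, n, t, share, *honest_messages(state, bc, share, n, i)) for i in pl]
    # (b) corrupt P_1 forges f'_1 through every alpha it could have seen and sends it to P_2
    bad, victim = 1, 2
    known = {a for k in pl for jk in bc[k]["Sp"] for (a, _, _) in bc[k]["Sp"][jk]}  # broadcast halves
    known |= {a for tup in state[bad]["S"].values() for (a, _, _) in tup}          # its own sets
    forged = forge_polynomial(state[bad]["f"], sorted(known), delta=1)
    polys, hidden = honest_messages(state, bc, share, n, victim)
    polys[bad] = forged
    return {
        "honest": honest,
        "attack_output": reconstruct(victim, n, t, share, polys, hidden),
        "forged_passes_broadcast": all(poly_eval(forged, a) == b
                                       for k in pl for u in pl for (a, b, _) in bc[k]["Sp"][(bad, u)]),
        "forged_accepted_by_honest": any(any(poly_eval(forged, a) == b for (a, b, _) in hidden[(k, bad)])
                                         for k in pl if k != bad),
        "known_alphas": len(known), "deg_x": n * n * kappa + 1,
    }


if __name__ == "__main__":
    print(run())
```

With these parameters the number of $\alpha$'s available to the corrupt player comes out at exactly $\tfrac{1}{2}\kappa n(n + t) = 40$, matching the count in the privacy argument and well below the degree 65 of $f_1(x)$; that gap is what lets the forgery pass against published points and what makes it useless against the points only $P_2$ ever sees.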

This completes the protocol description. We now see how this protocol satisfies the three requirements of WSS. Let $M$ be the set of corrupted players; for simplicity assume that $|M| = t$. Note that the first two requirements have to be proved only in the case where the dealer is honest, i.e., $D \notin M$.

Privacy: Consider the set of points $\{(i, f_i(0)) \mid P_i \in P\}$. They define a $t$-degree polynomial $h(x)$ such that $h(0) = F(0,0) = s$. Here, $h(i)$ is $P_i$'s share of the secret $s$. In the very first round, the adversary obtains $t$ points on this polynomial: $\{(i, f_i(0)) \mid P_i \in M\}$. We show that during the sharing phase, it does not obtain any information about the remaining points, implying that the secret remains hidden.

For a player $P_j \notin M$, the adversary learns at most $\tfrac{1}{2}\kappa n(n + t)$ points on the polynomial $f_j(x)$ during the sharing phase: at most $t\kappa n$ points in Round 1, and at most $\tfrac{1}{2}\kappa n(n - t)$ points in Round 2. Since the degree of $f_j(x)$ is $n^2\kappa + 1$, no information about $h(j) = f_j(0)$ is revealed.

Correctness: It is easy to see that all honest players end up in the set SHARE, and later, in the set $\mathrm{RECON}_i$. Since there are at least $n - t$ honest players, the dealer is not disqualified at the end of the sharing phase. Now, if we show that with high probability the set $\mathrm{RECON}_i$ constructed by any honest player $P_i$ does not contain any corrupt player, we know that only the shares of honest players will be used in reconstruction, resulting in the output of the secret $s$. We now proceed to do the same.

Suppose a corrupt player $P_j$, who manages to be a part of the set SHARE, sends an incorrect polynomial $f'_j(x)$ with $f'_j(0) \neq f_j(0)$ to an honest player $P_i$. Now, $P_i$ will add $P_j$ to $\mathrm{RECON}_i$ only if at least $n - 2t$ players agree with it, i.e., only if at least one honest player agrees with it. For this to happen, there must exist $\langle \alpha, \beta, \gamma \rangle \in S_{k,j,i} \setminus S'_{k,j,i}$ such that $f'_j(\alpha) = \beta$, for some honest player $P_k$. However, since none of the $\alpha$'s are known to the adversary (these $\alpha$'s are only given to player $P_i$), the probability that $P_j$ sends a polynomial $f'_j(x)$ with $f'_j(0) \neq f_j(0)$ and yet gets added to $\mathrm{RECON}_i$ is at most

$$1 - \left(\frac{|\mathbb{F}| - 1}{|\mathbb{F}|}\right)^{\frac{1}{2}\kappa(n - t)},$$

which is negligibly small in $\kappa$ (note that $\kappa/2$ is the size of $S_{k,j,i} \setminus S'_{k,j,i}$ and $n - t$ is the number of honest players).

Commitment: If the dealer is honest, all honest players are part of SHARE and hold shares of the secret $s$. We now see how the commitment property holds when $D \in M$. We know that at least $n - 2t > t + 1$ honest players should end up in the set SHARE, otherwise the dealer gets disqualified. If the shares of these players define a polynomial, we need to show that every honest player will output the constant term of this polynomial or $\perp$ at the end of the reconstruction phase; if the shares don't define a polynomial, $\perp$ should be output. To show this, it is sufficient to prove that every honest player in SHARE also ends up in $\mathrm{RECON}_i$, for every honest player $P_i$. In this way, the share of every honest player would be taken into account while reconstructing the secret and we would achieve the desired properties.

Consider an honest player $P_j \in \mathrm{SHARE}$ that does not get added to $\mathrm{RECON}_i$ constructed by an honest player $P_i$. This means that though $n - t$ players agreed with $P_j$ in the sharing phase, not even $n - 2t$ of them agreed with it in the reconstruction phase. This further implies that there is at least one honest player, say $P_k$, who agreed with $P_j$ first but did not agree later. We now show that, no matter what the adversary does, the probability of this event $E$ is negligibly small in $\kappa$.

The corrupted dealer $D$ should give the polynomials $f_j(x)$, $r_j(x)$ to $P_j$ and the set of tuples $S_{k,j,i}$ to $P_k$ such that for at least half of the tuples in $S_{k,j,i}$ Eq. (1) holds, making sure that $P_k$ agrees with $P_j$ during the sharing phase, and for at least half of the tuples in $S_{k,j,i}$ Eq. (2) does not hold, making sure that $P_k$ does not agree with $P_j$ during the reconstruction phase. However, since a non-zero $c_j$ is chosen randomly by $P_j$, the probability that some tuple satisfies exactly one of the two equations is at most $\kappa/(|\mathbb{F}| - 1)$. Hence, with a high probability of at least $1 - \kappa/(|\mathbb{F}| - 1)$, any tuple satisfies both equations or none of them. Now, to have a good chance of success, $D$ must make sure that exactly $1/2$ of the tuples in $S_{k,j,i}$ satisfy Eq. (1) (if more than half do, then with a high probability more than half of the tuples will satisfy Eq. (2) as well, and $P_k$ would agree with $P_j$ again). However, the event $E$ occurs only when the $\kappa/2$ tuples chosen randomly by $P_k$ are exactly the ones for which the dealer has made Eq. (1) hold. This happens with a probability of

$$\frac{1}{\binom{\kappa}{\kappa/2}},$$

which is negligible in $\kappa$.
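The two probability bounds from the correctness and commitment arguments can be made explicit with elementary estimates; this is an added worked step, not part of the original paper. For the correctness bound, Bernoulli's inequality $(1 - x)^m \ge 1 - mx$ for $0 \le x \le 1$ gives

$$1 - \left(\frac{|\mathbb{F}| - 1}{|\mathbb{F}|}\right)^{\frac{1}{2}\kappa(n - t)} = 1 - \left(1 - \frac{1}{|\mathbb{F}|}\right)^{\frac{1}{2}\kappa(n - t)} \le \frac{\kappa(n - t)}{2\,|\mathbb{F}|},$$

which is negligible because $|\mathbb{F}|$ is exponential in $\kappa$ while $n = \mathrm{poly}(\kappa)$. For the commitment bound, the central binomial coefficient is the largest of the $\kappa + 1$ coefficients $\binom{\kappa}{0}, \ldots, \binom{\kappa}{\kappa}$, whose sum is $2^\kappa$, so

$$\binom{\kappa}{\kappa/2} \ge \frac{2^\kappa}{\kappa + 1} \quad\Longrightarrow\quad \frac{1}{\binom{\kappa}{\kappa/2}} \le \frac{\kappa + 1}{2^\kappa},$$

again negligible in $\kappa$. Both bounds hold for the field and tuple sizes exactly as the protocol fixes them, with no additional assumption on the adversary.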

References

[1] A. Shamir, How to share a secret, Commun. ACM 22 (1979) 612–613.

[2] M. Pease, R. Shostak, L. Lamport, Reaching agreement in the presence of faults, J. ACM 27 (1980) 228–234.

[3] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, in: 26th Annual Symposium on Foundations of Computer Science, 1985, pp. 383–395.

[4] O. Goldreich, S. Micali, A. Wigderson, How to play any mental game, in: Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, STOC'87, ACM, New York, NY, USA, 1987, pp. 218–229.

[5] M. Ben-Or, S. Goldwasser, A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC'88, ACM, New York, NY, USA, 1988, pp. 1–10.

[6] D. Chaum, C. Crépeau, I. Damgard, Multiparty unconditionally secure protocols, in: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC'88, ACM, New York, NY, USA, 1988, pp. 11–19.

[7] T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, in: Proceedings of the Twenty-first Annual ACM Symposium on Theory of Computing, STOC'89, ACM, New York, NY, USA, 1989, pp. 73–85.

[8] M.J. Fischer, N.A. Lynch, A lower bound for the time to assure interactive consistency, Inform. Process. Lett. 14 (1981) 183–186.

[9] R. Gennaro, Y. Ishai, E. Kushilevitz, T. Rabin, The round complexity of verifiable secret sharing and secure multicast, in: Proceedings of the Thirty-third Annual ACM Symposium on Theory of Computing, STOC'01, ACM, New York, NY, USA, 2001, pp. 580–589.

[10] M. Fitzi, J. Garay, S. Gollakota, C. Rangan, K. Srinathan, Round-optimal and efficient verifiable secret sharing, in: S. Halevi, T. Rabin (Eds.), Theory of Cryptography, in: Lecture Notes in Comput. Sci., vol. 3876, Springer, Berlin/Heidelberg, 2006, pp. 329–342.

[11] J. Katz, C.-Y. Koo, R. Kumaresan, Improving the round complexity of VSS in point-to-point networks, Inform. and Comput. 207 (2009) 889–899.

[12] A. Patra, A. Choudhary, T. Rabin, C. Rangan, The round complexity of verifiable secret sharing revisited, in: S. Halevi (Ed.), Advances in Cryptology – CRYPTO 2009, in: Lecture Notes in Comput. Sci., vol. 5677, Springer, Berlin/Heidelberg, 2009, pp. 487–504.