Distributed pseudo-random bit generators—a new way to speed-up shared coin tossing

Mihir Bellare*, Juan A. Garay†, Tal Rabin‡

A shared coin is one which n players "simultaneously" hold and can later reveal, but no sufficiently small coalition can influence or a priori predict the outcome. Such coins are expensive to produce, yet many distributed protocols (including broadcast and Byzantine agreement) need them in bulk. We introduce a new paradigm for obtaining shared coins. We suggest distributed pseudo-random bit generators (D-PRBGs). Analogous to a pseudo-random bit generator, which is an efficient algorithm to expand a short random seed into a long random-looking sequence, a D-PRBG is a protocol which "expands" a "distributed seed," consisting of shared coins, into a longer "sequence" of shared coins, at low amortized cost per coin produced. Our main result is the construction of a D-PRBG in which this amortized cost (computation and communication) is significantly lower than the cost of any "from-scratch" shared coin generation protocol. Furthermore, for applications which are executed repeatedly, we suggest bootstrapping: each run of the D-PRBG produces not only the coins for the current execution but also the seed for the next execution. Since the cost of the initial seed can now effectively be neglected, we get very fast coin generation. Underlying these constructions are some techniques of independent interest. We consider batch Verifiable Secret Sharing (VSS), where we need to do a large number of VSSs simultaneously. We provide a method in which the amortized cost per VSS is significantly lower than the cost of a VSS for any known VSS protocol.

* Department of Computer Science & Engineering, Mail Code 0114, University of California at San Diego, 9500 Gilman Drive, La Jolla, CA 92093. E-mail: mihir@cs.ucsd.edu. URL: http://www-cse.ucsd.edu/users/mihir
† CWI, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands, and IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598. E-mail: garay@cwi.nl, garay@watson.ibm.com. URLs: http://www.cwi.nl, http://www.research.ibm.com/security
‡ MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, USA. E-mail: talr@theory.lcs.mit.edu. Work supported by an NSF Postdoctoral Fellowship. Part of this work was done when the author was visiting the IBM T.J. Watson Research Center.

PODC'96, Philadelphia PA, USA. © 1996 ACM
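As an added illustration of the terms the abstract uses (this is example code written for this page, not code from the paper, and it does not implement the paper's D-PRBG or batch-VSS constructions, which the abstract only summarizes): a "from-scratch" shared coin built on Shamir secret sharing. Every player deals a sharing of a private random bit, the players locally add the shares they hold, and the coin is the parity of the sum; any t+1 players can reveal it, and `complete_sharing` shows why any t players can neither predict nor bias it. The prime P, the parameters n=7 and t=3, and the use of a plain Shamir dealing in place of a VSS are assumptions made for the example.

```python
# Added illustration (not from the paper): a from-scratch shared coin built on Shamir
# secret sharing over GF(P).  Every player deals a sharing of a private random bit, the
# players locally add the shares they hold, and the coin is the parity of the sum.
# ASSUMPTIONS (not fixed by the abstract): the prime P, and that a "dealing" is a plain
# Shamir sharing; a real protocol uses VSS so a corrupt dealer is committed to one bit
# before any reveal happens and cannot choose its bit after seeing the others.
import secrets

P = 2**127 - 1  # Mersenne prime; all arithmetic below is in GF(P)


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[k] * x**k) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through {x_i: y_i}."""
    total = 0
    xs = list(points)
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + points[i] * num * pow(den, P - 2, P)) % P
    return total


def shamir_share(secret, t, n, rng=secrets.randbelow):
    """Deal `secret` to players 1..n: any t+1 shares reconstruct it, any t reveal nothing."""
    coeffs = [secret % P] + [rng(P) for _ in range(t)]  # random degree-t polynomial, f(0)=secret
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Recover the secret f(0) from any >= t+1 shares {index: value}."""
    return _interpolate(shares, 0)


def complete_sharing(coalition_view, guess, n):
    """Full share vector for players 1..n that agrees with a t-coalition's t shares AND has
    secret `guess`.  One exists for every guess, which is exactly why t shares give the
    coalition no information about the dealt bit, and hence none about the coin."""
    pts = dict(coalition_view)
    pts[0] = guess % P
    return {k: _interpolate(pts, k) for k in range(1, n + 1)}


def shared_coin(n, t, rng=secrets.randbelow):
    """From-scratch shared coin for n players, tolerating any coalition of at most t."""
    # Each player j deals a sharing of its own random bit b_j.  This is the expensive step the
    # paper's D-PRBG amortizes: n dealings (VSSs, in a real protocol) for a single coin.
    dealings = [shamir_share(rng(2), t, n, rng) for _ in range(n)]
    # Player i locally adds the n shares it received; the result is its share of S = sum b_j,
    # which is still a degree-t sharing because sharings are linear.
    return {i: sum(d[i] for d in dealings) % P for i in range(1, n + 1)}


def reveal_coin(sum_shares, t):
    """Any t+1 players revealing their summed shares fix the coin: the parity of S.
    S <= n << P, so the field sum equals the integer sum and the parity is well defined."""
    subset = dict(list(sum_shares.items())[: t + 1])
    return reconstruct(subset) % 2


if __name__ == "__main__":
    n, t = 7, 3  # constructed parameters
    shares_of_sum = shared_coin(n, t)
    print("coin =", reveal_coin(shares_of_sum, t))
```

The coin is uniform as long as at least one honest dealer's bit is uniform and hidden from the coalition while the dealings are in flight, which is what `complete_sharing` demonstrates for the hiding half; the commitment half (a corrupt dealer cannot pick its bit after seeing the honest ones) is what VSS adds and this toy dealing does not.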
