Efficient Verifiable Secret Sharing with Share Recovery in BFT Protocols

Byzantine fault tolerant state machine replication (SMR) provides powerful integrity guarantees, but fails to provide any privacy guarantee whatsoever. A natural way to add such privacy guarantees is to secret-share state instead of fully replicating it. Such a com- bination would enable simple solutions to difficult problems, such as a fair exchange or a distributed certification authority. However, incorporating secret shared state into traditional Byzantine fault tolerant (BFT) SMR protocols presents unique challenges. BFT protocols often use a network model that has some degree of asynchrony, making verifiable secret sharing (VSS) unsuitable. However, full asynchronous VSS (AVSS) is unnecessary as well since the BFT algorithm provides a broadcast channel. We first present the VSS with share recovery problem, which is the subproblem of AVSS required to incorporate secret shared state into a BFT engine. Then, we provide the first VSS with share recovery solution, KZG-VSSR, in which a failure-free sharing incurs only a constant number of cryptographic operations per replica. Finally, we show how to efficiently integrate any instantiation of VSSR into a BFT replication protocol while incurring only constant overhead. Instantiating VSSR with prior AVSS protocols would require a quadratic communication cost for a single shared value and incur a linear overhead when incorporated into BFT replication. We demonstrate our end-to-end solution via a a private key-value store built using BFT replication and two instantiations of VSSR, KZG-VSSR and Ped-VSSR, and present its evaluation.

[1]  Aniket Kate,et al.  Asynchronous Computational VSS with Reduced Communication Complexity , 2013, CT-RSA.

[2]  Peter Sebastian Nordholt,et al.  Minimising Communication in Honest-Majority MPC by Batchwise Multiplication Verification , 2018, IACR Cryptol. ePrint Arch..

[3]  Ronald Cramer,et al.  A secure and optimally efficient multi-authority election scheme , 1997, Eur. Trans. Telecommun..

[4]  Elaine Shi,et al.  The Honey Badger of BFT Protocols , 2016, CCS.

[5]  Enis Ceyhun Alp,et al.  C ALYPSO : Auditable Sharing of Private Data over Blockchains , 2018 .

[6]  Matthew Green,et al.  Zerocoin: Anonymous Distributed E-Cash from Bitcoin , 2013, 2013 IEEE Symposium on Security and Privacy.

[7]  Nancy A. Lynch,et al.  Consensus in the presence of partial synchrony , 1988, JACM.

[8]  Ramakrishna Kotla,et al.  Zyzzyva , 2007, SOSP.

[9]  Rafail Ostrovsky,et al.  Communication-Optimal Proactive Secret Sharing for Dynamic Groups , 2015, ACNS.

[10]  Ran Canetti,et al.  Fast asynchronous Byzantine agreement with optimal resilience , 1993, STOC.

[11]  Pradeep K. Khosla,et al.  Survivable Information Storage Systems , 2000, Computer.

[12]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[13]  Dawn Xiaodong Song,et al.  CHURP: Dynamic-Committee Proactive Secret Sharing , 2019, IACR Cryptol. ePrint Arch..

[14]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[15]  Moses D. Liskov,et al.  MPSS: Mobile Proactive Secret Sharing , 2010, TSEC.

[16]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[17]  Markus Jakobsson,et al.  Proactive public key and signature systems , 1997, CCS '97.

[18]  Miguel Castro,et al.  Practical byzantine fault tolerance and proactive recovery , 2002, TOCS.

[19]  Jean-Philippe Martin,et al.  Fast Byzantine Consensus , 2006, IEEE Transactions on Dependable and Secure Computing.

[20]  Sam Toueg,et al.  Asynchronous consensus and broadcast protocols , 1985, JACM.

[21]  Robbert van Renesse,et al.  APSS: proactive secret sharing in asynchronous systems , 2005, TSEC.

[22]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[23]  Matthew K. Franklin,et al.  Communication complexity of secure computation (extended abstract) , 1992, STOC '92.

[24]  Victor Shoup,et al.  Secure and Efficient Asynchronous Broadcast Protocols , 2001, CRYPTO.

[25]  Sushil Jajodia,et al.  Redistributing Secret Shares to New Access Structures and Its Applications , 1997 .

[26]  Anna Lysyanskaya,et al.  Asynchronous verifiable secret sharing and proactive cryptosystems , 2002, CCS '02.

[27]  Yvo Desmedt,et al.  Shared Generation of Authenticators and Signatures (Extended Abstract) , 1991, CRYPTO.

[28]  Moni Naor,et al.  Distributed Pseudo-random Functions and KDCs , 1999, EUROCRYPT.

[29]  Svetla Nikova,et al.  On Proactive Secret Sharing Schemes , 2004, Selected Areas in Cryptography.

[30]  Douglas R. Stinson,et al.  On dealer-free dynamic threshold schemes , 2013, Adv. Math. Commun..

[31]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[32]  Yves Deswarte,et al.  Intrusion tolerance in distributed computing systems , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[33]  Haibin Zhang,et al.  Secure Causal Atomic Broadcast, Revisited , 2017, 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[34]  Martin Tompa,et al.  How to share a secret with cheaters , 1988, Journal of Cryptology.

[35]  Emin Gün Sirer,et al.  Scalable and Probabilistic Leaderless BFT Consensus through Metastability , 2019, ArXiv.

[36]  Ignacio Cascudo,et al.  SCRAPE: Scalable Randomness Attested by Public Entities , 2017, IACR Cryptol. ePrint Arch..

[37]  Eli Ben-Sasson,et al.  Zerocash: Decentralized Anonymous Payments from Bitcoin , 2014, 2014 IEEE Symposium on Security and Privacy.

[38]  Hugo Krawczyk,et al.  Secret Sharing Made Short , 1994, CRYPTO.

[39]  Moti Yung,et al.  Optimal-resilience proactive public-key cryptosystems , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[40]  Craig A. N. Soules,et al.  Survivable storage systems , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[41]  Maurice Herlihy,et al.  Linearizability: a correctness condition for concurrent objects , 1990, TOPL.

[42]  Ari Juels,et al.  HAIL: a high-availability and integrity layer for cloud storage , 2009, CCS.

[43]  Aniket Kate,et al.  Brief Note: Asynchronous Verifiable Secret Sharing with Optimal Resilience and Linear Amortized Overhead , 2019, ArXiv.

[44]  Benny Pinkas,et al.  SBFT: A Scalable and Decentralized Trust Infrastructure , 2018, 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN).

[45]  Victor Shoup,et al.  Random Oracles in Constantinople: Practical Asynchronous Byzantine Agreement Using Cryptography , 2000, Journal of Cryptology.

[46]  Ian Goldberg,et al.  Constant-Size Commitments to Polynomials and Their Applications , 2010, ASIACRYPT.

[47]  Maurice Herlihy,et al.  How to Make Replicated Data Secure , 1987, CRYPTO.

[48]  Rafail Ostrovsky,et al.  How to withstand mobile virus attacks, revisited , 2014, PODC '14.

[49]  Ittai Abraham,et al.  HotStuff: BFT Consensus with Linearity and Responsiveness , 2019, PODC.

[50]  Ivan Damgård,et al.  Multiparty Computation from Somewhat Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[51]  Michael K. Reiter,et al.  How to securely replicate services , 1994, TOPL.

[52]  Jeannette M. Wing,et al.  Verifiable secret redistribution for archive systems , 2002, First International IEEE Security in Storage Workshop, 2002. Proceedings..