Practical Non-interactive Publicly Verifiable Secret Sharing with Thousands of Parties

Non-interactive publicly verifiable secret sharing (PVSS) schemes allow parties to re-share a secret in a decentralized setting in the presence of malicious parties. A recently proposed application of PVSS schemes is to enable permissionless proof-of-stake blockchains to “keep a secret” via a sequence of committees that share that secret. Such committees can use the secret to produce signatures on the blockchain’s behalf, or to disclose hidden data conditioned on consensus that some event has occurred. Such a setting may involve thousands of parties, so the PVSS scheme that it uses must be very efficient, both in computation and communication. Yet, previous PVSS schemes have large proofs and/or require many exponentiations over large groups. We present a non-interactive PVSS scheme in which the underlying encryption scheme is based on the learning with errors (LWE) problem. While lattice-based encryption schemes are very fast, they have issues with bandwidth (long ciphertexts and public keys). We deal with the bandwidth issue in two ways. First, we adapt the Peikert-Vaikuntanathan-Waters (PVW) encryption scheme to the multireceiver setting so that the bulk of the parties’ keys is a common random string, and so that we get good amortized communication: Ω(1) plaintext/ciphertext rate (rate ≈ 1/60 for 100 parties, ≈ 1/8 for 1000 parties, approaching 1/2 as the number of parties grows). Second, we use bulletproofs over a DL-group of order about 256 bits to get compact proofs of correct encryption of shares. Switching from the lattice setting to the DL setting is relatively painless, as we equate the LWE modulus with the order of the group, and apply dimension reduction to vectors before the switch to minimize the number of exponentiations in the bulletproof. An implementation of our PVSS for 1000 parties showed that it’s quite practical, and should remain so with up to a two order of magnitude increase in the group size.
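The multi-receiver, CRS-keyed structure sketched above, as an added toy illustration that is not the paper's construction (its parameters, packing and rate differ): one common random matrix is the shared string, each party publishes only a short vector, and a single ciphertext delivers a Shamir share to every party; `Q`, `P`, the dimensions and the error bound are arbitrary toy values, insecure by design.

```python
import math, random
# Toy PVW-style multi-receiver LWE encryption of Shamir shares; constructed, NOT secure.
Q, P, N, M, B = 1 << 24, 257, 16, 32, 10   # LWE modulus, share field, dims, error bound
rng = random.Random(1)                      # deterministic so the demo is reproducible

def crs():
    """Common random string: one matrix A in Z_Q^{M x N} shared by every party."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]

def keygen(A):
    """Per-party key: secret s, published b = A*s + e mod Q (a single M-vector)."""
    s = [rng.randrange(-1, 2) for _ in range(N)]
    e = [rng.randrange(-B, B + 1) for _ in range(M)]
    b = [(sum(A[j][k] * s[k] for k in range(N)) + e[j]) % Q for j in range(M)]
    return s, b

def shamir_shares(secret, t, n):
    """Shares f(1..n) of a random degree-(t-1) polynomial over Z_P with f(0)=secret."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t - 1)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)]

def shamir_recover(points):
    """Lagrange interpolation at x=0 from t (x, y) pairs over Z_P."""
    total = 0
    for xi, yi in points:
        lagr = math.prod(-xj * pow(xi - xj, P - 2, P) for xj, _ in points if xj != xi) % P
        total = (total + yi * lagr) % P
    return total

def encrypt_all(A, pks, msgs):
    """One ciphertext for all parties: c0 = r*A is shared, c_i = r*b_i + m_i*floor(Q/P)."""
    r = [rng.randrange(2) for _ in range(M)]
    c0 = [sum(r[j] * A[j][k] for j in range(M)) % Q for k in range(N)]
    cs = [(sum(r[j] * b[j] for j in range(M)) + m * (Q // P)) % Q for b, m in zip(pks, msgs)]
    return c0, cs

def decrypt(s, c0, ci):
    """c_i - <c0, s> = r*e + m*floor(Q/P); the small r*e term rounds away."""
    v = (ci - sum(c0[k] * s[k] for k in range(N))) % Q
    return round(v * P / Q) % P

def demo(n=40, t=20, secret=123):
    A = crs()
    keys = [keygen(A) for _ in range(n)]
    shares = shamir_shares(secret, t, n)
    c0, cs = encrypt_all(A, [b for _, b in keys], shares)
    dec = [decrypt(s, c0, ci) for (s, _), ci in zip(keys, cs)]
    recovered = shamir_recover([(i + 1, dec[i]) for i in range(t)])
    rate = n * math.log2(P) / ((n + N) * math.log2(Q))  # plaintext bits / ciphertext bits
    return dec == shares, recovered, rate
```

Calling `demo()` with a larger `n` shows the rate rising, because the shared `c0` block is amortised over more parties.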
