Communication-Efficient Proactive Secret Sharing for Dynamic Groups with Dishonest Majorities

摘要

In Secret Sharing (SS), a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any t + 1 parties can efficiently recover s. Proactive Secret Sharing (PSS) retains confidentiality of s even when a mobile adversary corrupts all parties over the secret's lifetime, but no more than a threshold t in each epoch (called a refresh period). Withstanding such adversaries is becoming increasingly important with the emergence of settings where private keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of (single-secret) PSS for static groups with dishonest majorities was recently demonstrated, but with a protocol that requires inefficient communication of O(n~4). In this work, using new techniques, we improve over prior work in two directions: batching without incurring a linear loss in corruption threshold and communication efficiency. While each of properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. SomePSS protocols can handle batching of ℓ ～ n secrets, but all of them are for the honest majority setting. The techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in ℓ, effectively limiting the number of elements that can be batched with dishonest majority. We solve this problem by finding a way to reduce the decrease to ℓ~(1/2) instead, allowing to reach the dishonest majority setting when ℓ ～ n. Specifically, this work introduces new bivariate-polynomials-based sharing techniques allowing to batch up to n - 2 secrets in our PSS. Next, we tackle the efficiency bottleneck and construct a PSS protocol with O(n~3/ℓ) communication complexity for ℓ. secrets, i.e., an amortized communication complexity of O(n~2) when the maximum batch size is used.