 Hey everyone, I am Akshay Ra and today I am going to talk about nearly optimal robust secret sharing against rushing adversaries. This is based on joint work with Pasin Manurangasi and Prasanth Nalini Vasudevan. Let me start this talk by recalling the notion of threshold secret sharing that was introduced in the seminal works of Shamir and Blackly in the late 1970s. In this setting, there is a dealer who has a secret message s that is n bits long. The dealer splits the secret into n shares SH1 up to SHn with some threshold parameter d. He then sends the IH share SHi to party pn. We want a threshold secret sharing to satisfy the following two properties. The first property, which is called the correctness property, requires that any group of more than t parties can come together, use their shares to reconstruct the secret s. The second property, which is the secrecy property, requires that the shares corresponding to any group of t parties reveal no information about the underlying secret. Threshold secret sharing is a fundamental cryptographic perimeter with numerous applications. Some of these applications include constructing secure multi-party computation protocols, designing threshold cryptographic primitives, constructing leakage resilience at good compilers and so on. However, the basic version that I defined in the previous slide provides security only against passive adversaries. In order to protect against the stronger malicious adversaries, there have been many strengthenings of threshold secret sharing that have been proposed. Some of these strengthenings include robust secret sharing, verifiable secret sharing, and the more recent non-malleable secret sharing. The focus of this work is on robust secret sharing. Robust secret sharing was introduced by Rabin and Benor in 1989. So it's just like any other threshold secret sharing scheme, satisfying both the correctness and the secrecy properties. In addition to these two properties, we require a third property which is the robustness property. Roughly speaking, this robustness property requires that any group of t-corrupted parties who might deviate arbitrarily from the protocol cannot force an honest party to reconstruct to a wrong secret. To give more details about the robustness, let's consider the reconstruction phase of the protocol. In the reconstruction, the parties start with the shares that was handed over to them by the dealer. We consider an adversary that could corrupt up to T of these parties. The reconstruction could proceed in multiple rounds and in each round, a party could send a message to every other party. The honest parties will follow the protocol whereas the adversarial parties might deviate arbitrarily from the protocol. At the end of the reconstruction, the robustness requirement states that all the honest parties output the secret S that was originally shared. Here we might consider an adversary that can either be rushing or non-rushing. The stronger rushing adversarial model allows a corrupted party to wait for all the messages from honest parties before sending its own message in a particular round. For applications related to secure multi-party computation, it is extremely crucial that the secret sharing is robust against rushing adversaries. The more formal definition of robustness is as follows. A T out of N secret sharing scheme is said to be T, N, epsilon robust is for every malicious adversary A controlling up to T parties and for every secret S, the probability that there is an honest party that outputs something different from S while interacting with A in the reconstruction phase is upper bounded by this parameter epsilon. One can think about epsilon as being the error parameter for the robustness. Given this definition of robustness, let me state a couple of observations. The first observation is that Shamir secret sharing is perfectly robust that is epsilon is equal to 0 when N is greater than or equal to 3T plus 1 and this follows due to the error correcting properties of Reed-Solomon codes. On the other hand, if an adversary is able to corrupt a majority of the parties, in other words, if N is less than or equal to 2T, then robustness is impossible to achieve. So the interesting set of parameters is when N lies between 2T plus 1 and between 3T plus 1 and the most challenging setting here is when N is equal to 2T plus 1. In the work of Rabin and Bernard also gave a construction of robust secret sharing when N is equal to 2T plus 1 with error parameter being true to the minus lambda. The share size of their construction was M plus order N times lambda where M is the length of the secret. When compared to the non-robust variant, there is an additive overhead of order N times lambda in their construction. So a natural question to ask is whether this overhead is necessary. A work by Carpentry et al in 94 showed that for N being 2T plus 1 and error being 2 to the minus lambda, any robust secret sharing scheme has to have a share size which is at least N plus omega of lambda. A couple of points to note about this result is that perfect robustness is impossible to achieve in this regime and furthermore, the share size of a robust secret sharing scheme is strictly larger than their non-robust counterpart. A long line of work followed and which has tried optimizing the share size of a robust secret sharing scheme to achieve this lower bound. I would like to remark that there are many exciting words that consider the setting where T is equal to half minus delta times N where delta is some arbitrarily small constant. However, in this setting, the lower bound of Carpentry et al does not hold and in fact one can obtain a construction of robust secret sharing with a constant overhead. That is the share size is M plus order of 1. However, the focus of this work is when N is equal to 2T plus 1 and in this regime the lower bound of Carpentry et al holds. Let me now give you details of the prior work on the setting where N is equal to 2T plus 1 and the prior work can be summarized in this following table. The work of Kramer et al in 2001 improved upon the Rabin-Penor construction by giving a robust secret sharing scheme whose share size is M which is the length of the secret plus O prime of N plus lambda. Here O prime hides polylogarithmic factors. However, the reconstruction complexity in the construction was exponential in the number of parties and it was only proved secure against non-rushing adversaries. A work by Savalos et al in 2012 gave a construction that had a similar share size as that of Kramer et al but it had an efficient reconstruction procedure and was proven secure against the rushing adversaries. In 2016, a work by Bishop et al gave a construction which had a near optimal share size of M plus O prime of lambda and it also had an efficient reconstruction. Unfortunately, it was proven secure against non-rushing adversaries. Last year, Fer and Yuan gave two constructions of robust secret sharing. The first construction had a share size of M plus O prime of N to the epsilon times lambda where epsilon could be an arbitrarily small constant. The reconstruction in their work was efficient and it was proven secure against the stronger rushing adversaries. They also gave another construction which had a near optimal share size with security against rushing adversaries but the reconstruction was slightly super polynomial. So, the open problem which follows from this long line of work is to get a construction of robust secret sharing with a near optimal share size with an efficient reconstruction procedure and with security against rushing adversaries. In this work, we resolve this question in the positive by giving a robust secret sharing for the case where N is equal to 2T plus 1 with security against rushing adversaries and the share size of our construction is M plus order of lambda times log square N plus log N times log N. Here, M is the length of the secret, lambda is the error parameter, N is the number of part. An interesting point to note is that even when restricted to the non-rushing case, our share size is better than the prior best known work by Bishop et al in 2016. Furthermore, our reconstruction is polynomial time and it only involves two rounds of communication. So, our work completes this table by giving a construction with a near optimal share size with polynomial time reconstruction procedure and it's proven secure against the stronger rushing adversaries. I would like to remark that in a concurrent and an independent work, Fair and Yuan gave a construction of nearly optimal robust secret sharing against rushing adversaries. When compared to our construction, the share size is slightly larger and the reconstruction requires five rounds when compared to our two-round reconstruction. And furthermore, the techniques used in both these works are completely different. In the rest of the talk, I would like to give you details of our construction and explain how we achieve a near optimal share size. But before we move on to our construction, I would like to explain the Rabin-Benhor construction and which serves as our starting point. So, let's take a look at the Rabin-Benhor construction. So, the Rabin-Benhor construction takes the secret S and first shares it using Shamir secret sharing to get n shares SS1 up to SSN. Next for every party and for every i in n, we choose a random MAC key and compute a tag on the ith Shamir share using this key. And the share of a party includes its Shamir share and the n pairs of key, tux. So, this can easily be shown to be correct. But in order to prove security, we need to be slightly careful. This is because the tag could reveal information about the shares of the other parties and it's not entirely clear on how we can prove the secrecy of this construction. To ensure privacy, we use what is called as a private tag scheme. That is the property that this private tag scheme satisfies is that the key, tag pair does not give any information about the underlying message. So, if we use this private tag scheme, we can prove the secrecy property of this construction. So, let's see how we prove robustness, but before that, let me explain the reconstruction procedure. So in the Rabin-Bennau reconstruction just involves a single round of communication. So in this round, each party broadcasts its Shamir share to every other party. Note that the parties do not broadcast the key, tag pairs and these are private and known only to this party. So, we now consider an adversary who can corrupt up to t parties and since we consider a malicious adversary, the broadcasted share of the corrupted parties could be different from the share that was given to them by the leader. Once a party, let's call it as PI, receives all the broadcasted shares, it just checks if the tag is valid. Note that it follows from the security property of the tag scheme that if an adversarial party has modified the Shamir share, then the verification of the tag scheme fails with overwhelming probability. So what a party does is that it just collects the shares for which the verification passes and does a Shamir reconstruction to recover the original secretness. Unfortunately, the main drawback of this construction is that the size of each share is m plus order n times lambda and which is very far from being optimal. So let us now take a look at our construction and let's see how we can improve the share size. The first step in our construction is exactly same as the Rabin-Penor construction that is we take this secret and share it into n shares SS1 to SSN using Shamir secret share. The second step is where we differ from the Rabin-Penor construction. Specifically, instead of choosing the key and computing the tag for every i and n, what we do is that for every party, we choose a random subset of the set 1 to n with size order log n and we call this subset as the watch list of this party. For every i in the watch list, we choose a random MAC key and compute the tag on the i at Shamir share using this key and the share for the party includes its Shamir share and the key, tag pairs corresponding to every element of its watch list. Note that since the size of each party's watch list is order log n, the overhead that we achieve in this construction is order lambda times log n. The idea of using watch list of small size to authenticate the shares goes back to the work of Bishop et al and is called as the local authentication paradigm. Specifically instead of authenticating every share, we choose a local random subset and authenticate the shares corresponding to this subset. Given this locally computed shares, the reconstruction procedure is no longer as straightforward as the previous Sahab and Pendaw constructions. So let's take a look at our reconstruction procedure. So as I had mentioned before, our reconstruction involves two rounds of communication and let's take a look at the first round. In the first round, the parties just broadcast the Shamir share to every other party. As before, we consider an adversary that could corrupt up to T parties and since we consider a malicious adversary, the broadcasted share could be different from the share that was handed over to them by the dealer. Unlike the Rabind Bin or construction, a honest party cannot check if every received share was modified or not because it does not have enough key, tag pairs. But what it can do is to check the received shares for those corresponding to its watchlist. So that is what the honest party does. So an honest party PI, for every element J in its watchlist, it checks if the Jth received share was correct, that is it checks whether the tag is valid or not. If the tag is valid, it labels the party J as being good, otherwise it labels the party J as being bad. In the second round, each party just broadcasts a set of labels for corresponding to parties in its own watches. So this is the second round of communication. Now at the end of the second round, every party has the labeled watchlist of every other party. Let me make a couple of quick observations. The first observation is that an honest party always labels an other honest party in its watchlist as being good. And this just follows from the correctness of the tags. On the other hand, if an honest party has a corrupted party in its watchlist and if this corrupted party has modified the share, then with overwhelming probability it labels that corrupted party as being bad. And this just follows from the security property of the tags. On the other hand, a corrupted party might choose an arbitrary label. It could label an other corrupted party as being good. On the other hand, it can also label an honest party as being bad. Furthermore, since we allow the adversaries to be rushing, the labelings of the corrupted parties can depend on the labelings of the honest party. So given these two observations, let's consider the graph that is restricted to the set of bad edges. That is, we remove all the edges that are labeled as good and we just include the edges that are labeled as being bad. So in this restricted graph, one can easily observe that the set of honest parties will form an independent set. This is because every honest party will label another honest party as being good. And it's not too hard to show that the maximum independent set on this restricted graph contains a large number of honest parties and contains only a few adversarial parties. So this just follows from the fact that the edges from the honest parties are chosen uniformly at random. So this gives a very natural approach to reconstruct the original secret. Just find the maximum independent set on this restricted graph and do a read Solomon decoding on the shares corresponding to this independent set. Since this independent set is guaranteed to contain a large number of honest parties and only a few number of adversarial parties, the read Solomon error correcting properties ensure that the reconstructed secret is same as the original secret. So this is the main idea. But unfortunately, in order to make this idea work, you need to find the maximum independent set on this graph in polynomial time. But recall that it's a classic result that finding the maximum independent set is NP hard on first case graphs. But what goes in favor for us is that this graph that is generated is not first case. And in fact, there are some random edges, specifically the edges from the honest parties are chosen uniformly at random. In spite of this favorable point, we do not know how to find the maximum independent set in this graph in polynomial time. But what we do know is that we can find a set S such that the set S has a large intersection with the set of honest parties and has a small intersection with the set of corrupted parties. Once we find the set S, we can like before do a read Solomon decoding to recover the actual secret. And one of the main contributions in our work is to find is to give a polynomial time algorithm for finding the set S. And we call this algorithm as the vertex identification algorithm. Unfortunately, I wouldn't have time to go into the details of this vertex identification algorithm. And I would encourage you to look into our paper. So this brings me to the last slide. So in this work, we gave a construction of a robust secret sharing with an efficient reconstruction procedure for the case where n is equal to 2t plus 1 and the construction had security against rushing adversaries and had a near optimal share sense. Some of the open problems that have been it to resolve are the following. So our share size has a poly logarithmic overhead over this factor lambda. So a share size is m plus 4 prime of lambda. And the question is, is this poly logarithmic overhead necessary? Another interesting open problem is to improve the concrete efficiency of a construction. So that's it. Thank you for your attention. And you can find the full version of our paper on email.