Brief Note: Asynchronous Verifiable Secret Sharing with Optimal Resilience and Linear Amortized Overhead

by   Aniket Kate, et al.

In this work we present hbAVSS, the Honey Badger of Asynchronous Verifiable Secret Sharing (AVSS) protocols - an AVSS protocol that guarantees linear amortized communication overhead even in the worst case. The best prior work can achieve linear overhead only at a suboptimal resilience level (t < n/4) or by relying on optimism (falling back to quadratic overhead in case of network asynchrony or Byzantine faults). Our protocol therefore closes this gap, showing that linear communication overhead is possible without these compromises. The main idea behind our protocol is what we call the encrypt-and-disperse paradigm: by first applying ordinary public key encryption to the secret shares, we can make use of highly efficient (but not confidentiality preserving) information dispersal primitives. We prove our protocol is secure under a static computationally bounded Byzantine adversary model.


page 1

page 2

page 3

page 4


Perfectly-Secure Synchronous MPC with Asynchronous Fallback Guarantees

Secure multi-party computation (MPC) is a fundamental problem in secure ...

Asynchronous Verifiable Secret-Sharing Protocols on a Good Day

Asynchronous verifiable secret sharing (AVSS) is a cornerstone primitive...

Revisiting Asynchronous Fault Tolerant Computation with Optimal Resilience

The celebrated result of Fischer, Lynch and Paterson is the fundamental ...

Hot-Stuff the Linear, Optimal-Resilience, One-Message BFT Devil

We describe a protocol called `Hot-Stuff the Linear, Optimal-Resilience,...

Jolteon and Ditto: Network-Adaptive Efficient Consensus with Asynchronous Fallback

Existing committee-based Byzantine state machine replication (SMR) proto...

Fundamental Limits of Byzantine Agreement

Byzantine agreement (BA) is a distributed consensus problem where n proc...

Determining the Optimal Random-padding Size for Rabin Cryptosystems

Rabin encryption and a secure ownership transfer protocol based on the d...

I Introduction

In a verifiable secret sharing (VSS) protocol, a dealer shares a secret among a set of parties, such that honest parties can reconstruct the secret. VSS forms the basis for fault tolerant file storage [5, 9], shared databases [2], and many other applications. It is also an essential component of secure multiparty computation (MPC) protocols, used both for generating random preprocessing elements and for accepting secret-shared inputs from untrusted clients.

The verifiability property means that if any party gets their shares, then every correct party also receives a valid share. This is essential when VSS is used as input to MPC, since parties need to assume the shares will be available in order to make irrevocable actions (such as revealing intermediate outputs of a computation). The challenge is that a faulty dealer may provide invalid data to some but not all of the parties. The main idea behind nearly all VSS protocols, starting from Feldman et al., [8], is to broadcast a polynomial commitment, enabling parties to individually validate their shares.

In the case of synchronous VSS, we can simply wait to hear a confirmation from all parties, or else abort. The asynchronous VSS case is more difficult since we must proceed after hearing from only of the parties, where is the number of parties that undergo a Byzantine fault. Since crashed nodes are indistinguishable from slow nodes, it could be that of the ones we waited for are corrupted, hence only correct parties received valid shares.

In order to cope with asynchrony, AVSS protocols typically distribute shares with additional redundancy, such that parties who received invalid shares can recover their shares through interaction with the others. This recovery process either results in extra communication overhead [4], or else relies on loosened resilience guarantees [6].

Improvements to AVSS have made use of concise polynomial commitments based on pairing cryptography [1]. Most notably, in recent work, Basu et al. [2] present an optimistic AVSS protocol that achieves linear communication overhead in the typical case, but in the presence of Byzantine faults or network asynchrony may fall back to quadratic overhead. The goal of this paper is to present a protocol that provides linear guarantees even in the worst case.

Overview of our solution. The main idea behind our approach is a technique we call encrypt-then-disperse, inspired by a related application in HoneyBadgerBFT [12]. The secret share encoding and polynomial commitments are as usual. However, before transmitting, the secret shares are first encrypted using public key encryption. Next the encrypted payload is dispersed using an information dispersal routine, which can guarantee robustness and efficiency since it does not have to provide secrecy.

The use of information dispersal guarantees that every honest node receives some data, even in the asynchronous setting. If it turns out to be invalid, then it can be used as evidence to implicate the leader. Once the dealer is determined to be faulty, we enter a share recovery phase, which ensures every correct party receives their share. The share recovery phase can be very efficient too, since it does not need to ensure confidentiality at all, since it can only be initiated once the dealer is determined to be faulty. A summary comparison of our results to related work is given in Table I.

Protocol Resilience Comm. Overhead
Typical Worst
hbAVSS (ours)
sAVSS [2]
eAVSS [1]
AVSS [4]
TABLE I: Amortized communication overhead and resilience of AVSS protocols

Ii Preliminaries

Ii-a Asynchronous Network Model

Throughout this paper we assume the standard asynchronous network model. We assume a fixed set of communicating parties , as well as a dealer . We consider a static Byzantine corruption model. The dealer and up to of the parties may be corrupted, in which case they are controlled entirely by the adversary. The parties are connected by pairwise authenticated channels. Messages between uncorrupted parties are guaranteed eventually to be delivered, although the order and timing of delivery of messages is determined by the adversary. We assume a computationally bounded adversary that is unable to break cryptographic primitives.

Ii-B Asynchronous Verifiable Secret Sharing

Here we give the security definition for our construction:

Definition 1.

(Asynchronous Verifiable Secret Sharing (AVSS)) In an AVSS protocol, the dealer receives input , and each party receives an output share for some degree- polynomial .

The protocol must satisfy the following properties:

  • Correctness: If the dealer is correct, then all correct parties eventually output a share where is a random polynomial with .

  • Secrecy: If the dealer is correct, then the adversary learns no information about except for the shares of corrupted parties.

  • Agreement: If any correct party receives output, then there exists a unique degree- polynomial such that each correct party eventually outputs .

For simplicity, this definition is written to be specific to Shamir sharing, though a more generic definition would be possible [1]. Our agreement property is written to incorporate the strong commitment property from Backes et al. [1], in which the secret-shared value must be determined by the time that the first correct party outputs a share (and cannot be influenced thereafter by the adversary).

Ii-C Polynomial Commitments

Polynomial commitments are an interface by which a committer can create a commitment to a polynomial as well as witnesses to its evaluation at different points, so to prove that evaluations are correct without revealing the full polynomial. Polynomial commitments have been implicit in all cryptographic VSS protocols since Feldman [8], but were first formalized by Kate et al. [11] We use the scheme from Kate et al. because it gives commitments that are additively homomorphic and constant-sized.

Definition 2.

(PolyCommit (c.f. [11]) Let be a family of finite fields indexed by a security parameter (we’ll typically omit and just write ). A scheme for consists of the following algorithms:

generates system parameters to commit to a polynomial over of degree bound . is run by a trusted or distributed authority. can also be standardized for repeated use.

outputs a commitment to a polynomial for the system parameters , and some associated decommitment information .

outputs , where is a witness for the decommitment information for the evaluation of at the index .

verifies that is indeed the evaluation at the index of the polynomial committed in . If so, the algorithm outputs accept, otherwise it outputs reject.

A scheme must satisfy the following properties:

  • Correctness: If and , then the correct evaluation of is successfully verified by .

  • Polynomial Binding: If

    , then except with negligible probability, an adversary can not create a polynomial

    such that if .

  • Evaluation Binding: If and then except with negligible probability, an adversary can not create an evaluation , witness , and decommitment information such that if .

  • Hiding: Given and for any , an adversary either

    • Can only determine or with negligible probability given bounded computation (Computational Hiding)

    • Can not determine any information about or , even given unbounded computation (Unconditional Hiding)

We additionally require that the commitments and witnesses be additively homomorphic

. This allows us to create new commitments and witnesses through interpolation, a property we rely on in our AVSS construction.

  • Additive Homomorphism: Given commitments and to polynomials and respectively, there should be an efficient operation to compute , the commitment to . Additionally, given and , the witnesses for the evaluations of and at respectively, it should be similarly efficient to compute . Lastly, it should also be efficient to compute from and .

In this work we use PolyCommitPed from Kate et al.[11], which provides a constant-sized commitment that achieves unconditional hiding as well as our desired homomorphic properties. We also note that PolyCommitPed achieves unconditional hiding through the use of a hiding polynomial, which we notate as in this work. As is instantiated as a polynomial over a finite field, it too realizes our desired property of additive homomorphism.

Ii-D Asynchronous Verifiable Information Dispersal

Our protocol relies on an information dispersal protocol as defined below. Our definition is for a batch, such that messages are dispersed at once and can be individually retrieved.

Definition 3.

(Asynchronous Verifiable Information Dispersal (AVID)) A AVID scheme for values is a pair of protocols that satisfy the following with high probability:

  • Termination: If the dealer is correct and initiates , then every correct party eventually completes

  • Agreement: If any correct party completes , all correct parties eventually complete .

  • Availability: If correct parties have completed , and some correct party initiates , then the party eventually reconstructs a message .

  • Correctness: After correct parties have completed , then for each index there is a single value such that if a correct party receives from , then . Furthermore if the dealer is correct, then is the value input by the dealer.

Hendricks et al. [10] present , an AVID protocol whose total communication complexity is only in phase for a sufficiently large batch , i.e. it achieves only constant communication overhead.

Ii-E Reliable Broadcast

Reliable broadcast [3] is a primitive that enables a dealer to broadcast a message to every party. Regardless of if the dealer is correct, if any party receives some output then every party eventually receives . Reliable broadcast is a special case of information dispersal, where each party simply begins immediately after completes. In fact, all efficient protocols we know of, such as Cachin and Tessaro [5] or Duan et al., [7], are built from an AVID protocol. We therefore skip the definition but use the syntax in our protocol description as short hand for followed by all parties immediately beginning .

Ii-F Public Key Encryption

We make use of a semantically secure public key encryption scheme, , such that produces a ciphertext encrypted under public key , while decrypts the message using secret key . We assume a PKI, such that each party already knows . We also assume that each public key is a function of the secret key, written , which we make use of by revealing secret key during the dealer implication phase.

We note that while in our presentation we only consider a single session with a single dealer, for a practical deployment, we would want to derive per-session keys from a single long-term keypair and allow a recipient to present the session key along with a proof of its correctness, rather than reveal her secret key (and consequently need to update her key in the PKI).

Iii The hbAVSS Protocol

Iii-a Protocol description

At a high level, the protocol consists of the following steps:

  1. Dealer’s phase: the dealer creates Shamir sharings for secrets and broadcasts commitments to the polynomials that encode them. The dealer then encrypts each party’s shares using their public encryption keys, and disperses the encrypted payloads.

  2. Share validation: each party retrieves their encrypted payload, and then attempts to decrypt and validate their shares against the polynomial commitments. If sufficiently many parties successfully receive valid shares, then the shares are output.

  3. Implicating a faulty dealer: if any party finds that the shares they receive are invalid or fail to decrypt, they reveal their secret key, enabling the other parties to confirm that the dealer was faulty.

  4. Share recovery: once the dealer is implicated as faulty, the parties who did receive valid shares distribute them to enable the remaining parties also to reconstruct their shares.

We now explain these steps in more detail. The protocol pseudocode is given in Algorithm 1, and the narration below refers to the schematic illustration in Figure 1.

Fig. 1: Illustration of . A batch of secrets are encoded as a degree- bivariate polynomial . Each party ’s shares are encrypted, then dispersed. Polynomial commitments to the sharings are broadcast, enabling parties to validate their shares. If a party detects an invalid share, they publish their decryption key, enabling the other parties to confirm the dealer is faulty. Invalid shares are then recovered in two steps: (R1) each party receives valid shares to interpolate one column , then (R2) each party reconstructs their shares .
Setup: 1:Each party begins with such that 2:The set of all are publicly known 3:Set up the polynomial commitment As dealer with input : 101: // Secret Share Encoding 102:Sample a random degree- bivariate polynomial such that each and is ’s share of 103: // Polynomial Commitment 104:for  do 105:      106: 107: // Encrypt and Disperse 108:for each and each  do 109:      110:      111: As receiver : 201: // Wait for broadcasts 202:Wait to receive 203:Wait for to complete 204: // Decrypt and validate 205: 206:for  do 207:      208:     if  then 209:          sendall       210:if all shares were valid then sendall As receiver (continued) 301: // Bracha-style agreement 302:On receiving from parties, 303:     sendall 304:On receiving from parties, 305:     sendall (if haven’t yet) 306:Wait to receive from parties, 307:     if all shares were valid then 308:          output shares       401: // Handling Implication 402:On receiving from some , 403:     Discard if 404:      405:      406:     Discard if 407:     Otherwise proceed to Share Recovery below 408: // Share Recovery 501:Interpolate commitments from 502:if we previously received valid shares (line 308then 503:     Interpolate witnesses from 504:     for each  do 505:          send to       506:On receiving from parties such that 507:     Interpolate 508:     for each  do 509:          send to       510:On receiving from at least parties, 511:     Robustly interpolate 512:     output shares

Note: To avoid clutter, the protocol is written to share a batch of exactly secret values. To achieve linear communication overhead, the and instances should be shared among a batch of several simultaneously executing instances, as explained in Section III-C.

Algorithm 1 for dealer and parties

1) Sharing and committing

: The protocol shares a batch of inputs at a time, . The dealer creates a degree- Shamir sharing for each input such that , and each party ’s share of is . We visualize this as a matrix, with each party’s shares forming a row as illustrated in Figure 1. Later, if share recovery is needed, we make use of as a degree- bivariate polynomial.

The dealer then uses to create a commitment to each sharing . The commitments are then broadcast, ensuring all the parties can validate their shares consistently.

Next, for each share and party , the dealer creates an encrypted payload , consisting of the shares and the polynomial evaluation witness , encrypted under ’s public key . The dealer then s these encrypted payloads. With the broadcast and dispersal complete, the dealer’s role in the protocol is concluded — in fact since information dispersal itself requires only one message from the dealer, the dealer’s entire role is just to send messages in the first round.

2) Share Verification

: Each party waits for and to complete, and then retrieves just their payload . The party then attempts to decrypt and validate its shares. If decryption is successful and all the shares are valid, then signals this by sending an message to the other recipients. The goal of the and messages (lines 303-308) is to ensure that if any party outputs a share, then enough correct parties have shares for share recovery to succeed if necessary.

3) Implicating a faulty dealer

: If any honest party receives a share that either fails to decrypt or fails verification, they reveal their secret key by sending , which other parties can use to repeat the decryption and confirm that the dealer dispersed invalid data.

4) Share Recovery

After a dealer is implicated as faulty, the protocol enters a two-step share recovery process, following the approach of Choudhury et al. [6]. In the first step, parties wait for messages from parties that received valid shares originally. The can be checked individually by making use of the homomorphic property of polynomial commitments and witnesses (Section II-C). Every correct party participates in the second phase of share recovery, by reconstructing one column of the bivariate polynomial .

The second step is the transpose, where each party reconstructs the row polynomial corresponding to its shares. Since all correct parties send an message, even if they did not originally receive valid shares, we can interpolate through ordinary robust decoding rather than using the polynomial commits.


For simplicity, we have described the protocol as sharing a batch of exactly values. However, to reach our desired amortized complexity goals, we need to run multiple instances in parallel in order to offset the overhead of and . The idea is to run several instances of such that the and protocols are in lockstep, sharing their control messages (i.e., the payloads are concatenated across the several instances).

Iii-B Security Analysis of

Theorem 1.

The hbAVSS protocol (Algorithm 1) satifies the requirements of an AVSS protocol (with high probability) when instantiated with an additively homomorphic polynomial commitment scheme , an AVID protocol , a reliable broadcast protocol , and a semantically secure public key encryption scheme with a pre-established PKI such that each party knows their secret key and the public keys are well known.


Correctness. The correctness property follows easily: If the dealer is correct, then and complete, so each honest party receives their valid shares and outputs them through the ordinary case (line 308).

Secrecy. Secrecy also follows easily. The hiding property of the broadcasted polynomial commitments ensures that they reveal nothing about the shares. Each party’s shares are encrypted prior to dispersal, so the computationally-bounded adversary only obtains the shares that can be decrypted using corrupt parties’ secret keys. Share recovery reveals more information, but if the dealer is correct, then any attempts by the adversary to initiate share recovery will be rejected (line  406).

Agreement. It is easy to check that parties only output shares that are consistent with the broadcasted polynomial commitments. The challenge is in showing that if any correct party outputs a share, then all of them do. In the following, assume a correct party has output a share, either through the typical path (line 308) or through share recovery (line  512). In either case, the broadcast and dispersal must have completed and the party must have received messages (line 306).

First, notice the -amplification in line 305 plays the same role as in Bracha broadcast:

Claim 1.

If any correct party outputs a share, then all correct parties eventually receive messages (line 306).

If any correct party receives messages, then at least correct parties must have sent messages, which causes all correct parties to send messages.

Next, the following claim ensures that share recovery can proceed if necessary:

Claim 2.

If any correct party outputs a share, then at least correct parties receive valid shares.

For -amplification to begin, some correct party must have initially sent after receiving messages (line 303), thus correct parties must have successfully received valid shares (line 210).

Because of the availability and agreement properties of dispersal, every correct party either receives valid shares (and by then Claim 1 outputs ordinarily) or else receives an invalid share and initiates share recovery, which by Claim 2 is able to proceed. ∎

Iii-C Performance Analysis of

We now analyze the performance of , focusing primarily on communication complexity. Recall that our goal is to achieve linear amortized communication overhead. Since one run of this protocol results in secret shared values, we have a budget of communication complexity to keep in mind.

We encounter a challenge: the up-front overhead (independent of payload size) of the and primitives is either if Merkle tree checksums are used (as in Cachin and Tessaro [5]) or if full cross checksums are used (as in Hendricks et al. [10]). Hence to obtain linear overhead, we consider amortizing these costs across at least multiple runs executing in parallel, sharing the upkeep.

The broadcast payload consists of commitments, but each one is constant size. Since the overhead of broadcast is , the total communication cost is . The total size of the payload is elements, but the overhead of dispersal is constant, so the total cost is . Each party s only a block of elements, thus all of them. The Bracha-like and messages clearly contribute .

The share recovery process clearly involves total communication, but only occurs at most once, since it enables all correct parties to reconstructing their shares at once.

The final challenge is dealing with spurious implications. In the worst case, each honest party may need to validate up to false implications, each of which requires retrieving a block from the dispersal protocol, thus worst case cost in total. Fortunately, we amortize this in the same way, by running at least concurrent instances of the protocol. We only need to process at most one implication per party across all the instances. If spurious, further implications are ignored; if confirmed, initiate share recovery in all instances.


  • [1] M. Backes, A. Datta, and A. Kate. Asynchronous computational vss with reduced communication complexity. In Cryptographers’ Track at the RSA Conference, pages 259–276. Springer, 2013.
  • [2] S. Basu, A. Tomescu, M. Reiter, and D. Malkhi. Asynchronous verifiable secret-sharing protocols on a good day. arXiv preprint arXiv:1807.03720, 2018.
  • [3] G. Bracha and S. Toueg. Asynchronous consensus and broadcast protocols. Journal of the ACM (JACM), 32(4):824–840, 1985.
  • [4] C. Cachin, K. Kursawe, A. Lysyanskaya, and R. Strobl. Asynchronous verifiable secret sharing and proactive cryptosystems. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, pages 88–97, New York, NY, USA, 2002. ACM.
  • [5] C. Cachin and S. Tessaro. Asynchronous verifiable information dispersal. In Reliable Distributed Systems, 2005. SRDS 2005. 24th IEEE Symposium on, pages 191–201. IEEE, 2005.
  • [6] A. Choudhury, M. Hirt, and A. Patra. Asynchronous multiparty computation with linear communication complexity. In International Symposium on Distributed Computing, pages 388–402. Springer, 2013.
  • [7] S. Duan, M. K. Reiter, and H. Zhang. Beat: Asynchronous bft made practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2028–2041. ACM, 2018.
  • [8] P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In Foundations of Computer Science, 1987., 28th Annual Symposium on, pages 427–438. IEEE, 1987.
  • [9] G. Goodson, J. Wylie, G. Ganger, and M. Reiter. Efficient byzantine-tolerant erasure-coded storage. In Dependable Systems and Networks, 2004 International Conference on, pages 135–144. IEEE, 2004.
  • [10] J. Hendricks, G. R. Ganger, and M. K. Reiter. Verifying distributed erasure-coded data. In Proceedings of the twenty-sixth annual ACM symposium on Principles of distributed computing, pages 139–146. ACM, 2007.
  • [11] A. Kate, G. M. Zaverucha, and I. Goldberg. Constant-size commitments to polynomials and their applications. In International Conference on the Theory and Application of Cryptology and Information Security, pages 177–194. Springer, 2010.
  • [12] A. Miller, Y. Xia, K. Croman, E. Shi, and D. Song. The honey badger of bft protocols. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 31–42. ACM, 2016.