I Introduction
In a verifiable secret sharing (VSS) protocol, a dealer shares a secret among a set of parties, such that honest parties can reconstruct the secret. VSS forms the basis for fault tolerant file storage [5, 9], shared databases [2], and many other applications. It is also an essential component of secure multiparty computation (MPC) protocols, used both for generating random preprocessing elements and for accepting secretshared inputs from untrusted clients.
The verifiability property means that if any party gets their shares, then every correct party also receives a valid share. This is essential when VSS is used as input to MPC, since parties need to assume the shares will be available in order to make irrevocable actions (such as revealing intermediate outputs of a computation). The challenge is that a faulty dealer may provide invalid data to some but not all of the parties. The main idea behind nearly all VSS protocols, starting from Feldman et al., [8], is to broadcast a polynomial commitment, enabling parties to individually validate their shares.
In the case of synchronous VSS, we can simply wait to hear a confirmation from all parties, or else abort. The asynchronous VSS case is more difficult since we must proceed after hearing from only of the parties, where is the number of parties that undergo a Byzantine fault. Since crashed nodes are indistinguishable from slow nodes, it could be that of the ones we waited for are corrupted, hence only correct parties received valid shares.
In order to cope with asynchrony, AVSS protocols typically distribute shares with additional redundancy, such that parties who received invalid shares can recover their shares through interaction with the others. This recovery process either results in extra communication overhead [4], or else relies on loosened resilience guarantees [6].
Improvements to AVSS have made use of concise polynomial commitments based on pairing cryptography [1]. Most notably, in recent work, Basu et al. [2] present an optimistic AVSS protocol that achieves linear communication overhead in the typical case, but in the presence of Byzantine faults or network asynchrony may fall back to quadratic overhead. The goal of this paper is to present a protocol that provides linear guarantees even in the worst case.
Overview of our solution. The main idea behind our approach is a technique we call encryptthendisperse, inspired by a related application in HoneyBadgerBFT [12]. The secret share encoding and polynomial commitments are as usual. However, before transmitting, the secret shares are first encrypted using public key encryption. Next the encrypted payload is dispersed using an information dispersal routine, which can guarantee robustness and efficiency since it does not have to provide secrecy.
The use of information dispersal guarantees that every honest node receives some data, even in the asynchronous setting. If it turns out to be invalid, then it can be used as evidence to implicate the leader. Once the dealer is determined to be faulty, we enter a share recovery phase, which ensures every correct party receives their share. The share recovery phase can be very efficient too, since it does not need to ensure confidentiality at all, since it can only be initiated once the dealer is determined to be faulty. A summary comparison of our results to related work is given in Table I.
Ii Preliminaries
Iia Asynchronous Network Model
Throughout this paper we assume the standard asynchronous network model. We assume a fixed set of communicating parties , as well as a dealer . We consider a static Byzantine corruption model. The dealer and up to of the parties may be corrupted, in which case they are controlled entirely by the adversary. The parties are connected by pairwise authenticated channels. Messages between uncorrupted parties are guaranteed eventually to be delivered, although the order and timing of delivery of messages is determined by the adversary. We assume a computationally bounded adversary that is unable to break cryptographic primitives.
IiB Asynchronous Verifiable Secret Sharing
Here we give the security definition for our construction:
Definition 1.
(Asynchronous Verifiable Secret Sharing (AVSS)) In an AVSS protocol, the dealer receives input , and each party receives an output share for some degree polynomial .
The protocol must satisfy the following properties:

Correctness: If the dealer is correct, then all correct parties eventually output a share where is a random polynomial with .

Secrecy: If the dealer is correct, then the adversary learns no information about except for the shares of corrupted parties.

Agreement: If any correct party receives output, then there exists a unique degree polynomial such that each correct party eventually outputs .
For simplicity, this definition is written to be specific to Shamir sharing, though a more generic definition would be possible [1]. Our agreement property is written to incorporate the strong commitment property from Backes et al. [1], in which the secretshared value must be determined by the time that the first correct party outputs a share (and cannot be influenced thereafter by the adversary).
IiC Polynomial Commitments
Polynomial commitments are an interface by which a committer can create a commitment to a polynomial as well as witnesses to its evaluation at different points, so to prove that evaluations are correct without revealing the full polynomial. Polynomial commitments have been implicit in all cryptographic VSS protocols since Feldman [8], but were first formalized by Kate et al. [11] We use the scheme from Kate et al. because it gives commitments that are additively homomorphic and constantsized.
Definition 2.
(PolyCommit (c.f. [11]) Let be a family of finite fields indexed by a security parameter (we’ll typically omit and just write ). A scheme for consists of the following algorithms:

generates system parameters to commit to a polynomial over of degree bound . is run by a trusted or distributed authority. can also be standardized for repeated use.

outputs a commitment to a polynomial for the system parameters , and some associated decommitment information .

outputs , where is a witness for the decommitment information for the evaluation of at the index .

verifies that is indeed the evaluation at the index of the polynomial committed in . If so, the algorithm outputs accept, otherwise it outputs reject.
A scheme must satisfy the following properties:

Correctness: If and , then the correct evaluation of is successfully verified by .

Polynomial Binding: If
, then except with negligible probability, an adversary can not create a polynomial
such that if . 
Evaluation Binding: If and then except with negligible probability, an adversary can not create an evaluation , witness , and decommitment information such that if .

Hiding: Given and for any , an adversary either

Can only determine or with negligible probability given bounded computation (Computational Hiding)

Can not determine any information about or , even given unbounded computation (Unconditional Hiding)

We additionally require that the commitments and witnesses be additively homomorphic
. This allows us to create new commitments and witnesses through interpolation, a property we rely on in our AVSS construction.

Additive Homomorphism: Given commitments and to polynomials and respectively, there should be an efficient operation to compute , the commitment to . Additionally, given and , the witnesses for the evaluations of and at respectively, it should be similarly efficient to compute . Lastly, it should also be efficient to compute from and .
In this work we use PolyCommitPed from Kate et al.[11], which provides a constantsized commitment that achieves unconditional hiding as well as our desired homomorphic properties. We also note that PolyCommitPed achieves unconditional hiding through the use of a hiding polynomial, which we notate as in this work. As is instantiated as a polynomial over a finite field, it too realizes our desired property of additive homomorphism.
IiD Asynchronous Verifiable Information Dispersal
Our protocol relies on an information dispersal protocol as defined below. Our definition is for a batch, such that messages are dispersed at once and can be individually retrieved.
Definition 3.
(Asynchronous Verifiable Information Dispersal (AVID)) A AVID scheme for values is a pair of protocols that satisfy the following with high probability:

Termination: If the dealer is correct and initiates , then every correct party eventually completes

Agreement: If any correct party completes , all correct parties eventually complete .

Availability: If correct parties have completed , and some correct party initiates , then the party eventually reconstructs a message .

Correctness: After correct parties have completed , then for each index there is a single value such that if a correct party receives from , then . Furthermore if the dealer is correct, then is the value input by the dealer.
Hendricks et al. [10] present , an AVID protocol whose total communication complexity is only in phase for a sufficiently large batch , i.e. it achieves only constant communication overhead.
IiE Reliable Broadcast
Reliable broadcast [3] is a primitive that enables a dealer to broadcast a message to every party. Regardless of if the dealer is correct, if any party receives some output then every party eventually receives . Reliable broadcast is a special case of information dispersal, where each party simply begins immediately after completes. In fact, all efficient protocols we know of, such as Cachin and Tessaro [5] or Duan et al., [7], are built from an AVID protocol. We therefore skip the definition but use the syntax in our protocol description as short hand for followed by all parties immediately beginning .
IiF Public Key Encryption
We make use of a semantically secure public key encryption scheme, , such that produces a ciphertext encrypted under public key , while decrypts the message using secret key . We assume a PKI, such that each party already knows . We also assume that each public key is a function of the secret key, written , which we make use of by revealing secret key during the dealer implication phase.
We note that while in our presentation we only consider a single session with a single dealer, for a practical deployment, we would want to derive persession keys from a single longterm keypair and allow a recipient to present the session key along with a proof of its correctness, rather than reveal her secret key (and consequently need to update her key in the PKI).
Iii The hbAVSS Protocol
Iiia Protocol description
At a high level, the protocol consists of the following steps:

Dealer’s phase: the dealer creates Shamir sharings for secrets and broadcasts commitments to the polynomials that encode them. The dealer then encrypts each party’s shares using their public encryption keys, and disperses the encrypted payloads.

Share validation: each party retrieves their encrypted payload, and then attempts to decrypt and validate their shares against the polynomial commitments. If sufficiently many parties successfully receive valid shares, then the shares are output.

Implicating a faulty dealer: if any party finds that the shares they receive are invalid or fail to decrypt, they reveal their secret key, enabling the other parties to confirm that the dealer was faulty.

Share recovery: once the dealer is implicated as faulty, the parties who did receive valid shares distribute them to enable the remaining parties also to reconstruct their shares.
We now explain these steps in more detail. The protocol pseudocode is given in Algorithm 1, and the narration below refers to the schematic illustration in Figure 1.
1) Sharing and committing
: The protocol shares a batch of inputs at a time, . The dealer creates a degree Shamir sharing for each input such that , and each party ’s share of is . We visualize this as a matrix, with each party’s shares forming a row as illustrated in Figure 1. Later, if share recovery is needed, we make use of as a degree bivariate polynomial.
The dealer then uses to create a commitment to each sharing . The commitments are then broadcast, ensuring all the parties can validate their shares consistently.
Next, for each share and party , the dealer creates an encrypted payload , consisting of the shares and the polynomial evaluation witness , encrypted under ’s public key . The dealer then s these encrypted payloads. With the broadcast and dispersal complete, the dealer’s role in the protocol is concluded — in fact since information dispersal itself requires only one message from the dealer, the dealer’s entire role is just to send messages in the first round.
2) Share Verification
: Each party waits for and to complete, and then retrieves just their payload . The party then attempts to decrypt and validate its shares. If decryption is successful and all the shares are valid, then signals this by sending an message to the other recipients. The goal of the and messages (lines 303308) is to ensure that if any party outputs a share, then enough correct parties have shares for share recovery to succeed if necessary.
3) Implicating a faulty dealer
: If any honest party receives a share that either fails to decrypt or fails verification, they reveal their secret key by sending , which other parties can use to repeat the decryption and confirm that the dealer dispersed invalid data.
4) Share Recovery
After a dealer is implicated as faulty, the protocol enters a twostep share recovery process, following the approach of Choudhury et al. [6]. In the first step, parties wait for messages from parties that received valid shares originally. The can be checked individually by making use of the homomorphic property of polynomial commitments and witnesses (Section IIC). Every correct party participates in the second phase of share recovery, by reconstructing one column of the bivariate polynomial .
The second step is the transpose, where each party reconstructs the row polynomial corresponding to its shares. Since all correct parties send an message, even if they did not originally receive valid shares, we can interpolate through ordinary robust decoding rather than using the polynomial commits.
Batching
For simplicity, we have described the protocol as sharing a batch of exactly values. However, to reach our desired amortized complexity goals, we need to run multiple instances in parallel in order to offset the overhead of and . The idea is to run several instances of such that the and protocols are in lockstep, sharing their control messages (i.e., the payloads are concatenated across the several instances).
IiiB Security Analysis of
Theorem 1.
The hbAVSS protocol (Algorithm 1) satifies the requirements of an AVSS protocol (with high probability) when instantiated with an additively homomorphic polynomial commitment scheme , an AVID protocol , a reliable broadcast protocol , and a semantically secure public key encryption scheme with a preestablished PKI such that each party knows their secret key and the public keys are well known.
Proof.
Correctness. The correctness property follows easily: If the dealer is correct, then and complete, so each honest party receives their valid shares and outputs them through the ordinary case (line 308).
Secrecy. Secrecy also follows easily. The hiding property of the broadcasted polynomial commitments ensures that they reveal nothing about the shares. Each party’s shares are encrypted prior to dispersal, so the computationallybounded adversary only obtains the shares that can be decrypted using corrupt parties’ secret keys. Share recovery reveals more information, but if the dealer is correct, then any attempts by the adversary to initiate share recovery will be rejected (line 406).
Agreement. It is easy to check that parties only output shares that are consistent with the broadcasted polynomial commitments. The challenge is in showing that if any correct party outputs a share, then all of them do. In the following, assume a correct party has output a share, either through the typical path (line 308) or through share recovery (line 512). In either case, the broadcast and dispersal must have completed and the party must have received messages (line 306).
First, notice the amplification in line 305 plays the same role as in Bracha broadcast:
Claim 1.
If any correct party outputs a share, then all correct parties eventually receive messages (line 306).
If any correct party receives messages, then at least correct parties must have sent messages, which causes all correct parties to send messages.
Next, the following claim ensures that share recovery can proceed if necessary:
Claim 2.
If any correct party outputs a share, then at least correct parties receive valid shares.
IiiC Performance Analysis of
We now analyze the performance of , focusing primarily on communication complexity. Recall that our goal is to achieve linear amortized communication overhead. Since one run of this protocol results in secret shared values, we have a budget of communication complexity to keep in mind.
We encounter a challenge: the upfront overhead (independent of payload size) of the and primitives is either if Merkle tree checksums are used (as in Cachin and Tessaro [5]) or if full cross checksums are used (as in Hendricks et al. [10]). Hence to obtain linear overhead, we consider amortizing these costs across at least multiple runs executing in parallel, sharing the upkeep.
The broadcast payload consists of commitments, but each one is constant size. Since the overhead of broadcast is , the total communication cost is . The total size of the payload is elements, but the overhead of dispersal is constant, so the total cost is . Each party s only a block of elements, thus all of them. The Brachalike and messages clearly contribute .
The share recovery process clearly involves total communication, but only occurs at most once, since it enables all correct parties to reconstructing their shares at once.
The final challenge is dealing with spurious implications. In the worst case, each honest party may need to validate up to false implications, each of which requires retrieving a block from the dispersal protocol, thus worst case cost in total. Fortunately, we amortize this in the same way, by running at least concurrent instances of the protocol. We only need to process at most one implication per party across all the instances. If spurious, further implications are ignored; if confirmed, initiate share recovery in all instances.
References
 [1] M. Backes, A. Datta, and A. Kate. Asynchronous computational vss with reduced communication complexity. In Cryptographers’ Track at the RSA Conference, pages 259–276. Springer, 2013.
 [2] S. Basu, A. Tomescu, M. Reiter, and D. Malkhi. Asynchronous verifiable secretsharing protocols on a good day. arXiv preprint arXiv:1807.03720, 2018.
 [3] G. Bracha and S. Toueg. Asynchronous consensus and broadcast protocols. Journal of the ACM (JACM), 32(4):824–840, 1985.
 [4] C. Cachin, K. Kursawe, A. Lysyanskaya, and R. Strobl. Asynchronous verifiable secret sharing and proactive cryptosystems. In Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS ’02, pages 88–97, New York, NY, USA, 2002. ACM.
 [5] C. Cachin and S. Tessaro. Asynchronous verifiable information dispersal. In Reliable Distributed Systems, 2005. SRDS 2005. 24th IEEE Symposium on, pages 191–201. IEEE, 2005.
 [6] A. Choudhury, M. Hirt, and A. Patra. Asynchronous multiparty computation with linear communication complexity. In International Symposium on Distributed Computing, pages 388–402. Springer, 2013.
 [7] S. Duan, M. K. Reiter, and H. Zhang. Beat: Asynchronous bft made practical. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2028–2041. ACM, 2018.
 [8] P. Feldman. A practical scheme for noninteractive verifiable secret sharing. In Foundations of Computer Science, 1987., 28th Annual Symposium on, pages 427–438. IEEE, 1987.
 [9] G. Goodson, J. Wylie, G. Ganger, and M. Reiter. Efficient byzantinetolerant erasurecoded storage. In Dependable Systems and Networks, 2004 International Conference on, pages 135–144. IEEE, 2004.
 [10] J. Hendricks, G. R. Ganger, and M. K. Reiter. Verifying distributed erasurecoded data. In Proceedings of the twentysixth annual ACM symposium on Principles of distributed computing, pages 139–146. ACM, 2007.
 [11] A. Kate, G. M. Zaverucha, and I. Goldberg. Constantsize commitments to polynomials and their applications. In International Conference on the Theory and Application of Cryptology and Information Security, pages 177–194. Springer, 2010.
 [12] A. Miller, Y. Xia, K. Croman, E. Shi, and D. Song. The honey badger of bft protocols. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 31–42. ACM, 2016.