On Information-Theoretic Secure Multiparty Computation with Local Repairability

Abstract

In this work we consider the task of designing information-theoretic MPC protocols for which the state of a given party can be recovered from a small amount of parties, a property we refer to as local repairability. This is useful when considering MPC over dynamic settings where parties leave and join a computation, a scenario that has gained notable attention in recent literature. Thanks to the results of (Cramer et al. EUROCRYPT’00), designing such protocols boils down to constructing a linear secret-sharing scheme (LSSS) with good locality, that is, each share is determined by only a small amount of other shares, that also satisfies the so-called multiplicativity property. Previous constructions that achieve locality (e.g. using locally recoverable codes—LRCs) do not enjoy multiplicativity, and LSSS that are multiplicative (e.g. Shamir’s secret-sharing) do not satisfy locality. Our construction bridges this literature gap by showing the existence of an LSSS that achieves both properties simultaneously.

Our results are obtained by making use of well known connection between error correcting codes and LSSS, in order to adapt the LRC construction by (Tamo & Barg, IEEE Transactions on Information Theory 2014) to turn it into a LSSS. With enough care, such coding-theoretic construction yields our desired locality property, but it falls short at satisfying multiplicativity. In order to address this, we perform an extensive analysis of the privacy properties of our scheme in order to identify parameter regimes where our construction satisfies multiplicativity.

Finally, since our LSSS satisfies locality, every share is determined by a small amount of shares. However, in an MPC context it is not enough to let the (small set of) parties to send their shares to the repaired party, since this may leak more information than the regenerated share. To obtain our final result regarding MPC with local repairability, we construct a lightweight MPC protocol that performs such repairing process without any leakage. We provide both a passively secure construction (for the plain multiplicative regime) and an actively secure one (for strong multiplicativity).

Appendices

Appendix

A Comparison with a Two-Level Shamir’s Secret Sharing Scheme

In this section, we will compare our construction presented in Construction 1, which we will denote by \(\varSigma \) with a more natural two-level Shamir’s secret sharing scheme, which we denote by \(\varSigma ^\prime .\) For completeness, first, we discuss the two-level Shamir’s secret sharing scheme \(\varSigma ^\prime .\) Let n be the number of parties and consider two integers v and m such that \(n=(v+1)m\). Split the parties into m groups of \(v+1\) parties each. Let q be a prime number, d, w integers with \(d\le v\) and \(w\le m-1.\) Consider a linear secret-sharing scheme that, to distribute a secret \(s\in \mathbb {F}_q\), proceeds as follows.

1. 1.

   Generate m shares of the secret s using a (w, m)–Shamir’s secret sharing scheme where the m shares are denoted as \(s_1,\ldots ,s_m\). Here for positive integers \(a<b\), we use the notation (a, b)–Shamir’s secret sharing scheme to denote the Shamir’s secret sharing scheme providing a privacy where shares are evaluations of a polynomial of degree a in b distinct evaluation points. Suppose that this is done by using a degree w polynomial \(F(\texttt{X})=\sum _{i=0}^w F_i \texttt{X}^i\) with set of evaluation points \(\{\alpha _1,\ldots , \alpha _m\}.\)

2. 2.

   For each \(i=1,\ldots , m,\) generate \(v+1\) shares for the local secret \(s_i\) using a \((d-1,v+1)-\) Shamir’s secret sharing scheme where the \(v+1\) shares are denoted as \(s_{i,1},\ldots , s_{i,v+1}.\) Suppose that such share generation is done using a degree \(d-1\) polynomial \(F^{(i)}(\texttt{X})=\sum _{j=0}^{d-1} F^{(i)}_j \texttt{X}^j\) with \(\{\gamma _{i,1},\ldots , \gamma _{i,v+1}\}\) as the set of evaluation points.

3. 3.

   For \(i=1,\ldots , m\) and \(j=1,\ldots , v+1,\) assign the share \(s_{i,j}\) to the j-th party in group i.

Note that we have in total m local groups, each with \(v+1\) players where the threshold for the local group is \(d-1\). On the other hand, when we consider each group as one player, our construction is reduced to a (w, m)- Shamir’s secret sharing scheme. In order to have a comparable scheme, for the second construction, which is based on two-steps of Shamir’s secret sharing, we assume that the first step uses a (w, m)-Shamir’s secret sharing scheme where each of its share is further secretly shared using a \((d-1,v+1)\)-Shamir’s secret sharing scheme. Furthermore, for the first step of the sharing, we assume that the chosen evaluation points are \(\alpha _0,\ldots , \alpha _m\) where \(\alpha _0\) is used as the evaluation point for the secret. Furthermore, for \(K=1,\ldots , M\), each such share is further secretly shared using evaluation points \(\gamma ^{(K)}_1,\ldots , \gamma ^{(K)}_{v+1}\). The complete specification of the secret sharing scheme \(\varSigma ^\prime \) is specified in Algorithm 6.

Note that in this definition, we assume that the m instantiations of the secret sharing schemes used to secretly share \(S_K\) to \(v+1\) players using the polynomial \(f^{(K)}\) encodes \(S_K\) as \(f^{(K)}(0).\) However, it is easy to see that a simple shifting operation can be used to have \(S_K\) to be \(f^{(K)}(y_K)\) for any choice of \(y_K\in \mathbb {F}_q\) without changing any of the shares \(S_i^{(K)}.\)

First we show that for any secret sharing scheme \(\varSigma \) constructed using Algorithm 1, it is equivalent to \(\varSigma ^\prime ,\) which is obtained from Algorithm 6 with some choice of the parameters.

Lemma 10

Let \((S_{i,j}:1\le i\le m, 1\le j\le v+1)\) be the shares for the n players in a secret sharing scheme \(\varSigma \) constructed using Algorithm 1 with a fixed secret \(S\in \mathbb {F}_q.\) Then there exists some assignments of the variables such that the shares generated by a secret sharing scheme \(\varSigma ^\prime \) following Algorithm 6 are \((S_{i,j}:1\le i\le m,1\le j\le v+1).\)

Proof

Let \(\alpha _0=g(0)\) and for \(i=1,\ldots , m, \alpha _i=g(\beta _i).\) For each \(K=1,\ldots , M\) and \(j=1,\ldots , v+1,\) we define \(\gamma _j^{(K)}=\gamma _{K,j}.\) We aim to show that for any \(K=1,\ldots , M\) and \(j=1,\ldots , v+1,\) we have \(S_i^{(K)}=S_{K,i}.\) For \(i=0,\ldots , w,\) we set \(F_i=a_{0i}.\) Then we have \(\sum _{i=0}^w F_i \alpha _0^i = \sum _{i=0}^w a_{0i} g(0)^i=S\) as required. Furthermore, we have \(S_K=\sum _{i=0}^w F_i\alpha _K^i=\sum _{i=0}^w a_{0i}g(\beta _K)^i.\) Lastly, we set \(f_0^{(K)}=S_K\) and for \(j=1,\ldots , d-1\) and \(K=1,\ldots , m,\) let \(f_j^{(K)}=\sum _{i=0}^w a_{ji} g(\beta _K)^i.\)

Then for each group \(K=1,\ldots , m,\) the player assigned to \(\gamma _i^{(k)}\) receives the share

$$\begin{aligned} S_i^{(K)}= & {} f^{(K)}(\gamma _i^{(K)})=\sum _{j=0}^{d-1} f_j^{(K)} \left( \gamma _i^{(K)}\right) ^{j}= \sum _{i=0}^{w} a_{0i} g(\beta _K)^i\\ {} & {} +\sum _{j=1}^{d-1} \left( \sum _{i=0}^{w} a_{ji} g(\beta _K)^i\right) \left( \gamma _i^{(K)}\right) ^{j}= \sum _{j=0}^{d-1} \sum _{i=0}^w a_{ji} g(\gamma _i^{(K)})^j\left( \gamma _i^{(K)}\right) ^{j}=S_{K,i} \end{aligned}$$

completing the proof.    \(\square \)

Next we show that a secret sharing scheme \(\varSigma ^\prime \) obtained from Algorithm 6 is also equivalent to a secret sharing scheme \(\varSigma \) obtained from Algorithm 1 with some possible changes of parameters.

Lemma 11

Let \((S_i^{(K)}:K=1,\ldots , m, i=1,\ldots , v+1)\) be the shares for the n players generated by Algorithm 6 with a fixed secret \(S\in \mathbb {F}_q\) and the evaluation points \(\gamma _i^{(K)}\) that are pairwise distinct. Then there exists some assignments of the variables such that \((S_i^{(K)}:K=1,\ldots ,m,i=1,\ldots , v+1)\) are generated using Algorithm 1 with some possibly changed parameters.

Proof

Recall that we have \(S=\sum _{i=0}^{w} F_i \alpha _0^i.\) Next, for \(K=1,\ldots , m,\) we have \(f_0^{(K)}=s_K=\sum _{i=0}^w F_i \alpha _K^i.\) Furthermore, we define \(f_1^{(K)},\ldots , f_{d-1}^{(K)}\) such that \(S_i^{(K)}=\sum _{j=0}^{d-1} f_j^{(K)}\left( \gamma _i^{(K)}\right) ^j.\)

Then for \(K=1,\ldots , m,\) we have \(f^{(K)}(\texttt{X})=\sum _{i=0}^w F_i \alpha _K^i+\sum _{j=1}^{d-1} f_j^{(K)} \texttt{X}^j.\) Now for \(j=1,\ldots , d-1,\) there exists \(d_j\in \{0,\ldots , m-1\}\) and \(a_{0,j},\ldots , a_{d_j,j}\in \mathbb {F}_q\) such that for any \(K=1,\ldots , m, f_j^{(K)}=\sum _{i=0}^{d_j} a_{i,j} \alpha _K^i.\) We further define \(d_0=w\) and \(a_{i,0}=F_i\) for \(i=0,\ldots , w.\) Lastly, we define \(D_1=\max \{d_0,\ldots , d_{d-1}\}.\) For any \(i=0,\ldots , D_1\) and \(j=1,\ldots , d-1,\) such that \(a_{i,j}\) is not yet defined, we set \(a_{i,j}=0.\)

Then we have \(f^{(K)}(\texttt{X})=\sum _{j=0}^{d-1}\left( \sum _{i=0}^{D_1}a_{i,j}\alpha _K^i\right) \texttt{X}^j\) where for any \(i=1,\ldots , v+1,\) we have \(S_i^{(K)}=f^{(K)}(\gamma _i^{(K)})=\sum _{j=0}^{d-1}\left( \sum _{i=0}^{D_1}a_{i,j}\alpha _K^i\right) \left( \gamma _i^{(K)}\right) ^j.\) This shows that if we want to have one polynomial \(f^*(\texttt{X})\) such that for any \(K=1,\ldots , m\) and \(i=1,\ldots , v+1, f^*(\gamma _i^{(K)})=S_i^{(K)},\) we need to have some polynomial \(g^*(\texttt{X})\) such that for any \(K=1,\ldots , m\) and \(i=1,\ldots , v+1, g^*(\gamma _i^{(K)})=\alpha _K.\) Note that such \(g^*(\texttt{X})\) is guaranteed to exist with degree of at most n. Then with such \(g^*(\texttt{X}),\) we can define \(f^*(\texttt{X})=\sum _{j=0}^{d-1}\left( \sum _{i=0}^{D_1}a_{i,j} g*(\texttt{X})^i\right) x^j.\) So letting \(\gamma _{i,j} = \gamma _j^{(i)}\) for \(i=1,\ldots , M, j=1,\ldots , v+1,\) for such specific instances of the secret sharing schemes obtained by Algorithm 6 it can also be generated using Algorithm 1.    \(\square \)

Remark 2

We note that based on the form of \(f^*\) which requires the polynomial \(g^*(x),\) for two players belonging to different local groups, they cannot possess the same evaluation points. Otherwise, they will have exactly the same share. So this is the reason why we require such restriction in the statement of Lemma 11.

Lemma 11 shows that if all the evaluation points in the second step of Algorithm 6 are pairwise distinct, then we can transform it to a one-step secret sharing which follows Algorithm 1 with a possible change in the degree of \(g(\texttt{X})\) from \(v+1\) to a positive integer, say \(D_2,\) and the inner degree from w to \(D_1.\) We claim that \(v+1\le D_2.\) Indeed, we note that \(g^*(\texttt{X})\) cannot be a constant since we have at least m distinct evaluation points evaluated to m distinct values. Furthermore, recall that \(g^*(\gamma _i^{(1)})=\alpha _1\) for \(i=1,\ldots , v+1.\) Consider \(\hat{g}(\texttt{X})=g^*(\texttt{X})-\alpha _1.\) It is easy to see that \(\hat{g}(\texttt{X})\) has the same degree as \(g^*(\texttt{X})\) and neither is a constant function. However, we have \(\hat{g}(\gamma _i^{(1)})=0\) for \(i=1,\ldots , v+1.\) Hence we have \(\prod _{i=1}^{v+1} (\texttt{X}-\gamma _i^{(1)})|\hat{g}(\texttt{X}),\) proving that its degree, and hence the degree of \(g^*(\texttt{X}),\) is at least \(v+1\) as claimed.

Consider \(\varSigma \) a secret sharing scheme following Algorithm 1. By Theorems 1 and 2, \(\varSigma \) is shown to have \(t_1\) privacy and \(r_1\) recovery where \((d-1)(w+1)\le t_1\le d(w+1)-1\) and \(r_1\le w(v+1)+d.\)

Now suppose that we generate a secret sharing scheme \(\varSigma ^\prime \) following Algorithm 6. First we consider its recovery level \(r_2\). Note that by Lemma 11, the degree of the constructed \(f^*(\texttt{X})\) is \(D_1\cdot \textrm{deg}(g^*(\texttt{X})) +d-1\) where \(\textrm{deg}(g^*(\texttt{X}))\) is the degree of \(g^*(\texttt{X}).\) Recall that \(D_1=\max \{d_0,d_1,\ldots , d_{d-1}\}\) where \(d_0=w\) while for any \(j=1,\ldots , d-1,\) the polynomial \(\sum _{i=0}^{d_j} a_{i,j} \texttt{X}^i\) maps \(\alpha _K^{i}\) to \(f_j^{(K)}\) for each \(K=1,\ldots , m.\) Note that since \(f_j^{(K)}\) is also unknown, each of such \(d_j\) can be as large as \(m-1.\) Hence, in general, \(d_j=m-1\) for \(j=1,\ldots , d-1,\) which implies \(D_1=m-1.\) Furthermore, as we have established, the degree of \(g^*(\texttt{X})\) is at least \(v+1,\) which implies that \(\textrm{deg}(f^*(\texttt{X}))\ge (m-1)(v+1)+(d-1)=m(v+1)-(v+2-d).\)

Consider a group of players containing \(v+1\) players from the first w groups and \(d-1\) players from the remaining \(m-w\) groups. Note that such group has size \((v+1)w+(d-1)(m-w)\le \textrm{deg}(f^*(\texttt{X})).\) We claim that it is possible to have a share generation such that the original secret \(s=1\) while all the shares of these players to be 0. Note that by linearity of \(\varSigma ^\prime ,\) this means that the shares from such group of size \(m(v+1)+(m-w)(d-v-2)\) contains no information about s,  proving that it provides privacy from such group. This would imply that \(r_2\ge (v+1)w+(d-1)(m-w)+1.\)

First, for the first w groups, since we have the shares of all \(v+1\) players from such group, we would be able to recover the local secret \(s_i\) from the shares of these players. Since their shares are 0,  we can conclude that \(s_i=0\) for \(i=1,\ldots , w.\) Next, note that since \(s_i\) is a valid share from a (w, m)-Shamir’s secret sharing scheme, by the w-privacy guarantee of the (w, m)-Shamir’s secret sharing scheme, there is a valid share generation of 1 such that \(s_i=0\) for \(i=1,\ldots , w.\) This will also fix the values of \(s_i\) for \(i=w+1,\ldots , m.\) Next, we consider the sharing of the players in the i-th group for \(i=w+1,\ldots , m.\) Note that since \(s_{i,j}\) is a valid secret share of \(s_i\) using \((d-1,v+1)\)-Shamir’s secret sharing scheme, by its \(d-1\)-privacy guarantee, it is possible to have a valid share generation of \(s_i\) such that \(s_{i,j}=0\) for \(d-1\) of such j. This shows that it is possible to have a valid share generation of \(s=1\) such that the share of all the players belonging to the group described above to be zero. This proves that \(r_2\ge (v+1)w+(d-1)(m-w)+1.\) Combined with the upper bound established for \(r_1,\) we obtain \(r_2-r_1\ge (d-1)(m-w-1).\)

Next, we consider the privacy level of \(\varSigma ^\prime ,\) which we denote by \(t_2.\) Consider the group of players consisting of d players from each of the first \(w+1\) groups. It is easy to see that such group can recover the original secret. This shows that \(t_2\le d(w+1)-1.\) So combined with the fact that \((d-1)(w+1)\le t_1,\) we have \(t_2-t_1\le d-1.\) It is easy to see that when \(w-1<m,\) the increase of recovery level, which is at least \((m-w-1)(d-1)\) is at least the increase in the privacy level, which is at most \(d-1.\) This gap becomes much larger especially in the scenario where the secret sharing scheme is (strongly) multiplicative with repairing process that provides statistical security for the privacy of the shares. Note that in this case, since \(w\le \frac{m}{2}\) and \(m=O\left( \frac{n}{v}\right) =O\left( \frac{n}{\ln ^{(1+\varepsilon )} n}\right) \) for some \(\varepsilon >0,\) the gap is \(O\left( \frac{n}{\ln ^{(1+\varepsilon )}n}\right) .\) This shows that in general, a secret sharing scheme generated by Algorithm 6 comes with a larger gap between the privacy level and recovery level. So if we maintain the recovery level to be the same, the privacy level provided by \(\varSigma ^\prime \) is much smaller than what can be guaranteed from the construction following Algorithm 1. Such limitation of Algorithm 6 provides us with a justification on considering the one-step construction in Algorithm 1 instead of the more natural Algorithm 6.