Efficient Proactive Secret Sharing for Large Data via Concise Vector Commitments

Abstract

Proactive secret sharing has been proposed by Herzberg, Jarecki, Krawczyk, and Yung (CRYPTO’95) and is a powerful tool for storing highly confidential data. However, their scheme is not designed for storing large data and communication and computation costs scale linearly with the data size. In this paper we propose a variant of their scheme that uses concise vector commitments. We show that our new scheme, when instantiated with a variant of the Pedersen commitment scheme (CRYPTO’92), reduces computation costs by up to \(50\%\) and broadcast communication costs by a factor of L, where L is the length of the commitment message vectors.

A Proofs

Proof

(Proof of Theorem 4). Let \(\mathbb {G}\) be a finite cyclic group, p be the order of \(\mathbb {G}\), and \(L \in \mathbb {N}\), \(\mathsf {DLVC}_{\mathbb {G},L} = (L, \mathsf {GEN}(\mathbb {G})^L,\mathbb {Z}_p,\mathbb {G},\mathbb {Z}_p,\mathsf {Setup},\mathsf {Commit},\mathsf {Open})\), and \(m = (m_1,\ldots ,m_L) \in \mathbb {Z}_p^L\).

We observe that for \(\mathsf {Setup}() \rightarrow \rho \), we have \(\rho =(g_0,\ldots ,g_L) \in \mathsf {GEN}(\mathbb {G})^L\). Furthermore, we observe that if \(\mathsf {Commit}(\rho ,m) \rightarrow (c,d)\), then \(c = \mathsf {EXP}(g_0,d) \circ \bigcirc _{i=1}^L \mathsf {EXP}(g_i,m_i)\). It follows that \(\mathsf {Open}(\rho ,m,c,d)=1\).    \(\square \)

Proof

(Proof of Theorem 5). Let \(\mathbb {G}\) be a finite cyclic group associated with operation \(\circ \), \(L \in \mathbb {N}\), and \(\mathsf {DLVC}_{\mathbb {G},L} = (L,\mathsf {GEN}(\mathbb {G})^L,\mathbb {Z}_p,\mathbb {G},\mathbb {Z}_p,\mathsf {Setup},\mathsf {Commit},\mathsf {Open})\). We observe that for all \(\rho \in \mathsf {GEN}(\mathbb {G})^L\), \(m \in \mathbb {Z}_p^L\), \(c^* \in \mathbb {G}\), by the definition of \(\mathsf {Commit}\) and because g is a generator, we have

$$\begin{aligned} \begin{aligned}&\Pr \begin{bmatrix}c=c^* : \\\mathsf {Commit}(\rho ,m) \rightarrow (c,d)\end{bmatrix} \\ {}&= \Pr \begin{bmatrix} c=c^* : \\ U(\mathbb {Z}_p) \rightarrow d, c \leftarrow \mathsf {EXP}(g_0,d) \bigcirc _{i=1}^L \mathsf {EXP}(g_i,m_i) \end{bmatrix} \\ {}&= \Pr \begin{bmatrix} c=c^* : \\ U(\mathbb {G}) \rightarrow c \end{bmatrix} \text { ,} \end{aligned} \end{aligned}$$

where \(\rho =(g_0,\ldots ,g_L)\) and \(m = (m_1,\ldots ,m_L)\).    \(\square \)

Proof

(Proof of Theorem 6). The following proof is adapted from Section 2.3.2 of [6].

Let \(\mathbb {G}\) be a finite cyclic group of prime order p, \(\mathsf {DLVC}_{\mathbb {G},L} = (L,\mathsf {GEN}(\mathbb {G})^L,\mathbb {Z}_p,\mathbb {G},\mathbb {Z}_p,\mathsf {Setup},\mathsf {Commit},\mathsf {Open})\), \(g \in \mathsf {GEN}(\mathbb {G})\), \(\tau \in \mathbb {N}\), and \(\mathcal {A}\in \mathsf {Algo}(\tau )\). In the following, we prove an upper bound on

$$\begin{aligned} \Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' : \\ \mathsf {Setup}() \rightarrow \rho , \mathcal {A}(\rho ) \rightarrow (c, m, d, m', d') \end{bmatrix} \text { .} \end{aligned}$$

Let \(\mathcal {B}\) be an algorithm that takes as input \(y \in \mathbb {G}\) and works as follows. Sample \(U(\mathbb {Z}_p) \rightarrow a_0\) and for \(i \in [L]\), \(U(\mathbb {Z}_p^2) \rightarrow (a_i, b_i)\). Compute \(g_0 \leftarrow \mathsf {EXP}(g,a_0)\) and for \(i \in [L]\), \(g_i \leftarrow \mathsf {EXP}(g,a_i) \circ \mathsf {EXP}(y, b_i)\). Run \(\mathcal {A}((g_0,\ldots ,g_L)) \rightarrow (c, m, d, m', d')\). If \(\mathsf {Open}(\rho ,m,c,d) = 0\) or \(\mathsf {Open}(\rho ,m',c,d') = 0\), output \(\bot \). Otherwise, proceed as follows. Let \(m = (m_0,\ldots ,m_L) \in \mathbb {Z}_p^L\) and \(m' = (m'_0,\ldots ,m'_L) \in \mathbb {Z}_p^L\). Compute \(a \leftarrow a_0(d-d') + \sum _{i \in [L]} a_i (m_i- m'_i)\) and \(b \leftarrow \sum _{i \in [L]} b_i(m'_i- m_i)\). If \(b=0\), output \(\bot \). Otherwise, compute \(x \leftarrow \frac{a}{b}\) and output x.

We observe that because the \(a_i\)’s are uniformly distributed and g is a generator, the \(g_i\)’s are also uniformly distributed. This means that \((g_0,\ldots ,g_L)\) has the same distribution as \(\rho \) generated by \(\mathsf {Setup}()\). It follows that

$$\begin{aligned}&\Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' : \\ \mathsf {Setup}() \rightarrow \rho , \mathcal {A}(\rho ) \rightarrow (c, m, d, m', d') \end{bmatrix} \\&\qquad \qquad \,\,\,\, = \Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \text { .} \end{aligned}$$

Using sigma additivity we write

$$\begin{aligned} \begin{aligned}&\Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\ {}&= \Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' \wedge b = 0 : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\ {}&\quad + \, \Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' \wedge b \ne 0 : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \text { .} \end{aligned} \end{aligned}$$

The first term is upper-bounded by \(\frac{1}{p}\), as can be seen as follows:

$$\begin{aligned} \begin{aligned}&\Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' \wedge b = 0 : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\ {}&\le \Pr \begin{bmatrix} m \ne m' \wedge b = 0 : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\ {}&= \Pr \begin{bmatrix} m \ne m' \wedge \sum _{j \in [L]} b_j(m'_j - m_j) = 0 : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\ {}&\le \Pr \begin{bmatrix} \exists i \in [L], m_i \ne m_i' \wedge b_i = \frac{-\sum _{j \in [L]\setminus \{i\}} b_j(m'_j - m_j)}{(m'_i - m_i)} : \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} = \frac{1}{p} \text { .} \end{aligned} \end{aligned}$$

Next we prove that the second term is upper-bounded by

$$\begin{aligned} \Pr \begin{bmatrix} \mathsf {EXP}(g,x) = y :\\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \text { .} \end{aligned}$$

We observe that if \(b \ne 0\), then \(\mathsf {Open}(\rho , m, c, d) = 1\), \(\mathsf {Open}(\rho , m', c, d') = 1\), \(m \ne m'\), and

$$\begin{aligned} \begin{aligned}&\mathsf {EXP}(g_0,d) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_i) = \mathsf {EXP}(g_0,d') \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m'_i) \\&\iff \mathsf {EXP}(g_0,d-d') \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_i-m'_i) = e_\mathbb {G}\\&\iff \mathsf {EXP}\left( g, {a_0(d-d')+ \sum _{i \in [L]} a_i(m_i- m'_i)} \right) \circ \mathsf {EXP}\left( y, {\sum _{i \in [L]} b_i (m_i -m'_i)} \right) = e_\mathbb {G}\\&\iff \mathsf {EXP}\left( g, {a_0(d-d')+ \sum _{i \in [L]} a_i(m_i- m'_i)} \right) = \mathsf {EXP}\left( y, {\sum _{i \in [L]} b_i (m'_i -m_i)}\right) \\&\iff \mathsf {EXP}\left( g,\frac{a}{b}\right) = y \text { .} \end{aligned} \end{aligned}$$

It follows that

$$\begin{aligned}&\Pr \begin{bmatrix} \mathsf {EXP}(g, \frac{a}{b}) = y \wedge b \ne 0 :\\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \\&\,\quad = \Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' \wedge b \ne 0: \\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \text { .} \end{aligned}$$

By the fact that \(b=0\) implies \(x=\bot \) and \(\mathsf {EXP}(g, \bot ) \not \in \mathbb {G}\), we have

$$\begin{aligned} \Pr \begin{bmatrix} \mathsf {EXP}(g,x) = y \wedge b \ne 0 :\\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} = \Pr \begin{bmatrix} \mathsf {EXP}(g,x) = y :\\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} \text { .} \end{aligned}$$

In summary, we obtain

$$\begin{aligned} \begin{aligned}&\Pr \begin{bmatrix} \mathsf {Open}(\rho , m, c, d) = 1 \wedge \mathsf {Open}(\rho , m', c, d') = 1 \wedge m \ne m' : \\ \mathsf {Setup}() \rightarrow \rho , \mathcal {A}(\rho ) \rightarrow (c, m, d, m', d') \end{bmatrix} \\ {}&\le \Pr \begin{bmatrix} \mathsf {EXP}(g,x) = y :\\ U(\mathbb {G}) \rightarrow y, \mathcal {B}(y) \rightarrow x \end{bmatrix} + \frac{1}{p} \text { .} \end{aligned} \end{aligned}$$

Finally, we observe that the running time of \(\mathcal {B}\) is upper-bounded by \(\tau + \alpha \), where \(\alpha \) is the constant difference between the running time of \(\mathcal {B}\) and the running time of \(\mathcal {A}\). It follows that if \(\mathsf {DLOG}(\mathbb {G},g)\) is \(\epsilon \)-hard, then \(\mathsf {DLVC}_{\mathbb {G},L}\) is \(\epsilon '\)-binding-secure with

$$\begin{aligned} \epsilon ': \tau \mapsto \epsilon (\tau + \alpha ) + \frac{1}{p} \text { .} \end{aligned}$$

   \(\square \)

Proof

(Proof of Theorem 7). Let \(\mathbb {G}\) be a finite cyclic group, \(L \in \mathbb {N}\), and \(\mathsf {DLVC}_{\mathbb {G},L} = (L,\mathsf {GEN}(\mathbb {G})^L,\mathbb {Z}_p,\mathbb {G},\mathbb {Z}_p,\mathsf {Setup},\mathsf {Commit},\mathsf {Open})\). Let \(\circ \) denote the operation associated with \(\mathbb {G}\), \(+\) and \(*\) denote addition and multiplication over \(\mathbb {Z}_p\), and \(\oplus \) denote addition over \(\mathbb {Z}_p^L\). We observe that for any \(\rho \in \mathcal {P}\), \((m_1, c_1,d_1)\in \mathtt {COMS}(\rho )\), and \((m_2, c_2,d_2) \in \mathtt {COMS}(\rho )\) we have that

$$\begin{aligned} \begin{aligned}&(m_1, c_1,d_1)\in \mathtt {COMS}(\rho ) \wedge (m_2, c_2,d_2) \in \mathtt {COMS}(\rho ) \\ {}&\implies \begin{aligned}&\left( \mathsf {EXP}(g_0,d_1) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_{1,i})\right) = c_1 \\ {}&\wedge \left( \mathsf {EXP}(g_0,d_2) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_{2,i})\right) = c_2 \end{aligned} \\ {}&\implies \begin{aligned}&\left( \mathsf {EXP}(g_0,d_1) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_{1,i})\right) \\ {}&\circ \left( \mathsf {EXP}(g_0,d_2) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_{2,i})\right) = c_1 \circ c_2 \end{aligned} \\ {}&\iff \mathsf {EXP}(g_0,d_1+d_2) \bigcirc _{i \in [L]} \mathsf {EXP}(g_i,m_{1,i}+m_{2,i}) = c_1 \circ c_2 \\ {}&\iff \mathsf {Open}(\rho , m_1 \oplus m_2, c_1 * c_2 , d_1 \circ d_2) = 1 \text { .} \end{aligned} \end{aligned}$$

   \(\square \)