Practical Password-Based Authentication Protocol for Secret Sharing Based Multiparty Computation

Abstract

The speed of secret sharing (SS)-based multiparty computation (MPC) has recently increased greatly, and several efforts to implement and use it have been put into practice. Authentication of clients is one critical mechanism for implementing SS-based MPC successfully in practice. We propose a password-based authentication protocol for SS-based MPC. Our protocol is secure in the presence of secure channels, and it is optimized for practical use with SS-based MPC in the following ways.

• Threshold security: Our protocol is secure in the honest majority, which is necessary and sufficient since most practical results on SS-based MPC are secure in the same environment.

• Establishing distinct channels: After our protocol, a client has distinct secure and two-way authenticated channels to each server, which is necessary for SS-based MPC and different from the usual setting.

• Ease of implementation: Our protocol consists of SS and operations involving SS, which can be reused from an implementation of SS-based MPC.

Furthermore, we implemented our protocol with an optimization for the realistic network and confirm that the protocol is practical. A client received the result within 2 s even when the network delay was 200 ms, which is almost the delay that occurs between Japan and Europe.

A Other Methods to Generate Random and Zero Shares

We give several methods to generate random shares and zero shares.

The first method is just relying on \(\mathcal{C}\), which generates the random and zero shares in \(\textsc {Setup}\) and sends them to all \(\mathcal S_i\) at the same time a share of a password is sent. This does not compromise security since the password, and the random and zero shares are sent by the same client. If the random or zero shares are short, \(\mathcal S_i\) requests \(\mathcal{C}\) to generate them after \(\textsc {Auth}\) is correctly finished with the acceptance.

The second method is that \(\mathcal S_i\) generates random and zero shares in the idle state. Damgård and Nielsen [18] and Beerliová-Trubíniová and Hirt [3] proposed a random share generation protocol called “DN-Rand” and “BH-Rand,” respectively. We can prepare random shares by using these protocols straightforwardly. A zero share is generated in almost the same way to generate random shares. First, generate random shares whose degree is \(2k-2\) and then multiply \(\mathcal S_i\)’s “coordinate” of Shamir’s SS. The zero share generation protocol is as follows.

1. 1.

   Each \(\mathcal S_i\) generates a \((2k-2, n)\)-random share \(\left\langle {r_i}\right\rangle _j\).

2. 2.

   Each \(\mathcal S_i\) locally computes \([\![{0}]\!]_i = i \times \left\langle {r_j}\right\rangle _i \).

The third method is that \(\mathcal S_i\) also generates random and zero shares in the idle state. This way is more efficient than using DN-Rand and HB-Rand instead of using pseudo-randomness. Cramer et al. [16] showed that if all \(\mathcal S_i\) share seeds among themselves before the protocol, they can produce replicated random shares by themselves and locally convert them to Shamir’s random shares. Let \(\mathbb {B}=\left\{ {\beta _1, \ldots , \beta _{\left|{\mathbb {B}}\right|}}\right\} \) be a set of \(n-k+1\) combinations of \(\mathcal S_i\) from n servers where \(\left|{\mathbb {B}}\right| = \left( {\begin{array}{c}n\\ n-k+1\end{array}}\right) \), \(\upsilon _{\beta _1}, \ldots , \upsilon _{\beta _{\left|{\mathbb {B}}\right|}}\) be independently and uniformly chosen seeds, \(f_{\beta _j}\) be the function satisfying \(f_{\beta _j}(0)=1\), \(f_{\beta _j}(\ell )=0\) for \(\mathcal S_\ell \notin \beta _j\), and its degree be \(k-1\). In the initial setup, make each \(\mathcal S_i\) have \(\upsilon _{\beta _j}\), where \(\mathcal S_i \in \beta _j\). To generate a random share, each \(\mathcal S_i\) computes pseudo-randomness \(\varUpsilon _{\beta _j}\) from \(\upsilon _{\beta _j}\) for \(\mathcal S_i \in \beta _j\). Then, each \(\mathcal S_i\) computes \( [r]_i = \sum _\mathcal{S_i\in \beta _j} f_{\beta _j}(i) \varUpsilon _{\beta _j}. \) A zero share is generated with the same technique described in the previous paragraph. First, generate a \((2k-2, n)\) random share \(\left\langle {r}\right\rangle _i\) and multiply \(\mathcal S_i\)’s coordinate.