How to withstand mobile virus attacks, revisited

Joshua Baron, Karim M. El Defrawy, Joshua Lampkins, R. Ostrovsky
DOI: 10.1145/2611462.2611474
Venue: Proceedings of the 2014 ACM symposium on Principles of distributed computing (PODC 2014)
Published: 2014-07-15
Source: Semantic Scholar
Citations: 52

Abstract

In PODC 1991 Ostrovsky and Yung [35] introduced the proactive security model, where corruptions spread throughout the network, analogous to the spread of a virus or a worm. The PODC 2006 distinguished lecture by Danny Dolev, which also appears in the PODC06 proceedings, lists the above work as one of PODC's "Century Papers at the First Quarter-Century Milestone" [22]. At the very center of this work is the notion of proactive secret sharing schemes. Secret sharing schemes allow a dealer to distribute a secret among a group of parties such that while the group of parties jointly possess the secret, no sufficiently small subset of the parties can learn any information about the secret. The secret can be reconstructed only when a sufficient number of shares are combined together. Most secret sharing schemes assume that an adversary can only corrupt some fixed number of the parties over the entire lifetime of the secret; such a model is unrealistic in the case where, over a long enough period of time, an adversary can eventually corrupt all parties or a large enough fraction that exceeds such a threshold. More specifically, in the proactive security model, the adversary is not limited in the number of parties it can corrupt, but rather in the rate of corruption with respect to a "rebooting" rate. Ostrovsky and Yung proposed the first proactive secret sharing scheme, which received a lot of follow-up attention. In the same paper, Ostrovsky and Yung also showed that constructing a general purpose secure multiparty computation (MPC) protocol in the proactive security model is feasible as long as the rate of corruption is a constant fraction of the parties. Their result, however, was shown only for stand-alone security and incurred a large polynomial communication overhead for each gate of the computation.

Following the initial work defining the proactive security model, numerous cryptographic primitives and distributed protocols have been adapted to the proactive security model, such as proactively secure threshold encryption, proactive Byzantine agreement, proactive key management, proactive digital signatures, and many others. All these results use proactive secret sharing schemes. In this paper, we introduce a new "packed" proactive secret sharing (PPSS) scheme, where the amortized communication and the amortized computational cost of maintaining each individual secret is optimal (e.g., a constant rate), resolving a long standing problem in this area. Assuming secure point-to-point channels and authenticated, reliable broadcast over a synchronous network, our PPSS scheme can tolerate a 1/3-ε (resp. 1/2-ε) corruption rate against a malicious adversary, and is perfectly (resp. statistically) UC-secure, whereas all previous proactive secret sharing schemes have been secure under cryptographic assumptions only. As an application of our PPSS scheme, we show how to construct a proactive multiparty computation (PMPC) protocol with the same threshold as the PPSS scheme and near-linear communication complexity. The PMPC problem is very general and implies, for example, proactive Byzantine Agreement. Our PMPC result also matches the asymptotic communication complexity of the best known MPC results in the "classical" model of stationary faults [19].
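The three ideas the abstract relies on, threshold secret sharing, the proactive "reboot" that re-randomizes shares between epochs, and packing several secrets into one polynomial so the per-secret cost is amortized, can be seen in a toy implementation. The block below is an added illustration written for this page; it is not the paper's PPSS construction (which is dealer-free, handles a malicious adversary with verification, and has a different packing layout). Everything in it is constructed: the field prime, the parameters n and t, the sample secrets, and the simplification that one loop generates all the zero-sharings instead of the parties running a distributed refresh protocol.

```python
"""Toy Shamir secret sharing over GF(p) with a proactive refresh step and a
packed variant.  Illustration only: constructed parameters, not the paper's scheme."""
from secrets import randbelow
from typing import Dict, List, Sequence

# Field modulus: a Mersenne prime, chosen here for convenience (constructed choice).
P = 2**127 - 1


def _inv(a: int) -> int:
    """Modular inverse in GF(P) via Fermat's little theorem."""
    return pow(a % P, P - 2, P)


def _eval(coeffs: Sequence[int], x: int) -> int:
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points: Dict[int, int], at: int) -> int:
    """Lagrange interpolation of the unique polynomial through `points`, evaluated at x=at."""
    total = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (at - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * _inv(den)) % P
    return total


def share(secret: int, n: int, t: int) -> Dict[int, int]:
    """Shamir sharing: random degree-t polynomial f with f(0)=secret, share i = f(i).
    Any t+1 shares reconstruct; any t shares are independent of the secret."""
    coeffs = [secret % P] + [randbelow(P) for _ in range(t)]
    return {i: _eval(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares: Dict[int, int]) -> int:
    """Recover f(0) from at least t+1 shares."""
    return _interpolate(shares, 0)


def refresh(shares: Dict[int, int], t: int) -> Dict[int, int]:
    """Proactive refresh for one epoch: each party contributes a fresh sharing of 0 and
    every share absorbs the sum.  The secret is unchanged, but shares from different
    epochs no longer lie on a common polynomial, so an adversary that slowly collects
    shares across epochs (the 'mobile virus') never accumulates a usable t+1.
    Simplification: a single loop stands in for the parties' distributed protocol."""
    n = len(shares)
    new = dict(shares)
    for _ in range(n):
        zero = share(0, n, t)
        for i in new:
            new[i] = (new[i] + zero[i]) % P
    return new


def share_packed(values: List[int], n: int, t: int) -> Dict[int, int]:
    """Packed sharing: l secrets at x = 0, -1, ..., -(l-1) on one random polynomial of
    degree d = t + l - 1.  Any d+1 shares recover all l secrets at once; any t shares
    still reveal nothing, so the per-secret cost is amortised over the packing."""
    pts = {(-k) % P: v % P for k, v in enumerate(values)}
    for k in range(t):                      # t random points pin down the remaining freedom
        pts[n + 1 + k] = randbelow(P)       # x = n+1..n+t, distinct from the share positions
    return {i: _interpolate(pts, i) for i in range(1, n + 1)}


def reconstruct_packed(shares: Dict[int, int], l: int) -> List[int]:
    """Recover the l packed secrets from at least t+l shares."""
    return [_interpolate(shares, (-k) % P) for k in range(l)]


def demo() -> Dict[str, bool]:
    """Constructed walkthrough: n=7 parties, threshold t=2, two epochs."""
    n, t, secret = 7, 2, 0xC0FFEE
    epoch0 = share(secret, n, t)
    epoch1 = refresh(epoch0, t)
    packed = share_packed([10, 20, 30], n, t)        # d = 4, so 5 shares suffice
    return {
        "epoch0_ok": reconstruct({i: epoch0[i] for i in (1, 2, 3)}) == secret,
        "epoch1_ok": reconstruct({i: epoch1[i] for i in (4, 5, 6)}) == secret,
        # t old shares plus one new share: t+1 values, but from two different polynomials
        "mixed_epochs_fail": reconstruct({1: epoch0[1], 2: epoch0[2], 3: epoch1[3]}) != secret,
        "packed_ok": reconstruct_packed({i: packed[i] for i in range(1, 6)}, 3) == [10, 20, 30],
    }


if __name__ == "__main__":
    print(demo())
```

The `mixed_epochs_fail` check is the whole point of the proactive model: the adversary in `demo` holds three shares, more than the threshold, yet they come from two epochs and interpolate to `secret + Z(3)` for a uniformly random `Z(3)`, so nothing is learned. What this toy omits, and what the paper has to solve, is how parties generate and verify the zero-sharings without a trusted helper when some of them are actively malicious, and how to keep the refresh cost constant per secret at scale.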