Secret Sharing. Qi Chen. December 14, 2015
2 What is secret sharing?
- A dealer: knows the secret $S$ and distributes the shares of $S$ to each party.
- A set of $n$ parties $P_n \triangleq \{p_1, \dots, p_n\}$: each party owns a share.
- Authorized subset of the parties: $B \subseteq P_n$ can reconstruct the secret from their shares.
- Unauthorized subset of the parties: $T \subseteq P_n$ knows nothing about the secret from their shares.
3 Applications
- Secure storage
- Secure multiparty computation
- Threshold cryptography
- Byzantine agreement
- Access control
- Private information retrieval
- Attribute-based encryption
- General oblivious transfer
- ...
5 Access structure
The collection $\mathcal{A}$ of all authorized subsets is called the access structure of a secret sharing. An access structure is monotone, i.e., if $A \subseteq B$ and $A \in \mathcal{A}$, then $B \in \mathcal{A}$.
Example: Let $P_4 = \{p_1, \dots, p_4\}$. Then
$\mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}, \{p_1, p_2, p_3\}, \{p_1, p_2, p_4\}, \{p_1, p_3, p_4\}, \{p_2, p_3, p_4\}, \{p_1, p_2, p_3, p_4\}\}$
is an access structure.
8 Access structure
Collection $\mathcal{A}_{\min}$ of minimal sets in $\mathcal{A}$
- Let $\mathcal{A}_{\min}$ be the collection of minimal sets in $\mathcal{A}$, i.e., $B \in \mathcal{A}_{\min}$ if $B \in \mathcal{A}$ and for any $C \subsetneq B$, $C \notin \mathcal{A}$.
- The access structure $\mathcal{A}$ is uniquely determined by $\mathcal{A}_{\min}$.
Example: $\mathcal{A}_{\min} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}\}$
Remark: Note that $\mathcal{A}_{\min}$ is a Sperner family on $P_n$, i.e., a collection of subsets of $P_n$ such that no member of the collection contains another. Sperner families are counted by the Dedekind numbers, which grow very fast with $n$. This implies the difficulty of the secret sharing problem.
9 Definition by probability
A distribution scheme $\Sigma = \langle \Pi, \mu \rangle$ with domain of secrets $K$:
- $\mu$ is a probability distribution on some finite set $R$.
- $\Pi$ is a mapping from $K \times R$ to a set of $n$-tuples $K_1 \times \dots \times K_n$, where $K_j$ is called the domain of shares of $p_j$.
The dealer distributes $k \in K$ according to $\Sigma$ by first sampling a random string $r \in R$ according to $\mu$, computing a vector $\Pi(k, r) = (s_1, \dots, s_n)$ and privately communicating each share $s_j$ to party $p_j$.
10 Definition by probability
Scheme $\Sigma$ is a secret-sharing scheme realizing an access structure $\mathcal{A}$ if the following two requirements hold:
1. (Correctness) For any $B = \{p_{i_1}, \dots, p_{i_{|B|}}\} \in \mathcal{A}$, there is a reconstruction function $\mathrm{REC} : K_{i_1} \times \dots \times K_{i_{|B|}} \to K$ such that for any $k \in K$,
$\Pr[\mathrm{REC}(\Pi(k, r)_B) = k] = 1$
2. (Perfect Privacy) For any $T \notin \mathcal{A}$, for any $a, b \in K$, and for every possible vector of shares $\langle s_j \rangle_{p_j \in T}$:
$\Pr[\Pi(a, r)_T = \langle s_j \rangle_{p_j \in T}] = \Pr[\Pi(b, r)_T = \langle s_j \rangle_{p_j \in T}]$
12 Definition by entropy
Consider the secret to be a random variable $S$ on $K$, and each share to be a random variable $S_j$ on $K_j$. Then the scheme $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ is a secret-sharing scheme realizing access structure $\mathcal{A}$ if the following two conditions hold:
1. (Correctness) For any $B \in \mathcal{A}$, $H(S \mid S_B) = 0$
2. (Perfect Privacy) For any $T \notin \mathcal{A}$, $H(S \mid S_T) = H(S)$
Remark: For perfect privacy, the condition can be written as $I(S; S_T) = 0$. If we modify the condition to $I(S; S_T) = a_T$ for some $0 \le a_T \le H(S)$, then the modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.
13 Equivalence of two definitions
Theorem: The two definitions of secret sharing are equivalent.
- For any $\Sigma = (\Pi, \mu)$ realizing access structure $\mathcal{A}$, we can construct a random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$.
- For any random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$, we can accordingly construct a $\Sigma = (\Pi, \mu)$ realizing $\mathcal{A}$.
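15 Information ratio
Information ratio by the definition of probability:
$\rho_\Sigma \triangleq \frac{\max_{1 \le j \le n} \log |K_j|}{\log |K|}$
Information ratio by the definition of entropy:
$\rho_{\mathbf{S}} \triangleq \frac{\max_{1 \le j \le n} H(S_j)}{H(S)}$
Corollary: $\rho_\Sigma = \rho_{\mathbf{S}}$ if $\Sigma$ corresponds to $\mathbf{S}$.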
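16 The fundamental problem of secret sharing: optimal information ratio
Let $N = \{s\} \cup P_n$ and $\Gamma^*_N$ the entropy function region on $N$. Let $\mathcal{A}$ be an access structure on $P_n$. Then the optimal information ratio on $\mathcal{A}$ is
$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^*_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(\{p_j\})}{h(\{s\})}$
where
$\Phi_{\mathcal{A}} = \{h : h(\{s\} \cup B) = h(B)\ \forall B \in \mathcal{A},\ h(\{s\} \cup T) = h(\{s\}) + h(T)\ \forall T \notin \mathcal{A}\}$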
17 Shamir's threshold scheme
For $1 \le t \le n$, let $\mathcal{A}_{t,n} = \{A \subseteq P_n : |A| \ge t\}$. Then $\mathcal{A}_{t,n}$ is an access structure with threshold $t$. It can be realised by Shamir's scheme as follows:
- Let $K = \mathbb{F}_q$, where $q > n$ is a prime power.
- Let $\alpha_1, \dots, \alpha_n \in \mathbb{F}_q$ be $n$ distinct non-zero elements known to all parties.
- The dealer uniformly chooses $a_1, \dots, a_{t-1} \in \mathbb{F}_q$ and generates a polynomial $P(x) = k + \sum_{i=1}^{t-1} a_i x^i$.
- The share of $p_j$ is $s_j = P(\alpha_j)$.
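18 Shamir's threshold scheme
Correctness: For any $B = \{p_{i_1}, \dots, p_{i_t}\} \in \mathcal{A}_{t,n}$, let
$Q(x) = \sum_{l=1}^{t} s_{i_l} \prod_{1 \le j \le t,\ j \ne l} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_l}}$.
Note that $Q(\alpha_{i_l}) = s_{i_l} = P(\alpha_{i_l})$ for $1 \le l \le t$, which implies that $Q(x) = P(x)$ and $Q(0) = P(0) = k$.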
20 Shamir's threshold scheme
Perfect privacy: For any $T = \{p_{i_1}, \dots, p_{i_{t-1}}\}$, the $t-1$ shares together with each secret $a \in \mathbb{F}_q$ uniquely determine a polynomial $P_a(x)$ with $P_a(0) = a$ and $P_a(\alpha_{i_l}) = s_{i_l}$ for $1 \le l \le t-1$. Hence
$\Pr[\Pi(a, r)_T = \langle s_{i_l} \rangle_{1 \le l \le t-1}] = \frac{1}{q^{t-1}}$
Privacy follows because this probability is the same for every $a \in \mathbb{F}_q$.
Information ratio:
- The information ratio is 1 since $K_j = K = \mathbb{F}_q$.
- It is the optimal information ratio on the access structure $\mathcal{A}_{t,n}$.
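The scheme on slides 17 to 20, together with the probabilistic definition on slide 10, as an added example (not code from the talk). It assumes a prime $q$ so that integers mod $q$ form the field, and the toy parameters $q = 7$, $t = 3$, $n = 5$ are constructed; the privacy check enumerates every random string $r = (a_1, \dots, a_{t-1})$ and confirms that each view of $t-1$ parties has probability $1/q^{t-1}$ for every secret.

```python
import itertools
import secrets
from fractions import Fraction


def share(k, t, alphas, q, coeffs=None):
    """Dealer: P(x) = k + sum_{i=1}^{t-1} a_i x^i over F_q; the party at alpha_j gets P(alpha_j)."""
    if len({a % q for a in alphas}) != len(alphas) or any(a % q == 0 for a in alphas):
        raise ValueError("evaluation points must be distinct and non-zero in F_q")
    if coeffs is None:  # the random string r = (a_1, ..., a_{t-1}), uniform over F_q
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    poly = [k % q, *coeffs]
    return {a: sum(c * pow(a, i, q) for i, c in enumerate(poly)) % q for a in alphas}


def reconstruct(points, q):
    """Q(0) = sum_l s_l * prod_{j != l} alpha_j / (alpha_j - alpha_l) mod q.

    `points` maps alpha -> share. With fewer than t points the result is just
    some field element: the function cannot detect an unauthorized set.
    """
    secret = 0
    for a_l, s_l in points.items():
        num, den = 1, 1
        for a_j in points:
            if a_j != a_l:
                num = num * a_j % q
                den = den * (a_j - a_l) % q
        secret = (secret + s_l * num * pow(den, -1, q)) % q
    return secret


def view_distribution(k, t, alphas, parties, q):
    """Pr over r of the share vector seen by `parties`, enumerating all q^(t-1) strings r."""
    counts = {}
    for coeffs in itertools.product(range(q), repeat=t - 1):
        shares = share(k, t, alphas, q, coeffs)
        view = tuple(shares[a] for a in parties)
        counts[view] = counts.get(view, 0) + 1
    return {v: Fraction(c, q ** (t - 1)) for v, c in counts.items()}


def perfectly_private(t, alphas, q):
    """True iff every set of t-1 parties sees each view with probability 1/q^(t-1), for every secret."""
    uniform = Fraction(1, q ** (t - 1))
    for T in itertools.combinations(alphas, t - 1):
        for k in range(q):
            dist = view_distribution(k, t, alphas, T, q)
            if len(dist) != q ** (t - 1) or set(dist.values()) != {uniform}:
                return False
    return True


if __name__ == "__main__":
    q, t, alphas = 7, 3, [1, 2, 3, 4, 5]  # constructed toy parameters
    shares = share(4, t, alphas, q)
    subset = {a: shares[a] for a in (2, 3, 5)}
    print("reconstructed:", reconstruct(subset, q))
    print("perfect privacy for t-1 parties:", perfectly_private(t, alphas, q))
```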
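21 Shamir's threshold scheme by entropy
Let $\Gamma_N$ be the polymatroidal region on $N$. Let $p = \{\{s\}, P_n\}$ be a partition of $N$.
Lemma: $\overline{\Psi^*_p} = \Psi_p$, where $\Psi^*_p = \Gamma^*_N \cap C_{\mathcal{A}_{t,n}}$, $\Psi_p = \Gamma_N \cap C_{\mathcal{A}_{t,n}}$ and
$C_{\mathcal{A}_{t,n}} = \{h : h(A) = h(B),\ h(\{s\} \cup A) = h(\{s\} \cup B), \text{ if } |A| = |B|,\ A, B \subseteq P_n\}$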
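23 Shamir's threshold scheme by entropy
For simplicity, let $\rho_{t,n} = \rho_{\mathcal{A}_{t,n}}$ and $\Phi_{t,n} = \Phi_{\mathcal{A}_{t,n}}$. Then
$\rho_{t,n} = \inf_{h \in \Gamma^*_N \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(\{p_j\})}{h(\{s\})}$
where
$\Phi_{t,n} = \{h : h(\{s\} \cup B) = h(B) \text{ if } |B| \ge t,\ h(\{s\} \cup B) = h(\{s\}) + h(B) \text{ if } |B| < t\}$
Theorem:
$\rho_{t,n} = \inf_{h \in \Psi^*_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(\{p_j\})}{h(\{s\})}$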
25 Shamir's threshold scheme by entropy
Theorem:
$\rho_{t,n} = \min_{h \in \Psi_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(\{p_j\})}{h(\{s\})}$
The solution is $\rho_{t,n} = 1$ and
$\arg\min \rho_{t,n} = \{h : h = a\,u_{t,n+1},\ a > 0\}$
Remark: This result can be generalized to non-perfect threshold schemes.
27 Linear secret-sharing scheme
Definition: A secret-sharing scheme is linear if
- the secret $s \in \mathbb{F}$;
- each random string $r \in R$ is a vector, and each entry of $r$ is chosen independently with uniform distribution from $\mathbb{F}$;
- each share $s_j$ is a vector, and each entry of $s_j$ is a fixed linear combination of the secret $s$ and the coordinates of the random string $r$.
Shamir's threshold scheme is linear.
29 Linear secret-sharing scheme
Monotone span program: A monotone span program is a triple $\mathcal{M} = (\mathbb{F}, M, \rho)$, where $\mathbb{F}$ is a field, $M$ is an $a \times b$ matrix over $\mathbb{F}$ and $\rho : \{1, \dots, a\} \to \{p_1, \dots, p_n\}$ labels each row of $M$ by a party.
Example: Consider the following monotone span program $(\mathbb{F}_{17}, M, \rho)$, where M = and $\rho(1) = \rho(2) = p_2$, $\rho(3) = p_1$ and $\rho(4) = p_4$.
31 Linear secret-sharing scheme
Monotone span program:
- For any $A \subseteq P_n$, let $M_A$ denote the sub-matrix obtained by restricting $M$ to the rows labeled by parties in $A$.
- $\mathcal{M}$ accepts $B$ if the rows of $M_B$ span the vector $e_1 = (1, 0, \dots, 0)$.
- $\mathcal{M}$ accepts access structure $\mathcal{A}$ if $\mathcal{M}$ accepts a set $B$ iff $B \in \mathcal{A}$.
Example: Consider $B = \{p_1, p_2\}$ and $T = \{p_1, p_3\}$. Then M B = and M T = [ ] It can be checked that $M_B$ spans $e_1$ but $M_T$ does not. We can check further that $\mathcal{A}_{\min} = \{\{p_1, p_2\}, \{p_2, p_3\}\}$.
33 Linear secret-sharing scheme
Theorem: Let $\mathcal{M} = (\mathbb{F}, M, \rho)$ be a monotone span program accepting an access structure $\mathcal{A}$, where $\mathbb{F}$ is a finite field and for every $j$ there are $a_j$ rows of $M$ labeled by $p_j$. Then there is a linear secret-sharing scheme realizing $\mathcal{A}$ such that the share of party $p_j$ is a vector in $\mathbb{F}^{a_j}$. The information ratio of the resulting scheme is $\max_{1 \le j \le n} a_j$.
Theorem: Let $\Gamma^L_N$ be the region bounded by Shannon-type information inequalities and linear rank inequalities over $N$. Then the optimal information ratio of linear schemes on $\mathcal{A}$ is
$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^L_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(\{p_j\})}{h(\{s\})}$
where $\Phi_{\mathcal{A}}$ is defined as above.
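The span-program construction of slides 28 to 33, as an added example (not code from the talk). The matrix below is constructed for illustration and is not the matrix of the slide's example: it is a span program over $\mathbb{F}_{17}$ for the access structure of slide 5 (minimal sets $\{p_1,p_2\}, \{p_2,p_3\}, \{p_3,p_4\}$), with the secret split additively along each minimal set. The code decides acceptance by solving $\lambda M_B = e_1$, deals shares as $M \cdot (s, r_1, r_2, r_3)^T$, and reconstructs with $\lambda$.

```python
import itertools
import secrets

P = 17  # field F_17; matrix, labels and party names below are constructed
PARTIES = ("p1", "p2", "p3", "p4")
# Columns are (s, r1, r2, r3); each row is one share entry, labelled by RHO.
M = [
    [0, 1, 0, 0],    # p1: r1
    [1, -1, 0, 0],   # p2: s - r1
    [0, 0, 1, 0],    # p2: r2
    [1, 0, -1, 0],   # p3: s - r2
    [0, 0, 0, 1],    # p3: r3
    [1, 0, 0, -1],   # p4: s - r3
]
RHO = ["p1", "p2", "p2", "p3", "p3", "p4"]


def recombination_vector(rows, p=P):
    """Return lam with sum_i lam[i] * rows[i] == e_1 (mod p), or None if e_1 is not spanned."""
    if not rows:
        return None
    b, m = len(rows[0]), len(rows)
    # Solve rows^T * lam = e_1 by Gauss-Jordan elimination on the augmented matrix.
    aug = [[rows[i][c] % p for i in range(m)] + [1 if c == 0 else 0] for c in range(b)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, b) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(b):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in aug[r:]):  # a row reading 0 = non-zero: no solution
        return None
    lam = [0] * m  # free variables set to 0
    for i, col in enumerate(pivots):
        lam[col] = aug[i][-1]
    return lam


def rows_of(parties):
    return [i for i, owner in enumerate(RHO) if owner in parties]


def accepts(parties):
    """The program accepts B iff the rows of M_B span e_1."""
    return recombination_vector([M[i] for i in rows_of(parties)]) is not None


def accepted_sets():
    return {frozenset(c) for n in range(1, len(PARTIES) + 1)
            for c in itertools.combinations(PARTIES, n) if accepts(c)}


def deal(s):
    """Shares are the entries of M * (s, r1, r2, r3)^T, grouped by the row labels."""
    vec = [s % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    out = {}
    for row, owner in zip(M, RHO):
        out.setdefault(owner, []).append(sum(a * x for a, x in zip(row, vec)) % P)
    return out


def reconstruct(shares):
    """shares: {party: [entries]}; returns lam . (share entries) = e_1 . (s, r) = s."""
    idx = rows_of(shares.keys())
    lam = recombination_vector([M[i] for i in idx])
    if lam is None:
        raise ValueError("set is not accepted by the span program")
    entries = {owner: iter(v) for owner, v in shares.items()}
    flat = [next(entries[RHO[i]]) for i in idx]
    return sum(l * v for l, v in zip(lam, flat)) % P


def information_ratio():
    """max_j a_j, the largest number of rows labelled by one party."""
    return max(RHO.count(p) for p in set(RHO))


if __name__ == "__main__":
    sh = deal(11)
    print(reconstruct({p: sh[p] for p in ("p2", "p3")}), information_ratio())
    print(sorted(sorted(b) for b in accepted_sets()))
```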
35 Lower bounds on the information ratio
Theorem: Let $p_j$ be a non-redundant party in $\mathcal{A}$ and let $\Sigma$ be any secret-sharing scheme realizing $\mathcal{A}$; then $|K_j| \ge |K|$, which implies that $\rho_{\mathcal{A}} \ge 1$ for any $\mathcal{A}$.
Ideal secret-sharing scheme: A secret-sharing scheme whose information ratio is 1 is called an ideal secret-sharing scheme.
37 Csirmaz's lower bound
Csirmaz's access structure: We define the access structure $\mathcal{A}_n$ by its collection of minimal sets $(\mathcal{A}_n)_{\min}$.
- Let $k$ be the largest integer such that $2^k + k - 1 \le n$.
- Let $B = \{p_1, \dots, p_{2^k - 1}\}$ and define $B_0 = \emptyset$ and $B_i = \{p_1, \dots, p_i\}$ for $1 \le i \le 2^k - 1$.
- Let $A = \{p_{2^k}, \dots, p_{2^k + k - 1}\}$, and let $A = A_0, A_1, \dots, A_{2^k - 1} = \emptyset$ be all the subsets of $A$, ordered such that if $i < i'$, then $A_i \not\subseteq A_{i'}$.
- Define $U_i = A_i \cup B_i$ for $0 \le i \le 2^k - 1$. Then $(\mathcal{A}_n)_{\min} = \{U_i : 0 \le i \le 2^k - 1\}$.
Theorem: The information ratio of any secret-sharing scheme realizing the access structure constructed above is $\Omega(n / \log n)$.
40 Csirmaz's lower bound
Lemma: For every $0 \le i \le 2^k - 2$,
$H(B_i \cup A) - H(B_i) \ge H(B_{i+1} \cup A) - H(B_{i+1}) + H(S)$
Proof sketch of Theorem:
$\sum_{p_j \in A} H(\{p_j\}) \ge H(A) \ge H(B_0 \cup A) - H(B_0) \ge H(B_{2^k - 1} \cup A) - H(B_{2^k - 1}) + (2^k - 1) H(S) = \Omega(n) H(S)$.
This implies that $H(\{p_j\}) = \Omega(n / \log n) H(S)$ for at least one $p_j$.
Remark: Both the Lemma and the inequalities in the proof sketch are Shannon-type.
41 Lower bounds for linear secret sharing
Theorem: For any $n$, there exists an access structure $\mathcal{A}_n$ such that every monotone span program over any field accepting it has size $n^{\Omega(\log n)}$.
42 Limitations of known techniques for lower bounds
- No better lower bound has been found since Csirmaz's lower bound in 1994.
- Shannon-type information inequalities cannot help to improve the bound.
- All information inequalities with fewer than 6 random variables cannot help to improve the bound.
43 Open problems
Question 1: Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is $2^{\Omega(n)}$.
Question 2: Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain $\{0, 1\}$ is super-polynomial in $n$.
Question 3: Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is $2^{\Omega(n)}$.
44 Bibliography
- A. Beimel, Secret-sharing schemes: a survey, Coding and Cryptology, Springer, 2011.
- Q. Chen and R. W. Yeung, Partition-Symmetrical Entropy Functions, submitted to IEEE Trans. Info. Theory.
45 Discussion What can we do?
46 Thank you!
More informationGeneralized Oblivious Transfer by Secret Sharing
Generalized Oblivious Transfer by Secret Sharing Tamir Tassa Abstract The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds
More informationToday. Polynomials. Secret Sharing.
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need
More informationINFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING Changlu Lin State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China Key Lab. of Network Security
More informationOverview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy
Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping
More informationLecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007
G22.3033-013 Exposure-Resilient Cryptography 17 January 2007 Lecturer: Yevgeniy Dodis Lecture 1 Scribe: Marisa Debowsky 1 Introduction The issue at hand in this course is key exposure: there s a secret
More informationOn the Cryptographic Complexity of the Worst Functions
On the Cryptographic Complexity of the Worst Functions Amos Beimel 1, Yuval Ishai 2, Ranjit Kumaresan 2, and Eyal Kushilevitz 2 1 Dept. of Computer Science, Ben Gurion University of the Negev, Be er Sheva,
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 22 November 27, 2017 CPSC 467, Lecture 22 1/43 BBS Pseudorandom Sequence Generator Secret Splitting Shamir s Secret Splitting Scheme
More informationLecture 12: November 6, 2017
Information and Coding Theory Autumn 017 Lecturer: Madhur Tulsiani Lecture 1: November 6, 017 Recall: We were looking at codes of the form C : F k p F n p, where p is prime, k is the message length, and
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationSELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION
Journal of Applied Mathematics and Computational Mechanics 2016, 15(1), 39-47 www.amcm.pcz.pl p-issn 2299-9965 DOI: 10.17512/jamcm.2016.1.04 e-issn 2353-0588 SELECTED APPLICATION OF THE CHINESE REMAINDER
More informationLecture 8 - Cryptography and Information Theory
Lecture 8 - Cryptography and Information Theory Jan Bouda FI MU April 22, 2010 Jan Bouda (FI MU) Lecture 8 - Cryptography and Information Theory April 22, 2010 1 / 25 Part I Cryptosystem Jan Bouda (FI
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationIdeal Hierarchical Secret Sharing Schemes
Ideal Hierarchical Secret Sharing Schemes Oriol Farràs and Carles Padró Universitat Politècnica de Catalunya, Barcelona, Spain. Abstract. Hierarchical secret sharing is among the most natural generalizations
More informationRank Analysis of Cubic Multivariate Cryptosystems
Rank Analysis of Cubic Multivariate Cryptosystems John Baena 1 Daniel Cabarcas 1 Daniel Escudero 2 Karan Khathuria 3 Javier Verbel 1 April 10, 2018 1 Universidad Nacional de Colombia, Colombia 2 Aarhus
More informationOn the representability of the bi-uniform matroid
On the representability of the bi-uniform matroid Simeon Ball, Carles Padró, Zsuzsa Weiner and Chaoping Xing August 1, 2012 Abstract Every bi-uniform matroid is representable over all sufficiently large
More informationRELIABLE BIOMETRIC AUTHENTICATION WITH PRIVACY PROTECTION
RELIABLE BIOMETRIC AUTHENTICATION WITH PRIVACY PROTECTION E. VERBITSKIY, P. TUYLS, D. DENTENEER, J.P. LINNARTZ PHILIPS RESEARCH LABORATORIES PROF. HOLSTLAAN 4, AA 5656 EINDHOVEN, THE NETHERLANDS {EVGENY.VERBITSKIY,PIM.TUYLS,DEE.DENTENEER,J.P.LINNARTZ@PHILIPS.COM}
More informationQuantum walks public key cryptographic system (Extended Abstract)
Quantum walks public key cryptographic system (Extended Abstract) C. Vlachou 3 J. Rodrigues 1,2 P. Mateus 1,2 N. Paunković 1,2 A. Souto 1,2 1 SQIG - Instituto de Telecomunicações 2 Departamento de Matemática
More informationPREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS
PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS JAIME GUTIERREZ, ÁLVAR IBEAS, DOMINGO GÓMEZ-PEREZ, AND IGOR E. SHPARLINSKI Abstract. We study the security of the linear generator
More informationCube attack in finite fields of higher order
Cube attack in finite fields of higher order Andrea Agnesse 1 Marco Pedicini 2 1 Dipartimento di Matematica, Università Roma Tre Largo San Leonardo Murialdo 1, Rome, Italy 2 Istituto per le Applicazioni
More informationEfficient Multi-party Computation over Rings
Efficient Multi-party Computation over Rings Ronald Cramer 1, Serge Fehr 1, Yuval Ishai 2, and Eyal Kushilevitz 2 1 BRICS, Department of Computer Science, Århus University, Denmark {cramer,fehr}@brics.dk
More informationApplications of Galois Geometries to Coding Theory and Cryptography
Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013 1. Affine spaces 2. Projective
More informationReport on PIR with Low Storage Overhead
Report on PIR with Low Storage Overhead Ehsan Ebrahimi Targhi University of Tartu December 15, 2015 Abstract Private information retrieval (PIR) protocol, introduced in 1995 by Chor, Goldreich, Kushilevitz
More informationLinear Integer Secret Sharing and Distributed Exponentiation
Linear Integer Secret Sharing and Distributed Exponentiation Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We introduce the notion of Linear Integer Secret-Sharing
More informationSome results on the existence of t-all-or-nothing transforms over arbitrary alphabets
Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets Navid Nasr Esfahani, Ian Goldberg and Douglas R. Stinson David R. Cheriton School of Computer Science University of
More informationASPECIAL case of the general key agreement scenario defined
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL 49, NO 4, APRIL 2003 839 Secret-Key Agreement Over Unauthenticated Public Channels Part III: Privacy Amplification Ueli Maurer, Fellow, IEEE, and Stefan Wolf
More informationCOS597D: Information Theory in Computer Science September 21, Lecture 2
COS597D: Information Theory in Computer Science September 1, 011 Lecture Lecturer: Mark Braverman Scribe: Mark Braverman In the last lecture, we introduced entropy H(X), and conditional entry H(X Y ),
More informationCompartmented Secret Sharing Based on the Chinese Remainder Theorem
Compartmented Secret Sharing Based on the Chinese Remainder Theorem Sorin Iftene Faculty of Computer Science Al. I. Cuza University Iaşi, Romania siftene@infoiasi.ro Abstract A secret sharing scheme starts
More information