Secret Sharing. Qi Chen. December 14, 2015

Transcription

1 Secret Sharing Qi Chen December 14, 2015

2 What is secret sharing? A dealer: know the secret S and distribute the shares of S to each party A set of n parties P n {p 1,, p n }: each party owns a share Authorized subset of the parties:b P n can reconstruct the secret from their shares Unauthorized subset of the parties: T P n know nothing about the secret from their shares

3 Applications Secure storage Secure multiparty computation Threshold cryptography Byzantine agreement Access control Private information retrieval Atribute-based encryption General oblivious transfer...

4 Access structure The collection A of all authorized subsets is called the access structure of a secret sharing. Access structure is monotone, i.e., if A B and A A, then B A.

5 Access structure The collection A of all authorized subsets is called the access structure of a secret sharing. Access structure is monotone, i.e., if A B and A A, then B A. Example Let P 4 = {p 1,, p 4 }. Then A = {{p 1, p 2 }, {p 2, p 3 }, {p 3, p 4 }, {p 1, p 2, p 3 }, {p 1, p 2, p 4 }, {p 1, p 3, p 4 }, {p 2, p 3, p 4 }, {p 1, p 2, p 3, p 4 }} is an access structure.

6 Access structure Collection A of minimal sets in A Let A be the collection of minimal sets in A, i.e., B A if B A and for any C B, C A Access structure A is uniquely determined by A

7 Access structure Collection A of minimal sets in A Let A be the collection of minimal sets in A, i.e., B A if B A and for any C B, C A Access structure A is uniquely determined by A Example A = {{p 1, p 2 }, {p 2, p 3 }, {p 3, p 4 }}

8 Access structure Collection A of minimal sets in A Let A be the collection of minimal sets in A, i.e., B A if B A and for any C B, C A Access structure A is uniquely determined by A Example Remark A = {{p 1, p 2 }, {p 2, p 3 }, {p 3, p 4 }} Note that A is a Sperner family on P n, i.e, a collection of subsets of P n such that any two member of the collection does not contain each other. Sperner family is counted by Dedekind number which grows very fast with n. This imply the difficulty of secret sharing problem.

9 Definition by probability A distribution scheme Σ = Π, µ with domain of secret K µ is a probability distribution on some finite set R Π is a mapping from K R to a set of n-tuples K 1 K n, where K j is called the domain of shares of p j The dealer distributes k K according to Σ by first sampling a random string r R according to µ, computing a vector Π(k, r) = (s 1,, s n ) and privately communicating each share s j to party p j.

10 Definition by probability Scheme Σ is a secret-sharing scheme realizing an access structure A if the following two requirement hold: 1. (Correctness) For any B = {p i1,, p i B } A, there is a reconstruction function REC : K i1 : K i B K such that for any k K, Pr[REC(Π(k, r) B ) = k] = (Perfect Privacy) For any T A, for any a, b K, and for every possible vector of shares s j pj T : Pr[Π(a, r) T = s j pj T ] = Pr[Π(b, r) T = s j pj T ]

11 Definition by entropy Consider the secret be a random variable S on K, and each share be a random variable S j on K j. Then the scheme S = (S, S j ) pj P n is a secret-sharing scheme realizing access structure A if the following two conditions hold: 1. (Correctness) For any B A, H(S S B ) = 0 2. (Perfect Privacy) For any T A, H(S S T ) = H(S)

12 Definition by entropy Consider the secret be a random variable S on K, and each share be a random variable S j on K j. Then the scheme S = (S, S j ) pj P n is a secret-sharing scheme realizing access structure A if the following two conditions hold: 1. (Correctness) For any B A, H(S S B ) = 0 2. (Perfect Privacy) For any T A, H(S S T ) = H(S) Remark For perfect privacy, the condition can be written as I (S; S T ) = 0. If we modify the condition to I (S; S T ) = a T for some 0 a T H(S), then modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.

13 Equivalence of two definitions Theorem Two definitions of secret sharing are equivalent. For any Σ = (Π, µ) realizing access structure A, we can construct a random vector S = (S, S j ) pj P n realizing A. For any random vector S = (S, S j ) pj P n realizing A, we can accordingly construct a Σ = (Π, µ) realizing A

14 Information ratio Information ratio by the definition of probability ρ Σ max 1 j n log K j log K Information ratio by the definition of entropy ρ S max 1 j n H(S j ) H(S)

15 Information ratio Information ratio by the definition of probability ρ Σ max 1 j n log K j log K Information ratio by the definition of entropy ρ S max 1 j n H(S j ) H(S) Corollary if Σ corresponds to S. ρ Σ = ρ S

16 The fundamental problem of secret sharing: optimal information ratio Let N = {s} P n and Γ N the entropy function region on N. Let A be an access structure on P n. Then the optimal information ratio on A is where ρ A max 1 j n h({p j }) inf h Γ N Φ A h({s}) Φ A = {h : h({s} B) = h(b) B A, h({s} T ) = h({s}) + h(t ) T A}

17 Shamir s threshold scheme For 1 t n, let A t,n = {A P n : A t}. Then A t,n is a access structure with threshold t. It can be realised by Shamir s scheme in the following Let K = F q, where q > n is a prime power. Let α 1,, α n F q be n distinct non-zero elements known to all parties. The dealer uniformly choose a 1,, a t 1 F q and generate a polynomial P(x) = k + t 1 i=1 a ix i. The share of p j is s j = P(α j )

18 Shamir s threshold scheme Correctness For any B = {p i1,, p it } A t,n, let Q(x) = t l=1 s il 1 j t,j l α ij x α ij α il. Note that Q(α il ) = s il = P(α il ) for 1 l t which implies that Q(x) = P(x) and Q(0) = P(0) = k.

19 Shamir s threshold scheme Perfect privacy For any T = {p i1,, p it 1 }, t 1 shares with each secret a F q, uniquely determines a polynomial P a (x) with P a (0) = a and P a (α il ) = s il for 1 l t 1. Hence Pr[Π(a, r) T = s il 1 l t 1 ] = 1 q t 1 The privacy follows from the probability is the same for every a F q

20 Shamir s threshold scheme Perfect privacy For any T = {p i1,, p it 1 }, t 1 shares with each secret a F q, uniquely determines a polynomial P a (x) with P a (0) = a and P a (α il ) = s il for 1 l t 1. Hence Pr[Π(a, r) T = s il 1 l t 1 ] = 1 q t 1 The privacy follows from the probability is the same for every a F q Information ratio The information ratio is 1 since K j = K = F q It is the optimal information ratio on the access structure A t,n

21 Shamir s threshold scheme by entropy Let Γ N be the polymatroidal region on N. Let p = {{s}, P n } be a partition of N. Lemma Ψ p = Ψ p where Ψ p = Γ N C A t,n, Ψ p = Γ N C At,n and C At,n = {h : h(a) = h(b), h({s} A) = h({s} B), if A = B A, B P n }

22 Shamir s threshold scheme by entropy For simplicity, let ρ t,n = ρ At,n and Φ t,n = Φ At,n. Then ρ t,n = max 1 j n h({p j }) inf h Γ N Φt,n h({s}) where Φ t,n = {h :h({s} B) = h(b) if B t, h({s} B) = h({s}) + h(b) if B < t}

23 Shamir s threshold scheme by entropy For simplicity, let ρ t,n = ρ At,n and Φ t,n = Φ At,n. Then ρ t,n = max 1 j n h({p j }) inf h Γ N Φt,n h({s}) where Φ t,n = {h :h({s} B) = h(b) if B t, h({s} B) = h({s}) + h(b) if B < t} Theorem ρ t,n = inf h Ψ p Φt,n max 1 j n h({p j }) h({s})

24 Shamir s threshold scheme by entropy Theorem The solution is and ρ t,n = max 1 j n h({p j }) min h Ψ p Φ t,n h({s}) ρ t,n = 1 arg min ρ t,n = {h : au t,n+1, a > 0}

25 Shamir s threshold scheme by entropy Theorem The solution is and ρ t,n = max 1 j n h({p j }) min h Ψ p Φ t,n h({s}) ρ t,n = 1 arg min ρ t,n = {h : au t,n+1, a > 0} Remark This result can be generalized to non-perfect threshold scheme.

26 Linear secret-sharing scheme Definition A secret-sharing scheme is linear if Secret s F Each ramdom string r R is a vector and each entry of r is chosen independent with uniform distribution from F Each share s j is a vector and each entry of s j is a fixed linear combination of the secret s and the coordinates of the random string r.

27 Linear secret-sharing scheme Definition A secret-sharing scheme is linear if Secret s F Each ramdom string r R is a vector and each entry of r is chosen independent with uniform distribution from F Each share s j is a vector and each entry of s j is a fixed linear combination of the secret s and the coordinates of the random string r. Shamir s threshold scheme is linear.

28 Linear secret-sharing scheme Monotone span program A monotone span program is a triple M = (F, M, ρ), where F is a field, M is an a b matrix over F and ρ : {1,, a} {p 1,, p n } labels each row of M by a party.

29 Linear secret-sharing scheme Monotone span program A monotone span program is a triple M = (F, M, ρ), where F is a field, M is an a b matrix over F and ρ : {1,, a} {p 1,, p n } labels each row of M by a party. Example Consider the following monotone span program (F 17, M, ρ), where M = and ρ(1) = ρ(2) = p 2, ρ(3) = p 1 and ρ(4) = p 4.

30 Linear secret-sharing scheme Monotone span program For any A P n, let M A denote the sub-matrix obtained by restricting M to the rows labeled by parties in A. M accepts B if the rows of M B span the vector e 1 = (1, 0,, 0). M accepts access structure A if M accepts a set B iff B A.

31 Linear secret-sharing scheme Monotone span program For any A P n, let M A denote the sub-matrix obtained by restricting M to the rows labeled by parties in A. M accepts B if the rows of M B span the vector e 1 = (1, 0,, 0). M accepts access structure A if M accepts a set B iff B A. Example Consider B = {p 1, p 2 } and T = {p 1, p 3 }. Then M B = and M T = [ ] It can be checked M B spans e 1 but M T does not. We can check further that A = {{p 1, p 2 }, {p 2, p 3 }}.

32 Linear secret-sharing scheme Theorem Let M = (F, M, ρ) be a monotone span program accepting an access structure A, where F is a finite field and for every j there a j rows of M labeled by p j. Then, there is a linear secret-sharing scheme realizing A such that the share of party p j is a vector in F a j. The information ratio of the resulting scheme is max 1 j n a j.

33 Linear secret-sharing scheme Theorem Let M = (F, M, ρ) be a monotone span program accepting an access structure A, where F is a finite field and for every j there a j rows of M labeled by p j. Then, there is a linear secret-sharing scheme realizing A such that the share of party p j is a vector in F a j. The information ratio of the resulting scheme is max 1 j n a j. Theorem Let Γ L N be the region bounded by Shannon-type information inequalities and linear rank inequalities over N. Then the optimal information ratio of linear scheme on A is ρ A where Φ A is defined as above. max 1 j n h({p j }) inf h Γ L N Φ A h({s})

34 Lower bounds on the information ratio Theorem Let p j be a non-redundant party in A and let Σ be any secret-sharing scheme realizing A, then K j K which implies that ρ A 1 for any A.

35 Lower bounds on the information ratio Theorem Let p j be a non-redundant party in A and let Σ be any secret-sharing scheme realizing A, then K j K which implies that ρ A 1 for any A. Ideal secrete-sharing scheme For a secret-sharing scheme, if its information ratio is 1, it is called an ideal secret-sharing scheme.

36 Csirmaz s lower bound Csirmaz s access structure We define access structure A n by its minimal set A n. Let k be the largest integer such that 2 k + k 1 n. Let B = {p 1,, p 2 k 1} and define B 0 = and B i = {p 1,, p i } for 1 i 2 k 1. Let A = {p 2 k,, p 2 k +k 1}, and A = A 0, A 1,, A 2 k 1 = be all the subsets of A such that if i < i, then A i A i. Define U i = A i B i for 0 i 2 k 1. Then A n = {U i : 0 i 2 k 1}.

37 Csirmaz s lower bound Csirmaz s access structure We define access structure A n by its minimal set A n. Let k be the largest integer such that 2 k + k 1 n. Let B = {p 1,, p 2 k 1} and define B 0 = and B i = {p 1,, p i } for 1 i 2 k 1. Let A = {p 2 k,, p 2 k +k 1}, and A = A 0, A 1,, A 2 k 1 = be all the subsets of A such that if i < i, then A i A i. Define U i = A i B i for 0 i 2 k 1. Then A n = {U i : 0 i 2 k 1}. Theorem The information ratio of secret-sharing scheme realizing access structure constructed above is Ω(n/ log n).

38 Csirmaz s lower bound Lemma For every 0 i 2 k 2, H(B i A) H(B i ) H(B i+1 ) H(B i+1 ) + H(S)

39 Csirmaz s lower bound Lemma For every 0 i 2 k 2, H(B i A) H(B i ) H(B i+1 ) H(B i+1 ) + H(S) Proof sketch of Theorem H({p j }) H(A) p j A H(B 0 A) H(B 0 ) H(B 2 k 1 A) H(B 2 k 1) + (2 k 1)H(S) = Ω(n)H(S). This implies that H({p j }) = Ω(n/ log n)h(s) for at least one p j.

40 Csirmaz s lower bound Lemma For every 0 i 2 k 2, H(B i A) H(B i ) H(B i+1 ) H(B i+1 ) + H(S) Proof sketch of Theorem H({p j }) H(A) p j A H(B 0 A) H(B 0 ) H(B 2 k 1 A) H(B 2 k 1) + (2 k 1)H(S) = Ω(n)H(S). This implies that H({p j }) = Ω(n/ log n)h(s) for at least one p j. Remark Both Lemma and the inequalities in the proof sketch are Shannon-type.

41 Lower bounds for linear secret sharing Theorem For any n, there exists an access structure A n sucht that every monotone span program over any field accepting it has size n Ω(log n).

42 Limitations of known techniques for lower bounds No better lower bound is found since Csirmaz s lower bound in 1994 Shannon-type information inequalities can not help to improve the bound All information inequalities with less than 6 random variables can not help to improve the bound

43 Open problems Question 1 Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is 2 Ω(n). Question 2 Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain {0, 1} is super-polynomial in n. Question 3 Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is 2 Ω(n).

44 Bibiography A. Beilmel, Secret-sharing schemes: a survey, Coding and cryptology, 2011-Springer. Q. Chen and R. W. Yeung, Partition-Symmetrical Entropy Functions, submitted to IEEE Trans. Info. Theory.

45 Discussion What can we do?

46 Thank you!