Multiparty Computation (MPC) Arpita Patra
MPC offers more than Traditional Crypto! > MPC goes BEYOND traditional Crypto > Models the distributed computing applications that simultaneously demands usability and privacy of sensitive data
Satellite Collision in Space
Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs
List of High-speed Collisions The 1996 collision between the French Cerise military reconnaissance satellite and debris from Ariane rocket The 2009 collision between the Iridium 33 communications satellite and the derelict Russian Kosmos 2251 spacecraft over Siberia, which resulted in the destruction of both satellites The 22 May 2013 collision between Ecuador's NEE-01 Pegaso and Argentina's CubeBug-1, and the particles of a debris cloud left over from the launch of Kosmos 1666 On Jan. 22, 2013, debris from the destroyed Chinese satellite Fengyun 1C collided with a small Russian laser-ranging retroreflector satellite called BLITS ("Ball Lens in The Space").
Preventing Satellite Collision in Space NASA tracks 7,000 space crafts and 21,000 objects (space debris) in space Approximately 20,00,00,000 pairs High-accuracy positional information is privy to operators National secret
Secure Multiparty Computation (MPC) MPC is the holy grail >> n parties P 1,...,P n some are corrupted >> P i has private input x i >> A common n-input function f Goals: >> Correctness: Compute f(x 1,x 2,..x n ) >> Privacy: Nothing beyond function output should be leaked. Applications: (Dual need of data privacy & data usability) E-voting Biometrics E-auction Data Mining Bioinformatics
The Goal of MPC x 1 x 2 x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world
The Goal of MPC x 1 x 2 y y y y x 3 x4 y = f(x 1,x 2,x 3,x 4 ) REAL world
The Goal of MPC x 1 x 2 x 1 x 2 y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4
The Goal of MPC x 1 x 2 x 1 x 2 y y y Any task y y Invisible x 3 x 4 IDEAL world y = f(x 1,x 2,x 3,x 4 ) x 3 REAL world x4
Important Parameters of an MPC Protocol 1. Communication Complexity (b) : Total number of bits communicated by the honest parties 2. Round Complexity (r) : Total number of rounds of interaction in the protocol
Two models of MPC for any function f Boolean Circuit (AND, OR, NOT, XOR) Arithmetic Circuit over finite field (Addition and Multiplication) x 1 x 2 x 3 x 4 x 1 x 2 x 3 x 4 + f(x 1, x 2, x 3, x 4 ); inputs are bits f(x 1, x 2, x 3, x 4 ); inputs are field elements Secure Circuit evaluation: Nothing other than the output gate value will be revealed
Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret
(n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s
Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i
Secure Circuit Evaluation 2 1 5 9 3 y
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 48 144
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 144
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144
Secure Circuit Evaluation 2 1 5 9 Privacy follows (intuitively) because: 3 48 45 3 1. No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144
One Significant Contribution Underlying Network: Synchronous Asynchronous NO Efficient MPC protocols
Synchronous Model Global Clock Channels have fixed delay x Knows how long to wait... Compute and send x... Wait to receive x
Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x
Asynchronous Model No Global Clock Channels have arbitrary yet finite delay x Does not Know how long to wait... Compute and send x... Wait to receive x
n parties Challenges in Asynchronous Model n parties and t corrupted x 1 Cannot wait for all Else endless waiting x 2 can afford to wait to listen from (n-t) parties x n But leads to ignoring messages of t honest parties
Synchronous vs. Asynchronous Linear (O(n)) overhead MPC O(n 3 ) overhead MPC Our contribution: Journal of Cryptology: O(n 2 ) overhead MPC without error DISC 14 (Full version submitted to IEEE Transactions on Information Theory): O(n) overhead MPC with negligible error Scalable Solution (par party communication is independent of no. of parties)
Adaptive Corruption stronger than Static Corruption Hackers constantly trying to break into computers running secure protocols but could do so after the protocol has started. The attacker first looks at the communication and then decide who to corrupt (not allowed in static model)
Static vs. Adaptive Efficient; Constant Round MPC In-efficient; NO constant MPC Our contribution: >> TCC 14 (Full version awaiting acceptance in Journal of Cryptology): Proposed slightly restricted models (one adaptive corruption). Proposed solutions static protocols >> PODC 15 (Full version submitted to Journal of Cryptology): Proposed yet another practical model (partial erasure). Proposed solutions static protocols partial erasure)
Threshold Adversary Assumption: any t out of n parties can be corrupted t is the threshold which t don t known
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Secret s Dealer
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Less than t +1 parties have no info about the secret
(n, t) - Secret Sharing [Shamir 1979, Blackley 1979] Sharing Phase Secret s Dealer v 1 v 2 v 3 v n Reconstruction Phase Secret s t +1 parties can reconstruct the secret
(n,t) Secret Sharing s Linear : (n,t) Secret Sharing of secret s For MPC: Linear (n,t) Secret Sharing Linearity: The parties can do the following s 1 s 2 from s 1 s 2 c s from c: public constant s
Reconstruction of Linearly Shared Secrets The efficiency of MPC reduces to the efficiency of reconstructing a secret >> Part I: How to reconstruct a secret efficiently? > Semi-honest Model: (n,t) secret sharing and reconstruction with linear (O(n)) overhead; > Malicious Model: (n 3t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 3t+1 is necessary and sufficient for error-free reconstruction > Malicious Model: (n 2t+1,t) secret sharing and reconstruction with linear (O(n)) overhead; n 2t+1 is necessary and sufficient for reconstruction >> Part II: How MPC reduces to reconstruction of secrets? > Semi-honest Model: Linear Overhead MPC > Malicious Model: Linear Overhead Error-free MPC with n 3t+1 > Malicious Model: Linear Overhead MPC with n 2t+1
Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries Secret x is Shamir-Shared if Random polynomial of degree t x 1 x 2 x 3 x n P 1 P 2 P 3 P n
Reconstruction of Shamir-sharing: (n,t) - Secret Sharing for Semi-honest Adversaries P 1 x 1 P 2 x 2 P i P 3 x 3 P n x n Lagrange s Interpolation The same is done for all P i Communication Complexity (CC): O(n 2 )
Efficient Reconstruction of (n,t)- Shamir for Semi-honest Adversaries >> Can we do better? O(n) Easy P 1 x 1 Because we are assuming semi-honest adversaries. P 1 P 2 x 2 P 2 P 1 x P 3 x 3 P 3 P n x n P n Challenge: Linear Solution tolerating malicious adversaries
Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction Possible to get back x!! P 2 x 2 >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t 2t P i >> Fundamental result: distance 2 errors P 3 x x 3 P n x n x n The same is done for all P i Communication Complexity (CC): O(n 2 )
Efficient Reconstruction of (n 3t+1,t) - Shamir Secret Sharing for Malicious Adversaries >> Can we do better? O(n) Can we use the same trick as before? P 1 x 1 P 1 P 2 x 2 P 2 P 1 Error correct and get x P 3 x 3 P 3 P n x n P n Trick for semi-honest adversaries does not work
Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 1 a 1 Local Computation b 2 P 2 a t b n P n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Communication Complexity: O(n 2 )
Reconstruction of (t+1) secrets with O(n 2 ) Cost for n 3t+1 a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t The same is done for all P i Amortized Communication CC /secret: Complexity O(n) (CC): O(n 2 )
Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 Error Correction NOT Possible! >> Shamir-sharing Reed-Solomon Code (linear) with distance n-t t P 2 P 3 P n x 2 x x 3 x n x n P i >> Fundamental result: distance 2 errors >> Enhance the secret sharing in such a way that a party cannot lie about his share >> If they lie, they will be detected as corrupted >> Use information-theoretic MACs
Information Theoretic MACs Message: MAC: a MAC K (a) MAC Key: K a, MAC K (a) Accept a, MAC K (a) Reject
Information Theoretic MAC a K = (α, β) from F MAC K (a) = α a + β a, MAC K (a) Accept a, MAC K (a) Reject
Homomorphic Information Theoretic MAC a MAC K1 (a) = α a + β 1 b MAC K2 (b) = α b + β 2 K 1 = (α, β 1 ) K 2 = (α, β 2 ) a + b MAC K (a + b) = MAC K1 (a) + MAC K2 (b) = α (a + b) + (β 1 + β 2 ) K = (α, β 1 + β 2 ) No interaction needed. We can use similar trick for multiplication by publicly known constant and again no need of interaction.
Enhanced Shamir-sharing: (n 2t+1,t) - Secret Sharing for Malicious Adversaries Secret s is enhanced-shamir- Shared if s is Shamir-shared + Pairwise MACs P 1 x 1 MAC 1 (x 1 ) MAC 2 (x 1 ) MAC n (x 1 ) K 1 K 2 P 2 x 2 P 3 x 3 P n x n K n The same holds for all P i Enhanced-Shamir-Sharing is also linear
Reconstruction of (n 2t+1,t) - Shamir Secret Sharing for Malicious Adversaries P 1 x 1 MAC i (x 1 ) P 2 x 2 MAC i (x 2 ) P i Verify with K 1. If accept, keep x 1 Verify with K 2. If accept, keep x 2 P 3 x x 3 MAC i (x 3 ) Verify with K 3. If reject, ignore x 3 P n xx n MAC i (x i (x n ) n ) Will have at least t+1 accepted shares (from the honest parties) The same is done for all P i Communication Complexity (CC): O(n 2 )
Efficient Reconstruction of (n 2t+1,t) Enhanced Shamir Secret Sharing for Malicious Adversaries a 0 b 1 P 0 b 0 a 1 Local Computation b 2 P 1 b 1 P i >> Apply Error Correction >> Obtain f(x) But Error Correction does not work a t b n P n b n f(x) = a 0 + a 1 x + + a t x t b i = f(i) = a 0 + a 1 i + + a t i t Does the trick for 3t+1 work? Challenge: Linear Overhead tolerating malicious adversaries for n 2t+1
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 12 b 1n a 20 a 2i a 2t b 21 b 21 b 2n Local Computation a n0 a ni a nt b n1 b n2 b nn f 0 (x) = a 00 + a 01 x + + a 0t x t b 0j = f 0 (j) = a 00 + a 01 j + + a 0t j t j =1,..,n
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 a 10 a 1i a 1t b 11 b 1i b 1n a 20 a 2i a 2t b 21 b 2i b 2n Local Computation a n0 a ni a nt b n1 b ni b nn A n.(t+1) B n.n f i (x) = a i0 + a i1 x + + a it x t b ij = f i (j) = a i0 + a i1 j + + a it j t j =1,..,n t+1 columns of B matrix are required to reconstruct A
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n b 21 b 2i b 2n b n1 b ni b nn P 1 P i P n Communication Complexity: O(n 3 )
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 11 b 1i b 1n >> If the parties honestly communicate their column to every other party, we are done. b 21 b 2i b 2n >> But there is no guarantee that a corrupted P i will do that. b n1 b ni b nn >> Prevent a party from sending a wrong column (he should be caught if he does so) P 1 P i P n Communication Complexity: O(n 3 )
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i b ni r ni P i P j r 1i b 1i + r 2i b 2i.. + r ni b ni r 1i, r 2i.., r ni are remains hidden from everyone
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i r 1i b 2i r 2i >> A corrupted P i will fail very high probability. >> P j will ignore P i s column b ni r ni P j Verify if the sum is same as the below (r 1i b 1i + r 2i b 2i.. + r ni b ni ) How P j can compute (r 1i b 1i + r 2i b 2i.. + r ni b ni ) without revealing his random choice.
Reconstruction of n(t+1) secrets with O(n 3 ) Cost for n 2t+1 b 1i E(r 1i ) E(r 1i b 1i +..+ r ni b ni b 2i E(r 2i ) b ni E(r ni ) P j E(r 1i b 1i +..+ r ni b ni ) Decrypt r 1i b 1i +..+ r ni b ni (pk,sk): Homomorphic Encryption For each pair of parties Communication Complexity: O(n)
Part II: Reduction from MPC to Reconstruction of Secrets Reduction holds for any linear secret sharing
Secure Circuit Evaluation x 1 x 2 x 3 x 4 y c
Secure Circuit Evaluation 2 1 5 9 3 y
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 3 2. Find (n, t)-sharing of each intermediate value
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 48 144
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 144
Secure Circuit Evaluation 2 1 5 9 1. (n, t)- secret share each input 2. Find (n, t)-sharing of each intermediate value 3 45 3 Linear gates: Linearity of Shamir Sharing - Non-Interactive 48 Non-linear gate: Require degreereduction Technique. Interactive 144
Secure Circuit Evaluation 2 1 5 9 3 48 45 3 144 1. (n, t)- secret share each input Reduction to one reconstruction 2. Find (n, t)-sharing of each intermediate value Linear gates: Linearity of Shamir Sharing - Non-Interactive Non-linear gate: Require degreereduction Technique. Interactive Reduction to two reconstructions 3. Open output by Reconstruction algorithm
Secure Circuit Evaluation 2 1 5 9 Privacy follows (intuitively) because: 3 48 45 3 1. No inputs of the honest parties are leaked. 2. No intermediate value is leaked. 144
Beaver s Circuit-randomization Technique for Multiplication Don Beaver CRYPTO 91 2 1 5 9 3 3
Beaver s Circuit-randomization Technique for Multiplication 2 1 5 9 a b ab 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 1 1 1 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 1 6 6 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication Ex: 2 1 5 9 5 2 10 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication 2 1 5 9 a b ab 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b 2 1 5 9 a b ab 3 3 Multiplication Triple
Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate 2 1 5 9 a b ab 3 3 Two reconstructions Linear operations
Beaver s Circuit-randomization Technique for Multiplication Random and Private a, b Independent of the multiplication gate 2 1 5 9 a b ab 3 45 3 Two reconstructions Linear operations
Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit x 1 x 2 x 3 x 4 3
Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x 4 3
Secure Circuit Evaluation Using Beaver Circuit Randomization Let M be the number of multiplication gates in the circuit Ask triple-oracle for M multiplication triples x 1 x 2 x 3 x 4 5 2 10 2 2 4 3 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 3 2 2 4 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 3 2 2 4 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 3 2 2 4 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 16 1 0 0
Secure Circuit Evaluation Using Beaver Circuit Randomization 2 2 2 2 5 2 10 4 4 3 2 2 4 16 1 0 0
Why Beaver s Trick is Useful Offline Phase- Online Phase Paradigm Offline Phase: Sitting Idle, Generate as many shared triples as possible---raw data Online Phase: Use the raw data for circuit evaluation. Triple generation parallelizable efficiency On the contrary, multiplications gates can not be evaluated in parallel
Online Complexity How efficiently can we reconstruct a shared secret? s Reconstruction cost of one shared secret = Cost Per Multiplication (asymptotically) 1. Generate shared data s 2. Implement the oracle
Beaver s Circuit Randomization Technique xy = ((x-a) +a)((y-b)+b) = (α + a)(β + b) = ab + α b +β a + α β xy = ab + α b a + β + α β α = x-a β = y-b
Beaver s Circuit Randomization Technique x y a b ab x-a xy
Beaver s Circuit Randomization Technique y b ab x a x-a Open α = x-a y-b Open β = y-b α b a β (α β) xy
Linearity of (n, t) Shamir Secret Sharing say t = 1 a
Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 b 1 b 2 b 3 b 4 each party does locally b a b 1 b 2 b 4 a 1 a 2 a 3 a 4 c 1 c 2 c 3 c 4 1 2 3 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a b a 1 a 2 a 3 a 4 Addition is Absolutely free c 1 c 2 c 3 c 4 ab b b b 4 2 1 b 1 b 2 b 3 b 4 b a 1 a 2 a 3 a 4 a ab c 1 c 2 c 3 c 4 1 2 3 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 a a 1 a 2 a 3 a 4 1 2 3 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a c is a publicly a 1 a 2 a 3 a known constant 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4
Linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 Multiplication by public constants is Absolutely free ca d 1 d 2 d 3 d 4 ca c c c c a a 1 a 2 a 3 a 4 1 2 3 4 d 1 d 2 d 3 d 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 d 1 d 2 d 3 d 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a a 1 a 2 a 3 a 4 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 d 4 d 3 a a 1 a 2 a 3 a 4 d 1 d 2 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4
Non-linearity of (n, t) Shamir Secret Sharing say t = 1 a Multiplication of shared d 4 secrets is not free ab d 2 d a 1 a 2 a 3 a 1 4 d 3 b b 1 b 2 b 3 b 4 b b 1 b 2 b 3 b 4 a a 1 a 2 a 3 a 4 ab d 1 d 2 d 3 d 4 1 2 3 4
Linear (n,t) Secret Sharing s 1 s = 2 s 1 + s 2 Linear Operation c s = c s s 1 s 2 s 2 s 1 Non-Linear Operation L
An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n
An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box P n
An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 P n Any t parties cannot open the box
An Abstract Tool for the Generic Solution (n, t) LOCKED BOX REPRESENTATION A secret s is locked in the box P 1 P 2 Any t parties cannot open the box Any (t + 1) parties can open the box P n