Secret Sharing. Qi Chen. December 14, 2015

What is secret sharing?
A dealer: knows the secret $S$ and distributes the shares of $S$ to each party.
A set of $n$ parties $P_n = \{p_1, \dots, p_n\}$: each party owns a share.
Authorized subset of the parties: $B \subseteq P_n$ can reconstruct the secret from their shares.
Unauthorized subset of the parties: $T \subseteq P_n$ learns nothing about the secret from their shares.

Applications
Secure storage, secure multiparty computation, threshold cryptography, Byzantine agreement, access control, private information retrieval, attribute-based encryption, general oblivious transfer, ...

Access structure
The collection $\mathcal{A}$ of all authorized subsets is called the access structure of a secret-sharing scheme. An access structure is monotone, i.e., if $A \subseteq B$ and $A \in \mathcal{A}$, then $B \in \mathcal{A}$.
Example. Let $P_4 = \{p_1, \dots, p_4\}$. Then $\mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}, \{p_1, p_2, p_3\}, \{p_1, p_2, p_4\}, \{p_1, p_3, p_4\}, \{p_2, p_3, p_4\}, \{p_1, p_2, p_3, p_4\}\}$ is an access structure.

Access structure: the collection of minimal sets in $\mathcal{A}$
Let $\min \mathcal{A}$ be the collection of minimal sets in $\mathcal{A}$, i.e., $B \in \min \mathcal{A}$ if $B \in \mathcal{A}$ and for any $C \subsetneq B$, $C \notin \mathcal{A}$. The access structure $\mathcal{A}$ is uniquely determined by $\min \mathcal{A}$.
Example. For the access structure above, $\min \mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}\}$.
Remark. Note that $\min \mathcal{A}$ is a Sperner family on $P_n$, i.e., a collection of subsets of $P_n$ such that no two members of the collection contain each other. Sperner families are counted by the Dedekind numbers, which grow very fast with $n$. This indicates the difficulty of the secret sharing problem.

Definition by probability
A distribution scheme $\Sigma = \langle \Pi, \mu \rangle$ with domain of secrets $K$:
$\mu$ is a probability distribution on some finite set $R$;
$\Pi$ is a mapping from $K \times R$ to a set of $n$-tuples $K_1 \times \dots \times K_n$, where $K_j$ is called the domain of shares of $p_j$.
The dealer distributes $k \in K$ according to $\Sigma$ by first sampling a random string $r \in R$ according to $\mu$, computing a vector $\Pi(k, r) = (s_1, \dots, s_n)$ and privately communicating each share $s_j$ to party $p_j$.

Definition by probability
Scheme $\Sigma$ is a secret-sharing scheme realizing an access structure $\mathcal{A}$ if the following two requirements hold:
1. (Correctness) For any $B = \{p_{i_1}, \dots, p_{i_{|B|}}\} \in \mathcal{A}$, there is a reconstruction function $\mathrm{REC}_B : K_{i_1} \times \dots \times K_{i_{|B|}} \to K$ such that for any $k \in K$, $\Pr[\mathrm{REC}_B(\Pi(k, r)_B) = k] = 1$.
2. (Perfect Privacy) For any $T \notin \mathcal{A}$, for any $a, b \in K$, and for every possible vector of shares $\langle s_j \rangle_{p_j \in T}$: $\Pr[\Pi(a, r)_T = \langle s_j \rangle_{p_j \in T}] = \Pr[\Pi(b, r)_T = \langle s_j \rangle_{p_j \in T}]$.

Definition by entropy
Consider the secret to be a random variable $S$ on $K$, and each share a random variable $S_j$ on $K_j$. Then the scheme $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ is a secret-sharing scheme realizing access structure $\mathcal{A}$ if the following two conditions hold:
1. (Correctness) For any $B \in \mathcal{A}$, $H(S \mid S_B) = 0$.
2. (Perfect Privacy) For any $T \notin \mathcal{A}$, $H(S \mid S_T) = H(S)$.
Remark. For perfect privacy, the condition can be written as $I(S; S_T) = 0$. If we modify the condition to $I(S; S_T) = a_T$ for some $0 \le a_T \le H(S)$, the modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.

Equivalence of the two definitions
Theorem. The two definitions of secret sharing are equivalent. For any $\Sigma = (\Pi, \mu)$ realizing access structure $\mathcal{A}$, we can construct a random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$. For any random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$, we can accordingly construct a $\Sigma = (\Pi, \mu)$ realizing $\mathcal{A}$.

Information ratio
Information ratio by the definition by probability: $\rho_\Sigma = \max_{1 \le j \le n} \frac{\log |K_j|}{\log |K|}$.
Information ratio by the definition by entropy: $\rho_{\mathbf{S}} = \max_{1 \le j \le n} \frac{H(S_j)}{H(S)}$.
Corollary. If $\Sigma$ corresponds to $\mathbf{S}$, then $\rho_\Sigma = \rho_{\mathbf{S}}$.

The fundamental problem of secret sharing: optimal information ratio
Let $N = \{s\} \cup P_n$ and $\Gamma^*_N$ the entropy function region on $N$. Let $\mathcal{A}$ be an access structure on $P_n$. Then the optimal information ratio on $\mathcal{A}$ is
$$\rho_{\mathcal{A}} = \inf_{h \in \Gamma^*_N \cap \Phi_{\mathcal{A}}} \max_{1 \le j \le n} \frac{h(\{p_j\})}{h(\{s\})},$$
where
$$\Phi_{\mathcal{A}} = \{h : h(\{s\} \cup B) = h(B)\ \forall B \in \mathcal{A},\ h(\{s\} \cup T) = h(\{s\}) + h(T)\ \forall T \notin \mathcal{A}\}.$$

Shamir's threshold scheme
For $1 \le t \le n$, let $\mathcal{A}_{t,n} = \{A \subseteq P_n : |A| \ge t\}$. Then $\mathcal{A}_{t,n}$ is an access structure with threshold $t$. It can be realised by Shamir's scheme as follows. Let $K = \mathbb{F}_q$, where $q > n$ is a prime power. Let $\alpha_1, \dots, \alpha_n \in \mathbb{F}_q$ be $n$ distinct non-zero elements known to all parties. The dealer uniformly chooses $a_1, \dots, a_{t-1} \in \mathbb{F}_q$ and generates the polynomial $P(x) = k + \sum_{i=1}^{t-1} a_i x^i$. The share of $p_j$ is $s_j = P(\alpha_j)$.

Shamir's threshold scheme: correctness
For any $B = \{p_{i_1}, \dots, p_{i_t}\} \in \mathcal{A}_{t,n}$, let
$$Q(x) = \sum_{l=1}^{t} s_{i_l} \prod_{1 \le j \le t,\ j \ne l} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_l}}.$$
Note that $Q(\alpha_{i_l}) = s_{i_l} = P(\alpha_{i_l})$ for $1 \le l \le t$, which implies that $Q(x) = P(x)$ (both have degree at most $t-1$ and agree at $t$ points) and $Q(0) = P(0) = k$.

Shamir's threshold scheme: perfect privacy
For any $T = \{p_{i_1}, \dots, p_{i_{t-1}}\}$, the $t-1$ shares together with each candidate secret $a \in \mathbb{F}_q$ uniquely determine a polynomial $P_a(x)$ with $P_a(0) = a$ and $P_a(\alpha_{i_l}) = s_{i_l}$ for $1 \le l \le t-1$. Hence
$$\Pr[\Pi(a, r)_T = \langle s_{i_l} \rangle_{1 \le l \le t-1}] = \frac{1}{q^{t-1}}.$$
Privacy follows because this probability is the same for every $a \in \mathbb{F}_q$.
Information ratio. The information ratio is 1 since $|K_j| = |K| = |\mathbb{F}_q|$. It is the optimal information ratio on the access structure $\mathcal{A}_{t,n}$.
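Shamir's scheme as described on the last three slides, written out as an added example (this code is not part of the original slides): sharing with $P(x) = k + \sum a_i x^i$, reconstruction in the Lagrange form $Q(x)$ above, and a brute-force check of the perfect-privacy claim that $t-1$ shares are consistent with exactly one polynomial for every candidate secret. The field $\mathbb{F}_7$, the threshold $t = 3$ and the evaluation points are constructed parameters.

```python
from itertools import product

Q = 7                    # constructed: prime field size, q > n
ALPHAS = [1, 2, 3, 4]    # constructed: public distinct non-zero alpha_j, n = 4

def eval_poly(coeffs, x, q=Q):
    """Evaluate k + a_1 x + ... + a_{t-1} x^{t-1} over F_q; coeffs = [k, a_1, ..., a_{t-1}]."""
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q

def share(secret, rand, alphas=ALPHAS, q=Q):
    """Dealer: s_j = P(alpha_j) where rand = (a_1, ..., a_{t-1}) is the random string r."""
    return [eval_poly([secret] + list(rand), a, q) for a in alphas]

def reconstruct(points, q=Q):
    """Q(0) from t pairs (alpha_{i_l}, s_{i_l}) using the Lagrange form on the slide."""
    k = 0
    for l, (x_l, s_l) in enumerate(points):
        num = den = 1
        for j, (x_j, _) in enumerate(points):
            if j != l:
                num = num * (x_j - 0) % q      # (alpha_{i_j} - x) at x = 0
                den = den * (x_j - x_l) % q    # (alpha_{i_j} - alpha_{i_l})
        k = (k + s_l * num * pow(den, -1, q)) % q
    return k

def consistency_table(observed, t, q=Q):
    """For observed (alpha, share) pairs, count per candidate secret a how many random
    strings (a_1..a_{t-1}) reproduce exactly those shares.  With t-1 pairs every count
    is 1 (perfect privacy: Pr = 1/q^{t-1} for each a); with t pairs only the true
    secret has a non-zero count (correctness)."""
    return {a: sum(1 for r in product(range(q), repeat=t - 1)
                   if all(eval_poly([a] + list(r), x, q) == s for x, s in observed))
            for a in range(q)}

if __name__ == "__main__":
    shares = share(4, (2, 5))                     # k = 4, t = 3
    print("shares:", shares)
    print("reconstructed:", reconstruct(list(zip(ALPHAS, shares))[:3]))
    print("two shares seen:", consistency_table([(1, shares[0]), (2, shares[1])], 3))
```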

Shamir's threshold scheme by entropy
Let $\Gamma_N$ be the polymatroidal region on $N$. Let $p = \{\{s\}, P_n\}$ be a partition of $N$.
Lemma. $\Psi_p = \Psi^*_p$, where $\Psi_p = \Gamma_N \cap C_{\mathcal{A}_{t,n}}$, $\Psi^*_p = \overline{\Gamma^*_N} \cap C_{\mathcal{A}_{t,n}}$ (with $\overline{\Gamma^*_N}$ the closure of the entropy function region) and
$$C_{\mathcal{A}_{t,n}} = \{h : h(A) = h(B),\ h(\{s\} \cup A) = h(\{s\} \cup B)\ \text{if}\ |A| = |B|,\ A, B \subseteq P_n\}.$$

Shamir's threshold scheme by entropy
For simplicity, let $\rho_{t,n} = \rho_{\mathcal{A}_{t,n}}$ and $\Phi_{t,n} = \Phi_{\mathcal{A}_{t,n}}$. Then
$$\rho_{t,n} = \inf_{h \in \Gamma^*_N \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(\{p_j\})}{h(\{s\})},$$
where
$$\Phi_{t,n} = \{h : h(\{s\} \cup B) = h(B)\ \text{if}\ |B| \ge t,\ h(\{s\} \cup B) = h(\{s\}) + h(B)\ \text{if}\ |B| < t\}.$$
Theorem.
$$\rho_{t,n} = \inf_{h \in \Psi^*_p \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(\{p_j\})}{h(\{s\})}.$$

Shamir's threshold scheme by entropy
Theorem. The solution is
$$\rho_{t,n} = \min_{h \in \Psi_p \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(\{p_j\})}{h(\{s\})} = 1$$
and
$$\arg\min \rho_{t,n} = \{a\, u_{t,n+1} : a > 0\}.$$
(By the Lemma, the infimum over $\Psi^*_p$ can be taken as a minimum over the polyhedral region $\Psi_p$.)
Remark. This result can be generalized to non-perfect threshold schemes.

Linear secret-sharing scheme
Definition. A secret-sharing scheme is linear if:
the secret is $s \in \mathbb{F}$;
each random string $r \in R$ is a vector and each entry of $r$ is chosen independently with uniform distribution from $\mathbb{F}$;
each share $s_j$ is a vector and each entry of $s_j$ is a fixed linear combination of the secret $s$ and the coordinates of the random string $r$.
Shamir's threshold scheme is linear.

Linear secret-sharing scheme: monotone span program
A monotone span program is a triple $\mathcal{M} = (\mathbb{F}, M, \rho)$, where $\mathbb{F}$ is a field, $M$ is an $a \times b$ matrix over $\mathbb{F}$ and $\rho : \{1, \dots, a\} \to \{p_1, \dots, p_n\}$ labels each row of $M$ by a party.
Example. Consider the monotone span program $(\mathbb{F}_{17}, M, \rho)$, where
$$M = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \\ 1 & 4 & 16 \end{pmatrix}$$
and $\rho(1) = \rho(2) = p_2$, $\rho(3) = p_1$ and $\rho(4) = p_3$ (the labelling that matches the sub-matrices $M_B$ and $M_T$ in the next example).

Linear secret-sharing scheme: monotone span program
For any $A \subseteq P_n$, let $M_A$ denote the sub-matrix obtained by restricting $M$ to the rows labeled by parties in $A$. $\mathcal{M}$ accepts $B$ if the rows of $M_B$ span the vector $e_1 = (1, 0, \dots, 0)$. $\mathcal{M}$ accepts access structure $\mathcal{A}$ if $\mathcal{M}$ accepts a set $B$ iff $B \in \mathcal{A}$.
Example. Consider $B = \{p_1, p_2\}$ and $T = \{p_1, p_3\}$. Then
$$M_B = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \end{pmatrix} \quad \text{and} \quad M_T = \begin{pmatrix} 1 & 3 & 9 \\ 1 & 4 & 16 \end{pmatrix}.$$
It can be checked that the rows of $M_B$ span $e_1$ but those of $M_T$ do not. Checking all subsets further, $\min \mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}\}$.

Linear secret-sharing scheme
Theorem. Let $\mathcal{M} = (\mathbb{F}, M, \rho)$ be a monotone span program accepting an access structure $\mathcal{A}$, where $\mathbb{F}$ is a finite field and for every $j$ there are $a_j$ rows of $M$ labeled by $p_j$. Then there is a linear secret-sharing scheme realizing $\mathcal{A}$ such that the share of party $p_j$ is a vector in $\mathbb{F}^{a_j}$. The information ratio of the resulting scheme is $\max_{1 \le j \le n} a_j$.
Theorem. Let $\Gamma^L_N$ be the region bounded by the Shannon-type information inequalities and the linear rank inequalities over $N$. Then the optimal information ratio of linear schemes on $\mathcal{A}$ is
$$\rho^L_{\mathcal{A}} = \inf_{h \in \Gamma^L_N \cap \Phi_{\mathcal{A}}} \max_{1 \le j \le n} \frac{h(\{p_j\})}{h(\{s\})},$$
where $\Phi_{\mathcal{A}}$ is defined as above.
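An added example (not from the slides) that runs the monotone span program $(\mathbb{F}_{17}, M, \rho)$ from the example above and builds the linear scheme of the first theorem from it: acceptance of a set $B$ is decided by solving $\lambda M_B = e_1$ over $\mathbb{F}_{17}$, the minimal access structure is enumerated, and the same $\lambda$ reconstructs the secret from the shares $M \cdot (s, r_1, r_2)^\top$. The party names and the sample secret and randomness are constructed.

```python
from itertools import combinations

P = 17                                                    # the field F_17 of the example
M = [[1, 1, 1], [1, 2, 4], [1, 3, 9], [1, 4, 16]]
RHO = {0: "p2", 1: "p2", 2: "p1", 3: "p3"}                # row index -> party (rho on the slide)
PARTIES = ("p1", "p2", "p3")

def solve_mod_p(A, b, p):
    """Gauss-Jordan over F_p: return some x with A x = b, or None if the system is inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[v % p for v in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((r for r in range(row, m) if aug[r][col]), None)
        if piv is None:
            continue                                      # free column
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, p)
        aug[row] = [v * inv % p for v in aug[row]]
        for r in range(m):
            if r != row and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[row])]
        pivots.append(col)
        row += 1
        if row == m:
            break
    if any(aug[r][n] for r in range(row, m)):
        return None                                       # a row reads 0 = nonzero
    x = [0] * n
    for r, col in enumerate(pivots):
        x[col] = aug[r][n]
    return x

def recombination_vector(parties, p=P):
    """lambda with lambda M_B = e_1 (i.e. M_B^T lambda = e_1^T), or None if B is not accepted."""
    idx = [i for i in range(len(M)) if RHO[i] in parties]
    if not idx:
        return None, idx
    b = len(M[0])
    MBt = [[M[i][j] for i in idx] for j in range(b)]     # transpose of M_B
    return solve_mod_p(MBt, [1] + [0] * (b - 1), p), idx

def accepts(parties):
    return recombination_vector(parties)[0] is not None

def minimal_access_structure():
    acc = [frozenset(c) for k in range(1, len(PARTIES) + 1)
           for c in combinations(PARTIES, k) if accepts(c)]
    return {A for A in acc if not any(B < A for B in acc)}

def share(secret, rand, p=P):
    """Scheme from the theorem: entry i = M[i] . (s, r_1, ..., r_{b-1}) goes to party RHO[i]."""
    v = [secret] + list(rand)
    return {i: sum(a * x for a, x in zip(row, v)) % p for i, row in enumerate(M)}

def reconstruct(row_shares, parties, p=P):
    """lambda . (M_B v) = (lambda M_B) . v = e_1 . v = s for an accepted set B."""
    lam, idx = recombination_vector(parties, p)
    if lam is None:
        return None                                       # unauthorized: e_1 not in the row span
    return sum(l * row_shares[i] for l, i in zip(lam, idx)) % p
```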

Lower bounds on the information ratio
Theorem. Let $p_j$ be a non-redundant party in $\mathcal{A}$ and let $\Sigma$ be any secret-sharing scheme realizing $\mathcal{A}$. Then $|K_j| \ge |K|$, which implies that $\rho_{\mathcal{A}} \ge 1$ for any $\mathcal{A}$.
Ideal secret-sharing scheme. A secret-sharing scheme whose information ratio is 1 is called an ideal secret-sharing scheme.

Csirmaz's lower bound: Csirmaz's access structure
We define the access structure $\mathcal{A}_n$ by its minimal sets $\min \mathcal{A}_n$. Let $k$ be the largest integer such that $2^k + k - 1 \le n$. Let $B = \{p_1, \dots, p_{2^k - 1}\}$ and define $B_0 = \emptyset$ and $B_i = \{p_1, \dots, p_i\}$ for $1 \le i \le 2^k - 1$. Let $A = \{p_{2^k}, \dots, p_{2^k + k - 1}\}$, and let $A = A_0, A_1, \dots, A_{2^k - 1} = \emptyset$ be all the subsets of $A$, ordered such that if $i < i'$ then $A_i \not\subseteq A_{i'}$. Define $U_i = A_i \cup B_i$ for $0 \le i \le 2^k - 1$. Then $\min \mathcal{A}_n = \{U_i : 0 \le i \le 2^k - 1\}$.
Theorem. The information ratio of every secret-sharing scheme realizing the access structure constructed above is $\Omega(n / \log n)$.

Csirmaz's lower bound
Lemma. For every $0 \le i \le 2^k - 2$,
$$H(B_i \cup A) - H(B_i) \ge H(B_{i+1} \cup A) - H(B_{i+1}) + H(S),$$
where $H(X)$ for a set of parties $X$ denotes the entropy of their shares.
Proof sketch of the Theorem.
$$\sum_{p_j \in A} H(\{p_j\}) \ge H(A) = H(B_0 \cup A) - H(B_0) \ge H(B_{2^k - 1} \cup A) - H(B_{2^k - 1}) + (2^k - 1) H(S) = \Omega(n) H(S),$$
by applying the Lemma $2^k - 1$ times. Since $|A| = k = O(\log n)$, this implies that $H(\{p_j\}) = \Omega(n / \log n) H(S)$ for at least one $p_j$.
Remark. Both the Lemma and the inequalities in the proof sketch are Shannon-type.

Lower bounds for linear secret sharing
Theorem. For any $n$, there exists an access structure $\mathcal{A}_n$ such that every monotone span program over any field accepting it has size $n^{\Omega(\log n)}$.

Limitations of known techniques for lower bounds
No better lower bound has been found since Csirmaz's lower bound in 1994.
Shannon-type information inequalities cannot help to improve the bound.
All information inequalities with fewer than 6 random variables cannot help to improve the bound.

Open problems
Question 1. Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is $2^{\Omega(n)}$.
Question 2. Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain $\{0, 1\}$ is super-polynomial in $n$.
Question 3. Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is $2^{\Omega(n)}$.

Bibliography
A. Beimel, Secret-sharing schemes: a survey, Coding and Cryptology, Springer, 2011.
Q. Chen and R. W. Yeung, Partition-Symmetrical Entropy Functions, submitted to IEEE Trans. Inf. Theory.

Discussion
What can we do?

Thank you!