Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes

Amos Beimel
Ben-Gurion University

Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
Secret Sharing
[Shamir79, Blakley79, ItoSaitoNishizeki87]

[Figure: the secret 1706 is shared with threshold t=3; the shares shown are 3441, 2538, 6634, 1329, and a set of parties marked "?" does not learn the secret.]
                  Talk Overview


1.   Motivation and definitions
2.   Linear secret sharing schemes
3.   Nonlinear secret sharing schemes
4.   Weakly-private secret sharing schemes
5.   Conclusions and open problems




28/05/2007                ICITS              3
Def: Secret Sharing

[Figure: a dealer holding the secret s and randomness r distributes shares s1, s2, ..., sn to the parties P1, P2, ..., Pn.]

• Access structure: a collection of subsets of {P1,...,Pn} (a subset of 2^{P1,...,Pn}).
• The scheme realizes the access structure if:
  Correctness: every authorized set B can always recover s.
  Privacy: every unauthorized set B cannot learn anything about s.
                Applications

    • Secure storage;
    • Secure multiparty computation;
    • Threshold cryptography;
    • Byzantine agreement;
    • Access control;
    • Private information retrieval;
    • Attribute-based encryption.



Shamir's t-out-of-n Secret Sharing Scheme

     – Input: secret s
     – Choose at random a polynomial p(x) = s + r1 x + r2 x^2 + … + r_{t-1} x^{t-1}
     – Share of Pj: sj = p(j)

[Figure: plot of the polynomial p(x); its value at x = 0 is the secret s.]
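As an added example (not code from the slides), Shamir's t-out-of-n scheme over a small prime field in Python: the dealer picks the random polynomial, any t parties interpolate it at 0, and the last function shows why t-1 shares reveal nothing, since they are consistent with every candidate secret. The prime 7919 and the fixed coefficients [123, 456] are constructed for a reproducible run.

```python
import secrets

P = 7919  # prime modulus of GF(P); constructed for this example (real deployments use a large prime)

def make_shares(secret, t, n, coeffs=None):
    """Shamir's t-out-of-n scheme: choose p(x) = s + r1 x + ... + r_{t-1} x^{t-1} over GF(P)
    with random coefficients and hand party Pj the point (j, p(j)).
    `coeffs` lets a caller fix r1..r_{t-1} for a reproducible run."""
    if coeffs is None:
        coeffs = [secrets.randbelow(P) for _ in range(t - 1)]
    poly = [secret % P] + list(coeffs)
    return [(j, sum(c * pow(j, k, P) for k, c in enumerate(poly)) % P) for j in range(1, n + 1)]

def interpolate(points, x=0):
    """Evaluate at x the unique polynomial of degree < len(points) through `points`
    (Lagrange interpolation over GF(P)); with t correct shares and x = 0 this returns s.
    With fewer than t shares the result is simply wrong, not an error."""
    total = 0
    for j, yj in points:
        num = den = 1
        for m, _ in points:
            if m != j:
                num = num * (x - m) % P
                den = den * (j - m) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P   # den^(P-2) is den^-1 mod P
    return total

def implied_share(partial_shares, guessed_secret, j):
    """Privacy argument: t-1 shares plus ANY guessed secret still determine a degree-(t-1)
    polynomial, so t-1 shares are consistent with every secret. Returns the share of Pj
    that the guess would imply; distinct guesses imply distinct values for that share."""
    return interpolate([(0, guessed_secret)] + list(partial_shares), j)

# Constructed run: t = 3, n = 4, secret 1706 (the value on the slide), fixed randomness.
SHARES = make_shares(1706, 3, 4, coeffs=[123, 456])
```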
The General Case

Which access structures can be realized?
• Necessary condition: the access structure is monotone.
• Also sufficient!

[Figure: the secret s is shared separately to each minimal authorized set, here {2,4}, {1,2} and {1,3,5}, over the parties P1 P2 P3 P4 P5.]

Not efficient!!!!
Are there Efficient Schemes?

• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n)
• Nothing better is known even for non-explicit structures!
  – large gap
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)}.
Linear Secret-Sharing

[Figure: the secret s and random field elements r1, r2, ..., rm in F pass through a linear transformation; the resulting field elements are the shares of P1, P2, ..., Pn.]

Examples:
• Shamir's scheme
• Formula based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]
Linear Schemes and Span Programs

Monotone span programs – a linear algebraic model of computation [KarchmerWigderson93].

Equivalent to linear schemes.
Monotone Span Programs

       P2   1   1   0   1
       P2   0   1   1   0
       P1   0   1   1   0
       P3   1   1   0   0
       P4   0   0   1   1
   target   1   0   0   0

The program accepts a set B iff the rows labeled by B span the target vector.
Monotone Span Programs: the set {P2,P4}

       P2   1   1   0   1
       P2   0   1   1   0
       P1   0   1   1   0
       P3   1   1   0   0
       P4   0   0   1   1
   target   1   0   0   0

The rows labeled by P2 and P4 span the target (arithmetic mod 2):
   (1 1 0 1) + (0 1 1 0) = (1 0 1 1),   (1 0 1 1) + (0 0 1 1) = (1 0 0 0).
So {P2,P4} is accepted.
Monotone Span Programs: the set {P1,P2}

       P2   1   1   0   1
       P2   0   1   1   0
       P1   0   1   1   0
       P3   1   1   0   0
       P4   0   0   1   1
   target   1   0   0   0

The rows labeled by P2 and P1 are (1 1 0 1), (0 1 1 0), (0 1 1 0). Since P1's row duplicates P2's second row, these rows span only (1 1 0 1), (0 1 1 0) and their sum (1 0 1 1), none of which is the target (1 0 0 0), so {P1,P2} is not accepted.
Span Programs → Secret Sharing

Multiply the matrix by the column vector (s, r2, r3, r4), where r2, r3, r4 are random:

   P2   1   1   0   1       ( s  )       s + r2 + r4    share of P2
   P2   0   1   1   0       ( r2 )       r2 + r3        share of P2
   P1   0   1   1   0   x   ( r3 )   =   r2 + r3        share of P1
   P3   1   1   0   0       ( r4 )       s + r2         share of P3
   P4   0   0   1   1                    r3 + r4        share of P4

Example s=1, r2=r3=0, r4=1: the shares are 0 (P2), 0 (P2), 0 (P1), 1 (P3), 1 (P4).
Span Programs → Secret Sharing: reconstruction by {P2,P4}

   P2   1   1   0   1       ( s  )       s + r2 + r4    share of P2
   P2   0   1   1   0       ( r2 )       r2 + r3        share of P2
   P1   0   1   1   0   x   ( r3 )   =   r2 + r3        share of P1
   P3   1   1   0   0       ( r4 )       s + r2         share of P3
   P4   0   0   1   1                    r3 + r4        share of P4

   target   1   0   0   0                s

The combination of rows that gives the target vector, applied to the shares of P2 and P4, gives (s + r2 + r4) + (r2 + r3) + (r3 + r4) = s.
Linear Schemes: State of the Art

• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC
  (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures
  [B+GalPaterson95,BabaiGalWigderson96,Gal98,GalPudlak03]: n^{Ω(log n)}.
• Best existential lower bounds for linear schemes: 2^{Ω(n)}.
             Why Linear Secret Sharing?


• Share generation and secret reconstruction are efficient.

• Perfect privacy for free.

• Homomorphic
     – Secure multi-party computation [CramerDamgardMaurer2000]

Why not?

• Can only realize access structures in NC.




Homomorphism of Linear Secret Sharing

Let M be the span-program matrix with rows labeled P2, P2, P1, P3, P4.

   M · (s, r2, r3, r4)     = (y1, y2, y3, y4, y5)
   M · (s', r'2, r'3, r'4) = (y'1, y'2, y'3, y'4, y'5)

   M · (s + s', r2 + r'2, r3 + r'3, r4 + r'4) = (y1 + y'1, y2 + y'2, y3 + y'3, y4 + y'4, y5 + y'5)

Adding the shares of s and of s' coordinate-wise gives shares of s + s'.
Application: Computing a Sum

[Figure: a is shared as a1, a2, a3 and b as b1, b2, b3; the three share holders s1, s2, s3 each add their shares, producing c1, c2, c3, the shares of c.]
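The span-program slides and the homomorphism slides above, worked in Python as an added example (not the speaker's code): the slides' matrix over GF(2) with target (1 0 0 0) shares a bit, a small Gaussian elimination finds the spanning combination for a set of parties (and so decides whether the program accepts the set), and adding two share vectors yields a share vector of the sum of the secrets.

```python
# Monotone span program from the slides, over GF(2): rows labelled by parties, target (1,0,0,0).
ROWS = [("P2", (1, 1, 0, 1)), ("P2", (0, 1, 1, 0)), ("P1", (0, 1, 1, 0)),
        ("P3", (1, 1, 0, 0)), ("P4", (0, 0, 1, 1))]
TARGET = (1, 0, 0, 0)

def share(s, r):
    """Dealer: multiply the matrix by the column (s, r2, r3, r4) mod 2; the i-th entry is the
    share belonging to the party labelling row i (P2 owns two rows, so it receives two bits)."""
    vec = (s,) + tuple(r)
    return [sum(a * b for a, b in zip(row, vec)) % 2 for _, row in ROWS]

def combination_for_target(row_idx):
    """Gaussian elimination over GF(2): find coefficients c with sum_i c_i * row_i = TARGET,
    or None if the chosen rows do not span the target (the program rejects the set)."""
    n = len(row_idx)
    eqs = [[ROWS[i][1][k] for i in row_idx] + [TARGET[k]] for k in range(len(TARGET))]
    pivots, r = [], 0
    for col in range(n):
        piv = next((i for i in range(r, len(eqs)) if eqs[i][col]), None)
        if piv is None:
            continue
        eqs[r], eqs[piv] = eqs[piv], eqs[r]
        for i in range(len(eqs)):
            if i != r and eqs[i][col]:
                eqs[i] = [a ^ b for a, b in zip(eqs[i], eqs[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] and not any(row[:-1]) for row in eqs):
        return None                                   # an equation 0 = 1: not in the span
    coef = [0] * n                                    # free variables are set to 0
    for i, col in enumerate(pivots):
        coef[col] = eqs[i][-1]
    return coef

def reconstruct(parties, shares):
    """The parties pool the shares of their rows and apply the spanning combination;
    returns the secret bit, or None when the span program rejects the set."""
    idx = [i for i, (p, _) in enumerate(ROWS) if p in parties]
    coef = combination_for_target(idx)
    if coef is None:
        return None
    return sum(c * shares[i] for c, i in zip(coef, idx)) % 2

def add_shares(x, y):
    """Additive homomorphism: the coordinate-wise sum of share vectors of s and s' is a
    share vector of s + s' (with randomness r + r'), with no interaction between parties."""
    return [(a + b) % 2 for a, b in zip(x, y)]
```

With the slide's values, share(1, (0, 0, 1)) gives [0, 0, 0, 1, 1], which {P2, P4} reconstruct to 1 while {P1, P2} are rejected.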
Multiplicative Homomorphism of Linear Secret Sharing [….,CramerDamgardMaurer2000]

   M · (s, r2, r3, r4)     = (y1, y2, y3, y4, y5)
   M · (s', r'2, r'3, r'4) = (y'1, y'2, y'3, y'4, y'5)

   (y1, ..., y5) * (y'1, ..., y'5)  ──PROTOCOL──>  (z1, z2, z3, z4, z5): shares for s * s'

Access structure must be Q2.
Constructing Nonlinear Schemes

Two constructions:

1. Composition approach → no assumptions, access structures in NC.

2. Direct constructions → access structures probably not in P.
Nonlinear Schemes: Composition Approach [B+Ishai01]

[Figure: parties P1 … Pn receive shares from a scheme linear over GF(2), giving S1; parties Pn+1 … P2n receive shares from a scheme linear over GF(3), giving S2; the two combine as S = S1 + S2.]

[B+Weinreb03]:
• access structure: easy over GF(2), hard over any other field
• access structure: easy over GF(3), hard over any other field
Nonlinear Schemes: Direct Constructions [B+Ishai01]

   computationally efficient?   perfect / statistical   access structure equivalent to...
   Yes                          perfect                 quadratic residuosity modulo a (fixed) prime
   Yes                          statistical             co-primality
   No                           statistical             quadratic residuosity
Large gap

• Sharing a 1-bit secret for general access structures:
  – The known schemes have 2^{O(n)}-bit shares
  – Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n)

Conjecture: There is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.

No progress in the last decade!
What Should We Do?

• Prove lower bounds for stronger definitions of secret sharing
     – Linear secret sharing schemes – n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95,BabaiGalWigderson96,Gal98].

• Prove upper bounds for weaker definitions of secret sharing.
• Try to understand which techniques should be used to prove lower bounds.
Def: Weakly-Private Secret Sharing

[Figure: a dealer holding the secret s and randomness r distributes shares s1, s2, ..., sn to the parties P1, P2, ..., Pn.]

The scheme weakly realizes an access structure (a subset of 2^{P1,...,Pn}) if:

   Correctness: every authorized set B can always recover s.
   Weak Privacy: every unauthorized set C can never rule out any secret.
      For every two secrets a, b and every vector of shares <si>_{i in C}:
         Pr[ the shares of C on input (a, r) equal <si>_{i in C} ] > 0
            iff
         Pr[ the shares of C on input (b, r) equal <si>_{i in C} ] > 0
                        Motivation
• Strong lower bounds for secret sharing use entropy
  arguments [CapocelliDeSantisGarganoVaccaro91,
    BlundoDeSantisGarganoVaccaro92, Csirmaz94,….].


• Weakly-private ideal secret sharing = Perfect ideal
  secret sharing [BrickellDavenport91].

• Some papers used weakly-private schemes to prove
  lower bounds for perfect schemes [Seymour92,
    KurosawaOkada96,B+Livne06]




                      Motivation II

• Key Distribution Schemes:
     – [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower
       bounds for perfect schemes using entropy arguments.
     – [B+Chor93] proved the same lower bound for weakly-private
       schemes.




• Does weak-privacy suffice for proving lower-bounds
  for secret sharing schemes?



Our Results

1. For every access structure, there is a scheme whose shares are only c bits longer than the secret, where c is a ``constant'' depending on the access structure.
   Disclaimer: c can be exponential in n.
   Perfect: best known c'-bit shares.
2. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai).
   Perfect: known only for an exponential family.
3. There is a weakly-private t-out-of-n scheme: 1-bit secret and O(t)-bit shares.
   Perfect: log n-bit shares.
Constructions for general access structures

First attempt:
For every access structure, try to construct a scheme whose shares are as long as the secret.

Let s be the secret.
1.   Choose at random a maximal unauthorized set D.
2.   Choose a random bi in {0,1} for every Pi in D.
3.   Set bi = s for every Pi not in D.
4.   The share of Pi is bi.

Weak privacy: for an unauthorized set C, the set C can get any vector of shares for every s.
Correctness: ????? For an authorized set B there is some Pi in B \ D. Guess Pi in B \ D and output bi.
Constructions for general access structures

Second (correct) attempt:
For every access structure, there is a scheme whose shares are c bits longer than the secret (c is a "constant" depending on the access structure).

1. Choose at random a maximal unauthorized set D.
2. Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a1,…,an be the generated shares.
3. Choose a random bi in {0,1} for every Pi in D.
4. Set bi = s for every Pi not in D.
5. The share of Pi is (ai,bi).

Correctness: for an authorized set B there is some Pi in B \ D. B reconstructs D, finds Pi in B \ D, and outputs bi.
Share size: there is a scheme in which the shares ai of D are 2^n bits (worst case); the total share size is the length of the secret plus the length of ai.
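Added example (not from the slides): an exhaustive checker in Python for the definitions of correctness, weak privacy and perfect privacy, run on both attempts above for the 2-out-of-3 access structure with a 1-bit secret. The string describing D is shared with a constructed perfect scheme built from the minimal authorized sets, standing in for "a weakly-private scheme realizing the access structure".

```python
from itertools import combinations, product

PARTIES = (0, 1, 2)                                         # P1, P2, P3 as indices
MINIMAL = [frozenset(c) for c in combinations(PARTIES, 2)]  # 2-out-of-3: minimal authorized sets
MAX_UNAUTH = [frozenset({p}) for p in PARTIES]              # its maximal unauthorized sets

def authorized(B):
    return any(m <= B for m in MINIMAL)

def first_attempt(s, rnd):
    """First attempt from the slides: pick a maximal unauthorized D, random bits inside D,
    the secret bit everywhere outside D."""
    D, bits = rnd
    return tuple(bits[i] if i in D else s for i in PARTIES)

FIRST_RND = [(D, bits) for D in MAX_UNAUTH for bits in product((0, 1), repeat=3)]

def share_string(msg, rs):
    """Constructed perfect 2-out-of-3 scheme for a 3-bit string, built from the minimal sets:
    for each minimal set {i, j} with fresh random r, Pi gets r and Pj gets r XOR msg.
    Used only to share the description of D, as step 2 of the second attempt requires."""
    pieces = {p: [] for p in PARTIES}
    for m, r in zip(MINIMAL, rs):
        i, j = sorted(m)
        pieces[i].append(r)
        pieces[j].append(tuple(a ^ b for a, b in zip(r, msg)))
    return pieces

def second_attempt(s, rnd):
    """Second attempt from the slides: the share of Pi is (ai, bi), where ai shares D."""
    D, bits, rs = rnd
    a = share_string(tuple(int(p in D) for p in PARTIES), rs)
    return tuple((tuple(a[i]), bits[i] if i in D else s) for i in PARTIES)

SECOND_RND = [(D, bits, rs) for D in MAX_UNAUTH for bits in product((0, 1), repeat=3)
              for rs in product(product((0, 1), repeat=3), repeat=3)]

def analyse(scheme, randomness, secrets=(0, 1)):
    """Exhaustively tabulate, per party subset and secret, how often each view of the shares
    occurs, then test the slides' definitions: correctness (authorized views pin down s),
    weak privacy (equal supports) and perfect privacy (equal distributions)."""
    subsets = [frozenset(c) for k in range(1, 4) for c in combinations(PARTIES, k)]
    views = {(C, s): {} for C in subsets for s in secrets}
    for s in secrets:
        for rnd in randomness:
            sh = scheme(s, rnd)
            for C in subsets:
                v = tuple(sh[i] for i in sorted(C))
                views[(C, s)][v] = views[(C, s)].get(v, 0) + 1
    correct = weak = perfect = True
    for C in subsets:
        d0, d1 = views[(C, 0)], views[(C, 1)]
        if authorized(C):
            correct = correct and not (d0.keys() & d1.keys())  # no view fits both secrets
        else:
            weak = weak and d0.keys() == d1.keys()             # cannot rule out any secret
            perfect = perfect and d0 == d1                     # identical distributions
    return correct, weak, perfect
```

analyse(first_attempt, FIRST_RND) returns (False, True, False): weakly private but not correct, exactly the "?????" on the first-attempt slide; analyse(second_attempt, SECOND_RND) returns (True, True, False): correct and weakly private, still not perfect.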
                    Conclusions


• Linearity is useful.
• However, linear schemes can realize only access
  structures in NC.
• Nonlinear schemes can efficiently realize some
  “computationally hard” access structures.
• Exact power of nonlinear schemes remains unknown.




Proving Lower Bounds

• Close the gap for perfect secret sharing schemes
   – Improve the 2^{O(n)} upper bound?
   – Improve the Ω(n^2 / log n) lower bound?
   – Even an existential proof is interesting.

• Exponential lower bounds for linear schemes
   – Improve the n^{Ω(log n)} lower bound.
Upper & Lower Bounds: Specific Access Structures

• Directed connectivity
      • Participants correspond to edges in the complete directed graph
      • Authorized sets: graphs containing a path from v1 to v2
   – Efficient construction for undirected connectivity
   – There is an efficient computational scheme
   – Open: perfect scheme
• Perfect matching
   – Implies a scheme for directed connectivity
   – Open: perfect and computational schemes
• Weighted threshold
   – Efficient computational scheme [B+Weinreb]
   – Perfect scheme with n^{log n} shares
   – Open: perfect scheme
   – Open: monotone formula
Secret Sharing and Oblivious Transfer

• Hamiltonian:
     – Participants correspond to edges in the complete graph
     – Authorized sets: graphs containing a Hamiltonian cycle
       Want an efficient scheme for minimal authorized subsets, when given the witness (cycle)
   Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then Oblivious Transfer protocols exist.
     – I.e., Minicrypt = Cryptomania
     – Construction is non-blackbox
   Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP ⊆ Co-AM
The End…

				