
Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
Amos Beimel, Ben-Gurion University
Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
ICITS, 28/05/2007

Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
(Figure: a secret, 1706, is split into the shares 3441, 2538, 6634 and 1329 with threshold t=3; any three of the shares recover 1706, fewer reveal nothing.)

Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems

Def: Secret Sharing
(Figure: a dealer holding the secret s and randomness r sends share s1 to P1, s2 to P2, ..., sn to Pn.)
• Access structure: a collection of subsets of {P1, ..., Pn}, the authorized sets.
• A scheme realizes an access structure if:
  – Correctness: every authorized set B can always recover s.
  – Privacy: every unauthorized set B cannot learn anything about s.

Applications
• Secure storage;
• Secure multiparty computation;
• Threshold cryptography;
• Byzantine agreement;
• Access control;
• Private information retrieval;
• Attribute-based encryption.

Shamir's t-out-of-n Secret Sharing Scheme
– Input: secret s
– Choose at random a polynomial p(x) = s + r1 x + r2 x^2 + ... + r_{t-1} x^{t-1}
– Share of Pj: sj = p(j)

The General Case
Which access structures can be realized?
• Necessary condition: the access structure is monotone.
• Also sufficient!
(Figure: parties P1, ..., P5 with minimal authorized sets {2,4}, {1,2}, {1,3,5}; the secret s is shared separately inside each minimal set.)
Not efficient!!!!

Are there Efficient Schemes?
• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
• Nothing better is known even for non-explicit structures!
  – large gap
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)}.
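Shamir's t-out-of-n scheme from the slide above, as an added example (not code from the talk): sharing by evaluating a random polynomial, reconstruction by Lagrange interpolation at 0, and a check that t-1 shares are consistent with every candidate secret. The prime field P is a constructed choice.

```python
import random

# Constructed choice of field: any prime larger than the secret and than n works.
P = 2**61 - 1

def interpolate(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the points (Lagrange, mod P)."""
    total = 0
    for j, yj in points:
        num = den = 1
        for k, _ in points:
            if k != j:
                num = num * (x - k) % P
                den = den * (j - k) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def share(secret, t, n, rnd=random.SystemRandom()):
    """Shamir: p(x) = s + r1 x + ... + r_{t-1} x^{t-1} with random r_i; party j gets (j, p(j))."""
    coeffs = [secret % P] + [rnd.randrange(P) for _ in range(t - 1)]
    def p(x):
        acc = 0
        for c in reversed(coeffs):          # Horner's rule
            acc = (acc * x + c) % P
        return acc
    return [(j, p(j)) for j in range(1, n + 1)]

def reconstruct(shares):
    """Any t (or more) shares determine p, and s = p(0)."""
    return interpolate(shares, 0)

def consistent_share(known, fake_secret, j):
    """Privacy check: from t-1 shares every candidate secret is consistent. Returns the
    value party j would hold if the secret were fake_secret and the t-1 shares were 'known'."""
    return interpolate(known + [(0, fake_secret % P)], j)
```

With t=3, two shares plus the fabricated third one reconstruct to whatever secret was chosen, which is exactly why fewer than t shares carry no information.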
Linear Secret-Sharing
(Figure: the dealer applies a linear transformation over a field F to (s, r1, r2, ..., rm) and sends the resulting coordinates to P1, ..., Pn.)
Examples:
• Shamir's scheme
• Formula-based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]

Linear Schemes and Span Programs
Monotone span programs: a linear-algebraic model of computation [KarchmerWigderson93]. Equivalent to linear schemes.

Monotone Span Programs
A matrix whose rows are labelled by parties, together with a target vector. The program on the slides (over GF(2)):

  P2: 1 1 0 1
  P2: 0 1 1 0
  P1: 0 1 1 0
  P3: 1 1 0 0
  P4: 0 0 1 1
  target: 1 0 0 0

The program accepts a set B iff the rows labelled by B span the target vector.
Example {P2,P4}: (1 1 0 1) + (0 1 1 0) + (0 0 1 1) = (1 0 0 0), so {P2,P4} is accepted.
Example {P1,P2}: no combination of the rows (1 1 0 1), (0 1 1 0), (0 1 1 0) gives (1 0 0 0), so {P1,P2} is rejected.

Span Programs Secret Sharing
Multiply the matrix by the vector (s, r2, r3, r4), with r2, r3, r4 random; each party receives the coordinates of its own rows:

  P2: s + r2 + r4
  P2: r2 + r3
  P1: r2 + r3
  P3: s + r2
  P4: r3 + r4

Example: s=1, r2=r3=0, r4=1 gives the shares 0, 0 (P2), 0 (P1), 1 (P3), 1 (P4).
Reconstruction by {P2,P4}: (s + r2 + r4) + (r2 + r3) + (r3 + r4) = s.

Linear Schemes: State of the Art
• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^{Ω(log n)}.
• Best existential lower bounds for linear schemes: 2^{Ω(n)}.

Why Linear Secret Sharing?
• Share generation and secret reconstruction are efficient.
• Perfect privacy for free.
• Homomorphic
  – Secure multi-party computation [CramerDamgardMaurer2000]
Why not?
• Can only realize access structures in NC.
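The span-program scheme of the slides above, as an added example (not the talk's own code): acceptance is checked by finding rows of B that XOR to the target, sharing multiplies the matrix by (s, r2, r3, r4) over GF(2), and add_shares shows the additive homomorphism the talk relies on later. The row labels and target are exactly those on the slides.

```python
import random
from itertools import combinations

# The monotone span program from the slides, over GF(2): rows labelled by their
# owners, target vector (1,0,0,0); the columns multiply the vector (s, r2, r3, r4).
ROWS = [("P2", (1, 1, 0, 1)),
        ("P2", (0, 1, 1, 0)),
        ("P1", (0, 1, 1, 0)),
        ("P3", (1, 1, 0, 0)),
        ("P4", (0, 0, 1, 1))]
TARGET = (1, 0, 0, 0)

def xor_rows(rows):
    return tuple(sum(col) % 2 for col in zip(*rows))

def recombination(B):
    """Indices of rows owned by B whose GF(2) sum is the target, or None.
    Over GF(2) 'span' means XOR of a subset, so brute force is enough for 5 rows."""
    owned = [i for i, (owner, _) in enumerate(ROWS) if owner in B]
    for k in range(1, len(owned) + 1):
        for sub in combinations(owned, k):
            if xor_rows([ROWS[i][1] for i in sub]) == TARGET:
                return sub
    return None

def accepts(B):
    return recombination(B) is not None

def share(s, rnd=None):
    """Share vector M * (s, r2, r3, r4) over GF(2): one entry per row, in ROWS order."""
    r = rnd if rnd is not None else [random.randrange(2) for _ in range(3)]
    vec = (s, *r)
    return [sum(a * b for a, b in zip(row, vec)) % 2 for _, row in ROWS]

def reconstruct(shares, B):
    """The recombination that spans the target, applied to the shares, gives s."""
    sub = recombination(B)
    if sub is None:
        raise ValueError("unauthorized set")
    return sum(shares[i] for i in sub) % 2

def add_shares(x, y):
    """Additive homomorphism: shares of s plus shares of s' are shares of s + s'."""
    return [(a + b) % 2 for a, b in zip(x, y)]
```

share(1, [0, 0, 1]) reproduces the slide's example shares 0, 0, 0, 1, 1.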
Homomorphism of Linear Secret Sharing
(Figure: the same matrix applied to (s, r2, r3, r4) gives shares y1, ..., y5, and applied to (s', r'2, r'3, r'4) gives y'1, ..., y'5; by linearity, applying it to (s+s', r2+r'2, r3+r'3, r4+r'4) gives y1+y'1, ..., y5+y'5, so adding shares coordinate-wise yields shares of s+s'.)

Application: Computing a Sum
(Figure: inputs a, b, c are shared as (a1, a2, a3), (b1, b2, b3), (c1, c2, c3); each party adds its three shares locally to obtain a share si of s = a + b + c.)

Multiplicative Homomorphism of Linear Secret Sharing [..., CramerDamgardMaurer2000]
(Figure: from shares y1, ..., y5 of s and y'1, ..., y'5 of s', a protocol produces shares z1, ..., z5 of s * s'.)
Access structure must be Q2.

Constructing Nonlinear Schemes
Two constructions:
1. Composition approach: no assumptions, access structures in NC.
2. Direct constructions: access structures probably not in P.

Nonlinear Schemes: Composition Approach [B+Ishai01]
(Figure: P1, ..., Pn share S1 with a scheme linear over GF(2); Pn+1, ..., P2n share S2 with a scheme linear over GF(3); the secret is S = S1 + S2.)
[B+Weinreb03]:
• an access structure that is easy over GF(2) but hard over any other field
• an access structure that is easy over GF(3) but hard over any other field

Nonlinear Schemes: Direct Constructions [B+Ishai01]

  computationally equivalent to...             | perfect / statistical | access structure efficient?
  quadratic residuosity modulo a (fixed) prime | perfect               | Yes
  co-primality                                 | statistical           | Yes
  quadratic residuosity                        | statistical           | No
Large gap
• Sharing a 1-bit secret for general access structures:
  – The known schemes have 2^{O(n)}-bit shares
  – Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n)
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.
No progress in the last decade!

What Should We Do?
• Prove lower bounds for stronger definitions of secret sharing
  – Linear secret sharing schemes: n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98].
• Prove upper bounds for weaker definitions of secret sharing.
• Try to understand which techniques should be used to prove lower bounds.

Def: Weakly-Private Secret Sharing
(Figure: as before, a dealer holding s and randomness r sends share si to each Pi.)
A scheme weakly realizes an access structure over {P1, ..., Pn} if:
• Correctness: every authorized set B can always recover s.
• Weak privacy: every unauthorized set C can never rule out any secret. For every two secrets a, b and every vector of shares <si>_{i in C}:
  Pr[ C's shares when a is shared with randomness r equal <si>_{i in C} ] > 0  iff  Pr[ C's shares when b is shared with randomness r equal <si>_{i in C} ] > 0

Motivation
• Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94, ...].
• Weakly-private ideal secret sharing = perfect ideal secret sharing [BrickellDavenport91].
• Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96, B+Livne06].

Motivation II
• Key distribution schemes:
  – [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
  – [B+Chor93] proved the same lower bound for weakly-private schemes.
• Does weak privacy suffice for proving lower bounds for secret sharing schemes?

Our Results
1. For every access structure there is a weakly-private scheme, for secrets of any length, whose shares are only c bits longer than the secret, where c is a "constant" depending on the access structure.
   Disclaimer: c can be exponential in n.
   Perfect: the best known schemes have shares c' times as long as the secret.
2. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai).
   Perfect: known only for an exponential family.
3. There is a weakly-private t-out-of-n scheme: 1-bit secret and O(t)-bit shares.
   Perfect: log n-bit shares.

Constructions for general access structures
First attempt: for every access structure, try to construct a scheme whose shares are as long as the secret.
Let s be the secret.
1. Choose at random a maximal unauthorized set D.
2. Choose a random bi in {0,1} for every Pi in D.
3. Set bi = s for every Pi not in D.
4. The share of Pi is bi.
Weak privacy: an unauthorized set C can get any vector of shares for every s.
Correctness: ????? An authorized set B is not contained in D, so some Pi in B \ D holds bi = s, but B cannot tell which one; guessing a Pi in B and outputting bi does not work.

Second (correct) attempt: for every access structure there is a scheme whose shares are c bits longer than the secret (c is a "constant" depending on the access structure).
1. Choose at random a maximal unauthorized set D.
2. Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a1, ..., an be the generated shares.
3. Choose a random bi in {0,1} for every Pi in D.
4. Set bi = s for every Pi not in D.
5. The share of Pi is (ai, bi).
Correctness: an authorized set B reconstructs D, finds a Pi in B \ D (one exists, since B is not contained in the unauthorized set D), and outputs bi.
Share size: the ai come from a scheme for n-bit secrets whose shares are 2^n bits in the worst case; the total share size is the length of the secret plus this "constant".

Conclusions
• Linearity is useful.
• However, linear schemes can realize only access structures in NC.
• Nonlinear schemes can efficiently realize some "computationally hard" access structures.
• Exact power of nonlinear schemes remains unknown.

Proving Lower Bounds
• Close the gap for perfect secret sharing schemes
  – Improve the 2^{O(n)} upper bound?
  – Improve the Ω(n^2 / log n) lower bound?
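The second (correct) construction above, as an added example that is not code from the talk. The access structure is the constructed five-party instance from the "General Case" slide; the shares a_i of D are produced by that slide's inefficient minimal-set scheme, which is perfect and therefore weakly private, so it may play the role of the weakly-private scheme in step 2.

```python
import secrets
from functools import reduce
from itertools import combinations
from operator import xor

# Constructed instance: parties 1..5 with the minimal authorized sets of the
# "General Case" slide, {2,4}, {1,2}, {1,3,5}.
PARTIES = (1, 2, 3, 4, 5)
MINIMAL_SETS = ({2, 4}, {1, 2}, {1, 3, 5})

def authorized(B):
    return any(m <= set(B) for m in MINIMAL_SETS)

def maximal_unauthorized_sets():
    """Unauthorized sets that become authorized as soon as any party is added."""
    subsets = [set(c) for k in range(len(PARTIES) + 1) for c in combinations(PARTIES, k)]
    unauth = [D for D in subsets if not authorized(D)]
    return [D for D in unauth if all(authorized(D | {p}) for p in set(PARTIES) - D)]

def general_share(value, nbits):
    """Minimal-set scheme: XOR-share 'value' independently inside every minimal set.
    Party i's share maps minimal-set index -> its piece. Perfect, hence weakly private."""
    shares = {p: {} for p in PARTIES}
    for idx, m in enumerate(MINIMAL_SETS):
        members = sorted(m)
        pieces = [secrets.randbits(nbits) for _ in members[:-1]]
        pieces.append(reduce(xor, pieces, value))     # all pieces XOR to 'value'
        for p, x in zip(members, pieces):
            shares[p][idx] = x
    return shares

def general_reconstruct(shares, B):
    for idx, m in enumerate(MINIMAL_SETS):
        if m <= set(B):
            return reduce(xor, (shares[p][idx] for p in m))
    raise ValueError("unauthorized set")

def weak_share(s, ell):
    """Second attempt: pick a random maximal unauthorized D, share the bitmask of D
    with the scheme above, give random bits to members of D and s to everyone else."""
    D = secrets.choice(maximal_unauthorized_sets())
    mask = sum(1 << (p - 1) for p in D)
    a = general_share(mask, len(PARTIES))
    return {p: (a[p], secrets.randbits(ell) if p in D else s) for p in PARTIES}   # (a_i, b_i)

def weak_reconstruct(shares, B):
    """Authorized B recovers D, takes a member of B outside D and outputs its b_i."""
    mask = general_reconstruct({p: shares[p][0] for p in B}, B)
    D = {p for p in PARTIES if (mask >> (p - 1)) & 1}
    return shares[min(set(B) - D)][1]       # B is authorized, hence not contained in D
```

An unauthorized set that happens not to lie inside the chosen D holds some b_i equal to s, so the distribution of its shares does depend on s; it can still never rule a secret out, which is exactly the weak-privacy guarantee and nothing more.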
  – Even an existential proof is interesting.
• Exponential lower bounds for linear schemes
  – Improve the n^{Ω(log n)} lower bound.

Upper & Lower Bounds: Specific Access Structures
• Directed connectivity
  – Participants correspond to edges in the complete directed graph
  – Authorized sets: graphs containing a path from v1 to v2
  – Efficient construction for undirected connectivity
  – There is an efficient computational scheme
  – Open: perfect scheme
• Perfect matching
  – Implies a scheme for directed connectivity
  – Open: perfect and computational schemes
• Weighted threshold
  – Efficient computational scheme [B+Weinreb]
  – Perfect scheme with n^{log n} shares
  – Open: perfect scheme
  – Open: monotone formula

Secret Sharing and Oblivious Transfer
• Hamiltonian:
  – Participants correspond to edges in the complete graph
  – Authorized sets: graphs containing a Hamiltonian cycle
  Want an efficient scheme for minimal authorized subsets, when given the witness (cycle).
Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist.
  – I.e., Minicrypt = Cryptomania
  – Construction is non-black-box
Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP is contained in co-AM.

The End...

Document info: posted 5/9/2013; 40 pages.