Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
Amos Beimel, Ben-Gurion University
Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
ICITS, 28/05/2007

Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
[Figure: the secret 1706 is split into the shares 3441, 2538, 6634, 1329 with threshold t=3; any three shares give back 1706, fewer leave the secret unknown (?)]

Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems

Def: Secret Sharing
[Figure: the dealer holds a secret s and randomness r and hands share s_i to party P_i, for i = 1, …, n]
• Access structure: a subset of 2^{P1, …, Pn}, i.e., a collection of subsets of {P1, …, Pn}.
• A scheme realizes the access structure if:
  Correctness: every authorized set B can always recover s.
  Privacy: every unauthorized set B cannot learn anything about s.

Applications
• Secure storage;
• Secure multiparty computation;
• Threshold cryptography;
• Byzantine agreement;
• Access control;
• Private information retrieval;
• Attribute-based encryption.

Shamir's t-out-of-n Secret Sharing Scheme
– Input: secret s
– Choose at random a polynomial p(x) = s + r_1 x + r_2 x^2 + … + r_{t-1} x^{t-1}
– Share of P_j: s_j = p(j)
[Figure: plot of the polynomial p(x), with p(0) = s]

The General Case
Which access structures can be realized?
• Necessary condition: the access structure is monotone.
• Also sufficient!
[Figure: minimal authorized sets {2,4}, {1,2}, {1,3,5} over P1, …, P5; the secret s is shared separately within each minimal set]
Not efficient!!!!

Are there Efficient Schemes?
• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
• Nothing better is known even for non-explicit structures!
– Large gap.
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)}.
Linear Secret Sharing
[Figure: a linear transformation over a field F maps the vector (s, r_1, r_2, …, r_m) to the shares of P1, …, Pn]
Examples:
• Shamir's scheme
• Formula-based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]

Linear Schemes and Span Programs
Monotone span programs: a linear-algebraic model of computation [KarchmerWigderson93].
Equivalent to linear schemes.

Monotone Span Programs
Rows are labelled by parties (P2 labels two rows); the target vector is (1, 0, 0, 0):
  P2: 1 1 0 1
  P2: 0 1 1 0
  P1: 0 1 1 0
  P3: 1 1 0 0
  P4: 0 0 1 1
The program accepts a set B iff the rows labelled by B span the target vector.
Example {P2, P4}: the rows (1 1 0 1), (0 1 1 0), (0 0 1 1) sum to (1 0 0 0) over GF(2), so the set is accepted.
Example {P1, P2}: the rows (1 1 0 1), (0 1 1 0), (0 1 1 0) span only (1 1 0 1), (0 1 1 0), (1 0 1 1) and 0, so the set is rejected.

Span Programs → Secret Sharing
Multiply the matrix by the vector (s, r2, r3, r4), where r2, r3, r4 are random:
  P2: 1 1 0 1  →  s + r2 + r4
  P2: 0 1 1 0  →  r2 + r3
  P1: 0 1 1 0  →  r2 + r3
  P3: 1 1 0 0  →  s + r2
  P4: 0 0 1 1  →  r3 + r4
Example: s=1, r2=r3=0, r4=1 gives the shares P2: (0, 0), P1: 0, P3: 1, P4: 1.
Reconstruction by {P2, P4}: (s + r2 + r4) + (r2 + r3) + (r3 + r4) = s, because these three rows sum to the target vector (1 0 0 0).

Linear Schemes: State of the Art
• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^{Ω(log n)}.
• Best existential lower bounds for linear schemes: 2^{Ω(n)}.

Why Linear Secret Sharing?
• Share generation and secret reconstruction are efficient.
• Perfect privacy for free.
• Homomorphic
– Secure multi-party computation [CramerDamgardMaurer2000]
Why not?
• Can only realize access structures in NC.
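As an added example (not part of the slides), the span-program scheme above in Python over GF(2): the matrix, labels and target vector are the ones on the slides; `reconstructing_rows` decides acceptance by trying row combinations, `share` and `reconstruct` implement the sharing and the {P2, P4} reconstruction, and `add_shares` shows the additive homomorphism from the "Why linear" bullet.

```python
import itertools

# Monotone span program from the slides, over GF(2): each row is labelled by
# the party that receives it (P2 owns two rows); target vector (1, 0, 0, 0).
ROWS = [("P2", (1, 1, 0, 1)),
        ("P2", (0, 1, 1, 0)),
        ("P1", (0, 1, 1, 0)),
        ("P3", (1, 1, 0, 0)),
        ("P4", (0, 0, 1, 1))]
TARGET = (1, 0, 0, 0)

def gf2_sum(vectors):
    """Coordinate-wise XOR of 0/1 vectors of length 4."""
    out = [0] * len(TARGET)
    for v in vectors:
        out = [a ^ b for a, b in zip(out, v)]
    return tuple(out)

def reconstructing_rows(parties):
    """Indices of rows labelled by `parties` whose GF(2) sum is TARGET,
    or None if those rows do not span it (the program rejects the set)."""
    owned = [i for i, (p, _) in enumerate(ROWS) if p in parties]
    for k in range(1, len(owned) + 1):
        for combo in itertools.combinations(owned, k):
            if gf2_sum([ROWS[i][1] for i in combo]) == TARGET:
                return list(combo)
    return None

def share(s, r):
    """Shares = M * (s, r2, r3, r4)^T over GF(2); entry i goes to ROWS[i][0]."""
    vec = (s,) + tuple(r)
    return [sum(a & b for a, b in zip(row, vec)) % 2 for _, row in ROWS]

def reconstruct(shares, parties):
    """An authorized set XORs the shares of its reconstructing rows; for
    {P2, P4} these are (1 1 0 1), (0 1 1 0), (0 0 1 1), which sum to TARGET."""
    idx = reconstructing_rows(parties)
    if idx is None:
        raise ValueError("unauthorized set: its rows do not span the target")
    s = 0
    for i in idx:
        s ^= shares[i]
    return s

def add_shares(x, y):
    """Additive homomorphism: the entry-wise sum of shares of s and of s'
    equals M * (s+s', r+r')^T, i.e. valid shares of s + s' without interaction."""
    return [a ^ b for a, b in zip(x, y)]
```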
Homomorphism of Linear Secret Sharing
[Figure: M·(s, r2, r3, r4) = (y1, …, y5) and M·(s', r'2, r'3, r'4) = (y'1, …, y'5); adding entry-wise gives M·(s+s', r2+r'2, r3+r'3, r4+r'4) = (y1+y'1, …, y5+y'5), i.e., valid shares of s + s']

Application: Computing a Sum
[Figure: secrets a, b, c are shared as (a1, a2, a3), (b1, b2, b3), (c1, c2, c3); the sums s_i = a_i + b_i + c_i are shares (s1, s2, s3) of s = a + b + c]

Multiplicative Homomorphism of Linear Secret Sharing […, CramerDamgardMaurer2000]
[Figure: from shares (y1, …, y5) of s and (y'1, …, y'5) of s', a PROTOCOL among the parties produces shares (z1, …, z5) of s · s']
Access structure must be Q2.

Constructing Nonlinear Schemes
Two constructions:
1. Composition approach: no assumptions, access structures in NC.
2. Direct constructions: access structures probably not in P.

Nonlinear Schemes: Composition Approach [B+Ishai01]
[Figure: parties P1, …, Pn hold a scheme linear over GF(2) for S1; parties Pn+1, …, P2n hold a scheme linear over GF(3) for S2; the secret is S = S1 + S2]
[B+Weinreb03]:
• An access structure that is easy over GF(2) and hard over any other field.
• An access structure that is easy over GF(3) and hard over any other field.

Nonlinear Schemes: Direct Constructions [B+Ishai01]
Access structure (computationally equivalent to …) | Perfect / statistical | Efficient?
quadratic residuosity modulo a (fixed) prime | perfect | Yes
co-primality | statistical | Yes
quadratic residuosity | statistical | No
Large Gap
• Sharing a 1-bit secret for general access structures:
– The known schemes have 2^{O(n)}-bit shares.
– Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n).
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.
No progress in the last decade!

What Should We Do?
• Prove lower bounds for stronger definitions of secret sharing
– Linear secret sharing schemes: n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98].
• Prove upper bounds for weaker definitions of secret sharing.
• Try to understand which techniques should be used to prove lower bounds.

Def: Weakly-Private Secret Sharing
[Figure: the dealer holds a secret s and randomness r and hands share s_i to party P_i]
A scheme weakly realizes an access structure (a subset of 2^{P1, …, Pn}) if:
Correctness: every authorized set B can always recover s.
Weak Privacy: every unauthorized set C can never rule out any secret. That is, for every two secrets a, b and every vector of shares ⟨s_i⟩_{i∈C}:
  Pr[the shares of C generated from (a, r) equal ⟨s_i⟩_{i∈C}] > 0  iff  Pr[the shares of C generated from (b, r) equal ⟨s_i⟩_{i∈C}] > 0.

Motivation
• Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94, …].
• Weakly-private ideal secret sharing = perfect ideal secret sharing [BrickellDavenport91].
• Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96, B+Livne06].

Motivation II
• Key distribution schemes:
– [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
– [B+Chor93] proved the same lower bound for weakly-private schemes.
• Does weak privacy suffice for proving lower bounds for secret sharing schemes?

Our Results
1. For every access structure there is a weakly-private scheme whose shares are only c bits longer than the secret, where c is a "constant" depending on the access structure. Disclaimer: c can be exponential in n. Perfect: the best known schemes have c'-bit shares.
2. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai). Perfect: known only for an exponential family.
3. There is a weakly-private t-out-of-n scheme with a 1-bit secret and O(t)-bit shares. Perfect: log n-bit shares.

Constructions for General Access Structures
First attempt: for every access structure, try to construct a scheme whose shares are as long as the secret. Let s be the secret.
1. Choose at random a maximal unauthorized set D.
2. Choose b_i at random (a string of the same length as s) for every P_i ∈ D.
3. Set b_i = s for every P_i ∉ D.
4. The share of P_i is b_i.
Weak privacy: an unauthorized set C is contained in some maximal unauthorized set; when that set is chosen as D, the shares of C are random, so C can get any vector of shares for every s.
Correctness: ????? An authorized set B is not contained in D, so some P_i ∈ B \ D exists, but B does not know which one: it can only guess a P_i ∈ B and output b_i.

Constructions for General Access Structures
Second (correct) attempt: for every access structure, there is a scheme whose shares are c bits longer than the secret (c is a "constant" depending on the access structure).
1. Choose at random a maximal unauthorized set D.
2. Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a_1, …, a_n be the generated shares.
3. Choose b_i at random (a string of the same length as s) for every P_i ∈ D.
4. Set b_i = s for every P_i ∉ D.
5. The share of P_i is (a_i, b_i).
Correctness: an authorized set B reconstructs D, finds a P_i ∈ B \ D (which exists since B is not contained in D), and outputs b_i.
Share size: the shares a_i of the n-bit string D are 2^n bits (worst case), so the total share size is the length of the secret plus 2^n bits.

Conclusions
• Linearity is useful.
• However, linear schemes can realize only access structures in NC.
• Nonlinear schemes can efficiently realize some "computationally hard" access structures.
• The exact power of nonlinear schemes remains unknown.

Proving Lower Bounds
• Close the gap for perfect secret sharing schemes
– Improve the 2^{O(n)} upper bound?
– Improve the Ω(n^2 / log n) lower bound?
– Even an existential proof is interesting.
• Exponential lower bounds for linear schemes
– Improve the n^{Ω(log n)} lower bound.

Upper & Lower Bounds: Specific Access Structures
• Directed connectivity
– Participants correspond to edges in the complete directed graph
– Authorized sets: graphs containing a path from v1 to v2
– Efficient construction for undirected connectivity
– There is an efficient computational scheme
– Open: perfect scheme
• Perfect matching
– Implies a scheme for directed connectivity
– Open: perfect and computational schemes
• Weighted threshold
– Efficient computational scheme [B+Weinreb]
– Perfect scheme with n^{log n} shares
– Open: perfect scheme
– Open: monotone formula

Secret Sharing and Oblivious Transfer
• Hamiltonian:
– Participants correspond to edges in the complete graph
– Authorized sets: graphs containing a Hamiltonian cycle
Want an efficient scheme for minimal authorized subsets, when given the witness (cycle).
Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist.
– I.e., Minicrypt = Cryptomania
– The construction is non-black-box
Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP ⊆ co-AM.

The End…
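As an added example (not from the slides), the second (correct) attempt from the "Constructions for general access structures" slide in Python, instantiated for the access structure with minimal sets {1,2}, {2,4}, {1,3,5} from the "General Case" slide (a constructed choice). The n-bit string describing D is shared with that slide's XOR-per-minimal-set scheme, which stands in for the "weakly-private scheme realizing the access structure" of step 2; a perfect scheme is in particular weakly-private.

```python
import itertools
import secrets

MINIMAL = [frozenset({1, 2}), frozenset({2, 4}), frozenset({1, 3, 5})]  # constructed example
N = 5                                                                    # parties 1..N

def authorized(B):
    return any(A <= frozenset(B) for A in MINIMAL)

def maximal_unauthorized():
    """Unauthorized sets that become authorized when any party is added."""
    unauth = [frozenset(c) for k in range(N + 1)
              for c in itertools.combinations(range(1, N + 1), k)
              if not authorized(c)]
    return [D for D in unauth if not any(D < E for E in unauth)]

def share_string(value, nbits):
    """'General Case' scheme: XOR-share `value` separately inside each minimal set."""
    pieces = {}                                   # {(minimal-set index, party): piece}
    for k, A in enumerate(MINIMAL):
        members = sorted(A)
        rand = [secrets.randbits(nbits) for _ in members[:-1]]
        last = value
        for r in rand:
            last ^= r                             # all pieces of set k XOR to value
        for p, piece in zip(members, rand + [last]):
            pieces[(k, p)] = piece
    return pieces

def share(s, length):
    """Second attempt: P_i gets (a_i, b_i); a_i shares D, b_i = s iff P_i is outside D."""
    D = secrets.choice(maximal_unauthorized())
    d_mask = sum(1 << (i - 1) for i in D)         # n-bit string representing D
    pieces = share_string(d_mask, N)
    shares = {}
    for i in range(1, N + 1):
        a_i = {k: v for (k, p), v in pieces.items() if p == i}
        b_i = secrets.randbits(length) if i in D else s
        shares[i] = (a_i, b_i)
    return shares

def reconstruct(shares, B):
    """Authorized B recovers D via a minimal set it contains, then outputs b_i
    of some P_i in B but not in D (exists: B is authorized, D is not)."""
    k = next(k for k, A in enumerate(MINIMAL) if A <= frozenset(B))
    d_mask = 0
    for p in MINIMAL[k]:
        d_mask ^= shares[p][0][k]
    i = next(i for i in B if not (d_mask >> (i - 1)) & 1)
    return shares[i][1]
```

For an unauthorized set such as {3,4,5}, the run in which D = {3,4,5} is chosen hands it random b_i and pieces that never complete a minimal set, which is why it cannot rule out any secret.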