# Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes

```
Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes

Amos Beimel, Ben-Gurion University

Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]

(Figure: the secret 1706 is split into the shares 3441, 2538, 6634 and 1329 with threshold t=3.)
Talk Overview

1.   Motivation and definitions
2.   Linear secret sharing schemes
3.   Nonlinear secret sharing schemes
4.   Weakly-private secret sharing schemes
5.   Conclusions and open problems

28/05/2007                ICITS              3
Def: Secret Sharing

(Figure: a dealer holding the secret s and randomness r sends share s1 to P1, s2 to P2, …, sn to Pn.)

• Access structure: a collection A ⊆ 2^{{P1,…,Pn}} of subsets of the parties (the authorized sets).
• A scheme realizes A if:
  Correctness: every authorized set B ∈ A can always recover s.
  Privacy: every unauthorized set B ∉ A cannot learn anything about s
  (its shares have the same distribution for every secret).
Applications

• Secure storage;
• Secure multiparty computation;
• Threshold cryptography;
• Byzantine agreement;
• Access control;
• Private information retrieval;
• Attribute-based encryption.

Shamir’s t-out-of-n Secret Sharing Scheme

– Input: secret s, an element of a field F with more than n elements
– Choose at random a polynomial p(x) = s + r1·x + r2·x² + … + r_{t-1}·x^{t-1} over F
– Share of Pj: sj = p(j)
– Any t parties interpolate p from their t points and output s = p(0); any t−1 shares are consistent with every value of s.
(Figure: the graph of p with s = p(0) marked.)
The General Case

Which access structures A can be realized?
• Necessary condition: A is monotone.
• Also sufficient! Share s independently for each minimal authorized set,
  additively among the members of that set [ItoSaitoNishizeki87].
(Figure: minimal sets {2,4}, {1,2}, {1,3,5} of the parties P1 … P5, each receiving its own additive sharing of s.)

Not efficient!!!! The share size grows with the number of minimal sets, which can be exponential in n.
Are there Efficient Schemes?
• The known schemes for general access structures have
  shares of size 2^O(n).
• Best lower bound for an explicit structure [Csirmaz94]:
  Ω(n² / log n).
• Nothing better is known even for non-explicit structures!
  – large gap
Conjecture: There is an access structure that
requires shares of size 2^Ω(n).
Linear Secret-Sharing

(Figure: the secret s and random field elements r1, r2, …, rm are mapped by a linear transformation over a field F to the shares of P1, P2, …, Pn; every share is a linear combination of s and the ri.)

Examples:
• Shamir’s scheme
• Formula based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]
Linear Schemes and Span Programs

Monotone span programs – linear algebraic
model of computation [KarchmerWigderson93].

Equivalent to linear schemes.
Monotone Span Programs

A matrix over a field (here GF(2)) whose rows are labeled by parties (a party may label several rows), together with a target vector:

  P2 | 1 1 0 1
  P2 | 0 1 1 0
  P1 | 0 1 1 0
  P3 | 1 1 0 0
  P4 | 0 0 1 1
  target: 1 0 0 0

The program accepts a set B
iff
the rows labeled by B span the target vector.

Example {P2,P4}: (1 1 0 1) + (0 1 1 0) + (0 0 1 1) = (1 0 0 0) over GF(2), so {P2,P4} is accepted.

Example {P1,P2}: the rows (1 1 0 1), (0 1 1 0), (0 1 1 0) span only (1 1 0 1), (0 1 1 0) and (1 0 1 1); the target is not among them, so {P1,P2} is rejected.
Span Programs → Secret Sharing

Multiply the matrix by the column (s, r2, r3, r4), where r2, r3, r4 are random elements of GF(2):

  P2 | 1 1 0 1 |   | s  |   | s + r2 + r4 | → P2
  P2 | 0 1 1 0 |   | r2 |   | r2 + r3     | → P2
  P1 | 0 1 1 0 | × | r3 | = | r2 + r3     | → P1
  P3 | 1 1 0 0 |   | r4 |   | s + r2      | → P3
  P4 | 0 0 1 1 |             | r3 + r4     | → P4

Example s=1, r2=r3=0, r4=1: shares 0 (P2), 0 (P2), 0 (P1), 1 (P3), 1 (P4).

Reconstruction by {P2,P4}: the combination of their rows that gives the target (1 0 0 0), applied to their shares, gives
  (s + r2 + r4) + (r2 + r3) + (r3 + r4) = s;
the randomness cancels.
Linear Schemes: State of the Art

• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC
  (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures
  [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]:
  n^Ω(log n).
• Best existential lower bounds for linear schemes: 2^Ω(n).
Why Linear Secret Sharing?

• Share generation and secret reconstruction are efficient.

• Homomorphic
– Secure multi-party computation [CramerDamgardMaurer2000]

Why not?

• Can only realize access structures in NC.

Homomorphism of Linear Secret Sharing

Let M be the matrix of the scheme. If
  M × (s, r2, r3, r4) = (y1, y2, y3, y4, y5)            (shares of s)  and
  M × (s’, r’2, r’3, r’4) = (y’1, y’2, y’3, y’4, y’5)   (shares of s’),
then by linearity
  M × (s + s’, r2 + r’2, r3 + r’3, r4 + r’4) = (y1 + y’1, …, y5 + y’5),
so each party adds its two shares locally and holds a valid share of s + s’ without any interaction.
Application: Computing a Sum

a is shared as (a1, a2, a3) and b as (b1, b2, b3) among servers S1, S2, S3.
Server Si computes ci = ai + bi locally; (c1, c2, c3) are shares of c = a + b.
Multiplicative Homomorphism of Linear Secret Sharing [….,CramerDamgardMaurer2000]

From shares (y1, …, y5) of s and (y’1, …, y’5) of s’ (same matrix), an interactive PROTOCOL produces shares (z1, …, z5) of s · s’.
Unlike addition, this needs communication, and the access structure must be Q2
(no two unauthorized sets together cover all the parties).
Constructing Nonlinear Schemes
Two constructions:

1. Composition approach: no assumptions, access structures in NC.

2. Direct constructions: access structures probably not in P.
Nonlinear Schemes: Composition Approach [B+Ishai01]

(Figure: parties P1 … Pn hold shares of S1 from a scheme linear over GF(2); parties Pn+1 … P2n hold shares of S2 from a scheme linear over GF(3); the secret is S = S1 + S2.)

[B+Weinreb03]:
• there is an access structure that is easy over GF(2) and hard over any other field;
• there is an access structure that is easy over GF(3) and hard over any other field.
Composing the two gives an efficient scheme that is not linear over any single field.
Nonlinear schemes: Direct Constructions [B+Ishai01]

  computationally efficient? | perfect / statistical | access structure equivalent to...
  ---------------------------|-----------------------|----------------------------------
  Yes                        | perfect               | modulo a (fixed) prime
  Yes                        | statistical           | co-primality
Large gap

• Sharing a 1-bit secret for general access structures:
  – The known schemes have 2^O(n)-bit shares
  – Best lower bound for an explicit structure [Csirmaz94]:
    Ω(n / log n)

Conjecture: There is an access structure that
requires shares of size 2^Ω(n) for a one-bit secret.

No progress in the last decade!
What Should We Do?

• Prove lower bounds for stronger definitions of secret
  sharing
  – Linear secret sharing schemes – n^Ω(log n)-bit shares for a
    one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98].

• Prove upper bounds for weaker definitions of secret
  sharing.
• Try to understand which techniques should be used
  to prove lower bounds.
Def: Weakly-Private Secret Sharing

(Figure: a dealer holding the secret s and randomness r sends share s1 to P1, s2 to P2, …, sn to Pn.)

A scheme Π weakly realizes A ⊆ 2^{{P1,…,Pn}} if:

Correctness: every authorized set B can always recover s.
Weak privacy: every unauthorized set C can never rule out
any secret. Writing Π_C(s, r) for the shares of the parties in C,
for every two secrets a, b and every vector of shares ⟨s_i⟩_{i∈C}:
  Pr_r[ Π_C(a, r) = ⟨s_i⟩_{i∈C} ] > 0   iff   Pr_r[ Π_C(b, r) = ⟨s_i⟩_{i∈C} ] > 0.
Motivation
• Strong lower bounds for secret sharing use entropy
arguments [CapocelliDeSantisGarganoVaccaro91,
BlundoDeSantisGarganoVaccaro92, Csirmaz94,….].

• Weakly-private ideal secret sharing = Perfect ideal
secret sharing [BrickellDavenport91].

• Some papers used weakly-private schemes to prove
lower bounds for perfect schemes [Seymour92,

Motivation II

• Key Distribution Schemes:
– [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower
bounds for perfect schemes using entropy arguments.
– [B+Chor93] proved the same lower bound for weakly-private
schemes.

• Does weak-privacy suffice for proving lower-bounds
for secret sharing schemes?

Our Results
1. For every access structure and every secret length there is a
   weakly-private scheme whose shares are only c bits longer than
   the secret, where c is a ``constant’’ depending on the access structure.
   Disclaimer: c can be exponential in n.
   Perfect: in the best known schemes the share length is c’ times the secret length.
2. For a doubly-exponential family of access structures,
   there is an efficient weakly-private scheme for 1-bit
   secrets (due to Yuval Ishai).
   Perfect: known only for an exponential family.
3. There is a weakly-private t-out-of-n scheme: 1-bit
   secret and O(t)-bit shares.
   Perfect: log n-bit shares.
Constructions for general access structures

First attempt: for every access structure A, try to construct a scheme whose shares are as long as the secret.

Let s be the secret.
1.   Choose at random a maximal unauthorized set D ∉ A.
2.   Choose a random string bi (of the length of s) for every Pi ∈ D.
3.   Set bi = s for every Pi ∉ D.
4.   The share of Pi is bi.

Weak privacy: every unauthorized set C is contained in some maximal unauthorized set D; when that D is chosen, C holds only random strings, so C can get any vector of shares for every s.
Correctness: ????? An authorized set B ∈ A contains some Pi ∈ B \ D (otherwise B ⊆ D and D would be authorized), but B does not know D, so it can only guess Pi ∈ B and output bi.
Constructions for general access structures

Second (correct) attempt: for every access structure A there is a scheme whose shares are c bits longer than the secret
(c is a “constant” depending on A).

1. Choose at random a maximal unauthorized set D ∉ A.
2. Share the n-bit string representing D using a weakly-private
   scheme realizing A. Let a1,…,an be the generated shares.
3. Choose a random string bi (of the length of s) for every Pi ∈ D.
4. Set bi = s for every Pi ∉ D.
5. The share of Pi is (ai,bi).

Correctness: an authorized set B reconstructs D from the ai, finds some Pi ∈ B \ D (it exists since B ∈ A and D ∉ A), and outputs bi.
Weak privacy: as in the first attempt, since an unauthorized C is contained in some maximal unauthorized D that is chosen with positive probability, and the ai are weakly-private shares of D.
Share size: the inner scheme shares an n-bit secret whose length does not depend on s, so the ai have 2^O(n) bits in the worst case (the known schemes for general access structures); the bi have the length of s. Total: the length of s plus c bits, with c depending on A and n.
Conclusions

• Linearity is useful.
• However, linear schemes can realize only access
structures in NC.
• Nonlinear schemes can efficiently realize some
“computationally hard” access structures.
• Exact power of nonlinear schemes remains unknown.

Proving Lower Bounds

• Close gap for perfect secret sharing schemes
  – Improve 2^O(n) upper bound?
  – Improve Ω(n² / log n) lower bound?
  – Even an existential proof is interesting.

• Exponential lower bounds for linear schemes
  – Improve n^Ω(log n) lower bound.
Upper & Lower Bounds: Specific Access Structures
• Directed connectivity
  – Participants correspond to edges in the complete directed graph
  – Authorized sets: graphs containing a path from v1 to v2
  – Efficient construction for undirected connectivity
  – There is an efficient computational scheme
  – Open: perfect scheme
• Perfect matching
  – Implies a scheme for directed connectivity
  – Open: perfect and computational schemes
• Weighted threshold
  – Efficient computational scheme [B+Weinreb]
  – Perfect scheme with n^{log n} shares
  – Open: efficient perfect scheme
  – Open: monotone formula
Secret Sharing and Oblivious Transfer
• Hamiltonian:
  – Participants correspond to edges in the complete graph
  – Authorized sets: graphs containing a Hamiltonian cycle
  Want an efficient scheme for minimal authorized subsets –
  when given the witness (cycle)
Theorem [Rudich]: If one-way functions exist and an
efficient secret sharing scheme for the Hamiltonian
problem exists then Oblivious Transfer protocols
exist.
  – I.e., Minicrypt = Cryptomania
  – Construction is non-blackbox
Theorem [Rudich]: If there is a perfect scheme for
Hamiltonian, then NP ⊆ co-AM
The End…

```
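Worked example for the slide "Shamir's t-out-of-n Secret Sharing Scheme": an added Python implementation, written for this page and not taken from the talk. It shares over the prime field GF(P) with P = 2^127 − 1 (the choice of prime is this example's, not the deck's), uses the deck's evaluation points j = 1..n, reconstructs by Lagrange interpolation at x = 0, and shows the privacy argument concretely: t − 1 shares plus any candidate secret still define a valid polynomial, so they rule nothing out. The function names `share`, `reconstruct`, `interpolate` and `forge_share` are this example's.

```python
import secrets

# Field GF(P). Any prime larger than the number of parties n works; a 127-bit
# Mersenne prime is chosen here so the secret can be a real key, not a toy value.
P = 2**127 - 1


def eval_poly(coeffs, x):
    """Evaluate p(x) = coeffs[0] + coeffs[1]*x + ... over GF(P) (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def share(s, t, n):
    """Shamir's t-out-of-n sharing: p(x) = s + r1*x + ... + r_{t-1}*x^{t-1} with
    uniformly random r_i; the share of P_j is (j, p(j)). The points 1..n are
    distinct and nonzero, which interpolation needs."""
    if not (0 <= s < P and 1 <= t <= n < P):
        raise ValueError("need 0 <= s < P and 1 <= t <= n < P")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(j, eval_poly(coeffs, j)) for j in range(1, n + 1)]


def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) through
    `points` (Lagrange interpolation over GF(P)). Division is multiplication
    by the inverse, computed with Fermat's little theorem."""
    if len({j for j, _ in points}) != len(points):
        raise ValueError("duplicate x coordinate in shares")
    y = 0
    for j, yj in points:
        num = den = 1
        for k, _ in points:
            if k != j:
                num = num * (x - k) % P
                den = den * (j - k) % P
        y = (y + yj * num * pow(den, P - 2, P)) % P
    return y


def reconstruct(shares):
    """Correctness: any t (or more) genuine shares determine p, and s = p(0)."""
    return interpolate(shares, 0)


def forge_share(partial, candidate, x):
    """Privacy: t-1 shares together with the point (0, candidate) lie on a unique
    polynomial of degree t-1, for *every* candidate secret. Return the share a
    t-th party at index x would hold if the secret were `candidate`; since such
    a share always exists, t-1 shares cannot rule any secret out."""
    return interpolate(partial + [(0, candidate)], x)


if __name__ == "__main__":
    shares = share(1706, 3, 4)                 # the deck's figure: t = 3, four parties
    print(reconstruct(shares[:3]) == 1706)     # any three shares recover the secret
    two = shares[:2]                           # an unauthorized set
    forged = forge_share(two, 4242, 3)
    print(reconstruct(two + [(3, forged)]) == 4242)   # consistent with 4242 as well
```

With t = 3 and n = 4, any three of the four shares return the secret, and `forge_share` shows why two shares reveal nothing: for every candidate secret there is a third share that completes a valid degree-2 polynomial.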
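The monotone span program from the slides "Monotone Span Programs" and "Span Programs → Secret Sharing", together with the additive homomorphism from "Homomorphism of Linear Secret Sharing" and "Application: Computing a Sum", as one added Python example written for this page (not code from the talk). It uses the deck's 5×4 matrix over GF(2) with target (1 0 0 0): Gaussian elimination decides acceptance and returns the reconstruction coefficients, sharing is the matrix–vector product, shares of two secrets are added locally, and a brute-force check over all randomness confirms that a rejected set sees the same share distribution for s = 0 and s = 1. The function names and the check helpers are this example's.

```python
import itertools
from collections import Counter

# The deck's monotone span program over GF(2): rows labeled by parties (P2 owns
# two rows), columns for (s, r2, r3, r4), target vector e1 = (1, 0, 0, 0).
LABELS = ["P2", "P2", "P1", "P3", "P4"]
ROWS = [(1, 1, 0, 1),
        (0, 1, 1, 0),
        (0, 1, 1, 0),
        (1, 1, 0, 0),
        (0, 0, 1, 1)]
TARGET = (1, 0, 0, 0)
PARTIES = sorted(set(LABELS))


def to_int(vec):
    return sum(b << k for k, b in enumerate(vec))


def span_coeffs(rows, target):
    """Gaussian elimination over GF(2) that tracks which input rows were combined.
    Returns a 0/1 list c with sum(c[i]*rows[i]) == target, or None if the target
    is not in the span of the rows."""
    basis = {}                              # pivot bit -> (reduced row, combination)
    for i, row in enumerate(rows):
        vec, comb = to_int(row), 1 << i
        for piv in sorted(basis, reverse=True):
            if vec >> piv & 1:
                bvec, bcomb = basis[piv]
                vec, comb = vec ^ bvec, comb ^ bcomb
        if vec:                             # independent: its top bit is a new pivot
            basis[vec.bit_length() - 1] = (vec, comb)
    tvec, tcomb = to_int(target), 0
    for piv in sorted(basis, reverse=True):
        if tvec >> piv & 1:
            bvec, bcomb = basis[piv]
            tvec, tcomb = tvec ^ bvec, tcomb ^ bcomb
    if tvec:
        return None
    return [tcomb >> i & 1 for i in range(len(rows))]


def rows_of(parties):
    return [i for i, lab in enumerate(LABELS) if lab in parties]


def accepts(parties):
    """The program accepts B iff the rows labeled by B span the target."""
    return span_coeffs([ROWS[i] for i in rows_of(parties)], TARGET) is not None


def share(s, r):
    """Shares = M x (s, r2, r3, r4) over GF(2); r = (r2, r3, r4) is the random column."""
    col = (s,) + tuple(r)
    return [sum(a * b for a, b in zip(row, col)) % 2 for row in ROWS]


def reconstruct(parties, shares):
    """Apply the combination that yields the target to the shares: the r's cancel."""
    idx = rows_of(parties)
    c = span_coeffs([ROWS[i] for i in idx], TARGET)
    if c is None:
        raise ValueError("unauthorized set: %s" % sorted(parties))
    return sum(ci * shares[i] for ci, i in zip(c, idx)) % 2


def add_shares(x, y):
    """Homomorphism: shares of s plus shares of s' are shares of s + s', locally."""
    return [(a + b) % 2 for a, b in zip(x, y)]


def additive_homomorphism_holds(parties=("P2", "P4")):
    rs = list(itertools.product((0, 1), repeat=3))
    return all(reconstruct(parties, add_shares(share(s, r), share(t, q))) == (s + t) % 2
               for s in (0, 1) for t in (0, 1) for r in rs for q in rs)


def perfectly_private(parties):
    """Enumerate all r: a rejected set's view has the same distribution for s=0 and s=1."""
    views = [Counter(tuple(share(s, r)[i] for i in rows_of(parties))
                     for r in itertools.product((0, 1), repeat=3))
             for s in (0, 1)]
    return views[0] == views[1]


def minimal_authorized_sets():
    auth = [frozenset(c) for k in range(1, len(PARTIES) + 1)
            for c in itertools.combinations(PARTIES, k) if accepts(c)]
    return {B for B in auth if not any(A < B for A in auth)}
```

For the deck's example s=1, r2=r3=0, r4=1, `share(1, (0, 0, 1))` gives the shares 0, 0, 0, 1, 1 and `reconstruct({"P2", "P4"}, ...)` returns 1 by summing P2's two shares and P4's share, exactly the combination shown on the slide; `minimal_authorized_sets()` reports that {P2, P4} is the only minimal authorized set of this particular program.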
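The second (correct) attempt from "Constructions for general access structures", as an added Python example written for this page (not code from the talk). It uses a constructed 3-party access structure with minimal authorized sets {P0,P1} and {P1,P2} and a 1-bit secret. The inner weakly-private scheme for the n-bit string describing D is the Ito–Saito–Nishizeki scheme (XOR-share the string among the members of each minimal authorized set; it is perfect, hence weakly private); that choice is this example's, the deck only requires some weakly-private scheme. Randomness is passed in explicitly so the code can enumerate every random tape and check that authorized sets always reconstruct, that every unauthorized set sees the same set of possible views for s = 0 and s = 1 (weak privacy), and that those views are nonetheless not equally distributed (the scheme is not perfect). All function names are this example's.

```python
import itertools
from collections import Counter
from functools import reduce
from operator import xor

# Constructed example: parties 0..N-1, access structure given by its minimal
# authorized sets. Authorized = contains one of them (monotone by construction).
N = 3
MIN_SETS = [frozenset({0, 1}), frozenset({1, 2})]
ALL_SUBSETS = [frozenset(c) for k in range(N + 1)
               for c in itertools.combinations(range(N), k)]


def authorized(S):
    return any(B <= frozenset(S) for B in MIN_SETS)


UNAUTHORIZED = [S for S in ALL_SUBSETS if not authorized(S)]
MAX_UNAUTH = [D for D in UNAUTHORIZED if not any(D < E for E in UNAUTHORIZED)]
AUTHORIZED = [S for S in ALL_SUBSETS if authorized(S)]


def encode(D):
    """The n-bit string representing D (bit i set iff P_i is in D)."""
    return sum(1 << i for i in D)


def decode(x):
    return frozenset(i for i in range(N) if x >> i & 1)


# Inner scheme (step 2): Ito-Saito-Nishizeki, additive (XOR) sharing of the
# n-bit string among the members of every minimal authorized set.
ISN_RAND = sum(len(B) - 1 for B in MIN_SETS)      # random n-bit values it consumes


def isn_share(x, rand_vals):
    it = iter(rand_vals)
    shares = {i: {} for i in range(N)}
    for j, B in enumerate(MIN_SETS):
        members = sorted(B)
        vals = [next(it) for _ in members[:-1]]
        vals.append(reduce(xor, vals, x))           # last member: x xor the others
        for m, v in zip(members, vals):
            shares[m][j] = v
    return shares


def isn_reconstruct(B, shares):
    j = next(j for j, M in enumerate(MIN_SETS) if M <= frozenset(B))
    return reduce(xor, (shares[m][j] for m in MIN_SETS[j]), 0)


def wp_share(s, d_idx, isn_rand, b_bits):
    """The deck's construction with explicit randomness: d_idx picks the maximal
    unauthorized set D, isn_rand feeds the inner scheme, b_bits[i] is P_i's
    random bit (used only when P_i is in D; parties outside D hold s)."""
    D = MAX_UNAUTH[d_idx]
    a = isn_share(encode(D), isn_rand)
    return {i: (a[i], b_bits[i] if i in D else s) for i in range(N)}


def wp_reconstruct(B, shares):
    """Recover D from the a_i, pick some P_i in B but not in D (it exists because
    B is authorized, D is not, and the structure is monotone), output its b_i."""
    D = decode(isn_reconstruct(B, {i: shares[i][0] for i in B}))
    i = next(i for i in B if i not in D)
    return shares[i][1]


def all_tapes():
    for d_idx in range(len(MAX_UNAUTH)):
        for isn_rand in itertools.product(range(1 << N), repeat=ISN_RAND):
            for b_bits in itertools.product((0, 1), repeat=N):
                yield d_idx, isn_rand, b_bits


def view_counts(C, s):
    """Counts, over all random tapes, of the joint share vector seen by the set C."""
    C = sorted(C)
    views = (wp_share(s, *tape) for tape in all_tapes())
    return Counter(tuple((tuple(sorted(sh[i][0].items())), sh[i][1]) for i in C)
                   for sh in views)


def correct():
    return all(wp_reconstruct(B, wp_share(s, *tape)) == s
               for s in (0, 1) for B in AUTHORIZED for tape in all_tapes())


def weakly_private(C):
    """Same support for s=0 and s=1: C can never rule a secret out."""
    return set(view_counts(C, 0)) == set(view_counts(C, 1))


def perfectly_private(C):
    """Same distribution for s=0 and s=1; the construction does not aim for this."""
    return view_counts(C, 0) == view_counts(C, 1)
```

Here the maximal unauthorized sets are {P1} and {P0,P2}; `weakly_private({0, 2})` holds because whenever D = {P0,P2} is chosen both parties hold random bits, while `perfectly_private({0, 2})` fails because when D = {P1} is chosen they both hold s, which skews the distribution toward the true secret. The share of each party is (a_i, b_i): the inner shares a_i depend on n and the access structure but not on the secret length, which is the "+ c" in the deck's bound.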