
Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes



  1. Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
     Amos Beimel, Ben-Gurion University. Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.

  2. Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
     [Figure: the secret 1706 is split into the shares 2538, 3441, 1329 and 6634 with threshold t=3; a set of shares either recovers 1706 or learns nothing ("?").]

  3. Talk Overview
     • Motivation and definitions
     • Linear secret sharing schemes
     • Nonlinear secret sharing schemes
     • Weakly-private secret sharing schemes
     • Conclusions and open problems
     ICITS

  4. Def: Secret Sharing
     • Access structure: the sets of parties that are authorized to learn the secret.
     • A scheme realizes an access structure if:
       Correctness: every authorized set B can always recover s.
       Privacy: every unauthorized set B cannot learn anything about s.
     [Figure: the dealer, holding the secret s and randomness r, hands shares s1, s2, …, sn to the parties P1, P2, …, Pn.]

  5. Applications
     • Secure storage
     • Secure multiparty computation
     • Threshold cryptography
     • Byzantine agreement
     • Access control
     • Private information retrieval
     • Attribute-based encryption

  6. Shamir’s t-out-of-n Secret Sharing Scheme
     • Input: secret s
     • Choose at random a polynomial p(x) = s + r1·x + r2·x^2 + … + r_{t-1}·x^{t-1}
     • Share of Pj: sj = p(j)
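Shamir's scheme from the slide above, worked through over a prime field as an added example (this is not code from the slides): shares are evaluations of a random degree t-1 polynomial and reconstruction is Lagrange interpolation at x = 0. The field size PRIME and the evaluation points j = 1..n are assumptions of this example.

```python
import secrets

# Assumed prime field; any prime larger than n works. (Added example, not from the slides.)
PRIME = 2**61 - 1

def make_shares(secret, t, n, rng=secrets.randbelow):
    """Share `secret` among n parties so that any t of them can reconstruct it."""
    assert 0 <= secret < PRIME and 1 <= t <= n < PRIME
    # p(x) = s + r1*x + ... + r_{t-1}*x^{t-1} with uniformly random coefficients
    coeffs = [secret] + [rng(PRIME) for _ in range(t - 1)]

    def p(x):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        return y

    # Share of P_j is the point (j, p(j)); j = 0 is never used since p(0) is the secret
    return [(j, p(j)) for j in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 from exactly t shares with distinct x-coordinates."""
    total = 0
    for j, yj in shares:
        num, den = 1, 1
        for k, _ in shares:
            if k != j:
                num = (num * (0 - k)) % PRIME   # numerator of the Lagrange basis L_j(0)
                den = (den * (j - k)) % PRIME   # denominator of L_j(0)
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+)
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total
```

Fewer than t shares interpolate to a polynomial that is unrelated to the secret, which is exactly why the scheme is private.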

  7. The General Case
     [Figure: parties P1, …, P5 with minimal authorized sets {2,4}, {1,2} and {1,3,5}, each of which recovers s.]
     Which access structures can be realized?
     • Necessary condition: the access structure is monotone.
     • Also sufficient! But not efficient!

  8. Are there Efficient Schemes?
     • The known schemes for general access structures have shares of size 2^O(n).
     • Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
     • Nothing better is known even for non-explicit structures!
     • Large gap. Conjecture: there is an access structure that requires shares of size 2^Ω(n).

  9. Talk Overview
     • Motivation and definitions
     • Linear secret sharing schemes
     • Nonlinear secret sharing schemes
     • Weakly-private secret sharing schemes
     • Conclusions and open problems

  10. Pn P1 P2 F Linear Transformation r1 r2 rm s F Linear Secret-Sharing • Examples: • Shamir’s scheme • Formula based Schemes [BenalohLeichter88] • Monotone span programs [KrachmerWigderson93] ICITS

  11. Linear Schemes and Span Programs
     Monotone span programs: a linear-algebraic model of computation [KarchmerWigderson93]. Equivalent to linear schemes.

  12. Monotone Span Programs
     The program accepts a set B iff the rows labeled by B span the target vector.

  13. Monotone Span Programs
     [Figure: the example matrix with its row labels; the rows labeled by {P2,P4} are highlighted.]

  14. Monotone Span Programs
     [Figure: the same matrix; the rows labeled by {P1,P2} are highlighted.]

  15. Span Programs → Secret Sharing
     [Figure: the shares are the product of the matrix (rows labeled P2, P2, P1, P3, P4) with the vector (s, r2, r3, r4). Example: s=1, r2=r3=0, r4=1.]

  16. Span Programs → Secret Sharing
     [Figure: the parties {P2,P4} combine their shares and obtain s.]

  17. Linear Schemes: State of the Art
     • Every access structure can be realized by a linear scheme.
     • Most known schemes are linear.
     • Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
     • Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^Ω(log n).
     • Best existential lower bounds for linear schemes: 2^Ω(n).

  18. Why Linear Secret Sharing?
     • Share generation and secret reconstruction are efficient.
     • Perfect privacy for free.
     • Homomorphic.
     • Secure multi-party computation [CramerDamgardMaurer2000].
     Why not?
     • Can only realize access structures in NC.

  19. Homomorphism of Linear Secret Sharing
     [Figure: the matrix with rows (1 1 0 1) for P2, (0 1 1 0) for P2, (0 1 1 0) for P1, (1 1 0 0) for P3 and (0 0 1 1) for P4, applied to (s, r2, r3, r4), gives the shares y1, …, y5; applied to (s’, r’2, r’3, r’4) it gives y’1, …, y’5. Adding the two, the same matrix applied to (s+s’, r2+r’2, r3+r’3, r4+r’4) gives (y1+y’1, …, y5+y’5): the sums of the shares are shares of s+s’.]

  20. Application: Computing a Sum
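The monotone span program of slides 12 to 16 and the additive homomorphism of slide 19, worked through in Python as an added example (not the slides' own code). The five rows and their party labels are the matrix shown on the slides; the target vector e1 = (1, 0, 0, 0) and the field GF(2) are assumptions of this example, as is the exhaustive search for the spanning combination (fine for five rows, not the general algorithm).

```python
import itertools
import random
# Monotone span program (MSP) over GF(2) turned into a linear secret-sharing scheme.
# Added example, not the slides' own code: the five rows and party labels are the matrix
# shown on the slides; the target vector e1 = (1, 0, 0, 0) is assumed (standard for MSPs).
ROWS = [("P2", (1, 1, 0, 1)), ("P2", (0, 1, 1, 0)), ("P1", (0, 1, 1, 0)),
        ("P3", (1, 1, 0, 0)), ("P4", (0, 0, 1, 1))]
TARGET = (1, 0, 0, 0)
DIM = len(TARGET)

def combine(coeffs, vectors):
    """GF(2) linear combination of the vectors, component-wise mod 2."""
    return tuple(sum(c * v[k] for c, v in zip(coeffs, vectors)) % 2 for k in range(DIM))

def spanning_coeffs(parties):
    """0/1 coefficients over the rows owned by `parties` that reach TARGET, or None."""
    rows = [r for label, r in ROWS if label in parties]
    for coeffs in itertools.product((0, 1), repeat=len(rows)):
        if combine(coeffs, rows) == TARGET:
            return coeffs
    return None

def accepts(parties):
    """MSP acceptance (slide 12): the rows labelled by `parties` span the target vector."""
    return spanning_coeffs(parties) is not None

def share(secret, r):
    """Shares = M · (s, r2, r3, r4) over GF(2); a party holds the entries of its own rows."""
    vec = (secret,) + tuple(r)
    return [(label, sum(a * b for a, b in zip(row, vec)) % 2) for label, row in ROWS]

def random_shares(secret):
    return share(secret, [random.SystemRandom().randrange(2) for _ in range(DIM - 1)])

def reconstruct(shares, parties):
    """Apply the spanning combination to the parties' shares; raises for unauthorized sets."""
    coeffs = spanning_coeffs(parties)
    if coeffs is None:
        raise ValueError("unauthorized set: its rows do not span the target")
    values = [v for label, v in shares if label in parties]
    return sum(c * v for c, v in zip(coeffs, values)) % 2

def view(secret, parties):
    """Everything `parties` see, over all r: identical for s=0 and s=1 iff unauthorized."""
    return sorted(tuple(v for l, v in share(secret, r) if l in parties)
                  for r in itertools.product((0, 1), repeat=DIM - 1))

def add_shares(sh, sh2):
    """Additive homomorphism (slide 19): row-wise sums of shares of s and s' share s + s'."""
    return [(l, (a + b) % 2) for (l, a), (_, b) in zip(sh, sh2)]
```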

  21. Multiplicative Homomorphism of Linear Secret Sharing […, CramerDamgardMaurer2000]
     [Figure: shares y1, …, y5 of s and y’1, …, y’5 of s’ (same matrix as on slide 19) are fed into a PROTOCOL that outputs shares for s·s’.]
     The access structure must be Q2.

  22. Talk Overview
     • Motivation and definitions
     • Linear secret sharing schemes
     • Nonlinear secret sharing schemes
     • Weakly-private secret sharing
     • Conclusions and open problems

  23. Constructing Nonlinear Schemes
     Two constructions:
     • Composition approach: no assumptions, access structures in NC.
     • Direct constructions: access structures probably not in P.

  24. Nonlinear Schemes: Composition Approach [B+Ishai01]
     [Figure: parties P1, …, Pn are handled by a linear scheme S1 over GF(3) and parties Pn+1, …, P2n by a linear scheme S2 over GF(2); the combined scheme is S = S1 + S2.]
     • [B+Weinreb03]:
       • There is an access structure that is easy over GF(2) and hard over any other field.
       • There is an access structure that is easy over GF(3) and hard over any other field.

  25. Nonlinear Schemes: Direct Constructions [B+Ishai01]
     access structure equivalent to...             | computationally efficient? | perfect / statistical
     quadratic residuosity modulo a (fixed) prime  | Yes                        | perfect
     co-primality                                  | Yes                        | statistical
     quadratic residuosity                         | No                         | statistical

  26. Talk Overview
     • Motivation and definitions
     • Linear secret sharing schemes
     • Nonlinear secret sharing schemes
     • Weakly-private secret sharing
     • Conclusions and open problems

  27. Large Gap
     • Sharing a 1-bit secret for general access structures:
       • The known schemes have 2^O(n)-bit shares.
       • Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n).
     Conjecture: there is an access structure that requires shares of size 2^Ω(n) for a one-bit secret.
     No progress in the last decade!

  28. What Should We Do?
     • Prove lower bounds for stronger definitions of secret sharing.
       • Linear secret sharing schemes: n^Ω(log n)-bit shares for a one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98].
     • Prove upper bounds for weaker definitions of secret sharing.
     • Try to understand which techniques should be used to prove lower bounds.

  29. Def: Weakly-Private Secret Sharing
     A scheme weakly realizes an access structure if:
     • Correctness: every authorized set B can always recover s.
     • Weak privacy: every unauthorized set C can never rule out any secret. That is, for every two secrets a, b and every vector of shares si, i in C: if C can receive these shares when the secret is a, it can also receive them when the secret is b.
     [Figure: the dealer, holding the secret s and randomness r, hands shares s1, s2, …, sn to the parties P1, P2, …, Pn.]

  30. Motivation
     • Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94, …].
     • Weakly-private ideal secret sharing = perfect ideal secret sharing [BrickellDavenport91].
     • Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96, B+Livne06].

  31. Motivation II
     • Key distribution schemes:
       • [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
       • [B+Chor93] proved the same lower bound for weakly-private schemes.
     • Does weak privacy suffice for proving lower bounds for secret sharing schemes?

  32. Our Results
     • For every access structure there is a weakly-private scheme whose shares are only c bits longer than the secret, where c is a ``constant’’ depending on the access structure. Disclaimer: c can be exponential in n. Perfect: best known c’-bit shares.
     • For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai). Perfect: known only for an exponential family.
     • There is a weakly-private t-out-of-n scheme with a 1-bit secret and O(t)-bit shares. Perfect: log n-bit shares.

  33. Constructions for General Access Structures
     First attempt: for every access structure, try to construct a scheme whose shares are as long as the secret. Let s be the secret.
     • Choose at random a maximal unauthorized set D.
     • Choose a random bit bi in {0,1} for every Pi in D.
     • Set bi = s for every Pi not in D.
     • The share of Pi is bi.
     Weak privacy: for an unauthorized set C, the set C can get any vector of shares for every s.
     Correctness: ????? For an authorized set B there is some Pi in B \ D, but the parties do not know D. Guess a Pi in B and output bi.

  34. Constructions for General Access Structures
     Second (correct) attempt: for every access structure there is a scheme whose shares are only c bits longer than the secret (c is a “constant” depending on the access structure).
     • Choose at random a maximal unauthorized set D.
     • Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a1, …, an be the generated shares.
     • Choose a random bit bi in {0,1} for every Pi in D.
     • Set bi = s for every Pi not in D.
     • The share of Pi is (ai, bi).
     Correctness: for an authorized set B there is some Pi in B \ D. B reconstructs D, finds a Pi in B \ D, and outputs bi.
     Share size: a scheme where the shares ai are 2^n bits (worst case). Total size: secret length + 2^n.
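The second attempt above, simulated in Python as an added example (not the slides' own code) on a small access structure. Assumptions of this example: five parties with the minimal authorized sets of the slide 7 picture, the Ito-Saito-Nishizeki XOR scheme of slide 7 as the (perfect, hence weakly-private) scheme that shares D, and a 1-bit secret. `possible_b_views` enumerates which share vectors an unauthorized set can receive, which is the weak-privacy condition of slide 29; an authorized set, by contrast, can rule secrets out.

```python
import itertools
import random
from functools import reduce

rng = random.SystemRandom()
PARTIES = (1, 2, 3, 4, 5)
# Toy access structure given by its minimal authorized sets (assumed; the sets of the
# slide 7 picture). A set D is encoded as an n-bit mask with bit p-1 set iff P_p is in D.
MINIMAL = [frozenset({2, 4}), frozenset({1, 2}), frozenset({1, 3, 5})]

def authorized(B):
    return any(A <= set(B) for A in MINIMAL)
# Maximal unauthorized sets: unauthorized and not contained in a larger unauthorized set.
UNAUTH = [set(c) for k in range(len(PARTIES) + 1)
          for c in itertools.combinations(PARTIES, k) if not authorized(c)]
MAXIMAL_UNAUTH = [D for D in UNAUTH if not any(D < E for E in UNAUTH)]

def isn_share(value):
    """Ito-Saito-Nishizeki scheme (slide 7): XOR-split `value` inside each minimal set."""
    shares = {p: {} for p in PARTIES}
    for A in MINIMAL:
        members = sorted(A)
        parts = [rng.randrange(1 << len(PARTIES)) for _ in members[:-1]]
        parts.append(reduce(int.__xor__, parts, value))   # last part fixes the XOR to value
        for p, x in zip(members, parts):
            shares[p][A] = x
    return shares

def isn_reconstruct(shares, B):
    A = next(A for A in MINIMAL if A <= set(B))          # any minimal set inside B works
    return reduce(int.__xor__, (shares[p][A] for p in A), 0)

def weak_share(s):
    """Second attempt from the slides: share D itself, then b_i random in D, b_i = s outside."""
    D = rng.choice(MAXIMAL_UNAUTH)
    a = isn_share(sum(1 << (p - 1) for p in D))
    return {p: (a[p], rng.randrange(2) if p in D else s) for p in PARTIES}

def weak_reconstruct(shares, B):
    d_mask = isn_reconstruct({p: shares[p][0] for p in B}, B)
    p = next(p for p in B if not d_mask >> (p - 1) & 1)   # some P_i in B \ D, so b_i = s
    return shares[p][1]

def possible_b_views(s, C):
    """All (b_i)_{i in C} vectors that can occur under secret s (the weak-privacy check)."""
    views = set()
    for D in MAXIMAL_UNAUTH:
        free = [p for p in C if p in D]                    # random bits; the rest equal s
        for bits in itertools.product((0, 1), repeat=len(free)):
            views.add(tuple(dict(zip(free, bits)).get(p, s) for p in sorted(C)))
    return views
```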

  35. Talk Overview
     • Motivation and definitions
     • Linear secret sharing schemes
     • Nonlinear secret sharing schemes
     • Weakly-private secret sharing
     • Conclusions and open problems

  36. Conclusions
     • Linearity is useful.
     • However, linear schemes can realize only access structures in NC.
     • Nonlinear schemes can efficiently realize some “computationally hard” access structures.
     • The exact power of nonlinear schemes remains unknown.

  37. Proving Lower Bounds
     • Close the gap for perfect secret sharing schemes:
       • Improve the 2^O(n) upper bound?
       • Improve the Ω(n^2 / log n) lower bound?
       • Even an existential proof is interesting.
     • Exponential lower bounds for linear schemes:
       • Improve the n^Ω(log n) lower bound.

  38. Upper & Lower Bounds: Specific Access Structures
     • Directed connectivity
       • Participants correspond to edges in the complete directed graph
       • Authorized sets: graphs containing a path from v1 to v2
       • Efficient construction for undirected connectivity
       • There is an efficient computational scheme
       • Open: perfect scheme
     • Perfect matching
       • Implies a scheme for directed connectivity
       • Open: perfect and computational schemes
     • Weighted threshold
       • Efficient computational scheme [B+Weinreb]
       • Perfect scheme with n^(log n) shares
       • Open: perfect scheme
     • Monotone formula: open

  39. Secret Sharing and Oblivious Transfer
     • Hamiltonian:
       • Participants correspond to edges in the complete graph
       • Authorized sets: graphs containing a Hamiltonian cycle
     Want an efficient scheme for minimal authorized subsets, when given the witness (the cycle).
     Theorem [Rudich]: if one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist.
     • I.e., Minicrypt = Cryptomania.
     • The construction is non-black-box.
     Theorem [Rudich]: if there is a perfect scheme for Hamiltonian, then NP ⊆ co-AM.

  40. The End…
