Embed Size (px)
DESCRIPTION
3 Secret Sharing Scheme (SSS) Introduction (1/4)
Citation preview
1
Problems of Perfect Multi-Secret Sharing Schemes
Advisor: 阮夙姿教授Presenter: 蔡惠嬋Date: 2008/08/11
國立暨南國際大學資訊工程學系
2
Outline • Introduction• Topic 1:
– A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme)
• Topic 2: – MSSS for Proving Both Improvement Ratios– Two Optimal General MSSSs (GMS1, GMS2)
• Comparisons• Conclusions
3
• Secret Sharing Scheme (SSS)
Introduction (1/4)
Introduction (2/4)
4
• Secret Sharing Scheme (SSS)
D : Distribution AlgorithmR : Reconstruction Algorithm
P1
P2
Pn
…
Ds s
P1
P2…R
Pt
Introduction (3/4)
• Dealer• Participants
• P = {P1, P2, …, Pn}
• Access structure ( 2P )• Prohibited structure ( 2P )
5
x1
xn
x2
P1
P2
Pn
…
Ds
P = {P1, P2, P3} = {{P1, P3}, {P2, P3}} = {{P1}, {P3}, {P1, P2}}
• (t, n)-threshold scheme (A. Shamir 1979, Blakley 1979)
• Information Rate () = log(K) / log(Si)• A SSS is ideal if = 1.
6
Introduction (4/4)
K
x
y
7
Outline • Introduction• Topic 1:
– A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme)
• Topic 2: – MSSS for Proving Both Improvement Ratios– Optimal General MSSS
• Comparisons• Conclusions and Future Work
• (r1, r2)-HP Scheme• G-HP Scheme
8
Preliminary – Hypergraph (1/2)
• Hypergraph H = (V, E)• r-Uniform Hypergraph• (r1, r2)-Uniform Hypergraph• General Hypergraph
P1
P4P2
P3
P5
P6
3-Uniform Hypergraph
P1
P4P2
P3
P5
P6
(2, 3)-Uniform Hypergraph General Hypergraph Source: Wikipedia
Preliminary - Related Work (2/2)
9
Graph Based
1010
• (r1, r2)-Uniform Hypergraph H• V(H) = P and |P| = n.• = {A| A B for some B E(H)} {A | A P and |A| (r1
1)}• = {A P| B E(H), A B and r1 |A| r2+1}
• Example: (2, 4)-HP Scheme• = {{P1, P5}, {P1, P6}, {P2, P5}, {P2, P6}, {P1, P2, P3},
{P1, P2, P4}, {P1, P3, P4}, {P2, P3, P4}}.
(r1, r2)-HP Scheme (1/3)
P1
P2P3
P4
P6
P5
1111
(r1, r2)-HP Scheme (2/3)
P1
P2P3
P4
P6
P5
• (2, 4)-HP Scheme• = {{P1, P5}, {P1, P6}, {P2, P5}, {P2, P6}
{P1, P2, P3}, {P1, P2, P4}, {P1, P3, P4}, {P2, P3, P4}}.
• Idea:• Distribute a random number ai for each Pi.• Construct related polynomials.
• Distribution:• Distribute a1, a2, …, a6 to P1, P2, …, P6.• Construct f1(x) = K2x + K1 mod q• Construct f2(x) = A21x2 + K2x + K1 mod q
1212
f1(x) = K2x +K1 (mod q)
f2(x) = A21x2 + K2x + K1 (mod q)
P1
P2P3
P4
P6
P5
1313
G-HP Scheme
• (r1, r2, …, rv)-HP Scheme• Distribute random numbers a1, a2, …, an to P1, P2, …, Pn.• Observe
• ConstructqKx KxAxAxf –– mod)( 12
222
1212
22
qKx KxAxAxf –– mod)( 122
121
11111
qKx KxAxAxf –u
–uu
uu mod)( 122
21
1
…
iiliii
iliiii
u
BBB
uiBBBBBBB
|||||| and
,1for , },...,,{ where},...,,{
)(,2,1,
)(,2,1,
21
• Information Rate• = log(K) / log(Si) = 2/ (d +1),
• Comparisons between G-HA and G-HP schemes.
1414
Performance Analysis
|},|{|max where 1 APAAd ini
||max|,|
0
0
Arm
A
15
Outline • Introduction• Topic 1:
– A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme)
• Topic 2: – MSSS for Proving Both Improvement Ratios– Optimal General MSSS
• Comparisons• Conclusions and Future Work
16
Outline • Introduction• Topic 1:
– A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme)
• Topic 2: – MSSS for Proving Both Improvement Ratios– Two Optimal General MSSSs
• Comparisons• Conclusions and Future Work
• GMS1• GMS2
17
• Multi-SSS • an extension of a single-SSS to deal with many secrets
at the same time
s1
s2
sM
P1
P2
Pn
s1
s2
sM
R
P1
P2
Pt
… …… …
D
P1
P2
Pn
s
P1
P2
… …
Ds R
Pt
Preliminary(1/2)
• Parameter Setup:• P = {P1, P2, …, Pn}
• s1, s2, …, sM: secrets
• xi : Pi’s secret share.• h (r, s): two-variable one way function• q : large prime
18
L. J. Pang, H. X. Li and Y. M. Wang, An Efficient and Secure Multi-Secret Sharing Scheme with General Access Structures,WUJNS, 2006. (PLW scheme)
19
GMS1 (1/2)
x
y
f1(x) = s1 + x mod qf2(x) = s2 + x mod q fM(x) = sM + x mod q
Secret Distribution:
si
f(di,j) h(ri, xi,j,1) h(ri, xi,j,2) … h(ri, xi,j,k)
Pi,j,1 Pi,j,2 Pi,j,k…
xi,j,1 xi,j,2 xi,j,k
h(ri, xi,j,1) h(ri, xi,j,2) … h(ri, xi,j,k)
MSGi = { ri, hi,1, hi,2,…, hi,|i| }Publish
(di,j, f(di,j))…
di,j = i z + j, where z = max{n, |1|, |2|, …, |M|}
hi,j =
Let = (1, 2, …, M) be the access structure for the secrets1, s2, …, sM, respectively. Say i = {Ai,1, Ai,2, …, Ai,|i|
}.
20
Secret Reconstruction:
GMS1 (2/2)
MSGi = { ri, hi,1, hi,2,…, hi,|i| }
Pi,j,1 Pi,j,2 Pi,j,k…
xi,j,1 xi,j,2 xi,j,k
h(ri, xi,j,1) h(ri, xi,j,2) … h(ri, xi,j,k)hi,j h(ri, xi,j,1) h(ri, xi,j,2) … h(ri, xi,j,k)
x
y
si
(di,j, f(di,j))
fi(di,j) – di,j
fi(x) = si + x mod q
f(di,j) =
x
y
f(dj) h(r, xj,1) h(r, xj,2) … h(r, xj,k)
先直接公佈 l – 1 個點Pj,1 Pj,2 Pj,k
…
xj1 xj2 xjk
h(r, xj,1) h(r, xj,2) … h(r, xj,k)Publish:
MSG = { r, f(1), f(2), …, f(l – 1), h1, h2, …, ht }
l 個秘密 {s1, s2 ,…, sl}
(dj, f(dj))
Secret Distribution:
需要 l 個點
hj =
21
GMS2
Observe access structures of each secret si first.
q xxsxssxf ll,l,, mod)( 1
121111
Security Analysis
• (di,j, f(di,j)) must be computed by Pk in Ai,j by using his h(ri, xk).
• Guessing probability of xi or fi(di,j) is the same. (1/q).
• Two variable one way function h(ri, xi,j)
22
Multi-use
23
Comparisons of general SSS (apply single secret)
Comparisons (1/3)
24
Comparisons of three general MSSS (apply multiple secrets)
Comparisons (2/3)
)log(1
2
m
iii llO
m
iiMm
1
||2
)log(1
2
m
iii llO
M
iiM
1
||
m
iiM
1
||
Mlm
ii
1
Comparisons (3/3)
25
Given an Access Structure, choose a suitable SSS.
26
Conclusions
• Conclusions:• Construct G-HP scheme.• Theoretical prove of improvement ratios.• Construct GMS1 and GMS2 schemes.
Thanks for your listening.
