Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
Amos Beimel
Ben-Gurion University
Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87]
[Figure: a dealer holding the secret 1706 hands out the shares 2538, 3441, 1329 and 6634; with threshold t=3, three shares recover 1706, while fewer shares leave the secret unknown (marked "?").]
28/05/2007 ICITS 3
Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems
Def: Secret Sharing
• Access structure: a collection of subsets of {P1,...,Pn} (a subset of 2^{P1,...,Pn}); its members are the authorized sets.
• A scheme realizes an access structure if:
  Correctness: every authorized set B can always recover s.
  Privacy: every unauthorized set B cannot learn anything about s.
[Figure: the dealer, holding the secret s and random input r, sends share s1 to P1, s2 to P2, ..., sn to Pn.]
Applications
• Secure storage;
• Secure multiparty computation;
• Threshold cryptography;
• Byzantine agreement;
• Access control;
• Private information retrieval;
• Attribute-based encryption.
Shamir’s t-out-of-n Secret Sharing Scheme
– Input: secret s
– Choose at random a polynomial p(x) = s + r1·x + r2·x^2 + … + r_{t-1}·x^{t-1}
– Share of Pj: sj = p(j)
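The polynomial sharing above, as an added example that is not code from the slides: Shamir t-out-of-n sharing over a prime field, Lagrange reconstruction from any t shares, and a check of the privacy claim that t-1 shares are consistent with every candidate secret. The field modulus 2^61 - 1 and the injectable `rng` parameter are choices made here for illustration.

```python
import secrets

# Prime field for the arithmetic; constructed for this example (any prime larger
# than the secret and the number of parties works).
PRIME = 2**61 - 1


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate s + r1*x + ... + r_{t-1}*x^(t-1) at x modulo p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share(secret, t, n, p=PRIME, rng=secrets.randbelow):
    """Shamir t-out-of-n sharing: the share of P_j is (j, p(j)) for j = 1..n.

    `rng(k)` must return a uniform integer in [0, k); it is a parameter so the
    sharing can be made deterministic when testing.
    """
    if not (1 <= t <= n < p):
        raise ValueError("need 1 <= t <= n < p")
    coeffs = [secret % p] + [rng(p) for _ in range(t - 1)]  # free term is the secret
    return [(j, _eval_poly(coeffs, j, p)) for j in range(1, n + 1)]


def interpolate(points, x, p=PRIME):
    """Lagrange interpolation: value at x of the unique lowest-degree polynomial
    through the given (x_i, y_i) points, all arithmetic modulo p."""
    xs = [xi for xi, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for xj, yj in points:
        num = den = 1
        for xm in xs:
            if xm != xj:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def reconstruct(shares, p=PRIME):
    """Recover the secret p(0) from at least t shares."""
    return interpolate(shares, 0, p)


def consistent_sharing(held_shares, candidate_secret, n, p=PRIME):
    """Privacy illustration: t-1 shares plus ANY candidate secret determine a
    degree-(t-1) polynomial, so the holders cannot rule any secret out.
    Returns the full share vector that the candidate would have produced."""
    points = [(0, candidate_secret % p)] + list(held_shares)
    return [(j, interpolate(points, j, p)) for j in range(1, n + 1)]


if __name__ == "__main__":
    # The slide's numbers: secret 1706, threshold t = 3, four parties.
    shares = share(1706, 3, 4)
    print("shares:", shares)
    print("any 3 shares:", reconstruct(shares[:3]), reconstruct(shares[1:]))
    # Two shares are consistent with every candidate secret.
    for cand in (0, 1706, 4242):
        full = consistent_sharing(shares[:2], cand, 4)
        assert full[:2] == shares[:2] and reconstruct(full[:3]) == cand
    print("2 shares are consistent with every candidate secret")
```

With the slide's numbers (secret 1706, t=3, n=4) any three of the four shares interpolate back to 1706, while `consistent_sharing` shows that two shares fit every candidate secret equally well, which is exactly why they carry no information about it.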
The General Case
Which access structures can be realized?
• Necessary condition: the access structure is monotone.
• Also sufficient!
[Figure: five parties P1, ..., P5 and an access structure with minimal sets {1,2}, {2,4}, {1,3,5}; the secret s is shared separately inside each minimal set.]
Not efficient!!!!
Are there Efficient Schemes?
• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
• Nothing better is known even for non-explicit structures!
  – large gap
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)}.
Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems
Linear Secret-Sharing
[Figure: the secret s and random field elements r1, r2, ..., rm, all in a field F, pass through a linear transformation over F whose outputs are the shares of P1, P2, ..., Pn.]
Examples:
• Shamir’s scheme
• Formula based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]
Linear Schemes and Span Programs
Monotone span programs – a linear algebraic model of computation [KarchmerWigderson93].
Equivalent to linear schemes.
Monotone Span Programs
A matrix over GF(2) whose rows are labeled by parties, together with a target vector:
P2: 1 1 0 1
P2: 0 1 1 0
P1: 0 1 1 0
P3: 1 1 0 0
P4: 0 0 1 1
Target vector: 1 0 0 0
The program accepts a set B iff the rows labeled by B span the target vector.
Monotone Span Programs
Example: the set {P2,P4}. Its rows are
P2: 1 1 0 1
P2: 0 1 1 0
P4: 0 0 1 1
and their sum over GF(2) is 1 0 0 0, the target vector, so {P2,P4} is accepted.
Monotone Span Programs
Example: the set {P1,P2}. Its rows are
P2: 1 1 0 1
P2: 0 1 1 0
P1: 0 1 1 0
and no combination of them equals the target vector 1 0 0 0 (the nonzero combinations are only 1 1 0 1, 0 1 1 0 and 1 0 1 1), so {P1,P2} is rejected.
Span Programs Secret Sharing
Multiply the matrix by the column vector (s, r2, r3, r4), where r2, r3, r4 are chosen at random:
P2: 1 1 0 1  →  s + r2 + r4
P2: 0 1 1 0  →  r2 + r3
P1: 0 1 1 0  →  r2 + r3
P3: 1 1 0 0  →  s + r2
P4: 0 0 1 1  →  r3 + r4
The share of each party is the entries computed from its rows (P2 receives two entries).
Example: s=1, r2=r3=0, r4=1 gives the entries 0 0 0 1 1 (over GF(2)).
Span Programs Secret Sharing
Reconstruction by {P2,P4}: the combination of their rows that gives the target vector 1 0 0 0, applied to their share entries, yields
(s + r2 + r4) + (r2 + r3) + (r3 + r4) = s.
Linear Schemes: State of the Art
• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95,BabaiGalWigderson96,Gal98,GalPudlak03]: n^{Ω(log n)}.
• Best existential lower bounds for linear schemes: 2^{Ω(n)}.
Why Linear Secret Sharing?
• Share generation and secret reconstruction are efficient.
• Perfect privacy for free.
• Homomorphic
– Secure multi-party computation [CramerDamgardMaurer2000]
Why not?
• Can only realize access structures in NC.
Homomorphism of Linear Secret Sharing
Let M be the matrix of the program (rows labeled P2, P2, P1, P3, P4):
P2: 1 1 0 1
P2: 0 1 1 0
P1: 0 1 1 0
P3: 1 1 0 0
P4: 0 0 1 1
Sharing s with randomness r2, r3, r4:   M · (s, r2, r3, r4) = (y1, y2, y3, y4, y5)
Sharing s' with randomness r'2, r'3, r'4:   M · (s', r'2, r'3, r'4) = (y'1, y'2, y'3, y'4, y'5)
Adding the two equations:   M · (s+s', r2+r'2, r3+r'3, r4+r'4) = (y1+y'1, y2+y'2, y3+y'3, y4+y'4, y5+y'5)
So the sums of the shares are shares of s+s' under the same scheme, with randomness r2+r'2, r3+r'3, r4+r'4.
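The span-program sharing and reconstruction of the previous slides, together with the additive homomorphism just shown, as one added example (not code from the slides). It uses the slides' 5×4 program over GF(2): `share` multiplies the matrix by (s, r2, r3, r4), `spanning_combination` finds the rows of a set that sum to the target vector (by brute force, which is fine at this size), `reconstruct` applies that combination to the share entries, `add_shares` sums two share vectors, and `view_distribution` checks that what an unauthorized set sees does not depend on s. The party labels and function names are this example's own.

```python
import itertools
import secrets

# The monotone span program from the slides, over GF(2).  Columns are the
# coefficients of (s, r2, r3, r4); each row is labelled by the party that holds it.
MSP_ROWS = [
    ("P2", (1, 1, 0, 1)),
    ("P2", (0, 1, 1, 0)),
    ("P1", (0, 1, 1, 0)),
    ("P3", (1, 1, 0, 0)),
    ("P4", (0, 0, 1, 1)),
]
TARGET = (1, 0, 0, 0)  # the target vector of the program


def _xor(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def spanning_combination(parties, rows=MSP_ROWS, target=TARGET):
    """Indices (into the rows labelled by `parties`, in matrix order) of a subset of
    rows whose GF(2) sum is the target vector, or None if no such subset exists.
    Brute force over subsets; a real implementation would use Gaussian elimination."""
    vecs = [v for label, v in rows if label in parties]
    for k in range(1, len(vecs) + 1):
        for combo in itertools.combinations(range(len(vecs)), k):
            acc = (0,) * len(target)
            for i in combo:
                acc = _xor(acc, vecs[i])
            if acc == target:
                return combo
    return None


def accepts(parties, rows=MSP_ROWS, target=TARGET):
    """The program accepts B iff the rows labelled by B span the target vector."""
    return spanning_combination(parties, rows, target) is not None


def share(secret_bit, randomness=None, rows=MSP_ROWS):
    """Multiply the matrix by (s, r2, r3, r4) over GF(2); entry i is the share
    component held by the party labelling row i."""
    m = len(rows[0][1]) - 1
    if randomness is None:
        randomness = tuple(secrets.randbelow(2) for _ in range(m))
    vec = (secret_bit & 1,) + tuple(randomness)
    return [sum(a * b for a, b in zip(row, vec)) % 2 for _, row in rows]


def reconstruct(parties, shares, rows=MSP_ROWS, target=TARGET):
    """Apply the combination that reaches the target vector to the parties' share
    components; by linearity the result is <target, (s, r2, r3, r4)> = s."""
    combo = spanning_combination(parties, rows, target)
    if combo is None:
        raise ValueError("unauthorized set: rows do not span the target")
    mine = [i for i, (label, _) in enumerate(rows) if label in parties]
    return sum(shares[mine[i]] for i in combo) % 2


def add_shares(y, y_prime):
    """Additive homomorphism: the componentwise sum of two share vectors is a
    share vector of s + s' under the same program (no interaction needed)."""
    return [(a + b) % 2 for a, b in zip(y, y_prime)]


def view_distribution(parties, secret_bit, rows=MSP_ROWS):
    """Sorted multiset of what `parties` see, over all choices of randomness.
    For an unauthorized set it does not depend on the secret (perfect privacy)."""
    m = len(rows[0][1]) - 1
    mine = [i for i, (label, _) in enumerate(rows) if label in parties]
    views = []
    for r in itertools.product((0, 1), repeat=m):
        y = share(secret_bit, r, rows)
        views.append(tuple(y[i] for i in mine))
    return sorted(views)


if __name__ == "__main__":
    print("{P2,P4} accepted:", accepts({"P2", "P4"}))   # True
    print("{P1,P2} accepted:", accepts({"P1", "P2"}))   # False
    y = share(1, (0, 0, 1))                              # the slide's example: 0 0 0 1 1
    print("shares:", y, "-> {P2,P4} recovers", reconstruct({"P2", "P4"}, y))
    y2 = share(1, (1, 1, 0))
    print("sum of shares recovers s+s' =", reconstruct({"P2", "P4"}, add_shares(y, y2)))
```

Running it reproduces the slides: {P2,P4} is accepted and recovers s from its three entries, {P1,P2} is rejected, the slide's randomness gives the entries 0 0 0 1 1, and adding two share vectors gives shares of s+s' that the same set can open.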
Application: Computing a Sum
[Figure: three secrets a, b, c are shared as (a1, a2, a3), (b1, b2, b3), (c1, c2, c3); party Pi adds the shares it holds to obtain si, a share of the sum s = a + b + c.]
Multiplicative Homomorphism of Linear Secret Sharing [….,CramerDamgardMaurer2000]
[Figure: (y1, ..., y5) = M · (s, r2, r3, r4) and (y'1, ..., y'5) = M · (s', r'2, r'3, r'4) are shares of s and s' under the program of the previous slides. The parties run a PROTOCOL (*) on these shares and obtain z1, ..., z5.]
Shares for s * s'
Access structure must be Q2
Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems
Constructing Nonlinear Schemes
Two constructions:
1. Composition approach: no assumptions, access structures in NC.
2. Direct constructions: access structures probably not in P.
Nonlinear Schemes: Composition Approach [B+Ishai01]
[Figure: the secret is split as S = S1 + S2; S1 is shared among P1, ..., Pn by a linear scheme over GF(2), and S2 is shared among Pn+1, ..., P2n by a linear scheme over GF(3).]
[B+Weinreb03]: there is an access structure that is easy over GF(2) but hard over any other field, and an access structure that is easy over GF(3) but hard over any other field.
Nonlinear Schemes: Direct Constructions [B+Ishai01]
perfect / statistical | access structure equivalent to...            | computationally efficient?
perfect               | quadratic residuosity modulo a (fixed) prime | Yes
statistical           | quadratic residuosity                        | No
statistical           | co-primality                                 | Yes
Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems
Large gap
• Sharing a 1-bit secret for general access structures:
  – The known schemes have 2^{O(n)}-bit shares
  – Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n)
Conjecture: There is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.
No progress in the last decade!
What Should We Do?
• Prove lower bounds for stronger definitions of secret sharing
  – Linear secret sharing schemes – n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95,BabaiGalWigderson96,Gal98].
• Prove upper bounds for weaker definitions of secret sharing.
• Try to understand which techniques should be used to prove lower bounds.
Def: Weakly-Private Secret Sharing
A scheme weakly realizes an access structure (a subset of 2^{P1,...,Pn}) if:
Correctness: every authorized set B can always recover s.
Weak Privacy: every unauthorized set C can never rule out any secret. That is, for every two secrets a, b and every vector of shares ⟨si⟩_{i∈C}:
  Pr_r[ C's shares on input (a, r) equal ⟨si⟩_{i∈C} ] > 0   iff   Pr_r[ C's shares on input (b, r) equal ⟨si⟩_{i∈C} ] > 0
[Figure: as before, the dealer with secret s and random input r sends shares s1, ..., sn to P1, ..., Pn.]
Motivation
• Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94,….].
• Weakly-private ideal secret sharing = Perfect ideal secret sharing [BrickellDavenport91].
• Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96,B+Livne06]
Motivation II
• Key Distribution Schemes:
  – [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
  – [B+Chor93] proved the same lower bound for weakly-private schemes.
• Does weak privacy suffice for proving lower bounds for secret sharing schemes?
Our Results
1. For every access structure there is a weakly-private scheme whose shares are only c bits longer than the secret, where c is a ``constant’’ depending on the access structure. Disclaimer: c can be exponential in n.
   Perfect: best known c’-bit shares.
2. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai).
   Perfect: known only for an exponential family.
3. There is a weakly-private t-out-of-n scheme: 1-bit secret and O(t)-bit shares.
   Perfect: log n-bit shares.
Constructions for general access structures
First attempt: for every access structure, try to construct a scheme whose shares have the same length as the secret.
Let s be the secret.
1. Choose at random a maximal unauthorized set D.
2. Choose a random bi (of the same length as s) for every Pi ∈ D.
3. Set bi = s for every Pi ∉ D.
4. The share of Pi is bi.
Weak privacy: an unauthorized set C is contained in some maximal unauthorized set D, and when that D is chosen the set C can get any vector of shares, for every s.
Correctness: ?????
If B is authorized then B ⊄ D, so there exists Pi ∈ B \ D.
Guess some Pi ∈ B and output bi (but the guess may fall inside D).
Constructions for general access structures
Second (correct) attempt: for every access structure there is a scheme whose shares are c bits longer than the secret (c is a “constant” depending on the access structure).
1. Choose at random a maximal unauthorized set D.
2. Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a1, …, an be the generated shares.
3. Choose a random bi (of the same length as s) for every Pi ∈ D.
4. Set bi = s for every Pi ∉ D.
5. The share of Pi is (ai, bi).
Correctness: if B is authorized then there exists Pi ∈ B \ D. B reconstructs D, finds Pi ∈ B \ D, and outputs bi.
Share size: there is a scheme for step 2 in which the shares ai are 2n bits (worst case).
Total size: the length of the secret plus 2n bits.
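The two attempts above, as one added example that is not code from the slides, together with the inefficient minimal-sets scheme of the "general case" slide, which is perfect and therefore weakly-private and so can serve as the sub-scheme that shares D in step 2. The access structure (four parties, minimal sets {0,1} and {1,2,3}), the 8-bit secret length and all function names are constructed here for illustration. `naive_reconstruct` shows why the first attempt fails, `weak_reconstruct` is the corrected reconstruction, and `possible_b_views` enumerates the b-part of an unauthorized set's view to confirm it is the same for every secret (the a-part is a perfect sharing of D, so it reveals nothing about D to an unauthorized set either).

```python
import itertools
import secrets

# Constructed example access structure on n = 4 parties (indices 0..3), given by its
# minimal authorized sets.  It is not one of the structures on the slides.
N = 4
MINIMAL_SETS = [frozenset({0, 1}), frozenset({1, 2, 3})]
SECRET_BITS = 8  # length of the secret in bits


def is_authorized(S, minimal_sets=MINIMAL_SETS):
    return any(m <= S for m in minimal_sets)


def maximal_unauthorized_sets(n=N, minimal_sets=MINIMAL_SETS):
    """All maximal unauthorized sets (by brute force over the 2^n subsets)."""
    subsets = [frozenset(c) for k in range(n + 1)
               for c in itertools.combinations(range(n), k)]
    unauth = [S for S in subsets if not is_authorized(S, minimal_sets)]
    return [D for D in unauth if not any(D < E for E in unauth)]


# The inefficient perfect scheme of the "general case" slide: XOR-share the secret
# separately inside each minimal authorized set.  Perfect privacy implies weak
# privacy, so it can play the weakly-private sub-scheme that shares D in step 2.
def perfect_share(secret, bits, n=N, minimal_sets=MINIMAL_SETS, rng=secrets.randbelow):
    shares = [dict() for _ in range(n)]            # party -> {minimal-set index: piece}
    for k, m in enumerate(minimal_sets):
        members = sorted(m)
        pieces = [rng(1 << bits) for _ in members[:-1]]
        last = secret
        for piece in pieces:
            last ^= piece                          # XOR of all pieces equals the secret
        pieces.append(last)
        for party, piece in zip(members, pieces):
            shares[party][k] = piece
    return shares


def perfect_reconstruct(B, shares, minimal_sets=MINIMAL_SETS):
    for k, m in enumerate(minimal_sets):
        if m <= B:
            value = 0
            for party in m:
                value ^= shares[party][k]
            return value
    raise ValueError("unauthorized set cannot reconstruct")


def weak_share(secret, bits=SECRET_BITS, n=N, minimal_sets=MINIMAL_SETS,
               rng=secrets.randbelow):
    """Second (correct) attempt: the share of P_i is (a_i, b_i)."""
    maximal = maximal_unauthorized_sets(n, minimal_sets)
    D = maximal[rng(len(maximal))]                 # 1. random maximal unauthorized set
    d_mask = sum(1 << i for i in D)                # n-bit string representing D
    a = perfect_share(d_mask, n, n, minimal_sets, rng)   # 2. share D itself
    b = [rng(1 << bits) if i in D else secret      # 3. random b_i for P_i in D
         for i in range(n)]                        # 4. b_i = s for P_i not in D
    return [(a[i], b[i]) for i in range(n)]        # 5. share of P_i is (a_i, b_i)


def weak_reconstruct(B, shares, minimal_sets=MINIMAL_SETS):
    """Authorized B recovers D, picks some P_i in B \\ D and outputs b_i."""
    d_mask = perfect_reconstruct(B, [a for a, _ in shares], minimal_sets)
    D = {i for i in range(len(shares)) if (d_mask >> i) & 1}
    i = min(set(B) - D)                            # non-empty: B is not a subset of D
    return shares[i][1]


def naive_reconstruct(B, shares, guess):
    """First attempt: D is not shared, so B can only guess a party and output its
    b_i; the guess may land inside D, where b_i is random."""
    return shares[guess][1]


def possible_b_views(C, secret, bits=SECRET_BITS, n=N, minimal_sets=MINIMAL_SETS):
    """All vectors (b_i)_{i in C} that can occur when `secret` is shared.  For an
    unauthorized C this is every vector, independent of the secret, because some
    maximal unauthorized D contains C and then all of C's b_i are random."""
    order = sorted(C)
    views = set()
    for D in maximal_unauthorized_sets(n, minimal_sets):
        free = [i for i in order if i in D]
        for vals in itertools.product(range(1 << bits), repeat=len(free)):
            chosen = dict(zip(free, vals))
            views.add(tuple(chosen.get(i, secret) for i in order))
    return views


if __name__ == "__main__":
    sh = weak_share(0x5C)
    print("{0,1} recovers", hex(weak_reconstruct({0, 1}, sh)))
    print("{1,2,3} recovers", hex(weak_reconstruct({1, 2, 3}, sh)))
    print("views of {0,2} cover", len(possible_b_views({0, 2}, 0, bits=2)), "vectors")
```

The share of each party here is an a-part of at most two 4-bit pieces plus an 8-bit b-part, matching the slide's accounting of "secret length plus a constant depending on the access structure"; the constant is what grows with the structure, since the sub-scheme that shares D is the inefficient one.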
Talk Overview
1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems
Conclusions
• Linearity is useful.
• However, linear schemes can realize only access structures in NC.
• Nonlinear schemes can efficiently realize some “computationally hard” access structures.
• Exact power of nonlinear schemes remains unknown.
Proving Lower Bounds
• Close the gap for perfect secret sharing schemes
  – Improve the 2^{O(n)} upper bound?
  – Improve the Ω(n^2 / log n) lower bound?
  – Even an existential proof is interesting.
• Exponential lower bounds for linear schemes
  – Improve the n^{Ω(log n)} lower bound.
Upper & Lower Bounds: Specific Access Structures
• Directed connectivity
  – Participants correspond to edges in the complete directed graph
  – Authorized sets: graphs containing a path from v1 to v2
  – Efficient construction for undirected connectivity
  – There is an efficient computational scheme
  – Open: perfect scheme
• Perfect matching
  – Implies a scheme for directed connectivity
  – Open: perfect and computational schemes
• Weighted threshold
  – Efficient computational scheme [B+Weinreb]
  – Perfect scheme with n^{log n} shares
  – Open: perfect scheme
  – Open: monotone formula
Secret Sharing and Oblivious Transfer
• Hamiltonian:
  – Participants correspond to edges in the complete graph
  – Authorized sets: graphs containing a Hamiltonian cycle
Want an efficient scheme for minimal authorized subsets – when given the witness (cycle).
Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist.
  – I.e., Minicrypt = Cryptomania
  – Construction is non-blackbox
Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP ⊆ Co-AM.
The End…