Secret Sharing Schemes: A Short Survey
Presentation transcript:

Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
- Participants: P = {P_1, …, P_n}
- Access structure: a collection of subsets of P (a subset of 2^P), the authorized sets
- A scheme realizes the access structure if:
  - Correctness: every authorized set B can recover s
  - Privacy: every unauthorized set B cannot learn anything about s
[Figure: the dealer, holding the secret s and randomness r, sends share s_1 to P_1, …, share s_n to P_n.]

Applications
- Secure storage
- Secure multiparty computation
- Threshold cryptography
- Byzantine agreement
- Access control
- Private information retrieval
- Attribute-based encryption
- General oblivious transfer
- …

Lecture Plan
- Introduction and motivation
- Constructions
- Secure protocols from secret sharing
- Lower bounds
- Conclusions

Shamir’s t-out-of-n Secret Sharing Scheme
- Access structure: all sets A ⊆ P with |A| ≥ t
- Scheme:
  - Input: secret s
  - Dealer chooses a random polynomial Q(x) = s + r_1 x + r_2 x^2 + … + r_{t-1} x^{t-1} (degree at most t−1, constant term s)
  - Share of P_j: s_j = Q(j)
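Shamir’s scheme as an added, runnable Python example (not code from the talk): the polynomial is taken over a prime field GF(p), which the slide leaves implicit, and `reconstruct` recovers Q(0) by Lagrange interpolation; `every_t_subset_recovers` checks correctness for every t-subset of the shares.

```python
import secrets
from itertools import combinations

def share(s, t, n, p):
    """Shamir t-out-of-n over GF(p): random Q of degree <= t-1 with Q(0) = s; P_j gets (j, Q(j))."""
    assert 0 < t <= n < p, "need n distinct nonzero evaluation points in GF(p)"
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t - 1)]   # s, r_1, ..., r_{t-1}
    def q(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
    return [(j, q(j)) for j in range(1, n + 1)]

def reconstruct(shares, p):
    """Lagrange interpolation at x = 0 over GF(p); any t distinct shares determine Q(0) = s."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        s = (s + yi * num * pow(den, -1, p)) % p
    return s

def every_t_subset_recovers(s, t, n, p):
    """Correctness check: each of the C(n, t) subsets of t shares recovers s."""
    shares = share(s, t, n, p)
    return all(reconstruct(list(sub), p) == s for sub in combinations(shares, t))
```

Fewer than t shares leave Q(0) undetermined: for every candidate secret there is exactly one degree-(t−1) polynomial consistent with them, which is the privacy property stated on the slide.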

The Connectivity Access Structure
- Participants: edges in an undirected graph
- Minimal authorized sets: paths from vertex v_1 to vertex v_2
[Figure: an undirected graph with vertices including v_1 and v_2; its edges are the participants P_1, …, P_6.]

The Connectivity Access Structure (scheme)
- Scheme for a one-bit secret s ∈ {0,1}:
  - Set r_1 = s and r_2 = 0; choose a random bit r_i for every other vertex v_i
  - Share of edge (v_i, v_j) is r_i ⊕ r_j
- XORing the shares along any v_1–v_2 path telescopes to r_1 ⊕ r_2 = s.
[Figure: the same graph with vertices v_1, …, v_4; for example the edge at v_1 and v_3 gets s ⊕ r_3 and the edge between v_3 and v_4 gets r_3 ⊕ r_4.]

A General Construction [ItoSaitoNishizeki87]
- Necessary condition: the access structure is monotone (every superset of an authorized set is authorized). Also sufficient!
[Figure: minimal authorized sets {P_2,P_4}, {P_1,P_2}, {P_1,P_3,P_5}. For each minimal set the dealer splits s into one random piece per member, the pieces XORing to s: the picture shows the pieces s⊕r_1 and r_1, s⊕r_2 and r_2, and s⊕r_3⊕r_4, r_3, r_4 (the three-piece split belongs to {P_1,P_3,P_5}).]
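The ItoSaitoNishizeki construction for the slide’s three minimal sets, as an added Python example (not code from the talk): `share` hands each minimal set an XOR-split of the bit s, `reconstruct` XORs the pieces of any minimal set contained in B, and `perfectly_private_for` checks privacy exhaustively by comparing the joint view of B over all random tapes for s = 0 and s = 1. The random tape is passed in explicitly so the check can enumerate it.

```python
from itertools import product

# Minimal authorized sets of the slide's example access structure.
MINIMAL_SETS = [("P2", "P4"), ("P1", "P2"), ("P1", "P3", "P5")]
PARTIES = ("P1", "P2", "P3", "P4", "P5")

def random_bits_needed():
    return sum(len(a) - 1 for a in MINIMAL_SETS)   # one bit fewer than members, per minimal set

def share(s, tape):
    """ISN: for each minimal set A, give |A| bits that XOR to s, one to each member of A.
    A party's share maps 'index of minimal set' -> its piece; `tape` supplies the random bits."""
    shares = {p: {} for p in PARTIES}
    pos = 0
    for k, a in enumerate(MINIMAL_SETS):
        pieces = list(tape[pos:pos + len(a) - 1])
        pos += len(a) - 1
        last = s
        for b in pieces:
            last ^= b
        pieces.append(last)            # the last member's piece makes the XOR equal s
        for party, piece in zip(a, pieces):
            shares[party][k] = piece
    return shares

def is_authorized(B):
    return any(set(a) <= set(B) for a in MINIMAL_SETS)   # monotone: any superset of a minimal set

def reconstruct(B, shares):
    """Pick a minimal set inside B and XOR the pieces its members hold for that set."""
    for k, a in enumerate(MINIMAL_SETS):
        if set(a) <= set(B):
            s = 0
            for party in a:
                s ^= shares[party][k]
            return s
    raise ValueError("unauthorized set: contains no minimal authorized set")

def view_distribution(B, s):
    """Multiset of the joint view of B over every random tape (used for the privacy check)."""
    views = []
    for tape in product((0, 1), repeat=random_bits_needed()):
        sh = share(s, tape)
        views.append(tuple(sorted(sh[p].items()) for p in sorted(B)))
    return sorted(views)

def perfectly_private_for(B):
    """Unauthorized B learns nothing iff its view is distributed identically for s=0 and s=1."""
    return view_distribution(B, 0) == view_distribution(B, 1)
```

The share of a party grows with the number of minimal sets it belongs to, which is why this construction gives the exponential share sizes discussed in the lower-bounds part of the talk.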

General Construction II: Linear Schemes
- Linear secret sharing schemes use a linear mapping to share the secret.
- Equivalent to monotone span programs, a linear-algebraic model of computation [KarchmerWigderson93].
- Nearly all known schemes are linear.

Monotone Span Programs
- A matrix over a field whose rows are labelled by parties (a party may label several rows); in the example the rows are labelled P_2, P_2, P_1, P_3, P_4. [Matrix entries not recoverable from the slide.]
- The program accepts a set B iff the rows labelled by B span the target vector.
- Example: the rows labelled by {P_2, P_4} span the target vector, so {P_2, P_4} is accepted; likewise {P_1, P_2} is accepted.

Span Programs ⇒ Secret Sharing
- The dealer picks the secret s and random field elements r_2, r_3, r_4 and multiplies the matrix by the column vector (s, r_2, r_3, r_4); each party receives the entries of the rows it labels.
- In the example (rows labelled P_2, P_2, P_1, P_3, P_4) the five row entries are s+r_2+r_4, r_2+r_3, r_2+r_3, s+r_2 and r_3+r_4. Numeric example on the slide: s = 1, r_2 = r_3 = 0, r_4 = …
- The span program accepts B iff B can reconstruct s: if some combination of B’s rows equals the target vector (1, 0, 0, 0), the same combination of B’s shares equals s. Example: {P_2, P_4}.

Construction III: Multi-Linear Schemes [BertilssonIngemarsson93, vanDijk97]
- Multi-linear secret sharing schemes also use a linear mapping to share the secret.
- The secret is a few field elements (rather than one).
- Equivalent to multi-target monotone span programs.

Multi-target Span Programs
- Span program: accepts B iff the rows labelled by B span the target vector.
- Multi-target span program: accepts B iff the rows labelled by B span all of the target vectors.
[Figure: a matrix with rows labelled P_1, P_2, P_3, P_1, P_2, P_3 and several target vectors; one of them is shown as 0010.]

Multi-target Span Programs ⇒ Secret Sharing
- The secret is (s_1, s_2); the dealer picks random r_3, r_4 and multiplies the matrix by (s_1, s_2, r_3, r_4).
- Shares in the example (rows labelled P_1, P_2, P_3, P_1, P_2, P_3): r_3, s_1+r_3, s_1+2r_3, s_2+r_4, 2s_2+5r_4, 4s_2+7r_4.

Multi-target Span Programs: Problem
- The definition only says when a set is accepted, not when it must be rejected: a set whose rows span some but not all of the target vectors is not accepted, yet it learns part of the secret.

Multi-target Span Programs: Corrected
- Accepts B iff the rows labelled by B span all the target vectors.
- Rejects B iff the rows labelled by B do not span any target vector.

Multi-target Span Programs: Problem (again)
- Now one share entry is s_1+s_2+r_3 in place of s_2+r_4. A set whose rows span s_1+s_2, a combination of the target vectors, but neither target vector by itself is still not rejected by the corrected definition, yet it learns s_1+s_2.

Multi-target Span Programs: Corrected!
- Accepts B iff the rows labelled by B span all the target vectors.
- Rejects B iff the rows labelled by B do not span any (nonzero) linear combination of the target vectors.

Linear vs. Multi-Linear Secret Sharing
- [SimonisAshikhmin98]: there exists an access structure that does not have an ideal linear scheme but has an ideal multi-linear scheme (secret: 2 field elements).
- [PendavinghvanZwam13]: another example.
- [BeimelBenEfraimPadroTyomkin13]: more examples, with secrets of p field elements (for any prime p).


Homomorphism of Linear Secret Sharing
- Sharing s with randomness (r_2, r_3, r_4) gives shares (y_1, …, y_5); sharing s' with randomness (r'_2, r'_3, r'_4) gives (y'_1, …, y'_5) (rows labelled P_4, P_3, P_1, P_2, P_2).
- Because sharing is a linear map, (y_1+y'_1, …, y_5+y'_5) is exactly the sharing of s+s' with randomness (r_2+r'_2, r_3+r'_3, r_4+r'_4): the parties add their shares locally and hold shares of the sum.

Multiplicative Homomorphism of Linear Secret Sharing
- Given shares (y_1, …, y_5) of s and (y'_1, …, y'_5) of s', a protocol among the parties produces shares (z_1, …, z_5) of the product s · s'.
- The access structure must be Q2 (no two unauthorized sets together cover all the parties).

Application: Computing a Sum
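An added Python example (not code from the talk) covering both the span-program sharing above and the additive homomorphism used to compute a sum: the MSP `M` is a small constructed one, not the slides’ matrix, and it realises the minimal authorized sets {P1,P2} and {P2,P3} over GF(5). `combination_for` decides acceptance by Gaussian elimination, `reconstruct` reuses the same combination on the shares, and `add_shares` turns shares of s and s' into shares of s+s' without interaction.

```python
import random

P = 5   # constructed example over GF(5); columns of M are (s, r2, r3)
M = [(1, 1, 0), (0, 1, 0), (0, 0, 1), (1, 1, 1)]   # assumed MSP, not the slides' matrix
LABELS = ["P1", "P2", "P2", "P3"]                   # a party may label several rows
TARGET = (1, 0, 0)   # this MSP realises the minimal authorized sets {P1,P2} and {P2,P3}

def combination_for(rows, target, p=P):
    """c with sum_i c_i*rows[i] == target over GF(p) (Gaussian elimination), or None."""
    n, m = len(rows), len(target)
    aug = [[rows[i][k] % p for i in range(n)] + [target[k] % p] for k in range(m)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[n] for row in aug[r:]):   # a leftover nonzero right-hand side: not in the span
        return None
    coeffs = [0] * n
    for i, c in enumerate(pivots):
        coeffs[c] = aug[i][n]
    return coeffs

def accepts(parties):   # MSP accepts B iff the rows labelled by B span the target vector
    return combination_for([M[i] for i, l in enumerate(LABELS) if l in parties], TARGET) is not None

def share(s, p=P):
    """Dealer: M * (s, r2, r3) with fresh random r2, r3; entry i goes to party LABELS[i]."""
    v = [s % p] + [random.randrange(p) for _ in range(len(M[0]) - 1)]
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]

def reconstruct(parties, shares, p=P):
    idx = [i for i, lab in enumerate(LABELS) if lab in parties]
    c = combination_for([M[i] for i in idx], TARGET, p)      # c with c * M_B == target
    if c is None:
        raise ValueError("unauthorized set: its rows do not span the target vector")
    return sum(ci * shares[i] for ci, i in zip(c, idx)) % p   # so c * shares_B == s

def add_shares(y, y2, p=P):
    """Additive homomorphism: shares of s plus shares of s' are shares of s + s' (no interaction)."""
    return [(a + b) % p for a, b in zip(y, y2)]
```

To compute a sum of private inputs, each party shares its own input this way, every party adds the share entries it received, and any authorized set reconstructs the total from the summed entries.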


Are There Efficient Secret Sharing Schemes?
- Every monotone access structure can be realized.
- The known schemes for general access structures have shares of size ℓ · 2^{O(n)}, where n is the number of participants and ℓ the size of the secret in bits.
- Best lower bound [Csirmaz94]: ℓ · n / log n.
- Large gap! No significant progress since 1994.


Techniques for Proving Lower Bounds
- Counting arguments: connected to counting the number of representable matroids.
- Combinatorial arguments: cannot help, since there are efficient weakly-private schemes.
- Entropy and information inequalities: prove the ℓ · n / log n lower bound; information inequalities with up to 5 variables cannot help.
- Other techniques?

Lower Bounds for Linear Secret Sharing Schemes (slide from the IBM Crypto Seminar, 08/30/2007)
- Explicit access structures [BabaiGalWigderson96, Gal98, GalPudlak03]: ℓ · n^{Ω(log n)}.
  Technique: access structure ⇒ matrix M; Rank(M) high ⇒ size of the MSP is big.
- Existential lower bounds: 2^{Ω(n)}, by counting arguments.


Conclusions
- Secret sharing is useful in cryptography.
- General constructions are based on linear algebra.
- The constructions are not efficient: there is a large gap between the lower and upper bounds.
- Further reading: Secret Sharing: A Survey, IWCC.
