Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes

Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes. Amos Beimel, Ben-Gurion University. Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.

Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]. (Figure: a secret 1706 is shared with threshold t = 3; the shares shown are 1329, 2538, 3441, 6634.)

Talk Overview: Motivation and definitions; Linear secret sharing schemes; Nonlinear secret sharing schemes; Weakly-private secret sharing schemes; Conclusions and open problems. 28/05/2007 ICITS

Def: Secret Sharing. A dealer holding a secret s and randomness r computes shares s1, s2, ..., sn and gives share si to party Pi (P1, P2, ..., Pn). A scheme realizes an access structure if: Correctness: every authorized set B can always recover s. Privacy: every unauthorized set B cannot learn anything about s.

Applications: Secure storage; Secure multiparty computation; Threshold cryptography; Byzantine agreement; Access control; Private information retrieval; Attribute-based encryption.

Shamir's t-out-of-n Secret Sharing Scheme. Input: secret s. Choose at random a polynomial p(x) = s + r1·x + r2·x^2 + ... + r_{t-1}·x^{t-1}. Share of Pj: sj = p(j).
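An added worked example of the scheme above (not code from the slides), in Python over a prime field chosen here; the last function illustrates the privacy claim that t-1 shares are consistent with every candidate secret:

```python
"""Shamir's t-out-of-n scheme over GF(p): added example, not the talk's code.
p(x) = s + r1*x + ... + r_{t-1}*x^{t-1} with uniform r_i; party P_j gets p(j)."""
import secrets

PRIME = 2**127 - 1   # field modulus chosen for this example (a Mersenne prime)

def share(s, t, n, prime=PRIME):
    """Return {j: p(j)} for j = 1..n."""
    assert 0 <= s < prime and 1 <= t <= n < prime
    coeffs = [s] + [secrets.randbelow(prime) for _ in range(t - 1)]
    def p(x):                       # Horner evaluation mod prime
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % prime
        return acc
    return {j: p(j) for j in range(1, n + 1)}

def interpolate(points, x, prime=PRIME):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) passing through the points {x_i: y_i}."""
    total = 0
    for j, yj in points.items():
        num = den = 1
        for m in points:
            if m != j:
                num = num * (x - m) % prime
                den = den * (j - m) % prime
        total = (total + yj * num * pow(den, -1, prime)) % prime
    return total

def reconstruct(shares, prime=PRIME):
    """Any t or more shares determine p uniquely; the secret is p(0)."""
    return interpolate(shares, 0, prime)

def complete_for_secret(partial, candidate, missing_party, prime=PRIME):
    """Privacy illustration: t-1 shares plus the point (0, candidate) still lie
    on some degree-(t-1) polynomial, so they are consistent with every secret.
    Returns the share missing_party would hold if the secret were candidate."""
    points = dict(partial)
    points[0] = candidate
    return interpolate(points, missing_party, prime)
```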

The General Case. Which access structures can be realized? Necessary condition: the access structure is monotone. Also sufficient! (Figure: an access structure on P1, ..., P5 given by its minimal sets {2,4}, {1,2}, {1,3,5}; the general construction is not efficient!!!!)

Are there Efficient Schemes? The known schemes for general access structures have shares of size 2^O(n). Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n). Nothing better is known even for non-explicit structures! (Large gap.) Conjecture: There is an access structure that requires shares of size 2^Ω(n).


Linear Secret-Sharing. (Figure: the secret s and random field elements r1, r2, ..., rm over a field F pass through a linear transformation that outputs the shares of P1, P2, ..., Pn.) Examples: Shamir's scheme; formula-based schemes [BenalohLeichter88]; monotone span programs [KarchmerWigderson93].

Linear Schemes and Span Programs. Monotone span programs – a linear algebraic model of computation [KarchmerWigderson93]. Equivalent to linear schemes.

Monotone Span Programs. (Figure: a 0/1 matrix whose rows are labeled by parties, and a target vector.) The program accepts a set B iff the rows labeled by B span the target vector.

Monotone Span Programs. (Figure: the rows labeled by {P2,P4} span the target vector.)

Monotone Span Programs. (Figure: the rows labeled by {P1,P2}.)

Span Programs → Secret Sharing. (Figure: the share vector is the program matrix times the column vector (s, r2, r3, r4); the four shares are s+r2+r4, r2+r3, s+r2, r3+r4, each labeled by one of P1, P2, P3, P4.) Example: s = 1, r2 = r3 = 0, r4 = 1.

Span Programs → Secret Sharing. (Figure: the same shares s+r2+r4, r2+r3, s+r2, r3+r4; the set {P2,P4} combines its rows to obtain s.)

Linear Schemes: State of the Art. Every access structure can be realized by a linear scheme. Most known schemes are linear. Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms). Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^Ω(log n). Best existential lower bounds for linear schemes: 2^Ω(n).

Why Linear Secret Sharing? Share generation and secret reconstruction are efficient. Perfect privacy for free. Homomorphic. Secure multi-party computation [CramerDamgardMaurer2000]. Why not? Can only realize access structures in NC.

Homomorphism of Linear Secret Sharing. (Figure: the shares y1, ..., y5 = M·(s, r2, r3, r4) and y'1, ..., y'5 = M·(s', r'2, r'3, r'4) add up to y1+y'1, ..., y5+y'5 = M·(s+s', r2+r'2, r3+r'3, r4+r'4), i.e. shares of s+s' for the same parties P1, ..., P4.)

Application: Computing a Sum. (Figure only.)
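As an added example (not the program drawn on the slides; the 4-party matrix here is constructed for illustration), a monotone span program over GF(2) with the accept test, the sharing M·(s, r2, r3, r4), reconstruction by the accepted rows, and the additive homomorphism used to compute a sum of shared secrets:

```python
"""Monotone span program (MSP) over GF(2) as a linear scheme, plus the additive
homomorphism. Added example with a constructed 4-party program (not the matrix
on the slides). Columns are (s, r2, r3, r4); target e1 = (1,0,0,0)."""
import secrets

ROWS = {                     # constructed program: one row per party
    "P1": [0, 1, 1, 0],      # share r2 + r3
    "P2": [1, 1, 0, 1],      # share s + r2 + r4
    "P3": [1, 1, 0, 0],      # share s + r2
    "P4": [0, 1, 0, 1],      # share r2 + r4
}
TARGET = [1, 0, 0, 0]

def _bits(vec):              # bit-vector as an int, bit k = column k
    return sum(b << k for k, b in enumerate(vec))

def combination_for(parties, rows=ROWS, target=TARGET):
    """Gaussian elimination over GF(2): the set of parties whose rows XOR to the
    target (the set is accepted), or None if its rows do not span the target."""
    parties, w = list(parties), len(target)
    mask = (1 << w) - 1
    pivots = {}              # pivot column -> row tagged (bits >= w) by origin
    def reduce(v):
        for col, r in pivots.items():
            if v >> col & 1:
                v ^= r
        return v
    for i, p in enumerate(parties):
        v = reduce(_bits(rows[p]) | 1 << (w + i))
        if v & mask:                       # independent of the rows so far
            col = (v & mask).bit_length() - 1
            for c in list(pivots):         # keep the basis fully reduced
                if pivots[c] >> col & 1:
                    pivots[c] ^= v
            pivots[col] = v
    t = reduce(_bits(target))
    if t & mask:
        return None
    return {p for i, p in enumerate(parties) if t >> (w + i) & 1}

def share(s, rows=ROWS):
    """Shares = M * (s, r2, r3, r4) over GF(2) with fresh uniform r's."""
    vec = [s] + [secrets.randbelow(2) for _ in range(len(TARGET) - 1)]
    return {p: sum(a * b for a, b in zip(row, vec)) % 2 for p, row in rows.items()}

def reconstruct(shares, rows=ROWS):
    combo = combination_for(shares, rows)  # rows that combine to e1
    if combo is None:
        raise ValueError("unauthorized set: its rows do not span the target")
    return sum(shares[p] for p in combo) % 2

def add_shares(a, b):
    """Homomorphism: M(s,r) + M(s',r') = M(s+s', r+r') are shares of s + s'."""
    return {p: (a[p] + b[p]) % 2 for p in a}
```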

Multiplicative Homomorphism of Linear Secret Sharing [..., CramerDamgardMaurer2000]. (Figure: from the shares y1, ..., y5 of s and y'1, ..., y'5 of s', a PROTOCOL produces shares z1, ..., z5 of s·s'.) The access structure must be Q2 (no two unauthorized sets together cover all the parties).


Constructing Nonlinear Schemes. Two constructions: Composition approach – no assumptions, access structures in NC. Direct constructions – access structures probably not in P.

Nonlinear Schemes: Composition Approach [B+Ishai01]. (Figure: parties P1, ..., Pn hold the shares S1 of a scheme over GF(2); parties Pn+1, ..., P2n hold the shares S2 of a scheme over GF(3); the secret is S = S1 + S2.) [B+Weinreb03]: there is an access structure that is easy over GF(2) but hard over any other field, and an access structure that is easy over GF(3) but hard over any other field.

Nonlinear schemes: Direct Constructions [B+Ishai01].
  access structure equivalent to...               perfect / statistical   computationally efficient?
  quadratic residuosity modulo a (fixed) prime     perfect                 Yes
  co-primality                                     statistical             Yes
  quadratic residuosity                            statistical             No

Quadratic Non-Residuosity Modulo a Fixed Prime. First idea: represent a set of numbers by an access structure. The n = 2m parties are arranged in m columns of two, and only sets that contain exactly one party from each column are considered, so such a set B_u corresponds to an m-bit string u (figure: B_1101 for u = 1101). For a fixed prime p, the access structure is defined by the minimal sets { B_u : u is a quadratic non-residue modulo p }.

Efficient Nonlinear Scheme. (Figure, partly recoverable: r is chosen uniformly from QR_p, the shares are masked by values z0, z1, z2, z3 whose sum is 0, and the parties of a set B_u can only sum their shares.) For one value of the secret the shares are r + z_i, so SUM = r mod p and SUM is in QR_p whether u is in QR_p or in QNR_p. For s = 1 the share in column i carries 2^i·r, so SUM = r·u mod p: if u is in QR_p then SUM is in QR_p, and if u is in QNR_p then SUM is in QNR_p. Correctness: a minimal authorized set B_u (u a non-residue) tells the two cases apart. Privacy: when u is a residue, SUM is a quadratic residue in both cases.


Large Gap. Sharing a 1-bit secret for general access structures: the known schemes have 2^O(n)-bit shares. Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n). Conjecture: There is an access structure that requires shares of size 2^Ω(n) for a one-bit secret. No progress in the last decade!

What Should We Do? Prove lower bounds for stronger definitions of secret sharing: linear secret sharing schemes – n^Ω(log n)-bit shares for a one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98]. Prove upper bounds for weaker definitions of secret sharing. Try to understand which techniques should be used to prove lower bounds.

Def: Weakly-Private Secret Sharing. As before, the dealer computes shares s1, s2, ..., sn of the secret s from randomness r and gives si to Pi. A scheme weakly realizes an access structure if: Correctness: every authorized set B can always recover s. Weak Privacy: every unauthorized set C can never rule out any secret. For every two secrets a, b, for every shares si, i in C

Motivation. Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94, ...]. Weakly-private ideal secret sharing = perfect ideal secret sharing [BrickellDavenport91]. Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96, B+Livne06].

Motivation II. Key distribution schemes: [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments. [B+Chor93] proved the same lower bound for weakly-private schemes. Does weak privacy suffice for proving lower bounds for secret sharing schemes?

Our Results. For every access structure and every secret length, there is a weakly-private scheme whose shares are only c bits longer than the secret, where c is a ``constant'' depending on the access structure. Disclaimer: c can be exponential in n. Perfect: the best known schemes have shares c' times as long as the secret. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai). Perfect: known only for an exponential family. There is a weakly-private t-out-of-n scheme with a 1-bit secret and O(t)-bit shares. Perfect: log n-bit shares.

Constructions for general access structures. First attempt: for every access structure, try to construct a scheme whose shares are as long as the secret. Let s be the secret. Choose at random a maximal unauthorized set D. Choose a random b_i (of the same length as s) for every P_i in D. Set b_i = s for every P_i not in D. The share of P_i is b_i. Weak privacy: an unauthorized set C can get any vector of shares for every s. Correctness: ????? B is authorized, so it is not contained in D and some P_i in B \ D holds b_i = s; but B does not know D, so it can only guess which P_i in B lies outside D and output its b_i.

Constructions for general access structures. Second (correct) attempt: for every access structure, there is a scheme whose shares are c bits longer than the secret (c is a "constant" depending on the access structure). Choose at random a maximal unauthorized set D. Share the n-bit string representing D using a weakly-private scheme realizing the access structure; let a1, ..., an be the generated shares. Choose a random b_i (of the same length as s) for every P_i in D. Set b_i = s for every P_i not in D. The share of P_i is (a_i, b_i). Correctness: B is authorized, so there is some P_i in B \ D; B reconstructs D, finds P_i in B \ D, and outputs b_i. Share size: with a scheme for D whose shares a_i are 2^n bits (worst case), the total share size is the secret length + 2^n.
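The second attempt implemented for a constructed 2-out-of-3 structure, as an added example (not the authors' code). It assumes single-bit secrets and shares D with an ISN-style additive scheme, and checks weak privacy by collecting the share vectors an unauthorized party can observe under each secret:

```python
"""The talk's second construction for a general access structure, as an added
example (not the authors' code). Parties are 0..n-1, sets are bitmasks, and the
structure is given by its minimal authorized sets. Assumptions: 1-bit secrets
and b_i, and D's description shared with an ISN-style additive scheme."""
import random

N = 3
MINIMAL = [0b011, 0b101, 0b110]     # constructed: 2-out-of-3 on parties 0,1,2

def authorized(b, minimal=MINIMAL):
    return any(a & b == a for a in minimal)

def maximal_unauthorized(n=N, minimal=MINIMAL):
    return [d for d in range(1 << n) if not authorized(d, minimal) and
            all(authorized(d | 1 << i, minimal) for i in range(n) if not d >> i & 1)]

def share_string(x, rng, minimal=MINIMAL):
    """ISN-style: for every minimal set A, its members get XOR-shares of x."""
    out = {i: {} for i in range(N)}
    for a in minimal:
        members = [i for i in range(N) if a >> i & 1]
        pieces = [rng.getrandbits(N) for _ in members[1:]]
        first = x
        for p in pieces:
            first ^= p                  # first member gets x xor the rest
        for i, p in zip(members, [first] + pieces):
            out[i][a] = p
    return out

def share(s, rng=random, minimal=MINIMAL):
    """Pick a maximal unauthorized D, share D; b_i is random in D and s outside."""
    d = rng.choice(maximal_unauthorized(N, minimal))
    a = share_string(d, rng, minimal)
    return {i: (a[i], rng.getrandbits(1) if d >> i & 1 else s) for i in range(N)}

def reconstruct(shares, minimal=MINIMAL):
    b = sum(1 << i for i in shares)
    a_set = next((a for a in minimal if a & b == a), None)
    if a_set is None:
        raise ValueError("unauthorized set")
    d = 0
    for i in shares:                    # recover D from the pieces for a_set
        if a_set >> i & 1:
            d ^= shares[i][0][a_set]
    i = next(i for i in shares if not d >> i & 1)   # B is not inside D
    return shares[i][1]

def views(s, c, samples, seed):
    """Weak privacy check: the share vectors an unauthorized set c observes.
    The set is the same for s = 0 and s = 1, so c can never rule out a secret."""
    rng, seen = random.Random(seed), set()
    for _ in range(samples):
        sh = share(s, rng)
        seen.add(tuple((tuple(sorted(sh[i][0].items())), sh[i][1])
                       for i in range(N) if c >> i & 1))
    return seen
```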


Conclusions. Linearity is useful. However, linear schemes can realize only access structures in NC. Nonlinear schemes can efficiently realize some "computationally hard" access structures. The exact power of nonlinear schemes remains unknown.

Proving Lower Bounds. Close the gap for perfect secret sharing schemes: improve the 2^O(n) upper bound? Improve the Ω(n^2 / log n) lower bound? Even an existential proof is interesting. Exponential lower bounds for linear schemes: improve the n^Ω(log n) lower bound.

Upper & Lower Bounds: Specific Access Structures.
Directed connectivity: participants correspond to edges in the complete directed graph; authorized sets: graphs containing a path from v1 to v2. (There is an efficient construction for undirected connectivity.) There is an efficient computational scheme. Open: perfect scheme.
Perfect matching: implies a scheme for directed connectivity. Open: perfect and computational schemes.
Weighted threshold: efficient computational scheme [B+Weinreb]; perfect scheme with n^(log n) shares. Open: monotone formula.

Secret Sharing and Oblivious Transfer. Hamiltonian: participants correspond to edges in the complete graph; authorized sets: graphs containing a Hamiltonian cycle. Want an efficient scheme for minimal authorized subsets – when given the witness (cycle). Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist; i.e., Minicrypt = Cryptomania. The construction is non-black-box. Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP is contained in co-AM.

The End…