Advanced Protocols

Things we don’t know
  The millionaires problem
  Secretly computing the average salary of n users
  Online gambling
    1-on-1 poker is difficult enough
    Even agreeing on a common random bit is not easy
  Electronic elections

Computing the average
  Example
    Honest but curious, 1-private, single user output
    Honest but curious, fully private, single user output
  How do we do t-private?

Secret sharing
  Motivation
  “Definition”
    Access structure
    Dealer
    Secret
    Shares of secret
    Sets that can reconstruct secret
    Sets that have no information
  Access structure
    General structure
    Threshold structure

Threshold secret sharing
  Access structure includes all subsets with at least t+1 participants
  Example I
    n-1 threshold over a finite group
    Impossibility of secret sharing over an infinite domain
  Example II
    Threshold of 1

Polynomial interpolation
  F is a finite field and p(x) is a polynomial over F
  Theorem: If |F|≥t+1 then any t+1 pairs (x_i,p(x_i)) uniquely determine a degree t polynomial that passes through these points
  Lagrange interpolation
    t monomials of the type [(x-x_1)*…*(x-x_{t+1})]/[(x_i-x_1)*…*(x_i-x_{t+1})]*p(x_i), with the factor for index i omitted from both products
  t+1 points uniquely determine p(0)
  t points give no information on p(0)
    No information: Pr[secret=s | t shares] = Pr[secret=s]

Shamir secret sharing
  A threshold secret sharing scheme for a parameter t
  Let the secret s be an element in a finite field F, |F|>n.
  The i-th participant is associated with a unique element x_i ∈ F; all participants know x_1,…,x_n
  The dealer chooses a polynomial p(x) of degree t over F such that p(0)=s (this is also the free coefficient)
  The other coefficients of p(x) are random elements in F
  The i-th share is p(x_i)

Shamir secret sharing (cont.)
  Reconstruction
    Sets of at least t+1 can perform Lagrange interpolation on pairs (x_i,p(x_i))
  Secrecy
    A set of at most t parties learns nothing because any secret is still possible
  Can the dealer lie?
    Yes, but we’re not dealing with it right now (semi-honest assumption)

Examples
  What can be computed locally
    Shamir secret sharing of s in F, compute locally secret sharing of a*s for public value a ∈ F
    Shamir secret sharing of s_1, s_2 in F, compute locally secret sharing of s_1+s_2 in F
  Example - Computing the average with a threshold of t
  Example - Proactive secret sharing
    Periodically adding a zero

Linear functions on secrets
  Model
    n parties
    The i-th party has secret s_i in field F, S=(s_1,…,s_n)
    All parties know a fixed n×n matrix A={a_{i,j}}
    Compute Y=AS
    Required threshold t
  Solution
    The i-th party is a dealer in a Shamir secret sharing for secret s_i using polynomial p_i(x) (i.e. p_i(0)=s_i)
    If Y={y_j} then y_j=Σ_i a_{j,i}*s_i, which is the free coefficient of q_j(x)=Σ_i a_{j,i}*p_i(x)
    Each party uses its shares of p_1(x),…,p_n(x) to locally compute q_1(x),…,q_n(x)
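
The Shamir scheme and the local computation of Y=AS described on the slides above, as an added example that is not part of the original slides. The prime modulus P, the points x_i = 1..5, the matrix A (two rows rather than n, to keep it short) and the salary values are constructed assumptions; row 0 of A is the all-ones row, which gives the sum needed for the average.

```python
import secrets

P = 2**61 - 1  # prime modulus defining the field F (assumed; needs |F| > n)

def deal(secret, t, xs):
    """Dealer: random degree-t polynomial p with p(0)=secret; share i is p(x_i)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    def p(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [p(x) for x in xs]

def reconstruct(points):
    """Lagrange interpolation at x=0 from at least t+1 pairs (x_i, p(x_i))."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:  # the factor for index i is omitted
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def linear_on_shares(A, t, secrets_in, xs):
    """Party i deals s_i with p_i; party k then locally computes
    q_j(x_k) = sum_i a_{j,i} * p_i(x_k). Returns one row of shares per y_j."""
    dealt = [deal(s, t, xs) for s in secrets_in]  # dealt[i][k] = p_i(x_k)
    return [[sum(row[i] * dealt[i][k] for i in range(len(secrets_in))) % P
             for k in range(len(xs))] for row in A]

def demo():
    xs, t = [1, 2, 3, 4, 5], 2                 # constructed: n=5, threshold t=2
    salaries = [5200, 4100, 6300, 3900, 7000]  # constructed sample secrets s_i
    A = [[1, 1, 1, 1, 1],                      # y_1 = sum of all salaries
         [2, 0, 0, 0, 3]]                      # y_2 = 2*s_1 + 3*s_5
    q = linear_on_shares(A, t, salaries, xs)
    subset = [0, 2, 4]                         # any t+1 = 3 parties suffice
    y = [reconstruct([(xs[k], row[k]) for k in subset]) for row in q]
    return y, y[0] / len(salaries)
```

Only the shares of q_j are ever pooled for reconstruction, so the individual s_i stay hidden from any set of at most t parties under the semi-honest assumption the slides make.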