Secret Sharing: Linear vs. Nonlinear Schemes (A Survey)


Secret Sharing: Linear vs. Nonlinear Schemes (A Survey)
Amos Beimel, Ben-Gurion University
Slides borrowed from Yuval Ishai, Enav Weinreb.

Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
(figure: a secret bit string and the bit strings of its shares)
10/25/2006 IPAM - Securing Cyberspace

Talk Overview
Motivation and definitions
Linear secret sharing schemes
Nonlinear secret sharing schemes
Computational secret sharing
Conclusions and open problems

Def: Secret Sharing
(figure: a dealer holding the secret s and randomness r sends share s1 to P1, s2 to P2, ..., sn to Pn)
Access structure Γ. A scheme realizes Γ if:
Correctness: every authorized set B ∈ Γ can always recover s.
Privacy: every unauthorized set B ∉ Γ cannot learn anything about s.

Applications
Secure storage; secure multiparty computation; threshold cryptography; Byzantine agreement; access control; private information retrieval; attribute-based encryption.

The Threshold Case
(t,n)-secret-sharing: Γ = { B ⊆ {P1,…,Pn} : |B| ≥ t }
Shamir's scheme: s ∈ GF(q), q > n prime
p(x) = s + r1 x + r2 x^2 + … + r_{t-1} x^{t-1} (mod q)
s_j = p(j)
(figure: the polynomial p passes through (0, s); party j receives the point (j, p(j)))
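The slide's formulas carried through as an added worked example (not code from the talk): Shamir's (t,n) scheme over GF(q) with Lagrange reconstruction, plus a function that makes the privacy claim concrete, showing that with t-1 shares every candidate secret is consistent with exactly one value of the missing share. The prime q is an assumption of the example; any prime q > n works.

```python
"""Shamir (t,n) threshold sharing over GF(q), following the slide's formulas:
p(x) = s + r1 x + ... + r_{t-1} x^{t-1} (mod q), party j receives s_j = p(j).
Added example; the prime q below is an assumption (any prime q > n works)."""
import secrets

Q = 2**61 - 1  # a Mersenne prime, comfortably larger than any realistic n

def share(s, t, n, q=Q):
    """Dealer: pick r1..r_{t-1} uniformly, return {party j: p(j)} for j = 1..n."""
    if not (0 <= s < q and 1 <= t <= n < q):
        raise ValueError("need 0 <= s < q and 1 <= t <= n < q")
    coeffs = [s] + [secrets.randbelow(q) for _ in range(t - 1)]
    def p(x):
        return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q
    return {j: p(j) for j in range(1, n + 1)}

def lagrange_eval(points, x0, q=Q):
    """Evaluate at x0 the unique polynomial of degree < len(points) through the
    given {x: y} points (Lagrange interpolation in GF(q))."""
    total = 0
    for j, yj in points.items():
        num = den = 1
        for k in points:
            if k != j:
                num = num * (x0 - k) % q
                den = den * (j - k) % q
        total = (total + yj * num * pow(den, -1, q)) % q
    return total

def reconstruct(shares, t, q=Q):
    """Correctness: any t shares determine p, and s = p(0)."""
    if len(shares) < t:
        raise ValueError("unauthorized set: fewer than t shares")
    subset = dict(list(shares.items())[:t])  # any t of them will do
    return lagrange_eval(subset, 0, q)

def missing_share_for(shares, missing_party, s_guess, q=Q):
    """Privacy: given t-1 shares, for EVERY guess of the secret there is exactly one
    value of the missing party's share that would make the t shares reconstruct to
    that guess, so t-1 shares carry no information about s."""
    pts = dict(shares)
    pts[0] = s_guess  # force p(0) = s_guess and interpolate through t points
    return lagrange_eval(pts, missing_party, q)

if __name__ == "__main__":
    sh = share(42, t=3, n=5)
    print(reconstruct({j: sh[j] for j in (1, 3, 5)}, 3))                        # 42
    two = {j: sh[j] for j in (1, 2)}
    print(missing_share_for(two, 3, 42) == sh[3])                               # True
    print(reconstruct({1: sh[1], 2: sh[2], 3: missing_share_for(two, 3, 7)}, 3))  # 7
```

The last line of the usage shows the privacy argument from the adversary's side: holding the shares of P1 and P2 only, the guess s = 7 is exactly as consistent as the real secret 42.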

The General Case
Which access structures Γ can be realized?
Necessary condition: Γ is monotone. Also sufficient!
(figure: 5 parties P1,…,P5; minimal sets {2,4}, {1,2}, {1,3,5})
Not efficient!!!!

Are there Efficient Schemes?
The known schemes for general access structures have shares of size 2^O(n).
Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
Nothing better is known even for non-explicit structures! Large gap.
Conjecture: There is an access structure that requires shares of size 2^Ω(n).

Linear Secret-Sharing
(figure: over a field F, the shares of P1, P2, …, Pn are a linear transformation of the vector (s, r1, r2, …, rm))
Examples: Shamir's scheme; formula based schemes [BenalohLeichter88]; monotone span programs [KarchmerWigderson93].

Linear Schemes and Span Programs
Monotone span programs: a linear-algebraic model of computation [KarchmerWigderson93]. Equivalent to linear schemes.

Monotone Span Programs
(figure: a 0/1 matrix whose rows are labeled by parties, and a target vector)
The program accepts a set B iff the rows labeled by B span the target vector.

Monotone Span Programs
(figure: the rows labeled by {P2,P4})

Monotone Span Programs
(figure: the rows labeled by {P1,P2})

Span Programs → Secret Sharing
(figure: the program matrix, rows labeled P2, P1, P3, P4, is multiplied by the vector (s, r2, r3, r4); the resulting shares are s+r2+r4, r2+r3, s+r2, r3+r4; the target vector has a 1 in the s-coordinate)
Example: s = 1, r2 = r3 = 0, r4 = 1.

Span Programs → Secret Sharing
(figure: the same matrix and shares; the set {P2,P4} combines its shares to recover s)

Linear Schemes: State of the Art
Every access structure can be realized by a linear scheme.
Most known schemes are linear.
Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: Ω(n^log n).
Best existential lower bounds for linear schemes: 2^Ω(n).

Why Linear Secret Sharing?
Share generation and secret reconstruction are efficient.
Perfect privacy for free.
Homomorphic.
Secure multi-party computation [CramerDamgardMaurer2000].
Why not? Can only realize access structures in NC.

Homomorphism of Linear Secret Sharing
(figure: M · (s, r2, r3, r4) = (y1, …, y5) and M · (s', r'2, r'3, r'4) = (y'1, …, y'5), hence M · (s+s', r2+r'2, r3+r'3, r4+r'4) = (y1+y'1, …, y5+y'5): the sum of two share vectors is a share vector of s+s')
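The span-program-to-secret-sharing slides and the homomorphism slide, as one added worked example (not code from the talk): a monotone span program over GF(2) with rows labeled by parties and target vector e1, share generation as a matrix-vector product, reconstruction by finding the coefficients that express e1 from an authorized set's rows, and the additive homomorphism. The program matrix below is a constructed one with minimal authorized sets {P1,P2}, {P2,P3}, {P3,P4}; it is an assumption of the example, not the matrix drawn on the slide, and P2 owning two rows shows that a party may hold more than one field element.

```python
"""Monotone span program (MSP) over GF(2) turned into a linear secret-sharing
scheme, as on the 'Span Programs -> Secret Sharing' and homomorphism slides.
Added example with a constructed program; the matrix below is an assumption,
not the one drawn on the slide.  Rows are labeled by parties (a party may own
several rows), the target vector is e1 = (1,0,...,0), and a party's shares are
its rows multiplied by the column vector (s, r2, ..., rm)."""
import secrets

# Constructed MSP over (s, r2, r3).  Minimal authorized sets: {P1,P2}, {P2,P3}, {P3,P4}.
MSP = {"P1": [(1, 1, 0)],             # share s + r2
       "P2": [(0, 1, 0), (0, 0, 1)],  # shares r2 and r3
       "P3": [(1, 0, 1)],             # share s + r3
       "P4": [(0, 0, 1)]}             # share r3
TARGET = (1, 0, 0)

def span_coefficients(rows, target):
    """Solve sum_i c_i * rows[i] = target over GF(2) by Gauss-Jordan elimination.
    Returns the coefficient list c, or None if target is not in the span."""
    k, m = len(rows), len(target)
    # One equation per coordinate j: sum_i c_i rows[i][j] = target[j].
    # Each equation is a bitmask over the unknowns c_0..c_{k-1} plus a right-hand side.
    eqs = [[sum(rows[i][j] << i for i in range(k)), target[j]] for j in range(m)]
    pivots, r = [], 0
    for bit in range(k):
        piv = next((i for i in range(r, m) if eqs[i][0] >> bit & 1), None)
        if piv is None:
            continue
        eqs[r], eqs[piv] = eqs[piv], eqs[r]
        for i in range(m):
            if i != r and eqs[i][0] >> bit & 1:
                eqs[i][0] ^= eqs[r][0]
                eqs[i][1] ^= eqs[r][1]
        pivots.append((bit, r))
        r += 1
    if any(mask == 0 and rhs for mask, rhs in eqs):
        return None  # an equation reads 0 = 1: the target is not spanned
    c = [0] * k
    for bit, i in pivots:   # free variables set to 0, pivot variables take the rhs
        c[bit] = eqs[i][1]
    return c

def is_authorized(parties, msp=MSP, target=TARGET):
    """The program accepts a set iff its rows span the target vector."""
    rows = [row for p in parties for row in msp[p]]
    return span_coefficients(rows, target) is not None

def share_msp(s, msp=MSP, target=TARGET):
    """Dealer: shares are M * (s, r2, ..., rm) with each r_i uniform in GF(2)."""
    vec = [s % 2] + [secrets.randbits(1) for _ in range(len(target) - 1)]
    return {p: [sum(a * b for a, b in zip(row, vec)) % 2 for row in rows]
            for p, rows in msp.items()}

def reconstruct_msp(shares, parties, msp=MSP, target=TARGET):
    """If sum c_i row_i = e1, then sum c_i share_i = e1 . (s, r2, ..., rm) = s."""
    rows = [row for p in parties for row in msp[p]]
    vals = [v for p in parties for v in shares[p]]
    c = span_coefficients(rows, target)
    if c is None:
        raise ValueError("unauthorized set: its rows do not span the target")
    return sum(ci * vi for ci, vi in zip(c, vals)) % 2

def add_shares(sh1, sh2):
    """Additive homomorphism: share-wise sums are shares of s + s' (mod 2)."""
    return {p: [(a + b) % 2 for a, b in zip(sh1[p], sh2[p])] for p in sh1}

if __name__ == "__main__":
    print([is_authorized(S) for S in (["P1", "P2"], ["P2", "P3"], ["P1", "P3"])])  # [True, True, False]
    a, b = share_msp(1), share_msp(1)
    print(reconstruct_msp(add_shares(a, b), ["P3", "P4"]))  # 0, since 1 + 1 = 0 in GF(2)
```

The privacy side is the same linear algebra read the other way: for an unauthorized set, span_coefficients returns None, meaning e1 is not a combination of its rows, so its shares are independent of s. The homomorphism needs no interaction at all, which is the property the multiplicative protocol on the next slide has to work for.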

Multiplicative Homomorphism of Linear Secret Sharing [..., CramerDamgardMaurer2000]
(figure: from shares (y1, …, y5) of s and (y'1, …, y'5) of s', a PROTOCOL produces shares (z1, …, z5) of s · s')
Access structure must be Q2.

Constructing Nonlinear Schemes
Two constructions:
Composition approach: no assumptions, access structures in NC.
Direct constructions: access structures probably not in P.

Nonlinear Schemes: Composition Approach [B+Ishai01]
(figure: scheme S1 over GF(2) among P1, …, Pn and scheme S2 over GF(3) among Pn+1, …, P2n; S = S1 + S2)
[B+Weinreb03]: there is an access structure that is easy over GF(2) and hard over any other field, and an access structure that is easy over GF(3) and hard over any other field.

Nonlinear Schemes: Direct Constructions [B+Ishai01]
access structure equivalent to...             | perfect / statistical | computationally efficient?
quadratic residuosity modulo a (fixed) prime  | perfect               | Yes
co-primality                                  | statistical           | Yes
quadratic residuosity                         | statistical           | No

Quadratic Non-Residuosity Modulo a Fixed Prime
First idea: represent a set of numbers by an access structure.
Only sets that contain exactly one party from each column.
(figure: n = 2m parties arranged in m columns of two; choosing one party per column selects the set B_u for a bit string u, e.g. u = 1101)
Γ_p (p fixed) is defined by the minimal sets { B_u : u ∈ QNR_p }.

Efficient Nonlinear Scheme
(figure: information to be learned by B_u; parties can only sum shares)
r ∈_R QR_p
Privacy: shares r + z3 + z2 + z1 + z0 with z_i = 0 (mod v); SUM = r mod p. u ∈ QR_p ⇒ SUM ∈ QR_p; u ∈ QNR_p ⇒ SUM ∈ QR_p.
Correctness: s = 1: shares 2^3 r, 2^2 r, 2^1 r, 2^0 r; SUM = r·u mod p. u ∈ QR_p ⇒ SUM ∈ QR_p; u ∈ QNR_p ⇒ SUM ∈ QNR_p.

Computational Secret Sharing
Secret sharing schemes with computational privacy: every set of polynomial-time players P ∉ Γ cannot learn anything about s.
Thm [Yao89]: If there is a polynomial-size monotone circuit computing membership in Γ, then there is an efficient computational secret sharing scheme realizing Γ.
Uses ideas from [BenalohLeichter90] of constructing information-theoretic secret sharing from monotone formulae.

Secret Sharing Schemes from Monotone Formulae [BenalohLeichter90]
We represent an access structure Γ by its characteristic function.
Let be two monotone functions. Let and be secret sharing schemes for and . We build new secret sharing schemes for: The function .

The Function
(figure: s, s, s)

The Function
(figure)

Secret Sharing from Formulae
Formula: monotone circuit with fan-out 1.
Small monotone formula ⇒ efficient secret sharing:
Share the secret according to the root gate.
Treat the shares as secrets and recursively share them in both sides of the formula.
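The recursive procedure of the last two slides as an added worked example (not code from the talk): the secret is shared at the root gate and the pieces are shared recursively down both sides of a monotone formula. The gate rules used here are the standard Benaloh-Leichter ones, stated as assumptions of the example: an OR gate hands the secret unchanged to both sub-formulas and an AND gate splits it into two XOR shares. The formula is constructed; P1 labels two leaves, which is exactly why formula size bounds share size and why fan-out greater than one (next slide) is a problem.

```python
"""Benaloh-Leichter sharing along a monotone formula, as described on the slide:
share the secret at the root gate, then recursively share the pieces down both
sides.  Added example, not the talk's own code.  Conventions (standard for this
construction, stated here as assumptions of the example): an OR gate passes the
secret unchanged to both sub-formulas; an AND gate splits it into two pieces
s1, s2 with s1 XOR s2 = s; a leaf hands its value to the party labelling it."""
import secrets

# Formula syntax: a party name (leaf) or ("or"|"and", left, right).
# Constructed example: minimal authorized sets {P1,P2}, {P1,P3}, {P3,P4}.
F = ("or", ("and", "P1", "P2"), ("and", "P3", ("or", "P1", "P4")))

def bl_share(formula, secret, bits=64):
    """Returns {party: {leaf_index: value}}.  A party labelling several leaves
    holds several values, which is why formula size bounds the share size."""
    shares, counter = {}, [0]
    def rec(node, s):
        if isinstance(node, str):                  # leaf: give s to that party
            shares.setdefault(node, {})[counter[0]] = s
            counter[0] += 1
        elif node[0] == "or":                      # OR: both sides get s
            rec(node[1], s)
            rec(node[2], s)
        elif node[0] == "and":                     # AND: additive 2-out-of-2 split
            s1 = secrets.randbits(bits)
            rec(node[1], s1)
            rec(node[2], s ^ s1)
        else:
            raise ValueError("unknown gate %r" % (node[0],))
    rec(formula, secret)
    return shares

def bl_reconstruct(formula, shares, parties):
    """Walk the formula in the same leaf order; returns the secret if `parties`
    satisfies the formula, else None (no piece is recoverable at that gate)."""
    parties, counter = set(parties), [0]
    def rec(node):
        if isinstance(node, str):
            idx = counter[0]
            counter[0] += 1
            return shares[node][idx] if node in parties else None
        left, right = rec(node[1]), rec(node[2])   # visit both, to keep leaf indices aligned
        if node[0] == "or":
            return left if left is not None else right
        return None if left is None or right is None else left ^ right
    return rec(formula)

def share_sizes(formula):
    """Number of field elements each party holds = number of leaves it labels."""
    sizes = {}
    def rec(node):
        if isinstance(node, str):
            sizes[node] = sizes.get(node, 0) + 1
        else:
            rec(node[1])
            rec(node[2])
    rec(formula)
    return sizes

if __name__ == "__main__":
    sh = bl_share(F, 0xC0FFEE)
    print(bl_reconstruct(F, sh, {"P1", "P3"}) == 0xC0FFEE)  # True
    print(bl_reconstruct(F, sh, {"P2", "P4"}))               # None
    print(share_sizes(F))                                    # {'P1': 2, 'P2': 1, 'P3': 1, 'P4': 1}
```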

Does it work for Monotone Circuits?
One gate has many outputs. It gets a share for each output, and has to share a bigger secret among its subcircuit. …
Exponential blowup.

Yao's Solution
Use encryption to avoid the blow-up.
Publish the cryptogram and share the key.
Computational security.
(figure: E( , ) = …, E( , ) = …: the cryptograms published for a gate)
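The "publish the cryptogram and share the key" idea as an added worked example. This is my own rendering of that idea for illustration, not Yao's construction verbatim and not code from the talk: every wire of the monotone circuit gets one key, each gate publishes cryptograms from which holders of its input keys recover its output key, and a party receives only the keys of its own input wires, so a wire with fan-out 2 costs nothing extra. The encryption E is a stand-in (HMAC-SHA256 used as a one-time pad, each (key, label) pair used once) and the circuit is constructed; both are assumptions of the example.

```python
"""Computational secret sharing from a monotone circuit in the spirit of Yao's
solution on the slide: every wire gets a key, each gate publishes cryptograms
that let holders of its input keys recover its output key, and parties only
receive the keys of their own input wires, so fan-out causes no blow-up.
Added example and my own rendering of the idea, not Yao's construction verbatim.
Assumptions: the encryption E is a stand-in (HMAC-SHA256 used as a one-time pad,
each (key, label) pair used once) and the circuit below is constructed."""
import hmac, hashlib, secrets

KEY_LEN = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, label, msg):
    """Toy encryption: pad = PRF(key, label), ciphertext = msg XOR pad.
    Because it is a XOR pad, decryption is the same operation."""
    pad = hmac.new(key, label.encode(), hashlib.sha256).digest()[:KEY_LEN]
    return xor(msg, pad)

# Constructed circuit: (gate, op, input wire a, input wire b, output wire).
# Input wires carry the name of the party holding them; wire "x" has fan-out 2.
# The circuit computes (P1 or P2) and (P3 or P4).
CIRCUIT = [("g1", "or",  "P1", "P2", "x"),
           ("g2", "and", "x",  "P3", "y"),
           ("g3", "and", "x",  "P4", "z"),
           ("g4", "or",  "y",  "z",  "out")]
PARTIES = ["P1", "P2", "P3", "P4"]

def yao_share(secret, circuit=CIRCUIT, parties=PARTIES):
    """Returns (shares, public).  shares[p] is the single key of p's input wire;
    public[gate] holds the cryptograms published for that gate."""
    if len(secret) != KEY_LEN:
        raise ValueError("secret must be %d bytes" % KEY_LEN)
    keys = {w: secrets.token_bytes(KEY_LEN) for g in circuit for w in g[2:]}
    keys["out"] = secret                     # the output wire's key IS the secret
    public = {}
    for gate, op, a, b, o in circuit:
        if op == "or":                       # either input key decrypts k_o
            public[gate] = (E(keys[a], gate + "a", keys[o]),
                            E(keys[b], gate + "b", keys[o]))
        else:                                # both needed: (r, r XOR k_o) is a 2-out-of-2 split of k_o
            r = secrets.token_bytes(KEY_LEN)
            public[gate] = (E(keys[a], gate + "a", r),
                            E(keys[b], gate + "b", xor(r, keys[o])))
    return {p: keys[p] for p in parties}, public

def yao_reconstruct(shares, public, parties, circuit=CIRCUIT):
    """Evaluate every gate whose input keys are known until the output key appears."""
    known = {p: shares[p] for p in parties}
    progress = True
    while progress:
        progress = False
        for gate, op, a, b, o in circuit:
            if o in known:
                continue
            ca, cb = public[gate]
            if op == "or" and a in known:
                known[o] = E(known[a], gate + "a", ca)
            elif op == "or" and b in known:
                known[o] = E(known[b], gate + "b", cb)
            elif op == "and" and a in known and b in known:
                known[o] = xor(E(known[a], gate + "a", ca), E(known[b], gate + "b", cb))
            else:
                continue
            progress = True
    return known.get("out")

if __name__ == "__main__":
    s = secrets.token_bytes(KEY_LEN)
    sh, pub = yao_share(s)
    print(yao_reconstruct(sh, pub, ["P1", "P3"]) == s)   # True
    print(yao_reconstruct(sh, pub, ["P1", "P2"]))        # None
    print({p: len(k) for p, k in sh.items()})            # every party holds exactly one key
```

Compare with the formula construction: turning this circuit into a formula duplicates the (P1 or P2) subtree under g2 and g3, so P1 and P2 would each hold two shares, and the duplication compounds with circuit depth. Here wire x has one key, both g2 and g3 publish cryptograms under it, and every party holds exactly one key regardless of fan-out. Privacy is now only computational: an unauthorized set such as {P1, P2} holds k_x but no key that decrypts the cryptograms of g2 or g3.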

Conclusions
Linearity is useful. However, linear schemes can realize only access structures in NC.
Nonlinear schemes can efficiently realize some "computationally hard" access structures.
Exact power of nonlinear schemes remains unknown.

Open Problems
Close the gap for secret sharing schemes: improve the Ω(n^2 / log n) lower bound.
Exponential lower bounds for linear schemes: improve the Ω(n^log n) lower bound.
Specific access structures: directed s-t-connectivity, perfect matching, weighted threshold [B+Weinreb].
Other nonlinear schemes.