Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.

Popular Encryption Schemes

                 Must share a secret-key    Don't share a secret-key
  Computational  SKE                        PKE
  Unconditional  One-time pad

Does there exist ... ?

                 Must share a secret-key    Don't share a secret-key
  Computational  SKE                        PKE
  Unconditional  One-time pad               ???

Yes:
(1975) Wyner: wire-tap channel model
(1984) Bennett and Brassard: BB84
(1993) Dolev, Dwork, Waarts and Yung: network model

In the model of DDWY: Alice and Bob are part of a network; there are n channels between them; the adversary can corrupt (observe and forge) at most t of the channels.

Indeed, in the Internet there are many channels between A and B, and no adversary can corrupt all the routers.

Dolev, Dwork, Waarts and Yung showed that we can achieve:
(Perfect Privacy) The adversary learns no information on the secret message s.
(Perfect Reliability) Bob receives s correctly (the adversary cannot forge s).

There are many variants:

  Network      Adversary    Security
  Undirected   Threshold    Perfect
  Directed     General      Almost perfect
  etc.

Many authors since DDWY: Sayeed, Abu-Amara; Franklin, Wright; Kumar, Goudan, Srinathan, Rangan, Narayanan, Patra, Choudhary; Desmedt, Wang, Burmester, Yang; Agarwal, Cramer, de Haan; Garay, Ostrovsky, Fitzi, Vardhan; Kurosawa, Suzuki.

This talk:

  Network      Adversary    Security
  Undirected   Threshold    Perfect
  Directed     General      Almost perfect

We begin with the 1st setting (undirected network, threshold adversary, perfect security):

  Network      Adversary    Security
  Undirected   Threshold    Perfect
  Directed     General      Almost perfect

In an undirected network, each channel between Alice and Bob is two-way.

1-round protocol: a single round of communication from the Sender to the Receiver.

2-round protocol: two rounds of communication between the Sender and the Receiver (1st round, then 2nd round in the other direction).

PSMT denotes a Perfectly Secure Message Transmission scheme.

DDWY showed:
1-round PSMT exists iff n ≧ 3t+1,
2-round PSMT exists iff n ≧ 2t+1,
where the adversary can corrupt t out of n channels.

Let's look at:
1-round PSMT (iff n ≧ 3t+1),
2-round PSMT for n = 2t+1,
where an adversary can corrupt t out of n channels.

2-round PSMT for n=2t+1 (by transmission rate and running time):

              Larger than O(n)            Lower bound O(n) [Srinathan, Narayan, Rangan (2004)]
  Exp-time    DDWY (1993)                 Agarwal, Cramer, de Haan (2006)
  Poly-time   Sayeed, Abu-Amara (1996)    Kurosawa, Suzuki (2008)

Suppose that Alice chooses a random polynomial f(x) such that f(0) = s and deg f(x) ≦ t, and sends f(i) to Bob over channel i (i = 1, …, n).

The adversary corrupts t of the channels.

Perfect privacy is satisfied because this is a (t+1, n)-secret sharing scheme. Hence the adversary learns no information on s.

The adversary forges t channels: f(1)' = f(1) + e_1, …, f(t)' = f(t) + e_t. How about perfect reliability?

Perfect reliability: Bob can compute s if X = (f(1), …, f(n)) is a codeword of a t-error correcting code.

For nonzero f(x), X = (f(1), …, f(n)) has at most t zeros because deg f(x) ≦ t. Hence the minimum Hamming weight of a nonzero X is n−t. Therefore the minimum Hamming distance of this linear code C is d = n−t.

If n = 3t+1, the minimum Hamming distance of C is d = n − t = (3t+1) − t = 2t+1. Hence the receiver can correct the t errors caused by the adversary by using the Berlekamp-Welch algorithm. Thus perfect reliability is also satisfied. Therefore we obtain a 1-round PSMT easily for n ≧ 3t+1.

If n = 2t+1, however, the minimum Hamming distance of C is d = n − t = (2t+1) − t = t+1. Hence the receiver can only detect t errors, but cannot correct them. This is the main reason why PSMT for n = 2t+1 is difficult.

DDWY showed an exp-time 2-round PSMT and a poly-time 3-round PSMT such that the transmission rate is O(n^5), where the transmission rate is defined as (the total number of bits transmitted) / (the size of the secrets).

Sayeed and Abu-Amara: a 2-round PSMT such that the transmission rate is O(n^3).

Srinathan, Narayan and Rangan: the transmission rate is ≧ n for any 2-round PSMT with n = 2t+1 (CRYPTO 2004).

Agarwal, Cramer and de Haan: an exp-time 2-round PSMT such that the transmission rate is O(n) (CRYPTO 2006).

Kurosawa and Suzuki: a poly-time 2-round PSMT such that the transmission rate is O(n), at Eurocrypt 2008. Final version: IEEE Trans. on IT, 2009.

Our idea: what is the difference between error correction and PSMT? If the sender sends a single codeword, then the adversary causes t errors at arbitrary positions. Hence there is no difference.

However, if the sender sends many codewords X_1, …, X_m, then the errors are not totally random, because the errors always occur at the same t (or fewer) places!

Our observation: suppose that the receiver received Y_1 = X_1 + E_1, …, Y_m = X_m + E_m, where E_1, …, E_m are error vectors. Let E = [E_1, …, E_m]. Then dim E ≦ t because the errors always occur at the same t (or fewer) places!

But the receiver does not know the error vectors E_1, …, E_m.

Our contribution: we introduced the notions of pseudo-dimension and pseudo-basis.

Intuition: let Y = {Y_1, …, Y_m} and E = [E_1, …, E_m]. If Y has pseudo-dimension k, then E has dimension k. If Y has a pseudo-basis {Y_j1, …, Y_jk}, then E has a basis {E_j1, …, E_jk}.

Our contribution: we then showed a poly-time algorithm which finds a pseudo-basis and the pseudo-dimension from Y = {Y_1, …, Y_m}.

More observation: for example, suppose that
E_1 = (1, 0, …, 0), NonZero(E_1) = {1}
E_2 = (1, 1, 0, …, 0), NonZero(E_2) = {1, 2}
…
E_t = (1, …, 1, 0, …, 0), NonZero(E_t) = {1, …, t}
is a basis of E. Define FORGED ≡ ∪_{basis} NonZero(E_i). Then FORGED = {all forged channels}.

Our basic 2-round PSMT: let t = 1 and n = 2t+1 = 3; that is, the adversary can corrupt 1 out of 3 channels.

It consists of 3 phases: the encryption phase, the error detection phase and the decryption phase. We run them in parallel.

Encryption phase (1st round): R sends random f_1(x), f_2(x) and f_3(x) with deg f_i(x) ≦ 1, where f_i(x) is sent over channel i. S receives f_1'(x), f_2'(x) and f_3'(x).

Encryption phase (2nd round): S broadcasts c = s + f_1'(1) + f_2'(2) + f_3'(3), i.e. sends c over every channel. R receives c correctly by taking a majority vote, because at most 1 channel is corrupted.

Error detection phase (1st round): R sends X_1, X_2, X_3 such that X_i = (f_i(1), f_i(2), f_i(3)), where the j-th element of each X_i is sent over channel j. S receives Y_i = (f_i(1)', f_i(2)', f_i(3)').

From {Y_1, Y_2, Y_3}, S computes the pseudo-dimension k and a pseudo-basis Λ by using the proposed algorithm. For example, S computes k = 1 and Λ = {Y_1}, and broadcasts k = 1, Λ = {Y_1}.

R sent X_1 and now receives Y_1 = X_1 + E_1. Hence R can compute E_1 = Y_1 − X_1. Suppose that E_1 = Y_1 − X_1 = [0, 0, e_3]^T. Then R sees that channel 3 is corrupted.

What happened? The adversary corrupted channel 3. S broadcast c and Y_1 (the pseudo-basis). Then R found that channel 3 was corrupted.

In particular, the adversary observed f_3(x) (sent over channel 3) and Y_1 ≃ f_1(x) (broadcast by S), but f_2(2) is kept hidden. In other words, R can find the corrupted channel while keeping f_2(2) secret.

If R sends f_1(x), ⋯, f_6(x) (f_1, f_4 over channel 1; f_2, f_5 over channel 2; f_3, f_6 over channel 3), then R can find the corrupted channel while keeping f_2(2), f_4(1), f_5(2) secret, because only Y_1 is broadcast as a pseudo-basis.

Going back to our basic scheme, let's look at f_3(x). R sent X_3 = (f_3(1), f_3(2), f_3(3)). R knows that S received y_1 = f_3(1) and y_2 = f_3(2) intact (channels 1 and 2 are not corrupted), while over channel 3 S received f_3'(x) and y_3.

Decryption phase: S broadcasts
Δ_1 = f_3'(1) − y_1
Δ_2 = f_3'(2) − y_2
Δ_3 = f_3'(3) − y_3

From the first two equations, R can compute f_3'(1) = Δ_1 + f_3(1) and f_3'(2) = Δ_2 + f_3(2). Then R obtains f_3'(x) by applying the Lagrange formula to f_3'(1) and f_3'(2).

Perfect reliability: R can obtain f_1'(x) and f_2'(x) similarly. Remember that R received c = s + f_1'(1) + f_2'(2) + f_3'(3). Now R can compute s. Therefore perfect reliability is satisfied.

Perfect privacy: S broadcasts c = s + f_1'(1) + f_2'(2) + f_3'(3), and Y_1 is broadcast by S as a pseudo-basis. The adversary observed f_3'(x). But she has no information on f_2'(2) = f_2(2). Hence perfect privacy is also satisfied.

Final scheme: R sends many f_i(x) in parallel, and S uses "generalized broadcast". Then we obtain transmission rate O(n).

Now, what is a pseudo-basis? Let C be the linear code whose codewords are (f(1), ⋯, f(n)) with deg f(x) ≦ t; that is, C = { (f(1), ⋯, f(n)) | deg f(x) ≦ t }.

We write Y_1 = Y_2 mod C if Y_1 − Y_2 ∈ C. In particular, if Y = X + E with X ∈ C, then Y = E mod C.

Linearly pseudo-expressed: we say that Y_0 is linearly pseudo-expressed by {Y_1, ⋯, Y_k} if Y_0 = a_1 Y_1 + ⋯ + a_k Y_k mod C for some (a_1, ⋯, a_k).

Pseudo-span: let Λ ⊆ Y = {Y_1, ⋯, Y_m}. We say that Λ pseudo-spans Y if each Y_i is linearly pseudo-expressed by Λ.

Pseudo-basis: we say that Λ is a pseudo-basis of Y if it is a minimum set which pseudo-spans Y.

Pseudo-dimension: suppose that Λ is a pseudo-basis of Y. We say that k = |Λ| is the pseudo-dimension of Y.

Admissible error vector set: we say that {E_1, ⋯, E_m} is an admissible error vector set of Y = {Y_1, ⋯, Y_m} if E_i = Y_i mod C for all i, and |∪_i NonZero(E_i)| ≦ t.

Theorem: let {E_1, ⋯, E_m} be an admissible error vector set of Y = {Y_1, ⋯, Y_m}, and let E = [E_1, …, E_m]. Then Y has pseudo-dimension k iff E has dimension k, and Y has a pseudo-basis {Y_j1, …, Y_jk} iff E has a basis {E_j1, …, E_jk}.

Corollary: let {E_1, ⋯, E_m} be the real error vector set caused by the adversary, and let E = [E_1, …, E_m]. If Y has pseudo-dimension k, then E has dimension k. If Y has a pseudo-basis {Y_j1, …, Y_jk}, then E has a basis {E_j1, …, E_jk}.

Next, how to check whether Y_3 is linearly pseudo-expressed by {Y_1, Y_2}: Y_3 − (a_1 Y_1 + a_2 Y_2) = 0 mod C. This equation means LHS = some codeword (f(1), ⋯, f(n)).

First, construct f_(a1,a2)(x) by applying the Lagrange formula to the first t+1 elements of Y_3 − (a_1 Y_1 + a_2 Y_2), like this:
f_(a1,a2)(1) = y_3,1 − (a_1 y_1,1 + a_2 y_2,1)
⋮
f_(a1,a2)(t+1) = y_3,t+1 − (a_1 y_1,t+1 + a_2 y_2,t+1)

Next, check if f_(a1,a2)(x) is consistent with the remaining elements of Y_3 − (a_1 Y_1 + a_2 Y_2) for some (a_1, a_2):
f_(a1,a2)(t+2) = y_3,t+2 − (a_1 y_1,t+2 + a_2 y_2,t+2)
⋮
f_(a1,a2)(n) = y_3,n − (a_1 y_1,n + a_2 y_2,n)

This can be done easily by checking whether the above linear equations have a solution (a_1, a_2): because f_(a1,a2)(x) is obtained by Lagrange interpolation, each f_(a1,a2)(j) is a linear function of (a_1, a_2), so the n−t−1 remaining equations form a linear system in the unknowns (a_1, a_2). If a solution exists, then Y_3 is linearly pseudo-expressed by {Y_1, Y_2}.

Algorithm for finding a pseudo-basis
Input: Y = {Y_1, …, Y_m}
Let Λ = ∅.
For i = 1 to m: if |Λ| < t and Y_i is not linearly pseudo-expressed by Λ, then add Y_i to Λ.
Finally output Λ as a pseudo-basis of Y (and |Λ| as the pseudo-dimension).
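The pseudo-basis algorithm above, together with the receiver's FORGED computation from the "More observation" slides, as an added worked example (not the authors' code). It assumes GF(101), evaluation points 1..n, n = 5, t = 2, and a constructed set of four codewords with errors on channels 2 and 4; the parity-check matrix H encodes the Lagrange consistency check, so "Y_0 = a_1 Y_1 + ⋯ mod C" becomes a linear system on syndromes.

```python
"""Pseudo-basis of received words over C = {(f(1), ..., f(n)) : deg f <= t}.
Added example, not the authors' code. Assumes GF(P) with P = 101, evaluation
points 1..n; vectors are Python lists of ints mod P."""
P = 101  # constructed prime; small enough to read, any prime > n works


def inv(a):
    return pow(a, P - 2, P)


def lagrange_row(pts, x):
    """Coefficients L_i(x) with f(x) = sum_i L_i(x) * f(pts[i]) for deg f <= len(pts)-1."""
    row = []
    for i, xi in enumerate(pts):
        num = den = 1
        for j, xj in enumerate(pts):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        row.append(num * inv(den) % P)
    return row


def parity_check(n, t):
    """Rows x = t+2..n of H: interpolate from positions 1..t+1 and subtract v_x.
    v is in C iff H v = 0, which is exactly the slides' consistency check."""
    H = []
    for x in range(t + 2, n + 1):
        row = lagrange_row(list(range(1, t + 2)), x) + [0] * (n - t - 1)
        row[x - 1] = P - 1  # coefficient -1 on v_x
        H.append(row)
    return H


def syndrome(H, v):
    return [sum(h * c for h, c in zip(row, v)) % P for row in H]


def in_span(cols, target):
    """Gaussian elimination over GF(P): is target a linear combination of cols?"""
    k, m = len(cols), len(target)
    A = [[cols[c][r] for c in range(k)] + [target[r]] for r in range(m)]
    rank = 0
    for c in range(k):
        piv = next((r for r in range(rank, m) if A[r][c]), None)
        if piv is None:
            continue
        A[rank], A[piv] = A[piv], A[rank]
        s = inv(A[rank][c])
        A[rank] = [x * s % P for x in A[rank]]
        for r in range(m):
            if r != rank and A[r][c]:
                f = A[r][c]
                A[r] = [(x - f * y) % P for x, y in zip(A[r], A[rank])]
        rank += 1
    # inconsistent iff some row reads "0 = nonzero" after elimination
    return all(any(row[:k]) or row[k] == 0 for row in A)


def pseudo_expressed(H, y0, basis):
    """y0 = a_1 Y_1 + ... + a_k Y_k mod C  <=>  H y0 in span{H Y_1, ..., H Y_k}."""
    return in_span([syndrome(H, y) for y in basis], syndrome(H, y0))


def pseudo_basis(Y, n, t):
    """The talk's greedy algorithm; returns the indices of Lambda (pseudo-dim = len)."""
    H = parity_check(n, t)
    lam = []
    for i, y in enumerate(Y):
        if len(lam) < t and not pseudo_expressed(H, y, [Y[j] for j in lam]):
            lam.append(i)
    return lam


def forged_channels(X, Y, lam):
    """Receiver side: it knows the sent X_i, so for the broadcast pseudo-basis it gets
    E_i = Y_i - X_i, and FORGED = union of NonZero(E_i) over the basis (1-indexed)."""
    forged = set()
    for i in lam:
        forged |= {j + 1 for j, (a, b) in enumerate(zip(X[i], Y[i])) if (b - a) % P}
    return forged


def encode(coeffs, n):
    """Codeword (f(1), ..., f(n)) of the polynomial with the given coefficients."""
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in range(1, n + 1)]


def demo():
    """Constructed run: n = 2t+1 = 5, t = 2, adversary forges channels 2 and 4 only."""
    n, t = 5, 2
    X = [encode(c, n) for c in ([3, 4, 5], [7, 0, 1], [9, 9, 9], [1, 2, 3])]
    E = [[0, 5, 0, 7, 0], [0, 1, 0, 0, 0], [0, 3, 0, 9, 0], [0, 0, 0, 0, 0]]
    Y = [[(a + b) % P for a, b in zip(x, e)] for x, e in zip(X, E)]
    lam = pseudo_basis(Y, n, t)             # what S computes and broadcasts
    return lam, forged_channels(X, Y, lam)  # what R derives: ([0, 1], {2, 4})
```

The pseudo-dimension found is 2 = dim E, and R recovers exactly the forged channels without S ever learning X_3 or X_4.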

2-round PSMT for n=2t+1 (by transmission rate and running time):

              Larger than O(n)            Lower bound O(n) [Srinathan, Narayan, Rangan (2004)]
  Exp-time    DDWY (1993)                 Agarwal, Cramer, de Haan (2006)
  Poly-time   Sayeed, Abu-Amara (1996)    Kurosawa, Suzuki (2008)

For the details, please look at the paper: "Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme", Kurosawa and Suzuki. Preliminary version: Eurocrypt 2008. Final version: IEEE Trans. on IT, 2009.

Patra, Choudhary and Rangan used the pseudo-basis to construct: communication-optimal 3- and 6-round PSMT in directed networks (ICDCN 2010); a 3-round communication-optimal PSMT tolerating a mobile mixed adversary (PODC 2010).

Yang and Desmedt used the pseudo-basis to construct a 2-round PSMT for Q^2 adversary structures (Asiacrypt 2010).

Open Problem (1): Can we apply the pseudo-basis to other problems?

Open Problem (2): The transmission rate is (the total number of bits transmitted) / (the size of the secrets). In our PSMT, the total number of bits transmitted is O(n^3) and the size of the secrets is O(n^2), giving transmission rate O(n). What is a lower bound on the communication complexity needed to achieve our goal?

Next, the 2nd setting (general adversary structures):

  Network      Adversary    Security
  Undirected   Threshold    Perfect
  Directed     General      Almost perfect

Desmedt et al.: threshold adversaries are not realistic when dealing with computer viruses, such as the I LOVE YOU virus and the Internet virus/worm, which only spread to Windows and Unix respectively.

Among the channels between the Sender S and the Receiver R: {1,2,3} use Windows, {3,4} use UNIX, and {1,5} use TRON.

Adversary structure: the adversary can corrupt B_1 = {1,2,3} or B_2 = {3,4} or B_3 = {1,5}. Let Γ = {B_1, B_2, B_3}. Such a Γ is called an adversary structure.

Hirt and Maurer introduced adversary structures in the context of multiparty protocols. They generalized n ≧ 2t+1 to Q^2 adversary structures and n ≧ 3t+1 to Q^3 adversary structures.

Γ satisfies Q^2 if B_i ∪ B_j ≠ {1, ⋯, n} for any B_i, B_j ∈ Γ.

Γ satisfies Q^3 if B_i ∪ B_j ∪ B_k ≠ {1, ⋯, n} for any B_i, B_j, B_k ∈ Γ.

PSMT for general adversaries:
2002 Kumar, Goudan, Srinathan, Rangan: many-round PSMT for Q^2
2005 Desmedt, Wang, Burmester: exp-time 1-round PSMT for Q^3
2009 Kurosawa: poly-time 1-round PSMT for Q^3
2010 Yang, Desmedt: poly-time 2-round PSMT for Q^2

I will explain the poly-time 1-round PSMT for Q^3.

Monotone: we say that Γ is monotone if B ∈ Γ and B' ⊂ B imply B' ∈ Γ. For example, if an adversary can corrupt B = {1,2,3}, then she can clearly corrupt B' = {1,2}. In what follows, we assume that Γ is monotone.

Proposition: for any monotone adversary structure Γ, there exists a (linear) secret sharing scheme such that if B ∈ Γ, then B has no information on s, and if A ∉ Γ, then A can reconstruct s. We call such a scheme a secret sharing scheme for Γ.

What is the difference between Shamir's threshold secret sharing scheme and general secret sharing schemes?

Secret sharing scheme, sharing phase: for a secret s, the dealer computes a share vector V = (v_1, ⋯, v_n) and gives v_i to player P_i.

Reconstruction phase: suppose that some subset of players B ∈ Γ opens forged shares. Let Y = V + E, where V is the share vector and E is an error vector.

In Shamir's threshold SS, if n ≧ 3t+1, then the Berlekamp-Welch algorithm can correct t errors in Y = V + E in poly-time.

For Q^3 adversary structures, no secret sharing scheme was known such that s can be reconstructed in poly-time from Y (= V + E). This is the reason why the construction of 1-round PSMT for Q^3 is difficult.

I constructed a secret sharing scheme for Q^3 such that s can be reconstructed from Y (= V + E) in poly-time.

Proposed construction: for a Q^3 adversary structure Γ, let LSSS be a linear secret sharing scheme for Γ, i.e. such that if B ∈ Γ, then B has no information on s, and if A ∉ Γ, then A can reconstruct s.

Step 1: run the LSSS on s with randomness r_0 to obtain the shares v_1, ⋯, v_n.

Step 2: run the LSSS on v_1 with randomness r_1 to obtain the shares u_11, ⋯, u_1n. The dealer gives (v_1, r_1) and u_11 to P_1, u_12 to P_2, ⋯, u_1n to P_n.

Similarly, run the LSSS on v_2 with randomness r_2 to obtain u_21, ⋯, u_2n; the dealer gives (v_2, r_2) to P_2 and u_2j to P_j.

And so on. In the end the dealer has distributed:
P_1: (v_1, r_1), u_11, u_21, ⋯, u_n1
P_2: (v_2, r_2), u_12, u_22, ⋯, u_n2
⋮
P_n: (v_n, r_n), u_1n, u_2n, ⋯, u_nn

In the reconstruction phase, suppose that some subset of players B ∈ Γ opens forged shares. We will show a poly-time algorithm which can reconstruct s.

Suppose that each player P_j opened (v_j, r_j) and u_1j, ⋯, u_nj (the opened values may be forged).

Decoding algorithm, Step 1: for each i, run the LSSS on input (v_i, r_i) as opened by P_i to regenerate the shares u_i1, ⋯, u_in. Then compare each regenerated u_ij with the u_ij opened by P_j. Accept v_i if { j | regenerated u_ij ≠ opened u_ij } ∈ Γ.

Decoding algorithm, Step 2: finally apply the reconstruction algorithm of the LSSS to {accepted v_i} and reconstruct s.

Theorem: the proposed scheme is a secret sharing scheme for a Q^3 adversary structure Γ. Even if some B ∈ Γ opens forged shares, the decoding algorithm reconstructs s in time polynomial in the size of the LSSS (which is the total size of the shares).

Application to PSMT: we can construct a 1-round PSMT for any Q^3 adversary structure which runs in time polynomial in the size of the underlying LSSS.

Proposed PSMT: the sender sends over channel j exactly what the dealer would give to P_j:
Channel 1: (v_1, r_1), u_11, u_21, ⋯, u_n1
Channel 2: u_12, (v_2, r_2), u_22, ⋯, u_n2
⋮
Channel n: u_1n, u_2n, ⋯, (v_n, r_n), u_nn
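The two-level construction and its decoding algorithm from the preceding slides as an added worked example (not the paper's code). It assumes GF(101), n = 5 players, a constructed Q^3 structure Γ with maximal sets {1,2}, {3}, {4}, {5}, and the replicated additive scheme as the underlying LSSS (the construction itself works with any LSSS for Γ); players 1 and 2, a set in Γ, open forged values.

```python
"""Error-decodable secret sharing for a Q^3 adversary structure, following the
talk's construction with the replicated (additive) LSSS underneath.
Added example, not the author's code. Assumes GF(P), P = 101, N = 5 players and
the constructed structure Gamma below."""
import random

P = 101
N = 5
MAXIMAL = [{1, 2}, {3}, {4}, {5}]  # Gamma = all subsets; union of any 3 != {1..5}, so Q^3
K = len(MAXIMAL)


def in_gamma(S):
    """Monotone closure: S is in Gamma iff it lies inside some maximal set."""
    return any(S <= B for B in MAXIMAL)


def lsss_share(secret, rand):
    """Replicated LSSS: secret = r_1 + ... + r_K componentwise; r_1..r_{K-1} are read
    from rand, r_K is forced. Player j receives every r_k with j not in B_k (flattened)."""
    L = len(secret)
    r = [rand[k * L:(k + 1) * L] for k in range(K - 1)]
    r.append([(s - sum(r[k][c] for k in range(K - 1))) % P for c, s in enumerate(secret)])
    return [[x for k, B in enumerate(MAXIMAL) if j not in B for x in r[k]]
            for j in range(1, N + 1)]


def lsss_reconstruct(shares, L):
    """shares: {player: flat share}. Works when set(shares) is not in Gamma, because
    then every r_k has a holder outside B_k."""
    total = [0] * L
    for k, B in enumerate(MAXIMAL):
        holder = next(j for j in shares if j not in B)
        off = L * sum(1 for k2 in range(k) if holder not in MAXIMAL[k2])
        total = [(a + b) % P for a, b in zip(total, shares[holder][off:off + L])]
    return total


def deal(s, rng):
    """Step 1: v = LSSS(s; r_0). Step 2: u_i* = LSSS(v_i; r_i). P_i gets (v_i, r_i), P_j gets u_ij."""
    r0 = [rng.randrange(P) for _ in range(K - 1)]
    v = lsss_share([s], r0)
    players = {j: {"u": {}} for j in range(1, N + 1)}
    for i in range(1, N + 1):
        ri = [rng.randrange(P) for _ in range((K - 1) * len(v[i - 1]))]
        players[i]["own"] = (v[i - 1], ri)
        for j, uij in enumerate(lsss_share(v[i - 1], ri), start=1):
            players[j]["u"][i] = uij
    return players


def decode(opened):
    """opened[j] = what P_j opened (possibly forged). Re-share each opened (v_i, r_i),
    compare with the u_ij opened by each P_j, accept v_i iff the disagreeing set is in Gamma,
    then run the LSSS reconstruction on the accepted v_i."""
    accepted = {}
    for i in range(1, N + 1):
        vi, ri = opened[i]["own"]
        regenerated = lsss_share(vi, ri)
        bad = {j for j in range(1, N + 1) if regenerated[j - 1] != opened[j]["u"][i]}
        if in_gamma(bad):
            accepted[i] = vi
    return lsss_reconstruct(accepted, 1)[0], set(accepted)


def demo():
    """Constructed run: dealer shares s = 42; B = {1, 2} (in Gamma) opens forged values."""
    players = deal(42, random.Random(7))
    opened = {j: {"own": players[j]["own"], "u": dict(players[j]["u"])} for j in players}
    for j in (1, 2):  # corrupt players tamper with their (v_j, r_j) and every u_ij they hold
        v, r = opened[j]["own"]
        opened[j]["own"] = ([(x + j) % P for x in v], r)
        opened[j]["u"] = {i: [(x + 1) % P for x in u] for i, u in opened[j]["u"].items()}
    return decode(opened)  # (42, {3, 4, 5})
```

A forged v_1 is rejected because the honest holders of r_K all disagree with the regenerated shares, and {3, 4} is not in Γ; the honest v_3, v_4, v_5 are accepted since only {1, 2} ∈ Γ disagrees, and {3, 4, 5} ∉ Γ suffices to reconstruct.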

For Q^3 adversary structures:
2005 Desmedt, Wang, Burmester: exp-time 1-round PSMT
2009 Kurosawa: poly-time 1-round PSMT

For the details, please look at the paper: ePrint 2009/263, "General Error Decodable Secret Sharing Scheme and Its Application", Kaoru Kurosawa.

Summary:
Poly-time 2-round PSMT for n = 2t+1 with transmission rate O(n).
Poly-time 1-round PSMT for Q^3 adversary structures.

Open problems: it seems that there are many open problems in this area, because there are many variants of this model and several parameters to be optimized.

THANK YOU !!

Brief announcement of our new result: ePrint 2010/609, "The Round Complexity of General VSS", Ashish Choudhary, Kaoru Kurosawa, Arpita Patra.

Verifiable Secret Sharing (VSS) is a fundamental building block in many distributed cryptographic protocols. In this model, the adversary can corrupt not only some subset of players but also the dealer.

Even so, a unique secret must be reconstructed in the reconstruction phase, no matter how the malicious players behave.

STOC 2001: Gennaro, Ishai, Kushilevitz and Rabin showed that 2-round VSS is possible iff n ≧ 4t+1, and 3-round VSS is possible iff n ≧ 3t+1.

TCC 2006: Fitzi, Garay, Gollakota, Rangan and Srinathan constructed a poly-time 3-round VSS for n ≧ 3t+1.

We consider a general adversary:

                Our result          Previous
  2-round VSS   iff Γ is Q^4        n ≧ 4t+1
  3-round VSS   iff Γ is Q^3        n ≧ 3t+1

As a special case of our VSS, we obtain a more efficient 3-round VSS than the VSS of Fitzi et al. for n = 3t+1: the communication complexity of the reconstruction phase is reduced from O(n^3) to O(n^2).

Further, we point out a flaw in the reconstruction phase of the VSS of Fitzi et al., and show how to fix it.

For the details, please look at the paper: ePrint 2010/609, "The Round Complexity of General VSS", Ashish Choudhary, Kaoru Kurosawa, Arpita Patra.

THANK YOU, AGAIN !!