Secret Sharing: Linear vs. Nonlinear Schemes (A Survey)


1 Secret Sharing: Linear vs. Nonlinear Schemes (A Survey)
Amos Beimel, Ben-Gurion University. Slides borrowed from Yuval Ishai, Enav Weinreb.

2 Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
10/25/2006, IPAM - Securing Cyberspace

3 Talk Overview
Motivation and definitions
Linear secret sharing schemes
Nonlinear secret sharing schemes
Computational secret sharing
Conclusions and open problems

4 Def: Secret Sharing
[figure: a dealer holding the secret s and randomness r hands share s_i to party P_i, for i = 1, …, n]
Access structure Γ: a collection of subsets of {P_1, …, P_n}. A scheme realizes Γ if:
Correctness: every authorized set B ∈ Γ can always recover s.
Privacy: every unauthorized set B ∉ Γ cannot learn anything about s.

5 Applications
Secure storage; secure multiparty computation; threshold cryptography; Byzantine agreement; access control; private information retrieval; attribute-based encryption.

6 The Threshold Case
(t,n)-secret-sharing: Γ = { B ⊆ {P_1, …, P_n} : |B| ≥ t }.
Shamir's scheme: s ∈ GF(q), q > n prime. Choose r_1, …, r_{t-1} uniformly at random and set p(x) = s + r_1 x + r_2 x^2 + … + r_{t-1} x^{t-1} (mod q). Party P_j receives s_j = p(j). Any t shares determine p and hence s = p(0); any t-1 shares are consistent with every value of s.
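The threshold scheme just described, as an added Python example (not code from the slides): sharing over GF(q), reconstruction by Lagrange interpolation at x = 0, and a privacy check that enumerates all of the dealer's randomness for a small prime and compares what t-1 parties see under two different secrets. All function names, the sample secrets and the choice of q are ours.

```python
import random
from collections import Counter
from itertools import product


def eval_poly(coeffs, x, q):
    """Evaluate p(x) = coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... over GF(q)."""
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q


def shamir_share(secret, n, t, q, rng=random.SystemRandom()):
    """Shamir (t,n) sharing over GF(q): p(0) = secret, party j gets s_j = p(j)."""
    if not (q > n and 1 <= t <= n and 0 <= secret < q):
        raise ValueError("need prime q > n, 1 <= t <= n, secret in GF(q)")
    # r_1 .. r_{t-1} uniform in GF(q): p has degree at most t-1
    coeffs = [secret] + [rng.randrange(q) for _ in range(t - 1)]
    return [(j, eval_poly(coeffs, j, q)) for j in range(1, n + 1)]


def shamir_reconstruct(shares, q):
    """Lagrange interpolation at x = 0. Needs at least t shares with distinct x-coordinates."""
    secret = 0
    for j, y_j in shares:
        num = den = 1
        for k, _ in shares:
            if k != j:
                num = num * (-k) % q       # product of (0 - x_k)
                den = den * (j - k) % q    # product of (x_j - x_k)
        secret = (secret + y_j * num * pow(den, -1, q)) % q
    return secret


def share_distribution(secret, parties, t, q):
    """Exact joint distribution of the shares seen by `parties`, over all dealer
    randomness (brute force over GF(q)^(t-1); only feasible for small q)."""
    dist = Counter()
    for rs in product(range(q), repeat=t - 1):
        coeffs = [secret] + list(rs)
        dist[tuple(eval_poly(coeffs, j, q) for j in parties)] += 1
    return dist


if __name__ == "__main__":
    Q = 2**61 - 1  # Mersenne prime, comfortably larger than n
    shares = shamir_share(0xC0FFEE, n=5, t=3, q=Q)
    print(shamir_reconstruct(shares[:3], Q) == 0xC0FFEE)   # any 3 of the 5 shares suffice
    # Privacy: parties 1 and 2 (t-1 of them) see the same distribution for secret 0 and secret 5
    print(share_distribution(0, (1, 2), 3, 7) == share_distribution(5, (1, 2), 3, 7))
```

Reconstruction from more than t shares of the same polynomial returns the same secret, because a polynomial of degree below t is already determined by any t of the points; reconstruction from fewer than t shares silently interpolates a wrong, lower-degree polynomial, which is why `share_distribution` rather than `shamir_reconstruct` is the right tool for checking privacy.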

7 The General Case
Which access structures Γ can be realized? Necessary condition: Γ is monotone (a superset of an authorized set is authorized). Also sufficient!
[figure: five parties P_1, …, P_5 and the secret s] Example: minimal sets {P2,P4}, {P1,P2}, {P1,P3,P5}.
Not efficient!!!! (the general construction produces shares whose size grows with the number of minimal sets.)

8 Are there Efficient Schemes?
The known schemes for general access structures have shares of size 2^{O(n)}. Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n). Nothing better is known even for non-explicit structures! (large gap)
Conjecture: there is an access structure that requires shares of size 2^{Ω(n)}.


10 Linear Secret-Sharing
[figure: the dealer applies a linear transformation over a field F to the vector (s, r_1, …, r_m) and hands the resulting entries to P_1, …, P_n]
Examples: Shamir's scheme; formula-based schemes [BenalohLeichter88]; monotone span programs [KarchmerWigderson93].

11 Linear Schemes and Span Programs
Monotone span programs: a linear-algebraic model of computation [KarchmerWigderson93]. Equivalent to linear schemes.

12 Monotone Span Programs
[figure: a matrix over a field whose rows are labeled by parties, together with a target vector]
The program accepts a set B iff the rows labeled by B span the target vector.

13 Monotone Span Programs
[figure: the rows labeled P2 and P4 span the target vector] {P2,P4} is accepted.

14 Monotone Span Programs
[figure: the rows labeled P1 and P2 span the target vector] {P1,P2} is accepted.

15 Span Programs ⇒ Secret Sharing
[figure: the matrix is multiplied by the column vector (s, r2, r3, r4); the shares shown are s+r2+r4, r2+r3, s+r2, r3+r4, with rows labeled P2, P1, P3, P4]
Example: s = 1, r2 = r3 = 0, r4 = 1.

16 Span Programs ⇒ Secret Sharing
[figure: the same matrix times (s, r2, r3, r4); the shares s+r2+r4, r2+r3, s+r2, r3+r4 for P2, P1, P3, P4] The accepted set {P2,P4} combines its shares with the coefficients that express the target vector and recovers s.

17 Linear Schemes: State of the Art
Every access structure can be realized by a linear scheme. Most known schemes are linear. Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms). Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^{Ω(log n)}. Best existential lower bounds for linear schemes: 2^{Ω(n)}.

18 Why Linear Secret Sharing?
Share generation and secret reconstruction are efficient. Perfect privacy for free. Homomorphic. Secure multi-party computation [CramerDamgardMaurer2000].
Why not? Can only realize access structures in NC.

19 Homomorphism of Linear Secret Sharing
[figure: M · (s, r2, r3, r4) = (y1, …, y5) and M · (s', r'2, r'3, r'4) = (y'1, …, y'5), with rows labeled P1, …, P4; adding the two equations gives M · (s+s', r2+r'2, r3+r'3, r4+r'4) = (y1+y'1, …, y5+y'5), i.e. the sums of the shares are shares of s+s']
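A worked monotone span program for slides 12 through 19, as an added Python example that is not from the slides: the slides' own matrix did not survive extraction, so the matrix below is ours, chosen over GF(2) with target vector e1 so that it realizes the slide-7 access structure (minimal sets {P1,P2}, {P2,P4}, {P1,P3,P5}). The block derives shares as M·(s, r2, r3, r4), reconstructs by combining the accepted set's shares with the coefficients that express the target vector, checks correctness and privacy exhaustively over all 32 subsets and all randomness, and shows the additive homomorphism of slide 19. All names are ours.

```python
from itertools import combinations, product

# Constructed MSP over GF(2). Columns index (s, r2, r3, r4); target vector is e1 = (1,0,0,0).
MSP_ROWS = [
    ("P1", (0, 1, 0, 0)),   # P1 receives r2
    ("P2", (1, 1, 0, 0)),   # P2 receives s + r2
    ("P2", (1, 0, 0, 1)),   # P2 also receives s + r4 (a party may label several rows)
    ("P3", (1, 1, 1, 0)),   # P3 receives s + r2 + r3
    ("P4", (0, 0, 0, 1)),   # P4 receives r4
    ("P5", (0, 0, 1, 0)),   # P5 receives r3
]
TARGET = (1, 0, 0, 0)
PARTIES = ("P1", "P2", "P3", "P4", "P5")
MINIMAL_SETS = ({"P1", "P2"}, {"P2", "P4"}, {"P1", "P3", "P5"})


def rows_of(parties):
    return [row for owner, row in MSP_ROWS if owner in parties]


def reconstruction_vector(parties):
    """Coefficients λ over GF(2) with λ·M_B = TARGET, or None when B's rows do not span it.
    Brute force over the 2^|rows| combinations; Gaussian elimination does this for large MSPs."""
    rows = rows_of(parties)
    for coeffs in product((0, 1), repeat=len(rows)):
        combo = tuple(sum(c * r[i] for c, r in zip(coeffs, rows)) % 2 for i in range(len(TARGET)))
        if any(coeffs) and combo == TARGET:
            return coeffs
    return None


def accepts(parties):
    return reconstruction_vector(parties) is not None


def share(secret, randomness):
    """Shares are M·(s, r2, r3, r4) over GF(2); each party gets the entries of its own rows."""
    vec = (secret,) + tuple(randomness)
    return [(owner, sum(a * b for a, b in zip(row, vec)) % 2) for owner, row in MSP_ROWS]


def view(shares, parties):
    return tuple(y for owner, y in shares if owner in parties)


def reconstruct(shares, parties):
    """λ·(shares of B) = λ·M_B·(s, r) = e1·(s, r) = s."""
    coeffs = reconstruction_vector(parties)
    if coeffs is None:
        raise ValueError("unauthorized set")
    return sum(c * y for c, y in zip(coeffs, view(shares, parties))) % 2


def views_by_secret(parties):
    """Multiset of views of `parties` for s = 0 and for s = 1, over all 8 randomness vectors."""
    return [sorted(view(share(s, r), parties) for r in product((0, 1), repeat=3)) for s in (0, 1)]


def realizes_access_structure():
    """Exhaustive check: accepted == contains a minimal set (correctness), and the views for
    s = 0 and s = 1 are identically distributed exactly for the unaccepted sets (privacy)."""
    for k in range(len(PARTIES) + 1):
        for B in combinations(PARTIES, k):
            authorized = any(m <= set(B) for m in MINIMAL_SETS)
            v0, v1 = views_by_secret(B)
            if accepts(B) != authorized or (v0 == v1) == authorized:
                return False
    return True


def add_shares(a, b):
    """Additive homomorphism (slide 19): shares of s under randomness r plus shares of s'
    under r' are exactly the shares of s + s' under r + r', with no interaction at all."""
    return [(owner, (x + y) % 2) for (owner, x), (_, y) in zip(a, b)]


if __name__ == "__main__":
    print(realizes_access_structure())                       # True
    shares = share(1, (0, 1, 1))
    print(reconstruct(shares, {"P2", "P4"}))                  # 1
    print(add_shares(shares, share(1, (1, 0, 1))) == share(0, (1, 1, 0)))   # True
```

The privacy check is the content of the span-program theorem on slide 12: when the rows of B do not span the target vector there is a vector orthogonal to all of B's rows but not to e1, and adding it to (s, r) flips the secret without changing B's view. The multiplicative homomorphism of slide 20 is not shown here because it needs an interactive protocol and a Q2 access structure; addition needs neither.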

20 Multiplicative Homomorphism of Linear Secret Sharing […, CramerDamgardMaurer2000]
[figure: from shares (y1, …, y5) of s and (y'1, …, y'5) of s', computed as M · (s, r2, r3, r4) and M · (s', r'2, r'3, r'4) with rows labeled P1, …, P4, an interactive PROTOCOL produces (z1, …, z5), shares for s · s']
Access structure must be Q2.


22 Constructing Nonlinear Schemes
Two constructions:
Composition approach ⇒ no assumptions, access structures in NC.
Direct constructions ⇒ access structures probably not in P.

23 Nonlinear Schemes: Composition Approach [B+Ishai01]
[figure: parties P1, …, Pn hold shares of S1 in a linear scheme over GF(2); parties Pn+1, …, P2n hold shares of S2 in a linear scheme over GF(3); the secret is S = S1 + S2]
[B+Weinreb03]: there exists an access structure that is easy over GF(2) and hard over any other field, and there exists an access structure that is easy over GF(3) and hard over any other field. Composing the two gives a scheme that is efficient but not linear over any single field.

24 Nonlinear Schemes: Direct Constructions [B+Ishai01]
access structure equivalent to...              perfect / statistical   computationally efficient?
quadratic residuosity modulo a (fixed) prime   perfect                 Yes
co-primality                                   statistical             Yes
quadratic residuosity                          statistical             No

25 Quadratic Non-Residuosity Modulo a Fixed Prime
First idea: represent a set of numbers by an access structure. There are n = 2m parties, arranged in m columns of two; only sets that contain exactly one party from each column are considered. A number u ∈ {0,1}^m is represented by the set B_u that picks from column i the party corresponding to bit i of u [figure: B_1101]. For a fixed prime p, the access structure Γ_p is defined by the minimal sets { B_u : u ∈ QNR_p }.

26 Efficient Nonlinear Scheme
Information to be learned by B_u (in this analysis the parties can only sum their shares):
Shares for s = 0: pick r ∈_R QR_p and random z_3, z_2, z_1, z_0 with z_3 + z_2 + z_1 + z_0 = r (mod p); SUM = r mod p.
Shares for s = 1: pick r ∈_R QR_p; the shares are 2^3 r, 2^2 r, 2^1 r, 2^0 r, and the bits of u select which of them B_u sums; SUM = r · u mod p.
Privacy: u ∈ QR_p ⇒ SUM ∈ QR_p whether s = 0 or s = 1, so B_u learns nothing.
Correctness: u ∈ QNR_p ⇒ SUM ∈ QR_p if s = 0 but SUM ∈ QNR_p if s = 1, so B_u recovers s by testing quadratic residuosity of SUM (a nonlinear function of the shares).


28 Computational Secret Sharing
Secret sharing schemes with computational privacy. Computational privacy: every set of polynomial-time players P ∉ Γ cannot learn anything about s.
Thm [Yao89]: If there is a polynomial-size monotone circuit computing membership in Γ, then there is an efficient computational secret sharing scheme realizing Γ.
Uses ideas from [BenalohLeichter90] for constructing information-theoretic secret sharing from monotone formulae.

29 Secret Sharing Schemes from Monotone Formulae [BenalohLeichter90]
We represent an access structure Γ by its characteristic function. Let be two monotone functions. Let and be secret sharing schemes for and We build new secret sharing schemes for: The function

30 The Function
[figure residue: s s s]

31 The Function

32 Secret Sharing from Formulae
Formula: a monotone circuit with fan-out 1. Small monotone formula ⇒ efficient secret sharing: share the secret according to the root gate, then treat the resulting shares as secrets and recursively share them in the two subformulae.
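The recursive construction of slides 29 through 32, as an added Python example that is not the slides' own code: an OR gate hands the same secret to both subformulae, an AND gate splits it additively, and reconstruction mirrors the same walk. Applied to the DNF of the minimal sets (OR over the minimal sets of the AND of their members) it is exactly the general construction of slide 7, which is what the last function builds. The formula encoding, the modulus Q and all names are ours.

```python
import random
from itertools import product

# Constructed formula syntax: a leaf is a party name such as "P1";
# a gate is ("or", f, g) or ("and", f, g).  Secrets live in Z_Q (any abelian group works).
Q = 2**61 - 1
rng = random.SystemRandom()


def share(formula, secret):
    """Benaloh-Leichter sharing. OR gate: both subformulae get the secret itself.
    AND gate: split additively, secret = s1 + s2 (mod Q), share s1 under f and s2 under g.
    Returns {party: [shares in formula order]}."""
    if isinstance(formula, str):
        return {formula: [secret]}
    op, f, g = formula
    if op == "or":
        left, right = share(f, secret), share(g, secret)
    elif op == "and":
        s1 = rng.randrange(Q)
        left, right = share(f, s1), share(g, (secret - s1) % Q)
    else:
        raise ValueError(f"unknown gate {op!r}")
    merged = {p: list(v) for p, v in left.items()}
    for p, v in right.items():
        merged.setdefault(p, []).extend(v)
    return merged


def reconstruct(formula, parties, shares, _pos=None):
    """Mirror of share(): walk the formula in the same order, consuming one share per leaf.
    Returns the secret of the subformula, or None if `parties` do not satisfy it."""
    pos = {} if _pos is None else _pos
    if isinstance(formula, str):
        i = pos.get(formula, 0)
        pos[formula] = i + 1
        return shares[formula][i] if formula in parties else None
    op, f, g = formula
    a = reconstruct(f, parties, shares, pos)
    b = reconstruct(g, parties, shares, pos)
    if op == "or":
        return a if a is not None else b      # both sides carry the same value
    return None if a is None or b is None else (a + b) % Q


def formula_from_minimal_sets(minimal_sets):
    """DNF of the minimal authorized sets: OR over the sets of the AND of their members."""
    def chain(op, terms):
        f = terms[0]
        for t in terms[1:]:
            f = (op, f, t)
        return f
    return chain("or", [chain("and", sorted(m)) for m in minimal_sets])


def share_counts(shares):
    """Share size per party = number of formula leaves labelled by that party."""
    return {p: len(v) for p, v in sorted(shares.items())}


def run(minimal_sets, secret, parties):
    """Share `secret` for the DNF of `minimal_sets` and let `parties` try to reconstruct."""
    gamma = formula_from_minimal_sets(minimal_sets)
    return reconstruct(gamma, set(parties), share(gamma, secret))


if __name__ == "__main__":
    slide7 = [{"P2", "P4"}, {"P1", "P2"}, {"P1", "P3", "P5"}]
    print(share_counts(share(formula_from_minimal_sets(slide7), 42)))   # P1 and P2 hold 2 shares each
    print(run(slide7, 42, {"P1", "P3", "P5"}))   # 42
    print(run(slide7, 42, {"P3", "P4", "P5"}))   # None
```

A party's share size is the number of leaves that carry its name, so the scheme is efficient exactly when the formula is small; this is why the DNF of the minimal sets is the inefficient general construction, and why a gate with several outputs (slide 33) cannot simply be shared once per output without the shares multiplying along every path.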

33 Does it work for Monotone Circuits?
One gate has many outputs and gets a share for each output, so it must share a bigger secret among its subcircuit. Exponential blowup.

34 Yao's Solution
Use encryption to avoid the blow-up: publish the cryptogram and share the key. Computational security.
[figure: two cryptograms E(·, ·)]


36 Conclusions
Linearity is useful. However, linear schemes can realize only access structures in NC. Nonlinear schemes can efficiently realize some "computationally hard" access structures. The exact power of nonlinear schemes remains unknown.

37 Open Problems
Close the gap for secret sharing schemes: improve the Ω(n^2 / log n) lower bound.
Exponential lower bounds for linear schemes: improve the n^{Ω(log n)} lower bound.
Specific access structures: directed s-t-connectivity, perfect matching, weighted threshold [B+Weinreb].
Other nonlinear schemes.

