1
New Frontiers in Secret Sharing
Ashutosh Kumar (UCLA). Based on joint works with Vipul Goyal, Raghu Meka and Amit Sahai.
2
Agenda: Non-Malleable Secret Sharing; Leakage-Resilient Secret Sharing
3
Secret Sharing (SS) [Shamir79,Blakley79]
(Figure: the secret m is split into shares s_1, ..., s_n; Rec takes any t shares and outputs the reconstructed secret m.)
Correctness: any subset with at least t shares can be used to reconstruct the correct secret. Secrecy: any subset with fewer than t shares has no information about the underlying secret.
4
Shamir's 2-out-of-n SS Scheme
(Figure: a random line over x, with shares s_1, s_2, s_3 as its points at x = 1, 2, 3 and the secret m as its y-intercept; t = 2 and n = 3.)
Secret = y-intercept of the line. Shares = points on the line. Correctness: any two points completely determine the line. Secrecy: one point has no information about other points on the random line.
5
What if a party is corrupted?
(Figure: left, 3 parties, where the tampering adversary replaces the share s_2 by 1 + s_2; right, 4 parties, where s_3 is replaced by 1 + s_3.)
With 3 parties we can detect an error. With 4 parties we can correct an error.
6
What if everyone is corrupted?
(Figure: t = 2 and n = 4; all four shares s_1, ..., s_4 are replaced.)
The adversary may overwrite with valid shares of some secret. We cannot even hope to detect errors.
7
Our Question
(Figure: two tampering experiments on shares s_1, ..., s_n, each reconstructed from any t shares. Left: the adversary overwrites with valid shares and destroys the entire secret. Right: the adversary does not tamper and preserves the entire secret.)
Can we ensure that any tampering essentially destroys the secret?
In particular, suppose the adversary can tamper with all the n shares. If the adversary simply overwrites all the shares with 0, the original secret is destroyed. The adversary may instead overwrite the existing shares with authentic shares of 0, in which case the reconstruction function only sees valid shares of 0 and there is no hope of detecting the tampering. However, notice that in both cases the output of the reconstruction function is completely unrelated to the original secret, as if the original secret had been destroyed. Therefore, a natural question to ask is whether we can construct schemes that ensure that any tampering essentially destroys the secret.
8
When is the secret really "destroyed"?
(Figure: two different secrets m_1 and m_2 are each shared as s_1, ..., s_n, some t shares are tampered, and Rec outputs the tampered secret m̃; the two resulting distributions are statistically close.)
Different secrets, statistically close distributions of the tampered secret.
9
Non-Malleable Secret Sharing (NMSS)
(Figure: the secret m is shared as s_1, ..., s_n; some t shares are tampered and Rec outputs the tampered secret m̃.)
Either the distribution of the tampered secret is independent of the secret, or the secret remains unchanged. Non-Malleable Cryptography: Dolev, Dwork and Naor 91.
Therefore, to encompass such situations, we allow our guessing algorithm to output a special symbol same*, which signals to our simulator that the adversary left the secret intact. In that case our simulator outputs the original secret; otherwise it outputs the guessed tampered secret. Formally, we say that a t-out-of-n secret sharing scheme is non-malleable w.r.t. a tampering family if, for all authorized subsets of parties and for all tampering functions in the given family, there exists a guessing algorithm such that, for all values of the secret, the tampered secret output in the real experiment is statistically close to the output of the simulator. Informally, this corresponds to the natural notion that any tampering either leaves the original secret intact or results in a completely unrelated secret, effectively destroying the original secret.
10
Individual Tampering Family
(Figure: each share s_i is tampered by its own function f_i into s̃_i; Rec takes any t tampered shares and outputs m̃. The functions are computationally unbounded.)
Each share is tampered arbitrarily and independently.
Let's look at some natural tampering families. A split-state tampering family contains all possible tuples of n functions which tamper with the n shares arbitrarily and independently. These functions may be computationally unbounded; we only require that the n shares are tampered independently. Having described the notion and the split-state tampering family, it is a natural time to highlight the connection and differences to non-malleable codes.
11
Is Shamir's scheme non-malleable?
(Figure, left: t = 2 and n = 4; every share s_i is replaced by 1 + s_i, the tampered points lie on the line p(x) + 1, and the reconstructed secret is m̃ = 1 + m, related to m. Right: t = 3 and n = 4; every share is replaced by 2 s_i and the reconstructed secret is m̃ = 2m, again related to m.)
12
All linear SS schemes are malleable.
Most SS schemes are linear [Beimel]. [Equation garbled in the source: it shows 2 × Share(·) = Share(2 × ·), i.e. scaling every share of a linear scheme by 2 yields valid shares of twice the secret.]
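An added example, not from the slides, that makes the malleability of Shamir's scheme concrete: Shamir t-out-of-n sharing over a prime field, tampered share-by-share by adding 1 (reconstructs 1 + m) and by doubling (reconstructs 2m), exactly the two tamperings drawn on the previous slide. The prime, the function names and the secrets are my choices.

```python
# Added example (not from the slides): Shamir t-out-of-n sharing over a prime
# field, plus the two individual tamperings shown on the slide. The prime and
# all secrets are constructed values.
import secrets

P = 2**61 - 1  # constructed: a Mersenne prime, i.e. a large-characteristic field


def share(m, t, n):
    """Shamir: random polynomial of degree t-1 with p(0) = m; share i is (i, p(i))."""
    coeffs = [m % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any t shares with distinct x."""
    m = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        m = (m + yi * num * pow(den, P - 2, P)) % P
    return m


def tamper(shares, f):
    """Individual tampering: f is applied to each share value on its own."""
    return [(x, f(y) % P) for x, y in shares]


def shamir_malleability_demo(m, t, n):
    """Return (m from honest shares, m~ after +1 tampering, m~ after x2 tampering)."""
    sh = share(m, t, n)
    plus_one = tamper(sh, lambda y: y + 1)  # p(x) + 1 is a valid sharing of m + 1
    doubled = tamper(sh, lambda y: 2 * y)   # 2 p(x) is a valid sharing of 2m
    # The tampered shares are still consistent: any t of them agree, so nothing
    # in Rec can notice the tampering.
    assert reconstruct(plus_one[:t]) == reconstruct(plus_one[-t:])
    assert reconstruct(doubled[:t]) == reconstruct(doubled[-t:])
    return (reconstruct(sh[:t]), reconstruct(plus_one[:t]), reconstruct(doubled[:t]))
```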
13
Non-Malleable Codes [Dziembowski, Pietrzak, Wichs 10]
(Figure: message m → 2-NMEnc → states (L, R) → tampering → tampered states (L̃, R̃) → 2-NMDec → tampered message m̃.)
A 2-split-state non-malleable code is a 2-out-of-2 NMSS.
Constructions: [LL12] rely on cryptographic assumptions. [DKO13, RS18] construct for single-bit messages. [ADL14] use additive combinatorics for multi-bit messages. [CGL16, Li17, Li18] rely on constructions of non-malleable extractors.
14
2-out-of-2 NMSS [Aggarwal, Dodis, Lovett 14]
(Figure: the message m is encoded as vectors L, R with ⟨L, R⟩ = m; tampering gives L̃ = f(L), R̃ = g(R), and the tampered message is m̃ = ⟨L̃, R̃⟩.)
Overwrite with vectors having inner product b, then m̃ = b. Scale one of the vectors by a, then m̃ = a · m.
Theorem [ADL14]: Over large characteristic fields, for all f and g, ⟨f(L), g(R)⟩ is statistically close to a · ⟨L, R⟩ + b.
15
2-out-of-2 NMSS
(Figure: the inner-product scheme, labelled "affine-tamperable": f and g act on L and R, and ⟨L̃, R̃⟩ is an affine function a · ⟨L, R⟩ + b of the original message.)
Theorem [ADL14]: Over large characteristic fields, for all f and g, ⟨f(L), g(R)⟩ is statistically close to a · ⟨L, R⟩ + b.
Theorem [ADL14]: There is an efficient h that detects affine tampering.
(Figure: the non-malleable scheme composes h with the inner product: the message is encoded through h and decoded through h^{-1}.)
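An added example (not the authors' code) of the inner-product scheme behind [ADL14], with the two affine tamperings named on slide 14: scaling one vector by a, and overwriting with vectors of inner product b. The prime field, the vector dimension and the function names are assumptions.

```python
# Added example (not from the slides): the inner-product 2-out-of-2 scheme that
# underlies [ADL14]. The message is <L, R> over a prime field, with L and R
# uniform subject to that constraint. Field and dimension are constructed.
import secrets

P = 2**61 - 1   # constructed prime; "large characteristic" as in the theorem
DIM = 8         # constructed vector length


def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def ip_share(m):
    """Sample (L, R) uniformly among pairs with <L, R> = m (L nonzero)."""
    while True:
        L = [secrets.randbelow(P) for _ in range(DIM)]
        if any(L):
            break
    R = [secrets.randbelow(P) for _ in range(DIM)]
    # All coordinates of R but one are uniform; that one is solved for so
    # that <L, R> = m, which keeps R uniform on the affine hyperplane.
    k = next(i for i, x in enumerate(L) if x)
    rest = (inner(L, R) - L[k] * R[k]) % P
    R[k] = (m - rest) * pow(L[k], P - 2, P) % P
    return L, R


def scale_right(L, R, a):
    """Split-state tampering with f = identity on L and g(R) = a * R."""
    return L, [a * x % P for x in R]


def overwrite(L, R, b):
    """Split-state tampering that ignores both states and fixes <L~, R~> = b."""
    return [1] + [0] * (DIM - 1), [b % P] + [0] * (DIM - 1)


def affine_tampering_demo(m, a, b):
    """Return (<L,R>, <L, a*R>, <L~,R~> after overwrite) = (m, a*m mod P, b)."""
    L, R = ip_share(m)
    return (inner(L, R),
            inner(*scale_right(L, R, a)),   # a * m: related to m
            inner(*overwrite(L, R, b)))     # b: unrelated to m
```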
16
Applications of 2-out-of-2 NMSS
Tamper resilient cryptography [DPW10]. Used for non-malleable commitments [GPR16]. Connections found to two-source extractors [CZ16]. Used to construct privacy amplification protocols [CKOS18].
(Figure: m → 3-NMEnc → three states → tampering → 3-NMDec → m̃.) A 3-split-state non-malleable code need not be a 3-out-of-3 SS.
17
Our First Result [Goyal and K. 18]
(Figure: as for the individual tampering family, with computationally unbounded tampering functions, but Rec reconstructs from any authorized set.)
Theorem 1. Compiler that converts any SS scheme into a non-malleable one. First t-out-of-n NMSS. Even works for computational SS.
18
First Attempt
(Figure: m is encoded by the 2-split-state code into (l, r); l is shared as l_1, l_2, l_3 and r as r_1, r_2, r_3; tampering functions f_1, f_2, f_3 produce the tampered shares, which decode to m̃.)
Problem: l and r must be independently tampered.
19
The power of different schemes.
(Figure: l_1, l_2, l_3 and r_1, r_2 over x = 1, 2, 3 on polynomials of different degrees; the tampered value is marked as unrelated to the original.)
Takeaway: Polynomials of different degrees have some non-malleability.
20
Second Attempt
Idea: Use different schemes for sharing l and r.
21
Second Attempt Continued
(Figure annotations: r is fixed given only two shares of r. The tampering of l can depend on two shares of r. Two shares hide l. r̃ does not depend on l.)
Problem: Tampering of l can still depend on r.
22
Leakage Resilient SS [Goyal and K. 18]
(Figure: m shared as s_1, ..., s_n; a leakage function f_i is applied to each s_i and leaks a bounded amount of information about it.)
SS is leakage resilient if the joint distribution of the bounded leakages is statistically independent of the secret.
23
Our Construction
24
Our Construction Continued
Idea: Think of the tampered shares of l as leakage from shares of r.
(Figure annotations, with the variables partly lost in the source: one tampered value is independent of the three shares of the other; the tampered l is computed using (r_1, r_2, r_3); each tampered value is independent of the other original value.)
25
Are we done?
We have: r̃ is independent of l, and l̃ is independent of r. We need: r̃ only depends on r, and l̃ only depends on l.
(Figure: the 2-split-state code, 2-NMEnc / 2-NMDec, is secure only if L and R are tampered independently; the annotations contrast a tampered value that may depend on the secret m with one that cannot.)
26
The Last Subtlety
(Figure annotations: full information of one of the two values is available; the tampered l may depend on r, while the tampered r is independent of l.)
The same construction works with a little bit of technical work.
27
Joint Tampering Family
(Figure: the adversary picks the subset T = [t]; shares s_1, ..., s_{t-1} are tampered jointly by F and share s_t by G; Rec outputs m̃. F and G are computationally unbounded.)
The adversary chooses any authorized subset T of size t, partitions T into unequal non-empty A and B, jointly tampers the shares in A using F, and jointly tampers the shares in B using G.
28
Our Main Result [Goyal and K. 18]
(Figure: the joint tampering family of the previous slide, with computationally unbounded F and G.)
Theorem 2. For any t ≥ 2 and any n ≥ t, there is an efficient t-out-of-n NMSS.
29
Leakage-Resilient 2-out-of-2 NMSS [Goyal and K. 18]
(Figure: m → NMEnc → (L, R); a Leak function is applied to one state; tampering; NMDec → m̃.)
Theorem 3. For any polynomial p, there is an efficient 2-out-of-2 LR NMSS where the adversary leaks p(·) bits of information about one of the two states. Based on Chattopadhyay, Goyal and Li 16 and Raz 05.
30
Agenda: Non-Malleable Secret Sharing; Leakage-Resilient Secret Sharing
31
Leakage Resilient Storage [Davi, Dziembowski, Venturi 10]
(Figure: m is stored as two states L and R; leakage functions f_1 and f_2 output α and β, each leaking a bounded amount of information about one state.)
SS is leakage resilient if the joint distribution of the bounded leakages is statistically independent of the secret.
Theorem [DDV10]: Construction based on inner product (used as a 2-source extractor [Vazirani 85, Chor-Goldreich 88]).
32
2-out-of-n LRSS [Goyal and K. 18]
(Figure: m shared as s_1, ..., s_n; leakage functions f_1, ..., f_n, each applied to one share.)
Restrictions: only 2-out-of-n; only individual leakage; non-adaptive.
SS is leakage resilient if the joint distribution of the bounded leakages is statistically independent of the secret.
Theorem: Construction based on 2-out-of-2 LRSS.
33
t-out-of-n LRSS (t = n − o(log n)) [BDIR 18]
(Figure: as on the previous slide.)
Restrictions: only t = n − o(log n); only individual leakage; non-adaptive.
Theorem [BDIR18]: Shamir's t-out-of-n SS is LRSS for t = n − o(log n) over fields of large characteristic.
34
Leakage Resilient SS [K., Meka and Sahai 18]
(Figure: the secret is shared as s_1, s_2, s_3, ..., s_n; leakage functions Leak_1, Leak_2, ... output α, β, ..., which together form the transcript.)
Only two restrictions: jointly leaks from at most p parties; at most μ bits of total leakage.
SS is (p, μ)-leakage resilient if any such leakage transcript of at most μ bits is statistically independent of the secret.
35
Our New Result [K., Meka and Sahai 18]
Theorem 4. For any leakage bound μ, a compiler that converts any SS scheme on n parties into a (p, μ)-leakage-resilient one, where p = O(log n). First 3-out-of-3 LRSS for joint leakage. Even p = 1 was open for almost everything.
Corollary. For any leakage bound μ, any n ≥ 2, any p = O(log n) and any t > p, an efficient t-out-of-n SS that is (p, μ)-leakage-resilient.
36
Number On The Forehead (NOF) [Chandra, Furst and Lipton 83]
37
NOF Comm. Complexity [Babai, Nisan and Szegedy 92]
(Figure: each party's input sits on its forehead; the messages f_1, f_2, ... produce the transcript α, β, ...; at most μ bits of communication; the output.)
f has NOF communication complexity at least μ if any such communication transcript of at most μ bits is statistically uncorrelated with the output.
38
Our Connection
Shares of a 3-out-of-3 scheme ↔ Number on the forehead of each party. Joint leakage ↔ NOF communication. Upper bounds on total leakage ↔ Lower bounds on NOF CC.
Idea: a lower bound on n-party NOF CC gives us n-out-of-n LRSS against joint leakage from n − 1 shares.
39
Challenges Ahead
Upper bounds on total leakage ↔ Lower bounds on NOF CC. Idea: a lower bound on n-party NOF CC gives us n-out-of-n LRSS against joint leakage from p = n − 1 shares.
Inefficient: the lower bound drops exponentially with n, so the share size is exponential in n. What if we bound p?
40
Bounding p helps
Upper bounds on total leakage ↔ Lower bounds on NOF CC. Our idea: n-out-of-n LRSS against joint leakage from p shares. The BNS92 lower bound drops exponentially with p, so the share size is exponential in p; this gives an efficient n-out-of-n scheme for p = O(log n). t-out-of-n LRSS?
41
Summary Define and construct non-malleable SS.
Define and construct leakage-resilient SS. Can merge the two to get LR NMSS.
As we share r using a 2-out-of-n scheme, if we allow the adversary to jointly tamper two shares, it can simply reconstruct r and use it to tamper the shares of l. On the other hand, if we share r using a 3-out-of-n scheme, we can no longer employ our first idea of using polynomials of different degrees. We continue to use the idea of different-degree polynomials and allow the tampering of l to depend on r. We view the tampered shares of l as leakage from r and derive leakage resilience from the underlying non-malleable code. As such leakage-resilient non-malleable codes were not known, we construct them.
42
Open Problems Number-on-forehead tampering NMSS.
Communication lower bounds for p of order log n and beyond. Extractors for cylinder sources. Improve the rate of our schemes (particularly NMSS).
We mention some interesting open problems. While we obtained results for t-out-of-n schemes, a natural research direction is to construct non-malleable schemes for general access structures. In an upcoming Crypto paper we have generalized our results to general access structures for split-state tampering; however, the case of joint tampering remains open. Another direction is to handle more sophisticated tampering families: as an example, can we construct non-malleable codes that allow for multiple tamperings of the secret? In this work we did not focus on improving the rate of our schemes, and it is a great problem to construct non-malleable secret sharing schemes that are as efficient as the malleable ones.
43
Thank You! Questions?
44
Towards Joint Tampering
(Figure: l shared as l_1, l_2, l_3 and r as r_1, r_2 over x = 1, 2, 3; two shares are tampered jointly by G; the tampered values are marked as unrelated to the originals.)
Idea: Polynomials of different degrees still work.
45
What happens with a different partition?
(Figure: the partition now puts two shares under G and one under F; one tampered value is unrelated to the original, the other is related to it.)
Problem: The first two shares of l may depend on all three shares of r.
46
The power of consistency checks.
(Figure: shares l_1, l_2, l_3 tampered by G and F; the tampered value is unrelated to the original.)
Idea: Enforcing co-linearity buys us arbitrary partitioning.