
1 New Frontiers in Secret Sharing
Ashutosh Kumar (UCLA). Based on joint works with Vipul Goyal, Raghu Meka and Amit Sahai.

2 Agenda
Non-Malleable Secret Sharing
Leakage-Resilient Secret Sharing

3 Secret Sharing (SS) [Shamir79, Blakley79]
[Diagram: secret m → Share → shares sh_1, ..., sh_n; any t shares → Rec → reconstructed secret m]
Correctness: any subset with at least t shares can be used to reconstruct the correct secret.
Secrecy: any subset with fewer than t shares has no information about the underlying secret.

4 Shamir's 2-out-of-n SS Scheme
[Diagram: a random line over the field with the secret m at x = 0 and the shares sh_1, sh_2, sh_3 at x = 1, 2, 3; t = 2 and n = 3]
Secret = y-intercept of the line. Shares = points on the line.
Correctness: any two points completely determine the line.
Secrecy: one point has no information about the other points on the random line.

5 What if a party is corrupted?
[Diagram: a tampering adversary replaces sh_2 by 1 + sh_2 (3 parties) or sh_3 by 1 + sh_3 (4 parties); the corrupted point no longer lies on the line through the others]
With 3 parties (one share beyond t = 2) we can detect an error. With 4 parties (two shares beyond t) we can correct an error.

6 What if everyone is corrupted?
[Diagram: t = 2 and n = 4; all four shares sh_1, ..., sh_4 are replaced by points on a different line]
The adversary may overwrite the shares with valid shares of some other secret. We cannot even hope to detect errors.

7 Our Question
[Diagram: secret m → Share → sh_1, ..., sh_n → Tampering → tampered shares sh̃_1, ..., sh̃_n → Rec on any t shares → tampered secret m̃]
Adversary overwrites with valid shares: destroys the entire secret. Adversary does not tamper: preserves the entire secret. Can we ensure that any tampering essentially destroys the secret?
In particular, suppose the adversary can tamper with all n shares. If the adversary simply overwrites every share with 0, the original secret is destroyed. The adversary may instead overwrite the existing shares with authentic shares of 0, in which case the reconstruction function only sees valid shares of 0 and there is no hope of detecting the tampering. Notice, however, that in both cases the output of the reconstruction function is completely unrelated to the original secret, as if the original secret had been destroyed. A natural question, therefore, is whether we can construct schemes that ensure that any tampering essentially destroys the secret.

8 When is the secret really "destroyed"?
[Diagram: two runs of the tampering experiment, one with secret m_1 and one with a different secret m_2; in each, the shares are tampered and some t tampered shares are reconstructed. The two tampered secrets have statistically close distributions even though m_1 and m_2 are different.]

9 Non-Malleable Secret Sharing (NMSS)
[Diagram: secret m → Share → sh_1, ..., sh_n → Tampering → sh̃_1, ..., sh̃_n → Rec on some t shares → tampered secret m̃]
Either the distribution of the tampered secret is independent of the secret, or the secret remains unchanged.
Non-Malleable Cryptography: Dolev, Dwork and Naor 91.
Therefore, to encompass such situations, we allow our guessing algorithm to output a special symbol same*, which signals to our simulator that the adversary left the secret intact. In that case the simulator outputs the original secret; otherwise it outputs the guessed tampered secret. Formally, we say that a t-out-of-n secret sharing scheme is non-malleable with respect to a tampering family if, for every authorized subset of parties and every tampering function in the family, there exists a guessing algorithm such that, for every value of the secret, the tampered secret output in the real experiment is statistically close to the output of the simulator. Informally, this corresponds to the natural notion that any tampering either leaves the original secret intact or results in a completely unrelated secret, effectively destroying the original one.

10 Individual Tampering Family
[Diagram: each share sh_i is tampered by its own function f_i into sh̃_i; any t tampered shares → Rec → m̃]
Computationally unbounded. Each share is tampered arbitrarily and independently.
Let us look at some natural tampering families. The individual (split-state) tampering family contains all tuples of n functions that tamper with the n shares arbitrarily and independently. These functions may be computationally unbounded; we only require that the n shares are tampered independently. Having described the notion and this tampering family, it is a natural time to highlight the connection and differences to non-malleable codes.

11 Is Shamir's scheme non-malleable?
[Diagram, t = 2 and n = 4: each share sh_i is replaced by 2·sh_i, so the tampered line has y-intercept m̃ = 2m, related to m.]
[Diagram, t = 3 and n = 4: each share sh_i of the parabola p(x) is replaced by 1 + sh_i, so the tampered secret is 1 + m, related to m.]

12 All linear SS schemes are malleable.
Most SS schemes are linear [Beimel]:
$\mathrm{Secret} \leftarrow \sum_{i \in T} \alpha_i \cdot sh_i$
$2 \cdot \mathrm{Secret} \leftarrow \sum_{i \in T} \alpha_i \cdot (2 \cdot sh_i)$
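The following is an added example, not code from the talk or from the papers it cites. It implements Shamir's t-out-of-n scheme over a prime field (the prime 2^61 − 1 and all function names are this example's own choices) and runs the tamperings from slides 5, 6, 11 and 12: one corrupted share is caught by a consistency check when n > t, shares overwritten with valid shares of another secret pass every check, and the linear tamperings 2·sh_i and 1 + sh_i reconstruct to the related secrets 2m and 1 + m.

```python
"""Shamir t-out-of-n secret sharing over a prime field, with the individual
tamperings from the slides: a single corrupted share (detectable when n > t),
all shares overwritten with valid shares of an unrelated secret (undetectable),
and the linear tampering that maps the secret to a related one.
Example code; not from the talk."""
import secrets

# Prime field F_P; an assumption of this example (any prime larger than n works).
P = 2**61 - 1


def _lagrange_at(points, x):
    """Evaluate the unique polynomial of degree < len(points) through
    `points` (distinct x-coordinates) at `x`, mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def share(secret, t, n):
    """Shares (i, p(i)) for i = 1..n of a random polynomial p of degree t-1
    with p(0) = secret.  Any t shares determine p; fewer reveal nothing."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]

    def p(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule
            acc = (acc * x + c) % P
        return acc

    return [(i, p(i)) for i in range(1, n + 1)]


def reconstruct(shares):
    """Rec: interpolate through the given (at least t) shares and read off p(0)."""
    return _lagrange_at(shares, 0)


def is_consistent(shares, t):
    """With n > t shares, the first t fix the polynomial and every extra share
    must lie on it.  A single modified share always fails this check; shares
    that were all replaced by valid shares of another secret pass it."""
    base = shares[:t]
    return all(_lagrange_at(base, x) == y for x, y in shares[t:])


def tamper_individually(shares, fns):
    """Individual tampering: party i's share goes through its own function
    fns[i], which sees only that share."""
    return [(x, fns[i](y) % P) for i, (x, y) in enumerate(shares)]


def affine_tamper(shares, a, b):
    """f_i(y) = a*y + b for every i.  Rec is linear in the shares (Secret =
    sum of alpha_i * sh_i with the alpha_i summing to 1), so the result
    reconstructs to a*m + b: the 2*sh_i and 1+sh_i cases from the slides."""
    return tamper_individually(shares, [lambda y: (a * y + b) % P] * len(shares))


def corrupt_one_share(shares, index, delta):
    """A single corrupted party adds `delta` to its share."""
    fns = [lambda y: y] * len(shares)
    fns[index] = lambda y: y + delta
    return tamper_individually(shares, fns)


def overwrite_with_valid_shares(shares, t, new_secret):
    """Every party is corrupted: all shares become fresh valid shares of
    `new_secret`.  Rec returns new_secret and no consistency check can notice."""
    return share(new_secret, t, len(shares))


if __name__ == "__main__":
    m, t, n = 4242, 2, 4
    sh = share(m, t, n)
    print("reconstructs m:", reconstruct(sh[:t]) == m)
    print("2*sh_i gives 2m:", reconstruct(affine_tamper(sh, 2, 0)[:t]) == 2 * m)
    print("one corruption detected:", not is_consistent(corrupt_one_share(sh, 1, 1), t))
    print("all overwritten, undetected:", is_consistent(overwrite_with_valid_shares(sh, t, 0), t))
```

The consistency check is exactly the error detection of slide 5: two distinct polynomials of degree at most t − 1 agree on at most t − 1 points, so a single altered share cannot stay on the polynomial fixed by the others. It says nothing about slide 6, where the shares are consistent with a polynomial chosen by the adversary.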

13 Non-Malleable Codes [Dziembowski, Pietrzak, Wichs 10]
[Diagram: message m → 2-NMEnc → states (l, r) → tampered by (f, g) into (l̃, r̃) → 2-NMDec → tampered message m̃]
A 2-split-state non-malleable code is a 2-out-of-2 NMSS.
Constructions: [LL12] rely on cryptographic assumptions. [DKO13, RS18] construct codes for single-bit messages. [ADL14] use additive combinatorics for multi-bit messages. [CGL16, Li17, Li18] rely on constructions of non-malleable extractors.

14 2-out-of-2 NMSS [Aggarwal, Dodis, Lovett 14]
[Diagram: message m → IP^{-1} → vectors (l, r) → tampered by (f, g) into (l̃, r̃) → IP → tampered message m̃]
Overwrite with vectors having inner product c, then m̃ = c. Scale one of the vectors by a, then m̃ = a · m.
Theorem [ADL14]: Over fields of large characteristic, for all f and g, $IP(f(l), g(r))$ is statistically close to $a \cdot IP(l, r) + b$ for a pair (a, b) whose distribution does not depend on the message.

15 2-out-of-2 NMSS
"Affine-tamperable": [Diagram: m → IP^{-1} → (l, r) → (f, g) → IP → m̃]
Theorem [ADL14]: Over fields of large characteristic, for all f and g, $IP(f(l), g(r))$ is statistically close to $a \cdot IP(l, r) + b$ for a pair (a, b) whose distribution does not depend on the message.
Theorem [ADL14]: There is an efficient h that detects affine tampering.
Non-malleable: [Diagram: m → IP^{-1} ∘ h^{-1} → (l, r) → (f, g) → h ∘ IP → m̃]

16 Applications of 2-out-of-2 NMSS
Tamper-resilient cryptography [DPW10]. Used for non-malleable commitments [GPR16]. Connections found to two-source extractors [CZ16]. Used to construct privacy amplification protocols [CKOS18].
[Diagram: message m → 3-NMEnc → states (l, r, s) → tampered by (f, g, h) → 3-NMDec → m̃]
A 3-split-state non-malleable code need not be a 3-out-of-3 SS.

17 Our First Result [Goyal and K. 18]
[Diagram: individual tampering f_1, ..., f_n of sh_1, ..., sh_n; any authorized set → Rec → m̃; computationally unbounded]
Theorem 1. Compiler that converts any SS scheme into a non-malleable one.
First t-out-of-n NMSS. Even works for computational SS.

18 First Attempt
[Diagram: l is shared into l_1, l_2, l_3, ... and r into r_1, r_2, r_3, ...; party i applies f_i jointly to (l_i, r_i), producing tampered l̃_i and r̃_i, which reconstruct to l̃ and r̃]
Problem: l and r must be independently tampered.

19 The power of different schemes.
[Diagram: l is shared as l_1, l_2, l_3 by a degree-2 polynomial; r by a line. The tampering functions g_1, g_2 produce r̃_1, r̃_2, which already determine r̃; r̃ is unrelated to l.]
Takeaway: polynomials of different degrees have some non-malleability.

20 Second Attempt
Idea: use different schemes for sharing l and r.

21 Second Attempt Continued
[Diagram: l shared as l_1, l_2, l_3, ... with a 3-out-of-n scheme and r as r_1, r_2, r_3, ... with a 2-out-of-n scheme; party i applies f_i to (l_i, r_i)]
r̃ is fixed given only two shares of r̃, which can depend on two shares of l. Two shares hide l, so r̃ does not depend on l.
Problem: the tampering of l can still depend on r.

22 Leakage Resilient SS [Goyal and K. 18]
[Diagram: r is shared as r_1, r_2, ..., r_n; leakage function g_i is applied to r_i and outputs l̃_i]
A bounded amount of information about each r_i is leaked by g_i.
SS is leakage-resilient if the joint distribution of the bounded leakages is statistically independent of the secret.

23 Our Construction

24 Our Construction Continued
Idea: think of the tampered shares of l as leakage from the shares of r.
r̃ is independent of (l_1, l_2, l_3). l̃ is computed using (l̃_1, l̃_2, l̃_3). l̃ is independent of r. r̃ is independent of l.
[Diagram: l shared as l_1, l_2, l_3, ... and r as r_1, r_2, r_3, ...; party i applies f_i; the tampered shares reconstruct to l̃ and r̃]

25 Are we done?
We have: l̃ is independent of r; r̃ is independent of l; l̃ may depend on the secret m.
We need: l̃ depends only on l; r̃ depends only on r; l̃ cannot depend on m. m̃ is independent of r.
[Diagram: m → 2-NMEnc → (l, r) → (f, g) → 2-NMDec → m̃]
Secure only if l and r are tampered independently.

26 The Last Subtlety
[Diagram: the shares l_1, l_2, l_3 of l carry full information about m; after tampering by f_1, f_2, f_3, ..., l̃ may depend on m, while l̃ is independent of r]
The same construction works with a little bit of technical work.

27 Joint Tampering Family
[Diagram: shares sh_1, ..., sh_{t-1} tampered jointly by F; share sh_t tampered by G; subset T = [t]; shares sh_{t+1}, ..., sh_n untouched; Rec → m̃; computationally unbounded]
The adversary chooses any authorized subset T of size t, partitions T into unequal non-empty sets A and B, jointly tampers the shares in A using F, and jointly tampers the shares in B using G.

28 Our Main Result [Goyal and K. 18]
[Diagram: as on the previous slide; the tampering functions F and G are computationally unbounded]
Theorem 2. For any t ≥ 2 and any n ≥ t, there is an efficient t-out-of-n NMSS (against the joint tampering family above).

29 Leakage-Resilient 2-out-of-2 NMSS [Goyal and K. 18]
[Diagram: m → NMEnc → (l, r); f tampers l and additionally receives a leakage leak from r; g tampers r; NMDec → m̃]
Theorem 3. For any polynomial p, there is an efficient 2-out-of-2 LR NMSS where the adversary leaks p(|l|) bits of information about r. Based on Chattopadhyay, Goyal and Li 16 and Raz 05.

30 Agenda
Non-Malleable Secret Sharing
Leakage-Resilient Secret Sharing

31 Leakage Resilient Storage [Davi, Dziembowski, Venturi 10]
[Diagram: m is encoded as (l, r); leakage functions g_1 and g_2 are applied to l and r, producing a transcript α, β]
A bounded amount of information about each of l and r is leaked by g_1 and g_2.
The encoding is leakage-resilient if the joint distribution of the bounded leakages is statistically independent of the secret.
Theorem [DDV10]: construction based on the inner product (used as a 2-source extractor [Vazirani 85, Chor-Goldreich 88]).

32 2-out-of-n LRSS [Goyal and K. 18]
[Diagram: shares r_1, r_2, ..., r_n; leakage function g_i applied to r_i outputs l_i]
Only 2-out-of-n. Only individual leakage. Non-adaptive.
SS is leakage-resilient if the joint distribution of the bounded leakages is statistically independent of the secret.
Theorem: construction based on 2-out-of-2 LRSS.

33 t-out-of-n LRSS (t = n − o(log n)) [BDIR 18]
[Diagram: shares r_1, r_2, ..., r_n; leakage function g_i applied to r_i outputs l_i]
Only t = n − o(log n). Only individual leakage. Non-adaptive.
Theorem [BDIR18]: Shamir's t-out-of-n SS is LRSS for t = n − o(log n) over fields of large characteristic.

34 Leakage Resilient SS [K., Meka and Sahai 18]
[Diagram: secret shared as sh_1, sh_2, sh_3, ..., sh_n; leakage queries leak_1, leak_2, ... each touch several shares and produce a transcript α, β, ...]
Only two restrictions: each query jointly leaks from at most p parties, and there are at most b bits of total leakage.
SS is (p, b)-leakage-resilient if any such leakage transcript of at most b bits is statistically independent of the secret.

35 Our New Result [K., Meka and Sahai 18]
Theorem 4. For any leakage bound b, there is a compiler that converts any SS scheme on n parties into a (p, b)-leakage-resilient one, where p = O(log n).
First 3-out-of-3 LRSS for joint leakage. Even p = 1 was open for almost everything.
Corollary. For any leakage bound b, any n ≥ 2, any p = O(log n) and any t > p, there is an efficient t-out-of-n SS that is (p, b)-leakage-resilient.

36 Number On The Forehead (NOF) [Chandra, Furst and Lipton 83]

37 NOF Comm. Complexity [Babai, Nisan and Szegedy 92]
[Diagram: inputs sh_1, sh_2, sh_3 on the parties' foreheads; messages g_1, g_2, ... form a transcript α, β, ... of at most b bits; output]
f has NOF communication complexity at least b if any such communication transcript of at most b bits is statistically uncorrelated with the output.

38 Our Connection
[Diagram: shares of a 3-out-of-3 scheme correspond to the number on the forehead of each party; joint leakage corresponds to NOF communication]
Upper bounds on total leakage correspond to lower bounds on NOF CC.
Idea: a lower bound on n-party NOF CC gives us n-out-of-n LRSS against joint leakage from n − 1 shares.

39 Challenges Ahead
Upper bounds on total leakage correspond to lower bounds on NOF CC. Idea: a lower bound on n-party NOF CC gives us n-out-of-n LRSS against joint leakage from p = n − 1 shares.
Inefficient: the lower bound drops exponentially with n, so the share size is exponential in n. What if we bound p?

40 Bounding p helps
Upper bounds on total leakage correspond to lower bounds on NOF CC. Our idea: n-out-of-n LRSS against joint leakage from p shares.
The BNS92 lower bound drops exponentially with p, so the share size is exponential in p: efficient n-out-of-n for p = O(log n). t-out-of-n LRSS?

41 Summary
Define and construct non-malleable SS.
Define and construct leakage-resilient SS.
Can merge the two to get LR NMSS.

42 Open Problems
Number-on-forehead tampering NMSS.
Communication lower bounds for p = ω(log n).
Extractors for cylinder sources.
Improve the rate of our schemes (particularly NMSS).
We mention some interesting open problems. While we obtained results for t-out-of-n schemes, a natural research direction is to construct non-malleable schemes for general access structures. In an upcoming CRYPTO paper we have generalized our results to general access structures for split-state tampering; the case of joint tampering remains open. Another direction is to handle more sophisticated tampering families: for example, can we construct non-malleable codes that allow multiple tamperings of the secret? In this work we did not focus on improving the rate of our schemes, and it is a great problem to construct non-malleable secret sharing schemes that are as efficient as the malleable ones.

43 Thank You! Questions?

44 Towards Joint Tampering
[Diagram: l shared as l_1, l_2, l_3 by a degree-2 polynomial and r by a line; on the left, g_1 and g_2 tamper r_1 and r_2 individually, on the right G tampers them jointly; in both cases r̃ is unrelated to l]
Idea: polynomials of different degrees still work.
As we share r using a 2-out-of-n scheme, if we allow the adversary to jointly tamper two shares, it can simply reconstruct r and use it to tamper the shares of l. On the other hand, if we share r using a 3-out-of-n scheme, we can no longer employ our first idea of using polynomials of different degrees. We therefore keep the different-degree idea and allow the tampering of l to depend on r. We view the tampered shares of l as leakage from r and derive leakage resilience from the underlying non-malleable code. As such leakage-resilient non-malleable codes were not known, we construct them.

45 What happens with a different partition?
[Diagram: l shared as l_1, l_2, l_3 and r as a line; on the left, G jointly tampers (l_1, l_2) and r̃ is unrelated to l; on the right, F jointly tampers (l_1, l_3) together with the shares of r and r̃ is related to l]
Problem: the first two shares of r̃ may depend on all three shares of l.

46 The power of consistency checks.
[Diagram: l shared as l_1, l_2, l_3; F and G jointly tamper parts of the shares, producing r̃_1, r̃_2, r̃_3; with a collinearity check on the tampered shares of r, r̃ is unrelated to l]
Idea: enforcing collinearity buys us arbitrary partitioning.
