
On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase

On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase. Ronald Cramer, Ivan Damgård, Serge Fehr. Introduction. Secret-sharing (introduced by Shamir)


Presentation Transcript


  1. On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase. Ronald Cramer, Ivan Damgård, Serge Fehr

  2. Introduction • Secret sharing (introduced by Shamir). • An l-bit secret is distributed to n players; every player holds a share. Any set of more than t shares allows the secret to be recovered. • Privacy: if an adversary sees up to t shares, it learns no information about the secret. • Correctness: t+1 shares are enough to reconstruct the secret.

  3. Introduction • This paper considers more: some players (at most t) may be corrupted and may contribute wrong shares. • We want every honest player to be able to reconstruct the secret in this situation. • If t ≥ n/2, no player can be sure that its reconstruction is correct. • If t < n/3, standard methods give an optimal solution with no error.

  4. Introduction • We only consider n/3 ≤ t < n/2. • An honest player can either reconstruct the secret or output "failure"; the failure probability is 2^-Ω(k), where k is the security parameter. • When t = (n-1)/2, there is a lower bound of O(nl + kn^2) on the information that must be sent. • This bound is also tight.

  5. Communication Model • Secure-channels model with broadcast. • There is a set of players {P1, …, Pn} and a dealer D. • Every pair of players has a secure private channel. • Adversary: • Active (corrupts at most t players). • Rushing (can decide its own messages after seeing what all honest players sent). • Static or adaptive (static means it must choose which players to corrupt before the execution starts).

  6. Single-Round Honest-Dealer VSS • Distribution phase: • The honest dealer generates shares si = (ki, yi), i = 1…n, according to a fixed and publicly known conditional probability distribution P_S1…Sn(·|s), where s is the secret, and privately sends si to Pi. • Reconstruction phase: • Each player Pi is required to broadcast ŷi, which is supposed to equal yi. Each player Pi then decides on the secret s based on its private ki and the broadcast values ŷ1…ŷn (outputting s or "failure").

  7. The adversary can change the ŷj that a corrupted Pj broadcasts; honest players always broadcast ŷj = yj. • The adversary may be rushing or non-rushing, static or adaptive.

  8. A Single-Round Honest-Dealer VSS is (t, n, 1-δ)-secure if: • Privacy: • The adversary gains no information about s from the distribution phase. • (1-δ)-correctness: • In the reconstruction phase, each uncorrupted player outputs s or "failure", and outputs "failure" with probability δ.

  9. We can repeat the scheme m times to bring the error probability down to δ^m. • This definition is very general; it does not dictate the details of the implementation.

  10. Theoretical Lower Bound and Tightness Proof of SRHD-VSS

  11. Lower Bound on Reconstruction Complexity • For any family of Single-Round Honest-Dealer VSS schemes that is (t, n, 1-δ)-secure against an active, rushing adversary: if the two conditions stated on the slide hold for a security parameter k, then the total information broadcast in the reconstruction phase is lower bounded by the bound stated on the slide. • H is the entropy of S, by definition.

  12. Reduced Theorem: Proposition 1 • Let the random variables on the slide be the messages distributed by the SRHD-VSS. For odd n, the size of any public share Yi is lower bounded by the bound on the slide, while for even n it is the joint size H(YiYj) of every pair Yi ≠ Yj that is lower bounded.

  13. A Little Authentication Theory • Let K, M, Y, Z be random variables with joint distribution P_KMYZ such that M is independent of K and Z but uniquely determined by Y and Z. Then, knowing only Z, one can compute a value consistent with K and Z with probability P_I* (formula on the slide). • * P_I stands for an impersonation attack.

  14. A Little Authentication Theory • Also, knowing Z and Y, one can compute a value consistent with K and Z, and with a message M' ≠ M, with probability P_S* (formula on the slide). • * P_S stands for a substitution attack.

  15. Observation on P_S and P_I • Let K, M, Y, Z be as above. If M is uniformly distributed over a non-trivial set, then knowing Z one can compute a value consistent with K and Z, and with a message M' ≠ M, with the probability shown on the slide. • A successful impersonation attack is by definition also a successful substitution attack, since M is uniformly distributed and M' ≠ M.

  16. Proof of Proposition 1 (1/3) • Figure: players P1, P2, …, Pi-1, Pi, …, Pt, Pt+1, with Pt+1 broadcasting either Yt+1 or Y't+1; either the red players are honest or vice versa… • Pi can thus not compute S with certainty. We then let* (definition on the slide). • *Note that the semantics of δ is for Pi to decide "failure", and a recoverable error may still be counted in. See Section 6 for the correctness proof.

  17. Proof of Proposition 1 (2/3) • Apply Observation 1 by letting K = Ki, M = S, Y = Yt+1 and Z = (K1, …, Ki-1, Y1, …, Yt). • Then use δ (derivation on the slide).

  18. A Little Information Theory • Chain rule of mutual information

  19. Proof of Proposition 1 (3/3) • Using the chain rule, we have the expression on the slide. • And since S1…St cannot reconstruct without St+1, we have the second expression on the slide. • The proposition follows.

  20. Theorem 2: Theorem 1 is Tight • For the parameters on the slide, there is a scheme secure against an adaptive and rushing adversary with total communication complexity O(kn^2) bits. • Proof: by constructing one.

  21. Construction of the SRHD-VSS (1/3) • Given a (t+1, n) threshold secret sharing scheme and an authentication scheme, e.g. a family of strongly universal hash functions. • Dealer: everyone gets a share, every pair gets a key… • Share S (as on the slide). • Select a random key (as on the slide).

  22. Construction of the SRHD-VSS (2/3) • Dealer: the golden blade bears witness, the jade seal vouches for it… • Generate an authentication tag for every player Pj. • Everyone: contending for the realm is everyone's duty… • Pi sends <Si, yij> to Pj for all i, j with i ≠ j.

  23. Making Ω(k) (3/3) • Use Shamir's secret sharing scheme over a field F with |F| > n. • Choose the hash family h_{α,β}(X) = αX + β over F. • As such, an attack can succeed with probability 1/|F|. • Choose |F| as on the slide. • The desired result follows.
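The construction of slides 21 to 23, worked through as an added example that is not the paper's or the presenters' code: Shamir sharing over a prime field, one key (α, β) per ordered pair of players, tags h_{α,β}(Si) = αSi + β, and a reconstruction step in which each player accepts only shares whose tag verifies and outputs the secret or "failure". The prime P, the values of n, t and the secret, and the simulated corrupted players are constructed assumptions.

```python
import random
import secrets

# Constructed parameters for this added example: Shamir sharing over GF(P), |F| = P ~ 2^61,
# so a forged tag passes an honest verifier's check with probability 1/|F| ~ 2^-61.
P = 2**61 - 1

def _interp(points, x):
    """Evaluate the unique polynomial of degree <= len(points)-1 through `points` at x (Lagrange over GF(P))."""
    r = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        r = (r + yi * num * pow(den, P - 2, P)) % P
    return r

def deal(secret, n, t, rng):
    """Honest dealer: Shamir share s_i for P_i; for each ordered pair (i, j) a key (a, b) held by P_j
    and the tag y_ij = h_{a,b}(s_i) = a*s_i + b held by P_i."""
    coeffs = [secret % P] + [rng(P) for _ in range(t)]          # f(0) = secret, degree t
    shares = {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P for i in range(1, n + 1)}
    keys = {(i, j): (rng(P), rng(P)) for i in range(1, n + 1) for j in range(1, n + 1) if i != j}
    tags = {(i, j): (a * shares[i] + b) % P for (i, j), (a, b) in keys.items()}
    return shares, keys, tags

def reconstruct(j, broadcast, keys, t):
    """P_j: accept s_i iff the tag P_i broadcast for P_j verifies under P_j's own key (i, j);
    output the secret if the accepted shares are consistent, otherwise 'failure'."""
    accepted = [(i, s) for i, (s, y) in broadcast.items()
                if i == j or (keys[(i, j)][0] * s + keys[(i, j)][1]) % P == y[j]]
    if len(accepted) < t + 1:
        return "failure"                       # not enough verified shares
    base = accepted[:t + 1]                    # t+1 points fix the polynomial
    if any(_interp(base, x) != y for x, y in accepted[t + 1:]):
        return "failure"                       # an accepted share is off the polynomial
    return _interp(base, 0)

def run(n, t, secret, corrupt=(), seed=None):
    """One reconstruction round; corrupted players broadcast a wrong share but, lacking the honest
    verifiers' keys (rushing does not help), can only reuse dealt tags. Returns honest outputs."""
    rng = secrets.randbelow if seed is None else random.Random(seed).randrange
    shares, keys, tags = deal(secret, n, t, rng)
    broadcast = {}
    for i in range(1, n + 1):
        s = shares[i] if i not in corrupt else (shares[i] + 1) % P
        broadcast[i] = (s, {j: tags[(i, j)] for j in range(1, n + 1) if j != i})
    return {j: reconstruct(j, broadcast, keys, t) for j in range(1, n + 1) if j not in corrupt}
```

With up to t corrupted players every honest player recovers the secret, because the wrong shares are rejected and the n - t ≥ t + 1 honest shares are consistent; with more than t corruptions the honest players output "failure" rather than a wrong secret.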

  24. Thanks • Presented by 游騰楷, 呂育恩, 葉恆青
