Learn about secret sharing as an essential tool for secure computation in the workshop slides by Divya Ravi, borrowed from Arpita Patra and Ashish Choudhury. Explore the concept and properties of secret sharing, applications in distributed key storage and reliable data storage, and its role in MPC secure circuit evaluation.
Secret Sharing and Information-Theoretic MPC
Divya Ravi, Workshop on Cryptography
Slides borrowed from Arpita Patra, Ashish Choudhury
Agenda
• Information-Theoretic MPC
• Adversarial setting: computationally unbounded, semi-honest; n parties, honest majority (t < n/2)
• Secret sharing: an important tool for MPC
• Shamir secret sharing
The Concept of Secret Sharing: (n, t) locked-box representation
• A secret s is locked in a box held jointly by the parties P1, P2, …, Pn
Secret Sharing: Properties
• Any t parties cannot open the box
• Any (t + 1) parties can open the box
• Ex: t = 1, so no single party can open the box, but any two parties together can
Unconditionally-secure Instantiation of the (n, t) Locked-Box Representation
• Unconditionally-secure (n, t)-secret sharing
• Sharing Phase: the Dealer, holding secret s, distributes shares v1, v2, v3, …, vn to the parties
• Reconstruction Phase: any t + 1 parties can reconstruct the secret; fewer than t + 1 parties have no information about the secret
Unconditionally-secure Instantiation: Shamir Secret Sharing
• Unconditionally-secure (n, t)-secret sharing: Adi Shamir, How to Share a Secret. Commun. ACM 22(11): 612-613 (1979)
• Sharing Phase: the dealer picks a degree-t curve whose value at x = 0 is the secret s; share Shi is the evaluation of the curve at x = i, for i = 1, 2, …, n, giving Sh1, Sh2, …, Shn
• Reconstruction Phase: Lagrange interpolation over the shares Sh1, Sh2, …, Shn recovers the degree-t curve, and hence s
Lagrange's Interpolation
• Reconstructing a degree-t polynomial h(x), given (t + 1) points
• Theorem: h(x) can be written as a linear combination of the h(i)s, where the combiner attached to point i is a public polynomial that
>> is a polynomial of degree t
>> at i, evaluates to 1
>> at any other of the given points, evaluates to 0
• Evaluating these public polynomials yields public values, denoted ri
• The value of h can thus be written as a linear combination of the h(i)s
• The combiners form the recombination vector: r1, …, rt+1
Shamir Secret-sharing: Security
• The shares Sh1, Sh2, …, Shn lie on a degree-t curve with s at x = 0; Shi = evaluation of the curve at x = i
• A polynomial of degree t is uniquely determined by a set of t + 1 distinct values of the polynomial
• Given only t distinct values, a polynomial of degree t is not uniquely determined
• Fix any missing value. This will determine a polynomial of degree t along with the already available t distinct values
• All possible secrets from the field are equi-probable
Shamir Secret-sharing: Security Demonstration
• n = 3 and t = 1: the secret s and the shares sh1, sh2, sh3 lie on a straight line, evaluated at x = 1, 2, 3
• Any set of 2 shares determines the original straight line and the secret
• Only 1 share is consistent with all possible straight lines over the field, i.e. with every candidate secret s, s', s'', …
Secret Sharing: Applications
• Distributed Key Storage
  - Store an encryption key across different servers using some secret sharing
  - Even if one or some of the servers are compromised, the key still remains secret and can only be recovered when a threshold number of share-holders collude
• Reliable Data Storage
  - Withstands the loss of up to a threshold number of servers
  - The data can still be regenerated using the shares from the other servers
• Building block of MPC
Secure Circuit Evaluation
• Most MPC protocols assume that the function f to be securely computed is expressed as an arithmetic circuit over some finite field F
• The circuit consists of:
  - Input gates: for the inputs of the parties (x1, x2, x3, x4 in the figure)
  - Output gates: for the function output (y in the figure)
  - Linear gates: addition gates, addition by public constants, multiplication by public constants
  - Non-linear (multiplication) gates
Secure Circuit Evaluation: Steps
[Figure: example circuit with wires labelled 1, 5, 9, 2, 3 (inputs), 3, 45, 48 (intermediate values) and 144 (output y)]
1. Each party acts as a dealer and (n, t)-secret shares its input
2. The parties jointly compute an (n, t)-sharing of each intermediate value
3. Reconstruct the Shamir-sharing of the output by exchanging shares with each other
• Privacy follows (intuitively) because:
  1. No inputs of the honest parties are leaked
  2. No intermediate value is leaked
• Goal: obtain an (n, t)-sharing of a sum / product from (n, t)-sharings of the inputs
Addition Gates
• Let us consider n = 3, t = 1
• a is shared via Fa(x) with Fa(0) = a and shares a1, a2, a3; b is shared via Fb(x) with Fb(0) = b and shares b1, b2, b3
• Each party does locally: ci = ai + bi, so the shares c1, c2, c3 of a + b lie on Fa(x) + Fb(x), whose value at 0 is Fa(0) + Fb(0) = a + b
• We say that the parties compute [a]t + [b]t = [a + b]t to mean that every party locally adds its shares of a and b respectively to compute its share of a + b (Fa(i) + Fb(i))
• Addition of secret-shared values is absolutely free (non-interactive)
Linearity of (n, t) Shamir Secret Sharing: Example
• Let us consider n = 3, t = 1
• Let c ∈ F be a public constant
• a is shared via Fa(x) with shares a1, a2, a3; each party locally computes di = c · ai, so the shares d1, d2, d3 lie on c · Fa(x), whose value at 0 is c · a
• We say that the parties compute c · [a]t = [c · a]t to mean that every party locally multiplies its share of a with c to compute its share of c · a
• Multiplication of a secret-shared value with public constants is absolutely free (non-interactive)
Linearity of (n, t) Shamir Secret Sharing: Summary
• Shamir secret-sharing allows the parties to non-interactively perform linear operations on secret-shared values
• Given [a]t, [b]t and publicly known constants c1, c2, the parties can locally compute c1 · [a]t + c2 · [b]t = [c1 · a + c2 · b]t
• In general, let g be a linear function with (y(1), …, y(m)) = g(x(1), …); given sharings [x(1)]t, …, the parties can locally compute ([y(1)]t, …, [y(m)]t) = g([x(1)]t, …)
• From the adversary's point of view, any linear function of a random input sharing will be random as well
  - Ex: [a]t + [b]t = [a + b]t; if [a]t and [b]t are random for the adversary, then so is [a + b]t
  - Even if a + b is publicly reconstructed, a and b remain as private as possible!!
Linearity of (n, t) Shamir Secret Sharing: Example
• Let us consider n = 3, t = 1, parties {P1, P2, P3} with P1 being corrupted, and a field of size 17
• Let P1, P2 and P3 be assigned the evaluation points 1, 2 and 3
• Let P1 have no input, P2 and P3 have inputs a, b, and y = f(a, b) = a + b
• Let a = 2, shared through fa(x) = 2 + 2x, and b = 4, shared through fb(x) = 4 + x
• To compute c = a + b, the following computation and communication will be done (the bold values denote the values seen by the adversary):
• By interpolating (1, 9), (2, 12) and (3, 15), the adversary will see the polynomial fc(x) = 6 + 3x
• From its view, can the adversary infer any additional information about a and b?
• Is the adversary's view equally consistent with (a = 0, b = 6), (a = 1, b = 5), (a = 3, b = 3), (a = 4, b = 2), (a = 5, b = 1) and (a = 6, b = 0)?
• If so, then indeed the adversary learns nothing additional about a and b, even if c and its shares are made public!!
Linearity of (n, t) Shamir Secret Sharing: Example
• The view of the adversary during the protocol (the bold values denote the values seen by the adversary): its own shares of a and b, and all three shares of c
• By interpolating (1, 9), (2, 12) and (3, 15), the adversary will see the polynomial fc(x) = 6 + 3x
• Suppose the adversary makes the hypothesis that a = 1 and b = 5. Is it consistent with the above view of the adversary?
• If a is fixed as 1, then it fixes the candidate a-sharing polynomial f'a(x) = 3x + 1
  - The polynomial has degree 1 and passes through (0, 1) and (1, 4)
  - The rest of the shares of a (consistent with f'a(x): 7 and 10) also get fixed
• If b is fixed as 5, then it fixes the candidate b-sharing polynomial f'b(x) = 0x + 5
  - The polynomial has degree 1 and passes through (0, 5) and (1, 5)
  - The rest of the shares of b (consistent with f'b(x): 5 and 5) also get fixed
• The hypothesis a = 1 and b = 5 is consistent with the view of the adversary
Linearity of (n, t) Shamir Secret Sharing: Example
• The view of the adversary during the protocol (the bold values denote the values seen by the adversary)
• By interpolating (1, 9), (2, 12) and (3, 15), the adversary will see the polynomial fc(x) = 6 + 3x
• The view of the adversary will be consistent with the other candidate values of a and b as well
[Table of candidate a-shares and b-shares for the remaining (a, b) pairs; the cells are not recoverable from the extracted text]
Multiplication Gate
• a is shared via Fa(x) with shares a1, a2, a3; b is shared via Fb(x) with shares b1, b2, b3
• Each party locally computes di = ai · bi; the values d1, d2, d3 lie on Fa(x) · Fb(x), whose value at 0 is ab
• Degree of the sharing becomes 2t instead of t
• a × b is now shared by a non-random polynomial
Securely Multiplying Two Shamir-shared Values
• n = 2t + 1 (figure: t = 1, parties P1, P2, P3)
• a: shared via polynomial A(x), shares a1, a2, a3
• b: shared via polynomial B(x), shares b1, b2, b3
• Let C(x) = A(x) · B(x): degree 2t
• Let C(0) = A(0) · B(0) = ab
• Let C(i) = A(i) · B(i) = di
• C(0) is a linear function of d1, …, d2t+1
• C(0) = ab = r1 d1 + … + r2t+1 d2t+1
• r1, …, r2t+1: publicly known Lagrange's coefficients
• Each Pi computes di = ai bi and secret-shares di, acting as a dealer (in the figure, dji denotes Pi's share of dj)
• So [ab] = r1 [d1] + … + r2t+1 [d2t+1]: each Pi locally combines the sub-shares it received, ci = r1 d1i + r2 d2i + r3 d3i in the figure
The Multiplication Sub-protocol: Example
• Let n = 3, t = 1, parties {P1, P2, P3} with P1 being corrupted, a field of size 5, and evaluation points 1, 2 and 3 for P1, P2, P3
• Let P1 have no input, P2 and P3 have inputs a, b, and y = f(a, b) = a · b
• Let a = 2, shared through fa(x) = 2 + x, and b = 2, shared through fb(x) = 2 + 2x
• To compute c = a · b, the following computation and communication will be done (the bold values denote the values seen by the adversary):
• Let P1 t-share c1 = 2 via 2 + x
• Let P2 t-share c2 = 4 via 4
• Let P3 t-share c3 = 0 via 4x
• Recombination vector (r1, r2, r3): r1 = 3, r2 = 2, r3 = 1
• Interpolating (1, 1) and (2, 3) gives the curve 2x + 4, whose value at 0 is 4
• Does the adversary learn anything about a, b beyond that a · b = 4?
The Multiplication Sub-protocol: Example
• Adversary's view in the protocol (the bold values denote the values seen by the adversary)
• (r1, r2, r3) = (3, 2, 1)
• Will the adversary's view be consistent with a = 1 and b = 4?
  - a = 1 ⇒ fa(x) = 2x + 1
  - b = 4 ⇒ fb(x) = 4
  - c2 = 0 ⇒ fc2(x) = 4x
  - c3 = 3 ⇒ fc3(x) = x + 3
• Adversary's view is consistent with a = 1 and b = 4
• In fact the adversary's view will be consistent with all possible pairs (a, b) in the field with a · b = 4
[Table of candidate shares for each such (a, b) pair; the cells are not recoverable from the extracted text]
BGW Unconditionally-secure MPC Protocol in the Semi-honest Setting
• n = 2t + 1
• Input stage: each Pi acts as a dealer and Shamir-shares its input xi with threshold t
• Computation stage, gate invariant: given a Shamir-sharing of the gate inputs, compute a Shamir-sharing of the gate output (figure: x1 + x2, then × x3, giving y)
  - Linear gates: the invariant is free
  - Multiplication gates: re-sharing based interactive multiplication protocol
• Output stage: reconstruct the output value by exchanging shares of the function output
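The following is an added worked example, not code from the slides or their authors. It implements, in one place, the pieces the deck walks through: Shamir sharing and Lagrange reconstruction over GF(p) (the sharing/reconstruction and security slides), the local addition and constant-multiplication of shares (the linearity slides), and the re-sharing based BGW multiplication for n = 2t + 1 (the multiplication sub-protocol and BGW slides). The function names (`share`, `lagrange_coeffs`, `reconstruct`, `add_shares`, `scale_shares`, `multiply_shares`, `candidate_counts`) and the `coeffs` / `reshare_coeffs` hooks that pin the random polynomials to fixed ones are my own choices, introduced so that the deck's concrete numbers (p = 5, a = 2 via 2 + x, b = 2 via 2 + 2x, re-sharings 2 + x, 4, 4x; and p = 17, a = 2 via 2 + 2x, b = 4 via 4 + x) can be reproduced exactly. `candidate_counts` brute-forces the security argument: with only t shares, every secret in the field is consistent with exactly one degree-t polynomial.

```python
"""Shamir (n, t)-secret sharing over GF(p) plus the BGW semi-honest gate
operations. Added example; not part of the original slides."""
import random
from itertools import product


def share(secret, n, t, p, coeffs=None, rng=random):
    """(n, t)-Shamir share `secret` over GF(p): choose a degree-t polynomial f
    with f(0) = secret and hand party i (i = 1..n) the point f(i).
    `coeffs` (assumed helper argument) fixes the t non-constant coefficients,
    so the slides' fixed polynomials can be reproduced; otherwise random."""
    if coeffs is None:
        coeffs = [rng.randrange(p) for _ in range(t)]
    assert len(coeffs) == t and 0 < t < n < p
    poly = [secret % p] + [c % p for c in coeffs]
    return {i: sum(c * pow(i, k, p) for k, c in enumerate(poly)) % p
            for i in range(1, n + 1)}


def lagrange_coeffs(xs, p, at=0):
    """Recombination vector: r_j = prod_{k != j} (at - x_k) / (x_j - x_k) mod p,
    so f(at) = sum_j r_j * f(x_j) for every polynomial of degree < len(xs)."""
    rs = []
    for j, xj in enumerate(xs):
        num = den = 1
        for k, xk in enumerate(xs):
            if k != j:
                num = num * (at - xk) % p
                den = den * (xj - xk) % p
        rs.append(num * pow(den, -1, p) % p)
    return rs


def reconstruct(shares, p):
    """Lagrange-interpolate f(0) from {i: f(i)}; needs at least deg(f)+1 points."""
    xs = list(shares)
    return sum(r * shares[x] for r, x in zip(lagrange_coeffs(xs, p), xs)) % p


def add_shares(sa, sb, p):
    """[a]_t + [b]_t = [a + b]_t: purely local, no communication."""
    return {i: (sa[i] + sb[i]) % p for i in sa}


def scale_shares(c, sa, p):
    """c . [a]_t = [c . a]_t for a public constant c: also local."""
    return {i: c * sa[i] % p for i in sa}


def multiply_shares(sa, sb, n, t, p, reshare_coeffs=None, rng=random):
    """BGW multiplication, n = 2t + 1. Each P_j computes d_j = a_j * b_j (a point
    on the degree-2t polynomial A(x)B(x)) and re-shares d_j with threshold t.
    Every P_i then combines the sub-shares it received using the public
    Lagrange coefficients r_1..r_n for x = 0, giving a degree-t share of ab.
    `reshare_coeffs[j]` (assumed helper argument) fixes P_j's re-sharing polynomial."""
    assert n == 2 * t + 1
    parties = list(range(1, n + 1))
    rs = lagrange_coeffs(parties, p)
    sub = {i: {} for i in parties}          # sub[i][j] = P_i's share of d_j
    for j in parties:
        d_j = sa[j] * sb[j] % p
        coeffs = reshare_coeffs[j] if reshare_coeffs else None
        for i, v in share(d_j, n, t, p, coeffs, rng).items():
            sub[i][j] = v
    return {i: sum(r * sub[i][j] for r, j in zip(rs, parties)) % p for i in parties}


def candidate_counts(partial, t, p):
    """For every candidate secret s, count the degree-<=t polynomials with
    f(0) = s agreeing with the shares {i: f(i)}. With exactly t shares every s
    has exactly one such polynomial (all secrets equiprobable); with t + 1
    shares only the true secret survives. Brute force, fine for small p."""
    counts = {s: 0 for s in range(p)}
    for poly in product(range(p), repeat=t + 1):
        if all(sum(c * pow(i, k, p) for k, c in enumerate(poly)) % p == v
               for i, v in partial.items()):
            counts[poly[0]] += 1
    return counts


if __name__ == "__main__":
    # The slides' multiplication example: p = 5, a = 2 via 2 + x, b = 2 via
    # 2 + 2x, re-sharing polynomials 2 + x, 4 and 4x for d_1, d_2, d_3.
    p = 5
    sa, sb = share(2, 3, 1, p, coeffs=[1]), share(2, 3, 1, p, coeffs=[2])
    sc = multiply_shares(sa, sb, 3, 1, p, reshare_coeffs={1: [1], 2: [0], 3: [4]})
    print("shares of a*b:", sc, "->", reconstruct(sc, p))   # {1: 1, 2: 3, 3: 0} -> 4
    # Security: P1's single share of a (p = 17 example) fits every secret once.
    print(candidate_counts({1: share(2, 3, 1, 17, coeffs=[2])[1]}, 1, 17))
```

Running the module reproduces the deck's numbers: the recombination vector for points 1, 2, 3 over GF(5) is (3, 2, 1), the output shares are (1, 3, 0) on the curve 2x + 4, and any two of them reconstruct 4. In a real deployment the `coeffs` hooks are never used; the polynomials must come from a cryptographic RNG, since the security argument rests entirely on their randomness.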