Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes
Amos Beimel, Ben-Gurion University
Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.
Secret Sharing [Shamir79, Blakley79, ItoSaitoNishizeki87]
(Figure: the secret 1706 is split into the four shares 2538, 3441, 1329, 6634 with threshold t=3; any three shares recover 1706, while fewer leave it unknown, shown as "?".)
Talk Overview
• Motivation and definitions
• Linear secret sharing schemes
• Nonlinear secret sharing schemes
• Weakly-private secret sharing schemes
• Conclusions and open problems
ICITS
Def: Secret Sharing
(Figure: a dealer holding the secret s and random input r sends share s1 to P1, s2 to P2, ..., sn to Pn.)
• Access structure: the collection of authorized subsets of {P1, ..., Pn}.
• A scheme realizes the access structure if:
  Correctness: every authorized set B can always recover s.
  Privacy: every unauthorized set B cannot learn anything about s.
Applications
• Secure storage
• Secure multiparty computation
• Threshold cryptography
• Byzantine agreement
• Access control
• Private information retrieval
• Attribute-based encryption
Shamir's t-out-of-n Secret Sharing Scheme
• Input: a secret s, an element of a finite field with more than n elements.
• Choose at random a polynomial p(x) = s + r1 x + r2 x^2 + ... + r_{t-1} x^{t-1} of degree at most t-1.
• Share of Pj: sj = p(j).
• Any t shares determine p by interpolation, hence s = p(0); any t-1 shares are consistent with every possible s.
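The scheme above in working form, as an added example that is not part of the original slides: sharing over a prime field Z_p, reconstruction by Lagrange interpolation at x = 0, and a brute-force count (over a tiny field) of how many polynomials are consistent with t-1 versus t shares, which is the threshold privacy argument made concrete. The prime 7919, the seeds and the small-field parameters are arbitrary choices for the demonstration.

```python
"""Shamir's t-out-of-n scheme over Z_p, plus an exhaustive look at the threshold:
t shares pin the secret down, t-1 shares are consistent with every secret.
Constructed example: p = 7919 and the RNG seeds are arbitrary."""
import random
from itertools import product


def eval_poly(coeffs, x, p):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... modulo p (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def shamir_share(secret, t, n, p, rng):
    """Random polynomial of degree < t with constant term `secret`; P_j gets (j, p(j)).
    Needs n < p so the evaluation points are distinct and never 0 (p(0) is the secret)."""
    assert 0 <= secret < p and 1 <= t <= n < p
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return [(j, eval_poly(coeffs, j, p)) for j in range(1, n + 1)]


def shamir_reconstruct(shares, p):
    """Lagrange interpolation at x = 0 from exactly t shares (j, y_j)."""
    s = 0
    for j, yj in shares:
        num, den = 1, 1
        for k, _ in shares:
            if k != j:
                num = num * (-k) % p       # product of (0 - k)
                den = den * (j - k) % p    # product of (j - k)
        s = (s + yj * num * pow(den, p - 2, p)) % p   # den^-1 via Fermat
    return s


def consistent_secrets(partial, t, p):
    """For every candidate secret, count the degree-<t polynomials over Z_p that
    agree with the shares in `partial`.  Exhaustive, so only for a tiny p."""
    return {
        s: sum(1 for rest in product(range(p), repeat=t - 1)
               if all(eval_poly([s] + list(rest), j, p) == y for j, y in partial))
        for s in range(p)
    }


def demo():
    """The slide's 1706 shared 3-out-of-4, plus the tiny-field privacy count."""
    p, t, n = 7919, 3, 4
    shares = shamir_share(1706, t, n, p, random.Random(1))
    tiny = shamir_share(4, 3, 6, 7, random.Random(2))    # 3-out-of-6 over Z_7
    return {
        "shares": shares,
        "from_1_2_3": shamir_reconstruct(shares[:3], p),
        "from_2_3_4": shamir_reconstruct(shares[1:], p),
        "two_shares": consistent_secrets(tiny[:2], 3, 7),   # every secret once
        "three_shares": consistent_secrets(tiny[:3], 3, 7), # only the real one
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With two shares of a 3-out-of-6 sharing over Z_7 every one of the seven candidate secrets has exactly one polynomial consistent with it, so the two shares carry no information; a third share leaves exactly one candidate.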
The General Case
(Figure: five parties P1..P5 and an access structure with minimal authorized sets {2,4}, {1,2}, {1,3,5}; each minimal set recovers s.)
Which access structures can be realized?
• Necessary condition: the access structure is monotone (every superset of an authorized set is authorized).
• Also sufficient! But the general construction is not efficient: share size grows with the number of minimal authorized sets, which can be exponential in n.
Are there Efficient Schemes?
• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n) (summed over all n shares).
• Nothing better is known even for non-explicit structures!
• Large gap. Conjecture: there is an access structure that requires shares of size 2^{Ω(n)}.
Talk Overview
• Motivation and definitions
• Linear secret sharing schemes
• Nonlinear secret sharing schemes
• Weakly-private secret sharing schemes
• Conclusions and open problems
Linear Secret-Sharing
(Figure: the dealer applies a fixed linear transformation over a field F to the vector (s, r1, ..., rm), where r1, ..., rm are random field elements; the output coordinates are the shares of P1, ..., Pn.)
• Examples:
  • Shamir's scheme
  • Formula-based schemes [BenalohLeichter88]
  • Monotone span programs [KarchmerWigderson93]
Linear Schemes and Span Programs
Monotone span programs are a linear-algebraic model of computation [KarchmerWigderson93]. They are equivalent to linear schemes.

Monotone Span Programs
A monotone span program is a matrix M over a field F whose rows are labeled by parties, together with a fixed target vector (here e1 = (1,0,...,0)). The program accepts a set B iff the rows labeled by B span the target vector.

Example (figure; entries over GF(2), columns corresponding to (s, r2, r3, r4)):
  P2: 1 1 0 1
  P2: 0 1 1 0
  P1: 0 1 1 0
  P3: 1 1 0 0
  P4: 0 0 1 1
• {P2,P4} is accepted: the sum of the three rows labeled P2 and P4 is (1,0,0,0).
• {P1,P2} is rejected: the rows labeled P1 and P2 span only (1,1,0,1), (0,1,1,0) and their sum (1,0,1,1), none of which is the target.

Span Programs ⇒ Secret Sharing
To share s, choose random field elements r2, r3, r4 and compute (y1, ..., y5) = M · (s, r2, r3, r4); the share of a party is the entries in the rows labeled by it.
• Example: s=1, r2=r3=0, r4=1 gives (y1, ..., y5) = (0, 0, 0, 1, 1).
• Reconstruction by an accepted set, e.g. {P2,P4}: the coefficients that express the target vector as a combination of their rows, applied to their shares, give s (here y1 + y2 + y5 = 0 + 0 + 1 = 1 = s).
Linear Schemes: State of the Art
• Every access structure can be realized by a linear scheme.
• Most known schemes are linear.
• Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).
• Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95, BabaiGalWigderson96, Gal98, GalPudlak03]: n^{Ω(log n)}.
• Best existential lower bounds for linear schemes: 2^{Ω(n)}.
Why Linear Secret Sharing?
• Share generation and secret reconstruction are efficient (linear algebra over F).
• Perfect privacy for free.
• Homomorphic: adding shares of s and of s' gives shares of s + s'.
• Secure multi-party computation [CramerDamgardMaurer2000].
Why not?
• Can only realize access structures in NC.
Homomorphism of Linear Secret Sharing
With the span program above (rows labeled P2, P2, P1, P3, P4; columns (s, r2, r3, r4)):
  M · (s, r2, r3, r4)^T = (y1, y2, y3, y4, y5)^T            shares of s
  M · (s', r2', r3', r4')^T = (y1', y2', y3', y4', y5')^T   shares of s'
Adding coordinate-wise:
  M · (s+s', r2+r2', r3+r3', r4+r4')^T = (y1+y1', y2+y2', y3+y3', y4+y4', y5+y5')^T
so each party can locally add its two shares and hold a valid share of s + s' under the randomness r_i + r_i'.
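The span program of the preceding slides as a running scheme, added here as an example that is not code from the slides: sharing is the matrix-vector product, reconstruction solves for the recombination coefficients over GF(2) by Gauss-Jordan elimination, and the additive homomorphism is checked by XOR-ing two sharings. The field GF(2) and the target vector e1 are assumptions read off the figures.

```python
"""Secret sharing from the slides' monotone span program over GF(2):
sharing, acceptance test, reconstruction and the additive homomorphism.
Added example; the field GF(2) and target e1 are read off the figures."""

# Rows of M in the slides' order y1..y5; columns correspond to (s, r2, r3, r4).
M = [[1, 1, 0, 1],   # y1, P2
     [0, 1, 1, 0],   # y2, P2
     [0, 1, 1, 0],   # y3, P1
     [1, 1, 0, 0],   # y4, P3
     [0, 0, 1, 1]]   # y5, P4
LABELS = ["P2", "P2", "P1", "P3", "P4"]
TARGET = [1, 0, 0, 0]
ROWS_OF = {lab: [i for i, l in enumerate(LABELS) if l == lab] for lab in set(LABELS)}


def solve_gf2(A, b):
    """One solution x of A·x = b over GF(2) (Gauss-Jordan on the augmented matrix,
    free variables set to 0), or None if the system is inconsistent."""
    rows = [r[:] + [bi] for r, bi in zip(A, b)]
    ncols, pivots, rank = len(A[0]), [], 0
    for c in range(ncols):
        piv = next((i for i in range(rank, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[rank])]
        pivots.append(c)
        rank += 1
    if any(rows[i][-1] for i in range(rank, len(rows))):
        return None                       # 0 = 1 row: target not in the span
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = rows[i][-1]
    return x


def msp_share(secret, coins):
    """(y1..y5) = M · (s, r2, r3, r4) over GF(2); each party gets its rows' entries."""
    v = [secret] + list(coins)
    ys = [sum(a * b for a, b in zip(row, v)) % 2 for row in M]
    return {lab: [ys[i] for i in rows] for lab, rows in ROWS_OF.items()}


def recombination(B):
    """lambda (indexed by row of M) with sum_i lambda_i * M[i] = e1 using only rows
    labeled by parties in B, or None if B is rejected by the span program."""
    idx = [i for i in range(len(M)) if LABELS[i] in B]
    A = [[M[i][c] for i in idx] for c in range(len(TARGET))]   # transpose of M_B
    lam = solve_gf2(A, TARGET)
    return None if lam is None else {i: lam[k] for k, i in enumerate(idx)}


def msp_reconstruct(shares):
    """Apply the recombination vector to the shares of an accepted set."""
    lam = recombination(set(shares))
    if lam is None:
        raise ValueError("unauthorized set: its rows do not span the target")
    ys = {i: shares[lab][k] for lab in shares for k, i in enumerate(ROWS_OF[lab])}
    return sum(lam[i] * ys[i] for i in lam) % 2


def add_shares(sh1, sh2):
    """Additive homomorphism: XOR of sharings of s and s' is a sharing of s + s'."""
    return {lab: [a ^ b for a, b in zip(sh1[lab], sh2[lab])] for lab in sh1}


def demo():
    sh = msp_share(1, (0, 0, 1))          # the slides' example: s=1, r2=r3=0, r4=1
    sh2 = msp_share(1, (1, 0, 1))
    summed = add_shares(sh, sh2)          # sharing of 1+1 = 0 with coins (1, 0, 0)
    return {
        "shares": sh,
        "P2P4": msp_reconstruct({k: sh[k] for k in ("P2", "P4")}),
        "P1P2_accepted": recombination({"P1", "P2"}) is not None,
        "sum_matches_fresh_sharing": summed == msp_share(0, (1, 0, 0)),
        "sum_reconstructs": msp_reconstruct({k: summed[k] for k in ("P2", "P4")}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Acceptance and reconstruction use the same linear-algebra step: the coefficient vector that writes e1 in terms of a set's rows is exactly the vector that recovers s from that set's shares, which is why the span program and the linear scheme are equivalent.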
Multiplicative Homomorphism of Linear Secret Sharing [..., CramerDamgardMaurer2000]
Given shares (y1, ..., y5) of s and (y1', ..., y5') of s' under the same linear scheme, the parties run an interactive protocol whose output is a sharing of s · s' (unlike addition, local multiplication of shares is not enough).
• Requirement: the access structure must be Q2, i.e. no two unauthorized sets together cover all the parties.
Talk Overview
• Motivation and definitions
• Linear secret sharing schemes
• Nonlinear secret sharing schemes
• Weakly-private secret sharing
• Conclusions and open problems
Constructing Nonlinear Schemes
Two constructions:
• Composition approach: no assumptions, access structures in NC.
• Direct constructions: access structures probably not in P.
Nonlinear Schemes: Composition Approach [B+Ishai01]
(Figure: a linear scheme S1 over GF(2) for parties P1, ..., Pn is composed with a linear scheme S2 over GF(3) for parties Pn+1, ..., P2n; the combined scheme S = S1 + S2 is not linear over any single field.)
• [B+Weinreb03]:
  • an access structure that is easy over GF(2) and hard over any other field;
  • an access structure that is easy over GF(3) and hard over any other field.
Nonlinear Schemes: Direct Constructions [B+Ishai01]

  access structure equivalent to...             computationally efficient?   perfect / statistical
  quadratic residuosity modulo a (fixed) prime  Yes                          perfect
  co-primality                                  Yes                          statistical
  quadratic residuosity                         No                           statistical
Talk Overview
• Motivation and definitions
• Linear secret sharing schemes
• Nonlinear secret sharing schemes
• Weakly-private secret sharing
• Conclusions and open problems
Large Gap
• Sharing a 1-bit secret for general access structures:
  • The known schemes have 2^{O(n)}-bit shares.
  • Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n)-bit shares.
• Conjecture: there is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.
• No progress in the last decade!
What Should We Do?
• Prove lower bounds for stronger definitions of secret sharing:
  • Linear secret sharing schemes: n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95, BabaiGalWigderson96, Gal98].
• Prove upper bounds for weaker definitions of secret sharing.
• Try to understand which techniques should be used to prove lower bounds.
Def: Weakly-Private Secret Sharing
(Figure: as before, the dealer holding s and random input r sends share si to Pi.)
A scheme weakly realizes the access structure if:
  Correctness: every authorized set B can always recover s.
  Weak Privacy: every unauthorized set C can never rule out any secret. That is, for every two secrets a, b and every vector of shares ⟨si⟩_{i∈C}: the vector can arise when the secret is a iff it can arise when the secret is b. (Only the supports must agree, not the distributions.)
Motivation
• Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94, ...].
• Weakly-private ideal secret sharing = perfect ideal secret sharing [BrickellDavenport91].
• Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96, B+Livne06].
Motivation II
• Key distribution schemes:
  • [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
  • [B+Chor93] proved the same lower bound for weakly-private schemes.
• Does weak privacy suffice for proving lower bounds for secret sharing schemes?
Our Results
• For every access structure there is a weakly-private scheme with an ℓ-bit secret and (ℓ + c)-bit shares, where c is a "constant" depending on the access structure. Disclaimer: c can be exponential in n. Perfect: the best known schemes have c'·ℓ-bit shares.
• For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai). Perfect: known only for an exponential family.
• There is a weakly-private t-out-of-n scheme with a 1-bit secret and O(t)-bit shares. Perfect: log n-bit shares.
Constructions for General Access Structures
First attempt: for every access structure, try to construct a scheme with an ℓ-bit secret and ℓ-bit shares. Let s be an ℓ-bit secret.
• Choose at random a maximal unauthorized set D.
• Choose a random bi ∈ {0,1}^ℓ for every Pi ∈ D.
• Set bi = s for every Pi ∉ D.
• The share of Pi is bi.
Weak privacy: an unauthorized set C is contained in some maximal unauthorized set, so with positive probability D ⊇ C, and then C can get any vector of shares for every s.
Correctness: ????? An authorized set B is not contained in D, so some Pi ∈ B \ D holds bi = s; but B does not know D, so it can only guess Pi ∈ B and output bi.

Constructions for General Access Structures
Second (correct) attempt: for every access structure there is a scheme with an ℓ-bit secret and (ℓ + c)-bit shares (c is a "constant" depending on the access structure).
• Choose at random a maximal unauthorized set D.
• Share the n-bit string representing D using a weakly-private scheme realizing the same access structure. Let a1, ..., an be the generated shares.
• Choose a random bi ∈ {0,1}^ℓ for every Pi ∈ D.
• Set bi = s for every Pi ∉ D.
• The share of Pi is (ai, bi).
Correctness: an authorized set B reconstructs D from its ai's, finds Pi ∈ B \ D, and outputs bi = s.
Weak privacy: for an unauthorized C, the choice D ⊇ C makes every bi with Pi ∈ C random, and by weak privacy of the inner scheme the ai's of C are consistent with that D; so no secret is ruled out.
Share size: with a known scheme for the access structure, the shares ai are 2^{O(n)} bits in the worst case. Total size: ℓ + 2^{O(n)}.
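Both the general (inefficient) perfect construction from "The General Case" and the second attempt above, in one runnable example that is not code from the slides. The perfect scheme shares the secret additively once per minimal authorized set; the weakly-private wrapper uses it as the inner scheme for the indicator string of D. Randomness is passed in explicitly so the example can enumerate every coin toss and check correctness, weak privacy and the absence of perfect privacy exhaustively. The three-party access structure with minimal sets {0,1}, {1,2} is a constructed toy instance, and encoding D as an integer modulo 2^n is a choice made here.

```python
"""General monotone access structures: the perfect additive-per-minimal-set
scheme and the slides' weakly-private wrapper on top of it, with exhaustive
privacy checks.  Constructed example: parties 0,1,2, minimal sets {0,1},{1,2}."""
from fractions import Fraction
from itertools import combinations, product

N = 3
MIN_SETS = [frozenset({0, 1}), frozenset({1, 2})]


def is_authorized(B):
    return any(A <= set(B) for A in MIN_SETS)


def maximal_unauthorized():
    unauth = [frozenset(c) for k in range(N + 1) for c in combinations(range(N), k)
              if not is_authorized(c)]
    return [D for D in unauth if not any(D < E for E in unauth)]


def share_additive(secret, m, coins):
    """Perfect scheme for any monotone structure: for the j-th minimal set A the
    secret is split into |A| summands mod m; coins[j] holds the |A|-1 free ones."""
    shares = {}
    for j, A in enumerate(MIN_SETS):
        free = list(coins[j])
        for party, v in zip(sorted(A), free + [(secret - sum(free)) % m]):
            shares.setdefault(party, {})[j] = v
    return shares


def additive_coins(m):
    """Every coin vector share_additive can consume."""
    return product(*[list(product(range(m), repeat=len(A) - 1)) for A in MIN_SETS])


def reconstruct_additive(shares, m):
    for j, A in enumerate(MIN_SETS):
        if A <= set(shares):
            return sum(shares[p][j] for p in A) % m
    raise ValueError("unauthorized set")


def share_weak(secret, D, inner_coins, b_coins):
    """Second attempt: share the indicator string of the maximal unauthorized set D
    with the inner scheme (secret space Z_{2^n}); P_i gets (a_i, b_i) with b_i a
    random bit if i in D and b_i = secret otherwise."""
    code = sum(1 << i for i in D)
    a = share_additive(code, 2 ** N, inner_coins)
    b = dict(zip(sorted(D), b_coins))
    return {i: (a.get(i, {}), b.get(i, secret)) for i in range(N)}


def reconstruct_weak(view):
    code = reconstruct_additive({i: a for i, (a, _) in view.items()}, 2 ** N)
    D = {i for i in range(N) if code >> i & 1}
    i = next(i for i in view if i not in D)   # exists: view is authorized, D is not
    return view[i][1]


def view_distribution(secret, C):
    """Probability of each share vector seen by C (D and all coins uniform)."""
    dist, Ds = {}, maximal_unauthorized()
    for D in Ds:
        inner = list(additive_coins(2 ** N))
        w = Fraction(1, len(Ds) * len(inner) * 2 ** len(D))
        for ic in inner:
            for bc in product((0, 1), repeat=len(D)):
                full = share_weak(secret, D, ic, bc)
                key = tuple((i, tuple(sorted(full[i][0].items())), full[i][1]) for i in sorted(C))
                dist[key] = dist.get(key, 0) + w
    return dist


def correct_everywhere():
    """Every authorized set recovers the secret under every coin toss."""
    for secret, D in product((0, 1), maximal_unauthorized()):
        for ic in additive_coins(2 ** N):
            for bc in product((0, 1), repeat=len(D)):
                full = share_weak(secret, D, ic, bc)
                if any(reconstruct_weak({i: full[i] for i in B}) != secret
                       for B in ({0, 1}, {1, 2}, {0, 1, 2})):
                    return False
    return True


def weakly_private(C):
    """C never rules out a secret: the same *set* of views for secret 0 and 1."""
    return set(view_distribution(0, C)) == set(view_distribution(1, C))


def perfectly_private(C):
    """Same *distribution* of views for 0 and 1; the wrapper deliberately lacks this."""
    return view_distribution(0, C) == view_distribution(1, C)


def additive_perfectly_private(C, m):
    """The inner scheme is perfect: identical view distributions for secrets 0 and 1."""
    def dist(secret):
        d = {}
        for c in additive_coins(m):
            sh = share_additive(secret, m, c)
            key = tuple((i, tuple(sorted(sh.get(i, {}).items()))) for i in sorted(C))
            d[key] = d.get(key, 0) + 1
        return d
    return dist(0) == dist(1)


if __name__ == "__main__":
    print("correct:", correct_everywhere())
    print("{0,2} weakly private:", weakly_private({0, 2}))
    print("{0,2} perfectly private:", perfectly_private({0, 2}))
    print("{0,1} (authorized) weakly private:", weakly_private({0, 1}))
```

For the unauthorized set {0,2} the two view distributions share the same support but differ in probability (when D = {1} both b-bits equal the secret), which is exactly the gap between weak and perfect privacy; the inner additive scheme passes the stronger test.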
Talk Overview
• Motivation and definitions
• Linear secret sharing schemes
• Nonlinear secret sharing schemes
• Weakly-private secret sharing
• Conclusions and open problems
Conclusions
• Linearity is useful.
• However, linear schemes can realize only access structures in NC.
• Nonlinear schemes can efficiently realize some "computationally hard" access structures.
• The exact power of nonlinear schemes remains unknown.
Proving Lower Bounds
• Close the gap for perfect secret sharing schemes:
  • Improve the 2^{O(n)} upper bound?
  • Improve the Ω(n^2 / log n) lower bound?
  • Even an existential proof is interesting.
• Exponential lower bounds for linear schemes:
  • Improve the n^{Ω(log n)} lower bound.
Upper & Lower Bounds: Specific Access Structures
• Directed connectivity
  • Participants correspond to edges in the complete directed graph
  • Authorized sets: graphs containing a path from v1 to v2
  • Efficient construction for undirected connectivity
  • There is an efficient computational scheme
  • Open: perfect scheme
• Perfect matching
  • Implies a scheme for directed connectivity
  • Open: perfect and computational schemes
• Weighted threshold
  • Efficient computational scheme [B+Weinreb]
  • Perfect scheme with n^{O(log n)}-bit shares
  • Open: efficient perfect scheme
  • Open: monotone formula
Secret Sharing and Oblivious Transfer
• Hamiltonian:
  • Participants correspond to edges in the complete graph
  • Authorized sets: graphs containing a Hamiltonian cycle
  • Want an efficient scheme for minimal authorized subsets, i.e. reconstruction by a minimal authorized set given the witness (the cycle)
Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then oblivious transfer protocols exist.
• I.e., Minicrypt = Cryptomania
• The construction is non-black-box
Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP ⊆ co-AM.