
1 Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa

2 Popular Encryption Schemes

                | Must share a secret key | Don't share a secret key
  Computational | SKE                     | PKE
  Unconditional | One-time pad            |

3 Does there exist ?

                | Must share a secret key | Don't share a secret key
  Computational | SKE                     | PKE
  Unconditional | One-time pad            | ???

4 Yes
  (1975) Wyner: wire-tap channel model
  (1984) Bennett and Brassard: BB84
  (1993) Dolev, Dwork, Waarts and Yung: network model

5 In the model of DDWY, Alice and Bob are part of a network. There are n channels between them. The adversary can corrupt (observe and forge) at most t channels. (Figure: Alice and Bob joined by n parallel channels.)

6 Indeed, in the Internet there are many channels between A and B, and no adversary can corrupt all the routers.

7 Dolev, Dwork, Waarts and Yung showed that we can achieve
  (Perfect Privacy) the adversary learns no information on the secret message s, and
  (Perfect Reliability) Bob receives s correctly (the adversary cannot forge s).

8 There are many variants

  Network    | Adversary | Security
  Undirected | Threshold | Perfect
  Directed   | General   | Almost perfect
  etc.

9 Many authors since DDWY: Sayeed, Abu-Amara; Franklin, Wright; Kumar, Goudan, Srinathan, Rangan, Narayanan, Patra, Choudhary; Desmedt, Wang, Burmester, Yang; Agarwal, Cramer, de Haan; Garay, Ostrovsky, Fitzi, Vardhan; Kurosawa, Suzuki.

10 This talk

  Network    | Adversary | Security
  Undirected | Threshold | Perfect
  Directed   | General   | Almost perfect

11 We begin with the 1st setting: undirected network, threshold adversary, perfect security.

  Network    | Adversary | Security
  Undirected | Threshold | Perfect
  Directed   | General   | Almost perfect

12 In an undirected network each channel is two-way. (Figure: Alice and Bob joined by two-way channels.)

13 1-Round Protocol: a single message flow, Sender → Receiver.

14 2-Round Protocol: two message flows in opposite directions, a 1st round and a 2nd round (in the schemes below, Receiver → Sender first, then Sender → Receiver).

15 PSMT denotes Perfectly Secure Message Transmission Scheme

16 DDWY showed 1-round PSMT exists iff n ≧ 3t+1 2-round PSMT exists iff n ≧ 2t+1 where the adversary can corrupt t out of n channels.

17 Let's look at: 1-round PSMT iff n ≧ 3t+1, and 2-round PSMT for n = 2t+1, where an adversary can corrupt t out of n channels.

18-22 2-round PSMT for n=2t+1: transmission rate

              | rate larger than O(n)     | rate O(n) (lower bound O(n): Srinathan, Narayan, Rangan 2004)
  Exp-time    | DDWY (1993)               | Agarwal, Cramer, de Haan (2006)
  Poly-time   | Sayeed, Abu-Amara (1996)  | Kurosawa, Suzuki (2008)

23 Suppose that Alice chooses a random f(x) such that f(0) = s and deg f(x) ≦ t, and sends f(i) over channel i (i = 1, …, n).

24 The adversary corrupts t channels. (Figure: Alice sends f(1), …, f(n); t of the channels are under the adversary's control.)

25 Perfect Privacy is satisfied because this is a (t+1, n)-secret sharing scheme. Hence the adversary learns no information on s.

26 How about Perfect Reliability? The adversary forges t channels, say f(1)' = f(1) + e_1, …, f(t)' = f(t) + e_t.

27 Perfect Reliability Bob can compute s if X=(f(1),…, f(n)) is a codeword of a t-error correcting code.

28-30 For nonzero f(x) with deg f(x) ≦ t, X = (f(1), …, f(n)) has at most t zeros. Hence every nonzero codeword has Hamming weight at least n-t, and the minimum Hamming distance of this linear code C = { (f(1), …, f(n)) | deg f(x) ≦ t } is d = n-t.

31-35 If n = 3t+1, the minimum Hamming distance of C is d = n - t = (3t+1) - t = 2t+1. Hence the receiver can correct the t errors caused by the adversary, for example with the Berlekamp-Welch algorithm. Thus perfect reliability is also satisfied. Therefore we easily obtain a 1-round PSMT for n ≧ 3t+1.

36-38 If n = 2t+1, however, the minimum Hamming distance of C is d = n - t = (2t+1) - t = t+1. Hence the receiver can only detect t errors, but cannot correct them. This is the main reason why PSMT for n = 2t+1 is difficult.

39 DDWY showed an exp-time 2-round PSMT, and a poly-time 3-round PSMT whose transmission rate is O(n^5), where the transmission rate is defined as (the total number of bits transmitted) / (the size of the secrets).

40 Sayeed and Abu-Amara: a 2-round PSMT whose transmission rate is O(n^3).

41 Srinathan, Narayan and Rangan (CRYPTO 2004): the transmission rate is ≧ n for any 2-round PSMT with n = 2t+1.

42 Agarwal, Cramer and de Haan (CRYPTO 2006): an exp-time 2-round PSMT whose transmission rate is O(n).

43 Kurosawa and Suzuki (Eurocrypt 2008; final version: IEEE Trans. on IT, 2009): a poly-time 2-round PSMT whose transmission rate is O(n).

44 Our Idea What is a difference between error correction and PSMT ?

45-46 What is the difference? If the sender sends a single codeword, the adversary places t errors at positions of her choice, which from the receiver's point of view are arbitrary. Hence there is no difference.

47 However, if the sender sends many codewords X_1, …, X_m, then the errors are not totally random, because the errors always occur at the same t (or fewer) places!

48 Our Observation: Suppose that the receiver received Y_1 = X_1 + E_1, …, Y_m = X_m + E_m, where E_1, …, E_m are error vectors.

49 Let E = [E_1, …, E_m] be the space spanned by the error vectors. Then dim E ≦ t, because the errors always occur at the same t (or fewer) places!

50 But The receiver does not know the error vectors E 1, …, E m

51 Our Contribution: we introduced the notions of pseudo-dimension and pseudo-basis.

52 Intuition: Let Y = {Y_1, …, Y_m} and E = [E_1, …, E_m]. If Y has pseudo-dimension k, then E has dimension k. If Y has a pseudo-basis {Y_j1, …, Y_jk}, then E has a basis {E_j1, …, E_jk}.

53 Our Contribution We then showed a poly-time algorithm which finds pseudo-basis and pseudo-dimension from Y={Y 1, …, Y m }.

54-57 More Observation: For example, E_1 = (1,0,…,0), E_2 = (1,1,0,…,0), …, E_t = (1,…,1,0,…,0) is a basis of E, with NonZero(E_1) = {1}, NonZero(E_2) = {1,2}, …, NonZero(E_t) = {1,…,t}. Define FORGED = ∪_{E_i ∈ basis} NonZero(E_i). Then FORGED = {all forged channels}: every error vector is a linear combination of the basis, so its nonzero positions lie inside FORGED (here FORGED = {1,…,t}).

58 Our basic 2-round PSMT Let t = 1 and n = 2t+1 = 3 That is, Adversary can corrupt 1 out of 3 channels

59 It consists of 3 phases Encryption phase Error detection phase Decryption phase We run them in parallel

60 Encryption phase (1st round): R chooses random f_1(x), f_2(x), f_3(x) with deg f_i(x) ≦ 1 and sends f_i(x) over channel i (i = 1, 2, 3).

61 Encryption phase (1st round): S receives f_1'(x), f_2'(x), f_3'(x), where f_i'(x) = f_i(x) unless channel i was forged.

62 Encryption phase (2nd round): S broadcasts c = s + f_1'(1) + f_2'(2) + f_3'(3), i.e. sends c over all three channels.

63 Encryption phase (2nd round): R receives c correctly by majority vote, because at most 1 channel is corrupted.

64 Error detection phase (1st round): R also sends X_1, X_2, X_3, where X_i = (f_i(1), f_i(2), f_i(3)) and the j-th component f_i(j) travels over channel j.

65 S receives Y_1, Y_2, Y_3, where Y_i = (f_i(1)', f_i(2)', f_i(3)') and f_i(j)' = f_i(j) unless channel j was forged.

66 From {Y_1, Y_2, Y_3}, S computes the pseudo-dimension k and a pseudo-basis Λ by using the proposed algorithm.

67 For example, S computes the pseudo-dimension k = 1 and the pseudo-basis Λ = {Y_1}.

68 S broadcasts k = 1 and Λ = {Y_1}.

69 R sent X_1 and now receives Y_1 = X_1 + E_1 from the broadcast.

70 Hence R can compute E_1 = Y_1 - X_1.

71 Suppose that E_1 = Y_1 - X_1 = [0, 0, e_3]^T with e_3 ≠ 0.

72 Then R sees that channel 3 is corrupted.

73-76 What happened? The adversary corrupted channel 3. S broadcast c and the pseudo-basis Y_1. Then R found that channel 3 was corrupted.

77-79 In particular, the adversary observed f_3(x) (it travelled over channel 3) and Y_1 ≃ f_1(x) (it was broadcast). But f_2(2) is kept hidden: of the degree-1 polynomial f_2(x) she saw only the single point f_2(3). In other words, R can find the corrupted channel while keeping f_2(2) secret.

80-81 If R sends f_1(x), …, f_6(x), two polynomials per channel (f_1, f_4 over channel 1; f_2, f_5 over channel 2; f_3, f_6 over channel 3), then R can still find the corrupted channel while keeping f_2(2), f_4(1), f_5(2) secret, because only Y_1 is broadcast as a pseudo-basis.

82 Going back to our basic scheme, let's look at f_3(x): R sent f_3(x) over channel 3 and X_3 = (f_3(1), f_3(2), f_3(3)) with f_3(j) over channel j.

83 R knows that S received f_3'(x) and Y_3 = (y_1, y_2, y_3) with y_1 = f_3(1) and y_2 = f_3(2), since channels 1 and 2 are not corrupted; y_3 may be forged.

84 Decryption phase: S broadcasts Δ_1 = f_3'(1) - y_1, Δ_2 = f_3'(2) - y_2, Δ_3 = f_3'(3) - y_3.

85-86 From the first two equations R can compute f_3'(1) = Δ_1 + f_3(1) and f_3'(2) = Δ_2 + f_3(2).

87 Then R obtains f_3'(x) by applying the Lagrange formula to f_3'(1) and f_3'(2) (two points determine a polynomial of degree ≦ 1).

88-91 Perfect Reliability: R obtains f_1'(x) and f_2'(x) similarly. Remember that R received c = s + f_1'(1) + f_2'(2) + f_3'(3). Now R can compute s. Therefore perfect reliability is satisfied.

92-96 Perfect Privacy: S broadcasts c = s + f_1'(1) + f_2'(2) + f_3'(3), and Y_1 is broadcast by S as a pseudo-basis. The adversary observed f_3'(x). But she has no information on f_2'(2) = f_2(2): she saw only the single point f_2(3) of the degree-1 polynomial f_2(x), and the broadcast Δ's for f_2 are just her own errors. Hence perfect privacy is also satisfied.
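The basic t = 1, n = 3 scheme of slides 58-96, run end to end. This is an added example written for this transcript, not code from the talk or from the Kurosawa-Suzuki paper; the prime field size, the adversary's strategy (replace everything on one channel by random values) and all function names are assumptions made here. Channel i is the evaluation point x = i, and broadcast is modelled as S sending the same value on all three channels with R taking the majority, as on slide 63.

```python
# Added example (not code from the talk or the Kurosawa-Suzuki paper): the basic
# 2-round PSMT for t = 1, n = 3 of the preceding slides, run end to end against an
# adversary who corrupts one channel. The field size and the adversary's choices are
# constructed for the example; channel i is the evaluation point x = i.
import random

P = 10007
N, T = 3, 1


def line_eval(f, x):
    """f = (a0, a1) stands for the polynomial a0 + a1*x (deg f <= 1)."""
    return (f[0] + f[1] * x) % P


def line_through(p, q):
    """Lagrange for two points: the degree-<=1 polynomial through p = (x1, y1), q = (x2, y2)."""
    (x1, y1), (x2, y2) = p, q
    a1 = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    return ((y1 - a1 * x1) % P, a1)


def is_codeword(Y):
    """Y = (y1, y2, y3) lies in C = {(f(1), f(2), f(3)) : deg f <= 1} iff the line through
    the first two points also passes through the third (d = n - t = 2: detect, not correct)."""
    return line_eval(line_through((1, Y[0]), (2, Y[1])), 3) == Y[2]


def run(s, bad, seed=0):
    """Transmit s from S to R; `bad` (1..3) is the channel the adversary observes and forges.
    Returns (s as recovered by R, the adversary's view)."""
    rng = random.Random(seed)
    # Round 1, R -> S: f_i(x) over channel i, and X_i = (f_i(1), f_i(2), f_i(3)) with
    # f_i(j) over channel j. The adversary replaces whatever travels on channel `bad`.
    f = [(rng.randrange(P), rng.randrange(P)) for _ in range(N)]
    X = [[line_eval(f[i], j) for j in range(1, N + 1)] for i in range(N)]
    f_recv = [(rng.randrange(P), rng.randrange(P)) if i + 1 == bad else f[i] for i in range(N)]
    Y = [[(x + rng.randrange(1, P)) % P if j + 1 == bad else x
          for j, x in enumerate(X[i])] for i in range(N)]
    # S: a pseudo-basis of {Y_1, Y_2, Y_3}. With t = 1 the error space has dimension <= 1,
    # so the first Y_i that is not a codeword pseudo-spans all of them.
    basis = [i for i in range(N) if not is_codeword(Y[i])][:T]
    # Round 2, S -> R (broadcast = sent over all 3 channels, R takes the majority):
    # c = s + f_1'(1) + f_2'(2) + f_3'(3), the pseudo-basis, and Delta_ij = f_i'(j) - y_ij.
    c = (s + sum(line_eval(f_recv[i], i + 1) for i in range(N))) % P
    delta = [[(line_eval(f_recv[i], j + 1) - Y[i][j]) % P for j in range(N)] for i in range(N)]
    # R: FORGED from E_j = Y_j - X_j over the pseudo-basis, then f_i'(j) = Delta_ij + f_i(j)
    # on two unforged channels, interpolate f_i'(x), and strip the mask from c.
    forged = {j + 1 for i in basis for j in range(N) if Y[i][j] != X[i][j]}
    good = [j for j in range(N) if j + 1 not in forged][:2]
    f_prime = [line_through(*[(j + 1, (delta[i][j] + X[i][j]) % P) for j in good])
               for i in range(N)]
    s_rec = (c - sum(line_eval(f_prime[i], i + 1) for i in range(N))) % P
    # What the adversary saw: f on her channel, the column f_i(bad), and every broadcast.
    # The mask f_i(i) of a polynomial that is neither on channel `bad` nor in the
    # pseudo-basis stays hidden from her: she holds only the single point f_i(bad).
    view = {"f_on_bad": f[bad - 1], "column": [X[i][bad - 1] for i in range(N)],
            "broadcast": (c, [(i + 1, Y[i]) for i in basis], delta)}
    return s_rec, view
```

`run(42, 3)` returns `(42, view)`: R recovers s whichever channel is corrupted, and `view` lists exactly what the adversary saw, from which the one remaining mask f_i(i) cannot be derived. The Δ values for an unforged polynomial are the negatives of her own errors, which is why broadcasting them costs no privacy.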

97 Final scheme R sends many f i (x) in parallel S uses “generalized broadcast” Then we can obtain the transmission rate = O(n)

98 Now, what is a pseudo-basis? Let C be the linear code whose codewords are (f(1), ⋯, f(n)) with deg f(x) ≦ t, that is, C = { (f(1), ⋯, f(n)) | deg f(x) ≦ t }.

99 We write Y_1 = Y_2 mod C if Y_1 - Y_2 ∈ C.

100 In particular, if Y = X + E with X ∈ C, then Y = E mod C.

101 Linearly pseudo-expressed: We say that Y_0 is linearly pseudo-expressed by {Y_1, ⋯, Y_k} if Y_0 = a_1 Y_1 + ⋯ + a_k Y_k mod C for some (a_1, ⋯, a_k).

102 Pseudo-span: Let Λ ⊆ Y = {Y_1, ⋯, Y_m}. We say that Λ pseudo-spans Y if each Y_i is linearly pseudo-expressed by Λ.

103 Pseudo-basis: We say that Λ is a pseudo-basis of Y if it is a minimum set which pseudo-spans Y.

104 Pseudo-dimension: Suppose that Λ is a pseudo-basis of Y. We say that k = |Λ| is the pseudo-dimension of Y.

105 Admissible error vector set: We say that {E_1, ⋯, E_m} is an admissible error vector set of Y = {Y_1, ⋯, Y_m} if E_i = Y_i mod C for all i, and |∪_i NonZero(E_i)| ≦ t.

106 Theorem: Let {E_1, ⋯, E_m} be an admissible error vector set of Y = {Y_1, ⋯, Y_m}, and let E = [E_1, ⋯, E_m]. Then Y has pseudo-dimension k iff E has dimension k, and Y has a pseudo-basis {Y_j1, ⋯, Y_jk} iff E has a basis {E_j1, ⋯, E_jk}.

107 Corollary: Let {E_1, ⋯, E_m} be the real error vector set caused by the adversary (it is admissible, since she forges at most t channels), and let E = [E_1, ⋯, E_m]. If Y has pseudo-dimension k then E has dimension k, and if Y has a pseudo-basis {Y_j1, ⋯, Y_jk} then E has a basis {E_j1, ⋯, E_jk}.

108 Next, how to check whether Y_3 is linearly pseudo-expressed by {Y_1, Y_2}: Y_3 - (a_1 Y_1 + a_2 Y_2) = 0 mod C. This equation means LHS = some codeword (f(1), ⋯, f(n)).

109 First construct f_{(a1,a2)}(x) by applying the Lagrange formula to the first t+1 elements of Y_3 - (a_1 Y_1 + a_2 Y_2), like this: f_{(a1,a2)}(1) = y_{3,1} - (a_1 y_{1,1} + a_2 y_{2,1}), ⋮, f_{(a1,a2)}(t+1) = y_{3,t+1} - (a_1 y_{1,t+1} + a_2 y_{2,t+1}).

110 Next check whether f_{(a1,a2)}(x) is consistent with the remaining elements of Y_3 - (a_1 Y_1 + a_2 Y_2) for some (a_1, a_2): f_{(a1,a2)}(t+2) = y_{3,t+2} - (a_1 y_{1,t+2} + a_2 y_{2,t+2}), ⋮, f_{(a1,a2)}(n) = y_{3,n} - (a_1 y_{1,n} + a_2 y_{2,n}).

111 This can be done easily by checking whether these linear equations in (a_1, a_2) have a solution: the Lagrange interpolant is linear in its input values, so each equation is linear in (a_1, a_2).

112 If yes, then Y_3 is linearly pseudo-expressed by {Y_1, Y_2}.

113 Algorithm for finding a pseudo-basis. Input: Y = {Y_1, …, Y_m}. Let Λ = ∅. For i = 1 to m: if |Λ| < t and Y_i is not linearly pseudo-expressed by Λ, add Y_i to Λ. Finally output Λ as a pseudo-basis of Y (and |Λ| as the pseudo-dimension).
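Working code for two passages of the talk: the correction-versus-detection distinction of slides 27-38 (d = 2t+1 for n = 3t+1, d = t+1 for n = 2t+1) and the pseudo-basis definitions and algorithm of slides 98-113. It is an added example, not code from the talk or the paper; the field size, the polynomials and the error patterns in `pseudo_basis_demo` are constructed here, and the function names are assumptions. One substitution from the slides: the test "do the linear equations in (a_1, a_2) have a solution?" is carried out as a rank test on residual vectors, which is the same condition because the residual map (interpolate from the first t+1 coordinates, record the mismatch on the rest) is linear and vanishes exactly on codewords.

```python
# Added example, not code from the talk or the Kurosawa-Suzuki paper. Field size,
# polynomials and error patterns are constructed here; channel j is the point x = j.
from itertools import combinations

P = 10007  # prime field; needs P > n


def interp_eval(points, x):
    """Lagrange: value at x of the degree < len(points) polynomial through `points`."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def encode(coeffs, n):
    """Codeword X = (f(1), ..., f(n)) of f(x) = coeffs[0] + coeffs[1] x + ...; f(0) is the secret."""
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in range(1, n + 1)]


def apply_errors(X, errors):
    """The adversary adds errors[j] to the coordinate carried by channel j (1-based)."""
    return [(x + errors.get(j, 0)) % P for j, x in enumerate(X, start=1)]


def decode_candidates(Y, t):
    """f(0) of every degree-<=t polynomial agreeing with Y on >= n-t coordinates.
    Exactly one element when n >= 3t+1 (d = 2t+1); several when n = 2t+1 (d = t+1)."""
    n, pts, found = len(Y), list(enumerate(Y, start=1)), set()
    for sub in combinations(pts, t + 1):
        if sum(interp_eval(sub, x) == y for x, y in pts) >= n - t:
            found.add(interp_eval(sub, 0))
    return found


def residual(Y, t):
    """Interpolate from the first t+1 coordinates and report the mismatch on the rest.
    residual(Y) == 0 iff Y is a codeword, and the map is linear, so the slides' question
    'is Y0 - (a1 Y1 + ... + ak Yk) a codeword for some a?' becomes a rank test."""
    head = list(enumerate(Y[:t + 1], start=1))
    return [(Y[j - 1] - interp_eval(head, j)) % P for j in range(t + 2, len(Y) + 1)]


def rank(rows):
    """Rank of a list of vectors over GF(P), by Gaussian elimination."""
    rows, rk = [r[:] for r in rows], 0
    for col in range(len(rows[0]) if rows else 0):
        piv = next((i for i in range(rk, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rk], rows[piv] = rows[piv], rows[rk]
        inv = pow(rows[rk][col], P - 2, P)
        rows[rk] = [v * inv % P for v in rows[rk]]
        for i in range(len(rows)):
            if i != rk and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[rk])]
        rk += 1
    return rk


def pseudo_expressed(Y0, basis, t):
    """Is Y0 = a1 Y1 + ... + ak Yk mod C for some (a1, ..., ak)?"""
    rs = [residual(Y, t) for Y in basis]
    return rank(rs + [residual(Y0, t)]) == rank(rs)


def pseudo_basis(Ys, t):
    """Greedy algorithm of the slides; returns the 0-based indices of the chosen Y_i."""
    chosen = []
    for i, Y in enumerate(Ys):
        if len(chosen) == t:
            break
        if not pseudo_expressed(Y, [Ys[j] for j in chosen], t):
            chosen.append(i)
    return chosen


def forged_channels(Xs, Ys, chosen):
    """FORGED = union over the pseudo-basis of NonZero(E_j), E_j = Y_j - X_j; only R knows X_j."""
    return {c for j in chosen for c, (x, y) in enumerate(zip(Xs[j], Ys[j]), start=1) if x != y}


def pseudo_basis_demo():
    """n = 2t+1 = 7, the adversary forges channels {2, 5, 7}, R sends m = 5 codewords.
    E_3 = 2 E_1 and E_5 = E_2 + E_4, so dim E = 3 = t and only Y_1, Y_2, Y_4 are kept."""
    n, t = 7, 3
    polys = [[11, 2, 3, 4], [5, 6, 7, 8], [9, 1, 0, 2], [3, 3, 3, 3], [1, 0, 1, 0]]
    errors = [{2: 5}, {2: 5, 5: 3}, {2: 10}, {7: 1}, {2: 5, 5: 3, 7: 1}]
    Xs = [encode(p, n) for p in polys]
    Ys = [apply_errors(X, e) for X, e in zip(Xs, errors)]
    chosen = pseudo_basis(Ys, t)
    return chosen, forged_channels(Xs, Ys, chosen)
```

`decode_candidates` lists every secret consistent with a received word: with n = 4, t = 1 one corrupted coordinate leaves a single candidate, with n = 3 it leaves three, which is the n = 2t+1 obstacle of slides 36-38 in concrete form. `pseudo_basis_demo()` returns `([0, 1, 3], {2, 5, 7})`: the pseudo-dimension equals dim E = 3, and the union of the basis error supports is exactly the set of forged channels, as slide 57 claims.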

114 2-round PSMT for n=2t+1: transmission rate

              | rate larger than O(n)     | rate O(n) (lower bound O(n): Srinathan, Narayan, Rangan 2004)
  Exp-time    | DDWY (1993)               | Agarwal, Cramer, de Haan (2006)
  Poly-time   | Sayeed, Abu-Amara (1996)  | Kurosawa, Suzuki (2008)

115 For the details ・ Please look at the paper Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme Kurosawa and Suzuki Preliminary: Eurocrypt 2008 Final: IEEE Trans. on IT, 2009

116 Patra, Choudhary and Rangan Used pseudo-basis to construct Communication optimal 3 and 6 round PSMT in directed networks (ICDCN 2010) 3-round communication optimal PSMT tolerating mobile mixed adversary (PODC 2010)

117 Yang and Desmedt used pseudo-basis to construct 2-round PSMT for Q 2 adversary structure (Asiacrypt 2010)

118 Open Problem (1): Can we apply pseudo-bases to other problems?

119-121 Open Problem (2): The transmission rate is (the total number of bits transmitted) / (the size of the secrets). In our PSMT the total number of bits transmitted is O(n^3) and the size of the secrets is O(n^2), which gives transmission rate O(n). What is a lower bound on the communication complexity needed to achieve our goal?

122 Next, the 2nd setting: undirected network, general adversary, perfect security.

  Network    | Adversary | Security
  Undirected | Threshold | Perfect
  Directed   | General   | Almost perfect

123 Desmedt et al.: Threshold adversaries are not realistic when dealing with computer viruses, such as the I LOVE YOU virus and the Internet worm, which spread only to Windows and Unix machines respectively.

124 Channels {1, 2, 3} use Windows. (Figure: five channels 1-5 between Sender and Receiver.)

125 Channels {3, 4} use UNIX.

126 Channels {1, 5} use TRON.

127 Adversary Structure Adversary can corrupt B 1 ={1,2,3} or B 2 ={3,4} or B 3 ={1,5}. Let Γ={B 1, B 2, B 3 } Such Γ is called an adversary structure.

128 Hirt and Maurer Introduced adversary structure in the context of multiparty protocols They generalized n ≧ 2t+1 to Q 2 adversary structure n ≧ 3t+1 to Q 3 adversary structure

129 Γ satisfies Q 2 If B i ⋃ B j ≠ {1, ⋯, n} for any B i, B j ∊ Γ

130 Γ satisfies Q 3 If B i ⋃ B j ⋃ B k ≠ {1, ⋯, n} for any B i, B j, B k ∊ Γ

131 PSMT for General Adversary
  2002 Kumar, Goudan, Srinathan, Rangan: many-round PSMT for Q2
  2005 Desmedt, Wang, Burmester: exp-time 1-round PSMT for Q3
  2009 Kurosawa: poly-time 1-round PSMT for Q3
  2010 Yang, Desmedt: poly-time 2-round PSMT for Q2

132 I will explain the 2009 result from this list: the poly-time 1-round PSMT for Q3.

133 Monotone: We say that Γ is monotone if B ∈ Γ and B' ⊂ B imply B' ∈ Γ. For example, if an adversary can corrupt B = {1,2,3}, then she can clearly corrupt B' = {1,2}. In what follows, we assume that Γ is monotone.

134-135 Proposition: For any monotone adversary structure Γ, there exists a (linear) secret sharing scheme such that if B ∈ Γ, then B has no information on s, and if A ∉ Γ, then A can reconstruct s. We call such a scheme a secret sharing scheme for Γ.

136 What is a difference between Shamir’s threshold secret sharing scheme and general secret sharing schemes ?

137 Secret Sharing Scheme Sharing phase: For a secret s, Dealer computes a share vector V=(v 1, ⋯, v n ), and gives v i to player P i

138 Secret Sharing Scheme Reconstruction phase: Suppose that some subset of players B ∈ Γ open forged shares Let Y=V+E where V is a share vector and E is an error vector

139 In Shamir's threshold SS, if n ≧ 3t+1, then the Berlekamp-Welch algorithm can correct t errors in Y = V + E in poly-time.

140 For Q 3 adversary structure, no secret sharing scheme was known such that s can be reconstructed in poly-time from Y (=V+E) This is the reason why the construction of 1-round PSMT for Q 3 is difficult

141 I constructed A secret sharing scheme for Q 3 such that s can be reconstructed from Y (=V+E) in poly-time

142 Proposed construction: For a Q3 adversary structure Γ, let LSSS be a linear secret sharing scheme such that if B ∈ Γ, then B has no information on s, and if A ∉ Γ, then A can reconstruct s.

143 Step 1: (v_1, ⋯, v_n) = LSSS(s; r_0), where r_0 is the dealer's randomness.

144 Step 2: (u_11, ⋯, u_1n) = LSSS(v_1; r_1), i.e. v_1 is shared again with randomness r_1.

145 Dealer distributes: P_1 gets (v_1, r_1) and u_11; P_2 gets u_12; ⋯; P_n gets u_1n.

146 Similarly, (u_21, ⋯, u_2n) = LSSS(v_2; r_2).

147 Dealer distributes: P_1 gets u_21; P_2 gets (v_2, r_2) and u_22; ⋯; P_n gets u_2n.

148 And so on. In total:
  P_1: (v_1, r_1), u_11, u_21, ⋯, u_n1
  P_2: (v_2, r_2), u_12, u_22, ⋯, u_n2
  ⋮
  P_n: (v_n, r_n), u_1n, u_2n, ⋯, u_nn
  That is, P_j holds (v_j, r_j) and u_ij for every i.

149 In the Reconstruction phase, suppose that some subset of players B ∈ Γ open forged shares. We will show a poly-time algorithm which can reconstruct s.

150 Suppose that each player opened the shares it holds (the blue shares in the figure): P_j opens (v_j, r_j) and u_1j, ⋯, u_nj, possibly forged if P_j ∈ B.

151 Decoding algorithm, Step 1: run the LSSS on the opened input (v_1, r_1) to regenerate the shares u_11, ⋯, u_1n (the red shares in the figure).

152 Then compare the regenerated shares with the opened (blue) shares: accept v_1 if { j | regenerated u_1j ≠ opened u_1j } ∈ Γ.

153-154 Similarly, for each i, run the LSSS on the opened (v_i, r_i) to regenerate u_i1, ⋯, u_in, compare them with the opened shares, and accept v_i if { j | regenerated u_ij ≠ opened u_ij } ∈ Γ.

155-156 Decoding algorithm, Step 2: finally apply the reconstruction algorithm of the LSSS to { accepted v_i } and reconstruct s.

157-158 Theorem: The proposed scheme is a secret sharing scheme for a Q3 adversary structure Γ. Even if some B ∈ Γ open forged shares, the decoding algorithm reconstructs s in time polynomial in the size of the LSSS (which is the total size of the shares).

159 Application to PSMT: We can construct a 1-round PSMT for any Q3 adversary structure which runs in time polynomial in the size of the underlying LSSS.

160 Proposed PSMT: the dealer's rows become the channels.
  Channel 1: (v_1, r_1), u_11, u_21, ⋯, u_n1
  Channel 2: u_12, (v_2, r_2), u_22, ⋯, u_n2
  ⋮
  Channel n: u_1n, u_2n, ⋯, (v_n, r_n), u_nn
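The two-level construction and decoding algorithm of slides 142-158, as an added example; this is not the paper's code. It uses the CNF (replicated) scheme of Ito, Saito and Nishizeki as the underlying linear secret sharing scheme, which exists for every monotone Γ and is linear in the sense the decoder needs: shares are a deterministic linear function of (secret, randomness), so an opened (v_i, r_i) can be re-expanded. The five-player Q3 structure Γ, the field, the forgery strategy and all function names are constructed here.

```python
# Added example (not the paper's code): Kurosawa's two-level, error-decodable secret
# sharing for a Q3 adversary structure, with the CNF (replicated) linear scheme as the
# underlying LSSS. The structure, field and forgery strategy are constructed for the example.
import random
from itertools import combinations_with_replacement

P = 10007
N = 5
# Maximal sets of Γ on players {1,...,5}; Γ is their monotone (downward) closure.
# Not a threshold structure: {1,2} is corruptible but {3,4} is not.
GAMMA_MAX = [frozenset({1, 2}), frozenset({3}), frozenset({4}), frozenset({5})]
K = len(GAMMA_MAX)


def in_gamma(S):
    return any(frozenset(S) <= B for B in GAMMA_MAX)


def is_q3():
    """Q3: no three sets of Γ (repetitions allowed) cover all players."""
    return all(set().union(*triple) != set(range(1, N + 1))
               for triple in combinations_with_replacement(GAMMA_MAX, 3))


def comps(j):
    """Indices k of the summands r_k that player j holds: those with j not in B_k."""
    return [k for k, B in enumerate(GAMMA_MAX) if j not in B]


def lsss_share(secret, rnd):
    """CNF scheme: secret = r_0 + ... + r_{K-1}; player j gets r_k iff j is not in B_k.
    rnd fixes r_0..r_{K-2}, so (secret, rnd) -> shares is deterministic and linear."""
    r = list(rnd) + [(secret - sum(rnd)) % P]
    return {j: tuple(r[k] for k in comps(j)) for j in range(1, N + 1)}


def lsss_reconstruct(shares):
    """shares: {player: share}. Succeeds exactly when the set of players is not in Γ."""
    r = {}
    for j, sh in shares.items():
        r.update(zip(comps(j), sh))
    if len(r) < K:
        raise ValueError("this player set is in Gamma; it cannot reconstruct")
    return sum(r.values()) % P


def lsss_share_vec(vec, rnd_rows):
    """Apply the LSSS coordinate-wise to a vector secret (a v_i is itself a share tuple)."""
    per_coord = [lsss_share(c, rnd) for c, rnd in zip(vec, rnd_rows)]
    return {j: tuple(sh[j] for sh in per_coord) for j in range(1, N + 1)}


def deal(secret, rng):
    """Step 1: (v_1..v_n) = LSSS(s; r_0). Step 2: (u_i1..u_in) = LSSS(v_i; r_i) for each i.
    Player j receives (v_j, r_j) and u_ij for every i."""
    fresh = lambda: [rng.randrange(P) for _ in range(K - 1)]
    V = lsss_share(secret, fresh())
    R = {i: [fresh() for _ in V[i]] for i in V}
    U = {i: lsss_share_vec(V[i], R[i]) for i in V}
    return {j: {"v": V[j], "r": R[j], "u": {i: U[i][j] for i in V}} for j in V}


def forge(data, rng):
    """A corrupted player opens random values of the right shape instead of its real ones."""
    rnd = lambda: rng.randrange(P)
    return {"v": tuple(rnd() for _ in data["v"]),
            "r": [[rnd() for _ in row] for row in data["r"]],
            "u": {i: tuple(tuple(rnd() for _ in sh) for sh in u) for i, u in data["u"].items()}}


def decode(opened):
    """Reconstruction with forged openings from some B in Γ. Accept v_i iff the players
    whose opened u_ij differ from the regenerated LSSS(v_i; r_i)_j form a set in Γ.
    By Q3 every accepted v_i is correct and the accepted set is not in Γ, so step 2 works."""
    accepted = {}
    for i, o in opened.items():
        regenerated = lsss_share_vec(o["v"], o["r"])
        disagree = {j for j in opened if opened[j]["u"][i] != regenerated[j]}
        if in_gamma(disagree):
            accepted[i] = o["v"]
    return lsss_reconstruct(accepted)


def demo(secret=4321, corrupt=(1, 2), seed=1):
    """Deal `secret`, let the players in `corrupt` (a set in Γ) forge everything they open."""
    rng = random.Random(seed)
    data = deal(secret, rng)
    opened = {j: forge(data[j], rng) if j in corrupt else data[j] for j in data}
    return decode(opened)
```

`demo()` deals 4321, lets players 1 and 2 (a maximal set of Γ) open random values for everything they hold, and still returns 4321. An honest v_i is accepted because the disagreeing players all lie in B ∈ Γ; a forged v_i can be accepted only if its regenerated shares agree with the honest players outside some D ∈ Γ, and by Q3 the set of players outside B ∪ D is not in Γ, so it determines v_i uniquely and the opened value must be the real one. Note that a corrupted player also learns nothing extra from r_i, since it already holds v_i.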

161 For Q 3 adversary structure 2005 Desmedt, Wang, Burmester Exp-time 1-round PSMT 2009 Kurosawa Poly-time 1-round PSMT

162 For the details Please look at the paper ePrint 2009/263 General Error Decodable Secret Sharing Scheme and Its Application Kaoru Kurosawa

163 Summary Poly-time 2-round PSMT for n=2t+1 with the trans. rate O(n) Poly-time 1-round PSMT for Q 3 adversary structure

164 Open Problems It seems that there are many open problems in this area because there are many variants of this model, some parameters to be optimized.

165 THANK YOU !!

166 Brief Announcement on our new result ePrint 2010/609 The Round Complexity of General VSS Ashish Choudhary Kaoru Kurosawa Arpita Patra

167 Verifiable Secret Sharing (VSS) Is a fundamental building block in many distributed cryptographic protocols. In this model, Adversary can corrupt not only some subset of players but also the dealer

168 Even though, A unique secret must be reconstructed in the reconstruction phase no matter how malicious players behave.

169 STOC 2001 Gennaro, Ishai, Kushilevitz and Rabin showed that 2 round VSS is possible iff n ≧ 4t+1 3 round VSS is possible iff n ≧ 3t+1

170 TCC 2006 Fitzi, Garay, Gollakota, Rangan and Srinathan Constructed a poly-time 3-round VSS for n ≧ 3t+1

171 We consider a general adversary:

                | Our result   | Previous (threshold)
  2-round VSS   | iff Γ is Q4  | iff n ≧ 4t+1
  3-round VSS   | iff Γ is Q3  | iff n ≧ 3t+1

172 As a special case of our VSS, we obtain a more efficient 3-round VSS than the VSS of Fitzi et al. for n = 3t+1: the communication complexity of the reconstruction phase is reduced from O(n^3) to O(n^2).

173 Further We point out a flaw in the reconstruction phase of VSS of Fitzi et al., and show how to fix it.

174 For the details Please look at the paper ePrint 2010/609 The Round Complexity of General VSS Ashish Choudhary Kaoru Kurosawa Arpita Patra

175 THANK YOU, AGAIN !!

