Download presentation

Presentation is loading. Please wait.

Published byIzabella Dunlap Modified about 1 year ago

1
Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa

2
Popular Encryption Schemes Must share a secret-key Don’t share a secret-key ComputationalSKEPKE UnconditionalOne-time pad

3
Does there exist ? Must share a secret-key Don’t share a secret-key ComputationalSKEPKE UnconditionalOne-time pad???

4
Yes (1975) Wyner Wire-tap channel model (1984) Bennett and Brassard BB84 (1993) Dolev, Dwork, Waarts and Yung Network model

5
In the model of DDWY Alice and Bob are a part of a network There are n channels between them Adversary can corrupt (observe and forge) at most t channels AliceBob

6
Indeed, in Internet There are many channels between A and B No adversary can corrupt all the routers

7
Dolev, Dwork, Waarts and Yung Showed that we can achieve (Perfect Privacy) Adversary learns no information on the secret message s (Perfect Reliability) Bob can receive s correctly (Adversary cannot forge s)

8
There are many variants NetworkAdversarySecurity UndirectedThresholdPerfect DirectedGeneralAlmost perfect and etc.

9
Many authors since DDWY Sayeed, Abu-Amara Franklin, Wright Kumar, Goudan, Srinatahn, Rangan, Narayanan, Patra, Choudhary Desmedt, Wang, Burmester, Yang Agarwal, Cramer, de Haan Garay, Ostrovsky, Fitzi, Vardhan Kurosawa, Suzuki

10
This talk NetworkAdversarySecurity UndirectedThresholdPerfect DirectedGeneralAlmost perfect

11
We begin with 1 st setting NetworkAdversarySecurity UndirectedThresholdPerfect DirectedGeneralAlmost perfect

12
In an Undirected Network Each channel is two-way AliceBob

13
1 Round Protocol Sender Receiver

14
2 Round Protocol Sender Receiver Sender Receiver 1st 2nd

15
PSMT denotes Perfectly Secure Message Transmission Scheme

16
DDWY showed 1-round PSMT exists iff n ≧ 3t+1 2-round PSMT exists iff n ≧ 2t+1 where the adversary can corrupt t out of n channels.

17
Let’s look at 1-round PSMT iff n ≧ 3t+1 2-round PSMTfor n = 2t+1 where an adversary can corrupt t out of n channels.

18
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Exp- time DDWY (1993) Poly- time Transmission rate

19
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Exp- time DDWY (1993) Poly- time Sayeed, Abu-Amara (1996) Transmission rate

20
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Srinathan, Narayan Rangan (2004) Exp- time DDWY (1993) Poly- time Sayeed, Abu-Amara (1996) Transmission rate

21
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Srinathan, Narayan Rangan (2004) Exp- time DDWY (1993)Agarwal, Cramer, de Haan (2006) Poly- time Sayeed, Abu-Amara (1996) Transmission rate

22
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Srinathan, Narayan Rangan (2004) Exp- time DDWY (1993)Agarwal, Cramer, de Haan (2006) Poly- time Sayeed, Abu-Amara (1996) Kurosawa, Suzuki (2008) Transmission rate

23
Alice Bob s f(1) f(t) f(n) ・ ・ ・ ・ ・ ・ Suppose that Alice chooses a random f(x) such that f(0)=s and deg f(x) ≦ t

24
Adversary Alice Bob s f(1) f(t) f(n) ・ ・ ・ ・ ・ ・ corrupts t channels.

25
Perfect Privacy Is satisfied because this is a (t+1, n)-secret sharing scheme Hence the adverasry learns no information on s.

26
Adversary Alice Bob s f(1) f(t) f(n) ・ ・ ・ ・ ・ ・ forges t channels. How about Perfect Reliability f(1)’ = f(1)+ e 1 f(t)’ = f(t)+ e t

27
Perfect Reliability Bob can compute s if X=(f(1),…, f(n)) is a codeword of a t-error correcting code.

28
X=(f(1),…, f(n)) has at most t zeros because deg f(x) ≦ t.

29
X=(f(1),…, f(n)) has at most t zeros because deg f(x) ≦ t. Hence X has the minimum Hamming weight n-t.

30
X=(f(1),…, f(n)) has at most t zeros because deg f(x) ≦ t. Hence X has the minimum Hamming weight n-t. Therefore the minimum Hamming distance of this linear code is d=n-t.

31
If n=3t+1, the minimum Hamming distance is d = n – t = (3t+1) – t = 2t+1.

32
If n=3t+1, the minimum Hamming distance is d=n – t = (3t+1) – t = 2t+1. Hence the receiver can correct t errors caused by the adversary.

33
If n=3t+1, the minimum Hamming distance of C is d=n – t = (3t+1) – t = 2t+1. Hence the receiver can correct t errors caused by the adversary by using Berlekamp-Weltch algorithm

34
If n=3t+1, the minimum Hamming distance is d=n – t = (3t+1) – t = 2t+1. Hence the receiver can correct t errors caused by the adversary. Thus perfect reliability is also satisfied.

35
If n=3t+1, the minimum Hamming distance of C is d=n – t = (3t+1) – t = 2t+1. Hence the receiver can correct t errors caused by the adversary. Thus perfect reliability is satisfied. Therefore we can obtain a 1-round PSMT easily for n ≧ 3t+1

36
If n=2t+1, however, the minimum Hamming distance is d = n - t = (2t+1) – t = t+1

37
If n=2t+1, however, the minimum Hamming distance of C is d=n-t=(2t+1)-t= t+1 Hence the receiver can only detect t errors, but cannot correct them.

38
If n=2t+1, however, the minimum Hamming distance of C is d=n-t=(2t+1)-t=t+1 Hence the receiver can only detect t errors, but cannot correct them. This is the main reason why PSMT for n=2t+1 is difficult.

39
DDWY showed Exp-time 2-round PSMT Poly-time 3-round PSMT such that the transmission rate is O(n 5 ), where the transmission rate is defined as the total number of bits transmitted the size of the secrets

40
Sayeed and Abu-Amara 2-round PSMT such that the transmission rate is O(n 3 )

41
Srinathan, Narayan and Rangan the transmission rate ≧ n for any 2-round PSMT with n=2t+1. (CRYPTO 2004)

42
Agarwal, Cramer and de Haan ・ Exp-time 2-round PSMT such that the trans. rate is O(n). (CRYPTO 2006)

43
Kurosawa and Suzuki ・ Poly-time 2-round PSMT such that the trans. rate is O(n). at Eurocrypt 2008 Final version: IEEE Trans. on IT, 2009

44
Our Idea What is a difference between error correction and PSMT ?

45
What is a difference If the sender sends a single codeword, then adversary causes t errors randomly.

46
What is a difference If the sender sends a single codeword, then adversary causes t errors randomly. Hence there is no difference.

47
However If the sender sends many codewords X 1, …, X m, then the errors are not totally random because the errors always occur at the same t (or less) places !

48
Our Observation Suppose that the receiver received Y 1 =X 1 + E 1, …, Y m =X m + E m, where E 1, …, E m are error vectors

49
Our Observation Let E = [E 1, …, E m ]. Then dim E ≦ t because the errors always occur at the same t (or less) places !

50
But The receiver does not know the error vectors E 1, …, E m

51
Our Contribution We introduced a notion of pseudo-dimension pseudo-basis,

52
Let Y= {Y 1, …, Y m } Let E = [E 1, …, E m ]. If Y has Pseudo dim kthen E has dim k If Y has a Pseudo basis {Y j1, …, Y jk } then E has a basis {E j1, …, E jk } Intuition

53
Our Contribution We then showed a poly-time algorithm which finds pseudo-basis and pseudo-dimension from Y={Y 1, …, Y m }.

54
More Observation For example, E 1 =(1,0, …, 0), E 2 =(1,1,0, …, 0), … E t =(1,…,1,0, …, 0), is a basis of E.

55
More Observation E 1 =(1,0, …, 0), NonZero(E 1 )={1} E 2 =(1,1,0, …, 0), NonZero(E 2 )={1,2} … E t =(1,…,1,0, …, 0), NonZero(E t )={1, …, t}

56
More Observation E 1 =(1,0, …, 0), NonZero(E 1 )={1} E 2 =(1,1,0, …, 0), NonZero(E 2 )={1,2} … E t =(1,…,1,0, …, 0), NonZero(E t )={1, …, t} Define FORGED = U NonZero(E i ) basis

57
More Observation E 1 =(1,0, …, 0), NonZero(E 1 )={1} E 2 =(1,1,0, …, 0), NonZero(E 2 )={2} … E t =(1, …, 1, 0, …, 0), NonZero(E t )= {t} Define FORGED ≡ U basis NonZero(E i ) Then FORGED = {all forged channels}

58
Our basic 2-round PSMT Let t = 1 and n = 2t+1 = 3 That is, Adversary can corrupt 1 out of 3 channels

59
It consists of 3 phases Encryption phase Error detection phase Decryption phase We run them in parallel

60
Encryption phase (1 st R) R sends random f 1 (x), f 2 (x) and f 3 (x) with deg f i (x) ≦ 1 as follows f 1 (x) f 2 (x) f 3 (x) S R

61
Encryption phase (1 st R) S receives f 1 ’(x), f 2 ’(x) and f 3 ’(x) f 1 ’(x) f 2 ’(x) f 3 ’(x) S

62
Encryption phase (2 nd R) S broadcasts c = s + f 1 ’(1) +f 2 ’(2) + f 3 ’(3) c c c S R

63
Encryption phase (2 nd R) R can receive c correctly by taking majority vote because at most 1 channel is corrupted c c c’ R

64
Error detection phase (1 st R) R sends X 1, X 2, X 3 such that R f 2 (1) f 2 (2) f 2 (3) X 2 || f 1 (1) f 1 (2) f 1 (3) X 1 || f 3 (1) f 3 (2) f 3 (3) X 3 ||

65
S receives S f 2 (1)’ f 2 (2)’ f 2 (3)’ Y 2 || f 1 (1)’ f 1 (2)’ f 1 (3)’ Y 1 || f 3 (1)’ f 3 (2)’ f 3 (3)’ Y 3 ||

66
From {Y 1, Y 2, Y 3 } S f 2 (1)’ f 2 (2)’ f 2 (3)’ Y2Y2 f 1 (1)’ f 1 (2)’ f 1 (3)’ Y1Y1 f 3 (1)’ f 3 (2)’ f 3 (3)’ Y3Y3 S computes the psudo-dimension k and a pseudo-basis Λ by using the proposed algorithm

67
For example S f 2 (1)’ f 2 (2)’ f 2 (3)’ Y2Y2 f 1 (1)’ f 1 (2)’ f 1 (3)’ Y1Y1 f 3 (1)’ f 3 (2)’ f 3 (3)’ Y3Y3 S computes the psudo-dimension k=1 and a pseudo-basis Λ={Y 1 }

68
S broadcasts S f 2 (1)’ f 2 (2)’ f 2 (3)’ Y2Y2 f 1 (1)’ f 1 (2)’ f 1 (3)’ Y1Y1 f 3 (1)’ f 3 (2)’ f 3 (3)’ Y3Y3 S k=1, Λ={Y 1 }

69
R sent X 1 and received Y 1 =X 1 +E 1 R f 2 (1) f 2 (2) f 2 (3) X2X2 f 1 (1) f 1 (2) f 1 (3) X1X1 f 3 (1) f 3 (2) f 3 (3) X3X3 R k=1, Λ={Y 1 }

70
Hence R can compute E 1 =Y 1 - X 1 R f 2 (1) f 2 (2) f 2 (3) X2X2 f 1 (1) f 1 (2) f 1 (3) X1X1 f 3 (1) f 3 (2) f 3 (3) X3X3 k=1, Λ={Y 1 } R

71
Suppose that E 1 =Y 1 - X 1 =[0,0,e 3 ] T R f 2 (1) f 2 (2) f 2 (3) X2X2 f 1 (1) f 1 (2) f 1 (3) X1X1 f 3 (1) f 3 (2) f 3 (3) X3X3 k=1, Λ={Y 1 } R

72
Suppose that E 1 =[0,0,e 3 ] T Then R sees that channel 3 is corrupted R f 2 (1) f 2 (2) f 2 (3) f 1 (1) f 1 (2) f 1 (3) f 3 (1) f 3 (2) f 3 (3) X1X1 X2X2 X3X3 Adversary

73
f 1 (x) f 2 (x) f 3 (x) S R What happened ? X1X1 X2X2 X3X3

74
Adversary corrupted channel 3 f 1 (x) f 2 (x) f 3 (x) S R What happened ? Adversary X1X1 X2X2 X3X3

75
Adversary corrupted channel 3 S broadcast c and Y 1 =pseudo-basis f 1 (x) f 2 (x) f 3 (x) S R S c, Y 1 What happened ? Adversary X1X1 X2X2 X3X3

76
Adversary corrupted channel 3 S broadcast c and Y 1 =pseudo-basis Then R found that channel 3 was corrupted f 1 (x) f 2 (x) f 3 (x) S R S c, Y 1 What happened ? Adversary X1X1 X2X2 X3X3

77
Adversary observed f 3 (x) and Y 1 ≃ f 1 (x) f 1 (x) f 2 (x) f 3 (x) S R S c, Y 1 In particular Adversary X1X1 X2X2 X3X3

78
Adversary observed f 3 (x) and Y 1 ≃ f 1 (x) But f 2 (2) is kept hidden f 1 (x) f 2 (x) f 3 (x) S R S c, Y 1 In particular Adversary X1X1 X2X2 X3X3 f 2 (2)

79
R can find the corrupted channel keeping f 2 (2) secret f 1 (x) f 2 (x) f 3 (x) S R S c, Y 1 In other words Adversary X1X1 X2X2 X3X3 f 2 (2)

80
If R sends f 1 (x), ⋯, f 6 (x), then R can find the corrupted channel keeping f 2 (2), f 4 (1), f 5 (2) secret f 1 (x), f 4 (x) f 2 (x), f 5 (x) f 3 (x), f 6 (x) S R S Y1Y1 Adversary

81
If R sends f 1 (x), ⋯, f 6 (x), then R can find the corrupted channel keeping f 2 (2), f 4 (1), f 5 (2) secret Only Y 1 is broadcast as a pseudo-basis f 1 (x), f 4 (x) f 2 (x), f 5 (x) f 3 (x), f 6 (x) S R S Y1Y1 Adversary

82
Going back to our basic scheme let’s look at f 3 (x) R f 3 (1) f 3 (2) f 3 (3) f 3 (x)

83
R knows that S y 1 =f 3 (1) y 2 =f 3 (2) f 3 ’(x), y 3 S received

84
y 1 =f 3 (1) S y 2 =f 3 (2) f 3 ’(x), y 3 S Δ 1 = f 3 ’(1) - y 1 Δ 2 = f 3 ’(2) - y 2 Δ 3 = f 3 ’(3) - y 3 S broadcasts Decryption phase

85
y 1 =f 3 (1) S y 2 =f 3 (2) y3y3 S Δ 1 = f 3 ’(1) -y 1 Δ 2 = f 3 ’(2) -y 2 Δ 3 = f 3 ’(3)-y 3 From these 2 equations, R can compute f 3 ’(1) =Δ 1 +f 3 (1) R

86
y 1 =f 3 (1) S y 2 =f 3 (2) y3y3 S Δ 1 = f 3 ’(1) -y 1 Δ 2 = f 3 ’(2) -y 2 Δ 3 = f 3 ’(3)-y 3 From these 2 equations, R can compute f 3 ’(2) =Δ 2 +f 3 (2) R

87
y 1 =f 3 (1) S y 2 =f 3 (2) y3y3 S Δ 1 = f 3 ’(1) -y 1 Δ 2 = f 3 ’(2) -y 2 Δ 3 = f 3 ’(3)-y 3 Then R can obtain f 3 ’(x) by applying Lagrange formula to f 3 ’(1) and f 3 ’(2) R

88
Perfect Reliability R can obtain f 1 ’(x) and f 2 ’(x) similarly

89
Perfect Reliability R can obtain f 1 ’(x) and f 2 ’(x) similarly Remember that R received c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3)

90
Perfect Reliability R can obtain f 1 ’(x) and f 2 ’(x) similarly Remember that R received c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Now R can compute s

91
Perfect Reliability R can obtain f 1 ’(x) and f 2 ’(x) similarly Remember that R received c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Now R can compute s Therefore perfect reliability is satisfied

92
Perfect Privacy S broadcasts c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3)

93
Perfect Privacy S broadcasts c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Y 1 is broadcast by S as a pseudo-basis

94
Perfect Privacy S broadcasts c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Y 1 is broadcast by S as a pseudo-basis Adversary observed f 3 ’(x)

95
Perfect Privacy S broadcasts c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Y 1 is broadcast by S as a pseudo-basis Adversary observed f 3 ’(x) But she has no info. on f 2 ’(2)= f 2 (2)

96
Perfect Privacy S broadcasts c = s + f 1 ’(1) + f 2 ’(2) + f 3 ’(3) Y 1 is broadcast by S as a pseudo-basis Adversary observed f 3 ’(x) But she has no info. on f 2 ’(2) = f 2 (2) Hence perfect privacy is also satisfied

97
Final scheme R sends many f i (x) in parallel S uses “generalized broadcast” Then we can obtain the transmission rate = O(n)

98
Now what is pseudo-basis Let C be a linear code such that the codewords are (f(1), ⋯, f(n)), where deg f(x) ≦ t That is, C={ (f(1), ⋯, f(n)) | deg f(x) ≦ t }

99
We write Y 1 = Y 2 mod C if Y 1 - Y 2 ∈ C

100
We write Y 1 = Y 2 mod C if Y 1 - Y 2 ∈ C In particular, if Y=X+E, then Y=E mod C

101
Linearly pseudo-expressed We say that Y 0 is linearly pseudo-expressed by {Y 1, ⋯, Y k } if Y 0 = a 1 Y 1 + ⋯ + a k Y k mod C for some (a 1, ⋯, a k )

102
Pseudo Span Let Λ ⊆ Y = {Y 1, ⋯, Y m }, We say that Λ pseudo spans Y if each Y i is linearly pseudo-expressed by Λ

103
Pseudo-Basis We say that Λ is a pseudo-basis of Y if it is a minimum set which pseudo-spans Y

104
Pseudo-Dimension Suppose that Λ is a pseudo-basis of Y We say that k=|Λ| is the pseudo-dimension of Y

105
Admissible Error Vector Set We say that {E 1, ⋯,E m } is an admissible error vector set of Y={Y 1, ⋯,Y m } if E i =Y i mod C for all i |U NonZero(E i )| ≦ t i

106
Theorem Let {E 1, ⋯,E m } be an admissible error vector set of Y= {Y 1, ⋯,Y m } Y= {Y 1, …, Y m }E = [E 1, …, E m ]. Y has Pseudo dim kiff E has dim k Y has a Pseudo basis {Y j1, …, Y jk } iff E has a basis {E j1, …, E jk }

107
Corollary Let {E 1, ⋯,E m } be the real error vector set caused by the adversary Y= {Y 1, …, Y m }E = [E 1, …, E m ]. If Y has Pseudo dim kthen E has dim k If Y has a Pseudo basis {Y j1, …, Y jk } then E has a basis {E j1, …, E jk }

108
Next how to check linearly pseudo-expressed Y 3 –(a 1 Y 1 +a 2 Y 2 ) = 0 mod C This equation means LHS = some codeword (f(1), ⋯, f(n))

109
First construct f (a1,a2) (x) by applying Lagrange formula to the first t+1 elements of Y 3 – (a 1 Y 1 +a 2 Y 2 ) like this f (a1,a2) (1) = y 3,1 ー (a 1 y 1,1 + a 2 y 2,1 ) ⋮ f (a1,a2) (t+1) = y 3.t+1 ー (a 1 y 1,t+1 + a 2 y 2,t+1 )

110
Next check if f (a1,a2) (x) is consistent with the remaining elements of Y 3 – (a 1 Y 1 +a 2 Y 2 ) for some (a 1,a 2 ) f (a1,a2) (t+2) = y 3,t+2 ー (a 1 y 1,t+2 + a 2 y 2,t+2 ) ⋮ f (a1,a2) (n) = y 3,n ー (a 1 y 1,n + a 2 y 2,n )

111
This can be done easily By checking if the following linear equations has a solution (a 1,a 2 ) f (a1,a2) (t+2) = y 3,t+2 ー (a 1 y 1,t+2 + a 2 y 2,t+2 ) ⋮ f (a1,a2) (n) = y 3,n ー (a 1 y 1,n + a 2 y 2,n )

112
If yes, then Y 3 is linearly pseudo-expressed by {Y 1,Y 2 }

113
Algorithm for finding pseudo-basis Input: Y={Y 1, …, Y m } Let Λ=empty For i=1 to m, do: While |Λ|

114
2-round PSMT for n=2t+1 Larger than O(n)Lower bound O(n) Srinathan, Narayan Rangan (2004) Exp- time DDWY (1993)Agarwal, Cramer, de Haan (2006) Poly- time Sayeed, Abu-Amara (1996) Kurosawa, Suzuki (2008) Transmission rate

115
For the details ・ Please look at the paper Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme Kurosawa and Suzuki Preliminary: Eurocrypt 2008 Final: IEEE Trans. on IT, 2009

116
Patra, Choudhary and Rangan Used pseudo-basis to construct Communication optimal 3 and 6 round PSMT in directed networks (ICDCN 2010) 3-round communication optimal PSMT tolerating mobile mixed adversary (PODC 2010)

117
Yang and Desmedt used pseudo-basis to construct 2-round PSMT for Q 2 adversary structure (Asiacrypt 2010)

118
Open Problem (1) Can we apply pseudo-basis to another problems ?

119
Open Problem (2) The transmission rate is the total number of bits transmitted the size of the secrets

120
Open Problem (2) In our PSMT the total number of bits transmitted = O(n 3 ) the size of the secrets = O(n 2 ) to achieve the transmission rate = O(n)

121
Open Problem (2) In our PSMT the total number of bits transmitted = O(n 3 ) the size of the secrets = O(n 2 ) to achieve the transmission rate = O(n) What is a lower bound on the communication complexity to achieve our goal ?

122
Next 2nd setting NetworkAdversarySecurity UndirectedThresholdPerfect DirectedGeneralAlmost perfect

123
Desmedt et at. Threshold adversaries are not realistic when dealing with computer viruses, such as the I LOVE YOU virus and the Internet virus/worm that only spread to Windows, respectively Unix.

124
{1,2,3} use Windows SR SenderReceiver

125
{3,4} use UNIX SR SenderReceiver

126
{1,5} use TRON SR SenderReceiver

127
Adversary Structure Adversary can corrupt B 1 ={1,2,3} or B 2 ={3,4} or B 3 ={1,5}. Let Γ={B 1, B 2, B 3 } Such Γ is called an adversary structure.

128
Hirt and Maurer Introduced adversary structure in the context of multiparty protocols They generalized n ≧ 2t+1 to Q 2 adversary structure n ≧ 3t+1 to Q 3 adversary structure

129
Γ satisfies Q 2 If B i ⋃ B j ≠ {1, ⋯, n} for any B i, B j ∊ Γ

130
Γ satisfies Q 3 If B i ⋃ B j ⋃ B k ≠ {1, ⋯, n} for any B i, B j, B k ∊ Γ

131
PSMT for General Adversary 2002 Kumar, Goudan, Srinatahn, Rangan Many round PSMT for Q Desmedt, Wang, Burmester Exp-time 1-round PSMT for Q Kurosawa Poly-time 1-round PSMT for Q Yang, Desmedt Poly-time 2-round PSMT for Q 2

132
I will explain 2002 Kumar, Goudan, Srinatahn, Rangan Many round PSMT for Q Desmedt, Wang, Burmester Exp-time 1-round PSMT for Q Kurosawa Poly-time 1-round PSMT for Q Yang, Desmedt 2-round PSMT for Q 2

133
Monotone We say that Γ is monotone if B ∈ Γ and B’ ⊂ B, then B’ ∈ Γ For example. if an adversary can corrupt B={1,2,3}, then she can corrupt B’={1,2} clearly. In what follows, we assume that Γ is monotone

134
Proposition For any monotone adversary structure Γ, there exists a linear secret sharing scheme such that if B ∈ Γ, then B has no information on s If A ∉ Γ, then A can reconstruct s

135
Proposition For any monotone adversary structure Γ, there exists a (linear) secret sharing scheme such that if B ∈ Γ, then B has no information on s If A ∉ Γ, then A can reconstruct s We call such a scheme a secret sharing scheme for Γ

136
What is a difference between Shamir’s threshold secret sharing scheme and general secret sharing schemes ?

137
Secret Sharing Scheme Sharing phase: For a secret s, Dealer computes a share vector V=(v 1, ⋯, v n ), and gives v i to player P i

138
Secret Sharing Scheme Reconstruction phase: Suppose that some subset of players B ∈ Γ open forged shares Let Y=V+E where V is a share vector and E is an error vector

139
In Shamir’s threshold SS, If n ≧ 3t+1, then Berlekamp-Weltch algorithm can correct t erros in Y=V+E in poly-time

140
For Q 3 adversary structure, no secret sharing scheme was known such that s can be reconstructed in poly-time from Y (=V+E) This is the reason why the construction of 1-round PSMT for Q 3 is difficult

141
I constructed A secret sharing scheme for Q 3 such that s can be reconstructed from Y (=V+E) in poly-time

142
Proposed construction For a Q 3 -adversary structure Γ, let LSSS be a linear secret sharing scheme such that if B ∈ Γ, then B has no information on s If A ∉ Γ, then A can reconstruct s

143
Step 1 LSSS v1 ⋮vnv1 ⋮vn s r0r0

144
Step 2 LSSS u 11 ⋮ u 1n v1v1 r1r1 LSSS v1 ⋮vnv1 ⋮vn s r0r0

145
Dealer distributes P1P1 (v 1, r 1 ) u 11 P2P2 u 12 ⋮⋮ PnPn u 1n

146
Similarly LSSS u 21 ⋮ u 2n v2v2 r2r2 LSSS v1v2 ⋮vnv1v2 ⋮vn s r0r0

147
Dealer distributes P1P1 (v 1, r 1 ) u 11 u 21 P2P2 u 12 (v 2, r 2 ) u 22 ⋮⋮⋮ PnPn u 1n u 2n

148
And so on. P1P1 (v 1, r 1 ) u 11 u 21 ⋯ u n1 P2P2 u 12 (v 2, r 2 ) u 22 ⋯ u n2 ⋮⋮⋮⋯⋮ PnPn u 1n u 2n ⋯ (v n, r n ) u nn

149
In the Reconstruction phase Suppose that some subset of players B ∈ Γ open forged shares We will show a poly-time algorithm which can reconstruct s

150
Suppose that P1P1 (v 1, r 1 ) u 11 u 21 ⋯ u n1 P2P2 u 12 (v 2, r 2 ) u 22 ⋯ u n2 ⋮⋮⋮⋯⋮ PnPn u 1n u 2n ⋯ (v n, r n ) u nn Each player opened blue shares

151
Decoding algorithm: Step 1 LSSS u 11 ⋮ u 1n v1v1 r1r1 Run the LSSS on input (v 1, r 1 ) to generate red shares

152
Then compare the red shares with the blue shares LSSS u 11 ⋮ u 1n v1v1 r1r1 u 11 ⋮ u 1n Accept v 1 if { j | u 1j ≠ u 1j } ∈ Γ ≠ =

153
Similarly LSSS u i1 ⋮ u in vivi riri Run the LSSS on input (v i, r i ) to generate red shares

154
Compare the red shares with the blue shares LSSS u i1 ⋮ u in vivi riri u i1 ⋮ u in Accept v i if { j | u ij ≠ u ij } ∈ Γ

155
Decoding algorithm: Step 2 Finally apply the reconstruction alorithm of the LSSS to {acepted v i }, and reconstruct s

156
That is, Reconstruction algorithm of LSSS { accepted v i } s

157
Theorem Proposed scheme is a secret sharing scheme for a Q 3 adversary structure Γ

158
Theorem Proposed scheme is a secret sharing scheme for a Q 3 adverary structure Γ Even if some B ∈ Γ open forged shares, the decoding algorithm can reconstruct s in poly-time in the size of the LSSS (which is the total size of the shares)

159
Application to PSMT We can construct a 1-round PSMT for any Q 3 -adverary structure which runs in poly-time in the size of the underlying LSSS

160
Proposed PSMT Channel 1 (v 1, r 1 ) u 11 u 21 ⋯ u n1 Channel 2 u 12 (v 2, r 2 ) u 22 ⋯ u n2 ⋮⋮⋮⋯⋮ Channel n u 1n u 2n ⋯ (v n, r n ) u nn

161
For Q 3 adversary structure 2005 Desmedt, Wang, Burmester Exp-time 1-round PSMT 2009 Kurosawa Poly-time 1-round PSMT

162
For the details Please look at the paper ePrint 2009/263 General Error Decodable Secret Sharing Scheme and Its Application Kaoru Kurosawa

163
Summary Poly-time 2-round PSMT for n=2t+1 with the trans. rate O(n) Poly-time 1-round PSMT for Q 3 adversary structure

164
Open Problems It seems that there are many open problems in this area because there are many variants of this model, some parameters to be optimized.

165
THANK YOU !!

166
Brief Announcement on our new result ePrint 2010/609 The Round Complexity of General VSS Ashish Choudhary Kaoru Kurosawa Arpita Patra

167
Verifiable Secret Sharing (VSS) Is a fundamental building block in many distributed cryptographic protocols. In this model, Adversary can corrupt not only some subset of players but also the dealer

168
Even though, A unique secret must be reconstructed in the reconstruction phase no matter how malicious players behave.

169
STOC 2001 Gennaro, Ishai, Kushilevitz and Rabin showed that 2 round VSS is possible iff n ≧ 4t+1 3 round VSS is possible iff n ≧ 3t+1

170
TCC 2006 Fitzi, Garay, Gollakota, Rangan and Srinathan Constructed a poly-time 3-round VSS for n ≧ 3t+1

171
We consider general adversary Our resultPrevious 2-round VSSiff Γ is Q 4 n ≧ 4t+1 3-round VSSiff Γ is Q 3 n ≧ 3t+1

172
As a special case of our VSS We can obtain a more efficient 3-round VSS than the VSS of Fitzi et al. for n = 3t+1 The communication complexity of the reconstruction phase is reduced from O(n 3 ) to O(n 2 )

173
Further We point out a flaw in the reconstruction phase of VSS of Fitzi et al., and show how to fix it.

174
For the details Please look at the paper ePrint 2010/609 The Round Complexity of General VSS Ashish Choudhary Kaoru Kurosawa Arpita Patra

175
THANK YOU, AGAIN !!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google