1 On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase Ronald Cramer, Ivan Damgard, Serge Fehr

2 Introduction
– Secret sharing (introduced by Shamir): an l-bit secret is distributed to n players, and every player holds a share. Any set of more than t shares lets a player recover the secret.
– Privacy: if an adversary sees up to t shares, it still learns no information about the secret. Correctness: t+1 shares are enough to reconstruct.

3 Introduction
– This paper considers more: some players (at most t) may be corrupted and may contribute wrong shares.
– We want every player to be able to reconstruct the secret in this situation.
– If t ≥ n/2, no one can be sure that its reconstruction is correct.
– If t < n/3, standard methods give an optimal solution with no error.

4 Introduction
– We only consider n/3 ≤ t < n/2.
– An honest player can either reconstruct the secret or output “failure” (failure probability 2^(-Ω(k)), where k is the security parameter).
– When t = ⌊(n-1)/2⌋, there is a lower bound of O(nl + kn^2) on the information sent.
– This bound is also tight.

5 Communication Model
– Secure-channels model with broadcast: there is a set of players {P_1, …, P_n} and a dealer D, and every pair has a secure private channel.
– Adversary: active (corrupts at most t players); rushing (can decide what to send after all honest players have sent); static or adaptive (static means it must choose the players to corrupt before the execution starts).

6 Single-Round Honest-Dealer VSS
– Distribution phase: the honest dealer generates shares s_i = (k_i, y_i), i = 1…n, according to a fixed and publicly known conditional probability distribution P_{S_1…S_n|S}(…|s), where s is the secret, and privately sends s_i to P_i.
– Reconstruction phase: each player P_i is required to broadcast ŷ_i, which is supposed to equal y_i. Each player P_i then decides on the secret s based on k_i and the broadcast values ŷ_1, …, ŷ_n (it outputs s or “failure”).

7
– The adversary can change the ŷ_j that P_j broadcasts when P_j is corrupted; honest players always have ŷ_j = y_j.
– The adversary may be rushing or non-rushing, static or adaptive.

8
– A Single-Round Honest-Dealer VSS is (t, n, 1-δ)-secure if:
– Privacy: the adversary gains no information about s from the distribution phase.
– (1-δ)-correctness: in the reconstruction phase, each uncorrupted player outputs s or “failure”, and outputs “failure” with probability δ.

9
– We can repeat the scheme m times to bring the error rate down to δ^m.
– This definition is very general: we do not care about the details of the implementation.

10 Theoretical Lower Bound and Tightness Proof of SRHD-VSS

11 Lower Bound on Reconstruction Complexity
– For any family of Single-Round Honest-Dealer VSS schemes that is (t, n, 1-δ)-secure against an active, rushing adversary: if and for a security parameter k, then the total information broadcast in the reconstruction phase is lower bounded by
– H is the entropy of S, by definition:

12 Reduced Theorem: Proposition 1
– Let be the messages distributed by the SRHD-VSS. In the case of odd n, the size of any public share Y_i is lower bounded by
– While for even n, it is the size H(Y_i Y_j) of every pair Y_i ≠ Y_j that is lower bounded by

13 A Little Authentication Theory
– Let K, M, Y, Z be random variables with joint distribution P_KMYZ such that M is independent of K and Z but uniquely defined by Y and Z. Then, knowing Z, one can compute a value consistent with K and Z with probability*
* P_I stands for the impersonation attack

14 A Little Authentication Theory
– Also, knowing Z and Y, one can compute a value consistent with K and Z, and a with probability*:
* P_S stands for the substitution attack

15 Observation of P_S and P_I
– Let K, M, Y, Z be as above. If M is uniformly distributed over a non-trivial set, then, knowing Z, one can compute a value consistent with K and Z, and a , with probability:
– A successful impersonation attack is a successful substitution attack by definition, since M is uniformly distributed and M' ≠ M.

16 Proof of Proposition 1 (1/3)
[Figure: players P_1, P_2, …, P_{i-1}, P_i, …, P_t, P_{t+1}; P_{t+1} broadcasts either Y_{t+1} or Y'_{t+1}. Either the red players are honest or vice versa.]
– P_i can thus not compute S with certainty. We then let*
*Note that the semantics of δ is for P_i to decide “failure”, and a recoverable error may still be counted in. See Section 6 for the correctness proof.

17 Proof of Proposition 1 (2/3)
– Apply Observation 1 by letting K = K_i, M = S, Y = Y_{t+1}, and Z = (K_1, …, K_{i-1}, Y_1, …, Y_t).
– Then use the δ:

18 A Little Information Theory
– Chain rule of mutual information

19 Proof of Proposition 1 (3/3)
– Using the chain rule, we have
– And since S_1 … S_t cannot work without S_{t+1}, we have
– And the proposition follows.

20 Theorem 2: Theorem 1 is Tight
– For , there is a scheme secure against an adaptive and rushing adversary with total communication complexity of O(kn^2) bits.
– Proof by constructing one.

21 Construction of the SRHD-VSS (1/3)
– Given a (t+1, n) threshold secret sharing scheme and an authentication scheme, e.g. a family of strongly universal hash functions.
– Dealer: “everyone gets a share, every pair gets a key” …
– S →
– Select a random

22 Construction of the SRHD-VSS (2/3)
– Dealer: “a golden blade as witness, a jade seal as proof” – generate an authentication tag for every player P_j.
– Everyone: “contending for the throne is everyone's responsibility” – P_i sends its tag to P_j for all i, j with i ≠ j.

23 Making Ω(k) (3/3)
– Use Shamir's secret sharing scheme over a field F with |F| > n.
– Choose the hash family h_{α,β}(X) = αX + β over F.
– As such, the attack can succeed with probability 1/|F|.
– Choose
– The desired result follows.
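The construction on slides 21 to 23, worked through as an added example (this is not the authors' code; the layout of keys and tags per ordered pair, and the rule "accept a share only if its tag verifies, interpolate only if all accepted shares lie on one degree-t polynomial, otherwise output failure" are assumptions of this example). A corrupted player who changes its share must guess each verifier's (α, β) tag, which succeeds with probability 1/|F|; the forged-tags run shows that even in that event honest players output "failure" rather than a wrong secret.

```python
import random
P = 2**61 - 1  # prime field F with |F| > n; a substitution succeeds with probability 1/|F|

def lagrange(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (x - xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def deal(secret, n, t):
    """Honest dealer: Shamir share y_i, a key K_ji=(alpha,beta) for each ordered pair (P_j checks P_i),
    and the tag alpha*y_i+beta that P_i later shows to P_j (assumed layout of the slide's scheme)."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(t)]
    y = {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P for i in range(1, n + 1)}
    key = {(j, i): (random.randrange(1, P), random.randrange(P))
           for j in range(1, n + 1) for i in range(1, n + 1) if i != j}
    tag = {(i, j): (a * y[i] + b) % P for (j, i), (a, b) in key.items()}
    return y, key, tag

def reconstruct(v, t, y_v, keys_v, broadcast):
    """P_v's decision rule: accept a share only if its tag verifies under K_vi, then
    interpolate if the accepted shares lie on one degree-<=t polynomial, else 'failure'."""
    accepted = [(v, y_v)]
    for i, (yhat, tags) in broadcast.items():
        if i != v:
            a, b = keys_v[i]
            if tags.get(v) == (a * yhat + b) % P:  # h_{alpha,beta}(X) = alpha*X + beta
                accepted.append((i, yhat))
    if len(accepted) < t + 1:
        return "failure"
    base = accepted[:t + 1]
    if any(lagrange(base, x) != yx for x, yx in accepted[t + 1:]):
        return "failure"  # an accepted share is off the polynomial: refuse rather than guess
    return lagrange(base, 0)

def run(secret=12345, n=7, t=3, bad=1, tags_forged=False):
    """Constructed scenario: P_bad broadcasts a wrong share; its tags are random guesses,
    or (tags_forged=True) the correct tags, i.e. the 1/|F| event that every guess succeeded."""
    y, key, tag = deal(secret, n, t)
    others = lambda i: [j for j in range(1, n + 1) if j != i]
    bcast = {i: (y[i], {j: tag[(i, j)] for j in others(i)}) for i in range(1, n + 1)}
    fake = (y[bad] + 1) % P
    bcast[bad] = (fake, {j: (key[(j, bad)][0] * fake + key[(j, bad)][1]) % P if tags_forged
                         else random.randrange(P) for j in others(bad)})
    return [reconstruct(v, t, y[v], {i: key[(v, i)] for i in others(v)}, bcast) for v in others(bad)]
```

With n = 7 and t = 3 (so n/3 ≤ t < n/2 as on slide 4), the six honest players all recover 12345 in the guessed-tags run and all output "failure" in the forged-tags run.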

24 Thanks Presented by 游騰楷 呂育恩 葉恆青
