Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Sharing Schemes: A Short Survey. 3742 2538 344113296634 Secret Sharing 2.

Published byKenneth Lee Modified over 8 years ago

Similar presentations

Presentation on theme: "Secret Sharing Schemes: A Short Survey. 3742 2538 344113296634 Secret Sharing 2."— Presentation transcript:

1 Secret Sharing Schemes: A Short Survey

2 3742 2538 344113296634 Secret Sharing 2

3 3742 Secret Sharing 3 6634 3441 2538 1329 3

4 Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87] Participants: P={P 1,…,P n } Access Structure   2 P (collection of sets of parties) A scheme realizes  if: Correctness Correctness: every authorized set B  can recover s Privacy Privacy: every unauthorized set B  cannot learn anything about s 4 P1P1 P2P2 PnPn Dealer s s1s1 r s2s2 snsn

5 Applications 5 Secure storage; Secure multiparty computation; Threshold cryptography; Byzantine agreement; Access control; Private information retrieval; Attribute-based encryption; General oblivious transfer…

6 Lecture Plan Introduction and motivation Constructions Secure protocols from secret sharing Lower bounds Conclusions 6

7 Shamir’s t-out-of-n Secret Sharing Scheme 7 Access structure:  = { A  P : |A|≥t } Scheme: –Input: secret s –Dealer chooses a random polynomial Q(x)=s+r 1 x+r 2 x 2 +…+r t-1 x t-1 –Share of P j : s j = Q(j) s

8 The Connectivity Access Structure Participants – edges in an undirected graph Minimal Authorized sets: paths from vertex v 1 to vertex v 2 Example: 8 P1P1 P4P4 P3P3 P6P6 P2P2 P5P5 v1v1 v2v2

9 The Connectivity Access Structure Participants – edges in an undirected graph Minimal Authorized sets: paths from vertex v 1 to vertex v 2 Example: 9 P1P1 P6P6 P5P5 v1v1 v2v2 Scheme: s  { 0,1} r 1 =s and r 2 = 0 choose a random bit r i for vertex v i Share of edge (v i,v j ) is r i  r j sr3sr3 r4r4 r3r4r3r4 v3v3 v4v4

10 A General Construction [ItoSaitoNishizeki87] Necessary condition: access structure is monotone. Also sufficient! 10 P1P1 P2P2 s P3P3 P4P4 P5P5 r3r3 r4r4 s s r2r2 r1r1 minimal sets {P 2,P 4 } {P 1,P 2 } {P 1,P 3,P 5 } s⊕r3 ⊕r4s⊕r3 ⊕r4 s⊕r2s⊕r2 s⊕r1s⊕r1

11 General Construction II: Linear Schemes Linear secret sharing schemes – use a linear mapping to share the secret. Equivalent to monotone span programs. linear algebraic model of computation [KarchmerWigderson93]. Nearly all known schemes are linear. 11

12 12 1011 0110 0110 0011 1100 P2P2 P2P2 P1P1 P3P3 P4P4 0001 The program accepts a set B iff the rows labeled by B span the target vector. Monotone Span Programs

13 13 1011 0110 0110 0011 1100 0001 1101 1100 0001 P2P2 P2P2 P1P1 P3P3 P4P4 {P 2,P 4 } Monotone Span Programs

14 14 1011 0110 0110 0011 1100 0001 0001 1011 0110 0110 P2P2 P2P2 P1P1 P3P3 P4P4 {P 1,P 2 } Monotone Span Programs

15 s r2r2 r3r3 r4r4 15 1011 0110 0110 0011 1100 P2P2 P2P2 P1P1 P3P3 P4P4 s+ r 2 +r 4 r2+r3r2+r3 r2+r3r2+r3 s+r 2 r3+r4r3+r4 = P2P2P1P3P4P2P2P1P3P4 Example s=1,r 2 =r 3 =0, r 4 =1 0 0 0 1 1 P2P2P1P3P4P2P2P1P3P4 Span Programs  Secret Sharing Span program accepts B iff B can reconstruct s

16 s r2r2 r3r3 r4r4 16 1011 0110 0110 0011 1100 P2P2 P2P2 P1P1 P3P3 P4P4 s+r2+r4s+r2+r4 r2+r3r2+r3 r2+r3r2+r3 s+r 2 r3+r4r3+r4 = P2P2P1P3P4P2P2P1P3P4 {P 2,P 4 } 1000 s Span Programs  Secret Sharing

17 Construction III: Multi-Linear Schemes [BertilssonIngemarsson93,vanDijk97] Multi-linear secret sharing schemes – use a linear mapping to share the secret. Secret – Few field elements Equivalent to multi-target monotone span programs. 17

18 18 0100 0101 0201 1010 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Accepts B iff rows labeled by B span the target vector Span Programs 0010 Accepts B iff rows labeled by B span all target vectors Multi-target

19 19 0100 0101 0201 1010 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Span Programs  Secret Sharing 0010 Multi-target s1s1 s2s2 r3r3 r4r4 r3r3 s1+r3s1+r3 s 1 +2r 3 s2+r4s2+r4 2s 2 +5r 4 4s 2 +7r 4 = P1P1 P2P2 P3P3 P1P1 P2P2 P3P3

20 20 0100 0101 0201 1010 5020 P1P1 P2P2 P3P3 P1P1 P2P2 0001 Span Programs: Problem 0010 Multi-target s1s1 s2s2 r3r3 r4r4 r3r3 s1+r3s1+r3 s 1 +2r 3 s2+r4s2+r4 2s 2 +5r 4 = P1P1 P2P2 P3P3 P1P1 P2P2 0100 0101 0201 1010 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 r3r3 s1+r3s1+r3 s 1 +2r 3 s2+r4s2+r4 2s 2 +5r 4 4s 2 +7r 4 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3

21 21 0100 0101 0201 1010 5020 P1P1 P2P2 P3P3 P1P1 P2P2 0001 Span Programs: Problem 0010 Multi-target s1s1 s2s2 r3r3 r4r4 r3r3 s1+r3s1+r3 s 1 +2r 3 s2+r4s2+r4 2s 2 +5r 4 = P1P1 P2P2 P3P3 P1P1 P2P2

22 22 0100 0101 0201 1010 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Accepts B iff rows labeled by B span all the target vectors Span Programs: Corrected 0010 Multi-target Rejects B iff rows labeled by B do not span any target vector

23 23 0100 0101 0201 0111 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Span Programs: Problem 2 0010 Multi-target s1s1 s2s2 r3r3 r4r4 r3r3 s1+r3s1+r3 s 1 +2r 3 s1+s2+r3s1+s2+r3 2s 2 +5r 4 4s 2 +7r 4 = P1P1 P2P2 P3P3 P1P1 P2P2 P3P3

24 24 0100 0101 0201 0111 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Span Programs: Problem 2 0010 Multi-target s1s1 s2s2 r3r3 r4r4 r3r3 s1+r3s1+r3 s 1 +2r 3 s1+s2+r3s1+s2+r3 2s 2 +5r 4 4s 2 +7r 4 = P1P1 P2P2 P3P3 P1P1 P2P2 P3P3

25 25 0100 0101 0201 1010 5020 7040 P1P1 P2P2 P3P3 P1P1 P2P2 P3P3 0001 Accepts B iff rows labeled by B span all the target vectors Span Programs: Corrected! 0010 Multi-target Rejects B iff rows labeled by B do not span any combination of target vectors

26 Linear vs. Multi-Linear Secret Sharing [SimonisAshikhmin98] ∃ access structure Does not have ideal linear scheme Has ideal multi-linear scheme Secret – 2 field elements [PendavinghvanZwam13] Another example [BeimelBenEfraimPadroTyomkin13] More examples Secret – p field elements (for any prime) 26

27 Lecture Plan Introduction and motivation Constructions Secure protocols from secret sharing Lower bounds Conclusions 27

28 Homomorphism of Linear Secret Sharing 28 1100 0011 0110 0110 1011 P4P4 P3P3 P1P1 P2P2 P2P2 r4r4 r3r3 r2r2 s y5y5 y4y4 y3y3 y2y2 y1y1 = 1100 0011 0110 0110 1011 P4P4 P3P3 P1P1 P2P2 P2P2 r’ 4 r’ 3 r’ 2 s’ y’ 5 y’ 4 y’ 3 y’ 2 y’ 1 = + 1100 0011 0110 0110 1011 r 4 +r’ 4 r 3 +r’ 3 r 2 +r’ 2 s+s’ y5+y’5y5+y’5 y4+y’4y4+y’4 y3+y’3y3+y’3 y2+y’2y2+y’2 y1+y’1y1+y’1 =

29 29 Multiplicative Homomorphism of Linear Secret Sharing 1100 0011 0110 0110 1011 P4P4 P3P3 P1P1 P2P2 P2P2 r4r4 r3r3 r2r2 s y5y5 y4y4 y3y3 y2y2 y1y1 = 1100 0011 0110 0110 1011 P4P4 P3P3 P1P1 P2P2 P2P2 r’ 4 r’ 3 r’ 2 s’ y’ 5 y’ 4 y’ 3 y’ 2 y’ 1 = * PROTOCOL z1z1 z2z2 z3z3 z4z4 z5z5 Shares for s * s’ Access structure must be Q 2

30 Application: Computing a Sum 30

31 Lecture Plan Introduction and motivation Constructions Secure protocols from secret sharing Lower bounds Conclusions 31

32 Are There Efficient Secret Sharing Schemes? Every monotone access structure can be realized The known schemes for general access structures have shares of size ℓ · 2 O(n) n – number of participants ℓ – size of secrets in bits Best lower bound [Csirmaz94] : ℓ · n/log n Large gap! No significant progress made from 94 32

33 Are There Efficient Secret Sharing Schemes? 33

34 Techniques for Proving Lower Bounds Counting arguments Connected to counting the number of representable matroids Combinatorial arguments Cannot help – There are efficient weakly- private schemes Use entropy and information inequalities Proves ℓ · n/log n lower bound Information Inequalities with up to 5 variables cannot help Other Techniques? 34

35 08/30/2007IBM Crypto Seminar35 Lower Bounds for Linear Secret Sharing Schemes Explicit access structures [BabaiGalWigderson96,Gal98,GalPudlak03]: ℓ · n (log n). Technique: Access structure ⇒ Matrix M Rank(M) high ⇒ Size of MSP big Existential lower bounds: 2 (n). Counting arguments

36 Lecture Plan Introduction and motivation Constructions Secure protocols from secret sharing Lower Bounds Conclusions 36

37 37 Conclusions Secret sharing – useful in cryptography General constructions based on linear algebra Constructions are not efficient Large gap between lower & upper bounds Secret Sharing: A Survey, IWCC 2011 www.cs.bgu.ac.il/~beimel/pub.html 37

38 38

Download ppt "Secret Sharing Schemes: A Short Survey. 3742 2538 344113296634 Secret Sharing 2."

Similar presentations

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Algorithms (and Datastructures) Lecture 3 MAS 714 part 2 Hartmut Klauck.

Algorithms (and Datastructures) Lecture 3 MAS 714 part 2 Hartmut Klauck.
Secret Sharing, Matroids, and Non-Shannon Information Inequalities.

Secret Sharing, Matroids, and Non-Shannon Information Inequalities.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.

An Ω(n 1/3 ) Lower Bound for Bilinear Group Based Private Information Retrieval Alexander Razborov Sergey Yekhanin.
Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.

Locally Decodable Codes from Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers Kiran Kedlaya Sergey Yekhanin MIT Microsoft Research.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Information Theoretical Security and Secure Network Coding NCIS11 Ning Cai May 14, 2011 Xidian University.

Information Theoretical Security and Secure Network Coding NCIS11 Ning Cai May 14, 2011 Xidian University.
NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.

NON-MALLEABLE EXTRACTORS AND SYMMETRIC KEY CRYPTOGRAPHY FROM WEAK SECRETS Yevgeniy Dodis and Daniel Wichs (NYU) STOC 2009.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
The Complexity of the Network Design Problem Networks, 1978 Classic Paper Reading 99.12.

The Complexity of the Network Design Problem Networks, 1978 Classic Paper Reading
Graph Algorithms: Minimum Spanning Tree 1 2 3 4 6 5 10 1 5 4 3 2 6 1 1 8 We are given a weighted, undirected graph G = (V, E), with weight function w:

Graph Algorithms: Minimum Spanning Tree We are given a weighted, undirected graph G = (V, E), with weight function w:
Chapter 9 Graph algorithms. Sample Graph Problems Path problems. Connectedness problems. Spanning tree problems.

Chapter 9 Graph algorithms. Sample Graph Problems Path problems. Connectedness problems. Spanning tree problems.
An Efficient Construction of Secret Sharing for Generalized Adversary Structure and Its Reduction Communications, Circuits and Systems, 2004. ICCCAS 2004.

An Efficient Construction of Secret Sharing for Generalized Adversary Structure and Its Reduction Communications, Circuits and Systems, ICCCAS 2004.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
How to Share a Secret Amos Beimel. Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87] 1706 2538344113296634 ? 1706 2 bad.

How to Share a Secret Amos Beimel. Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87] ? bad.
Chapter 9 Graph algorithms Lec 21 Dec 1, 2010. Sample Graph Problems Path problems. Connectedness problems. Spanning tree problems.

Chapter 9 Graph algorithms Lec 21 Dec 1, Sample Graph Problems Path problems. Connectedness problems. Spanning tree problems.
EXPANDER GRAPHS Properties & Applications. Things to cover ! Definitions Properties Combinatorial, Spectral properties Constructions “Explicit” constructions.

EXPANDER GRAPHS Properties & Applications. Things to cover ! Definitions Properties Combinatorial, Spectral properties Constructions “Explicit” constructions.

Similar presentations

Ads by Google