Date post: 18-Aug-2020
Robust Secret Sharing Schemes Against Local Adversaries Allison Bishop Lewko Valerio Pastro Columbia University April 2, 2015 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 1 / 22

Robust Secret Sharing Schemes Against Local Adversaries

Allison Bishop Lewko Valerio Pastro

Columbia University

April 2, 2015


Secret Sharing (Informal)

(Share, Rec) pair of algorithms:

$s \xrightarrow{\mathsf{Share}} (s_1, \dots, s_n) \xrightarrow{\mathsf{Rec}} s$

t-privacy: $s_1, \dots, s_t$ ⇒ no info on $s$

r-reconstructability: $s_1, \dots, s_r$ ⇒ $s$ uniquely determined

For threshold schemes: $r = t + 1$.


Example: Shamir Secret Sharing [Sha79]

$\mathbb{F}$ field, public $x_1, \dots, x_n \in \mathbb{F}$.

$\mathsf{Shamir.Share}_t(s)$:

1. pick uniform $a_1, \dots, a_t \in \mathbb{F}$
2. define polynomial $f(X) := s + \sum_{j=1}^{t} a_j X^j \in \mathbb{F}[X]$
3. compute $s_i \leftarrow f(x_i)$
4. output $(s_1, \dots, s_n)$

$\mathsf{Shamir.Rec}_t(s_1, \dots, s_n)$:

1. Lagrange interpolation to recover $f(X)$
2. output $f(0)$


Robust Secret Sharing – Standard Model

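(Share, Rec) Secret Sharing, $(t, \delta)$-robust: for any $\mathsf{Adv}$,

$s \xrightarrow{\mathsf{Share}} (s_1, \dots, s_t, s_{t+1}, \dots, s_n)$

$(\tilde{s}_1, \dots, \tilde{s}_t) = \mathsf{Adv}(s_1, \dots, s_t)$

$(\tilde{s}_1, \dots, \tilde{s}_t, s_{t+1}, \dots, s_n) \xrightarrow{\mathsf{Rec}} s'$

$\Pr[s' \neq s] \leq \delta$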


Robust Secret Sharing – with Local Adversaries

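(Share, Rec) Secret Sharing, locally $(t, \delta)$-robust: for any $\mathsf{Adv}_1, \dots, \mathsf{Adv}_t$,

$s \xrightarrow{\mathsf{Share}} (s_1, \dots, s_t, s_{t+1}, \dots, s_n)$

$\tilde{s}_1 = \mathsf{Adv}_1(s_1), \dots, \tilde{s}_t = \mathsf{Adv}_t(s_t)$

$(\tilde{s}_1, \dots, \tilde{s}_t, s_{t+1}, \dots, s_n) \xrightarrow{\mathsf{Rec}} s'$

$\Pr[s' \neq s] \leq \delta$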


Does Locality Make Sense?

It captures the following:

Pre-Game: Players talk to each other, set their actions

Game: Players are given private inputs. Players run protocol without revealing inputs to others. Output of protocol is set.

Post-Game: Players talk to each other again, possibly revealing inputs

Similar to collusion-free protocols [LMs05].


Locality – Possible Scenarios

Corrupt parties unwilling to coordinate (e.g. different goals)

Corrupt parties oblivious about existence of each other

Network with (independently) faulty channels

Data is required to travel fast, coordination impossible

. . .


Locality – Related Work

Interactive Proofs:

Multi-prover interactive proofs: MIP=NEXP, [BFL91] (IP=PSPACE, [Sha92])

Multi-party Computation:

Collusion-free protocols [LMs05, AKL+09, AKMZ12]
Local UC [CV12]

Leakage-resilient crypto:

Split secret state and independent leakage [DP08]


Facts about Robust Secret Sharing

[Figure: axis for $t$ with marks 0, $n/3$, $n/2$; regions labelled Easy, Tricky, Impossible]

$t < n/3$: perfect robustness ($\delta = 0$)

no share size overhead ($|s_i| = |s| =: m$)

e.g. Shamir share + Reed-Solomon decoding

RS decodes up to $(n - t)/2 > (3 \cdot t - t)/2 = t$ errors

$n/3 \leq t < n/2$: tricky!

no perfect robustness ($\delta = 2^{-k}$) [Cev11]

shares larger than secret ($|s_i| > m$) [Cev11]

All of the above: independent of standard/local adv. model
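
The easy case above (Shamir.Share_t with t < n/3, reconstruction by Reed-Solomon decoding) as an added Python example, not code from the talk or the paper. Assumptions: the prime modulus 2^61 - 1, evaluation points 1..n, Berlekamp-Welch as the decoder, and the constructed corruption of two shares; the second run uses n = 2t + 1 to show the same decoder giving up in the tricky regime.

```python
import secrets

P = 2**61 - 1  # prime modulus for the field F (assumed; any prime > n works)

def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def shamir_share(secret, t, xs):
    """Shamir.Share_t: s_i = f(x_i) for f(X) = s + a_1 X + ... + a_t X^t."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [poly_eval(coeffs, x) for x in xs]

def solve_mod_p(rows):
    """Gauss-Jordan on an augmented matrix mod P; one solution, or None."""
    rows = [r[:] for r in rows]
    ncols, pivots, r = len(rows[0]) - 1, [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue  # free variable, left at 0
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):
        return None  # inconsistent system
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = rows[i][-1]
    return sol

def poly_div_monic(num, den):
    """Divide num by a monic den; returns (quotient, remainder)."""
    num = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    for i in reversed(range(len(quot))):
        quot[i] = num[i + len(den) - 1]
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % P
    return quot, num[:len(den) - 1]

def robust_rec(xs, ys, t):
    """Berlekamp-Welch decoding of a degree-<=t polynomial, then output f(0)."""
    n = len(xs)
    e = (n - t - 1) // 2  # unique-decoding radius of the Reed-Solomon code
    rows = []
    for x, y in zip(xs, ys):
        # Q(x) - y * (E_0 + ... + E_{e-1} x^{e-1}) = y * x^e, with E monic
        row = [(-y * pow(x, j, P)) % P for j in range(e)]
        row += [pow(x, j, P) for j in range(e + t + 1)]
        rows.append(row + [y * pow(x, e, P) % P])
    sol = solve_mod_p(rows)
    if sol is None:
        return None
    f, rem = poly_div_monic(sol[e:], sol[:e] + [1])
    agree = sum(poly_eval(f, x) == y for x, y in zip(xs, ys))
    if any(rem) or agree < n - e:
        return None  # more than e shares were modified
    return f[0]

def demo():
    secret = 123456789
    easy_xs, tricky_xs = list(range(1, 8)), list(range(1, 6))
    easy = shamir_share(secret, 2, easy_xs)      # n = 7, t = 2 < n/3
    tricky = shamir_share(secret, 2, tricky_xs)  # n = 5 = 2t + 1
    for shares in (easy, tricky):                # constructed corruption of 2 shares
        shares[1] = (shares[1] + 1) % P
        shares[4] = (shares[4] + 2) % P
    return robust_rec(easy_xs, easy, 2), robust_rec(tricky_xs, tricky, 2)
```

With seven shares the two modified values are corrected and the secret comes back exactly; with five shares the decoder can only correct one error and returns None, which is why the tricky regime needs the extra authentication data.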


The Tricky Case

The trickiest case: $n = 2 \cdot t + 1$. Analysis of $|s_i|$:

standard: lower bound $m + k$ [CSV93]; best eff. construction $m + O(k + n)$ [CFOR12]; gap $n$

local adv.: $m + k - 4 \sim m + O(k)$

Our result: lower bound & eff. construction (essentially) match.


Our Construction¹

Previous Constructions

Privacy: Shamir secret sharing, degree=t

Robustness: one-time MAC, $O(n)$ keys per player.

⇒ $|s_i|$ inherently depends (at least) linearly on $n$

Our Construction

Privacy: Shamir secret sharing, degree=t

Robustness: one-time MAC, one key only.

¹ Conceptually simpler; thanks to Daniel Wichs for fruitful discussions.


In Detail

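$\mathsf{Share}(s)$:

1. sample MAC key $z \in X$
2. $(s_1, \dots, s_n) \leftarrow \mathsf{Shamir.Share}_t(s)$
3. $(z_1, \dots, z_n) \leftarrow \mathsf{Shamir.Share}_1(z)$
4. $t_i \leftarrow \mathsf{MAC}_z(s_i)$
5. output $S_i = (s_i, z_i, t_i)$ to $P_i$

$\mathsf{Rec}(S_1, \dots, S_n)$:

1. $z \leftarrow \mathsf{RS.Rec}_1(z_1, \dots, z_n)$
2. set $i \in G$ if $t_i = \mathsf{MAC}_z(s_i)$
3. $s \leftarrow \mathsf{Shamir.Rec}_t(s_G)$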


Privacy – Proof Intuition

$\mathsf{Share}(s)$:

1. sample MAC key $z \in X$
2. $(s_1, \dots, s_n) \leftarrow \mathsf{Shamir.Share}_t(s)$
3. $(z_1, \dots, z_n) \leftarrow \mathsf{Shamir.Share}_1(z)$
4. $t_i \leftarrow \mathsf{MAC}_z(s_i)$
5. output $S_i = (s_i, z_i, t_i)$ to $P_i$

t-privacy:
$z$ uniform, independent of $s, s_1, \dots, s_n$
$s_1, \dots, s_t$ give no info on $s$ (privacy of $\mathsf{Shamir.Share}_t$)
$t_1, \dots, t_t$ functions only of $z, s_1, \dots, s_t$
⇒ $S_1, \dots, S_t$ give no info on $s$


Robustness – Proof Intuition

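$\mathsf{Rec}(S_1, \dots, S_n)$:

1. $z \leftarrow \mathsf{RS.Rec}_1(z_1, \dots, z_n)$
2. set $i \in G$ if $t_i = \mathsf{MAC}_z(s_i)$
3. $s \leftarrow \mathsf{Shamir.Rec}_t(s_G)$

$(t, \delta)$-robustness:
$z$ correct, because $\mathsf{RS.Rec}_1$ decodes up to $(n - 1)/2 = (2t + 1 - 1)/2 = t$ errors

$\mathsf{Adv}_i$ sees only $s_i, z_i, t_i$
⇒ no info on $z$ (privacy of $\mathsf{Shamir.Share}_1$)

MAC $\varepsilon$-secure
⇒ $\Pr[i \in G \mid \tilde{s}_i \neq s_i] \leq \varepsilon$
⇒ $\Pr[G \subseteq H \cup P] \geq 1 - t \cdot \varepsilon$
⇒ $\delta \leq t \cdot \varepsilon$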


Possible MAC and Overhead Analysis

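Remember: $\delta \leq t \cdot \varepsilon$

Assume: $m = |s|$, $2 \cdot c = |z|$, $c = |t_i|$, $m = 2 \cdot d \cdot c$

$\mathsf{MAC} : (\mathbb{F}_{2^c})^2 \times \mathbb{F}_{2^m} \to \mathbb{F}_{2^c}$

$(a, b), (m_1, \dots, m_d) \mapsto \sum_{l=1}^{d} a^l \cdot m_l + b$

Fact: MAC is $\varepsilon = d \cdot 2^{-c}$-secure.
⇒ construction is $\delta = t \cdot \varepsilon = t \cdot d \cdot 2^{-c} = t \cdot m \cdot 2^{-c-1} \cdot c^{-1}$-secure.

Set $c = k + \log(t \cdot m) = O(k)$ ⇒ $\delta \leq t \cdot m \cdot 2^{-k - \log(t \cdot m) - 1} \cdot c^{-1} \leq 2^{-k}$

Overhead: $|z| + |t_i| = 2c + c = 3c = O(k)$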
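
An exhaustive check of the ε = d · 2^{-c} claim and of the parameter choice above, as an added Python example (not code from the talk or the paper). Assumptions: a toy field GF(2^4) with reduction polynomial x^4 + x + 1, messages of d blocks of c bits, the sum read as powers a^l of the single key element a, and log taken base 2 and rounded up.

```python
from fractions import Fraction
from itertools import product
from math import ceil, log2

C = 4            # tag length in bits; toy size so every key can be enumerated
POLY = 0b10011   # x^4 + x + 1, irreducible over GF(2), defines GF(2^4)

def gf_mul(x, y):
    """Multiply two elements of GF(2^C): carry-less product reduced by POLY."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> C:
            x ^= POLY
    return r

def mac(key, blocks):
    """MAC_(a,b)(m_1..m_d) = sum_{l=1..d} a^l * m_l + b over GF(2^C)."""
    a, b = key
    tag, power = b, 1
    for m_l in blocks:
        power = gf_mul(power, a)       # a^l
        tag ^= gf_mul(power, m_l)      # addition in GF(2^C) is XOR
    return tag

def worst_case_forgery(blocks, tag):
    """Model of a local adversary that saw (blocks, tag) but has no info on z.

    Returns (best, nkeys): nkeys keys are consistent with the observed pair,
    and the best substitution (blocks', tag') with blocks' != blocks is
    accepted by `best` of them, so its success probability is best / nkeys.
    """
    d = len(blocks)
    # For every a there is exactly one b that explains the observed tag.
    keys = [(a, mac((a, 0), blocks) ^ tag) for a in range(2**C)]
    best = 0
    for forged in product(range(2**C), repeat=d):
        if list(forged) == list(blocks):
            continue
        accepts = [0] * 2**C           # accepts[v] = keys under which v verifies
        for key in keys:
            accepts[mac(key, forged)] += 1
        best = max(best, max(accepts))
    return best, len(keys)

def parameters(k, t, m):
    """c = k + log(t*m), overhead 3c, and the bound t * m * 2^(-c-1) * c^(-1)."""
    c = k + ceil(log2(t * m))
    delta = Fraction(t * m, 2 * c * 2**c)
    return c, 3 * c, delta
```

For d = 2 blocks the best substitution is accepted by exactly 2 of the 16 consistent keys, matching ε = d · 2^{-c}; for k = 40, t = 5, m = 1024 the formula gives c = 53 and 159 bits of overhead per share.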


Optimality of Construction

Want to show:

Scheme $(t, 2^{-k})$-robust against local advs ⇒ $|s_i| \geq m + k - 4$

What we do: prove a stronger result!

Scheme $(t, 2^{-k})$-robust against oblivious advs ⇒ $|s_i| \geq m + k - 4$

local adv: $\tilde{s}_i = \mathsf{Adv}_i(s_i)$
oblivious adv: $\tilde{s}_i = \mathsf{Adv}_i(\emptyset)$

Proof structure:

1. define an oblivious attack

2. link success of attack with share size


The Attack

Let $s_{t+1}$ be the shortest share.

Specifications:

“decide” whether to corrupt $P_1, \dots, P_t$ (L) or $P_{t+2}, \dots, P_n$ (R)

sample secret $s \leftarrow \mathcal{M}$, randomness $r \leftarrow \mathcal{R}$
run $(s_1, \dots, s_n) \leftarrow \mathsf{Share}(s, r)$

if L, submit $s_1, \dots, s_t$; if R, submit $s_{t+2}, \dots, s_n$

Intuition: hope that corrupt shares & $s_{t+1}$ consistent with dishonest secret.

$\mathsf{Rec}(s_1, \dots, s_t, s_{t+1}, s_{t+2}, \dots, s_n) = \,?$
(brace above the share vector: partial sharing of $s^L$; brace below: partial sharing of $s^R$)


The Decision

Intuitively: find out whether L is more promising than R.

Graph: $(s^L, r^L)$ connected to $(s^R, r^R)$ if:
$\mathsf{Share}(s^L, r^L)_{t+1} = y = \mathsf{Share}(s^R, r^R)_{t+1}$, and $s^L \neq s^R$

Label edge with L (resp. R) if:
$\mathsf{Rec}(s^L_1, \dots, s^L_t, y, s^R_{t+2}, \dots, s^R_n) \neq s^R$ (resp. $\neq s^L$)

Decide L if #L-edges ≥ #R-edges.

[Figure: nodes $(s^L, r^L)$ and $(s^R, r^R)$ joined by an edge]


The Success (WLOG assume L)

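$\mathsf{Rec}(s_1, \dots, s_t, s_{t+1}, s_{t+2}, \dots, s_n) \neq s^R$
(braces on the slide mark parts of the share vector with $s^L$, $s$ and $s^R$)

[Figure: chain of nodes $(s, r)$, $(s^L, r^L)$, $(s^R, r^R)$; first edge: $\mathsf{Share}(s, r)_{\{1,\dots,t\}} = \mathsf{Share}(s^L, r^L)_{\{1,\dots,t\}}$; second edge: $\mathsf{Share}(s^L, r^L)_{t+1} = \mathsf{Share}(s^R, r^R)_{t+1}$]

$\delta = 2^{-k} \geq \Pr_{(s, r, s^R, r^R)}\left[\exists (s^L, r^L) \mid (s, r) \;\text{---}\; (s^L, r^L) \;\overset{L}{\text{---}}\; (s^R, r^R)\right]$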


Mass Distribution

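For $a_1, \dots, a_{t+1}$,
let $B_{a_1,\dots,a_{t+1}} = \{(s^L, r^L) \mid \mathsf{Share}(s^L, r^L)_{\{1,\dots,t+1\}} = a_1, \dots, a_{t+1}\}$,
let $A_{a_1,\dots,a_{t+1}} = \{(s, r) \mid \mathsf{Share}(s, r)_{\{1,\dots,t\}} = a_1, \dots, a_t\}$.

Fact 1*: by reconstructability, $(s', r'), (s'', r'') \in B_{a_1,\dots,a_{t+1}} \Rightarrow s' = s''$.

Fact 2: by privacy, $|A_{a_1,\dots,a_{t+1}}| \geq 2^m \cdot |B_{a_1,\dots,a_{t+1}}|$.

[Figure: chain of nodes $(s, r)$, $(s^L, r^L)$, $(s^R, r^R)$; first edge: $\mathsf{Share}(s, r)_{\{1,\dots,t\}} = \mathsf{Share}(s^L, r^L)_{\{1,\dots,t\}}$; second edge: $\mathsf{Share}(s^L, r^L)_{t+1} = \mathsf{Share}(s^R, r^R)_{t+1}$]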


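Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

$$
\begin{aligned}
2^{-k} &\geq \Pr_{(s, r, s^R, r^R)}\left[\exists (s^L, r^L) \mid (s, r) \;\text{---}\; (s^L, r^L) \;\overset{L}{\text{---}}\; (s^R, r^R)\right] && \text{(Fact 1\&2)} \\
&\geq 2^{m} \cdot \Pr_{(s^L, r^L, s^R, r^R)}\left[(s^L, r^L) \;\overset{L}{\text{---}}\; (s^R, r^R)\right] \\
&\geq 2^{m-1} \cdot \Pr_{(s^L, r^L, s^R, r^R)}\left[(s^L, r^L) \;\text{---}\; (s^R, r^R)\right] \\
&\geq 2^{m-1} \cdot \sum_{a_{t+1}} \Pr_{(s^L, r^L, s^R, r^R)}\left[\mathsf{Share}(s^L, r^L) = a_{t+1},\ \mathsf{Share}(s^R, r^R) = a_{t+1}\right] \\
&\geq 2^{m-1} \cdot \sum_{a_{t+1}} \Pr_{(s, r)}\left[\mathsf{Share}(s, r) = a_{t+1}\right]^2 && \text{(Cauchy-Schwarz)} \\
&\geq 2^{m-1} \cdot 2^{-|s_{t+1}|} \left(\sum_{a_{t+1}} \Pr_{(s, r)}\left[\mathsf{Share}(s, r) = a_{t+1}\right] \cdot 1\right)^2 \\
&= 2^{m-1} \cdot 2^{-|s_{t+1}|}
\end{aligned}
$$

$|s_{t+1}| \geq m + k - 1$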


Conclusion

Robust SS with $n = 2 \cdot t + 1$ players, eff. reconstruction. Share size:

model              construction      lower bound
standard           m + O(n + k)      m + k
NEW: local adv.    m + O(k)          m + k − 4

Future:

Locality in more complicated settings:
    info theoretic MPC: circumvent lower bounds?
    general MPC: more eff/practical protocols?

standard RSSS: lower bound & construction matching?

Thanks!
https://eprint.iacr.org/2014/909


[AKL+09] Joel Alwen, Jonathan Katz, Yehuda Lindell, Giuseppe Persiano, abhi shelat, and Ivan Visconti. Collusion-free multiparty computation in the mediated model. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Computer Science, pages 524–540. Springer, 2009.

[AKMZ12] Joel Alwen, Jonathan Katz, Ueli Maurer, and Vassilis Zikas. Collusion-preserving computation. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science, pages 124–143. Springer, 2012.

[BFL91] Laszlo Babai, Lance Fortnow, and Carsten Lund. Non-deterministic exponential time has two-prover interactive protocols. Computational Complexity, 1:3–40, 1991.

[Cev11] Alfonso Cevallos. Reducing the share size in robust secret sharing. http://www.algant.eu/documents/theses/cevallos.pdf, 2011.

[CFOR12] Alfonso Cevallos, Serge Fehr, Rafail Ostrovsky, and Yuval Rabani. Unconditionally-secure robust secret sharing with compact shares. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages 195–208. Springer, 2012.

[CSV93] Marco Carpentieri, Alfredo De Santis, and Ugo Vaccaro. Size of shares and probability of cheating in threshold schemes. In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and Application of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, volume 765 of Lecture Notes in Computer Science, pages 118–125. Springer, 1993.

[CV12] Ran Canetti and Margarita Vald. Universally composable security with local adversaries. In Ivan Visconti and Roberto De Prisco, editors, Security and Cryptography for Networks - 8th International Conference, SCN 2012, Amalfi, Italy, September 5-7, 2012. Proceedings, volume 7485 of Lecture Notes in Computer Science, pages 281–301. Springer, 2012.

[DP08] Stefan Dziembowski and Krzysztof Pietrzak. Leakage-resilient cryptography. In 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, October 25-28, 2008, Philadelphia, PA, USA, pages 293–302. IEEE Computer Society, 2008.

[LMs05] Matt Lepinski, Silvio Micali, and abhi shelat. Collusion-free protocols. In Harold N. Gabow and Ronald Fagin, editors, Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 543–552. ACM, 2005.

[Sha79] Adi Shamir. How to share a secret. Commun. ACM, 22(11):612–613, 1979.

[Sha92] Adi Shamir. IP = PSPACE. J. ACM, 39(4):869–877, 1992.
