Date posted: 18-Mar-2018
Secret Sharing
Qi Chen
December 14, 2015
What is secret sharing?
- A dealer knows the secret $S$ and distributes the shares of $S$ to each party.
- A set of $n$ parties $P_n = \{p_1, \dots, p_n\}$: each party owns a share.
- An authorized subset of the parties $B \subset P_n$ can reconstruct the secret from their shares.
- An unauthorized subset of the parties $T \subset P_n$ learns nothing about the secret from their shares.
Applications
- Secure storage
- Secure multiparty computation
- Threshold cryptography
- Byzantine agreement
- Access control
- Private information retrieval
- Attribute-based encryption
- General oblivious transfer
- ...
Access structure
- The collection $\mathcal{A}$ of all authorized subsets is called the access structure of a secret sharing.
- An access structure is monotone, i.e., if $A \subset B$ and $A \in \mathcal{A}$, then $B \in \mathcal{A}$.
Example
Let $P_4 = \{p_1, \dots, p_4\}$. Then
$$\mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}, \{p_1, p_2, p_3\}, \{p_1, p_2, p_4\}, \{p_1, p_3, p_4\}, \{p_2, p_3, p_4\}, \{p_1, p_2, p_3, p_4\}\}$$
is an access structure.
Access structure
Collection $\mathcal{A}^*$ of minimal sets in $\mathcal{A}$
- Let $\mathcal{A}^*$ be the collection of minimal sets in $\mathcal{A}$, i.e., $B \in \mathcal{A}^*$ if $B \in \mathcal{A}$ and $C \notin \mathcal{A}$ for every proper subset $C \subset B$.
- The access structure $\mathcal{A}$ is uniquely determined by $\mathcal{A}^*$ (by monotonicity, $\mathcal{A}$ consists of all supersets of members of $\mathcal{A}^*$).
Example
$$\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}\}$$
Remark
- Note that $\mathcal{A}^*$ is a Sperner family on $P_n$, i.e., a collection of subsets of $P_n$ in which no member contains another.
- Sperner families on $n$ elements are counted by the Dedekind numbers, which grow very fast with $n$. This indicates the difficulty of the secret-sharing problem.
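To make the relation between $\mathcal{A}$ and $\mathcal{A}^*$ concrete, here is an added example (not code from the slides) that computes the monotone closure of a set of minimal sets, recovers the minimal sets from an access structure, and checks the Sperner property. The input is the slides' four-party example, with party names written as strings; the function names are this example's own.

```python
"""Access structures from their minimal sets: monotone closure, recovery of
A* from A, and the Sperner check. Added example, not code from the slides."""
from itertools import combinations

# Constructed input: the 4-party example of the slides.
P4 = ("p1", "p2", "p3", "p4")
A_STAR = [{"p1", "p2"}, {"p2", "p3"}, {"p3", "p4"}]


def all_subsets(parties):
    """Every subset of the party set, as frozensets (2^n of them)."""
    for r in range(len(parties) + 1):
        for combo in combinations(parties, r):
            yield frozenset(combo)


def monotone_closure(minimal_sets, parties):
    """The access structure A determined by A*: every subset of the parties
    that contains some minimal authorized set."""
    minimal = [frozenset(m) for m in minimal_sets]
    return {s for s in all_subsets(parties) if any(m <= s for m in minimal)}


def minimal_sets(access_structure):
    """A*: the members of A that contain no other member of A as a proper
    subset (`<` on frozensets is the proper-subset test)."""
    auth = {frozenset(b) for b in access_structure}
    return {b for b in auth if not any(c < b for c in auth)}


def is_monotone(access_structure, parties):
    """A in A and A subset of B imply B in A: closing the family under
    supersets must give the family back."""
    auth = {frozenset(b) for b in access_structure}
    return monotone_closure(auth, parties) == auth


def is_sperner(family):
    """Sperner family: no member is a proper subset of another member."""
    fam = [frozenset(f) for f in family]
    return not any(x < y for x in fam for y in fam)


if __name__ == "__main__":
    A = monotone_closure(A_STAR, P4)
    print(len(A), "authorized sets; minimal:", minimal_sets(A))
    print("monotone:", is_monotone(A, P4), "Sperner:", is_sperner(A_STAR))
```

Running it reproduces the eight-member access structure of the earlier example from its three minimal sets, and shows that $\mathcal{A}^*$ itself is not monotone (it is an antichain), which is exactly why the two views of the same access structure are kept apart.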
Definition by probability
- A distribution scheme $\Sigma = \langle \Pi, \mu \rangle$ with domain of secrets $K$.
- $\mu$ is a probability distribution on some finite set $R$.
- $\Pi$ is a mapping from $K \times R$ to a set of $n$-tuples $K_1 \times \cdots \times K_n$, where $K_j$ is called the domain of shares of $p_j$.
- The dealer distributes $k \in K$ according to $\Sigma$ by first sampling a random string $r \in R$ according to $\mu$, computing the vector $\Pi(k, r) = (s_1, \dots, s_n)$ and privately communicating each share $s_j$ to party $p_j$.
Definition by probability
Scheme $\Sigma$ is a secret-sharing scheme realizing an access structure $\mathcal{A}$ if the following two requirements hold:
1. (Correctness) For any $B = \{p_{i_1}, \dots, p_{i_{|B|}}\} \in \mathcal{A}$, there is a reconstruction function $\mathrm{REC} : K_{i_1} \times \cdots \times K_{i_{|B|}} \to K$ such that for any $k \in K$,
$$\Pr[\mathrm{REC}(\Pi(k, r)_B) = k] = 1.$$
2. (Perfect privacy) For any $T \notin \mathcal{A}$, for any $a, b \in K$, and for every possible vector of shares $\langle s_j \rangle_{p_j \in T}$:
$$\Pr[\Pi(a, r)_T = \langle s_j \rangle_{p_j \in T}] = \Pr[\Pi(b, r)_T = \langle s_j \rangle_{p_j \in T}].$$
Definition by entropy
Consider the secret to be a random variable $S$ on $K$, and each share to be a random variable $S_j$ on $K_j$. Then the scheme $\mathcal{S} = (S, S_j)_{p_j \in P_n}$ is a secret-sharing scheme realizing access structure $\mathcal{A}$ if the following two conditions hold:
1. (Correctness) For any $B \in \mathcal{A}$,
$$H(S \mid S_B) = 0.$$
2. (Perfect privacy) For any $T \notin \mathcal{A}$,
$$H(S \mid S_T) = H(S).$$
Remark
For perfect privacy, the condition can be written as $I(S; S_T) = 0$. If we modify the condition to $I(S; S_T) = a_T$ for some $0 \le a_T \le H(S)$, the modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.
Equivalence of the two definitions
Theorem
The two definitions of secret sharing are equivalent:
- For any $\Sigma = (\Pi, \mu)$ realizing access structure $\mathcal{A}$, we can construct a random vector $\mathcal{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$.
- For any random vector $\mathcal{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$, we can accordingly construct a $\Sigma = (\Pi, \mu)$ realizing $\mathcal{A}$.
Information ratio
Information ratio by the definition of probability:
$$\rho_\Sigma \triangleq \frac{\max_{1 \le j \le n} \log |K_j|}{\log |K|}$$
Information ratio by the definition of entropy:
$$\rho_{\mathcal{S}} \triangleq \frac{\max_{1 \le j \le n} H(S_j)}{H(S)}$$
Corollary
$$\rho_\Sigma = \rho_{\mathcal{S}}$$
if $\Sigma$ corresponds to $\mathcal{S}$.
The fundamental problem of secret sharing: optimal information ratio
Let $N = \{s\} \cup P_n$ and let $\Gamma^*_N$ be the entropy function region on $N$. Let $\mathcal{A}$ be an access structure on $P_n$. Then the optimal information ratio on $\mathcal{A}$ is
$$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^*_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where
$$\Phi_{\mathcal{A}} = \{h : h(s \cup B) = h(B)\ \forall B \in \mathcal{A},\ h(s \cup T) = h(s) + h(T)\ \forall T \notin \mathcal{A}\}.$$
Shamir's threshold scheme
For $1 \le t \le n$, let $\mathcal{A}_{t,n} = \{A \subset P_n : |A| \ge t\}$. Then $\mathcal{A}_{t,n}$ is an access structure with threshold $t$. It can be realised by Shamir's scheme as follows:
- Let $K = \mathbb{F}_q$, where $q > n$ is a prime power.
- Let $\alpha_1, \dots, \alpha_n \in \mathbb{F}_q$ be $n$ distinct non-zero elements known to all parties.
- The dealer uniformly chooses $a_1, \dots, a_{t-1} \in \mathbb{F}_q$ and generates the polynomial
$$P(x) = k + \sum_{i=1}^{t-1} a_i x^i.$$
- The share of $p_j$ is $s_j = P(\alpha_j)$.
Shamir's threshold scheme
Correctness
For any $B = \{p_{i_1}, \dots, p_{i_t}\} \in \mathcal{A}^*_{t,n}$, let
$$Q(x) = \sum_{\ell=1}^{t} s_{i_\ell} \prod_{1 \le j \le t,\ j \ne \ell} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_\ell}}.$$
Note that $Q(\alpha_{i_\ell}) = s_{i_\ell} = P(\alpha_{i_\ell})$ for $1 \le \ell \le t$. Since $Q$ and $P$ both have degree at most $t - 1$ and agree at $t$ distinct points, $Q(x) = P(x)$ and hence $Q(0) = P(0) = k$.
Shamir's threshold scheme
Perfect privacy
For any $T = \{p_{i_1}, \dots, p_{i_{t-1}}\}$, the $t - 1$ shares together with each secret $a \in \mathbb{F}_q$ uniquely determine a polynomial $P_a(x)$ with $P_a(0) = a$ and $P_a(\alpha_{i_\ell}) = s_{i_\ell}$ for $1 \le \ell \le t - 1$. Hence
$$\Pr[\Pi(a, r)_T = \langle s_{i_\ell} \rangle_{1 \le \ell \le t-1}] = \frac{1}{q^{t-1}}.$$
Privacy follows because this probability is the same for every $a \in \mathbb{F}_q$.
Information ratio
- The information ratio is 1 since $K_j = K = \mathbb{F}_q$.
- It is the optimal information ratio on the access structure $\mathcal{A}_{t,n}$.
Shamir's threshold scheme by entropy
Let $\Gamma_N$ be the polymatroidal region on $N$. Let $p = \{\{s\}, P_n\}$ be a partition of $N$.
Lemma
$$\Psi^*_p = \Psi_p$$
where $\Psi^*_p = \Gamma^*_N \cap C_{\mathcal{A}_{t,n}}$, $\Psi_p = \Gamma_N \cap C_{\mathcal{A}_{t,n}}$ and
$$C_{\mathcal{A}_{t,n}} = \{h : h(A) = h(B),\ h(s \cup A) = h(s \cup B) \text{ if } |A| = |B|,\ \forall A, B \subset P_n\}.$$
Shamir's threshold scheme by entropy
For simplicity, let $\rho_{t,n} = \rho_{\mathcal{A}_{t,n}}$ and $\Phi_{t,n} = \Phi_{\mathcal{A}_{t,n}}$. Then
$$\rho_{t,n} = \inf_{h \in \Gamma^*_N \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where
$$\Phi_{t,n} = \{h : h(s \cup B) = h(B) \text{ if } |B| \ge t,\ h(s \cup B) = h(s) + h(B) \text{ if } |B| < t\}.$$
Theorem
$$\rho_{t,n} = \inf_{h \in \Psi^*_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
Shamir's threshold scheme by entropy
Theorem
$$\rho_{t,n} = \min_{h \in \Psi_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
The solution is $\rho_{t,n} = 1$ and
$$\arg\min \rho_{t,n} = \{h : h = a\, U_{t,n+1},\ a > 0\}.$$
Remark
This result can be generalized to the non-perfect threshold scheme.
Linear secret-sharing scheme
Definition
A secret-sharing scheme is linear if
- the secret $s \in \mathbb{F}$,
- each random string $r \in R$ is a vector and each entry of $r$ is chosen independently and uniformly from $\mathbb{F}$, and
- each share $s_j$ is a vector and each entry of $s_j$ is a fixed linear combination of the secret $s$ and the coordinates of the random string $r$.
Shamir's threshold scheme is linear.
Linear secret-sharing scheme
Monotone span program
A monotone span program is a triple $\mathcal{M} = (\mathbb{F}, M, \rho)$, where
- $\mathbb{F}$ is a field,
- $M$ is an $a \times b$ matrix over $\mathbb{F}$, and
- $\rho : \{1, \dots, a\} \to \{p_1, \dots, p_n\}$ labels each row of $M$ by a party.
Example
Consider the following monotone span program $(\mathbb{F}_{17}, M, \rho)$, where
$$M = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \\ 1 & 4 & 16 \end{pmatrix}$$
and $\rho(1) = \rho(2) = p_2$, $\rho(3) = p_1$ and $\rho(4) = p_3$.
Linear secret-sharing scheme
Monotone span program
- For any $A \subset P_n$, let $M_A$ denote the sub-matrix obtained by restricting $M$ to the rows labeled by parties in $A$.
- $\mathcal{M}$ accepts $B$ if the rows of $M_B$ span the vector $e_1 = (1, 0, \dots, 0)$.
- $\mathcal{M}$ accepts access structure $\mathcal{A}$ if $\mathcal{M}$ accepts a set $B$ iff $B \in \mathcal{A}$.
Example
Consider $B = \{p_1, p_2\}$ and $T = \{p_1, p_3\}$. Then
$$M_B = \begin{pmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \end{pmatrix} \quad \text{and} \quad M_T = \begin{pmatrix} 1 & 3 & 9 \\ 1 & 4 & 16 \end{pmatrix}.$$
It can be checked that the rows of $M_B$ span $e_1$ but those of $M_T$ do not. We can check further that $\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}\}$.
Linear secret-sharing scheme
Theorem
Let $\mathcal{M} = (\mathbb{F}, M, \rho)$ be a monotone span program accepting an access structure $\mathcal{A}$, where $\mathbb{F}$ is a finite field and for every $j$ there are $a_j$ rows of $M$ labeled by $p_j$. Then there is a linear secret-sharing scheme realizing $\mathcal{A}$ such that the share of party $p_j$ is a vector in $\mathbb{F}^{a_j}$. The information ratio of the resulting scheme is $\max_{1 \le j \le n} a_j$.
Theorem
Let $\Gamma^L_N$ be the region bounded by the Shannon-type information inequalities and the linear rank inequalities over $N$. Then the optimal information ratio of linear schemes on $\mathcal{A}$ is
$$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^L_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where $\Phi_{\mathcal{A}}$ is defined as above.
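As an added example (not code from the slides) serving both the acceptance test of the monotone span program example and the theorem just stated, the following Python decides acceptance by solving $\lambda M_A = e_1$ over a prime field with Gauss-Jordan elimination, recovers $\mathcal{A}^*$ by testing every subset of parties, and then runs the share generation and reconstruction of the linear scheme the program defines: each row of $M$ times the vector $(s, r_1, r_2)$ is one entry of the share of that row's party, so $p_j$'s share is a vector in $\mathbb{F}^{a_j}$. The matrix is the slides' $\mathbb{F}_{17}$ example; the labelling assumes $\rho(4) = p_3$, which is what the sub-matrix $M_T$ for $T = \{p_1, p_3\}$ in the example requires. The secret 5, the randomness $(2, 3)$ and all function names are this example's own.

```python
"""Monotone span program acceptance over a prime field, plus share generation
and reconstruction for the linear scheme it defines. Added example, not code
from the slides."""
from itertools import combinations

P = 17                                               # the field F_17
M = [[1, 1, 1], [1, 2, 4], [1, 3, 9], [1, 4, 16]]    # a x b = 4 x 3
RHO = {1: "p2", 2: "p2", 3: "p1", 4: "p3"}           # row index -> party
PARTIES = ("p1", "p2", "p3")
E1 = [1] + [0] * (len(M[0]) - 1)                     # e1 = (1, 0, ..., 0)


def transpose(rows):
    return [list(col) for col in zip(*rows)]


def solve_mod(A, b, p):
    """Solve A x = b over F_p by Gauss-Jordan elimination. Returns one solution
    (free variables set to 0) or None when the system is inconsistent."""
    m, n = len(A), len(A[0])
    aug = [[v % p for v in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], p - 2, p)               # p is prime
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][n] for i in range(r, m)):          # 0 = non-zero: no solution
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def sub_program(subset):
    """Row indices and rows of M_A: the rows of M labelled by parties in A."""
    idx = [i for i in sorted(RHO) if RHO[i] in subset]
    return idx, [M[i - 1] for i in idx]


def accepts(subset):
    """M accepts A iff the rows of M_A span e1, i.e. some lambda satisfies
    lambda * M_A = e1, which is the linear system M_A^T lambda = e1^T."""
    idx, MA = sub_program(subset)
    return bool(MA) and solve_mod(transpose(MA), E1, P) is not None


def minimal_authorized():
    """A* of the access structure accepted by M, by testing every subset."""
    accepted = [frozenset(c) for r in range(1, len(PARTIES) + 1)
                for c in combinations(PARTIES, r) if accepts(c)]
    return {b for b in accepted if not any(c < b for c in accepted)}


def share(secret, randomness):
    """v = (s, r_1, ..., r_{b-1}); row i of M times v is one entry of the
    share of party rho(i), so p_j's share is a vector in F^{a_j}."""
    v = [secret % P] + [x % P for x in randomness]
    out = {q: [] for q in PARTIES}
    for i in sorted(RHO):
        out[RHO[i]].append(sum(a * x for a, x in zip(M[i - 1], v)) % P)
    return out


def reconstruct(shares, subset):
    """For an accepted set A, lambda * M_A = e1 gives lambda * (M_A v) = s."""
    idx, MA = sub_program(subset)
    lam = solve_mod(transpose(MA), E1, P) if MA else None
    if lam is None:
        return None                                   # subset is unauthorized
    entries, seen = {}, {q: 0 for q in PARTIES}
    for i in sorted(RHO):                             # row i -> share entry
        q = RHO[i]
        if q in shares:
            entries[i] = shares[q][seen[q]]
        seen[q] += 1
    return sum(l * entries[i] for l, i in zip(lam, idx)) % P


if __name__ == "__main__":
    print("A* =", minimal_authorized())
    sh = share(5, [2, 3])
    print("shares:", sh, "-> {p1,p2}:", reconstruct(sh, ("p1", "p2")),
          "{p1,p3}:", reconstruct(sh, ("p1", "p3")))
```

The information ratio of this scheme is $\max_j a_j = 2$, because $p_2$ holds two field elements while the secret is one; the unauthorized set $\{p_1, p_3\}$ gets `None` from `reconstruct` precisely because no $\lambda$ with $\lambda M_T = e_1$ exists.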
Lower bounds on the information ratio
Theorem
Let $p_j$ be a non-redundant party in $\mathcal{A}$ and let $\Sigma$ be any secret-sharing scheme realizing $\mathcal{A}$. Then
$$|K_j| \ge |K|,$$
which implies that $\rho_{\mathcal{A}} \ge 1$ for any $\mathcal{A}$.
Ideal secret-sharing scheme
A secret-sharing scheme whose information ratio is 1 is called an ideal secret-sharing scheme.
Csirmaz's lower bound
Csirmaz's access structure
We define the access structure $\mathcal{A}_n$ by its minimal sets $\mathcal{A}^*_n$.
- Let $k$ be the largest integer such that $2^k + k - 1 \le n$.
- Let $B = \{p_1, \dots, p_{2^k - 1}\}$ and define $B_0 = \emptyset$ and $B_i = \{p_1, \dots, p_i\}$ for $1 \le i \le 2^k - 1$.
- Let $A = \{p_{2^k}, \dots, p_{2^k + k - 1}\}$, and let $A = A_0, A_1, \dots, A_{2^k - 1} = \emptyset$ be all the subsets of $A$, ordered so that if $i < i'$ then $A_i \not\subset A_{i'}$.
- Define $U_i = A_i \cup B_i$ for $0 \le i \le 2^k - 1$.
Then $\mathcal{A}^*_n = \{U_i : 0 \le i \le 2^k - 1\}$.
Theorem
The information ratio of any secret-sharing scheme realizing the access structure constructed above is $\Omega(n / \log n)$.
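To see the construction concretely, here is an added example (not code from the slides) that builds $\mathcal{A}^*_n$ for a given $n$ exactly as above: it picks the largest $k$ with $2^k + k - 1 \le n$, orders the subsets of $A$ by non-increasing size so that $i < i'$ implies $A_i \not\subset A_{i'}$, and forms $U_i = A_i \cup B_i$; it then verifies that the $2^k$ minimal sets form a Sperner family and use exactly $2^k + k - 1$ parties. Party names are strings such as `p1`, and the value $n = 10$ used below is illustrative.

```python
"""Csirmaz's access structure A_n, given by its minimal sets U_i = A_i | B_i as
on the slides, with a check that the 2^k minimal sets form a Sperner family.
Added example, not code from the slides."""
from itertools import combinations


def largest_k(n):
    """The largest k with 2^k + k - 1 <= n."""
    k = 0
    while 2 ** (k + 1) + k <= n:          # i.e. 2^(k+1) + (k+1) - 1 <= n
        k += 1
    return k


def csirmaz_minimal_sets(n):
    """A*_n = {U_0, ..., U_{2^k - 1}}, returned as a list in index order."""
    k = largest_k(n)
    B = [f"p{i}" for i in range(1, 2 ** k)]             # p_1 .. p_{2^k - 1}
    A = [f"p{i}" for i in range(2 ** k, 2 ** k + k)]    # p_{2^k} .. p_{2^k + k - 1}
    # The 2^k subsets of A in non-increasing size: A_0 = A, A_{2^k - 1} = {},
    # and i < i' implies A_i is not a subset of A_i' (equal size and distinct,
    # or strictly larger).
    subsets_of_A = [frozenset(c) for r in range(k, -1, -1)
                    for c in combinations(A, r)]
    # B_i = {p_1, ..., p_i} is an increasing chain; U_i = A_i | B_i.
    return [A_i | frozenset(B[:i]) for i, A_i in enumerate(subsets_of_A)]


def is_sperner(family):
    """No member of the family is a proper subset of another member."""
    fam = [frozenset(f) for f in family]
    return not any(x < y for x in fam for y in fam)


def parties_used(minimal_sets):
    """All parties appearing in some minimal set: 2^k + k - 1 of them."""
    return frozenset().union(*minimal_sets)


if __name__ == "__main__":
    for n in (10, 25):
        U = csirmaz_minimal_sets(n)
        print(n, "parties: k =", largest_k(n), "minimal sets =", len(U),
              "Sperner:", is_sperner(U), "used:", len(parties_used(U)))
```

Why the family is Sperner: for $i < i'$, $U_i \subset U_{i'}$ would force $A_i \subset A_{i'}$ (the $A$- and $B$-parts are disjoint), which the ordering rules out, and $U_{i'} \subset U_i$ would force $B_{i'} \subset B_i$, which the chain rules out. Note that the construction uses only $2^k + k - 1 \le n$ parties; the remaining parties of $P_n$ are redundant in $\mathcal{A}_n$.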
Csirmaz's lower bound
Lemma
For every $0 \le i \le 2^k - 2$,
$$H(B_i \cup A) - H(B_i) \ge H(B_{i+1} \cup A) - H(B_{i+1}) + H(S).$$
Proof sketch of Theorem
$$\sum_{p_j \in A} H(p_j) \ge H(A) \ge H(B_0 \cup A) - H(B_0) \ge H(B_{2^k - 1} \cup A) - H(B_{2^k - 1}) + (2^k - 1) H(S) = \Omega(n) H(S).$$
Since $|A| = k = O(\log n)$ while $2^k - 1 = \Omega(n)$ by the choice of $k$, this implies that $H(p_j) = \Omega(n / \log n) H(S)$ for at least one $p_j$.
Remark
Both the Lemma and the inequalities in the proof sketch are Shannon-type.
Lower bounds for linear secret sharing
Theorem
For any $n$, there exists an access structure $\mathcal{A}_n$ such that every monotone span program over any field accepting it has size $n^{\Omega(\log n)}$.
Limitations of known techniques for lower bounds
- No better lower bound has been found since Csirmaz's lower bound in 1994.
- Shannon-type information inequalities cannot help to improve the bound.
- All information inequalities with fewer than 6 random variables cannot help to improve the bound.
Open problems
Question 1
Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is $2^{\Omega(n)}$.
Question 2
Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain $\{0, 1\}$ is super-polynomial in $n$.
Question 3
Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is $2^{\Omega(n)}$.
Bibliography
A. Beimel, "Secret-sharing schemes: a survey," Coding and Cryptology, Springer, 2011.
Q. Chen and R. W. Yeung, "Partition-Symmetrical Entropy Functions," submitted to IEEE Trans. Inf. Theory.
Discussion
What can we do?
Thank you!