On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase

Ronald Cramer, Ivan Damgård, Serge Fehr

Introduction

Secret sharing (introduced by Shamir): an $l$-bit secret is distributed among $n$ players, so that every player holds one share. Any $t+1$ shares determine the secret, so a player holding more than $t$ shares can find it.

Privacy: an adversary who sees up to $t$ shares learns no information about the secret. Correctness: $t+1$ shares are enough to reconstruct it.

Introduction

This paper considers more: some players (at most $t$) may be corrupted and may contribute wrong shares. We want every honest player to be able to reconstruct the secret in this situation.

If $t \geq n/2$, no one can be sure that its reconstruction is correct.

If $t < n/3$, standard methods (error correction of the shares) give an optimal solution with no error.

Introduction

We only consider $n/3 \leq t < n/2$. An honest player must then either reconstruct the secret or output "failure", with failure probability $2^{-\Omega(k)}$, where $k$ is the security parameter.

When $t = \lfloor (n-1)/2 \rfloor$, there is a lower bound of $\Omega(nl + kn^2)$ on the information sent in the reconstruction phase.

This bound is also tight.

Communication Model

Secure-channels model with broadcast:
– a set of players $\{P_1, \dots, P_n\}$ and a dealer $D$;
– every pair of parties has a secure private channel;
– a broadcast channel.

Adversary:
– active (corrupts at most $t$ players);
– rushing (can decide its own messages after all honest players have sent theirs);
– static or adaptive (static means it must choose the corrupted players before the execution; adaptive may corrupt players during it).

Single-Round Honest-Dealer VSS

Distribution phase:
– The honest dealer generates shares $s_i = (k_i, y_i)$, $i = 1, \dots, n$, according to a fixed and publicly known conditional probability distribution $P_{S_1 \dots S_n}(\cdot \mid s)$, where $s$ is the secret, and privately sends $s_i$ to $P_i$.

Reconstruction phase:
– Each player $P_i$ is required to broadcast $\hat y_i$, which is supposed to equal $y_i$. Each $P_i$ then decides on the secret $s$ based on $k_i$ and $\hat y_1, \dots, \hat y_n$, and outputs $s$ or "failure".

When $P_j$ is corrupted, the adversary chooses the $\hat y_j$ that is broadcast; honest players always have $\hat y_j = y_j$.

The adversary can be rushing or non-rushing, and static or adaptive.

A Single-Round Honest-Dealer VSS is $(t, n, 1-\delta)$-secure if:
– Privacy: the adversary gains no information about $s$ from the distribution phase.
– $(1-\delta)$-correctness: in the reconstruction phase, each uncorrupted player outputs $s$ or "failure", and outputs "failure" with probability at most $\delta$.

Repeating the scheme $m$ times (independently) reduces the error to $\delta^m$.

This definition is very general: it does not dictate the implementation.

Theoretical Lower Bound and Tightness Proof of SRHD-VSS

Lower Bound on Reconstruction Complexity

For any family of Single-Round Honest-Dealer VSS schemes that is $(t, n, 1-\delta)$-secure against an active, rushing adversary: if $t = \lfloor (n-1)/2 \rfloor$ and $\delta = 2^{-\Omega(k)}$ for a security parameter $k$, then the total information broadcast in the reconstruction phase is lower bounded by $\Omega(nH(S) + kn^2)$.

$H$ is the entropy of $S$, by definition $H(S) = -\sum_{j=0}^{J-1} S_j \log S_j$, where $S_j$ is the probability that the secret takes its $j$-th value.

Reduced Theorem: Proposition 1

Let $S_1 = (K_1, Y_1), \dots, S_n = (K_n, Y_n)$ be the shares distributed by the SRHD-VSS. In the case of odd $n$, the size of any public share $Y_i$ is lower bounded by $H(Y_i) \geq \Omega(H(S) + kn)$. For even $n$, it is the size $H(Y_i Y_j)$ of every pair $i \neq j$ that is lower bounded by $H(Y_i Y_j) \geq \Omega(H(S) + kn)$.

A Little Authentication Theory

Let $K, M, Y, Z$ be random variables with joint distribution $P_{KMYZ}$ such that $M$ is independent of $K$ and $Z$ but uniquely defined by $Y$ and $Z$. Then, knowing only $Z$, one can compute a $\hat Y$ consistent with $K$ and $Z$ with probability
$P_I \geq 2^{-I(K;Y \mid Z)}$
($P_I$ stands for an impersonation attack).

A Little Authentication Theory

Also, knowing $Z$ and $Y$, one can compute a $\hat Y$ consistent with $K$ and $Z$ that defines a message $\hat M \neq M$ with probability
$P_S \geq 2^{-H(K \mid Z)}$
($P_S$ stands for a substitution attack).

Observation of $P_S$ and $P_I$

Let $K, M, Y, Z$ be as above. If $M$ is uniformly distributed over a non-trivial set $\mathcal{M}$, then knowing only $Z$ one can compute a $\hat Y$ consistent with $K$ and $Z$ that defines a message $\hat M \neq M$ with probability
$P_S \geq 2^{-I(K;Y \mid Z)} - \frac{1}{|\mathcal{M}|}\, 2^{-I(K;Y \mid Z)} = \left(1 - \frac{1}{|\mathcal{M}|}\right) 2^{-I(K;Y \mid Z)}$.

A successful impersonation attack is by definition a successful substitution attack unless $\hat M = M$; since $M$ is uniformly distributed, $\hat M = M$ happens with probability $1/|\mathcal{M}|$.
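To make the two attack bounds concrete, here is an added example (not the paper's or the presenters' code) that counts forgery probabilities exhaustively for the affine family $h_{\alpha,\beta}(X) = \alpha X + \beta$ used later in the construction. The field size $p = 11$, the observed pair $(X, \text{tag}) = (3, 5)$ and the contrast family $h_\alpha(X) = \alpha X$ are assumptions of the example; the contrast family shows what happens when a single observation determines the key, i.e. when $H(K \mid Z)$ collapses to zero.

```python
"""Forgery probabilities for the one-time MAC h_{a,b}(x) = a*x + b over GF(p),
counted exhaustively over a small prime field.

Added example (not the paper's code). The prime p, the "weak" family
h_a(x) = a*x used as a contrast, and the observed pair (3, 5) are assumed.
"""
from fractions import Fraction
from itertools import product


def affine(key, x, p):
    """Strongly universal family: key (a, b), tag a*x + b mod p."""
    a, b = key
    return (a * x + b) % p


def linear(key, x, p):
    """Only universal: key (a,), tag a*x mod p. One observation reveals a."""
    (a,) = key
    return (a * x) % p


def affine_keys(p):
    return list(product(range(p), repeat=2))


def linear_keys(p):
    return [(a,) for a in range(p)]


def keys_consistent(p, keys, h, observed):
    """Keys under which every observed (message, tag) pair verifies, i.e. the
    keys the attacker cannot rule out from what it has seen (Z)."""
    return [k for k in keys if all(h(k, x, p) == tag for x, tag in observed)]


def impersonation_success(p, keys, h):
    """P_I: the attacker has seen nothing and picks the best (x', tag'). The key
    is uniform over `keys`, so success is #consistent-keys / #keys."""
    best = Fraction(0)
    for x, tag in product(range(p), repeat=2):
        hits = len(keys_consistent(p, keys, h, [(x, tag)]))
        best = max(best, Fraction(hits, len(keys)))
    return best


def substitution_success(p, keys, h, x, tag):
    """P_S: the attacker has seen the authentic (x, tag) and must forge (x', tag')
    with x' != x. Conditioned on the observation the key is uniform over the
    consistent keys, so success is #consistent-with-both / #consistent."""
    consistent = keys_consistent(p, keys, h, [(x, tag)])
    best = Fraction(0)
    for x2, tag2 in product(range(p), repeat=2):
        if x2 == x:
            continue
        both = keys_consistent(p, consistent, h, [(x2, tag2)])
        best = max(best, Fraction(len(both), len(consistent)))
    return best


if __name__ == "__main__":
    p = 11
    print("affine P_I =", impersonation_success(p, affine_keys(p), affine))
    print("affine P_S =", substitution_success(p, affine_keys(p), affine, 3, 5))
    print("linear P_S =", substitution_success(p, linear_keys(p), linear, 3, 5))
```

For the affine family both probabilities come out as exactly $1/p$: an observed tag leaves $p$ candidate keys (one per $\alpha$), and any forged pair on a different message is consistent with exactly one of them. For the linear family the observed pair fixes $\alpha = \text{tag} \cdot X^{-1}$, so substitution succeeds with probability 1; the pad $\beta$ is what keeps $H(K \mid Z)$ large after one use.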

Proof of Proposition 1 (1/3)

[Figure: players $P_1, \dots, P_{i-1}, P_i, \dots, P_t$ and $P_{t+1}$; $P_{t+1}$ broadcasts either $Y_{t+1}$ or a substituted $Y'_{t+1}$, and either the marked players are honest or vice versa.]

$P_i$ can thus not compute $S$ with certainty. We then let $\delta = 2^{-\Omega(k)}$.*

*Note that the semantics of $\delta$ is the probability that $P_i$ decides "failure"; a recoverable error may also be counted. See Section 6 for the correctness proof.

Proof of Proposition 1 (2/3)

Apply Observation 1 with $K = K_i$, $M = S$, $Y = Y_{t+1}$ and $Z = (K_1, \dots, K_{i-1}, Y_1, \dots, Y_t)$.

Using $\delta$ (a successful substitution makes $P_i$ output "failure", which happens with probability at most $\delta$) and $|\mathcal{M}| \geq 2$:
$\delta \geq P_S \geq \frac{1}{2}\, 2^{-I(K_i; Y_{t+1} \mid K_1 \dots K_{i-1} Y_1 \dots Y_t)}$,
hence
$I(K_i; Y_{t+1} \mid K_1 \dots K_{i-1} Y_1 \dots Y_t) \geq \Omega(k)$ for all $i \in \{1, \dots, t\}$.

A Little Information Theory

Chain rule of mutual information:
$I(K_1 \dots K_t; Y_{t+1} \mid Y_1 \dots Y_t) = \sum_{i=1}^{t} I(K_i; Y_{t+1} \mid Y_1 \dots Y_t K_1 \dots K_{i-1})$.

Proof of Proposition 1 (3/3)

Using the chain rule, we have
$H(Y_{t+1}) \geq I(K_1 \dots K_t; Y_{t+1} \mid Y_1 \dots Y_t) \geq \Omega(kt) = \Omega(kn)$.

And since $S_1, \dots, S_t$ cannot reconstruct the secret without $S_{t+1}$, we have
$H(Y_{t+1}) \geq H(S)$.

Together, $H(Y_{t+1}) \geq \Omega(H(S) + kn)$, and the proposition follows.

Theorem 2: Theorem 1 is Tight

For $t = \lfloor (n-1)/2 \rfloor$, there exists a $(t, n, 1 - 2^{-\Omega(k)})$-secure SRHD-VSS against an adaptive and rushing adversary, with total communication complexity $O(kn^2)$ bits.

Proof by constructing one.

Construction of the SRHD-VSS (1/3)

Given a $(t+1, n)$ threshold secret sharing scheme and an authentication scheme, e.g. a family $\{h_\alpha\}$ of strongly universal hash functions.

Dealer ("everyone gets a share, every pair gets a key"):
– share $S$ into $S_1, S_2, \dots, S_n$;
– for every pair $P_i, P_j$, select a random key $\alpha_{ij}$ and give it to $P_j$.

Construction of the SRHD-VSS (2/3)

Dealer ("a golden blade as proof, a jade seal as warrant"):
– for every player $P_j$, generate the authentication tag $y_{ij} = h_{\alpha_{ij}}(S_i)$ and give it to $P_i$.

Everyone ("contending for the throne is everyone's duty"):
– $P_i$ sends $\langle S_i, y_{ij} \rangle$ to $P_j$ for all $i \neq j$; $P_j$ accepts $S_i$ only if $y_{ij} = h_{\alpha_{ij}}(S_i)$.

Making the error $2^{-\Omega(k)}$ (3/3)

– Use Shamir's secret sharing scheme over a field $F$ with $|F| > n$.
– Choose the hash family $h_{\alpha,\beta}(X) = \alpha X + \beta$ over $F$; with it, a forged share passes the check with probability $1/|F|$.
– Choose $|F| \geq 2^{\Omega(k)}$.
– The desired result follows: each player broadcasts one share and $n-1$ tags of $O(k)$ bits, so the total communication is $O(kn^2)$.
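The construction end to end, as an added example (not the paper's code and not code from the presentation): Shamir sharing over an assumed field $GF(2^{61}-1)$, a pairwise key $\alpha_{ij}$ held by $P_j$ and a tag $y_{ij} = h_{\alpha_{ij}}(S_i)$ held by $P_i$, and a reconstruction phase with $n = 7$, $t = 3$ in which a rushing adversary controlling three players either guesses tags (rejected with probability $1 - 1/|F|$ each) or, to exercise the failure branch, is assumed to have obtained the verifiers' keys (the $1/|F|$ lucky event). Honest players then output "failure" and never a wrong secret, because their own $t+1$ honest shares already fix the polynomial. The seeded RNG and the two adversary strategies are assumptions of the example.

```python
"""Single-round honest-dealer VSS: Shamir sharing over GF(P) plus the one-time
MAC h_{a,b}(x) = a*x + b, following the construction sketched on the slides.

Added example, not the paper's code. Assumed: P = 2^61 - 1 (a forged share
passes a check with probability 1/|F| = 2^-61), a seeded RNG so the run is
reproducible (use random.SystemRandom for real keys), and the two adversaries.
"""
import random

P = (1 << 61) - 1          # assumed field size |F| >= 2^Omega(k), here k = 61
FAILURE = "failure"
rng = random.Random(2001)  # deterministic for the demo only


def h(key, x):
    """Strongly universal hash h_{a,b}(x) = a*x + b over GF(P)."""
    a, b = key
    return (a * x + b) % P


def lagrange(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the
    points {player index: share value} over GF(P)."""
    total = 0
    for i, yi in points.items():
        num, den = 1, 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def deal(secret, n, t):
    """Distribution phase. P_i receives its Shamir share S_i, one tag y_ij per
    other player P_j, and the keys alpha_ji it will use to check every P_j."""
    ids = range(1, n + 1)
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t)]
    share = {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P for i in ids}
    # alpha_ij: fresh (a, b) per ordered pair, held by P_j to verify P_i's share
    key = {(i, j): (rng.randrange(P), rng.randrange(P)) for i in ids for j in ids if i != j}
    return {i: {"share": share[i],
                "tags": {j: h(key[(i, j)], share[i]) for j in ids if j != i},  # y_ij
                "keys": {j: key[(j, i)] for j in ids if j != i}}               # alpha_ji
            for i in ids}


def honest_message(players, i):
    """What an honest P_i broadcasts: (S_i, {j: y_ij})."""
    return players[i]["share"], dict(players[i]["tags"])


def reconstruct(me, players, messages, t):
    """P_me accepts a broadcast share only if its tag verifies under P_me's key,
    then outputs the secret if all accepted shares lie on one degree-t
    polynomial and FAILURE otherwise. A wrong secret is never output: the
    >= t+1 honest shares already determine the polynomial."""
    own = players[me]
    accepted = {me: own["share"]}
    for i, (share, tags) in messages.items():
        if i != me and h(own["keys"][i], share) == tags.get(me):
            accepted[i] = share
    if len(accepted) < t + 1:
        return FAILURE
    base = dict(list(accepted.items())[: t + 1])
    if any(lagrange(base, i) != s for i, s in accepted.items()):
        return FAILURE
    return lagrange(base, 0)


def forge_blind(i, honest_msgs, players):
    """Rushing adversary without the keys: it sees the honest broadcasts first
    but can only guess tags, so each forgery passes with probability 1/P."""
    return rng.randrange(P), {j: rng.randrange(P) for j in players[i]["tags"]}


def forge_with_keys(i, honest_msgs, players):
    """Models the 1/P lucky event: tags computed with the verifiers' real keys
    (assumed leaked). The forged share is accepted, so honest players must
    catch the inconsistency and output FAILURE instead of a wrong secret."""
    fake = (players[i]["share"] + 1) % P
    return fake, {j: h(players[j]["keys"][i], fake) for j in players[i]["tags"]}


def run(secret, n, t, corrupt, forge):
    """One execution: honest players broadcast, the corrupted set answers via
    `forge` after seeing them (rushing), and every honest player reconstructs."""
    players = deal(secret, n, t)
    msgs = {i: honest_message(players, i) for i in players if i not in corrupt}
    for i in corrupt:
        msgs[i] = forge(i, dict(msgs), players)
    return {j: reconstruct(j, players, msgs, t) for j in players if j not in corrupt}


if __name__ == "__main__":
    print(run(123456789, 7, 3, {5, 6, 7}, forge_blind))      # every honest output: the secret
    print(run(123456789, 7, 3, {5, 6, 7}, forge_with_keys))  # every honest output: 'failure'
```

Each broadcast carries one field element for the share and $n-1$ field elements of tags, i.e. $O(kn)$ bits per player and $O(kn^2)$ in total, which is the communication Theorem 2 claims. Note that only consistency of the accepted shares is checked; no error correction is attempted, which is exactly why the output is "failure" rather than a corrected secret in the $n/3 \leq t < n/2$ regime.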

Thanks

Presented by

游騰楷 呂育恩 葉恆青
