Page 1: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes

Linear, Nonlinear, and Weakly-Private Secret Sharing Schemes

Amos Beimel

Ben-Gurion University

Slides borrowed from Yuval Ishai, Noam Livne, Moni Naor, Enav Weinreb.

Page 2: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes

Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87]

Figure: the secret 1706 is split by the dealer into shares 2538, 3441, 1329, 6634 (one share shown as ?), one per party; with threshold t=3, any three shares recover 1706.

Page 3: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes

28/05/2007 ICITS 3

Talk Overview

1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems

Page 4: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Def: Secret Sharing

• An access structure is a collection of subsets of the parties {P1,...,Pn} (a subset of 2^{{P1,...,Pn}}). A scheme realizes an access structure if:

Correctness: every authorized set B can always recover s.
Privacy: every unauthorized set B cannot learn anything about s.

Figure: the dealer takes the secret s and randomness r and hands share s1 to P1, s2 to P2, ..., sn to Pn.

Page 5: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Applications

• Secure storage;
• Secure multiparty computation;
• Threshold cryptography;
• Byzantine agreement;
• Access control;
• Private information retrieval;
• Attribute-based encryption.

Page 6: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Shamir’s t-out-of-n Secret Sharing Scheme

– Input: secret s
– Choose at random a polynomial p(x) = s + r1·x + r2·x^2 + … + r_{t-1}·x^{t-1}
– Share of Pj: sj = p(j)
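As an added example (mine, not code from the talk), the following Python implements the scheme just described over a small prime field, GF(7919) (a constructed choice; any prime larger than n and the secret works), with Lagrange interpolation at x = 0 for reconstruction. To make the privacy claim concrete, it also takes the shares of t-1 parties, sweeps every value the one missing share could take, and shows that each value of the secret is reached exactly once, so t-1 shares rule out nothing.

```python
import random

PRIME = 7919  # constructed: a small prime so the privacy sweep below can enumerate the whole field

def eval_poly(coeffs, x, p=PRIME):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def share(secret, t, n, rng=None, p=PRIME):
    """Dealer: p(x) = s + r1*x + ... + r_{t-1}*x^{t-1} with random r_i; the share of P_j is p(j)."""
    rng = rng if rng is not None else random.SystemRandom()
    if not (0 <= secret < p and 1 <= t <= n < p):
        raise ValueError("need 0 <= secret < p and 1 <= t <= n < p")
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return [(j, eval_poly(coeffs, j, p)) for j in range(1, n + 1)]

def reconstruct(shares, p=PRIME):
    """Lagrange interpolation at x = 0 from any t shares (x_j, p(x_j))."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, p - 2, p)) % p
    return secret

def secrets_consistent_with(partial, t, missing_x, p=PRIME):
    """Privacy check for t-1 shares: sweep every value y the share of party `missing_x`
    could take and record which secret the resulting t shares reconstruct to.
    Returns {secret: y}; when it has p entries, `partial` rules out no secret at all."""
    if len(partial) != t - 1:
        raise ValueError("pass exactly t-1 shares")
    worlds = {}
    for y in range(p):
        worlds[reconstruct(partial + [(missing_x, y)], p)] = y
    return worlds

def demo(seed=1):
    """Deterministic 3-out-of-5 run with the slide's secret 1706: returns the secret recovered by
    P1..P3, the secret recovered by P1,P3,P5, how many secrets remain possible given only P1 and P2's
    shares, and whether the real share of P5 is the one that points at the real secret."""
    shares = share(1706, t=3, n=5, rng=random.Random(seed))
    worlds = secrets_consistent_with(shares[:2], 3, missing_x=5)
    return (reconstruct(shares[:3]), reconstruct(shares[::2]), len(worlds),
            worlds[1706] == shares[4][1])

if __name__ == "__main__":
    print(demo())  # (1706, 1706, 7919, True)
```

The sweep is the whole privacy argument in miniature: two shares plus any candidate value for a third party fix exactly one polynomial of degree at most 2, and distinct candidates give distinct constant terms, so the map from "missing share" to "secret" is a bijection on the field.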

Page 7: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


The General Case

Which access structures can be realized?

• Necessary condition: the access structure is monotone.
• Also sufficient!

Figure: example on parties P1,...,P5 with minimal authorized sets {1,2}, {2,4}, {1,3,5}; the secret s is shared separately to each minimal set.

Not efficient!!!!

Page 8: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Are there Efficient Schemes?

• The known schemes for general access structures have shares of size 2^{O(n)}.
• Best lower bound for an explicit structure [Csirmaz94]: Ω(n^2 / log n).
• Nothing better is known even for non-explicit structures!
  – large gap

Conjecture: There is an access structure that requires shares of size 2^{Ω(n)}.

Page 9: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Talk Overview

1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing schemes
5. Conclusions and open problems

Page 10: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Linear Secret-Sharing

Figure: the secret s ∈ F and random field elements r1, r2, ..., rm ∈ F are fed through a linear transformation whose outputs are the shares of P1, P2, ..., Pn.

Examples:
• Shamir's scheme
• Formula based schemes [BenalohLeichter88]
• Monotone span programs [KarchmerWigderson93]

Page 11: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Linear Schemes and Span Program

Monotone Span programs – linear algebraic model of computation [KarchmerWigderson93].

Equivalent to Linear schemes.

Page 12: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Monotone Span Programs

Matrix (one row per label; the examples that follow work over GF(2)):

  1 1 0 1   P2
  0 1 1 0   P2
  0 1 1 0   P1
  1 1 0 0   P3
  0 0 1 1   P4

Target vector: 1 0 0 0

The program accepts a set B iff the rows labeled by B span the target vector.

Page 13: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Monotone Span Programs

Same matrix and target vector 1 0 0 0. For the set {P2,P4}, the rows labeled P2 (1 1 0 1 and 0 1 1 0) and P4 (0 0 1 1) sum over GF(2) to 1 0 0 0, the target vector, so {P2,P4} is accepted.

Page 14: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Monotone Span Programs

Same matrix and target vector 1 0 0 0. For the set {P1,P2}, the rows labeled P2 (1 1 0 1, 0 1 1 0) and P1 (0 1 1 0) span only 0 0 0 0, 1 1 0 1, 0 1 1 0 and 1 0 1 1; the target 1 0 0 0 is not among them, so {P1,P2} is rejected.

Page 15: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Span Programs Secret Sharing

The shares are the matrix applied to the vector (s, r2, r3, r4), where r2, r3, r4 are random:

  1 1 0 1   P2       s + r2 + r4
  0 1 1 0   P2       r2 + r3
  0 1 1 0   P1   =   r2 + r3
  1 1 0 0   P3       s + r2
  0 0 1 1   P4       r3 + r4

Example s=1, r2=r3=0, r4=1: P2 gets 0 0, P1 gets 0, P3 gets 1, P4 gets 1.

Page 16: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Span Programs Secret Sharing

Same shares. The set {P2,P4} holds s + r2 + r4 and r2 + r3 (from P2) and r3 + r4 (from P4); because the corresponding rows sum to the target 1 0 0 0, adding these three shares over GF(2) gives s.

Page 17: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Linear Schemes: State of the Art

• Every access structure can be realized by a linear scheme.

• Most known schemes are linear.

• Linear schemes can efficiently realize only access structures in NC (NC = languages having efficient parallel algorithms).

• Best lower bounds for linear schemes for explicit access structures [B+GalPaterson95,BabaiGalWigderson96,Gal98,GalPudlak03]: n^{Ω(log n)}.

• Best existential lower bounds for linear schemes: 2^{Ω(n)}.

Page 18: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Why Linear Secret Sharing?

• Share generation and secret reconstruction are efficient.

• Perfect privacy for free.

• Homomorphic

– Secure multi-party computation [CramerDamgardMaurer2000]

Why not?

• Can only realize access structures in NC.

Page 19: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Homomorphism of Linear Secret Sharing

Figure: with the same matrix M (rows labeled P2, P2, P1, P3, P4), M · (s, r2, r3, r4) = (y1, ..., y5) and M · (s', r2', r3', r4') = (y1', ..., y5'). By linearity, M · (s+s', r2+r2', r3+r3', r4+r4') = (y1+y1', ..., y5+y5'): adding the two share vectors component-wise yields a valid share vector of s+s'.

Page 20: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Application: Computing a Sum

Figure: three secrets a, b, c are shared as (a1, a2, a3), (b1, b2, b3), (c1, c2, c3). Each party Pi locally adds its three shares to obtain si = ai + bi + ci, a share of s = a + b + c, which is then reconstructed without any party revealing its own a, b or c shares.
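As an added example (mine, not from the talk), the following Python works through the monotone span program slides above and the homomorphism slides in one place: the slide's matrix and row labels over GF(2), acceptance by finding a recombination vector for the target 1 0 0 0, sharing by multiplying the matrix into (s, r2, r3, r4), reconstruction by an accepted set such as {P2,P4}, and the additive homomorphism used for computing a sum, which is checked exhaustively over all inputs. Brute force over 0/1 coefficients is used for the span test because there are only five rows; Gaussian elimination over GF(2) would be the general method.

```python
import itertools

# Monotone span program from the slides: one row per label, target (1,0,0,0), arithmetic over GF(2).
M = [(1, 1, 0, 1), (0, 1, 1, 0), (0, 1, 1, 0), (1, 1, 0, 0), (0, 0, 1, 1)]
LABELS = ("P2", "P2", "P1", "P3", "P4")
TARGET = (1, 0, 0, 0)

def row_indices(parties):
    """Indices of the rows labeled by the given parties."""
    return [i for i, lab in enumerate(LABELS) if lab in set(parties)]

def recombination_vector(parties):
    """0/1 coefficients c with sum_i c_i * M[i] == TARGET over the rows of `parties`, else None."""
    idx = row_indices(parties)
    for coeffs in itertools.product((0, 1), repeat=len(idx)):
        combo = tuple(sum(c * M[i][k] for c, i in zip(coeffs, idx)) % 2 for k in range(len(TARGET)))
        if combo == TARGET:
            return dict(zip(idx, coeffs))
    return None

def accepts(parties):
    """The program accepts a set iff its rows span the target vector."""
    return recombination_vector(parties) is not None

def share(s, r):
    """Shares = M * (s, r2, r3, r4); each party receives the entries of its own rows, in row order."""
    vec = (s,) + tuple(r)
    shares = {}
    for i, row in enumerate(M):
        shares.setdefault(LABELS[i], []).append(sum(a * b for a, b in zip(row, vec)) % 2)
    return shares

def values_by_row(shares):
    """Map row index -> share value, undoing the per-party grouping done by share()."""
    seen, out = {}, {}
    for i, lab in enumerate(LABELS):
        if lab in shares:
            k = seen.get(lab, 0)
            seen[lab] = k + 1
            out[i] = shares[lab][k]
    return out

def reconstruct(shares, parties):
    """Combine the shares of an accepted set using its recombination vector; rejected sets raise."""
    c = recombination_vector(parties)
    if c is None:
        raise ValueError("set is not authorized")
    vals = values_by_row({p: shares[p] for p in parties})
    return sum(c[i] * vals[i] for i in c) % 2

def add_shares(*share_vectors):
    """Additive homomorphism: XOR-ing share vectors of s, s', ... component-wise gives shares of s + s' + ..."""
    parties = share_vectors[0].keys()
    return {p: [sum(vals) % 2 for vals in zip(*(sv[p] for sv in share_vectors))] for p in parties}

def homomorphism_holds():
    """Exhaustive check: share(s, r) + share(s', r') == share(s + s', r + r') for all 2 * 8 * 2 * 8 inputs."""
    for s, s2 in itertools.product((0, 1), repeat=2):
        for r, r2 in itertools.product(itertools.product((0, 1), repeat=3), repeat=2):
            r_sum = tuple((a + b) % 2 for a, b in zip(r, r2))
            if add_shares(share(s, r), share(s2, r2)) != share((s + s2) % 2, r_sum):
                return False
    return True

if __name__ == "__main__":
    print(accepts(("P2", "P4")), accepts(("P1", "P2")))   # True False
    sh = share(1, (0, 0, 1))                                # the slide's example s=1, r2=r3=0, r4=1
    print(sh, reconstruct(sh, ("P2", "P4")))                # {'P2': [0, 0], 'P1': [0], 'P3': [1], 'P4': [1]} 1
```

The sum application is `add_shares` applied to three share vectors followed by `reconstruct`: each party only ever adds the values it already holds, and the recombination vector found for the accepted set is the same one that reconstructs any single secret.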

Page 21: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Multiplicative Homomorphism of Linear Secret Sharing [….,CramerDamgardMaurer2000]

Figure: from shares (y1, ..., y5) of s and (y1', ..., y5') of s' (same matrix M as before), the parties run a protocol that outputs z1, ..., z5: shares for s * s'.

Access structure must be Q2 (no two unauthorized sets together cover all the parties).

Page 22: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Talk Overview

1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems

Page 23: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Constructing Nonlinear Schemes

Two constructions:

1. Composition approach: no assumptions, access structures in NC.

2. Direct constructions: access structures probably not in P.

Page 24: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Nonlinear Schemes: Composition Approach [B+Ishai01]

Figure: the secret is split as S = S1 + S2; S1 is shared among P1, ..., Pn by a linear scheme over GF(2), and S2 is shared among Pn+1, ..., P2n by a linear scheme over GF(3).

[B+Weinreb03]: there is an access structure that is easy over GF(2) and hard over any other field, and an access structure that is easy over GF(3) and hard over any other field.

Page 25: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Nonlinear schemes: Direct Constructions [B+Ishai01]

  perfect / statistical   access structure equivalent to...               computationally efficient?
  perfect                 quadratic residuosity modulo a (fixed) prime    Yes
  statistical             quadratic residuosity                           No
  statistical             co-primality                                    Yes

Page 26: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Talk Overview

1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems

Page 27: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Large gap

• Sharing a 1-bit secret for general access structures:
  – The known schemes have 2^{O(n)}-bit shares
  – Best lower bound for an explicit structure [Csirmaz94]: Ω(n / log n)

Conjecture: There is an access structure that requires shares of size 2^{Ω(n)} for a one-bit secret.

No progress in the last decade!

Page 28: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


What Should We Do?

• Prove lower bounds for stronger definitions of secret sharing
  – Linear secret sharing schemes: n^{Ω(log n)}-bit shares for a one-bit secret [B+GalPaterson95,BabaiGalWigderson96,Gal98].

• Prove upper bounds for weaker definitions of secret sharing.

• Try to understand which techniques should be used to prove lower bounds.

Page 29: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Def: Weakly-Private Secret Sharing

A scheme weakly realizes an access structure over {P1,...,Pn} if:

Correctness: every authorized set B can always recover s.
Weak Privacy: every unauthorized set C can never rule out any secret. That is, for every two secrets a, b and for every vector of shares ⟨si⟩_{i∈C}:

  Pr_r[ shares of C on (a, r) = ⟨si⟩_{i∈C} ] > 0   iff   Pr_r[ shares of C on (b, r) = ⟨si⟩_{i∈C} ] > 0

Figure: as before, the dealer maps the secret s and randomness r to shares s1, ..., sn for P1, ..., Pn.

Page 30: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Motivation

• Strong lower bounds for secret sharing use entropy arguments [CapocelliDeSantisGarganoVaccaro91, BlundoDeSantisGarganoVaccaro92, Csirmaz94,….].

• Weakly-private ideal secret sharing = Perfect ideal secret sharing [BrickellDavenport91].

• Some papers used weakly-private schemes to prove lower bounds for perfect schemes [Seymour92, KurosawaOkada96,B+Livne06]

Page 31: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Motivation II

• Key Distribution Schemes:
  – [BlundoDeSantisHerzbergKuttenVaccaroYung92] proved lower bounds for perfect schemes using entropy arguments.
  – [B+Chor93] proved the same lower bound for weakly-private schemes.

• Does weak-privacy suffice for proving lower-bounds for secret sharing schemes?

Page 32: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Our Results

1. For every access structure there is a scheme whose shares are c bits longer than the secret, where c is a ``constant'' depending on the access structure. Disclaimer: c can be exponential in n. Perfect: best known c'-bit shares.

2. For a doubly-exponential family of access structures, there is an efficient weakly-private scheme for 1-bit secrets (due to Yuval Ishai). Perfect: known only for an exponential family.

3. There is a weakly-private t-out-of-n scheme: 1-bit secret and O(t)-bit shares. Perfect: log n-bit shares.

Page 33: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Constructions for general access structures

First attempt: for any access structure, try to construct a scheme whose shares are as long as the secret.

Let s be the secret.

1. Choose at random a maximal unauthorized set D.
2. Choose a random bi ∈ {0,1} for every Pi ∈ D.
3. Set bi = s for every Pi ∉ D.
4. The share of Pi is bi.

Weak privacy: every unauthorized set C is contained in some maximal unauthorized D, so C can get any vector of shares for every s.

Correctness: ????? If B is authorized, there is some Pi ∈ B \ D. Guess such a Pi ∈ B and output bi.

Page 34: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Constructions for general access structures

Second (correct) attempt: for every access structure, there is a scheme whose shares are c bits longer than the secret (c is a "constant" depending on the access structure).

1. Choose at random a maximal unauthorized set D.
2. Share the n-bit string representing D using a weakly-private scheme realizing the access structure. Let a1,…,an be the generated shares.
3. Choose a random bi ∈ {0,1} for every Pi ∈ D.
4. Set bi = s for every Pi ∉ D.
5. The share of Pi is (ai,bi).

Correctness: if B is authorized, there is some Pi ∈ B \ D. B reconstructs D, finds Pi ∈ B \ D, and outputs bi.

Share size: with a scheme in which the shares ai are 2n bits (worst case), the total size is the secret length + 2n.
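The following Python is an added example of mine, not code from the talk. It covers two passages at once: the general construction behind the monotone-is-sufficient slide (share the secret separately to each minimal authorized set, a perfect scheme and hence also weakly private), which it reuses to share the string describing D, and the second attempt above for a 1-bit secret. The access structure is constructed: four parties with minimal authorized sets {1,2} and {3,4}. Randomness is passed in as an explicit bit tape and the choice of D as an index, so the checks can enumerate every coin toss and verify the weak-privacy definition literally: for every unauthorized set the set of observable share vectors is identical for s=0 and s=1. The last function shows why the first attempt fails: without the shares of D, the authorized set {1,2} that guesses P1 reads a random bit whenever P1 ∈ D.

```python
import itertools

# Constructed access structure: four parties, minimal authorized sets {1,2} and {3,4}.
PARTIES = (1, 2, 3, 4)
MINIMAL = (frozenset({1, 2}), frozenset({3, 4}))

def is_authorized(subset):
    return any(m <= frozenset(subset) for m in MINIMAL)

def maximal_unauthorized():
    unauth = [frozenset(c) for k in range(len(PARTIES) + 1)
              for c in itertools.combinations(PARTIES, k) if not is_authorized(c)]
    return [d for d in unauth if not any(d < e for e in unauth)]

MAX_UNAUTH = maximal_unauthorized()                          # [{1,3}, {1,4}, {2,3}, {2,4}]
ISN_BITS = len(PARTIES) * sum(len(m) - 1 for m in MINIMAL)   # random bits used to share the n-bit string D
TAPE_LEN = ISN_BITS + max(len(d) for d in MAX_UNAUTH)        # plus one random bit per member of D

def isn_share(bits, tape):
    """Share-to-every-minimal-set construction (perfect, hence weakly private): each minimal set
    gets an XOR-split of every bit. Returns {party: {(bit_index, set_index): piece}}."""
    shares = {p: {} for p in PARTIES}
    for j, bit in enumerate(bits):
        for k, m in enumerate(MINIMAL):
            members = sorted(m)
            pieces = [next(tape) for _ in members[:-1]]
            pieces.append(bit ^ (sum(pieces) & 1))   # last piece makes the XOR equal the bit
            for p, piece in zip(members, pieces):
                shares[p][(j, k)] = piece
    return shares

def isn_reconstruct(shares, B, nbits):
    k, m = next((k, m) for k, m in enumerate(MINIMAL) if m <= B)
    return [sum(shares[p][(j, k)] for p in m) & 1 for j in range(nbits)]

def wp_share(s, tape, d_index):
    """Second attempt for a 1-bit secret. d_index selects the maximal unauthorized set D; a real
    dealer draws it uniformly at random, here it is a parameter so the checks can enumerate it."""
    D = MAX_UNAUTH[d_index]
    a = isn_share([1 if p in D else 0 for p in PARTIES], tape)   # shares of the n-bit string for D
    b = {p: (next(tape) if p in D else s) for p in PARTIES}       # random inside D, the secret outside
    return {p: (a[p], b[p]) for p in PARTIES}

def wp_reconstruct(shares, B):
    B = frozenset(B)
    d_bits = isn_reconstruct({p: shares[p][0] for p in B}, B, len(PARTIES))
    D = {p for p, bit in zip(PARTIES, d_bits) if bit}
    return shares[min(B - D)][1]   # B authorized and D unauthorized, so B \ D is nonempty

def view_support(C, s):
    """Every share vector the set C can observe for secret s, over all D and all random tapes."""
    support = set()
    for d_index in range(len(MAX_UNAUTH)):
        for bits in itertools.product((0, 1), repeat=TAPE_LEN):
            shares = wp_share(s, iter(bits), d_index)
            support.add(tuple((tuple(sorted(shares[p][0].items())), shares[p][1]) for p in sorted(C)))
    return support

def weak_privacy_holds():
    """Weak privacy definition: for every unauthorized C the supports for s=0 and s=1 coincide."""
    return all(view_support(C, 0) == view_support(C, 1)
               for k in range(len(PARTIES) + 1) for C in itertools.combinations(PARTIES, k)
               if not is_authorized(C))

def correctness_holds():
    for B in (frozenset({1, 2}), frozenset({3, 4}), frozenset(PARTIES)):
        for s, d_index in itertools.product((0, 1), range(len(MAX_UNAUTH))):
            for bits in itertools.product((0, 1), repeat=TAPE_LEN):
                if wp_reconstruct(wp_share(s, iter(bits), d_index), B) != s:
                    return False
    return True

def first_attempt_can_fail():
    """First attempt: the b-part alone, with {1,2} guessing P1. When D = {1,4}, P1's bit is random."""
    d_index = MAX_UNAUTH.index(frozenset({1, 4}))
    guesses = {wp_share(0, iter(bits), d_index)[1][1] for bits in itertools.product((0, 1), repeat=TAPE_LEN)}
    return guesses == {0, 1}
```

Note what `weak_privacy_holds` does and does not establish: the supports coincide, so an unauthorized set can never rule a secret out, but for a D that does not contain C the b-part of some member equals s outright, which is exactly the leakage that weak privacy tolerates and perfect privacy does not.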

Page 35: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Talk Overview

1. Motivation and definitions
2. Linear secret sharing schemes
3. Nonlinear secret sharing schemes
4. Weakly-private secret sharing
5. Conclusions and open problems

Page 36: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Conclusions

• Linearity is useful.

• However, linear schemes can realize only access structures in NC.

• Nonlinear schemes can efficiently realize some “computationally hard” access structures.

• Exact power of nonlinear schemes remains unknown.

Page 37: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Proving Lower Bounds

• Close the gap for perfect secret sharing schemes
  – Improve the 2^{O(n)} upper bound?
  – Improve the Ω(n^2 / log n) lower bound?
  – Even an existential proof is interesting.

• Exponential lower bounds for linear schemes
  – Improve the n^{Ω(log n)} lower bound.

Page 38: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Upper & Lower Bounds: Specific Access Structures

• Directed connectivity
  – Participants correspond to edges in the complete directed graph
  – Authorized sets: graphs containing a path from v1 to v2
  – Efficient construction for undirected connectivity
  – There is an efficient computational scheme
  – Open: perfect scheme

• Perfect Matching
  – Implies a scheme for directed connectivity
  – Open: perfect and computational schemes

• Weighted threshold
  – Efficient computational scheme [B+Weinreb]
  – Perfect scheme with n^{log n} shares
  – Open: perfect scheme
  – Open: monotone formula

Page 39: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes


Secret Sharing and Oblivious Transfer

• Hamiltonian:
  – Participants correspond to edges in the complete graph
  – Authorized sets: graphs containing a Hamiltonian cycle

Want an efficient scheme for minimal authorized subsets – when given the witness (cycle)

Theorem [Rudich]: If one-way functions exist and an efficient secret sharing scheme for the Hamiltonian problem exists, then Oblivious Transfer protocols exist.
  – I.e., Minicrypt = Cryptomania
  – Construction is non-blackbox

Theorem [Rudich]: If there is a perfect scheme for Hamiltonian, then NP ⊆ co-AM.

Page 40: Linear, Nonlinear, and Weakly-Private  Secret Sharing Schemes

The End…