
Multipartite Secret Sharing

Carles Padró

Nanyang Technological University, Singapore

Jornadas de Criptografía, Centenario de la Real Sociedad Matemática Española

Universidad de Murcia, November 2011

Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011

Page 2

How to Share a Secret

How to compute shares of a secret in such a way that any t ≤ n players can reconstruct it but t − 1 players get no information? (Threshold access structure)

A simple and brilliant idea by Shamir, 1979

Let K be a finite field with |K| ≥ n + 1

To share a secret value k ∈ K, take a random polynomial

$$f(x) = k + a_1 x + \cdots + a_{t-1} x^{t-1} \in K[x]$$

and distribute the shares

$$f(x_1), f(x_2), \ldots, f(x_n)$$

where $x_i \in K \setminus \{0\}$ is a public value associated with player $p_i$

Independently, Blakley proposed a geometric secret sharing scheme in 1979

Page 3

Properties of Shamir’s Secret Sharing Scheme

Shamir’s scheme is enough for most of the current applications of secret sharing.

1. It is a threshold scheme
2. It is perfect
3. It is ideal
4. It is linear
5. It is multiplicative
6. The size of the secret value depends on the number of players

Page 4

Secret Sharing from Linear Codes

How to construct ideal linear secret sharing schemes for non-threshold access structures

Every linear code over K defines a K-vector space secret sharing scheme

$$(a_0, a_1, \ldots, a_{t-1}) \begin{pmatrix} \uparrow & \uparrow & & \uparrow \\ \pi_0 & \pi_1 & \cdots & \pi_n \\ \downarrow & \downarrow & & \downarrow \end{pmatrix} = (k, s_1, \ldots, s_n)$$

It is ideal and linear, and it can have a non-threshold access structure

$A \in \Gamma$ if and only if $\operatorname{rank}(\pi_0, (\pi_i)_{i \in A}) = \operatorname{rank}((\pi_i)_{i \in A})$ (a K-vector space access structure)

Page 5

Threshold Secret Sharing from Linear Codes

Shamir’s threshold scheme is a particular case: Reed-Solomon codes

$$(k, a_1, \ldots, a_{t-1}) \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 0 & x_1 & \cdots & x_n \\ 0 & x_1^2 & \cdots & x_n^2 \\ \vdots & \vdots & & \vdots \\ 0 & x_1^{t-1} & \cdots & x_n^{t-1} \end{pmatrix} = (k, s_1, \ldots, s_n)$$

By using algebraic geometry codes, it is possible to find secret sharing schemes with most of those properties over constant size fields

Chen, Cramer (2006)
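The linear-code construction of pages 4 and 5, as an added example that is not code from the talk or from its authors: it works over the prime field GF(13), computes the access structure with the rank criterion of page 4, and checks perfectness by brute force. The Vandermonde columns reproduce Shamir's scheme of page 2, and the second code is a constructed two-dimensional example with a non-threshold access structure. The field size, the evaluation points, the column vectors and the function names are all assumptions made for this example.

```python
from itertools import combinations, product
import random

P = 13  # constructed choice: all arithmetic is over the prime field K = GF(13)


def dot(u, v, p=P):
    return sum(x * y for x, y in zip(u, v)) % p


def rref_mod(rows, p=P):
    """Reduced row echelon form over GF(p); returns (matrix, list of pivot columns)."""
    M = [[x % p for x in r] for r in rows]
    pivots, r = [], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [(x * inv) % p for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % p for a, b in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == len(M):
            break
    return M, pivots


def rank_mod(rows, p=P):
    return len(rref_mod(rows, p)[1]) if rows else 0


def qualified(cols, A, p=P):
    """Page 4's criterion: A ∈ Γ iff rank(π0, (πi)_{i∈A}) = rank((πi)_{i∈A})."""
    sub = [cols[i] for i in A]
    return rank_mod(sub + [cols[0]], p) == rank_mod(sub, p)


def min_access_structure(cols, p=P):
    """Minimal qualified subsets of {1, ..., n}, found by exhaustive search."""
    n = len(cols) - 1
    qual = [set(A) for r in range(1, n + 1) for A in combinations(range(1, n + 1), r)
            if qualified(cols, A, p)]
    return sorted(sorted(A) for A in qual if not any(B < A for B in qual))


def share(cols, k, p=P, seed=None):
    """Pick a random coefficient vector a with a·π0 = k; share i is s_i = a·π_i."""
    rng = random.Random(seed)
    pi0 = cols[0]
    a = [rng.randrange(p) for _ in pi0]
    j = next(i for i, x in enumerate(pi0) if x % p)   # π0 must be nonzero
    a[j] = (a[j] + (k - dot(a, pi0, p)) * pow(pi0[j], -1, p)) % p
    return {i: dot(a, cols[i], p) for i in range(1, len(cols))}


def reconstruct(cols, shares, p=P):
    """Solve π0 = Σ λ_i π_i over the available share indices; then k = Σ λ_i s_i.
    Returns None when π0 is outside the span, i.e. the set is not qualified."""
    idx = sorted(shares)
    t = len(cols[0])
    aug = [[cols[i][r] for i in idx] + [cols[0][r]] for r in range(t)]
    M, piv = rref_mod(aug, p)
    if len(idx) in piv:
        return None
    lam = {idx[c]: M[r][-1] for r, c in enumerate(piv)}
    return sum(lam[i] * shares[i] for i in lam) % p


def consistent_secrets(cols, shares, p=P):
    """Perfectness check by brute force: count the coefficient vectors a that reproduce
    the given shares, grouped by the secret a·π0 each of them would encode."""
    t = len(cols[0])
    counts = {}
    for a in product(range(p), repeat=t):
        if all(dot(a, cols[i], p) == s for i, s in shares.items()):
            k = dot(a, cols[0], p)
            counts[k] = counts.get(k, 0) + 1
    return counts


def vandermonde_cols(xs, t, p=P):
    """Page 5: π0 = (1, 0, ..., 0) and π_i = (1, x_i, ..., x_i^{t-1}) give Shamir's scheme."""
    return [tuple(int(r == 0) for r in range(t))] + \
           [tuple(pow(x, r, p) for r in range(t)) for x in xs]


SHAMIR = vandermonde_cols([1, 2, 3, 4, 5], 3)      # (3, 5)-threshold scheme
# constructed code in K^2 whose minimal qualified sets are {1, 2} and {2, 3} but not {1, 3}
NONTHRESHOLD = [(1, 0), (0, 1), (1, 1), (0, 1)]

if __name__ == "__main__":
    print("Shamir min Γ:", min_access_structure(SHAMIR))
    print("non-threshold min Γ:", min_access_structure(NONTHRESHOLD))
    sh = share(SHAMIR, 7, seed=0)
    print("3 shares recover", reconstruct(SHAMIR, {i: sh[i] for i in (1, 3, 5)}))
    print("2 shares leave every secret possible:", consistent_secrets(SHAMIR, {1: sh[1], 2: sh[2]}))
```

Running the block prints the minimal qualified subsets of both codes and shows that three Shamir shares recover the secret while two shares are consistent with each of the 13 possible secrets exactly once, which is what "perfect" means on page 3.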

Page 6

Secret Sharing for General Access Structures

But in some situations non-threshold secret sharing schemes are required

The access structure Γ is the family of qualified subsets

In his seminal paper, Shamir (1979) introduced weighted threshold secret sharing

Subsequently, two lines of work have been developed

1. Optimization of secret sharing schemes for general access structures. This appeared to be an extremely difficult open problem; see the recent survey on this topic by Amos Beimel

2. Constructing efficient secret sharing schemes for useful access structures

Initiated by Kothari (1984), Simmons (1988), and Brickell (1989)

Page 7

Natural Generalizations of Threshold Secret Sharing

Are there other natural ways to generalize Shamir’s scheme?

Specifically, we look for families of access structures with the following properties

1. Multipartite: participants are divided into several parts and the participants in the same part play an equivalent role in the structure.

2. They admit a very compact description: a small number of parameters, at most linear in the number of parts.

3. They admit an ideal linear secret sharing scheme over every large enough field

Page 8

Hierarchical and Compartmented Secret Sharing

Kothari (1984) proposed a generalization of Shamir’s threshold scheme, with some hints to construct ideal hierarchical secret sharing schemes

Simmons (1988) introduced the multilevel and compartmented access structures and conjectured that they admit an ideal SSS. He presented geometric constructions for some of them

Multilevel and compartmented access structures are multipartite

Page 9

Hierarchical and Compartmented Secret Sharing

Multilevel and compartmented access structures are multipartite

The former ones are hierarchical. For instance, players are divided into 3 levels, and a subset is qualified if and only if it contains

- at least 5 players in the first level, or
- at least 8 players in the first two levels, or
- at least 15 players in total

As an example of a compartmented access structure: a qualified subset must contain at least 5 players in each of the 5 compartments and at least 30 participants in total

Page 10

Hierarchical and Compartmented Secret Sharing

Brickell (1989) proposed a general linear algebra method to construct ideal secret sharing schemes. It unifies Shamir’s and Blakley’s approaches. Actually, Kothari (1984) anticipated some of Brickell’s ideas

In particular, by using this method Brickell constructed ideal schemes for the multilevel and compartmented structures proposed by Simmons

Subsequently, other proposals for constructions of ideal schemes for these and similar structures appeared. For instance, Tassa (2004), Tassa & Dyn (2006)

But all of them fit in Brickell’s general method

Page 11

Natural Generalizations of Threshold Secret Sharing

Two natural problems appear at this point

1. Find other interesting families of such natural generalizations of threshold secret sharing (multipartite, compact description, ideal and linear)

2. Find criteria to decide if a given multipartite access structure is ideal

In addition, two important efficiency issues

1. Computational time to construct the scheme
2. Size of the secret value

Of course, matroids play a fundamental role in these questions

Brickell and Davenport, 1991

Page 12

Integer Polymatroids and Matroids

An integer polymatroid is a pair Z = (J, h), where the rank function h : 2^J → Z satisfies

1. h(∅) = 0
2. X ⊆ Y ⟹ h(X) ≤ h(Y)
3. h(X ∪ Y) + h(X ∩ Y) ≤ h(X) + h(Y)

A matroid is an integer polymatroid satisfying h(X) ≤ |X| for every X ⊆ J

Page 13

Representing Integer Polymatroids and Matroids

Some matroids M = (Q, r) can be represented by a family of vectors... or, equivalently, by a linear code

$$G = \begin{pmatrix} \uparrow & \uparrow & & \uparrow \\ \pi_0 & \pi_1 & \cdots & \pi_n \\ \downarrow & \downarrow & & \downarrow \end{pmatrix}$$

r(X) = rank(G_X) for every X ⊆ Q

Some integer polymatroids Z = (J, h) can be represented by a family of vector subspaces

$$G = \begin{pmatrix} \uparrow & \uparrow & \uparrow & \uparrow & \uparrow & \uparrow \\ \pi_0 & \pi_1 & \pi_2 & \pi_3 & \pi_4 & \pi_5 \\ \downarrow & \downarrow & \downarrow & \downarrow & \downarrow & \downarrow \end{pmatrix}$$

That is, there exist vector subspaces (V_i)_{i∈J} with

$$h(X) = \dim\Big(\sum_{i \in X} V_i\Big) \quad \text{for every } X \subseteq J$$

Page 14

Ideal Secret Sharing and Matroids

Every linear code defines an ideal linear secret sharing scheme

$$(a_0, a_1, \ldots, a_{t-1}) \begin{pmatrix} \uparrow & \uparrow & & \uparrow \\ \pi_0 & \pi_1 & \cdots & \pi_n \\ \downarrow & \downarrow & & \downarrow \end{pmatrix} = (s_0, s_1, \ldots, s_n)$$

P = {p_1, ..., p_n}, Q = P ∪ {p_0}

If M = (Q, r) is the representable matroid associated to the code,

$$\Gamma = \Gamma_{p_0}(M) = \{A \subseteq P : r(A \cup \{p_0\}) = r(A)\}$$

Equivalently,

$$\min \Gamma = \min \Gamma_{p_0}(M) = \{A \subseteq P : A \cup \{p_0\} \text{ is a circuit of } M\}$$

That is, Γ is the port of a representable matroid

Page 15

Multipartite Access Structures

For a partition Π = (P_1, ..., P_m) of P, an access structure Γ on P is said to be Π-partite if τΓ = Γ for every permutation τ on P with τ(P_i) = P_i for i = 1, ..., m

For a subset A ⊆ P, we define

$$\Pi(A) = (|A \cap P_1|, \ldots, |A \cap P_m|) \in \mathbb{Z}_+^m$$

A Π-partite access structure Γ ⊆ 2^P is determined by the points

$$\Pi(\Gamma) = \{\Pi(A) : A \in \Gamma\} \subset \mathbb{Z}_+^m$$

Page 16

A Unified Approach

O. Farràs, J. Martí-Farré, C. Padró, Ideal Multipartite Secret Sharing Schemes, Eurocrypt 2007

In our work, we propose a unified framework to analyze those constructions

[Diagram: ideal multipartite access structures ↔ multipartite matroids ((P_1, ..., P_m)-partite on {0, ..., m}) ↔ integer polymatroids; ideal linear schemes ↔ representable multipartite matroids (n+1 vectors) ↔ representable integer polymatroids (m+1 vector subspaces)]

Page 17

A Unified Approach

This approach has led to several results

- Necessary conditions and sufficient conditions for ideality, which imply some very efficient criteria
- In particular, a much shorter (but non-constructive) proof that multilevel and compartmented access structures are ideal
- New interesting families of ideal multipartite access structures
- The efficiency problems in the construction of ideal multipartite secret sharing schemes are more precisely stated
- Characterization of the ideal tripartite access structures
- Characterization of the ideal hierarchical access structures (TCC 2010)
- In particular, a new proof for the characterization of ideal weighted threshold access structures

Beimel, Tassa, Weinreb (2005)

Page 18

Some Notation

The modulus |u| of a vector u = (u_i)_{i∈J} ∈ Z^J_+ is defined by

$$|u| = \sum_{i \in J} u_i$$

If u, v ∈ Z^J, we write u ≤ v if u_i ≤ v_i for every i ∈ J

Page 19

Independent Vectors of Integer Polymatroids

A vector u ∈ Z^J_+ is an independent vector of the integer polymatroid Z = (J, h) if

$$\sum_{i \in X} u_i \le h(X) \quad \text{for every } X \subseteq J$$

A nonempty finite set D ⊆ Z^J_+ is the family of independent vectors of an integer polymatroid if and only if

1. If u ∈ D and v ∈ Z^J_+ are such that v ≤ u, then v ∈ D.
2. For every pair of vectors u, v ∈ D with |u| < |v|, there exists i ∈ J such that u_i < v_i and u + e_i ∈ D.

Page 20

Bases of Integer Polymatroids

The bases of Z are the maximal independent vectors

A nonempty subset B ⊆ Z^J_+ is the family of bases of an integer polymatroid if and only if for every u ∈ B and v ∈ B with u_i > v_i, there exists j ∈ J such that u_j < v_j and u − e_i + e_j ∈ B.

In particular, all bases have the same modulus $|u| = \sum_{i \in J} u_i$

Page 21

Access Structures from Integer Polymatroids

Let Π = (P1, . . . ,Pm) be a partition of P

Take J'_m = {0, 1, ..., m} and J_m = {1, ..., m}

Consider an integer polymatroid Z = (J'_m, h) with h({0}) = 1 and h({i}) ≤ |P_i|

Consider Γ_0(Z) = {X ⊆ J_m : h(X ∪ {0}) = h(X)}

Then the Π-partite access structure Γ = Γ_0(Z, Π) is defined by: u ∈ Z^m_+ is in Π(Γ) if and only if there exist an independent vector v of Z and X ∈ Γ_0(Z) such that

$$v \le u \quad\text{and}\quad \sum_{i \in X} v_i = h(X)$$

Page 22

Conditions for Ideality

Theorem (FMP’07)

Every ideal Π-partite access structure is of the form Γ_0(Z, Π) for some integer polymatroid Z

In particular, all minimal qualified subsets with the same support have the same cardinality

Theorem (FMP’07)

If the integer polymatroid Z is K-representable, then every multipartite access structure of the form Γ_0(Z, Π) admits an ideal linear secret sharing scheme over every large enough finite extension L of K

Page 23

Boolean Polymatroids

Let (Bi )i∈J be a family of subsets of a finite set B

The mapping h : 2^J → Z defined by

$$h(X) = \Big|\bigcup_{i \in X} B_i\Big|$$

is the rank function of an integer polymatroid Z = (J, h)

These are the Boolean polymatroids

Boolean polymatroids are K-representable for every field K: identify B with a basis of a K-vector space and take V_i = ⟨B_i⟩

Page 24

Access Structures from Boolean Polymatroids

Given integers 1 = t_0 < t_1 < ··· < t_m, take B = [1, t_m] and B_i = [1, t_i] for i ∈ J'_m

If Z = (J'_m, h) is the corresponding Boolean polymatroid, then

$$u \in \Pi(\Gamma_0(Z, \Pi)) \iff \sum_{j=1}^{i} u_j \ge t_i \ \text{ for some } i \in J_m$$

That is, Γ_0(Z, Π) is a multilevel access structure

This proves that those access structures admit an ideal linear secret sharing scheme over every large enough finite field

Actually, every ideal hierarchical access structure is a minor of an access structure of the form Γ_0(Z, Π) with Z a Boolean polymatroid (FP’10)
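The definitions of pages 12, 19, 21 and 24 carried out by brute force, as an added example that is not code from the talk or from its authors: it builds the Boolean polymatroid of page 24 from thresholds t_0 < t_1 < ... < t_m, checks the three polymatroid axioms of page 12, computes Γ_0(Z) and tests membership in Π(Γ_0(Z, Π)) exactly as defined on page 21 (searching independent vectors v ≤ u), and compares the result with the direct multilevel description on every vector of a small box. The three-level thresholds 5, 8, 15 are the ones from page 9; the smaller thresholds (1, 2, 3, 5) used for the exhaustive comparison, the search bound and the function names are assumptions.

```python
from itertools import combinations, product


def subsets(J):
    """All subsets of the tuple J, as tuples, smallest first."""
    return [X for r in range(len(J) + 1) for X in combinations(J, r)]


def boolean_polymatroid(B):
    """Page 23: for subsets (B_i)_{i∈J} of a finite set, h(X) = |∪_{i∈X} B_i|."""
    return lambda X: len(set().union(*(B[i] for i in X)))


def multilevel_polymatroid(t):
    """Page 24: thresholds t = (t_0, ..., t_m) with t_0 = 1, B = [1, t_m], B_i = [1, t_i]."""
    B = {i: set(range(1, ti + 1)) for i, ti in enumerate(t)}
    return boolean_polymatroid(B), len(t) - 1


def is_polymatroid(h, J):
    """Page 12's three axioms, checked exhaustively on a small ground set J."""
    if h(()) != 0:
        return False
    for X in subsets(J):
        for Y in subsets(J):
            union = tuple(sorted(set(X) | set(Y)))
            inter = tuple(sorted(set(X) & set(Y)))
            if set(X) <= set(Y) and h(X) > h(Y):
                return False
            if h(union) + h(inter) > h(X) + h(Y):
                return False
    return True


def is_independent(v, h, Jm):
    """Page 19: v (indexed by the parts 1..m) is independent iff Σ_{i∈X} v_i ≤ h(X) for all X ⊆ Jm."""
    return all(sum(v[i - 1] for i in X) <= h(X) for X in subsets(Jm))


def gamma0(h, m):
    """Page 21: Γ0(Z) = {X ⊆ Jm : h(X ∪ {0}) = h(X)}."""
    return [X for X in subsets(tuple(range(1, m + 1))) if h((0,) + X) == h(X)]


def in_structure(u, h, m):
    """Page 21: u ∈ Π(Γ0(Z,Π)) iff some X ∈ Γ0(Z) and some independent v ≤ u satisfy
    Σ_{i∈X} v_i = h(X).  Independent vectors are closed downwards, so v can be taken
    to vanish outside X and only the box [0, u] restricted to X needs to be searched."""
    Jm = tuple(range(1, m + 1))
    for X in gamma0(h, m):
        boxes = [range(u[i - 1] + 1) if i in X else range(1) for i in Jm]
        for v in product(*boxes):
            if sum(v[i - 1] for i in X) == h(X) and is_independent(v, h, Jm):
                return True
    return False


def multilevel_direct(u, t):
    """Page 24's direct description (the hierarchy of page 9): Σ_{j≤i} u_j ≥ t_i for some i."""
    return any(sum(u[:i]) >= t[i] for i in range(1, len(t)))


def agree_on_box(t, bound):
    """Compare Γ0(Z,Π) with the direct description on every u ∈ [0, bound]^m."""
    h, m = multilevel_polymatroid(t)
    return all(in_structure(u, h, m) == multilevel_direct(u, t)
               for u in product(range(bound + 1), repeat=m))


# page 9's three-level example: t_1 = 5, t_2 = 8, t_3 = 15 (t_0 = 1 as page 24 requires)
LEVELS = (1, 5, 8, 15)

if __name__ == "__main__":
    h, m = multilevel_polymatroid(LEVELS)
    print("polymatroid axioms hold:", is_polymatroid(h, (0, 1, 2, 3)))
    print("Γ0(Z):", gamma0(h, m))
    for u in [(5, 0, 0), (4, 4, 0), (3, 3, 9), (4, 3, 7)]:
        print(u, "qualified:", in_structure(u, h, m))
    print("definitions agree on [0,5]^3 for t=(1,2,3,5):", agree_on_box((1, 2, 3, 5), 5))
```

For the Boolean polymatroid of page 24, h(X) equals t_i for the largest i in X, and the qualified vectors found by the page-21 search coincide with the page-9 description: (5, 0, 0), (4, 4, 0) and (3, 3, 9) are qualified, (4, 3, 7) is not.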

Page 25

Access Structures from other Integer Polymatroids

We can consider as well truncated Boolean polymatroids

$$h(X) = \min\Big\{\Big|\bigcup_{i \in X} B_i\Big|,\ t\Big\}$$

By using Vandermonde vectors, truncated Boolean polymatroids are representable over every large enough field

By using these and related integer polymatroids, one can prove that every compartmented access structure

$$\min \Pi(\Gamma) = \{u \in \mathbb{Z}_+^m : |u| = k \text{ and } a \le u \le b\}$$

admits an ideal linear secret sharing scheme over every large enough field

Page 26

Summarizing. . .

Our general results provide

- Characterizations of ideal access structures in some families
- Shorter proofs for the ideality of multilevel and compartmented access structures
- New useful families of ideal access structures

It is easier now to determine whether a multipartite access structure is ideal

But. . .

Our results do not improve the efficiency of the known methods to construct ideal linear secret sharing schemes for these access structures

Page 27

Constructing Ideal Multipartite SSS

[Diagram: ideal multipartite access structures ↔ multipartite matroids ((P_1, ..., P_m)-partite on {0, ..., m}) ↔ integer polymatroids; ideal linear schemes ↔ representable multipartite matroids (n+1 vectors) ↔ representable integer polymatroids (m+1 vector subspaces)]

Page 28

Constructing Ideal Multipartite SSS

The problem of constructing ideal linear secret sharing schemes for multipartite access structures can be formulated as follows

Given

- V_1, ..., V_m, vector subspaces of a K-vector space E
- integers n_1, ..., n_m with n_i ≥ dim V_i

Find, for i = 1, ..., m, n_i vectors in V_i such that for every basis u = (u_1, ..., u_m) ∈ Z^m_+ of the corresponding integer polymatroid and for every choice of u_i out of the n_i vectors in V_i, a basis of E is obtained

If the field K is not large enough, one should consider an extension field L

Problem: Determine the smallest extension field

Page 29

Known Construction Methods

Find, over some extension L ⊇ K, a matrix

M = (M1|M2| · · · |Mm)

such that M_i is a k × n_i matrix with columns in V_i ⊆ L^k and the submatrices corresponding to bases are nonsingular

- Construct M step by step, checking the determinants
- Avoid the checks by using some primitive element in an extension field. This implies that L is very large (Brickell 1989)
- Choose M at random. High success probability if L is large enough (Tassa 2004)

Page 30

On the Size of the Base Field

Given a collection of subspaces V_i ⊆ K^k representing an integer polymatroid and integers n_1, ..., n_m with n_i ≥ dim V_i

Determine the minimum size of the extension fields L ⊇ K such that we can find n_i vectors in V_i ⊆ L^k with the required properties

A general upper bound from our results: $|L| \le \binom{n}{k}$

- Beutelspacher & Wettl (1993): lower and upper bounds for the case m = 2, V_2 ⊆ V_1, dim V_2 = 2. Basically, |L| = n
- Giulietti & Vincenti (2010): upper bounds for the case m = 3 and V_3 ⊆ V_2 ⊆ V_1, dim V_1 = 4, dim V_2 = 3, dim V_3 = 2. Namely, |L| ≤ O(n^2)

Page 31

Example: Representing Bipartite Matroids

Consider the simplest case m = 2

Given V_1, V_2 ⊆ E with s = dim E, r_i = dim V_i

Find n_i vectors in V_i such that, for every ℓ = 0, ..., t = r_1 + r_2 − s, every r_1 − ℓ vectors out of the n_1 vectors in V_1 and every r_2 − (t − ℓ) vectors out of the n_2 vectors in V_2 form a basis of E

1. How do we efficiently find such vectors?
2. Which is the minimum size of the field?
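The randomized method listed on page 29 applied to the bipartite instance of page 31, as an added example that is not code from the talk or from its authors: vectors are drawn at random inside V_1 and V_2 and kept only if every submatrix that page 31 requires to be a basis is nonsingular. The instance E = K^3 with V_1 = ⟨e_1, e_2⟩, V_2 = ⟨e_2, e_3⟩, n_1 = n_2 = 4, the primes tried and the function names are assumptions; since four pairwise independent vectors are needed inside a two-dimensional space, GF(2) and GF(3) are too small, which is the field-size question of page 30 in miniature.

```python
import random
from itertools import combinations


def det_mod(M, p):
    """Determinant over GF(p) by Laplace expansion (fine for the small s used here)."""
    if len(M) == 1:
        return M[0][0] % p
    return sum((-1) ** j * M[0][j] * det_mod([row[:j] + row[j + 1:] for row in M[1:]], p)
               for j in range(len(M))) % p


def random_vector_in(basis, p, rng):
    """A uniformly random K-linear combination of the given basis of V_i."""
    coeffs = [rng.randrange(p) for _ in basis]
    return tuple(sum(c * b[j] for c, b in zip(coeffs, basis)) % p for j in range(len(basis[0])))


def required_bases(n1, n2, r1, r2, s):
    """Page 31: for every ℓ = 0..t with t = r1 + r2 − s, every r1 − ℓ of the n1 vectors in V1
    together with every r2 − (t − ℓ) of the n2 vectors in V2 must form a basis of E = K^s."""
    t = r1 + r2 - s
    for l in range(t + 1):
        for I1 in combinations(range(n1), r1 - l):
            for I2 in combinations(range(n2), r2 - (t - l)):
                yield I1, I2


def satisfies(M1, M2, r1, r2, s, p):
    """Page 29's check: every submatrix corresponding to a basis must be nonsingular."""
    for I1, I2 in required_bases(len(M1), len(M2), r1, r2, s):
        rows = [list(M1[i]) for i in I1] + [list(M2[i]) for i in I2]
        if det_mod(rows, p) == 0:
            return False
    return True


def random_construction(B1, B2, n1, n2, p, tries=200, seed=1):
    """Page 29's randomized method (Tassa 2004): draw the n_i vectors at random inside V_i
    and keep the first draw that passes every determinant check.
    Returns (attempt, M1, M2) on success, or None if no draw passed within `tries`."""
    rng = random.Random(seed)
    s, r1, r2 = len(B1[0]), len(B1), len(B2)
    for attempt in range(1, tries + 1):
        M1 = [random_vector_in(B1, p, rng) for _ in range(n1)]
        M2 = [random_vector_in(B2, p, rng) for _ in range(n2)]
        if satisfies(M1, M2, r1, r2, s, p):
            return attempt, M1, M2
    return None


# constructed instance: E = K^3, V1 = <e1, e2>, V2 = <e2, e3>, so r1 = r2 = 2 and t = 1
V1_BASIS = [(1, 0, 0), (0, 1, 0)]
V2_BASIS = [(0, 1, 0), (0, 0, 1)]

if __name__ == "__main__":
    print("determinant conditions to meet:", len(list(required_bases(4, 4, 2, 2, 3))))
    for p in (2, 3, 101):
        res = random_construction(V1_BASIS, V2_BASIS, 4, 4, p)
        print(f"GF({p}):", "no valid choice found" if res is None else f"found on attempt {res[0]}")
```

With these parameters there are 48 determinant conditions (24 for ℓ = 0 and 24 for ℓ = 1); over GF(101) each fails with probability about 1/101, so a random draw succeeds most of the time, which is the "high success probability if L is large enough" of page 29.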
