On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase Ronald Cramer, Ivan Damgard, Serge Fehr

Introduction

Secret sharing (introduced by Shamir)
– An l-bit secret is distributed to n players; every player holds a share. With more than t shares, a player can find the secret.

Privacy and correctness
– An adversary who sees up to t shares still learns no information about the secret; t+1 shares are enough to reconstruct it.

Introduction

This paper considers more: some players (at most t) may be corrupted, and they may contribute wrong shares.

We want every player to be able to reconstruct the secret in this situation.

If t ≥ n/2, no one can be sure that its reconstruction is correct.

If t < n/3, standard methods give an optimal solution with no error.

Introduction

We only consider n/3 ≤ t < n/2. An honest player can either reconstruct the secret or output “failure” (failure probability $2^{-\Omega(k)}$, where k is the security parameter).

When t = (n-1)/2, there is a lower bound on the information sent of $O(nl + kn^2)$.

This bound is also tight.

Communication Model

Secure-channels model with broadcast.
– There is a set of players {P1, …, Pn}.
– There is a dealer D.
– Every pair has a secure private channel.

Adversary
– Active (corrupts at most t players).
– Rushing (can decide after all honest players have sent).
– Static or adaptive (static means it needs to corrupt players before execution).

Single-Round Honest-Dealer VSS

Distribution phase:
– The honest dealer generates shares si = {ki, yi}, i = 1…n, according to a fixed and publicly known conditional probability distribution $P_{S_1 \ldots S_n}(\ldots \mid s)$, where s is the secret, and privately sends si to Pi.

Reconstruction phase:
– Each player Pi is required to broadcast ŷi, which is supposed to equal yi. Each player Pi decides on the secret s based on ki and the broadcast ŷ1, …, ŷn (it outputs s or “failure”).

The adversary can change the ŷj that is broadcast when Pj is corrupted. Honest players always have ŷj = yj.

The adversary can be rushing or non-rushing, static or adaptive.

A Single-Round Honest-Dealer VSS is (t, n, 1-δ)-secure if:
– Privacy:
  • The adversary gains no information about s from the distribution phase.
– (1-δ)-correctness:
  • In the reconstruction phase, each uncorrupted player outputs s or “failure”, and outputting “failure” has probability at most δ.

We can repeat m times to bring the error rate down to $\delta^m$.

This definition is very general; we do not care about the details of the implementation.

Theoretical Lower Bound and Tightness Proof of SRHD-VSS

Lower Bound on Reconstruction Complexity

If $t = (n-1)/2$ and $\delta = 2^{-\Omega(k)}$ for a security parameter k, then the total information broadcast in the reconstruction phase is lower bounded by

$$\Omega(nH(S) + kn^2)$$

– for any family of Single-Round Honest-Dealer VSS schemes, (t, n, 1-δ)-secure against an active, rushing adversary.

H is the entropy of S, by definition:

$$H(S) = -\sum_{j=0}^{J-1} S_j \log S_j$$

Reduced Theorem: Proposition 1

Let $S_1 = (K_1, Y_1), \ldots, S_n = (K_n, Y_n)$ be the message distributed by the SRHD-VSS. In the case of odd n, the size of any public share $Y_i$ is lower bounded by

$$H(Y_i) \in \Omega(H(S) + kn)$$

while for even n, it is the size $H(Y_i Y_j)$ of every pair $Y_i \ne Y_j$ that is lower bounded by

$$H(Y_i Y_j) \in \Omega(H(S) + kn)$$

A Little Authentication Theory

Let K, M, Y, Z be random variables with joint distribution $P_{KMYZ}$ such that M is independent of K and Z but uniquely defined by Y and Z. Then, knowing Z, one can compute $Y'$ consistent with K and Z with probability*

$$P_I \ge 2^{-I(K;Y|Z)}$$

* I stands for an impersonation attack

A Little Authentication Theory

Also, knowing Z and Y, one can compute $Y'$ consistent with K and Z and an $M' \ne M$ with probability*

$$P_S \ge 2^{-H(K|Z)}$$

* S stands for a substitution attack

Observation of PS and PI

Let K, M, Y, Z be the same as above. If M is uniformly distributed over a non-trivial set $\mathcal{M}$, then, knowing Z, one can compute $Y'$ consistent with K and Z, and an $M' \ne M$, with probability:

$$P_S \ge \frac{|\mathcal{M}| - 1}{|\mathcal{M}|} \, 2^{-I(K;Y|Z)} \ge 2^{-I(K;Y|Z) - 1}$$

A successful impersonation attack is a successful substitution attack by definition.

M is uniformly distributed and M' ≠ M.

Proof of Proposition 1 (1/3)

[Figure: players P1, P2, …, Pi-1, Pi, …, Pt, Pt+1; public shares Yt+1 and Y't+1. Either the red ones are honest or vice versa…]

Pi thus cannot compute S with certainty. We then let*

$$\delta = 2^{-\Omega(k)}$$

*Note that the semantics of δ is for Pi to decide {failure}, and a recoverable error may still be counted in. See Section 6 for the correctness proof.

Proof of Proposition 1 (2/3)

Apply Observation 1 by letting K = Ki, M = S, Y = Yt+1, and Z = (K1, …, Ki-1, Y1, …, Yt).

Then, using δ:

$$P_S \ge 2^{-I(K_i; Y_{t+1} \mid K_1 \ldots K_{i-1} Y_1 \ldots Y_t) - 1}$$

$$I(K_i; Y_{t+1} \mid K_1 \ldots K_{i-1} Y_1 \ldots Y_t) \in \Omega(k), \quad i \in \{1, \ldots, t\}$$

A Little Information Theory

Chain rule of mutual information

$$I(K_1 \ldots K_t; Y_{t+1} \mid Y_1 \ldots Y_t) = \sum_{i=1}^{t} I(K_i; Y_{t+1} \mid Y_1 \ldots Y_t K_1 \ldots K_{i-1})$$

Proof of Proposition 1 (3/3)

Using the chain rule, we have

$$H(Y_{t+1}) \ge I(K_1 \ldots K_t; Y_{t+1} \mid Y_1 \ldots Y_t) \in \Omega(kt) = \Omega(kn)$$

And since $S_1 \ldots S_t$ cannot work without $S_{t+1}$, we have

$$H(Y_{t+1}) \ge H(S)$$

And the proposition follows.

Theorem 2: Theorem 1 is Tight

For $t = (n-1)/2$, there is a $(t, n, 1 - 2^{-\Omega(k)})$-secure SRHD-VSS against an adaptive and rushing adversary, with total communication complexity of $O(kn^2)$ bits.

Proof by constructing one.

Construction of the SRHD-VSS (1/3)

Given a (t+1, n) threshold secret sharing scheme and an authentication scheme, e.g. by a family of strongly universal hash functions $\{h\}$.

Dealer: everyone gets a share, every pair gets one…
– Share $S$ as $S_1, S_2, \ldots, S_n$
– Select a random $h$ from the family for every pair $P_i, P_j$

Construction of the SRHD-VSS (2/3)

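Dealer: the golden blade as proof, the jade seal as warrant
– Generate an authentication tag $y_{i,j} = h(S_i)$ for every player $P_j$, using the hash function selected for the pair $P_i, P_j$

Everyone: contending for the Central Plains is everyone's duty
– $P_i$ sends $\langle S_i, y_{i,j} \rangle$ to $P_j$ for all i, j with i ≠ j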

Making Ω(k) (3/3)

Use Shamir’s secret sharing scheme over a field F, |F| > n.

Choose the hash family $h_{\alpha,\beta}(X) = \alpha X + \beta$ over F
– As such, the attack can succeed with probability 1/|F|
– Choose $|F| = 2^{\Omega(k)}$
– The desired result follows
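The construction from the last three slides as a runnable sketch (an added example, not code from the paper or the presentation): Shamir sharing over a prime field, one $h_{\alpha,\beta}$ key per ordered pair, and tag-checked reconstruction as seen by one player. The prime 2^61 - 1, the key layout `keys[j][i]`, all function names and the rule "interpolate the accepted shares or output failure" are assumptions of this example.

```python
import secrets

P = 2**61 - 1  # prime field F (assumption: stands in for |F| = 2^Omega(k))

def h(key, x):
    """h_{alpha,beta}(X) = alpha*X + beta over F, the hash family on the slide."""
    return (key[0] * x + key[1]) % P

def deal(secret, n, t):
    """Dealer: Shamir shares S_i, a random key per ordered pair, tags y[i][j]."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    share = {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
             for i in range(1, n + 1)}
    # keys[j][i] is held by P_j and checks what P_i sends (layout is an assumption)
    keys = {j: {i: (secrets.randbelow(P), secrets.randbelow(P))
                for i in share if i != j} for j in share}
    tags = {i: {j: h(keys[j][i], share[i]) for j in share if j != i} for i in share}
    return share, keys, tags

def lagrange(points, x):
    """Evaluate at x the polynomial through the given (x_i, y_i) points over F."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def reconstruct(j, my_share, my_keys, received, t):
    """P_j keeps (S_i, y_ij) only if the tag verifies, then interpolates.
    The acceptance rule (degree-t consistency or "failure") is an assumption."""
    good = [(j, my_share)] + [(i, s) for i, (s, y) in sorted(received.items())
                              if h(my_keys[i], s) == y]
    base = good[:t + 1]
    if len(base) < t + 1 or any(lagrange(base, x) != y for x, y in good[t + 1:]):
        return "failure"
    return lagrange(base, 0)

def demo(corrupt=(4, 5), n=5, t=2, secret=123456789):
    """Constructed run seen by P_1: corrupted players send S_i + 1 with the old tag."""
    share, keys, tags = deal(secret, n, t)
    received = {i: ((share[i] + (i in corrupt)) % P, tags[i][1])
                for i in range(2, n + 1)}
    return reconstruct(1, share[1], keys[1], received, t)
```

An altered share $S_i + 1$ keeps a valid tag only when α = 0 for that pair, which is the 1/|F| success probability from the slide.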

Thanks

Presented by

游騰楷 呂育恩 葉恆青