Source: ece.drexel.edu/walsh/qi_secretsharing.pdf

Secret Sharing

Qi Chen

December 14, 2015

What is secret sharing?

- A dealer: knows the secret $S$ and distributes the shares of $S$ to each party
- A set of $n$ parties $P_n = \{p_1, \cdots, p_n\}$: each party owns a share
- Authorized subset of the parties: $B \subset P_n$ can reconstruct the secret from their shares
- Unauthorized subset of the parties: $T \subset P_n$ learns nothing about the secret from their shares

Applications

- Secure storage
- Secure multiparty computation
- Threshold cryptography
- Byzantine agreement
- Access control
- Private information retrieval
- Attribute-based encryption
- General oblivious transfer
- ...

Access structure

- The collection $\mathcal{A}$ of all authorized subsets is called the access structure of a secret sharing.
- An access structure is monotone, i.e., if $A \subset B$ and $A \in \mathcal{A}$, then $B \in \mathcal{A}$.

Example

Let $P_4 = \{p_1, \cdots, p_4\}$. Then

$\mathcal{A} = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}, \{p_1, p_2, p_3\}, \{p_1, p_2, p_4\}, \{p_1, p_3, p_4\}, \{p_2, p_3, p_4\}, \{p_1, p_2, p_3, p_4\}\}$

is an access structure.

Access structure

Collection $\mathcal{A}^*$ of minimal sets in $\mathcal{A}$

- Let $\mathcal{A}^*$ be the collection of minimal sets in $\mathcal{A}$, i.e., $B \in \mathcal{A}^*$ if $B \in \mathcal{A}$ and for any proper subset $C \subset B$, $C \notin \mathcal{A}$.
- The access structure $\mathcal{A}$ is uniquely determined by $\mathcal{A}^*$.

Example

$\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}, \{p_3, p_4\}\}$

Remark

- Note that $\mathcal{A}^*$ is a Sperner family on $P_n$, i.e., a collection of subsets of $P_n$ such that no two members of the collection contain each other.
- Sperner families are counted by the Dedekind numbers, which grow very fast with $n$. This indicates the difficulty of the secret sharing problem.
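As an added example (this is not code from the slides), the Python below builds the access structure of the slides' example from its minimal sets $\mathcal{A}^*$, checks that it is monotone, recovers $\mathcal{A}^*$ from $\mathcal{A}$ and confirms that $\mathcal{A}^*$ is a Sperner family. The party names `p1`..`p4` and the brute-force enumeration of all subsets are this example's own choices; the same functions work for any small party set.

```python
from itertools import combinations

# Constructed from the slides' example: four parties and the minimal sets A*.
PARTIES = frozenset({"p1", "p2", "p3", "p4"})
A_STAR = [frozenset({"p1", "p2"}), frozenset({"p2", "p3"}), frozenset({"p3", "p4"})]


def all_subsets(parties):
    """Every non-empty subset of the party set, as frozensets."""
    parties = sorted(parties)
    return [frozenset(c) for k in range(1, len(parties) + 1)
            for c in combinations(parties, k)]


def monotone_closure(min_sets, parties):
    """The access structure A determined by A*: every subset of `parties`
    that contains some minimal set is authorized."""
    min_sets = [frozenset(m) for m in min_sets]
    return {b for b in all_subsets(parties) if any(m <= b for m in min_sets)}


def minimal_sets(access_structure):
    """A*: the members of A that have no proper subset in A."""
    sets = [frozenset(b) for b in access_structure]
    return {b for b in sets if not any(c < b for c in sets)}


def is_monotone(access_structure, parties):
    """Adding any single party to an authorized set keeps it authorized
    (by induction this is the monotonicity condition of the slides)."""
    sets = {frozenset(b) for b in access_structure}
    return all(b | {p} in sets for b in sets for p in parties - b)


def is_sperner(family):
    """Sperner family: no member is a proper subset of another member."""
    sets = [frozenset(b) for b in family]
    return not any(c < b for c in sets for b in sets)


def check_slide_example():
    """Rebuild A from the slides' A*, then recover A* from A again."""
    access = monotone_closure(A_STAR, PARTIES)
    return {
        "size_of_A": len(access),                 # the slides list 8 authorized sets
        "monotone": is_monotone(access, PARTIES),
        "A_star_recovered": minimal_sets(access) == set(A_STAR),
        "A_star_is_sperner": is_sperner(A_STAR),
    }


if __name__ == "__main__":
    print(check_slide_example())
```

The closure step is the direction a practitioner uses in practice: a policy is written as its minimal authorized sets, and everything else follows by monotonicity.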

Definition by probability

- A distribution scheme $\Sigma = \langle \Pi, \mu \rangle$ with domain of secrets $K$
- $\mu$ is a probability distribution on some finite set $R$
- $\Pi$ is a mapping from $K \times R$ to a set of $n$-tuples $K_1 \times \cdots \times K_n$, where $K_j$ is called the domain of shares of $p_j$
- The dealer distributes $k \in K$ according to $\Sigma$ by first sampling a random string $r \in R$ according to $\mu$, computing a vector $\Pi(k, r) = (s_1, \cdots, s_n)$ and privately communicating each share $s_j$ to party $p_j$.

Definition by probability

Scheme $\Sigma$ is a secret-sharing scheme realizing an access structure $\mathcal{A}$ if the following two requirements hold:

1. (Correctness) For any $B = \{p_{i_1}, \cdots, p_{i_{|B|}}\} \in \mathcal{A}$, there is a reconstruction function $\mathrm{REC} : K_{i_1} \times \cdots \times K_{i_{|B|}} \to K$ such that for any $k \in K$,

$\Pr[\mathrm{REC}(\Pi(k, r)_B) = k] = 1.$

2. (Perfect Privacy) For any $T \notin \mathcal{A}$, for any $a, b \in K$, and for every possible vector of shares $\langle s_j \rangle_{p_j \in T}$:

$\Pr[\Pi(a, r)_T = \langle s_j \rangle_{p_j \in T}] = \Pr[\Pi(b, r)_T = \langle s_j \rangle_{p_j \in T}]$

Definition by entropy

Let the secret be a random variable $S$ on $K$, and each share a random variable $S_j$ on $K_j$. Then the scheme $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ is a secret-sharing scheme realizing access structure $\mathcal{A}$ if the following two conditions hold:

1. (Correctness) For any $B \in \mathcal{A}$,

$H(S \mid S_B) = 0$

2. (Perfect Privacy) For any $T \notin \mathcal{A}$,

$H(S \mid S_T) = H(S)$

Remark. For perfect privacy, the condition can be written as $I(S; S_T) = 0$. If we modify the condition to $I(S; S_T) = a_T$ for some $0 \le a_T \le H(S)$, then the modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.

Equivalence of two definitions

Theorem. The two definitions of secret sharing are equivalent.

- For any $\Sigma = (\Pi, \mu)$ realizing access structure $\mathcal{A}$, we can construct a random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$.
- For any random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$, we can accordingly construct a $\Sigma = (\Pi, \mu)$ realizing $\mathcal{A}$.

Information ratio

Information ratio by the definition of probability

$\rho_\Sigma \triangleq \max_{1 \le j \le n} \frac{\log |K_j|}{\log |K|}$

Information ratio by the definition of entropy

$\rho_{\mathbf{S}} \triangleq \max_{1 \le j \le n} \frac{H(S_j)}{H(S)}$

Corollary

$\rho_\Sigma = \rho_{\mathbf{S}}$

if $\Sigma$ corresponds to $\mathbf{S}$.

The fundamental problem of secret sharing: optimal information ratio

Let $N = \{s\} \cup P_n$ and $\Gamma^*_N$ the entropy function region on $N$. Let $\mathcal{A}$ be an access structure on $P_n$. Then the optimal information ratio on $\mathcal{A}$ is

$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^*_N \cap \Phi_{\mathcal{A}}} \max_{1 \le j \le n} \frac{h(p_j)}{h(s)}$

where

$\Phi_{\mathcal{A}} = \{ h : h(s \cup B) = h(B)\ \forall B \in \mathcal{A},\ h(s \cup T) = h(s) + h(T)\ \forall T \notin \mathcal{A} \}$

Shamir’s threshold scheme

For $1 \le t \le n$, let $\mathcal{A}_{t,n} = \{A \subset P_n : |A| \ge t\}$. Then $\mathcal{A}_{t,n}$ is an access structure with threshold $t$. It can be realised by Shamir's scheme as follows:

- Let $K = \mathbb{F}_q$, where $q > n$ is a prime power.
- Let $\alpha_1, \cdots, \alpha_n \in \mathbb{F}_q$ be $n$ distinct non-zero elements known to all parties.
- The dealer uniformly chooses $a_1, \cdots, a_{t-1} \in \mathbb{F}_q$ and generates the polynomial $P(x) = k + \sum_{i=1}^{t-1} a_i x^i$.
- The share of $p_j$ is $s_j = P(\alpha_j)$.

Shamir’s threshold scheme

Correctness. For any $B = \{p_{i_1}, \cdots, p_{i_t}\} \in \mathcal{A}^*_{t,n}$, let

$Q(x) = \sum_{\ell=1}^{t} s_{i_\ell} \prod_{1 \le j \le t,\, j \ne \ell} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_\ell}}.$

Note that $Q(\alpha_{i_\ell}) = s_{i_\ell} = P(\alpha_{i_\ell})$ for $1 \le \ell \le t$. Since $P$ and $Q$ both have degree at most $t - 1$ and agree on $t$ points, this implies that $Q(x) = P(x)$ and $Q(0) = P(0) = k$.

Shamir’s threshold scheme

Perfect privacy

For any $T = \{p_{i_1}, \cdots, p_{i_{t-1}}\}$, the $t - 1$ shares together with each secret $a \in \mathbb{F}_q$ uniquely determine a polynomial $P_a(x)$ with $P_a(0) = a$ and $P_a(\alpha_{i_\ell}) = s_{i_\ell}$ for $1 \le \ell \le t - 1$. Hence

$\Pr[\Pi(a, r)_T = \langle s_{i_\ell} \rangle_{1 \le \ell \le t-1}] = \frac{1}{q^{t-1}}$

Privacy follows because this probability is the same for every $a \in \mathbb{F}_q$.

Information ratio

- The information ratio is 1 since $K_j = K = \mathbb{F}_q$
- It is the optimal information ratio on the access structure $\mathcal{A}_{t,n}$
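The following added Python example (not code from the slides) implements Shamir's scheme as the slides describe it and checks both requirements of the probabilistic definition: correctness through the Lagrange formula $Q(0)$ from the correctness slide, and perfect privacy by enumerating, for every secret $a$, all $q^{t-1}$ random strings and confirming that $t - 1$ parties see each share vector with probability $1/q^{t-1}$, identically for every $a$. Assumptions of this example: $q = 17$ is prime, the public points are $\alpha_j = j$, and Python 3.8+ is used for the modular inverse `pow(x, -1, q)`.

```python
import secrets
from itertools import product


def eval_poly(coeffs, x, q):
    """Evaluate k + a_1 x + ... + a_{t-1} x^{t-1} over F_q; coeffs[0] is the secret."""
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q


def share(k, t, n, q):
    """Dealer side: choose a_1..a_{t-1} uniformly, return {alpha_j: P(alpha_j)}.
    Assumption: alpha_j = j, which are distinct and non-zero because q > n."""
    if not (1 <= t <= n < q):
        raise ValueError("need 1 <= t <= n < q")
    coeffs = [k % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    return {j: eval_poly(coeffs, j, q) for j in range(1, n + 1)}


def reconstruct(shares, q):
    """Lagrange interpolation at x = 0 using the slides' Q(x):
    Q(0) = sum_l s_l * prod_{j != l} alpha_j / (alpha_j - alpha_l)."""
    k = 0
    for alpha_l, s_l in shares.items():
        num, den = 1, 1
        for alpha_j in shares:
            if alpha_j != alpha_l:
                num = num * alpha_j % q
                den = den * (alpha_j - alpha_l) % q
        k = (k + s_l * num * pow(den, -1, q)) % q
    return k


def view_counts(t, q, parties):
    """For each secret a, count how often each share vector seen by `parties`
    occurs when r ranges over all q^(t-1) random strings."""
    tables = {}
    for a in range(q):
        counts = {}
        for r in product(range(q), repeat=t - 1):
            view = tuple(eval_poly([a, *r], j, q) for j in parties)
            counts[view] = counts.get(view, 0) + 1
        tables[a] = counts
    return tables


def is_perfectly_private(t, q, parties):
    """Perfect privacy as on the slides: the distribution of the shares held by
    `parties` is the same for every secret. For t-1 parties every share vector
    appears exactly once per secret, i.e. with probability 1/q^(t-1)."""
    tables = view_counts(t, q, parties)
    reference = tables[0]
    same_for_all = all(tab == reference for tab in tables.values())
    uniform = len(reference) == q ** (t - 1) and set(reference.values()) == {1}
    return same_for_all and uniform


def demo(q=17, t=3, n=5, k=11):
    """Share k among n parties with threshold t, reconstruct from t shares,
    and verify that t-1 shares leak nothing."""
    shares = share(k, t, n, q)
    subset = {j: shares[j] for j in (2, 4, 5)}      # any t of the n shares
    return reconstruct(subset, q) == k and is_perfectly_private(t, q, (1, 2))


if __name__ == "__main__":
    print(demo())
```

Running `is_perfectly_private(3, 17, (1, 2, 3))` with $t$ parties instead of $t - 1$ returns False: the view sets for different secrets are disjoint, which is exactly what correctness requires of an authorized set.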

Shamir’s threshold scheme by entropy

Let $\Gamma_N$ be the polymatroidal region on $N$. Let $\mathfrak{p} = \{\{s\}, P_n\}$ be a partition of $N$.

Lemma

$\Psi^*_{\mathfrak{p}} = \Psi_{\mathfrak{p}}$

where $\Psi^*_{\mathfrak{p}} = \Gamma^*_N \cap C_{\mathcal{A}_{t,n}}$, $\Psi_{\mathfrak{p}} = \Gamma_N \cap C_{\mathcal{A}_{t,n}}$ and

$C_{\mathcal{A}_{t,n}} = \{ h : h(A) = h(B),\ h(s \cup A) = h(s \cup B)\ \text{if } |A| = |B|,\ \forall A, B \subset P_n \}$

Shamir’s threshold scheme by entropy

For simplicity, let $\rho_{t,n} = \rho_{\mathcal{A}_{t,n}}$ and $\Phi_{t,n} = \Phi_{\mathcal{A}_{t,n}}$. Then

$\rho_{t,n} = \inf_{h \in \Gamma^*_N \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(p_j)}{h(s)}$

where

$\Phi_{t,n} = \{ h : h(s \cup B) = h(B)\ \text{if } |B| \ge t,\ h(s \cup B) = h(s) + h(B)\ \text{if } |B| < t \}$

Theorem

$\rho_{t,n} = \inf_{h \in \Psi^*_{\mathfrak{p}} \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(p_j)}{h(s)}$

Shamir’s threshold scheme by entropy

Theorem

$\rho_{t,n} = \min_{h \in \Psi_{\mathfrak{p}} \cap \Phi_{t,n}} \max_{1 \le j \le n} \frac{h(p_j)}{h(s)}$

The solution is $\rho_{t,n} = 1$ and

$\arg\min \rho_{t,n} = \{ h = a\, U_{t,n+1} : a > 0 \}$

Remark. This result can be generalized to non-perfect threshold schemes.

Linear secret-sharing scheme

Definition. A secret-sharing scheme is linear if

- the secret $s \in \mathbb{F}$,
- each random string $r \in R$ is a vector and each entry of $r$ is chosen independently with uniform distribution from $\mathbb{F}$,
- each share $s_j$ is a vector and each entry of $s_j$ is a fixed linear combination of the secret $s$ and the coordinates of the random string $r$.

Shamir's threshold scheme is linear.

Linear secret-sharing scheme

Monotone span program

A monotone span program is a triple $\mathcal{M} = (\mathbb{F}, M, \rho)$, where

- $\mathbb{F}$ is a field,
- $M$ is an $a \times b$ matrix over $\mathbb{F}$,
- and $\rho : \{1, \cdots, a\} \to \{p_1, \cdots, p_n\}$ labels each row of $M$ by a party.

Example

Consider the following monotone span program $(\mathbb{F}_{17}, M, \rho)$, where

$M = \begin{bmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \\ 1 & 4 & 16 \end{bmatrix}$

and $\rho(1) = \rho(2) = p_2$, $\rho(3) = p_1$ and $\rho(4) = p_4$.

Linear secret-sharing scheme

Monotone span program

- For any $A \subset P_n$, let $M_A$ denote the sub-matrix obtained by restricting $M$ to the rows labeled by parties in $A$.
- $\mathcal{M}$ accepts $B$ if the rows of $M_B$ span the vector $e_1 = (1, 0, \cdots, 0)$.
- $\mathcal{M}$ accepts access structure $\mathcal{A}$ if $\mathcal{M}$ accepts a set $B$ iff $B \in \mathcal{A}$.

Example

Consider $B = \{p_1, p_2\}$ and $T = \{p_1, p_3\}$. Then

$M_B = \begin{bmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \end{bmatrix}$ and $M_T = \begin{bmatrix} 1 & 3 & 9 \\ 1 & 4 & 16 \end{bmatrix}.$

It can be checked that the rows of $M_B$ span $e_1$ but the rows of $M_T$ do not. We can check further that $\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}\}$.

Linear secret-sharing scheme

Theorem. Let $\mathcal{M} = (\mathbb{F}, M, \rho)$ be a monotone span program accepting an access structure $\mathcal{A}$, where $\mathbb{F}$ is a finite field and for every $j$ there are $a_j$ rows of $M$ labeled by $p_j$. Then there is a linear secret-sharing scheme realizing $\mathcal{A}$ such that the share of party $p_j$ is a vector in $\mathbb{F}^{a_j}$. The information ratio of the resulting scheme is $\max_{1 \le j \le n} a_j$.

Theorem. Let $\Gamma^L_N$ be the region bounded by Shannon-type information inequalities and linear rank inequalities over $N$. Then the optimal information ratio of linear schemes on $\mathcal{A}$ is

$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^L_N \cap \Phi_{\mathcal{A}}} \max_{1 \le j \le n} \frac{h(p_j)}{h(s)}$

where $\Phi_{\mathcal{A}}$ is defined as above.
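The following added Python example (not code from the slides) turns the slides' monotone span program over $\mathbb{F}_{17}$ into the linear secret-sharing scheme of the theorem above: it decides which sets the program accepts by solving $\lambda^{\mathsf{T}} M_B = e_1$ over $\mathbb{F}_{17}$, recovers $\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}\}$ from the MSP example, shares a secret as $M v$ with $v = (s, r_2, r_3)$, reconstructs it with the recombination vector $\lambda$, and reports the information ratio $\max_j a_j$. One assumption is labelled in the code: the slides' text says $\rho(4) = p_4$, but their worked example restricts $T = \{p_1, p_3\}$ to rows 3 and 4, so the example below labels row 4 with $p_3$ to match that worked example. The Gauss-Jordan solver is this example's own and needs Python 3.8+ for `pow(x, -1, p)`.

```python
import secrets
from itertools import combinations

# Constructed from the slides: the monotone span program (F_17, M, rho).
Q = 17
M = [[1, 1, 1],
     [1, 2, 4],
     [1, 3, 9],
     [1, 4, 16]]
# Assumption: row 4 is labelled p3 (the slides' text says p4, but their
# example treats row 4 as p3's row, so we follow the example here).
RHO = {1: "p2", 2: "p2", 3: "p1", 4: "p3"}
PARTIES = ("p1", "p2", "p3")
E1 = [1, 0, 0]


def solve_mod_p(A, b, p):
    """One solution x of A x = b over F_p by Gauss-Jordan elimination, or None."""
    m, n = len(A), len(A[0])
    aug = [[v % p for v in row] + [rhs % p] for row, rhs in zip(A, b)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, p)
        aug[r] = [v * inv % p for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(vi - f * vr) % p for vi, vr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):
        return None                      # a row reads 0 = nonzero: inconsistent
    x = [0] * n                          # free variables are set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def rows_of(subset):
    """Row indices of M_B: the rows labelled by parties in `subset`."""
    return [i for i in sorted(RHO) if RHO[i] in subset]


def recombination_vector(row_indices):
    """lambda with lambda^T M_B = e1, i.e. M_B^T lambda = e1, or None if M rejects B."""
    if not row_indices:
        return None
    transposed = [[M[i - 1][c] for i in row_indices] for c in range(len(E1))]
    return solve_mod_p(transposed, E1, Q)


def accepts(subset):
    return recombination_vector(rows_of(subset)) is not None


def accepted_access_structure():
    return {frozenset(c) for k in range(1, len(PARTIES) + 1)
            for c in combinations(PARTIES, k) if accepts(set(c))}


def minimal_sets(family):
    return {b for b in family if not any(c < b for c in family)}


def lsss_share(secret):
    """Share vector M v with v = (secret, r_2, ..., r_b); party p_j holds the
    entries of the rows labelled p_j, so its share lies in F^{a_j}."""
    v = [secret % Q] + [secrets.randbelow(Q) for _ in range(len(M[0]) - 1)]
    return {i: sum(a * b for a, b in zip(M[i - 1], v)) % Q for i in RHO}


def lsss_reconstruct(row_shares):
    """Recover the secret from {row index: share entry} held by an accepted set:
    lambda^T (M_B v) = e1 . v = secret."""
    rows = sorted(row_shares)
    lam = recombination_vector(rows)
    if lam is None:
        raise ValueError("rows do not span e1: unauthorized set")
    return sum(l * row_shares[i] for l, i in zip(lam, rows)) % Q


def information_ratio():
    """max_j a_j: the largest number of rows any single party is labelled with."""
    return max(list(RHO.values()).count(p) for p in PARTIES)


def demo(secret=9, authorized=("p1", "p2")):
    shares = lsss_share(secret)
    return lsss_reconstruct({i: shares[i] for i in rows_of(set(authorized))})


if __name__ == "__main__":
    print(sorted(map(sorted, minimal_sets(accepted_access_structure()))), demo())
```

Here $p_2$ holds two field elements and every other party one, so the scheme's information ratio is 2, as the theorem predicts from the row labelling.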

Lower bounds on the information ratio

Theorem. Let $p_j$ be a non-redundant party in $\mathcal{A}$ and let $\Sigma$ be any secret-sharing scheme realizing $\mathcal{A}$. Then

$|K_j| \ge |K|$

which implies that $\rho_{\mathcal{A}} \ge 1$ for any $\mathcal{A}$.

Ideal secret-sharing scheme

A secret-sharing scheme whose information ratio is 1 is called an ideal secret-sharing scheme.

Csirmaz’s lower bound

Csirmaz's access structure. We define the access structure $\mathcal{A}_n$ by its minimal sets $\mathcal{A}^*_n$.

- Let $k$ be the largest integer such that $2^k + k - 1 \le n$.
- Let $B = \{p_1, \cdots, p_{2^k - 1}\}$ and define $B_0 = \emptyset$ and $B_i = \{p_1, \cdots, p_i\}$ for $1 \le i \le 2^k - 1$.
- Let $A = \{p_{2^k}, \cdots, p_{2^k + k - 1}\}$, and let $A = A_0, A_1, \cdots, A_{2^k - 1} = \emptyset$ be all the subsets of $A$, ordered such that if $i < i'$, then $A_i \not\subset A_{i'}$.
- Define $U_i = A_i \cup B_i$ for $0 \le i \le 2^k - 1$.

Then $\mathcal{A}^*_n = \{U_i : 0 \le i \le 2^k - 1\}$.

Theorem. The information ratio of any secret-sharing scheme realizing the access structure constructed above is $\Omega(n / \log n)$.
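As an added example (not code from the slides), the Python below carries out Csirmaz's construction for a given $n$: it picks $k$, builds $B_i$ and the subsets $A_i$ of $A$ in an order satisfying the slide's condition, forms $U_i = A_i \cup B_i$, and checks that the $2^k$ minimal sets form a Sperner family. The ordering used (subsets of $A$ by decreasing size) and the party labels `p1`..`pn` are this example's own choices; any order with $|A_i| \ge |A_{i'}|$ for $i < i'$ satisfies the condition.

```python
from itertools import combinations


def csirmaz_structure(n):
    """Csirmaz's minimal sets A*_n = {U_0, ..., U_{2^k - 1}} on n parties,
    following the construction on the slide."""
    k = 1
    while 2 ** (k + 1) + (k + 1) - 1 <= n:      # largest k with 2^k + k - 1 <= n
        k += 1
    if 2 ** k + k - 1 > n:
        raise ValueError("need n >= 2")
    big = 2 ** k
    B = [f"p{i}" for i in range(1, big)]                # p_1 .. p_{2^k - 1}
    A = [f"p{i}" for i in range(big, big + k)]          # p_{2^k} .. p_{2^k + k - 1}
    # A_0 = A, ..., A_{2^k - 1} = empty set, listed by decreasing size so that
    # i < i' implies A_i is not a subset of A_{i'} (distinct sets of equal or
    # smaller size cannot contain a larger one).
    A_subsets = [frozenset(c) for r in range(k, -1, -1) for c in combinations(A, r)]
    U = [A_subsets[i] | frozenset(B[:i]) for i in range(big)]   # U_i = A_i u B_i
    return {"k": k, "A": A, "A_subsets": A_subsets, "minimal_sets": U}


def is_sperner(family):
    """No member of the family is a proper subset of another member."""
    return not any(c < b for c in family for b in family)


def ordering_ok(A_subsets):
    """The slide's condition: i < i' implies A_i is not a subset of A_{i'}."""
    return not any(A_subsets[i] <= A_subsets[j]
                   for i in range(len(A_subsets))
                   for j in range(i + 1, len(A_subsets)))


def summary(n):
    """(k, number of minimal sets, Sperner?, ordering condition holds?) for n parties."""
    s = csirmaz_structure(n)
    return (s["k"], len(s["minimal_sets"]),
            is_sperner(s["minimal_sets"]), ordering_ok(s["A_subsets"]))


if __name__ == "__main__":
    for n in (7, 20):
        print(n, summary(n), sorted(map(sorted, csirmaz_structure(n)["minimal_sets"])))
```

For $n = 7$ this gives $k = 2$, $A = \{p_4, p_5\}$ and the four minimal sets $\{p_4, p_5\}$, $\{p_1, p_4\}$, $\{p_1, p_2, p_5\}$, $\{p_1, p_2, p_3\}$; the Sperner check always passes because for $i < i'$ the $B$-part of $U_{i'}$ strictly contains that of $U_i$ while the $A$-part of $U_i$ is never contained in that of $U_{i'}$.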

Csirmaz’s lower bound

Lemma. For every $0 \le i \le 2^k - 2$,

$H(B_i \cup A) - H(B_i) \ge H(B_{i+1} \cup A) - H(B_{i+1}) + H(S)$

Proof sketch of Theorem.

$\begin{aligned} \sum_{p_j \in A} H(p_j) &\ge H(A) \\ &\ge H(B_0 \cup A) - H(B_0) \\ &\ge H(B_{2^k - 1} \cup A) - H(B_{2^k - 1}) + (2^k - 1) H(S) \\ &= \Omega(n) H(S). \end{aligned}$

This implies that $H(p_j) = \Omega(n / \log n) H(S)$ for at least one $p_j$, since $|A| = k = O(\log n)$.

Remark. Both the Lemma and the inequalities in the proof sketch are Shannon-type.

Lower bounds for linear secret sharing

Theorem. For any $n$, there exists an access structure $\mathcal{A}_n$ such that every monotone span program over any field accepting it has size $n^{\Omega(\log n)}$.

Limitations of known techniques for lower bounds

- No better lower bound has been found since Csirmaz's lower bound in 1994
- Shannon-type information inequalities cannot help to improve the bound
- All information inequalities with fewer than 6 random variables cannot help to improve the bound

Open problems

Question 1. Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is $2^{\Omega(n)}$.

Question 2. Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain $\{0, 1\}$ is super-polynomial in $n$.

Question 3. Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is $2^{\Omega(n)}$.

Bibliography

A. Beimel, "Secret-sharing schemes: a survey," Coding and Cryptology, Springer, 2011.

Q. Chen and R. W. Yeung, "Partition-Symmetrical Entropy Functions," submitted to IEEE Trans. Inf. Theory.

Discussion

What can we do?

Thank you!