On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase
Ronald Cramer, Ivan Damgård, Serge Fehr
Introduction
Secret sharing (introduced by Shamir)
– An l-bit secret is distributed to n players; every player holds one share.
– Any more than t shares (i.e. t+1 of them) let a player find the secret.
Privacy
– If an adversary sees up to t shares, it still learns no information about the secret.
Correctness
– t+1 shares are enough to reconstruct the secret.
Introduction
This paper considers more: some players (at most t of them) may be corrupted and may contribute wrong shares.
We want every honest player to be able to reconstruct the secret in this situation.
If $t \ge n/2$, no one can be sure that its reconstruction is correct.
If $t < n/3$, standard methods give an optimal solution with no error.
Introduction
We only consider $n/3 \le t < n/2$. An honest player can either reconstruct the secret or output "failure" (the failure probability is $2^{-\Omega(k)}$, where k is the security parameter).
When $t = \lfloor (n-1)/2 \rfloor$, there is a lower bound of $\Omega(nl + kn^2)$ on the information that must be sent.
This bound is also tight.
Communication Model
Secure-channels model with broadcast
– There is a set of players $\{P_1, \ldots, P_n\}$
– A dealer D
– Every pair has a secure private channel
Adversary
– Active (corrupts at most t players)
– Rushing (can decide after all honest players have sent)
– Static or adaptive (static means it must choose the corrupted players before the execution)
Single-Round Honest-Dealer VSS
Distribution phase
– The honest dealer generates shares $s_i = (k_i, y_i)$, $i = 1, \ldots, n$, according to a fixed and publicly known conditional probability distribution $P_{S_1 \ldots S_n}(\cdot \mid s)$, where s is the secret, and privately sends $s_i$ to $P_i$.
Reconstruction phase
– Each player $P_i$ is required to broadcast $\hat y_i$, which is supposed to equal $y_i$. Each player $P_i$ then decides on the secret s based on $k_i$ and $\hat y_1, \ldots, \hat y_n$ (it outputs s or "failure").
The adversary can change the $\hat y_j$ that is broadcast when $P_j$ is corrupted. Honest players always have $\hat y_j = y_j$.
The adversary can be rushing or non-rushing, static or adaptive.
A Single-Round Honest-Dealer VSS is $(t, n, 1-\delta)$-secure if:
– Privacy: the adversary gains no information about s from the distribution phase.
– $(1-\delta)$-correctness: in the reconstruction phase, each uncorrupted player outputs s or "failure", and outputting "failure" has probability at most δ.
We can repeat the scheme m times to reduce the error probability to $\delta^m$.
This definition is very general; we do not care about the details of the implementation.
Theoretical Lower Bound and Tightness Proof of SRHD-VSS
Lower Bound on Reconstruction Complexity
Theorem 1: For any family of Single-Round Honest-Dealer VSS schemes that is $(t, n, 1-\delta)$-secure against an active, rushing adversary, if
$t = \lfloor (n-1)/2 \rfloor$ and $\delta = 2^{-\Omega(k)}$
for a security parameter k, then the total information broadcast in the reconstruction phase is lower bounded by
$\Omega(n H(S) + k n^2)$.
H(S) is the entropy of S, by definition
$H(S) = -\sum_{j=0}^{J-1} P_S(s_j) \log P_S(s_j)$.
Reduced Theorem: Proposition 1
Let $S_1 = (K_1, Y_1), \ldots, S_n = (K_n, Y_n)$ be the shares distributed by the SRHD-VSS. In the case of odd n, the size of any public share $Y_i$ is lower bounded by
$H(Y_i) \ge \Omega(H(S) + kn)$,
while for even n, it is the size $H(Y_i Y_j)$ of every pair $i \ne j$ that is lower bounded by
$H(Y_i Y_j) \ge \Omega(H(S) + kn)$.
A Little Authentication Theory
Let K, M, Y, Z be random variables with joint distribution $P_{KMYZ}$ such that M is independent of K and Z but uniquely determined by Y and Z. Then, knowing only Z, one can compute a $\hat Y$ consistent with K and Z with probability*
$P_I \ge 2^{-I(K; Y \mid Z)}$
* I stands for an impersonation attack
A Little Authentication Theory
Also, knowing Z and Y, one can compute a $\hat Y$ consistent with K and Z, together with an $\hat M \ne M$, with probability*
$P_S \ge 2^{-H(K \mid Z)}$
* S stands for a substitution attack
Observation on $P_S$ and $P_I$
Let K, M, Y, Z be as above. If M is uniformly distributed over a non-trivial set, then knowing Z one can compute a $\hat Y$ consistent with K and Z, together with an $\hat M \ne M$, with probability
$P_S \ge 2^{-I(K; Y \mid Z)} \left(1 - \frac{1}{|\mathcal{M}|}\right) \ge \frac{1}{2}\, 2^{-I(K; Y \mid Z)}$
– A successful impersonation attack is by definition a successful substitution attack whenever its message satisfies $\hat M \ne M$.
– M is uniformly distributed, so $\hat M \ne M$ holds with probability $1 - 1/|\mathcal{M}| \ge 1/2$.
Proof of Proposition 1 (1/3)
[Figure: players $P_1, P_2, \ldots, P_{i-1}, P_i, \ldots, P_t, P_{t+1}$; in the reconstruction, $P_{t+1}$ broadcasts either $Y_{t+1}$ or $Y'_{t+1}$. Either the players marked in red are honest, or the others are (vice versa).]
$P_i$ can thus not compute S with certainty. We then let*
$\delta = 2^{-\Omega(k)}$
* Note that the semantics of δ is for $P_i$ to decide "failure", and a recoverable error may still be counted in. See Section 6 for the correctness proof.
Proof of Proposition 1 (2/3)
Apply the observation by letting $K = K_i$, $M = S$, $Y = Y_{t+1}$ and $Z = (K_1, \ldots, K_{i-1}, Y_1, \ldots, Y_t)$.
Using δ as the bound on the success probability of the attack, we get
$P_S \ge \frac{1}{2}\, 2^{-I(K_i; Y_{t+1} \mid K_1 \ldots K_{i-1} Y_1 \ldots Y_t)}$
and hence
$I(K_i; Y_{t+1} \mid K_1 \ldots K_{i-1} Y_1 \ldots Y_t) \ge \Omega(k)$ for all $i \in \{1, \ldots, t\}$.
A Little Information Theory
Chain rule of mutual information:
$I(K_1 \ldots K_t; Y_{t+1} \mid Y_1 \ldots Y_t) = \sum_{i=1}^{t} I(K_i; Y_{t+1} \mid Y_1 \ldots Y_t K_1 \ldots K_{i-1})$
Proof of Proposition 1 (3/3)
Using the chain rule, we have
$H(Y_{t+1}) \ge I(K_1 \ldots K_t; Y_{t+1} \mid Y_1 \ldots Y_t) \ge \Omega(kt) = \Omega(kn)$.
And since $S_1, \ldots, S_t$ cannot reconstruct S without $S_{t+1}$, we have
$H(Y_{t+1}) \ge H(S)$.
The proposition follows.
Theorem 2: Theorem 1 is Tight
For $t = \lfloor (n-1)/2 \rfloor$, there exists a $(t, n, 1 - 2^{-\Omega(k)})$-secure SRHD-VSS against an adaptive and rushing adversary, with total communication complexity of $O(kn^2)$ bits.
Proof by constructing one.
Construction of the SRHD-VSS (1/3)
Given a (t+1, n) threshold secret sharing scheme and an authentication scheme, e.g. given by a family $\{h\}$ of strongly universal hash functions.
Dealer: everyone gets one share, every pair gets one key
– $S \to (S_1, S_2, \ldots, S_n)$
– Select a random $h_{i,j} \in \{h\}$ for every pair $P_i, P_j$, $i \ne j$
Construction of the SRHD-VSS (2/3)
Dealer: a golden blade as witness, a jade seal as proof (the tags vouch for the shares)
– Generate the authentication tag $y_{i,j} = h_{i,j}(S_i)$ for every player $P_j$
Everyone: contending for the throne is everyone's duty (every player takes part in the reconstruction)
– $P_i$ sends $\langle S_i, y_{i,j} \rangle$ to $P_j$ for all $i, j$ with $i \ne j$
Making Ω(k) (3/3)
Use Shamir's secret sharing scheme over a field F with $|F| > n$.
Choose the hash family $h_{\alpha,\beta}(X) = \alpha X + \beta$ over F.
– As such, the attack can succeed with probability $1/|F|$
– Choose $|F| = 2^{\Omega(k)}$
– The desired result follows
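The construction of slides 21 to 23 (Shamir sharing plus pairwise tags from the family $h_{\alpha,\beta}(X) = \alpha X + \beta$), together with the basic sharing of slide 2 and the single-round reconstruction of slide 6, as an added example that is not code from the slides or the paper. It assumes a prime field $\mathbb{Z}_p$ with $p > n$ and $|F| = 2^{61}$, and it reads the unstated reconstruction rule as: an honest player accepts a broadcast share only if the tag verifies under its own key, and outputs "failure" unless all accepted shares lie on a single degree-t polynomial; the function names (`deal`, `reconstruct`, `simulate`, `forged_tag_yields_failure`) are this example's own.

```python
"""Added example, not code from the slides or the paper: a toy single-round
honest-dealer VSS in the style of slides 21-23.  Assumed: the field F is
the prime field Z_p with p > n and |F| = 2^61; sharing is Shamir's (t+1, n)
scheme; tags come from the strongly universal family h_{a,b}(X) = a*X + b
over F; in reconstruction an honest player accepts only shares whose tags
verify under its own keys and outputs "failure" unless every accepted share
lies on one degree-t polynomial (this accept/consistency rule is this
example's reading of the scheme, not something the slides state)."""
import secrets

P = (1 << 61) - 1  # prime; |F| = 2^61, so guessing a tag succeeds with prob 2^-61


def shamir_share(secret, t, n):
    """Shamir (t+1, n): share i is f(i) for a random degree-t f with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}


def lagrange_at(points, x):
    """Value at x of the unique polynomial through `points` (dict x -> y) over Z_p."""
    total = 0
    for xi, yi in points.items():
        num = den = 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def deal(secret, t, n):
    """Distribution phase: P_i receives its share S_i, the tags y_ij = h_ij(S_i)
    for all j != i, and the keys h_ji it needs to check every other player's share."""
    shares = shamir_share(secret, t, n)
    keys = {(i, j): (secrets.randbelow(P), secrets.randbelow(P))   # h_ij = (alpha, beta)
            for i in range(1, n + 1) for j in range(1, n + 1) if i != j}
    players = {}
    for i in range(1, n + 1):
        tags = {j: (keys[(i, j)][0] * shares[i] + keys[(i, j)][1]) % P
                for j in range(1, n + 1) if j != i}
        own_keys = {j: keys[(j, i)] for j in range(1, n + 1) if j != i}
        players[i] = {"share": shares[i], "tags": tags, "keys": own_keys}
    return players


def reconstruct(me, state, broadcasts, t):
    """Reconstruction phase as run by honest player `me`.
    broadcasts[i] = (S_i_hat, {j: y_ij_hat}) is what P_i broadcast."""
    accepted = {me: state["share"]}
    for i, (s_hat, tags_hat) in broadcasts.items():
        if i == me:
            continue
        a, b = state["keys"][i]
        if tags_hat.get(me) == (a * s_hat + b) % P:  # tag verifies under my key h_i,me
            accepted[i] = s_hat
    if len(accepted) < t + 1:
        return "failure"
    base = dict(list(accepted.items())[:t + 1])
    # every accepted share must lie on the polynomial through the first t+1 of them
    if any(lagrange_at(base, x) != y for x, y in accepted.items()):
        return "failure"
    return lagrange_at(base, 0)


def honest_broadcasts(players):
    return {i: (st["share"], st["tags"]) for i, st in players.items()}


def simulate(secret, t, n, corrupted):
    """Corrupted players broadcast a wrong share with guessed tags (they do not
    know the honest players' keys).  Returns the output of every honest player."""
    players = deal(secret, t, n)
    bc = honest_broadcasts(players)
    for i in corrupted:
        bc[i] = ((players[i]["share"] + 1) % P,
                 {j: secrets.randbelow(P) for j in players[i]["tags"]})
    return {i: reconstruct(i, players[i], bc, t)
            for i in players if i not in corrupted}


def forged_tag_yields_failure(secret=99, t=2, n=5):
    """Worst case: P_2 somehow holds P_1's key h_21 and forges a valid tag for a
    wrong share.  P_1 accepts that share, but the consistency check turns the
    would-be wrong secret into "failure", matching the s-or-failure correctness notion."""
    players = deal(secret, t, n)
    bc = honest_broadcasts(players)
    a, b = players[1]["keys"][2]
    wrong = (players[2]["share"] + 1) % P
    bc[2] = (wrong, {**players[2]["tags"], 1: (a * wrong + b) % P})
    return reconstruct(1, players[1], bc, t)
```

With n = 5 and t = 2 (so $t = \lfloor (n-1)/2 \rfloor$ and $n/3 \le t < n/2$), `simulate(12345, 2, 5, {4, 5})` lets every honest player recover 12345: the two wrong shares are rejected unless a guessed tag happens to hit, which has probability $1/|F| = 2^{-61}$ per tag. `forged_tag_yields_failure()` shows why a forged tag still cannot make an honest player output a wrong secret: two distinct degree-t polynomials agree on at most t points, while at least $n - t \ge t+1$ honest shares are accepted, so a wrong share always breaks the consistency check.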
Thanks
Presented by
游騰楷 呂育恩 葉恆青