Secret Sharing
Qi Chen
December 14, 2015
What is secret sharing?
- A dealer: knows the secret $S$ and distributes the shares of $S$ to each party
- A set of $n$ parties $P_n \triangleq \{p_1, \cdots, p_n\}$: each party owns a share
- Authorized subset of the parties: $B \subset P_n$ can reconstruct the secret from their shares
- Unauthorized subset of the parties: $T \subset P_n$ knows nothing about the secret from their shares
Applications
- Secure storage
- Secure multiparty computation
- Threshold cryptography
- Byzantine agreement
- Access control
- Private information retrieval
- Attribute-based encryption
- General oblivious transfer
- ...
Access structure
- The collection $\mathcal{A}$ of all authorized subsets is called the access structure of a secret sharing.
- Access structure is monotone, i.e., if $A \subset B$ and $A \in \mathcal{A}$, then $B \in \mathcal{A}$.

Example
Let $P_4 = \{p_1, \cdots, p_4\}$. Then
$$\mathcal{A} = \{\{p_1,p_2\}, \{p_2,p_3\}, \{p_3,p_4\}, \{p_1,p_2,p_3\}, \{p_1,p_2,p_4\}, \{p_1,p_3,p_4\}, \{p_2,p_3,p_4\}, \{p_1,p_2,p_3,p_4\}\}$$
is an access structure.
Access structure
Collection $\mathcal{A}^*$ of minimal sets in $\mathcal{A}$
- Let $\mathcal{A}^*$ be the collection of minimal sets in $\mathcal{A}$, i.e., $B \in \mathcal{A}^*$ if $B \in \mathcal{A}$ and for any $C \subset B$, $C \notin \mathcal{A}$
- Access structure $\mathcal{A}$ is uniquely determined by $\mathcal{A}^*$

Example
$$\mathcal{A}^* = \{\{p_1,p_2\}, \{p_2,p_3\}, \{p_3,p_4\}\}$$

Remark
- Note that $\mathcal{A}^*$ is a Sperner family on $P_n$, i.e., a collection of subsets of $P_n$ such that no member of the collection contains another.
- Sperner families are counted by the Dedekind numbers, which grow very fast with $n$. This implies the difficulty of the secret sharing problem.
Definition by probability
- A distribution scheme $\Sigma = \langle \Pi, \mu \rangle$ with domain of secrets $K$
- $\mu$ is a probability distribution on some finite set $R$
- $\Pi$ is a mapping from $K \times R$ to a set of $n$-tuples $K_1 \times \cdots \times K_n$, where $K_j$ is called the domain of shares of $p_j$
- The dealer distributes $k \in K$ according to $\Sigma$ by first sampling a random string $r \in R$ according to $\mu$, computing a vector $\Pi(k, r) = (s_1, \cdots, s_n)$ and privately communicating each share $s_j$ to party $p_j$.
Definition by probability
Scheme $\Sigma$ is a secret-sharing scheme realizing an access structure $\mathcal{A}$ if the following two requirements hold:

1. (Correctness) For any $B = \{p_{i_1}, \cdots, p_{i_{|B|}}\} \in \mathcal{A}$, there is a reconstruction function $\mathrm{REC} : K_{i_1} \times \cdots \times K_{i_{|B|}} \to K$ such that for any $k \in K$,
$$\Pr[\mathrm{REC}(\Pi(k, r)_B) = k] = 1.$$
2. (Perfect Privacy) For any $T \notin \mathcal{A}$, for any $a, b \in K$, and for every possible vector of shares $\langle s_j \rangle_{p_j \in T}$:
$$\Pr[\Pi(a, r)_T = \langle s_j \rangle_{p_j \in T}] = \Pr[\Pi(b, r)_T = \langle s_j \rangle_{p_j \in T}]$$
Definition by entropy
Let the secret be a random variable $S$ on $K$, and each share be a random variable $S_j$ on $K_j$. Then the scheme $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ is a secret-sharing scheme realizing access structure $\mathcal{A}$ if the following two conditions hold:

1. (Correctness) For any $B \in \mathcal{A}$,
$$H(S \mid S_B) = 0$$
2. (Perfect Privacy) For any $T \notin \mathcal{A}$,
$$H(S \mid S_T) = H(S)$$

Remark: For perfect privacy, the condition can be written as $I(S; S_T) = 0$. If we modify the condition to $I(S; S_T) = a_T$ for some $0 \le a_T \le H(S)$, then the modified version is called non-perfect secret sharing, while the traditional one is called perfect secret sharing.
Equivalence of two definitions
Theorem
The two definitions of secret sharing are equivalent.
- For any $\Sigma = (\Pi, \mu)$ realizing access structure $\mathcal{A}$, we can construct a random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$.
- For any random vector $\mathbf{S} = (S, S_j)_{p_j \in P_n}$ realizing $\mathcal{A}$, we can accordingly construct a $\Sigma = (\Pi, \mu)$ realizing $\mathcal{A}$.
Information ratio
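Information ratio by the definition of probability
$$\rho_\Sigma \triangleq \frac{\max_{1 \le j \le n} \log |K_j|}{\log |K|}$$
Information ratio by the definition of entropy
$$\rho_{\mathbf{S}} \triangleq \frac{\max_{1 \le j \le n} H(S_j)}{H(S)}$$
Corollary
$$\rho_\Sigma = \rho_{\mathbf{S}}$$
if $\Sigma$ corresponds to $\mathbf{S}$.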
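The fundamental problem of secret sharing: optimal information ratio
Let $N = \{s\} \cup P_n$ and $\Gamma^*_N$ the entropy function region on $N$. Let $\mathcal{A}$ be an access structure on $P_n$. Then the optimal information ratio on $\mathcal{A}$ is
$$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^*_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where
$$\Phi_{\mathcal{A}} = \{h : h(\{s\} \cup B) = h(B)\ \forall B \in \mathcal{A},\ h(\{s\} \cup T) = h(s) + h(T)\ \forall T \notin \mathcal{A}\}$$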
Shamir’s threshold scheme
For $1 \le t \le n$, let $\mathcal{A}_{t,n} = \{A \subset P_n : |A| \ge t\}$. Then $\mathcal{A}_{t,n}$ is an access structure with threshold $t$. It can be realised by Shamir's scheme as follows:
- Let $K = \mathbb{F}_q$, where $q > n$ is a prime power.
- Let $\alpha_1, \cdots, \alpha_n \in \mathbb{F}_q$ be $n$ distinct non-zero elements known to all parties.
- The dealer uniformly chooses $a_1, \cdots, a_{t-1} \in \mathbb{F}_q$ and generates a polynomial $P(x) = k + \sum_{i=1}^{t-1} a_i x^i$.
- The share of $p_j$ is $s_j = P(\alpha_j)$
Shamir’s threshold scheme
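Correctness
For any $B = \{p_{i_1}, \cdots, p_{i_t}\} \in \mathcal{A}^*_{t,n}$, let
$$Q(x) = \sum_{\ell=1}^{t} s_{i_\ell} \prod_{1 \le j \le t,\ j \ne \ell} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_\ell}}.$$
Note that $Q(\alpha_{i_\ell}) = s_{i_\ell} = P(\alpha_{i_\ell})$ for $1 \le \ell \le t$. Since both polynomials have degree at most $t-1$ and agree at $t$ distinct points, this implies that $Q(x) = P(x)$ and $Q(0) = P(0) = k$.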
Shamir’s threshold scheme
Perfect privacy
For any $T = \{p_{i_1}, \cdots, p_{i_{t-1}}\}$, the $t-1$ shares together with each secret $a \in \mathbb{F}_q$ uniquely determine a polynomial $P_a(x)$ of degree at most $t-1$ with $P_a(0) = a$ and $P_a(\alpha_{i_\ell}) = s_{i_\ell}$ for $1 \le \ell \le t-1$. Hence
$$\Pr[\Pi(a, r)_T = \langle s_{i_\ell} \rangle_{1 \le \ell \le t-1}] = \frac{1}{q^{t-1}}$$
Privacy follows because this probability is the same for every $a \in \mathbb{F}_q$.

Information ratio
- The information ratio is 1 since $K_j = K = \mathbb{F}_q$
- It is the optimal information ratio on the access structure $\mathcal{A}_{t,n}$
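The scheme and the two properties above, as an added example (not code from the slides): dealing, Lagrange reconstruction at $x = 0$, and an exhaustive check over a small constructed field $\mathbb{F}_{17}$ that the shares of $t-1$ parties have the same distribution for every secret. Function names and sample parameters are assumptions of this example.

```python
import itertools
import secrets
from collections import Counter

Q = 17  # small prime field F_17 (constructed choice) so exhaustive checks stay cheap


def deal(k, coeffs, alphas, q=Q):
    """Shares s_j = P(alpha_j) for P(x) = k + sum_{i>=1} a_i x^i over F_q."""
    poly = [k % q] + [a % q for a in coeffs]
    return [sum(c * pow(x, i, q) for i, c in enumerate(poly)) % q for x in alphas]


def share(k, t, alphas, q=Q):
    """Dealer: draw a_1..a_{t-1} uniformly from F_q and hand out P(alpha_j)."""
    reduced = [a % q for a in alphas]
    if len(set(reduced)) != len(reduced) or 0 in reduced:
        raise ValueError("evaluation points must be distinct and non-zero")
    coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    return deal(k, coeffs, alphas, q)


def reconstruct(points, q=Q):
    """Q(0) from t pairs (alpha, s): sum_l s_l * prod_{j != l} alpha_j / (alpha_j - alpha_l)."""
    secret = 0
    for l, (xl, sl) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != l:
                num = num * xj % q
                den = den * (xj - xl) % q
        secret = (secret + sl * num * pow(den, -1, q)) % q
    return secret


def view_distribution(a, t, alphas_T, q=Q):
    """Exact distribution of the shares seen by T when the secret is a,
    obtained by enumerating every random string r = (a_1, ..., a_{t-1})."""
    return Counter(
        tuple(deal(a, r, alphas_T, q))
        for r in itertools.product(range(q), repeat=t - 1)
    )


def privacy_holds(t, alphas_T, q=Q):
    """True iff the view distribution of T is identical for every secret a in F_q."""
    reference = view_distribution(0, t, alphas_T, q)
    return all(view_distribution(a, t, alphas_T, q) == reference for a in range(1, q))


if __name__ == "__main__":
    alphas = [1, 2, 3, 4, 5]                              # n = 5 public points
    shares = share(11, 3, alphas)                         # threshold t = 3
    print(reconstruct(list(zip(alphas, shares))[1:4]))    # any 3 shares recover the secret
    print(privacy_holds(3, [2, 5]))                       # 2 shares: same view for every secret
    print(privacy_holds(3, [2, 5, 3]))                    # 3 shares: views depend on the secret
```

With $t - 1 = 2$ parties every one of the $q^{t-1} = 289$ possible views occurs exactly once for each secret, which is the $1/q^{t-1}$ probability stated above.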
Shamir’s threshold scheme by entropy
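Let $\Gamma_N$ be the polymatroidal region on $N$. Let $p = \{\{s\}, P_n\}$ be a partition of $N$.

Lemma
$$\Psi^*_p = \Psi_p$$
where $\Psi^*_p = \Gamma^*_N \cap C_{\mathcal{A}_{t,n}}$, $\Psi_p = \Gamma_N \cap C_{\mathcal{A}_{t,n}}$ and
$$C_{\mathcal{A}_{t,n}} = \{h : h(A) = h(B),\ h(\{s\} \cup A) = h(\{s\} \cup B),\ \text{if } |A| = |B|\ \forall A, B \subset P_n\}$$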
Shamir’s threshold scheme by entropy
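For simplicity, let $\rho_{t,n} = \rho_{\mathcal{A}_{t,n}}$ and $\Phi_{t,n} = \Phi_{\mathcal{A}_{t,n}}$. Then
$$\rho_{t,n} = \inf_{h \in \Gamma^*_N \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where
$$\Phi_{t,n} = \{h : h(\{s\} \cup B) = h(B) \text{ if } |B| \ge t,\ h(\{s\} \cup B) = h(s) + h(B) \text{ if } |B| < t\}$$

Theorem
$$\rho_{t,n} = \inf_{h \in \Psi^*_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$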
Shamir’s threshold scheme by entropy
Theorem
$$\rho_{t,n} = \min_{h \in \Psi_p \cap \Phi_{t,n}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
The solution is
$$\rho_{t,n} = 1$$
and
$$\arg\min \rho_{t,n} = \{h : aU_{t,n+1},\ a > 0\}$$

Remark: This result can be generalized to non-perfect threshold schemes.
Linear secret-sharing scheme
Definition
A secret-sharing scheme is linear if
- Secret $s \in \mathbb{F}$
- Each random string $r \in R$ is a vector and each entry of $r$ is chosen independently with uniform distribution from $\mathbb{F}$
- Each share $s_j$ is a vector and each entry of $s_j$ is a fixed linear combination of the secret $s$ and the coordinates of the random string $r$.

Shamir's threshold scheme is linear.
Linear secret-sharing scheme
Monotone span program
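A monotone span program is a triple $\mathcal{M} = (\mathbb{F}, M, \rho)$, where
- $\mathbb{F}$ is a field,
- $M$ is an $a \times b$ matrix over $\mathbb{F}$
- and $\rho : \{1, \cdots, a\} \to \{p_1, \cdots, p_n\}$ labels each row of $M$ by a party.

Example
Consider the following monotone span program $(\mathbb{F}_{17}, M, \rho)$, where
$$M = \begin{bmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \\ 1 & 4 & 16 \end{bmatrix}$$
and $\rho(1) = \rho(2) = p_2$, $\rho(3) = p_1$ and $\rho(4) = p_4$.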
Linear secret-sharing scheme
Monotone span program
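- For any $A \subset P_n$, let $M_A$ denote the sub-matrix obtained by restricting $M$ to the rows labeled by parties in $A$.
- $\mathcal{M}$ accepts $B$ if the rows of $M_B$ span the vector $e_1 = (1, 0, \cdots, 0)$.
- $\mathcal{M}$ accepts access structure $\mathcal{A}$ if $\mathcal{M}$ accepts a set $B$ iff $B \in \mathcal{A}$.

Example
Consider $B = \{p_1, p_2\}$ and $T = \{p_1, p_3\}$. Then
$$M_B = \begin{bmatrix} 1 & 1 & 1 \\ 1 & 2 & 4 \\ 1 & 3 & 9 \end{bmatrix} \quad \text{and} \quad M_T = \begin{bmatrix} 1 & 3 & 9 \\ 1 & 4 & 16 \end{bmatrix}.$$
It can be checked that $M_B$ spans $e_1$ but $M_T$ does not. We can check further that $\mathcal{A}^* = \{\{p_1, p_2\}, \{p_2, p_3\}\}$.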
Linear secret-sharing scheme
Theorem
Let $\mathcal{M} = (\mathbb{F}, M, \rho)$ be a monotone span program accepting an access structure $\mathcal{A}$, where $\mathbb{F}$ is a finite field and for every $j$ there are $a_j$ rows of $M$ labeled by $p_j$. Then, there is a linear secret-sharing scheme realizing $\mathcal{A}$ such that the share of party $p_j$ is a vector in $\mathbb{F}^{a_j}$. The information ratio of the resulting scheme is $\max_{1 \le j \le n} a_j$.
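The acceptance test from the monotone span program example and the linear scheme of the theorem above, as an added example (not code from the slides). It assumes row 4 is labelled $p_3$, the labelling under which the example's $M_T$ and $\mathcal{A}^*$ come out as stated, and it uses the standard construction in which the share entry for row $i$ is $M_i \cdot (s, r_2, \cdots, r_b)$, which the slides do not spell out; all function names are hypothetical.

```python
import itertools
import secrets

P = 17
M = [[1, 1, 1], [1, 2, 4], [1, 3, 9], [1, 4, 16]]
# Row labels (0-based rows). Row 4 is given to p3 here: an assumption of this example.
RHO = {0: "p2", 1: "p2", 2: "p1", 3: "p3"}
E1 = [1, 0, 0]


def rows_of(parties):
    """Indices of the rows of M labelled by a party in the given set."""
    return [i for i in range(len(M)) if RHO[i] in parties]


def span_coeffs(rows, target, p=P):
    """Solve sum_i c_i * M[rows[i]] = target over F_p; return c, or None if no solution."""
    ncols, m = len(target), len(rows)
    # One equation per column of M, one unknown per selected row (augmented matrix).
    aug = [[M[r][col] % p for r in rows] + [target[col] % p] for col in range(ncols)]
    pivots, row = [], 0
    for col in range(m):
        if row == ncols:
            break
        piv = next((i for i in range(row, ncols) if aug[i][col]), None)
        if piv is None:
            continue
        aug[row], aug[piv] = aug[piv], aug[row]
        inv = pow(aug[row][col], -1, p)
        aug[row] = [v * inv % p for v in aug[row]]
        for i in range(ncols):
            if i != row and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[row])]
        pivots.append(col)
        row += 1
    if any(aug[i][m] for i in range(row, ncols)):
        return None  # inconsistent system: target is not in the row span
    c = [0] * m      # free unknowns are set to 0
    for i, col in enumerate(pivots):
        c[col] = aug[i][m]
    return c


def accepts(parties):
    """The program accepts a set iff the rows of its sub-matrix span e1."""
    return span_coeffs(rows_of(parties), E1) is not None


def minimal_accepted(all_parties):
    """Recompute A* by testing every non-empty subset of parties."""
    accepted = [set(c) for k in range(1, len(all_parties) + 1)
                for c in itertools.combinations(all_parties, k) if accepts(c)]
    return [a for a in accepted if not any(b < a for b in accepted)]


def deal(secret):
    """Share entry for row i is M[i] . (secret, r_2, ..., r_b) with uniform r."""
    v = [secret % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return {i: sum(a * b for a, b in zip(M[i], v)) % P for i in range(len(M))}


def reconstruct(parties, shares):
    """If c . M_B = e1 then c . (M_B v) = e1 . v = secret."""
    rows = rows_of(parties)
    c = span_coeffs(rows, E1)
    if c is None:
        raise ValueError("unauthorized set: rows do not span e1")
    return sum(ci * shares[r] for ci, r in zip(c, rows)) % P


if __name__ == "__main__":
    print(minimal_accepted(["p1", "p2", "p3"]))
    print(reconstruct({"p2", "p3"}, deal(9)))
```

Party $p_2$ holds two field elements (rows 1 and 2), so this scheme has information ratio $\max_j a_j = 2$.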
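Theorem
Let $\Gamma^L_N$ be the region bounded by Shannon-type information inequalities and linear rank inequalities over $N$. Then the optimal information ratio of linear schemes on $\mathcal{A}$ is
$$\rho_{\mathcal{A}} \triangleq \inf_{h \in \Gamma^L_N \cap \Phi_{\mathcal{A}}} \frac{\max_{1 \le j \le n} h(p_j)}{h(s)}$$
where $\Phi_{\mathcal{A}}$ is defined as above.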
Lower bounds on the information ratio
Theorem
Let $p_j$ be a non-redundant party in $\mathcal{A}$ and let $\Sigma$ be any secret-sharing scheme realizing $\mathcal{A}$, then
$$|K_j| \ge |K|$$
which implies that $\rho_{\mathcal{A}} \ge 1$ for any $\mathcal{A}$.

Ideal secret-sharing scheme
For a secret-sharing scheme, if its information ratio is 1, it is called an ideal secret-sharing scheme.
Csirmaz’s lower bound
Csirmaz's access structure
We define access structure $\mathcal{A}_n$ by its minimal sets $\mathcal{A}^*_n$.
- Let $k$ be the largest integer such that $2^k + k - 1 \le n$.
- Let $B = \{p_1, \cdots, p_{2^k-1}\}$ and define $B_0 = \emptyset$ and $B_i = \{p_1, \cdots, p_i\}$ for $1 \le i \le 2^k - 1$.
- Let $A = \{p_{2^k}, \cdots, p_{2^k+k-1}\}$, and let $A = A_0, A_1, \cdots, A_{2^k-1} = \emptyset$ be all the subsets of $A$, ordered such that if $i < i'$, then $A_i \not\subset A_{i'}$.
- Define $U_i = A_i \cup B_i$ for $0 \le i \le 2^k - 1$.

Then $\mathcal{A}^*_n = \{U_i : 0 \le i \le 2^k - 1\}$.

Theorem
The information ratio of any secret-sharing scheme realizing the access structure constructed above is $\Omega(n / \log n)$.
Csirmaz’s lower bound
Lemma
For every $0 \le i \le 2^k - 2$,
$$H(B_i \cup A) - H(B_i) \ge H(B_{i+1} \cup A) - H(B_{i+1}) + H(S)$$

Proof sketch of Theorem
$$\begin{aligned} \sum_{p_j \in A} H(p_j) &\ge H(A) \\ &\ge H(B_0 \cup A) - H(B_0) \\ &\ge H(B_{2^k-1} \cup A) - H(B_{2^k-1}) + (2^k - 1)H(S) \\ &= \Omega(n)H(S). \end{aligned}$$
This implies that $H(p_j) = \Omega(n / \log n)H(S)$ for at least one $p_j$.

Remark: Both the Lemma and the inequalities in the proof sketch are Shannon-type.
Lower bounds for linear secret sharing
Theorem
For any $n$, there exists an access structure $\mathcal{A}_n$ such that every monotone span program over any field accepting it has size $n^{\Omega(\log n)}$.
Limitations of known techniques for lower bounds
- No better lower bound has been found since Csirmaz's lower bound in 1994
- Shannon-type information inequalities cannot help to improve the bound
- All information inequalities with less than 6 random variables cannot help to improve the bound
Open problems
Question 1
Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it is $2^{\Omega(n)}$.

Question 2
Prove or disprove that there exists an access structure such that the information ratio of every secret-sharing scheme realizing it with domain $\{0, 1\}$ is super-polynomial in $n$.

Question 3
Prove that there exists an explicit access structure such that the information ratio of every linear secret-sharing scheme realizing it is $2^{\Omega(n)}$.
Discussion
What can we do?
Thank you!