cryptography for unconditionally secure message transmission in networks kaoru kurosawa

Cryptography for Unconditionally Secure

Message Transmission 　in Networks

Kaoru Kurosawa

Popular Encryption Schemes

Must sharea secret-key

Don’t sharea secret-key

Computational SKE PKE

Unconditional One-time pad

Does there exist ?

Must sharea secret-key

Don’t sharea secret-key

Computational SKE PKE

Unconditional One-time pad ???

Yes

• (1975) Wyner

Wire-tap channel model

• (1984) Bennett and Brassard

BB84

• (1993) Dolev, Dwork, Waarts and Yung

Network model

In the model of DDWY

• Alice and Bob are a part of a network

• There are n channels between them

• Adversary can corrupt (observe and forge)

at most t channels

Alice Bob

Indeed, in Internet

• There are many channels

between A and B

• No adversary can corrupt all the routers

Dolev, Dwork, Waarts and Yung

Showed that we can achieve

• (Perfect Privacy)

Adversary learns no information on

the secret message s

• (Perfect Reliability)

Bob can receive s correctly

(Adversary cannot forge s)

There are many variants

Network Adversary Security

Undirected Threshold Perfect

Directed General Almost perfect

and etc.

Many authors since DDWY

• Sayeed, Abu-Amara

• Franklin, Wright

• Kumar, Goudan, Srinatahn, Rangan,

Narayanan, Patra, Choudhary

• Desmedt, Wang, Burmester, Yang

• Agarwal, Cramer, de Haan

• Garay, Ostrovsky, Fitzi, Vardhan

• Kurosawa, Suzuki

This talk




We begin with 1st setting




In an Undirected Network

• Each channel is two-way

Alice Bob

1 Round Protocol

SenderReceiver

2 Round Protocol

SenderReceiver

SenderReceiver

1st

2nd

PSMT denotes

• Perfectly

• Secure

• Message

• Transmission 　• Scheme

DDWY showed

1-round PSMTexists

iff n ≧ 3t+1

2-round PSMT exists

iff n ≧ 2t+1

where the adversary can corrupt t out of n channels.

Let’s look at

1-round PSMT iff n ≧ 3t+1

2-round PSMT for n = 2t+1

where an adversary can corrupt t out of n channels.

2-round PSMT for n=2t+1

Larger than O(n) Lower bound O(n)

Exp-time

DDWY (1993)

Poly-time

Transmission rate


Larger than O(n) Lower bound O(n)

Exp-time

DDWY (1993)

Poly-time

Sayeed, Abu-Amara (1996)

Transmission rate


Larger than O(n) Lower bound O(n) Srinathan, Narayan Rangan (2004)

Exp-time

DDWY (1993)

Poly-time


Transmission rate



Exp-time

DDWY (1993) Agarwal, Cramer, de Haan (2006)

Poly-time


Transmission rate



Exp-time


Poly-time


Kurosawa, Suzuki (2008)

Transmission rate

Alice Bobs

f(1)

f(t)

f(n)

・・・

・・・

Suppose thatAlice chooses a random f(x) such thatf(0)=s and deg f(x)≦t

Adversary

Alice Bobs

f(1)

f(t)

f(n)

・・・

・・・

corrupts t channels.

Perfect Privacy

• Is satisfied because

• this is a (t+1, n)-secret sharing scheme

• Hence

the adverasry learns no information on s.

Adversary

Alice Bobs

f(1)

f(t)

f(n)

・・・

・・・

forges t channels. How about Perfect Reliability

f(1)’ = f(1)+ e1

f(t)’ = f(t)+ et

Perfect Reliability

• Bob can compute s if

X=(f(1),…, f(n))

• is a codeword of a t-error correcting code.

X=(f(1),…, f(n))

• has at most t zeros because deg f(x) ≦ t.

X=(f(1),…, f(n))


• Hence

X has the minimum Hamming weight

n-t.

X=(f(1),…, f(n))


• Hence

X has the minimum Hamming weight

n-t.

• Therefore

the minimum Hamming distance of this linear code is

d=n-t.

If n=3t+1,

• the minimum Hamming distance is

d = n – t

= (3t+1) – t

= 2t+1.

If n=3t+1,


d=n – t = (3t+1) – t = 2t+1.

• Hence the receiver can correct t errors caused by the adversary.

If n=3t+1,

• the minimum Hamming distance of C is

d=n – t = (3t+1) – t = 2t+1.

• Hence the receiver can correct t errors caused by the adversary

• by using Berlekamp-Weltch algorithm

If n=3t+1,


d=n – t = (3t+1) – t = 2t+1.


• Thus perfect reliability is also satisfied.

If n=3t+1,


d=n – t = (3t+1) – t = 2t+1.


• Thus perfect reliability is satisfied.

• Therefore

we can obtain a 1-round PSMT easily

for n≧3t+1

If n=2t+1, however,


d = n - t

= (2t+1) – t

= t+1

If n=2t+1, however,


d=n-t=(2t+1)-t= t+1

• Hence the receiver can only detect t errors,

but cannot correct them.

If n=2t+1, however,


d=n-t=(2t+1)-t=t+1

• Hence the receiver can only detect t errors,

but cannot correct them.

• This is the main reason

why PSMT for n=2t+1 is difficult.

DDWY showed

• Exp-time 2-round PSMT• Poly-time 3-round PSMT such that the transmission rate is O(n5),• where the transmission rate is defined as

the total number of bits transmitted the size of the secrets

Sayeed and Abu-Amara

• 2-round PSMT such that

the transmission rate is O(n3)

Srinathan, Narayan and Rangan

• the transmission rate ≧ n

for any 2-round PSMT with n=2t+1.

(CRYPTO 2004)

Agarwal, Cramer and de Haan

・ Exp-time 2-round PSMT such that the trans. rate is O(n) . (CRYPTO 2006)

Kurosawa and Suzuki

・ Poly-time 2-round PSMT such that the trans. rate is O(n) .

at Eurocrypt 2008 Final version: IEEE Trans. on IT, 2009

Our Idea

• What is a difference

between error correction and PSMT ?

What is a difference

• If the sender sends a single codeword,

then adversary causes t errors randomly.

What is a difference

• If the sender sends a single codeword,

then adversary causes t errors randomly.

• Hence there is no difference.

However

• If the sender sends many codewords

X1, …, Xm,

then the errors are not totally random

• because

the errors always occur

at the same t (or less) places !

Our Observation

• Suppose that the receiver received

Y1=X1+ E1, …, Ym=Xm+ Em,

• where E1, …, Em are error vectors

Our Observation

• Let

E = [E1, …, Em].• Then dim E t≦ because the errors always occur at the same t (or less) places !

But

• The receiver does not know

the error vectors E1, …, Em

Our Contribution

• We introduced a notion of

pseudo-dimension

pseudo-basis,

Let

Y= {Y1, …, Ym}

Let

E = [E1, …, Em].

If Y has Pseudo dim k then E has dim k

If Y has a Pseudo basis

{Yj1, …, Yjk}

then E has a basis

{Ej1, …, Ejk}

Intuition

Our Contribution

• We then showed a poly-time algorithm

which finds

pseudo-basis and pseudo-dimension

from Y={Y1, …, Ym}.

More Observation

For example,

• E1=(1,0, …, 0),

• E2=(1,1,0, …, 0),

• …

• Et=(1,…,1,0, …, 0),

is a basis of E.

More Observation

• E1=(1,0, …, 0), NonZero(E1)={1}

• E2=(1,1,0, …, 0), NonZero(E2)={1,2}

• …

• Et=(1,…,1,0, …, 0), NonZero(Et)={1, …, t}

More Observation

• E1=(1,0, …, 0), NonZero(E1)={1}• E2=(1,1,0, …, 0), NonZero(E2)={1,2}• …• Et=(1,…,1,0, …, 0), NonZero(Et)={1, …, t}

• Define

FORGED = U NonZero(Ei) basis

More Observation

• E1=(1,0, …, 0), NonZero(E1)={1}• E2=(1,1,0, …, 0), NonZero(E2)={2}• …• Et=(1, …, 1, 0, …, 0), NonZero(Et)= {t}

• Define

FORGED ≡ U basis NonZero(Ei) 　 Then FORGED = {all forged channels}

Our basic 2-round PSMT

• Let

t = 1 and

n = 2t+1 = 3

• That is,

Adversary can corrupt 1 out of 3 channels

It consists of 3 phases

• Encryption phase

• Error detection phase

• Decryption phase

We run them in parallel

Encryption phase (1st R)

• R sends random f1(x), f2(x) and f3(x)

with deg fi(x)≦1 as follows

f1(x)

f2(x)

f3(x)

S R

Encryption phase (1st R)

• S receives f1’(x), f2’(x) and f3’(x)

f1’(x)

f2’(x)

f3’(x)

S

Encryption phase (2nd R)

• S broadcasts

c = s + f1’(1) +f2’(2) + f3’(3)

c

c

c

S R

Encryption phase (2nd R)• R can receive c correctly

by taking majority vote

because at most 1 channel is corrupted

c

c

c’

R

Error detection phase (1st R)• R sends X1, X2, X3 such that

R

f2(1)

f2(2)

f2(3)

X2

||

f1(1)

f1(2)

f1(3)

X1

||

f3(1)

f3(2)

f3(3)

X3

||

S receives

S

f2(1)’

f2(2)’

f2(3)’

Y2

||

f1(1)’

f1(2)’

f1(3)’

Y1

||

f3(1)’

f3(2)’

f3(3)’

Y3

||

From {Y1, Y2, Y3}

S

f2(1)’

f2(2)’

f2(3)’

Y2

f1(1)’

f1(2)’

f1(3)’

Y1

f3(1)’

f3(2)’

f3(3)’

Y3

S computes the psudo-dimension kand a pseudo-basis Λby using the proposed algorithm

For example

S

f2(1)’

f2(2)’

f2(3)’

Y2

f1(1)’

f1(2)’

f1(3)’

Y1

f3(1)’

f3(2)’

f3(3)’

Y3

S computes the psudo-dimension k=1and a pseudo-basis Λ={Y1}

S broadcasts

S

f2(1)’

f2(2)’

f2(3)’

Y2

f1(1)’

f1(2)’

f1(3)’

Y1

f3(1)’

f3(2)’

f3(3)’

Y3

S k=1, Λ={Y1}

R sent X1 and received Y1=X1+E1

R

f2(1)

f2(2)

f2(3)

X2

f1(1)

f1(2)

f1(3)

X1

f3(1)

f3(2)

f3(3)

X3

Rk=1, Λ={Y1}

Hence R can compute E1=Y1- X1

R

f2(1)

f2(2)

f2(3)

X2

f1(1)

f1(2)

f1(3)

X1

f3(1)

f3(2)

f3(3)

X3

k=1, Λ={Y1} R

Suppose that E1=Y1- X1 =[0,0,e3]T

R

f2(1)

f2(2)

f2(3)

X2

f1(1)

f1(2)

f1(3)

X1

f3(1)

f3(2)

f3(3)

X3

k=1, Λ={Y1} R

Suppose that E1=[0,0,e3]T

Then R sees that channel 3 is corrupted

R

f2(1)

f2(2)

f2(3)

f1(1)

f1(2)

f1(3)

f3(1)

f3(2)

f3(3)

X1X2 X3

Adversary

f1(x)

f2(x)

f3(x) S R

What happened ?

X1 X2 X3

• Adversary corrupted channel 3

f1(x)

f2(x)

f3(x) S R

What happened ?

Adversary

X1 X2 X3


• S broadcast c and Y1=pseudo-basis

f1(x)

f2(x)

f3(x) S R

S c, Y1

What happened ?

Adversary

X1 X2 X3


• S broadcast c and Y1=pseudo-basis

• Then R found that channel 3 was corrupted

f1(x)

f2(x)

f3(x) S R

S c, Y1

What happened ?

Adversary

X1 X2 X3

• Adversary observed f3(x) and Y1 f≃ 1(x)

f1(x)

f2(x)

f3(x) S R

S c, Y1

In particular

Adversary

X1 X2 X3

• Adversary observed f3(x) and Y1 f≃ 1(x)

• But f2(2) is kept hidden

f1(x)

f2(x)

f3(x) S R

S c, Y1

In particular

Adversary

X1 X2 X3

f2(2)

• R can find the corrupted channel

keeping f2(2) secret

f1(x)

f2(x)

f3(x) S R

S c, Y1

In other words

Adversary

X1 X2 X3

f2(2)

• If R sends f1(x), , f⋯ 6(x),

• then R can find the corrupted channel

• keeping f2(2), f4(1), f5(2) secret

f1(x), f4(x)

f2(x), f5(x)

f3(x), f6(x) S R

S Y1 Adversary

• If R sends f1(x), , f⋯ 6(x),

• then R can find the corrupted channel

• keeping f2(2), f4(1), f5(2) secret

• Only Y1 is broadcast as a pseudo-basis

f1(x), f4(x)

f2(x), f5(x)

f3(x), f6(x) S R

S Y1 Adversary

Going back to our basic schemelet’s look at f3(x)

R

f3(1)

f3(2)

f3(3)f3(x)

R knows that

S

y1=f3(1)

y2=f3(2)

f3’(x), y3

S received

y1=f3(1)

S y2=f3(2)

f3’(x), y3

SΔ1= f3’(1) - y1

Δ2= f3’(2) - y2

Δ3= f3’(3) - y3

S broadcasts

Decryption phase

y1=f3(1)

S y2=f3(2)

y3

SΔ1= f3’(1) -y1

Δ2= f3’(2) -y2

Δ3= f3’(3)-y3

From these 2 equations, R can compute f3’(1) =Δ1+f3(1)

R

y1=f3(1)

S y2=f3(2)

y3

SΔ1= f3’(1) -y1

Δ2= f3’(2) -y2

Δ3= f3’(3)-y3

From these 2 equations, R can compute f3’(2) =Δ2+f3(2)

R

y1=f3(1)

S y2=f3(2)

y3

SΔ1= f3’(1) -y1

Δ2= f3’(2) -y2

Δ3= f3’(3)-y3

Then R can obtain f3’(x)by applying Lagrange formulato f3’(1) and f3’(2)

R

Perfect Reliability

• R can obtain f1’(x) and f2’(x) similarly

Perfect Reliability


• Remember that R received

c = s + f1’(1) + f2’(2) + f3’(3)

Perfect Reliability



c = s + f1’(1) + f2’(2) + f3’(3)

• Now R can compute s

Perfect Reliability



c = s + f1’(1) + f2’(2) + f3’(3)

• Now R can compute s

• Therefore perfect reliability is satisfied

Perfect Privacy

S broadcasts

c = s + f1’(1) + f2’(2) + f3’(3)

Perfect Privacy

S broadcasts

c = s + f1’(1) + f2’(2) + f3’(3)

• Y1 is broadcast by S as a pseudo-basis

Perfect Privacy

S broadcasts

c = s + f1’(1) + f2’(2) + f3’(3)


• Adversary observed f3’(x)

Perfect Privacy

S broadcasts

c = s + f1’(1) + f2’(2) + f3’(3)



• But she has no info. on f2’(2)= f2(2)

Perfect Privacy

S broadcasts

c = s + f1’(1) + f2’(2) + f3’(3)



• But she has no info. on f2’(2) = f2(2)

• Hence

perfect privacy is also satisfied

Final scheme

• R sends many fi(x) in parallel

• S uses “generalized broadcast”

• Then

we can obtain

the transmission rate = O(n)

Now what is pseudo-basis

• Let C be a linear code such that

the codewords are

(f(1), , f(n)), ⋯ where deg f(x) ≦t

• That is,

C={ (f(1), , f(n)) | deg f(x) ⋯ ≦t }

We write Y1 = Y2 mod C

• if

Y1 - Y2 C∈

We write Y1 = Y2 mod C

• if

Y1 - Y2 C∈

• In particular, if

Y=X+E,

• then

Y=E mod C

Linearly pseudo-expressed

• We say that

Y0 is linearly pseudo-expressed

by {Y1, , Y⋯ k} if

Y0 = a1Y1 + + a⋯ kYk mod C

for some (a1, , a⋯ k)

Pseudo Span

• Let Λ Y = {Y⊆ 1, , Y⋯ m},

• We say that Λ pseudo spans Y

if each Yi is linearly pseudo-expressed

by Λ

Pseudo-Basis

• We say that Λ is a pseudo-basis of Y

if it is a minimum set

which pseudo-spans Y

Pseudo-Dimension

• Suppose that Λ is a pseudo-basis of Y

• We say that

k=|Λ| is the pseudo-dimension of Y

Admissible Error Vector Set

We say that

{E1, ,E⋯ m} is an admissible error vector set of Y={Y1, ,Y⋯ m}

if

• Ei=Yi mod C for all i

• |U NonZero(Ei)|≦t

i

Theorem

• Let {E1, ,E⋯ m} be an admissible error vector set of Y= {Y1, ,Y⋯ m}

Y= {Y1, …, Ym} E = [E1, …, Em].

Y has Pseudo dim k iff E has dim k

Y has a Pseudo basis

{Yj1, …, Yjk}

iff E has a basis

{Ej1, …, Ejk}

Corollary

• Let {E1, ,E⋯ m} be the real error vector set caused by the adversary

Y= {Y1, …, Ym} E = [E1, …, Em].

If Y has Pseudo dim k then E has dim k

If Y has a Pseudo basis

{Yj1, …, Yjk}

then E has a basis

{Ej1, …, Ejk}

Next how to check

linearly pseudo-expressed

Y3 –(a1Y1+a2Y2) = 0 mod C

• This equation means

LHS = some codeword (f(1), , f(n))⋯

　　

First construct f(a1,a2)(x)

by applying Lagrange formula

to the first t+1 elements of Y3 – (a1Y1+a2Y2)like this

　　 f(a1,a2) (1) = y3,1 ー　 (a1y1,1 + a2y2,1) ⋮ ⋮ f(a1,a2) (t+1) = y3.t+1 ー　 (a1y1,t+1 + a2y2,t+1)

Next check if

f(a1,a2) (x) is consistent with

the remaining elements of Y3 – (a1Y1+a2Y2)

for some (a1,a2)

f(a1,a2)(t+2) = y3,t+2 ー　 (a1y1,t+2 + a2y2,t+2) ⋮ f(a1,a2) (n) = y3,n ー　 (a1y1,n + a2y2,n)

This can be done easily

By checking if the following linear equations has

a solution (a1,a2)

f(a1,a2) (t+2) = y3,t+2 ー　 (a1y1,t+2 + a2y2,t+2) ⋮ f(a1,a2) (n) = y3,n ー　 (a1y1,n + a2y2,n)

If yes, then

• Y3 is linearly pseudo-expressed by {Y1,Y2}

Algorithm for finding pseudo-basis

Input: Y={Y1, …, Ym}

• Let Λ=empty

• For i=1 to m, do:

While |Λ|<t, do:

Add Yi to Λ if Yi is not

linearly pseudo-expressed by Λ.

• Finally output Λ as a pesudo-basis of Y.



Exp-time


Poly-time


Kurosawa, Suzuki (2008)

Transmission rate

For the details

・ Please look at the paper

Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme

Kurosawa and Suzuki

Preliminary: Eurocrypt 2008Final: IEEE Trans. on IT, 2009

Patra, Choudhary and Rangan

Used pseudo-basis to construct

• Communication optimal 3 and 6 round PSMT in directed networks

(ICDCN 2010)

• 3-round communication optimal PSMT tolerating mobile mixed adversary

(PODC 2010)

Yang and Desmedt

used pseudo-basis to construct

• 2-round PSMT for Q2 adversary structure

(Asiacrypt 2010)

Open Problem (1)

• Can we apply pseudo-basis

to another problems ?

Open Problem (2)

• The transmission rate is the total number of bits transmitted the size of the secrets

Open Problem (2)

• In our PSMT the total number of bits transmitted = O(n3) the size of the secrets = O(n2) to achieve the transmission rate = O(n)

Open Problem (2)

• In our PSMT the total number of bits transmitted = O(n3) the size of the secrets = O(n2) to achieve the transmission rate = O(n)

• What is a lower bound on

the communication complexity

to achieve our goal ?

Next 2nd setting




Desmedt et at.

• Threshold adversaries are not realistic

• when dealing with computer viruses,

• such as

• the I LOVE YOU virus

• and the Internet virus/worm

• that only spread to

• Windows, respectively Unix.

{1,2,3} use Windows

S R3

2

1

4

5

Sender Receiver

{3,4} use UNIX

S R3

2

1

4

5

Sender Receiver

{1,5} use TRON

S R3

2

1

4

5

Sender Receiver

Adversary Structure

• Adversary can corrupt

B1={1,2,3} or B2={3,4} or B3={1,5}.

• Let

Γ={B1, B2, B3}

• Such Γ is called an adversary structure.

Hirt and Maurer

• Introduced adversary structure

in the context of multiparty protocols

• They generalized

n≧2t+1 to Q2 adversary structure

n≧3t+1 to Q3 adversary structure

Γ satisfies Q2

• If

Bi ⋃ Bj ≠ {1, ⋯, n}

• for any Bi, Bj ∊ Γ

Γ satisfies Q3

• If

Bi ⋃ Bj ⋃ Bk ≠ {1, ⋯, n}

• for any Bi, Bj, Bk ∊ Γ

PSMT for General Adversary

• 2002 Kumar, Goudan, Srinatahn, Rangan

Many round PSMT for Q2

• 2005 Desmedt, Wang, Burmester

Exp-time 1-round PSMT for Q3

• 2009 Kurosawa

Poly-time 1-round PSMT for Q3

• 2010 Yang, Desmedt


I will explain

• 2002 Kumar, Goudan, Srinatahn, Rangan

Many round PSMT for Q2


Exp-time 1-round PSMT for Q3

• 2009 Kurosawa


• 2010 Yang, Desmedt

2-round PSMT for Q2

Monotone

• We say that Γ is monotone

if B Γ and B’ B, then B’ Γ∈ ⊂ ∈• For example.

if an adversary can corrupt B={1,2,3},

then she can corrupt B’={1,2} clearly.

• In what follows,

we assume that Γ is monotone

Proposition

For any monotone adversary structure Γ,

there exists a linear secret sharing scheme

such that

• if B ∈ Γ, then B has no information on s

• If A ∉ Γ, then A can reconstruct s

Proposition

For any monotone adversary structure Γ,

there exists a (linear) secret sharing scheme

such that



We call such a scheme

a secret sharing scheme for Γ

What is a difference between

• Shamir’s threshold secret sharing scheme

and

• general secret sharing schemes ?

Secret Sharing Scheme

• Sharing phase:

For a secret s,

Dealer computes a share vector

V=(v1, , v⋯ n),

and gives vi to player Pi

Secret Sharing Scheme

• Reconstruction phase:

Suppose that some subset of players

B Γ open forged shares∈ Let

Y=V+E

where V is a share vector and

E is an error vector

In Shamir’s threshold SS,

• If n≧3t+1, then

Berlekamp-Weltch algorithm

can correct t erros in

Y=V+E

in poly-time

For Q3 adversary structure,

• no secret sharing scheme was known

such that

s can be reconstructed in poly-time from

Y (=V+E)• This is the reason why

the construction of 1-round PSMT for Q3

is difficult

I constructed

• A secret sharing scheme for Q3

such that

s can be reconstructed from

Y (=V+E)

in poly-time

Proposed construction

For a Q3-adversary structure Γ,

let LSSS be a linear secret sharing scheme

such that



Step 1

LSSS

v1

⋮

vn

s

r0

Step 2

LSSS

u11

⋮

u1n

v1

r1

LSSS

v1

⋮

vn

s

r0

Dealer distributes

P1 (v1, r1)u11

P2 u12

⋮ ⋮

Pn u1n

Similarly

LSSS

u21

⋮

u2n

v2

r2

LSSS

v1

v2

⋮

vn

s

r0

Dealer distributes

P1 (v1, r1)u11

u21

P2 u12 (v2, r2)u22

⋮ ⋮ ⋮

Pn u1n u2n

And so on.

P1 (v1, r1)u11

u21 ⋯ un1

P2 u12 (v2, r2)u22

⋯ un2

⋮ ⋮ ⋮ ⋯ ⋮

Pn u1n u2n ⋯ (vn, rn)unn

In the Reconstruction phase

• Suppose that some subset of players B Γ open forged shares∈

• We will show a poly-time algorithm

which can reconstruct s

Suppose that

P1 (v1, r1)u11

u21 ⋯ un1

P2 u12 (v2, r2)u22

⋯ un2

⋮ ⋮ ⋮ ⋯ ⋮

Pn u1n u2n ⋯ (vn, rn)unn

Each player opened blue shares

Decoding algorithm: Step 1

LSSS

u11

⋮

u1n

v1

r1

Run the LSSS on input (v1, r1)to generate red shares

Then compare the red shares with the blue shares

LSSS

u11

⋮

u1n

v1

r1u11

⋮

u1n

Accept v1 if { j | u1j ≠ u1j } Γ∈

≠

=

Similarly

LSSS

ui1

⋮

uin

vi

ri

Run the LSSS on input (vi, ri)to generate red shares

Compare the red shares with the blue shares

LSSS

ui1

⋮

uin

vi

riui1

⋮

uin

Accept vi if { j | uij ≠ uij } Γ∈

Decoding algorithm: Step 2

• Finally apply the reconstruction alorithm

of the LSSS to {acepted vi},

• and reconstruct s

That is,

Reconstruction algorithm of LSSS

{ accepted vi }

s

Theorem

• Proposed scheme is a secret sharing scheme for a Q3 adversary structure Γ

Theorem

• Proposed scheme is a secret sharing scheme for a Q3 adverary structure Γ

• Even if some B Γ open forged shares,∈ the decoding algorithm can reconstruct s

in poly-time in the size of the LSSS

(which is the total size of the shares)

Application to PSMT

• We can construct a 1-round PSMT

for any Q3-adverary structure

which runs in poly-time

in the size of the underlying LSSS

Proposed PSMT

Channel 1

(v1, r1)u11

u21 ⋯ un1

Channel 2

u12 (v2, r2)u22

⋯ un2

⋮ ⋮ ⋮ ⋯ ⋮

Channel n

u1n u2n ⋯ (vn, rn)unn

For Q3 adversary structure


Exp-time 1-round PSMT

• 2009 Kurosawa

Poly-time 1-round PSMT

For the details

• Please look at the paper

• ePrint 2009/263

General Error Decodable Secret Sharing

Scheme and Its Application

Kaoru Kurosawa

Summary

• Poly-time 2-round PSMT for n=2t+1

with the trans. rate O(n)

• Poly-time 1-round PSMT

for Q3 adversary structure

Open Problems

It seems that

there are many open problems in this area

because there are

• many variants of this model,

• some parameters to be optimized.

THANK YOU !!

Brief Announcement

on our new result

• ePrint 2010/609

• The Round Complexity of General VSS

Ashish Choudhary

Kaoru Kurosawa

Arpita Patra

Verifiable Secret Sharing (VSS)

• Is a fundamental building block in many distributed cryptographic protocols.

• In this model,

Adversary can corrupt

not only some subset of players

but also the dealer

Even though,

• A unique secret must be reconstructed

• in the reconstruction phase

• no matter how malicious players behave.

STOC 2001

Gennaro, Ishai, Kushilevitz and Rabin

showed that

• 2 round VSS is possible iff n≧4t+1

• 3 round VSS is possible iff n≧3t+1

TCC 2006

Fitzi, Garay, Gollakota, Rangan and Srinathan

• Constructed a poly-time 3-round VSS

for n≧3t+1

We consider general adversary

Our result Previous

2-round VSS iff Γ is Q4 n≧4t+1

3-round VSS iff Γ is Q3 n≧3t+1

As a special case of our VSS

• We can obtain a more efficient

3-round VSS than the VSS of Fitzi et al.

for n = 3t+1

• The communication complexity of the reconstruction phase

is reduced from O(n3) to O(n2)

Further

• We point out a flaw in the reconstruction phase of VSS of Fitzi et al.,

• and show how to fix it.

For the details

Please look at the paper

• ePrint 2010/609

• The Round Complexity of General VSS

Ashish Choudhary

Kaoru Kurosawa

Arpita Patra

THANK YOU, AGAIN !!

cryptography for unconditionally secure message transmission in networks kaoru kurosawa

Documents