Cryptography for Unconditionally Secure
Message Transmission in Networks
Kaoru Kurosawa
Popular Encryption Schemes

                 Must share a secret-key   Don't share a secret-key
Computational    SKE                       PKE
Unconditional    One-time pad              ???

Does there exist an unconditionally secure scheme that does not need a shared secret-key?
Yes
• (1975) Wyner
Wire-tap channel model
• (1984) Bennett and Brassard
BB84
• (1993) Dolev, Dwork, Waarts and Yung
Network model
In the model of DDWY
• Alice and Bob are a part of a network
• There are n channels between them
• Adversary can corrupt (observe and forge) at most t channels
Indeed, in the Internet
• There are many channels between A and B
• No adversary can corrupt all the routers
Dolev, Dwork, Waarts and Yung
Showed that we can achieve
• (Perfect Privacy)
Adversary learns no information on
the secret message s
• (Perfect Reliability)
Bob can receive s correctly
(Adversary cannot forge s)
There are many variants

Network      Adversary    Security
Undirected   Threshold    Perfect
Directed     General      Almost perfect
etc.
Many authors since DDWY
• Sayeed, Abu-Amara
• Franklin, Wright
• Kumar, Goudan, Srinathan, Rangan,
Narayanan, Patra, Choudhary
• Desmedt, Wang, Burmester, Yang
• Agarwal, Cramer, de Haan
• Garay, Ostrovsky, Fitzi, Vardhan
• Kurosawa, Suzuki
This talk

Network      Adversary    Security
Undirected   Threshold    Perfect
Directed     General      Almost perfect

We begin with the 1st setting: undirected network, threshold adversary, perfect security.
In an Undirected Network
• Each channel is two-way
1 Round Protocol: a single round of messages from the Sender to the Receiver
2 Round Protocol: a 1st round and a 2nd round of messages between the Sender and the Receiver
PSMT denotes
• Perfectly Secure Message Transmission (Scheme)
DDWY showed
• 1-round PSMT exists iff n ≧ 3t+1
• 2-round PSMT exists iff n ≧ 2t+1
where the adversary can corrupt t out of n channels.
Let's look at
• 1-round PSMT for n ≧ 3t+1
• 2-round PSMT for n = 2t+1
where an adversary can corrupt t out of n channels.
2-round PSMT for n=2t+1: transmission rate vs. running time

              Transmission rate larger than O(n)   Transmission rate O(n) (the lower bound: Srinathan, Narayanan, Rangan (2004))
Exp-time      DDWY (1993)                          Agarwal, Cramer, de Haan (2006)
Poly-time     Sayeed, Abu-Amara (1996)             Kurosawa, Suzuki (2008)
Suppose that Alice chooses a random f(x) such that f(0)=s and deg f(x) ≦ t,
and sends f(i) to Bob over channel i for i = 1, ⋯, n.
The adversary corrupts t channels.
Perfect Privacy
• is satisfied because this is a (t+1, n)-secret sharing scheme.
• Hence the adversary learns no information on s.
Suppose that the adversary forges t channels, so that Bob receives
f(1)' = f(1) + e1, ⋯, f(t)' = f(t) + et
on the forged channels. How about Perfect Reliability?
Perfect Reliability
• Bob can compute s if X=(f(1), …, f(n)) is a codeword of a t-error correcting code.
• X=(f(1), …, f(n)) has at most t zeros because deg f(x) ≦ t.
• Hence a nonzero X has Hamming weight at least n-t, and the minimum Hamming weight of the code is n-t.
• Therefore the minimum Hamming distance of this linear code C is d = n-t.
If n=3t+1,
• the minimum Hamming distance of C is d = n – t = (3t+1) – t = 2t+1.
• Hence the receiver can correct t errors caused by the adversary by using the Berlekamp-Welch algorithm.
• Thus perfect reliability is also satisfied.
• Therefore we can obtain a 1-round PSMT easily for n ≧ 3t+1.
If n=2t+1, however,
• the minimum Hamming distance of C is d = n-t = (2t+1)-t = t+1.
• Hence the receiver can only detect t errors, but cannot correct them.
• This is the main reason why PSMT for n=2t+1 is difficult.
DDWY showed
• Exp-time 2-round PSMT
• Poly-time 3-round PSMT such that the transmission rate is O(n^5),
  where the transmission rate is defined as
  (the total number of bits transmitted) / (the size of the secrets)
Sayeed and Abu-Amara
• 2-round PSMT such that the transmission rate is O(n^3)
Srinathan, Narayanan and Rangan
• the transmission rate ≧ n for any 2-round PSMT with n=2t+1. (CRYPTO 2004)
Agarwal, Cramer and de Haan
• Exp-time 2-round PSMT such that the trans. rate is O(n). (CRYPTO 2006)
Kurosawa and Suzuki
• Poly-time 2-round PSMT such that the trans. rate is O(n).
  Eurocrypt 2008. Final version: IEEE Trans. on IT, 2009
Our Idea
• What is the difference between error correction and PSMT?
• If the sender sends a single codeword, then the adversary causes t errors randomly.
• Hence there is no difference.
However
• If the sender sends many codewords X1, …, Xm, then the errors are not totally random
• because the errors always occur at the same t (or less) places!
Our Observation
• Suppose that the receiver received Y1=X1+E1, …, Ym=Xm+Em,
  where E1, …, Em are error vectors.
• Let E = [E1, …, Em]. Then dim E ≦ t because the errors always occur at the same t (or less) places!
But
• The receiver does not know the error vectors E1, …, Em.
Our Contribution
• We introduced the notions of pseudo-dimension and pseudo-basis.
Intuition
• Let Y = {Y1, …, Ym} and E = [E1, …, Em].
• If Y has pseudo-dimension k, then E has dimension k.
• If Y has a pseudo-basis {Yj1, …, Yjk}, then E has a basis {Ej1, …, Ejk}.
• We then showed a poly-time algorithm which finds a pseudo-basis and the pseudo-dimension from Y={Y1, …, Ym}.
More Observation
For example,
• E1=(1,0, …, 0),          NonZero(E1)={1}
• E2=(1,1,0, …, 0),        NonZero(E2)={1,2}
• …
• Et=(1, …, 1,0, …, 0),    NonZero(Et)={1, …, t}
is a basis of E.
• Define FORGED ≡ ∪ NonZero(Ei), the union taken over the basis.
• Then FORGED = {all forged channels}.
Our basic 2-round PSMT
• Let t = 1 and n = 2t+1 = 3
• That is, the adversary can corrupt 1 out of 3 channels
It consists of 3 phases
• Encryption phase
• Error detection phase
• Decryption phase
We run them in parallel
Encryption phase (1st R)
• R sends random f1(x), f2(x) and f3(x) with deg fi(x) ≦ 1, one polynomial over each channel.
• S receives f1'(x), f2'(x) and f3'(x).
Encryption phase (2nd R)
• S broadcasts c = s + f1'(1) + f2'(2) + f3'(3) over all 3 channels.
• R can receive c correctly by taking majority vote because at most 1 channel is corrupted
  (R receives c, c and a possibly forged c').
Error detection phase (1st R)
• R sends X1, X2, X3 such that Xi = (fi(1), fi(2), fi(3)), where the j-th element fi(j) is sent over channel j.
• S receives Y1, Y2, Y3, where Yi = (fi(1)', fi(2)', fi(3)').
• From {Y1, Y2, Y3}, S computes the pseudo-dimension k and a pseudo-basis Λ by using the proposed algorithm.
• For example, S computes the pseudo-dimension k=1 and a pseudo-basis Λ={Y1}.
Error detection phase (2nd R)
• S broadcasts k=1, Λ={Y1}.
• R sent X1 and received Y1 = X1 + E1 in the broadcast. Hence R can compute E1 = Y1 - X1.
• Suppose that E1 = Y1 - X1 = [0,0,e3]^T. Then R sees that channel 3 is corrupted.
What happened?
• Adversary corrupted channel 3.
• S broadcast c and Y1 = pseudo-basis.
• Then R found that channel 3 was corrupted.
In particular
• Adversary observed f3(x) and Y1 ≃ f1(x).
• But f2(2) is kept hidden.
• That is, R can find the corrupted channel while keeping f2(2) secret.
In other words
• If R sends f1(x), ⋯, f6(x) (f1(x), f4(x) over channel 1; f2(x), f5(x) over channel 2; f3(x), f6(x) over channel 3),
• then R can find the corrupted channel while keeping f2(2), f4(1), f5(2) secret.
• Only Y1 is broadcast as a pseudo-basis.
Decryption phase
Going back to our basic scheme, let's look at f3(x).
• R sent f3(x) over channel 3, and f3(1), f3(2), f3(3) over channels 1, 2, 3 (the vector X3).
• S received f3'(x) and y1, y2, y3. R knows that y1 = f3(1) and y2 = f3(2), since channels 1 and 2 are not corrupted.
• S broadcasts Δ1 = f3'(1) - y1, Δ2 = f3'(2) - y2, Δ3 = f3'(3) - y3.
• From the first 2 equations, R can compute f3'(1) = Δ1 + f3(1) and f3'(2) = Δ2 + f3(2).
• Then R can obtain f3'(x) by applying the Lagrange formula to f3'(1) and f3'(2).
Perfect Reliability
• R can obtain f1'(x) and f2'(x) similarly.
• Remember that R received c = s + f1'(1) + f2'(2) + f3'(3).
• Now R can compute s.
• Therefore perfect reliability is satisfied.
Perfect Privacy
• S broadcasts c = s + f1'(1) + f2'(2) + f3'(3).
• Y1 is broadcast by S as a pseudo-basis.
• Adversary observed f3'(x).
• But she has no info. on f2'(2) = f2(2).
• Hence perfect privacy is also satisfied.
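An added simulation (not the paper's code) of the basic 2-round scheme for t = 1, n = 3 just described, over a constructed prime field with channel 3 as the corrupted one: R's first-round polynomials and vectors, the adversary rewriting everything that passes over channel 3, S's broadcast of c, the pseudo-basis and the Δ values, majority decoding at R, and R's recovery of s. For t = 1 the pseudo-basis is simply the first received vector outside C, which the code checks directly instead of running the general algorithm.

```python
import random

P = 101            # constructed prime field
N, T = 3, 1        # n = 2t+1 channels, the adversary corrupts t = 1 of them
CORRUPT = 3        # the corrupted channel in this run (the protocol itself does not know it)

def ev(f, x):
    """Evaluate f = [f0, f1] (degree <= 1) at x."""
    return (f[0] + f[1] * x) % P

def line_through(x1, y1, x2, y2):
    """Lagrange formula for degree <= 1: the unique [f0, f1] with f(x1) = y1 and f(x2) = y2."""
    slope = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    return [(y1 - slope * x1) % P, slope]

def in_code(Y):
    """C = {(f(1), f(2), f(3)) : deg f <= 1}: Y is in C iff its 3rd coordinate lies on the line through the first two."""
    return Y[2] == ev(line_through(1, Y[0], 2, Y[1]), 3)

def pseudo_basis(Ys):
    """For t = 1 the pseudo-dimension is at most 1, so Lambda is the first Y_i not in C (or empty)."""
    return [i for i, Y in enumerate(Ys) if not in_code(Y)][:1]

def majority(copies):
    return max(set(copies), key=copies.count)

def round1_R():
    """R picks f1, f2, f3 of degree <= 1; channel i carries f_i, and X_i = (f_i(1), f_i(2), f_i(3)) with f_i(j) on channel j."""
    fs = [[random.randrange(P), random.randrange(P)] for _ in range(N)]
    Xs = [[ev(f, j) for j in range(1, N + 1)] for f in fs]
    return fs, Xs

def adversary_round1(fs, Xs):
    """What S receives after the adversary rewrites everything that travelled on channel CORRUPT."""
    fs_r = [f[:] for f in fs]
    Ys = [X[:] for X in Xs]
    fs_r[CORRUPT - 1] = [random.randrange(P), random.randrange(P)]       # forged f3'
    for Y in Ys:
        Y[CORRUPT - 1] = (Y[CORRUPT - 1] + random.randrange(1, P)) % P    # forged coordinate of every X_i
    return fs_r, Ys

def round2_S(s, fs_r, Ys):
    """S: c = s + f1'(1) + f2'(2) + f3'(3); the pseudo-basis Lambda; and Delta_ij = f_i'(j) - y_ij for all i, j."""
    c = (s + sum(ev(fs_r[i], i + 1) for i in range(N))) % P
    lam = tuple((i, tuple(Ys[i])) for i in pseudo_basis(Ys))
    delta = tuple(tuple((ev(fs_r[i], j) - Ys[i][j - 1]) % P for j in range(1, N + 1)) for i in range(N))
    return (c, lam, delta)

def broadcast(msg):
    """One copy per channel; the adversary replaces the copy on its channel, R takes the majority."""
    copies = [msg] * N
    copies[CORRUPT - 1] = ("forged",)
    return copies

def round2_R(fs, Xs, copies):
    c, lam, delta = majority(copies)
    forged = set()
    for i, Y in lam:            # R knows X_i, so E_i = Y_i - X_i exposes the forged channel(s)
        forged |= {j for j in range(1, N + 1) if Y[j - 1] != Xs[i][j - 1]}
    j1, j2 = [j for j in range(1, N + 1) if j not in forged][:2]     # two channels R trusts
    total = 0
    for i in range(N):          # f_i'(j) = Delta_ij + f_i(j) on trusted j, then the line through the two points
        f_r = line_through(j1, (delta[i][j1 - 1] + ev(fs[i], j1)) % P,
                           j2, (delta[i][j2 - 1] + ev(fs[i], j2)) % P)
        total += ev(f_r, i + 1)
    return (c - total) % P

def run(s, seed=11):
    """Whole protocol: R -> S (round 1, through the adversary), S -> R (round 2, by broadcast), R outputs s."""
    random.seed(seed)
    fs, Xs = round1_R()
    fs_r, Ys = adversary_round1(fs, Xs)
    return round2_R(fs, Xs, broadcast(round2_S(s, fs_r, Ys)))
```

Everything the adversary sees here is f3(x), the third coordinate of each X_i, and the broadcast (c, Λ, Δ); the coordinate f2(2) that masks s never leaves channel 2 and is not in Λ, which is the privacy argument of the slides.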
Final scheme
• R sends many fi(x) in parallel
• S uses “generalized broadcast”
• Then
we can obtain
the transmission rate = O(n)
Now what is a pseudo-basis?
• Let C be a linear code such that the codewords are (f(1), ⋯, f(n)), where deg f(x) ≦ t.
• That is, C = { (f(1), ⋯, f(n)) | deg f(x) ≦ t }.
We write Y1 = Y2 mod C
• if Y1 - Y2 ∈ C.
• In particular, if Y = X + E, then Y = E mod C.
Linearly pseudo-expressed
• We say that Y0 is linearly pseudo-expressed by {Y1, ⋯, Yk} if
  Y0 = a1Y1 + ⋯ + akYk mod C for some (a1, ⋯, ak).
Pseudo Span
• Let Λ ⊆ Y = {Y1, ⋯, Ym}.
• We say that Λ pseudo-spans Y if each Yi is linearly pseudo-expressed by Λ.
Pseudo-Basis
• We say that Λ is a pseudo-basis of Y if it is a minimum set which pseudo-spans Y.
Pseudo-Dimension
• Suppose that Λ is a pseudo-basis of Y.
• We say that k=|Λ| is the pseudo-dimension of Y.
Admissible Error Vector Set
We say that {E1, ⋯, Em} is an admissible error vector set of Y = {Y1, ⋯, Ym} if
• Ei = Yi mod C for all i
• |∪_i NonZero(Ei)| ≦ t
Theorem
• Let {E1, ⋯, Em} be an admissible error vector set of Y = {Y1, ⋯, Ym}, and let E = [E1, …, Em].
• Y has pseudo-dimension k iff E has dimension k.
• Y has a pseudo-basis {Yj1, …, Yjk} iff E has a basis {Ej1, …, Ejk}.
Corollary
• Let {E1, ⋯, Em} be the real error vector set caused by the adversary, and let E = [E1, …, Em].
• If Y has pseudo-dimension k, then E has dimension k.
• If Y has a pseudo-basis {Yj1, …, Yjk}, then E has a basis {Ej1, …, Ejk}.
Next, how to check "linearly pseudo-expressed"
Y3 – (a1Y1 + a2Y2) = 0 mod C
• This equation means LHS = some codeword (f(1), ⋯, f(n)).
First construct f_(a1,a2)(x) by applying the Lagrange formula to the first t+1 elements of Y3 – (a1Y1 + a2Y2), like this:
  f_(a1,a2)(1)   = y3,1   – (a1 y1,1   + a2 y2,1)
  ⋮
  f_(a1,a2)(t+1) = y3,t+1 – (a1 y1,t+1 + a2 y2,t+1)
Next check if f_(a1,a2)(x) is consistent with the remaining elements of Y3 – (a1Y1 + a2Y2) for some (a1,a2):
  f_(a1,a2)(t+2) = y3,t+2 – (a1 y1,t+2 + a2 y2,t+2)
  ⋮
  f_(a1,a2)(n)   = y3,n   – (a1 y1,n   + a2 y2,n)
This can be done easily by checking if the above linear equations have a solution (a1,a2).
(They are linear in (a1,a2) because the Lagrange formula is linear in the interpolated values.)
If yes, then
• Y3 is linearly pseudo-expressed by {Y1, Y2}.
Algorithm for finding a pseudo-basis
Input: Y = {Y1, …, Ym}
• Let Λ = empty.
• For i = 1 to m, while |Λ| < t, do:
    Add Yi to Λ if Yi is not linearly pseudo-expressed by Λ.
• Finally output Λ as a pseudo-basis of Y.
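An added example (not the paper's code) of the pseudo-basis machinery of this section and of the earlier observation that FORGED = ∪ NonZero(Ei) over a basis. The "linearly pseudo-expressed" test is implemented as a linear syndrome: the mismatch between the last n-t-1 coordinates of a vector and the Lagrange fit of its first t+1 coordinates, which is zero exactly on C, so Y0 = a1Y1 + ⋯ + akYk mod C iff the syndromes are linearly dependent in the same way. The greedy algorithm above is run on the syndromes, and the receiver then recovers the forged channels from the basis members. The field P = 97, the parameters t=2, n=5, m=6 and the error pattern on channels 2 and 5 are constructed.

```python
import random

P = 97  # constructed prime field

def inv(a):
    return pow(a, P - 2, P)

def codeword(s, t, n):
    """A random element of C = {(f(1), ..., f(n)) : deg f <= t}, with f(0) = s."""
    f = [s % P] + [random.randrange(P) for _ in range(t)]
    return [sum(c * pow(i, k, P) for k, c in enumerate(f)) % P for i in range(1, n + 1)]

def lagrange_eval(points, x):
    """Value at x of the polynomial of degree < len(points) through the given (x_l, y_l) pairs."""
    total = 0
    for l, (xl, yl) in enumerate(points):
        num = den = 1
        for k, (xk, _) in enumerate(points):
            if k != l:
                num = num * (x - xk) % P
                den = den * (xl - xk) % P
        total = (total + yl * num * inv(den)) % P
    return total

def syndrome(Y, t):
    """The slides' consistency check as a linear map: fit the first t+1 coordinates of Y with the Lagrange
    formula and return the mismatches at coordinates t+2..n. Zero iff Y is in C, and linear in Y."""
    pts = list(zip(range(1, t + 2), Y[:t + 1]))
    return [(Y[i - 1] - lagrange_eval(pts, i)) % P for i in range(t + 2, len(Y) + 1)]

def reduce_by(v, basis):
    """Reduce v against (pivot, vector) pairs kept in echelon form; a zero result means v is in their span."""
    v = v[:]
    for piv, b in basis:
        if v[piv]:
            c = v[piv]
            v = [(x - c * y) % P for x, y in zip(v, b)]
    return v

def find_pseudo_basis(Y, t):
    """The greedy algorithm: add Y_i to Lambda when it is not linearly pseudo-expressed by Lambda.
    Returns the indices of Lambda; its length is the pseudo-dimension."""
    basis, indices = [], []
    for i, Yi in enumerate(Y):
        if len(indices) >= t:
            break
        v = reduce_by(syndrome(Yi, t), basis)
        piv = next((j for j, x in enumerate(v) if x), None)
        if piv is not None:               # syndrome independent of Lambda's: Y_i joins the pseudo-basis
            c = inv(v[piv])
            basis.append((piv, [x * c % P for x in v]))
            indices.append(i)
    return indices

def forged_channels(Y, X, indices):
    """Receiver side: R knows the X_i it sent, so E_i = Y_i - X_i for i in the pseudo-basis;
    FORGED = union of NonZero(E_i) over the basis (channels numbered from 1)."""
    forged = set()
    for i in indices:
        forged |= {j + 1 for j, (y, x) in enumerate(zip(Y[i], X[i])) if y != x}
    return forged

def demo(t=2, n=5, m=6, seed=3):
    """Adversary sits on channels 2 and 5 and adds a (constructed) error to every X_i on both channels."""
    random.seed(seed)
    X = [codeword(random.randrange(P), t, n) for _ in range(m)]
    Y = []
    for i, Xi in enumerate(X, start=1):
        Yi = Xi[:]
        Yi[1] = (Yi[1] + 7 * i) % P        # error on channel 2
        Yi[4] = (Yi[4] + i * i + 1) % P    # error on channel 5
        Y.append(Yi)
    idx = find_pseudo_basis(Y, t)
    return len(idx), forged_channels(Y, X, idx)
```

In the demo the error vectors E1 = (0,7,0,0,2) and E2 = (0,14,0,0,5) are linearly independent and every later Ei lies in their span, so the algorithm stops after two vectors: the pseudo-dimension is 2 and NonZero(E1) ∪ NonZero(E2) = {2, 5} is exactly the set of forged channels.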
Recap: 2-round PSMT for n=2t+1

              Transmission rate larger than O(n)   Transmission rate O(n) (the lower bound: Srinathan, Narayanan, Rangan (2004))
Exp-time      DDWY (1993)                          Agarwal, Cramer, de Haan (2006)
Poly-time     Sayeed, Abu-Amara (1996)             Kurosawa, Suzuki (2008)
For the details
• Please look at the paper
Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme
Kurosawa and Suzuki
Preliminary: Eurocrypt 2008. Final: IEEE Trans. on IT, 2009
Patra, Choudhary and Rangan
Used pseudo-basis to construct
• Communication optimal 3 and 6 round PSMT in directed networks
(ICDCN 2010)
• 3-round communication optimal PSMT tolerating mobile mixed adversary
(PODC 2010)
Yang and Desmedt
used pseudo-basis to construct
• 2-round PSMT for Q2 adversary structure
(Asiacrypt 2010)
Open Problem (1)
• Can we apply pseudo-basis to other problems?
Open Problem (2)
• The transmission rate is (the total number of bits transmitted) / (the size of the secrets).
• In our PSMT, the total number of bits transmitted = O(n^3) and the size of the secrets = O(n^2),
  to achieve the transmission rate = O(n).
• What is a lower bound on the communication complexity to achieve our goal?
Next, the 2nd setting: general adversary

Network      Adversary    Security
Undirected   Threshold    Perfect
Directed     General      Almost perfect
Desmedt et al.
• Threshold adversaries are not realistic when dealing with computer viruses,
• such as the I LOVE YOU virus and the Internet virus/worm,
• that only spread to Windows, respectively Unix.
Example: 5 channels between the Sender and the Receiver, where
• channels {1,2,3} use Windows,
• channels {3,4} use UNIX,
• channels {1,5} use TRON.
Adversary Structure
• Adversary can corrupt
B1={1,2,3} or B2={3,4} or B3={1,5}.
• Let
Γ={B1, B2, B3}
• Such Γ is called an adversary structure.
Hirt and Maurer
• Introduced adversary structure
in the context of multiparty protocols
• They generalized
n≧2t+1 to Q2 adversary structure
n≧3t+1 to Q3 adversary structure
Γ satisfies Q2
• if Bi ∪ Bj ≠ {1, ⋯, n} for any Bi, Bj ∈ Γ
Γ satisfies Q3
• if Bi ∪ Bj ∪ Bk ≠ {1, ⋯, n} for any Bi, Bj, Bk ∈ Γ
PSMT for General Adversary
• 2002 Kumar, Goudan, Srinathan, Rangan: Many round PSMT for Q2
• 2005 Desmedt, Wang, Burmester: Exp-time 1-round PSMT for Q3
• 2009 Kurosawa: Poly-time 1-round PSMT for Q3
• 2010 Yang, Desmedt: Poly-time 2-round PSMT for Q2
I will explain the 2009 result (Kurosawa: poly-time 1-round PSMT for Q3).
Monotone
• We say that Γ is monotone if B ∈ Γ and B' ⊂ B imply B' ∈ Γ.
• For example, if an adversary can corrupt B={1,2,3}, then she can corrupt B'={1,2} clearly.
• In what follows, we assume that Γ is monotone.
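An added example (not from the talk) that computes the monotone closure of an adversary structure and tests the Q2 and Q3 conditions on its maximal sets. It also checks the correspondence of Hirt and Maurer quoted above, namely that the threshold structure of all sets of at most t channels is Q2 iff n ≧ 2t+1 and Q3 iff n ≧ 3t+1. The Γ used is the Windows/UNIX/TRON example from the slides; the comparison ranges are constructed.

```python
from itertools import combinations, combinations_with_replacement

def monotone_closure(gamma):
    """If B is in Gamma and B' is a subset of B, then B' is in Gamma: take every subset of every listed set."""
    closed = set()
    for B in gamma:
        B = sorted(B)
        for k in range(len(B) + 1):
            closed.update(frozenset(c) for c in combinations(B, k))
    return closed

def maximal_sets(gamma):
    gamma = set(map(frozenset, gamma))
    return [B for B in gamma if not any(B < C for C in gamma)]

def satisfies_qk(gamma, players, k):
    """Q^k: no k (not necessarily distinct) sets of Gamma cover all the players.
    Checking the maximal sets suffices because Gamma is monotone."""
    players = frozenset(players)
    return all(frozenset().union(*combo) != players
               for combo in combinations_with_replacement(maximal_sets(gamma), k))

def threshold_structure(n, t):
    """The threshold adversary as an adversary structure: every set of at most t channels."""
    return monotone_closure(combinations(range(1, n + 1), t))

# The talk's example: channels {1,2,3} (Windows), {3,4} (UNIX), {1,5} (TRON) out of 5.
GAMMA_TALK = monotone_closure([{1, 2, 3}, {3, 4}, {1, 5}])

def talk_example():
    """(Q2?, Q3?) for the talk's Gamma over players 1..5."""
    return satisfies_qk(GAMMA_TALK, range(1, 6), 2), satisfies_qk(GAMMA_TALK, range(1, 6), 3)
```

For the slides' Γ the result is Q2 but not Q3: no two of {1,2,3}, {3,4}, {1,5} cover all five channels, but the three of them together do, so this Γ admits the 2-round PSMT for Q2 but not a 1-round PSMT for Q3.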
Proposition
For any monotone adversary structure Γ, there exists a linear secret sharing scheme such that
• if B ∈ Γ, then B has no information on s
• if A ∉ Γ, then A can reconstruct s
We call such a scheme a secret sharing scheme for Γ.
What is the difference between
• Shamir's threshold secret sharing scheme and
• general secret sharing schemes?
Secret Sharing Scheme
• Sharing phase: For a secret s, the Dealer computes a share vector V=(v1, ⋯, vn) and gives vi to player Pi.
• Reconstruction phase: Suppose that some subset of players B ∈ Γ open forged shares. Let Y = V + E,
  where V is a share vector and E is an error vector.
In Shamir's threshold SS,
• if n ≧ 3t+1, then the Berlekamp-Welch algorithm can correct t errors in Y = V + E in poly-time.
For a Q3 adversary structure,
• no secret sharing scheme was known such that s can be reconstructed in poly-time from Y (= V + E).
• This is the reason why the construction of 1-round PSMT for Q3 is difficult.
I constructed
• a secret sharing scheme for Q3 such that s can be reconstructed from Y (= V + E) in poly-time.
Proposed construction
For a Q3-adversary structure Γ, let LSSS be a linear secret sharing scheme such that
• if B ∈ Γ, then B has no information on s
• if A ∉ Γ, then A can reconstruct s
Step 1
• Run the LSSS on input (s, r0), where r0 is the randomness, to obtain the shares v1, ⋮, vn.
Step 2
• Run the LSSS on input (v1, r1) to obtain the shares u11, ⋮, u1n.
• The Dealer distributes (v1, r1) and u11 to P1, u12 to P2, ⋮, u1n to Pn.
Similarly
• Run the LSSS on input (v2, r2) to obtain u21, ⋮, u2n, and distribute (v2, r2) and u21 to P1, u22 to P2, ⋮, u2n to Pn.
And so on. In total, the Dealer distributes
  P1: (v1, r1), u11, u21, ⋯, un1
  P2: (v2, r2), u12, u22, ⋯, un2
  ⋮
  Pn: (vn, rn), u1n, u2n, ⋯, unn
In the Reconstruction phase
• Suppose that some subset of players B ∈ Γ open forged shares.
• We will show a poly-time algorithm which can reconstruct s.
Suppose that each player opened the shares listed above (call them the blue shares):
  P1: (v1, r1), u11, u21, ⋯, un1
  P2: (v2, r2), u12, u22, ⋯, un2
  ⋮
  Pn: (vn, rn), u1n, u2n, ⋯, unn
Decoding algorithm: Step 1
• Run the LSSS on input (v1, r1), as opened by P1, to generate the red shares u11, ⋮, u1n.
• Then compare the red shares with the blue shares u11, ⋮, u1n opened by P1, ⋮, Pn.
• Accept v1 if { j | u1j (red) ≠ u1j (blue) } ∈ Γ.
Similarly
• Run the LSSS on input (vi, ri), as opened by Pi, to generate the red shares ui1, ⋮, uin.
• Compare the red shares with the blue shares.
• Accept vi if { j | uij (red) ≠ uij (blue) } ∈ Γ.
Decoding algorithm: Step 2
• Finally apply the reconstruction algorithm of the LSSS to {accepted vi}, and reconstruct s.
That is: Reconstruction algorithm of LSSS on {accepted vi} → s.
Theorem
• The proposed scheme is a secret sharing scheme for a Q3 adversary structure Γ.
• Even if some B ∈ Γ open forged shares, the decoding algorithm can reconstruct s
  in poly-time in the size of the LSSS (which is the total size of the shares).
Application to PSMT
• We can construct a 1-round PSMT for any Q3-adversary structure which runs in poly-time in the size of the underlying LSSS.
Proposed PSMT
• Channel j carries what player Pj would receive from the Dealer:
  Channel 1: (v1, r1), u11, u21, ⋯, un1
  Channel 2: u12, (v2, r2), u22, ⋯, un2
  ⋮
  Channel n: u1n, u2n, ⋯, (vn, rn), unn
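An added example (not the paper's code) of the proposed construction and its decoding algorithm, in the PSMT reading where channel j carries what player Pj would hold. The underlying LSSS is an assumption made for the example: each secret component is split as a sum of one random value per maximal set of Γ, and the value for a set is given to every player outside that set, so a set A reconstructs iff A ∉ Γ (any linear secret sharing scheme for Γ would do). The adversary structure over 5 players (maximal sets {1,2}, {3}, {4}, {5}), the prime P and the secret are constructed; the structure satisfies Q3.

```python
import random

P = 1_000_003          # constructed prime field for the linear scheme
PLAYERS = frozenset(range(1, 6))
# Constructed Q3 adversary structure over 5 players, given by its maximal sets:
# the adversary can corrupt {1,2} together, or any single one of 3, 4, 5.
GAMMA_MAX = [frozenset({1, 2}), frozenset({3}), frozenset({4}), frozenset({5})]

def in_gamma(B):
    """Monotone Gamma: B is in Gamma iff it lies inside some maximal set."""
    return any(B <= M for M in GAMMA_MAX)

def is_q3():
    return all((a | b | c) != PLAYERS for a in GAMMA_MAX for b in GAMMA_MAX for c in GAMMA_MAX)

# Assumed LSSS: component s_c = sum over maximal M of r_M; r_M is held by every player outside M.
def rand_r(ncomp):
    return [[random.randrange(P) for _ in range(len(GAMMA_MAX) - 1)] for _ in range(ncomp)]

def lsss_share(secret, r):
    """secret: tuple of field elements; r[c]: the random r_M values for component c (the last r_M is fixed by s_c).
    Returns {player j: share tuple}."""
    share = {j: [] for j in PLAYERS}
    for c, s_c in enumerate(secret):
        rs = list(r[c]) + [(s_c - sum(r[c])) % P]
        for j in PLAYERS:
            share[j] += [rs[k] for k, M in enumerate(GAMMA_MAX) if j not in M]
    return {j: tuple(sh) for j, sh in share.items()}

def lsss_reconstruct(shares, ncomp):
    """shares: {player j: share tuple} for a set A not in Gamma; every r_M is then held by someone in A."""
    assert not in_gamma(frozenset(shares))
    out = []
    for c in range(ncomp):
        rs = [None] * len(GAMMA_MAX)
        for j, sh in shares.items():
            idx = [k for k, M in enumerate(GAMMA_MAX) if j not in M]
            for pos, k in enumerate(idx):
                rs[k] = sh[c * len(idx) + pos]
        out.append(sum(rs) % P)
    return tuple(out)

def deal(s):
    """Step 1: v_1..v_n = LSSS(s, r0). Step 2: u_i1..u_in = LSSS(v_i, r_i) for each i.
    Player j (channel j) ends up holding (v_j, r_j) and u_1j, ..., u_nj."""
    v = lsss_share((s,), rand_r(1))
    r = {i: rand_r(len(v[i])) for i in PLAYERS}
    u = {i: lsss_share(v[i], r[i]) for i in PLAYERS}
    return {j: ((v[j], r[j]), {i: u[i][j] for i in PLAYERS}) for j in PLAYERS}

def decode(opened):
    """Decoding algorithm. opened: {player j: ((v_j, r_j), {i: u_ij})} as opened, possibly forged by some B in Gamma."""
    accepted = {}
    for i in PLAYERS:
        v_i, r_i = opened[i][0]
        red = lsss_share(v_i, r_i)                       # re-share (v_i, r_i) as opened by P_i
        blue = {j: opened[j][1][i] for j in PLAYERS}     # u_ij as opened by each P_j
        if in_gamma(frozenset(j for j in PLAYERS if red[j] != blue[j])):
            accepted[i] = v_i                            # Step 1: accept v_i if the disagreeing set is in Gamma
    return lsss_reconstruct(accepted, 1)[0]              # Step 2: reconstruct s from the accepted v_i

def forge(seq):
    return tuple(random.randrange(P) for _ in seq)

def demo(s=424242, corrupt=frozenset({1, 2}), seed=7):
    """Players in `corrupt` (a set in Gamma) open random values for everything they hold."""
    random.seed(seed)
    assert is_q3() and in_gamma(corrupt)
    opened = deal(s)
    for j in corrupt:
        (v_j, r_j), u_j = opened[j]
        opened[j] = ((forge(v_j), [forge(x) for x in r_j]), {i: forge(u) for i, u in u_j.items()})
    return decode(opened)
```

Why the accepted v_i are always correct: if P_i opens a forged (v_i, r_i) and the disagreeing set D is in Γ, then the players outside B ∪ D (B the corrupted set) hold shares that fit both the forged and the original (v_i, r_i); by Q3 the complement of B ∪ D is not in Γ, so it is a qualified set and both inputs must share the same v_i. Honest players are always accepted since their disagreeing set is contained in B.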
For Q3 adversary structure
• 2005 Desmedt, Wang, Burmester
Exp-time 1-round PSMT
• 2009 Kurosawa
Poly-time 1-round PSMT
For the details
• Please look at the paper
• ePrint 2009/263
General Error Decodable Secret Sharing
Scheme and Its Application
Kaoru Kurosawa
Summary
• Poly-time 2-round PSMT for n=2t+1
with the trans. rate O(n)
• Poly-time 1-round PSMT
for Q3 adversary structure
Open Problems
It seems that
there are many open problems in this area
because there are
• many variants of this model,
• some parameters to be optimized.
THANK YOU !!
Brief Announcement
on our new result
• ePrint 2010/609
• The Round Complexity of General VSS
Ashish Choudhary
Kaoru Kurosawa
Arpita Patra
Verifiable Secret Sharing (VSS)
• Is a fundamental building block in many distributed cryptographic protocols.
• In this model, the adversary can corrupt not only some subset of players but also the dealer.
• Even so, a unique secret must be reconstructed in the reconstruction phase, no matter how the malicious players behave.
STOC 2001
Gennaro, Ishai, Kushilevitz and Rabin
showed that
• 2 round VSS is possible iff n≧4t+1
• 3 round VSS is possible iff n≧3t+1
TCC 2006
Fitzi, Garay, Gollakota, Rangan and Srinathan
• Constructed a poly-time 3-round VSS
for n≧3t+1
We consider general adversary

               Our result      Previous
2-round VSS    iff Γ is Q4     n ≧ 4t+1
3-round VSS    iff Γ is Q3     n ≧ 3t+1
As a special case of our VSS
• We can obtain a more efficient
3-round VSS than the VSS of Fitzi et al.
for n = 3t+1
• The communication complexity of the reconstruction phase is reduced from O(n^3) to O(n^2)
Further
• We point out a flaw in the reconstruction phase of VSS of Fitzi et al.,
• and show how to fix it.
For the details
Please look at the paper
• ePrint 2010/609
• The Round Complexity of General VSS
Ashish Choudhary
Kaoru Kurosawa
Arpita Patra
THANK YOU, AGAIN !!