Share conversion, pseudorandom secret-sharing and ... - of the NVTI
Share conversion, pseudorandom secret-sha
applications to secure distributed comp
Ronald Cramer (CWI & Leiden University), Ivan
(Aarhus University), Yuval Ishai (Technion
Friday, February 11, 2005
(t, n) Replicated secret sharing
Consider all $\binom{n}{t}$ subsets $B \subseteq \{1, \ldots, n\}$ with $|B| =$
these subsets cells.
Additively secret-share the secret s, where each
of the shares.
In other words the i-th share is replicated among
in the i-th cell $B_i$.
Thus: $s = \sum_B s_B$, and player $P_j$ holds $\{s_B\}_{B : j \in B}$.
Privacy:
Consider $A \subseteq \{1, \ldots, n\}$ with $|A| = t$.
There is a cell B that has empty intersection wit
$B = \{1, \ldots, n\} \setminus A$
So, A lacks the share $s_B$.
Reconstruction:
All players jointly can determine the secret s.
With n > 2t: the intersection of any two cells is
So each B jointly have all shares, and can r
[Example: if n = 2t + 1, then t-private, > t reco
n > 3t ⇒ perfect recovery from malicious erro
struction:
- In each cell, there is a majority of good guys (n
- So find correct $s_B$ by local "majority voting"
shares received from members of B
Drawback: efficiency proportional to $\binom{n}{t}$.
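The replicated scheme above, worked through as an added example (this is not code from the slides): the cells are the complements of the t-subsets, the secret is split additively with one summand per cell, a t-coalition is shown to miss exactly the cell that is its complement, and reconstruction is done by majority voting over the copies of each $s_B$, which tolerates t liars once n > 3t. The prime P and the use of Python's secrets module are choices made for this example.

```python
import itertools
import secrets

P = 2**61 - 1  # prime field for the additive shares (chosen for this example)


def cells(n, t):
    """All C(n, t) cells: complements of the t-subsets of {1..n}, each of size n - t."""
    players = frozenset(range(1, n + 1))
    return [players - frozenset(a) for a in itertools.combinations(sorted(players), t)]


def share(secret, n, t):
    """(t, n) replicated sharing: s = sum_B s_B, and player j holds every s_B with j in B.
    Returns the per-cell summands and the per-player view."""
    cs = cells(n, t)
    parts = [secrets.randbelow(P) for _ in cs[:-1]]
    parts.append((secret - sum(parts)) % P)          # last summand makes the sum equal s
    s_B = dict(zip(cs, parts))
    views = {j: {B: s_B[B] for B in cs if j in B} for j in range(1, n + 1)}
    return s_B, views


def cells_unknown_to(views, coalition, n, t):
    """Privacy: the cells held by no member of the coalition A. For |A| = t this is
    exactly the single cell B = {1..n} minus A, so A is missing the summand s_B."""
    held = set()
    for j in coalition:
        held.update(views[j])
    return [B for B in cells(n, t) if B not in held]


def reconstruct_majority(reports, n, t):
    """Reconstruction from what every player reports, with n > 3t: each cell has
    n - t > 2t members, so at most t of its copies of s_B are corrupted and a
    majority vote over the copies received from members of B recovers s_B."""
    total = 0
    for B in cells(n, t):
        copies = [reports[j][B] for j in B]
        total += max(set(copies), key=copies.count)   # the most frequent copy wins
    return total % P


if __name__ == "__main__":
    n, t, secret = 4, 1, 12345                       # n = 4 > 3t, so one liar is tolerated
    s_B, views = share(secret, n, t)
    print("cell held by nobody in {2}:", cells_unknown_to(views, {2}, n, t))
    reports = {j: dict(v) for j, v in views.items()}
    reports[1] = {B: (v + 7) % P for B, v in reports[1].items()}   # player 1 lies everywhere
    print("majority-vote reconstruction:", reconstruct_majority(reports, n, t))
```

With n = 4 and t = 1 every cell has three members, so a single corrupt player is outvoted in each cell it belongs to; the number of cells, and hence the work, is $\binom{n}{t}$, which is the drawback the slide names.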
Why interested in this scheme...???
After all...there is Shamir's scheme..
Ito/Nishizeki/Saito: introduced general, non-thresho
ing secret sharing (m-out-of-m additive sharing within
ified set")
Beaver/Wool: simple protocol for MPC, passive ad
eral adversary
Maurer: extension to active case
But: only makes sense when n is small (or more gen
t is small).
Moreover, in all these cases more efficient solution
by more sophisticated techniques
Good reasons to revisit this technique to follow...
Pseudo-random secret sharing
Unbounded source of sharings of random secrets, no
Trusted Initialization: replace share $s_B$ by a pse
function $G_B(\cdot)$.
Define
$s(\cdot) = \sum_B G_B(\cdot)$.
Notation: suppress globally agreed argument $(\cdot)$
Variation: seeds for pseudo-random number gen
Pseudo-random secret sharing introduced earlier by M
and further studied by Ishai/Gilboa,..
Here: we develop enhanced pseudo-random secret sh
and give new applications of pseudo-random secret
taking interaction out of certain secure computation
crypto-systems, without paying a penalty in commu
Application I: Pseudo-random VSS with t <
Give all pseudo-random functions to a single desig
(the dealer): non-interactive VSS of random sec
by dealer.
Adaptation to secret s of his choice: dealer bro
rection value $s - r$.
Players adapt their shares locally using linearity:
Reconstruction in presence of malicious errors:
error correction
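Pseudo-random secret sharing and the Application I dealer adaptation, as an added example (not code from the slides). It instantiates $G_B(\cdot)$ with HMAC-SHA256 keyed by a per-cell seed (a choice made here; the slides only ask for a pseudo-random function), takes the globally agreed argument to be a string such as a round label, and has the players add the broadcast correction to the summand of one fixed, agreed cell $B_0$ so that, by linearity, the sum of all summands becomes the dealer's secret. The prime P and all function names are assumptions of this example.

```python
import hashlib
import hmac
import itertools
import secrets

P = 2**61 - 1  # prime field (chosen for this example)


def cells(n, t):
    """Cells of the replicated scheme: complements of the t-subsets of {1..n}."""
    players = frozenset(range(1, n + 1))
    return [players - frozenset(a) for a in itertools.combinations(sorted(players), t)]


def G(seed, arg):
    """G_B(arg): pseudo-random function of the cell's seed, here HMAC-SHA256 reduced mod P."""
    digest = hmac.new(seed, arg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % P


def trusted_setup(n, t):
    """Trusted initialization: one seed per cell, later given to the players in that cell."""
    return {B: secrets.token_bytes(32) for B in cells(n, t)}


def player_seeds(seeds, j):
    """What player j receives: the seeds of every cell containing j."""
    return {B: k for B, k in seeds.items() if j in B}


def random_secret(seeds, arg):
    """The value implicitly shared for this argument: s(arg) = sum_B G_B(arg)."""
    return sum(G(k, arg) for k in seeds.values()) % P


def local_shares(my_seeds, arg):
    """Player side, no interaction: the replicated shares {s_B}_{B: j in B} of s(arg)."""
    return {B: G(k, arg) for B, k in my_seeds.items()}


def dealer_correction(seeds, arg, secret):
    """Application I: the dealer holds all seeds, so it knows r = s(arg) and broadcasts s - r."""
    return (secret - random_secret(seeds, arg)) % P


def adapt_shares(shares, correction, B0):
    """Linearity: adding the correction to the summand of the agreed cell B0 turns a
    sharing of r into a sharing of r + (s - r) = s. Players outside B0 change nothing."""
    out = dict(shares)
    if B0 in out:
        out[B0] = (out[B0] + correction) % P
    return out


def run_vss(n, t, arg, secret):
    """Full flow: setup, dealer broadcast, local adaptation, then reconstruction by
    collecting one copy of every cell's summand from its holders."""
    seeds = trusted_setup(n, t)
    B0 = cells(n, t)[0]                                   # globally agreed cell
    c = dealer_correction(seeds, arg, secret)
    per_player = {j: adapt_shares(local_shares(player_seeds(seeds, j), arg), c, B0)
                  for j in range(1, n + 1)}
    collected = {}
    for shares in per_player.values():
        collected.update(shares)
    return sum(collected.values()) % P


if __name__ == "__main__":
    print(run_vss(5, 2, "round-1", 42))
```

Changing the argument string yields a fresh random secret from the same seeds, which is the unbounded source of sharings the slide describes; only the dealer's single broadcast of $s - r$ is needed to pin the shared value to a chosen secret.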
Application II: Non-interactive secure multiplication
Here: n > 4t. Adversary actively corrupts at most t
Intersection of any two cells contains majority o
For each pair of cells $B, B'$, designate a (unique)
$B \cap B'$ of size 2t + 1. Call this a subcell.
Initialization: for each subcell, replicate a fresh
the pseudo-random VSS set-up.
Starting condition: sharings of , in the repli
sharing scheme. Thus:
$= \sum_B {}_B$; $= \sum_B {}_B$; $\cdot = \sum_{B, B'} {}_B \cdot$
Basic Idea:
For each subcell C: usual re-sharing of local prod
but done with pseudo-random VSS instead
Re-sharings of correct local products occur in
This is due to pseudo-random VSS replicas; re
voting over the broadcasted correction value
Bunch it up non-interactively to a sharing of th
Note 1: No broadcast needed here in pseudo-rando
Note 2:
random approach)
(information theoretic pre-processing ver
preprocessing leads to a priori bounded horizon, pse
ness makes it ongoing, unbounded horizon
Compressed pseudo-random secret sharin
New feature: share size "as in Shamir", still non-int
Only local computation proportional to $\binom{n}{t}$
For each cell B, choose fixed polynomial $f_B$ so t
1. deg(f) = t
2. f(0) = 1 but f(i) = 0 if $i \notin B$
Define
$f(X) = \sum_B s_B \cdot f_B(X)$
Player $P_i$ can compute his Shamir-share from his sha
replication based scheme:
$f(i) = \sum_B s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i) + \sum_{B : i \notin B} s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i)$
Privacy: the info held by $A \subseteq \{1, \ldots, n\}$ with $|A| =$
least one random coin in the expression for f(X)...
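The conversion from a replicated sharing to a Shamir sharing, as an added example (not the authors' code). $f_B$ is built in closed form as $\prod_{i \notin B} (i - X)/i$, which has degree $n - |B| = t$, value 1 at 0 and value 0 at every $i \notin B$, matching the two conditions on the slide; player i only needs the summands it holds, since the other terms of $f(i)$ vanish, and any t+1 converted shares interpolate back to $s = \sum_B s_B$. The prime P and the function names are assumptions of this example.

```python
import itertools
import secrets

P = 2**61 - 1  # prime field (chosen for this example)


def cells(n, t):
    players = frozenset(range(1, n + 1))
    return [players - frozenset(a) for a in itertools.combinations(sorted(players), t)]


def inv(a):
    return pow(a, P - 2, P)


def f_B(B, n, x):
    """Evaluate f_B(X) = prod_{i not in B} (i - X) / i at x. Each factor is 1 at X = 0
    and 0 at X = i, and there are n - |B| = t factors, so deg f_B = t."""
    v = 1
    for i in range(1, n + 1):
        if i not in B:
            v = v * (i - x) % P * inv(i) % P
    return v


def replicated_share(secret, n, t):
    """Additive summands s_B of the replicated scheme, s = sum_B s_B."""
    cs = cells(n, t)
    parts = [secrets.randbelow(P) for _ in cs[:-1]]
    parts.append((secret - sum(parts)) % P)
    return dict(zip(cs, parts))


def convert_to_shamir(s_B, n, i):
    """Player i's local conversion: f(i) = sum_{B: i in B} s_B * f_B(i). The summands
    with i not in B would contribute s_B * f_B(i) = 0, so player i never needs them."""
    return sum(v * f_B(B, n, i) for B, v in s_B.items() if i in B) % P


def lagrange_at_zero(points):
    """Shamir reconstruction: interpolate the degree-t polynomial through t+1 points at X = 0."""
    total = 0
    for xk, yk in points:
        num = den = 1
        for xj, _ in points:
            if xj != xk:
                num = num * (-xj) % P
                den = den * (xk - xj) % P
        total = (total + yk * num % P * inv(den)) % P
    return total


def demo(secret, n, t):
    """Share with the replicated scheme, convert locally, reconstruct from t+1 Shamir shares."""
    s_B = replicated_share(secret, n, t)
    shamir = {i: convert_to_shamir(s_B, n, i) for i in range(1, n + 1)}
    return lagrange_at_zero(list(shamir.items())[: t + 1])


if __name__ == "__main__":
    print(demo(777, 5, 2))
```

Because $f(X) = \sum_B s_B f_B(X)$ has degree t and $f(0) = \sum_B s_B = s$, the converted values are an ordinary (t, n) Shamir sharing of s, and each player computed its single field element from its own summands without any message exchange.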
Compressed pseudo-random VSS
This works as before (non-interactive), with n > 3t
All pseudo-random functions given to designated pl
Broadcast difference of pseudo-random secret and
terest
Reconstruction: efficient Reed-Solomon decoding (s
Welch)
Compressed non-interactive secure multiplic
n > 4t
Adversary actively corrupts t players
Initialization: compressed pseudo-random secre
place (actually, a small variation...)
Input: (t, n)-Shamir sharings
of secrets ,
$({}_1, \ldots, {}_n)$, $({}_1, \ldots, {}_n)$
Output: $\cdot$.
Pseudo-random zero-sharing: (with n > 4t) creation
deg 2t Shamir-sharing of the value 0.
For each cell B, choose a fixed basis of polynomia
for the vector space of polynomials f with
1. deg(f) ≤ 2t
2. f(0) = 0
3. f(i) = 0 if $i \notin B$
Instead of a single one, hand pseudo-random fu
$G^1_B(\cdot), \ldots, G^t_B(\cdot)$
to the players in B.
Define
$f(X) = \sum_B \sum_{i=1}^{t} s^i_B \cdot f^i_B(X)$
Compressed secure multiplication is now easy, by sta
nique plus masking using pseudo-random zero-shari
${}_i$: player i's share in the pseudo-random zero-s
Masking: player i computes
${}_i \cdot {}_i + {}_i$,
sends it to all players
Each player on his own applies Berlekamp-Welch
correction.
Indeed:
f: polynomial for zero-sharing
$f_{}, f_{}$: polynomials for sharing of ,
So $f_{} \cdot f_{} + f$ of degree 2t,
we have n > 4t points with t errors.
So the error correction is possible.
This way, each player obtains a polynomial who
is $\cdot$.
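The compressed non-interactive multiplication with the pseudo-random zero-sharing and Berlekamp-Welch decoding, as an added example (not the authors' code). It uses n = 5, t = 1 (so n > 4t), draws the per-cell coefficients $s^i_B$ from Python's secrets module instead of from the PRFs $G^i_B$, takes the basis polynomials $f^i_B$ to be $X^{i-1} \cdot X \cdot \prod_{j \notin B} (X - j)$ (which have degree at most 2t, vanish at 0 and at every $j \notin B$, and are t in number), shares the two inputs with plain random Shamir polynomials, and lets one player send a wrong masked product to show that every player still decodes the product on its own. The names alpha, beta, zeta and the helper functions are assumptions of this example.

```python
import itertools
import secrets

P = 2**61 - 1  # prime field (chosen for this example)


def inv(a):
    return pow(a, P - 2, P)


def cells(n, t):
    players = frozenset(range(1, n + 1))
    return [players - frozenset(a) for a in itertools.combinations(sorted(players), t)]


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def poly_eval(c, x):
    acc = 0
    for coef in reversed(c):                 # Horner; c[k] is the coefficient of X^k
        acc = (acc * x + coef) % P
    return acc


def zero_basis(B, n, t):
    """f^1_B..f^t_B: basis of {f : deg f <= 2t, f(0) = 0, f(j) = 0 for j not in B}.
    base = X * prod_{j not in B}(X - j) has degree t + 1; X^k * base for k < t stays
    within degree 2t, and these t polynomials are independent."""
    base = [0, 1]
    for j in range(1, n + 1):
        if j not in B:
            base = poly_mul(base, [(-j) % P, 1])
    return [[0] * k + base for k in range(t)]


def zero_sharing(n, t):
    """Degree-2t sharing of 0: f = sum_B sum_i s^i_B f^i_B with random coefficients
    (the slides derive the s^i_B from the PRFs G^i_B handed to the players in B)."""
    f = [0] * (2 * t + 1)
    for B in cells(n, t):
        for fk in zero_basis(B, n, t):
            s = secrets.randbelow(P)
            for j, c in enumerate(fk):
                f[j] = (f[j] + s * c) % P
    return f


def solve(rows, m):
    """Gauss-Jordan over GF(P) for a consistent system; rows are [a_0..a_{m-1} | b].
    Free variables are set to 0 (any solution works for Berlekamp-Welch)."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for col in range(m):
        piv = next((k for k in range(r, len(rows)) if rows[k][col]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        ip = inv(rows[r][col])
        rows[r] = [v * ip % P for v in rows[r]]
        for k in range(len(rows)):
            if k != r and rows[k][col]:
                fac = rows[k][col]
                rows[k] = [(vk - fac * vr) % P for vk, vr in zip(rows[k], rows[r])]
        pivots.append(col)
        r += 1
    x = [0] * m
    for k, col in enumerate(pivots):
        x[col] = rows[k][m]
    return x


def berlekamp_welch(points, deg, t):
    """Recover f with deg f <= deg from n >= deg + 2t + 1 points, at most t of them wrong:
    solve Q(x) = y * E(x) with E monic of degree t, then f = Q / E (exact division)."""
    nq = deg + t + 1                                   # number of coefficients of Q
    rows = []
    for x, y in points:
        row = [pow(x, j, P) for j in range(nq)]
        row += [(-y) * pow(x, j, P) % P for j in range(t)]   # unknowns e_0..e_{t-1}
        row.append(y * pow(x, t, P) % P)                      # monic term moved to the right
        rows.append(row)
    sol = solve(rows, nq + t)
    Q, E = sol[:nq], sol[nq:] + [1]
    f = [0] * (len(Q) - t)
    for k in range(len(f) - 1, -1, -1):               # long division by the monic E
        f[k] = Q[k + t]
        for j, e in enumerate(E):
            Q[k + j] = (Q[k + j] - f[k] * e) % P
    if any(Q):
        raise ValueError("more than t errors")
    return f


def multiply_round(alpha, beta, n, t, liars=()):
    """Each player i sends alpha_i * beta_i + zeta_i; players in `liars` send a wrong value.
    Returns every (i, message) so that any player can decode on its own."""
    fa = [alpha] + [secrets.randbelow(P) for _ in range(t)]
    fb = [beta] + [secrets.randbelow(P) for _ in range(t)]
    fz = zero_sharing(n, t)
    msgs = []
    for i in range(1, n + 1):
        m = (poly_eval(fa, i) * poly_eval(fb, i) + poly_eval(fz, i)) % P
        msgs.append((i, (m + 1) % P if i in liars else m))
    return msgs


def decode_product(msgs, t):
    """Berlekamp-Welch on f_alpha * f_beta + f_zero (degree 2t); its constant term is alpha*beta."""
    return berlekamp_welch(msgs, 2 * t, t)[0]


if __name__ == "__main__":
    print(decode_product(multiply_round(6, 7, 5, 1, liars={3}), 1))
```

The decoder needs $n - t \geq 2t + t + 1$ correct points for $Q - f E$ to be forced to zero, which is exactly the n > 4t condition on the slide; the zero-sharing contributes nothing to the constant term but randomizes the other coefficients of the degree-2t polynomial that every player reconstructs.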
Generalization: non-interactive secure computation
bi-variate polynomials
Theoretical Results on Share Compressio
Thm.: Pseudo-random secret sharing schemes
pressed to any linear secret sharing scheme
Proof: generalize the Shamir compression usin
monotone span programs
Thm.:
Our approach is optimal in the model
player gets a subset of a given collection of in
distributed random sources
Proof: By information theoretic arguments: # ra
# maximal unqualified sets
Application to non-interactive threshold cry
Non-interactive version of the threshold-CS98 f
Goldwasser:
test of validity of ciphertext by non-interactive
tion by (compressed secure multiplication "in the
Communication-efficient variant of Naor/Pinkas/
tributed Pseudo-Random Function
Threshold signatures without random oracles bas
Boyen scheme.