Verifiable Secret-Sharing Schemes

Transcript:

Aarhus University
Verifiable Secret-Sharing Schemes
Irene Giacomelli, joint work with Ivan Damgård, Bernardo David and Jesper B. Nielsen
Aalborg, 30th June 2014
Verifiable Secret-Sharing Schemes Aalborg, 30th June 2014 1 / 14

Packed Linear Secret-Sharing Scheme among n players
(t, r)-LSSS for secret $s \in \mathbb{F}^\ell$
Sharing Phase: the dealer holds the secret $s \in \mathbb{F}^\ell$ and sends share $c_1 \in \mathbb{F}$ to player $P_1$, share $c_2 \in \mathbb{F}$ to player $P_2$, ..., share $c_n \in \mathbb{F}$ to player $P_n$.
Reconstruction Phase: shares $c_1, c_2, \dots, c_n \in \mathbb{F}$ $\to$ $s \in \mathbb{F}^\ell$

Packed Linear Secret-Sharing Scheme among n players
(t, r)-LSSS for secret $s \in \mathbb{F}^\ell$
t-privacy: shares $c_{i_1}, c_{i_2}, \dots, c_{i_t} \in \mathbb{F}$ $\to$ ?
r-reconstruction: shares $c_{j_1}, c_{j_2}, \dots, c_{j_r} \in \mathbb{F}$ $\to$ $s \in \mathbb{F}^\ell$

An example: Shamir's scheme ($\ell = 1$) for n players
Let $\beta_1, \dots, \beta_n$ be n distinct nonzero elements of $\mathbb{F}$.
secret: $s \in \mathbb{F}$
D chooses a random $f(x) = s + \sum_{i=1}^{t} a_i x^i$
shares: $c_i = f(\beta_i)$, $i = 1, \dots, n$
Note: Shamir's scheme has t-privacy and (t + 1)-reconstruction.
$$\begin{pmatrix} 1 & \beta_1 & \cdots & \beta_1^t \\ 1 & \beta_2 & \cdots & \beta_2^t \\ \vdots & \vdots & & \vdots \\ 1 & \beta_n & \cdots & \beta_n^t \end{pmatrix} \begin{pmatrix} s \\ a_1 \\ \vdots \\ a_t \end{pmatrix} = \begin{pmatrix} f(\beta_1) \\ f(\beta_2) \\ \vdots \\ f(\beta_n) \end{pmatrix}$$
The set $\{(s, c_1, \dots, c_n)\} = \{(f(0), f(\beta_1), \dots, f(\beta_n)) \mid \deg(f) \le t\}$ is an $[n + 1, t + 1]$-Reed-Solomon code over $\mathbb{F}$.

An example: Franklin and Yung's scheme ($\ell > 1$)
Let $\{\alpha_1, \dots, \alpha_\ell\}$ and $\{\beta_1, \dots, \beta_n\}$ be two disjoint sets of distinct elements of $\mathbb{F}$.
secret: $s \in \mathbb{F}^\ell$, where $s = (s[1], s[2], \dots, s[\ell])^T$
$f(x) \in \mathbb{F}[x]$ random s.t. $\deg(f) \le t + \ell - 1$ and $f(\alpha_i) = s[i]$, $i = 1, \dots, \ell$
shares: $c_i = f(\beta_i)$, $i = 1, \dots, n$

What kind of security?!
Assume the dealer is honest:
t-privacy: security for the dealer against at most t corrupted curious players (passive corruption);
What happens if the corrupted players during the reconstruction phase provide faulty shares (active corruption)?!
robust reconstruction: the set of the n shares determines the secret even if t of them are faulty (robust SSS)
e.g. If $t < n/3$, Shamir's scheme is robust (Reed-Solomon decoding)

Security: the players' point of view
What happens if the dealer is not honest?!
Consider Shamir's scheme with n = 4 and t = 1 (r = 2):
[Diagram: the dealer holding s sends shares $c_1, c_2, c_3, c_4$ to players $P_1, P_2, P_3, P_4$; braces group the players, and each group reconstructs a secret.]
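The dishonest-dealer case above (Shamir with n = 4, t = 1, r = 2), as an added example that is not part of the slides. It goes slightly beyond that case by implementing the Franklin and Yung packed sharing from the earlier slide, of which Shamir is the instance $\ell = 1$, $\alpha_1 = 0$. The prime 257, the evaluation points, the cheating dealer's values and all function names are assumptions made for illustration.

```python
from secrets import SystemRandom

P = 257  # small prime field, an assumption for illustration

def interpolate(points, x):
    """Lagrange: value at x of the polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def share(secret, alphas, betas, t, rng=SystemRandom()):
    """Random f with deg(f) <= t+l-1 and f(alpha_i) = secret[i]; shares c_i = f(beta_i)."""
    # f is pinned down by the l secret values plus t uniform values at t of the betas.
    fixed = list(zip(alphas, secret)) + [(b, rng.randrange(P)) for b in betas[:t]]
    return [interpolate(fixed, b) for b in betas]

def reconstruct(shares, alphas, betas, idx):
    """Secret as seen by the players in idx (len(idx) must be at least r = t + l)."""
    pts = [(betas[i], shares[i]) for i in idx]
    return [interpolate(pts, a) for a in alphas]

def consistent(shares, betas, r):
    """True iff all shares lie on one polynomial of degree < r.
    Global check for illustration only; no single party sees every share."""
    pts = list(zip(betas, shares))
    return all(interpolate(pts[:r], x) == y for x, y in pts[r:])

def demo():
    alphas, betas, t = [0], [1, 2, 3, 4], 1  # Shamir: n = 4, t = 1, r = 2
    honest = share([42], alphas, betas, t)
    # Constructed cheating dealer: P1, P2 get points of 10 + 5x; P3, P4 of 99 + 7x.
    bad = [(10 + 5 * b) % P for b in betas[:2]] + [(99 + 7 * b) % P for b in betas[2:]]
    return {
        "honest_12": reconstruct(honest, alphas, betas, [0, 1]),
        "honest_34": reconstruct(honest, alphas, betas, [2, 3]),
        "bad_12": reconstruct(bad, alphas, betas, [0, 1]),
        "bad_34": reconstruct(bad, alphas, betas, [2, 3]),
        "honest_ok": consistent(honest, betas, 2),
        "bad_ok": consistent(bad, betas, 2),
    }

if __name__ == "__main__":
    print(demo())
```

With the cheating dealer, every pair of players reconstructs without error, yet the pairs disagree on the secret; plain Shamir gives the players no way to notice this from their own shares.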

Definition of VSSS: A (t, r)-SSS among n players is verifiable if
t-privacy: when the dealer is honest, any set of t players has no info about the secret.
$P_{i_1}, P_{i_2}, \dots, P_{i_t}$ $\to$ ?
r-robust reconstruction: when the dealer is corrupt, the sharing phase succeeds $\Rightarrow$ any set of r honest players reconstruct the same secret.
For any $\{i_1, \dots, i_r\} \ne \{j_1, \dots, j_r\}$, if $P_{i_1}, P_{i_2}, \dots, P_{i_r} \to s \in \mathbb{F}^\ell$ and $P_{j_1}, P_{j_2}, \dots, P_{j_r} \to s' \in \mathbb{F}^\ell$, then $s = s'$.

A general construction from LSSS to VSSS:
(t, r)-LSSS for secret $s \in \mathbb{F}^\ell$ $\Rightarrow$ (t, r)-VSSS for secrets $\{s_1, \dots, s_\ell\} \subseteq \mathbb{F}^\ell$
Notation for (t, r)-LSSS for secret $s \in \mathbb{F}^\ell$:
$d = \ell + e$ (for some integer $e > 0$);
$M \in \mathbb{F}^{n \times d}$
$\pi_\ell : \mathbb{F}^d \to \mathbb{F}^\ell$, $v \mapsto (v[1], \dots, v[\ell])$
secret: $s \in \mathbb{F}^\ell$
D chooses $f \in \mathbb{F}^d$ random s.t. $\pi_\ell(f) = s$
shares: $c_i = m_i f$, $i = 1, \dots, n$, where $m_i$ is the ith row of $M$.

The complexity
(t, r)-LSSS for secret $s \in \mathbb{F}^\ell$ $\Rightarrow$ (t, r)-VSSS for secrets $\{s_1, \dots, s_\ell\} \subseteq \mathbb{F}^\ell$
Assuming $\mathbb{F} = \{0, 1\}$ and $\ell = \Theta(n)$:

        secret bits shared    communication complexity
LSSS    $\ell$                $\Theta(n)$
VSSS    $\ell^2$              $\Theta(n^2)$

t-privacy in the LSSS $\Rightarrow$ t-privacy in the VSSS
Proposition: If the dealer is honest, then for any set $C \subseteq \{1, \dots, n\}$ such that $|C| \le t$, the views $\{g_i, h_i\}_{i \in C}$ give no info about the secrets held by the dealer.
views $(g_{i_1}, h_{i_1}), (g_{i_2}, h_{i_2}), \dots, (g_{i_t}, h_{i_t})$ $\to$ ?
If the dealer is honest, then for any set $C \subseteq \{1, \dots, n\}$ such that $|C| \le t$ and for any $\lambda_1, \dots, \lambda_\ell$ in $\mathbb{F}$, the views $\{g_i, h_i, \sum_{k=1}^{\ell} \lambda_k s_k\}_{i \in C}$ give no extra info about the secrets held by the dealer.

r-robust reconstruction
r-reconstruction in the LSSS + checks $m_j h_i = g_j m_i$ $\Rightarrow$ r-robust reconstruction in the VSSS
Proposition: Assume that no player rejects. Then, even if the dealer is corrupt, any set of at least r honest players reconstruct the same secrets.
For any $\{i_1, \dots, i_r\} \ne \{j_1, \dots, j_r\}$, if the views $(g_{i_1}, h_{i_1}), (g_{i_2}, h_{i_2}), \dots, (g_{i_r}, h_{i_r}) \to \{s_1, \dots, s_\ell\} \subseteq \mathbb{F}^\ell$ and the views $(g_{j_1}, h_{j_1}), (g_{j_2}, h_{j_2}), \dots, (g_{j_r}, h_{j_r}) \to \{s'_1, \dots, s'_\ell\} \subseteq \mathbb{F}^\ell$, then $\{s_1, \dots, s_\ell\} = \{s'_1, \dots, s'_\ell\}$.

Extensions:
checking a public linear relation between the secrets
generate shares of $0 \in \mathbb{F}^\ell$

Applications:
MPC protocols
Commitment Schemes
...
In these cases, we need to base the construction on a LSSS with t-strong multiplication such that n + F constant t, l = Θ(n) (e.g. AG Secret-Sharing Schemes!)