Share conversion, pseudorandom secret-sharing and
applications to secure distributed computing
Ronald Cramer (CWI & Leiden University), Ivan Damgård
(Aarhus University), Yuval Ishai (Technion)
Friday, February 11, 2005
(t, n) Replicated secret sharing
• Consider all $\binom{n}{t}$ subsets $B \subseteq \{1, \ldots, n\}$ with $|B| = n - t$. Call
these subsets cells.
• Additively secret-share the secret s, where each cell gets one
of the shares.
In other words, the i-th share is replicated among the players
in the i-th cell $B_i$.
• Thus: $s = \sum_B s_B$, and player $P_j$ holds $\{s_B\}_{B : j \in B}$.
Privacy:
• Consider $A \subseteq \{1, \ldots, n\}$ with $|A| = t$.
There is a cell B that has empty intersection with A, namely
$B = \{1, \ldots, n\} \setminus A$.
• So A lacks the share $s_B$, a uniformly random summand of s, and learns nothing about s.
Reconstruction:
• All players jointly can determine the secret s.
• With n > 2t: the intersection of any two cells is non-empty
(two cells of size n - t share at least n - 2t > 0 players).
• So the players of each cell B jointly hold all shares, and can reconstruct.
[Example: if n = 2t + 1, then t-private, > t reconstruction.]
• n > 3t ⇒ perfect recovery from malicious errors in reconstruction:
- In each cell, there is a majority of good guys ($n - t \geq 2t + 1$,
so at most t of the n - t members of a cell are corrupt)
- So find the correct $s_B$ by local "majority voting" among the
shares received from members of B
Drawback: efficiency proportional to $\binom{n}{t}$.
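The replicated scheme of the previous slides as an added worked example (Python, written for this transcript; it is not code from the authors): it builds the $\binom{n}{t}$ cells, splits a secret additively with one summand per cell, checks that any t players miss exactly one summand while any t + 1 players miss none, and reconstructs by per-cell majority vote while t players announce garbage, with n = 7, t = 2 (so n > 3t). The prime modulus, the seed and the sample secret are assumptions of the example.

```python
import random
from collections import Counter
from itertools import combinations

P = 2**61 - 1  # prime field modulus (assumption: any prime works for the additive sharing)


def cells(n, t):
    """All cells: subsets of {1..n} of size n - t."""
    return [frozenset(c) for c in combinations(range(1, n + 1), n - t)]


def share(secret, n, t, rng):
    """Split secret additively into one summand s_B per cell and replicate s_B
    to every player in B. Returns player -> {cell: s_B}."""
    cs = cells(n, t)
    summands = {B: rng.randrange(P) for B in cs[:-1]}
    summands[cs[-1]] = (secret - sum(summands.values())) % P
    return {j: {B: v for B, v in summands.items() if j in B} for j in range(1, n + 1)}


def uncovered_cells(shares, coalition, n, t):
    """Cells whose summand no member of the coalition holds."""
    held = set().union(*(shares[j].keys() for j in coalition))
    return set(cells(n, t)) - held


def threshold_check(n=7, t=2, seed=1):
    """Any t players miss exactly one cell (the complement of their set); t + 1 players miss none."""
    shares = share(0, n, t, random.Random(seed))
    return (len(uncovered_cells(shares, range(1, t + 1), n, t)),
            len(uncovered_cells(shares, range(1, t + 2), n, t)))


def reconstruct(received, n, t):
    """received[j] = the share dict player j announced (corrupt players may lie).
    With n > 3t every cell has an honest majority, so vote cell by cell."""
    total = 0
    for B in cells(n, t):
        votes = Counter(received[j].get(B) for j in B)
        value, count = votes.most_common(1)[0]
        if count <= len(B) // 2:
            raise ValueError("no majority in cell %s: more than t corruptions" % sorted(B))
        total += value
    return total % P


def demo(secret=123456789, n=7, t=2, seed=1):
    """n = 7, t = 2 satisfies n > 3t; players 1..t announce garbage for every cell they are in."""
    rng = random.Random(seed)
    shares = share(secret, n, t, rng)
    received = {j: dict(shares[j]) for j in shares}
    for j in range(1, t + 1):
        received[j] = {B: rng.randrange(P) for B in received[j]}
    return reconstruct(received, n, t)
```

The vote in `reconstruct` is exactly the local majority voting of the slide: each cell has n - t = 5 members, of which at most t = 2 lie, so the 3 honest copies of $s_B$ always win. Note that the adversary here is the maximal one allowed by n > 3t; with a third corrupt player in some cell the `ValueError` path fires rather than silently returning a wrong secret.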
Why be interested in this scheme...???
After all... there is Shamir's scheme..
Ito/Nishizeki/Saito: introduced general, non-threshold secret sharing
(m-out-of-m additive sharing within each "qualified set")
Beaver/Wool: simple protocol for MPC, passive adversary, general
adversary structure
Maurer: extension to the active case
But: this only makes sense when n is small (or more generally, when
t is small).
Moreover, in all these cases more efficient solutions are known
by more sophisticated techniques.
Good reasons to revisit this technique to follow...
Pseudo-random secret sharing
Unbounded source of sharings of random secrets, no interaction.
• Trusted initialization: replace the share $s_B$ by a pseudo-random
function $G_B(\cdot)$, held by the players in B just as $s_B$ was.
• Define
$$s(\cdot) = \sum_B G_B(\cdot).$$
Notation: suppress the globally agreed argument $(\cdot)$.
• Variation: seeds for a pseudo-random number generator.
Pseudo-random secret sharing was introduced earlier by Micali/Sidney,
and further studied by Ishai/Gilboa, ...
Here: we develop enhanced pseudo-random secret sharing schemes
and give new applications of pseudo-random secret sharing:
taking interaction out of certain secure computations and threshold
cryptosystems, without paying a penalty in communication.
Application I: Pseudo-random VSS with t < n/3
• Give all pseudo-random functions to a single designated player
(the dealer): non-interactive VSS of a random secret r, known
by the dealer.
• Adaptation to a secret s of his choice: the dealer broadcasts the
correction value $s - r$.
• Players adapt their shares locally using linearity: add in $s - r$.
• Reconstruction in the presence of malicious errors: by efficient
error correction.
Application II: Non-interactive secure multiplication (shared output)
Here: n > 4t. Adversary actively corrupts at most t players.
• The intersection of any two cells contains a majority of good guys
($|B \cap B'| \geq n - 2t \geq 2t + 1$).
For each pair of cells $B, B'$, designate a (unique) subset $C \subseteq
B \cap B'$ of size 2t + 1. Call this a subcell.
• Initialization: for each subcell, replicate a fresh instance of
the pseudo-random VSS set-up.
• Starting condition: sharings of $\alpha, \beta$ in the replicated secret
sharing scheme. Thus:
$$\alpha = \sum_B \alpha_B, \quad \beta = \sum_B \beta_B, \quad \alpha \cdot \beta = \sum_{B, B'} \alpha_B \cdot \beta_{B'}.$$
• Basic idea:
For each subcell C: the usual re-sharing of the local product $\alpha_B \cdot \beta_{B'}$,
but done with pseudo-random VSS instead.
Re-sharings of a correct local product occur in a majority.
This is due to the pseudo-random VSS replicas; recognized by
voting over the broadcast correction value.
Bunch it all up non-interactively into a sharing of the product.
Note 1: No broadcast needed here in pseudo-random VSS.
Note 2: (information-theoretic pre-processing versus the pseudo-random approach)
Preprocessing leads to an a priori bounded horizon; pseudorandomness
makes it ongoing, with an unbounded horizon.
Compressed pseudo-random secret sharing
New feature: share size "as in Shamir", still non-interactive.
Only local computation proportional to $\binom{n}{t}$.
• For each cell B, choose a fixed polynomial $f_B$ so that
1. $\deg(f_B) = t$
2. $f_B(0) = 1$ but $f_B(i) = 0$ if $i \notin B$
(this determines $f_B$ uniquely: it vanishes at the t points outside B)
• Define
$$f(X) = \sum_B s_B \cdot f_B(X).$$
Player $P_i$ can compute his Shamir share from his shares in the
replication-based scheme:
$$f(i) = \sum_B s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i) + \sum_{B : i \notin B} s_B \cdot f_B(i) = \sum_{B : i \in B} s_B \cdot f_B(i),$$
since $f_B(i) = 0$ whenever $i \notin B$. Note that f has degree t and $f(0) = \sum_B s_B = s$,
so the values $f(1), \ldots, f(n)$ are a (t, n)-Shamir sharing of s.
Privacy: the info held by $A \subseteq \{1, \ldots, n\}$ with $|A| = t$ lacks at
least one random coin in the expression for f(X)...
Compressed pseudo-random VSS
This works as before (non-interactive), with n > 3t:
All pseudo-random functions are given to a designated player.
Broadcast the difference between the pseudo-random secret and the secret of
interest.
Reconstruction: efficient Reed-Solomon decoding (say Berlekamp-Welch).
Compressed non-interactive secure multiplication
n > 4t
Adversary actively corrupts t players
• Initialization: compressed pseudo-random secret sharing in
place (actually, a small variation...)
• Input: (t, n)-Shamir sharings
$(\alpha_1, \ldots, \alpha_n), (\beta_1, \ldots, \beta_n)$
of secrets $\alpha, \beta$
• Output: a sharing of $\alpha \cdot \beta$.
Pseudo-random zero-sharing: (with n > 4t) creation of a random
degree-2t Shamir sharing of the value 0.
• For each cell B, choose a fixed basis of polynomials $f^1_B, \ldots, f^t_B$
for the vector space of polynomials f with
1. $\deg(f) \leq 2t$
2. $f(0) = 0$
3. $f(i) = 0$ if $i \notin B$
(this space has dimension $(2t + 1) - 1 - t = t$, hence t basis polynomials)
• Instead of a single one, hand pseudo-random functions
$G^1_B(\cdot), \ldots, G^t_B(\cdot)$
to the players in B.
• Define
$$f(X) = \sum_B \sum_{i=1}^{t} s^i_B \cdot f^i_B(X),$$
where $s^i_B$ is the output of $G^i_B$.
Compressed secure multiplication is now easy, by the standard technique
plus masking using the pseudo-random zero-sharing.
• $\gamma_i$: player i's share in the pseudo-random zero-sharing.
• Masking: player i computes
$\alpha_i \cdot \beta_i + \gamma_i$
and sends it to all players.
• Each player on his own applies Berlekamp-Welch to do error
correction.
• Indeed:
f: polynomial for the zero-sharing
$f_\alpha, f_\beta$: polynomials for the sharings of $\alpha, \beta$
So $f_\alpha \cdot f_\beta + f$ has degree $\leq 2t$, and
we have n > 4t points with $\leq t$ errors.
So the error correction is possible: a degree-2t polynomial given at
$n \geq 4t + 1$ points tolerates $\lfloor (n - 2t - 1)/2 \rfloor \geq t$ errors.
• This way, each player obtains a polynomial whose free term
is $\alpha \cdot \beta$ (since $f(0) = 0$).
Generalization: non-interactive secure computation of degree-2
bivariate polynomials
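The pseudo-random zero-sharing and the compressed multiplication of the last four slides as one added worked example (Python, written for this transcript; not the authors' code). The basis chosen for each cell is $f^i_B(X) = X^i \prod_{k \notin B} (X - k)$ for i = 1..t, which has degree i + t ≤ 2t, vanishes at 0 and at every point outside B; the slides only say "choose a fixed basis", so this basis, the prime modulus, the seeds and the sample inputs are assumptions, and the coefficients $s^i_B$ are drawn from a seeded generator standing in for the PRF outputs $G^i_B(x)$. With n = 9, t = 2 (n > 4t), every player announces $\alpha_i \beta_i + \gamma_i$, t of them lie, and Berlekamp-Welch decoding recovers the degree-2t polynomial whose free term is $\alpha \cdot \beta$.

```python
import random
from itertools import combinations

P = 2**61 - 1  # prime field modulus (assumption: any prime larger than n works)


def cells(n, t):
    """All cells: subsets of {1..n} of size n - t."""
    return [frozenset(c) for c in combinations(range(1, n + 1), n - t)]


def basis_eval(B, n, i, x):
    """f^i_B(x) = x^i * prod_{k not in B} (x - k), i = 1..t: degree i + t <= 2t,
    zero at 0 and at every point outside B (assumed basis of the zero-sharing space)."""
    val = pow(x, i, P)
    for k in range(1, n + 1):
        if k not in B:
            val = val * (x - k) % P
    return val


def zero_sharing(n, t, rng):
    """gamma_j = sum_{B : j in B} sum_i s^i_B * f^i_B(j). The rng draws stand in for the
    PRF outputs G^i_B(x) that the players in B would compute locally from their keys."""
    coeff = {B: [rng.randrange(P) for _ in range(t)] for B in cells(n, t)}
    return {j: sum(coeff[B][i - 1] * basis_eval(B, n, i, j)
                   for B in coeff if j in B for i in range(1, t + 1)) % P
            for j in range(1, n + 1)}


def shamir(secret, n, t, rng):
    """(t, n)-Shamir sharing: a random degree-t polynomial with free term secret, evaluated at 1..n."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return {j: sum(c * pow(j, d, P) for d, c in enumerate(coeffs)) % P for j in range(1, n + 1)}


def solve_mod_p(rows, ncols):
    """Gaussian elimination over GF(P) on augmented rows [a_0 .. a_{ncols-1} | b]; free variables := 0."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((k for k in range(r, len(m)) if m[k][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P - 2, P)
        m[r] = [v * inv % P for v in m[r]]
        for k in range(len(m)):
            if k != r and m[k][c]:
                fac = m[k][c]
                m[k] = [(a - fac * b) % P for a, b in zip(m[k], m[r])]
        pivots.append(c)
        r += 1
    sol = [0] * ncols
    for row, c in enumerate(pivots):
        sol[c] = m[row][ncols]
    return sol


def berlekamp_welch(points, k, e):
    """Coefficients (low degree first) of the degree-<=k polynomial agreeing with all but <= e points.
    Solve Q(x) = y * E(x) with E monic of degree e and deg Q <= k + e; then Q = f * E exactly."""
    nq = k + e + 1
    rows = []
    for x, y in points:
        row = [pow(x, j, P) for j in range(nq)] + [(-y * pow(x, j, P)) % P for j in range(e)]
        rows.append(row + [y * pow(x, e, P) % P])
    sol = solve_mod_p(rows, nq + e)
    Q, E = sol[:nq], sol[nq:] + [1]
    quot = [0] * (k + 1)
    for d in range(k + e, e - 1, -1):  # long division; E is monic so no inversion is needed
        c = Q[d]
        quot[d - e] = c
        for j, ej in enumerate(E):
            Q[d - e + j] = (Q[d - e + j] - c * ej) % P
    return quot


def demo(alpha=1234, beta=5678, n=9, t=2, seed=3):
    """n = 9 > 4t. Players 1..t announce garbage; every honest player still decodes alpha * beta."""
    rng = random.Random(seed)
    gamma = zero_sharing(n, t, rng)
    a, b = shamir(alpha, n, t, rng), shamir(beta, n, t, rng)
    announced = {i: (a[i] * b[i] + gamma[i]) % P for i in range(1, n + 1)}
    for i in range(1, t + 1):
        announced[i] = rng.randrange(P)
    return berlekamp_welch(list(announced.items()), 2 * t, t)[0]


def zero_sharing_free_term(n=9, t=2, seed=5):
    """Sanity check: the zero-sharing shares lie on a degree-<=2t polynomial with free term 0."""
    gamma = zero_sharing(n, t, random.Random(seed))
    return berlekamp_welch(list(gamma.items()), 2 * t, 0)[0]
```

The unknown count in `berlekamp_welch` is (k + e + 1) + e = 4t + 1 for k = 2t, e = t, which is exactly why n > 4t is needed: with n = 4t + 1 announced values the system is square. The mask $\gamma_i$ is what keeps the announced products from leaking the degree-2t product polynomial's other coefficients; without it the honest players' $\alpha_i \beta_i$ would reveal more than $\alpha \cdot \beta$.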
Theoretical Results on Share Compression
• Thm.: Pseudo-random secret sharing schemes can be compressed
to any linear secret sharing scheme.
Proof: generalize the Shamir compression using canonical
monotone span programs.
• Thm.: Our approach is optimal in the model where each
player gets a subset of a given collection of independently
distributed random sources.
Proof: by information-theoretic arguments: # random sources
$\geq$ # maximal unqualified sets.
Application to non-interactive threshold crypto
• Non-interactive version of the threshold CS98 scheme from Canetti/
Goldwasser:
test of validity of the ciphertext by non-interactive randomization
(compressed secure multiplication "in the exponent")
• Communication-efficient variant of the Naor/Pinkas/Reingold Distributed
Pseudo-Random Function
• Threshold signatures without random oracles based on the Boneh/
Boyen scheme.