Asymptotics of arithmetic codices and towers of function fields - PowerPoint PPT Presentation

Asymptotics of arithmetic codices and towers of function fields Ignacio Cascudo CWI Amsterdam Joint work with Ronald Cramer (CWI/ULeiden) and Chaoping Xing(NTU) Algebraic curves over finite fields Linz, 15 November 2013 Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Secret sharing Setting Players A dealer and n players. The dealer knows a secret c 1 s in certain (public) set S . c 2 Sends information (shares) Dealer c i to each player P i ( c i c 3 belong to public sets S i ). s c n Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Secret sharing Setting Players s ? A dealer and n players. c 1 The dealer knows a secret c 2 s in certain (public) set S . Sends information (shares) Dealer c i to each player P i ( c i c 3 belong to public sets S i ). s t -privacy: Any t of shares → no information about s . c n Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Secret sharing Setting Players A dealer and n players. c 1 s The dealer knows a secret c 2 s in certain (public) set S . Sends information (shares) Dealer c i to each player P i ( c i c 3 belong to public sets S i ). s t -privacy: Any t of shares → no information about s . m -reconstruction: Any m c n shares → determines s . Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Shamir’s secret sharing scheme F q finite field. Space of secrets: F q . Spaces of shares: F q . Let 1 ≤ t < n , with n < q . Let x 1 , . . . , x n ∈ F q \ { 0 } distinct. To deal a secret s ∈ F q , the dealer: Selects unif. random f ∈ F q [ X ] with deg f ≤ t , f ( 0 ) = s . 1 Sends c i = f ( x i ) to player P i . 2 f(x 1 ) f(x 2 ) f(x 3 ) f(0) f(x n ) Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Properties t players have no information about the secret. t + 1 players can fully determine f, and hence s. Proof For any y 1 , y 2 , . . . , y t + 1 ∈ F q distinct the following is a bijection { f ∈ F q [ X ] : deg f ≤ t } → F t + 1 q f �→ ( f ( y 1 ) , f ( y 2 ) , . . . , f ( y t + 1 )) f(x 1 ) f(x 2 ) f(x 3 ) f(0) f(x n ) Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Properties t players have no information about the secret. t + 1 players can fully determine f, and hence s. Proof For any x i 1 , x i 2 . . . , x i t + 1 ∈ F q distinct the following is a bijection { f ∈ F q [ X ] : deg f ≤ t } → F t + 1 q f �→ ( f ( x i 1 ) , f ( x i 2 ) , . . . , f ( x i t + 1 )) f(x 1 ) f(x 2 ) f(x 3 ) f(0) f(x n ) Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Properties t players have no information about the secret. t + 1 players can fully determine f, and hence s. Proof For any x i 1 , x i 2 , . . . , x i t ∈ F q distinct the following is a bijection { f ∈ F q [ X ] : deg f ≤ t } → F t + 1 q f �→ ( f ( 0 ) , f ( x i 1 ) , . . . , f ( x i t )) f(x 1 ) f(x 2 ) f(x 3 ) f(0) f(x n ) Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Secret sharing with algebraic properties Secret sharing with extra algebraic properties is very interesting for applications. Space of secrets: F q -vector space S , and spaces of shares: F q . Property (Linearity)  c 1 , . . . , c n shares for s   ⇒ c 1 + λ c ′ 1 , . . . , c n + λ c ′ c ′ 1 , . . . , c ′ n shares for s ′ n are shares for s + λ s ′ λ ∈ F q Remark Shamir’s secret sharing scheme is linear since � deg f , deg g ≤ t ⇒ deg ( f + λ g ) ≤ t λ ∈ F q Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Space of secrets : F q -algebra (such as F q k , F k q ). Property ( r -multiplicativity) For any A ⊆ { 1 , . . . , n } , | A | = r, the products { c i c ′ i } i ∈ A determine ss ′ . Remark Shamir’s scheme has 2 t + 1 -multiplicativity since deg f , deg g ≤ t ⇒ deg fg ≤ 2 t and therefore 2 t + 1 evaluations of fg determine fg (and hence fg ( 0 ) ) . Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Algebraic properties of secret sharing are important for applications in cryptography, especially to secure multiparty computation (MPC) . Very useful notion ( t -strong multiplication): linearity + t -privacy + ( n − t ) -multiplicativity for “large” t . Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

General linear construction Let S be a F q -algebra. Suppose C ⊆ F n q vector subspace and ψ : C → S is a surjective F q -linear map. Protocol To share s ∈ S, Dealer selects unif. random c = ( c 1 , . . . , c n ) ∈ ψ − 1 ( s ) ⊆ C 1 Dealer sends c i to player P i , for i = 1 , . . . , n. 2 c 1 c 2 c 3 s =y (c) c n Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Arithmetic codex Question What properties besides linearity does this construction have (privacy, multiplicativity)? We will introduce the notion of arithmetic codex : Captures notion of linear secret sharing with multiplicative properties. Also encompasses other concepts: bilinear multiplication algorithm (algebraic complexity). Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Arithmetic codex Definition ( d -th power of a linear code) Let C ⊆ F n q be a vector subspace over F q , d > 0 an integer. Let C ∗ d := F q �{ c ( 1 ) ∗ c ( 2 ) . . . ∗ c ( d ) : ( c ( 1 ) , c ( 2 ) , . . . , c ( d ) ) ∈ C d }� Notation For ∅ � = A = { i 1 , . . . , i ℓ } ⊆ { 1 , . . . , n } , let π A : F n q → F ℓ q ( c 1 , . . . , c n ) �→ ( c i 1 , . . . , c i ℓ ) Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Arithmetic codex Definition K (finite) field, S finite dimensional K -algebra, n , t , d , r ∈ Z with 0 ≤ t < r ≤ n , d ≥ 1. An ( n , t , d , r ) -codex ( C , ψ ) for S over K consists of: A vector subspace C ⊆ K n A linear map ψ : C → S satisfying 3 properties: ψ is surjective. 1 ( t -disconnection): If t ≥ 1, for any A ⊆ { 1 , . . . , n } with 2 | A | = t the map C → S × π A ( C ) c �→ ( ψ ( c ) , π A ( c )) is surjective. Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Arithmetic codex Definition (cont.) ( ( d , r ) -multiplicativity): 3 There exists a function ψ : C ∗ d → S such that ψ is linear. For all c ( 1 ) , . . . , c ( d ) ∈ C , d � ψ ( c ( 1 ) ∗ · · · ∗ c ( d ) ) = ψ ( c ( j ) ) . i = 1 ψ is ” r -wise determined”: for all B ⊆ { 1 , . . . , n } , | B | = r , C ∗ d ∩ Ker π B ⊆ Ker ψ. Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Using codices for linear multiplicative secret sharing Given ( C , ψ ) a ( n , t , d , r ) -codex used for secret sharing. Properties t shares c i give no info about s (by t-disconnection) Linearity (by C being a v.space, and linearity of ψ ) If s ( 1 ) , . . . , s ( d ) ∈ S are shared, j = 1 s ( j ) is determined by products of shares of r players Π d (by ( d , r ) -multiplicativity) c 1 c 2 c 3 s =y (c) c n Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Associated linear code Now consider S = F k q . For a ( n , t , d , r ) -codex ( C , ψ ) for S over F q , we define the associated linear code � C := { ( ψ ( c ) , c ) : c ∈ C } ⊆ F n + k q Proposition Given a linear code � C ⊆ F n + k , if the unit vectors q C ∗ d ∪ � C ⊥ then � ∈ � e 1 , . . . , e k / C is the associated code of an ( n , 0 , d , n ) -codex. Proposition If in addition d min ( � C ⊥ ) ≥ t + k + 1 and d min ( � C ∗ d ) ≥ n − r + k + 1 , then � C is the associated code of an ( n , t , d , r ) -codex. Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Asymptotics Drawback of Shamir’s scheme: n < q . Asymptotics: q fixed, n → ∞ , and asymptotic requirements on other parameters. Example: Do there exists families of ( n , t , 2 , n − t ) -codex for F k q over F q , where t = Ω( n ) ? “Random codices do not seem to work” (C., Cramer, Mirandola, Zémor, 2013). Only known tool: algebraic geometric secret sharing (Chen, Cramer, 2006). Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

AG-codices Let: F / F q be a function field. Q 1 , . . . , Q k , P 1 , . . . , P n ∈ P ( 1 ) ( F ) . G ∈ Div ( F ) . L ( G ) Riemann-Roch space of G . Question When is � C := { ( f ( Q 1 ) , . . . , f ( Q k ) , f ( P 1 ) , . . . , f ( P n )) | f ∈ L ( G ) } an ( n , t , d , r ) -codex for F k q over F q ? Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields

Sufficient condition Q := � k j = 1 Q j . For A ∈ { 1 , . . . , n } , P A := � i ∈ A P i ∈ Div ( F ) . W canonical divisor. ℓ ( G ) := dim L ( G ) . Proposition (Sufficient condition) Suppose G satisfies the following equations. � ℓ ( W − G + P A + Q ) = 0 for all A ⊆ { 1 , . . . , n } , | A | = t . ℓ ( dG − P B ) = 0 for all B ⊆ { 1 , . . . , n } , | B | = r . Then � C := { ( f ( Q 1 ) , . . . , f ( Q k ) , f ( P 1 ) , . . . , f ( P n )) | f ∈ L ( G ) } is an ( n , t , d , r ) -codex for F k q over F q . ∗ d ⊆ � Key fact: If d ∈ Z , d ≥ 1, then � C L ( D , G ) C L ( D , dG ) . Ignacio Cascudo Asymptotics of arithmetic codices and towers of function fields