Robust Secret Sharing Schemes Against Local Adversaries Allison - PowerPoint PPT Presentation

Robust Secret Sharing Schemes Against Local Adversaries Allison Bishop Lewko Valerio Pastro Columbia University April 2, 2015 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 1 / 22

Secret Sharing (Informal) (Share , Rec) pair of algorithms: Share Rec � ( s 1 , . . . , s n ) ✤ � s s ✤ s 1 , . . . , s t ⇒ no info on s t -privacy: r -reconstructability: s 1 , . . . , s r ⇒ s uniquely determined For threshold schemes : r = t + 1. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 2 / 22

Example: Shamir Secret Sharing [Sha79] F field, public x 1 , . . . , x n ∈ F . Shamir . Share t ( s ): 1 pick uniform a 1 , . . . , a t ∈ F 2 define polynomial f ( X ) := s + � t j =1 a j X j ∈ F [ X ] 3 compute s i ← f ( x i ) 4 output ( s 1 , . . . , s n ) Shamir . Rec t ( s 1 , . . . , s n ): 1 Lagrange interpolation to recover f ( X ) 2 output f (0) Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 3 / 22

� Robust Secret Sharing – Standard Model (Share , Rec) Secret Sharing, ( t , δ ) -robust : for any Adv, Share � ( s 1 , . . . , s t , s t +1 , . . . , s n ) s ✤ ❴ ( � s 1 ,..., � s t )=Adv( s 1 ,..., s t ) Rec � s ′ ( � s 1 , . . . , � s t , s t +1 , . . . , s n ) ✤ Pr[ s ′ � = s ] ≤ δ Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 4 / 22

� Robust Secret Sharing – with Local Adversaries (Share , Rec) Secret Sharing, locally ( t , δ ) -robust : for any Adv 1 , . . . , Adv t , Share � ( s 1 , . . . , s t , s t +1 , . . . , s n ) s ✤ ❴ s 1 =Adv 1 ( s 1 ) ,..., � � s t =Adv t ( s t ) Rec � s ′ ( � s 1 , . . . , � s t , s t +1 , . . . , s n ) ✤ Pr[ s ′ � = s ] ≤ δ Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 5 / 22

Does Locality Make Sense? It captures the following: Pre-Game: Players talk to each other, set their actions Game: Players are given private inputs Players run protocol without revealing inputs to others Output of protocol is set Post-Game: Players talk to each other again, possibly revealing inputs Similar to collusion-free protocols [LMs05]. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 6 / 22

Locality – Possible Scenarios Corrupt parties unwilling to coordinate (e.g. different goals) Corrupt parties oblivious about existence of each other Network with (independently) faulty channels Data is required to travel fast, coordination impossible . . . Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 7 / 22

Locality – Related Work Interactive Proofs: Multi-prover interactive proofs: MIP=NEXP, [BFL91] (IP=PSPACE, [Sha92]) Multi-party Computation: Collusion-free protocols [LMs05, AKL + 09, AKMZ12] Local UC [CV12] Leakage-resilient crypto: Split secret state and independent leakage [DP08] Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 8 / 22

Facts about Robust Secret Sharing n / 3 n / 2 Easy Tricky Impossible 0 t t < n / 3: perfect robustness ( δ = 0) no share size overhead ( | s i | = | s | =: m ) e.g. Shamir share + Reed-Solomon decoding RS decodes up to ( n − t ) / 2 > (3 · t − t ) / 2 = t errors n / 3 ≤ t < n / 2: tricky! no perfect robustness ( δ = 2 − k ) [Cev11] shares larger than secret ( | s i | > m ) [Cev11] All of the above: independent of standard/local adv. model Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 9 / 22

The Tricky Case The trickiest case: n = 2 · t + 1. Analysis of | s i | : m + � O ( k + n ) m + k standard lower bound best eff. construction [CSV93] [CFOR12] gap n � Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 10 / 22

The Tricky Case The trickiest case: n = 2 · t + 1. Analysis of | s i | : m + � O ( k + n ) m + k standard lower bound best eff. construction [CSV93] [CFOR12] gap n � m + k − 4 ∼ m + � O ( k ) local adv. Our result: lower bound & eff. construction (essentially) match. � Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 10 / 22

Our Construction 1 Previous Constructions Privacy: Shamir secret sharing, degree= t Robustness: one-time MAC, O ( n ) keys per player. ⇒ | s i | inherent depends (at least) linearly on n Our Construction Privacy: Shamir secret sharing, degree= t Robustness: one-time MAC, one key only. 1 Conceptually simpler; thanks to Daniel Wichs for fruitful discussions. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 11 / 22

In Detail Share( s ): 1 sample MAC key z ∈ X 2 ( s 1 , . . . , s n ) ← Shamir . Share t ( s ) 3 ( z 1 , . . . , z n ) ← Shamir . Share 1 ( z ) 4 t i ← MAC z ( s i ) 5 output S i = ( s i , z i , t i ) to P i Rec( S 1 , . . . , S n ): 1 z ← RS . Rec 1 ( z 1 , . . . , z n ) 2 set i ∈ G if t i = MAC z ( s i ) 3 s ← Shamir . Rec t ( s G ) Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 12 / 22

Privacy – Proof Intuition Share( s ): 1 sample MAC key z ∈ X 2 ( s 1 , . . . , s n ) ← Shamir . Share t ( s ) 3 ( z 1 , . . . , z n ) ← Shamir . Share 1 ( z ) 4 t i ← MAC z ( s i ) 5 output S i = ( s i , z i , t i ) to P i z uniform, independent of s , s 1 , . . . , s n t -privacy: s 1 , . . . , s t give no info on s , (privacy of Shamir . Share t ) t 1 , . . . , t t functions only of z , s 1 , . . . , s t ⇒ S 1 , . . . , S t give no info on s Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 13 / 22

Robustness – Proof Intuition Rec( S 1 , . . . , S n ): 1 z ← RS . Rec 1 ( z 1 , . . . , z n ) 2 set i ∈ G if t i = MAC z ( s i ) 3 s ← Shamir . Rec t ( s G ) ( t , δ ) -robustness: z correct, because RS . Rec 1 decodes up to ( n − 1) / 2 = (2 t + 1 − 1) / 2 = t errors Adv i sees only s i , z i , t i ⇒ no info on z (privacy of Shamir . Share 1 ) MAC ε -secure ⇒ Pr[ i ∈ G | � s i � = s i ] ≤ ε ⇒ Pr[ G ⊆ H ∪ P ] ≥ 1 − t · ε ⇒ δ ≤ t · ε Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 14 / 22

Possible MAC and Overhead Analysis Remember: δ ≤ t · ε Assume: m = | s | , 2 · c = | z | , c = | t i | , m = 2 · d · c ( F 2 c ) 2 MAC : × → F 2 m F 2 c � d l =1 a l · m l + b . ( a , b ) , ( m 1 , . . . , m d ) �→ Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis Remember: δ ≤ t · ε Assume: m = | s | , 2 · c = | z | , c = | t i | , m = 2 · d · c ( F 2 c ) 2 MAC : × → F 2 m F 2 c � d l =1 a l · m l + b . ( a , b ) , ( m 1 , . . . , m d ) �→ Fact: MAC is ε = d · 2 − c -secure. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis Remember: δ ≤ t · ε Assume: m = | s | , 2 · c = | z | , c = | t i | , m = 2 · d · c ( F 2 c ) 2 MAC : × → F 2 m F 2 c � d l =1 a l · m l + b . ( a , b ) , ( m 1 , . . . , m d ) �→ Fact: MAC is ε = d · 2 − c -secure. ⇒ construction is δ = t · ε = t · d · 2 − c = t · m · 2 − c − 1 · c − 1 -secure. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis Remember: δ ≤ t · ε Assume: m = | s | , 2 · c = | z | , c = | t i | , m = 2 · d · c ( F 2 c ) 2 MAC : × → F 2 m F 2 c � d l =1 a l · m l + b . ( a , b ) , ( m 1 , . . . , m d ) �→ Fact: MAC is ε = d · 2 − c -secure. ⇒ construction is δ = t · ε = t · d · 2 − c = t · m · 2 − c − 1 · c − 1 -secure. O ( k ) ⇒ δ ≤ t · m · 2 − k − log( t · m ) − 1 · c − 1 ≤ 2 − k Set c = k + log( t · m ) = � Overhead: | z | + | t i | = 2 c + c = 3 c = � O ( k ) Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis Remember: δ ≤ t · ε Assume: m = | s | , 2 · c = | z | , c = | t i | , m = 2 · d · c ( F 2 c ) 2 MAC : × → F 2 m F 2 c � d l =1 a l · m l + b . ( a , b ) , ( m 1 , . . . , m d ) �→ Fact: MAC is ε = d · 2 − c -secure. ⇒ construction is δ = t · ε = t · d · 2 − c = t · m · 2 − c − 1 · c − 1 -secure. O ( k ) ⇒ δ ≤ t · m · 2 − k − log( t · m ) − 1 · c − 1 ≤ 2 − k Set c = k + log( t · m ) = � Overhead: | z | + | t i | = 2 c + c = 3 c = � O ( k ) � Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Optimality of Construction Want to show: Scheme ( t , 2 − k )-robust against local advs ⇒ | s i | ≥ m + k − 4 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22

Optimality of Construction Want to show: Scheme ( t , 2 − k )-robust against local advs ⇒ | s i | ≥ m + k − 4 What we do: prove a stronger result! Scheme ( t , 2 − k )-robust against oblivious advs ⇒ | s i | ≥ m + k − 4 local adv: � s i = Adv i ( s i ) � s i = Adv i ( ∅ ) oblivious adv: Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22

Optimality of Construction Want to show: Scheme ( t , 2 − k )-robust against local advs ⇒ | s i | ≥ m + k − 4 What we do: prove a stronger result! Scheme ( t , 2 − k )-robust against oblivious advs ⇒ | s i | ≥ m + k − 4 local adv: � s i = Adv i ( s i ) s i = Adv i ( ∅ ) � oblivious adv: Proof structure: 1 define an oblivious attack 2 link success of attack with share size Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22