Robust Secret Sharing Schemes Against Local Adversaries Allison - - PowerPoint PPT Presentation

Robust Secret Sharing Schemes Against Local Adversaries

Allison Bishop Lewko Valerio Pastro

Columbia University

April 2, 2015

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 1 / 22

Secret Sharing (Informal)

(Share, Rec) pair of algorithms: s ✤

Share

(s1, . . . , sn) ✤

Rec

s

t-privacy: s1, . . . , st ⇒ no info on s r-reconstructability: s1, . . . , sr ⇒ s uniquely determined For threshold schemes: r = t + 1.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 2 / 22

Example: Shamir Secret Sharing [Sha79]

F field, public x1, . . . , xn ∈ F. Shamir.Sharet(s):

1 pick uniform a1, . . . , at ∈ F 2 define polynomial f (X) := s + t

j=1 ajX j ∈ F[X]

3 compute si ← f (xi) 4 output (s1, . . . , sn)

Shamir.Rect(s1, . . . , sn):

1 Lagrange interpolation to recover f (X) 2 output f (0) Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 3 / 22

Robust Secret Sharing – Standard Model

(Share, Rec) Secret Sharing, (t, δ)-robust: for any Adv, s ✤

Share

(s1, . . . , st, st+1, . . . , sn) ❴

( s1,..., st)=Adv(s1,...,st)

• (

s1, . . . , st, st+1, . . . , sn) ✤

Rec

s′

Pr[s′ = s] ≤ δ

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 4 / 22

Robust Secret Sharing – with Local Adversaries

(Share, Rec) Secret Sharing, locally (t, δ)-robust: for any Adv1, . . . , Advt, s ✤

Share

(s1, . . . , st, st+1, . . . , sn) ❴

• s1=Adv1(s1),...,

st=Advt(st)

• (

s1, . . . , st, st+1, . . . , sn) ✤

Rec

s′

Pr[s′ = s] ≤ δ

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 5 / 22

Does Locality Make Sense?

It captures the following: Pre-Game: Players talk to each other, set their actions Game: Players are given private inputs Players run protocol without revealing inputs to others Output of protocol is set Post-Game: Players talk to each other again, possibly revealing inputs Similar to collusion-free protocols [LMs05].

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 6 / 22

Locality – Possible Scenarios

Corrupt parties unwilling to coordinate (e.g. different goals) Corrupt parties oblivious about existence of each other Network with (independently) faulty channels Data is required to travel fast, coordination impossible . . .

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 7 / 22

Locality – Related Work

Interactive Proofs: Multi-prover interactive proofs: MIP=NEXP, [BFL91] (IP=PSPACE, [Sha92]) Multi-party Computation: Collusion-free protocols [LMs05, AKL+09, AKMZ12] Local UC [CV12] Leakage-resilient crypto: Split secret state and independent leakage [DP08]

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 8 / 22

Facts about Robust Secret Sharing

Easy Tricky Impossible t n/3 n/2

t < n/3: perfect robustness (δ = 0) no share size overhead (|si| = |s| =: m) e.g. Shamir share + Reed-Solomon decoding RS decodes up to (n − t)/2 > (3 · t − t)/2 = t errors n/3 ≤ t < n/2: tricky! no perfect robustness (δ = 2−k) [Cev11] shares larger than secret (|si| > m) [Cev11] All of the above: independent of standard/local adv. model

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 9 / 22

The Tricky Case

The trickiest case: n = 2 · t + 1. Analysis of |si|:

standard m + k m + O(k + n) best eff. construction [CFOR12] lower bound [CSV93] gap n

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 10 / 22

The Tricky Case

The trickiest case: n = 2 · t + 1. Analysis of |si|:

standard m + k m + O(k + n) best eff. construction [CFOR12] lower bound [CSV93] gap n local adv. m + k − 4 ∼ m + O(k) Our result: lower bound & eff. construction (essentially) match.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 10 / 22

Our Construction1

Previous Constructions

Privacy: Shamir secret sharing, degree=t Robustness: one-time MAC, O(n) keys per player. ⇒ |si| inherent depends (at least) linearly on n

Our Construction

Privacy: Shamir secret sharing, degree=t Robustness: one-time MAC, one key only.

1Conceptually simpler; thanks to Daniel Wichs for fruitful discussions. Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 11 / 22

In Detail

Share(s):

1 sample MAC key z ∈ X 2 (s1, . . . , sn) ← Shamir.Sharet(s) 3 (z1, . . . , zn) ← Shamir.Share1(z) 4 ti ← MACz(si) 5 output Si = (si, zi, ti) to Pi

Rec(S1, . . . , Sn):

1 z ← RS.Rec1(z1, . . . , zn) 2 set i ∈ G if ti = MACz(si) 3 s ← Shamir.Rect(sG) Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 12 / 22

Privacy – Proof Intuition

Share(s):

1 sample MAC key z ∈ X 2 (s1, . . . , sn) ← Shamir.Sharet(s) 3 (z1, . . . , zn) ← Shamir.Share1(z) 4 ti ← MACz(si) 5 output Si = (si, zi, ti) to Pi

t-privacy: z uniform, independent of s, s1, . . . , sn s1, . . . , st give no info on s, (privacy of Shamir.Sharet) t1, . . . , tt functions only of z, s1, . . . , st ⇒ S1, . . . , St give no info on s

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 13 / 22

Robustness – Proof Intuition

Rec(S1, . . . , Sn):

1 z ← RS.Rec1(z1, . . . , zn) 2 set i ∈ G if ti = MACz(si) 3 s ← Shamir.Rect(sG)

(t, δ)-robustness: z correct, because RS.Rec1 decodes up to (n − 1)/2 = (2t + 1 − 1)/2 = t errors Advi sees only si, zi, ti ⇒ no info on z (privacy of Shamir.Share1) MAC ε-secure ⇒ Pr[i ∈ G | si = si] ≤ ε ⇒ Pr[G ⊆ H ∪ P] ≥ 1 − t · ε ⇒ δ ≤ t · ε

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 14 / 22

Possible MAC and Overhead Analysis

Remember: δ ≤ t · ε Assume: m = |s|, 2 · c = |z|, c = |ti|, m = 2 · d · c MAC : (F2c)2 × F2m → F2c (a, b), (m1, . . . , md) → d

l=1 al · ml + b.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis

Remember: δ ≤ t · ε Assume: m = |s|, 2 · c = |z|, c = |ti|, m = 2 · d · c MAC : (F2c)2 × F2m → F2c (a, b), (m1, . . . , md) → d

l=1 al · ml + b.

Fact: MAC is ε = d · 2−c-secure.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis

Remember: δ ≤ t · ε Assume: m = |s|, 2 · c = |z|, c = |ti|, m = 2 · d · c MAC : (F2c)2 × F2m → F2c (a, b), (m1, . . . , md) → d

l=1 al · ml + b.

Fact: MAC is ε = d · 2−c-secure. ⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c−1-secure.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis

Remember: δ ≤ t · ε Assume: m = |s|, 2 · c = |z|, c = |ti|, m = 2 · d · c MAC : (F2c)2 × F2m → F2c (a, b), (m1, . . . , md) → d

l=1 al · ml + b.

Fact: MAC is ε = d · 2−c-secure. ⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c−1-secure. Set c = k + log(t · m) = O(k) ⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c−1 ≤ 2−k Overhead: |z| + |ti| = 2c + c = 3c = O(k)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Possible MAC and Overhead Analysis

Remember: δ ≤ t · ε Assume: m = |s|, 2 · c = |z|, c = |ti|, m = 2 · d · c MAC : (F2c)2 × F2m → F2c (a, b), (m1, . . . , md) → d

l=1 al · ml + b.

Fact: MAC is ε = d · 2−c-secure. ⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c−1-secure. Set c = k + log(t · m) = O(k) ⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c−1 ≤ 2−k Overhead: |z| + |ti| = 2c + c = 3c = O(k)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 15 / 22

Optimality of Construction

Want to show: Scheme (t, 2−k)-robust against local advs ⇒ |si| ≥ m + k − 4

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22

Optimality of Construction

Want to show: Scheme (t, 2−k)-robust against local advs ⇒ |si| ≥ m + k − 4 What we do: prove a stronger result! Scheme (t, 2−k)-robust against oblivious advs ⇒ |si| ≥ m + k − 4 local adv:

• si = Advi(si)
• blivious adv:
• si = Advi(∅)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22

Optimality of Construction

Want to show: Scheme (t, 2−k)-robust against local advs ⇒ |si| ≥ m + k − 4 What we do: prove a stronger result! Scheme (t, 2−k)-robust against oblivious advs ⇒ |si| ≥ m + k − 4 local adv:

• si = Advi(si)
• blivious adv:
• si = Advi(∅)

Proof structure:

1 define an oblivious attack 2 link success of attack with share size Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 16 / 22

The Attack

Let st+1 be the shortest share.

Specifications:

“decide” whether to corrupt P1, . . . , Pt (L) or Pt+2, . . . , Pn (R) sample secret s ← M, randomness r ← R run ( s1, . . . , sn) ← Share( s, r) if L, submit s1, . . . , st; if R, submit st+2, . . . , sn

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 17 / 22

The Attack

Let st+1 be the shortest share.

Specifications:

“decide” whether to corrupt P1, . . . , Pt (L) or Pt+2, . . . , Pn (R) sample secret s ← M, randomness r ← R run ( s1, . . . , sn) ← Share( s, r) if L, submit s1, . . . , st; if R, submit st+2, . . . , sn Intuition: hope that corrupt shares & st+1 consistent with dishonest secret. Rec   

partial sharing of sL

• s1, . . . , st, st+1, st+2, . . . , sn
• partial sharing of sR

   = ?

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 17 / 22

The Decision

Intuitively: find out whether L is more promising than R. Graph: (sL, rL) connected to (sR, rR) if: Share(sL, rL)t+1 = y = Share(sR, rR)t+1, and sL = sR

(sL, r L) (sR, r R)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 18 / 22

The Decision

Intuitively: find out whether L is more promising than R. Graph: (sL, rL) connected to (sR, rR) if: Share(sL, rL)t+1 = y = Share(sR, rR)t+1, and sL = sR Label edge with L (resp. R) if: Rec(sL

1 , . . . , sL t , y, sR t+2, . . . , sR n ) = sR resp. = sL)

(sL, r L) (sR, r R)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 18 / 22

The Decision

Intuitively: find out whether L is more promising than R. Graph: (sL, rL) connected to (sR, rR) if: Share(sL, rL)t+1 = y = Share(sR, rR)t+1, and sL = sR Label edge with L (resp. R) if: Rec(sL

1 , . . . , sL t , y, sR t+2, . . . , sR n ) = sR resp. = sL)

Decide L if #L-edges ≥ #R-edges.

(sL, r L) (sR, r R)

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 18 / 22

The Success (WLOG assume L)

sL

• s

s1, . . . , st, st+1, st+2, . . . , sn

• sR

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 19 / 22

The Success (WLOG assume L)

Rec  

sL

• s

s1, . . . , st, st+1, st+2, . . . , sn

• sR

  = sR

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 19 / 22

The Success (WLOG assume L)

Rec  

sL

• s

s1, . . . , st, st+1, st+2, . . . , sn

• sR

  = sR

( s, r) (sL, r L) (sR, r R)

Share( s, r){1,...,t} = Share(sL, rL){1,...,t} Share(sL, rL)t+1 = Share(sR , rR )t+1 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 19 / 22

The Success (WLOG assume L)

Rec  

sL

• s

s1, . . . , st, st+1, st+2, . . . , sn

• sR

  = sR

( s, r) (sL, r L) (sR, r R)

Share( s, r){1,...,t} = Share(sL, rL){1,...,t} Share(sL, rL)t+1 = Share(sR , rR )t+1

δ = 2−k ≥ Pr (

s, r,sR,rR)[∃(sL, rL) | (

s, r)—(sL, rL)

L

—(sR, rR)]

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 19 / 22

Mass Distribution

For a1, . . . , at+1, let Ba1,...,at+1 = {(sL, rL) | Share(sL, rL){1,...,t+1} = a1, . . . , at+1}, let Aa1,...,at+1 = {( s, r) | Share( s, r){1,...,t} = a1, . . . , at}. Fact 1∗: by reconstructability, (s′, r′), (s′′, r′′) ∈ Ba1,...,at+1 ⇒ s′ = s′′.

( s, r) (sL, r L) (sR, r R)

Share( s, r){1,...,t} = Share(sL, rL){1,...,t} Share(sL, rL)t+1 = Share(sR , rR )t+1 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 20 / 22

Mass Distribution

For a1, . . . , at+1, let Ba1,...,at+1 = {(sL, rL) | Share(sL, rL){1,...,t+1} = a1, . . . , at+1}, let Aa1,...,at+1 = {( s, r) | Share( s, r){1,...,t} = a1, . . . , at}. Fact 1∗: by reconstructability, (s′, r′), (s′′, r′′) ∈ Ba1,...,at+1 ⇒ s′ = s′′. Fact 2: by privacy, |Aa1,...,at+1| ≥ 2m · |Ba1,...,at+1|.

( s, r) (sL, r L) (sR, r R)

Share( s, r){1,...,t} = Share(sL, rL){1,...,t} Share(sL, rL)t+1 = Share(sR , rR )t+1 Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 20 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)]

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 21 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)] (Fact 1&2) ≥ 2m · Pr (sL,r L,sR,r R)[(sL, r L)

L

—(sR, r R)]

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 21 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)] (Fact 1&2) ≥ 2m · Pr (sL,r L,sR,r R)[(sL, r L)

L

—(sR, r R)] ≥ 2m−1 · Pr (sL,r L,sR,r R)[(sL, r L)—(sR, r R)] ≥ 2m−1 ·

• at+1

Pr (sL,r L,sR,r R)[Share(sL, r L) = at+1, Share(sR, r R) = at+1] ≥ 2m−1 ·

• at+1

Pr (s,r)[Share(s, r) = at+1]2

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 21 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)] (Fact 1&2) ≥ 2m · Pr (sL,r L,sR,r R)[(sL, r L)

L

—(sR, r R)] ≥ 2m−1 · Pr (sL,r L,sR,r R)[(sL, r L)—(sR, r R)] ≥ 2m−1 ·

• at+1

Pr (sL,r L,sR,r R)[Share(sL, r L) = at+1, Share(sR, r R) = at+1] ≥ 2m−1 ·

• at+1

Pr (s,r)[Share(s, r) = at+1]2 (Cauchy-Schwarz) ≥ 2m−1 · 2−|st+1|

• at+1

Pr (s,r)[Share(s, r) = at+1] · 1 2 = 2m−1 · 2−|st+1|

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 21 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)] (Fact 1&2) ≥ 2m · Pr (sL,r L,sR,r R)[(sL, r L)

L

—(sR, r R)] ≥ 2m−1 · Pr (sL,r L,sR,r R)[(sL, r L)—(sR, r R)] ≥ 2m−1 ·

• at+1

Pr (sL,r L,sR,r R)[Share(sL, r L) = at+1, Share(sR, r R) = at+1] ≥ 2m−1 ·

• at+1

Pr (s,r)[Share(s, r) = at+1]2 (Cauchy-Schwarz) ≥ 2m−1 · 2−|st+1|

• at+1

Pr (s,r)[Share(s, r) = at+1] · 1 2 = 2m−1 · 2−|st+1|

|st+1| ≥ m + k − 1

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 21 / 22

Putting Things Together – Intuition

Actual analysis needs more correcting factors (loss of ∼ 4 bits).

2−k ≥ Pr (

s, r,sR,r R)[∃(sL, r L) | (

s, r)—(sL, r L)

L

—(sR, r R)] (Fact 1&2) ≥ 2m · Pr (sL,r L,sR,r R)[(sL, r L)

L

—(sR, r R)] ≥ 2m−1 · Pr (sL,r L,sR,r R)[(sL, r L)—(sR, r R)] ≥ 2m−1 ·

• at+1

Pr (sL,r L,sR,r R)[Share(sL, r L) = at+1, Share(sR, r R) = at+1] ≥ 2m−1 ·

• at+1

Pr (s,r)[Share(s, r) = at+1]2 (Cauchy-Schwarz) ≥ 2m−1 · 2−|st+1|

• at+1

Pr (s,r)[Share(s, r) = at+1] · 1 2 = 2m−1 · 2−|st+1|

|st+1| ≥ m + k − 1

• Lewko, Pastro (Columbia)

RSSS & Loc Advs April 2, 2015 21 / 22

Conclusion

Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size: model construction lower bound standard m + O(n + k) m + k NEW: local adv. m + O(k) m + k − 4

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

Conclusion

Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size: model construction lower bound standard m + O(n + k) m + k NEW: local adv. m + O(k) m + k − 4 Future: Locality in more complicated settings:

◮ info theoretic MPC: circumvent lower bounds? ◮ general MPC: more eff/practical protocols?

standard RSSS: lower bound & construction matching?

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

Conclusion

Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size: model construction lower bound standard m + O(n + k) m + k NEW: local adv. m + O(k) m + k − 4 Future: Locality in more complicated settings:

◮ info theoretic MPC: circumvent lower bounds? ◮ general MPC: more eff/practical protocols?

standard RSSS: lower bound & construction matching? Thanks! https://eprint.iacr.org/2014/909

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

Jo¨ el Alwen, Jonathan Katz, Yehuda Lindell, Giuseppe Persiano, abhi shelat, and Ivan Visconti. Collusion-free multiparty computation in the mediated model. In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes in Computer Science, pages 524–540. Springer, 2009. Jo¨ el Alwen, Jonathan Katz, Ueli Maurer, and Vassilis Zikas. Collusion-preserving computation. In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science, pages 124–143. Springer, 2012. L´ aszl´

• Babai, Lance Fortnow, and Carsten Lund.

Non-deterministic exponential time has two-prover interactive protocols. Computational Complexity, 1:3–40, 1991.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

Alfonso Cevallos. Reducing the share size in robust secret sharing. http://www.algant.eu/documents/theses/cevallos.pdf, 2011. Alfonso Cevallos, Serge Fehr, Rafail Ostrovsky, and Yuval Rabani. Unconditionally-secure robust secret sharing with compact shares. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT, volume 7237 of Lecture Notes in Computer Science, pages 195–208. Springer, 2012. Marco Carpentieri, Alfredo De Santis, and Ugo Vaccaro. Size of shares and probability of cheating in threshold schemes. In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, volume 765 of Lecture Notes in Computer Science, pages 118–125. Springer, 1993. Ran Canetti and Margarita Vald. Universally composable security with local adversaries.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

In Ivan Visconti and Roberto De Prisco, editors, Security and Cryptography for Networks - 8th International Conference, SCN 2012, Amalfi, Italy, September 5-7, 2012. Proceedings, volume 7485 of Lecture Notes in Computer Science, pages 281–301. Springer, 2012. Stefan Dziembowski and Krzysztof Pietrzak. Leakage-resilient cryptography. In 49th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2008, October 25-28, 2008, Philadelphia, PA, USA, pages 293–302. IEEE Computer Society, 2008. Matt Lepinski, Silvio Micali, and abhi shelat. Collusion-free protocols. In Harold N. Gabow and Ronald Fagin, editors, Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 543–552. ACM, 2005. Adi Shamir. How to share a secret.

• Commun. ACM, 22(11):612–613, 1979.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22

Adi Shamir. IP = PSPACE.

• J. ACM, 39(4):869–877, 1992.

Lewko, Pastro (Columbia) RSSS & Loc Advs April 2, 2015 22 / 22