Improving the Linear Programming Technique in the Search for Lower Bounds in Secret Sharing
Oriol Farràs (1), Tarik Kaced (2), Sebastià Martín (3), Carles Padró (3)
(1) Universitat Rovira i Virgili, Tarragona, Spain
(2) Sorbonne Université, LIP6, Paris, France
(3) Universitat Politècnica de Catalunya, Barcelona, Spain
EUROCRYPT 2018
Program: 1 Introduction; 2 Definition of Secret Sharing; 3 Lower Bounds on the Information Ratio; 4 Improving the LP technique
Secret Sharing Scheme
A method to protect a secret: the secret is split into shares $s_1, \ldots, s_5$, one for each participant $P_1, \ldots, P_5$. An authorized subset of participants recovers the secret; a forbidden subset obtains no information about it. [Figure: Secret, shares $s_1, \ldots, s_5$, participants $P_1, \ldots, P_5$; authorized subset: Secret; forbidden subset: No Information.]
Secret Sharing Schemes: Overview
Shamir'79, Blakley'79, Ito Saito Nishizeki'87.
Unconditionally secure.
Cryptographic primitive with many applications: secure multiparty computation, threshold cryptography, access control, attribute-based encryption, oblivious transfer, ...
Need for efficient schemes: shares have to be small.
Shannon Entropy
Unconditionally secure schemes: security based on Information Theory. We see the secret and the shares as random variables, and define security in terms of Shannon entropy.
The Shannon entropy of a discrete random variable $X$ on $E$ is
$$H(X) = -\sum_{x \in E} p(x) \log_2 p(x).$$
If $X_1, \ldots, X_n$ are discrete random variables and $A = \{i_1, \ldots, i_r\} \subseteq [n]$, then $H(X_A) = H(X_{i_1} \times \cdots \times X_{i_r})$.
Also, $H(X)$ approximates the minimum average length of a binary code for $X$.
Definition of Secret Sharing
Definition. A secret sharing scheme on the set $P = \{1, \ldots, n\}$ is a collection of discrete random variables $\Sigma = (S_0, S_1, \ldots, S_n)$ such that $H(S_0) > 0$ and $H(S_0 \mid S_P) = 0$.
$A \subseteq P$ is authorized if $H(S_0 \mid S_A) = 0$. $A \subseteq P$ is forbidden if $H(S_0 \mid S_A) = H(S_0)$.
We only consider perfect schemes: every subset is either authorized or forbidden.
Access Structures and Linear Schemes
The access structure $\Gamma$ of $\Sigma$ is the family of authorized subsets. It is monotone increasing: if $A \in \Gamma$ and $A \subseteq B$, then $B \in \Gamma$. Every monotone increasing family of subsets admits a secret sharing scheme.
Definition. A scheme $\Sigma = (S_0, S_1, \ldots, S_n)$ is $\mathbb{F}$-linear if it is determined by an $\mathbb{F}$-linear mapping $\Pi : \mathbb{F}^{\ell} \to \mathbb{F}^{\ell_0} \times \cdots \times \mathbb{F}^{\ell_n}$, taking the uniform probability distribution on $\mathbb{F}^{\ell}$.
Information Ratio
Measures of efficiency: size of the shares (information ratio, average information ratio, length of the shares, ...); cost of sharing and reconstructing the secret.
Definition. The information ratio of $\Sigma = (S_0, S_1, \ldots, S_n)$ is
$$\sigma(\Sigma) = \frac{\max_{i \in P} H(S_i)}{H(S_0)}.$$
Definition. For every access structure $\Gamma$, $\sigma(\Gamma)$ is the infimum of the information ratio of the secret sharing schemes for $\Gamma$ (optimal information ratio), and $\lambda(\Gamma)$ is the infimum of the information ratio of the linear secret sharing schemes for $\Gamma$.
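As an added, constructed example (not from the paper), the definitions above computed for a concrete $\mathbb{F}_2$-linear scheme on the path access structure with minimal authorized subsets $\{1,2\}, \{2,3\}, \{3,4\}$; the scheme itself, its bitmask encoding and the function names are assumptions of this example. Because the distribution on $\mathbb{F}_2^{\ell}$ is uniform, $H(S_X)$ is the rank over $\mathbb{F}_2$ of the linear forms held by $X$, so the entropies, the access structure, perfectness and both information ratios are exact, and the polymatroid and access-structure constraints that the LP technique imposes on $f(X) = H(S_X)/H(S_0)$ can be checked on this $f$.

```python
from fractions import Fraction
from itertools import combinations

# Constructed instance (not from the paper): an F_2-linear scheme for the path
# access structure on P = {1, 2, 3, 4}, minimal authorized sets {1,2}, {2,3}, {3,4}.
# Pi maps the uniform vector (k1, k2, r1, r2, r3, r4) in F_2^6 to the shares below;
# the secret is S_0 = (k1, k2).  Each share coordinate is an F_2-linear form stored
# as a bitmask over that basis, so H(S_X) = rank over F_2 of the forms held by X,
# measured in bits because the distribution on F_2^6 is uniform.
K1, K2, R1, R2, R3, R4 = (1 << i for i in range(6))
SHARES = {
    0: [K1, K2],                 # the secret S_0
    1: [R1, R2],
    2: [R1 ^ K1, R2 ^ K2, R3],
    3: [R3 ^ K1, R2, R4],
    4: [R3, R4 ^ K2],
}
P = (1, 2, 3, 4)
Q = (0,) + P


def rank_gf2(vectors):
    """Rank of F_2 vectors given as bitmasks (Gaussian elimination by pivot bit)."""
    pivots = {}                       # highest set bit -> basis vector with that pivot
    for v in vectors:
        while v:
            p = v.bit_length() - 1
            if p not in pivots:
                pivots[p] = v
                break
            v ^= pivots[p]
    return len(pivots)


def h(X):
    """H(S_X) in bits for X ⊆ Q: rank of all linear forms held by the members of X."""
    return rank_gf2([form for i in X for form in SHARES[i]])


def is_authorized(A):
    """A ⊆ P is authorized iff H(S_0 | S_A) = 0, i.e. H(S_{A ∪ {0}}) = H(S_A)."""
    A = set(A)
    return h(A | {0}) == h(A)


def is_forbidden(A):
    """A ⊆ P is forbidden iff H(S_0 | S_A) = H(S_0), i.e. H(S_{A ∪ {0}}) = H(S_A) + H(S_0)."""
    A = set(A)
    return h(A | {0}) == h(A) + h({0})


def subsets(items):
    for r in range(len(items) + 1):
        for c in combinations(items, r):
            yield frozenset(c)


def access_structure():
    """Gamma: the family of authorized subsets of P."""
    return {A for A in subsets(P) if is_authorized(A)}


def minimal_authorized():
    gamma = access_structure()
    return {A for A in gamma if not any(B < A for B in gamma)}


def is_perfect():
    """Perfect scheme: every subset of P is either authorized or forbidden."""
    return all(is_authorized(A) or is_forbidden(A) for A in subsets(P))


def information_ratio():
    """sigma(Sigma) = max_{i in P} H(S_i) / H(S_0)."""
    return Fraction(max(h({i}) for i in P), h({0}))


def average_information_ratio():
    """Average information ratio: (1/n) sum_{i in P} H(S_i) / H(S_0)."""
    return Fraction(sum(h({i}) for i in P), len(P) * h({0}))


def satisfies_lp_constraints():
    """Check (P1)-(P3), (N), (Gamma1), (Gamma2) for f(X) = H(S_X)/H(S_0), X ⊆ Q."""
    f = {X: Fraction(h(X), h({0})) for X in subsets(Q)}
    if f[frozenset()] != 0 or f[frozenset({0})] != 1:        # (P1), (N)
        return False
    for X in f:
        for Y in f:
            if X <= Y and f[X] > f[Y]:                        # (P2) monotone
                return False
            if f[X | Y] + f[X & Y] > f[X] + f[Y]:             # (P3) submodular
                return False
    for A in subsets(P):                                      # (Gamma1), (Gamma2)
        expected = f[A] if is_authorized(A) else f[A] + 1
        if f[A | {0}] != expected:
            return False
    return True


if __name__ == "__main__":
    print("minimal authorized:", sorted(sorted(A) for A in minimal_authorized()))
    print("perfect:", is_perfect(), " sigma =", information_ratio(),
          " average ratio =", average_information_ratio())
    print("f satisfies the LP constraints:", satisfies_lp_constraints())
```

Shares 2 and 3 hold three bits against a two-bit secret, so this scheme has information ratio $3/2$ and average information ratio $5/4$; the same rank computation gives $f(X)$ for every $X \subseteq Q$, which is the vector the LP technique below works with.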
General Results on the Information Ratio
$\sigma(\Gamma) \le \lambda(\Gamma)$
$\sigma(\Gamma) \ge 1$
$\sigma(\Gamma) = 2^{O(n)}$ (Ito Saito Nishizeki'87, Benaloh Leichter'88, Liu Vaikuntanathan'18)
There exists a family of access structures $\{\Gamma_n\}_{n \ge 1}$ with $\sigma(\Gamma_n) = \Omega\!\left(\frac{n}{\log n}\right)$ (Csirmaz'97).
Open Problem
Improve the techniques for finding lower bounds on $\sigma(\Gamma)$.
Also lower bounds on $\lambda(\Gamma)$, on $\tilde{\sigma}(\Gamma)$ (average optimal information ratio) and on $\tilde{\lambda}(\Gamma)$ (average optimal information ratio of linear sss).
Towards an LP Problem
Let $Q = P \cup \{0\} = \{0, \ldots, n\}$. If $\Sigma = (S_0, \ldots, S_n)$ is a scheme with access structure $\Gamma$, then the map $f : \mathcal{P}(Q) \to \mathbb{R}$, $X \mapsto H(S_X)/H(S_0)$, satisfies the following properties:
(P1) $f(\emptyset) = 0$
(P2) $f(X) \le f(Y)$ for every $X \subseteq Y \subseteq Q$
(P3) $f(X \cup Y) + f(X \cap Y) \le f(X) + f(Y)$ for every $X, Y \subseteq Q$
(N) $f(\{0\}) = 1$
($\Gamma$1) $f(X \cup \{0\}) = f(X)$ if $X \in \Gamma$
($\Gamma$2) $f(X \cup \{0\}) = f(X) + 1$ if $X \notin \Gamma$
We will consider the vector $(f(X))_{X \subseteq Q} \in \mathbb{R}^{\mathcal{P}(Q)}$.
LP Technique (I)
Linear Programming Problem: Minimize $\max_{x \in P} f(x)$ subject to $f$ satisfying (N), ($\Gamma$1), ($\Gamma$2), (P1), (P2), (P3).
Specifically, we consider the following LP problem: Minimize $v$ subject to $v \ge f(x)$ for every $x \in P$, where $(f(X))_{X \subseteq Q} \in \mathbb{R}^{\mathcal{P}(Q)}$ is the vector defined by a function $f$ satisfying (N), ($\Gamma$1), ($\Gamma$2), (P1), (P2), (P3).
LP Technique (II)
The optimal value of this LP problem is, by definition, $\kappa(\Gamma)$. $\kappa(\Gamma)$ was introduced by Martí-Farré Padró'10.
The function $f$ defined from a scheme $\Sigma$ is a feasible solution of the LP problem, so $\kappa(\Gamma) \le \sigma(\Gamma)$.
It is the best lower bound on $\sigma(\Gamma)$ that can be obtained from Shannon information inequalities on $H(S_X)$: $H(S_X) \le H(S_Y)$ for every $X \subseteq Y \subseteq Q$, and $H(S_{X \cap Y}) + H(S_{X \cup Y}) \le H(S_X) + H(S_Y)$ for every $X, Y \subseteq Q$.
Applications of the LP Technique
If $Q$ is small, the LP problem can be solved: F. et al.'12, Martí-Farré Padró Vázquez'11, Padró Vázquez Yang'13.
If $Q$ is big, it is still possible to find useful lower bounds on $\kappa(\Gamma)$ by selecting some constraints from (N), ($\Gamma$1), ($\Gamma$2), (P1), (P2), (P3): every feasible solution of the dual LP problem provides a lower bound on $\kappa(\Gamma)$. Capocelli et al.'93, van Dijk'95, Jackson Martin'96, Blundo et al.'97, ...
Csirmaz'97: for every $n$, there exists an access structure $\Gamma_n$ on $n$ participants such that $\kappa(\Gamma_n) = \Omega\!\left(\frac{n}{\log n}\right)$.
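As an added example (not from the paper), the dual-certificate idea made concrete for the path access structure with minimal authorized subsets $\{1,2\}, \{2,3\}, \{3,4\}$ on four participants; the instance, the two hand-built certificates and the function names are assumptions of this example. Constraints (P2) and (P3) are encoded as linear functionals on $(f(X))_{X \subseteq Q}$ that must be $\ge 0$, the equalities (P1), ($\Gamma$1), ($\Gamma$2) are substituted away, and a dual feasible solution is a nonnegative combination of constraints whose sum reduces to $\sum_x a_x f(x) - b\,f(\{0\})$; with (N) it certifies $\max_{x \in P} f(x) \ge b / \sum_x a_x$, a lower bound on $\kappa(\Gamma)$ obtained without solving the LP. The two-constraint certificate proves only $\kappa(\Gamma) \ge 1$; the six-constraint one proves $f(2) + f(3) \ge 3$, hence $\kappa(\Gamma) \ge 3/2$, which is the known optimal information ratio of this access structure.

```python
from fractions import Fraction
from itertools import combinations

# Constructed instance (not from the paper): the path access structure on
# P = {1, 2, 3, 4} with minimal authorized sets {1,2}, {2,3}, {3,4}; Q = P ∪ {0}.
P = (1, 2, 3, 4)
Q = (0,) + P
MIN_AUTHORIZED = [frozenset({1, 2}), frozenset({2, 3}), frozenset({3, 4})]
ZERO = frozenset({0})


def in_gamma(X):
    """X ⊆ P is authorized iff it contains a minimal authorized subset."""
    return any(m <= frozenset(X) for m in MIN_AUTHORIZED)


def subsets(items):
    for r in range(len(items) + 1):
        for c in combinations(items, r):
            yield frozenset(c)


def functional(*terms):
    """Linear functional sum c*f(X) on the vector (f(X))_{X ⊆ Q}, as {X: c}; zeros dropped."""
    out = {}
    for c, X in terms:
        X = frozenset(X)
        out[X] = out.get(X, Fraction(0)) + Fraction(c)
    return {X: c for X, c in out.items() if c != 0}


def monotone(X, Y):
    """(P2) as 'functional >= 0':  f(Y) - f(X) >= 0 for X ⊆ Y ⊆ Q."""
    X, Y = frozenset(X), frozenset(Y)
    assert X <= Y
    return functional((1, Y), (-1, X))


def submodular(X, Y):
    """(P3) as 'functional >= 0':  f(X) + f(Y) - f(X ∪ Y) - f(X ∩ Y) >= 0."""
    X, Y = frozenset(X), frozenset(Y)
    return functional((1, X), (1, Y), (-1, X | Y), (-1, X & Y))


def normalize(func):
    """Substitute (P1), (Gamma1), (Gamma2): f(∅) = 0; f(X ∪ {0}) = f(X) if X ∈ Gamma,
    f(X ∪ {0}) = f(X) + f({0}) if X ∉ Gamma.  Only f(X), X ⊆ P nonempty, and f({0}) remain."""
    terms = []
    for X, c in func.items():
        if not X:
            continue                               # (P1)
        if 0 in X and X != ZERO:
            A = X - ZERO
            terms.append((c, A))                   # (Gamma1), or the f(X) part of (Gamma2)
            if not in_gamma(A):
                terms.append((c, ZERO))            # (Gamma2): the extra f({0})
        else:
            terms.append((c, X))
    return functional(*terms)


def lp_constraints():
    """All (P2) and (P3) constraints of the LP for this Gamma, normalized, as a set."""
    cons = set()
    subs = list(subsets(Q))
    for X in subs:
        for Y in subs:
            if X < Y:
                cons.add(frozenset(normalize(monotone(X, Y)).items()))
            cons.add(frozenset(normalize(submodular(X, Y)).items()))
    cons.discard(frozenset())                      # trivial 0 >= 0
    return cons


def certified_bound(certificate):
    """certificate = [(weight, constraint), ...] is a dual feasible solution when every
    weight is >= 0, every constraint is an LP constraint, and the weighted sum normalizes
    to sum_x a_x f(x) - b f({0}) with a_x > 0 on singletons x ∈ P.  As f({0}) = 1 by (N),
    that proves max_x f(x) >= b / sum a_x, a lower bound on kappa(Gamma)."""
    valid = lp_constraints()
    total = []
    for w, con in certificate:
        if w < 0 or frozenset(normalize(con).items()) not in valid:
            raise ValueError("not a feasible dual solution")
        total.extend((w * c, X) for X, c in con.items())
    s = normalize(functional(*total))
    b = -s.pop(ZERO, Fraction(0))
    if not s or any(len(X) != 1 or not X <= frozenset(P) or c <= 0 for X, c in s.items()):
        raise ValueError("sum does not reduce to a bound on max_x f(x)")
    return b / sum(s.values())


def is_feasible_dual(certificate):
    try:
        certified_bound(certificate)
        return True
    except ValueError:
        return False


# f(2) + f(1) >= f(12) and f(012) >= f(01) together give f(2) >= f({0}): kappa >= 1.
TRIVIAL_CERTIFICATE = [
    (1, submodular({2}, {1})),
    (1, monotone({0, 1}, {0, 1, 2})),
]
# Six constraints whose sum is f(2) + f(3) - 3 f({0}) >= 0: kappa >= 3/2.
PATH_CERTIFICATE = [
    (1, submodular({2}, {1})),                   # f(2) + f(1) >= f(12)
    (1, submodular({2}, {3})),                   # f(2) + f(3) >= f(23)
    (1, submodular({0, 1, 2}, {0, 2, 3})),       # f(012) + f(023) >= f(0123) + f(02)
    (1, monotone({0, 1, 3}, {0, 1, 2, 3})),      # f(0123) >= f(013)
    (1, submodular({1, 3}, {1, 4})),             # f(13) + f(14) >= f(134) + f(1)
    (1, monotone({0, 1, 4}, {0, 1, 3, 4})),      # f(0134) >= f(014)
]
```

The membership check against `lp_constraints()` is what makes this a verifier rather than a calculator: a weight must be nonnegative and attached to a genuine (P2)/(P3) constraint, otherwise the "bound" proves nothing. Selecting only the handful of constraints that appear in a certificate is exactly how bounds are obtained when $Q$ is too large to solve the full LP.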
Limitations of the LP Technique (I)
In general, $\kappa$ is not tight: $\kappa(\Gamma) \le n$ for every access structure $\Gamma$ on $n$ participants (Csirmaz'97).