广播秘密共享,边界和应用

I. Damgård, Kasper Green Larsen, Sophia Yakoubov
{"title":"广播秘密共享,边界和应用","authors":"I. Damgård, Kasper Green Larsen, Sophia Yakoubov","doi":"10.4230/LIPIcs.ITC.2021.10","DOIUrl":null,"url":null,"abstract":"Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that n−t q l is a lower bound, and we show an upper bound of ( n(t+1) q+t − t)l, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes n−t q λ + l − negl(λ) (where λ is the length of the input to the PRG). The upper bound becomes ( n(t+1) q+t − t)λ + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives. 2012 ACM Subject Classification Security and privacy → Information-theoretic techniques","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":" 43","pages":"10:1-10:20"},"PeriodicalIF":0.0000,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Broadcast Secret-Sharing, Bounds and Applications\",\"authors\":\"I. Damgård, Kasper Green Larsen, Sophia Yakoubov\",\"doi\":\"10.4230/LIPIcs.ITC.2021.10\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that n−t q l is a lower bound, and we show an upper bound of ( n(t+1) q+t − t)l, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes n−t q λ + l − negl(λ) (where λ is the length of the input to the PRG). The upper bound becomes ( n(t+1) q+t − t)λ + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives. 2012 ACM Subject Classification Security and privacy → Information-theoretic techniques\",\"PeriodicalId\":6403,\"journal\":{\"name\":\"2007 IEEE International Test Conference\",\"volume\":\" 43\",\"pages\":\"10:1-10:20\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2007 IEEE International Test Conference\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.4230/LIPIcs.ITC.2021.10\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2021.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

摘要

考虑一个发送者S和一组n个接收者。S持有长度为l位的秘密消息m,目标是允许S通过向接收方广播一条消息c,在接收方之间创建一个具有隐私阈值为t的秘密共享m。我们的目标是在具有简单形式的相关随机性的模型中使用信息理论安全性来做到这一点。即,对于大小为q的接收者的每个子集A, S可以与A中的所有接收者共享一个随机密钥(与不同子集A共享的密钥必须是独立的)。我们将此称为带有参数l、n、t和q的广播秘密共享(BSS)。我们的主要问题是:作为参数的函数,c必须有多大?我们证明了n - tql是一个下界,并且我们证明了(n(t+1) q+t - t)l的上界,当t = 0或q = 1或n - t时,它匹配下界。当q = n - t时,c的大小正好是l,这显然是最小的。在这种情况下,证明上界的协议要求S与大小为n - t的每个子集共享一个密钥。我们表明,当c具有最小大小时,这种开销无法避免。我们还证明,如果对一个理想的PRG进行额外的访问,密文大小的下界变成n−q λ + l−negl(λ)(其中λ是PRG的输入长度)。其上界变为(n(t+1) q+t−t)λ +1。BSS可以直接应用于秘钥阈值加密。我们还可以考虑一种设置,其中使用计算安全和非交互式密钥交换生成相关随机性,其中我们假设每个接收方为此目的都有一个(独立生成的)公钥。在这个模型中,任何用于非交互式秘密共享的协议都成为一个特设阈值加密(ATE)方案,这是一个除了PKI之外没有可信设置的阈值加密方案。我们的上界意味着新的ATE方案,我们的下界成为任何使用密钥交换功能而不使用其他加密原语的ATE方案中密文大小的下界。2012 ACM主题分类安全与隐私→信息理论技术
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Broadcast Secret-Sharing, Bounds and Applications
Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that n−t q l is a lower bound, and we show an upper bound of ( n(t+1) q+t − t)l, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes n−t q λ + l − negl(λ) (where λ is the length of the input to the PRG). The upper bound becomes ( n(t+1) q+t − t)λ + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives. 2012 ACM Subject Classification Security and privacy → Information-theoretic techniques
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Csirmaz's Duality Conjecture and Threshold Secret Sharing Online Mergers and Applications to Registration-Based Encryption and Accumulators Exponential Correlated Randomness Is Necessary in Communication-Optimal Perfectly Secure Two-Party Computation The Cost of Statistical Security in Proofs for Repeated Squaring Tight Estimate of the Local Leakage Resilience of the Additive Secret-Sharing Scheme & Its Consequences
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1