Broadcast Secret-Sharing, Bounds and Applications

2007 IEEE International Test Conference Pub Date : 2021-01-01 DOI:10.4230/LIPIcs.ITC.2021.10

I. Damgård, Kasper Green Larsen, Sophia Yakoubov

{"title":"Broadcast Secret-Sharing, Bounds and Applications","authors":"I. Damgård, Kasper Green Larsen, Sophia Yakoubov","doi":"10.4230/LIPIcs.ITC.2021.10","DOIUrl":null,"url":null,"abstract":"Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that n−t q l is a lower bound, and we show an upper bound of ( n(t+1) q+t − t)l, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes n−t q λ + l − negl(λ) (where λ is the length of the input to the PRG). The upper bound becomes ( n(t+1) q+t − t)λ + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives. 2012 ACM Subject Classification Security and privacy → Information-theoretic techniques","PeriodicalId":6403,"journal":{"name":"2007 IEEE International Test Conference","volume":" 43","pages":"10:1-10:20"},"PeriodicalIF":0.0000,"publicationDate":"2021-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2007 IEEE International Test Conference","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4230/LIPIcs.ITC.2021.10","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Consider a sender S and a group of n recipients. S holds a secret message m of length l bits and the goal is to allow S to create a secret sharing of m with privacy threshold t among the recipients, by broadcasting a single message c to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset A of recipients of size q, S may share a random key with all recipients in A. (The keys shared with different subsets A must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must c be, as a function of the parameters? We show that n−t q l is a lower bound, and we show an upper bound of ( n(t+1) q+t − t)l, matching the lower bound whenever t = 0, or when q = 1 or n − t. When q = n − t, the size of c is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires S to share a key with every subset of size n − t. We show that this overhead cannot be avoided when c has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes n−t q λ + l − negl(λ) (where λ is the length of the input to the PRG). The upper bound becomes ( n(t+1) q+t − t)λ + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives. 2012 ACM Subject Classification Security and privacy → Information-theoretic techniques

查看原文本刊更多论文

广播秘密共享，边界和应用

考虑一个发送者S和一组n个接收者。S持有长度为l位的秘密消息m，目标是允许S通过向接收方广播一条消息c，在接收方之间创建一个具有隐私阈值为t的秘密共享m。我们的目标是在具有简单形式的相关随机性的模型中使用信息理论安全性来做到这一点。即，对于大小为q的接收者的每个子集A, S可以与A中的所有接收者共享一个随机密钥(与不同子集A共享的密钥必须是独立的)。我们将此称为带有参数l、n、t和q的广播秘密共享(BSS)。我们的主要问题是:作为参数的函数，c必须有多大?我们证明了n - tql是一个下界，并且我们证明了(n(t+1) q+t - t)l的上界，当t = 0或q = 1或n - t时，它匹配下界。当q = n - t时，c的大小正好是l，这显然是最小的。在这种情况下，证明上界的协议要求S与大小为n - t的每个子集共享一个密钥。我们表明，当c具有最小大小时，这种开销无法避免。我们还证明，如果对一个理想的PRG进行额外的访问，密文大小的下界变成n−q λ + l−negl(λ)(其中λ是PRG的输入长度)。其上界变为(n(t+1) q+t−t)λ +1。BSS可以直接应用于秘钥阈值加密。我们还可以考虑一种设置，其中使用计算安全和非交互式密钥交换生成相关随机性，其中我们假设每个接收方为此目的都有一个(独立生成的)公钥。在这个模型中，任何用于非交互式秘密共享的协议都成为一个特设阈值加密(ATE)方案，这是一个除了PKI之外没有可信设置的阈值加密方案。我们的上界意味着新的ATE方案，我们的下界成为任何使用密钥交换功能而不使用其他加密原语的ATE方案中密文大小的下界。2012 ACM主题分类安全与隐私→信息理论技术

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2007 IEEE International Test Conference

自引率

0.00%

发文量