nach oben

Journal of Cryptology

Erschienen in:

14.01.2016

Secret-Sharing for NP

verfasst von: Ilan Komargodski, Moni Naor, Eylon Yogev

Erschienen in: Journal of Cryptology | Ausgabe 2/2017

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function. It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in \({\mathsf {P}}\)). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in \({\mathsf {NP}}\): in order to reconstruct the secret a set of parties must be “qualified” and provide a witness attesting to this fact. Recently, Garg et al. (Symposium on theory of computing conference, STOC, pp 467–476, 2013) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement \(x\in L\) for a language \(L\in {\mathsf {NP}}\) such that anyone holding a witness to the statement can decrypt the message; however, if \(x\notin L\), then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction. One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for any monotone function in \({\mathsf {NP}}\) assuming witness encryption for \({\mathsf {NP}}\) and one-way functions. As a consequence we get a completeness theorem for secret-sharing: computational secret-sharing scheme for any single monotone \({\mathsf {NP}}\)-complete function implies a computational secret-sharing scheme for every monotone function in \({\mathsf {NP}}\).

Vorheriger Artikel Acoustic Cryptanalysis

Nächster Artikel Security of Blind Signatures Revisited

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nur mit Berechtigung zugänglich

It is most sensible to consider only monotone sets of “qualified” subsets of parties. A set M of subsets is called monotone if \(A\in M\) and \(A\subseteq A'\), then \(A'\in M\). It is hard to imagine a meaningful method for sharing a secret to a set of “qualified” subsets that does not satisfy this property.

Moreover, there are not even non-constructive lower bounds for secret-sharing schemes. The usual counting arguments (e.g. arguments that show that most functions require large circuits) do not work here since one needs to enumerate over the sharing and reconstruction algorithms whose complexity may be larger than the share size.

In the access structure for directed connectivity, the parties correspond to edge slots in the complete directed graph and the “qualified” subsets are those edges that connect two distinguished nodes s and t.

In the access structure for matching the parties correspond to edge slots in the complete graph and the “qualified” subsets are those edges that contain a perfect matching. Even though matching is in \({\mathsf {P}}\), it is known that there is no monotone circuit that computes it [31].

Rudich raised it in private communication with the second author around 1990 and was not written to the best of our knowledge; some of Rudich’s results can be found in Beimel’s survey [2] and in Naor’s presentation [29].

Moreover, it is possible to show that if \({\mathsf {NP}}\not \subseteq {\textsf {co}{\mathsf {AM}}}\), then there is no statistical secret-sharing scheme for the Hamiltonian access structure in which the sharing of the secret can be done efficiently [29].

The resulting reduction is non-black-box. Also, note that the results of Rudich apply for any other monotone \({\mathsf {NP}}\)-complete problem as well.

The class \({\mathsf {MA}}\) is defined similarly to the verifier-based definition of \({\mathsf {NP}}\) where the verifier is allowed to use randomness.

Using standard Karp/Levin reductions between \({\mathsf {NP}}\)-complete languages, one can transform a witness encryption scheme for a single \({\mathsf {NP}}\)-complete language to a witness encryption scheme for any other language in \({\mathsf {NP}}\).

See [23] for a thorough discussion of the need in additional hardness assumptions on top of \({i\mathcal {O}}\).

N. Alon, J. Spencer, The Probabilistic Method (3rd ed.) (Wiley, 2008)

A. Beimel, Secret-sharing schemes: a survey, in 3rd International Workshop, IWCC (2011), pp. 11–46

B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in CRYPTO. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 1–18

B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012). Preliminary version appeared in CRYPTO 2001

B. Barak, S. Garg, Y. T. Kalai, O. Paneth, A. Sahai, Protecting obfuscation against algebraic attacks, in 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EYROCRYPTO (2014), pp. 221–238

A. Beimel, Y. Ishai, On the power of nonlinear secrect-sharing. SIAM J. Discrete Math. 19(1), 258–280 (2005)

J. C. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in 8th Annual International Cryptology Conference, CRYPTO (1988), pp. 27–35

G. R. Blakley, Safeguarding cryptographic keys. Proc. AFIPS Natl. Comput. Conf. 22, 313–317 (1979)

M. Bellare, P. Rogaway, Robust computational secret sharing and a unified account of classical secret-sharing goals, in ACM Conference on Computer and Communications Security (ACM, 2007), pp. 172–184

10.

Z. Brakerski, G. N. Rothblum, Black-box obfuscation for \(d\)-CNFs, in Innovations in Theoretical Computer Science, ITCS (2014), pp. 235–250

11.

Z. Brakerski, G. N. Rothblum, Virtual black-box obfuscation for all circuits via generic graded encoding, in 11th Theory of Cryptography Conference, TCC (2014), pp. 1–25

12.

D. Boneh, M. Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 480–499

13.

C. Dwork, M. Naor, O. Reingold, L. J. Stockmeyer, Magic functions. J. ACM 50(6), 852–921 (2003)

14.

S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS (2013), pp. 40–49

15.

S. Garg, C. Gentry, A. Sahai, B. Waters, Witness encryption and its applications, in Symposium on Theory of Computing Conference, STOC (2013), pp. 467–476

16.

C. Gentry, A. B. Lewko, A. Sahai, B. Waters, Indistinguishability obfuscation from the multilinear subgroup elimination assumption. IACR Cryptol. ePrint Arch. 2014, 309 (2014)

17.

C. Gentry, A. B. Lewko, B. Waters, Witness encryption from instance independent assumptions, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 426–443

18.

S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

19.

M. Grigni, M. Sipser, Monotone complexity, in LMS Workshop on Boolean Function Complexity (1992), pp. 57–75

20.

J. Håstad, R. Impagliazzo, L. A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

21.

R. Impagliazzo, A personal view of average-case complexity, in 10th Annual Structure in Complexity Theory Conference (1995), pp. 134–147

22.

M. Ito, A. Saito, T. Nishizeki, Multiple assignment scheme for sharing secret. J. Cryptol. 6(1), 15–20 (1993)

23.

I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS (2014), pp. 374–383

24.

H. Krawczyk, Secret sharing made short, in 13th Annual International Cryptology Conference, CRYPTO (1993), pp. 136–146

25.

M. Karchmer, A. Wigderson, On span programs, in 8th Annual Structure in Complexity Theory Conference (1993), pp. 102–111

26.

I. Komargodski, M. Zhandry, Cutting-edge cryptography through the lens of secret sharing. IACR Cryptol. ePrint Arch. 2015, 735 (2015). To appear in TCC 2016-A

27.

M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)

28.

M. Naor, On cryptographic assumptions and challenges, in 23rd Annual International Cryptology Conference, CRYPTO (2003), pp. 96–109

29.

M. Naor, Secret sharing for access structures beyond \({\sf P}\) (2006). Slides: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/minicrypt.html

30.

R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation from semantically-secure multilinear encodings, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 500–517

31.

A. A. Razborov, Lower bounds for the monotone complexity of some Boolean functions. Dokl. Ak. Nauk. SSSR 281, 798–801 (1985). English translation in: Soviet Math. Dokl. 31, 354–357 (1985)

32.

A. Shamir, How to share a secret. Commun. ACM 22(11), 612–613 (1979)

33.

A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Symposium on Theory of Computing, STOC (2014), pp. 475–484

34.

V. Vinod, A. Narayanan, K. Srinathan, C. P. Rangan, K. Kim, On the power of computational secret sharing, in 4th International Conference on Cryptology in India, INDOCRYPT (2003), pp. 162–176

Titel: Secret-Sharing for NP
verfasst von: Ilan Komargodski
Moni Naor
Eylon Yogev
Publikationsdatum: 14.01.2016
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 2/2017
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-015-9226-0

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2017

Acoustic Cryptanalysis

The Security of Tandem-DM in the Ideal Cipher Model

Photonic Side-Channel Analysis of Arbiter PUFs

Design Methodology and Validity Verification for a Reactive Countermeasure Against EM Attacks

Efficient Cryptosystems From -th Power Residue Symbols

Jacobian Coordinates on Genus 2 Curves