![Page 1: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/1.jpg)
Cryptography for Unconditionally Secure
Message Transmission in Networks
Kaoru Kurosawa
![Page 2: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/2.jpg)
Popular Encryption Schemes

| | Must share a secret key | Don’t share a secret key |
|---|---|---|
| Computational | SKE | PKE |
| Unconditional | One-time pad | |
![Page 3: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/3.jpg)
Does there exist?

| | Must share a secret key | Don’t share a secret key |
|---|---|---|
| Computational | SKE | PKE |
| Unconditional | One-time pad | ??? |
![Page 4: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/4.jpg)
Yes
• (1975) Wyner
Wire-tap channel model
• (1984) Bennett and Brassard
BB84
• (1993) Dolev, Dwork, Waarts and Yung
Network model
![Page 5: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/5.jpg)
In the model of DDWY
• Alice and Bob are a part of a network
• There are n channels between them
• Adversary can corrupt (observe and forge)
at most t channels
![Page 6: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/6.jpg)
Indeed, in the Internet
• There are many channels
between A and B
• No adversary can corrupt all the routers
![Page 7: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/7.jpg)
Dolev, Dwork, Waarts and Yung
Showed that we can achieve
• (Perfect Privacy)
Adversary learns no information on
the secret message s
• (Perfect Reliability)
Bob can receive s correctly
(Adversary cannot forge s)
![Page 8: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/8.jpg)
There are many variants

| Network | Adversary | Security |
|---|---|---|
| Undirected | Threshold | Perfect |
| Directed | General | Almost perfect |

etc.
![Page 9: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/9.jpg)
Many authors since DDWY
• Sayeed, Abu-Amara
• Franklin, Wright
• Kumar, Goundan, Srinathan, Rangan, Narayanan, Patra, Choudhary
• Desmedt, Wang, Burmester, Yang
• Agarwal, Cramer, de Haan
• Garay, Ostrovsky, Fitzi, Vardhan
• Kurosawa, Suzuki
![Page 10: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/10.jpg)
This talk

| Network | Adversary | Security |
|---|---|---|
| Undirected | Threshold | Perfect |
| Directed | General | Almost perfect |
![Page 11: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/11.jpg)
We begin with the 1st setting

| Network | Adversary | Security |
|---|---|---|
| Undirected | Threshold | Perfect |
| Directed | General | Almost perfect |
![Page 12: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/12.jpg)
In an Undirected Network
• Each channel is two-way
![Page 13: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/13.jpg)
1 Round Protocol
Sender → Receiver
![Page 14: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/14.jpg)
2 Round Protocol
1st round: Receiver → Sender
2nd round: Sender → Receiver
![Page 15: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/15.jpg)
PSMT denotes
• Perfectly
• Secure
• Message
• Transmission
• Scheme
![Page 16: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/16.jpg)
DDWY showed
1-round PSMT exists
iff n ≧ 3t+1
2-round PSMT exists
iff n ≧ 2t+1
where the adversary can corrupt t out of n channels.
![Page 17: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/17.jpg)
Let’s look at
1-round PSMT iff n ≧ 3t+1
2-round PSMT for n = 2t+1
where an adversary can corrupt t out of n channels.
![Page 18: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/18.jpg)
2-round PSMT for n=2t+1

| | Transmission rate larger than O(n) | Transmission rate O(n) |
|---|---|---|
| Exp-time | DDWY (1993) | Agarwal, Cramer, de Haan (2006) |
| Poly-time | Sayeed, Abu-Amara (1996) | Kurosawa, Suzuki (2008) |

Lower bound O(n): Srinathan, Narayanan, Rangan (2004)
![Page 23: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/23.jpg)
Suppose that Alice chooses a random f(x) such that f(0)=s and deg f(x) ≦ t
[Figure: Alice holds s and sends f(1), …, f(t), …, f(n) to Bob, f(i) through channel i]
Adversary corrupts t channels.
![Page 25: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/25.jpg)
Perfect Privacy
• is satisfied because this is a (t+1, n)-secret sharing scheme
• Hence the adversary learns no information on s.
![Page 26: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/26.jpg)
Adversary forges t channels:
f(1)’ = f(1) + e1, …, f(t)’ = f(t) + et
[Figure: Alice holds s and sends f(1), …, f(n) to Bob; the adversary sits on t of the channels]
How about Perfect Reliability?
![Page 27: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/27.jpg)
Perfect Reliability
• Bob can compute s if X=(f(1),…, f(n)) is a codeword of a t-error correcting code.
![Page 28: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/28.jpg)
X=(f(1),…, f(n))
• A nonzero X has at most t zeros because deg f(x) ≦ t.
• Hence the minimum Hamming weight of a nonzero X is n-t.
• Therefore the minimum Hamming distance of this linear code is d=n-t.
![Page 31: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/31.jpg)
If n=3t+1,
• the minimum Hamming distance of C is
d = n – t = (3t+1) – t = 2t+1.
• Hence the receiver can correct t errors caused by the adversary
• by using the Berlekamp-Welch algorithm.
• Thus perfect reliability is also satisfied.
• Therefore we can obtain a 1-round PSMT easily for n≧3t+1
![Page 36: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/36.jpg)
If n=2t+1, however,
• the minimum Hamming distance of C is
d = n – t = (2t+1) – t = t+1
• Hence the receiver can only detect t errors, but cannot correct them.
• This is the main reason why PSMT for n=2t+1 is difficult.
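
The 1-round scheme for n=3t+1 and the n=2t+1 obstacle, as an added Python example (not code from the talk): Alice shares s with a random polynomial of degree at most t, Bob decodes with Berlekamp-Welch, and `confusable` builds, for t=1 and n=3, one received word that is a single forgery away from codewords of two different secrets. The field GF(2^31-1), all function names and the sample values are assumptions made for this illustration.

```python
import random

P = 2**31 - 1  # prime modulus of GF(P); an assumption, the slides fix no field

def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(s, t, n, rng):
    """Alice: random f with f(0) = s and deg f <= t; channel i carries f(i)."""
    f = [s % P] + [rng.randrange(P) for _ in range(t)]
    return [poly_eval(f, i) for i in range(1, n + 1)]

def solve_mod_p(rows):
    """Gauss-Jordan on an augmented matrix over GF(P); free variables become 0.
    Returns one solution, or None if the system is inconsistent."""
    rows = [row[:] for row in rows]
    ncols, pivots, r = len(rows[0]) - 1, [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], P - 2, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                k = rows[i][c]
                rows[i] = [(a - k * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):
        return None
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = rows[i][-1]
    return sol

def poly_div(num, den):
    """Divide num by den over GF(P); returns (quotient, remainder)."""
    num = num[:]
    inv = pow(den[-1], P - 2, P)
    quot = [0] * (len(num) - len(den) + 1)
    for i in reversed(range(len(quot))):
        quot[i] = num[i + len(den) - 1] * inv % P
        for j, d in enumerate(den):
            num[i + j] = (num[i + j] - quot[i] * d) % P
    return quot, num[:len(den) - 1]

def receive(y, t):
    """Bob: Berlekamp-Welch decoding of y = (f(1)', ..., f(n)'), n >= 3t+1.
    Finds monic E (deg t) and Q (deg <= 2t) with Q(i) = y_i * E(i) for all i;
    then f = Q / E. Returns (s, list of forged channels)."""
    n = len(y)
    if n < 3 * t + 1:
        raise ValueError("1-round decoding needs n >= 3t+1")
    rows = []
    for i in range(1, n + 1):
        xs = [pow(i, j, P) for j in range(2 * t + 1)]
        # unknowns q_0..q_2t, e_0..e_(t-1); right-hand side y_i * i^t
        rows.append(xs + [-y[i - 1] * xs[j] % P for j in range(t)]
                    + [y[i - 1] * xs[t] % P])
    sol = solve_mod_p(rows)
    if sol is None:
        raise ValueError("more than t channels were forged")
    f, rem = poly_div(sol[:2 * t + 1], sol[2 * t + 1:] + [1])
    forged = [i for i in range(1, n + 1) if poly_eval(f, i) != y[i - 1]]
    if any(rem) or len(forged) > t:
        raise ValueError("more than t channels were forged")
    return f[0], forged

def demo():
    """Constructed run: t = 2, n = 7, channels 2 and 5 forged."""
    rng = random.Random(2009)
    t, n, s = 2, 7, 123456789
    y = share(s, t, n, rng)
    y[1] = (y[1] + 1) % P           # f(2)' = f(2) + e2
    y[4] = (y[4] + 99) % P          # f(5)' = f(5) + e5
    return receive(y, t)

def confusable(s1, s2, rng):
    """n = 2t+1 with t = 1: one received word that is a single forgery away
    from a codeword for s1 and from a codeword for s2 (detect, cannot correct)."""
    x1 = share(s1, 1, 3, rng)
    h = [(s2 - s1) * (1 - j) % P for j in (1, 2, 3)]   # h(0) = s2 - s1, h(1) = 0
    x2 = [(a + b) % P for a, b in zip(x1, h)]          # shares of s2
    return x1, x2, [x1[0], x1[1], x2[2]]

if __name__ == "__main__":
    print(demo())
```
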
![Page 39: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/39.jpg)
DDWY showed
• Exp-time 2-round PSMT
• Poly-time 3-round PSMT such that the transmission rate is O(n^5),
• where the transmission rate is defined as
(the total number of bits transmitted) / (the size of the secrets)
![Page 40: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/40.jpg)
Sayeed and Abu-Amara
• 2-round PSMT such that
the transmission rate is O(n^3)
![Page 41: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/41.jpg)
Srinathan, Narayanan and Rangan
• the transmission rate ≧ n
for any 2-round PSMT with n=2t+1.
(CRYPTO 2004)
![Page 42: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/42.jpg)
Agarwal, Cramer and de Haan
• Exp-time 2-round PSMT such that the transmission rate is O(n). (CRYPTO 2006)
![Page 43: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/43.jpg)
Kurosawa and Suzuki
• Poly-time 2-round PSMT such that the transmission rate is O(n).
(Eurocrypt 2008; final version: IEEE Trans. on IT, 2009)
![Page 44: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/44.jpg)
Our Idea
• What is the difference between error correction and PSMT?
• If the sender sends a single codeword, then the adversary causes t errors randomly.
• Hence there is no difference.
![Page 47: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/47.jpg)
However
• If the sender sends many codewords
X1, …, Xm,
then the errors are not totally random
• because the errors always occur at the same t (or fewer) places!
![Page 48: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/48.jpg)
Our Observation
• Suppose that the receiver received
Y1=X1+E1, …, Ym=Xm+Em,
• where E1, …, Em are error vectors
• Let
E = [E1, …, Em].
• Then dim E ≦ t because the errors always occur at the same t (or fewer) places!
![Page 50: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/50.jpg)
But
• The receiver does not know
the error vectors E1, …, Em
![Page 51: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/51.jpg)
Our Contribution
• We introduced the notions of pseudo-dimension and pseudo-basis.
![Page 52: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/52.jpg)
Intuition
Let Y = {Y1, …, Ym} and E = [E1, …, Em].
• If Y has pseudo-dimension k, then E has dimension k
• If Y has a pseudo-basis {Yj1, …, Yjk}, then E has a basis {Ej1, …, Ejk}
![Page 53: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/53.jpg)
Our Contribution
• We then showed a poly-time algorithm
which finds
pseudo-basis and pseudo-dimension
from Y={Y1, …, Ym}.
![Page 54: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/54.jpg)
More Observation
For example,
• E1=(1,0, …, 0),
• E2=(1,1,0, …, 0),
• …
• Et=(1,…,1,0, …, 0),
is a basis of E.
![Page 55: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/55.jpg)
More Observation
• E1=(1,0, …, 0), NonZero(E1)={1}
• E2=(1,1,0, …, 0), NonZero(E2)={1,2}
• …
• Et=(1,…,1,0, …, 0), NonZero(Et)={1, …, t}
• Define
FORGED = ∪ NonZero(Ei), where the union is taken over the basis
![Page 57: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/57.jpg)
More Observation
• E1=(1,0, …, 0), NonZero(E1)={1}
• E2=(1,1,0, …, 0), NonZero(E2)={2}
• …
• Et=(1, …, 1, 0, …, 0), NonZero(Et)={t}
• Define
FORGED ≡ ∪ NonZero(Ei), where the union is taken over the basis
• Then FORGED = {all forged channels}
![Page 58: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/58.jpg)
Our basic 2-round PSMT
• Let
t = 1 and
n = 2t+1 = 3
• That is,
Adversary can corrupt 1 out of 3 channels
![Page 59: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/59.jpg)
It consists of 3 phases
• Encryption phase
• Error detection phase
• Decryption phase
We run them in parallel
![Page 60: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/60.jpg)
Encryption phase (1st round)
• R sends random f1(x), f2(x) and f3(x) with deg fi(x) ≦ 1, where fi(x) is sent through channel i
• S receives f1’(x), f2’(x) and f3’(x)
Encryption phase (2nd round)
• S broadcasts
c = s + f1’(1) + f2’(2) + f3’(3)
that is, S sends c through all 3 channels
• R can receive c correctly by taking majority vote
because at most 1 channel is corrupted
![Page 64: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/64.jpg)
Error detection phase (1st round)
• R sends X1, X2, X3 such that
X1 = [f1(1), f1(2), f1(3)]T
X2 = [f2(1), f2(2), f2(3)]T
X3 = [f3(1), f3(2), f3(3)]T
where the i-th component of each Xj is sent through channel i
• S receives
Y1 = [f1(1)’, f1(2)’, f1(3)’]T
Y2 = [f2(1)’, f2(2)’, f2(3)’]T
Y3 = [f3(1)’, f3(2)’, f3(3)’]T
• From {Y1, Y2, Y3}, S computes the pseudo-dimension k and a pseudo-basis Λ by using the proposed algorithm
• For example, S computes the pseudo-dimension k=1 and a pseudo-basis Λ={Y1}
• S broadcasts k=1, Λ={Y1}
• R sent X1 and received Y1=X1+E1
• Hence R can compute E1=Y1-X1
• Suppose that E1=Y1-X1=[0,0,e3]T
• Then R sees that channel 3 is corrupted
![Page 73: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/73.jpg)
What happened?
[Figure: R sends f1(x), f2(x), f3(x) and X1, X2, X3 to S over channels 1, 2, 3; the adversary sits on channel 3; S broadcasts c, Y1]
• Adversary corrupted channel 3
• S broadcast c and Y1=pseudo-basis
• Then R found that channel 3 was corrupted
In particular
• Adversary observed f3(x) and Y1 ≃ f1(x)
• But f2(2) is kept hidden
In other words
• R can find the corrupted channel
keeping f2(2) secret
![Page 80: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/80.jpg)
• If R sends f1(x), ⋯, f6(x)
(f1(x), f4(x) through channel 1; f2(x), f5(x) through channel 2; f3(x), f6(x) through channel 3),
• then R can find the corrupted channel
• keeping f2(2), f4(1), f5(2) secret
• Only Y1 is broadcast as a pseudo-basis
![Page 82: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/82.jpg)
Going back to our basic scheme, let’s look at f3(x)
• R sent f3(x) and f3(1), f3(2), f3(3)
• R knows that S received
y1=f3(1)
y2=f3(2)
f3’(x), y3
Decryption phase
• S broadcasts
Δ1 = f3’(1) - y1
Δ2 = f3’(2) - y2
Δ3 = f3’(3) - y3
• From the 2 equations y1=f3(1) and Δ1=f3’(1)-y1, R can compute f3’(1) = Δ1+f3(1)
• From the 2 equations y2=f3(2) and Δ2=f3’(2)-y2, R can compute f3’(2) = Δ2+f3(2)
• Then R can obtain f3’(x) by applying the Lagrange formula to f3’(1) and f3’(2)
![Page 88: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/88.jpg)
Perfect Reliability
• R can obtain f1’(x) and f2’(x) similarly
• Remember that R received
c = s + f1’(1) + f2’(2) + f3’(3)
• Now R can compute s
• Therefore perfect reliability is satisfied
![Page 92: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/92.jpg)
Perfect Privacy
S broadcasts
c = s + f1’(1) + f2’(2) + f3’(3)
• Y1 is broadcast by S as a pseudo-basis
• Adversary observed f3’(x)
• But she has no info. on f2’(2) = f2(2)
• Hence
perfect privacy is also satisfied
![Page 97: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/97.jpg)
Final scheme
• R sends many fi(x) in parallel
• S uses “generalized broadcast”
• Then
we can obtain
the transmission rate = O(n)
![Page 98: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/98.jpg)
Now what is pseudo-basis
• Let C be a linear code such that
the codewords are
(f(1), ⋯, f(n)), where deg f(x) ≦ t
• That is,
C = { (f(1), ⋯, f(n)) | deg f(x) ≦ t }
![Page 100: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/100.jpg)
We write Y1 = Y2 mod C
• if
Y1 - Y2 ∈ C
• In particular, if
Y=X+E,
• then
Y=E mod C
![Page 101: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/101.jpg)
Linearly pseudo-expressed
• We say that
Y0 is linearly pseudo-expressed
by {Y1, ⋯, Yk} if
Y0 = a1Y1 + ⋯ + akYk mod C
for some (a1, ⋯, ak)
![Page 102: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/102.jpg)
Pseudo Span
• Let Λ ⊆ Y = {Y1, ⋯, Ym},
• We say that Λ pseudo spans Y
if each Yi is linearly pseudo-expressed
by Λ
![Page 103: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/103.jpg)
Pseudo-Basis
• We say that Λ is a pseudo-basis of Y
if it is a minimum set
which pseudo-spans Y
![Page 104: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/104.jpg)
Pseudo-Dimension
• Suppose that Λ is a pseudo-basis of Y
• We say that
k=|Λ| is the pseudo-dimension of Y
![Page 105: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/105.jpg)
Admissible Error Vector Set
We say that
{E1, ⋯, Em} is an admissible error vector set of Y = {Y1, ⋯, Ym}
if
• Ei = Yi mod C for all i
• | ⋃i NonZero(Ei) | ≦ t
![Page 106: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/106.jpg)
Theorem
• Let {E1, ⋯, Em} be an admissible error vector set of Y = {Y1, ⋯, Ym}
Y= {Y1, …, Ym} E = [E1, …, Em].
Y has Pseudo dim k iff E has dim k
Y has a Pseudo basis
{Yj1, …, Yjk}
iff E has a basis
{Ej1, …, Ejk}
![Page 107: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/107.jpg)
Corollary
• Let {E1, ⋯, Em} be the real error vector set caused by the adversary
Y= {Y1, …, Ym} E = [E1, …, Em].
If Y has Pseudo dim k then E has dim k
If Y has a Pseudo basis
{Yj1, …, Yjk}
then E has a basis
{Ej1, …, Ejk}
![Page 108: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/108.jpg)
Next how to check
linearly pseudo-expressed
Y3 –(a1Y1+a2Y2) = 0 mod C
• This equation means
LHS = some codeword (f(1), ⋯, f(n))
![Page 109: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/109.jpg)
First construct f(a1,a2)(x)
by applying Lagrange formula
to the first t+1 elements of Y3 – (a1Y1+a2Y2) like this
f(a1,a2)(1) = y3,1 − (a1y1,1 + a2y2,1)
⋮
f(a1,a2)(t+1) = y3,t+1 − (a1y1,t+1 + a2y2,t+1)
![Page 110: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/110.jpg)
Next check if
f(a1,a2) (x) is consistent with
the remaining elements of Y3 – (a1Y1+a2Y2)
for some (a1,a2)
f(a1,a2)(t+2) = y3,t+2 − (a1y1,t+2 + a2y2,t+2)
⋮
f(a1,a2)(n) = y3,n − (a1y1,n + a2y2,n)
![Page 111: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/111.jpg)
This can be done easily
By checking if the following linear equations have
a solution (a1,a2)
f(a1,a2)(t+2) = y3,t+2 − (a1y1,t+2 + a2y2,t+2)
⋮
f(a1,a2)(n) = y3,n − (a1y1,n + a2y2,n)
![Page 112: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/112.jpg)
If yes, then
• Y3 is linearly pseudo-expressed by {Y1,Y2}
![Page 113: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/113.jpg)
Algorithm for finding pseudo-basis
Input: Y={Y1, …, Ym}
• Let Λ=empty
• For i=1 to m, do:
While |Λ|<t, do:
Add Yi to Λ if Yi is not
linearly pseudo-expressed by Λ.
• Finally output Λ as a pseudo-basis of Y.
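The check and the pseudo-basis algorithm above, as an added Python example (not code from the talk or the paper). It assumes GF(257), t = 2, n = 5 and constructed error vectors; the names `residue`, `solve` and `pseudo_basis` are hypothetical.

```python
import random

P = 257        # small prime field (assumption; any prime larger than n works)
T, N = 2, 5    # t corrupted channels, n = 2t + 1 channels

def interpolate_at(points, x):
    """Lagrange formula: value at x of the polynomial through points [(xi, yi)]."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def residue(y):
    """Y mod C as a vector: fit f to the first t+1 entries of Y, then record the
    mismatch on entries t+2..n. All-zero exactly when Y is a codeword of C."""
    pts = [(k + 1, y[k]) for k in range(T + 1)]
    return [(y[k] - interpolate_at(pts, k + 1)) % P for k in range(T + 1, N)]

def solve(vectors, target):
    """Return (a1..ak) with sum a_i * vectors[i] == target over GF(P), else None."""
    k, rows = len(vectors), len(target)
    m = [[vectors[c][r] for c in range(k)] + [target[r]] for r in range(rows)]
    pivots, row = [], 0
    for col in range(k):                       # Gauss-Jordan elimination
        piv = next((r for r in range(row, rows) if m[r][col]), None)
        if piv is None:
            continue
        m[row], m[piv] = m[piv], m[row]
        inv = pow(m[row][col], -1, P)
        m[row] = [v * inv % P for v in m[row]]
        for r in range(rows):
            if r != row and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[row])]
        pivots.append(col)
        row += 1
    if any(m[r][k] for r in range(row, rows)):
        return None                            # not linearly pseudo-expressed
    coeffs = [0] * k
    for r, col in enumerate(pivots):
        coeffs[col] = m[r][k]
    return coeffs

def pseudo_basis(ys):
    """Indices of a pseudo-basis of Y, following the algorithm on the slide."""
    basis = []
    for i, y in enumerate(ys):
        spanned = solve([residue(ys[b]) for b in basis], residue(y))
        if len(basis) < T and spanned is None:
            basis.append(i)
    return basis

def codeword(coeffs):
    """(f(1), ..., f(n)) for f given by its coefficients, deg f <= t."""
    return [sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
            for x in range(1, N + 1)]

def sample_received():
    """Constructed sample: four codewords with errors only on channels 2 and 4."""
    rng = random.Random(1)
    errors = [[0, 5, 0, 0, 0], [0, 0, 0, 7, 0], [0, 10, 0, 21, 0], [0] * N]
    sent = [codeword([rng.randrange(P) for _ in range(T + 1)]) for _ in errors]
    return [[(x + e) % P for x, e in zip(xs, es)] for xs, es in zip(sent, errors)]
```

Because `residue` is linear in Y, the condition Y3 − (a1Y1 + a2Y2) = 0 mod C becomes an ordinary linear system in (a1, a2) over the residues.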
![Page 114: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/114.jpg)
2-round PSMT for n=2t+1
| | Transmission rate larger than O(n) | Transmission rate O(n) |
|---|---|---|
| Lower bound | | Srinathan, Narayan Rangan (2004) |
| Exp-time | DDWY (1993) | Agarwal, Cramer, de Haan (2006) |
| Poly-time | Sayeed, Abu-Amara (1996) | Kurosawa, Suzuki (2008) |
![Page 115: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/115.jpg)
For the details
・ Please look at the paper
Truly Efficient 2-Round Perfectly Secure Message Transmission Scheme
Kurosawa and Suzuki
Preliminary: Eurocrypt 2008
Final: IEEE Trans. on IT, 2009
![Page 116: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/116.jpg)
Patra, Choudhary and Rangan
Used pseudo-basis to construct
• Communication optimal 3 and 6 round PSMT in directed networks
(ICDCN 2010)
• 3-round communication optimal PSMT tolerating mobile mixed adversary
(PODC 2010)
![Page 117: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/117.jpg)
Yang and Desmedt
used pseudo-basis to construct
• 2-round PSMT for Q2 adversary structure
(Asiacrypt 2010)
![Page 118: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/118.jpg)
Open Problem (1)
• Can we apply pseudo-basis
to other problems?
![Page 119: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/119.jpg)
Open Problem (2)
• The transmission rate is
(the total number of bits transmitted) / (the size of the secrets)
![Page 121: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/121.jpg)
Open Problem (2)
• In our PSMT
the total number of bits transmitted = O(n^3)
the size of the secrets = O(n^2)
to achieve the transmission rate = O(n)
• What is a lower bound on
the communication complexity
to achieve our goal ?
![Page 122: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/122.jpg)
Next 2nd setting
Network Adversary Security
Undirected Threshold Perfect
Directed General Almost perfect
![Page 123: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/123.jpg)
Desmedt et al.
• Threshold adversaries are not realistic when dealing with computer viruses, such as the I LOVE YOU virus and the Internet virus/worm that only spread to Windows, respectively Unix.
![Page 124: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/124.jpg)
{1,2,3} use Windows
[Figure: Sender S and Receiver R connected through 1, 2, 3, 4 and 5]
![Page 125: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/125.jpg)
{3,4} use UNIX
[Figure: Sender S and Receiver R connected through 1, 2, 3, 4 and 5]
![Page 126: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/126.jpg)
{1,5} use TRON
[Figure: Sender S and Receiver R connected through 1, 2, 3, 4 and 5]
![Page 127: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/127.jpg)
Adversary Structure
• Adversary can corrupt
B1={1,2,3} or B2={3,4} or B3={1,5}.
• Let
Γ={B1, B2, B3}
• Such Γ is called an adversary structure.
![Page 128: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/128.jpg)
Hirt and Maurer
• Introduced adversary structure
in the context of multiparty protocols
• They generalized
n≧2t+1 to Q2 adversary structure
n≧3t+1 to Q3 adversary structure
![Page 129: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/129.jpg)
Γ satisfies Q2
• If
Bi ⋃ Bj ≠ {1, ⋯, n}
• for any Bi, Bj ∊ Γ
![Page 130: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/130.jpg)
Γ satisfies Q3
• If
Bi ⋃ Bj ⋃ Bk ≠ {1, ⋯, n}
• for any Bi, Bj, Bk ∊ Γ
![Page 131: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/131.jpg)
PSMT for General Adversary
• 2002 Kumar, Goundan, Srinathan, Rangan
Many round PSMT for Q2
• 2005 Desmedt, Wang, Burmester
Exp-time 1-round PSMT for Q3
• 2009 Kurosawa
Poly-time 1-round PSMT for Q3
• 2010 Yang, Desmedt
Poly-time 2-round PSMT for Q2
![Page 132: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/132.jpg)
I will explain
• 2002 Kumar, Goundan, Srinathan, Rangan
Many round PSMT for Q2
• 2005 Desmedt, Wang, Burmester
Exp-time 1-round PSMT for Q3
• 2009 Kurosawa
Poly-time 1-round PSMT for Q3
• 2010 Yang, Desmedt
2-round PSMT for Q2
![Page 133: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/133.jpg)
Monotone
• We say that Γ is monotone
if B ∈ Γ and B’ ⊂ B, then B’ ∈ Γ
• For example,
if an adversary can corrupt B={1,2,3},
then she can corrupt B’={1,2} clearly.
• In what follows,
we assume that Γ is monotone
![Page 134: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/134.jpg)
Proposition
For any monotone adversary structure Γ,
there exists a linear secret sharing scheme
such that
• if B ∈ Γ, then B has no information on s
• If A ∉ Γ, then A can reconstruct s
![Page 135: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/135.jpg)
Proposition
For any monotone adversary structure Γ,
there exists a (linear) secret sharing scheme
such that
• if B ∈ Γ, then B has no information on s
• If A ∉ Γ, then A can reconstruct s
We call such a scheme
a secret sharing scheme for Γ
![Page 136: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/136.jpg)
What is the difference between
• Shamir’s threshold secret sharing scheme
and
• general secret sharing schemes ?
![Page 137: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/137.jpg)
Secret Sharing Scheme
• Sharing phase:
For a secret s,
Dealer computes a share vector
V=(v1, ⋯, vn),
and gives vi to player Pi
![Page 138: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/138.jpg)
Secret Sharing Scheme
• Reconstruction phase:
Suppose that some subset of players
B ∈ Γ open forged shares.
Let
Y=V+E
where V is a share vector and
E is an error vector
![Page 139: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/139.jpg)
In Shamir’s threshold SS,
• If n≧3t+1, then
Berlekamp-Welch algorithm
can correct t errors in
Y=V+E
in poly-time
![Page 140: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/140.jpg)
For Q3 adversary structure,
• no secret sharing scheme was known
such that
s can be reconstructed in poly-time from
Y (=V+E)
• This is the reason why
the construction of 1-round PSMT for Q3
is difficult
![Page 141: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/141.jpg)
I constructed
• A secret sharing scheme for Q3
such that
s can be reconstructed from
Y (=V+E)
in poly-time
![Page 142: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/142.jpg)
Proposed construction
For a Q3-adversary structure Γ,
let LSSS be a linear secret sharing scheme
such that
• if B ∈ Γ, then B has no information on s
• If A ∉ Γ, then A can reconstruct s
![Page 143: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/143.jpg)
Step 1
(s, r0) → LSSS → (v1, ⋯, vn)
![Page 144: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/144.jpg)
Step 2
(s, r0) → LSSS → (v1, ⋯, vn)
(v1, r1) → LSSS → (u11, ⋯, u1n)
![Page 145: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/145.jpg)
Dealer distributes
P1: (v1, r1), u11
P2: u12
⋮
Pn: u1n
![Page 146: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/146.jpg)
Similarly
(s, r0) → LSSS → (v1, v2, ⋯, vn)
(v2, r2) → LSSS → (u21, ⋯, u2n)
![Page 147: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/147.jpg)
Dealer distributes
P1: (v1, r1), u11, u21
P2: u12, (v2, r2), u22
⋮
Pn: u1n, u2n
![Page 148: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/148.jpg)
And so on.
P1: (v1, r1), u11, u21, ⋯, un1
P2: u12, (v2, r2), u22, ⋯, un2
⋮
Pn: u1n, u2n, ⋯, (vn, rn), unn
![Page 149: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/149.jpg)
In the Reconstruction phase
• Suppose that some subset of players B ∈ Γ open forged shares
• We will show a poly-time algorithm
which can reconstruct s
![Page 150: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/150.jpg)
Suppose that
P1: (v1, r1), u11, u21, ⋯, un1
P2: u12, (v2, r2), u22, ⋯, un2
⋮
Pn: u1n, u2n, ⋯, (vn, rn), unn
Each player opened blue shares
![Page 151: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/151.jpg)
Decoding algorithm: Step 1
(v1, r1) → LSSS → (u11, ⋯, u1n)
Run the LSSS on input (v1, r1) to generate red shares
![Page 152: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/152.jpg)
Then compare the red shares with the blue shares
(v1, r1) → LSSS → red shares (u11, ⋯, u1n), compared entry by entry (= or ≠) with the blue shares (u11, ⋯, u1n)
Accept v1 if { j | red u1j ≠ blue u1j } ∈ Γ
![Page 153: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/153.jpg)
Similarly
(vi, ri) → LSSS → (ui1, ⋯, uin)
Run the LSSS on input (vi, ri) to generate red shares
![Page 154: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/154.jpg)
Compare the red shares with the blue shares
(vi, ri) → LSSS → red shares (ui1, ⋯, uin), compared entry by entry with the blue shares (ui1, ⋯, uin)
Accept vi if { j | red uij ≠ blue uij } ∈ Γ
![Page 155: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/155.jpg)
Decoding algorithm: Step 2
• Finally apply the reconstruction algorithm
of the LSSS to {accepted vi},
• and reconstruct s
![Page 156: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/156.jpg)
That is,
{ accepted vi } → Reconstruction algorithm of LSSS → s
![Page 158: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/158.jpg)
Theorem
• Proposed scheme is a secret sharing scheme for a Q3 adversary structure Γ
• Even if some B ∈ Γ open forged shares,
the decoding algorithm can reconstruct s
in poly-time in the size of the LSSS
(which is the total size of the shares)
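The sharing and decoding steps above, as an added Python example (not the author's code). Assumptions: the underlying LSSS is the replicated additive scheme, Γ is a constructed Q3 structure on five players, opened shares are well-formed, and all function names are hypothetical; `is_q` checks the Q2/Q3 conditions defined earlier.

```python
import secrets
from itertools import combinations_with_replacement

P = 2**61 - 1        # prime field for all shares (assumption)
N = 5
PLAYERS = range(1, N + 1)
# Constructed example: maximal sets of a monotone Q3 adversary structure
GAMMA_MAX = [frozenset({1, 2}), frozenset({3}), frozenset({4}), frozenset({5})]

def in_gamma(subset):
    """True if subset ∈ Γ, the monotone closure of GAMMA_MAX."""
    return any(set(subset) <= b for b in GAMMA_MAX)

def is_q(k, maximal=GAMMA_MAX, n=N):
    """Q^k condition: no k sets of Γ cover {1..n}; maximal sets suffice."""
    return all(len(frozenset().union(*c)) < n
               for c in combinations_with_replacement(maximal, k))

def fresh_rand():
    return [secrets.randbelow(P) for _ in GAMMA_MAX[1:]]

def lsss(value, rand):
    """Replicated additive LSSS: value = sum of parts; part k goes to every
    player outside GAMMA_MAX[k], so a set in Γ always misses one part."""
    parts = list(rand) + [(value - sum(rand)) % P]
    return {j: tuple(p for p, b in zip(parts, GAMMA_MAX) if j not in b)
            for j in PLAYERS}

def lsss_vec(vec, rands):
    """Share every component of a share vector v_i with its own randomness."""
    per = [lsss(x, r) for x, r in zip(vec, rands)]
    return {j: tuple(s[j] for s in per) for j in PLAYERS}

def lsss_reconstruct(shares):
    """Rebuild the value from {player: share} of a player set outside Γ."""
    parts = {}
    for j, share in shares.items():
        held = [k for k, b in enumerate(GAMMA_MAX) if j not in b]
        parts.update(zip(held, share))
    if len(parts) != len(GAMMA_MAX):
        raise ValueError("accepted players lie in Γ; cannot reconstruct")
    return sum(parts.values()) % P

def deal(s):
    """Player j (channel j in the PSMT) gets (vj, rj) and uij for every i."""
    v = lsss(s, fresh_rand())                          # Step 1: s -> v1..vn
    r = {i: [fresh_rand() for _ in v[i]] for i in PLAYERS}
    u = {i: lsss_vec(v[i], r[i]) for i in PLAYERS}     # Step 2: vi -> ui1..uin
    return {j: {"v": v[j], "r": r[j], "u": {i: u[i][j] for i in PLAYERS}}
            for j in PLAYERS}

def decode(opened):
    """Accept vi when the red/blue disagreement set is in Γ, then reconstruct."""
    accepted = {}
    for i in PLAYERS:
        red = lsss_vec(opened[i]["v"], opened[i]["r"])          # red shares
        diff = {j for j in PLAYERS if red[j] != opened[j]["u"][i]}  # vs blue
        if in_gamma(diff):
            accepted[i] = opened[i]["v"]
    return lsss_reconstruct(accepted), sorted(accepted)

def forge(opened, corrupt):
    """Constructed test input: players in `corrupt` shift every value they open."""
    out = dict(opened)
    for j in corrupt:
        o = opened[j]
        out[j] = {"v": tuple((x + 1) % P for x in o["v"]), "r": o["r"],
                  "u": {i: tuple(tuple((x + 1) % P for x in part) for part in sh)
                        for i, sh in o["u"].items()}}
    return out
```

With players {1, 2} opening forged values, `decode` rejects v1 and v2 because their disagreement sets include honest players, and rebuilds s from v3, v4 and v5.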
![Page 159: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/159.jpg)
Application to PSMT
• We can construct a 1-round PSMT
for any Q3-adversary structure
which runs in poly-time
in the size of the underlying LSSS
![Page 160: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/160.jpg)
Proposed PSMT
Channel 1: (v1, r1), u11, u21, ⋯, un1
Channel 2: u12, (v2, r2), u22, ⋯, un2
⋮
Channel n: u1n, u2n, ⋯, (vn, rn), unn
![Page 161: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/161.jpg)
For Q3 adversary structure
• 2005 Desmedt, Wang, Burmester
Exp-time 1-round PSMT
• 2009 Kurosawa
Poly-time 1-round PSMT
![Page 162: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/162.jpg)
For the details
• Please look at the paper
• ePrint 2009/263
General Error Decodable Secret Sharing
Scheme and Its Application
Kaoru Kurosawa
![Page 163: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/163.jpg)
Summary
• Poly-time 2-round PSMT for n=2t+1
with the trans. rate O(n)
• Poly-time 1-round PSMT
for Q3 adversary structure
![Page 164: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/164.jpg)
Open Problems
It seems that
there are many open problems in this area
because there are
• many variants of this model,
• some parameters to be optimized.
![Page 165: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/165.jpg)
THANK YOU !!
![Page 166: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/166.jpg)
Brief Announcement
on our new result
• ePrint 2010/609
• The Round Complexity of General VSS
Ashish Choudhary
Kaoru Kurosawa
Arpita Patra
![Page 167: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/167.jpg)
Verifiable Secret Sharing (VSS)
• Is a fundamental building block in many distributed cryptographic protocols.
• In this model,
Adversary can corrupt
not only some subset of players
but also the dealer
![Page 168: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/168.jpg)
Even though,
• A unique secret must be reconstructed
• in the reconstruction phase
• no matter how malicious players behave.
![Page 169: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/169.jpg)
STOC 2001
Gennaro, Ishai, Kushilevitz and Rabin
showed that
• 2 round VSS is possible iff n≧4t+1
• 3 round VSS is possible iff n≧3t+1
![Page 170: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/170.jpg)
TCC 2006
Fitzi, Garay, Gollakota, Rangan and Srinathan
• Constructed a poly-time 3-round VSS
for n≧3t+1
![Page 171: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/171.jpg)
We consider general adversary
| | Our result | Previous |
|---|---|---|
| 2-round VSS iff | Γ is Q4 | n≧4t+1 |
| 3-round VSS iff | Γ is Q3 | n≧3t+1 |
![Page 172: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/172.jpg)
As a special case of our VSS
• We can obtain a more efficient
3-round VSS than the VSS of Fitzi et al.
for n = 3t+1
• The communication complexity of the reconstruction phase
is reduced from O(n^3) to O(n^2)
![Page 173: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/173.jpg)
Further
• We point out a flaw in the reconstruction phase of VSS of Fitzi et al.,
• and show how to fix it.
![Page 174: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/174.jpg)
For the details
Please look at the paper
• ePrint 2010/609
• The Round Complexity of General VSS
Ashish Choudhary
Kaoru Kurosawa
Arpita Patra
![Page 175: Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa](https://reader035.vdocuments.net/reader035/viewer/2022062515/56649c7b5503460f9492f03b/html5/thumbnails/175.jpg)
THANK YOU, AGAIN !!