Page 1: Secret Sharing and Cloud Computing WorkshopSecret Sharing and Cloud Computing" Workshop Overview Workshop Organizers Kyushu University, Institute of Mathematics for Industry Prof

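FY2011 (Heisei 23) MEXT Workshop for Collaborative Research between Mathematics and Mathematical Sciences and Other Sciences and Industrial Technologies

"Mathematics of Secret Sharing and Cloud Computing" Workshop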

"Secret Sharing and Cloud Computing"

Workshop

Date and time: June 7 (Tue), 2011 10:00-20:00

Venue: Kyushu University, Institute of Mathematics for Industry

(Building B1, Meeting Room 111, Floor B1)

Organized by: MEXT, Institute of Mathematics for Industry


"Secret Sharing and Cloud Computing" Workshop Overview

Workshop Organizers

Kyushu University, Institute of Mathematics for Industry

Prof. Tsuyoshi Takagi, Assistant Prof. Kirill Morozov

A well-developed and technologically advanced telecommunication infrastructure drives a rapid growth of electronic data exchange. Nowadays, it is common for public and private institutions, as well as industrial companies, to outsource massive electronic databases to storage centers. Cloud computing technology allows users to work with such centers without even knowing their internal structure. However, storing all the data in one center creates a single point of failure and raises privacy and availability concerns, especially with regard to disaster preparedness and recovery. Secret sharing is a cryptographic technology that allows us to address both privacy and availability issues simultaneously.

The "Secret Sharing and Cloud Computing" Workshop was held at the Institute of Mathematics for Industry, Kyushu University, Fukuoka on June 7, 2011. The workshop was co-hosted by the Ministry of Education, Culture, Sports, Science and Technology (MEXT), the Global COE Program Education-and-Research Hub for Mathematics-for-Industry (Kyushu University) and the Institute of Mathematics for Industry. The workshop was attended by a total of 30 participants and featured one plenary talk, 5 invited talks and two tutorials.

The plenary talk was delivered by Professor Yvo Desmedt (University College London), a Fellow of the International Association of Cryptologic Research (IACR), who is a world-renowned expert in cryptography. His presentation focused on applications of secret sharing to secure multiparty computation. The invited talks were arranged in two sessions. The first one had three presentations by researchers from industry. Dr. Yuji Suga (IIJ Japan) described business requirements for secret sharing schemes (SSS) suitable for cloud computing. Dr. Satoshi Obana (NEC) presented his results on protection of SSS against cheaters. Dr. Jun Kurihara (KDDI) introduced a high-performance SSS using exclusive-or. The second session had two presentations by researchers from academia. Assistant professor Maki Yoshida (Osaka University) gave a talk on the possibility of computing on shares with no interaction. Assistant professor Kenji Yasunaga (Tokyo Institute of Technology) presented rational SSS (where the game-theoretic approach is used for security proofs) with constant-round reconstruction. The tutorial presentations, on secret sharing by assistant professor Kirill Morozov (Kyushu University) and on cryptographic techniques for cloud computing by assistant professor Takashi Nishide (Kyushu University), provided the audience with the necessary mathematical background.

Each presentation was met with interest by the audience: several questions and comments were made at the question-and-answer sessions. The breaks and the internal discussion, which followed the public sessions, featured a number of stimulating discussions and exchanges of ideas between the participants. These discussions created new opportunities for introducing advanced mathematical techniques into information security applications involving secret sharing.

The contributed presentations introduced and developed novel mathematical models and techniques, which allow us to enrich the spectrum of services that secret sharing can provide to the users of cloud computing technology. They deepened our understanding of which mathematical tools are required in order to bring the existing theoretical constructions closer to the current industrial needs.

We wish to express our deepest gratitude to the speakers and to all the participants for their contribution to the success of this workshop.


Program

10:00 – 10:10 Opening by MEXT and IMI

10:10 – 12:00 Tutorial Session

10:10 – 11:00 “Introduction to Secret Sharing” Kirill Morozov (Kyushu University)

11:10 – 12:00 “Cryptographic Techniques for Cloud Computing” Takashi Nishide (Kyushu University)

12:00 – 13:30 Lunch

13:30 – 14:30 Plenary Talk

“Secure Multiparty Computation for Cloud Computing” Yvo Desmedt (University College London)

14:30 – 14:40 Break

14:40 – 16:25 Invited Talks I

14:40 – 15:15 “Business Requirements for Applying Secret Sharing Schemes to Cloud Computing” Yuji Suga (Internet Initiative Japan)

15:15 – 15:50 “Efficient Secret Sharing Schemes Secure against Cheating” Satoshi Obana (NEC)

15:50 – 16:25 “An XOR-based High-Speed Secret Sharing” Jun Kurihara (KDDI)

16:25 – 16:40 Break

16:40 – 17:50 Invited Talks II

16:40 – 17:15 “On $d$-Multiplicative Non-perfect Secret Sharing” Maki Yoshida (Osaka University)

17:15 – 17:50 “Rational Secret Sharing with Constant-Round Reconstruction” Kenji Yasunaga (Tokyo Institute of Technology)

17:50 – 18:00 Closing of the public sessions

18:00 – 20:00 Discussion (internal)


Tutorial: Introduction to Secret Sharing

Kirill Morozov

Kyushu University

Secret sharing is a cryptographic technique which allows confidential data to be split (or "shared") among several storage providers. Individually, each provider will learn absolutely nothing about these data (no matter how much computing power it has!). Collectively, a designated group of providers will be able to recover the data.

First, we will present mathematical techniques for constructing secret sharing schemes. Second, we will show applications of secret sharing to improving safety and reliability of cloud storage.


Tutorial: Cryptographic Techniques for Cloud Computing

Takashi Nishide

Kyushu University

In this talk, we briefly review the concept of cloud computing and the benefits we obtain from using it. At the same time, we consider the security risks we encounter if we depend on the cloud without any security mechanisms. Though traditional encryption can solve privacy-related problems that arise in this new context, it is not sufficient for our purposes, so we will need more elaborate functional cryptographic techniques.

We will introduce some cryptographic techniques that play an important role in cloud computing security, such as searchable encryption, proxy re-encryption, attribute-based encryption, homomorphic encryption, and others.


Secure Multiparty Computation for Cloud Computing

Yvo Desmedt

University College London, UK

In February 2011, the Guardian wrote "The speed with which Amazon and PayPal dropped WikiLeaks should be a wake-up call to anyone who thinks that Cloud Computing services can be trusted ...". Moreover, IT Business wrote: "The countrywide Internet blackout Egypt is experiencing may resonate with a lot of Canadian ... businesses especially as more and more companies adopt cloud-based applications ..."

The use of Secure Multiparty Computation would allow a move to a redundant representation of the data to cope with a potential loss of availability. Secret sharing is a key technology that enables secure multiparty computation. In essence, secure multiparty computation computes with shares without the need to reveal data that could leak private information to some of the cloud servers.

In this talk we first give a brief introduction to secure multiparty computation. We compare secure multiparty computation with threshold cryptography from a practical viewpoint. We then discuss how secure multiparty computation could move from a primarily theoretical research topic to one in which practical concerns are addressed.


Business Requirements for Applying Secret Sharing Schemes to Cloud Computing

Yuji Suga

Internet Initiative Japan Inc., Jinbocho Mitsui Bldg. 1-105 Kandajinbo-cho, Chiyoda-ku, 101-0051, Japan

ENTERPRISE REQUIREMENTS

Using cloud technology means entrusting the cloud with the management and processing of various data. For example, it is of concern whether or not the CIA (confidentiality, integrity, availability) of storage in the cloud can be managed appropriately from the user's perspective. This is also a concern we face with existing outsourcing methods, and by making appropriate situational use of the cloud, and enforcing compliance with contractual and operational rules, countermeasures identical to those already in place can be considered [1].

In this talk, we discuss enterprise and system requirements for deployments of security and cryptographic technologies, especially cloud storage solutions with secret sharing schemes. The need for secret sharing schemes derives from privacy concerns in private and enterprise use cases; for example, we are skeptical about depositing our sensitive or private data with untrusted cloud services.

SYSTEM REQUIREMENTS

In deployments of secret sharing schemes in cloud storage, we have to consider new proprietary system requirements: transparency in data flow and lightweightness. When cloud service providers replicate a customer's data to different cloud service providers (Figure 1), one of the providers can unintentionally obtain a qualified set of shares, so we require transparency of the data flow.

Figure 1. Asymmetric Cloud Services

Secondly, we need to reduce cryptographic processing so that the storage service stays comfortable to use in terms of response and operation. In this talk, we consider the data flow model in Figure 2, in which encryption and secret sharing are commutative, where M is plain data, C is the data encrypted from M (using a certain symmetric cipher), and X → {x_i} means that {x_i} are the shares of X obtained by applying a secret sharing scheme.

Figure 2. Data Flow Model

EXTENSION OF A (2, n)-THRESHOLD VSS SCHEME

Now we consider extensions of a (2, n)-threshold VSS scheme, called graph-based access structures. A graph is a pair G = (V, E) consisting of a set V, referred to as the vertex set of G, and a set E of 2-subsets of V, referred to as the edge set of G. Assume that our graph does not contain loops, undirected edges and multiple edges. Two vertices {v_i, v_j} have a common edge if and only if participants can reconstruct the secret from the 2 shares related to {v_i, v_j}. Note that a graph-based access structure scheme with a complete graph (in which any two different vertices have a common edge) is the same as a (2, n)-threshold secret sharing scheme.

In this access structure, we focus on the fact that a fast (k, n)-threshold secret sharing scheme (that uses only XOR operations) [2] and block cipher encryption with the CTR mode (or a stream cipher) are commutative. This characteristic satisfies the second requirement, "lightweightness".

REFERENCES

[1] IIJ, IIR vol.4, 1.4.3 Cloud Computing and Security, http://www.iij.ad.jp/en/development/iir/pdf/iir vol04 infra EN.pdf

[2] J. Kurihara, S. Kiyomoto, K. Fukushima, and T. Tanaka, On a fast (k, n)-threshold secret sharing scheme, IEICE Trans. Fundamentals, vol.91-A, no.9, Sep. 2008.


An XOR-based High-Speed Secret Sharing

Jun Kurihara

KDDI R&D Laboratories, Inc. / Tokyo Institute of Technology

In Shamir's classic (k, n)-threshold scheme, a heavy computational cost is required for share generation and secret reconstruction. Several fast threshold schemes had been proposed as solutions to this problem. However, there had been no fast ideal (k, n)-threshold scheme, where k and n are arbitrary. In this presentation, we introduce an XOR-based construction of (k, n)-threshold scheme, which uses just Exclusive-OR (XOR) operations both for share generation and secret reconstruction. It is proved that this scheme is an ideal secret sharing scheme similar to Shamir's scheme. We moreover show its efficiency in terms of the speed for share generation and secret recovery, and point out the relation between this scheme and coding theory for array codes.

Figure 1: Example of share generation for (k, n) = (2, 3) in our scheme. (Diagram labels: s divided into s1 and s2; r divided into r1 and r2; s0 (dummy), 00…000; shares of Mr. Suzuki, Mr. Honda and Mr. Toyota made by XOR.)

Figure 2: Example of secret reconstruction for (k, n) = (2, 3) in our scheme. (Diagram label: Mr. Suzuki not joined.)

Figure 3: Result of computer simulation for 5MB secret. (Plot: average processing time in seconds, from 10^-1 to 10^3, against (threshold k, number of participants n) = (3,11), (3,59), (3,109), (5,11), (10,11); series: our scheme and Shamir's scheme, each for distribution and recovery.)
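The commutativity of XOR-only sharing and CTR-style encryption stated in the Suga abstract, shown on an XOR-only (2, 3)-threshold split of the kind this abstract describes; this is an added example, not code from either talk. The share layout, the function names, the modelling of share-level encryption, and the SHA-256 counter keystream (a stand-in for CTR mode or a stream cipher) are assumptions.

```python
import hashlib
import secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key, nonce, n):
    # Stand-in for CTR mode / a stream cipher (assumption): SHA-256 over a counter.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def share_2of3(secret, r0, r1):
    # XOR-only (2, 3) split of an even-length secret s1 || s2 (hypothetical layout).
    h = len(secret) // 2
    s1, s2 = secret[:h], secret[h:]
    return [(r0, xor(r1, s1)),
            (xor(r0, s2), r1),
            (xor(r0, s1), xor(r1, s2))]

def recover_2of3(i, wi, j, wj):
    # Rebuild s1 || s2 from shares i < j using XOR only.
    if (i, j) == (0, 1):
        s1, s2 = xor(wi[1], wj[1]), xor(wi[0], wj[0])
    elif (i, j) == (0, 2):
        s1 = xor(wi[0], wj[0])
        s2 = xor(xor(wi[1], s1), wj[1])
    elif (i, j) == (1, 2):
        s2 = xor(wi[1], wj[1])
        s1 = xor(xor(wi[0], s2), wj[0])
    else:
        raise ValueError("need two distinct shares with i < j")
    return s1 + s2

def commutes(m, key, nonce):
    # Returns (shares match on both paths, plaintext recovered from 2 shares).
    h = len(m) // 2
    r0, r1 = secrets.token_bytes(h), secrets.token_bytes(h)
    ks = keystream(key, nonce, len(m))
    # Path A: encrypt M to C, then share C.
    path_a = share_2of3(xor(m, ks), r0, r1)
    # Path B: share M, then XOR each piece with the keystream's zero-randomness share.
    ks_sh = share_2of3(ks, bytes(h), bytes(h))
    path_b = [(xor(w[0], k[0]), xor(w[1], k[1]))
              for w, k in zip(share_2of3(m, r0, r1), ks_sh)]
    c = recover_2of3(1, path_b[1], 2, path_b[2])
    return path_a == path_b, xor(c, ks) == m

SAMPLE = b"constructed 32-byte sample data!"  # constructed input, even length
```

Both orders of operation yield identical shares because the split is linear over XOR, so the keystream can be applied before or after sharing without extra cipher work per share.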


On $d$-Multiplicative Non-perfect Secret Sharing

Maki Yoshida

Osaka University

An important issue of secret sharing is to characterize the $d$-multiplicative schemes. For the perfect schemes, it has been proved that $d$-multiplicative secret sharing is impossible if some $d$ non-access subsets of players cover the whole set of players.

In this presentation, we extend this result to the non-perfect schemes. Specifically, we prove that $d$-multiplicative secret sharing is impossible if some $d$ semi-access and/or non-access subsets cover the whole set of players.

Our result indicates that there is no need to relax the privacy requirement only for the purpose of realizing the $d$-multiplicative property.

Fig.1. d-Multiplicative Secret Sharing

Fig.2. Overview of our work


Rational Secret Sharing with Constant-Round Reconstruction

Kenji Yasunaga

Tokyo Institute of Technology

We consider the problem of rational secret sharing, in which players behave rationally in a game-theoretic sense. The payoff of players is characterized as follows: they want to learn the secret, and want fewer players to learn the secret. In the presence of rational players, conventional secret sharing may not work. We propose a construction of rational secret sharing with constant-round reconstruction. Our protocol can be based on any rational secret-sharing protocol. If an underlying sub-protocol achieves a strict Nash equilibrium, the resulting protocol also achieves a strict Nash equilibrium. Our construction also preserves the coalition resilience and the immunity to malicious players.
