 # Robust Secret Sharing Schemes Against Local Adversaries

```Robust Secret Sharing Schemes
Allison Bishop Lewko
Valerio Pastro
Columbia University
April 2, 2015
Lewko, Pastro (Columbia)
April 2, 2015
1 / 22
Secret Sharing (Informal)
(Share, Rec) pair of algorithms:
s
Share
/ (s1 , . . . , sn ) /s
Rec
t-privacy:
s1 , . . . , st
⇒
no info on s
r -reconstructability:
s1 , . . . , sr
⇒
s uniquely determined
For threshold schemes: r = t + 1.
Lewko, Pastro (Columbia)
April 2, 2015
2 / 22
Example: Shamir Secret Sharing [Sha79]
F field, public x1 , . . . , xn ∈ F.
Shamir.Sharet (s):
1
2
3
4
pick uniform a1 , . . . , at ∈ F
P
define polynomial f (X ) := s + tj=1 aj X j ∈ F[X ]
compute si ← f (xi )
output (s1 , . . . , sn )
Shamir.Rect (s1 , . . . , sn ):
1 Lagrange interpolation to recover f (X )
2 output f (0)
Lewko, Pastro (Columbia)
April 2, 2015
3 / 22
Robust Secret Sharing – Standard Model
(Share, Rec) Secret Sharing, (t, δ)-robust: for any Adv,
s
Share
/ (s1 , . . . , st , st+1 , . . . , sn )
_
(se1 , . . . , set , st+1 , . . . , sn ) Rec
/ s0
Pr[s 0 6= s] ≤ δ
Lewko, Pastro (Columbia)
April 2, 2015
4 / 22
Robust Secret Sharing – with Local Adversaries
(Share, Rec) Secret Sharing, locally (t, δ)-robust: for any Adv1 , . . . , Advt ,
s
Share
/ (s1 , . . . , st , st+1 , . . . , sn )
_
(se1 , . . . , set , st+1 , . . . , sn ) Rec
/ s0
Pr[s 0 6= s] ≤ δ
Lewko, Pastro (Columbia)
April 2, 2015
5 / 22
Does Locality Make Sense?
It captures the following:
Pre-Game: Players talk to each other, set their actions
Game:
Players are given private inputs
Players run protocol without revealing inputs to others
Output of protocol is set
Post-Game: Players talk to each other again, possibly revealing inputs
Similar to collusion-free protocols [LMs05].
Lewko, Pastro (Columbia)
April 2, 2015
6 / 22
Locality – Possible Scenarios
Corrupt parties unwilling to coordinate (e.g. different goals)
Corrupt parties oblivious about existence of each other
Network with (independently) faulty channels
Data is required to travel fast, coordination impossible
...
Lewko, Pastro (Columbia)
April 2, 2015
7 / 22
Locality – Related Work
Interactive Proofs:
Multi-prover interactive proofs:
MIP=NEXP, [BFL91] (IP=PSPACE, [Sha92])
Multi-party Computation:
Collusion-free protocols [LMs05, AKL+ 09, AKMZ12]
Local UC [CV12]
Leakage-resilient crypto:
Split secret state and independent leakage [DP08]
Lewko, Pastro (Columbia)
April 2, 2015
8 / 22
Easy
0
n/3
Tricky
n/2
Impossible
t
t < n/3:
perfect robustness (δ = 0)
no share size overhead (|si | = |s| =: m)
e.g. Shamir share + Reed-Solomon decoding
RS decodes up to (n − t)/2 > (3 · t − t)/2 = t errors
n/3 ≤ t < n/2:
tricky!
no perfect robustness (δ = 2−k ) [Cev11]
shares larger than secret (|si | > m) [Cev11]
All of the above: independent of standard/local adv. model
Lewko, Pastro (Columbia)
April 2, 2015
9 / 22
The Tricky Case
The trickiest case: n = 2 · t + 1.
Analysis of |si |:
m+k
e + n)
m + O(k
lower bound
[CSV93]
best eff. construction
[CFOR12]
standard
gap n /
Lewko, Pastro (Columbia)
April 2, 2015
10 / 22
The Tricky Case
The trickiest case: n = 2 · t + 1.
Analysis of |si |:
m+k
e + n)
m + O(k
lower bound
[CSV93]
best eff. construction
[CFOR12]
standard
gap n /
e
m + k − 4 ∼ m + O(k)
Our result:
lower bound & eff. construction
(essentially) match. ,
Lewko, Pastro (Columbia)
April 2, 2015
10 / 22
Our Construction1
Previous Constructions
Privacy: Shamir secret sharing, degree=t
Robustness: one-time MAC, O(n) keys per player.
⇒ |si | inherent depends (at least) linearly on n
Our Construction
Privacy: Shamir secret sharing, degree=t
Robustness: one-time MAC, one key only.
1
Conceptually simpler; thanks to Daniel Wichs for fruitful discussions.
Lewko, Pastro (Columbia)
April 2, 2015
11 / 22
In Detail
Share(s):
1
2
3
4
5
sample MAC key z ∈ X
(s1 , . . . , sn ) ← Shamir.Sharet (s)
(z1 , . . . , zn ) ← Shamir.Share1 (z)
ti ← MACz (si )
output Si = (si , zi , ti ) to Pi
Rec(S1 , . . . , Sn ):
1
2
3
z ← RS.Rec1 (z1 , . . . , zn )
set i ∈ G if ti = MACz (si )
s ← Shamir.Rect (sG )
Lewko, Pastro (Columbia)
April 2, 2015
12 / 22
Privacy – Proof Intuition
Share(s):
1
2
3
4
5
t-privacy:
sample MAC key z ∈ X
(s1 , . . . , sn ) ← Shamir.Sharet (s)
(z1 , . . . , zn ) ← Shamir.Share1 (z)
ti ← MACz (si )
output Si = (si , zi , ti ) to Pi
z uniform, independent of s, s1 , . . . , sn
s1 , . . . , st give no info on s, (privacy of Shamir.Sharet )
t1 , . . . , tt functions only of z, s1 , . . . , st
⇒ S1 , . . . , St give no info on s
Lewko, Pastro (Columbia)
April 2, 2015
13 / 22
Robustness – Proof Intuition
Rec(S1 , . . . , Sn ):
1
2
3
z ← RS.Rec1 (z1 , . . . , zn )
set i ∈ G if ti = MACz (si )
s ← Shamir.Rect (sG )
(t, δ)-robustness:
z correct, because RS.Rec1 decodes up to
(n − 1)/2 = (2t + 1 − 1)/2 = t errors
Advi sees only si , zi , ti
⇒ no info on z (privacy of Shamir.Share1 )
MAC ε-secure
⇒ Pr[i ∈ G | sei 6= si ] ≤ ε
⇒ Pr[G ⊆ H ∪ P] ≥ 1 − t · ε
⇒ δ ≤t ·ε
Lewko, Pastro (Columbia)
April 2, 2015
14 / 22
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Lewko, Pastro (Columbia)
April 2, 2015
15 / 22
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
Lewko, Pastro (Columbia)
April 2, 2015
15 / 22
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
Lewko, Pastro (Columbia)
April 2, 2015
15 / 22
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
e
Set c = k + log(t · m) = O(k)
⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c −1 ≤ 2−k
e
Overhead: |z| + |ti | = 2c + c = 3c = O(k)
Lewko, Pastro (Columbia)
April 2, 2015
15 / 22
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
e
Set c = k + log(t · m) = O(k)
⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c −1 ≤ 2−k
e
Overhead: |z| + |ti | = 2c + c = 3c = O(k)
,
Lewko, Pastro (Columbia)
April 2, 2015
15 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
Lewko, Pastro (Columbia)
April 2, 2015
16 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
What we do: prove a stronger result!
Scheme (t, 2−k )-robust against oblivious advs ⇒ |si | ≥ m + k − 4
Lewko, Pastro (Columbia)
April 2, 2015
16 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
What we do: prove a stronger result!
Scheme (t, 2−k )-robust against oblivious advs ⇒ |si | ≥ m + k − 4
Proof structure:
1
define an oblivious attack
2
link success of attack with share size
Lewko, Pastro (Columbia)
April 2, 2015
16 / 22
The Attack
Let st+1 be the shortest share.
Specifications:
“decide” whether to corrupt P1 , . . . , Pt (L) or Pt+2 , . . . , Pn (R)
sample secret e
s ← M, randomness e
r ←R
run (se1 , . . . , sen ) ← Share(e
s, e
r)
if L, submit se1 , . . . , set ; if R, submit sg
t+2 , . . . , sen
Lewko, Pastro (Columbia)
April 2, 2015
17 / 22
The Attack
Let st+1 be the shortest share.
Specifications:
“decide” whether to corrupt P1 , . . . , Pt (L) or Pt+2 , . . . , Pn (R)
sample secret e
s ← M, randomness e
r ←R
run (se1 , . . . , sen ) ← Share(e
s, e
r)
if L, submit se1 , . . . , set ; if R, submit sg
t+2 , . . . , sen
Intuition: hope that corrupt shares & st+1 consistent with dishonest secret.


partial sharing of s L
}|
{

z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  = ?
|
{z
}
partial sharing of s R
Lewko, Pastro (Columbia)
April 2, 2015
17 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
April 2, 2015
18 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
Label edge with L (resp. R) if:
R , . . . , s R ) 6= s R resp. 6= s L )
Rec(s1L , . . . , stL , y , st+2
n
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
April 2, 2015
18 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
Label edge with L (resp. R) if:
R , . . . , s R ) 6= s R resp. 6= s L )
Rec(s1L , . . . , stL , y , st+2
n
Decide L if #L-edges ≥ #R-edges.
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
April 2, 2015
18 / 22
The Success (WLOG assume L)
sL
}|
{
z
s1 , . . . , st , st+1 , st+2 , . . . , sn
| {z } |
{z
}
e
s
Lewko, Pastro (Columbia)
sR
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
Lewko, Pastro (Columbia)
sR
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
sR
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
sR
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
L
δ = 2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
April 2, 2015
19 / 22
Mass Distribution
For a1 , . . . , at+1 ,
let Ba1 ,...,at+1 = {(s L , r L ) | Share(s L , r L ){1,...,t+1} = a1 , . . . , at+1 },
let Aa1 ,...,at+1 = {(e
s, e
r ) | Share(e
s, e
r ){1,...,t} = a1 , . . . , at }.
Fact 1∗ : by reconstructability, (s 0 , r 0 ), (s 00 , r 00 ) ∈ Ba1 ,...,at+1 ⇒ s 0 = s 00 .
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
April 2, 2015
20 / 22
Mass Distribution
For a1 , . . . , at+1 ,
let Ba1 ,...,at+1 = {(s L , r L ) | Share(s L , r L ){1,...,t+1} = a1 , . . . , at+1 },
let Aa1 ,...,at+1 = {(e
s, e
r ) | Share(e
s, e
r ){1,...,t} = a1 , . . . , at }.
Fact 1∗ : by reconstructability, (s 0 , r 0 ), (s 00 , r 00 ) ∈ Ba1 ,...,at+1 ⇒ s 0 = s 00 .
Fact 2: by privacy, |Aa1 ,...,at+1 | ≥ 2m · |Ba1 ,...,at+1 |.
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
April 2, 2015
20 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
at+1
Lewko, Pastro (Columbia)
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
Lewko, Pastro (Columbia)
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
|st+1 | ≥ m + k − 1
Lewko, Pastro (Columbia)
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
|st+1 | ≥ m + k − 1
Lewko, Pastro (Columbia)
,
April 2, 2015
21 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
Lewko, Pastro (Columbia)
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
m+k
April 2, 2015
22 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
m+k
Future:
Locality in more complicated settings:
I
I
info theoretic MPC: circumvent lower bounds?
general MPC: more eff/practical protocols?
standard RSSS: lower bound & construction matching?
Lewko, Pastro (Columbia)
April 2, 2015
22 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
m+k
Future:
Locality in more complicated settings:
I
I
info theoretic MPC: circumvent lower bounds?
general MPC: more eff/practical protocols?
standard RSSS: lower bound & construction matching?
Thanks!
https://eprint.iacr.org/2014/909
Lewko, Pastro (Columbia)
April 2, 2015
22 / 22
Jo¨el Alwen, Jonathan Katz, Yehuda Lindell, Giuseppe Persiano, abhi
shelat, and Ivan Visconti.
Collusion-free multiparty computation in the mediated model.
In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, 29th
Annual International Cryptology Conference, Santa Barbara, CA,
USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes
in Computer Science, pages 524–540. Springer, 2009.
Jo¨el Alwen, Jonathan Katz, Ueli Maurer, and Vassilis Zikas.
Collusion-preserving computation.
In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in
Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference,
Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume
7417 of Lecture Notes in Computer Science, pages 124–143. Springer,
2012.
L´aszl´o Babai, Lance Fortnow, and Carsten Lund.
Non-deterministic exponential time has two-prover interactive
protocols.
Computational Complexity, 1:3–40, 1991.
Lewko, Pastro (Columbia)
April 2, 2015
22 / 22
Alfonso Cevallos.
Reducing the share size in robust secret sharing.
http://www.algant.eu/documents/theses/cevallos.pdf, 2011.
Alfonso Cevallos, Serge Fehr, Rafail Ostrovsky, and Yuval Rabani.
Unconditionally-secure robust secret sharing with compact shares.
In David Pointcheval and Thomas Johansson, editors, EUROCRYPT,
volume 7237 of Lecture Notes in Computer Science, pages 195–208.
Springer, 2012.
Marco Carpentieri, Alfredo De Santis, and Ugo Vaccaro.
Size of shares and probability of cheating in threshold schemes.
In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT ’93,
Workshop on the Theory and Application of of Cryptographic
Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, volume
765 of Lecture Notes in Computer Science, pages 118–125. Springer,
1993.
Ran Canetti and Margarita Vald.
Universally composable security with local adversaries.
Lewko, Pastro (Columbia)
April 2, 2015
22 / 22
In Ivan Visconti and Roberto De Prisco, editors, Security and
Cryptography for Networks - 8th International Conference, SCN 2012,
Amalfi, Italy, September 5-7, 2012. Proceedings, volume 7485 of
Lecture Notes in Computer Science, pages 281–301. Springer, 2012.
Stefan Dziembowski and Krzysztof Pietrzak.
Leakage-resilient cryptography.
In 49th Annual IEEE Symposium on Foundations of Computer
Science, FOCS 2008, October 25-28, 2008, Philadelphia, PA, USA,
pages 293–302. IEEE Computer Society, 2008.
Matt Lepinski, Silvio Micali, and abhi shelat.
Collusion-free protocols.
In Harold N. Gabow and Ronald Fagin, editors, Proceedings of the
37th Annual ACM Symposium on Theory of Computing, Baltimore,
MD, USA, May 22-24, 2005, pages 543–552. ACM, 2005.
How to share a secret.
Commun. ACM, 22(11):612–613, 1979.
Lewko, Pastro (Columbia)