Robust Secret Sharing Schemes Against Local Adversaries

Robust Secret Sharing Schemes
Against Local Adversaries
Allison Bishop Lewko
Valerio Pastro
Columbia University
April 2, 2015
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
1 / 22
Secret Sharing (Informal)
(Share, Rec) pair of algorithms:
s
Share
/ (s1 , . . . , sn ) /s
Rec
t-privacy:
s1 , . . . , st
⇒
no info on s
r -reconstructability:
s1 , . . . , sr
⇒
s uniquely determined
For threshold schemes: r = t + 1.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
2 / 22
Example: Shamir Secret Sharing [Sha79]
F field, public x1 , . . . , xn ∈ F.
Shamir.Sharet (s):
1
2
3
4
pick uniform a1 , . . . , at ∈ F
P
define polynomial f (X ) := s + tj=1 aj X j ∈ F[X ]
compute si ← f (xi )
output (s1 , . . . , sn )
Shamir.Rect (s1 , . . . , sn ):
1 Lagrange interpolation to recover f (X )
2 output f (0)
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
3 / 22
Robust Secret Sharing – Standard Model
(Share, Rec) Secret Sharing, (t, δ)-robust: for any Adv,
s
Share
/ (s1 , . . . , st , st+1 , . . . , sn )
_
(se1 ,...,set )=Adv(s1 ,...,st )
(se1 , . . . , set , st+1 , . . . , sn ) Rec
/ s0
Pr[s 0 6= s] ≤ δ
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
4 / 22
Robust Secret Sharing – with Local Adversaries
(Share, Rec) Secret Sharing, locally (t, δ)-robust: for any Adv1 , . . . , Advt ,
s
Share
/ (s1 , . . . , st , st+1 , . . . , sn )
_
se1 =Adv1 (s1 ),...,set =Advt (st )
(se1 , . . . , set , st+1 , . . . , sn ) Rec
/ s0
Pr[s 0 6= s] ≤ δ
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
5 / 22
Does Locality Make Sense?
It captures the following:
Pre-Game: Players talk to each other, set their actions
Game:
Players are given private inputs
Players run protocol without revealing inputs to others
Output of protocol is set
Post-Game: Players talk to each other again, possibly revealing inputs
Similar to collusion-free protocols [LMs05].
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
6 / 22
Locality – Possible Scenarios
Corrupt parties unwilling to coordinate (e.g. different goals)
Corrupt parties oblivious about existence of each other
Network with (independently) faulty channels
Data is required to travel fast, coordination impossible
...
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
7 / 22
Locality – Related Work
Interactive Proofs:
Multi-prover interactive proofs:
MIP=NEXP, [BFL91] (IP=PSPACE, [Sha92])
Multi-party Computation:
Collusion-free protocols [LMs05, AKL+ 09, AKMZ12]
Local UC [CV12]
Leakage-resilient crypto:
Split secret state and independent leakage [DP08]
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
8 / 22
Facts about Robust Secret Sharing
Easy
0
n/3
Tricky
n/2
Impossible
t
t < n/3:
perfect robustness (δ = 0)
no share size overhead (|si | = |s| =: m)
e.g. Shamir share + Reed-Solomon decoding
RS decodes up to (n − t)/2 > (3 · t − t)/2 = t errors
n/3 ≤ t < n/2:
tricky!
no perfect robustness (δ = 2−k ) [Cev11]
shares larger than secret (|si | > m) [Cev11]
All of the above: independent of standard/local adv. model
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
9 / 22
The Tricky Case
The trickiest case: n = 2 · t + 1.
Analysis of |si |:
m+k
e + n)
m + O(k
lower bound
[CSV93]
best eff. construction
[CFOR12]
standard
gap n /
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
10 / 22
The Tricky Case
The trickiest case: n = 2 · t + 1.
Analysis of |si |:
m+k
e + n)
m + O(k
lower bound
[CSV93]
best eff. construction
[CFOR12]
standard
gap n /
e
m + k − 4 ∼ m + O(k)
local adv.
Our result:
lower bound & eff. construction
(essentially) match. ,
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
10 / 22
Our Construction1
Previous Constructions
Privacy: Shamir secret sharing, degree=t
Robustness: one-time MAC, O(n) keys per player.
⇒ |si | inherent depends (at least) linearly on n
Our Construction
Privacy: Shamir secret sharing, degree=t
Robustness: one-time MAC, one key only.
1
Conceptually simpler; thanks to Daniel Wichs for fruitful discussions.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
11 / 22
In Detail
Share(s):
1
2
3
4
5
sample MAC key z ∈ X
(s1 , . . . , sn ) ← Shamir.Sharet (s)
(z1 , . . . , zn ) ← Shamir.Share1 (z)
ti ← MACz (si )
output Si = (si , zi , ti ) to Pi
Rec(S1 , . . . , Sn ):
1
2
3
z ← RS.Rec1 (z1 , . . . , zn )
set i ∈ G if ti = MACz (si )
s ← Shamir.Rect (sG )
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
12 / 22
Privacy – Proof Intuition
Share(s):
1
2
3
4
5
t-privacy:
sample MAC key z ∈ X
(s1 , . . . , sn ) ← Shamir.Sharet (s)
(z1 , . . . , zn ) ← Shamir.Share1 (z)
ti ← MACz (si )
output Si = (si , zi , ti ) to Pi
z uniform, independent of s, s1 , . . . , sn
s1 , . . . , st give no info on s, (privacy of Shamir.Sharet )
t1 , . . . , tt functions only of z, s1 , . . . , st
⇒ S1 , . . . , St give no info on s
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
13 / 22
Robustness – Proof Intuition
Rec(S1 , . . . , Sn ):
1
2
3
z ← RS.Rec1 (z1 , . . . , zn )
set i ∈ G if ti = MACz (si )
s ← Shamir.Rect (sG )
(t, δ)-robustness:
z correct, because RS.Rec1 decodes up to
(n − 1)/2 = (2t + 1 − 1)/2 = t errors
Advi sees only si , zi , ti
⇒ no info on z (privacy of Shamir.Share1 )
MAC ε-secure
⇒ Pr[i ∈ G | sei 6= si ] ≤ ε
⇒ Pr[G ⊆ H ∪ P] ≥ 1 − t · ε
⇒ δ ≤t ·ε
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
14 / 22
Possible MAC and Overhead Analysis
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
15 / 22
Possible MAC and Overhead Analysis
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
15 / 22
Possible MAC and Overhead Analysis
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
15 / 22
Possible MAC and Overhead Analysis
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
e
Set c = k + log(t · m) = O(k)
⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c −1 ≤ 2−k
e
Overhead: |z| + |ti | = 2c + c = 3c = O(k)
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
15 / 22
Possible MAC and Overhead Analysis
Remember: δ ≤ t · ε
Assume: m = |s|,
2 · c = |z|,
c = |ti |,
m =2·d ·c
MAC : (F2c )2 ×
F2m
→ F2c
Pd
l
(a, b),
(m1 , . . . , md ) 7→
l=1 a · ml + b.
Fact: MAC is ε = d · 2−c -secure.
⇒ construction is δ = t · ε = t · d · 2−c = t · m · 2−c−1 · c −1 -secure.
e
Set c = k + log(t · m) = O(k)
⇒ δ ≤ t · m · 2−k−log(t·m)−1 · c −1 ≤ 2−k
e
Overhead: |z| + |ti | = 2c + c = 3c = O(k)
,
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
15 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
16 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
What we do: prove a stronger result!
Scheme (t, 2−k )-robust against oblivious advs ⇒ |si | ≥ m + k − 4
local adv:
oblivious adv:
sei = Advi (si )
sei = Advi (∅)
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
16 / 22
Optimality of Construction
Want to show:
Scheme (t, 2−k )-robust against local advs ⇒ |si | ≥ m + k − 4
What we do: prove a stronger result!
Scheme (t, 2−k )-robust against oblivious advs ⇒ |si | ≥ m + k − 4
local adv:
oblivious adv:
sei = Advi (si )
sei = Advi (∅)
Proof structure:
1
define an oblivious attack
2
link success of attack with share size
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
16 / 22
The Attack
Let st+1 be the shortest share.
Specifications:
“decide” whether to corrupt P1 , . . . , Pt (L) or Pt+2 , . . . , Pn (R)
sample secret e
s ← M, randomness e
r ←R
run (se1 , . . . , sen ) ← Share(e
s, e
r)
if L, submit se1 , . . . , set ; if R, submit sg
t+2 , . . . , sen
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
17 / 22
The Attack
Let st+1 be the shortest share.
Specifications:
“decide” whether to corrupt P1 , . . . , Pt (L) or Pt+2 , . . . , Pn (R)
sample secret e
s ← M, randomness e
r ←R
run (se1 , . . . , sen ) ← Share(e
s, e
r)
if L, submit se1 , . . . , set ; if R, submit sg
t+2 , . . . , sen
Intuition: hope that corrupt shares & st+1 consistent with dishonest secret.


partial sharing of s L
}|
{

z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  = ?
|
{z
}
partial sharing of s R
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
17 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
RSSS & Loc Advs
April 2, 2015
18 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
Label edge with L (resp. R) if:
R , . . . , s R ) 6= s R resp. 6= s L )
Rec(s1L , . . . , stL , y , st+2
n
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
RSSS & Loc Advs
April 2, 2015
18 / 22
The Decision
Intuitively: find out whether L is more promising than R.
Graph: (s L , r L ) connected to (s R , r R ) if:
Share(s L , r L )t+1 = y = Share(s R , r R )t+1 , and s L 6= s R
Label edge with L (resp. R) if:
R , . . . , s R ) 6= s R resp. 6= s L )
Rec(s1L , . . . , stL , y , st+2
n
Decide L if #L-edges ≥ #R-edges.
(s L , r L )
Lewko, Pastro (Columbia)
(s R , r R )
RSSS & Loc Advs
April 2, 2015
18 / 22
The Success (WLOG assume L)
sL
}|
{
z
s1 , . . . , st , st+1 , st+2 , . . . , sn
| {z } |
{z
}
e
s
Lewko, Pastro (Columbia)
sR
RSSS & Loc Advs
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
Lewko, Pastro (Columbia)
sR
RSSS & Loc Advs
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
sR
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
RSSS & Loc Advs
April 2, 2015
19 / 22
The Success (WLOG assume L)


sL
}|
{
z
Rec s1 , . . . , st , st+1 , st+2 , . . . , sn  6= s R
| {z } |
{z
}
e
s
sR
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
L
δ = 2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
19 / 22
Mass Distribution
For a1 , . . . , at+1 ,
let Ba1 ,...,at+1 = {(s L , r L ) | Share(s L , r L ){1,...,t+1} = a1 , . . . , at+1 },
let Aa1 ,...,at+1 = {(e
s, e
r ) | Share(e
s, e
r ){1,...,t} = a1 , . . . , at }.
Fact 1∗ : by reconstructability, (s 0 , r 0 ), (s 00 , r 00 ) ∈ Ba1 ,...,at+1 ⇒ s 0 = s 00 .
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
RSSS & Loc Advs
April 2, 2015
20 / 22
Mass Distribution
For a1 , . . . , at+1 ,
let Ba1 ,...,at+1 = {(s L , r L ) | Share(s L , r L ){1,...,t+1} = a1 , . . . , at+1 },
let Aa1 ,...,at+1 = {(e
s, e
r ) | Share(e
s, e
r ){1,...,t} = a1 , . . . , at }.
Fact 1∗ : by reconstructability, (s 0 , r 0 ), (s 00 , r 00 ) ∈ Ba1 ,...,at+1 ⇒ s 0 = s 00 .
Fact 2: by privacy, |Aa1 ,...,at+1 | ≥ 2m · |Ba1 ,...,at+1 |.
(s L , r L )
(e
s, e
r)
Share(e
s, e
r ){1,...,t} = Share(s L , r L ){1,...,t}
Lewko, Pastro (Columbia)
(s R , r R )
Share(s L , r L )t+1 = Share(s R , r R )t+1
RSSS & Loc Advs
April 2, 2015
20 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
at+1
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
|st+1 | ≥ m + k − 1
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
21 / 22
Putting Things Together – Intuition
Actual analysis needs more correcting factors (loss of ∼ 4 bits).
L
2−k ≥ Pr (es ,er ,s R ,r R ) [∃(s L , r L ) | (e
s, e
r )—(s L , r L )—(s R , r R )]
(Fact 1&2)
L
≥ 2m · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
≥ 2m−1 · Pr (s L ,r L ,s R ,r R ) [(s L , r L )—(s R , r R )]
X
≥ 2m−1 ·
Pr (s L ,r L ,s R ,r R ) [Share(s L , r L ) = at+1 , Share(s R , r R ) = at+1 ]
at+1
m−1
≥2
·
X
Pr (s,r ) [Share(s, r ) = at+1 ]2
(Cauchy-Schwarz)
at+1
!2
m−1
≥2
·2
−|st+1 |
X
Pr (s,r ) [Share(s, r ) = at+1 ] · 1
at+1
= 2m−1 · 2−|st+1 |
|st+1 | ≥ m + k − 1
Lewko, Pastro (Columbia)
RSSS & Loc Advs
,
April 2, 2015
21 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
NEW: local adv.
Lewko, Pastro (Columbia)
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
RSSS & Loc Advs
m+k
April 2, 2015
22 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
NEW: local adv.
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
m+k
Future:
Locality in more complicated settings:
I
I
info theoretic MPC: circumvent lower bounds?
general MPC: more eff/practical protocols?
standard RSSS: lower bound & construction matching?
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
Conclusion
Robust SS with n = 2 · t + 1 players, eff. reconstruction. Share size:
model
standard
NEW: local adv.
construction
e + k)
m + O(n
lower bound
e
m + O(k)
m+k −4
m+k
Future:
Locality in more complicated settings:
I
I
info theoretic MPC: circumvent lower bounds?
general MPC: more eff/practical protocols?
standard RSSS: lower bound & construction matching?
Thanks!
https://eprint.iacr.org/2014/909
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
Jo¨el Alwen, Jonathan Katz, Yehuda Lindell, Giuseppe Persiano, abhi
shelat, and Ivan Visconti.
Collusion-free multiparty computation in the mediated model.
In Shai Halevi, editor, Advances in Cryptology - CRYPTO 2009, 29th
Annual International Cryptology Conference, Santa Barbara, CA,
USA, August 16-20, 2009. Proceedings, volume 5677 of Lecture Notes
in Computer Science, pages 524–540. Springer, 2009.
Jo¨el Alwen, Jonathan Katz, Ueli Maurer, and Vassilis Zikas.
Collusion-preserving computation.
In Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in
Cryptology - CRYPTO 2012 - 32nd Annual Cryptology Conference,
Santa Barbara, CA, USA, August 19-23, 2012. Proceedings, volume
7417 of Lecture Notes in Computer Science, pages 124–143. Springer,
2012.
L´aszl´o Babai, Lance Fortnow, and Carsten Lund.
Non-deterministic exponential time has two-prover interactive
protocols.
Computational Complexity, 1:3–40, 1991.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
Alfonso Cevallos.
Reducing the share size in robust secret sharing.
http://www.algant.eu/documents/theses/cevallos.pdf, 2011.
Alfonso Cevallos, Serge Fehr, Rafail Ostrovsky, and Yuval Rabani.
Unconditionally-secure robust secret sharing with compact shares.
In David Pointcheval and Thomas Johansson, editors, EUROCRYPT,
volume 7237 of Lecture Notes in Computer Science, pages 195–208.
Springer, 2012.
Marco Carpentieri, Alfredo De Santis, and Ugo Vaccaro.
Size of shares and probability of cheating in threshold schemes.
In Tor Helleseth, editor, Advances in Cryptology - EUROCRYPT ’93,
Workshop on the Theory and Application of of Cryptographic
Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings, volume
765 of Lecture Notes in Computer Science, pages 118–125. Springer,
1993.
Ran Canetti and Margarita Vald.
Universally composable security with local adversaries.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
In Ivan Visconti and Roberto De Prisco, editors, Security and
Cryptography for Networks - 8th International Conference, SCN 2012,
Amalfi, Italy, September 5-7, 2012. Proceedings, volume 7485 of
Lecture Notes in Computer Science, pages 281–301. Springer, 2012.
Stefan Dziembowski and Krzysztof Pietrzak.
Leakage-resilient cryptography.
In 49th Annual IEEE Symposium on Foundations of Computer
Science, FOCS 2008, October 25-28, 2008, Philadelphia, PA, USA,
pages 293–302. IEEE Computer Society, 2008.
Matt Lepinski, Silvio Micali, and abhi shelat.
Collusion-free protocols.
In Harold N. Gabow and Ronald Fagin, editors, Proceedings of the
37th Annual ACM Symposium on Theory of Computing, Baltimore,
MD, USA, May 22-24, 2005, pages 543–552. ACM, 2005.
Adi Shamir.
How to share a secret.
Commun. ACM, 22(11):612–613, 1979.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
Adi Shamir.
IP = PSPACE.
J. ACM, 39(4):869–877, 1992.
Lewko, Pastro (Columbia)
RSSS & Loc Advs
April 2, 2015
22 / 22
`