Unless specifically indicated herein, the approaches described in this section should not be construed as prior art to the claims of the present application and are not admitted to be prior art by inclusion in this section.
Secret sharing is a cryptographic scheme that allows a party, referred to as a dealer, to distribute a secret among a group of other parties, referred to as receivers, in a secure manner. Secret sharing proceeds according to two phases: a sharing phase during which the dealer divides the secret into a number of shares and provides a share to each receiver, and a reconstruction phase during which some subset of receivers attempt to reconstruct (and thereby reveal) the secret by combining their respective shares. The shares are designed such that no receiver can learn anything regarding the secret solely from his/her individual share, but the secret can be reconstructed if a sufficient number or permutation of receivers combine their shares.
According to one type of secret sharing scheme known as (t,n) threshold secret sharing, at least t out of n total receivers must agree to reveal the secret in order to reconstruct it using their respective shares. In other words, any subset of t or more receivers can reconstruct the secret by combining their shares, whereas no subset of fewer than t receivers can.
According to another type of secret sharing scheme known as general access structure secret sharing (GAS-SS), the dealer defines the specific subsets of receivers that are authorized to reconstruct the secret using their shares. These subsets of receivers are referred to as qualified sets. For example, consider a secret sharing scenario with a total of five receivers R1, R2, R3, R4, and R5. In this scenario, the dealer may define three qualified sets (R1,R3,R5), (R1,R3,R4), and (R2,R5) such that only these subsets of receivers may combine their shares to successfully reconstruct the secret during the reconstruction phase. Any other subset, such as (R1,R2,R3), will not be able to do so.
GAS-SS is relevant to many real-world applications where different receivers may have different levels of privilege/authorization with respect to their ability to reconstruct the secret. However, an issue with existing GAS-SS implementations is that they generally rely on complex and expensive cryptographic primitives, resulting in high resource overhead and/or slow performance.
In the following description, for purposes of explanation, numerous examples and details are set forth in order to provide an understanding of various embodiments. It will be evident, however, to one skilled in the art that certain embodiments can be practiced without some of these details or can be practiced with modifications or equivalents thereof.
Embodiments of the present disclosure are directed to an improved general access structure secret sharing (GAS-SS) scheme that leverages an authentic garbled circuit protocol (referred to herein as garbled circuit-based GAS-SS). A garbled circuit protocol is a cryptographic protocol that allows two parties to jointly compute a function over inputs that are private to each party, where the function is represented as a Boolean circuit. An authentic garbled circuit protocol is a garbled circuit protocol that exhibits the property of authenticity, which means that the output of a garbled circuit evaluated via the protocol cannot be forged.
Sections (1)-(3) below present an overview of Boolean circuits, garbled circuit protocols, and authentic garbled circuit protocols to provide context for the garbled circuit-based GAS-SS scheme of the present disclosure. Section (4) then presents the details of this scheme, including example sharing phase and reconstruction phase workflows.
A Boolean circuit is a mathematical representation of a function that is composed of a set of gates coupled via wires that carry a bit value of zero or one. Generally speaking, each gate is a Boolean function ƒ(x,y)→z where x and y are bit values carried on the gate's incoming wires and z is a bit value carried on the gate's outgoing wire. Examples of such Boolean functions include logical AND, logical OR, logical XOR, and so on. The input to a Boolean circuit is a bit string carried over the set of wires that are not output by any gate of the circuit (referred to as the circuit's input wires), and the output of a Boolean circuit is a bit string carried over the set of wires that are not used as input to any gate of the circuit (referred to as the circuit's output wires).
By way of example,
In particular, bit values “1” and “0” are provided over input wires 102(1) and 102(2) as inputs to AND gate 106, resulting in an output of “0” on intermediary wire 114(1). Further, bit values “1” and “0” are provided over input wires 102(3) and 102(4) as inputs to OR gate 108, resulting in an output of “1” on intermediary wire 114(2). Yet further, bit values “0” and “1” are provided over intermediary wire 114(2) and input wire 102(5) as inputs to XOR gate 110, resulting in an output of “0” on intermediary wire 114(3). Finally, bit values “0” and “0” are provided over intermediary wires 114(1) and 114(3) as inputs to AND gate 112, resulting in an output of “0” on output wire 104.
A garbled circuit protocol is a cryptographic protocol that enables secure two-party computation over a function that is represented as a Boolean circuit. This protocol is composed of the following algorithms:
A proper garbled circuit protocol implementation exhibits the properties of correctness and privacy. With respect to the correctness property, assume y′ is the result of evaluating Boolean circuit C on the input bit string x1, x2, ..., xn (i.e., C(x1, x2, ..., xn)→y′). In this case, correctness guarantees that if C and x1, x2, ..., xn are provided as input to the Garble algorithm and the Encode, Evaluate, and Decode algorithms are executed faithfully based on the outputs of Garble, output value y of the Decode algorithm will equal y′.
The privacy property guarantees that a party that is given garbled circuit F and garbled input X and executes the Evaluate and/or Decode algorithms to obtain output value y will not learn anything other than y. For example, the party will not learn anything regarding the original input bit values x1, x2, ..., xn.
With the foregoing in mind, the protocol typically proceeds as follows:
An authentic garbled circuit protocol is a garbled circuit protocol that also exhibits the property of authenticity (in addition to correctness and privacy). In the protocol description above with parties P1 and P2, authenticity guarantees that at step (5), P2 cannot provide to P1 a garbled output Y′≠Y such that Decode(Y′,d) produces a valid output value y. Stated another way, P2 cannot forge the garbled output by replacing it with something else that allows the protocol to complete successfully.
A corollary of this authenticity property is the following—assume output value y is a single bit value (i.e., either “0” or “1”); this means that Evaluate(F,X) will result in one of two garbled outputs: Y0 which decodes to y=0, or Y1 which decodes to y=1. In this scenario, if P2 executes Evaluate(F,X) in accordance with step (4) and the garbled output is Y0, P2 is guaranteed to not learn anything regarding the other possible garbled output Y1 (and vice versa). This is because if P2 could learn the other garbled output Y1, P2 could return Y1 instead of the correct garbled output Y0 at step (5), which would allow the Decode algorithm to generate a valid output value of y=1 and thus violate the authenticity property.
As mentioned in the Background section, a secret sharing scheme allows a dealer to securely share a secret among a set of receivers by sending a portion (i.e., share) of the secret to each receiver. An individual receiver cannot learn anything regarding the secret using only his/her share; however, a subset of the receivers can reconstruct the secret using their respective shares if one or more conditions are met.
General access structure secret sharing (GAS-SS) is a particular type of secret sharing scheme in which a subset of receivers can reveal the secret if and only if that subset is authorized to do so by the dealer. Such an authorized subset is known as a qualified set, and the set of qualified sets for a secret sharing is known as an access structure (denoted by the symbol Γ).
By way of example,
In particular,
GAS-SS is an important building block for other cryptographic schemes and applications such as secure multi-party computation (MPC), secure storage of data, user authentication, and so on. However, existing GAS-SS implementations rely on complex and expensive cryptographic primitives like public/private key encryption that often result in high overhead and poor performance.
To address this, embodiments of the present disclosure provide an improved GAS-SS scheme that employs an authentic garbled circuit protocol (i.e., garbled circuit-based GAS-SS). Such authentic garbled circuit protocols are generally simpler in design than other cryptographic primitives, thereby allowing for better efficiency and performance. This scheme leverages the observation that every access structure Γ for the sharing of a secret s among a set of N receivers R via GAS-SS can be represented by a Boolean circuit CΓ which:
With this Boolean circuit CΓ, the garbled circuit-based GAS-SS scheme of the present disclosure can generally proceed as follows:
Significantly, due to the property of authenticity described in section (3) above, the receivers will not be able to learn anything regarding Y1 by running the Evaluate algorithm of the authentic garbled circuit protocol on garbled circuit F and garbled input X in the case where Evaluate outputs Y0. Accordingly, garbled circuit-based GAS-SS ensures that secret s cannot be revealed by the receivers if only an unqualified set wants to do so, because an unqualified set will not be able to obtain decryption key Y1.
The remaining subsections of the present disclosure provide example workflows for implementing the sharing and reconstruction phases of garbled circuit-based GAS-SS according to certain embodiments. It should be appreciated that the foregoing description and figures are illustrative and not intended to limit embodiments of the present disclosure. For example, details such as specific algorithm names (e.g., Garble, Encode, Evaluate, Decode, etc.) are provided for explanation purposes only and can be changed without affecting the algorithms' functionalities. One of ordinary skill in the art will recognize other variations, modifications, and alternatives.
Starting with step 302, dealer D can define an access structure Γ for the sharing of secret s. As explained previously, this access structure is the set of qualified receiver sets that can reconstruct s using their respective shares. For example, if there is a total of five receivers R1, R2, R3, R4, and R5, dealer D may define access structure Γ as including three qualified sets (R1,R3,R5), (R1,R3,R4), and (R2,R5) such that only these particular subsets of receivers may combine their shares to successfully reconstruct secret s during the reconstruction phase.
At step 304, dealer D (or some other entity) can create a Boolean circuit CΓ based on access structure Γ that takes as input N bit values xR′=(x1R′, ..., xNR′) corresponding to a subset of receivers R′⊆R (where xiR′=1 if receiver Ri∈R′ and xiR′=0 if receiver Ri∉R′) and outputs 1 if R′∈Γ (thereby indicating that R′ is a qualified set) and 0 if R′∉Γ (thereby indicating that R′ is not a qualified set). Dealer D can then run, via an authentic garbled circuit protocol, Garble(CΓ)→F, e, d where F is the garbled version of Boolean circuit CΓ, e is encoding information comprising N label pairs corresponding to the N receivers, and d is the decoding information consumed by the Decode algorithm (step 306). For example, encoding information e can include a first label pair (L01,L11) for the first receiver R1, a second label pair (L02,L12) for the second receiver R2, and so on. Each label of a label pair can be a random value/string.
At step 308, dealer D can compute Encrypt(s,Y1)→ct, or in other words encrypt secret s using Y1 (i.e., the garbled output of F that will decode to y=1) as a symmetric key, resulting in ciphertext ct. This means that Y1 will be needed to decrypt ciphertext ct back into secret s.
Finally at step 310, dealer D can send to each receiver Ri the garbled circuit F, ciphertext ct, and the label pair for that receiver (as specified in encoding information e) according to the receiver's index i. For example, dealer D can send label pair (L01,L11) in encoding information e to receiver R1, (L02,L12) in e to receiver R2, and so on.
Starting with step 402, each receiver Ri can inform the other receivers whether it wants to reveal secret s or not. In particular, if receiver Ri wants to reveal secret s, it can broadcast its one label L1i to the other receivers and to itself. If receiver Ri does not want to reveal secret s, it can broadcast its zero label L0i to the other receivers and to itself. Upon completion of this step, every receiver will have a set of labels X comprising, for each input wire i of garbled circuit F, one label out of the two possible labels for that input wire, indicating whether receiver Ri wants to reveal s.
For example, assume there are three receivers R1, R2, and R3 and R1 does not want to reveal secret s while R2 and R3 do. In this scenario, upon the completion of step 402, each receiver will have garbled circuit F, ciphertext ct, and the set of labels X=(L01,L12,L13).
At step 404, each receiver Ri can run, via the authentic garbled circuit protocol, Evaluate(F,X)→Y where garbled output Y∈{Y0,Y1}. Whether Y equals Y0 or Y1 will depend on whether the subset of receivers that want to reveal the secret (and thus have broadcast their one labels at step 402) is a qualified set or not: if that subset is a qualified set, Y will equal Y1; otherwise, Y will equal Y0.
Finally, upon obtaining garbled output Y, each receiver Ri can attempt to decrypt ciphertext ct using Y as the decryption key (i.e., compute Decrypt(ct,Y)) (step 406). If Y=Y0, which means the subset of receivers that want to reveal secret s is not a qualified set, this decryption operation will fail because it requires Y1 as the decryption key, and thus the receivers will not be able to reveal s. This is the correct outcome per the definition of general access structure secret sharing. As mentioned previously, in this scenario Y1 cannot be learned by the receivers per the authenticity property of the authentic garbled circuit protocol, which thus prevents secret s from being leaked to, e.g., an adversary.
On the other hand if Y=Y1, which means the subset of receivers that want to reveal secret s is a qualified set, the decryption operation at step 406 will be successful and the receivers will be able to reveal s. This is also a correct outcome because a qualified set of receivers should be able to reveal/reconstruct the secret per the definition of general access structure secret sharing.
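The sharing phase (steps 302-310) and reconstruction phase (steps 402-406) above, together with the Garble/Evaluate algorithms of section (2), as an added end-to-end illustration that is not the disclosure's own code. It assumes a simplified hash-based garbling (each table row is a hash of the gate id and input labels XORed with the output label plus a zero tag, and the evaluator keeps the one row whose tag decrypts to zeros), receivers indexed 0..N-1, CΓ built as an OR of exact-membership AND terms per the definition at step 304, and a secret of at most 32 bytes; all of these are choices made for this example.

```python
import hashlib, itertools, os

L, T = 16, 8                                     # label bytes, zero-tag bytes
OPS = {"NOT": lambda a: 1 - a, "AND": lambda a, b: a & b, "OR": lambda a, b: a | b}
def H(*parts): return hashlib.sha256(b"|".join(parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def access_circuit(n, qualified):
    """C_Gamma: 1 iff the inputs are the characteristic vector of a qualified set."""
    gates = []                                   # gate = (op, input wires, output wire)
    def gate(op, *ins):                          # append a gate, return its output wire
        gates.append((op, ins, n + len(gates))); return gates[-1][2]
    def chain(op, ws):                           # fold wires with a 2-input gate
        w = ws[0]
        for v in ws[1:]: w = gate(op, w, v)
        return w
    terms = [chain("AND", [i if i in qs else gate("NOT", i) for i in range(n)])
             for qs in qualified]                # receivers are indexed 0..n-1
    return gates, chain("OR", terms)

def garble(gates, out, n):
    """Garble(C_Gamma) -> F, e, d; row = H(gate id, in labels) XOR (out label || zeros)."""
    lab = {w: (os.urandom(L), os.urandom(L)) for w in range(n)}
    tables = []
    for gid, (op, ins, o) in enumerate(gates):
        lab[o] = (os.urandom(L), os.urandom(L))
        rows = []
        for bits in itertools.product((0, 1), repeat=len(ins)):
            key = H(str(gid).encode(), *[lab[w][b] for w, b in zip(ins, bits)])
            rows.append(xor(key[:L + T], lab[o][OPS[op](*bits)] + bytes(T)))
        tables.append((ins, o, sorted(rows)))    # sorted: row order leaks nothing
    return (tables, out), [lab[w] for w in range(n)], lab[out]

def evaluate(F, X):
    """Evaluate(F, X) -> Y; only the row with a zero tag opens, the other label stays hidden."""
    tables, out = F
    lab = dict(enumerate(X))
    for gid, (ins, o, rows) in enumerate(tables):
        key = H(str(gid).encode(), *[lab[w] for w in ins])
        for row in rows:
            plain = xor(key[:L + T], row)
            if plain[L:] == bytes(T): lab[o] = plain[:L]
    return lab[out]

def encrypt(s, Y1):                              # s up to 32 bytes; tag detects a wrong key
    body = xor(H(b"enc", Y1), s); return body, H(b"tag", Y1, body)
def decrypt(ct, Y):                              # returns None unless Y is the key Y1
    return xor(H(b"enc", Y), ct[0]) if H(b"tag", Y, ct[0]) == ct[1] else None

def share(s, n, qualified):
    """Sharing phase (steps 302-310): R_i receives F, ct and its own label pair."""
    gates, out = access_circuit(n, qualified)
    F, e, (Y0, Y1) = garble(gates, out, n)
    return [(F, encrypt(s, Y1), e[i]) for i in range(n)]

def reconstruct(shares, willing):
    """Reconstruction (steps 402-406): willing R_i broadcast L1_i, the rest L0_i."""
    F, ct, _ = shares[0]
    X = [pair[1 if i in willing else 0] for i, (_, _, pair) in enumerate(shares)]
    return decrypt(ct, evaluate(F, X))
```

With the five-receiver access structure of step 302 (indices {0,2,4}, {0,2,3}, {1,4}), reconstruct returns the secret only when the willing set is exactly one of those sets and None otherwise, mirroring the Y1/Y0 outcome at step 406.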
Certain embodiments described herein can employ various computer-implemented operations involving data stored in computer systems. For example, these operations can require physical manipulation of physical quantities—usually, though not necessarily, these quantities take the form of electrical or magnetic signals, where they (or representations of them) are capable of being stored, transferred, combined, compared, or otherwise manipulated. Such manipulations are often referred to in terms such as producing, identifying, determining, comparing, etc. Any operations described herein that form part of one or more embodiments can be useful machine operations.
Further, one or more embodiments can relate to a device or an apparatus for performing the foregoing operations. The apparatus can be specially constructed for specific required purposes, or it can be a generic computer system comprising one or more general purpose processors (e.g., Intel or AMD x86 processors) selectively activated or configured by program code stored in the computer system. In particular, various generic computer systems may be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations. The various embodiments described herein can be practiced with other computer system configurations including handheld devices, microprocessor systems, microprocessor-based or programmable consumer electronics, minicomputers, mainframe computers, and the like.
Yet further, one or more embodiments can be implemented as one or more computer programs or as one or more computer program modules embodied in one or more non-transitory computer readable storage media. The term non-transitory computer readable storage medium refers to any storage device, based on any existing or subsequently developed technology, that can store data and/or computer programs in a non-transitory state for access by a computer system. Examples of non-transitory computer readable media include a hard drive, network attached storage (NAS), read-only memory, random-access memory, flash-based nonvolatile memory (e.g., a flash memory card or a solid state disk), persistent memory, NVMe device, a CD (Compact Disc) (e.g., CD-ROM, CD-R, CD-RW, etc.), a DVD (Digital Versatile Disc), a magnetic tape, and other optical and non-optical data storage devices. The non-transitory computer readable media can also be distributed over a network coupled computer system so that the computer readable code is stored and executed in a distributed fashion.
Finally, boundaries between various components, operations, and data stores are somewhat arbitrary, and particular operations are illustrated in the context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within the scope of the invention(s). In general, structures and functionality presented as separate components in exemplary configurations can be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component can be implemented as separate components.
As used in the description herein and throughout the claims that follow, “a,” “an,” and “the” includes plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
The above description illustrates various embodiments along with examples of how aspects of particular embodiments may be implemented. These examples and embodiments should not be deemed to be the only embodiments and are presented to illustrate the flexibility and advantages of particular embodiments as defined by the following claims. Other arrangements, embodiments, implementations, and equivalents can be employed without departing from the scope hereof as defined by the claims.