Preface
I got stuck reading "Share Conversion Pseudorandom Secret-Sharing and Applications to Secure Computation", so I have not updated for a while. I decided to read something more general instead, and that produced the notes below.
1. Reed-Solomon codes
An RS code has two main parameters $n, t$ ($t < n$). It can detect $n - t - 1$ errors and correct $\frac{n - t - 1}{2}$ errors; the encoding works as follows.
First choose a finite field $\mathbb{F}_q$ with $q > n$, and consider the set of all polynomials in $\mathbb{F}_q[x]$ of degree at most $t$:
$$\mathbb{P} = \{f_0 + f_1 \cdot X + \cdots + f_t \cdot X^t \mid f_i \in \mathbb{F}_q, 0 \leq i \leq t\}$$
If the elements of $\mathbb{P}$ were used directly as codewords there would be $q^{t+1}$ codewords in total. In fact, however, a codeword is defined as an $n$-tuple:
$$\mathbb{C} = \{(f(1), f(2), \cdots, f(n)) \mid f \in \mathbb{P}\}$$
If $f$ is regarded as the message and $c \in \mathbb{C}$ as the codeword, then this scheme uses $n \cdot \log_2 q$ bits to represent $t \cdot \log_2 q$ bits of information, so it is redundant. This redundancy is exactly what is used to detect and correct errors; the details are not given here.
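As an added example (not code from the original post), the construction above over a small prime field: messages are the coefficient vectors of $\mathbb{P}$, codewords are the evaluation vectors $(f(1), \ldots, f(n))$, membership in $\mathbb{C}$ is the detection test (any word at distance $1$ to $n - t - 1$ from a codeword fails it), and a brute-force search over $t + 1$ coordinates corrects up to $\lfloor (n - t - 1)/2 \rfloor$ errors. The parameters $q = 11$, $n = 7$, $t = 2$ and the message are my own choices.

```python
# Added example (not code from the original post): Reed-Solomon encoding over a
# prime field F_q with q > n, plus codeword membership testing (detects up to
# n-t-1 errors) and brute-force unique decoding (corrects up to (n-t-1)/2
# errors). The parameters q = 11, n = 7, t = 2 and the message are my choices.
from itertools import combinations

Q, N, T = 11, 7, 2   # constructed: field size, code length, max polynomial degree


def poly_eval(coeffs, x, q=Q):
    """Horner evaluation of f_0 + f_1 x + ... + f_t x^t over F_q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def rs_encode(message, n=N, q=Q):
    """Message f = (f_0, ..., f_t) -> codeword (f(1), f(2), ..., f(n))."""
    return [poly_eval(message, x, q) for x in range(1, n + 1)]


def interpolate(points, q=Q):
    """Lagrange interpolation: coefficients (low to high) of the unique
    polynomial of degree < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1              # basis = prod_{j != i} (x - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(basis) + 1)
            for k, a in enumerate(basis):  # multiply basis by (x - x_j)
                new[k] = (new[k] - xj * a) % q
                new[k + 1] = (new[k + 1] + a) % q
            basis = new
            denom = denom * (xi - xj) % q
        scale = yi * pow(denom, -1, q) % q
        for k, a in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * a) % q
    return coeffs


def is_codeword(word, t=T, q=Q):
    """Error detection: a word is in C iff the degree-<=t polynomial through its
    first t+1 coordinates also matches the remaining n-t-1 coordinates."""
    pts = list(enumerate(word, start=1))
    f = interpolate(pts[:t + 1], q)
    return all(poly_eval(f, x, q) == y for x, y in pts)


def max_correctable(n=N, t=T):
    """(n - t - 1) // 2: half the number of detectable errors."""
    return (n - t - 1) // 2


def rs_decode(word, t=T, q=Q):
    """Brute-force unique decoding: try every choice of t+1 coordinates,
    interpolate, and accept the polynomial that disagrees with the received
    word in at most max_correctable positions. Two codewords differ in at
    least n-t places, so at most one polynomial can qualify. Returns the
    message coefficients, or None if too many errors occurred."""
    n = len(word)
    pts = list(enumerate(word, start=1))
    for subset in combinations(pts, t + 1):
        f = interpolate(list(subset), q)
        disagreements = sum(poly_eval(f, x, q) != y for x, y in pts)
        if disagreements <= max_correctable(n, t):
            return f
    return None


if __name__ == "__main__":
    cw = rs_encode([3, 5, 7])
    noisy = cw[:]
    noisy[0], noisy[4] = (noisy[0] + 1) % Q, (noisy[4] + 5) % Q   # two errors
    print(cw, is_codeword(cw), is_codeword(noisy), rs_decode(noisy))
```

The brute-force decoder is only for illustrating the distance argument; for real parameters a Berlekamp-Welch or Berlekamp-Massey style decoder does the same job in polynomial time.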
2. LSSS
The definition of this feels rather confusing, so I will write it out as I understand it.
Let $\mathcal{P}$ be the set of parties with $\#\mathcal{P} = n$, let $\mathbb{F}_q$ be a finite field, let $M \in \mathbb{F}_q^{m \times d}$ be a matrix called the share-generating matrix, let $\pmb{v} \in \mathbb{F}_q^{d \times 1}$ be a column vector, and let $\chi : \{1, \cdots, m\} \to \{1, \cdots, n\}$ be a map.
For a secret $s$, find a column vector $\pmb{k} \in \mathbb{F}_q^{d \times 1}$ such that $s = \pmb{v}^T \cdot \pmb{k}$, and then generate the shares $\pmb{s} = (s_1, \cdots, s_m) = M \cdot \pmb{k}$. Each share $s_i$, $1 \leq i \leq m$, is held by the party $P_j \in \mathcal{P}$ with $j = \chi(i)$.
- How to understand $d$: in threshold secret sharing it can be read as the threshold value $+ 1$
- How to understand $\pmb{v}$: a fixed column vector, tied to which sets of parties can recover the secret (the qualified sets)
- How reconstruction works: for a set of parties $A$, $M_A$ is the submatrix of $M$ consisting of the rows $i$ with $\chi(i) = j$, $P_j \in A$; suppose $M_A$ has $r$ rows. If the row vectors of $M_A$ "contain" $\pmb{v}$, the secret can be recovered. "Contain" means that there is a column vector $\pmb{x}_A \in \mathbb{F}^{r \times 1}$ such that $\pmb{v}^T = \pmb{x}_A^T \cdot M_A$. Then $\pmb{x}_A^T \cdot \pmb{s}_A = \pmb{x}_A^T \cdot (M_A \cdot \pmb{k}) = \pmb{v}^T \cdot \pmb{k} = s$, where $\pmb{s}_A$ is the vector of shares held by the parties in $A$
- How to understand "linear" and "sharing": the secret $s$ is a linear combination of the entries of $\pmb{k}$, and the shares $M \cdot \pmb{k}$ are likewise linear combinations of the entries of $\pmb{k}$. "Linear" refers to the secret being a linear combination of the shares; "sharing" refers to splitting one linear combination ($\pmb{v}^T \cdot \pmb{k}$) into several linear combinations $M \cdot \pmb{k}$
Under this definition, linear functions of two secrets $s, s'$ are easy to compute locally:
- Addition: the sharing of $s + s'$ is $\pmb{s} + \pmb{s'} = M \cdot (\pmb{k} + \pmb{k'})$
- Scalar multiplication: the sharing of $\alpha \cdot s$, $\alpha \in \mathbb{F}_q$, is $\alpha \cdot \pmb{s} = M \cdot (\alpha \cdot \pmb{k})$
Next, Shamir SS and Replicated SS are used as examples to briefly explain and interpret the LSSS definition.
2.1 Shamir SS
$$\begin{aligned} M &= \left( \begin{matrix} 1 & 1 & \cdots & 1^t\\ 1 & 2 & \cdots & 2^t\\ \vdots & \vdots & & \vdots\\ 1 & n & \cdots & n^t \end{matrix} \right) \in \mathbb{F}_q^{n \times (t + 1)}\\ \pmb{v} &= (1, 0, \cdots, 0) \in \mathbb{F}_q^{t + 1} \end{aligned}$$
The map is $\chi(i) = i$. For a secret $s$, $\pmb{k} = (s, a_1, \cdots, a_t)^T$, where $a_1, \cdots, a_t$ are the remaining polynomial coefficients.
- When $|A| \leq t$: $\mathrm{rank}\binom{M_A}{\pmb{v}^T} = |A| + 1 > \mathrm{rank}(M_A) = |A|$, so $\pmb{x}_A^T \cdot M_A = \pmb{v}^T$ has no solution and the secret cannot be recovered
- When $|A| > t$: $\mathrm{rank}\binom{M_A}{\pmb{v}^T} = t + 1 = \mathrm{rank}(M_A)$, so $\pmb{x}_A^T \cdot M_A = \pmb{v}^T$ has a solution and the secret can be recovered
2.2 Replicated SS
The parameters of a (1, 3)-RSS scheme (3 parties, threshold 1) are as follows:
$$\begin{aligned} M &= \left( \begin{matrix} 0 & 1 & 0\\ 0 & 0 & 1\\ 1 & 0 & 0\\ 0 & 0 & 1\\ 1 & 0 & 0\\ 0 & 1 & 0 \end{matrix} \right) \in \mathbb{F}_q^{6 \times 3}\\ \pmb{v} &= (1, 1, 1) \in \mathbb{F}_q^3 \end{aligned}$$
The map is $\chi(i) = \lceil \frac{i}{2} \rceil$. The secret $s$ is first split into three additive shares $s = s_1 + s_2 + s_3$, so that $\pmb{k} = (s_1, s_2, s_3)^T$ and $\pmb{s} = M \cdot \pmb{k} = (s_2, s_3, s_1, s_3, s_1, s_2)^T$. According to the map $\chi$, $P_1$ obtains $(s_2, s_3)$, $P_2$ obtains $(s_3, s_1)$, and $P_3$ obtains $(s_1, s_2)$. No single party can recover $s$, while any two parties can.
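The following added example (my own code, not the post's) implements the general LSSS definition of section 2 literally: sharing picks $\pmb{k}$ with $\pmb{v}^T \pmb{k} = s$ and hands out $M \pmb{k}$ via $\chi$, and reconstruction for a party set $A$ solves $\pmb{x}_A^T M_A = \pmb{v}^T$ over $\mathbb{F}_q$ by Gaussian elimination, returning nothing when the system is inconsistent (the unqualified case). The same code is then instantiated with the Shamir matrix of section 2.1 and the (1, 3) replicated matrix of section 2.2, and the local addition and scalar multiplication of shares are checked. The prime $q = 101$ and the secrets are constructed values.

```python
# Added example (not code from the original post): a generic LSSS over a prime
# field F_q driven by (M, v, chi) exactly as in the definition, instantiated as
# Shamir SS and as the (1,3) replicated scheme. Q = 101 is my own choice.
import random
from itertools import combinations

Q = 101  # constructed prime modulus for F_q


def solve_mod(A, b, q=Q):
    """Solve A x = b over F_q by Gauss-Jordan elimination (A is rows x cols).
    Returns one solution (free variables set to 0), or None if inconsistent."""
    rows, cols = len(A), len(A[0])
    aug = [[a % q for a in row] + [bi % q] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        p = next((i for i in range(r, rows) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [a * inv % q for a in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * pr) % q for a, pr in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(aug[i][cols] for i in range(r, rows)):   # a row 0 = nonzero
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][cols]
    return x


def share(M, v, chi, secret, q=Q):
    """Pick k with v^T k = secret, compute s = M k and give s_i to party chi(i).
    Returns {party: [(i, s_i), ...]} with i the 1-based row index of M."""
    d = len(v)
    k = [random.randrange(q) for _ in range(d)]
    j = next(c for c in range(d) if v[c] % q)          # a coordinate with v_j != 0
    rest = sum(v[c] * k[c] for c in range(d) if c != j)
    k[j] = (secret - rest) * pow(v[j], -1, q) % q       # forces v^T k = secret
    held = {}
    for i, row in enumerate(M, start=1):
        s_i = sum(a * kc for a, kc in zip(row, k)) % q
        held.setdefault(chi(i), []).append((i, s_i))
    return held


def recombination_vector(M, v, chi, A, q=Q):
    """x_A with x_A^T M_A = v^T (solved as M_A^T x_A = v); None if A is unqualified."""
    idx = [i for i in range(1, len(M) + 1) if chi(i) in A]
    M_A_T = [[M[i - 1][c] for i in idx] for c in range(len(v))]   # d x r
    x = solve_mod(M_A_T, v, q)
    return None if x is None else dict(zip(idx, x))


def reconstruct(M, v, chi, A, held, q=Q):
    """x_A^T s_A = x_A^T (M_A k) = v^T k = s, using only the shares of parties in A."""
    x = recombination_vector(M, v, chi, A, q)
    if x is None:
        return None
    shares = {i: s for p in A for (i, s) in held[p]}
    return sum(x[i] * shares[i] for i in x) % q


def add_shares(h1, h2, q=Q):
    """Local addition: shares of s + s' are M(k + k'), i.e. coordinate-wise sums."""
    return {p: [(i, (a + b) % q) for (i, a), (_, b) in zip(h1[p], h2[p])] for p in h1}


def scale_shares(alpha, h, q=Q):
    """Local scalar multiplication: shares of alpha*s are M(alpha*k)."""
    return {p: [(i, alpha * a % q) for (i, a) in h[p]] for p in h}


def shamir(n, t, q=Q):
    """Vandermonde M with row i = (1, i, ..., i^t), v = (1, 0, ..., 0), chi(i) = i."""
    M = [[pow(i, e, q) for e in range(t + 1)] for i in range(1, n + 1)]
    return M, [1] + [0] * t, (lambda i: i)


def replicated_1_of_3():
    """The (1,3)-RSS matrix of section 2.2, v = (1,1,1), chi(i) = ceil(i/2)."""
    M = [[0, 1, 0], [0, 0, 1], [1, 0, 0], [0, 0, 1], [1, 0, 0], [0, 1, 0]]
    return M, [1, 1, 1], (lambda i: (i + 1) // 2)


def qualified_sets(M, v, chi, n, q=Q):
    """Brute-force access structure: every party subset that can recover s."""
    parties = range(1, n + 1)
    return {A for r in range(1, n + 1) for A in combinations(parties, r)
            if recombination_vector(M, v, chi, set(A), q) is not None}


if __name__ == "__main__":
    M, v, chi = shamir(5, 2)
    h = share(M, v, chi, 42)
    print(reconstruct(M, v, chi, {1, 3, 5}, h), reconstruct(M, v, chi, {2, 4}, h))
    R, w, psi = replicated_1_of_3()
    print(sorted(qualified_sets(R, w, psi, 3)))
```

Note that `reconstruct` never looks at the shares of parties outside $A$, so a `None` from `recombination_vector` is exactly the rank condition of section 2.1: the rows of $M_A$ do not span $\pmb{v}^T$, and no linear combination of the held shares can yield $s$.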
2.3 Multiplicative SS
For an LSSS scheme, given the shares $(\pmb{s}_1, \cdots, \pmb{s}_n)$ and $(\pmb{s}_1', \cdots, \pmb{s}_n')$ of two secrets $s$ and $s'$, if there exist vectors $(\pmb{v}_1, \cdots, \pmb{v}_n)$ satisfying:
- $|\pmb{v}_i| = |\pmb{s}_i \otimes \pmb{s}_i'|$, $1 \leq i \leq n$
- $s \cdot s' = \sum_{i=1}^n \pmb{v}_i \cdot (\pmb{s}_i \otimes \pmb{s}_i')$
where $\otimes$ is the Schur product, then the scheme is a multiplicative LSSS.
- Multiplicative Shamir SS: when $t < \frac{n}{2}$, SSS obviously has the multiplicative property, since the degree of the product of the two polynomials is strictly less than $n$
- Multiplicative Replicated SS: take the scheme of section 2.2 as an example
$$\begin{aligned} \pmb{s}_1 \otimes \pmb{s}_1' &= (s_2 \cdot s_2', s_2 \cdot s_3', s_3 \cdot s_2', s_3 \cdot s_3')\\ \pmb{s}_2 \otimes \pmb{s}_2' &= (s_3 \cdot s_3', s_3 \cdot s_1', s_1 \cdot s_3', s_1 \cdot s_1')\\ \pmb{s}_3 \otimes \pmb{s}_3' &= (s_1 \cdot s_1', s_1 \cdot s_2', s_2 \cdot s_1', s_2 \cdot s_2') \end{aligned}$$
Taking $\pmb{v}_1 = (1, 1, 1, 0), \pmb{v}_2 = (1, 1, 1, 0), \pmb{v}_3 = (1, 1, 1, 0)$, we get:
$$\begin{aligned} &\sum_{i=1}^3 \pmb{v}_i \cdot (\pmb{s}_i \otimes \pmb{s}_i')\\ =&\ (s_2 \cdot s_2' + s_2 \cdot s_3' + s_3 \cdot s_2')\\ +&\ (s_3 \cdot s_3' + s_3 \cdot s_1' + s_1 \cdot s_3')\\ +&\ (s_1 \cdot s_1' + s_1 \cdot s_2' + s_2 \cdot s_1')\\ =&\ (s_1 + s_2 + s_3) \cdot (s_1' + s_2' + s_3')\\ =&\ s \cdot s' \end{aligned}$$
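The identity above, checked numerically as an added example (my own code, not from the post): each $P_i$ computes $\pmb{v}_i \cdot (\pmb{s}_i \otimes \pmb{s}_i')$ from the two share pairs it already holds, with no communication, and the three local results form an additive sharing of $s \cdot s'$. The example also shows why the fourth entry of each $\pmb{v}_i$ must be $0$: with $\pmb{v}_i = (1,1,1,1)$ every diagonal term $s_j \cdot s_j'$ is held by two parties and would be counted twice. The modulus $q = 101$ and the sample secrets are constructed values.

```python
# Added example (not code from the original post): numerical check of the
# multiplicative property of the (1,3) replicated scheme from section 2.2.
# Q = 101 and the secrets are my own choices; V holds the v_i from the text.
import random

Q = 101  # constructed prime modulus for F_q

# v_i from the text: keep the three products (s_a s_a', s_a s_b', s_b s_a') that
# this party alone contributes and drop s_b s_b', which the next party also holds.
V = {1: (1, 1, 1, 0), 2: (1, 1, 1, 0), 3: (1, 1, 1, 0)}


def rss_share(secret, q=Q):
    """s = s1 + s2 + s3; P1 holds (s2, s3), P2 holds (s3, s1), P3 holds (s1, s2)."""
    s1, s2 = random.randrange(q), random.randrange(q)
    s3 = (secret - s1 - s2) % q
    return {1: (s2, s3), 2: (s3, s1), 3: (s1, s2)}


def rss_open(held, q=Q):
    """Any two parties hold all of s1, s2, s3; here P1 and P2 open the secret."""
    s2, s3 = held[1]
    _, s1 = held[2]
    return (s1 + s2 + s3) % q


def schur(a, b, q=Q):
    """s_i (x) s_i': every pairwise product of the two share vectors, row-major."""
    return tuple(x * y % q for x in a for y in b)


def local_product(party, held, held2, q=Q):
    """P_i's local value v_i . (s_i (x) s_i'); needs only P_i's own shares."""
    prods = schur(held[party], held2[party], q)
    return sum(vi * p for vi, p in zip(V[party], prods)) % q


def multiply(held, held2, q=Q):
    """The three local values together are an additive sharing of s * s'."""
    return {p: local_product(p, held, held2, q) for p in (1, 2, 3)}


def open_additive(summands, q=Q):
    return sum(summands.values()) % q


def check_multiplicative(trials, q=Q):
    """Random check of sum_i v_i . (s_i (x) s_i') == s * s' over F_q."""
    for _ in range(trials):
        s, s2 = random.randrange(q), random.randrange(q)
        got = open_additive(multiply(rss_share(s, q), rss_share(s2, q), q), q)
        if got != s * s2 % q:
            return False
    return True


def all_ones_overcounts(s, s2, q=Q):
    """Using v_i = (1,1,1,1) instead gives s*s' + (s1 s1' + s2 s2' + s3 s3'),
    because each diagonal term appears in the Schur product of two parties."""
    h, h2 = rss_share(s, q), rss_share(s2, q)
    total = sum(sum(schur(h[p], h2[p], q)) for p in (1, 2, 3)) % q
    a = (h[2][1], h[1][0], h[1][1])      # (s1, s2, s3)
    b = (h2[2][1], h2[1][0], h2[1][1])   # (s1', s2', s3')
    diag = sum(x * y for x, y in zip(a, b)) % q
    return total == (s * s2 + diag) % q


if __name__ == "__main__":
    h, h2 = rss_share(6), rss_share(7)
    print(rss_open(h), multiply(h, h2), open_additive(multiply(h, h2)))
```

The output of `multiply` is only an additive sharing, not a replicated one, so in a protocol each party would have to re-share its summand before the next multiplication; that re-sharing step is the only communication the multiplication costs.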