Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
7abc8d7e801cb9d0feea3ec34fc8b535c7f18e2a
NoteNextra-origin/content/CSE5313/CSE5313_L18.md
Trance-0 000922f9bd
Some checks failed
Sync from Gitea (main→main, keep workflow) / mirror (push) Has been cancelled
Details
bugfix
2025-11-22 15:18:52 -06:00

270 lines
9.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# CSE5313 Coding and information theory for data science (Lecture 18)
## Secret sharing
The president and the vice president must both consent to a nuclear missile launch.
We would like to share the nuclear code such that:
- $Share1, Share2 \mapsto Nuclear Code$
- $Share1 \not\mapsto Nuclear Code$
- $Share2 \not\mapsto Nuclear Code$
- $Share1 \not\mapsto Share2$
- $Share2 \not\mapsto Share1$
In other words:
- The two shares are everything.
- One share is nothing.
<details>
<summary>Solution</summary>
Scheme:
- The nuclear code is a field element $m \in \mathbb{F}_q$, chosen at random $m \sim M$ (M arbitrary).
- Let $p(x) = m + rx \in \mathbb{F}_q[x]$.
- $r \sim U$, where $U = Uniform \mathbb{F}_q$, i.e., $Pr(\alpha = 1/q)$ for every $\alpha \in \mathbb{F}_q$.
- Fix $\alpha_1, \alpha_2 \in \mathbb{F}_q$ (not random).
- $s_1 = p(\alpha_1) = m + r\alpha_1, s_1 \sim S_1$.
- $s_2 = p(\alpha_2) = m + r\alpha_2, s_2 \sim S_2$.
And then:
- One share reveals nothing about $m$.
- I.e., $I(S_i; M) = 0$ (gradient could be anything)
- Two shares reveal $p \Rightarrow reveal p(0) = m$.
- I.e., $H(M|S_1, S_2) = 0$ (two points determine a line).
</details>
### Formalize the notion of secret sharing
#### Problem setting
A dealer is given a secret $m$ chosen from an arbitrary distribution $M$.
The dealer creates $n$ shares $s_1, s_2, \cdots, s_n$ and send to $n$ parties.
Two privacy parameters: $t,z\in \mathbb{N}$ $z<t$.
**Requirements**:
For $\mathcal{A}\subseteq[n]$ denote $S_\mathcal{A} = \{s_i:i\in \mathcal{A}\}$.
- Decodability: Any set of $t$ shares can reconstruct the secret.
- $H(M|S_\mathcal{T}) = 0$ for all $\mathcal{T}\subseteq[n]$ with $|\mathcal{T}|\geq t$.
- Security: Any set of $z$ shares reveals no information about the secret.
- $I(M;S_\mathcal{Z}) = 0$ for all $\mathcal{Z}\subseteq[n]$ with $|\mathcal{Z}|\leq z$.
This is called $(n,z,t)$-secret sharing scheme.
#### Interpretation
- $\mathcal{Z} \subseteq [n]$, $|\mathcal{Z}| \leq z$ is a corrupted set of parties.
- An adversary which corrupts at most $z$ parties cannot infer anything about the secret.
#### Applications
- Secure distributed storage.
- Any $\leq z$ hacked servers reveal nothing about the data.
- Secure distributed computing with a central server (e.g., federated learning).
- Any $\leq z$ corrupted computation nodes know nothing about the data.
- Secure multiparty computing (decentralized).
- Any $\leq z$ corrupted parties cannot know the inputs of other parties.
### Scheme 1: Shamir secret sharing scheme
Parameters $n,t$, and $z=t-1$.
Fix $\mathbb{F}_q$, $q>n$ and distinct points $\alpha_1, \alpha_2, \cdots, \alpha_n \in \mathbb{F}_q\setminus \{0\}$. (public, known to all).
Given $m\sim M$ the dealer:
- Choose $r_1, r_2, \cdots, r_z \sim U_1, U_2, \cdots, U_z$ (uniformly random from $\mathbb{F}_q$).
- Defines $p\in \mathbb{F}_q[x]$ by $p(x) = m + r_1x + r_2x^2 + \cdots + r_zx^z$.
- Send share $s_i = p(\alpha_i)$ to party $i$.
#### Theorem valid encoding scheme
This is an $(n,t-1,t)$-secret sharing scheme.
Decodability:
- $\deg p=t-1$, any $t$ shares can reconstruct $p$ by Lagrange interpolation.
<details>
<summary>Proof</summary>
Specifically, any $t$ parties $\mathcal{T}\subseteq[n]$ can define the interpolation polynomial $h(x)=\sum_{i\in \mathcal{T}} s_i \delta_{i}(x)$, where $\delta_{i}(x)=\prod_{j\in \mathcal{T}\setminus \{i\}} \frac{x-\alpha_j}{\alpha_i-\alpha_j}$. ($\delta_{i}(\alpha_i)=1$, $\delta_{i}(\alpha_j)=0$ for $j\neq i$).
$\deg h=\deg p=t-1$, so $h(x)=p(x)$ for all $x\in \mathcal{T}$.
Therefore, $h(0)=p(0)=m$.
</details>
Privacy:
Need to show that $I(M;S_\mathcal{Z})=0$ for all $\mathcal{Z}\subseteq[n]$ with $|\mathcal{Z}|=z$.
> that is equivalent to show that $M$ and $s_\mathcal{Z}$ are independent for all $\mathcal{Z}\subseteq[n]$ with $|\mathcal{Z}|=z$.
<details>
<summary>Proof</summary>
We will show that $\operatorname{Pr}(s_\mathcal{Z}|M=m)=\operatorname{Pr}(M=m)$, for all $s_\mathcal{Z}\in S_\mathcal{Z}$ and $m\in M$.
Let $m,\mathcal{Z}=(i_1,i_2,\cdots,i_z)$, and $s_\mathcal{Z}$.
$$
\begin{bmatrix}
m & U_1 & U_2 & \cdots & U_z
\end{bmatrix} = \begin{bmatrix}
1 & 1 & 1 & \cdots & 1 \\
\alpha_{i_1} & \alpha_{i_2} & \alpha_{i_3} & \cdots & \alpha_{i_n} \\
\alpha_{i_1}^2 & \alpha_{i_2}^2 & \alpha_{i_3}^2 & \cdots & \alpha_{i_n}^2 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
\alpha_{i_1}^{z} & \alpha_{i_2}^{z} & \alpha_{i_3}^{z} & \cdots & \alpha_{i_n}^{z}
\end{bmatrix}=s_\mathcal{Z}=\begin{bmatrix}
s_{i_1} \\ s_{i_2} \\ \vdots \\ s_{i_z}
\end{bmatrix}
$$
So,
$$
\begin{bmatrix}
U_1 & U_2 & \cdots & U_z
\end{bmatrix} = (s_\mathcal{Z}-\begin{bmatrix}
m & m & m & \cdots & m
\end{bmatrix})
\begin{bmatrix}
\alpha_{i_1}^{-1} & \alpha_{i_2}^{-1} & \alpha_{i_3}^{-1} & \cdots & \alpha_{i_n}^{-1} \\
\end{bmatrix}
\begin{bmatrix}
1 & 1 & 1 & \cdots & 1 \\
\alpha_1 & \alpha_2 & \alpha_3 & \cdots & \alpha_n \\
\alpha_1^2 & \alpha_2^2 & \alpha_3^2 & \cdots & \alpha_n^2 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
\alpha_1^{z-1} & \alpha_2^{z-1} & \alpha_3^{z-1} & \cdots & \alpha_n^{z-1}
\end{bmatrix}^{-1}
$$
So exactly one solution for $U_1, U_2, \cdots, U_z$ is possible.
So $\operatorname{Pr}(U_1, U_2, \cdots, U_z|M=m)=\frac{1}{q^z}$ for all $m\in M$.
Recall the law of total probability:
$$
\operatorname{Pr}(s_\mathcal{Z})=\sum_{m'\in M} \operatorname{Pr}(s_\mathcal{Z}|M=m') \operatorname{Pr}(M=m')=\frac{1}{q^z}\sum_{m'\in M} \operatorname{Pr}(M=m')=\frac{1}{q^z}
$$
So $\operatorname{Pr}(s_\mathcal{Z}|M=m)=\operatorname{Pr}(M=m)\implies I(M;S_\mathcal{Z})=0$.
</details>
### Scheme 2: Ramp secret sharing scheme (McEliece-Sarwate scheme)
- Any $z$ know nothing
- Any $t$ knows everything
- Partial knowledge for $z<s<t$
Parameters $n,t$, and $z<t$.
Fix $\mathbb{F}_q$, $q>n$ and distinct points $\alpha_1, \alpha_2, \cdots, \alpha_n \in \mathbb{F}_q\setminus \{0\}$. (public, known to all)
Given $m_1, m_2, \cdots, m_n \sim M$, the dealer:
- Choose $r_1, r_2, \cdots, r_z \sim U_1, U_2, \cdots, U_z$ (uniformly random from $\mathbb{F}_q$).
- Defines $p(x) = m_1+m_2x + \cdots + m_{t-z}x^{t-z-1} + r_1x^{t-z} + r_2x^{t-z+1} + \cdots + r_zx^{t-1}$.
- Send share $s_i = p(\alpha_i)$ to party $i$.
Decodability
Similar to Shamir scheme, any $t$ shares can reconstruct $p$ by Lagrange interpolation.
Privacy
Similar to the proof of Shamir, exactly one value of $U_1, \cdots, U_z$
is possible!
$\operatorname{Pr}(s_\mathcal{Z}|m_1, \cdots, m_{t-z}) = \operatorname{Pr}(U_1, \cdots, U_z) = the above = 1/q^z$
($U_i$'s are uniform and independent).
Conclude similarly by the law of total probability.
$\operatorname{Pr}(s_\mathcal{Z}|m_1, \cdots, m_{t-z}) = \operatorname{Pr}(s_\mathcal{Z}) \implies I(S_\mathcal{Z}; M_1, \cdots, M_{t-z}) = 0$.
### Conditional mutual information
The dealer needs to communicate the shares to the parties.
Assumed: There exists a noiseless communication channel between the dealer and every party.
From previous lecture:
- The optimal number of bits for communicating $s_i$ (i'th share) to the i'th party is $H(s_i)$.
- Q: What is $H(s_i|M)$?
Tools:
- Conditional mutual information.
- Chain rule for mutual information.
#### Definition of conditional mutual information
The conditional mutual information $I(X;Y|Z)$ of $X$ and $Y$ given $Z$ is defined as:
$$
\begin{aligned}
I(X;Y|Z)&=H(X|Z)-H(X|Y,Z)\\
&=H(X|Z)+H(X)-H(X)-H(X|Y,Z)\\
&=(H(X)-H(X|Y,Z))-(H(X)-H(X|Z))\\
&=I(X; Y,Z)- I(X; Z)
\end{aligned}
$$
where $H(X|Y,Z)$ is the conditional entropy of $X$ given $Y$ and $Z$.
#### The chain rule of mutual information
$$
I(X;Y,Z)=I(X;Y|Z)+I(X;Z)
$$
Conditioning reduces entropy.
#### Lower bound for communicating secret
Consider the Shamir scheme ($z = t - 1$, one message).
Q: What is $H(s_i)$ with respect to $H(M)$ ?
A: Fix any $\mathcal{T} = \{i_1, \cdots, i_t\} \subseteq [n]$ of size $t$, and let $\mathcal{Z} = \{i_1, \cdots, i_{t-1}\}$.
$$
\begin{aligned}
H(M) &= I(M; S_\mathcal{T}) + H(M|S_\mathcal{T}) \text{(by def. of mutual information)}\\
&= I(M; S_\mathcal{T}) \text{(since }S_\mathcal{T}\text{ suffice to decode M)}\\
&= I(M; S_{i_t}, S_\mathcal{Z}) \text{(since }S_\mathcal{T} = S_\mathcal{Z} S_{i_t})\\
&= I(M; S_{i_t}|S_\mathcal{Z}) + I(M; S_\mathcal{Z}) \text{(chain rule)}\\
&= I(M; S_{i_t}|S_\mathcal{Z}) \text{(since }\mathcal{Z}\leq z \text{, it reveals nothing about M)}\\
&= I(S_{i_t}; M|S_\mathcal{Z}) \text{(symmetry of mutual information)}\\
&= H(S_{i_t}|S_\mathcal{Z}) - H(S_{i_t}|M,S_\mathcal{Z}) \text{(def. of conditional mutual information)}\\
&\leq H(S_{i_t}|S_\mathcal{Z}) \text{(entropy is non-negative)}\\
&\leq H(S_{i_t}|S_\mathcal{Z}) \text{(conditioning reduces entropy)} \\
\end{aligned}
$$
So the bits used for sharing the secret is at least the bits of actual secret.
In Shamir we saw: $H(s_i) \geq H(M)$.
- If $M$ is uniform (standard assumption), then Shamir achieves this bound with equality.
- In ramp secret sharing we have $H(s_i) \geq \frac{1}{t-z}H(M_1, \cdots, M_{t-z})$ (similar proof).
- Also optimal if $M$ is uniform.
#### Downloading file with lower bandwidth from more servers
[link to paper](https://arxiv.org/abs/1505.07515)
Reference in New Issue View Git Blame Copy Permalink