Latin squares are a classical and well-studied topic of discrete mathematics, and recently Takeuti and Adachi (IACR ePrint, 2023) proposed (2, n)-threshold secret sharing based on mutually orthogonal Latin squares (MOLS). Hence efficient constructions of as large sets of MOLS as possible are also important from practical viewpoints. In this letter, we determine the maximum number of MOLS among a known class of Latin squares defined by weighted sums. We also mention some known property of Latin squares interpreted via the relation to secret sharing and a connection of Takeuti-Adachi’s scheme to Shamir’s secret sharing scheme.
Mamoru SHIBATA, Ryutaroh MATSUMOTO
Secret sharing is a cryptographic scheme that encodes a secret into multiple shares distributed to participants, so that only qualified sets of participants can restore the original secret from their shares. When we encode a secret by a secret sharing scheme and distribute shares, sometimes not all participants are accessible, and it is desirable to distribute shares to those participants before the secret information is determined. Secret sharing schemes for classical secrets have been known to be able to distribute some shares before the secret is given. Lie et al. found that a ((2, 3))-threshold secret sharing scheme for quantum secrets can distribute some shares before the secret is given. However, it is unknown whether distributing some shares before the secret is given is possible with other access structures of secret sharing for quantum secrets. We propose a quantum secret sharing scheme for quantum secrets that can distribute some shares before the secret is given, with other access structures.
Shogo CHIWAKI, Ryutaroh MATSUMOTO
Stabilizer-based quantum secret sharing has two methods to reconstruct a quantum secret: the erasure correcting procedure and the unitary procedure. It is known that the unitary procedure has a smaller circuit width. On the other hand, it is unknown which method has smaller depth and fewer circuit gates. In this letter, it is shown that the unitary procedure has smaller depth and fewer circuit gates than the erasure correcting procedure which follows a standard framework performing measurements and unitary operators according to the measurement outcomes, when the circuits are designed for quantum secret sharing using the [[5, 1, 3]] binary stabilizer code. The evaluation can be reversed if one discovers a better circuit for the erasure correcting procedure which does not follow the standard framework.
Reo ERIGUCHI, Noboru KUNIHIRO, Koji NUIDA
Ramp secret sharing is a variant of secret sharing which can achieve a better information ratio than perfect schemes by allowing some partial information on a secret to leak out. Strongly secure ramp schemes can control the amount of leaked information on the components of a secret. In this paper, we reduce the construction of strongly secure ramp secret sharing for general access structures to a linear algebraic problem. As a result, we show that previous results on strongly secure network coding imply two linear transformation methods to make a given linear ramp scheme strongly secure. They are explicit or provide a deterministic algorithm, while the previous methods which work for any linear ramp scheme are non-constructive. In addition, we present a novel application of strongly secure ramp schemes to symmetric PIR in a multi-user setting. Our solution is advantageous over those based on a non-strongly secure scheme in that it reduces the amount of communication between users and servers and also the amount of correlated randomness that servers generate in the setup.
In secure multiparty computation (MPC), floating-point numbers should be handled in many potential applications, but these are basically expensive. In particular, for MPC based on secret sharing (SS), the floating-point addition takes many communication rounds though the addition is the most fundamental operation. In this paper, we propose an SS-based two-party protocol for floating-point addition with 13 rounds (for single/double precision numbers), which is much fewer than the milestone work of Aliasgari et al. in NDSS 2013 (34 and 36 rounds, respectively) and also fewer than the state of the art in the literature. Moreover, in contrast to the existing SS-based protocols which are all based on “roundTowardZero” rounding mode in the IEEE 754 standard, we propose another protocol with 15 rounds which is the first result realizing more accurate “roundTiesToEven” rounding mode. We also discuss possible applications of the latter protocol to secure Validated Numerics (a.k.a. Rigorous Computation) by implementing a simple example.
The extended visual cryptography scheme (EVCS) proposed by Ateniese et al. is one of the variations of the visual cryptography scheme in which a secret image is recovered by superimposition of certain qualified collections of shares, where cover images are visible on the respective shares. In this paper, we give a new definition of the EVCS for improving the visibility of the recovered secret image as well as the cover images. We formulate the problem of constructing the basis matrices of the EVCS with the minimum pixel expansion as an integer programming problem. We solve the integer programming problem for general access structures with at most five participants and show that basis matrices with a smaller pixel expansion can be obtained for certain cases. We also analyze the security of the EVCS meeting the new definition from an information-theoretic viewpoint. We give a condition under which any forbidden collection of shares does not reveal any additional information on not only the secret image but also the cover images that are not visible on the other shares.
Naohisa NISHIDA, Tatsumi OBA, Yuji UNAGAMI, Jason PAUL CRUZ, Naoto YANAI, Tadanori TERUYA, Nuttapong ATTRAPADUNG, Takahiro MATSUDA, Goichiro HANAOKA
Machine learning models inherently memorize significant amounts of information, and thus hiding not only prediction processes but also trained models, i.e., model obliviousness, is desirable in the cloud setting. Several works achieved model obliviousness with the MNIST dataset, but datasets that include complicated samples, e.g., CIFAR-10 and CIFAR-100, are also used in actual applications, such as face recognition. Secret sharing-based secure prediction for CIFAR-10 is difficult to achieve. When a deep layer architecture such as a CNN is used, the calculation error when performing secret calculation becomes large and the accuracy deteriorates. In addition, if detailed calculations are performed to improve accuracy, a large amount of calculation is required. Therefore, even if the conventional method is applied to a CNN as it is, good results as described in the paper cannot be obtained. In this paper, we propose two approaches to solve this problem. Firstly, we propose a new protocol named Batch-normalized Activation that combines BatchNormalization and Activation. Since BatchNormalization includes real number operations, when performing secret calculation, parameters must be converted into integers, which causes a calculation error and decreases accuracy. By using our protocol, calculation errors can be eliminated, and accuracy degradation can be eliminated. Further, the processing is simplified, and the amount of calculation is reduced. Secondly, we explore a secret-computation-friendly and high-accuracy architecture. Related works use a low-accuracy, simple architecture, but in reality, a high-accuracy architecture should be used. Therefore, we also explored a high-accuracy architecture for the CIFAR-10 dataset. Our proposed protocol can compute a prediction for CIFAR-10 within 15.05 seconds with 87.36% accuracy while providing model obliviousness.
Sanghun CHOI, Shuichiro HARUTA, Yichen AN, Iwao SASASE
Since the owner's data might be leaked from centralized server storage, distributed storage schemes with server storage have been investigated. To protect the owner's data, those schemes use Reed-Solomon codes. However, those schemes incur a burden on data capacity, since the amount of parity data grows with how much disconnected data must be restorable. Moreover, the calculation time for the restoration becomes higher, since a lot of parity data is needed to restore the disconnected data. In order to reduce the burden on data capacity and the calculation time, we propose server-based distributed storage using Secret Sharing with AES-256 for lightweight, safe restoration. Although we use Secret Sharing, the owner's data are safely kept in the distributed storage, since each divided piece of data is further divided into two pieces with AES-256 and stored in the peer storage and the server storage. Even though the server storage keeps divided data, and the server and the peer storages might learn the pair of divided data via Secret Sharing, the owner's data are secure in the proposed scheme against the inner attack on Secret Sharing. Furthermore, the owner's data can be restored from a few parity data. The evaluations show that our proposed scheme is improved in terms of lightness, stability, and safety.
Hiraku MORITA, Nuttapong ATTRAPADUNG, Tadanori TERUYA, Satsuya OHATA, Koji NUIDA, Goichiro HANAOKA
We present an improved constant-round secure two-party protocol for the integer comparison functionality, which is one of the most fundamental building blocks in secure computation. Our protocol is in the so-called client-server model, which is utilized in real-world MPC products such as Sharemind, where any number of clients can create shares of their input and distribute them to the servers, who then jointly compute over the shares and return the shares of the result to the client. In the client-aided client-server model, as mentioned briefly by Mohassel and Zhang (S&P'17), a client further generates and distributes some necessary correlated randomness to the servers. Such correlated randomness admits efficient protocols since otherwise the servers have to jointly generate randomness by themselves, which can be inefficient. In this paper, we improve the state-of-the-art constant-round comparison protocols by Damgård et al. (TCC'06) and Nishide and Ohta (PKC'07) in the client-aided model. Our techniques include identifying correlated randomness in these comparison protocols. Along the way, we also use tree-based techniques for a building block, which deviate from the above two works. Our proposed protocol requires only 5 communication rounds, regardless of the bit length of the inputs. This is at least 5 times fewer rounds than existing protocols. We implement our secure comparison protocol in C++. Our experimental results show that this low round complexity is beneficial in high-latency networks such as a WAN. We also present secure Min/Argmin protocols using the secure comparison protocol.
A (k,n)-visual secret sharing scheme ((k,n)-VSSS) is a method to divide a secret image into n images called shares that enable us to restore the original image by only stacking at least k of them, without any complicated computations. In this paper, we consider (2,2)-VSSS to share two secret images at the same time with only two shares, and investigate methods to improve the quality of the decoded images. More precisely, we consider (2,2)-VSSS in which the first secret image is decoded by stacking those two shares in the usual way, while the second one is decoded by stacking those two shares in such a way that one of them is used reversibly. Since the shares must have some subpixels that inconsistently correspond to pixels of the secret images, the decoded pixels do not agree with the corresponding pixels of the secret images, which causes serious degradation of the quality of the decoded images. To reduce such degradation, we propose several methods to construct shares that utilize an 8-neighbor Laplacian filter and halftoning. Then we show that the proposed methods can effectively improve the quality of the decoded images. Moreover, we demonstrate that the proposed methods can be naturally extended to (2,2)-VSSS for RGB images.
We propose two secret sharing schemes realizing general access structures, which are based on unauthorized subsets. In the proposed schemes, shares are generated by Tassa's (k,n)-hierarchical threshold scheme instead of Shamir's (k,n)-threshold scheme. Consequently, the proposed schemes can reduce the number of shares distributed to each participant.
Kazuma OHARA, Yohei WATANABE, Mitsugu IWAMOTO, Kazuo OHTA
In recent years, multi-party computation (MPC) frameworks based on replicated secret sharing schemes (RSSS) have attracted attention as a method to achieve high efficiency among known MPCs. However, RSSS-based MPCs are still inefficient for several heavy computations like algebraic operations, as they require an amount and number of communications proportional to the number of multiplications in the operations (which is not the case with other secret sharing-based MPCs). In this paper, we propose RSSS-based three-party computation protocols for modular exponentiation, which is one of the most popular algebraic operations, for the case where the base is public and the exponent is private. Our proposed schemes are simple and efficient in both the asymptotic and the practical sense. On asymptotic efficiency, the proposed schemes require O(n)-bit communication and O(1) rounds, where n is the secret-value size, in the best setting, whereas the previous scheme requires O(n^2)-bit communication and O(n) rounds. On practical efficiency, we show the performance of our protocol by experiments on a scenario for distributed signatures, which is useful for secure key management in distributed environments (e.g., distributed ledgers). As one of the cases, our implementation performs a modular exponentiation on a 3,072-bit discrete-log group with a 256-bit exponent in roughly 300 ms, which is an acceptable parameter for 128-bit security, even in the WAN setting.
In secret sharing schemes for general access structures, an important issue is the number of shares distributed to each participant. However, in general, the existing schemes are impractical in this respect when the size of the access structure is very large. In 2015, a secret sharing scheme that can reduce the number of shares distributed to specified participants was proposed (the scheme A of T15). In this scheme, we can select a subset of participants and reduce the number of shares distributed to any participant who belongs to the selected subset though this scheme cannot reduce the number of shares distributed to every participant. In other words, this scheme cannot reduce the number of shares distributed to each participant who does not belong to the selected subset. In this paper, we modify the scheme A of T15 and propose a new secret sharing scheme realizing general access structures. The proposed scheme can reduce the number of shares distributed to each participant who does not belong to the selected subset as well. That is, the proposed scheme is more efficient than the scheme A of T15.
We show a construction of a quantum ramp secret sharing scheme from a nested pair of linear codes. Necessary and sufficient conditions for qualified sets and forbidden sets are given in terms of combinatorial properties of nested linear codes. An algebraic geometric construction for quantum secret sharing is also given.
Ryo KIKUCHI, Koji CHIDA, Dai IKARASHI, Koki HAMADA
The performance of secret-sharing (SS)-based multiparty computation (MPC) has recently increased greatly, and several efforts to implement and use it have been put into practice. Authentication of clients is one critical mechanism for implementing SS-based MPC successfully in practice. We propose a password-based authentication protocol for SS-based MPC. Our protocol is secure in the presence of secure channels, and it is optimized for practical use with SS-based MPC in the following ways. Threshold security: our protocol is secure in the honest-majority setting, which is necessary and sufficient since most practical results on SS-based MPC are secure in the same setting. Establishing distinct channels: after our protocol, a client has distinct secure and two-way authenticated channels to each server. Ease of implementation: our protocol consists of SS, operations involving SS, and secure channels, which can be reused from an implementation of SS-based MPC. Furthermore, we implemented our protocol with an optimization for a realistic network. A client received the result within 2 sec even when the network delay was 200 ms, which is roughly the delay that occurs between Japan and Europe.
Olav GEIL, Stefano MARTIN, Umberto MARTÍNEZ-PEÑAS, Ryutaroh MATSUMOTO, Diego RUANO
Asymptotically good sequences of linear ramp secret sharing schemes have been intensively studied by Cramer et al. in terms of sequences of pairs of nested algebraic geometric codes [4]-[8], [10]. In those works the focus is on full privacy and full reconstruction. In this paper we analyze additional parameters describing the asymptotic behavior of partial information leakage and possibly also partial reconstruction giving a more complete picture of the access structure for sequences of linear ramp secret sharing schemes. Our study involves a detailed treatment of the (relative) generalized Hamming weights of the considered codes.
We show a simple example of a secret sharing scheme encoding classical secret to quantum shares that can realize an access structure impossible by classical information processing with limitation on the size of each share. The example is based on quantum stabilizer codes.
Shoichiro YAMASAKI, Tomoko K. MATSUSHIMA, Shinichiro MIYAZAKI, Kotoku OMURA, Hirokazu TANAKA
Secret sharing is a method to protect information for security. The information is divided into n shares, and the information is reconstructed from any k shares, but no knowledge of it is revealed from k-1 shares. Physical layer security is a method to yield a favorable receive condition to an authorized destination terminal in wireless communications based on multi-antenna transmission. In this study, we propose wireless packet communications protected by secret sharing based on Reed-Solomon coding and physical layer security based on vector coding, which implements a single-antenna system and a multi-antenna system. Evaluation results show the validity of the proposed scheme.
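The (k,n)-threshold property described above (reconstruction from any k shares, nothing revealed by k-1) is the one realized by Shamir's scheme, which several of the abstracts on this page reference and which is equivalent to Reed-Solomon encoding of the secret. The following Python is an added illustration, not code from any of the listed papers: it assumes a prime field GF(p), uses the share indices 1..n as evaluation points, reconstructs by Lagrange interpolation at 0, and, over a deliberately tiny field, brute-forces every polynomial to show that k-1 shares are consistent with every possible secret.

```python
import secrets
from itertools import product


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x over GF(p) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret, k, n, p, rng=secrets.randbelow):
    """Split `secret` into n shares with threshold k over GF(p).

    The secret is the constant term of a random polynomial of degree < k;
    share i is the point (i, f(i)). `rng(p)` must return a uniform value in [0, p).
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p so that share indices are distinct and nonzero")
    coeffs = [secret] + [rng(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, k, p):
    """Recover the secret f(0) from at least k shares via Lagrange interpolation."""
    if len(shares) < k:
        raise ValueError("fewer than k shares cannot determine the secret")
    pts = shares[:k]
    if len({x for x, _ in pts}) != k:
        raise ValueError("share indices must be distinct")
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % p          # (0 - x_j)
                den = den * (xi - xj) % p      # (x_i - x_j)
        # Lagrange basis polynomial L_i evaluated at 0, times y_i
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def consistent_secrets(shares, k, p):
    """Brute-force privacy check for a toy field: enumerate every polynomial of
    degree < k over GF(p) and return the set of constant terms (candidate secrets)
    that agree with the given shares. With k-1 shares this is all of GF(p);
    with k shares it collapses to the single true secret."""
    found = set()
    for coeffs in product(range(p), repeat=k):
        if all(_eval_poly(coeffs, x, p) == y for x, y in shares):
            found.add(coeffs[0])
    return found


if __name__ == "__main__":
    # Realistic parameters: a 127-bit Mersenne prime, constructed secret value.
    p = 2**127 - 1
    secret = 0xDEADBEEF
    shares = make_shares(secret, k=3, n=5, p=p)
    print("any 3 of 5 shares recover the secret:",
          reconstruct(shares[1:4], 3, p) == secret)

    # Toy field to make the brute-force privacy argument visible.
    toy = make_shares(4, k=3, n=5, p=7)
    print("candidates given 2 shares:", sorted(consistent_secrets(toy[:2], 3, 7)))
    print("candidates given 3 shares:", sorted(consistent_secrets(toy[:3], 3, 7)))
```

The brute-force check is only feasible for small p (it enumerates p^k polynomials) and exists purely to make the information-theoretic argument concrete; the share generation and reconstruction functions work at full size.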
Wataru NAKAMURA, Hirosuke YAMAMOTO, Terence CHAN
In this paper, we treat (k, L, n) ramp secret sharing schemes (SSSs) that can detect impersonation attacks and/or substitution attacks. First, we derive lower bounds on the sizes of the shares and of the random number used in encoding for given correlation levels, which are measured by the mutual information of shares. We also derive lower bounds on the success probabilities of attacks for given correlation levels and given sizes of shares. Next we propose a strong (k, L, n) ramp SSS against substitution attacks. As far as we know, the proposed scheme is the first strong (k, L, n) ramp SSS that can detect substitution attacks of at most k-1 shares. Our scheme can be applied to a secret S^L uniformly distributed over GF(p^m)^L, where p is a prime number with p ≥ L+2. We show that for a certain type of correlation levels, the proposed scheme can achieve the lower bounds on the sizes of the shares and random number, and can reduce the success probability of substitution attacks to within nearly L times the lower bound when the number of forged shares is less than k. We also evaluate the success probability of impersonation attacks for our schemes. In addition, we give some examples of insecure ramp SSSs to clarify why each component of our scheme is essential to realize the required security.
The multiple assignment scheme assigns one or more shares to a single participant so that any kind of access structure can be realized by classical secret sharing schemes. We propose its quantum version, including ramp secret sharing schemes. Then we propose an integer optimization approach to minimize the average share size.