## Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors (2008)

### Download Links

- [eprint.iacr.org]
- [homepages.cwi.nl]
- [cs.nyu.edu]
- [www.cs.nyu.edu]
- [www.iacr.org]
- [homepages.cwi.nl]
- DBLP

### Other Repositories/Bibliography

Citations: 24 (3 self)

### BibTeX

```bibtex
@MISC{Cramer08detectionof,
  author = {Ronald Cramer and Yevgeniy Dodis and Serge Fehr and Carles Padró and Daniel Wichs},
  title  = {Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors},
  year   = {2008}
}
```

### Abstract

Consider an abstract storage device Σ(G) that can hold a single element x from a fixed, publicly known finite group G. Storage is private in the sense that an adversary does not have read access to Σ(G) at all. However, Σ(G) is non-robust in the sense that the adversary can modify its contents by adding some offset ∆ ∈ G. Due to the privacy of the storage device, the value ∆ can only depend on an adversary’s a priori knowledge of x. We introduce a new primitive called an algebraic manipulation detection (AMD) code, which encodes a source s into a value x stored on Σ(G) so that any tampering by an adversary will be detected, except with a small error probability δ. We give a nearly optimal construction of AMD codes, which can flexibly accommodate arbitrary choices for the length of the source s and security level δ. We use this construction in two applications:

- We show how to efficiently convert any linear secret sharing scheme into a robust secret sharing scheme, which ensures that no unqualified subset of players can modify their shares and cause the reconstruction of some value s′ ≠ s.
- We show how to build nearly optimal robust fuzzy extractors for several natural metrics. Robust fuzzy extractors enable one to reliably extract and later recover random keys from noisy and non-uniform secrets, such as biometrics, by relying only on non-robust public storage. In the past, such constructions were known only in the random oracle model, or required the entropy rate of the secret to be greater than half. Our construction relies on a randomly chosen common reference string (CRS) available to all parties.

### Citations

1751 | How to share a secret
- Shamir
- 1979

Citation Context: ...me MAC in addition to the one-time-pad key, one can trivially add authentication to this application. 1.1 Linear Secret Sharing Schemes. In a linear secret sharing scheme (e.g. Shamir’s secret sharing [26] and many others) a secret s is distributed among n players so that each player gets some algebraic share of the secret. Any qualified subset of the players can pool their shares together and recover ...

453 | Efficient dispersal of information for security, load balancing and fault tolerance
- Rabin
- 1989

Citation Context: ...ruction, the honest players form a qualified set. The dishonest players are still assumed to form an unqualified set. This problem is known under the name (unconditional) secure information dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qua...

291 | Fuzzy extractors: How to generate strong keys from biometrics and other noisy data
- Dodis, Ostrovsky, et al.
- 2008

Citation Context: ... discuss in Appendix B, the proposed robust secret sharing scheme (respectively AMD code) is completely insecure. 1.2 Fuzzy Extractors. A less obvious example comes from the domain of fuzzy extractors [10]. A fuzzy extractor extracts a uniformly random key R from some non-uniform secret w (e.g., biometric data) in such a way that this key can be recovered from any w′ sufficiently close to w in some ap...

227 | Randomness is linear in space
- Nisan, Zuckerman
- 1996

Citation Context: ...y a computationally unbounded adversary. We use the notation U_d to denote the (fresh) uniform distribution over {0,1}^d. RANDOMNESS EXTRACTORS FOR AVG. MIN ENTROPY. A randomness extractor, as defined in [18], extracts a uniformly random string from any secret with high enough entropy using some randomness as a seed. Here we include a slightly altered definition to ensure that we can extract randomness fr...

119 | On span programs
- Karchmer, Wigderson
- 1993

Citation Context: ...s of linear secret sharing schemes include Shamir’s secret sharing scheme [26] where the access structure is simply a threshold on the number of players, or a scheme for a general access structure in [16]. We consider a setting where an honest dealer uses a secret sharing scheme to share some secret s among n players. Later, an outside entity called the reconstructor contacts some qualified subset B o...

102 | Perfectly secure message transmission
- Dolev, Dwork, et al.
- 1990

Citation Context: ...shonest players are still assumed to form an unqualified set. This problem is known under the name (unconditional) secure information dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qualified subset of the involved players, invoke the robust...

78 | Extracting all the randomness and reducing the error in Trevisan’s extractors
- Raz, Reingold, et al.
- 1999

Citation Context: ...Ext(a − b, i) = Ext(a, i) − Ext(b, i). It is easy to see that the extractor defined by Ext(w, i) := [w · i]_1^ℓ has the required linearity property. We also notice that several other extractors (e.g., [29, 25]) with shorter seed lengths also satisfy this property. As it turns out, it is precisely this property of extractors, not useful in the plain model setting of [11], that would allow us to obtain the f...

73 | Practical quantum oblivious transfer
- Bennett, Brassard, et al.
- 1992

Citation Context: ...veral related metrics. For this metric we will make use of the syndrome construction from [10], which we review in Appendix E (this construction appeared as a component of protocols earlier, e.g., in [1]). For our current purposes, though, we only need to know that this construction is a linear transformation over F_2^n. STATISTICAL DISTANCE. Let X1, X2 be two probability distributions over some spac...

65 | Reusable cryptographic fuzzy extractors
- Boyen
- 2004

59 | Secure remote authentication using biometric data
- Boyen, Dodis, et al.
- 2005

Citation Context: ...ers R using w′ and P. Unfortunately, the original notion of a fuzzy extractor critically depends on the value of P being stored on a tamper-proof (though public) device. As observed by Boyen et al. [6, 5], this severely limits the usability of the concept. To address this problem, [6, 5] introduced a stronger notion of a robust fuzzy extractor, where any tampering of P will be detected by the user, ev...

57 | How to share a secret with cheaters
- Tompa, Woll
- 1988

Citation Context: ...ge of the source state s. No secret keys are required since we rely on the privacy of Σ(G) instead. Using an AMD code, we can turn any linear secret sharing scheme into a robust secret sharing scheme [28], which ensures that no unqualified subset of players can modify their shares and cause the reconstruction of some value s′ ≠ s. The transformation is very simple: apply the linear secret sharing sc...

37 | Perfectly secure message transmission revisited
- Desmedt, Wang
- 2003

Citation Context: ...shonest players are still assumed to form an unqualified set. This problem is known under the name (unconditional) secure information dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qualified subset of the involved players, invoke the robust...

36 | Robust fuzzy extractors and authenticated key agreement from close secrets
- Dodis, Katz, et al.
- 2006

Citation Context: ...cing the security of the extracted randomness R. However, there are no guarantees when an active attacker modifies P. To prevent such attacks, robust fuzzy extractors were defined and constructed in [5, 11]. Here we define robust fuzzy extractors in the CRS model. For two (correlated) random variables W, W′ over a metric space M, we say dis(W, W′) ≤ t if the distance between W and W′ is at most t with...

31 | Distributed Fingerprints and Secure Information Dispersal
- Krawczyk
- 1993

Citation Context: ...ruction, the honest players form a qualified set. The dishonest players are still assumed to form an unqualified set. This problem is known under the name (unconditional) secure information dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qua...

29 | Authentication theory/coding theory
- Simmons
- 1985

Citation Context: ... KMS-MAC family. For efficiency, we are interested in minimizing the tag size log(T) and the key size log(G). The following well known lower bounds on standard message authentication codes (e.g., see [27]) obviously also apply to the stronger notion of a KMS-MAC. Lemma 1. For any authentication code with security δ ≤ 2^−κ, the key size log(G) must be at least 2κ, and the tag size log(T) must be at le...

21 | On the (non)universality of the one-time pad
- Dodis, Spencer
- 2002

Citation Context: ...al. [11] showed how to achieve robustness if the initial secret w contains an entropy rate of at least one half (i.e. the entropy of the secret is at least half the length of the secret). The work of [12] shows that this requirement is necessary for information theoretic security in the plain model, even if no errors are allowed (i.e., w = w′). Moreover, when the secret does meet this entropy rate t...

17 | On the relation between A-Codes and Codes correcting independent errors
- Johansson, Kabatianskii, et al.

8 | Secret Sharing Schemes with Detection of Cheaters for a General Access Structure
- Cabello, Padró, et al.
- 2002

Citation Context: ...to Prior Work on Secret Sharing. Although AMD codes were never formally defined in previous work, some constructions of AMD codes have appeared, mostly in connection with making secret sharing robust [20, 7, 21]. Although some of these constructions are essentially optimal, all of them are largely inflexible in that the error probability δ is dictated by the cardinality of the source space S: δ ≈ 1/|S|. In p...

8 | Optimum secret sharing scheme secure against cheating
- Ogata, Kurosawa, et al.
- 2006

Citation Context: ...to Prior Work on Secret Sharing. Although AMD codes were never formally defined in previous work, some constructions of AMD codes have appeared, mostly in connection with making secret sharing robust [20, 7, 21]. Although some of these constructions are essentially optimal, all of them are largely inflexible in that the error probability δ is dictated by the cardinality of the source space S: δ ≈ 1/|S|. In p...

7 | On the cost of reconstructing a secret, or VSS with optimal reconstruction phase
- Cramer, Damgård, et al.

Citation Context: ...dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qualified subset of the involved players, invoke the robust reconstruction until for one set of shares no foul play is detected and a secret is reconstructed. If the robust secret sharing ...

6 | Information-theoretic security without an honest majority
- Broadbent, Tapp
- 2007

Citation Context: ...he robust secret sharing scheme is 1/2^(κ+n)-secure, then this procedure succeeds in producing the correct secret except with probability at most 1/2^κ. ANONYMOUS MESSAGE TRANSMISSION. In recent work [3], Broadbent and Tapp explicitly used the notion of AMD codes introduced in this paper (and our construction of them) in the setting of unconditionally secure multi-party protocols with a dishonest maj...

3 | Anonymous quantum communication
- Brassard, Broadbent, et al.
- 2007

Citation Context: ...ishonest majority. Specifically, AMD codes allowed them to obtain robustness in their protocol for anonymous message transmission. This protocol, and with it the underlying AMD code, was then used in [2] as a building block to obtain a protocol for anonymous quantum communication. 4 Message Authentication Codes with Key Manipulation Security. As a notion related to AMD codes, we define message authent...

3 | Almost Optimum Secret Sharing Schemes Secure Against Cheating for Arbitrary Secret Distribution
- Obana, Araki
- 2006

Citation Context: ..., secure private storage and anonymous message transmission. In the context of robust secret sharing, the inflexibility issue mentioned above has recently been addressed in a paper by Obana and Araki [19], where a flexible robust secret sharing scheme (in fact, an AMD code in our terminology) was proposed and claimed to be “proven” secure. However, as we discuss in Appendix B, the proposed robust secr...

2 | New combinatorial designs and their applications to authentication codes and secret sharing schemes. Discrete Mathematics 279
- Ogata, Kurosawa, et al.
- 2004

Citation Context: ...to Prior Work on Secret Sharing. Although AMD codes were never formally defined in previous work, some constructions of AMD codes have appeared, mostly in connection with making secret sharing robust [20, 7, 21]. Although some of these constructions are essentially optimal, all of them are largely inflexible in that the error probability δ is dictated by the cardinality of the source space S: δ ≈ 1/|S|. In p...

2 | Detection of cheaters in vector space secret sharing schemes
- Padró, Sáez, et al.
- 1999

Citation Context: ...ded to achieve a particular security threshold. In contrast, our constructions can accommodate arbitrary choices of security δ and message length u. For example, Cabello, Padró and Sáez [7] (see also [23, 22]) proposed an elegant construction of a robust secret sharing scheme which implicitly relies on the following AMD code. For any finite field F of order q, the encoding of the secret s ∈ F is a triple ...

2 | Anonymous quantum communication. Available at http://arxiv.org/abs/0706.2356. To be published in ASIACRYPT '07.
- Fitzsimons, Tapp
- 1997

Citation Context: ...ishonest majority. Specifically, AMD codes allowed them to obtain robustness in their protocol for anonymous message transmission. This protocol, and with it the underlying AMD code, was then used in [2] as a building block to obtain a protocol for anonymous quantum communication. 4 Message Authentication Codes with Key Manipulation Security. As a notion related to AMD codes, we define message authent...

2 | Distributed fingerprints and secure information dispersal
- Krawczyk
- 1993

Citation Context: ... an unqualified set, the correct secret will always be reconstructed (we do not allow the option of reconstructing ⊥). This problem is known under the name (unconditional) secure information dispersal [23, 16] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [7]: for every qua...

1 | Lower bounds for robust secret sharing schemes
- Blundo, Santis
- 1997

Citation Context: ...he reconstructor contacts a minimal qualified subset of the players, then even a single corrupted player can cause the reconstruction of an incorrect secret. Robust secret sharing schemes (defined in [28, 4]) ensure that such attacks ... [footnote 8: We can also imagine situations where the “base” field F′ of some characteristic p is given to us, and our freedom is in choosing the extension field F and the appropriate...]

1 | On the cost of reconstructing a secret, or VSS with optimal reconstruction phase
- Cramer, Damgård, et al.
- 2001

Citation Context: ...dispersal [24, 17] or non-interactive secure message transmission [14, 13]. There is a generic, though for large player sets computationally inefficient, construction based on a robust secret sharing [8]: for every qualified subset of the involved players, invoke the robust reconstruction until for one set of shares no foul play is detected and a secret is reconstructed. If the robust secret sharing ...

1 | Dodis Exposure Resilient Cryptography
- unknown authors

Citation Context: ... of the CRS. This is a very natural assumption for biometrics and many other scenarios. However, it also means that our scheme is not applicable in the setting of exposure resilient cryptography (see [9]) where the attacker can learn some function of the secret after seeing the CRS. What our result shows, however, is that this seemingly minor addition not only allows us to achieve robustness without ...

1 | Robust vector space secret sharing schemes
- Padró
- 1998

Citation Context: ...ded to achieve a particular security threshold. In contrast, our constructions can accommodate arbitrary choices of security δ and message length u. For example, Cabello, Padró and Sáez [7] (see also [23, 22]) proposed an elegant construction of a robust secret sharing scheme which implicitly relies on the following AMD code. For any finite field F of order q, the encoding of the secret s ∈ F is a triple ...

1 | Anonymous quantum communication
- Fitzsimons, Tapp
- 2007

Citation Context: ...dishonest majority. Specifically, AMD codes allowed them to obtain robustness in their protocol for anonymous message transmission. This protocol, and with it the underlying AMD code, was then used in [1] as a building block to obtain a protocol for anonymous quantum communication. 4 Message Authentication Codes with Key Manipulation Security. As a notion related to AMD codes, we define message authenti...

1 | Exposure Resilient Cryptography
- Dodis
- 2000