A Model for Adversarial Wiretap Channels and its Applications

Abstract: Abstract:In the wiretap model of secure communication, Alice is connected to Bob and Eve by two noisy channels. Wyner's insight was that the difference in noise between the two channels can be used to provide perfect secrecy for communication between Alice and Bob, against the eavesdropper Eve. In Wyner's model, the adversary is passive. We consider a coding-theoretic model for wiretap channels with active adversaries who can choose their view of the communication channel and also add adversarial noise to the … Show more

“…In other words, we use a variant of Shamir's scheme based on folded Reed-Solomon codes (instead of plain Reed-Solomon codes) combined with an AMD pre-code. This is very similar to what used in [CDF + 08] to provide robustness in the sense of error-detection, as well as the coding-theoretic construction of SafaviNaini and Wang [SNW15] (the latter additionally uses subspace-evasive sets that we do not need). Combining Shamir's scheme with some type of information-theoretic pre-code (such as a message authentication code) can also be seen as the underlying idea of other existing constructions such as [CDF01].…”

“…Same as Shamir's scheme and [SNW15], our result does not necessarily require the observations of the adversary to coincide or overlap with the set of manipulated shares. In fact, the number of adaptive observations by the adversary may in general be different from the number of incorrect shares, and this is allowed as long as the total fraction of observations and incorrect shares add up to a quantity sufficiently smaller than 1.…”

“…Finally, Safavi-Naini and Wang [SNW15] construct secret sharing schemes based on codes for the wiretap channel problem for the case n = 2t + 1. This construction is based on wiretap codes that are in turn based on list decodable Reed-Solomon codes, subspace-evasive sets and AMD codes, and attains a share length of k + O(n 2 (log n)(log log n) + n log(1/η)).…”

“…Our construction and underlying ideas share an overlap with the above-mentioned recent result k + O(log(1/η)) Yes Only robust in the sense of error detection [BP14] k + O(log(1/η)) Yes Only secure against local adversaries [CPS99] k + O(n + log(1/η)) No [CFOR12] k +Õ(n + log(1/η)) Yes Secure against rushing adversaries [RBO89] k + O(n log(1/η)) Yes Secure against rushing adversaries [SNW15] k +Õ(n 2 + n log(1/η)) Yes Restricted to n = 2t + 1…”

“…The error resilience of Shamir's scheme is based on the minimum distance of Reed-Solomon code, and thus the power of the adversary is irrelevant for this scheme as long as the number of manipulations is less than the minimum distance of the code. In fact in the reconstruction phase the adversary may observe everyone's shares and then decide which ones to corrupt, and the set of corrupted shares may or may not overlap with the set of t shares observed by the adversary before reconstruction (an interesting property that is not in general required in robust secret sharing, but is nevertheless satisfied by some known constructions that rely on error-correcting codes to provide robustness; e.g., [SNW15]). …”

Nearly optimal robust secret sharing

“…In other words, we use a variant of Shamir's scheme based on folded Reed-Solomon codes (instead of plain Reed-Solomon codes) combined with an AMD pre-code. This is very similar to what used in [CDF + 08] to provide robustness in the sense of error-detection, as well as the coding-theoretic construction of SafaviNaini and Wang [SNW15] (the latter additionally uses subspace-evasive sets that we do not need). Combining Shamir's scheme with some type of information-theoretic pre-code (such as a message authentication code) can also be seen as the underlying idea of other existing constructions such as [CDF01].…”

“…Same as Shamir's scheme and [SNW15], our result does not necessarily require the observations of the adversary to coincide or overlap with the set of manipulated shares. In fact, the number of adaptive observations by the adversary may in general be different from the number of incorrect shares, and this is allowed as long as the total fraction of observations and incorrect shares add up to a quantity sufficiently smaller than 1.…”

“…Finally, Safavi-Naini and Wang [SNW15] construct secret sharing schemes based on codes for the wiretap channel problem for the case n = 2t + 1. This construction is based on wiretap codes that are in turn based on list decodable Reed-Solomon codes, subspace-evasive sets and AMD codes, and attains a share length of k + O(n 2 (log n)(log log n) + n log(1/η)).…”

“…Our construction and underlying ideas share an overlap with the above-mentioned recent result k + O(log(1/η)) Yes Only robust in the sense of error detection [BP14] k + O(log(1/η)) Yes Only secure against local adversaries [CPS99] k + O(n + log(1/η)) No [CFOR12] k +Õ(n + log(1/η)) Yes Secure against rushing adversaries [RBO89] k + O(n log(1/η)) Yes Secure against rushing adversaries [SNW15] k +Õ(n 2 + n log(1/η)) Yes Restricted to n = 2t + 1…”

“…The error resilience of Shamir's scheme is based on the minimum distance of Reed-Solomon code, and thus the power of the adversary is irrelevant for this scheme as long as the number of manipulations is less than the minimum distance of the code. In fact in the reconstruction phase the adversary may observe everyone's shares and then decide which ones to corrupt, and the set of corrupted shares may or may not overlap with the set of t shares observed by the adversary before reconstruction (an interesting property that is not in general required in robust secret sharing, but is nevertheless satisfied by some known constructions that rely on error-correcting codes to provide robustness; e.g., [SNW15]). …”

Nearly optimal robust secret sharing

Nearly optimal robust secret sharing

Meaningful secret image sharing resist to typical image processing of shadows