Formalisation of Bayesian concealment

In order to assure the concealment by cryptographic protocols, it is an effective measure to prove the concealment in a formal logical system. In the contemporary context of cryptographic protocol, the concealment has to be proved by using probability theory. There are several concepts of concealment in probability theory. One of them is Bayesian concealment. This study proposes a formal logical system to prove the Bayesian concealment of a secret sharing scheme.


Motivation
In order to assure the concealment by cryptographic protocols, it is an effective measure to prove the concealment in a formal logical system. In the contemporary context of cryptographic protocol, the concealment has to be proved by using probability theory. There are several concepts of concealment in probability theory, as is explained by Takeuti [9]. One of them is Bayesian concealment. This study proposes a formal logical system to prove the Bayesian concealment of a secret sharing scheme.
Takeuti and Adachi [10] state two reasons of using formal logical system to assure the concealment by cryptographic protocols as below.
The first is academic: formal logic can sometimes elicit the essential features underlying a proof that may remain hidden if an informal proof is used.

3
The second reason is industrial: if you assure only yourself of the concealment of a protocol, you may prove the concealment informally. However, to assure other people of the concealment, you must demonstrate to them the proof of the concealment. Such proofs can be quite difficult to understand, particularly when the proof deals with probability. By itself, proof difficulty does not demonstrate concealment; however, a formal proof can be verified through mechanical checking using, e.g., computing. For these reasons, we use a formal logical system in this paper.

Concealment by cryptographic protocol
In this study the word of concealment refers to the concept of hiding some secret by a cryptographic protocol as in the study by Takeuti and Adachi [10], in which the concealment is explained as below.
In this study a cryptographic protocol refers to a protocol to use in order to conceal some data from some party.
As an example of a cryptographic protocol, Diffie-Hellman key exchange protocol is a protocol to conceal a secret key from an eavesdropper.
In this protocol, two participants A and B firstly share a finite group G and an element e ∈ G . Then, A generates an integer a and sends e a to B. Also B generates an integer b and sends e b to A. At last, A and B share a secret key e ab . It takes too much time for an eavesdropper to obtain the secret key e ab even if it knows sent messages such as G, e, e a and e b , according to a conjecture of contemporary mathematics. The secret key is concealed from the eavesdropper in this sense.
In this study we discuss a secret sharing scheme as a cryptographic protocol. In this protocol, the dealer sends a fragment of the secret to each of n participants. There is a threshold t such that a group of participants of number t can restore the secret from their fragments, although a group of participants of number less than t cannot do it. This protocol conceals the secret from a group of participants of number less than t.

Probabilistic variables
In the modern cryptographic theory, the concept of concealment is written in the words of probabilistic theory. This study proposes a formal logical system with probabilistic variables for proving concealment of cryptography. Some studies on formal systems for probabilistic theory implement probabilistic theory in general formal system of type theory. One of them is the literature [2] by Affeldt, Garrigue and Saikawa. Such studies implement the probabilistic theory as a special case of measure theory, and do not use probabilistic variables. Probabilistic variables are familiar for human, and give a nice abstraction which aids human's abstracted thought. That is why we propose a formal system with probabilistic variables.

3
Formalisation of Bayesian concealment

Outline
We explain the preliminaries of probability theory and Bayesian theory in Sect. 2. We list up six concepts of concealment in Sect. 3, which consists of the quotation from the study by Takeuti [9]. We explain secret sharing schemata in Sect. 4. We explain the previous studies on formal logical system for proving concealment in Sect. 5. We propose our formal logical system in Sect. 6. By using this system, we prove the concealment of Shamir's secret sharing scheme in Sect. 7. We explain related works in Sect. 8.

Preliminaries of probability theory and Bayesian theory
In this section we put the preliminaries of probability theory and Bayesian theory, which we use to define the concepts of concealment.

Evenness and independency
The probability space consists of a triple ( , B, ) , where is the set of elementary events, B is the set of measurable sets over , and is the probability measure. In this study, the set is always finite, and B is always the power set of . Thus, for each E ∈ B , the probability (E) is expressed by the summation ∑ ∈E ({ }) . We use the letters X, Y, Z, … for probabilistic variables. A probabilistic variable X represents a function f X of into V X which is the set where X ranges. The notation We say that the distribution of X is even when, for each x ∈ V X , Pr[X = x] = 1∕|V X | . We say that the distributions of X and Y are independent when, for each x ∈ V X and each y ∈ V Y ,

Prior distribution and posterior distribution
There appear the concepts of joint probability distribution, prior distribution and posterior distribution in Bayesian theory. The joint probability distribution of X and Y is the distribution The prior distribution of X is the distribution The posterior distribution of X after observing Y = y is the distribution If the distributions of X and Y are independent, then the posterior distribution of X is equal to its prior distribution.

Concepts of concealment
As discussed by Takeuti [9], there are several concepts of concealment. The following subsections are the list of six concepts of concealment which is the quotation from his study [9]. In the following explanation, there appear the concepts of computational concealment and Bayesian concealment. Although many studies discuss computational concealment, we discuss Bayesian concealment in this study.

Possibilistic concealment and probabilistic concealment
Possibilistic concealment Although it is known that the concealed data X is either x 1 or x 0 , both X = x 0 and X = x 1 are possible and the adversary cannot tell which of them is the case. Probabilistic concealment When the concealed data X is either x 1 or x 0 in probability 1/2, even if the adversary observes any observable variables, both Pr[X = x 1 ] and Pr[X = x 0 ] are still equal or very near to 1/2 for the adversary.
The concept of 'very near' in the definition of probabilistic concealment should be defined formally. In most cases this concept of 'very near' is defined as in the concept of asymptotic concealment, which appears below.
The words 'possibilistic' and 'probabilistic' appear in the study by O'Neill and Halpern [7]. The concept of possibilistic concealment is called concealment under a non-probabilistic argument in the study by Takeuti and Adachi [10]. Both the studies by O'Neill and Halpern [7] and by Takeuti and Adachi [10] state that possibilistic concealment is weak and probabilistic concealment is desired to discuss the safety of cryptographic protocols.
All of the following four concepts of concealment are the refinements of the concept of probabilistic concealment.

Asymptotic concealment and information-theoretic concealment
Asymptotic concealment Suppose that the concealed data X is either x 1 or x 0 in probability 1/2. For an arbitrary polynomial p, there is a large number N such that, for any security parameter n > N which is as large as the length of encryption key, in computation time of polynomial of n, for the computation result X ′ , | Pr[X = X � ] − 1∕2| is smaller than 1/p(n).
Information-theoretic concealment When the concealed data X is either x 1 or x 0 in probability 1/2, even if the adversary observes any observable variables, both Pr[X = x 1 ] and Pr[X = x 0 ] are still exactly equal to 1/2 for the adversary.
The concept of asymptotic concealment is popular in the context of public-key cryptography, as in the book by Goldreich [5].
Information-theoretic concealment can be realised in the settings of some secret sharing schemes. One of them is Shamir's secret sharing scheme [10], although Shamir did not show information-theoretic concealment of his secret sharing scheme [8].
Not all secret sharing schemes realise information-theoretic concealment. Boyle et al. [3] discuss asymptotic concealment by a secret sharing scheme.
Information-theoretic concealment is stronger than asymptotic concealment is. Therefore, it is better to realise information-theoretic concealment than asymptotic concealment if it is possible. However, it is impossible to realise information-theoretic concealment and only asymptotic concealment is realisable in some settings, namely, the setting of public-key cryptography.

Computational concealment and Bayesian concealment
Computational concealment When the concealed data X is either x 1 or x 0 in probability 1/2, even if the adversary makes any computation using observable variables in the given computation power, the probability that the adversary guesses the collect value of X is equal to or very near to 1/2.
Bayesian concealment Even if the adversary observes any observable variables, the posterior distribution of the concealed variable is equal to its prior distribution.
We say that the data is concealed Bayesianly when the Bayesian concealment is realised.
If the probabilistic distribution of the observable variables are independent to that of the concealed data, then the concealed data is concealed Bayesianly.
The definition of computational concealment mentions both the concepts of computation and of probability, while the definition of Bayesian concealment mentions only the concept of probability.

Applicability
The following explanations around the last four concepts in the literature [9].
Two dichotomies are shown around the concept of probabilistic concealment; one dichotomy is asymptotic concealment versus information-theoretic concealment in Sect. 3.2, and the other is computational concealment versus Bayesian concealment in Sect. 3.3. The former one in Sect. 3.2 captures what phenomenon happens, and the latter one in Sect. 3.3 captures the method how to observe the phenomenon. We apply the method indicated by the dichotomy in Sect. 3.3 to observing the phenomenon indicated by the dichotomy in Sect. 3.2.
Not both methods are applicable to both phenomena. The concept of asymptotic concealment is essentially computational, and Bayesian concealment is not applicable to asymptotic concealment. Bayesian concealment is applicable to only information-theoretic concealment. On the other hand, computational concealment is applicable to both asymptotic concealment and information-theoretic concealment.

Merit of the concept of Bayesian concealment
As the merit of the concept of Bayesian concealment, the concept of Bayesian concealment captures probabilistic concealment more directly than computational concealment does. A formal system for proving computational concealment has to have some devices of computation theory as well as of probabilistic theory. The formal system by Takeuti and Adachi [10] has the undefined function symbol f which denote an arbitrary computation as well as the probabilistic modality. On the other hand, the formal system which we propose in Sect. 6 has only probabilistic predicates.
As the profit of using the concept of Bayesian concealment, the proof of the Bayesian concealment is more direct and easier to analyse than the proof of computational concealment is. Takeuti and Adachi [10] prove the computational concealment of the secret sharing scheme in Sect. 4.3. Although it proves the computational concealment explicitly, the proof uses Bayesian concealment implicitly. In Sect. 3.3 of the literature [10], they prove In this expression, is a linear combination of the observable variables, and f � (x 1 , x 2 , … , x k ) is independent to the secrets. Therefore, this expression implicitly meaning that the observable variables are independent to the secrets, that is, Bayesian concealment is realised here. Their proof of computational concealment is a little hard to analyse. However, in order to prove its information-theoretic concealment, it is sufficient to prove its Bayesian concealment, and it is not necessary to prove its computational concealment. It is much clearer to prove its Bayesian concealment than to prove its computational concealment.

Threshold secret sharing scheme
A typical secret sharing scheme realises the following situation. There are n persons, each of which has its own fragment of the secret, and t persons out of them together can restore the secret but t − 1 persons cannot. If it realises this situation, then it is called (n, t)-threshold secret sharing scheme.

Simple secret sharing scheme
We can construct a simple secret sharing system by a finite group G as below.
There are a dealer and two persons P 1 and P 2 . The group G is open. There is a secret X ∈ G . The dealer chooses a fresh key Y from G, that is, the distribution of Y is even and independent to that of X. The dealer gives Y to a person P 1 and gives Z = XY to another person P 2 . The distribution of Z is also even, and X and Z is also

3
Formalisation of Bayesian concealment independent, because of the following proposition. Neither P 1 nor P 2 alone can solve the value of X, because X is concealed Bayesianly both from Y and from Z. On the other hand, P 1 and P 2 in collaboration can solve the value of X as X = ZY −1 .
Proposition 1 Let G be a finite group and X and Y be probabilistic variables over G. Suppose that the distribution of Y is even and independent to that of X. Put Z = XY . Then, the distribution of Z is even and independent to that of X.
Proof For any x, z ∈ G , it holds that On the other hand, This is a (2, 2)-threshold secret sharing scheme.

Shamir's secret sharing scheme
Shamir [8] proposes (n, t)-threshold secret sharing scheme. We will show the construction of his (3, 3)-threshold secret sharing scheme as an example. Take a finite field F of characteristic ≥ 5.
For a secret data M ∈ F , the dealer takes fresh variables X 1 , X 2 ∈ F , that is, their distributions are even, and the distributions of them and M are independent.
The dealer calculates Then the dealer delivers the data Y 1 , Y 2 and Y 3 to three persons P 1 , P 2 and P 3 respectively. By knowing all of Y 1 , Y 2 , Y 3 , one can solve the equation system and obtain M. On the other hand, one cannot obtain M from only two of Y 1 , Y 2 , Y 3 , because the degree of freedom is not enough and one cannot solve the equation system. Therefore, it is (3, 3)-threshold secret sharing scheme.
Shamir [8] discusses (n, t)-threshold secret sharing schemes for general n and t by using general Vandermonde's matrices.
Although Shamir shows only possibilistic concealment of this scheme, it is actually probabilistic concealment, as is shown by Takeuti and Adachi [10].

Formal systems in previous studies
There are several previous studies which propose formal systems to prove concealment of cryptographic protocol. We point out two of them.
One is the study by Takeuti and Adachi [10] which proposes the formal logical system which proves the information-theoretic concealment of Shamir's secret sharing scheme. The other is the study by Abadí and Rogaway [1] which proposes the formal system which can show asymptotic concealment of cryptographic protocols with an encryption function.

Previous system for the secret sharing scheme
Takeuti and Adachi [10] prove its computational concealment of the secret sharing scheme in Sect. 4.3 by using its Bayesian concealment.
In this secret sharing scheme, the secret is M, the random seeds are X 1 and X 2 , and the observable variables are Y 1 , Y 2 and Y 3 . They prove the following fact. Suppose that a party knows only two of the three observable variables, namely, Y 1 and Y 2 . Then for an arbitrary function f, the distribution of the result of the calculation f (Y 1 , Y 2 ) is independent to that of M. In other words, the variable M is concealed Bayesianly from Y 1 and Y 2 . By using this fact, they prove computational concealment of M from Y 1 and Y 2 .
The logical system is a little heavy, since it has modal operators for denoting probability as well as full propositional logical connectives. The proof is also a little heavy to analyse.
In order to assure the probabilistic concealment, it is sufficient to prove Bayesian concealment and it is not necessary to prove computational concealment. In order to prove only Bayesian concealment, we can simplify the system and the proof much more.

Previous system for the cryptographic protocol with an encryption function
Abadí and Rogaway [1] propose the formal system which can show asymptotic concealment of cryptographic protocols with an encryption function. The system is to derive a term from terms. The system is quite simple.
The terms are defined by the following grammar: The derivation rules are the follows: They [1] prove that this system enjoys soundness and completeness, where soundness means that, if M 1 , M 2 , … , M n ⊢ M is derivable in this system, then M is obtained from M 1 , M 2 , … , M n , and completeness means that, if M 1 , M 2 , … , M n ⊢ M is not derivable in this system, then M is concealed from M 1 , M 2 , … , M n . For example, one asserts that X is concealed from {X} K because X is not derived from {X} K .

Overview
We propose a formal system which proves Bayesian concealment. The targets of this system are formulae without logical connectives. In order to deal with Bayesian concealment, it is necessary to state evenness and independency of probabilistic distribution. Hence the system has the predicates which denote evenness and independency, thus the system targets not terms but formulae. However, this system does not have logical connectives. Therefore, this system is a little more complicated than the system by Abadí and Rogaway [1], but not so as the system by Takeuti and Adachi [10].
We prove the soundness of this system. Its completeness is unknown. Even if it is not complete, the system which proves useful theorems is useful.
We fix a finite field where secret sharing scheme is calculated. Its reason is the same as that in the study by Takeuti and Adachi [10], which states as below.
The secret sharing scheme uses a finite field. In order to deal with general fields, the formal logical system must have a general theory of finite fields, which is a kind of complicated. We would like to divide the problem into two parts: one is that of probability and the other problem is that of general finite fields. In this paper we discuss only probability. Therefore, we fix a particular finite field.

Syntax
We fix a finite field F.
There are only finite probabilistic variables. Terms are defined as the following syntax: where X is a probabilistic variable and e ∈ F. Formulae are in the following forms: and I(t t , t 2 , … , t n ).
A formula E(t) denotes that the distribution of t is even. A formula I(t t , t 2 , … , t n ) denotes that the distributions of t 1 , t 2 , … , t n−1 and t n are independent. A term t is said to be made of t 1 , t 2 , … , t n when t is a term generated from only t 1 , t 2 , … , t n and some e 1 , e 2 , … , e m ∈ F with only +, ⋅ and (−) −1 .

Semantics
An assignment assigns an element e ∈ F to each probabilistic variable. Note that there are only finite assignments, because probabilistic variables are finite and F is also finite.
The value [[t]] ∈ F of a term t under an assignment is defined in the ordinary way as follows: We define [[0 −1 ]] = 0 in order to make [[−]] a total function over terms, although 0 −1 is undefined in mathematics.
The probability space here is ( , B, ) where the underlying set is the set of all the assignment of elements in F to probabilistic variables, the Borel family B is the power set of , and is a probability measure over B.
In the following text, the notation for each ∈ , for each (e 1 , e 2 , … , e n ) ∈ F n .

Inference rules
The inference rules are listed below:

Soundness
We show the soundness of the logical system in this section. In the proofs of the following lemmata, in order to distinguish from comparison of the values of terms, we use the symbol ≡ to denote that two are of the same form, that is, we write t ≡ t ′ to denote that the term t is the same term as t ′ .

t) and u is a term made of t, then ⊧ I(t � , u).
Proof Let x 1 , x 2 , … , x n be variables.
Because u is a term made of t , there is some term u * (x 1 , x 2 , … , x n ) which is made of x 1 , x 2 , … , x n such that u ≡ u * (t).
For e ∈ F , the set u −1 * (e) ⊂ F n is defined as As the assumption, for any e 1 , e 2 , … , e n , e � 1 , e � 2 , … , e � m in F, it holds that Let e, e � 1 , e � 2 , … , e � m be arbitrary elements in F. Then,

t) and u is a term made of t, then ⊧ I(t + u,t).
Proof Let x 1 , x 2 , … , x n be variables. Because u is a term made of t , there is some term u * (x 1 , x 2 , … , x n ) which is made of x 1 , x 2 , … , x n such that u ≡ u * (t).
For e ∈ F , the set u −1 * (e) ⊂ F n is defined as As the assumption, Pr[t = e] = 1∕|F| for each e ∈ F. As the assumption, for any e, e 1 , e 2 , … , e n in F, it holds that Let e, e 1 , e 2 , … , e n be arbitrary elements in F. Then, .

Proof of Bayesian concealment in secret sharing scheme
In this section we prove Bayesian concealment of the secret sharing system of Sect. 4.3 in the formal system of Sect. 6. In the secret sharing system of Sect. 4.3, there are probabilistic variables M, X 1 , X 2 , Y 1 , Y 2 and Y 3 . The variable where M is a secret, The variables X 1 and X 2 are fresh variables, that is, the distributions of X 1 and X 2 are even and M, X 1 and X 2 are independent, The variables Y 1 , Y 2 and Y 3 are calculated as Although one can calculate M from all of Y 1 , Y 2 and Y 3 , it is concealed Bayesianly from two of them.
We show the formal proof of the Bayesian concealment of M from Y 1 and Y 2 .
Therefore, it is proved that the probabilistic distributions of M, Y 1 and Y 2 are independent, that is, M is concealed Bayesianly from Y 1 and Y 2 . This proof is the inverse way of row reduction to solve the equation system. The concealment of Shamir's secret sharing system depends on the unsolvability of the linear equation system. Thus, the proof of its concealment follows the steps of solving the linear equation system. While the proof in the literature [10] uses the inverse matrix, the proof in this study follows the inverse way of row reduction step by step.

Future work
We proposed a formal logical system which proves the Bayesian concealment. Our system shows which operations in field theory preserve the evenness and the independency of probabilistic distributions. Therefore, our system proves the concealment of only the cryptographic protocols based on fields theory. Especially, this system is applied to only one example which is the concealment of Shamir's secret sharing scheme. To apply this system to more examples is a future work.

Related works
As is explained in Sect. 5.2, Abadí and Rogaway [1] define a formal system which proves one can computed a term from other terms, and show the completeness of the system for a computational model. Their system targets not formulae but a terms. Its completeness yields that if a term is not derived from the set of other terms, then the term is concealed from the person who knows only the set of terms. The concealment which is proved here is asymptotic concealment.
In their theory, the impossibility of derivation yields concealment. Hence its completeness is necessary. On the other hand, our system derives the independency of terms which implies the concealment. Hence its soundness is sufficient and its completeness is not required.
As is explained in Sect. 5.1, Takeuti and Adachi [10] propose a formal logical system which proves the probabilistic concealment of Shamir's secret sharing scheme. Their system has full Boolean logical connectives and modal operators for denoting probability. The system is a little heavy, and the proof is a little hard to analyse. On the other hand, our system in this study has no logical symbols and the proof is easy to analyse.
Affeldt et al. [2] implement probabilistic theory in the general logical system Coq, and develop the theory of conditional probability. The theory of conditional probability can describe independency of events, therefore it can deal with Bayesian concealment. They regard probabilistic theory as a special case of measure theory. The implementation does not use probabilistic variables but uses the functions represented by propositional variables, that is, they use the expression { ∈ |f X ( ) = x} instead of Pr[X = x] . They use probabilistic variables in informal expressions, but do not give formal expressions with probabilistic variables. Some studies on formal systems for probability discuss modal logic for probabilistic transitions. One of them is the literature [6] by Aviad Heifetz and Philippe Mongin. They axiomatise modal logic for probabilistic transitions and prove the soundness and completeness of the axiomatisation. The logic for probabilistic transitions cannot write independency of events, therefore it cannot deal with Bayesian concealment.
Dougherty and Guttman [4] define a formal theory of fields in order to prove the security of a modification of Diffie-Hellman key exchange protocol against manin-the-middle attack. The result is not a direct theorem of the formal system but a conclusion of a discussion of informal logic with an aid of formal theory.