CPS 290 - Computer Security
Secret Sharing
Nisarg Raval
Sep 24, 2014
Material is adapted from CS513 lecture notes (Cornell)
http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html
Why share a secret?
http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg
Goal
•
Given a secret s and n parties
a. All n parties together recover s
b. Less than n parties can not recover s
Naive Scheme
S1 = 100
S=10011
High Order
S2 = 11
Low Order
•
Concat shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011
•
What is the problem? - Think of a salary or password
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
Partial Disclosure
•
Given a secret s and n parties
a. All n parties together recover s
b. Less than n can not recover any information
about s
Generate Shares using XOR
S1 = Rand
S=10011
10100
S2 = S XOR S1
00111
10011
S = S1 XOR S2
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
•
Security Check
a. Can n parties generate s?
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
•
Security Check
a. Can n parties generate s?
b. Can any n-1 parties generate s?
Example
S2
S=10011
S1
S2
S
S3
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
Problem?
S2
S=10011
S1
S2
?
S3
•
S can be constructed by 2 or more generals
•
Less than 2 generals can not construct s
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
(n,t) Secret Sharing
•
Given a secret s and n parties
a. Any t or more parties can recover s
b. Less than t parties have not information about s
(3,2) secret sharing
S
S1
2
S=10011
S2
S3
S
(n,2) Secret Sharing
y
(0,S)
x
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(x2,y2)
(0,S)
x
(xn,yn)
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(xn,yn)
(x2,y2)
Shares
(0,S)
x
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(0,S)
x
(n,2) Secret Sharing
Exist a line for every S
(x1,y1)
y
(0,S)
x
(n,3) Secret Sharing
(xn,yn)
(xn-1,yn-1)
(0,S)
(x1,y1)
(x2,y2)
Shamir’s Secret Sharing
•
It takes t points to define a polynomial of degree t-1
•
Create a t-1 degree polynomial with secret as the first coefficient
and the remaining coefficient picked at random
•
Find n points on the curve and give one to each of the parties.
•
At least t points are required to fit the polynomial and hence to
recover secret
y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0
Shamir, Adi (1979), "How to share a secret", Communications of the ACM
Use Case
S1
(3,2)
Secret
Sharing
Scheme
S2
S3
Private Key
Problem?
S1
S1 compromised
S2
S2 compromised
S1 + S2 = Secret
S3
Time
Refresh Shares
Trusted
Third
Party
S1
S2
S3
S’1
S’’1
S’2
S’’2
S’3
S’’3
Time
Refresh Shares
Trusted
Third
Party
S1
S2
S3
S’1
S’’1
S1 compromised
S’2
S’’2
S’3
S’’3
Time
S’2 compromised
can not
construct secret
Proactive Secret Sharing
Server 1
S1
S
Server 2
S2
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
S22
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
Exchange
Partial Shares
S21
S12
S22
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
S’1
Exchange
Partial Shares
S21
S22
S12
S’2
Proactive Secret Sharing
S
Server 1
Server 2
S1
S11
S2
S12
Exchange
Partial Shares
S21
S’1
S21
S22
S12
S’2
Recover S
(S11 + S21) + (S12 + S22)
S
Summary
•
Useful technique to distribute secret
•
Confidentiality
•
Reliability
•
Each share must be as long as the secret itself
•
Require random bits of length proportional to the
number of parties as well as length of the secret