Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Secret Sharing CPS 290 - Computer Security Nisarg Raval Sep 24, 2014

advertisement 
CPS 290 - Computer Security
Secret Sharing
Nisarg Raval
Sep 24, 2014
Material is adapted from CS513 lecture notes (Cornell)
http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html
Why share a secret?
http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg
Goal
•
Given a secret s and n parties
a. All n parties together recover s
b. Less than n parties can not recover s
Naive Scheme
S1 = 100
S=10011
High Order
S2 = 11
Low Order
•
Concat shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011
•
What is the problem? - Think of a salary or password
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
Partial Disclosure
•
Given a secret s and n parties
a. All n parties together recover s
b. Less than n can not recover any information
about s
Generate Shares using XOR
S1 = Rand
S=10011
10100
S2 = S XOR S1
00111
10011
S = S1 XOR S2
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
•
Security Check
a. Can n parties generate s?
General Scheme
•
Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the
other n-1 shares
•
Security Check
a. Can n parties generate s?
b. Can any n-1 parties generate s?
Example
S2
S=10011
S1
S2
S
S3
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
Problem?
S2
S=10011
S1
S2
?
S3
•
S can be constructed by 2 or more generals
•
Less than 2 generals can not construct s
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
(n,t) Secret Sharing
•
Given a secret s and n parties
a. Any t or more parties can recover s
b. Less than t parties have no information about s
(3,2) secret sharing
S
S1
2
S=10011
S2
S3
S
(n,2) Secret Sharing
y
(0,S)
x
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(x2,y2)
(0,S)
x
(xn,yn)
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(xn,yn)
(x2,y2)
Shares
(0,S)
x
(n,2) Secret Sharing
(xn-1,yn-1)
y
(x1,y1)
(0,S)
x
(n,2) Secret Sharing
Exist a line for every S
(x1,y1)
y
(0,S)
x
(n,3) Secret Sharing
(xn,yn)
(xn-1,yn-1)
(0,S)
(x1,y1)
(x2,y2)
Shamir’s Secret Sharing
•
It takes t points to define a polynomial of degree t-1
•
Create a (t-1)-degree polynomial with secret as the first coefficient
and the remaining coefficient picked at random
•
Find n points on the curve and give one to each of the parties.
•
At least t points are required to fit the polynomial and hence to
recover secret
y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0
Shamir, Adi (1979), "How to share a secret", Communications of the ACM
Use Case
S1
(3,2)
Secret
Sharing
Scheme
S2
S3
Private Key
Problem?
S1 compromised
S1
S2
S2 compromised
S1 + S2 = Secret
S3
Time
Refresh Shares
Trusted
Third
Party
S1
S2
S3
S’1
S’’1
S’2
S’’2
S’3
S’’3
Time
Refresh Shares
Trusted
Third
Party
S1
S2
S3
S’1
S’’1
S1 compromised
S’2
S’’2
S’3
S’’3
Time
S’2 compromised
can not
construct secret
Proactive Secret Sharing
Server 1
S1
S
Server 2
S2
Goal: without changing the secret, periodically update
shares in a way that old shares are invalidated.
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
S22
Goal: without changing the secret, periodically update
shares in a way that old shares are invalidated.
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
Exchange
Partial Shares
S21
S22
S12
Goal: without changing the secret, periodically update
shares in a way that old shares are invalidated.
Proactive Secret Sharing
Server 1
S
Server 2
S1
S11
S2
S12
S21
S’1
Exchange
Partial Shares
S21
S22
S12
S’2
Goal: without changing the secret, periodically update
shares in a way that old shares are invalidated.
Proactive Secret Sharing
S
Server 1
Server 2
S1
S11
S2
S12
Exchange
Partial Shares
S21
S’1
S21
S22
S12
S’2
Recover S
(S11 + S21) + (S12 + S22)
S
BitCoin Multi-Signature Addresses
•
Related to, but different than secret sharing.
•
Secret sharing: break a single secret into multiple
shares.
•
Multi-signature address: requires multiple signatures
with different private keys (secrets) to authorize a
transaction.
•
Examples: 2 out of 2, 2 out of 3, 3 out of 5.
Opening the Vault
Summary
•
Useful technique to distribute secret
•
Confidentiality
•
Reliability
•
Each share must be as long as the secret itself
•
Require random bits of length proportional to the
number of parties as well as length of the secret
Related documents
U.S. DOD Form dod-sd-194
U.S. DOD Form dod-sd-194
25 Ways to Win With People
25 Ways to Win With People
Principles of Information Technology
Principles of Information Technology
The big secret in life is that there is no... secret. Whatever your goal, you can get there if
The big secret in life is that there is no... secret. Whatever your goal, you can get there if
GEMS—Codes and Ciphers Today we explored one kind of coding
GEMS—Codes and Ciphers Today we explored one kind of coding
Download
advertisement