CPS 290 - Computer Security Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes (Cornell) http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html Why share a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg Goal • Given a secret s and n parties a. All n parties together recover s b. Less than n parties can not recover s Naive Scheme S1 = 100 S=10011 High Order S2 = 11 Low Order • Concat shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011 • What is the problem? - Think of a salary or password https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg Partial Disclosure • Given a secret s and n parties a. All n parties together recover s b. Less than n can not recover any information about s Generate Shares using XOR S1 = Rand S=10011 10100 S2 = S XOR S1 00111 10011 S = S1 XOR S2 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg General Scheme • Given a secret s and n parties a. Generate n-1 random strings as first n-1 shares b. Last share is the bitwise XORing of s with all the other n-1 shares General Scheme • Given a secret s and n parties a. Generate n-1 random strings as first n-1 shares b. Last share is the bitwise XORing of s with all the other n-1 shares • Security Check a. Can n parties generate s? General Scheme • Given a secret s and n parties a. Generate n-1 random strings as first n-1 shares b. Last share is the bitwise XORing of s with all the other n-1 shares • Security Check a. Can n parties generate s? b. Can any n-1 parties generate s? Example S2 S=10011 S1 S2 S S3 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg Problem? S2 S=10011 S1 S2 ? S3 • S can be constructed by 2 or more generals • Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg (n,t) Secret Sharing • Given a secret s and n parties a. Any t or more parties can recover s b. Less than t parties have no information about s (3,2) secret sharing S S1 2 S=10011 S2 S3 S (n,2) Secret Sharing y (0,S) x (n,2) Secret Sharing (xn-1,yn-1) y (x1,y1) (x2,y2) (0,S) x (xn,yn) (n,2) Secret Sharing (xn-1,yn-1) y (x1,y1) (xn,yn) (x2,y2) Shares (0,S) x (n,2) Secret Sharing (xn-1,yn-1) y (x1,y1) (0,S) x (n,2) Secret Sharing Exist a line for every S (x1,y1) y (0,S) x (n,3) Secret Sharing (xn,yn) (xn-1,yn-1) (0,S) (x1,y1) (x2,y2) Shamir’s Secret Sharing • It takes t points to define a polynomial of degree t-1 • Create a (t-1)-degree polynomial with secret as the first coefficient and the remaining coefficient picked at random • Find n points on the curve and give one to each of the parties. • At least t points are required to fit the polynomial and hence to recover secret y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key Problem? S1 compromised S1 S2 S2 compromised S1 + S2 = Secret S3 Time Refresh Shares Trusted Third Party S1 S2 S3 S’1 S’’1 S’2 S’’2 S’3 S’’3 Time Refresh Shares Trusted Third Party S1 S2 S3 S’1 S’’1 S1 compromised S’2 S’’2 S’3 S’’3 Time S’2 compromised can not construct secret Proactive Secret Sharing Server 1 S1 S Server 2 S2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated. Proactive Secret Sharing Server 1 S Server 2 S1 S11 S2 S12 S21 S22 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated. Proactive Secret Sharing Server 1 S Server 2 S1 S11 S2 S12 S21 Exchange Partial Shares S21 S22 S12 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated. Proactive Secret Sharing Server 1 S Server 2 S1 S11 S2 S12 S21 S’1 Exchange Partial Shares S21 S22 S12 S’2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated. Proactive Secret Sharing S Server 1 Server 2 S1 S11 S2 S12 Exchange Partial Shares S21 S’1 S21 S22 S12 S’2 Recover S (S11 + S21) + (S12 + S22) S BitCoin Multi-Signature Addresses • Related to, but different than secret sharing. • Secret sharing: break a single secret into multiple shares. • Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. • Examples: 2 out of 2, 2 out of 3, 3 out of 5. Opening the Vault Summary • Useful technique to distribute secret • Confidentiality • Reliability • Each share must be as long as the secret itself • Require random bits of length proportional to the number of parties as well as length of the secret