Secret Sharing
Nisarg Raval
Sep 24, 2014
http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html
Material is adapted from CS513 lecture notes (Cornell)
CPS 290 - Computer Security
Why share a secret?
Goal
• Given a secret s and n parties
a. All n parties together recover s
b. Fewer than n parties cannot recover s
Naive Scheme
S = 10011
S1 = 100 (high order), S2 = 11 (low order)
• Concatenate shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011
• What is the problem? - Think of a salary or password
Partial Disclosure
• Given a secret s and n parties
a. All n parties together recover s
b. Fewer than n parties cannot recover any information about s
Generate Shares using XOR
S = 10011
S1 = Rand = 10100
S2 = S XOR S1 = 00111
S = S1 XOR S2 = 10011
General Scheme
• Given a secret s and n parties
a. Generate n-1 random strings as first n-1 shares
b. Last share is the bitwise XORing of s with all the other n-1 shares
• Security Check
a. Can n parties generate s?
b. Can any n-1 parties generate s?
Example
[Figure: S = 10011 with shares S1, S2, S3]
Problem?
[Figure: S = 10011 with shares S1, S2, S3]
• S can be constructed by 2 or more generals
• Fewer than 2 generals cannot construct S
(n,t) Secret Sharing
• Given a secret s and n parties
a. Any t or more parties can recover s
b. Fewer than t parties have no information about s
[Figure: S = 10011 with shares S1, S2, S3: (3,2) secret sharing]
(n,2) Secret Sharing
[Figure: x-y plot of a line through (0,S). The shares are the points (x1,y1), (x2,y2), …, (xn-1,yn-1), (xn,yn) on the line. Given only one point (x1,y1), there exists a line for every S.]
(n,3) Secret Sharing
[Figure: x-y plot of a curve through (0,S) and the points (x1,y1), (x2,y2), …, (xn-1,yn-1), (xn,yn)]
Shamir’s Secret Sharing
• It takes t points to define a polynomial of degree t-1
• Create a (t-1)-degree polynomial with the secret as the first coefficient (the constant term a0) and the remaining coefficients picked at random
• Find n points on the curve and give one to each of the parties.
• At least t points are required to fit the polynomial and hence to recover secret
Shamir, Adi (1979), "How to share a secret", Communications of the ACM
$y = a_{t-1} x^{t-1} + a_{t-2} x^{t-2} + \dots + a_1 x + a_0$
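The scheme on this slide as an added Python example (not part of the original slides). It assumes arithmetic modulo a prime P, which the slides do not state; the names split, interpolate and recover are chosen here. The demo also illustrates the earlier "a line exists for every S" point: t-1 shares fit every candidate secret.

```python
import secrets

# Assumption (not on the slides): arithmetic is modulo a prime P that is
# larger than both the secret and the number of parties n.
P = 2**127 - 1  # Mersenne prime

def split(secret, n, t, prime=P):
    """(n,t) sharing: return n points (x, y) on a random degree t-1 polynomial."""
    if not (1 <= t <= n < prime and 0 <= secret < prime):
        raise ValueError("need 1 <= t <= n < prime and 0 <= secret < prime")
    # a0 is the secret; a1 .. a_{t-1} come from a CSPRNG.
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):       # x = 0 is never handed out: f(0) is the secret
        y = 0
        for a in reversed(coeffs):  # Horner evaluation of f(x)
            y = (y * x + a) % prime
        shares.append((x, y))
    return shares

def interpolate(points, x0=0, prime=P):
    """Evaluate at x0 the unique polynomial of degree < len(points) through points."""
    xs = [x % prime for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("points must have distinct x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:              # Lagrange basis polynomial for point i
                num = num * (x0 - xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total

def recover(shares, prime=P):
    """Recover the secret f(0) from at least t shares."""
    return interpolate(shares, 0, prime)

if __name__ == "__main__":
    shares = split(0b10011, n=5, t=3)                # the slides' secret S = 10011
    print(recover(shares[:3]), recover(shares[2:]))  # any 3 shares give 19
    # Two shares fit every candidate secret: each guess implies a valid third share.
    for guess in (0, 7, 19):
        y3 = interpolate(shares[:2] + [(0, guess)], x0=3)
        print(guess, recover(shares[:2] + [(3, y3)]))
```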
Use Case
[Figure: a private key split by a (3,2) secret sharing scheme into shares S1, S2, S3]
Problem?
[Figure: timeline with shares S1, S2, S3. S1 compromised, later S2 compromised: S1 + S2 = Secret]
Refresh Shares
[Figure: timeline on which a trusted third party refreshes shares S1, S2, S3 to S’1, S’2, S’3 and then to S’’1, S’’2, S’’3. S1 compromised and S’2 compromised: cannot construct secret]
Proactive Secret Sharing
[Figure: Server 1 holds S1 and Server 2 holds S2, the shares of S. S1 is split into S11, S12 and S2 into S21, S22. The servers exchange partial shares S12 and S21, giving new shares S’1 and S’2. Recover S: (S11 + S21) + (S12 + S22)]
Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Bitcoin Multi-Signature Addresses
• Related to, but different from, secret sharing.
• Secret sharing: break a single secret into multiple shares.
• Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction.
• Examples: 2 out of 2, 2 out of 3, 3 out of 5.
Opening the Vault
Summary
• Useful technique to distribute secret
• Confidentiality
• Reliability
• Each share must be as long as the secret itself
• Requires random bits of length proportional to the number of parties as well as the length of the secret