Slide1
Secret Sharing (or, more accurately, “Secret Splitting”)
Original slides by Nisarg Raval
http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html
Material is adapted from CS513 lecture notes (Cornell)
Slide2
Why split a secret?
http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg
Slide3
Goal
Given a secret s, first held by a “dealer”, who then splits it into n shares among n parties called “players”.
All n players together recover s.
Fewer than n players cannot recover s.
Slide4
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
Naive Scheme
S = 10011
S1 = 100 (high-order bits)
S2 = 11 (low-order bits)
Concatenate shares to reveal secret: S = (S1)(S2) = (100)(11) = 10011
What is the problem? - Think of a salary or password.
Slide5
No Partial Disclosure
Given a secret s and n players
All n players together recover s
Fewer than n players cannot recover any information about s (unconditional security)
Slide6
Dealer Generates Shares using XOR
S = 10011
S1 = Rand = 10100
S2 = S XOR S1 = 00111
S = S1 XOR S2 = 10011
Slide7
General Scheme
Given a secret s and n players
Dealer generates n-1 random strings as the first n-1 shares
Last share is the bitwise XOR of s with all the other n-1 shares
Slide8
General Scheme
Given a secret s and n players
Dealer generates n-1 random strings as the first n-1 shares
Last share is the bitwise XOR of s with all the other n-1 shares
Security Check
Can n players generate s?
Slide9
General Scheme
Given a secret s and n parties
Generate n-1 random strings as the first n-1 shares
Last share is the bitwise XOR of s with all the other n-1 shares
Security Check
Can n players generate s?
Can any n-1 players generate s?
Slide10
A More Flexible Scenario
S = 10011
[Figure: S split into shares S1, S2, S3]
Slide11
A More Flexible Scenario
S = 10011
[Figure: S split into shares S1, S2, S3; can two of them recover S?]
S can be constructed by 2 or more generals
Fewer than 2 generals cannot construct s
Slide12
(n,t) Secret Sharing
Given a secret s and n players
Any t or more players can recover s
Fewer than t players have no information about s
S = 10011
[Figure: S split into shares S1, S2, S3]
(3,2) secret sharing
Slide13
(n,2) Secret Sharing
[Figure: x-y plane with the point (0,S) on the y axis]
Secret S is the y-intercept
Slide14
(n,2) Secret Sharing
[Figure: x-y plane with (0,S) and the points (x_1,y_1), (x_2,y_2), …, (x_{n-1},y_{n-1}), (x_n,y_n) on a line through it]
Slide15
(n,2) Secret Sharing
[Figure: x-y plane with (0,S) and the points (x_1,y_1), (x_2,y_2), …, (x_{n-1},y_{n-1}), (x_n,y_n) on a line through it]
The points (x_i,y_i) are the shares
Slide16
(n,2) Secret Sharing
[Figure: x-y plane with (0,S) and only two of the shares, (x_1,y_1) and (x_{n-1},y_{n-1}), on the line]
Slide17
(n,2) Secret Sharing
[Figure: x-y plane with (0,S) and a single share (x_1,y_1)]
For every secret S, there is a line through (x_1,y_1): one share does not suffice
Slide18
(n,3) Secret Sharing
[Figure: x-y plane with (0,S) and the points (x_1,y_1), (x_2,y_2), …, (x_{n-1},y_{n-1}), (x_n,y_n) on a curve through it]
Three points determine a quadratic polynomial
Slide19
Shamir’s Secret Sharing
It takes t points to define a polynomial of degree t-1
Easy to prove corollary of the Fundamental Theorem of Algebra, which states that a polynomial of degree n > 0 has exactly n roots (when counted with multiplicity)
Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd.
Create a degree-(t-1) polynomial with the secret as the constant coefficient and the remaining coefficients chosen at random
Find n points on the curve (not at x=0) and give one to each of the players.
At least t points are required to fit the polynomial and hence to recover the secret (and any t points will suffice)
Shamir, Adi (1979), "How to share a secret", Communications of the ACM
y = a_{t-1} * x^{t-1} + a_{t-2} * x^{t-2} + … + a_1 * x + a_0
Slide20
Use Case
[Figure: a Private Key split into shares S1, S2, S3 under a (3,2) Secret Sharing Scheme]
Slide21
Dyadic Security Product
Pure-software virtual hardware security module (HSM).
(Other vendors sell HSMs similar to TPMs that can store private keys and perform TLS operations.)
Share secret (e.g., private key for TLS) across multiple servers.
Perform TLS operations using secure multiparty computation so that no server learns the private key.
Assumes that breaking into several servers is more difficult than breaking into one.
Slide22
Unconditional Security
Each share must be as long as the secret itself, e.g., the number of possible values of the polynomial at each point where it is evaluated must be the same as the number of possible y-intercepts
Requires random bits of length proportional to the number of players n as well as the length of the secret l
Can the sizes of the shares be reduced?
Slide23
“Secret Sharing Made Short”
Dealer begins by choosing a random symmetric key, e.g., a 256-bit AES key
Dealer encrypts the secret using the symmetric key
Symmetric key is split using Shamir’s (n,t) scheme (n shares, each 256 bits): n*256 bits
Encrypted secret is encoded using an (n,t) error correcting code
Suppose encrypted secret length is l bits. Code uses n “symbols” each l/t bits long: nl/t bits. Any t symbols out of n suffice to recover the encrypted secret.
Total bits: n*256 + nl/t (versus nl)
Slide24
Idea Behind Error Correcting Code
Use a polynomial as before.
Break the “message” (e.g., the encrypted secret) into t pieces of length l/t. Let y_i denote the i’th piece.
Create a polynomial f(x) where f(x_i) = y_i for some arbitrarily chosen x_1, x_2, …, x_t, e.g., x_i = i.
Now the goal is to recover not f(0), but f(x_1), f(x_2), …, f(x_t)
Evaluate the polynomial at n-t other locations x_{t+1}, …, x_n, e.g., x_i = i.
The n f(x_i) values are the symbols
Can recover the full polynomial from any t symbols
Once the polynomial is recovered, find values at x_1, …, x_t.
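The two polynomial constructions of slide 19 (Shamir's (n,t) sharing) and slide 24 (the (n,t) dispersal of the encrypted secret) as one added Python example; this is not code from the slides. The prime field P, the Lagrange interpolation routine and the byte chunking are my choices, and the message passed to `disperse` stands in for the already AES-encrypted secret, which this example does not produce.

```python
import secrets

# Field prime for all arithmetic (a constructed choice, not from the slides):
# a Mersenne prime, so secrets and message pieces of up to 56 bits fit below it.
P = 2**61 - 1

def interpolate(points, x):
    """Value at x of the unique polynomial of degree < len(points) that passes
    through the given (x_i, y_i) pairs (Lagrange form, inverses via Fermat)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

# Slide 19: Shamir (n,t). The secret is a_0; a_1..a_{t-1} are drawn at random.
def shamir_split(secret, n, t):
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    # Shares are points on the curve at x = 1..n; x = 0 would hand out a_0.
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def shamir_recover(shares):
    return interpolate(shares, 0)      # any t shares give the y-intercept

# Slide 24: (n,t) dispersal of the (already encrypted) message. The t pieces
# are the values f(1..t) themselves; the extra n-t symbols are f(t+1..n).
def disperse(message, n, t):
    size = -(-len(message) // t)       # l/t bytes per piece, last one padded
    assert size <= 7, "each piece must fit below P"
    pieces = [int.from_bytes(message[i*size:(i+1)*size].ljust(size, b"\0"), "big")
              for i in range(t)]
    known = list(zip(range(1, t + 1), pieces))
    return known + [(x, interpolate(known, x)) for x in range(t + 1, n + 1)]

def reassemble(symbols, t, length):
    """Any t symbols fix f; the message is f(1..t) re-joined and un-padded."""
    size = -(-length // t)
    pieces = [interpolate(symbols[:t], x) for x in range(1, t + 1)]
    return b"".join(p.to_bytes(size, "big") for p in pieces)[:length]
```

Note that the first symbol of `disperse` is the first piece of the message in the clear, which is exactly the leak slide 25 describes and why the dispersal must be applied to ciphertext.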
Slide25
Why is this scheme not unconditionally secure?
It’s possible to learn some of the information about the encrypted secret from fewer than t shares, e.g., knowing f(x_1) means knowing the first piece of the encrypted secret. The error correcting code isn’t trying to hide information. The goal is the opposite: enable the recovery of as much information as possible from whatever symbols are at hand.
So the security depends on the strength of the encryption system, e.g., AES, which is NOT unconditionally secure, since key length (256 bits) may be less than secret length l.
Slide26
Why isn’t AES Unconditionally Secure?
Suppose message length is l bits, and key length is k bits, e.g., k=256, where k may be much less than l.
Given a ciphertext encrypted with a k-bit key, adversary can narrow down plaintext to 2^k possibilities out of 2^l by decrypting with all possible k-bit key values.
(Although this approach is not computationally efficient.)
Slide27
Problem?
[Figure, timeline: shares S1, S2, S3; S1 compromised, later S2 compromised; S1 + S2 → Secret]
Slide28
Refresh Shares
[Figure, timeline: a Trusted Third Party replaces the shares S1, S2, S3 with S’1, S’2, S’3, and later with S’’1, S’’2, S’’3]
Slide29
Refresh Shares
[Figure, timeline: a Trusted Third Party replaces the shares S1, S2, S3 with S’1, S’2, S’3, and later with S’’1, S’’2, S’’3]
S1 compromised, later S’2 compromised: cannot construct secret
Slide30
Proactive Secret Sharing
[Figure: Server 1 holds S1, Server 2 holds S2; together they form S]
Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Slide31
Proactive Secret Sharing
[Figure: Server 1 splits S1 into S11, S12; Server 2 splits S2 into S21, S22]
Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Slide32
Proactive Secret Sharing
[Figure: Server 1 holds S11, S12; Server 2 holds S21, S22. Exchange Partial Shares: S21 goes to Server 1, S12 goes to Server 2]
Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Slide33
Proactive Secret Sharing
[Figure: Server 1 holds S11, S12; Server 2 holds S21, S22. Exchange Partial Shares: S21 goes to Server 1, S12 goes to Server 2. Compute New Shares: Server 1 forms S’1, Server 2 forms S’2]
Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Slide34
Proactive Secret Sharing
[Figure: Server 1 holds S11, S12; Server 2 holds S21, S22. Exchange Partial Shares: S21 goes to Server 1, S12 goes to Server 2. Compute New Shares: S’1 = (S11 S21), S’2 = (S12 S22). Recover S from S’1 and S’2]
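The XOR scheme of slides 7-9 and the share refresh of slides 30-34 as an added Python example; this is not code from the slides. It assumes the partial shares in the figure are combined by XOR, as in slide 6, and generalises the two-server refresh to n servers.

```python
import secrets

def xor(*blocks):
    """Bitwise XOR of any number of equal-length byte strings."""
    out = bytes(len(blocks[0]))
    for b in blocks:
        out = bytes(x ^ y for x, y in zip(out, b))
    return out

# Slides 7-9: the dealer draws n-1 uniformly random shares; the last share is
# the XOR of the secret with all of them, so only all n together cancel the masks.
def xor_split(secret, n):
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(xor(secret, *shares))
    return shares

def xor_recover(shares):
    return xor(*shares)

# Slides 30-34, generalised from the two servers in the figure to n servers.
# Server i re-splits its share S_i into S_i1..S_in with xor_split, keeps S_ii
# and sends S_ij to server j. Server j's new share S'_j is the XOR of the S_ij
# it now holds. XOR-ing all new shares still gives S (the secret is unchanged),
# but an old share combined with new shares from the other servers gives nothing.
def refresh(shares):
    n = len(shares)
    sub = [xor_split(s, n) for s in shares]      # sub[i][j] is S_ij
    return [xor(*(sub[i][j] for i in range(n))) for j in range(n)]
```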
Slide35
BitCoin Multi-Signature Addresses
Related to, but different from, secret sharing.
Secret sharing: split a single secret into multiple shares.
Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction.
Examples: 2 out of 2, 2 out of 3, 3 out of 5.
Slide36
Opening the Vault