
Secret Sharing (or, more accurately, “Secret Splitting”) - PowerPoint Presentation

Uploaded by giovanna-bartolotta on 2019-06-19


Presentation Transcript

Slide1

Secret Sharing (or, more accurately, “Secret Splitting”)

Original slides by Nisarg Raval

http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html

Material is adapted from CS513 lecture notes (Cornell)

Slide2

Why split a secret?

http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg

Slide3

Goal

Given a secret s, first held by a “dealer”, who then splits it into n shares among n parties called “players”

All n players together recover s

Fewer than n players cannot recover s

Slide4

https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Naive Scheme

S = 10011

S1 = 100 (High Order)

S2 = 11 (Low Order)

Concatenate shares to reveal secret: S = (S1)(S2) = (100)(11) = 10011

What is the problem? - Think of a salary or password

Slide5

No Partial Disclosure

Given a secret s and n players

All n players together recover s

Fewer than n cannot recover any information about s (unconditional security)

Slide6

Dealer Generates Shares using XOR

S = 10011

S1 = Rand = 10100

S2 = S XOR S1 = 00111

S = S1 XOR S2 = 10011

https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Slide7

General Scheme

Given a secret s and n players

Dealer generates n-1 random strings as first n-1 shares

Last share is the bitwise XOR of s with all the other n-1 shares

Slide8

General Scheme

Given a secret s and n players

Dealer generates n-1 random strings as first n-1 shares

Last share is the bitwise XOR of s with all the other n-1 shares

Security Check

Can n players generate s?

Slide9

General Scheme

Given a secret s and n parties

Generate n-1 random strings as first n-1 shares

Last share is the bitwise XOR of s with all the other n-1 shares

Security Check

Can n players generate s?

Can any n-1 players generate s?
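The general XOR scheme and its two security-check questions, worked through as an added example (not part of the original slides). The function names are chosen here for illustration; `explanations` shows that any n-1 shares fit every candidate secret, each through a different value of the missing share.

```python
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("every share must be as long as the secret")
    return bytes(x ^ y for x, y in zip(a, b))

def split(secret: bytes, n: int):
    """Dealer: n-1 random strings, then the XOR of the secret with all of them."""
    if n < 2:
        raise ValueError("need at least two players")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares

def combine(shares):
    """All n players together: XOR every share to recover the secret."""
    return reduce(xor_bytes, shares)

def explanations(known):
    """For one-byte secrets: map each candidate secret to the single missing
    share that would make the n-1 known shares combine to that candidate."""
    return {bytes([c]): reduce(xor_bytes, known, bytes([c])) for c in range(256)}

if __name__ == "__main__":
    secret = bytes([0b10011])          # the slides' S = 10011 (constructed input)
    shares = split(secret, 4)
    print("n shares recover s:", combine(shares) == secret)
    table = explanations(shares[:3])   # view of any n-1 colluding players
    # 256 candidates, 256 distinct missing shares: nothing is ruled out.
    print("candidates still possible:", len(set(table.values())))
```

Because the missing share is uniformly distributed, the n-1 players cannot rank one candidate above another, which is the "no partial disclosure" property the naive concatenation scheme lacks.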

Slide10

A More Flexible Scenario

[Diagram labels: S = 10011; S1, S2, S3; S2; S]

https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Slide11

A More Flexible Scenario

[Diagram labels: S = 10011; S1, S2, S3; S2; ?]

S can be constructed by 2 or more generals

Fewer than 2 generals cannot construct S

https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Slide12

(n,t) Secret Sharing

Given a secret s and n players

Any t or more players can recover s

Fewer than t players have no information about s

[Diagram labels: S = 10011; S1, S2, S3; S2; S]

(3,2) secret sharing

Slide13

(n,2) Secret Sharing

[Plot: x and y axes with the point (0,S) marked]

The secret S is the y-intercept

Slide14

(n,2) Secret Sharing

[Plot: x and y axes with the points (0,S), (x_1,y_1), (x_2,y_2), (x_{n-1},y_{n-1}), (x_n,y_n) marked]

Slide15

(n,2) Secret Sharing

[Plot: x and y axes with the points (0,S), (x_1,y_1), (x_2,y_2), (x_{n-1},y_{n-1}), (x_n,y_n) marked; label: shares]

Slide16

(n,2) Secret Sharing

[Plot: x and y axes with the points (0,S), (x_1,y_1), (x_{n-1},y_{n-1}) marked]

Slide17

(n,2) Secret Sharing

[Plot: x and y axes with the points (0,S) and (x_1,y_1) marked]

For every secret S, there is a line through (x_1,y_1)

One share does not suffice

Slide18

(n,3) Secret Sharing

[Plot: the points (0,S), (x_1,y_1), (x_2,y_2), (x_{n-1},y_{n-1}), (x_n,y_n) marked]

Three points determine a quadratic polynomial

Slide19

Shamir’s Secret Sharing

It takes t points to define a polynomial of degree t-1

Easy to prove corollary of the Fundamental Theorem of Algebra, which states that a polynomial of degree n > 0 has exactly n roots (when counted with multiplicity)

Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd, since p1(x)-p2(x) is a nonzero polynomial of degree at most t-1.

Create a degree-(t-1) polynomial with the secret as the constant coefficient and the remaining coefficients chosen at random

Find n points on the curve (not at x=0) and give one to each of the players.

At least t points are required to fit the polynomial and hence to recover the secret (and any t points will suffice)

Shamir, Adi (1979), "How to share a secret", Communications of the ACM

y = a_{t-1} * x^{t-1} + a_{t-2} * x^{t-2} + … + a_1 * x + a_0

Slide20

Use Case

[Diagram: Private Key split into shares S1, S2, S3 by a (3,2) Secret Sharing Scheme]

Slide21

Dyadic Security Product

Pure-software virtual hardware security module (HSM).

(Other vendors sell HSMs similar to TPMs that can store private keys and perform TLS operations.)

Share secret (e.g., private key for TLS) across multiple servers.

Perform TLS operations using secure multiparty computation so that no server learns private key.

Assumes that it is more difficult to break into one server than several.

Slide22

Unconditional Security

Each share must be as long as the secret itself, e.g., number of possible values of polynomial at each point where it is evaluated must be the same as number of possible y-intercepts

Require random bits of length proportional to the number of players n as well as length of the secret l

Can the sizes of the shares be reduced?

Slide23

“Secret Sharing Made Short”

Dealer begins by choosing a random symmetric key, e.g., a 256-bit AES key

Dealer encrypts the secret using the symmetric key

Symmetric key is split using Shamir’s (n,t) scheme (n shares, each 256 bits): n*256 bits

Encrypted secret is encoded using an (n,t) error correcting code

Suppose encrypted secret length is l bits. Code uses n “symbols” each l/t bits long: nl/t bits. Any t symbols out of n suffice to recover the encrypted secret.

Total bits: n*256 + nl/t (versus nl)

Slide24

Idea Behind Error Correcting Code

Use a polynomial as before.

Break the “message” (e.g., the encrypted secret) into t pieces of length l/t. Let y_i denote the i’th piece.

Create a polynomial f(x) where f(x_i) = y_i for some arbitrarily chosen x_1, x_2, …, x_t, e.g., x_i = i.

Now the goal is to recover not f(0), but f(x_1), f(x_2), …, f(x_t)

Evaluate the polynomial at n-t other locations x_{t+1}, …, x_n, e.g., x_i = i.

The n f(x_i) values are the symbols

Can recover the full polynomial from any t symbols

Once the polynomial is recovered, find values at x_1, …, x_t.

Slide25

Why is this scheme not unconditionally secure?

It’s possible to learn some of the information about the encrypted secret from fewer than t shares, e.g., knowing f(x_1) means knowing the first piece of the encrypted secret. The error correcting code isn’t trying to hide information. The goal is the opposite: enable the recovery of as much information as possible from whatever symbols are at hand.

So the security depends on the strength of the encryption system, e.g., AES, which is NOT unconditionally secure, since key length (256 bits) may be less than secret length l.
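Shamir’s (n,t) scheme from Slide19 and the polynomial error correcting code from Slide24 side by side, as an added example (not code from the original slides). Both use the same interpolation; the prime modulus P, the choice x_i = i and all function names are assumptions made here.

```python
import secrets

P = 2**127 - 1   # prime modulus; an assumption, the slides do not fix a field

def interpolate(points, x, p=P):
    """Value at x of the unique degree-(t-1) polynomial through t points (Lagrange)."""
    if len({xi for xi, _ in points}) != len(points):
        raise ValueError("x coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def shamir_split(secret, n, t, p=P):
    """Secret is the constant coefficient a_0; a_1 .. a_{t-1} are random."""
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    def f(x):
        return sum(a * pow(x, k, p) for k, a in enumerate(coeffs)) % p
    return [(x, f(x)) for x in range(1, n + 1)]      # never hand out x = 0

def shamir_recover(shares, p=P):
    return interpolate(shares, 0, p)                 # the secret is f(0)

def ecc_encode(pieces, n, p=P):
    """Slide24: f(i) = i-th piece for i = 1..t; extra symbols are f(t+1)..f(n)."""
    base = list(enumerate(pieces, start=1))
    extra = [(x, interpolate(base, x, p)) for x in range(len(pieces) + 1, n + 1)]
    return base + extra

def ecc_decode(symbols, t, p=P):
    """Any t symbols determine f; the message pieces are f(1)..f(t)."""
    return [interpolate(symbols[:t], x, p) for x in range(1, t + 1)]

if __name__ == "__main__":
    shares = shamir_split(0b10011, n=5, t=3)
    print(shamir_recover(shares[1:4]))               # any 3 of the 5 shares
    symbols = ecc_encode([0x41, 0x45, 0x53], n=5)    # constructed 3-piece message
    print(symbols[0], ecc_decode(symbols[2:], 3))    # symbol 1 IS piece 1
```

The first code symbol equals the first message piece, which is the partial disclosure Slide25 describes, whereas a single Shamir share is one point on a polynomial whose other coefficients are random.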

Slide26

Why isn’t AES Unconditionally Secure?

Suppose message length is l bits, and key length is k bits, e.g., k=256, where k may be much less than l.

Given a ciphertext encrypted with a k-bit key, adversary can narrow down plaintext to 2^k possibilities out of 2^l by decrypting with all possible k-bit key values.

(Although this approach is not computationally efficient.)

Slide27

Problem?

[Timeline diagram: shares S1, S2, S3 along a time axis; S1 compromised, then S2 compromised; S1 + S2 gives the Secret]

Slide28

Refresh Shares

[Timeline diagram: a Trusted Third Party refreshes shares S1, S2, S3 to S’1, S’2, S’3 and then to S’’1, S’’2, S’’3 over time]

Slide29

Refresh Shares

[Timeline diagram: a Trusted Third Party refreshes shares S1, S2, S3 to S’1, S’2, S’3 and then to S’’1, S’’2, S’’3 over time; S1 compromised, S’2 compromised]

Cannot construct secret

Slide30

Proactive Secret Sharing

[Diagram: secret S; Server 1 holds S1, Server 2 holds S2]

Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Slide31

Proactive Secret Sharing

[Diagram: secret S; Server 1 with S1, S11, S12; Server 2 with S2, S21, S22]

Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.





Slide32

Proactive Secret Sharing

[Diagram: secret S; Server 1 with S1, S11, S12; Server 2 with S2, S21, S22; Exchange Partial Shares: S21, S12]

Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.





Slide33

Proactive Secret Sharing

[Diagram: secret S; Server 1 with S1, S11, S12; Server 2 with S2, S21, S22; Exchange Partial Shares: S21, S12; new shares S’1, S’2]

Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Compute New Shares









Slide34

Proactive Secret Sharing

[Diagram: secret S; Server 1 with S1, S11, S12; Server 2 with S2, S21, S22; Exchange Partial Shares: S21, S12; new shares S’1 (S11 S21) and S’2 (S12 S22)]

Recover S
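The two-server refresh from Slide30 to Slide34, together with the compromise timeline of Slide27 and Slide29, as an added example (not part of the original slides). It assumes the shares and partial shares are combined with XOR, which the transcript does not state; the function names are chosen here.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def refresh(s1: bytes, s2: bytes):
    """One refresh round between Server 1 (holds s1) and Server 2 (holds s2)."""
    # Each server splits its own share into two partial shares.
    s11 = secrets.token_bytes(len(s1))
    s12 = xor(s1, s11)               # S1 = S11 xor S12 (assumed operator)
    s21 = secrets.token_bytes(len(s2))
    s22 = xor(s2, s21)               # S2 = S21 xor S22
    # Exchange partial shares: S12 goes to Server 2, S21 goes to Server 1.
    new_s1 = xor(s11, s21)           # computed on Server 1
    new_s2 = xor(s12, s22)           # computed on Server 2
    return new_s1, new_s2            # old shares are then erased

def run_epochs(secret: bytes, epochs: int):
    """Share pairs (S1, S2) for each epoch, starting from a fresh 2-of-2 split."""
    s1 = secrets.token_bytes(len(secret))
    history = [(s1, xor(secret, s1))]
    for _ in range(epochs):
        history.append(refresh(*history[-1]))
    return history

def attacker_guess(history, epoch_a: int, epoch_b: int) -> bytes:
    """Attacker steals S1 in epoch_a and S2 in epoch_b and XORs them."""
    return xor(history[epoch_a][0], history[epoch_b][1])

if __name__ == "__main__":
    secret = b"constructed-key!"     # 16-byte sample secret, constructed
    hist = run_epochs(secret, epochs=3)
    print(all(xor(a, b) == secret for a, b in hist))   # every epoch recovers S
    print(attacker_guess(hist, 0, 0) == secret)        # same epoch: recovered
    print(attacker_guess(hist, 0, 1) == secret)        # across a refresh: not
```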

Slide35

Bitcoin Multi-Signature Addresses

Related to, but different from, secret sharing.

Secret sharing: split a single secret into multiple shares.

Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction.

Examples: 2 out of 2, 2 out of 3, 3 out of 5.

Slide36

Opening the Vault