Robust Password- Protected Secret Sharing

Size: px

Start display at page:

Download "Robust Password- Protected Secret Sharing"

Eustace Stokes
5 years ago
Views:

1 Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY

2 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents

3 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents

4 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents Everyone might have access to the data

5 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents

6 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents Provider still has access to the data

7 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents

8 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents

9 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents We can remember just low-entropy passwords (and not too many). Humans cannot remember large secret keys. Provider/authorities might perform an offline dictionary attack.

10 PPSS: Motivation Cloud provider taxes medical records paychecks top secret documents USB Tokens might not be always available. Tokens might fall into the wrong hands. Large keys give better security.

11 PPSS: Password-Protected Secret Sharing Cloud provider taxes

12 PPSS: Password-Protected Secret Sharing Cloud provider User creates a cryptographic key. taxes

13 PPSS: Password-Protected Secret Sharing Cloud provider User creates a cryptographic key. Encrypts her data using this key. taxes

14 PPSS: Password-Protected Secret Sharing Cloud provider Keys store User creates a cryptographic key. Encrypts her data using this key. Stores her secret key into servers by using her password and some public information. n taxes

15 PPSS: Password-Protected Secret Sharing Cloud provider Keys store taxes User creates a cryptographic key. Encrypts her data using this key. Stores her secret key into servers by using her password and some public information. Stores the data into the provider. n

16 PPSS: Password-Protected Secret Sharing Cloud provider Keys store After t +1interactions using her password, the user can recover her secret key taxes

17 PPSS: Password-Protected Secret Sharing Cloud provider Keys store After t +1interactions using her password, the user can recover her secret key taxes

18 PPSS: Properties A PPSS scheme defines two steps: Initialization: Secret & password are processed Reconstruction: The user can recover the secret by interacting with a subset of t +1servers. Additional properties: Soundness: Even if the adversary cannot make the user recover a different secret. Robustness: The recovery is guaranteed if there are s t +1non-corrupt servers.

19 PPSS: Instantiations of PPSS Scheme Messages Client inter-server Robust ZKP BJSL11 4 PKI PKI No Costly CLLN14 10 Std PKI No Costly JKK14 2 CRS None Yes Costly JKKX16 2 CRS None No No

20 PPSS: Instantiations of PPSS Scheme Messages Client inter-server Robust ZKP BJSL11 4 PKI PKI No Costly CLLN14 10 Std PKI No Costly JKK14 2 CRS None Yes Costly JKKX16 2 CRS None No No This work 2 CRS None Yes No

21 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme

22 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme

23 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme

24 Robust Password-Protected Secret Sharing PPSS OPRF Robust Gap Secret Sharing Secret Sharing Scheme

25 PPSS: Secret Sharing Scheme s 1 s 2 Secret s 3 s n

26 PPSS: Secret Sharing Scheme s 1 s 2 s 3 Secret s n

27 PPSS: Robust Gap Secret Sharing Scheme How do we implement robustness?

28 PPSS: Robust Gap Secret Sharing Scheme Assume a set of valid shares from a Threshold SSS s 1 s 2 s 3 s n (s 1,...,s n )

29 PPSS: Robust Gap Secret Sharing Scheme Fingerprint function: Hash function s 1 1 s 2 2 s 3 3 s n n (s 1,...,s n ) ( 1,..., n)

30 PPSS: Robust Gap Secret Sharing Scheme Generate a prime number N 2 2k(n t r)+1 <Napple 2 2k(n t r)+2 s 1 1 s 2 2 s 3 3 S s n n (s 1,...,s n ) ( 1,..., n) S = Q n i=1 i mod N

31 PPSS: Robust Gap Secret Sharing Scheme Generate a prime number N 2 2k(n t r)+1 <Napple 2 2k(n t r)+2 s 1 s 2 s 3 Output: {s k } n = s 1 s 2 s 3 s n SSInfo =(S,N) { S, N } S s n n (s 1,...,s n ) ( 1,..., n) S = Q n i=1 i mod N

32 PPSS: Robust Gap Secret Sharing Scheme How can we decide which are the valid sets of shares to reconstruct?

33 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 s 2 s 3 s n

34 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 1 s 2 2 s 3 3 s n n

35 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } s 1 1 s 2 2 s 3 3 T s n n

36 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } = T S

37 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n n

38 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0

39 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1

40 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint!

41 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint! gcd( 2, T 0 ) k Incorrect fingerprint!

42 PPSS: Robust Gap Secret Sharing Scheme Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0 gcd( 1, T 0 ) 1 Correct fingerprint! gcd( 2, T 0 ) k Incorrect fingerprint! gcd( 3, T 0 ) 1 Correct fingerprint!

43 PPSS: Oblivious PRF pw sk F (sk, pw) F The output is indistinguishable from random The server learns nothing

44 PPSS: Password-Protected Secret Sharing Initialization phase

45 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n )

46 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) pw

47 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) pw

48 The user interacts with n PPSS: Initialization servers to obliviously evaluate the PRF (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw

49 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r pw { k } n {pk k } n

50 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r (s 1,...,s n, SSInfo) ShareGen(R) pw { k } n {pk k } n

51 PPSS: Initialization Each share is encrypted using the each PRF evaluation (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) R = K r (s 1,...,s n, SSInfo) ShareGen(R) k = k s k pw { k } n {pk k } n

52 The user computes a commitment PPSS: Initialization (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) C = Commit(pw, H({pk k } n, { k } n, SSInfo,K); r) pw { k } n {pk k } n K r SSInfo { k } n

53 PPSS: Initialization The user uploads the encrypted data (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo PInfo =({pk k } n, { k } n, SSInfo,C) pw { k } n {pk k } n K r SSInfo { k } n C

54 PPSS: Password-Protected Secret Sharing Reconstruction phase

55 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) PInfo pw

56 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) PInfo pw

57 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) PInfo pw

58 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) 1 1 = s 1 pw

59 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s 2

60 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s = s 3

61 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s = s 3 n n = s n

62 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) pw 1 1 = s = s Reconstruct( = s 3 )? = R = K r n n = s n

63 PPSS: Reconstruction The user interacts with the server (pk 1,sk 1 ) (pk 2,sk 2 ) (pk n,sk n ) PInfo PInfo PInfo 1 = F sk1 (pw) 2 = F sk2 (pw) n = F skn (pw) Commit(pw, H({pk k } n, { k } n, SSInfo,K); r)? = C pw

64 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by:

65 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by: Probability of guessing pw Pr[PWinC] = q u #Dict

66 PPSS: Proof [Sketch] We build simulators for each PRFs Adversary s probability is bounded by: Probability of breaking the OPRF Pr[PWinF] ="

67 PPSS: Comparison By using our robust threshold secret sharing we avoid the verifiability requirements for the OPRF. We reduce the communication to the half, because of the simplification of the OPRF. Our communication and computation complexities are asymptotically equivalent to [JKK14], in real life they are twice better.

68 Robust Password- Protected Secret Sharing Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval École Normale Supérieure, CNRS and INRIA, Paris, France R E S E A R C H UNIVERSITY

69 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n T 0 = n S 0

70 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n = n T 00 S 00 gcd( 1, ) =11 Correct fingerprint! T 00

71 PPSS: Experimental Results Given SSInfo =(S,N) { S, N } T = = S n = n T 00 S 00 gcd( 1, ) =11 Correct fingerprint! T 00 gcd( 1, ) =21 Correct fingerprint! T 00 gcd( 1, ) =31 Correct fingerprint! T 00

72 PPSS: Experimental Results 2 gcd(, ) = k1 Incorrect fingerprint! T 00 gcd(, ) = k1 1 Incorrect fingerprint! 2 T 00 gcd(, T 00 ) 1 Incorrect fingerprint! 2 = k 2

73 PPSS: CDH-based PRF (One-More Gap DH) pk = g sk pw sk A Z H 1 (pw) A B B A sk C B 1/ = H 1 (pw) sk F sk (pw) =H 2 (pw, pk,c)

74 PPSS: DDH-based PRF pk, {c i = Enc pk (a i )} 1}` x =(x 1,x 2,...,x`) 2 {0, G s sk 2 Z s C Enc pk ( a 0 Q ai x i ) C Proof(,x i ) G D G Dec sk (C) g D R G 1/

Flexible Group Key Exchange with On Demand Computation of Subgroup Keys

Flexible Group Key Exchange with On Demand Computation of Subgroup Keys Michel Abdalla 1, Celine Chevalier 2, Mark Manulis 3, David Pointcheval 1 1 École Normale Supérieure CNRS INRIA, Paris, France 2