VIDEO Intypedia008en LESSON 8: SECRET SHARING PROTOCOL. AUTHOR: Luis Hernández Encinas. Spanish Scientific Research Council in Madrid, Spain

Transcription

1 VIDEO Intypedia008en LESSON 8: SECRET SHARING PROTOCOL AUTHOR: Luis Hernández Encinas Spanish Scientific Research Council in Madrid, Spain Hello and welcome to Intypedia. We have learned many things about cipher systems and network security up to this date. Today we will see how a secret can be protected without using encryption systems. Join us! SCENE 1. PROTECTING A SECRET Hi! Today we will see how to design and carry out a protocol to protect a secret from possible loss, theft or damage. In particular, we will see how to protect a secret key that we have used to encrypt a document, or the private key that we use to sign digitally. Does that mean that if I lose my secret key or if it gets damaged I can recover it? Or that I can prevent someone from stealing it even if I have it hidden in my house? That would be fantastic! Well, not exactly, Bob. What I mean is that you can take measures to avoid losing your secret keys or prevent someone from stealing them if you keep them somewhere that is not Script Intypedia008en 1

2 adequately protected. For this, there are protocols that allow a secret to be recovered from certain pieces of information that have been prepared previously. These are known as sharing protocols or secret sharing protocols. This doesn't mean sharing or distributing secrets with other people. It has to do with dividing the secret into many pieces in a way that will allow you to recover the secret later. That sounds great but I still don't understand it very well. Don't worry, Bob, you'll see how easy it is. Let me show you in the next chapter. SCENE 2. SECRET SHARING PROTOCOL The original idea for recovering a secret is to divide it into several pieces so that if later on you have some of these pieces, not all of them necessarily, it is possible to recover the secret that had been hidden. Let's see if I understand this. Suppose I have written my secret key on a piece of paper. What you are saying is that I have to break that paper into several pieces, so that I will be able to recover the key just by gluing the pieces of the original paper back together again? In that case, it doesn't seem like a very bright idea. The example you've given doesn't work because the method you suggest is too simple and insecure. In fact, it isn't a good method because it has several problems: for example, you won't be able to recover the key if you lose only one piece of paper and if someone gets one of your pieces of paper, they will know part of your key. In practice, a protocol for sharing and distributing secrets is a cryptographic process that allows you to obtain a series of values or shadows from a given secret, so it is possible to recover the original secret using a previously specified number of those shadows, but impossible if there are fewer shadows. If I've understood correctly, you mean shadows that are derived from the original secret, but are not part of the secret. Does that mean that the shadows don't contain pieces of the secret information, like the pieces of paper that I mentioned earlier? Script Intypedia008en 2

3 That's it. The aim is to obtain different values from the secret, so that these values don't give clues about the content of the secret. I haven't said anything about the size of the shadows. If the shadows are the same size as the secret, the protocol is said to be ideal. Furthermore, there is no need to use all the shadows that were generated initially in order to recover the secret. To be more precise, if in a secret sharing protocol n shadows are generated and we need k of them to recover the secret, the k is considered a threshold value and the protocol is called a (k, n) threshold protocol. In this way, if less than k shadows are known, that is, k 1 or less, it is impossible to recover the secret. So, for example, if I use a (3, 5) threshold protocol to share my password, I will obtain 5 shadows from my secret key and I will be able to recover the complete original key using any 3 shadows. Is that correct? Can I keep one shadow of my secret in my laptop, another on a flash drive, another at home, one more in the office and the last one in a CD? Of course! That way, if you lose the CD, for example, you won't lose the key, you would have only lost one of the shadows. And you could use any of the 3 remaining shadows to recover the secret. This way, your password is protected against loss, damage and theft. An attacker won't be able to recover your password if they retrieve, in this example, 2 or fewer shadows. Alice, you've convinced me about the usefulness of these protocols. But how are they used in practice? Are they complicated? It's easy to understand. We'll take a look at an example in the next chapter. SCENE 3. EFFECTIVE IMPLEMENTATION OF A SECRET SHARING PROTOCOL One of the easiest ways to conduct a secret sharing protocol is using polynomials as a mathematical tool, although it's not the only way to do it. There are other ways, but they are more complicated. Script Intypedia008en 3

4 Well, I think I can handle polynomials; they aren't very difficult. So please explain how they are used in secret sharing. First of all, remember that a polynomial can be used to plot a curve through the points that verify this polynomial. Secondly, a polynomial of a fixed degree can be determined if we know the values that this polynomial takes on as many points as its degree value plus one. Do you mean that to find the three coefficients of a polynomial of degree 2, for example, I just need to know the values of the polynomial in three points, that is, for three values of x? That's the idea. Remember that two points determine a single line, that is a polynomial of degree 1; three points determine a single parable, which is a polynomial of degree 2, and so on. So if you know the values of a polynomial for certain points, you can determine the polynomial that passes through these points and whose degree is one less than the number of known points. The process of calculating a polynomial from its points is known as the Lagrange interpolation method. Sorry, Alice, but I still can't see how you can use polynomials to hide secrets. Patience, we're on to it. Adi Shamir, one of the most important cryptographers of today, came up with the idea of using polynomials for this protocol. The idea is to hide a secret inside of a polynomial so that given certain partial information of the polynomial you can recover the secret that was hidden in it. Okay, but there are two problems. The first one is to hide the secret in the polynomial and the second is to recover the polynomial to recover the secret. Script Intypedia008en 4

5 Let's see the first one: if my secret is, for example, the number 263 and we use a (3, 5) threshold protocol, how can we hide it in a polynomial? Bob, you have chosen the value k=3 as the threshold, so we will use a polynomial of degree 2, which has 3 factors: p(x) = ax2+bx+c. So the threshold is the same as the number of coefficients in the polynomial. Once this has been decided, the polynomial's independent term will correspond to the secret value, that is: c = 263. For the other two coefficients, two random numbers are chosen, for example: a = 167; b = 227. So our polynomial would be: p(x) = 167x2+227x+263. Now we just have to calculate the polynomial for any 5 values of x (5 shadows). For example, to make it simple, we can choose for x the values 1, 2, 3, 4 and 5, although it can be any other set of 5 numbers. That's something I can do. If I substitute the value x = 1 in the polynomial, it would be: p(1)= =657. And the other values would be 1385, 2447, 3843 and Well done! You've built the 5 shadows you needed. Each shadow is the pair formed by the value of x and the corresponding value of the polynomial. That is, your 5 shadows are the following pairs of numbers (1, 657), (2, 1385), (3, 2447), (4, 3843) and (5, 5573). Now you can save them in five different places. As you can see in this example, none of the shadows look like your secret. There is no way that anyone could find out that your secret value is 263 by stealing or finding a pair of the above numbers. But you must not forget to destroy the paper where you had written your secret number or delete the file where you had saved it. By the way, you should also delete all traces of the polynomial so that no one can find it and see your secret number on it. SCENE 4. RECOVERING THE SECRET This was easy, but now comes the second part: how can we recover the secret value using only 3 of the 5 shadows? Script Intypedia008en 5

6 To recover the secret we must obtain the polynomial and consider its independent term. To do this we consider 3 of the 5 shadows (x, p (x)). For example, the second (2, 1385), the third (3, 2447) and the fifth (5, 5573), and we use the Lagrange interpolation method to recover the polynomial. Let's calculate it: We would have k points: (x 1, y 1 )... (x k,y k ). And the polynomial is determined by calculating: p(x) = k j=1 y j q j (x), where q j (x)= k i=1,i j (x x i )/(x j x i ), with j=1,,k. In our example the 3 points are: (x 2, y 2 ), (x 3, y 3 ), (x 5, y 5 ), to simplify the calculation. The corresponding auxiliary polynomial q(x) is calculated for each point, so we obtain: Point (x 2, y 2 ) = (2, 1385) q 2 (x) = ((x x 3 )/(x 2 x 3 )) ((x x 5 )/(x 2 x 5 )) = ((x 3)/(2 3)) ((x 5)/(2 5)) = x 2 /3 8x/3+5 Point (x 3, y 3 ) = (3, 2447) q 3 (x) = ((x x 2 )/(x 3 x 2 )) ((x x 5 )/(x 3 x 5 )) = ((x 2)/(3 2)) ((x 5)/(3 5)) = x 2 /2+7x/2 5 Point (x 5,y 5 ) = (5, 5573) q 5 (x) = ((x x 2 )/(x 5 x 2 )) ((x x 3 )/(x 5 x 3 )) = ((x 2)/(5 2)) ((x 3)/(5 3)) = x 2 /6 5x/6+1 The original polynomial is obtained by calculating p(x) = j=2,3,5 y j q j (x) p(x) = y 2 q 2 (x)+y 3 q 3 (x)+y 5 q 5 (x) So the final result is: p(x) = 1385 q 2 (x)+2447 q 3 (x)+5573 q 5 (x) = 167x x+263. And your secret number is 263. You can do this same calculation with any other 3 shadows. No matter which ones you use, you will always get the same polynomial. I love it, it s fantastic. It's clear that with 3 shadows my secret can be recovered, so I'll have to be careful that no one gets 3 of the shadows. I imagine that secret sharing protocols have other uses. You're right. Although protection was their original motivation, nowadays these protocols are used and applied in other situations. For example, a secret can be divided and each shadow can be given to a different person, so the secret is recovered only if a certain number of people Script Intypedia008en 6

7 agree to share their shadows and create the secret. This approach is used for access control, opening safes or military device initialization. Alice, I only have one question: how safe is this protocol? Has anyone tried to break it? The security of the protocol has been demonstrated. It is true that there have been attempts to break it, but so far there is no known way to violate the protocol, provided that the established guidelines are followed and that their implementation has no errors. Well this is enough for today. In future lessons we will see different protocols that allow other interesting actions. On the Intypedia website you will find additional documentation for this lesson, like an example of the impossibility to recover a secret with k 1 shadows. Goodbye! See you later. Script adapted to the Intypedia format from the document sent by Dr. Luis Hernández Encinas from the Spanish Scientific Research Council in Madrid, Spain. Madrid, Spain. June Script Intypedia008en 7