Secret sharing schemes

Transcription

1 Secret sharing schemes Martin Stanek Department of Computer Science Comenius University Cryptology 1 (2017/18)

2 Content Introduction Shamir s secret sharing scheme perfect secret sharing Information rate Generalized access structures Additional topics Asmuth-Bloom scheme Proactive secret sharing Verifiable secret sharing Secret sharing schemes 2 / 21,

3 Introduction secret sharing schemes distribute a secret (e.g. key) among some group of participants (users, servers) rules what group can reconstruct the secret (qualified group) share secret piece of information of individual participant; a scheme consists of two algorithms/protocols: producing and distributing the shares (usually uses a dealer) reconstructing the shared secret motivation Can you trust a single authority (admin or server)? basis for other constructions threshold cryptography, distributing computation among group of trusted servers, multi-party secure computation, electronic voting,... Secret sharing schemes 3 / 21,

4 Secret sharing schemes n participants P = {P 1, P 2,, P n } shared secret s shares: P i s i access structure A 2 P (power set) A P can reconstruct s A A usually monotone access structure: A, B P : A B & A A B A (t, n) threshold access structure, for 1 t n: {A A P & A t} Secret sharing schemes 4 / 21,

5 Simple examples (1, n) threshold distribute the secret as individual shares: s i = s (n, n) threshold 1st attempt let s {0, 1} l divide s into n shares s 1,, s n of length l/n bits reconstruction: s = s 1 s n n 1 participants reconstruct a large part of s, approx. l(n 1)/n bits (n, n) threshold let s {0, 1} l $ let s i {0, 1} l for i = 1,, n 1, and s n = s s 1 s n 1 reconstruction: s = s 1 s n security: any n 1 (or less) participants learn nothing about s perfect scheme Secret sharing schemes 5 / 21,

6 Simple examples (1, n) threshold distribute the secret as individual shares: s i = s (n, n) threshold 1st attempt let s {0, 1} l divide s into n shares s 1,, s n of length l/n bits reconstruction: s = s 1 s n n 1 participants reconstruct a large part of s, approx. l(n 1)/n bits (n, n) threshold let s {0, 1} l $ let s i {0, 1} l for i = 1,, n 1, and s n = s s 1 s n 1 reconstruction: s = s 1 s n security: any n 1 (or less) participants learn nothing about s perfect scheme Secret sharing schemes 5 / 21,

7 Shamir s secret sharing scheme idea: t points uniquely determine the polynomial of degree t 1 finite field Z p, for a prime p > n shared secret s Z p ; let us assume s $ Z p computing the shares: choose a random polynomial f (x) = s + a 1 x + + a t 1 x t 1, $ where a i Z p for i = 1,, t 1 notice that f (0) = s share for P i : (i, s i ), where s i = f (i) reconstruction; WLOG let us assume t participants P 1,, P t : Lagrange interpolation using (i, s i ) for i = 1,, t: f (x) = t i=1 f (i) }{{} s i 1 j t j i x j i j compute s = f (0) (all computations are in the finite field) Secret sharing schemes 6 / 21,

8 Shamir s secret sharing scheme idea: t points uniquely determine the polynomial of degree t 1 finite field Z p, for a prime p > n shared secret s Z p ; let us assume s $ Z p computing the shares: choose a random polynomial f (x) = s + a 1 x + + a t 1 x t 1, $ where a i Z p for i = 1,, t 1 notice that f (0) = s share for P i : (i, s i ), where s i = f (i) reconstruction; WLOG let us assume t participants P 1,, P t : Lagrange interpolation using (i, s i ) for i = 1,, t: f (x) = t i=1 f (i) }{{} s i 1 j t j i x j i j compute s = f (0) (all computations are in the finite field) Secret sharing schemes 6 / 21,

9 Shamir s secret sharing scheme security consider a non-qualified group of participants (WLOG P 1,, P t 1 ) the shared secret can be anything: combine the shares and add point (0, s ) for an arbitrary s Z p t points unique polynomial f f is consistent with shares of P 1,, P t 1 P 1,, P t 1 are in the same position as someone without any share probability of finding s is 1/p (guessing) perfect secret sharing scheme Secret sharing schemes 7 / 21,

10 Linear equations perspective unknown polynomial f (its coefficients) a share (i, s i ) forms a linear equation: s i = a 0 + a 1 i + + a t 1 i t 1 t cooperating participants the system of t equations with t variables square Vandermonde matrix with distinct elements (i.e. non-zero determinant) the system has a unique solution t 1 cooperating participants the system of t 1 equations with t variables add an additional equation: s = a 0 square Vandermonde matrix with distinct elements (because any i 0) the system has a unique solution for any s... perfect scheme Secret sharing schemes 8 / 21,

11 Remarks reconstruction is just a linear combination of shares: f (0) = s i r i for coefficients r i = j S {i} j/(i j), and S {1,, n}, S = t the scheme can use any points (x i, f (x i )) for distinct non-zero x 1,, x n as shares homomorphic property with respect to addition: two (t, n) threshold schemes defined by polynomials f and g adding shares: (i, f (i)), (i, g(i)) (i, f (i) + g(i)) polynomial (the shared secret is the addition of shared secrets a 0 + a 0 ): i S t 1 t 1 t 1 f (x) + g(x) = a i x i + a i xi = (a i + a i )xi i=1 i=1 i=1 Secret sharing schemes 9 / 21,

12 Remarks (2) efficiency polynomial time long s can be divided into shorter pieces and shared by independent schemes (or we can encrypt s and share the encryption key) trusted dealer generates the polynomial and distributes the shares one-time scheme? secret revealed after reconstruction vs. black-box reconstruction cheating in reconstruction: for example P 1,, P t try to reconstruct s P 1 cheats and reveals an incorrect share (1, s 1 ) the participants compute: s = s + s 1 r 1 s 1 r 1...and P 1 can easily compute s from s Secret sharing schemes 10 / 21,

13 Information rate the size of share(s) vs. the size of the shared secret notation S set of secrets K(P i ) set of all possible shares for P i random variables information rate for P i : ρ i = H(S)/H(K(P i )) information rate of the scheme: ρ = min i ρ i uniform probability case: ρ = min i lg S /lg K(P i ) Secret sharing schemes 11 / 21,

14 Information rate (2) information rate for Shamir s scheme: ρ = 1 perfect secret sharing scheme... ρ 1 let us assume that ρ > 1 i : ρ i > 1 for all i: lg S /lg K(P i ) > 1 lg S > lg K(P i ) S > K(P i ) there exists A P: P i A, A A, and A {P i } A take all shares from participants in A and all candidate shares from K(P i ) compute all possible values of the shared secret...less than S the scheme cannot be perfect (we can exclude some impossible secrets) a perfect secret sharing scheme with ρ = 1 is called ideal Secret sharing schemes 12 / 21,

15 Generalized access structures playing with Shamir s scheme example 1: assigning more shares to a participant n = 4, polynomial f with deg(f ) 1...(2, 4) threshold P 1 gets two shares, others as usual What access structure is this? Is the scheme perfect? example 2: combining two Shamir s schemes the first one (3, 6) scheme, and the second one (1, 2) scheme shared secret is the sum of two shared secrets P 1 and P 2 get shares in both schemes; others in the first scheme only What access structure is this? Is the scheme perfect? Secret sharing schemes 13 / 21,

16 Generalized access structures (2) monotone Boolean functions (x 1,, x n ) (y 1,, y n ) f (x 1,, x n ) f (y 1,, y n ) where (x 1,, x n ) (y 1,, y n ) x 1 y 1 & & x n y n monotone access structures monotone Boolean functions n participants...bf with n variables A P (x 1,, x n ) {0, 1} n, where x i = 1 P i A we can write A instead of (x 1,, x n ) and vice versa A 2 P BF f such that A P : f (A) = 1 A A example: n = 4, access structure: P 1 or at least two participants f (x 1,, x 4 ) = x 1 x 2 x 3 x 2 x 4 x 3 x 4 monotone BF all formulas using only and operators uninteresting case of f (x) = 0 Secret sharing schemes 14 / 21,

17 Monotone construction Boolean circuit for a monotone function implement each gate as a perfect secret sharing scheme n-ary AND gate (n, n) threshold n-ary OR gate (1, n) threshold start with output s and proceed backwards each participant P i gets a set of shares (corresponding to arrows starting in x i ) perfect scheme inefficient (generally, exponential number of shares) x 1 x 2 x 3 x 4 s Secret sharing schemes 15 / 21,

18 Asmuth-Bloom scheme (t, n) threshold access structure based on the Chinese Remainder Theorem (CRT) generating shares: 1. generate pairwise coprime integers m 0 < m 1 < < m n such that M = m 1 m 2 m t } {{ } t smallest > m 0 m n m n 1 m n t+2 } {{ } t 1 largest 2. shared secret s Z m0 3. choose a random integer a such that: 0 y = s + am 0 < M 4. share for P i : s i = y mod m i Secret sharing schemes 16 / 21,

19 Asmuth-Bloom scheme example example: (3, 5) threshold m 0 = 89, m 1 = 101, m 2 = 103, m 3 = 107, m 4 = 109, m 5 = 113 M = m 1 m 2 m 3 = let s = 11, and random a = 2013 then y = s + am 0 = shares: s 1 = 95, s 2 = 51, s 3 = 50, s 4 = 81, s 5 = 63 Secret sharing schemes 17 / 21,

20 Asmuth-Bloom scheme reconstruction & security reconstruction: P i1,, P it for 1 i 1 < < i t n the system of linear congruences: x s ij (mod m ij ) pairwise coprime... unique solution mod M = m i1 m i2 m it (CRT) M M and y is a solution as well, i.e. the solution is y s = y mod m 0 security: assume a non-qualified set of t 1 participants P i1,, P it 1 let M = m i1 m it 1 they solve their system and obtain y : y = y mod M M/M > m 0 (follows from the condition in the generation protocol) y can be expressed: y = y + km ; at least m 0 candidates: y mod m 0, y + M mod m 0,..., y + (m 0 1)M mod m 0, gcd(m 0, M ) = 1 candidates are distinct therefore every s Z m0 is possible (!) Secret sharing schemes 18 / 21,

21 Asmuth-Bloom scheme is not perfect example: (2, 2) scheme with m 0 = 3, m 1 = 4, and m 2 = 5 M = m 1 m 2 = 20; the condition is satisfied: M > m 0 m 2 = 15 this table shows all y and corresponding s 2 values for all s Z 3 : s y (s 2 ) 0 0 (0) 3 (3) 6 (1) 9 (4) 12 (2) 15 (0) 18 (3) 1 1 (1) 4 (4) 7 (2) 10 (0) 13 (3) 16 (1) 19 (4) 2 2 (2) 5 (0) 8 (3) 11 (1) 14 (4) 17 (2) if s $ Z 3 then Pr[s = 0] = 1/3 knowing the share s 2 allows P 2 to infer different probabilities: Pr[s = 0 s 2 = 0] = 1/2, Pr[s = 1 s 2 = 0] = Pr[s = 2 s 2 = 0] = 1/4 Pr[s = 1 s 2 = 1] = 1/2, Pr[s = 0 s 2 = 1] = Pr[s = 2 s 2 = 1] = 1/4... Secret sharing schemes 19 / 21,

22 Proactive secret sharing What if some shares are compromised? reduce the time for an attacker to collect enough shares update shares (without dealer) forget the old shares the shared secret does not change update in (t, n) Shamir s secret sharing scheme 1. P i chooses a random g i (x) = a i,1 x + a i,2 x a i,t 1 x t 1, i.e. g i (0) = 0 2. P i P j : u i,j = g i (j) 3. P i updates its share s i = s i + u 1,i + + u n,i using the homomorphic property of the scheme problems: compromised server distributing invalid shares (verification) all participants needed for updating every single participant secure communication needed for sending updates Secret sharing schemes 20 / 21,

23 Verifiable secret sharing secret sharing schemes that provide resilience against malicious dealer distributing incorrect shares (some or all) malicious participants lying about their shares in reconstruction a share s i can be verified by P i in publicly verifiable secret sharing by anyone application: electronic voting some roles in the voting process are split among group of servers Secret sharing schemes 21 / 21,