Secret sharing schemes
1 Secret sharing schemes
Martin Stanek, Department of Computer Science, Comenius University
Cryptology 1 (2017/18)

2 Content
- Introduction
- Shamir's secret sharing scheme
  - perfect secret sharing
  - information rate
- Generalized access structures
- Additional topics
  - Asmuth-Bloom scheme
  - proactive secret sharing
  - verifiable secret sharing
Secret sharing schemes 2 / 21

3 Introduction
- secret sharing schemes distribute a secret (e.g. a key) among some group of participants (users, servers)
  - rules determine which groups can reconstruct the secret (qualified groups)
  - share: the secret piece of information held by an individual participant
- a scheme consists of two algorithms/protocols:
  - producing and distributing the shares (usually done by a dealer)
  - reconstructing the shared secret
- motivation
  - Can you trust a single authority (admin or server)?
  - basis for other constructions: threshold cryptography, distributing computation among a group of trusted servers, multi-party secure computation, electronic voting, ...

4 Secret sharing schemes
- n participants P = {P_1, P_2, ..., P_n}
- shared secret s
- shares: P_i ↦ s_i
- access structure 𝒜 ⊆ 2^P (power set): A ⊆ P can reconstruct s ⇔ A ∈ 𝒜
- usually a monotone access structure: ∀A, B ⊆ P: A ⊆ B and A ∈ 𝒜 ⇒ B ∈ 𝒜
- (t, n) threshold access structure, for 1 ≤ t ≤ n: {A | A ⊆ P and |A| ≥ t}

5 Simple examples
- (1, n) threshold: distribute the secret itself as every share, s_i = s
- (n, n) threshold, 1st attempt
  - let s ∈ {0,1}^l; divide s into n shares s_1, ..., s_n of length l/n bits
  - reconstruction: s = s_1 ‖ ... ‖ s_n
  - n − 1 participants reconstruct a large part of s, approx. l(n − 1)/n bits
- (n, n) threshold
  - let s ∈ {0,1}^l; choose s_i ←$ {0,1}^l uniformly at random for i = 1, ..., n − 1, and s_n = s ⊕ s_1 ⊕ ... ⊕ s_{n−1}
  - reconstruction: s = s_1 ⊕ ... ⊕ s_n
  - security: any n − 1 (or fewer) participants learn nothing about s; a perfect scheme
6 Shamir's secret sharing scheme
- idea: t points uniquely determine a polynomial of degree t − 1
- finite field Z_p, for a prime p > n
- shared secret s ∈ Z_p; let us assume s ←$ Z_p
- computing the shares: choose a random polynomial f(x) = s + a_1 x + ... + a_{t−1} x^{t−1}, where a_i ←$ Z_p for i = 1, ..., t − 1; notice that f(0) = s
- share for P_i: (i, s_i), where s_i = f(i)
- reconstruction; WLOG let us assume t participants P_1, ..., P_t: Lagrange interpolation using (i, s_i) for i = 1, ..., t:
    f(x) = Σ_{i=1}^{t} s_i · Π_{1 ≤ j ≤ t, j ≠ i} (x − j)/(i − j)
  compute s = f(0) (all computations are in the finite field)
7 Shamir's secret sharing scheme: security
- consider a non-qualified group of participants (WLOG P_1, ..., P_{t−1})
- the shared secret can be anything: combine the shares and add the point (0, s') for an arbitrary s' ∈ Z_p
  - t points ⇒ a unique polynomial f'
  - f' is consistent with the shares of P_1, ..., P_{t−1}
- P_1, ..., P_{t−1} are in the same position as someone without any share: the probability of finding s is 1/p (guessing)
- perfect secret sharing scheme

8 Linear equations perspective
- unknown polynomial f (its coefficients)
- a share (i, s_i) forms a linear equation: s_i = a_0 + a_1 i + ... + a_{t−1} i^{t−1}
- t cooperating participants
  - the system of t equations with t variables
  - square Vandermonde matrix with distinct elements (i.e. non-zero determinant) ⇒ the system has a unique solution
- t − 1 cooperating participants
  - the system of t − 1 equations with t variables
  - add an additional equation: s' = a_0
  - square Vandermonde matrix with distinct elements (because any i ≠ 0) ⇒ the system has a unique solution for any s' ... a perfect scheme

9 Remarks
- reconstruction is just a linear combination of shares: f(0) = Σ_{i∈S} s_i r_i for coefficients r_i = Π_{j∈S∖{i}} j/(j − i), where S ⊆ {1, ..., n}, |S| = t
- the scheme can use any points (x_i, f(x_i)) for distinct non-zero x_1, ..., x_n as shares
- homomorphic property with respect to addition: two (t, n) threshold schemes defined by polynomials f and g
  - adding shares: (i, f(i)), (i, g(i)) ↦ (i, f(i) + g(i))
  - polynomial f + g (the shared secret is the sum of the shared secrets, a_0 + a'_0):
    f(x) + g(x) = Σ_{i=0}^{t−1} a_i x^i + Σ_{i=0}^{t−1} a'_i x^i = Σ_{i=0}^{t−1} (a_i + a'_i) x^i

10 Remarks (2)
- efficiency: polynomial time
- a long s can be divided into shorter pieces and shared by independent schemes (or we can encrypt s and share the encryption key)
- a trusted dealer generates the polynomial and distributes the shares
- one-time scheme? the secret is revealed after reconstruction vs. black-box reconstruction
- cheating in reconstruction: for example P_1, ..., P_t try to reconstruct s
  - P_1 cheats and reveals an incorrect share (1, s'_1)
  - the participants compute s' = s + s'_1 r_1 − s_1 r_1 ... and P_1 can easily compute s from s'
11 Information rate
- the size of share(s) vs. the size of the shared secret
- notation: S is the set of secrets, K(P_i) is the set of all possible shares for P_i (random variables)
- information rate for P_i: ρ_i = H(S)/H(K(P_i))
- information rate of the scheme: ρ = min_i ρ_i
- uniform probability case: ρ = min_i lg|S| / lg|K(P_i)|

12 Information rate (2)
- information rate for Shamir's scheme: ρ = 1
- perfect secret sharing scheme ... ρ ≤ 1
  - let us assume that ρ > 1 ⇒ ρ_i > 1 for all i: lg|S| / lg|K(P_i)| > 1 ⇒ lg|S| > lg|K(P_i)| ⇒ |S| > |K(P_i)|
  - there exists A ⊆ P such that P_i ∉ A, A ∉ 𝒜, and A ∪ {P_i} ∈ 𝒜
  - take all shares from the participants in A and all candidate shares from K(P_i); compute all possible values of the shared secret ... fewer than |S|
  - the scheme cannot be perfect (we can exclude some impossible secrets)
- a perfect secret sharing scheme with ρ = 1 is called ideal

13 Generalized access structures
- playing with Shamir's scheme
- example 1: assigning more shares to a participant
  - n = 4, polynomial f with deg(f) ≤ 1 ... a (2, 4) threshold
  - P_1 gets two shares, the others as usual
  - What access structure is this? Is the scheme perfect?
- example 2: combining two Shamir schemes
  - the first one a (3, 6) scheme, and the second one a (1, 2) scheme
  - the shared secret is the sum of the two shared secrets
  - P_1 and P_2 get shares in both schemes; the others in the first scheme only
  - What access structure is this? Is the scheme perfect?

14 Generalized access structures (2)
- monotone Boolean functions: (x_1, ..., x_n) ≤ (y_1, ..., y_n) ⇒ f(x_1, ..., x_n) ≤ f(y_1, ..., y_n), where (x_1, ..., x_n) ≤ (y_1, ..., y_n) ⇔ x_1 ≤ y_1 and ... and x_n ≤ y_n
- monotone access structures ↔ monotone Boolean functions
  - n participants ... a BF with n variables
  - A ⊆ P ↔ (x_1, ..., x_n) ∈ {0,1}^n, where x_i = 1 ⇔ P_i ∈ A; we can write A instead of (x_1, ..., x_n) and vice versa
  - 𝒜 ⊆ 2^P ↔ BF f such that ∀A ⊆ P: f(A) = 1 ⇔ A ∈ 𝒜
- example: n = 4, access structure: P_1 or at least two participants; f(x_1, ..., x_4) = x_1 ∨ x_2 x_3 ∨ x_2 x_4 ∨ x_3 x_4
- monotone BF ↔ all formulas using only the ∧ and ∨ operators (plus the uninteresting case f(x) = 0)

15 Monotone construction
- Boolean circuit for a monotone function; implement each gate as a perfect secret sharing scheme
  - n-ary AND gate: (n, n) threshold
  - n-ary OR gate: (1, n) threshold
- start with the output s and proceed backwards
- each participant P_i gets a set of shares (corresponding to the arrows starting in x_i)
- perfect scheme; inefficient (generally, an exponential number of shares)
(figure: circuit with inputs x_1, x_2, x_3, x_4 and output s)
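An added example in Python (not from the slides) of the monotone construction applied to the access structure of slide 14, "P_1 or at least two of four participants": AND gates are the XOR (n, n) scheme of slide 5, OR gates hand the same value to every input, and each participant ends up with one share per arrow leaving its variable. The formula encoding and the `path` labels for shares are this example's own conventions.

```python
import secrets

# Monotone formula as a tree: ("var", i), ("and", [children]), ("or", [children]).
# Constructed example from the slides: f(x_1, ..., x_4) = x_1 v x_2 x_3 v x_2 x_4 v x_3 x_4.
FORMULA = ("or", [("var", 1),
                  ("and", [("var", 2), ("var", 3)]),
                  ("and", [("var", 2), ("var", 4)]),
                  ("and", [("var", 3), ("var", 4)])])


def share(node, secret, nbits, out=None, path=()):
    """Distribute `secret` (an nbits-bit integer) from the output gate backwards.
    OR gate = (1, k) threshold: every input receives the gate's value unchanged.
    AND gate = (k, k) threshold: k - 1 random pieces plus one fixed so that all XOR to the value.
    Each leaf (participant) receives one share per path through the formula; the result
    is {participant: {path: value}}."""
    if out is None:
        out = {}
    kind, arg = node
    if kind == "var":
        out.setdefault(arg, {})[path] = secret
    elif kind == "or":
        for idx, child in enumerate(arg):
            share(child, secret, nbits, out, path + (idx,))
    elif kind == "and":
        pieces = [secrets.randbits(nbits) for _ in arg[:-1]]
        last = secret
        for piece in pieces:
            last ^= piece                      # last piece makes the XOR equal the value
        for idx, (child, piece) in enumerate(zip(arg, pieces + [last])):
            share(child, piece, nbits, out, path + (idx,))
    else:
        raise ValueError(kind)
    return out


def reconstruct(node, shares, present, path=()):
    """Evaluate the circuit with the shares of the `present` participants.
    Returns the value at this gate, or None if the present set is not qualified here."""
    kind, arg = node
    if kind == "var":
        return shares[arg][path] if arg in present else None
    if kind == "or":
        # any single input suffices
        for idx, child in enumerate(arg):
            val = reconstruct(child, shares, present, path + (idx,))
            if val is not None:
                return val
        return None
    # AND gate: every input is needed, value is the XOR of all inputs
    acc = 0
    for idx, child in enumerate(arg):
        val = reconstruct(child, shares, present, path + (idx,))
        if val is None:
            return None
        acc ^= val
    return acc


def qualified(node, present):
    """The access structure as a monotone Boolean function: f(A) = 1 iff A can reconstruct."""
    kind, arg = node
    if kind == "var":
        return arg in present
    results = [qualified(child, present) for child in arg]
    return any(results) if kind == "or" else all(results)
```

Participant P_1 holds one share while P_2, P_3 and P_4 hold two each, which is the share growth the slide warns about.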
16 Asmuth-Bloom scheme
- (t, n) threshold access structure based on the Chinese Remainder Theorem (CRT)
- generating shares:
  1. generate pairwise coprime integers m_0 < m_1 < ... < m_n such that
     M = m_1 m_2 ... m_t (the t smallest) > m_0 · m_n m_{n−1} ... m_{n−t+2} (the t − 1 largest)
  2. shared secret s ∈ Z_{m_0}
  3. choose a random integer a such that 0 ≤ y = s + a m_0 < M
  4. share for P_i: s_i = y mod m_i

17 Asmuth-Bloom scheme: example
- example: (3, 5) threshold
- m_0 = 89, m_1 = 101, m_2 = 103, m_3 = 107, m_4 = 109, m_5 = 113
- M = m_1 m_2 m_3 = 1113121
- let s = 11, and random a = 2013; then y = s + a m_0 = 179168
- shares: s_1 = 95, s_2 = 51, s_3 = 50, s_4 = 81, s_5 = 63

18 Asmuth-Bloom scheme: reconstruction & security
- reconstruction: P_{i_1}, ..., P_{i_t} for 1 ≤ i_1 < ... < i_t ≤ n
  - the system of linear congruences: x ≡ s_{i_j} (mod m_{i_j})
  - pairwise coprime ... a unique solution mod M' = m_{i_1} m_{i_2} ... m_{i_t} (CRT)
  - M ≤ M' and y is a solution as well, i.e. the solution is y; s = y mod m_0
- security: assume a non-qualified set of t − 1 participants P_{i_1}, ..., P_{i_{t−1}}
  - let M' = m_{i_1} ... m_{i_{t−1}}
  - they solve their system and obtain y': y' = y mod M'
  - M/M' > m_0 (follows from the condition in the generation protocol)
  - y can be expressed as y = y' + kM'; at least m_0 candidates: y' mod m_0, (y' + M') mod m_0, ..., (y' + (m_0 − 1)M') mod m_0
  - gcd(m_0, M') = 1 ⇒ the candidates are distinct; therefore every s ∈ Z_{m_0} is possible (!)

19 Asmuth-Bloom scheme is not perfect
- example: (2, 2) scheme with m_0 = 3, m_1 = 4, and m_2 = 5
- M = m_1 m_2 = 20; the condition is satisfied: M > m_0 m_2 = 15
- this table shows all y and the corresponding s_2 values (in parentheses) for all s ∈ Z_3:
  s = 0: y (s_2) = 0 (0), 3 (3), 6 (1), 9 (4), 12 (2), 15 (0), 18 (3)
  s = 1: y (s_2) = 1 (1), 4 (4), 7 (2), 10 (0), 13 (3), 16 (1), 19 (4)
  s = 2: y (s_2) = 2 (2), 5 (0), 8 (3), 11 (1), 14 (4), 17 (2)
- if s ←$ Z_3 then Pr[s = 0] = 1/3
- knowing the share s_2 allows P_2 to infer different probabilities:
  Pr[s = 0 | s_2 = 0] = 1/2, Pr[s = 1 | s_2 = 0] = Pr[s = 2 | s_2 = 0] = 1/4
  Pr[s = 1 | s_2 = 1] = 1/2, Pr[s = 0 | s_2 = 1] = Pr[s = 2 | s_2 = 1] = 1/4
  ...
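An added Python example (not part of the slides) that runs the Asmuth-Bloom procedure of slides 16 to 18 on the (3, 5) parameters of slide 17, checks the generation condition, reconstructs y by CRT from any t shares, and reproduces the conditional probabilities of slide 19 by enumerating the (2, 2) table. The function names and the uniform-y assumption in `posterior` are this example's own choices.

```python
from fractions import Fraction
from itertools import combinations
from math import gcd, prod


def check_parameters(m0, moduli, t):
    """Asmuth-Bloom condition: pairwise coprime m_0 < m_1 < ... < m_n and
    M = (product of the t smallest m_i) > m_0 * (product of the t - 1 largest m_i).
    Returns M."""
    ms = [m0] + list(moduli)
    assert all(a < b for a, b in zip(ms, ms[1:])), "moduli must be increasing"
    assert all(gcd(a, b) == 1 for a, b in combinations(ms, 2)), "moduli must be pairwise coprime"
    big_m = prod(moduli[:t])
    bound = m0 * prod(moduli[-(t - 1):]) if t > 1 else m0
    assert big_m > bound, "M must exceed m_0 times the product of the t-1 largest moduli"
    return big_m


def share(s, a, m0, moduli, t):
    """Dealer side: y = s + a*m_0 with 0 <= y < M, share s_i = y mod m_i.
    `a` is passed in explicitly so the slide's example (a = 2013) can be reproduced."""
    big_m = check_parameters(m0, moduli, t)
    y = s + a * m0
    assert 0 <= s < m0 and 0 <= y < big_m, "a must keep y inside [0, M)"
    return y, {i + 1: y % m for i, m in enumerate(moduli)}


def crt(residues):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i (Garner's incremental method).
    Returns (x, product of the moduli) with 0 <= x < product."""
    x, mod = 0, 1
    for r, m in residues:
        k = (r - x) * pow(mod, -1, m) % m      # lift x to a solution modulo mod*m
        x, mod = x + k * mod, mod * m
    return x, mod


def reconstruct(shares, moduli, m0):
    """Any t shares {i: s_i}: y is the unique solution modulo M' = m_i1 ... m_it >= M,
    so the CRT solution is y itself and s = y mod m_0."""
    y, _ = crt([(s_i, moduli[i - 1]) for i, s_i in shares.items()])
    return y % m0


def posterior(m0, m1, m2, observed_share):
    """(2, 2) scheme of slide 19: Pr[s = v | s_2 = observed_share] for every v in Z_{m_0},
    assuming y is uniform on {0, ..., M - 1} with M = m_1 m_2 (the slide's table).
    A perfect scheme would return 1/m_0 for every v."""
    big_m = m1 * m2
    ys = [y for y in range(big_m) if y % m2 == observed_share]
    return {v: Fraction(sum(1 for y in ys if y % m0 == v), len(ys)) for v in range(m0)}
```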
20 Proactive secret sharing
- What if some shares are compromised?
- reduce the time an attacker has to collect enough shares: update the shares (without the dealer) and forget the old shares; the shared secret does not change
- update in a (t, n) Shamir scheme:
  1. P_i chooses a random g_i(x) = a_{i,1} x + a_{i,2} x^2 + ... + a_{i,t−1} x^{t−1}, i.e. g_i(0) = 0
  2. P_i → P_j: u_{i,j} = g_i(j)
  3. P_i updates its share: s'_i = s_i + u_{1,i} + ... + u_{n,i}, using the homomorphic property of the scheme
- problems:
  - a compromised server distributing invalid shares (verification)
  - all participants are needed for updating every single participant
  - secure communication is needed for sending the updates

21 Verifiable secret sharing
- secret sharing schemes that provide resilience against
  - a malicious dealer distributing incorrect shares (some or all)
  - malicious participants lying about their shares in reconstruction
- a share s_i can be verified by P_i; in publicly verifiable secret sharing, by anyone
- application: electronic voting, where some roles in the voting process are split among a group of servers
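An added Python example (not from the slides) covering Shamir's scheme from slides 6 to 10 together with the proactive update of slide 20: sharing over Z_p, reconstruction as the linear combination Σ s_i r_i with the Lagrange coefficients r_i, share addition as the homomorphic property, and the dealer-free refresh in which every P_i shares 0 with a polynomial g_i and each P_j adds the updates u_{i,j} to its share. The prime `P` is a constructed choice and the function names are this example's own.

```python
import secrets

# Constructed field: a Mersenne prime, far larger than n; any prime p > n works.
P = 2**127 - 1


def _eval_poly(coeffs, x, p):
    """Horner evaluation of a_0 + a_1 x + ... over Z_p; coeffs = [a_0, a_1, ...]."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def shamir_share(s, t, n, p=P):
    """(t, n) sharing: f(x) = s + a_1 x + ... + a_{t-1} x^{t-1} with random a_i,
    share for P_i is f(i). Returns {i: s_i}."""
    assert 1 <= t <= n < p and 0 <= s < p
    coeffs = [s] + [secrets.randbelow(p) for _ in range(t - 1)]
    return {i: _eval_poly(coeffs, i, p) for i in range(1, n + 1)}


def lagrange_coeffs(indices, p=P):
    """r_i = prod_{j in S, j != i} j / (j - i) mod p, so that f(0) = sum_i r_i * s_i
    (slide 9). Any set of at least t distinct non-zero points determines f."""
    r = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * j % p
                den = den * (j - i) % p
        r[i] = num * pow(den, -1, p) % p
    return r


def reconstruct(shares, p=P):
    """Reconstruct f(0) from {i: s_i} holding at least t shares."""
    r = lagrange_coeffs(list(shares), p)
    return sum(r[i] * s_i for i, s_i in shares.items()) % p


def add_shares(shares_f, shares_g, p=P):
    """Homomorphic property: (i, f(i) + g(i)) is a share of f + g, whose secret is f(0) + g(0)."""
    return {i: (shares_f[i] + shares_g[i]) % p for i in shares_f}


def refresh_shares(shares, t, p=P):
    """Proactive update without the dealer (slide 20). Each P_i picks a random g_i with
    g_i(0) = 0 and sends u_{i,j} = g_i(j) to every P_j; P_j's new share is
    s_j + u_{1,j} + ... + u_{n,j}. The secret f(0) is unchanged while every share
    changes, so old shares an attacker has collected are useless afterwards.
    In a deployment each u_{i,j} travels over an authenticated, confidential channel."""
    updates = {j: 0 for j in shares}
    for i in shares:
        g_i = [0] + [secrets.randbelow(p) for _ in range(t - 1)]   # constant term is 0
        for j in shares:
            updates[j] = (updates[j] + _eval_poly(g_i, j, p)) % p   # u_{i,j}
    return {j: (shares[j] + updates[j]) % p for j in shares}
```

The reconstruction is linear in the shares, which is exactly why a single wrong share shifts the result by a predictable amount (slide 10) and why the update needs the verification that the next slide introduces.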
More informationMTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Zero-knowledge Proofs Sven Laur University of Tartu Formal Syntax Zero-knowledge proofs pk (pk, sk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) (pk,sk)? R
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 3, 2014 CPSC 467, Lecture 18 1/43 Zero Knowledge Interactive Proofs (ZKIP) Secret cave protocol ZKIP for graph isomorphism
More informationAn Unconditionally Secure Protocol for Multi-Party Set Intersection
An Unconditionally Secure Protocol for Multi-Party Set Intersection Ronghua Li 1,2 and Chuankun Wu 1 1 State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
More information1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds
1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds Amos Beimel Department of Computer Science Ben Gurion University Be er Sheva, Israel Eran Omri Department of Computer
More informationHomework 3 Solutions
5233/IOC5063 Theory of Cryptology, Fall 205 Instructor Prof. Wen-Guey Tzeng Homework 3 Solutions 7-Dec-205 Scribe Amir Rezapour. Consider an unfair coin with head probability 0.5. Assume that the coin
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationSaints and Scoundrels and Two Theorems That Are Really the Same
Saints and Scoundrels and Two Theorems That Are Really the Same Ezra Brown Ezra (Bud) Brown (ezbrown@mathvtedu) grew up in New Orleans and has degrees from Rice University and Louisiana State University
More informationInteractive protocols & zero-knowledge
Interactive protocols & zero-knowledge - interactive protocols formalize what can be recognized by polynomial time restricted verifiers in arbitrary protocols - generalizes NP - zero-knowledge formalizes
More informationMultiparty Computation, an Introduction
Multiparty Computation, an Introduction Ronald Cramer and Ivan Damgård Lecture Notes, 2004 1 introduction These lecture notes introduce the notion of secure multiparty computation. We introduce some concepts
More informationLecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations
CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw
More informationMultilevel Threshold Secret and Function Sharing based on the Chinese Remainder Theorem
1 Multilevel Threshold Secret and Function Sharing based on the Chinese Remainder Theorem Oğuzhan Ersoy, Kamer Kaya and Kerem Kaşkaloğlu arxiv:1605.07988v1 [cs.cr] 25 May 2016 Abstract A recent work of
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 16 March 19, 2012 CPSC 467b, Lecture 16 1/58 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationIntroduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes
Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More
More information