Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Transcription

1 Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval 2/26 Key Management In case of a critical private key (decryption or signing key) Abuse: one user can use the secret key alone Loss: in case of loss of the key (destruction) = share the secret key between several users NS/CNRS/INRIA Cascade David Pointcheval 3/26ENS/CNRS/INRIA Cascade David Pointcheval 4/26

2 Secret Sharing Schemes [Shamir 1979] Secret Sharing Schemes Let S {0, 1} l be a secret bit-string to be shared between two people (Alice and Bob): Security: one chooses a random S 1 {0, 1} l, and sends it to Alice one computes S 2 = S S 1, and sends it to Bob Alice knows a random value Bob knows a value masked by a random value: a random value! = individually, they have no information on S Together, they can recover S = S 1 S 2 Let S {0, 1} l be a secret bit-string to be shared between n people (U 1,..., U n ): one chooses random values S i {0, 1} l, for i = 1,..., n 1 and sends S i to U i Security: one computes S n = S S 1... S n 1, and sends it to U n U 1,..., U n 1 know random values U n knows a value masked by random values: a random value! = individually, they have no information on S = but also, any subgroup of (n 1) people has no information on S All together, they can recover S = S 1... S n NS/CNRS/INRIA Cascade David Pointcheval 5/26ENS/CNRS/INRIA Cascade David Pointcheval 6/26 Unconditional Security Any subgroup of (n 1) people has no information on S! = if one people does not want / is not able to cooperate: S is lost forever! Threshold Secret Sharing (n, k)-threshold Secret Sharing A secret S is shared among n users: any subgroup of k people (or more) can recover S any subgroup of less than k people has no information about S NS/CNRS/INRIA Cascade David Pointcheval 7/26ENS/CNRS/INRIA Cascade David Pointcheval 8/26

3 [Shamir 1979] : (n, k)-threshold Lagrange Interpolation of Polynomials Let us be given k points (x 1, y 1 ),..., (x k, y k ), with distinct abscissa. There exists a unique polynomial P of degree k 1 such that P(x i ) = y i for i = 1,..., k L (X) = =1 i=k i=1 i X x i x x i { L (x ) = 1 L (x i ) = 0 for all i As a consequence: k { deg(p) = k 1 P(X) = y L (X) satisfies P(x i ) = y i i = 1,..., k For any subset S of k indices: and L S, (X) = i S i X x i x x i P(X) = S { LS, (x ) = 1 L S, (x i ) = 0 for all i S, i y L S, (X) : S = P(0) = S y L S, (0) If one notes λ S, = L S, (0) (that can be publicly computed) x = S y λ S,. NS/CNRS/INRIA Cascade David Pointcheval 9/26ENS/CNRS/INRIA Cascade David Pointcheval 10/26 [Chor-Goldwasser-Micali-Awerbuch FOCS 85] If Eve claims she shared her decryption key: how can we trust her? we try to recover the key? how to do without revealing additional information? = For DL Keys [Feldman FOCS 87] Eve s keys are, in a group G = g of prime order q, sk = x pk = y = g x (n, k)-secret sharing: x = P(0) for P(X) = k 1 i=0 a ix i = S i = P(i) for i = 1..., n For any subset S of k indices: x = S S λ S, y = g x = g S S λ S, = S (gs ) λ S, = S v λ S, for v = g S NS/CNRS/INRIA Cascade David Pointcheval 11/26ENS/CNRS/INRIA Cascade David Pointcheval 12/26

4 for DL Keys For DL Keys [Feldman FOCS 87] Eve s keys are, in a group G = g of prime order q, sk = x pk = y = g x (n, k)-secret sharing: x = P(0) for P(X) = k 1 i=0 a ix i Eve computes S i = P(i) for i = 1..., n and v i = g S i Eve sends each S i privately to each U i Eve publishes v i = g S i for i = 1,..., n Each U i can then check its own v i w.r.t. to its S i Anybody can check y = S v λ S, for any subset S of size k NS/CNRS/INRIA Cascade David Pointcheval 13/26ENS/CNRS/INRIA Cascade David Pointcheval 14/26 Secret Sharing vs. Distributed Cryptography If Eve shares her decryption key sk, the (U i ) will have to cooperate to recover the key sk and then decrypt the ciphertext But then, they all know the decryption key sk! How can the (U i ) use their shares (S i ) to decrypt (or sign), without leaking any additional information about sk? = Multi-party computation Let us try on ElGamal decryption (with shared DL keys) NS/CNRS/INRIA Cascade David Pointcheval 15/26ENS/CNRS/INRIA Cascade David Pointcheval 16/26

5 ElGamal Encryption [ElGamal 1985] Robustness ElGamal Encryption In a group G = g of order q K(G, g, q): x R Z q, and sk x and pk y = g x E pk (m): r R Z q, c 1 g r and c 2 y r m. Then, the ciphertext is c = (c 1, c 2 ) D sk (c) outputs c 2 /c x 1 We assume an (n, k)-secret sharing of x and a qualified set S: x = S S λ S, D sk (c) = c 2 /c x 1 : one needs to compute cx 1 c1 x = c S S λ S, 1 = (c S 1 )λ S, S In a group G = g of order q K(G, g, q): x R Z q, and sk x and pk y = g x E pk (m): r R Z q, c 1 g r and c 2 y r m. Then, the ciphertext is c = (c 1, c 2 ) D sk (c) outputs c 2 /c x 1 Given a qualified set S: x = S S λ S, Each user computes C = c S 1, and then cx 1 = S Cλ S, Assume Charlie a.k.a. U 1, sends a random C 1 : the others will compute a wrong decryption Charlie will be able to extract the plaintext! Each user computes C = c S 1, and then cx 1 = S Cλ S, NS/CNRS/INRIA Cascade David Pointcheval 17/26ENS/CNRS/INRIA Cascade David Pointcheval 18/26 Fraud Detection NIZK Diffie-Hellman Language Each user computes C = c S 1, and then cx 1 = S Cλ S, But U 1, sends a random C 1 : instead of c S 1 1, knowing also v 1 = g S 1 = Decide a DDH tuple (g, c 1, v 1, C 1 ) Robustness A defrauder can be detected = Proof of DDH membership for the tuple (g, c 1, v 1, C 1 ), without leakage of any information about S 1 In a group G = g of prime order q, the DDH(g, h) assumption states it is hard to distinguish L = (u = g x, v = h x ) from G 2 = (u = g x, v = h y ) P knows x, such that (u = g x, v = h x ) and wants to prove it P chooses k R Z q, sets U = g k and V = h k P computes h = H(g, h, u, v, U, V ) Z q P computes s = k + xh mod q The proof consists of the pair (h, s): anybody can check whether h = H(g, h, u, v, g s u h, h s v h ) This proof allows to detect the defrauder NS/CNRS/INRIA Cascade David Pointcheval 19/26ENS/CNRS/INRIA Cascade David Pointcheval 20/26

6 Schnorr Signature [Schnorr Eurocrypt 89 - Crypto 89] Schnorr Signature G = g of order q and H: {0, 1} Z q Key Generation (y, x): x Z q and y = g x Signature of m (r, h, s) k R Z q r = g k h = H(m, r) s = k + xh mod q Verification of (m, r, s) compute h = H(m, r) and check r? = g s y h We assume an (n, k)-secret sharing of x (with the v i ) and a qualified set S: x = S S λ S, The users generate a common r and then sign (m, r) with a partial signature s i under v i : = the linearity leads to a global signature NS/CNRS/INRIA Cascade David Pointcheval 21/26ENS/CNRS/INRIA Cascade David Pointcheval 22/26 Distributed Schnorr Signature G = g of order q and H: {0, 1} Z q Key Generation (y, x): x Z q and y = g x We assume an (n, k)-secret sharing of x (with the v i = g S i ) and a qualified set S: x = S S λ S, Signature of m (r, h, s) R each U i chooses k i Z q and publishes r i = g k i they all compute r = r i λ S, and h = H(m, r) each U i computes and publishes s i = k i + S i h mod q Then, s = s i λ S,i Verification of (m, r, s) compute h = H(m, r) and check r? = g s y h Each partial signature (m, r i, s i ) can be checked: r i? = g s i v h i NS/CNRS/INRIA Cascade David Pointcheval 23/26ENS/CNRS/INRIA Cascade David Pointcheval 24/26

7 In the previous schemes (ElGamal encryption and Schnorr signature) the keys are generated in a centralized way: someone knows the secret key! Distributed cryptography should include a distributed key generation: the secret key should never exist in one place. (n, n)-threshold DL Key Generation G = g of order q Key Generation (y, x): R each U i chooses x i Z q and publishes y i = g x i anybody can compute y = y i = g x i The public key y corresponds to the virtual secret key x = x i mod q (n, k)-threshold DL Key Generation G = g of order q Key Generation (y, x): each U i chooses a polynomial P i of degree k 1, and sends S i, = P i () to U each U can then compute S = i S i, = i P i() = P(), where P = i P i each U computes and publishes v = g S The (S ) are an (n, k)-secret sharing of the virtual secret key x, corresponding to the public key y, that anybody can compute: For any qualified set S: Secretly: x = S S λ S, mod q Publicly: y = S v λ S, NS/CNRS/INRIA Cascade David Pointcheval 25/26ENS/CNRS/INRIA Cascade David Pointcheval 26/26