Threshold Cryptography

Transcription

1 Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term Threshold Cryptography 1

2 ? Threshold Cryptography 2

3 Threshold Cryptography Sharing Secrets Treasure Map Sharing keys on multiple server Threshold Encryption Protect top secret document, only group of people can decrypt it Threshold Signature Signing checks E-Voting Do not trust only one voting authority Threshold Cryptography 3

4 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 4

5 Basic Maths p is a prime modulo operator mod: find remainder of division of two numbers modulo congruent = 20 6 = 18 R: 2 20 mod 6 = 2 two numbers are congruent modulo m if they have the same remainder by the division of m 20 mod 6 =2 and 14 mod 6 = 2 20 = 14 mod Threshold Cryptography 5

6 Basic Maths Residue class Collect all integers which are congruent given a modulo m Example: mod 6 [0] 6 = {, 6, 0, 6, 12, 18, } [1] 6 = {, 5, 1, 7, 13, 19, } [2] 6 = {, 4, 2, 8, 14, 20, } [3] 6 = {, 3, 3, 9, 15, 21, } [4] 6 = {, 2, 4, 10, 16, 22, } [5] 6 = {, 1, 5, 11, 17, 23 } Residue class system (ring) Z n Collect all residue classes and have two operations Example: Z 6 = 0 6, 1 6, 2 6, 3 6, 4 6, 5 6 = {0, 1, 2, 3, 4, 5} = = = 5 mod = = = 0 mod Threshold Cryptography 6

7 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 7

8 Lagrange Polynomial Interpolation Find polynomial to given set of points f(x) , 2, 2, 2, 2, 1 f x =? Threshold Cryptography 8

9 Lagrange Polynomial Interpolation Interpolate polynomial function out of given points Given: k + 1 data points: x 0, y 0,, x j, y j,, x k, y k where no two x j are the same Lagrange polynomial interpolation is: k Joseph-Louis Lagrange L x y j l j j=0 where l j is Lagrange basis polynomials: x x m l j x j x m 0 m k m j = y 0 l y j l j + + y k l k = x x 0 x j x 0 x x j 1 x j x j 1 x x j+1 x j x j+1 x x k x j x k [La13] Threshold Cryptography 9

10 Lagrange Example Given Points: 1, 2, 2, 2, 2, 1 k = 2 Calculate Lagrange basis polynomials l 0 l 1 x x 1 (x 0 x 1 ) x x 0 (x 1 x 0 ) x x 2 = x + 2 x 0 x x x 2 = x 1 x 0 x x = 1 3 (x2 4) x = 1 12 (x2 3x + 2) L x y j l j l j 0 m k m j k j=0 x x m x j x m l 2 x x 0 (x 2 x 0 ) x x 1 = x 1 x 2 x x = 1 4 (x2 + x 2) Calculate Lagrange polynomial: L x = y 0 l 0 + y 1 l 1 + y 2 l 2 L x = x x2 3x x2 + x 2 = 1 4 x2 1 4 x [La13] Threshold Cryptography 10

11 Lagrange Polynomial Interpolation Find polynom to given set of points f(x) , 2, 2, 2, 2, 1 f x = 1 4 x2 1 4 x Threshold Cryptography 11

12 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 12

13 Secret Sharing How to distribute secret s to n parties in that way, that Only all n parties together or k out of n parties can recompute the secret? secret s 0 secret s Bob secret s 1 Chris Trusted dealer Dave secret s Threshold Cryptography 13

14 Secret Sharing Recomputation of the secret all n out of n parties: (n, n) threshold secret s 0 Bob secret s Trusted dealer Chris secret s 2 secret s 1 n 1, n 2, parties should not be able to recompute the secret Every party (or group of parties) should not be able to retreive any information about the global secret from their own secret(s) Threshold Cryptography 14

15 Secret Sharing Recomputation of the secret k out of n parties: (k, n) threshold secret s 0 Bob secret s Trusted dealer Chris secret s 2 secret s 1 k 1, k 2, parties should not be able to recompute the secret Every party (or group of parties) should not be able to retreive any information about the global secret from their own secret(s) Threshold Cryptography 15

16 Secret Sharing Real world s solution: Multiple locks with keys heavy key ring Naive solution (bad): Split secret in parts: Disadvantage: needs (n, n) threshold n 1 out of n parties dramatically reduce possible keys Threshold Cryptography 16

17 Shamir s Secret Sharing Published 1979 by Adi Shamir (k, n) threshold sharing Based on Lagrange polynomials Dealing Algorithm: Given: (k, n) threshold and secret s Z q Randomly choose k 1 coefficients a 1,, a k 1 Set a 0 = s Build polynomial f x = a 0 + a 1 x + a 2 x 2 + a k 1 x k 1 Set i = 1,, n and calculate Points s i = i, f i mod q Every party gets (at least) one point s i Adi Shamir The S in RSA [Sha79] Threshold Cryptography 17

18 Shamir s Secret Sharing - Example Dealing Algorithm Given: (k, n) and secret s Z q (3, 5) threshold s = 6 Z 22 Randomly k 1: a 1,, a k 1 a 1 = 2 a 2 = 1 Set a 0 = s a 0 = 6 f x = a 0 + a 1 x + a 2 x 2 + a k 1 x k 1 f x = x 2 + 2x + 6 i = 1,, n calculate s i = i, f i mod q s 4 = (4, 8) s 5 = (5, 19) Felix George s = 6 Trusted dealer 1, 9 2, 14, 3, 21, 4, 8, (5, 19) Bob Dave s 1 = (1, 9) Chris s 3 = (3, 21) s 2 = (2, 14) Threshold Cryptography 18

19 Shamir s Secret Sharing Recomputation Given: k Points s i = (x i, y i ) Goal: find f x = a 0 + a 1 x + a 2 x 2 + a k 1 x k 1 with f 0 = a 0 as the secret Using f x = L x, S 1,, n, S = k and calculate Lagrange: L x y j l j l j 0 m k m j k j=0 x x m x j x m f 0 = L 0 = y j l j,0,s mod q j S with l j,0 as Lagrange basis polynomials with x = 0 and S: x m l j,0,s mod q x j x m m S m j [Sha79] Threshold Cryptography 19

20 Shamir s Secret Sharing - Example Recomputation of basis polynomials: l 2,0,{2,4,5} = x 4 x 2 x 4 x 5 x 2 x 5 = = = = 18 mod 22 l 4,0,{2,4,5} = x 2 (x 4 x 2 ) x 5 = 2 x 4 x = 5 = 17 mod 22 l 5,0,{2,4,5} = x 2 (x 5 x 2 ) x 4 = 2 x 5 x = = 8 15 = 10 mod 22 Shamir s Lagrange : s 4 = (4, 8) s 5 = (5, 19) Felix George Trusted dealer Bob Dave Chris s 2 = (2, 14) L 0 = y j l j,0,s l j,0,s j S m S m j x m x j x m Threshold Cryptography 20

21 Shamir s Secret Sharing - Example Recomputation: l 2,0,{2,4,5} = 18, l 4,0,{2,4,5} = 17, l 5,0,{2,4,5} = 10 s = L 0 = y 2 l 2,0, 2,4,5 + y 4 l 4,0, 2,4,5 + y 5 l 5,0, 2,4,5 s = L 0 = mod 22 s = 6 Shamir s Lagrange : s 4 = (4, 8) s 5 = (5, 19) Felix George s = 6 Trusted dealer Bob Dave Chris s 2 = (2, 14) L 0 = y j l j,0,s l j,0,s j S m S m j x m x j x m Threshold Cryptography 21

22 Shamir s Secret Sharing - Remarks Graphical Interpretation Flexibility Increase n and compute new shares without affecting other shares Removing existing shares (shares have to be destroyed) Replace shares without changing the secret: new polynomial f (x) One party can have more than one share [Li04] Threshold Cryptography 22

23 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 23

24 Elgamal Encryption Published 1985 by Taher Elgamal Based on Diffie-Hellman key exchange Public / private key encryption: Generation: pub, priv Encryption: cipher = enc pub (m) Decryption: m = dec priv cipher Taher Elgamal priv From: Bob To: Alice m = Alice Alice pub From: Bob To: Alice cipher Bob Alice pub From: Bob To: Alice m = Threshold Cryptography 24

25 Elgamal Encryption - Example Public / private key generation 1. large prime p with generator g p = 23 g = 5 2. randomly a {1,, p 1} a = 6 3. Calculate A = g a mod p A = 5 6 = 8 mod pub = (p, g, A) priv = a pub = (23, 5, 8) priv = 6 priv = 6 Alice pub = (23,5,8) Alice pub = (23,5,8) Alice Bob [El85] Threshold Cryptography 25

26 Elgamal Encryption - Example Encryption Given: message m 0,, p 1 m = 12 Randomly b {1,, 1 p} b = 3 Calculate B = g b mod p c = A b m mod p B = 5 3 = 10 mod 23 c = = 3 mod 23 Cipher text is cipher = (B, c) cipher = (10, 3) From: Bob To: Alice cipher = (10, 3) Alice pub = (23,5,8) Alice Bob From: Bob To: Alice m = Threshold Cryptography 26

27 Elgamal Encryption - Example Decryption Given: cypher = (B, c) and priv = a cypher = (10,3) priv = 6 Calculate x = p 1 a x = = 16 Calculate m = B x c mod p m = = 12 mod 23 Encrypted message m m = 12 General Idea: m = B a 1 c = B (p 1 a) mod p a = 6 Alice pub = (23,5,8) From: Bob To: Alice m = 12 Alice From: Bob To: Alice cipher = (10, 3) Bob [El85] Threshold Cryptography 27

28 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 28

29 Threshold Elgamal Using Elgamal encryption scheme in a treshold environment Generation: Generate pub = (p, g, A) priv = a like normal Elgamal encryption Share priv = a among n parties, using Shamir s secret sharing with q = φ p = p 1 Every party j gets (at least) one point s j = (x j, y j ) Example: pub = (23, 5, 8) priv = 6 (3,5)-threshold s 4 = (4, 8) s 5 = (5, 19) Felix George s = 6 Trusted dealer Bob Dave s 1 = (1, 9) Chris s 3 = (3, 21) s 2 = (2, 14) if p is prime BCDFG pub = (23,5,8) [Ca06] Threshold Cryptography 29

30 Threshold Elgamal Encryption Normal Elgamal encryption with message m and pub = p, g, A s 1 From: Alice To: BCDFG cipher = (10, 3) BCDFG pub = (23,5,8) Bob s 4 s 2 Felix Chris s 5 George Trusted dealer Dave s 3 Alice [Ca06] Threshold Cryptography 30

31 Threshold Elgamal Decryption Trusted dealer and every party can receive cipher = (B, c) at least k parties have to compute decryption share d j = B y j mod p Trusted dealer can compute m with set S of j {1,, n} which returned their d j Party: d j = B y j mod p Trusted Dealer: m = d j l j,0,s j S 1 c mod p s 4 d 4 s 5 d 5 Felix George Bob Trusted dealer Chris Dave s 2 d 2 [Ca06] Threshold Cryptography 31

32 Threshold Elgamal - Example Decryption Every party computes decryption share: d 2 = B y 2 = = 12 mod 23 d 4 = B y 5 = 10 8 = 2 mod 23 d 5 = B y 5 = = 21 mod 23 Trusted dealer computes l j,0,s : l 2,0,{2,4,5} = 18 l 4,0,{2,4,5} = 17 l 5,0,{2,4,5} = 10 Shamir s secret sharing, slide 20 Shamir s Lagrange : (4, 8) 2 Felix Threshold Elgamal cipher = (B, c) d j = B y j mod p m = d j l j,0,s Bob j S Chris 1 c mod p From: Alice To: BCDFG cipher = (10, 3) (2, 14) 2 12 l j,0,s x m x j x m (5, 19) 21 George Trusted dealer m S m j Dave Threshold Cryptography 32

33 Threshold Elgamal - Example Decryption d 2 = 12, d 4 = 2, d 5 = 21 l 2,0,{2,4,5} = 18, l 4,0,{2,4,5} = 17, l 5,0,{2,4,5} = 10 Trusted dealer computes m: m = d 2 l 2,0,{2,4,5} d 4 l 4,0,{2,4,5} d 5 l 5,0,{2,4,5} 1 c mod p m = mod 23 m = mod 23 m = 4 3 mod 23 m = 12 Note: (6) 1 = 4 mod 23 (Extended Euclidean algorithm) (4, 8) Felix (5, 19) George Threshold Elgamal cipher = (B, c) d j = B y j mod p m = d j l j,0,s Bob Trusted dealer j S From: Alice To: BCDGF m = 12 Chris Dave 1 c mod p From: c To: BCDFG cipher = (10, 3) Threshold Cryptography 33 (2, 14)

34 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshold RSA 7. E-Voting Threshold Cryptography 34

35 RSA Threshold Signatures Signatures priv = From: Bob To: Alice m = sign from: Bob Bob pub = Bob Alice Requires: Public / private key and hash function H(x) Sign a message: Hash message m and encrypt with private key: sign = enc priv H m Verify signature? Decrypt signature with public key and check hash: dec pub sign = H(m) [Ca06] Threshold Cryptography 35

36 RSA Threshold Signatures priv 4 sign 4 Felix Bob priv 1 sign 1 Chris priv 2 sign 2 Every party signs with own private key Trusted dealer can compute global signature priv 5 sign 5 George BCDFG pub = Trusted dealer From: BCDFG To: Alice m = Dave priv 3 sign 3 sign from: BCDFG Party i: sign i = enc privi Trusted dealer: H(m) sign = collect sign 1,, sign n V. Shoup: Practical threshold signatures shows threshold signature scheme with RSA [Sh] Threshold Cryptography 36

37 Threshold Cryptography 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir s Secret Sharing 4. Elgamal Encryption 5. Threshold Elgamal 6. Threshld RSA 7. E-Voting Threshold Cryptography 37

38 E-Voting Secret voting using Elgamal threshold encryption Voter encrypts vote with public key Private key is shared among voting authorities vote = 1 Bob Bulletin Board From: Bob v Bob = (B, c) priv 1 vote = 1 Alice Voting pub From: Alice v Alice = (B, c) Authority 1 vote = 1 From: Chris v Chris = (B, c) Authority 2 priv 2 Chris [Cr97] Threshold Cryptography 38

39 E-Voting Voting authorities counting encrypted votes Decrypt result of counting with shared secrets vote = 1 Bob Bulletin Board From: Bob v Bob = (B, c) v Result = count(v Bob, v Alice, v Chris ) v Result = (B, c) priv 1 priv 2 vote = 1 vote = 1 Alice Chris From: Alice v Alice = (B, c) From: Chris v Chris = (B, c) Authority 1 Authority 2 Result = dec priv v Result Result = 1 Cramer, et. al.: "A secure and optimally efficient multi authority election scheme." [Cr97] Threshold Cryptography 39

40 Summary Threshold Cryptography Sharing Secrets Threshold Encryption Threshold Signatures E-Voting General Problem: Trusted Dealer Secret sharing schemes without trusted dealer Threshold Cryptography 40

41 ? Threshold Cryptography 41

42 ! Threshold Cryptography 42

43 References [La13] [El85] [Sho00] Lagrange polynomial. (2013, May 22). In Wikipedia, The Free Encyclopedia. Retrieved 06:22, June 24, 2013, from ElGamal, T. (1985, January). A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology (pp ). Springer Berlin Heidelberg. V. Shoup, Practical threshold signatures, Advances in Cryptology: EUROCRYPT 2000 (B. Preneel, ed.), Lecture Notes in Computer Science, vol. 1087, Springer, 2000, pp [Sha79] Shamir, Adi. "How to share a secret." Communications of the ACM (1979): [Cr97] [Li04] [Ca06] Cramer, Ronald, Rosario Gennaro, and Berry Schoenmakers. "A secure and optimally efficient multi authority election scheme." European transactions on Telecommunications 8.5 (1997): T Cryptography and Data Security, Lecture 9: Secret Sharing, Threshold Cryptography, MPC, Helger Lipmaa Security and Fault-tolerance in Distributed Systems, Winter 2006/07, 7 Distributed Cryptography, Christian Cachin, IBM Zurich Research Lab Threshold Cryptography 43