CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing


Lecture 11: Key Management, Secret Sharing
Céline Blondeau
Email: celine.blondeau@aalto.fi
Department of Computer Science, Aalto University, School of Science

Outline
- Key Management
- Secret Sharing
- Shamir's Threshold Scheme
- Multiparty computation


Key management (1)

The distribution of public keys
- Public announcement (i.e. PGP: public key attached to a public message)
- Publicly available directory (under the responsibility of a trusted entity)
- Public-key authority (secure communication with the public authority)
- Public-key certificates

The use of public-key encryption to distribute secret keys (next slide)

Distribution of secret keys

- $K_S$: secret key to share
- $(KU_A, KR_A)$: public key and private key of Alice
- $ID_A$: identifier of Alice
- $N_i$: nonce

Simple key distribution
(1) Alice → Bob: $KU_A \,\|\, ID_A$
(2) Bob → Alice: $E_{KU_A}(K_S)$

Secret-key distribution with confidentiality and authentication (when Alice and Bob have already exchanged their public keys)
(1) Alice → Bob: $E_{KU_B}(N_1 \,\|\, ID_A)$
(2) Bob → Alice: $E_{KU_A}(N_1 \,\|\, N_2)$
(3) Alice → Bob: $E_{KU_B}(N_2)$
(4) Alice → Bob: $E_{KU_B}(E_{KR_A}(K_S))$

Key Management: Security Goals
- Quality of keys: secrecy, randomness, sufficient length
- Secure agreement of keys: authenticated Diffie-Hellman, public key encryption, secret key encryption
- Secure distribution of public keys
- Secure storage of cryptographic keys: secret sharing
- Using keys to implement access control: secret sharing


Secret sharing schemes

Secret sharing schemes are multi-party protocols related to key establishment. The idea of secret sharing is to start with a secret and divide it into pieces called shares, which are distributed among users such that the pooled shares of specific subsets of users allow reconstruction of the original secret.

Applications: secret sharing schemes have applications in (at least) voting protocols.

The three Generals problem: description

Consider three military Generals: Alice, Bob, and Carol. A safe holds nuclear launch codes. The codes must only be used if at least two of the three Generals agree to it (i.e., a majority). The key to the safe must be divided into shares in such a way that this policy is enforced: Alice's (Bob's, Carol's) share alone should not be enough to recover the key.

The three Generals problem: solution

Assume the key is $2n$ bits, represented as the vector $u = (u_0, u_1) \in \mathbb{F}_{2^n}^2$. Consider the linear map $\theta : \mathbb{F}_{2^n}^2 \to \mathbb{F}_{2^n}^3$ given by $\theta : u \mapsto Mu$, where $M$ is a $3 \times 2$ matrix over $\mathbb{F}_{2^n}$:

$$M = \begin{pmatrix} 1 & 0 \\ 0 & 1 \\ 1 & 1 \end{pmatrix}$$

Observe that $\theta$ expands $u$ to $3n$ bits $v = (v_0, v_1, v_2) \in \mathbb{F}_{2^n}^3$:

$$Mu = v = (v_0, v_1, v_2) = (u_0, u_1, u_0 + u_1)$$

Alice is issued share $v_0$, Bob $v_1$, and Carol $v_2$.

The three Generals problem: key reconstruction

- Alice and Bob collaborate: they share $(v_0, v_1)$. $u = (u_0, u_1) = (v_0, v_1)$
- Alice and Carol collaborate: they share $(v_0, v_2)$. $(u_0, u_1) = (v_0, v_2 + v_0)$
- Bob and Carol collaborate: they share $(v_1, v_2)$. $(u_0, u_1) = (v_2 + v_1, v_1)$
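The (2, 3) scheme of the two slides above as an added Python example (not part of the lecture), taking addition in $\mathbb{F}_{2^n}$ as bytewise XOR. `keys_consistent_with` additionally counts, for a toy 16-bit key, how many keys a single share leaves possible; all function names and the sample key are assumptions made for the example.

```python
import itertools

SAMPLE_KEY = bytes.fromhex("a35c")  # constructed 16-bit toy key (n = 8)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes) -> dict:
    """key = u0 || u1 (2n bits); shares v = Mu = (u0, u1, u0 + u1)."""
    if len(key) == 0 or len(key) % 2:
        raise ValueError("key must have a non-zero, even number of bytes")
    half = len(key) // 2
    u0, u1 = key[:half], key[half:]
    return {"Alice": u0, "Bob": u1, "Carol": xor(u0, u1)}

def recover_key(pooled: dict) -> bytes:
    """Rebuild u = (u0, u1) from the shares of any two Generals."""
    if len(pooled) < 2 or not set(pooled) <= {"Alice", "Bob", "Carol"}:
        raise ValueError("need the shares of at least two distinct Generals")
    if "Alice" in pooled and "Bob" in pooled:
        u0, u1 = pooled["Alice"], pooled["Bob"]
    elif "Alice" in pooled:                 # Alice + Carol: u1 = v2 + v0
        u0 = pooled["Alice"]
        u1 = xor(pooled["Carol"], u0)
    else:                                   # Bob + Carol: u0 = v2 + v1
        u1 = pooled["Bob"]
        u0 = xor(pooled["Carol"], u1)
    return u0 + u1

def keys_consistent_with(general: str, share: bytes) -> int:
    """Count the 2n-bit keys that would hand `general` this share (n = 8 only)."""
    if len(share) != 1:
        raise ValueError("exhaustive count is only meant for one-byte shares")
    return sum(split_key(bytes(k))[general] == share
               for k in itertools.product(range(256), repeat=2))
```

For the 16-bit toy key each single share leaves 2^8 of the 2^16 keys possible: one share does not recover the key, but it does halve the number of unknown bits.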

Threshold schemes

A $(t, n)$ threshold scheme ($t \leq n$) is a method by which a trusted party computes secret shares $S_i$, $1 \leq i \leq n$, from an initial secret $S$ and securely distributes $S_i$ to user $P_i$, such that the following holds: any $t$ or more users who pool their shares may easily recover $S$, but any group knowing only $t - 1$ or fewer shares may not.

Example: the previous scheme is a $(2, 3)$ threshold scheme: there are $n = 3$ shares and $t \geq 2$ users suffice to recover $S = u$.


Polynomial interpolation (1)

Consider $d + 1$ pairs $(x_i, y_i)$ where $x_i, y_i \in \mathbb{F}_q$ and all $x_i$ are distinct. Then there exists a unique polynomial $c(x) \in \mathbb{F}_q[x]$ of degree at most $d$,

$$c(x) = c_d x^d + c_{d-1} x^{d-1} + \cdots + c_2 x^2 + c_1 x + c_0,$$

such that $c(x_i) = y_i$ for all $i$. The polynomial $c(x)$ interpolates the point-value pairs $(x_i, y_i)$.

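Polynomial interpolation (2)

The $d + 1$ point-value pairs $(x_i, y_i)$ and the definition of $c(x)$ give the following linear relation:

$$\begin{pmatrix}
1 & x_0 & x_0^2 & \cdots & x_0^d \\
1 & x_1 & x_1^2 & \cdots & x_1^d \\
1 & x_2 & x_2^2 & \cdots & x_2^d \\
\vdots & \vdots & \vdots & & \vdots \\
1 & x_{d-1} & x_{d-1}^2 & \cdots & x_{d-1}^d \\
1 & x_d & x_d^2 & \cdots & x_d^d
\end{pmatrix}
\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ \vdots \\ c_{d-1} \\ c_d \end{pmatrix}
=
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ \vdots \\ y_{d-1} \\ y_d \end{pmatrix}$$

This allows recovering $c(x)$ by inverting the matrix on the left.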

Shamir's threshold scheme

A. Shamir (1979)

Fix a public $q$ such that $n < q$ and $S < q$ both hold.

Dividing the secret: trusted party $T$ constructs and distributes $n$ shares of $S$ as follows.
1. $T$ selects a random $(t - 1)$-degree polynomial $c(x) \in \mathbb{F}_q[x]$.
2. $T$ sets $c_0 = S$.
3. $T$ computes $S_i = c(i)$ for $1 \leq i \leq n$ and transmits $S_i$ to $P_i$ over a secure channel. The index $i$ can be public.

Shamir's threshold scheme (2)

Reconstructing the secret: any $t$ users can pool their shares (and indices) and compute $c(x)$ with polynomial interpolation. Reconstruct the secret as $S = c(0)$.

Security: any $t - 1$ users must consider all $q$ possible candidate polynomials.

Example

- Suppose that our secret is $S = 1234$.
- We want to construct a $(3, 6)$ threshold scheme.
- We choose two numbers at random: 166 and 94.
- The coefficients of the polynomial are $(c_0 = 1234;\ c_1 = 166;\ c_2 = 94)$: $f(x) = 1234 + 166x + 94x^2$
- We construct 6 points $D_{x-1} = (x, f(x))$: $D_0 = (1, 1494)$; $D_1 = (2, 1942)$; $D_2 = (3, 2578)$; $D_3 = (4, 3402)$; $D_4 = (5, 4414)$; $D_5 = (6, 5614)$
- We give each participant a different single point $D_i$.
- Note that the secret ($f(0)$) is not shared.
- Reconstruction: with 3 points and a polynomial interpolation.
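Sharing and reconstruction over $\mathbb{F}_q$ as an added Python example (not from the lecture), run on the numbers of the slide above. The prime $q = 8191$ and all function names are assumptions: the slide's example states no modulus, and every share value it lists is below 8191, so the shares come out identical.

```python
import secrets

Q = 8191  # assumed public prime q = 2**13 - 1; the slide's example names no modulus

def interpolate_at(points, x, q=Q):
    """Value at x of the unique polynomial of degree < len(points) through points, over F_q."""
    xs = [px for px, _ in points]
    if len({px % q for px in xs}) != len(xs):
        raise ValueError("x-coordinates must be distinct mod q")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q  # pow(d, -1, q): inverse in F_q
    return total

def make_shares(secret, t, n, q=Q, coeffs=None):
    """Shares S_i = c(i), 1 <= i <= n, of a polynomial with c_0 = secret and degree <= t-1."""
    if not (0 <= secret < q and 1 <= t <= n < q):
        raise ValueError("need 0 <= S < q and 1 <= t <= n < q")
    if coeffs is None:  # c_1 .. c_{t-1} drawn uniformly from F_q
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 random coefficients")
    poly = [secret, *coeffs]
    return [(i, sum(c * pow(i, k, q) for k, c in enumerate(poly)) % q)
            for i in range(1, n + 1)]

def reconstruct(shares, q=Q):
    """S = c(0), correct when at least t shares are pooled."""
    return interpolate_at(shares, 0, q)

def surviving_candidates(known, extra, q=Q):
    """Candidate secrets s whose polynomial through (0, s) and the t-1 known
    shares also passes through the additional share `extra`."""
    x, y = extra
    return [s for s in range(q) if interpolate_at([(0, s), *known], x, q) == y]

# The slide's (3, 6) example: S = 1234 with c_1 = 166, c_2 = 94.
SLIDE_SHARES = make_shares(1234, t=3, n=6, coeffs=[166, 94])
```

With two shares every value of the third share is still possible and each one corresponds to a different candidate secret, which is why `surviving_candidates` only narrows to a single value once the third share is supplied.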


Multiparty computation

Problem: how to use external untrusted services to compute the average of secret integers?

Solution: use three separate services. Express each secret as a sum of three integers, e.g., $A = a_1 + a_2 + a_3$, where $a_i$ is stored by the $i$-th service. Each service computes a share $avg_i$ of the average $AVG$.

$$\begin{aligned}
A &= a_1 + a_2 + a_3 \\
B &= b_1 + b_2 + b_3 \\
&\;\;\vdots \\
X &= x_1 + x_2 + x_3 \\
Y &= y_1 + y_2 + y_3 \\
AVG &= avg_1 + avg_2 + avg_3
\end{aligned}$$
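The three-service average as an added Python example (not from the lecture). It assumes the shares are residues modulo a public $M$ larger than any possible total, so that each stored share is uniformly distributed, and that each service returns its share of the sum, with the division by the number of secrets done after recombination; `M`, the class and function names, and the sample inputs are all assumptions.

```python
import secrets
from fractions import Fraction

M = 2**61 - 1  # assumed public modulus; must exceed the largest possible sum of inputs

def split(value, parties=3, m=M):
    """Additive sharing: value = a_1 + ... + a_parties (mod m), all but the last uniform."""
    if not 0 <= value < m:
        raise ValueError("value must lie in [0, m)")
    shares = [secrets.randbelow(m) for _ in range(parties - 1)]
    shares.append((value - sum(shares)) % m)
    return shares

class Service:
    """One untrusted service: it stores only the i-th share of every secret."""
    def __init__(self):
        self.stored = []

    def store(self, share):
        self.stored.append(share)

    def sum_share(self, m=M):
        # Local computation on shares only: this service's share of A + B + ... + Y.
        return sum(self.stored) % m

def private_average(values, m=M):
    """Distribute each secret over three services and recombine their sum shares."""
    if not values:
        raise ValueError("need at least one secret")
    if any(v < 0 for v in values) or sum(values) >= m:
        raise ValueError("inputs must be non-negative and their sum below m")
    services = [Service() for _ in range(3)]
    for v in values:
        for svc, share in zip(services, split(v, 3, m)):
            svc.store(share)
    total = sum(svc.sum_share(m) for svc in services) % m
    return Fraction(total, len(values)), services

# Constructed sample secrets, e.g. four salaries.
SAMPLE_SECRETS = [52000, 61000, 58500, 70300]
```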

Supplemental reading
- William Stallings, Cryptography and Network Security, Section 10.1
- Handbook of Applied Cryptography, Section 12.7