Lecture 11: Key Management, Secret Sharing
Céline Blondeau, Department of Computer Science, Aalto University, School of Science
Email: celine.blondeau@aalto.fi
Outline
- Key Management
- Secret Sharing
- Shamir's Threshold Scheme
- Multiparty computation
2/21
Key management (1)
The distribution of public keys:
- Public announcement (e.g., PGP: the public key is attached to a public message)
- Publicly available directory (under the responsibility of a trusted entity)
- Public-key authority (secure communication with the public authority)
- Public-key certificates
The use of public-key encryption to distribute secret keys (next slide)
Distribution of secret keys
Notation: $K_S$: secret key to share; $(KU_A, KR_A)$: public key and private key of Alice; $ID_A$: identifier of Alice; $N_i$: nonce.

Simple key distribution:
(1) Alice → Bob: $KU_A \,\|\, ID_A$
(2) Bob → Alice: $E_{KU_A}(K_S)$

Secret-key distribution with confidentiality and authentication, when Alice and Bob have already exchanged their public keys:
(1) Alice → Bob: $E_{KU_B}(N_1 \,\|\, ID_A)$
(2) Bob → Alice: $E_{KU_A}(N_1 \,\|\, N_2)$
(3) Alice → Bob: $E_{KU_B}(N_2)$
(4) Alice → Bob: $E_{KU_B}(E_{KR_A}(K_S))$
Key Management: Security Goals
- Quality of keys: secrecy, randomness, sufficient length
- Secure agreement of keys: authenticated Diffie-Hellman, public-key encryption, secret-key encryption
- Secure distribution of public keys
- Secure storage of cryptographic keys: secret sharing
- Using keys to implement access control: secret sharing
Secret sharing schemes
Secret sharing schemes are multi-party protocols related to key establishment. The idea of secret sharing is to start with a secret and divide it into pieces called shares, which are distributed among users such that the pooled shares of specific subsets of users allow reconstruction of the original secret.
Applications: secret sharing schemes have applications in (at least) voting protocols.
The three Generals problem: description
Consider three military Generals: Alice, Bob, and Carol. A safe holds nuclear launch codes. The codes must only be used if at least two of the three Generals agree to it (i.e., a majority). The key to the safe must be divided into shares in such a way that enforces this policy: Alice's (Bob's, Carol's) share alone should not be enough to recover the key.
The three Generals problem: solution
Assume the key is $2n$ bits, represented as the vector $u = (u_0, u_1) \in \mathbb{F}_{2^n}^2$. Consider the linear map $\theta : \mathbb{F}_{2^n}^2 \to \mathbb{F}_{2^n}^3$, $\theta : u \mapsto Mu$, where $M$ is a $3 \times 2$ matrix over $\mathbb{F}_{2^n}$:
$$M = \begin{pmatrix} 1 & 0 \\ 0 & 1 \\ 1 & 1 \end{pmatrix}$$
Observe that $\theta$ expands $u$ to $3n$ bits $v = (v_0, v_1, v_2) \in \mathbb{F}_{2^n}^3$:
$$Mu = v = (v_0, v_1, v_2) = (u_0,\; u_1,\; u_0 \oplus u_1)$$
Alice is issued share $v_0$, Bob $v_1$, and Carol $v_2$.
The three Generals problem: key reconstruction
Alice and Bob collaborate: they pool $(v_0, v_1)$, and $u = (u_0, u_1) = (v_0, v_1)$.
Alice and Carol collaborate: they pool $(v_0, v_2)$, and $(u_0, u_1) = (v_0,\; v_2 \oplus v_0)$.
Bob and Carol collaborate: they pool $(v_1, v_2)$, and $(u_0, u_1) = (v_2 \oplus v_1,\; v_1)$.
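The map $\theta$ and the three reconstruction cases above, as an added Python example (not code from the lecture). Shares are byte strings, so addition in $\mathbb{F}_{2^n}$ is bytewise XOR; the key is a constructed random value.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Addition of two F_{2^n} elements held as equal-length byte strings is bitwise XOR."""
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes) -> dict:
    """theta: u = (u0, u1) -> v = (u0, u1, u0 xor u1); a 2n-bit key becomes three n-bit shares."""
    if len(key) % 2:
        raise ValueError("the key must be 2n bits, i.e. an even number of bytes")
    n = len(key) // 2
    u0, u1 = key[:n], key[n:]
    return {"Alice": u0, "Bob": u1, "Carol": xor_bytes(u0, u1)}

def reconstruct(shares: dict) -> bytes:
    """Recover u from any two of the three shares (the three cases on the slide)."""
    if len(shares) < 2:
        raise ValueError("at least two Generals must pool their shares")
    if "Alice" in shares and "Bob" in shares:
        u0, u1 = shares["Alice"], shares["Bob"]       # u = (v0, v1)
    elif "Alice" in shares and "Carol" in shares:
        u0 = shares["Alice"]
        u1 = xor_bytes(shares["Carol"], u0)            # u1 = v2 xor v0
    else:
        u1 = shares["Bob"]
        u0 = xor_bytes(shares["Carol"], u1)            # u0 = v2 xor v1
    return u0 + u1

if __name__ == "__main__":
    key = secrets.token_bytes(32)                      # constructed 256-bit key
    shares = split_key(key)
    for pair in (("Alice", "Bob"), ("Alice", "Carol"), ("Bob", "Carol")):
        assert reconstruct({p: shares[p] for p in pair}) == key
    print("any two of the three Generals recover the key")
```

Note that a single share still reveals $n$ of the $2n$ key bits (Alice's share is $u_0$ itself), so the scheme enforces the majority policy but is not a perfect threshold scheme; Shamir's scheme later in the lecture leaks nothing to fewer than $t$ users.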
Threshold schemes
A $(t, n)$ threshold scheme ($t \le n$) is a method by which a trusted party computes secret shares $S_i$, $1 \le i \le n$, from an initial secret $S$, and securely distributes $S_i$ to user $P_i$, such that the following holds: any $t$ or more users who pool their shares may easily recover $S$, but any group knowing only $t-1$ or fewer shares may not.
Example: the previous scheme is a $(2, 3)$ threshold scheme: there are $n = 3$ shares and $t = 2$ users suffice to recover $S = u$.
Polynomial interpolation (1)
Consider $d+1$ pairs $(x_i, y_i)$ where $x_i, y_i \in \mathbb{F}_q$ and all $x_i$ are distinct. Then there exists a unique polynomial $c(x) \in \mathbb{F}_q[x]$ of degree (at most) $d$,
$$c(x) = c_d x^d + c_{d-1} x^{d-1} + \cdots + c_2 x^2 + c_1 x + c_0,$$
such that $c(x_i) = y_i$ for all $i$. The polynomial $c(x)$ interpolates the point-value pairs $(x_i, y_i)$.
Polynomial interpolation (2)
The $d+1$ point-value pairs $(x_i, y_i)$ and the definition of $c(x)$ give the following linear relation:
$$\begin{pmatrix}
1 & x_0 & x_0^2 & \cdots & x_0^d \\
1 & x_1 & x_1^2 & \cdots & x_1^d \\
1 & x_2 & x_2^2 & \cdots & x_2^d \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & x_{d-1} & x_{d-1}^2 & \cdots & x_{d-1}^d \\
1 & x_d & x_d^2 & \cdots & x_d^d
\end{pmatrix}
\begin{pmatrix} c_0 \\ c_1 \\ c_2 \\ \vdots \\ c_{d-1} \\ c_d \end{pmatrix}
=
\begin{pmatrix} y_0 \\ y_1 \\ y_2 \\ \vdots \\ y_{d-1} \\ y_d \end{pmatrix}$$
This allows recovering $c(x)$ by inverting the matrix on the left.
Shamir's threshold scheme (A. Shamir, 1979)
Fix a public $q$ such that $n < q$ and $S < q$ both hold.
Dividing the secret: the trusted party $T$ constructs and distributes $n$ shares of $S$ as follows.
1. $T$ selects a random polynomial $c(x) \in \mathbb{F}_q[x]$ of degree $t-1$.
2. $T$ sets $c_0 = S$.
3. $T$ computes $S_i = c(i)$ for $1 \le i \le n$ and transmits $S_i$ to $P_i$ over a secure channel. The index $i$ can be public.
Shamir's threshold scheme (2)
Reconstructing the secret: any $t$ users can pool their shares (and indices) and compute $c(x)$ with polynomial interpolation. Reconstruct the secret as $S = c(0)$.
Security: any $t-1$ users must consider all $q$ possible candidate polynomials.
Example
Suppose that our secret is $S = 1234$ and we want to construct a $(3, 6)$ threshold scheme. We set at random the two numbers 166 and 94, so the coefficients of the polynomial are $(c_0 = 1234;\ c_1 = 166;\ c_2 = 94)$:
$$f(x) = 1234 + 166x + 94x^2$$
We construct 6 points $D_{x-1} = (x, f(x))$:
$D_0 = (1, 1494)$; $D_1 = (2, 1942)$; $D_2 = (3, 2578)$; $D_3 = (4, 3402)$; $D_4 = (5, 4414)$; $D_5 = (6, 5614)$.
We give each participant a different single point $D_i$. Note that the secret $f(0)$ is not shared.
Reconstruction: with 3 points and a polynomial interpolation.
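The dealer's three steps and the reconstruction of the preceding slides, as an added Python example (not the lecture's code) that reproduces the $(3, 6)$ example above. Interpolation at $x = 0$ is done in Lagrange's form rather than by inverting the Vandermonde matrix, and the prime $q = 7919$ is an assumption of this example: the slide omits the modulus, and since every value there is below 7919 the shares coincide.

```python
import secrets

def make_shares(secret: int, t: int, n: int, q: int, coeffs=None) -> list:
    """Steps 1-3 of the dealer T: random c(x) of degree t-1 with c_0 = S, shares S_i = c(i).
    coeffs = (c_1, ..., c_{t-1}) may be supplied to reproduce the slide's fixed example."""
    if not (t <= n < q and 0 <= secret < q):
        raise ValueError("need t <= n < q and 0 <= S < q")
    if coeffs is None:
        coeffs = [secrets.randbelow(q) for _ in range(t - 1)]
    c = [secret] + list(coeffs)                      # c_0 = S
    def c_at(x):
        return sum(ci * pow(x, i, q) for i, ci in enumerate(c)) % q
    return [(i, c_at(i)) for i in range(1, n + 1)]   # the index i is public

def reconstruct(shares: list, q: int) -> int:
    """Interpolate c(x) through the pooled (i, S_i) and return c(0).
    Lagrange's form of the interpolation; needs exactly t shares with distinct indices."""
    s = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % q              # product of (0 - x_m)
                den = den * (xj - xm) % q          # product of (x_j - x_m)
        s = (s + yj * num * pow(den, -1, q)) % q   # add y_j * L_j(0)
    return s

Q = 7919   # prime; constructed choice large enough for the slide's example values

if __name__ == "__main__":
    shares = make_shares(1234, t=3, n=6, q=Q, coeffs=[166, 94])
    print(shares)                                             # the points D_0 .. D_5
    print(reconstruct([shares[1], shares[3], shares[5]], Q))  # D_1, D_3, D_5 give back 1234
```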
Multiparty computation
Problem: how to use external untrusted services to compute the average of secret integers?
Solution: use three separate services. Express each secret as a sum of three integers, e.g., $A = a_1 + a_2 + a_3$, where $a_i$ is stored by the $i$-th service. Each service computes a share $\mathit{avg}_i$ of the average $\mathrm{AVG}$.
$$\begin{aligned}
A &= a_1 + a_2 + a_3 \\
B &= b_1 + b_2 + b_3 \\
&\;\;\vdots \\
X &= x_1 + x_2 + x_3 \\
Y &= y_1 + y_2 + y_3
\end{aligned}$$
$$\mathrm{AVG} = \mathit{avg}_1 + \mathit{avg}_2 + \mathit{avg}_3$$
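The additive sharing above, as an added Python example (not the lecture's code). Assumptions of this example: the three integers are taken modulo a prime $q$ larger than the sum of all secrets, so each service computes $\mathit{avg}_i$ as its column sum times $N^{-1} \bmod q$, and the client turns the recombined field element back into the rational average; the input values are constructed.

```python
import secrets
from fractions import Fraction

Q = 2**61 - 1   # prime modulus (constructed choice); must exceed the sum of all secrets

def split(value: int, k: int = 3, q: int = Q) -> list:
    """Additive sharing: value = s_1 + ... + s_k (mod q) with k-1 uniformly random shares."""
    if not 0 <= value < q:
        raise ValueError("value out of range for the modulus")
    shares = [secrets.randbelow(q) for _ in range(k - 1)]
    shares.append((value - sum(shares)) % q)
    return shares

def service_share_of_average(column: list, n_secrets: int, q: int = Q) -> int:
    """Run locally by service i on the i-th shares it stores: avg_i = (sum_j x_{j,i}) / N mod q."""
    return sum(column) * pow(n_secrets, -1, q) % q

def combine(avg_shares: list, n_secrets: int, q: int = Q) -> Fraction:
    """AVG = avg_1 + avg_2 + avg_3 (mod q); undo the division by N to recover the rational average."""
    avg_field = sum(avg_shares) % q
    total = avg_field * n_secrets % q        # total = sum of the secrets
    return Fraction(total, n_secrets)

def private_average(values: list, k: int = 3) -> Fraction:
    """Client side: share every secret, hand column i to service i, combine what comes back."""
    columns = [[] for _ in range(k)]         # columns[i] is what service i stores
    for v in values:
        for i, s in enumerate(split(v, k)):
            columns[i].append(s)
    avg_shares = [service_share_of_average(col, len(values)) for col in columns]
    return combine(avg_shares, len(values))

if __name__ == "__main__":
    print(private_average([10, 20, 30, 40]))   # constructed secrets; no service sees any of them
```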
Supplemental reading
- Cryptography and Network Security, William Stallings, Section 10.1
- Handbook of Applied Cryptography, Section 12.7