Overview of the Talk. Secret Sharing. Secret Sharing Made Short Hugo Krawczyk Perfect Secrecy

Similar documents
Secret sharing schemes

Introduction to Modern Cryptography Lecture 11

Winter 2011 Josh Benaloh Brian LaMacchia

Lecture 1. 1 Introduction. 2 Secret Sharing Schemes (SSS) G Exposure-Resilient Cryptography 17 January 2007

Secret Sharing CPT, Version 3

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Multi-Party Computation with Conversion of Secret Sharing

Secure Computation. Unconditionally Secure Multi- Party Computation

CIS 551 / TCOM 401 Computer and Network Security

Secret Sharing Homomorphisms: Keeping Shares of a Secret Secret (Extended Abstract)

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Secret Sharing Schemes

Cryptographic Voting Systems (Ben Adida)

Linear Secret-Sharing Schemes for Forbidden Graph Access Structures

Characterizing Ideal Weighted Threshold Secret Sharing

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Threshold Cryptography

Characterizing Ideal Weighted Threshold Secret Sharing

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Sharing DSS by the Chinese Remainder Theorem

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Remote Electronic Voting can be Efficient, Verifiable and Coercion-Resistant

Lecture Notes 15 : Voting, Homomorphic Encryption

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

1/p-Secure Multiparty Computation without an Honest Majority and the Best of Both Worlds

Privacy-preserving Data Mining

Cryptographic Protocols Notes 2

Introduction to Cryptography Lecture 13

Perfectly-Secret Encryption

Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo

Lecture 2: Perfect Secrecy and its Limitations

Broadcast and Verifiable Secret Sharing: New Security Models and Round-Optimal Constructions

Selections:! Internet voting with over-the-shoulder coercion-resistance. Jeremy Clark

Benny Pinkas Bar Ilan University

Linear Integer Secret Sharing and Distributed Exponentiation

Notes on Zero Knowledge

Secure Multiparty Computation from Graph Colouring

Verifiable Secret Redistribution

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Theory of Computation Chapter 12: Cryptography

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Homework 3 Solutions

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

Near-Optimal Secret Sharing and Error Correcting Codes in AC 0

Some ZK security proofs for Belenios

Circuit Complexity. Circuit complexity is based on boolean circuits instead of Turing machines.

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Lecture 1: Introduction to Public key cryptography

Communication Efficient Secret Sharing

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Multiparty Computation

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

1 Secure two-party computation

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

Randomized Component and Group Oriented (t,m,n)-secret Sharing

Protocols for Multiparty Coin Toss with a Dishonest Majority

Practical Provably Correct Voter Privacy Protecting End to End Voting Employing Multiparty Computations and Split Value Representations of Votes

Minimal Design for Decentralized Wallet. Omer Shlomovits

1 Number Theory Basics

Lecture 15 - Zero Knowledge Proofs

Cryptographic Protocols FS2011 1

Notes 10: Public-key cryptography

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Notes for Lecture 17

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Ma/CS 6a Class 3: The RSA Algorithm

Lecture 5, CPA Secure Encryption from PRFs

Linear Integer Secret Sharing and Distributed Exponentiation

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Cryptographical Security in the Quantum Random Oracle Model

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Communication Efficient Secret Sharing

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Lecture 19: Verifiable Mix-Net Voting. The Challenges of Verifiable Mix-Net Voting

Public Key Cryptography

March 19: Zero-Knowledge (cont.) and Signatures

INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING

6.892 Computing on Encrypted Data September 16, Lecture 2

Secret-Sharing for NP

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lecture 3,4: Multiparty Computation

Lecture 9 - Symmetric Encryption

Historical cryptography. cryptography encryption main applications: military and diplomacy

How to Shuffle in Public

Lecture 17: Constructions of Public-Key Encryption

Improving Privacy in Cryptographic Elections Josh D. Cohen April 26, 1994 Abstract This report describes two simple extensions to the paper A Robust a

Week 7 An Application to Cryptography

The Theory and Applications of Homomorphic Cryptography

Secret Sharing. Qi Chen. December 14, 2015

Conditional Disclosure of Secrets and d-uniform Secret Sharing with Constant Information Rate

Privacy and Computer Science (ECI 2015) Day 4 - Zero Knowledge Proofs Mathematics

On Expected Constant-Round Protocols for Byzantine Agreement

Transcription:

Overview of the Talk Secret Sharing CS395T Design and Implementation of Trusted Services Ankur Gupta Hugo Krawczyk. Secret Sharing Made Short, 1993. Josh Cohen Benaloh. Secret Sharing Homomorphisms: Keeping Shares of A Secret Secret, 1987. Josh Cohen Benaloh and Jerry Leichter. Generalized Secret Sharing and Monotone Functions, 1990. Secret Sharing Made Short Hugo Krawczyk 1993 Motivation: Shamir s (n, m) threshold scheme requires that each secret share be as long as the secret to be shared. Therefore, for a secret S of length r, total length of share is rn. We present an optimal scheme that requires each secret share to be only r/m + a constant (independent of r, n) in size. Perfect Secrecy Perfect Secrecy 1) In Shamir s (n, m) threshold scheme, no information about the secret is revealed in the information theoretic sense. If S 0 is the secret, for every k < m, let S 1,, S k be any k shares then Pr(S 0 S 1,, S k ) = Pr(S 0 ) 2) No bounds on the computation power of adversary are assumed. 1

Computational Secrecy Computation Secrecy: Formal definition Computational Secrecy: a) Adversary is resource bounded. b) No information is revealed using only polynomial resources. Polynomial Indistinguishability: Two probability distributions are polynomial time indistinguishable if any probabilistic polynomial time algorithm behaves essentially the same when its input is selected from either of the two distributions. An (n, m) threshold scheme is computationally secure if for any two secrets S and S, for any k < m, the distributions on shares D(S ; S 1,, S k ) and D(S ; S 1,, S k ) introduced by the scheme are polynomially indistinguishable. Ingredients of the Scheme Distribution Scheme (n, m) Information Dispersal Scheme (IDS) introduced by Rabin. A piece of information (say a file F) is divided into n shares and transmitted over an unreliable channel. Any m shares suffice to reconstruct the file F. Size of each share is F /m. Secure private key encryption (ENC) Perfect (n, m) Secret Sharing Scheme (PSS) like Shamir s threshold scheme. 1) Choose a random encryption key K. Let E=ENC K (S) where S=secret 2) Using IDS partition E into n fragments E 1, E 2,, E n. 3) Using PSS generate n shares of the key K: K 1, K 2,, K n. 4) Send to participant P i, the share (E i, K i ) privately. 2

Reconstruction Scheme 1) Collect from any m participants P j, 1<=j<=m, their shares S j =(E j, K j ). 2) Using IDS, reconstruct E from E j s. 3) Using PSS reconstruct K from K j s. 4) Decrypt E using K to recover the secret S. Analysis Length of each share S i =( S /m, K ). Correctness (Sketch): a) m-1 E j s reveal no more information about S than E itself (by security of ENC). b) m-1 shares reveal absolutely no information about the encryption key K (by security of PSS). Robust Secret Sharing How to ensure recovery of secret in presence of malicious participants? Solution: Let the dealer digitally sign all the shares. Now a participant can t cheat! Secret Sharing Homomorphisms: Josh Benaloh 1987 Motivation: 1) Alice distributes a secret A to n agents using an (n, m) scheme. 2) Bob distributes secret B to the same n agents using an (n, m) scheme. 3) How can any m of the n agents determine A + B while revealing as little about A and B as possible. 3

Homomorphism Property Let F: T m -> S be a (n, m) threshold scheme. If D i1, D i2,, D im be any m shares then the secret D is D=F(D i1, D i2,, D im ) (n, m) is (+, *) homomorphic, if D=F(D i1, D i2,, D im ) D =F(D i1, D i2,, D im ) then D+D =F(D i1 *D i1,, D im * D im ) (+, *) Composite Scheme Is an (n, m) scheme which divides a set of s secrets d 1,, d s into subshares d i,j 1<= i <= n, 1<= j <= s, such that 1) The super-secret D=d 1 +d 2 + +d s is easily computable from the super-shares D i =d i,1 * *d i,s 2) Pr(d j =x j D=X) = Pr(d j =x j D=X, 1<=i<=n, D i =X i, for all i in I, 1<=j<=s, d i,j =x i,j ) for every I, I <m i.e. knowing all supershares, super-secret and at most m-1 subshares of each sub-secret reveals no information about every sub-share Homomorphism and Compositeness Theorem: If S = T are finite then every (+, *) homomorphic threshold scheme is a (+, *) composite threshold scheme. Proof (sketch): Assume s=2 I.e. there are only two sub secrets A and B. Let S=A+B. Further let k=m-1 conspire together so that a 1,, a k and b 1,, b k are known. Therefore s 1,, s k (where s i =a i +b i ) are also known. As S is known, and since S = T (and finite), therefore F m-1 :T->S is 1-1 and hence s k+1,, s n can be computed. Thus knowing them beforehand gives no additional information. Examples Shamir s scheme is (+, +) homomorphic but not (x, x) or (x, +). A variation of Shamir scheme is (x, +) homomorphic (secret=g a, a is divided into n subshares using the Shamir scheme). By above theorem they are also composite schemes. Hence composition of sub-secrets can be obtained without revealing the subsecrets. 4

Applications Verifiable Secret Sharing Will use (+,x) homomorphism property of an encryption scheme and (+,+) composite scheme. Secret Ballot Election Will use a (+,+) composite scheme. Encryption Scheme Verifiable secret sharing scheme will use the following encryption scheme: Let r > S be prime, p and q also prime s.t. r divides p-1 but not q-1. N=pq. Let y be such that gcd(n, y) =1 and y is NOT the r th residue mod N (I.e. y a r mod N, for any a). (N, y) are made public. To encrypt a secret s, choose a random x (relatively prime to N) and let E(s,x,y,N)=y s x r mod N. Knowing p and q, s can be easily determined. E is (+, x) homomorphic. Verifiable Secret Sharing Objective: Dealer should be able to prove the participants that he made a consistent deal I.e. from every k sub-shares we get the same secret s, without revealing the secret s. This is useful in voting schemes where a voter needs to prove that he cast a valid vote. We assume Shamir s scheme as the secret sharing scheme (and hence a (+,+) composite scheme). Solution: Interactive Proof Interactive Proof (Probabilistic) Dealer will convince the participants that he made a consistent deal with high probability. For Shamir s scheme, this boils down for dealer to convince the participants that he used at most d=m-1 degree polynomial P. 5

Algorithm 1. Encryptions of the values of the points that describe P are released by dealer. 2. Similar encryptions of 100 more random polynomials of degree at most d are released to the verifiers. 3. A random subset of the random polynomials is selected by the verifiers. 4. The chosen subset of polynomials are decrypted by the prover and shown to verifiers. All these polynomials be of at most degree d. 5. Each remaining polynomial is added to P. Each of these sum polynomials is decrypted by prover. They all must be of degree at most d. Proof of Correctness Fact: If sum of two polynomials is of degree at most d, then either both polynomials are of degree at most d or both are of degree greater than d. Revealing a random subset of the set of random polynomials gives the confidence that the remaining polynomials are each of degree at most d. Since sum of each of the remaining polynomials with the polynomial P is of degree at most d, therefore P itself is of degree at most d. The homomorphism of E and Shamir s scheme helps in guaranteeing that sum of secrets can be revealed without revealing the constituent secret polynomial. Secret-Ballot Voting Each voter votes 0 or 1 (yes or no). N independent organizations hold the election. Assumption: at most m-1 of them collude. Voter uses an (+,+)-composite (n, m) threshold scheme and sends the shares to the organizations. After election, each organization sums up the shares that it received from different voters. Any m organization can get the vote count without compromising secrecy of each voter s vote. Generalized Secret Sharing and Monotone Functions: Josh Benaloh and Jerry Leicheter 1990 Motivation: Let a secret S be shared among P, a set of trustees, such that any qualified subset of trustees is able to recover the secret and no unqualified subset of trustees is able to get any information about the secret. Example: Let access structure be Q={{a},{b,c},{d,e,f,g} 3 } I.e. either a can recover secret, or b and c together or any 3 of {d,e,f,g} together can recover secret. 6

Monotonic Access Structures The access structure must be monotonic. Monotonic Access Structure: Let be any family of set of subsets of P. is said to be monotonic if for all nonthreshold sets A: A Π,A A' A' Π Facts Every monotone access structure can be represented by a boolean formula (containing only and and or and threshold gates) where each variable v i in formula corresponds to a participant P i. Therefore, it suffices to show how the secret should be shared across and, or and threshold gates. Example: The access structure Q given earlier can be written as: Q = a (b c) Thres3(d,e, f,g) Impossibility Result Theorem: There exists monotone structures for which no (n, m) threshold scheme exists. Similar to Quorum Systems vs Voting assignments Proof: Consider the access structure defined by ((A B) (C D)) Let a, b, c and d denote the weights of each participant and the threshold scheme be (n, t) where n=a+b+c+d. Then a+b>=t, c+d>=t. WLOG, let a>=b and c>=d. Then a>=t/2, c>=t/2, therefore a+c>=t. Hence A and C together can determine secret S. Not allowed! Hence no such (n, t) threshold scheme exists. Generalized Secret Sharing Definition: Given a set P and a monotone access structure, a generalized secret sharing scheme divides a secret s into shares s i,j such that : 1. When A is in, s can be reconstructed from the shares s i,j in A. 2. For A not in, shares s i,j in A give no information about secret s. Notation: Let T m (s;p 1,..,p n ) denote a (n, m) threshold scheme. 7

Intuition Suppose a secret s, 0 <= s < r, needs to be shared between P 1 and P 2 s.t.: a) Either of them should be able to determine the secret. Scheme: give s to both of them b) Only both of them together should be able to determine s: choose s 1 and s 2 randomly s.t. s= s 1 +s 2 mod r. Give s 1 to P 1 and s 2 to P 2. Scheme Let T(s,F) be our generalized secret scheme. We define it recursively: 1. T(s,v p )=assign share s to p. 2. T(s, Or(F 1,,F n ))=T(s, F 1 ),,T(s, F n ) I.e divide s as s to all formula F i 3. T(s, And(F 1,,F n ))=T(s i, F i ) 1<=i<=n where s= 1<=i<=n s i, s i being random 4. T(s,THRES m (F 1,,F n ))= T(s i, F i ) 1<=i<=n where s=t m (s;f 1,..,f n )=[s i ] 1<=i<=n Proof of Correctness We use structural induction on the length of access structure formula. Base case is trivial. Let the monotone formula f be of form Or(F 1,,F n ). Since s is divided over each F i independently (by using T(s, F i )) therefore for any A not in, no joint information is conveyed by shares that belong to different T(s, F i ). F=And(F 1,,F n ). If A not in then there is an i s.t. shares of T(s i, F i ) in A give no information about s i. Since all s j were chosen randomly s.t. s= s j therefore if s i is not known then no information about s is revealed. Similar argument applies for the threshold operator. Homomorphism Theorem: If the T m (s;p 1,..,p n ) is (+,+) homorphic then the generalized secret sharing scheme is also (+,+) homomorphic. 8

Limitations Theorem: There exists monotone access structures for which the scheme is not efficient (formula size and hence number of shares is not polynomial in n) Proof (Sketch): Combinatorial Argument: There are doubly exponential monotonic access structures whereas there are only exponentially many polynomial sized access structures corresponding to polynomial sized formulae. 9

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback