Secret Sharing, Nisarg Raval, Sep 24, 2014. Material is adapted from CS513 lecture notes

Post on 20-Jan-2016


Secret Sharing

Nisarg Raval

Sep 24, 2014

http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html

Material is adapted from CS513 lecture notes (Cornell)

CPS 290 - Computer Security

Why share a secret?


Goal

• Given a secret s and n parties

a. All n parties together recover s

b. Fewer than n parties cannot recover s


Naive Scheme

S = 10011

S1 = 100 (high order), S2 = 11 (low order)

• Concatenate the shares to reveal the secret - S = (S1)(S2) = (100)(11) = 10011

• What is the problem? - Think of a salary or password

Partial Disclosure

• Given a secret s and n parties

a. All n parties together recover s

b. Fewer than n parties cannot recover any information about s

Generate Shares using XOR

S = 10011

S1 = Rand = 10100

S2 = S XOR S1 = 00111

S = S1 XOR S2 = 10011


General Scheme

• Given a secret s and n parties

a. Generate n-1 random strings as first n-1 shares

b. Last share is the bitwise XORing of s with all the other n-1 shares


• Security Check

a. Can n parties generate s?

b. Can any n-1 parties generate s?
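The general XOR scheme and its two security checks, as an added Python example (not part of the original slides). The function names and the byte-string secret are assumptions made for illustration; the last assertion under `__main__` reuses the slide's own values 10100 and 00111.

```python
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_xor(secret: bytes, n: int) -> list[bytes]:
    """Step a: n-1 random shares. Step b: last share = s XOR all the others."""
    if n < 2:
        raise ValueError("need at least 2 parties")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares

def combine_xor(shares: list[bytes]) -> bytes:
    """Security check a: all n shares XORed together give s."""
    return reduce(xor_bytes, shares)

def missing_share_for(known: list[bytes], candidate: bytes) -> bytes:
    """Security check b: for ANY candidate secret there is a missing share
    that makes the n-1 known shares reconstruct it, so n-1 parties cannot
    rule out any value of s."""
    return reduce(xor_bytes, known, candidate)

if __name__ == "__main__":
    secret = b"salary=90000"          # constructed sample secret
    shares = split_xor(secret, 4)
    assert combine_xor(shares) == secret

    known = shares[:3]                # what any 3 of the 4 parties hold
    for guess in (b"salary=10000", b"salary=99999"):
        fake = missing_share_for(known, guess)
        assert combine_xor(known + [fake]) == guess  # every guess is consistent

    # Slide values: S1 = 10100, S2 = 00111, S = 10011
    assert combine_xor([bytes([0b10100]), bytes([0b00111])]) == bytes([0b10011])
    print("all checks passed")
```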

Example

[Figure: the secret S = 10011 is split into shares S1, S2 and S3]

Problem?

[Figure: the shares S1, S2 and S3 of S = 10011, with the recovered secret shown as "?"]

• S can be constructed by 2 or more generals

• Fewer than 2 generals cannot construct S

(n,t) Secret Sharing

• Given a secret s and n parties

a. Any t or more parties can recover s

b. Fewer than t parties have no information about s

[Figure: S = 10011 with shares S1, S2 and S3, captioned "(3,2) secret sharing"]

(n,2) Secret Sharing

[Figure: x-y plot of a line through (0,S). The shares are the points (x1,y1), (x2,y2), ..., (xn-1,yn-1), (xn,yn) on that line. With a single point (x1,y1), there exists a line for every S.]

(n,3) Secret Sharing

[Figure: (0,S) and the share points (x1,y1), (x2,y2), ..., (xn-1,yn-1), (xn,yn)]

Shamir’s Secret Sharing

• It takes t points to define a polynomial of degree t-1

• Create a (t-1)-degree polynomial with the secret as the first coefficient and the remaining coefficients picked at random

• Find n points on the curve and give one to each of the parties.

• At least t points are required to fit the polynomial and hence to recover secret

Shamir, Adi (1979), "How to share a secret", Communications of the ACM

y = a_{t-1} * x^{t-1} + a_{t-2} * x^{t-2} + … + a_1 * x + a_0
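Shamir's construction carried through in Python, as an added example that is not part of the original slides. It assumes arithmetic modulo a prime P (here 2^127 - 1) so that the random coefficients are uniform, and recovers a_0 by Lagrange interpolation at x = 0; the function names are illustrative.

```python
import secrets

P = 2**127 - 1  # assumption: prime field modulus, must be larger than the secret

def split(secret: int, n: int, t: int, p: int = P) -> list[tuple[int, int]]:
    """Build y = a_{t-1} x^{t-1} + ... + a_1 x + a_0 with a_0 = secret and
    hand out the n points (1, y(1)), ..., (n, y(n))."""
    if not (1 <= t <= n < p) or not (0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x: int) -> int:
        y = 0
        for a in reversed(coeffs):      # Horner evaluation mod p
            y = (y * x + a) % p
        return y

    return [(x, f(x)) for x in range(1, n + 1)]  # x = 0 is never given out

def recover(shares: list[tuple[int, int]], p: int = P) -> int:
    """Lagrange interpolation evaluated at x = 0, which yields a_0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate among shares")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

if __name__ == "__main__":
    s = 0b10011                          # the slides' secret, as an integer
    shares = split(s, n=5, t=3)
    assert recover(shares[:3]) == s      # any 3 points fit the degree-2 curve
    assert recover([shares[4], shares[0], shares[2]]) == s
    # 2 points fit a line, not the curve: the result is unrelated to s
    print("with 2 shares:", recover(shares[:2]))
```

With fewer than t points, `recover` still returns a value, but it equals the secret only if the top random coefficient happens to be zero, which has probability 1/P.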

Use Case

[Figure: a private key split into shares S1, S2 and S3 with a (3,2) secret sharing scheme]

Problem?

[Figure: timeline with shares S1, S2 and S3. S1 is compromised, later S2 is compromised: S1 + S2 = Secret]

Refresh Shares

[Figure: timeline. A trusted third party refreshes the shares S1, S2, S3 to S'1, S'2, S'3 and later to S''1, S''2, S''3. S1 is compromised, later S'2 is compromised: cannot construct the secret]

Proactive Secret Sharing

Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

[Figure: Server 1 holds S1 and Server 2 holds S2, the shares of S. Server 1 splits S1 into partial shares S11 and S12; Server 2 splits S2 into S21 and S22. Exchange partial shares: S21 and S12. The new shares are S'1 and S'2.]

Recover S: (S11 + S21) + (S12 + S22)
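The two-server refresh round from the figure, as an added Python example that is not part of the original slides. It assumes "+" means addition modulo a fixed prime Q, that each server's partial shares add up to its old share, and that the new shares are S'1 = S11 + S21 and S'2 = S12 + S22, as the recovery formula implies; all names are illustrative.

```python
import secrets

Q = 2**61 - 1  # assumption: modulus for the additive shares

def share2(secret: int) -> tuple[int, int]:
    """Initial 2-of-2 additive sharing: S = S1 + S2 (mod Q)."""
    s1 = secrets.randbelow(Q)
    return s1, (secret - s1) % Q

def split_partial(share: int) -> tuple[int, int]:
    """A server splits its own share into two random partial shares."""
    a = secrets.randbelow(Q)
    return a, (share - a) % Q

def refresh(s1: int, s2: int) -> tuple[int, int]:
    """One refresh round. Neither server ever sees the other's full share."""
    s11, s12 = split_partial(s1)   # Server 1 keeps S11, sends S12
    s21, s22 = split_partial(s2)   # Server 2 sends S21, keeps S22
    new_s1 = (s11 + s21) % Q       # S'1, computed on Server 1
    new_s2 = (s12 + s22) % Q       # S'2, computed on Server 2
    return new_s1, new_s2

def recover(a: int, b: int) -> int:
    return (a + b) % Q

if __name__ == "__main__":
    S = 0b10011                                # the slides' secret
    s1, s2 = share2(S)
    n1, n2 = refresh(s1, s2)
    assert recover(n1, n2) == S                # secret unchanged
    # An old share from Server 1 plus a new share from Server 2 is useless:
    print("old S1 + new S'2 =", recover(s1, n2), "(secret is", S, ")")
    for _ in range(10):                        # shares can be refreshed repeatedly
        n1, n2 = refresh(n1, n2)
    assert recover(n1, n2) == S
```

Old shares must be erased after each round; the refresh only helps if an attacker who later compromises a server cannot read that server's earlier share.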

Bitcoin Multi-Signature Addresses

• Related to, but different from, secret sharing.

• Secret sharing: break a single secret into multiple shares.

• Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction.

• Examples: 2 out of 2, 2 out of 3, 3 out of 5.

Opening the Vault

Summary

• Useful technique to distribute a secret

• Confidentiality

• Reliability

• Each share must be as long as the secret itself

• Requires random bits of length proportional to the number of parties as well as the length of the secret
