threshold cryptography - uni-potsdam.de · threshold cryptography 09.07.2013 threshold cryptography...
TRANSCRIPT
![Page 1: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/1.jpg)
Threshold Cryptography
Cloud Security Mechanisms
Björn Groneberg - Summer Term 2013
09.07.2013 Threshold Cryptography 1
![Page 2: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/2.jpg)
09.07.2013 Threshold Cryptography 2
?
![Page 3: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/3.jpg)
Threshold Cryptography
• Sharing Secrets – Treasure Map
– Sharing keys on multiple server
• Threshold Encryption – Protect top secret document, only group of people can decrypt it
• Threshold Signature – Signing checks
• E-Voting – Do not trust only one voting authority
09.07.2013 Threshold Cryptography 3
![Page 4: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/4.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 4
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 5: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/5.jpg)
Basic Maths
• 𝑝 is a prime
• modulo operator mod: – find remainder of division of two numbers
20 ∶ 6 = 18 𝑅: 2 20 mod 6 = 2
• modulo congruent = – two numbers are congruent modulo 𝑚 if they have the same
remainder by the division of 𝑚
20 mod 6 =2 and 14 mod 6 = 2 20 = 14 mod 6
09.07.2013 Threshold Cryptography 5
![Page 6: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/6.jpg)
Basic Maths
• Residue class – Collect all integers which are congruent given a modulo 𝑚
– Example: mod 6
• Residue class system (ring) ℤ𝑛 – Collect all residue classes and have two operations
– Example:
ℤ6 = 0 6, 1 6, 2 6, 3 6, 4 6, 5 6 = {0, 1, 2, 3, 4, 5}
5 + 4 = 3 3 + 4 = 1 9 + 12 = 5 mod 6
5 ∙ 4 = 2 3 ∙ 4 = 0 9 ∙ 12 = 0 mod 6
09.07.2013 Threshold Cryptography 6
[0]6= {… ,−6, 0, 6, 12, 18,… } [1]6= {… ,−5, 1, 7, 13, 19,… }
[2]6= {… ,−4, 2, 8, 14, 20,… } [3]6= {… ,−3, 3, 9, 15, 21,… }
[4]6= {… ,−2, 4, 10, 16, 22,… } [5]6= {… ,−1, 5, 11, 17, 23 … }
![Page 7: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/7.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 7
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 8: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/8.jpg)
Lagrange Polynomial Interpolation
• Find polynomial to given set of points
-1
0
1
2
3
-3 -2 -1 0 1 2 3
-1
0
1
2
3
-3 -2 -1 0 1 2 3
𝑓(𝑥)
1, 2 , −2, 2 , 2, 1 𝑓 𝑥 = ?
09.07.2013 Threshold Cryptography 8
![Page 9: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/9.jpg)
Lagrange Polynomial Interpolation
Interpolate polynomial function out of given points
Given: 𝑘 + 1 data points:
𝑥0, 𝑦0 , … , 𝑥𝑗 , 𝑦𝑗 , … , 𝑥𝑘 , 𝑦𝑘
where no two 𝑥𝑗 are the same
Lagrange polynomial interpolation is:
𝐿 𝑥 ≔ 𝑦𝑗ℓ𝑗
𝑘
𝑗=0
= 𝑦0ℓ1 +⋯+ 𝑦𝑗ℓ𝑗 +⋯+ 𝑦𝑘ℓ𝑘
where ℓ𝑗 is Lagrange basis polynomials:
ℓ𝑗 ≔ 𝑥 − 𝑥𝑚𝑥𝑗 − 𝑥𝑚
0≤𝑚≤𝑘𝑚≠𝑗
= 𝑥 − 𝑥0𝑥𝑗 − 𝑥0
…𝑥 − 𝑥𝑗−1
𝑥𝑗 − 𝑥𝑗−1
𝑥 − 𝑥𝑗+1
𝑥𝑗 − 𝑥𝑗+1…𝑥 − 𝑥𝑘𝑥𝑗 − 𝑥𝑘
[La13]
Joseph-Louis Lagrange
09.07.2013 Threshold Cryptography 9
![Page 10: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/10.jpg)
Lagrange Example
• Given Points: 1, 2 , −2, 2 , 2, 1 𝑘 = 2
• Calculate Lagrange basis polynomials
ℓ0 ≔ 𝑥 − 𝑥1(𝑥0−𝑥1)
𝑥 − 𝑥2𝑥0 − 𝑥2
=𝑥 + 2
1 + 2
𝑥 − 2
1 − 2= −1
3(𝑥2 − 4)
ℓ1 ≔ 𝑥 − 𝑥0(𝑥1−𝑥0)
𝑥 − 𝑥2𝑥0 − 𝑥2
=𝑥 − 1
−2 − 1
𝑥 − 2
−2 − 2=1
12(𝑥2 − 3𝑥 + 2)
ℓ2 ≔ 𝑥 − 𝑥0(𝑥2−𝑥0)
𝑥 − 𝑥1𝑥2 − 𝑥1
=𝑥 − 1
2 − 1
𝑥 + 2
2 + 2=1
4(𝑥2 + 𝑥 − 2)
• Calculate Lagrange polynomial:
𝐿 𝑥 = 𝑦0ℓ0 + 𝑦1ℓ1 + 𝑦2ℓ2
𝐿 𝑥 = 2 ∙ −1
3𝑥2 − 4 + 2 ∙
1
12𝑥2 − 3𝑥 + 2 + 1 ∙
1
4𝑥2 + 𝑥 − 2 = −
𝟏
𝟒𝒙𝟐 −𝟏
𝟒𝒙 +𝟓
𝟐
𝐿 𝑥 ≔ 𝑦𝑗ℓ𝑗
𝑘
𝑗=0
ℓ𝑗 ≔ 𝑥 − 𝑥𝑚𝑥𝑗 − 𝑥𝑚
0≤𝑚≤𝑘𝑚≠𝑗
09.07.2013 Threshold Cryptography 10
[La13]
![Page 11: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/11.jpg)
Lagrange Polynomial Interpolation
• Find polynom to given set of points
-1
0
1
2
3
-3 -2 -1 0 1 2 3
-1
0
1
2
3
-3 -2 -1 0 1 2 3
𝑓(𝑥)
1, 2 , −2, 2 , 2, 1 𝑓 𝑥 = −
1
4𝑥2 −1
4𝑥 +5
2
09.07.2013 Threshold Cryptography 11
![Page 12: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/12.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 12
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 13: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/13.jpg)
Secret Sharing
• How to distribute secret 𝑠 to 𝑛 parties in that way, that
– Only all 𝑛 parties together or
– 𝑘 out of 𝑛 parties
can recompute the secret?
Bob
Chris
Dave
secret 𝑠
secret 𝑠0
secret 𝑠1
secret 𝑠2
Trusted dealer
09.07.2013 Threshold Cryptography 13
![Page 14: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/14.jpg)
Secret Sharing
• Recomputation of the secret all 𝑛 out of 𝑛 parties: (𝑛, 𝑛) threshold
𝑛 − 1, 𝑛 − 2, … parties should not be able to recompute the secret
Every party (or group of parties) should not be able to retreive any information about the global secret from their own secret(s)
Bob
Chris
secret 𝑠0
Trusted dealer
secret 𝑠1
secret 𝑠2
secret 𝑠
09.07.2013 Threshold Cryptography 14
![Page 15: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/15.jpg)
Secret Sharing
• Recomputation of the secret 𝑘 out of 𝑛 parties: (𝑘, 𝑛) threshold
𝑘 − 1, k − 2, … parties should not be able to recompute the secret
Every party (or group of parties) should not be able to retreive any information about the global secret from their own secret(s)
Bob
Chris
secret 𝑠0
Trusted dealer
secret 𝑠1
secret 𝑠2
secret 𝑠
09.07.2013 Threshold Cryptography 15
![Page 16: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/16.jpg)
Secret Sharing
• Real world‘s solution: – Multiple locks with keys heavy key ring
• Naive solution (bad): – Split secret in parts:
– Disadvantage: • needs (𝑛, 𝑛) threshold
• 𝑛 − 1 out of 𝑛 parties dramatically reduce possible keys
1873 7632 8732 3253 2312
1873 7632 8732 3253 2312
09.07.2013 Threshold Cryptography 16
![Page 17: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/17.jpg)
Shamir‘s Secret Sharing
• Published 1979 by Adi Shamir
• (𝑘, 𝑛) threshold sharing
• Based on Lagrange polynomials
• Dealing Algorithm:
– Given: (𝑘, 𝑛) threshold and secret 𝑠 ∈ ℤ𝑞
– Randomly choose 𝑘 − 1 coefficients 𝑎1, … , 𝑎𝑘−1
– Set 𝑎0 ∶= 𝑠
– Build polynomial 𝑓 𝑥 = 𝑎0 + 𝑎1𝑥 + 𝑎2𝑥2 + 𝑎𝑘−1𝑥
𝑘−1
– Set 𝑖 = 1,… , 𝑛 and calculate Points 𝑠𝑖 = 𝑖, 𝑓 𝑖 mod 𝑞
– Every party gets (at least) one point 𝑠𝑖
Adi Shamir – The „S“ in RSA
09.07.2013 Threshold Cryptography 17
[Sha79]
![Page 18: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/18.jpg)
Shamir‘s Secret Sharing - Example
• Dealing Algorithm
Given: (𝑘, 𝑛) and secret 𝑠 ∈ ℤ𝑞 (𝟑, 𝟓) threshold 𝒔 = 𝟔 ∈ ℤ22
Randomly 𝑘 − 1: 𝑎1, … , 𝑎𝑘−1 𝑎1 = 2 𝑎2 = 1
Set 𝑎0 ∶= 𝑠 𝑎0 = 6
𝑓 𝑥 = 𝑎0 + 𝑎1𝑥 + 𝑎2𝑥2 + 𝑎𝑘−1𝑥
𝑘−1 𝑓 𝑥 = 𝑥2 + 2𝑥 + 6
𝑖 = 1,… , 𝑛 calculate
𝑠𝑖 = 𝑖, 𝑓 𝑖 mod 𝑞
1, 9 2, 14 , 3, 21 , 4, 8 , (5, 19)
Trusted dealer
𝑠 = 6 Bob
Chris
Dave
Felix
George
𝑠1 = (1, 9)
𝑠2 = (2, 14)
𝑠3 = (3, 21)
𝑠4 = (4, 8)
𝑠5 = (5, 19)
09.07.2013 Threshold Cryptography 18
![Page 19: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/19.jpg)
Shamir‘s Secret Sharing
• Recomputation – Given: 𝑘 Points 𝑠𝑖 = (𝑥𝑖 , 𝑦𝑖)
– Goal: find 𝑓 𝑥 = 𝑎0 + 𝑎1𝑥 + 𝑎2𝑥2 + 𝑎𝑘−1𝑥
𝑘−1
with 𝑓 0 = 𝑎0 as the secret
– Using 𝑓 𝑥 = 𝐿 𝑥 ,
𝑆 ⊆ 1,… , 𝑛 , 𝑆 = 𝑘 and calculate
𝑓 0 = 𝐿 0 = 𝑦𝑗ℓ𝑗,0,𝑆 mod 𝑞
𝑗∈𝑆
with ℓ𝑗,0 as Lagrange basis polynomials with 𝑥 = 0 and 𝑆:
ℓ𝑗,0,𝑆 ≔ −𝑥𝑚𝑥𝑗 − 𝑥𝑚
𝑚∈𝑆𝑚≠𝑗
mod 𝑞
Lagrange:
𝐿 𝑥 ≔ 𝑦𝑗ℓ𝑗
𝑘
𝑗=0
ℓ𝑗 ≔ 𝑥 − 𝑥𝑚𝑥𝑗 − 𝑥𝑚
0≤𝑚≤𝑘𝑚≠𝑗
09.07.2013 Threshold Cryptography 19
[Sha79]
![Page 20: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/20.jpg)
Shamir‘s Secret Sharing - Example • Recomputation of basis polynomials:
ℓ2,0,{2,4,5} = −𝑥4𝑥2 − 𝑥4
−𝑥5𝑥2 − 𝑥5
=−4
2 − 4
−5
2 − 5= 10 ∙ 3−1 = 10 ∙ 15 = 18 mod 22
ℓ4,0,{2,4,5} = −𝑥2(𝑥4−𝑥2)
−𝑥5𝑥4 − 𝑥5
=−2
4 − 2
−5
4 − 5= −5 = 17 mod 22
ℓ5,0,{2,4,5} = −𝑥2(𝑥5−𝑥2)
−𝑥4𝑥5 − 𝑥4
=−2
5 − 2
−4
5 − 4= 8 ∙ 3−1 = 8 ∙ 15 = 10 mod 22
Trusted dealer
Bob
Chris
Dave
Felix
George
𝑠2 = (2, 14) 𝑠4 = (4, 8)
𝑠5 = (5, 19)
„Shamir‘s Lagrange“:
𝐿 0 = 𝑦𝑗ℓ𝑗,0,𝑆𝑗∈𝑆
ℓ𝑗,0,𝑆 ≔ −𝑥𝑚𝑥𝑗 − 𝑥𝑚
𝑚∈𝑆𝑚≠𝑗
09.07.2013 Threshold Cryptography 20
![Page 21: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/21.jpg)
Shamir‘s Secret Sharing - Example
• Recomputation: ℓ2,0,{2,4,5} = 18, ℓ4,0,{2,4,5} = 17, ℓ5,0,{2,4,5} = 10
𝑠 = 𝐿 0 = 𝑦2 ∙ ℓ2,0, 2,4,5 + 𝑦4 ∙ ℓ4,0, 2,4,5 + 𝑦5 ∙ ℓ5,0, 2,4,5
𝑠 = 𝐿 0 = 14 ∙ 18 + 8 ∙ 17 + 19 ∙ 10 mod 22
𝒔 = 𝟔
Trusted dealer
𝑠 = 6 Bob
Chris
Dave
Felix
George
𝑠2 = (2, 14) 𝑠4 = (4, 8)
𝑠5 = (5, 19)
„Shamir‘s Lagrange“:
𝐿 0 = 𝑦𝑗ℓ𝑗,0,𝑆𝑗∈𝑆
ℓ𝑗,0,𝑆 ≔ −𝑥𝑚𝑥𝑗 − 𝑥𝑚
𝑚∈𝑆𝑚≠𝑗
09.07.2013 Threshold Cryptography 21
![Page 22: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/22.jpg)
Shamir‘s Secret Sharing - Remarks
• Graphical Interpretation
09.07.2013 Threshold Cryptography 22
-1
0
1
2
3
4
5
-1 0 1 2 3 4
• Flexibility – Increase 𝑛 and compute new
shares without affecting other shares
– Removing existing shares (shares have to be destroyed)
– Replace shares without changing the secret: new polynomial 𝑓∗(𝑥)
– One party can have more than one share
[Li04]
![Page 23: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/23.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 23
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 24: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/24.jpg)
Elgamal Encryption
• Published 1985 by Taher Elgamal
• Based on Diffie-Hellman key exchange
• Public / private key encryption:
• Generation: pub, priv
• Encryption: cipher = encpub(𝑚)
• Decryption: 𝑚 = decpriv cipher
Alice Bob
priv Alice pub
Alice pub
Taher Elgamal
From: Bob To: Alice 𝑚 =…
From: Bob To: Alice cipher
From: Bob To: Alice 𝑚 =…
09.07.2013 Threshold Cryptography 24
![Page 25: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/25.jpg)
Elgamal Encryption - Example
• Public / private key generation
1. large prime 𝑝 with generator 𝑔 𝑝 = 23 𝑔 = 5
2. randomly 𝑎 ∈ {1, … , 𝑝 − 1} 𝑎 = 6
3. Calculate 𝐴 = 𝑔𝑎 𝑚𝑜𝑑 𝑝 𝐴 = 56 = 8 mod 23
4. pub = (𝑝, 𝑔, 𝐴) priv = 𝑎 pub = (23, 5, 8) priv = 6
Alice Bob
priv = 6
Alice pub = (23,5,8)
Alice pub = (23,5,8)
09.07.2013 Threshold Cryptography 25
[El85]
![Page 26: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/26.jpg)
Elgamal Encryption - Example
• Encryption
Given: message 𝑚 ∈ 0, … , 𝑝 − 1 𝑚 = 12
Randomly 𝑏 ∈ {1, … , 1 − 𝑝} 𝑏 = 3
Calculate 𝐵 = 𝑔𝑏 mod 𝑝 𝑐 = 𝐴𝑏𝑚 mod 𝑝
𝐵 = 53 = 10 mod 23 𝑐 = 83 ∙ 12 = 3 mod 23
Cipher text is cipher = (𝐵, 𝑐) cipher = (10, 3)
Alice pub = (23,5,8)
From: Bob To: Alice cipher = (10, 3)
Alice Bob
From: Bob To: Alice 𝑚 = 12
09.07.2013 Threshold Cryptography 26
![Page 27: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/27.jpg)
Elgamal Encryption - Example • Decryption
• General Idea: 𝑚 = 𝐵𝑎 −1 ∙ 𝑐 = 𝐵(𝑝−1−𝑎) mod 𝑝
Given: cypher = (𝐁, 𝐜) and priv = 𝑎 cypher = (10,3) priv = 6
Calculate 𝑥 = 𝑝 − 1 − 𝑎 𝑥 = 23 − 1 − 6 = 16
Calculate 𝑚 = 𝐵𝑥𝑐 mod 𝑝 𝑚 = 1016 ∙ 3 = 12 mod 23
Encrypted message 𝑚 𝑚 = 12
Alice Bob
Alice pub = (23,5,8)
From: Bob To: Alice cipher = (10, 3)
From: Bob To: Alice 𝑚 = 12
a = 6
09.07.2013 Threshold Cryptography 27
[El85]
![Page 28: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/28.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 28
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 29: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/29.jpg)
Threshold Elgamal
• Using Elgamal encryption scheme in a treshold environment
• Generation: – Generate pub = (𝑝, 𝑔, 𝐴) priv = 𝑎 like normal Elgamal encryption
– Share priv = 𝑎 among 𝑛 parties, using Shamir‘s secret sharing with 𝑞 = 𝜑 𝑝 =∗ 𝑝 − 1
– Every party 𝑗 gets (at least) one point 𝑠𝑗 = (𝑥𝑗 , 𝑦𝑗)
Example: pub = (23, 5, 8) priv = 6 (3,5)-threshold
Trusted dealer
𝑠 = 6
Bob
Chris
Dave
Felix
George
𝑠1 = (1, 9)
𝑠2 = (2, 14)
𝑠3 = (3, 21)
𝑠4 = (4, 8)
𝑠5 = (5, 19)
∗ if 𝑝 is prime
09.07.2013 Threshold Cryptography 29
BCDFG pub = (23,5,8)
[Ca06]
![Page 30: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/30.jpg)
Threshold Elgamal
• Encryption – Normal Elgamal encryption with message 𝑚 and pub = 𝑝, 𝑔, 𝐴
Trusted dealer
Bob
Chris
Dave
Felix
George
𝑠4
𝑠5
𝑠2
09.07.2013 Threshold Cryptography 30
𝑠1
𝑠3 Alice
From: Alice To: BCDFG cipher = (10, 3)
BCDFG pub = (23,5,8)
[Ca06]
![Page 31: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/31.jpg)
Threshold Elgamal
• Decryption – Trusted dealer and every party can receive cipher = (𝐵, 𝑐)
– at least 𝑘 parties have to compute decryption share 𝑑𝑗 = 𝐵𝑦𝑗 mod 𝑝
– Trusted dealer can compute 𝑚 with set 𝑆 of 𝑗 ∈ {1, … , 𝑛} which returned their 𝑑𝑗
– Party: 𝑑𝑗 = 𝐵
𝑦𝑗 mod 𝑝
– Trusted Dealer:
𝑚 = 𝑑𝑗ℓ𝑗,0,𝑆
𝑗∈𝑆
−1
∙ 𝑐 mod 𝑝
Trusted dealer
Bob
Chris
Dave
Felix
George
𝑠4
𝑠5
𝑠2 𝑑4
𝑑5
𝑑2
09.07.2013 Threshold Cryptography 31
[Ca06]
![Page 32: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/32.jpg)
(4, 8)
(5, 19)
Threshold Elgamal - Example
• Decryption – Every party computes decryption share: 𝑑2 = 𝐵
𝑦2 = 1014 = 12 mod 23 𝑑4 = 𝐵
𝑦5 = 108 = 2 mod 23 𝑑5 = 𝐵
𝑦5 = 1019 = 21 mod 23
– Trusted dealer computes ℓ𝑗,0,𝑆:
ℓ2,0,{2,4,5} = 18
ℓ4,0,{2,4,5} = 17 ℓ5,0,{2,4,5} = 10
Shamir‘s secret sharing, slide 20
Threshold Elgamal
cipher = (𝐵, 𝑐)
𝑑𝑗 = 𝐵𝑦𝑗 mod 𝑝
𝑚 = 𝑑𝑗ℓ𝑗,0,𝑆
𝑗∈𝑆
−1
∙ 𝑐 mod 𝑝
Trusted dealer
Bob
Chris
Dave
Felix
George
(2, 14)2 2
21
12
From: Alice To: BCDFG cipher = (10, 3)
09.07.2013 Threshold Cryptography 32
„Shamir‘s Lagrange“:
ℓ𝑗,0,𝑆 ≔ −𝑥𝑚𝑥𝑗 − 𝑥𝑚
𝑚∈𝑆𝑚≠𝑗
![Page 33: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/33.jpg)
(4, 8)
(5, 19)
Threshold Elgamal - Example
• Decryption
𝑑2 = 12, 𝑑4= 2, 𝑑5= 21
ℓ2,0,{2,4,5} = 18, ℓ4,0,{2,4,5} = 17, ℓ5,0,{2,4,5} = 10
– Trusted dealer computes 𝑚:
𝑚 = 𝑑2ℓ2,0,{2,4,5} ∙ 𝑑4
ℓ4,0,{2,4,5} ∙ 𝑑5ℓ5,0,{2,4,5}
−1∙ 𝑐 mod 𝑝
𝑚 = 1218 ∙ 217 ∙ 2110 −1 ∙ 3 mod 23 𝑚 = 6 −1 ∙ 3 mod 23 𝑚 = 4 ∙ 3 mod 23
𝒎 = 𝟏𝟐
Threshold Elgamal
cipher = (𝐵, 𝑐)
𝑑𝑗 = 𝐵𝑦𝑗 mod 𝑝
𝑚 = 𝑑𝑗ℓ𝑗,0,𝑆
𝑗∈𝑆
−1
∙ 𝑐 mod 𝑝
Trusted dealer
Bob
Chris
Dave
Felix
George
(2, 14)
From: c To: BCDFG cipher = (10, 3)
Note: (6)−1 = 4 mod 23 (Extended Euclidean algorithm)
From: Alice To: BCDGF 𝑚 = 12
09.07.2013 Threshold Cryptography 33
![Page 34: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/34.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 34
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshold RSA
7. E-Voting
![Page 35: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/35.jpg)
RSA Threshold Signatures
• Signatures
• Requires: Public / private key and hash function 𝐻(𝑥)
• Sign a message:
– Hash message 𝑚 and encrypt with private key: sign = encpriv 𝐻 𝑚
• Verify signature
– Decrypt signature with public key and check hash: decpub sign = 𝐻(𝑚)
From: Bob To: Alice 𝑚 = …
Alice Bob
sign from: Bob
priv =…
Bob pub = …
?
09.07.2013 Threshold Cryptography 35
[Ca06]
![Page 36: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/36.jpg)
RSA Threshold Signatures • Every party signs with own private
key
• Trusted dealer can compute global signature
Party 𝑖:
sign𝑖 = encpriv𝑖 𝐻(𝑚)
Trusted dealer:
sign = collect sign1, … , sign𝑛
• V. Shoup: “Practical threshold
signatures” shows threshold signature scheme with RSA [Sh]
Trusted dealer
Bob
Chris
Dave
Felix
George
priv4
priv5
priv1
priv2
priv3
From: BCDFG To: Alice 𝑚 = …
sign from: BCDFG
BCDFG pub = …
sign4
sign5
sign2
sign1
sign3
09.07.2013 Threshold Cryptography 36
![Page 37: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/37.jpg)
Threshold Cryptography
09.07.2013 Threshold Cryptography 37
1. Basic Maths
2. Lagrange Polynomial Interpolation
3. Shamir‘s Secret Sharing
4. Elgamal Encryption
5. Threshold Elgamal
6. Threshld RSA
7. E-Voting
![Page 38: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/38.jpg)
E-Voting
• Secret voting using Elgamal threshold encryption
• Voter encrypts vote with public key
• Private key is shared among voting authorities
09.07.2013 Threshold Cryptography 38
Bob
Alice
Chris
vote = 1
priv2
Authority 1
Authority 2
Voting pub
vote = −1
vote = −1
priv1
From: Bob vBob = (𝐵, 𝑐)
From: Alice vAlice = (𝐵, 𝑐)
From: Chris vChris = (𝐵, 𝑐)
Bulletin Board
[Cr97]
![Page 39: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/39.jpg)
E-Voting
• Voting authorities “counting” encrypted votes
• Decrypt result of “counting” with shared secrets
09.07.2013 Threshold Cryptography 39
Bob
Alice
Chris
vote = 1
vote = −1
vote = −1
From: Bob vBob = (𝐵, 𝑐)
priv2
Authority 1 Authority 2
priv1
From: Alice vAlice = (𝐵, 𝑐)
From: Chris vChris = (𝐵, 𝑐)
vResult = count(vBob, vAlice, vChris) vResult = (𝐵, 𝑐)
Bulletin Board
Result = decpriv vResult
Result = −1
• Cramer, et. al.: "A secure and optimally efficient multi‐authority election scheme." [Cr97]
![Page 40: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/40.jpg)
Summary Threshold Cryptography
• Sharing Secrets
• Threshold Encryption
• Threshold Signatures
• E-Voting
• General Problem: Trusted Dealer
• Secret sharing schemes without trusted dealer
09.07.2013 Threshold Cryptography 40
![Page 41: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/41.jpg)
09.07.2013 Threshold Cryptography 41
?
![Page 42: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/42.jpg)
09.07.2013 Threshold Cryptography 42
!
![Page 43: Threshold Cryptography - uni-potsdam.de · Threshold Cryptography 09.07.2013 Threshold Cryptography 4 1. Basic Maths 2. Lagrange Polynomial Interpolation 3. Shamir‘s Secret Sharing](https://reader031.vdocuments.us/reader031/viewer/2022020104/5baf0cd009d3f2c70e8bb809/html5/thumbnails/43.jpg)
References [La13] Lagrange polynomial. (2013, May 22). In Wikipedia, The Free Encyclopedia. Retrieved 06:22, June 24, 2013, from
http://en.wikipedia.org/w/index.php?title=Lagrange_polynomial&oldid=556301912
[El85] ElGamal, T. (1985, January). A public key cryptosystem and a signature scheme based on discrete logarithms. In Advances in Cryptology (pp. 10-18). Springer Berlin Heidelberg.
[Sho00] V. Shoup, Practical threshold signatures, Advances in Cryptology: EUROCRYPT 2000 (B. Preneel, ed.), Lecture Notes in Computer Science, vol. 1087, Springer, 2000, pp. 207–220.
[Sha79] Shamir, Adi. "How to share a secret." Communications of the ACM 22.11 (1979): 612-613.
[Cr97] Cramer, Ronald, Rosario Gennaro, and Berry Schoenmakers. "A secure and optimally efficient multi‐authority election scheme." European transactions on Telecommunications 8.5 (1997): 481-490.
[Li04] T-79.159 Cryptography and Data Security, 24.03.2004 Lecture 9: Secret Sharing, Threshold Cryptography, MPC, Helger Lipmaa
[Ca06] Security and Fault-tolerance in Distributed Systems, Winter 2006/07, 7 Distributed Cryptography, Christian Cachin, IBM Zurich Research Lab
09.07.2013 Threshold Cryptography 43