Secret Sharing (or, more accurately, “Secret Splitting”) Original slides by Nisarg Raval Material is adapted from CS513 lecture notes (Cornell) http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html
Why split a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg
Goal Given a secret s first held by a “dealer” and then splits n shares among n parties called “players” All n players together recover s Less than n players can not recover s
Naive Scheme S=10011 Concatenate shares to reveal secret High Order Low Order Concatenate shares to reveal secret S = (S1)(S2) = (100)(11) = 10011 What is the problem? - Think of a salary or password https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
No Partial Disclosure Given a secret s and n players All n players together recover s Less than n can not recover any information about s (unconditional security)
Dealer Generates Shares using XOR S1 = Rand S2 = S XOR S1 10100 00111 10011 S = S1 XOR S2 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
General Scheme Given a secret s and n players Dealer generates n-1 random strings as first n-1 shares Last share is the bitwise XOR of s with all the other n-1 shares
General Scheme Given a secret s and n players Dealer generates n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n players generate s?
General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n players generate s? Can any n-1 players generate s?
A More Flexible Scenario https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
A More Flexible Scenario ? S can be constructed by 2 or more generals Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
(n,t) Secret Sharing Given a secret s and n players Any t or more players can recover s Less than t players have no information about s (3,2) secret sharing S=10011 S1 S2 S3 S
(n,2) Secret Sharing y (0,S) x secret S is y intercept
(n,2) Secret Sharing (xn-1,yn-1) (xn,yn) (x1,y1) y (x2,y2) (0,S) x
(n,2) Secret Sharing y shares x (xn-1,yn-1) (xn,yn) (x1,y1) (x2,y2)
(n,2) Secret Sharing (xn-1,yn-1) (x1,y1) y (0,S) x
(n,2) Secret Sharing one share does not suffice y x for every secret S, there is a line through x1,y1 (x1,y1) y (0,S) x
three points determine a quadratic polynomial (n,3) Secret Sharing (0,S) (x1,y1) (x2,y2) (xn-1,yn-1) (xn,yn) three points determine a quadratic polynomial
Shamir’s Secret Sharing It takes t points to define a polynomial of degree t-1 Easy to prove corollary of the Fundamental Theorem of Algebra, which states that a polynomial of degree n > 0 has exactly n roots (when counted with multiplicity) Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd. Create a degree-(t-1) polynomial with secret as the constant coefficient and the remaining coefficients chosen at random Find n points on the curve (not at x=0) and give one to each of the players. At least t points are required to fit the polynomial and hence to recover secret (and any t points will suffice) y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM
Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key
Dyadic Security Product Pure-software virtual hardware security module (HSM). (Other vendors sell HSMs similar to TPMs that can store private keys and perform TLS operations.) Share secret (e.g., private key for TLS) across multiple servers. Perform TLS operations using secure multiparty computation so that no server learns private key. Assumes that it is more difficult to break into one server than several.
Unconditional Security Each share must be as long as the secret itself, e.g., number of possible values of polynomial at each point where it is evaluated must be the same as number of possible y-intercepts Require random bits of length proportional to the number of players n as well as length of the secret l Can the sizes of the shares be reduced?
“Secret Sharing Made Short” Dealer begins by choosing a random symmetric key, e.g., a 256-bit AES key Dealer encrypts the secret using the symmetric key Symmetric key is split using Shamir’s (n,t) scheme (n shares, each 256 bits): n*256 bits Encrypted secret is encoded using an (n,t) error correcting code Suppose encrypted secret length is l bits. Code uses n “symbols” each l/t bits long: nl/t bits. Any t symbols out of n suffice to recover the encrypted secret. Total bits: n*256 + nl/t (versus nl)
Idea Behind Error Correcting Code Use a polynomial as before. Break the “message” (e.g., the encrypted secret) into t pieces of length l/t. Let yi denote the i’th piece. Create a polynomial f(x) where f(xi)=yi for some arbitrarily chosen x1, x2, …, xt, e.g., xi=i. Now the goal is to recover not f(0), but f(x1), f(x2), …, f(xt) Evaluate the polynomial at n-t other locations xt+1,…,xn, e.g., xi=i. The n f(xi) values are the symbols Can recover the full polynomial from any t symbols Once the polynomial is recovered, find values at x1, …, xt.
Why is this scheme not unconditionally secure? It’s possible to learn some of the information about the encrypted secret from fewer than t shares, e.g., knowing f(x1) means knowing the first piece of the encrypted secret. The error correcting code isn’t trying to hide information. The goal is the opposite: enable the recovery of as much information as possible from whatever symbols are at hand. So the security depends on the strength of the encryption system, e.g., AES, which is NOT unconditionally secure, since key length (256 bits) may be less than secret length l.
Why isn’t AES Unconditionally Secure? Suppose message length is l bits, and key length is k bits, e.g., k=256, where k may be much less than l. Given a ciphertext encrypted with a k-bit key, adversary can narrow down plaintext to 2k possibilities out of 2l by decrypting with all possible k-bit key values. (Although this approach is not computationally efficient.)
Problem? S1 compromised S1 S2 compromised S2 S3 S1 + S2 Secret Time
Refresh Shares S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time Trusted Third Party S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time
Refresh Shares S’1 S’’1 S1 S’2 S’’2 S2 S’3 S’’3 can not Trusted Third Party S’1 S’’1 S1 S1 compromised S’2 S’’2 S2 S’2 compromised S’3 S’’3 can not construct secret S3 Time
Proactive Secret Sharing Server 1 Server 2 S1 S2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Proactive Secret Sharing Server 1 Server 2 S1 S2 S11 S12 S21 S22 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 Compute New Shares S’2 S’1 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Recover S (S11 S21) (S12 S22) S
BitCoin Multi-Signature Addresses Related to, but different than secret sharing. Secret sharing: split a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.
Opening the Vault