Secret Sharing CPS 290 - Computer Security Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes (Cornell) http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html

Why share a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg

Goal Given a secret s and n parties All n parties together recover s Less than n parties can not recover s

Naive Scheme S=10011 S1 = 100 S2 = 11 High Order Low Order Concat shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011 What is the problem? - Think of a salary or password https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Partial Disclosure Given a secret s and n parties All n parties together recover s Less than n can not recover any information about s

Generate Shares using XOR S1 = Rand S2 = S XOR S1 10100 00111 10011 S = S1 XOR S2 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s?

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s? Can any n-1 parties generate s?

Example S=10011 S1 S2 S3 S https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

Problem? S=10011 ? S1 S2 S3 S can be constructed by 2 or more generals Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

(n,t) Secret Sharing Given a secret s and n parties Any t or more parties can recover s Less than t parties have not information about s (3,2) secret sharing S=10011 S1 S2 S3 S

(n,2) Secret Sharing y (0,S) x

(n,2) Secret Sharing (xn-1,yn-1) (xn,yn) (x1,y1) y (x2,y2) (0,S) x

(n,2) Secret Sharing y Shares x (xn-1,yn-1) (xn,yn) (x1,y1) (x2,y2)

(n,2) Secret Sharing (xn-1,yn-1) (x1,y1) y (0,S) x

(n,2) Secret Sharing Exist a line for every S (x1,y1) y (0,S) x

(n,3) Secret Sharing (0,S) (x1,y1) (x2,y2) (xn-1,yn-1) (xn,yn)

Shamir’s Secret Sharing It takes t points to define a polynomial of degree t-1 Create a t-1 degree polynomial with secret as the first coefficient and the remaining coefficient picked at random Find n points on the curve and give one to each of the parties. At least t points are required to fit the polynomial and hence to recover secret y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM

Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key

Problem? S1 S1 compromised S2 compromised S2 S1 + S2 = Secret S3 Time

Refresh Shares S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time Trusted Third Party S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time

Refresh Shares S’1 S’’1 S1 S’2 S’’2 S2 S’3 S’’3 can not Trusted Third Party S’1 S’’1 S1 S1 compromised S’2 S’’2 S2 S’2 compromised S’3 S’’3 can not construct secret S3 Time

Proactive Secret Sharing Server 1 Server 2 S1 S2

Proactive Secret Sharing Server 1 Server 2 S1 S2 S11 S12 S21 S22

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Recover S (S11 + S21) + (S12 + S22) S

Summary Useful technique to distribute secret Confidentiality Reliability Each share must be as long as the secret itself Require random bits of length proportional to the number of parties as well as length of the secret