Secret Sharing CPS 290 - Computer Security Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes (Cornell) http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html

Why share a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg

Goal Given a secret s and n parties All n parties together recover s Less than n parties can not recover s

Naive Scheme S=10011 S1 = 100 S2 = 11 High Order Low Order Concatenate shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011 What is the problem? - Think of a salary or password https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

No Partial Disclosure Given a secret s and n parties All n parties together recover s Less than n can not recover any information about s

Generate Shares using XOR S1 = Rand S2 = S XOR S1 10100 00111 10011 S = S1 XOR S2 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s?

General Scheme Given a secret s and n parties Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s? Can any n-1 parties generate s?

A More Flexible Scenario https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

A More Flexible Scenario ? S can be constructed by 2 or more generals Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

(n,t) Secret Sharing Given a secret s and n parties Any t or more parties can recover s Less than t parties have no information about s (3,2) secret sharing S=10011 S1 S2 S3 S

(n,2) Secret Sharing y (0,S) x

(n,2) Secret Sharing (xn-1,yn-1) (xn,yn) (x1,y1) y (x2,y2) (0,S) x

(n,2) Secret Sharing y Shares x (xn-1,yn-1) (xn,yn) (x1,y1) (x2,y2)

(n,2) Secret Sharing (xn-1,yn-1) (x1,y1) y (0,S) x

(n,2) Secret Sharing Exist a line for every S (x1,y1) y (0,S) x

(n,3) Secret Sharing (0,S) (x1,y1) (x2,y2) (xn-1,yn-1) (xn,yn)

Shamir’s Secret Sharing It takes t points to define a polynomial of degree t-1 Easy to prove corollary of the Fundamental Theorem of Algebra – a polynomial of degree n has exactly n roots (when counted with multiplicity) Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd. Create a (t-1)-degree polynomial with secret as the first coefficient and the remaining coefficient picked at random Find n points on the curve and give one to each of the parties. At least t points are required to fit the polynomial and hence to recover secret y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM

Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key

Problem? S1 compromised S1 S2 compromised S2 S1 + S2 = Secret S3 Time

Refresh Shares S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time Trusted Third Party S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time

Refresh Shares S’1 S’’1 S1 S’2 S’’2 S2 S’3 S’’3 can not Trusted Third Party S’1 S’’1 S1 S1 compromised S’2 S’’2 S2 S’2 compromised S’3 S’’3 can not construct secret S3 Time

Proactive Secret Sharing Server 1 Server 2 S1 S2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Proactive Secret Sharing Server 1 Server 2 S1 S2 S11 S12 S21 S22 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

Proactive Secret Sharing Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Recover S (S11 + S21) + (S12 + S22) S

BitCoin Multi-Signature Addresses Related to, but different than secret sharing. Secret sharing: break a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.

Opening the Vault

Summary Useful technique to distribute secret Confidentiality Reliability Each share must be as long as the secret itself Require random bits of length proportional to the number of parties as well as length of the secret