1 Secret Sharing
2 Suppose you and your friend accidentally discovered a map that you believe would lead you to an island full of treasure. You and your friend are very excited and would like to go home and get ready for the exciting journey to the great fortune. Now who is going to keep the map?
3 Secret Sharing Suppose you and your so-called friend do not really trust each other and are afraid that, if the other one has the map, he/she might just go alone and take everything. Now we need a scheme that makes sure the map is shared in a way that leaves no one out of this trip. What would you suggest?
4 Secret Sharing One solution is to split the map into two pieces and make sure that both pieces are needed in order to find the island. You can happily go home, assured that your friend has to go with you in order to find the island. This illustrates the basic concept of secret sharing.
5 Generalization Given a secret s, we would like n parties to share the secret so that the following properties hold: –All n parties can get together and recover s. –Fewer than n parties cannot recover s. In the map example, s is the map, while you and your friend are the two parties that share the secret.
6 Generalization In general, to achieve such a sharing, we split the secret into n pieces s1, s2,..., sn and give one piece to each party. Each piece here is called a share. This is actually a special case of secret sharing and is called secret splitting in some literature.
7 Generalization We know that every piece of information is stored as a bit string or a number on a computer. So, if we know how to share a secret bit string or a secret number, then we know how to share any information on a computer. –For example, assume that your salary is stored as a number –Now you want to split your salary into two shares for two parties. –You want to make sure that no party by itself knows your salary. –On the other hand, two parties can get together and recover your salary.
8 Generalization We can split the digits into two sets and give one set to each party as a share. For example, we can give the first 4 digits to party 1 and the other 4 to party 2. It is easy to verify that this scheme satisfies the two properties listed.
9 Generalization However, there is a problem with this scheme. Suppose I am the first party who gets the most significant 4 digits of your salary. It is true that I don't know exactly how much your salary is, but I have a pretty good idea about the range of your salary (>= ), because I have the 4 most significant digits. Such partial information may be unacceptable for you.
10 Partial Information Disclosure A share may not contain all the information about a secret, but could disclose partial information. In certain cases, such partial information disclosure could be fatal.
11 Partial Information Disclosure Suppose two parties are going to share a password. Here a password consists of 8 characters, with each selected from a set of 100 possible characters. If we split the password into two shares and each share has 4 characters of the password, then each share effectively gives out the secret under a brute-force attack.
12 Partial Information Disclosure A brute-force attack tries every possible combination of the password in order to find the right one. So now let's do some calculations. –There are 100 possible characters to choose from for each of the 8 characters, –so there are 100^8 possible passwords. –If it takes 1 microsecond to generate and check one password, then it takes 100^8 * 10^-6 seconds, roughly 300 years, to try every possible password.
13 Partial Information Disclosure A naive way of splitting a secret could cause partial information disclosure, which might be undesirable in certain cases and fatal in others.
14 Partial Information Disclosure We would like to solve the partial information disclosure problem: –we strengthen property 2 to stipulate that no information about the secret will be disclosed from less than n shares. –It may seem counter-intuitive that the shares generated from a secret can contain no information about the secret, but you will be surprised how easily one can design a scheme that ensures these two new properties.
15 Partial Information Disclosure Suppose two parties are going to share a secret bit string. The two shares are generated as follows: –To generate the first bit of the two shares, we flip a coin. If the result of the coin flip is a head, then the first bit of the first share is 0; if the result is a tail, then the first bit of the first share is 1. –Now generate the first bit of the second share. If the result of the previous coin flip was a head, then we copy the first bit of the secret. Else, if the result was a tail, then we flip the first bit of the secret and use that. We repeat this random process for each bit of the secret.
16 Partial Information Disclosure Suppose for our example where the secret bit string is 1011, we flip the coin 4 times and get the sequence head, tail, tail, and head. Then the bits of our first share would simply be 0110. As a result, the bits of the second share would be 1101.
17 Partial Information Disclosure Now we need to show that this scheme satisfies the two properties mentioned earlier. –First, it is easy to see that the secret can be reconstructed from the two shares –Second, we also need to show that the secret cannot be recovered with less than two shares.
18 Partial Information Disclosure We know that the first share is generated through coin flipping. Obviously, it is random and has nothing to do with the secret. As for the second share, it is the result of a random transformation, based on coin flipping, of the secret. It should also be random.
19 Partial Information Disclosure Suppose you have the first share. Since you cannot see the second share or the secret, the two cases, where a given secret bit is 0 and where it is 1, look exactly the same from your share: either is consistent with the bit you hold. Therefore you cannot decide which secret is being shared, and you cannot figure out even a single bit of the secret.
20 Partial Information Disclosure If you had the second share, the situation is the same. Again, you cannot learn any bit of the secret from your share alone.
21 Partial Information Disclosure The precise meaning of "no information disclosure" can be formalized. We can easily generalize the scheme for cases where there are n parties: –we generate n-1 random bit strings (with the same number of bits as the secret) as the first n-1 shares; –the last share is the secret with each bit flipped once for every 1 that the n-1 random shares have in that position, so that flipping the secret according to all n shares together returns it.
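As an added example (not code from the slides), the coin-flip construction for two parties and its n-party generalization, with the flip/copy rule implemented as XOR over bytes; the helper names are my own.

```python
import secrets


def split_bits(secret_bits: str, coin_flips: str) -> tuple[str, str]:
    """Two-party scheme exactly as on the slides, on a string of 0/1
    characters.  coin_flips uses 'H' for head and 'T' for tail:
    head -> share1 bit 0, share2 copies the secret bit;
    tail -> share1 bit 1, share2 flips the secret bit."""
    if len(secret_bits) != len(coin_flips):
        raise ValueError("one coin flip per secret bit")
    share1 = "".join("0" if c == "H" else "1" for c in coin_flips)
    share2 = "".join(s if c == "H" else ("1" if s == "0" else "0")
                     for s, c in zip(secret_bits, coin_flips))
    return share1, share2


def split_secret(secret: bytes, n: int) -> list[bytes]:
    """n-party secret splitting: n-1 shares are uniformly random byte
    strings of the secret's length; the last share is the secret XORed
    with all of them (the bit-flipping rule applied byte-wise)."""
    if n < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytearray(secret)
    for share in shares:
        for i, b in enumerate(share):
            last[i] ^= b
    shares.append(bytes(last))
    return shares


def recover_secret(shares: list[bytes]) -> bytes:
    """XOR all n shares together.  Any proper subset is a uniformly
    random string, which is why it carries no information about s."""
    out = bytearray(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("shares must have equal length")
        for i, b in enumerate(share):
            out[i] ^= b
    return bytes(out)


if __name__ == "__main__":
    print(split_bits("1011", "HTTH"))          # the slides' example
    parts = split_secret(b"treasure map", 5)   # constructed secret
    print(recover_secret(parts))
```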
22 Modifying Disclosure Conditions Now we have this nice secret splitting scheme. But such a secret splitting scheme may not suffice in certain cases. Imagine that you are asked to design a control mechanism for a nuclear missile launch. –There is a control panel with a keyboard. –You can enter a secret code through the keyboard. –If the secret code is correct, then the missile gets launched. –There are three generals who are in charge of a missile launch.
23 Modifying Disclosure Conditions A simple solution would be to give the secret code to these three generals. But then it is possible for a lunatic general to start a war and destroy the planet. We need some sort of secret sharing here. –We will generate 3 shares from the secret code and give one share to each general.
24 Modifying Disclosure Conditions Because of the second property of secret splitting, we know that no single general is able to launch the missile by himself, because each general has only one share and has no information about the secret code. On the other hand, what if one general is a spy from a hostile country?
25 Modifying Disclosure Conditions We're not worried about him launching the missile by himself. But he can disable the missile launch capability by throwing away his share. Because the other two generals cannot authorize a missile launch without the third share, no missile can be launched, even if the country is under attack.
26 Modifying Disclosure Conditions The problem is really the availability of the secret code. This is an essential issue in this example because the capability to launch a missile depends on the availability of the secret code. Assuming that it is unlikely that more than 1 general could be compromised or unavailable,
27 Modifying Disclosure Conditions we may postulate the following policies: –A missile can be launched with 2 or more generals –Less than 2 generals may not launch a missile.
28 (n,t) Secret Sharing To generalize the properties, we get (n,t) secret sharing. Given a secret s, to be shared among n parties, that sharing should satisfy the following properties: –Availability: greater than or equal to t parties can recover s. –Confidentiality: less than t parties have no information about s.
29 (n,t) Secret Sharing In the missile launch example, we are in fact using a (3,2) secret sharing scheme. Also note that a secret splitting scheme is simply a special case of secret sharing where n is equal to t.
30 (n,t) Secret Sharing Let's start with the design of an (n,2) scheme. Let's say we want to share a secret s among n parties. We use some basic geometry: put the secret on the y-axis as the point (0, s), draw a random line through that point, and pick n distinct points on the line, none of them on the y-axis.
31 (n,t) Secret Sharing Each point that is picked represents a share. We claim that these n shares constitute an (n,2) sharing of s. Now we need to show that this scheme satisfies both the availability and confidentiality properties.
32 (n,t) Secret Sharing To show availability, we need to prove that two parties can recover the secret. Two parties have two shares; that is two points. Given these two points, how can we recover the secret? –We know that two points determine a line, so we can figure out the line that goes through both points. –Once we know the line, we know the intersection of the line with the y axis. –Then, we get the secret. –So, it only takes us two points (shares) to make the secret available.
33 (n,t) Secret Sharing What about confidentiality? We need to show that one share does not disclose any information about the secret. There are infinitely many lines that go through this one point, and these lines intersect the y-axis at different points, all of which yield different "secrets". In fact, given any possible secret, we can draw a line that goes through that secret and the given share. This means that with one point, no information about the secret is exposed.
34 (n,t) Secret Sharing Using the same idea, can we design an (n, 3) secret sharing scheme? Note that the key point in the (n,2) scheme is that a line is determined by two points, but not by one. Now we need a curve that is determined by three points, but not by two: a parabola, the curve of a degree-2 polynomial, has exactly this property.
35 (n,t) Secret Sharing To generalize the scheme even further, we have a construction of an (n, t) secret sharing scheme. Now we use the curve that corresponds to a polynomial of degree t-1. We randomly select a curve corresponding to such a polynomial that goes through the secret on the y-axis. Then we select n points on the curve. Using the same arguments, we can show that this scheme satisfies both the availability and confidentiality properties.
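As an added example (not the slides' own code), the polynomial construction carried out in code. It goes slightly beyond the geometric picture: the arithmetic is done modulo a prime rather than over the reals, which is how the "random curve" is made precise in practice and is the standard realization of this scheme; the prime and all function names are my own choices.

```python
import secrets

# Constructed modulus: any prime larger than the secret and than n works.
PRIME = (1 << 61) - 1


def make_shares(secret: int, n: int, t: int) -> list[tuple[int, int]]:
    """(n,t) sharing: pick a random polynomial f of degree t-1 with
    f(0) = secret (the curve through the secret on the y-axis) and hand
    out the points (x, f(x)) for x = 1..n, one point per party."""
    if not (1 <= t <= n) or not (0 <= secret < PRIME):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def f(x: int) -> int:
        # Horner evaluation of coeffs[0] + coeffs[1]*x + ... mod PRIME
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def recover(points: list[tuple[int, int]]) -> int:
    """Lagrange interpolation evaluated at x = 0.  t points determine
    the degree-(t-1) curve uniquely, so its y-intercept is the secret.
    With fewer than t points every intercept is still possible, so the
    value returned then is just one of the consistent 'secrets'."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # division in the field = multiplication by the modular inverse
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    shares = make_shares(123456789, n=5, t=3)   # (5,3) sharing, constructed secret
    print(recover(shares[:3]), recover(shares[2:]))
```

Any t of the n points recover the same secret; with the (3,2) missile example, t=2 generals suffice while one holds only a point on an unknown line.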
36 Online Secret Sharing Suppose now we want to maintain a secret on-line. We can store the secret on one server. However, if we do so, the secret would be disclosed if the server is compromised. If the server is corrupted, then the secret may be corrupted or lost.
37 Online Secret Sharing In distributed systems we can use replication to improve the availability of a service and achieve fault tolerance. Naive replication does improve availability, but it makes the service more vulnerable: every replica holds a full copy of the secret, so compromising any one of them exposes it.
38 Online Secret Sharing To solve these problems, we can split the secret into three shares using a (3,2) secret sharing scheme and give one share to each server. Now, assuming that it is unlikely that two servers would be compromised, the secret will remain available and confidential. Even if an adversary steals a share from one server, the adversary does not know the secret because a (3, 2) secret sharing scheme is used -- a single share exposes no information about the secret. In the event that a share is lost because of the collapse of one server, we still have two shares to recover the secret.
39 Online Secret Sharing How does a compromised server recover? Traditionally, server recovery is performed by re-starting the server with a clean copy of the code and the up-to-date state. Such recovery is no longer sufficient if a secret share is stored on this server.
40 Online Secret Sharing Let's look at what could happen over time. We have these three servers with three shares, a (3, 2) sharing of a secret s. In January, server 3 was attacked and share s3 is disclosed. We recovered the server immediately. In May, the same attacker successfully broke into server 2 and grabbed share s2. Now, this attacker has two shares and thus is able to recover the secret!
42 Online Secret Sharing The problem lies in the fact that the recovery of server 3 was not complete. One thing we should have done is to make any possibly exposed share obsolete. What do we mean by making a share "obsolete"? –Share s3, by itself, does not contain any information about the secret. –But it can be used together with share s1 or s2 to recover s. –If shares s1 and s2 are deleted (or forgotten) by the other two servers, then s3 becomes useless (i.e., obsolete). –The information on s3 is useless without s2 and s1.
43 Online Secret Sharing We cannot simply ask servers 1 and 2 to delete their shares, because we still want the servers to maintain the secret. What we can do, on the other hand, is to have another (3, 2) sharing of the same secret s, say s1', s2', s3', to replace the old shares.
44 Online Secret Sharing If we have a trusted entity, then this resharing can be performed as follows. –The servers first submit their shares to this trusted entity through secure links. –The trusted entity can then recover the secret from these shares and generate a new set of shares (s1', s2', s3') for s using a (3, 2) sharing scheme. –Note that the scheme to generate shares is random, so the new shares should be totally independent from the old ones. –That is, knowing two points on two different lines gives no disclosure of the secret.
45 Online Secret Sharing Unfortunately, we don't have the luxury of a trusted entity. In fact, such a trusted entity could become a vulnerability in the system; if the trusted entity is compromised when it performs re-sharing, then the secret could be disclosed. Therefore, we have to rely on the servers themselves to do re-sharing in a distributed manner. Again, no server can ever reconstruct the secret because otherwise the secret could be exposed if the server was compromised.
46 Proactive Secret Sharing We need a scheme that allows servers to generate a new set of shares for the same secret from the old shares without reconstructing the secret. Such a scheme is called a proactive secret sharing scheme (PSS). We have argued that PSS is needed for server recovery. But, in reality, break-ins to a server are very hard to detect, especially when the attacker simply steals certain secret information without modifying anything on the victim server. An attacker can cover his tracks when he exits. To strengthen the security of a replicated service, we can invoke our PSS periodically (at regular intervals).
48 Proactive Secret Sharing Before the execution of the PSS, every server checks the integrity of its code and state, trying to remove any attackers that might exist in that server at that point in time. How would our PSS improve security through periodic executions?
49 Proactive Secret Sharing With no PSS, using an (n, t) secret sharing scheme, a service can tolerate up to t-1 compromised servers during the entire lifetime of the service, because any more failures could lead to the exposure of the secret. With a PSS, the PSS refreshes all the shares, so that old shares become useless. Now an adversary has to gather enough shares (at least t) between two executions of the PSS, which obviously makes the attacker's job more difficult. The secret remains confidential as long as fewer than t servers are compromised from the start of one PSS execution to the end of the next.
50 Proactive Secret Sharing We first assume that an adversary can only break into a server and have access to information stored or collected by that server. The adversary cannot change the code of the server. Suppose we have a simple (2, 2) sharing scheme. To generate two shares for secret s, we randomly select s1 and s2 so that s1 + s2 = s. We want the two servers with shares s1 and s2 to change their shares to s1' and s2', so that these two shares remain a (2,2) sharing of the same secret s and are independent from the old shares (cannot be inferred from the old shares).
51 Proactive Secret Sharing The proactive secret sharing can be performed in the following steps: –Server 1 generates two subshares s11 and s12 from its share s1 using the same secret sharing scheme as the one used to generate s1 and s2 from s; that is, server 1 randomly selects two subshares s11 and s12 so that s1 = s11 + s12. Server 2 does the same thing to s2: it randomly generates two subshares s21 and s22 so that s2 = s21 + s22. –Server 1 sends s12 to server 2 through a secure channel. Server 2 sends s21 to server 1. –Server 1 now has both s11 and s21 and adds them up to get a new share s1' = s11 + s21. Server 2, on the other hand, has both s12 and s22 and generates a new share s2' = s12 + s22. Now we show that s1' and s2' constitute a (2,2) sharing: the sum of these two shares is the sum of all four subshares, which is the sum of s1 and s2, which is s.
52 Proactive Secret Sharing These two shares are independent from the old ones because these subshares are generated randomly. Also, no server knows the secret during the entire process. –Server 1 generates s11 and s12 and learns s21 from server 2, –but server 1 never knows s22 and thus does not know s2' or s. –Server 2, on the other hand, never knows s11, and thus does not know s1' or s.
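As an added example (my code, not the slides'), one round of the subshare-exchange refresh above, written for n servers holding an additive (n,n) sharing rather than just two; the (2,2) case on the slides is n = 2. Arithmetic is done modulo a constructed prime so that "random" subshares are well defined, and the secure channels are stood in for by a matrix in memory.

```python
import secrets

PRIME = (1 << 61) - 1   # constructed modulus; shares are integers mod PRIME


def additive_split(value: int, n: int) -> list[int]:
    """(n,n) additive sharing: n-1 uniformly random pieces plus one piece
    chosen so that all n pieces sum to value (mod PRIME)."""
    pieces = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    pieces.append((value - sum(pieces)) % PRIME)
    return pieces


def reconstruct(shares: list[int]) -> int:
    return sum(shares) % PRIME


def refresh(shares: list[int]) -> tuple[list[int], list[list[int]]]:
    """One PSS round.  Server i splits its share s_i into subshares
    sub[i][0..n-1] and sends sub[i][j] to server j over a secure channel.
    Server j's new share is the sum of column j.  Columns sum to the rows'
    total, so the new shares still add up to s, yet nobody ever holds s.
    The subshare matrix is returned only so the reader can inspect views."""
    n = len(shares)
    sub = [additive_split(s, n) for s in shares]           # sub[i][j] = s_ij
    new = [sum(sub[i][j] for i in range(n)) % PRIME for j in range(n)]
    return new, sub


def server_view(sub: list[list[int]], i: int) -> set[tuple[int, int]]:
    """Indices (row, col) of the subshares server i ever sees: its own row
    (it generated them) and column i (sent to it).  Every other server's
    diagonal entry sub[j][j] stays hidden, so s_j' and s are unknown to i."""
    n = len(sub)
    return {(i, j) for j in range(n)} | {(j, i) for j in range(n)}


if __name__ == "__main__":
    s = 31337                                   # constructed secret
    old = additive_split(s, 3)                  # January: shares s1, s2, s3
    new, sub = refresh(old)                     # PSS run after server 3's recovery
    print(reconstruct(new) == s)                # new shares still encode s
    # An attacker holding old s3 and new s2' mixes two different sharings
    # and learns nothing: (old[2] + new[1]) % PRIME is unrelated to s.
    print((old[2] + new[1]) % PRIME)
```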