Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Sharing (or, more accurately, “Secret Splitting”)

Published byFrancis Shields Modified over 6 years ago

Similar presentations

Presentation on theme: "Secret Sharing (or, more accurately, “Secret Splitting”)"— Presentation transcript:

1 Secret Sharing (or, more accurately, “Secret Splitting”)
Original slides by Nisarg Raval Material is adapted from CS513 lecture notes (Cornell)

2 Why split a secret?

3 Goal Given a secret s first held by a “dealer” and then splits n shares among n parties called “players” All n players together recover s Less than n players can not recover s

4 Naive Scheme S=10011 Concatenate shares to reveal secret
High Order Low Order Concatenate shares to reveal secret S = (S1)(S2) = (100)(11) = 10011 What is the problem? - Think of a salary or password

5 No Partial Disclosure Given a secret s and n players
All n players together recover s Less than n can not recover any information about s (unconditional security)

6 Dealer Generates Shares using XOR
S1 = Rand S2 = S XOR S1 10100 00111 10011 S = S1 XOR S2

7 General Scheme Given a secret s and n players
Dealer generates n-1 random strings as first n-1 shares Last share is the bitwise XOR of s with all the other n-1 shares

8 General Scheme Given a secret s and n players
Dealer generates n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n players generate s?

9 General Scheme Given a secret s and n parties
Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n players generate s? Can any n-1 players generate s?

10 A More Flexible Scenario

11 A More Flexible Scenario
? S can be constructed by 2 or more generals Less than 2 generals can not construct s

12 (n,t) Secret Sharing Given a secret s and n players
Any t or more players can recover s Less than t players have no information about s (3,2) secret sharing S=10011 S1 S2 S3 S

13 (n,2) Secret Sharing y (0,S) x secret S is y intercept

14 (n,2) Secret Sharing (xn-1,yn-1) (xn,yn) (x1,y1) y (x2,y2) (0,S) x

15 (n,2) Secret Sharing y shares x (xn-1,yn-1) (xn,yn) (x1,y1) (x2,y2)

16 (n,2) Secret Sharing (xn-1,yn-1) (x1,y1) y (0,S) x

17 (n,2) Secret Sharing one share does not suffice y x
for every secret S, there is a line through x1,y1 (x1,y1) y (0,S) x

18 three points determine a quadratic polynomial
(n,3) Secret Sharing (0,S) (x1,y1) (x2,y2) (xn-1,yn-1) (xn,yn) three points determine a quadratic polynomial

19 Shamir’s Secret Sharing
It takes t points to define a polynomial of degree t-1 Easy to prove corollary of the Fundamental Theorem of Algebra, which states that a polynomial of degree n > 0 has exactly n roots (when counted with multiplicity) Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd. Create a degree-(t-1) polynomial with secret as the constant coefficient and the remaining coefficients chosen at random Find n points on the curve (not at x=0) and give one to each of the players. At least t points are required to fit the polynomial and hence to recover secret (and any t points will suffice) y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM

20 Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key

21 Dyadic Security Product
Pure-software virtual hardware security module (HSM). (Other vendors sell HSMs similar to TPMs that can store private keys and perform TLS operations.) Share secret (e.g., private key for TLS) across multiple servers. Perform TLS operations using secure multiparty computation so that no server learns private key. Assumes that it is more difficult to break into one server than several.

22 Unconditional Security
Each share must be as long as the secret itself, e.g., number of possible values of polynomial at each point where it is evaluated must be the same as number of possible y-intercepts Require random bits of length proportional to the number of players n as well as length of the secret l Can the sizes of the shares be reduced?

23 “Secret Sharing Made Short”
Dealer begins by choosing a random symmetric key, e.g., a 256-bit AES key Dealer encrypts the secret using the symmetric key Symmetric key is split using Shamir’s (n,t) scheme (n shares, each 256 bits): n*256 bits Encrypted secret is encoded using an (n,t) error correcting code Suppose encrypted secret length is l bits. Code uses n “symbols” each l/t bits long: nl/t bits. Any t symbols out of n suffice to recover the encrypted secret. Total bits: n*256 + nl/t (versus nl)

24 Idea Behind Error Correcting Code
Use a polynomial as before. Break the “message” (e.g., the encrypted secret) into t pieces of length l/t. Let yi denote the i’th piece. Create a polynomial f(x) where f(xi)=yi for some arbitrarily chosen x1, x2, …, xt, e.g., xi=i. Now the goal is to recover not f(0), but f(x1), f(x2), …, f(xt) Evaluate the polynomial at n-t other locations xt+1,…,xn, e.g., xi=i. The n f(xi) values are the symbols Can recover the full polynomial from any t symbols Once the polynomial is recovered, find values at x1, …, xt.

25 Why is this scheme not unconditionally secure?
It’s possible to learn some of the information about the encrypted secret from fewer than t shares, e.g., knowing f(x1) means knowing the first piece of the encrypted secret. The error correcting code isn’t trying to hide information. The goal is the opposite: enable the recovery of as much information as possible from whatever symbols are at hand. So the security depends on the strength of the encryption system, e.g., AES, which is NOT unconditionally secure, since key length (256 bits) may be less than secret length l.

26 Why isn’t AES Unconditionally Secure?
Suppose message length is l bits, and key length is k bits, e.g., k=256, where k may be much less than l. Given a ciphertext encrypted with a k-bit key, adversary can narrow down plaintext to 2k possibilities out of 2l by decrypting with all possible k-bit key values. (Although this approach is not computationally efficient.)

27 Problem? S1 compromised S1 S2 compromised S2 S3 S1 + S2  Secret Time

28 Refresh Shares S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time
Trusted Third Party S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time

29 Refresh Shares S’1 S’’1 S1 S’2 S’’2 S2 S’3 S’’3 can not
Trusted Third Party S’1 S’’1 S1 S1 compromised S’2 S’’2 S2 S’2 compromised S’3 S’’3 can not construct secret S3 Time

30 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

31 Proactive Secret Sharing
Server 1 Server 2 S1 S2 S11  S12 S21  S22 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

32 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11  S12 S21  S22 S21 S12 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

33 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11  S12 S21  S22 S21 S12 Compute New Shares   S’2 S’1 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

34 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Recover S (S11  S21)  (S12  S22) S

35 BitCoin Multi-Signature Addresses
Related to, but different than secret sharing. Secret sharing: split a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.

36 Opening the Vault

Download ppt "Secret Sharing (or, more accurately, “Secret Splitting”)"

Similar presentations

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.

Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.

Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Aggregation in Sensor Networks

Aggregation in Sensor Networks
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Cryptography, Authentication and Digital Signatures

Cryptography, Authentication and Digital Signatures
1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS 4362 - CIS 5357 Network Security.

1 Lecture 9 Public Key Cryptography Public Key Algorithms CIS CIS 5357 Network Security.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.

CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.

Chapter 3: Basic Protocols Dulal C. Kar. Key Exchange with Symmetric Cryptography Session key –A separate key for one particular communication session.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!

Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.

Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Secret Sharing. 2 Suppose you and your friend accidentally discovered a map that you believe would lead you to an island full of treasure. You and your.

1 Secret Sharing. 2 Suppose you and your friend accidentally discovered a map that you believe would lead you to an island full of treasure. You and your.
15-499Page 1 15-499:Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.

15-499Page :Algorithms and Applications Cryptography I – Introduction – Terminology – Some primitives – Some protocols.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Attacking RSA Brian Winant Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical.

Attacking RSA Brian Winant Reference “Twenty Years of Attacks on the RSA Cryptosystem” By Dan Boneh In Notices of the American Mathematical.
Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes.

Secret Sharing Nisarg Raval Sep 24, Material is adapted from CS513 lecture notes.

Similar presentations

Ads by Google