Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Sharing CPS Computer Security Nisarg Raval Sep 24, 2014

Published bySophia Harris Modified over 5 years ago

Similar presentations

Presentation on theme: "Secret Sharing CPS Computer Security Nisarg Raval Sep 24, 2014"— Presentation transcript:

1 Secret Sharing CPS 290 - Computer Security Nisarg Raval Sep 24, 2014
Material is adapted from CS513 lecture notes (Cornell)

2 Why share a secret?

3 Goal Given a secret s and n parties All n parties together recover s
Less than n parties can not recover s

4 Naive Scheme S=10011 S1 = 100 S2 = 11 High Order Low Order
Concatenate shares to reveal secret - S = (S1)(S2) = (100)(11) = 10011 What is the problem? - Think of a salary or password

5 No Partial Disclosure Given a secret s and n parties
All n parties together recover s Less than n can not recover any information about s

6 Generate Shares using XOR
S1 = Rand S2 = S XOR S1 10100 00111 10011 S = S1 XOR S2

7 General Scheme Given a secret s and n parties
Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares

8 General Scheme Given a secret s and n parties
Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s?

9 General Scheme Given a secret s and n parties
Generate n-1 random strings as first n-1 shares Last share is the bitwise XORing of s with all the other n-1 shares Security Check Can n parties generate s? Can any n-1 parties generate s?

10 A More Flexible Scenario

11 A More Flexible Scenario
? S can be constructed by 2 or more generals Less than 2 generals can not construct s

12 (n,t) Secret Sharing Given a secret s and n parties
Any t or more parties can recover s Less than t parties have no information about s (3,2) secret sharing S=10011 S1 S2 S3 S

13 (n,2) Secret Sharing y (0,S) x

14 (n,2) Secret Sharing (xn-1,yn-1) (xn,yn) (x1,y1) y (x2,y2) (0,S) x

15 (n,2) Secret Sharing y Shares x (xn-1,yn-1) (xn,yn) (x1,y1) (x2,y2)

16 (n,2) Secret Sharing (xn-1,yn-1) (x1,y1) y (0,S) x

17 (n,2) Secret Sharing Exist a line for every S (x1,y1) y (0,S) x

18 (n,3) Secret Sharing (0,S) (x1,y1) (x2,y2) (xn-1,yn-1) (xn,yn)

19 Shamir’s Secret Sharing
It takes t points to define a polynomial of degree t-1 Easy to prove corollary of the Fundamental Theorem of Algebra – a polynomial of degree n has exactly n roots (when counted with multiplicity) Suppose two distinct degree-(t-1) polynomials p1(x) and p2(x) both pass through the same set of t points. Then p1(x)-p2(x) has t roots, which is absurd. Create a (t-1)-degree polynomial with secret as the first coefficient and the remaining coefficient picked at random Find n points on the curve and give one to each of the parties. At least t points are required to fit the polynomial and hence to recover secret y = at-1 * xt-1 + at-2 * xt-2 + … + a1 * x + a0 Shamir, Adi (1979), "How to share a secret", Communications of the ACM

20 Use Case S1 (3,2) Secret Sharing Scheme S2 S3 Private Key

21 Problem? S1 compromised S1 S2 compromised S2 S1 + S2 = Secret S3 Time

22 Refresh Shares S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time
Trusted Third Party S’’1 S’’3 S’’2 S’1 S’3 S’2 S1 S2 S3 Time

23 Refresh Shares S’1 S’’1 S1 S’2 S’’2 S2 S’3 S’’3 can not
Trusted Third Party S’1 S’’1 S1 S1 compromised S’2 S’’2 S2 S’2 compromised S’3 S’’3 can not construct secret S3 Time

24 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

25 Proactive Secret Sharing
Server 1 Server 2 S1 S2 S11 S12 S21 S22 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

26 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

27 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

28 Proactive Secret Sharing
Server 1 Server 2 S1 S2 Exchange Partial Shares S11 S12 S21 S22 S21 S12 S’2 S’1 Recover S (S11 + S21) + (S12 + S22) S

29 BitCoin Multi-Signature Addresses
Related to, but different than secret sharing. Secret sharing: break a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.

30 Opening the Vault

31 Summary Useful technique to distribute secret Confidentiality
Reliability Each share must be as long as the secret itself Require random bits of length proportional to the number of parties as well as length of the secret

Download ppt "Secret Sharing CPS Computer Security Nisarg Raval Sep 24, 2014"

Similar presentations

Notes 6.6 Fundamental Theorem of Algebra

Notes 6.6 Fundamental Theorem of Algebra
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
General Results for Polynomial Equations

General Results for Polynomial Equations
ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, A Public-Key Cryptosystem and a Signature Scheme.

ElGamal Public Key Cryptography CS 303 Alg. Number Theory & Cryptography Jeremy Johnson Taher ElGamal, "A Public-Key Cryptosystem and a Signature Scheme.
Objectives Fundamental Theorem of Algebra 6-6

Objectives Fundamental Theorem of Algebra 6-6
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
9.9 The Fundamental Theorem of Algebra

9.9 The Fundamental Theorem of Algebra
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
The Rational Root Theorem.  Is a useful way to find your initial guess when you are trying to find the zeroes (roots) of the polynomial.  THIS IS JUST.

The Rational Root Theorem.  Is a useful way to find your initial guess when you are trying to find the zeroes (roots) of the polynomial.  THIS IS JUST.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
1 Secret Sharing. 2 Suppose you and your friend accidentally discovered a map that you believe would lead you to an island full of treasure. You and your.

1 Secret Sharing. 2 Suppose you and your friend accidentally discovered a map that you believe would lead you to an island full of treasure. You and your.
COMPLEX ZEROS: FUNDAMENTAL THEOREM OF ALGEBRA Why do we have to know imaginary numbers?

COMPLEX ZEROS: FUNDAMENTAL THEOREM OF ALGEBRA Why do we have to know imaginary numbers?
Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes.

Secret Sharing Nisarg Raval Sep 24, Material is adapted from CS513 lecture notes.
Secret Sharing and Key Escrow Supplemental Information for Cryptology Class Lecture slides by Richard Newman.

Secret Sharing and Key Escrow Supplemental Information for Cryptology Class Lecture slides by Richard Newman.
1 © 2010 Pearson Education, Inc. All rights reserved © 2010 Pearson Education, Inc. All rights reserved Chapter 3 Polynomial and Rational Functions.

1 © 2010 Pearson Education, Inc. All rights reserved © 2010 Pearson Education, Inc. All rights reserved Chapter 3 Polynomial and Rational Functions.
3.6 Complex Zereos. The Fundamental Theorem of Algebra The Fundamental Theorem of Algebra says that every polynomial with complex coefficients must have.

3.6 Complex Zereos. The Fundamental Theorem of Algebra The Fundamental Theorem of Algebra says that every polynomial with complex coefficients must have.
Holt McDougal Algebra 2 6-6 Fundamental Theorem of Algebra Use the Fundamental Theorem of Algebra and its corollary to write a polynomial equation of least.

Holt McDougal Algebra Fundamental Theorem of Algebra Use the Fundamental Theorem of Algebra and its corollary to write a polynomial equation of least.
1 Lect. 19: Secret Sharing and Threshold Cryptography.

1 Lect. 19: Secret Sharing and Threshold Cryptography.
Every polynomial P(x) of degree n>0 has at least one zero in the complex number system. N Zeros Theorem Every polynomial P(x) of degree n>0 can be expressed.

Every polynomial P(x) of degree n>0 has at least one zero in the complex number system. N Zeros Theorem Every polynomial P(x) of degree n>0 can be expressed.
CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.

CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature.

Similar presentations

Ads by Google