Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robust Sharing of Secrets when the Dealer Is Honest or Cheating Tal Rabin 1994 Brian Fry COEN 317 12-03-2003.

Published byNatalie James Modified over 9 years ago

Similar presentations

Presentation on theme: "Robust Sharing of Secrets when the Dealer Is Honest or Cheating Tal Rabin 1994 Brian Fry COEN 317 12-03-2003."— Presentation transcript:

1 Robust Sharing of Secrets when the Dealer Is Honest or Cheating Tal Rabin 1994 Brian Fry COEN 317 12-03-2003

2 Introduction •Verifiable Secret Sharing •n>=2t+1 where t are cheaters •k>t required to reconstruct secret •Assumes private communication and group broadcast (for dishonest dealers) •Information checking for authentication  Weak Secret Sharing – may not always complete with dishonest dealers

3 Example Application •Company checks require secret key authentication •3 of the 20 Vice presidents must approve check •Any 2 can not decipher the key •Can also distribute key to CEO

4 (k,n) secret sharing scheme •Shamir. 1979. How to share a secret •q(x)=D+a 1 x+... +a k-1 x k-1 •D=Data to be shared •a=k-1 random numbers •Pick (n>=k) random unique values of x •Distribute x, q(x) to each n •Any k together can interpolate D

5 Linear Example (k=2)

6 Quadratic Example (k=3)

7 Interpolation •k=2, y=mx+b for 2 points •k=3, y=m 1 x 2 +m 2 x+b for 3 points •k equations, k unknowns •Entire polynomial is reconstructed to recreate secret

8 Motivation  Shamir ’ s algorithm doesn ’ t work with dishonest players  Need to detect cheaters – use digital signatures or information checking •Byzantine Agreements possible •Exponentially small probability of error

9 Information Checking • Dealer hands information to intermediary, then later delivers to recipient • Must assure reliable, correct, and secure delivery • The dealer D chooses two random numbers b, y and computes c=sb+y. • The dealer hands to INT the values s and y. • The dealer hands to R b, c • INT will transmit s and y to the recipient R. • R will compute sb + y and will accept if it equals c.

10 Terminology  Players: participants, 2 types Knights – honest, Knaves – dishonest •Dealer: coordinator, could also be a player •Adversary: any knight may become a knave at any time dynamically •All computations done modulus a large prime

11 Weak Secret Sharing  Use Shamir ’ s secret sharing scheme •Verify all data using Information Checking for all other nodes •Secretly communicate sharing data, but broadcast checking data •Require n>=2t+1 where t are cheaters, pick k required for secret sharing >t

12 Analysis •Probability of failure < k 2 n/2 k •6 rounds of communication •4n 2 k messages per round •2kn computations per round

13 Verifiable Secret Sharing •If a player is determined to be a cheater by using Information Checking, then broadcast sharing data from the dealer •Share 2 values and check the sum •Zero knowledge proof •Protocol must complete so check that all players have properly received the share

14 Analysis •Probability of failure < 7k 2 n 4 /2 k •14 rounds of communication •4n 3 k 2 messages per round •2k 2 n 2 computations per round

15 Conclusion •Weak Secret Sharing much simpler than Verifiable Secret Sharing •If the dealer is known to be honest, there are less rounds and no need for broadcasting •Information checking can be used in other applications

16 Questions?

Download ppt "Robust Sharing of Secrets when the Dealer Is Honest or Cheating Tal Rabin 1994 Brian Fry COEN 317 12-03-2003."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Secret Sharing Protocols [Sha79,Bla79]

Secret Sharing Protocols [Sha79,Bla79]
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
A Perfect Threshold Secret Sharing Scheme to Identify Cheaters Marco Carpentieri Designs, Codes and Cryptography 5(3):183-187, May 1995 Presented by Po-Kun.

A Perfect Threshold Secret Sharing Scheme to Identify Cheaters Marco Carpentieri Designs, Codes and Cryptography 5(3): , May 1995 Presented by Po-Kun.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.

1 Authenticated key agreement without using one-way hash functions Harn, L.; Lin, H.-Y. Electronics Letters, Volume: 37 Issue: 10, 10 May 2001 Presented.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.

1 Key Management in Mobile Ad Hoc Networks Presented by Edith Ngai Spring 2003.
Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 90321019 王怡君.

Sec final project A Preposition Secret Sharing Scheme for Message Authentication in Broadcast Networks 王怡君.
Secure Multi-party Computations (MPC) A useful tool to cryptographic applications Vassilis Zikas.

Secure Multi-party Computations (MPC) A useful tool to cryptographic applications Vassilis Zikas.

Similar presentations

Ads by Google