Download presentation
Presentation is loading. Please wait.
Published byEsmond Hill Modified over 9 years ago
1
Secret Sharing Nisarg Raval Sep 24, 2014 http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html Material is adapted from CS513 lecture notes (Cornell) CPS 290 - Computer Security
2
Why share a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg
3
Goal Given a secret s and n parties a.All n parties together recover s b.Less than n parties can not recover s
4
https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg Naive Scheme S=10011 S 1 = 100S 2 = 11 Concat shares to reveal secret - S = (S 1 )(S 2 ) = (100)(11) = 10011 High OrderLow Order What is the problem? - Think of a salary or password
5
Partial Disclosure Given a secret s and n parties a.All n parties together recover s b.Less than n can not recover any information about s
6
Generate Shares using XOR S=10011 1010000111 S 1 = RandS 2 = S XOR S 1 S = S 1 XOR S 2 10011 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
7
General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares
8
General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares Security Check a.Can n parties generate s?
9
General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares Security Check a.Can n parties generate s? b.Can any n-1 parties generate s?
10
Example S=10011 S1S1 S2S2 S3S3 S2S2 S https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
11
Problem? S=10011 S1S1 S2S2 S3S3 S2S2 ? S can be constructed by 2 or more generals Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg
12
(n,t) Secret Sharing Given a secret s and n parties a.Any t or more parties can recover s b.Less than t parties have no information about s S=10011 S1S1 S2S2 S3S3 S2S2 S (3,2) secret sharing
13
(n,2) Secret Sharing (0,S) x y
14
(n,2) Secret Sharing (0,S) (x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 )(x n,y n ) x y
15
(n,2) Secret Sharing (0,S) (x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 )(x n,y n ) x y Shares
16
(n,2) Secret Sharing (0,S) (x 1,y 1 ) (x n-1,y n-1 ) x y
17
(n,2) Secret Sharing (0,S) (x 1,y 1 ) x y Exist a line for every S
18
(n,3) Secret Sharing (0,S)(x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 ) (x n,y n )
19
Shamir’s Secret Sharing It takes t points to define a polynomial of degree t-1 Create a (t-1) - degree polynomial with secret as the first coefficient and the remaining coefficient picked at random Find n points on the curve and give one to each of the parties. At least t points are required to fit the polynomial and hence to recover secret Shamir, Adi (1979), "How to share a secret", Communications of the ACM y = a t-1 * x t-1 + a t-2 * x t-2 + … + a 1 * x + a 0
20
Use Case S1S1 S3S3 S2S2 (3,2) Secret Sharing Scheme (3,2) Secret Sharing Scheme Private Key
21
Problem? Time S1S1 S3S3 S2S2 S 1 compromised S 2 compromised S 1 + S 2 = Secret
22
Refresh Shares S1S1 S3S3 S2S2 Time Trusted Third Party S’ 1 S’ 3 S’ 2 S’’ 1 S’’ 3 S’’ 2
23
Refresh Shares S1S1 S3S3 S2S2 Time Trusted Third Party S’ 1 S’ 3 S’ 2 S’’ 1 S’’ 3 S’’ 2 S 1 compromised S’ 2 compromised can not construct secret
24
Proactive Secret Sharing S1S1 S S2S2 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
25
Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
26
Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
27
Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares S’ 1 S’ 2 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.
28
Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares S’ 1 S’ 2 S Server 1Server 2 (S 11 + S 21 ) + (S 12 + S 22 ) Recover S
29
BitCoin Multi-Signature Addresses Related to, but different than secret sharing. Secret sharing: break a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.
30
Opening the Vault
31
Summary Useful technique to distribute secret Confidentiality Reliability Each share must be as long as the secret itself Require random bits of length proportional to the number of parties as well as length of the secret
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.