Committee Chair: Michael McLendon Vice Chair: Brother Beavers Brother Smalls Brother Leaf
ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack...
Transcript of ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack...
![Page 1: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/1.jpg)
Security of Linear Secret-Sharing Schemes Against Mass SurveillanceRuxandra F. Olimid
Crypto vs. Mass Surveillance: The Uneasy Relationship Workshop 2016
November 14, 2016 Trondheim, Norway
![Page 2: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/2.jpg)
2
Security of
Linear Secret-Sharing Schemes
Against Mass Surveillance
![Page 3: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/3.jpg)
3
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only by using an authorised set of shares
![Page 4: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/4.jpg)
4
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 5: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/5.jpg)
5
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 6: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/6.jpg)
6
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 7: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/7.jpg)
7
Visual SSS
= +
= +
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 8: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/8.jpg)
8
All-or-Nothing SSS
1000 1101 = 1011 0110 XOR 0011 1011
0??? ???? = 1011 0110 XOR 1??? ????
???? ???? = 1011 0110 XOR ???? ????
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 9: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/9.jpg)
9
Linear SSS
s
rMS = .
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
![Page 10: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/10.jpg)
10
Linear SSS s
rMS = .
![Page 11: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/11.jpg)
11
Connection to Mass Surveillance?
Motivation: management of cryptographic keys
[A.Shamir, How to Share a Secret (1979)]
![Page 12: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/12.jpg)
12
Real-Life Scenario: DNSSEC
https://www.youtube.com/watch?v=1LLHPnxQm-M
https://www.iana.org/dnssec/ceremonies
https://www.nanog.org/sites/default/files/1_Lewis_Rolling_the_Root_Zone_DNSSEC_Key_Signing_Key.pdf
![Page 13: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/13.jpg)
13
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
![Page 14: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/14.jpg)
14
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
![Page 15: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/15.jpg)
15
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
![Page 16: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/16.jpg)
16
Assumptions
(3) big brother controls some servers (not enough to reconstruct!) (4) big brother might had previously interacted with the dealer
![Page 17: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/17.jpg)
17
Assumptions
(3) big brother controls some servers (not enough to reconstruct!) (4) big brother might had previously interacted with the dealer
![Page 18: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/18.jpg)
18
Existing Work
[Crypto’14]
[EuroCrypt’97]
randomisation
Encryption
Key Exchange
Signature Schemes
…
[’04]
![Page 19: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/19.jpg)
19
Security of Linear Secret-SharingSchemes Against Mass Surveillance
- Based on the paper by -
Irene Giacomelli, Ruxandra F.Olimid , Samuel Ranellucci
Aarhus University, Denmark; University of Bucharest, Romania
Special thanks to Samuel Ranellucci for kindly allowing meto build my presentation on top of the slides he had used for CANS`15.
![Page 20: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/20.jpg)
20
Parties
![Page 21: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/21.jpg)
21
GoalsUser
Big Brother
wants to hide secrets from big brother
wants to learn the user`s secret
wants to detect if big brother is trying to learn the secret
might use a detector
wants to hide that he is trying to learn the secret
might previously subvert the dealer
![Page 22: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/22.jpg)
22
Successful Subversion
Surveillance
![Page 23: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/23.jpg)
23
Successful Subversion
Undetectability
![Page 24: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/24.jpg)
24
Successful Subversion
![Page 25: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/25.jpg)
25
Successful Resilience
No surveillance
![Page 26: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/26.jpg)
26
Successful Resilience
Detectable subversion
![Page 27: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/27.jpg)
27
Successful Resilience
![Page 28: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/28.jpg)
28
Results
![Page 29: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/29.jpg)
29
Shares Replacement Attack
Subverted dealer:
• generates t shares using big brother`s PK such that: • big brother uses SK to reconstruct (part of) s from
the t corrupted shares (surveillance) • the t shares are indistinguishable from shares
generated by a honest dealer (undetectability)
• fixes the above shares and extends to the full set of shares
![Page 30: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/30.jpg)
30
Shares Replacement Attack (t>1)
![Page 31: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/31.jpg)
31
Subversion Resilience
![Page 32: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/32.jpg)
32
Subversion Resilience
![Page 33: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/33.jpg)
33
Subversion Resilience
![Page 34: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/34.jpg)
34
Subversion Resilience
![Page 35: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/35.jpg)
35
Subversion Resilience
![Page 36: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/36.jpg)
36
Subversion Resilience
![Page 37: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/37.jpg)
37
Subversion Resilience
![Page 38: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/38.jpg)
38
Subversion Resilience
![Page 39: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/39.jpg)
39
Subversion Resilience
![Page 40: ROL#LSSS Mass Surveillancecms16.item.ntnu.no/slides/ruxandra.pdf29 Shares Replacement Attack Subverted dealer: • generates t shares using big brother`s PK such that: • big brother](https://reader035.fdocuments.in/reader035/viewer/2022070912/5fb4124b3cb1f82b6d28ee9b/html5/thumbnails/40.jpg)
40
Thank you!
Q&A