Secret Sharing

8/6/2019 Secret Sharing

1/29


2/29

Secret sharing

Secret sharing refers to method for distributing a secretamongst

a group of participants, each of whom is allocated a share of the

secret. The secret can be reconstructed only when a sufficient

number of shares are combined together; individual shares are

of no use on their own.


3/29

History*


4/29


5/29

Blakleys Scheme

Secret is encoded as a point in a space.

Keys are given as hyper planes rotated around

the point in space. Therefore the intersection

of t hyper planes will be the key.


6/29


7/29

Shamirs Scheme

Mathematically the goal is to divide some data

D into n pieces D1,, Dn.

The following criteria are met Knowledge of any kor more Di pieces makes D computable.

Knowledge of any k-1 or fewer Di pieces leaves D completely

undetermined.

This scheme is called (k , n) threshold scheme.


8/29

Shamirs Scheme

The scheme turns the secret into a polynomial

of degree k, where k is the number of keys

needed to get the secret.


9/29

Shamirs Scheme

Choose at random k-1 coefficients a1,, ak-1and let a0 be the secret.

f(x)=a0

+a1

x++ ak-1

xk-1

Select randomly any n points out of it (i , f(i)).

Every participant is given a point.


10/29

Verifiable Secret Sharing(VSS)

In verifiable secret sharing (VSS) the object is to resist malicious players,

such as

(i) a dealer sending incorrect shares to some or all of the participants, and

(ii) participants submitting incorrect shares during the reconstruction

protocol

In publicly verifiable secret sharing (PVSS), it is an explicit goal that not just

the participants can verify their own shares, but that anybody can verify that

the participants received correct shares.


11/29

Publically Verifiable Secret Sharing(PVSS)

Proofof correctness for each share released .

No private channels between the dealer and the

participants are assumed.

All communication is done over (authenticated)public channels using public key encryption.


12/29

Model for non-interactive PVSS

Initialization

Generation of system parameters.

Registration of Participants.

The actual set of participants taking part in a run of the PVSS scheme must bea subset of the registered participants.

Distribution

The distribution of a secret s is performed by the dealer D.

The dealer first generates the respective shares sifor participant PiFor each participant Pi the dealer publishes the encrypted share Ei(si).

The dealer also publishes a string PROOFD

to show that each Ei

encrypts ashare si.

The string PROOFD commits the dealer to the value of secret s, and itguarantees that the reconstruction protocol will result in the same value s.


13/29


Verification of the shares.

Any party knowing the public keys for the encryption

methods Ei may verify the shares.

For each participant Pi a non-interactive verificationalgorithm can be run on PROOFD to verify that Ei(si) is

a correct encryption of a share for Pi.

If verifications fail => dealer fails, protocol is aborted.


14/29


ReconstructionThe protocol consists of two steps:

1.Decryption of the shares.

The participants decrypt their shares si from Ei(si). It is not requiredthat all participants succeed in doing so, as long as a qualified set ofparticipants is successful. These participants release si plus a stringPROOFPithat shows that the released share is correct.

2. Pooling the shares.

The strings PROOFPi are used to exclude the participants which aredishonest or fail to reproduce their share si correctly. Reconstruction ofthe secret s can be done from the shares of any qualified set ofparticipants.


15/29

The Math

The prover knows such that h1 = g1 and h2 = g2

:

1. The prover sends a1 = g1w and a2 = g2

w to the verifier,

2. The verifier sends a random challenge c to the prover.

3. The prover responds with r = w

c (mod q).4. The verifier checks that a1 = g1

rh1c and a2 = g1

rh1c


16/29

The Math

Distribution & Verification Distribution of the shares. The dealer picks a random

polynomial p of degree at most t 1 with coefficients in Zq

The dealer shows that the encrypted shares are consistent byproducing a proof of knowledge of the unique p(i), 1


17/29

The Math

Reconstruction

Decryption of the shares: Using its private key xi, each

participant finds the share Si= Gp(i) which comes from

Proof :


18/29

Homomorphic Secret Sharing

Benaloh [Ben87a]


19/29

Electronic Voting

An election proceeds in two phases

Ballot Casting- Voters post their vote in encrypted form.The validity of the vote can be publically verified.

Tallying- The talliers use their private keys to collectivelycompute the final tally corresponding with the

accumulation of all valid ballots.

Technically each voter will act as a dealer in

the PVSS scheme.


20/29

Ballot Casting

A voter casts a vote v0 or 1 and encrypts it as

U= Gs+v where s is a random number.

The voter constructs a PROOFU showing that v

{0,1} without revealing any information on v.

PROOFU refer to the value of C0=gs which is

also published.


21/29

Tallying

The tallying protocol uses the reconstruction

protocol of special PVSS scheme and

homomorphic property.

Accumulate all respective share and compute

the values Yi*, where j ranges over all voters.


22/29

Tallying

Next each tallier Ai applies the reconstruction

protocol to the value Yi*, which will produce

Combining with we obtain

From this the tally can

be computed efficiently.


23/29

Example*

The following example illustrates a sample voting with 5 voters among which

2 are talliers. is the cyclic group under which we shall be working.

Generators used are g=2 and G=7.Note that all the computations henceforth are mod 13

Private

Keys

Public

Keys

Vote S(random

numbers)

U (encrypted votes) gs

1 7 0 7 6 11

2 10 1 8 8 9

3 5 1 1 10 2

4 9 0 2 10 4

5 11 0 11 2 7

The value of C0 = gs is published as part of the PVSS distribution protocol, and

shows that logG U = logg C0 OR logG U = 1 + logg C0 (Vote is 0 or 1)


24/29

Example contd.

Now since there are 2 talliers which implies that all the votes can be

combined iff all of them agrees to tally. For this to work, the curves used

would simply be straight lines with the constant term as the secret values s.

Polynomial pi

(x) pi

(1) pi

(2)

3x+7 10 13

4x+8 12 16

x+1 2 3

11x+2 13 24

7x+11 18 25

Note that the voters do not publish p i(1) or pi(2). They publish Yij which is yipj

(i)

yi is the public key of tallier i, since we have only 2 talliers, I have computed the values

of pi(1) and p2(2) in the table itself and avoided yipj

(i) for clarity.


25/29

Example contd.

Next we compute the values of Y1* and Y2*.

Y1* = 7(10+12+2+13+18) = 755 = 6

Y2* = 10(13+16+3+24+25) =1081 = 12

Now the values of S1 and S2 can be computed by respective talliers by using

their private keys x1 = 1 and x2 = 2.Therefore S1 = (Y1*)

1/x1 = 6and S2 = (Y2*)1/x2 = 121/2 = 5.

Next comes the homomorphic combination of secrets by computing

1 = 2 , 2 = -1 ; Gs = 62 .5-1 = 9/2 = 9*7 = 63 = 11


26/29

Example contd.

Now lets combine the encrypted votes (Uj = Gjs+v)

Gs+v = 6*8*10*10*2 = 9600 = 6.

Almost there , Gs+v/Gs = Gv = 6/11 = 6*6 = 10, Gv = 10 => 7v = 10

=> v= 2 , because 49 (72 mod 13 = 10). Which verifies with the vote count

given in the table. That is it!


27/29

Few other application

Revocable Electronic Cash

Software Key Escrow

Bank AccountsConfidential data

Cloud Computing*


28/29

References*

A Simple Publicly Verifiable Secret Sharing Scheme and its Application to ElectronicVoting - Berry Schoenmakers, Department of Mathematics and Computing

Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven,

The Netherlands. [email protected] | Springer-Verlag , 1999.

How to share a secret. Commm. of ACM , volume 22 (1979).

http://en.wikipedia.org/wiki/Secret_sharing

http://www.cs.uml.edu/~zkissel/secretshare.html

http://en.wikipedia.org/wiki/Secure_multiparty_computation

http://www.proproco.co.uk/million.html

http://www.cs.tau.ac.il/~bchor/Shamir.html

*were not mentioned during presentation
mailto:[email protected]://en.wikipedia.org/wiki/Secret_sharinghttp://www.cs.uml.edu/~zkissel/secretshare.htmlhttp://en.wikipedia.org/wiki/Secure_multiparty_computationhttp://www.proproco.co.uk/million.htmlhttp://www.cs.tau.ac.il/~bchor/Shamir.htmlhttp://www.cs.tau.ac.il/~bchor/Shamir.htmlhttp://www.cs.tau.ac.il/~bchor/Shamir.htmlhttp://www.proproco.co.uk/million.htmlhttp://en.wikipedia.org/wiki/Secure_multiparty_computationhttp://www.cs.uml.edu/~zkissel/secretshare.htmlhttp://www.cs.uml.edu/~zkissel/secretshare.htmlhttp://en.wikipedia.org/wiki/Secret_sharinghttp://en.wikipedia.org/wiki/Secret_sharinghttp://en.wikipedia.org/wiki/Secret_sharingmailto:[email protected]


29/29

Thank You!

Secret Sharing

Documents

Transcript of Secret Sharing