Verifiable Secret Sharing
-
7/27/2019 Verifiable Secret Sharing
1/21
Verifiable Secret Sharing
CMSC 652: Cryptology, Spring 2009
Presented by: Vivek Relan
-
Outline
Motivation
Applications of VSS
Types of VSS
VSS scheme by T Pedersen (1991)
Commitment scheme
Conclusion
-
Motivation
Shamir's secret sharing scheme assumes that the dealer is reliable
But in reality the dealer may misbehave and deal inconsistent shares to the participants
Thus, k participants will be unable to reconstruct a secret
The Verifiable Secret Sharing (VSS) scheme addresses this issue
-
Verifiable Secret Scheme
Shares are verifiable without revealing the shares or the secret
Convinces shareholders that their shares are k-consistent
Each shareholder is assured that every subset of k out of n shares defines the same secret
Detects a malicious dealer or a malicious shareholder
-
Applications
End-to-end auditable voting systems
Threshold software key escrow
Secure storage
-
Types of VSS
Interactive VSS
Interaction between dealer and shareholder is needed for verification
e.g. Goldwasser-Micali Scheme (1985), Benaloh VSS scheme (1986)
Non-interactive VSS
No interaction between dealer and shareholder is needed for verification
e.g. T Pedersen's VSS scheme (1991)
-
T Pedersen's VSS Scheme
Non-interactive and information-theoretically secure verifiable secret sharing
Published in
Crypto'91
Springer'92
Citation count 661
-
Preliminaries
Discrete logarithm problem
Let $g, h \in G_q$ and $x \in \mathbb{Z}$ (the set of integers)
$g^x \bmod N = h$
Given g, x and N, it is easy to find h
But it is hard to find x from g, h and N
Let p and q be prime and p = 2q+1. Z/pZ forms a group. We will restrict our attention to the quadratic residues in this group.
-
Math overview
$G = (g, h)$, $A = (a, b)$, $C = (c, d)$
$A + C = (a+c, b+d)$
$n * A = (n * a, n * b)$
$G^A = g^a * h^b$
Let's consider polynomials f(x) and g(x)
$f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \dots + a_{k-1} x^{k-1}$
$g(x) = b_0 + b_1 x + b_2 x^2 + b_3 x^3 + \dots + b_{k-1} x^{k-1}$
$F = (f, g)$, $F(m) = (f(m), g(m))$
$F_m = (a_m, b_m)$
-
Math overview (cont)
$\text{commit}(A) = G^A = g^a * h^b$
$\text{commit}(A+C) = G^{A+C} = G^{(a,b)+(c,d)} = G^{(a+c,\, b+d)}$
$= g^{a+c} * h^{b+d}$
$= g^a * g^c * h^b * h^d$
$= (g^a * h^b) * (g^c * h^d)$
$\text{commit}(A+C) = \text{commit}(A) * \text{commit}(C)$
(+, *) - Homomorphic property
-
Commitment scheme
Commit is hiding
Given commit(A), one has no idea about A
Commit is binding
It is hard to find A' such that
commit(A) = commit(A')
Based on discrete logarithm problem
-
VSS: Sharing Protocol
Dealer chooses F = (f, g) randomly, where f, g are (k-1)-degree polynomials and $f(0) = a_0$ and $F(0) = (a_0, b_0)$
$f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \dots + a_{k-1} x^{k-1}$
$g(x) = b_0 + b_1 x + b_2 x^2 + b_3 x^3 + \dots + b_{k-1} x^{k-1}$
$a_0$ is secret
$a_1, a_2, \dots, a_{k-1}$ and $b_0, b_1, \dots, b_{k-1}$ are selected randomly in a finite field
-
VSS: Sharing Protocol (cont)
Dealer computes $A_i = \text{commit}(F_i)$, i = 0, 1, ..., k-1 and broadcasts all these commitments $A_i$ to n participants
Dealer computes $X_i = F(i)$ and sends this value $X_i$ to participant i, for each 1
-
VSS: Verification phase
Each person $P_i$ verifies the following
LHS equals RHS by (+, *) homomorphism property of commitment scheme
-
VSS: Verification phase (cont)
If verification fails for participant $P_i$,
Broadcast accusation $(X_i, \text{sign}_D(X_i))$ to all other participants
There are two cases in front of other participants
Dealer D is faulty
Participant $P_i$ is faulty
-
VSS: Verification phase (cont)
Dealer D proves that he is not faulty by broadcasting $X_i$ to all participants
Each participant can verify his share
Participant $P_i$ aborts if he sees at least k such accusations or his check fails
-
Dishonest dealer
A lot of trust is placed in the dealer
Instead of choosing prime numbers to construct a quadratic residue subgroup, the dealer might pick his phone number.
The dealer can find the discrete log before distributing the shares and can manipulate the shares.
How do we totally remove trust in the dealer?
-
Linear combination of shared secrets
Suppose two instances of the VSS scheme are running with the same participants
By combining these two procedures
Secret $E_0 + F_0 = (x + y)$
Each person receives $E(i) + F(i) = X_i + Y_i$
-
Linear combination of shared secrets (cont)
Due to the (+, *) homomorphism property,
Combining two VSS procedures yields
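An added example (not from the slides): a toy Python run of the sharing protocol, the verification phase and the addition of two shared secrets. The check in verify() is the standard Pedersen test, commit(X_i) = product of A_j^(i^j), written in the slides' notation. The parameters p, q, g, h and all function names are constructed for illustration and are far too small for real use.

```python
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime.
P, Q = 2039, 1019
G, H = 4, 9  # squares mod p, so each generates the order-q subgroup of quadratic residues

def commit(a, b):
    """commit((a, b)) = g^a * h^b mod p."""
    return pow(G, a, P) * pow(H, b, P) % P

def poly_eval(coeffs, x):
    """Evaluate c_0 + c_1 x + ... + c_{k-1} x^{k-1} mod q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def deal(secret, k, n):
    """Return commitments A_0..A_{k-1} and shares {i: X_i = (f(i), g(i))}."""
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    g = [secrets.randbelow(Q) for _ in range(k)]  # blinding polynomial g(x)
    A = [commit(a, b) for a, b in zip(f, g)]
    shares = {i: (poly_eval(f, i), poly_eval(g, i)) for i in range(1, n + 1)}
    return A, shares

def verify(i, share, A):
    """Participant i checks commit(X_i) == prod_j A_j^(i^j) mod p."""
    rhs = 1
    for j, A_j in enumerate(A):
        rhs = rhs * pow(A_j, pow(i, j, Q), P) % P
    return commit(*share) == rhs

def add_dealings(A1, s1, A2, s2):
    """Combine two dealings: multiply commitments, add shares component-wise."""
    A = [x * y % P for x, y in zip(A1, A2)]
    s = {i: ((s1[i][0] + s2[i][0]) % Q, (s1[i][1] + s2[i][1]) % Q) for i in s1}
    return A, s

def reconstruct(points):
    """Lagrange-interpolate f(0) mod q from k points {i: f(i)}."""
    total = 0
    for i, y in points.items():
        num = den = 1
        for m in points:
            if m != i:
                num, den = num * -m % Q, den * (i - m) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total
```

Here g = 4 and h = 9 have a discrete log relation that is easy to find at this size, so binding is only illustrative; the "Dishonest dealer" slide describes why that relation must be unknown to the dealer.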
-
Linear combination of shared secrets (cont)
Assume each participant acts as dealer and picks F[i], 1
-
Conclusion
Non-interactive verifiable (k, n)-threshold scheme protects the secret to be distributed unconditionally for any value of k (1