Berkeley CS276 & MIT 6.875 Secret sharing and applications - PowerPoint PPT Presentation


  1. Berkeley CS276 & MIT 6.875 Secret sharing and applications. Lecturer: Raluca Ada Popa

  2. Starting to record

  3. Nuclear launch codes
     • A judge, president and general receive shares $s_1, s_2, s_3$ of a secret $s$ from a dealer. If the nuke station receives $s$, it launches the nuke.
     • If any two come together, their shares together should reveal no info about $s$.
     Ideas?

  4. Nuclear launch codes: xor secret sharing
     • A trusted dealer chooses $s_1$ and $s_2$ randomly in $\{0,1\}^\lambda$, and computes $s_3 = s \oplus s_1 \oplus s_2$.
     • The parties recover $s$ by computing $s_1 \oplus s_2 \oplus s_3$.

  5. Nuclear launch codes: xor secret sharing (same construction as on slide 4)
     • Claim: nothing is learned about $s$ from any one or two shares: $\Pr[s \mid \text{shares}] = \Pr[s]$ (information theoretic security).

  6. Nuclear launch codes: xor secret sharing (same construction as on slide 4)
     • This is 3-out-of-3 secret sharing. How about $n$-out-of-$n$ xor secret sharing?
     • Similarly, choose $s_1, \dots, s_{n-1} \leftarrow \{0,1\}^\lambda$, and set $s_n = s \oplus s_1 \oplus \cdots \oplus s_{n-1}$.

  7. How about 1-out-of-3 xor secret sharing?
     • Trivial: $s_1 = s_2 = s_3 = s$

  8. Shamir secret sharing
     • $t$-out-of-$n$: any $t$ shares out of $n$ shares can recover the secret
     • Shamir, Adi (1979), "How to share a secret"

  9. Syntax
     Let $F$ be a finite field of size $p$, a prime number. Let $0 < t \le n < p$. A $t$-out-of-$n$ secret sharing scheme for $F$ is a pair of PPT algorithms (Share, Recover):
     • Share($s \in F$) outputs $s_1, s_2, \dots, s_n$
     • Recover($s_{i_1}, s_{i_2}, \dots, s_{i_t}$) outputs $s$
     Correctness: $\forall s \in F$, $\forall\, s_1, s_2, \dots, s_n \leftarrow \text{Share}(s)$, for any subset of $t$ distinct indices $i_1, \dots, i_t$: Recover($s_{i_1}, \dots, s_{i_t}$) $= s$.

  10. Security
     Given any $< t$ shares, absolutely nothing is learned about $s$. Namely, the conditional distribution of $s$ given the known shares should be the a priori distribution of $s$. How would you formalize this?
     $\forall v \in F$, $\forall$ distinct $i_1, \dots, i_{t-1} \in [1, n]$:
     $\Pr[s = v \mid s_{i_1}, \dots, s_{i_{t-1}};\ s_1, s_2, \dots, s_n \leftarrow \text{Share}(s)] = \Pr[s = v]$

  11. Shamir's intuition
     • $t$ distinct points in $F$ determine precisely one polynomial of degree $t - 1$
     • $t - 1$ points could belong to an exponential number of polynomials of degree $t$ in $F$
     How would you design it?

  12. Shamir's $t$-out-of-$n$ scheme
     Let $\alpha_1, \dots, \alpha_n \in F$ be distinct non-zero elements known to all parties.
     Share($s$):
     - sample $a_1, \dots, a_{t-1} \leftarrow F$ independently and uniformly at random
     - let $p(x) = s + \sum_{k=1}^{t-1} a_k x^k$
     - for each $i$, set share $s_i = (i, p(\alpha_i))$
     How to recover?

  13. Shamir's $t$-out-of-$n$ scheme
     Let $\alpha_1, \dots, \alpha_n \in F$ be distinct non-zero elements known to all parties.
     Share($s$): $s_i = p(\alpha_i)$
     Recover($s_{i_1}, \dots, s_{i_t}$):
     - find a polynomial $q$ of degree $t - 1$ such that $q(\alpha_{i_k}) = s_{i_k}$ $\forall k$
     - output $s$ to be $q(0)$
     Why?
     Theorem: Shamir's scheme is correct and secure

  14. Lagrange interpolation
     Theorem: $\forall F$, $\forall t$ distinct values $x_1, \dots, x_t$, and every $t$ values $y_1, \dots, y_t$, there exists a unique polynomial $P$ of degree at most $t - 1$ s.t. $P(x_k) = y_k$ $\forall k$.
     Lagrange interpolation in our case:
     $P(x) = \sum_{\ell=1}^{t} s_{i_\ell} \prod_{1 \le j \le t,\ j \ne \ell} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_\ell}}$

  15. Homomorphism of shares
     Share($s$): $s_i = p(\alpha_i)$. Homomorphic?
     Additively homomorphic: $s_i + s'_i$ is the $i$-th share for $s + s'$, because the Lagrange interpolation of the sum of the shares is the sum $p(x) + p'(x)$, which evaluates to $s + s'$ for $x = 0$:
     $p(x) + p'(x) = \sum_{\ell=1}^{t} (s_{i_\ell} + s'_{i_\ell}) \prod_{1 \le j \le t,\ j \ne \ell} \frac{\alpha_{i_j} - x}{\alpha_{i_j} - \alpha_{i_\ell}}$

  16. How about xor secret sharing?
     Shares of $s$ are $s_1, \dots, s_n$ s.t. $s_1 \oplus \cdots \oplus s_n = s$.
     Homomorphic for XOR: $s_i \oplus s'_i$ for $i \in [1, n]$ are shares of $s \oplus s'$.

  17. What are some problems with using Shamir secret sharing with malicious parties?
     • If a participant cheats during recovery, the wrong secret is recovered. The other participants cannot even tell this is the case.
     • There is total trust in the dealer of the shares.
     • The scheme is one time.
     • The scheme only allows revealing the secret and not computing on it without revealing.

  18. Verifiable Secret Sharing (VSS)
     • The players can verify that their shares are consistent with some committed value
     • Concept first introduced in 1985 by Benny Chor, Shafi Goldwasser, and Silvio Micali
     • We will look at Feldman scheme based on Pedersen commitments

  19. Setup
     • Dealer publishes a commitment to $s$ and to the polynomial used for the shares $p(x)$
     • The dealer signs all messages it sends to the parties
     • Each party receiving a share $s_i$ can check their share against the commitment

  20. Construction
     Recall Pedersen commitments: $\text{comm}(x) = g^x h^r \in G$ for $r$ random, $g, h$ public.
     Dealer publishes a commitment to $s$ and to the polynomial used for the shares $p(x) = s + a_1 x + \cdots + a_{t-1} x^{t-1}$:
     $\text{comm}(s) = g^s h^{r_0}$, $\text{comm}(a_1), \dots, \text{comm}(a_{t-1})$, signed by the dealer.
     Let $R(x)$ be the polynomial with the randomness from these commitments: $R(x) = r_0 + r_1 x + \cdots + r_{t-1} x^{t-1}$.

  21. Construction
     The dealer gives to each party $i$: its share $s_i = p(\alpha_i)$ and $R(\alpha_i)$.
     Party $i$ checks that $\text{comm}(s) \cdot \text{comm}(a_1)^{\alpha_i} \cdots \text{comm}(a_{t-1})^{\alpha_i^{t-1}}$ equals $g^{s_i} h^{R(\alpha_i)}$.
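The dealing and share check of slides 20 and 21 as an added example (not from the slides): the dealer commits to $s$ and to each coefficient with Pedersen commitments, hands party $i$ the pair $(p(\alpha_i), R(\alpha_i))$, and party $i$ recomputes the product of commitments raised to powers of $\alpha_i$. Assumptions, all constructed for the demo: $G$ is the order-$q$ subgroup of squares modulo the toy prime $p = 2q + 1 = 2039$, $g = 4$ and $h = 9$ are two such squares, and $\alpha_i = i$; real deployments use a full-size group and bases whose mutual discrete log nobody knows.

```python
import secrets

# Toy group: G = squares mod p_mod, of prime order q; exponents live in Z_q (constructed sizes).
p_mod, q = 2039, 1019        # p_mod = 2q + 1, both prime
g, h = 4, 9                  # 2^2 and 3^2 are squares mod p_mod, so both have order q

def comm(x: int, r: int) -> int:
    """Pedersen commitment comm(x) = g^x h^r in G, as recalled on slide 20."""
    return pow(g, x % q, p_mod) * pow(h, r % q, p_mod) % p_mod

def poly_eval(coeffs: list[int], x: int) -> int:
    """Evaluate c_0 + c_1 x + ... + c_{t-1} x^{t-1} over Z_q."""
    return sum(c * pow(x, k, q) for k, c in enumerate(coeffs)) % q

def deal(s: int, t: int, n: int):
    """Dealer: p(x) = s + a_1 x + ..., R(x) = r_0 + r_1 x + ...; publishes comm(s) = g^s h^{r_0}
    and comm(a_k) = g^{a_k} h^{r_k}; sends party i the pair (p(alpha_i), R(alpha_i)) with alpha_i = i."""
    a = [s % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    r = [secrets.randbelow(q) for _ in range(t)]
    commitments = [comm(a[k], r[k]) for k in range(t)]   # commitments[0] is comm(s)
    shares = {i: (poly_eval(a, i), poly_eval(r, i)) for i in range(1, n + 1)}
    return commitments, shares

def verify_share(commitments: list[int], i: int, s_i: int, R_i: int) -> bool:
    """Party i's check from slide 21:
    comm(s) * comm(a_1)^alpha_i * ... * comm(a_{t-1})^(alpha_i^(t-1)) == g^{s_i} h^{R(alpha_i)}."""
    lhs = 1
    for k, c in enumerate(commitments):
        lhs = lhs * pow(c, pow(i, k, q), p_mod) % p_mod
    return lhs == comm(s_i, R_i)

def demo() -> tuple[bool, bool]:
    commitments, shares = deal(s=777, t=3, n=5)            # constructed secret and parameters
    all_valid = all(verify_share(commitments, i, *sh) for i, sh in shares.items())
    s_2, R_2 = shares[2]
    tampered_ok = verify_share(commitments, 2, (s_2 + 1) % q, R_2)   # corrupted share fails the check
    return all_valid, tampered_ok
```

Delivering party 2's pair to party 3 also fails the check, except with probability about $1/q$, which is the "party $i$ can check that it indeed received share $i$" property of slide 23.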

  22. Security properties
     • What malicious behavior of a dealer would this prevent?
     • What malicious behavior of the parties would this prevent?
     • What malicious behavior would it not prevent?

  23. Security properties (informally)
     • Parties know their shares are consistent (different subsets of $t$ shares will reveal the same value $s$), or prove misbehavior of the dealer.
     • Party $i$ can check that it indeed received share $i$
     • Upon reveal, a party can check the share of another party, so a malicious party cannot affect a reveal
     • Dealer can still commit to $s$ of its choice
     • Still assumes trusted setup of public parameters?

  24. Why do the security properties hold? (informally)
     • Parties know their shares are consistent (different subsets of $t$ shares will reveal the same value $s$), or prove misbehavior of the dealer: because the commitment is binding
     • Upon reveal, a party can check the share of another party: because the commitment is binding
     What is the hiding property used for? Secrecy of the secret sharing scheme.

  25. Applications
     What applications come to mind?

  26. Applications
     • Key recovery for end-to-end encryption
     • Custody of secrets for cryptocurrencies

  27. End-to-end encryption
     [Diagram: the sender's "Hello" is encrypted to "K&4!f", passes through the Server as "K&4!f", and is decrypted back to "Hello" by the recipient.]
     The server cannot decrypt user data. The server is not a central point of attack: it does not have the decryption key.

  28. End-to-end encryption
     [Same diagram as slide 27.] The server cannot decrypt user data.

  29. Key recovery is challenging
     [Diagram: a triangle between key recovery, end-to-end security and usability.]

  30. Key recovery challenge
     [Diagram: client and server, with the server holding a backup of the Secret.]
     Usability issue: if Alice loses her key, she loses access to her data (e.g., PGP).
     Security issue: existing solutions prefer to compromise on security: save the key at the server!
     Ideas?

  31. Secret sharing keys
     • Each user chooses a set of trusted users who can reconstruct her lost key
     • None of the users in the group can reconstruct the key by itself
     [Diagram: Alice's approval group, 2 out of 3 must agree: admin 1, admin 2, Alice's boss.]

  32. Richer policies for organizations
     [Diagram: a policy tree with OR at the root and two AND branches: a 2/2 branch over Alice's Boss and Admin1, and a 3/4 branch over Bob, Chris, Dan and Matt.]
     How would you implement this?

  33. Cryptocurrency application
     • We saw that secret keys control assets in Bitcoin, Zcash, etc.
     • Need to back up these secret keys to prevent asset loss
     • Ideas? Some crypto custodians offer secret sharing

  34. Cryptocurrency application
     Even storing the secret on the user device that performs payments is worrisome, so newer technologies store the secret key secret-shared and sign transactions using it by recovering the secret from shares "under encryption"; we will learn how to do this in secure multi-party computation.
     Another huge application of secret sharing.
