Galois geometries contributing to cryptography

Leo Storme
Ghent University, Dept. of Mathematics
Krijgslaan 281 - S22, 9000 Ghent, Belgium
Opatija, 2010

Outline

1. Cryptography
2. Secret sharing scheme
3. Message Authentication code (MAC)
4. Linear MDS code in AES

Cryptography

1. Transmit information in confidential way,
2. Split secret into shares,
3. Authentication.

Secret sharing scheme

1. Secret sharing scheme: cryptographic equivalent of vault that needs several keys to be opened.
2. Secret $S$ divided into shares.
3. Authorised sets: have access to secret $S$ by putting their shares together.
4. Unauthorised sets: have no access to secret $S$ by putting their shares together.

$(n, k)$-threshold scheme

1. $n$ participants.
2. Each group of $k$ participants can reconstruct secret $S$, but less than $k$ participants have no way to learn anything about secret $S$.

Shamir's $k$-out-of-$n$ secret sharing scheme

1. $\mathbb{F}_q$ = finite field of order $q$.
2. Dealer chooses polynomial $f(X) = f_0 + f_1 X + \cdots + f_{k-1} X^{k-1} \in \mathbb{F}_q[X]$, and,
3. gives participant number $i$, point $(x_i, f(x_i))$ on graph of $f$ ($x_i \neq 0$).
4. Value $f(0) = f_0$ is secret $S$.

Shamir's $k$-out-of-$n$ secret sharing scheme

1. Set of $k$ participants can reconstruct $f(X) = f_0 + f_1 X + \cdots + f_{k-1} X^{k-1}$ by interpolating their shares $(x_i, f(x_i))$. Then they can compute secret $f(0)$.
2. If $k' < k$ persons try to reconstruct secret, for every $y \in \mathbb{F}_q$, there are exactly $|\mathbb{F}_q|^{k-k'-1}$ polynomials of degree at most $k-1$ which pass through their shares and the point $(0, y)$. Thus they gain no information about $f(0)$.

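The dealing, the reconstruction by interpolation and the counting argument above can be checked by machine. The following is an added example, not part of the original slides; the prime 257, the function names and the sample shares are assumptions chosen for illustration.

```python
import secrets
from itertools import product

Q = 257  # constructed small prime: F_q is the integers mod Q

def evaluate(coeffs, x, q):
    """f(x) = f_0 + f_1 x + ... + f_{k-1} x^{k-1} in F_q."""
    return sum(c * pow(x, j, q) for j, c in enumerate(coeffs)) % q

def split(secret, k, n, q=Q):
    """Dealer: random f of degree <= k-1 with f(0) = secret; share i is (i, f(i))."""
    if not 1 <= k <= n < q:
        raise ValueError("need 1 <= k <= n < q so the x_i are distinct and nonzero")
    coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(k - 1)]
    return [(x, evaluate(coeffs, x, q)) for x in range(1, n + 1)]

def reconstruct(shares, q=Q):
    """Lagrange interpolation of the shares, evaluated at X = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % q
                den = den * (xi - xj) % q
        secret = (secret + yi * num * pow(den, -1, q)) % q
    return secret

def count_consistent(shares, y, k, q):
    """Brute force: polynomials of degree <= k-1 through the shares and (0, y)."""
    return sum(
        all(evaluate((y,) + tail, x, q) == s for x, s in shares)
        for tail in product(range(q), repeat=k - 1)
    )

if __name__ == "__main__":
    shares = split(123, k=3, n=5)
    print(reconstruct(shares[:3]))  # any 3 of the 5 shares recover the secret
    # k' = 1 share, q = 5, k = 3: every candidate secret y fits 5^(3-1-1) polynomials
    print([count_consistent([(1, 2)], y, 3, 5) for y in range(5)])
```

Because the count is the same for every candidate $y$, fewer than $k$ shares leave all $q$ secrets equally likely.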
Realisation of Shamir's $k$-out-of-$n$ secret sharing scheme

[Figure: secret point; shares $S_1$, $S_2$, $S_3$, $S_4$, $S_5$]

Geometrical realisation of Shamir's $k$-out-of-$n$ secret sharing scheme (Blakley)

1. Secret $S$ = point of $PG(3, q)$.
2. Shares = planes of $PG(3, q)$ such that exactly three of them only intersect in $S$.

Coding-theoretical realisation of Shamir's $k$-out-of-$n$ secret sharing scheme (McEliece and Sarwate)

1. $C$: $[n+1, k, n-k+2]_q$ MDS code.
2. For secret $c_0 \in \mathbb{F}_q$, dealer creates codeword $c = (c_0, c_1, \ldots, c_n) \in C$. Share of participant number $i$ is symbol $c_i$.
3. Since $C$ is MDS code with minimum distance $n-k+2$, codeword $c$ can be uniquely reconstructed if only $k$ symbols are known.
4. So any set of $k$ persons can compute secret $c_0$.
5. On the other hand, less than $k$ persons do not learn anything about secret, since for any possible secret $c'$, the same number of codewords that fit to secret $c'$ and their shares exist.

More general secret sharing scheme

Definition. Support of $c = (c_1, \ldots, c_n) \in \mathbb{F}_q^n$: $\mathrm{sup}(c) = \{ i \mid c_i \neq 0 \}$. Let $C$ be linear code. Nonzero codeword $c \in C$ is called minimal if

$$\forall c' \in C : \mathrm{sup}(c') \subseteq \mathrm{sup}(c) \implies c' \in \langle c \rangle.$$

More general secret sharing scheme

Lemma (Massey). Let $C$ be an $[n+1, k]_q$-code. Secret sharing scheme is constructed from $C$ by choosing codeword $c = (c_0, \ldots, c_n)$. Secret is $c_0$ and shares of participants are coordinates $c_i$ ($1 \leq i \leq n$). Minimal authorized sets of secret sharing scheme correspond to minimal codewords of $C^\perp$ with 0 in their supports.

More general secret sharing scheme

Proof: Suppose set $\{1, \ldots, k\}$ is authorised set. This means that $c_0$ can be determined from $c_1, \ldots, c_k$, i.e. there exist constants $a_1, \ldots, a_k$, with

$$c_0 = a_1 c_1 + \cdots + a_k c_k, \tag{1}$$

which means that $(1, -a_1, \ldots, -a_k, 0, \ldots, 0)$ is codeword of $C^\perp$ with 0 in its support.

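Massey's lemma can be verified on a small code whose access structure is not a threshold one. The following is an added example, not part of the original slides; the binary $[5, 3]$ generator matrix and the function names are constructed for illustration. Over $\mathbb{F}_2$ a nonzero codeword is minimal exactly when its support is inclusion-minimal among supports of nonzero codewords.

```python
from itertools import combinations, product

# Constructed generator matrix of a binary [5, 3] code C.
# Coordinate 0 carries the secret, coordinates 1..4 are the shares.
G = [(1, 0, 0, 1, 1),
     (0, 1, 0, 1, 0),
     (0, 0, 1, 0, 1)]
N = len(G[0])

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % 2

def code(rows):
    """All codewords of the code spanned by rows over F_2."""
    return {tuple(sum(a * r[j] for a, r in zip(coeffs, rows)) % 2 for j in range(N))
            for coeffs in product((0, 1), repeat=len(rows))}

def dual(rows):
    """All words orthogonal to every row, i.e. the dual code."""
    return {v for v in product((0, 1), repeat=N) if all(dot(v, r) == 0 for r in rows)}

def support(c):
    return frozenset(i for i, x in enumerate(c) if x)

def minimal_sets_from_dual(rows):
    """Massey: minimal dual codewords with 0 in their support, coordinate 0 dropped."""
    sups = {support(d) for d in dual(rows) if any(d)}
    minimal = {s for s in sups if not any(t < s for t in sups)}
    return {s - {0} for s in minimal if 0 in s}

def minimal_sets_brute_force(rows):
    """Direct check: A determines c_0 iff every codeword vanishing on A has c_0 = 0."""
    words = code(rows)
    def authorised(A):
        return all(c[0] == 0 for c in words if all(c[i] == 0 for i in A))
    auth = [frozenset(A) for r in range(1, N)
            for A in combinations(range(1, N), r) if authorised(A)]
    return {A for A in auth if not any(B < A for B in auth)}

if __name__ == "__main__":
    print(sorted(map(sorted, minimal_sets_from_dual(G))))    # from the dual code
    print(sorted(map(sorted, minimal_sets_brute_force(G))))  # from the definition
```

For this code the minimal authorised sets are $\{1, 3\}$ and $\{2, 4\}$, while pairs such as $\{1, 2\}$ learn nothing about $c_0$.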
Problem of authentication

1. Problem: Alice wants to send Bob a message $m$.
2. Attacker intercepts $m$ and sends altered message $m'$ to Bob.

How can Bob be sure that message he gets is correct? Introduce authentication!

Example of message authentication code

1. $l$ = line of $PG(2, q)$.
2. Message $m$ = point of $l$.
3. Authentication key $K$ = point in $PG(2, q) \setminus l$.
4. Authentication tag = line through message $m$ and key $K$.

Example of authentication code

1. If attacker wants to create message $(m, K)$ without knowing key $K$, he must guess an affine line through $m$. There are $q$ possibilities, i.e. the chance for correct attack is $\frac{1}{q}$.
2. If attacker already knows authenticated message $(m, K)$, he knows that key $K$ must lie on the line $mK$. But for each of the $q$ affine points on line $mK$, there exists line through $m$. So he cannot do better than guess the key, which gives probability of $\frac{1}{q}$ for successful attack.

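Both $\frac{1}{q}$ bounds can be confirmed by exhaustive enumeration in a small plane. The following is an added example, not part of the original slides; it assumes $l$ is the line at infinity of $PG(2, q)$ with $q = 7$, so that messages are directions (a slope or the vertical direction) and keys are affine points, and all names in it are chosen for illustration.

```python
from fractions import Fraction
from itertools import product

Q = 7  # constructed small prime: F_q is the integers mod Q

# Assumption: l is the line at infinity. Its q + 1 points are the directions:
# a slope s in F_q, or "inf" for the vertical direction.
MESSAGES = list(range(Q)) + ["inf"]
KEYS = list(product(range(Q), repeat=2))  # affine points K = (a, b), i.e. PG(2, q) \ l

def tag(m, key, q=Q):
    """Line through m and K, named by its intercept c (y = m*x + c) or by a (x = a)."""
    a, b = key
    return a if m == "inf" else (b - m * a) % q

def impersonation_probability(m, t):
    """Chance that a forged pair (m, t) verifies under a uniformly random key."""
    return Fraction(sum(tag(m, K) == t for K in KEYS), len(KEYS))

def substitution_probability(m, t, m2, t2):
    """Chance that (m2, t2) verifies, given that (m, t) was observed under the key."""
    consistent = [K for K in KEYS if tag(m, K) == t]  # the q affine points of line mK
    return Fraction(sum(tag(m2, K) == t2 for K in consistent), len(consistent))

def worst_case():
    """Best achievable success probability for each attack, over all attacker choices."""
    imp = max(impersonation_probability(m, t) for m in MESSAGES for t in range(Q))
    sub = max(substitution_probability(m, t, m2, t2)
              for m in MESSAGES for t in range(Q)
              for m2 in MESSAGES if m2 != m
              for t2 in range(Q))
    return imp, sub

if __name__ == "__main__":
    print(worst_case())  # both attacks succeed with probability 1/q
```

With a slope $s$ as message and $K = (a, b)$ as key, the tag is $b - s a$, so the geometric construction is an affine one-time MAC; the enumeration covers a single message per key, as on the slide.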