Improvements on Distributed Key Generation
Bachelor Project
Kopiga Rasiah
Responsible / Supervisor: Bryan Ford, Nicolas Gailly

Improvements on Distributed Key Generation
• Objective: bring improvements that enhance the security of the protocol

Outline
• Background:
  • What is DKG
  • Shamir’s secret
  • Feldman’s VSS
  • How DKG works
• My work: Proactive secret sharing
• Implementation
• Conclusion

Distributed Key Generation
• A set of n participants who collectively generate a shared private/public key
• Each node has a share of the secret (private key)
• No single point of failure: an attacker needs to break into multiple locations to gain access to the secret
• DKG is mostly used for group digital signatures or to decrypt shared ciphertexts

Shamir’s secret sharing
[Figure: the dealer]

Shamir’s secret sharing
• $f(x) = s + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$, $t < n$
• $f(0)$ = secret
• Construct n points from it (the shares) and distribute them to the nodes

Shamir’s secret sharing
[Figure: shares f(1), f(2), f(3), f(4), f(5) and nodes 1 to 5]
• t points are sufficient to reconstruct a polynomial function of degree t-1

Feldman’s verifiable secret sharing
• Based on Shamir’s secret sharing
• Nodes can verify if their shares are consistent
• Dealer broadcasts $F(\cdot) = f(\cdot) * g$
• $F(i) == s_i * g$

Distributed Key Generation
• Based on Feldman’s VSS
• System without any trusted party
• Executes n VSS instances in parallel: every node is a dealer
• Each node generates $f_i(x) = z_i + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$, where $z_i$ is random

Distributed Key Generation
[Figure: nodes 1 to 4 exchanging the shares $f_1(1), \dots, f_1(4)$ and $f_2(1), \dots, f_2(4)$]
• Node 1: $f_1(1) + f_2(1) + f_3(1) + f_4(1) = s_1$
• Node 2: $f_1(2) + f_2(2) + f_3(2) + f_4(2) = s_2$
• Node 3: $f_1(3) + f_2(3) + f_3(3) + f_4(3) = s_3$
• Node 4: $f_1(4) + f_2(4) + f_3(4) + f_4(4) = s_4$
• $s = \sum_j f_j(0)$
• $S = \sum_j F_j(0) = s * g$

Proactive secret sharing
• Given enough time, an attacker can gradually break into more than t servers
• Not practical to change the secret
• Solution: proactive secret sharing
• We only focus on refreshing the shares

Proactive secret sharing
• Why refreshing?
• Refreshing the shares makes the underlying polynomial change!
• Old stolen information becomes useless

The idea
• Let’s assume that the initial DKG round has been done
• Each node generates a new intermediate random polynomial $g_i(x)$
• $g_i(x) = 0 + b_{1,i} x + b_{2,i} x^2 + \dots + b_{t-1,i} x^{t-1}$
• They execute the DKG protocol again:
  • distribution of the intermediate shares

Distributed Key Generation
[Figure: nodes 1 to 4 with polynomials $g_1(x), g_2(x), g_3(x), g_4(x)$, exchanging the shares $g_1(1), \dots, g_1(4)$ and $g_2(1), \dots, g_2(4)$]

Proactive secret sharing
• For node i: $s_i = \sum_j f_j(i)$
• 2nd round DKG: $s_i' = \sum_j g_j(i)$
• $s_i + s_i' = r_i = \sum_j h_j(i)$
• At $x = 0$: $s = \sum_j f_j(0)$ and $\sum_j g_j(0) = 0$, so $s = \sum_j h_j(0)$
• $g_i(x) = 0 + b_{1,i} x + b_{2,i} x^2 + \dots + b_{t-1,i} x^{t-1}$

Distributed Key Generation
[Figure: nodes 1 to 4, each with its renewed share]
• Node 1: $s_1 + \sum_j g_j(1) = r_1$
• Node 2: $s_2 + \sum_j g_j(2) = r_2$
• Node 3: $s_3 + \sum_j g_j(3) = r_3$
• Node 4: $s_4 + \sum_j g_j(4) = r_4$

Proactive secret sharing
• The attacker’s time is now restricted to the interval between share updates
• He needs to break into the servers within the same period

Implementation
• 2nd round of DKG for updating the shares
• Renew function adds 2 shares according to their indices:
  • check if G(0) = 0 (= 0 * g)
  • check share1.index == share2.index

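The refresh round and the two Renew checks above, as an added Python example (not code from the slides or from the project). It assumes a constructed toy group (P = 2039, Q = 1019, G = 4, written multiplicatively, so the slide's 0 * g becomes the identity 1) and hypothetical helper names; verifying shares against the commitments and encrypting shares in transit are left out.

```python
import secrets

# Constructed toy parameters (far too small for real use): P = 2Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4

def rand_poly(t, const=None):
    """Degree t-1 polynomial over Z_Q; the constant term is random unless fixed."""
    c0 = secrets.randbelow(Q) if const is None else const
    return [c0] + [secrets.randbelow(Q) for _ in range(t - 1)]

def evaluate(poly, x):
    return sum(c * pow(x, k, Q) for k, c in enumerate(poly)) % Q

def commit(poly):
    """Feldman commitments to the coefficients (multiplicative form of coeff * g)."""
    return [pow(G, c, P) for c in poly]

def dkg_round(n, t, const=None):
    """Every node deals one polynomial; node i's share is the sum of what it receives."""
    polys = [rand_poly(t, const) for _ in range(n)]
    shares = {i: sum(evaluate(p, i) for p in polys) % Q for i in range(1, n + 1)}
    return shares, [commit(p) for p in polys]

def renew(old, delta, refresh_commits):
    """Add a refresh share to an old share after the two checks from the slide."""
    (i, s), (j, d) = old, delta
    if i != j:
        raise ValueError("share indices differ")
    if any(c[0] != 1 for c in refresh_commits):   # G(0) must be 0 * g (the identity)
        raise ValueError("refresh polynomial has a non-zero constant term")
    return (i, (s + d) % Q)

def reconstruct(points):
    """Lagrange interpolation at x = 0 from t (index, share) pairs."""
    secret = 0
    for i, s in points:
        lam = 1
        for j, _ in points:
            if j != i:
                lam = lam * j * pow(j - i, -1, Q) % Q
        secret = (secret + s * lam) % Q
    return secret

if __name__ == "__main__":
    shares, _ = dkg_round(5, 3)
    deltas, commits = dkg_round(5, 3, const=0)
    new = [renew((i, shares[i]), (i, deltas[i]), commits) for i in shares]
    old = [(i, shares[i]) for i in (1, 2, 3)]
    print(reconstruct(old) == reconstruct(new[:3]))  # same secret, different shares
```

A share stolen before the refresh combined with shares from after it reconstructs the secret only if that node's refresh share happens to be zero.
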
Conclusion
• Enhances security of the protocol
• Much more interesting if periodicity is implemented

Future work
• Implement the periodicity
• Implement the share recovery process

Current work
• Drand (distributed randomness beacon daemon), where nodes collectively produce random values