proactive secret sharing with a dishonest majority
play

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, - PowerPoint PPT Presentation

Aug 27, 2022 •346 likes •569 views

Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua Lampkins**, Rafail Ostrovsky***, Moti Yung**** * Ben-Gurion University ** Hughes Research Labs (HRL) *** University of California Los Angeles (UCLA)

  1. Proactive Secret Sharing with a Dishonest Majority Shlomi Dolev*, Karim ElDefrawy**, Joshua Lampkins**, Rafail Ostrovsky***, Moti Yung**** * Ben-Gurion University ** Hughes Research Labs (HRL) *** University of California Los Angeles (UCLA) **** Snapchat and Columbia University 10 th Conference on Security and Cryptography for Networks (SCN’16) 1

  2. Secret Sharing (1/2) • A t out of n secret sharing scheme shares a secret among n parties. • Any t + 1 parties can combine their shares to reconstruct the secret. • With only t of the n shares one does not learn any information about the secret. • Invented independently by Blakely and Shamir (1979). Secret Share Secret Share Secret Share Secret Share #3 #4 #1 #2 10 th Conference on Security and Cryptography for Networks (SCN’16) 2

  3. Secret Sharing (2/2) • Shamir’s Technique : store secret in constant term of degree t polynomial to tolerate up to p(x) = 0.5 - 0.7x + 0.1x 2 t leaked shares (called t + 1 out of n ) share of secret1 server 2 share of server 3 • Secret Sharing Involves Two Algorithms: share of server 1 Share: for secret s , pick random coefficients a 1 … a t i. and p(x) = a 0 + a 1 x + a 2 x 2 + … a t x t & set a 0 = s distribute shares as p(1), p(2) … f(n) to the n parties Open/Reconstruct: from p(1), p(2) … p(t+1) interpolate p(x) ii. and recover secret as p(0)= a 0 = s 10 th Conference on Security and Cryptography for Networks (SCN’16) 3

  4. Mobile Adversaries Server 1 Server 1 Shares Collected by Adversary Server 7 Server 7 Server 2 Server 2 Share of Server 2 Share of Server 7 Share of Server 4 Over time, a mobile adversary compromises Share of Server 5 Server 6 Server 6 Server 3 Server 3 Share of Server 3 more than t servers & recovers the secret! Share of Server 1 Share of Server 6 Server 5 Server 5 Server 4 Server 4 10 th Conference on Security and Cryptography for Networks (SCN’16) 4

  5. Proactive Security Shares with different colors are from different time epochs share 1 share 1 share 1 share 1 share 1 and can NOT be combined. Server 1 Server 1 share 7 share 7 share 7 share 7 share 7 share 2 share 2 share 2 share 2 share 2 Shares Collected by Adversary Server 7 Server 7 Server 7 Server 2 Server 2 Server 2 share 2 – Epoch 1 A mobile adversary eventually compromises share 7 – Epoch 1 everyone, but not at the same time! share 4 – Epoch 2 share 6 share 6 share 6 share 6 share 6 share 5 – Epoch 2 share 3 share 3 share 3 share 3 share 3 Server 6 Server 6 Server 3 share 3 – Epoch 3 Server 3 share 1 – Epoch 3 share 6 – Epoch 4 share 5 share 5 share 5 share 5 share 5 share 4 share 4 share 4 share 4 share 4 Server 5 Server 5 Server 5 Server 4 Server 4 Proactively refresh/rerandomize shares on Server 4 servers, and randomly reboot servers to a pristine state and recover their shares. 10 th Conference on Security and Cryptography for Networks (SCN’16) 5

  6. Relevance of Proactive Security Model • Proactively secure protocols for various cryptographic primitives were developed since 90s: – Proactive secure multi-party computation [OY91, BELO14, BELO15]. – Proactive encryption/signature schemes [FGMY97a, FGMY97b, Rab98, CGJ+99, FMY01, Bol03, JS05, JO08, ADN06]. – Proactive secret sharing [WWW02, ZSvR05, CKLS02, Sch07, HJKY95, DELOY16]. 10 th Conference on Security and Cryptography for Networks (SCN’16) 6

  7. Mixed Adversaries Model • Threshold of corruptions is defined by ( 𝑩 ∗ , 𝑸 ∗ ) : – Set of Passive Corruptions ( 𝑸 ∗ ): semi-honest, follows protocols but tries to violate privacy – Set of Active Corruptions ( 𝑩 ∗ ): fully malicious, can deviate arbitrarily from protocols • Each active corruption is also a passive corruption ( 𝑩 ∗ ⊑ 𝑸 ∗ ) • Multi-threshold: – Correctness ( 𝑼 𝒅 ): threshold for which correctness is ensured – Secrecy ( 𝑼 𝒕 ): threshold for which secrecy is ensured – Robustness (𝑼 𝒔 ): threshold for which robustness is ensured 10 th Conference on Security and Cryptography for Networks (SCN’16) 7

  8. Our Result Paper Network Dynamic Security Threshold Communication Model Groups (amortized) [WWW02] Synch. No Crypto. t/n < 1/2 exp(n) [ZSvR05] Asynch. No Crypto t/n < 1/3 exp(n) [CKLS02] Asynch. No Crypto t/n < 1/3 O(n 4 ) [Sch07] Asynch. Yes Crypto t/n < 1/3 O(n 4 ) O(n 3 ) [OY91] Synch. No Statistical t/n < 1/3 O(n 2 ) [HJKY95] Synch. No Crypto t/n < 1/2 [BELO14] Synch. No Perfect / Statistical t/n < 1/3-ε / t/n < 1/2-ε O(1) [BELO15] Synch. Yes Perfect / Statistical t/n < 1/3-ε / t/n < 1/2-ε O(1) [DELOY16] Synch. No Crypto t < n – r (passive only) O(n 4 ) (homomorphic t < n/2 – r (active) commitments) t < n – k – r (mixed adversaries) t = total corruptions k = active corruptions r = number of nodes reset in parallel [DELOY16] Proactive Secret Sharing (PSS) where t could be > n/2, when k = 0 (i.e., passive corruptions only) t < n – r, r = 1 if nodes will be reset serially. 10 th Conference on Security and Cryptography for Networks (SCN’16) 8

  9. Background: Gradual Secret Sharing • First introduced in [HML13] for mixed adversaries (a mix of passive and active corruptions) • Secure against a dishonest majority with identifiable aborts • Share: A d-gradual secret sharing of a secret s does the following: 0 – Split s into d random summands, 𝑡 = ∑ 𝑡 / /12 – Share each 𝑡 / with a random polynomial of degree i • Reconstruct: to recover s shared with a d-gradual secret sharing: – Reconstruct the d polynomials in decreasing order (from d down to 1 ) – For polynomial i if less than i+1 parties are honest abort and identify misbehaving parties 10 th Conference on Security and Cryptography for Networks (SCN’16) 9

  10. Single vs. Gradual Secret Sharing Gradual Sharing [HML13] Linear Sharing [Sha79] share2 for S2 share1 shared secret (s) for S2 shared summand S2 share1 share2 share2 for S1 share1 shared for S1 summand S1 • Secret is stored as a free term in a • Confidentiality is not lost as long as at most polynomial of degree t d < n parties are compromised • Confidentiality lost if t+1 parties • Non-robust with active adversaries compromised, typically t < n/2 • Robust 10 th Conference on Security and Cryptography for Networks (SCN’16) 10

  11. PSS Blueprint for Dishonest Majority • Use Gradual Secret Sharing with a maximum degree less than d = n – r where r is the number of parties that can be rebooted in parallel. • Proactivizing Gradual Secret Sharing by developing two protocols with same security guarantees against mixed adversaries and dishonest majority: 1. Refresh: distributed rerandomization of shares 2. Recovery: distributed recovery of shares (for rebooted nodes) 10 th Conference on Security and Cryptography for Networks (SCN’16) 11

  12. Refreshing Shares of a Summand (1/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 12

  13. Refreshing Shares of a Summand (2/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 13

  14. Refreshing Shares of a Summand (3/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 14

  15. Recovering Shares of a Summand (1/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 15

  16. Recovering Shares of a Summand (2/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 16

  17. Recovering Shares of a Summand (3/3) 10 th Conference on Security and Cryptography for Networks (SCN’16) 17

  18. Main Theorem • For r = 1 (rebooting nodes in series) we get the highest thresholds. Theorem: • Given a gradual secret sharing parameter 𝑒 < 𝑜 − k − 1 there exists a computationally secure (T s ,T r ,T c )- secure PSS scheme, utilizing a computationally secure homomorphic commitment scheme, for mixed adversaries characterized by (A ∗ ,P ∗ ) where A ∗ ⊆ P ∗ . • The PSS scheme ensures secrecy if |P ∗ | ≤ d , is robust against |A ∗ | ≤ k if d < n−k−1 and |P ∗ | ≤ d , and is correct with agreement on aborts if |P ∗ | ≤ d ∧ |P ∗ |+|A ∗ | ≤ n−2 . 10 th Conference on Security and Cryptography for Networks (SCN’16) 18

  19. Proof Sketches • Since this is only a SS, prove correctness and security as properties of the SS scheme • Can be formalized to provide full simulator showing that view in real world ~ view ideal world • Secrecy: straightforward because of degree of polynomial • Robustness: given a polynomial with degree less than n – r, have r redundant points so can reconstruct without them • Correctness (with agreement on aborts): prove by contradiction by breaking correctness of PSS scheme to security of underlying commitment scheme 10 th Conference on Security and Cryptography for Networks (SCN’16) 19

Recommend

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides
Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest.

Not If But When Me, I'm dishonest. And a dishonest man, you can always trust to be dishonest. Honestly, it's the honest ones you want to watch out for, because you can never predict when they're going to do something incredibly stupid.

369 views • 25 slides
Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc.

Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc.

Scalable RSA Modulus Generation with a Dishonest Majority Muthu Venkitasubramaniam Ligero Inc. &amp; University of Rochester Megan Chen, Carmit Hazay, Yuval Ishai, Yuriy Kashnikov, Daniele Micciancio, Tarik Riviere, abhi shelat, Ruihan Wang

1.12k views • 54 slides
Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e

Homomorphic Secret Sharing II Homomorphic Secret Sharing for Branching Programs Under DDH Ele:e Boyle Niv Gilboa Yuval Ishai IDC BGU Technion &amp; UCLA Secure ComputaGon Approaches Classical

342 views • 33 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT

Breaking the Circuit-Size Barrier in Secret Sharing Tianren Liu Vinod Vaikuntanathan MIT MIT 50th ACM Symposium on Theory of Computing June 27, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret Secret Sharing

790 views • 75 slides
Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013 Outline 1. Introduction 2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing 3. Adjustments to HKS secret sharing and analysis

444 views • 27 slides
Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu)

. . . . . . . . . . . . . . . . Expected Constant Round Byzantine Broadcast under Dishonest Majority Jun Wan (junwan@mit.edu) Hanshen Xiao (hsxiao@mit.edu) Elaine Shi (runting@gmail.com) . . . . . . . . . . . . . .

274 views • 11 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and

Homomorphic Secret Sharing for Low Degree Polynomials Russell W. F. Lai, Giulio Malavolta , and Dominique Schrder Friedrich-Alexander University Erlangen-Nrnberg Homomorphic Secret Sharing A secret-sharing scheme allows a client to share his

247 views • 14 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views • 16 slides
Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod

Towards Breaking the Exponential Barrier for General Secret Sharing Tianren Liu Vinod Vaikuntanathan Hoeteck Wee MIT MIT CNRS and ENS May 6, 2018 Secret Sharing [Blakley79,Shamir79,Ito-Saito-Nishizeki87] Secret s { 0 , 1 }

1.02k views • 85 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes

On the Local Leakage Resilience of Linear Secret Sharing Schemes Linear Secret Sharing Schemes Akshay Degwekar (MIT) Joint with Fabrice Benhamouda (IBM Research), Yuval Ishai (Technion) and Tal Rabin (IBM Research) Leakage attacks can be

547 views • 30 slides
Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with

Securing Secret Sharing Against Leakage and Tampering Ashutosh Kumar Based on joint works with Vipul Goyal, Raghu Meka, and Amit Sahai Secret Sharing secret s n s 1 s i Correctness: Any out of parties can

1.72k views • 144 slides
A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su,

A Latin square autotopism secret sharing scheme Talk by Rebecca J. Stones Co-authors: Ming Su, Xiaoguang Liu, Gang Wang, (Nankai University) and Sheng Lin (Tianjin University of Technology). September 12, 2014 Secret sharing schemes Secret

1.43k views • 86 slides
Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey

Secure Multi-party Quantum Computation with a Dishonest Majority Yfke Dulek, Alex Grilo, Stacey Je ff ery, Christian Majenz, Christian Scha ff ner Introduction Multi-party computation (MPC) Input (player i): x i 83 false Output: f(x 1 , ,

686 views • 20 slides
Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa

Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa

Berkeley CS276 &amp; MIT 6.875 Secret sharing and applications Lecturer: Raluca Ada Popa Starting to record Nuclear launch codes A judge, president and general receive shares ! , &quot; , # of a secret from a

473 views • 35 slides
Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 +

Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 +

Today. Secret Sharing. Polynomials A polynomial P ( x ) = a d x d + a d 1 x d 1 + a 0 . is specified by coefficients a d ,... a 0 . Share secret among n people. Polynomials. P ( x ) contains point ( a , b ) if b = P ( a ) .

221 views • 8 slides
Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini

Efficient Leakage-Resilient Secret Sharing Peihan Miao Akshayaram Srinivasan Prashant Nalini Vasudevan UC Berkeley Secret Sharing [Shamir 79, Blakley 79] Share 1 , , Reconstruction: Given at least

1.45k views • 20 slides
Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of

Vector Space Secret Sharing Scheme Mustafa Atici Western Kentucky University Department of Mathematics and Computer Science 52 MIGHTY Conference, Indiana State University, Terre Haute IN. April 27-28, 2012 Mustafa Atici Secret Sharing Scheme

461 views • 21 slides
How to Keep a Secret Key Securely Information can be secured by encryption under a secret key.

How to Keep a Secret Key Securely Information can be secured by encryption under a secret key.

How to Keep a Secret Key Securely Information can be secured by encryption under a secret key. The ciphertext can be replicated. Even if one replicated copy is lost, or stolen, Secret Sharing the information

181 views • 6 slides
Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr

Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr

Ideal Secret Sharing Schemes Ideal Multipartite Access Structures Ideal Multipartite Secret Sharing Schemes Oriol Farrs, Jaume Mart-Farr, Carles Padr Universitat Politcnica de Catalunya Eurocrypt 2007, Barcelona Farrs,

890 views • 33 slides

More recommend