Secret Sharing Using Non-Commutative Groups


  1. Secret Sharing Using Non-Commutative Groups Bren Cavallo The Graduate Center, CUNY 5/30/2013

  2. Outline
     1. Introduction
     2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing
     3. Adjustments to HKS secret sharing and analysis

  3. What is Secret Sharing?
     Secret sharing is a cryptographic protocol in which a dealer distributes a secret via shares to participants such that only certain subsets of participants can recover the secret. The ideal setting is one that deals with information that is both very important and highly sensitive.

  4. What is Secret Sharing?
     The fact that there are multiple shares, as opposed to one private key as in private key cryptography, makes the secret less likely to be lost while still allowing high levels of confidentiality. If any one share is compromised, other participants can still reconstruct the secret, and since the secret is spread out over multiple shares and is limited by its access structure (the subsets of participants that can recover the secret), the secret remains secure. Applications include multiparty encryption, threshold encryption, numbered bank accounts, and wills, among others.

  5. Formal Definition
     A secret sharing scheme consists of a dealer, $n$ participants, and an access structure $\mathcal{A} \subseteq 2^{\{P_1, \cdots, P_n\}}$ such that for all $A \in \mathcal{A}$ and $A \subseteq B \in 2^{\{P_1, \cdots, P_n\}}$, $B \in \mathcal{A}$. To share a secret $s$, the dealer runs an algorithm
     $$\mathrm{Share}(s) = (s_1, \cdots, s_n)$$
     and then distributes each share $s_i$ to $P_i$.

  6. Formal Definition
     In order to recover the secret, the participants run the algorithm Recover, which has the property that for all $A \in \mathcal{A}$:
     $$\mathrm{Recover}(\{s_i : i \in A\}) = s$$
     and if $A \notin \mathcal{A}$ then Recover is infeasible. As such, only groups of participants in $\mathcal{A}$ can access the secret. If a set $B$ contains as a subset some $A \in \mathcal{A}$, then they could run Recover on $A$ and obtain the secret. Hence it makes sense to have $B \in \mathcal{A}$.

  7. Threshold Secret Sharing Schemes
     One of the more common access structures one sees in secret sharing is the $(k, n)$ threshold:
     $$\mathcal{A} = \{A \in 2^{\{P_1, \cdots, P_n\}} : |A| \geq k\}$$
     We call a secret sharing scheme with such an access structure a $(k, n)$ threshold scheme. The problem of discovering a non-trivial $(k, n)$ scheme was solved independently by G. Blakley [3] and A. Shamir [12] in 1979. Notice that this problem becomes non-trivial in part because the shares have to be consistent. This means any $k$-person subset recovers the same secret.

  8. Shamir’s Scheme
     In Shamir’s scheme the secret is an element of $\mathbb{Z}_p$ where $p$ is a prime larger than $n$. Given a secret $s$, the dealer generates the shares for a $(k, n)$ threshold by doing the following:
     - The dealer randomly selects $a_1, \cdots, a_{k-1} \in \mathbb{Z}_p$ such that $a_{k-1} \neq 0$ and constructs the polynomial
       $$f(x) = a_{k-1} x^{k-1} + \cdots + a_1 x + s$$
     - For each participant $P_i$ the dealer publishes a corresponding $x_i \in \mathbb{Z}_p$.
     - The dealer distributes the share $s_i = f(x_i)$ to each $P_i$ over a private channel.
     Any subset of $k$ participants can then reconstruct the polynomial $f(x)$ by using polynomial interpolation and then finding $f(0) = s$.

  9. Polynomial Interpolation
     In order to reconstruct a polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}$ given points $(x_1, f(x_1)), \cdots, (x_k, f(x_k))$, one can solve for the coefficient column in the following system of linear equations:
     $$\begin{pmatrix} x_1^{k-1} & \cdots & x_1^2 & x_1 & 1 \\ x_2^{k-1} & \cdots & x_2^2 & x_2 & 1 \\ \vdots & & \vdots & \vdots & \vdots \\ x_k^{k-1} & \cdots & x_k^2 & x_k & 1 \end{pmatrix} \begin{pmatrix} a_{k-1} \\ a_{k-2} \\ \vdots \\ a_0 \end{pmatrix} = \begin{pmatrix} f(x_1) \\ f(x_2) \\ \vdots \\ f(x_k) \end{pmatrix}$$
     One can see that $k-1$ shares give no information about $a_0$, as there are $k-1$ equations and $k$ unknowns. Hence $a_0$ could be any element in $\mathbb{Z}_p$.
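
The dealing and recovery steps of slides 8 and 9, as an added example that is not part of the original presentation. It uses Lagrange interpolation instead of solving the linear system, and the modulus, the choice $x_i = i$ and all function names are assumptions made for the example.

```python
import secrets

P = 2**31 - 1   # prime modulus p > n (value chosen for this example)

def make_shares(s, k, n, p=P):
    """Dealer: f(x) = a_{k-1} x^{k-1} + ... + a_1 x + s with a_{k-1} != 0."""
    if not (2 <= k <= n < p and 0 <= s < p):
        raise ValueError("need 2 <= k <= n < p and s in Z_p")
    coeffs = [s] + [secrets.randbelow(p) for _ in range(k - 2)]
    coeffs.append(1 + secrets.randbelow(p - 1))     # leading coefficient, nonzero

    def f(x):
        y = 0
        for a in reversed(coeffs):                  # Horner's rule mod p
            y = (y * x + a) % p
        return y

    # public x_i = i (assumption), private share s_i = f(x_i)
    return [(x, f(x)) for x in range(1, n + 1)]

def interpolate_at(points, x0, p=P):
    """Value at x0 of the unique polynomial of degree < len(points)
    through the given points, over Z_p (Lagrange form)."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x-coordinates")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (x0 - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def recover(points, p=P):
    """Any k shares give back s = f(0)."""
    return interpolate_at(points, 0, p)

def missing_share_if_secret_were(candidate, known, x_missing, p=P):
    """With only k-1 shares, a candidate secret fixes a polynomial through
    (0, candidate) and the known shares; return its value at x_missing."""
    return interpolate_at([(0, candidate)] + list(known), x_missing, p)
```

Calling `missing_share_if_secret_were` over a range of candidates shows the point of slide 9 concretely: each candidate secret fits the $k-1$ known shares and merely implies a different value for the missing share.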

  10. Habeeb-Kahrobaei-Shpilrain Secret Sharing
     In this case the secret, $s$, is an element of $\{0, 1\}^k$ which we view as a column vector. The scheme is initialized by making a set of generators $X = \{x_1, \cdots, x_n\}$ public.
     - To each $P_i$ the dealer distributes a set of words $R_i$ in the alphabet $X^{\pm}$ over a private channel. The $R_i$ are such that each group $G_i = \langle X \mid R_i \rangle$ has an efficient word problem.
     - The dealer randomly selects shares $s_i \in \{0, 1\}^k$ for $i = 1, \cdots, n-1$ and $s_n = s - \sum_{j=1}^{n-1} s_j$. Note that addition is the standard XOR.
     - For each $i$, the dealer publishes the words $w_{1i}, \cdots, w_{ki}$ over the alphabet $X^{\pm}$ such that $w_{ji}$ is trivial in $G_i$ if $s_{ji} = 1$ and non-trivial if $s_{ji} = 0$.

  11. Habeeb-Kahrobaei-Shpilrain Secret Sharing
     Since the $G_i$ have efficiently solvable word problem, each $P_i$ can effectively determine if the $w_{ji}$ are trivial or not and can independently find $s_i$. To recover the secret, the $P_i$ add together the $s_i$ and find $s$. The $w_{ji}$ can be made public, since the participants do not know each other's relators and cannot discern trivial versus non-trivial words in another participant's group.

  12. Habeeb-Kahrobaei-Shpilrain Secret Sharing
     The above $(n, n)$ scheme can be further extended to a $(k, n)$ scheme in the following fashion:
     - As is the case with Shamir’s scheme, the secret $s$ is an element of $\mathbb{Z}_p$ and the shares $s_i$ are points along a random polynomial of degree $k-1$ with constant term $s$.
     - The dealer converts each $s_i$ into its binary representation. As such, each share can again be viewed as a column vector.
     - The shares $s_i$ are distributed in the same way as in the $(n, n)$ scheme. Trivial and non-trivial words are published such that the column each $P_i$ recovers is $s_i$ in binary.
     - The secret is then recovered with polynomial interpolation.

  13. Shortlex Ordering
     Let $X = \{x_1, \cdots, x_n\}$ and $G = F(X)$. A shortlex ordering on $G$ is induced by an order on $X^{\pm}$ as follows. Given reduced words $w = x_{i_1} \cdots x_{i_p}$ and $l = x_{j_1} \cdots x_{j_q}$ with $w \neq l$, then $w < l$ iff:
     - $|w| < |l|$, or
     - $|w| = |l|$ and $x_{i_a} < x_{j_a}$ where $a = \min\{\alpha : x_{i_\alpha} \neq x_{j_\alpha}\}$.
     For example, say we let $X = \{x, y\}$ and give $X^{\pm}$ the ordering $x < x^{-1} < y < y^{-1}$. Then the first few words in order would be:
     $$e < x < x^{-1} < y < y^{-1} < x^2 < xy < xy^{-1} < x^{-2} < x^{-1}y < x^{-1}y^{-1} < yx < yx^{-1} < y^2 < y^{-1}x < y^{-1}x^{-1} < y^{-2} < x^3 < x^2y < x^2y^{-1} < xyx < xyx^{-1} < \cdots$$

  14. Habeeb-Kahrobaei-Shpilrain Secret Sharing Using Shortlex Ordering
     - In this case, the dealer publishes the letters $X$ and over a private channel sends a set of words $R_i$ in $X^{\pm}$ to each $P_i$ such that $G_i = \langle X \mid R_i \rangle$ is a group with an efficient algorithm to reduce words to a normal form in terms of the $R_i$.
     - The dealer chooses a secret $s \in \mathbb{Z}_p$ for some large prime $p > n$ and generates a random polynomial $f$ in $\mathbb{Z}_p[x]$ with constant term $s$.
     - The dealer assigns a public $x_i$ to each participant, computes $f(x_i)$, and finds $s_i \in F(X)$ such that $s_i$ is the $f(x_i)$th word in $F(X)$.

  15. Habeeb-Kahrobaei-Shpilrain Secret Sharing Using Shortlex Ordering
     - The dealer publishes a word $w_i$ that reduces to $s_i$ in $G_i$. This can be done efficiently by interspersing conjugated products of relators between the letters of $s_i$.
     - Each participant $P_i$ computes their share by reducing $w_i$ to get $s_i$ and then computing its position in $F(X)$.
     - Using their shares they find the secret using polynomial interpolation.

  16. HKS Secret Sharing Using Shortlex Ordering
     It is important to realize the following:
     - $s_i$ must be completely reduced in $G_i$.
     - Some reduction algorithms can be done in multiple ways given the same initial conditions, so it is important to fix a protocol so that whatever process $P_i$ uses to reduce $w_i$ terminates at $s_i$.
     - If a random $f(x_i)$ does not have a corresponding reduced word, the dealer can always assign $P_i$ a different $x_i$.
     - In the case of certain groups, words with small length are often reduced, and the length of the $s_i$ can be kept down since they grow logarithmically with respect to the number of generators of the free group.

  17. Analysis
     - Assuming that it is efficient to generate relators for groups with the desired properties and that it is efficient to generate random small words, the above steps can be done efficiently.
     - Finding the position of any word in a free group or finding the $i$th word can be done with a combinatorial formula.
     - The $w_i$ can be made by inserting conjugated products of relators between the letters of $s_i$.
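
One way to compute the position of a reduced word in $F(X)$ and the $i$th word, as used in slides 13 to 17 (an added example, not code from the presentation). It generalizes the two-generator example of slide 13 to $n$ generators ordered $x_1 < x_1^{-1} < x_2 < x_2^{-1} < \cdots$; the integer letter encoding and counting from $e$ at position 0 are assumptions.

```python
# Letters are integers in alphabet order: 0 = x1, 1 = x1^-1, 2 = x2, 3 = x2^-1, ...
# so the inverse of letter c is c ^ 1. Positions start at 0 with the empty word e
# (an assumption; the slides do not say whether counting starts at 0 or 1).

def count(n, length):
    """Number of freely reduced words of the given length on n generators."""
    return 1 if length == 0 else 2 * n * (2 * n - 1) ** (length - 1)

def unrank(i, n):
    """Return the i-th reduced word in shortlex order as a list of letters."""
    length = 0
    while i >= count(n, length):              # find the length class of position i
        i -= count(n, length)
        length += 1
    word, m = [], 2 * n - 1
    for pos in range(length):
        block = m ** (length - pos - 1)       # reduced words sharing this prefix
        d, i = divmod(i, block)
        if pos > 0 and d >= word[-1] ^ 1:     # skip the inverse of the previous letter
            d += 1
        word.append(d)
    return word

def rank(word, n):
    """Position of a freely reduced word in shortlex order (inverse of unrank)."""
    for a, b in zip(word, word[1:]):
        if b == a ^ 1:
            raise ValueError("word is not freely reduced")
    length, m = len(word), 2 * n - 1
    i = sum(count(n, l) for l in range(length))
    for pos, c in enumerate(word):
        d = c - 1 if pos > 0 and c > word[pos - 1] ^ 1 else c
        i += d * m ** (length - pos - 1)
    return i

def to_text(word, names=("x", "y")):
    """Render a letter list, e.g. [0, 2, 1] -> 'x y x^-1'."""
    return " ".join(names[c >> 1] + ("^-1" if c & 1 else "") for c in word) or "e"

if __name__ == "__main__":
    # Reproduces the ordering listed on slide 13 for X = {x, y}.
    print(" < ".join(to_text(unrank(i, 2)) for i in range(22)))
```

With this encoding a share value $f(x_i) = 20$ corresponds to the word $xyx$, and `rank` recovers 20 from it.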
