(t, w) Threshold schemes

• A master key $K$ (e.g. for a Certificate Authority) is very sensitive to exposure or loss
  – exposure makes the whole system untrustable
  – loss makes the system inaccessible
• Extra copies increase vulnerability
• Solution: split $K$ into $w$ shadows $K_1, \dots, K_w$ such that
  – with $t$ shadows, $K$ can be recovered
  – with fewer than $t$, $K$ cannot be recovered
• Give the $w$ shadows to different users
  – exposure of fewer than $t$ shadows is OK
  – loss of fewer than $w - t$ shadows is OK
Shamir threshold scheme

• Use a random, secret polynomial of degree $t - 1$:
  $f(x) = a_{t-1} x^{t-1} + \dots + a_1 x + a_0 \bmod p$
  – where $a_0 = K$, $p > K$, $p > w$, $p$ prime
• $K = f(0)$; $K_i = f(x_i)$ for $i \in [1, w]$, with the $x_i$ distinct and not secret
• Each pair $(x_i, K_i)$ is a point on the curve $f(x)$
  – $t$ points uniquely determine a polynomial of degree $t - 1$
  – $f(x)$, and thus $K$, can be reconstructed from $t$ shadows but not from fewer
Shamir thresholds (cont)

• Given $t$ shadows $K_{i_1}, \dots, K_{i_t}$, $f(x)$ is reconstructed e.g. by the Lagrange polynomial
  $f(x) = \sum_{j=1}^{t} K_{i_j} \prod_{k=1,\, k \ne j}^{t} \frac{x - x_{i_k}}{x_{i_j} - x_{i_k}} \bmod p$
• Since arithmetic is in $\mathbb{Z}_p$, division is done by multiplication with inverses mod $p$.
• Features:
  – More shadows: compute $f(x)$ for a new $x$
  – Retract shadows: use a new polynomial with the same $K$
  – Users may have more than one shadow (e.g. the president)
• Other threshold schemes exist.
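The two Shamir slides above, as an added worked example (not code from the slides): splitting $K$ over $\mathbb{Z}_p$ and recovering it with Lagrange interpolation, including the "more shadows" feature. It assumes $p = 2^{127} - 1$ and public $x_i = 1, \dots, w$; any $t$ shadows reconstruct $K$, fewer give an unrelated value.

```python
import secrets

# Prime modulus p (assumed choice for this example): must exceed both K and w.
P = 2**127 - 1

def _eval_poly(coeffs, x, p):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod p by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def split(K, t, w, p=P):
    """Split K into w shadows (x_i, K_i) with threshold t.
    a_0 = K, a_1..a_{t-1} are random and secret; x_i = 1..w are public."""
    assert 0 <= K < p and 1 <= t <= w < p
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, w + 1)]

def interpolate(shadows, x, p=P):
    """Lagrange formula over Z_p: evaluate at x the unique polynomial of
    degree t-1 through the given t points (x_{i_j}, K_{i_j})."""
    xs = [xi for xi, _ in shadows]
    assert len(set(xs)) == len(xs), "x_i must be distinct"
    total = 0
    for j, (xj, yj) in enumerate(shadows):
        num = den = 1
        for k, (xk, _) in enumerate(shadows):
            if k != j:
                num = num * (x - xk) % p      # (x - x_{i_k})
                den = den * (xj - xk) % p     # (x_{i_j} - x_{i_k})
        # Division in Z_p is multiplication by the modular inverse.
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

def reconstruct(shadows, p=P):
    """K = f(0): any t shadows recover the master key."""
    return interpolate(shadows, 0, p)

def new_shadow(shadows, x_new, p=P):
    """'More shadows' feature: t holders mint a shadow for an unused x."""
    return (x_new, interpolate(shadows, x_new, p))

if __name__ == "__main__":
    K = 0x5EC2E7                      # constructed sample key
    sh = split(K, t=3, w=5)
    print(reconstruct(sh[:3]) == K, reconstruct(sh[:2]) == K)
```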
Oblivious transfer

• A and B want to flip a coin by computer:
  – A picks two large primes $p, q$ and sends $n = pq$ to B
  – B picks a random $x < n$ such that $\gcd(x, n) = 1$, and sends $a = x^2 \bmod n$ to A
  – A computes (by the Chinese Remainder Theorem) the four square roots of $a$ and sends one, chosen at random, to B
    • these are $x,\ n - x,\ y,\ n - y$, but A does not know $x$
  – If B receives $y$ or $n - y$ he can find $p$ and $q$ by computing $\gcd(x + y, n) = p$ or $q$. Otherwise he cannot.
  – B wins if he can factor $n$.
• Can be used in contract signing protocols.