1. Mehrdad Nojoumian David R. Cheriton School of Computer Science University of Waterloo, Canada CrySP Lab Supervisor: Professor Douglas R. Stinson PhD Thesis Defence August 14, 2012 Novel Secret Sharing and Commitment Schemes for Cryptographic Applications

2. Mehrdad Nojoumian Contents of the Thesis 2

3. Mehrdad Nojoumian Cryptographic Primitives  Commitment Scheme: 1.Commit: in a commitment scheme, the first party (Bob) initially commits to a value while keeping this value hidden. 2.Reveal: then, he reveals the committed value to the second party (Alice) in order to be checked.  Secret Sharing: 1.Sharing: a secret is divided into n shares in order to be distributed among n players. 2.Reconstruction: an authorize subset of players then cooperate to reveal the secret, e.g., t players where t < n is the threshold. 3 Secret = 1 Head Head/Tail can not change it, just reveal it Bob Alice

4. Mehrdad Nojoumian Rational Secret Sharing  Problem: the players deny to reveal their shares in the secret recovery phase, therefore, the secret is not reconstructed at all. Example: f (x) = 3 + 2 x + x 2  t=3 shares are enough for recovery. Model: players are selfish rather than being honest or malicious. If all players act selfishly, secret recovery fails.  Solution: 4 PiPi PjPj PkPk 6 11 only P k learns the secret “3” 6 11 18 selfish unknown real recovery round fake secret recovery rounds …

5. Mehrdad Nojoumian Trust and Reputation  Trust vs Reputation: trust is a personal quantity, created between “2” players, whereas reputation is a social quantity in a network of “n” players. If all players have an equal view, trust = reputation.  Our Function is not just a function of a single round, but of the history: 5 A1A1 A2A2 A3A3 A4A4 0.4 0.5 0.6 0.5 Bad P i (C) Newcomer P i (C) Good P i (C) Bad P i (D) Newcomer P i (D) Good P i (D)

6. Mehrdad Nojoumian Part I 6

7. Mehrdad Nojoumian 1. Social Secret Sharing  Motivation: components of a secure system may have different levels of importance (weight) as well as reputation (in terms of availability), therefore, a good protocol should balance these two factors respectively.  Contribution: we propose a social secret sharing scheme where shares are allocated based on each player's reputation. It is similar to human social life where people share more secrets with whom they trust and vice versa.  Review: we use two different secret sharing schemes: Proactive Secret Sharing: to update shares without changing the secret in order to deal with a mobile adversary. Weighted Secret Sharing: to assign multiple shares to some specific players rather than a single share. 7

8. Mehrdad Nojoumian GoogleAmazon YahooMicrosoft  3 = 3  2 = 2  4 = 1  1 = 4 Dealer 1. Cooperation P i (C): is available during secret recovery and sends correct shares. 2. Defection P i (D): is not available at the required time or may respond with delay. 3. Corruption P i (X): has been compromised by a passive or active adversary. GoogleAmazon YahooMicrosoft s4s4 s1s1 s2s2 s3s3 s9s9 s 10 s 11 s5s5 s6s6 s 13 Application: Self-Organizing Clouds 8 s5s5 s6s6 s 13 s9s9 s 10 s 11 s4s4 s1s1 s2s2 s3s3  3 = 3  2 = 2  4 = 2  1 = 3 Dealer Free s9s9 s 10 s 11 s 13 s 14 s1s1 s2s2 s3s3 s5s5 s6s6

9. Mehrdad Nojoumian Subprotocol: Enrollment  Share Enrollment: How to enroll a new share without having access to the original secret sharing polynomial f(x)? Example: f (x) = 3 + 2 x + x 2 (we need at least t = 3 players) C 1 = (4-2)(4-3) / (1-2)(1-3) = 1 C 2 = (4-1)(4-3) / (2-1)(2-3) = -3Lagrange constants C 3 = (4-1)(4-2) / (3-1)(3-2) = 3 9 P1P1 2 P2P2 8 P3P3 6 3 1 2 1 5 7 P1P1 2 P2P2 8 P3P3 3 6 1 2 5 1 7 P1P1 6 P2P2 11 P4P4 ? P3P3 18 * C 1 + * C 2 + * C 3 = 13 2 6 1 P1P1 * C 1 + * C 2 + * C 3 = -7 8 5 2 P2P2 * C 1 + * C 2 + * C 3 = 21 1 7 3 P3P3 27

10. Mehrdad Nojoumian P2P2 P4P4 P3P3 P1P1 Proactive Secret Sharing s1s1 s2s2 s3s3 s4s4  Share Update: adding a polynomial with zero constant term to the original secret sharing polynomial. 1 95 6 Subprotocol: Share Update 10 g (x) = 0 + 4x + 2x 2 + 10x 3 f’ (x) = 3 + 8x + 9x 2 + 2x 3 g (1) = 3 g (2) = 5 g (3) = 1 g (4) = 12 f’ (1) = 9 f’ (2) = 6 f’ (3) = 6 f’ (4) = 8 f (1) = 6 f (2) = 1 f (3) = 5 f (4) = 9 f (x) = 3 + 4x + 7x 2 + 5x 3  Z 13 [x] 35112 9 6 8 6 + secret = 3 s 3 and s 4 are now useless mobile adversary

11. Mehrdad Nojoumian  Social Secret Sharing: sharing and reconstruction phases are similar to Shamir’s scheme, the only difference is the social tuning step. 1.Tuning: based on the availability, reputation and consequently  i are adjusted. 2.Enrollment: players jointly cooperate to generate s 14  f(x); original polynomial. 3.Update & Disenrollment: players update shares except s 4 where new s i  f’(x). Our Construction 11 Enrollment Amazon Microsoft s 14 s1s1 s2s2 s3s3 s 13  4 = 2  1 = 4 s4s4 Update & Disenrollment Amazon Microsoft s 14 s1s1 s2s2 s3s3 s 13  4 = 2  1 = 3 Amazon Microsoft s4s4 s1s1 s2s2 s3s3 s 13  4 = 1  1 = 4

12. Mehrdad Nojoumian Part II 12

13. Mehrdad Nojoumian 2. Socio-Rational Secret Sharing  Motivation: we would like to consider a repeated secret sharing game where players enter into a long-term interaction for executing an unknown number of independent secret sharing schemes.  Contribution: we propose a socio-rational secret sharing scheme where a public trust network is constructed to incentivize the players to be cooperative, i.e., they can gain extra utility if they cooperate.  Reminder: the concept of socio-rational secret sharing is new. Social Secret Sharing: to update weights of players in a setting with “honest” and “malicious” players. Rational Secret Sharing: to deal with secret recovery in a rational setting with “selfish” players. 13

14. Mehrdad Nojoumian Application: Repeated Games  Sealed-Bid Auctions: repeated secret sharing game, where 1.Bidders select “n” out of “N” auctioneers based on their reputation. 2.Each bidder then acts as an independent dealer and shares his bid. 3.Auctioneers simulate a secure MPC protocol to define the outcome. 4.In the last round of the MPC, they need to recover the selling price. Only auctioneers who learn (report) the selling price are rewarded. At the end of each game, the reputation of each auctioneer is updated. 14

15. Mehrdad Nojoumian Utility Assumption  Rational vs Socio-Rational Secret Sharing: : whether P i has learned the secret or not, and let. 1.The first preference illustrates that whether P i learns the secret or not, he prefers to stay reputable. 2.The second assumption means P i prefers the outcome in which he learns the secret. 3.The third one means P i prefers the outcome in which the fewest number of other players learn the secret. 15 Socio-Rational Rational

16. Mehrdad Nojoumian Utility Computation  Sample Function: which satisfies our utility assumptions 16 assume P i has contributed in two consecutive periods p and p-1  i  [1, 3] suppose  = $100 [-3, -1] or [1, 3]

17. Mehrdad Nojoumian  (2,2)-Socio-Rational Secret Sharing: despite rational secret sharing, cooperation is always the best strategy even if the other party defects.  Utility Comparison: where (2,2)- Secret Sharing with Selfish Players (2,2)- Socio-Rational Secret Sharing Comparison 17

18. Mehrdad Nojoumian Part III 18

19. Mehrdad Nojoumian 3. Dynamic Secret Sharing  Motivation: in a threshold scheme, the sensitivity of the secret as well as the number of players may fluctuate due to various reasons. Over time, mutual trust might be decreased: perhaps due to the organizational problems or security incidents, and vise versa. The structure of the organization to which the players belong might be changed: new players may join the organization or current parties may leave the organization. Therefore, modifying the threshold and/or changing the secret might be required throughout the lifetime of a secret  Contribution: we analyze the re-sharing technique in both passive and active adversary models, provide a simple dynamic scheme for changing the secret and threshold, and propose sequential secret sharing. 19

20. Mehrdad Nojoumian Threshold Modification (passive)  Example : using Lagrange/Vandermonde method, let 20  P 3 generates

21. Mehrdad Nojoumian Threshold Decrease (passive/active) 21 P1P1 1 P2P2 3 P3P3 3 1 1 2 2 3 2 P1P1 2 P2P2 3 P3P3 1 3 1 1 3 2 2 P1P1 3 P2P2 7 P 4 : Public Share ? P3P3 8 * 1 + 2 * -3 + * 3 = 1 * 1 + * -3 + * 3 = 4 * 1 + * -3 + * 3 = 1 2 3 1 P1P1 3 3 1 P2P2 2 2 1 P3P3 6 ^ ^ ^ ^

22. Mehrdad Nojoumian Threshold Increase (passive/active) 22

23. Mehrdad Nojoumian Part IV 23

24. Mehrdad Nojoumian 4. Multicomponent Commitment  Motivation: to construct a commitment scheme suitable for sealed-bid auctions, where the bidders decide on their bids ahead of time and independent of whatever info they may gain during the auction.  Contribution: a new multicomponent commitment scheme with several committers & verifiers, and three unconditionally secure first-price auction protocols with a decreasing price mechanism, i.e., Dutch-style auction.  Review: the goal of a sealed-bid auction is to protect different parameters. Secrecy of the selling price and winner’s identity are optional. To have a fair auction, confidentiality of the losing bids is important: They can be used in future auctions and negotiations by different parties, e.g., auctioneers to maximize their revenues or competitors to win the auction. 24

25. Mehrdad Nojoumian Our Construction Multicomponent Commitment Scheme: we assume that majority of players are honest. Our proposed scheme consists of a trusted initializer T and n players P 1 … P n (T leaves the scheme after the initialization). 1.Initialize: T selects n polynomials of degree n-1 and sends g i (x) to P i and also n-1 distinct points on each g i (x) to other players: 2.Commit: each player P i computes y i = g i (x i ) as a committed value and broadcasts y i to other players, where x i is the secret of P i. That is, y 1 …y n are committed values and x 1 …x n are secrets of players accordingly. 3.Reveal: each P i discloses g i (x) and his secret x i to other parties through the public broadcast channel. Other players P j investigate the validity of y i = g i (x i ). They then check to see if all n-1 points are on g i (x), i.e., voting. 25 g1g1 g2g2 gngn … n-1 points … … …

26. Mehrdad Nojoumian Application: Secure 1 st -Price Auction Verifiable Protocol with Non-Repudiation:  i  [ ,  ] and  =  -  +1 1.Initialize: trusted initializer T randomly selects  polys for each bidder, where B 1 …B n. He sends n-1 distinct points on each poly to other parties. 2.Commit: suppose  i  [0,7],  = 8,  i = 7 - 5 = 2, and Z 13. B i first converts  i to a specific binary vector and then converts it to a non-binary vector as shown below. Finally, he commits to the resulting field elements. 3.Reveal: auction starts with  and continues by a decreasing price mechanism. The winner proves his claim by revealing all commitments. Losers also prove that their bids have been less than the winning price. E.g., if  win = 4, B i reveals (7- 4 +1)= 4 values in [7,13), i.e.,  i has been at most 3 26 x=1→[7,13) x=0→[0,7)

27. Mehrdad Nojoumian Application: Secure 1 st -Price Auction Efficient Verifiable Protocol with Non-Repudiation: ≈ log 2  1.Initialize: T randomly selects polynomials for each bidder. He then sends n-1 distinct points on each polynomial to other parties. 2.Commit: suppose  i  [0,7], = log 2 8 = 3,  i = 7- (101) 2 = 2, and Z 13. B i first converts  -  i to a binary vector and then converts it to a non-binary vector as shown here. Finally, he commits to the resulting field elements. 3.Reveal: auction starts with  and continues by a decreasing price mechanism. The winner proves his claim by revealing all commitments. Losers also prove that their bids have been less than the winning price. E.g., if  win = 5, B i reveals the 3 rd value: 7-(1??) 2 = 3, i.e.,  i has been at most 3 if  win = 3, B i reveals 1 st and 3 rd values: 7-(1?1) 2 = 2, i.e.,  i has been at most 2 27 x=1→[7,13) x=0→[0,7)

28. Mehrdad Nojoumian  There still exist many untouched areas in cryptography that need to be explored, specially from a multidisciplinary perspective, e.g., social and socio-rational secret sharing schemes.  The sealed-bid auctions are just an instance of financial functionalities. A similar privacy preserving approach can be used in other problem instances such as investment agreement, stock exchange, strategic negotiations, etc. Final Remarks 28

29. Mehrdad Nojoumian Thank You Very Much Special Thanks to Douglas Stinson, Ian Goldberg (UW), Urs Hengartner (UW), Christos Papadimitriou (UCBerkeley), Charles Rackoff (U of T), Omer Reingold (Microsoft), Ronald Cramer (CWI), defense committee members, my friends in the CrySP lab, and my deepest gratitude to my father who passed away on July 13 and loved to see this moment. 29

30. Mehrdad Nojoumian Review of a Well-Known Solution  Previous Solution: trust value T(p+1) is given by the following equations and it depends on the previous trust rating where:   0 and   0 [CIA’00]. 30 T(p)CooperationDefection > 0 T(p) +  ( 1-T(p) )( T(p) +  ) / ( 1- min{ |T(p)|, |  | } ) < 0 ( T(p) +  ) / ( 1 - min{ |T(p)|, |  | } ) T(p) +  ( 1+T(p) ) = 0  T(p) < 0 T(p) = 0 T(p) > 0 T(p) < 0 T(p) = 0 T(p) > 0

31. Mehrdad Nojoumian Intuition and Motivation 31 There exist some common principles for trust modeling AB A lies to B for the 1 st time: defection AB A lies to B for the 2 nd time: same defection + past history AB A cheat on B: costly defection Impact of the brain’s history

32. Mehrdad Nojoumian Secret Sharing in a Multidisciplinary Model 32

33. Mehrdad Nojoumian 33 Non-cooperative Games  Prisoner’s Dilemma: is a well-known non-cooperative game. 1.Players: P 1 and P 2 2.Actions: Confess or Keep Quiet 3.Payoffs:  Nash Equilibrium: no matter P i selects “C” or “D”, P j chooses “D”. -1, -1+1, -2 D: Confess -2, +10, 0 C: Quiet D: ConfessC: Quiet P2P2 P1P1 -1, -1+1, -2 -2, +10, 0 P2P2 -1, -1+1, -2 -2, +10, 0 P2P2 P1P1 P1P1 +1 : Free 0 : Jail for 1 year -1 : Jail for 2 years -2 : Jail for 3 years -1, -1+1, -2 -2, +10, 0 P1P1 P 1 : “what if I cooperate” -1, -1+1, -2 -2, +10, 0 P1P1 P 1 : “what if I defect” P2P2 P2P2 the ideal outcome

34. Mehrdad Nojoumian STOC’04 Paper  Problem: 3-out-of-3 rational secret sharing.  Solution: a multi-round recovery approach. 1.In each round, dealer initiates a fresh secret sharing of the same secret. 2.During an iteration, each P i flips a biased coin c i with Pr[c i = 1] = . 3.Players then compute c* =  c i by MPC without revealing c i -s. 4.If c* = c i = 1, player P i broadcast his share. There are 3 possibilities: a.If all shares are revealed, the secret is recovered and the protocol ends. b.If c* = 1 and 0 or 2 shares are revealed, players terminate the protocol. c.In any other cases, the dealer and players proceed to the next round. 34 c1c1 c2c2 c3c3 cici reveal 0000- 0011 s3s3 0101 s2s2 0110- 1001 s1s1 1010- 1100- 1111s 1,s 2,s 3 P1P1 P2P2 P3P3 s1s1 s2s2 s3s3 all players are selfish 3 0 0 0 0 1 1 1 1 0, 2 0 0 0

35. Mehrdad Nojoumian Our Construction in Nutshell  Utility Estimation Function: is used by a rational foresighted player. Estimation of the future gain/loss due to the trust adjustment (virtual). Learning the secret at the current time (real). The number of other players learning the secret at the moment (real).  Prominent Properties: our solution Has a single reconstruction round. Provides a stable solution concept. Is immune to rushing attack. Prevents the players to abort. 35 decision making $ despite all the existing protocols

36. Mehrdad Nojoumian Protocol: Socio-Rational SS 36 1.Secret Sharing: 2.Secret Recovery:

37. Mehrdad Nojoumian Threshold Modification (active)  Example: using bivar-poly 37 9 + 2 (2 3 ) + 7 (2 3 ) 2 ? = ? 3 + 12 (2 2 ) + 2 (2 2 ) 2  473  83  5 (mod 13) fails to increase the threshold P 1 generates 

38. Mehrdad Nojoumian Application: Sequential SS  Sharing : in the first phase, 38

39. Mehrdad Nojoumian Application: Sequential SS  Reconstruction: in the second phase, 39   2 is uniquely determined   1 is uniquely determined (original secret)

40. Mehrdad Nojoumian 40  Sequential Secret Sharing: generating multiple secrets with various t -s 1.Conjunctive [TCC’04] At least 2 users at L 0 At least 3 users at L 0 | L 1 At least 4 users at L 0 | L 1 | L 2 At least 6 users at L 0 | L 1 | L 2 | L 3 Application of Our Dynamic Scheme L 0 : t 0 = 2 L 1 : t 1 = 3 L 2 : t 2 = 4 L 3 : t 3 = 6 2. Disjunctive [Crypto’88] 2 users at L 0 is enough 3 users at L 0 | L 1 is enough 4 users at L 0 | L 1 | L 2 is enough 6 users at L 0 | L 1 | L 2 | L 3 is enough original Secret 0 intermediate Secret 1 intermediate Secret 2 last Secret 3

41. Mehrdad Nojoumian 41 Disjunctive Secret Sharing Disjunctive Secret Sharing  Example: t 0 = 2 < t 1 = 3 < t 2 = 4 < t 3 = 6 : max threshold f (x)= 2 + 3 x 1 + 1 x 2 + 5 x 3 + 6 x 4 + 13 x 5  Z 19 Secret is the leading coefficient ids are in monotonically decreasing order by level (can be random) 1415 10798 111312 65243 1 L 0 : t 0 = 2 L 1 : t 1 = 3 L 2 : t 2 = 4 L 3 : t 3 = 6 f (6-2 = 4) (x) = 11 + 2 x f (6-3 = 3) (x) = 11 + 11 x + x 2 f (6-4 = 2) (x) = 2 + 11 x + 15 x 2 + 13 x 3 f (6-6 = 0) (x) = 2 + 3 x + 1 x 2 + 5 x 3 + 6 x 4 + 13 x 5 f (0) (x) = a + b x + c x 2 + d x 3 + e x 4 + g x 5 f (1) (x) = b + 2 c x + 3 d x 2 + 4 e x 3 + 5 g x 4 f (2) (x) = 2 c + 6 d x + 12 e x 2 + g x 3 f (3) (x) = 6 d + 5 e x + 3 g x 2 f (4) (x) = 5 e + 6 g x 5 e + 6 g (14) = 1 e = 6 5 e + 6 g (15) = 3 g = 13 (14, 1) (15, 3)

42. Mehrdad Nojoumian 42 Conjunctive Secret Sharing Conjunctive Secret Sharing  Example: t 0 = 2 < t 1 = 3 < t 2 = 4 < t 3 = 6 : ids are in increasing order or random f (x)= 13 + 3 x + 1 x 2 + 5 x 3 + 6 x 4 + 2 x 5  Z 19 Secret is the constant coefficient 12 9687 354 1514111312 10 L 0 : t 0 = 2 L 1 : t 1 = 3 L 2 : t 2 = 4 L 3 : t 3 = 6 f (x) = 13 + 3 x + 1 x 2 + 5 x 3 + 6 x 4 + 2 x 5 f (t 0 = 2) (x) = 2 + 11 x + 15 x 2 + 2 x 3 f (t 1 = 3) (x) = 11 + 11 x + 6 x 2 f (t 2 = 4) (x) = 11 + 12 x a + b + c + d + e + g = 11 a + 2 b + 4 c + 8 d + 16 e + 13 g = 14 (1, 11)(2, 14) f (0) (x) = a + b x + c x 2 + d x 3 + e x 4 + g x 5 (11, 10) (10, 17) 5 e + 3 g = 17 5 e + 9 g = 10 f (4) (x) = 5 e + 6 g x (3, 15) 2 c + 18 d + 13 e + 8 g = 15 f (2) (x) = 2 c + 6 d x + 12 e x 2 + g x 3 (6, 8) 6 d + 11 e + 13 g = 8 f (3) (x) = 6 d + 5 e x + 3 g x 2 a = 13 b = 3 c = 1 d = 5 e = 6 g = 2

43. Mehrdad Nojoumian Security of the MCS 1.Hiding: each receiver is computationally unbounded and cannot learn secrets before the reveal phase except with a negligible probability 2.Binding: each sender is computationally unbounded and cannot cheat by revealing a fake secret except with a negligible probability 3.Validating: with the honest majority assumption, players can validate all secrets correctly during the reveal phase in the presence of colluders. 43 dishonest minority honest majority guessing one point of honest players

44. Mehrdad Nojoumian Dutch-Style Auction  Decreasing Mechanism: starts from the highest price and continues by a decreasing mechanism. This is secure without using any crypto techniques but we are looking for other properties. Example:  1 = 2  2 = 1  3 = 1 (2 bits for each bid: 4 options) 1.Let j = 2 2 – 1 = 3 possible prices (excluding zero). 2.Each bidder B i broadcasts 1 or 0 depending on whether he wants to pay price j or not. 3.If all agent broadcast 0, set j = j – 1 and go to step-2 otherwise j is the selling price and the bidder who submitted 1 wins. Losing bids are not revealed by losers. 44 2 3 1 21

45. Mehrdad Nojoumian Cost Analysis  Computation & Communication: interpolating a polynomial of degree at most n-1 at n points takes O(C(n) log n), that is, O(n log 2 n) using FFT: 1.MCS: n polynomials (n-1) are evaluated at n points. 2.VNR: n  polynomials (n-1) are evaluated at n points. 3.EVNR: n =n*log 2  polynomials (n-1) are evaluated at n points. we have full secrecy, i.e., (n-1) players cannot learn the committed value, and the honest majority assumption is for the correctness. 45