Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes.

Published byEsmond Hill Modified over 8 years ago

Similar presentations

Presentation on theme: "Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes."— Presentation transcript:

1 Secret Sharing Nisarg Raval Sep 24, 2014 http://www.cs.cornell.edu/courses/cs513/2000sp/SecretSharing.html Material is adapted from CS513 lecture notes (Cornell) CPS 290 - Computer Security

2 Why share a secret? http://s3.amazonaws.com/rapgenius/1604757_1306648362304.08res_250_319.jpg

3 Goal Given a secret s and n parties a.All n parties together recover s b.Less than n parties can not recover s

4 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg Naive Scheme S=10011 S 1 = 100S 2 = 11 Concat shares to reveal secret - S = (S 1 )(S 2 ) = (100)(11) = 10011 High OrderLow Order What is the problem? - Think of a salary or password

5 Partial Disclosure Given a secret s and n parties a.All n parties together recover s b.Less than n can not recover any information about s

6 Generate Shares using XOR S=10011 1010000111 S 1 = RandS 2 = S XOR S 1 S = S 1 XOR S 2 10011 https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

7 General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares

8 General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares Security Check a.Can n parties generate s?

9 General Scheme Given a secret s and n parties a.Generate n-1 random strings as first n-1 shares b.Last share is the bitwise XORing of s with all the other n-1 shares Security Check a.Can n parties generate s? b.Can any n-1 parties generate s?

10 Example S=10011 S1S1 S2S2 S3S3 S2S2 S https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

11 Problem? S=10011 S1S1 S2S2 S3S3 S2S2 ? S can be constructed by 2 or more generals Less than 2 generals can not construct s https://c2.staticflickr.com/8/7158/6761951167_54f2d69fb6_z.jpg

12 (n,t) Secret Sharing Given a secret s and n parties a.Any t or more parties can recover s b.Less than t parties have no information about s S=10011 S1S1 S2S2 S3S3 S2S2 S (3,2) secret sharing

13 (n,2) Secret Sharing (0,S) x y

14 (n,2) Secret Sharing (0,S) (x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 )(x n,y n ) x y

15 (n,2) Secret Sharing (0,S) (x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 )(x n,y n ) x y Shares

16 (n,2) Secret Sharing (0,S) (x 1,y 1 ) (x n-1,y n-1 ) x y

17 (n,2) Secret Sharing (0,S) (x 1,y 1 ) x y Exist a line for every S

18 (n,3) Secret Sharing (0,S)(x 1,y 1 ) (x 2,y 2 ) (x n-1,y n-1 ) (x n,y n )

19 Shamir’s Secret Sharing It takes t points to define a polynomial of degree t-1 Create a (t-1) - degree polynomial with secret as the first coefficient and the remaining coefficient picked at random Find n points on the curve and give one to each of the parties. At least t points are required to fit the polynomial and hence to recover secret Shamir, Adi (1979), "How to share a secret", Communications of the ACM y = a t-1 * x t-1 + a t-2 * x t-2 + … + a 1 * x + a 0

20 Use Case S1S1 S3S3 S2S2 (3,2) Secret Sharing Scheme (3,2) Secret Sharing Scheme Private Key

21 Problem? Time S1S1 S3S3 S2S2 S 1 compromised S 2 compromised S 1 + S 2 = Secret

22 Refresh Shares S1S1 S3S3 S2S2 Time Trusted Third Party S’ 1 S’ 3 S’ 2 S’’ 1 S’’ 3 S’’ 2

23 Refresh Shares S1S1 S3S3 S2S2 Time Trusted Third Party S’ 1 S’ 3 S’ 2 S’’ 1 S’’ 3 S’’ 2 S 1 compromised S’ 2 compromised can not construct secret

24 Proactive Secret Sharing S1S1 S S2S2 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

25 Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

26 Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

27 Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares S’ 1 S’ 2 Server 1Server 2 Goal: without changing the secret, periodically update shares in a way that old shares are invalidated.

28 Proactive Secret Sharing S1S1 S S2S2 S 11 S 12 S 21 S 22 S 21 S 12 Exchange Partial Shares S’ 1 S’ 2 S Server 1Server 2 (S 11 + S 21 ) + (S 12 + S 22 ) Recover S

29 BitCoin Multi-Signature Addresses Related to, but different than secret sharing. Secret sharing: break a single secret into multiple shares. Multi-signature address: requires multiple signatures with different private keys (secrets) to authorize a transaction. Examples: 2 out of 2, 2 out of 3, 3 out of 5.

30 Opening the Vault

31 Summary Useful technique to distribute secret Confidentiality Reliability Each share must be as long as the secret itself Require random bits of length proportional to the number of parties as well as length of the secret

Download ppt "Secret Sharing Nisarg Raval Sep 24, 2014 Material is adapted from CS513 lecture notes."

Similar presentations

MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software.

MPC for Comparing Two Shared Secrets without Bit-Decomposition Takashi Nishide * Kazuo Ohta The University of Electro-Communications * Hitachi Software.
Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE.

Authors: Yanchao Zhang, Member, IEEE, Wei Liu, Wenjing Lou,Member, IEEE, and Yuguang Fang, Senior Member, IEEE Source: IEEE TRANSACTIONS ON DEPENDABLE.
1 Visual Cryptography: Secret Sharing without a Computer Ricardo Martin GWU Cryptography Group September 2005.

1 Visual Cryptography: Secret Sharing without a Computer Ricardo Martin GWU Cryptography Group September 2005.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Cryptography and Network Security

Cryptography and Network Security
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York 14853.

Trustworthy Services from Untrustworthy Components: Overview Fred B. Schneider Department of Computer Science Cornell University Ithaca, New York
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.

1 Asynchronous Broadcast Protocols in Distributed System Oct. 10, 2002 JaeHyrk Park ICU.
Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.

Public-key based. Public-key Techniques based Protocols –may use either weak or strong passwords –high computation complexity (Slow) –high deployment.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.

Apr 30, 2002Mårten Trolin1 Previous lecture – passwords Passwords for authentication –Storing hashed passwords –Use of salt Passwords for key generation.
Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.

Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.
Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.

Mar 25, 2003Mårten Trolin1 Previous lecture – smart-cards Card-terminal authentication Card-issuer authentication.
Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 4, 2003Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Similar presentations

Ads by Google