Secret Swarm Unit: Reactive k-Secret Sharing
INDOCRYPT 2007
Shlomi Dolev (1), Limor Lahiani (1), Moti Yung (2)
(1) Department of Computer Science, Ben-Gurion University, Israel
(2) Columbia University, NYC
Talk Outline
- Introduction & motivation
- The problem
- Swarm settings
- Reactive k-secret sharing solutions
  - Polynomial based solution
  - Chinese remaindering based solution
  - Virtual I/O automaton
- Conclusions
Intro: What is a Swarm
A collection of processors collaborating on a mission:
- UAVs
- Mobile sensors
- Processors / RFIDs
Intro: Swarm Motivation
- Robustness
- Fault tolerance
- Security
Swarm’s Global Secret
Distributed secret shares
[Figure: the global secret p, held as distributed shares across the swarm members]
The Problem
Can members modify the global secret without knowing the secret before and after the change, and with no internal communication?
THINK AGAIN!
Swarm Settings (1)
- n swarm members
- Distributed secret shares: any fewer than k cannot reveal the secret; at least k reveal it (p)
- Compromising adversary: listening (no sending); compromises at most f < k members
- Corruptive adversary: listening (no sending); corrupts at most f < k members
Swarm Settings (2)
- No internal communication
- Avoided/safe area
- Simultaneous external input
  - Controller
  - Event observed/sensed
[Figure: controller and observed event reaching the swarm members]
Swarm Settings (3)
Swarm input actions:
- set()
- step()
- regainConsistencyRequest()
- joinRequest()
- joinReply()
- regainConsistencyReply()
Our Polynomial Based Solution
Shamir's (k,n)-threshold scheme
Secret: global counter GC
  p(x) = a_0 + a_1 x + a_2 x^2 + ... + a_k x^k,  a_1..a_k random
  Secret: a_0 = GC
Secret distribution: n distinct points (x_i, p(x_i)), x_i != 0
  GC = p(0)
  Any k points reveal the secret; fewer than k do not
Our Polynomial Based Counter
Increment counter: GC -> GC + δ
  p(x) = GC + a_1 x + a_2 x^2 + ... + a_k x^k
  q(x) = p(x) + δ
  q(x) is defined by the points (x_i, p(x_i) + δ)
Multiply: GC -> GC · μ
  p(x) = GC + a_1 x + a_2 x^2 + ... + a_k x^k
  q(x) = p(x) · μ
  q(x) is defined by the points (x_i, p(x_i) · μ)
Our Polynomial Based Solution
Swarm input: set
  set(<x_i, p(x_i)>)
Our Polynomial Based Solution
Swarm input: step
  step(δ): <x_i, p(x_i)> -> <x_i, p(x_i) + δ>
  and the same for multiplication by μ
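As an added illustration (my code, not code from the paper or the talk), here is the polynomial based counter in Python: set() distributes Shamir shares of GC, step() is applied by each member to its own point with no communication, and regainConsistency interpolates at x = 0. It follows the standard Shamir convention in which a threshold of k points corresponds to a polynomial of degree k-1 (the slide writes the polynomial with k random coefficients); the prime P, the counter values and the member count are constructed for the example.

```python
import secrets

# Prime field for the shares (constructed for this example; any prime larger
# than the counter range and the number of members works).
P = 2**61 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def distribute(gc, k, n):
    """set(): split the global counter GC into n shares <x_i, p(x_i)>, x_i != 0.

    Standard Shamir convention: p has degree k-1 with p(0) = GC, so any k
    shares determine p (and GC) while fewer than k are consistent with every
    possible counter value."""
    assert 0 <= gc < P and 1 <= k <= n < P
    coeffs = [gc] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def step_add(share, delta):
    """step(δ) at one member: q(x) = p(x) + δ, so q(0) = GC + δ.
    Each member updates its own point; nothing is exchanged."""
    x, y = share
    return (x, (y + delta) % P)


def step_mul(share, mu):
    """Multiplicative step at one member: q(x) = μ·p(x), so q(0) = μ·GC."""
    x, y = share
    return (x, (y * mu) % P)


def reconstruct(shares):
    """regainConsistency: Lagrange interpolation at x = 0 over k or more shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo():
    """Five members, threshold three: two external events, then any three
    members regain the counter without any of them having known it."""
    shares = distribute(1000, k=3, n=5)
    shares = [step_add(s, 7) for s in shares]   # event 1: GC -> GC + 7
    shares = [step_mul(s, 2) for s in shares]   # event 2: GC -> 2·GC
    return reconstruct(shares[1:4])             # (1000 + 7) · 2 = 2014
```

All arithmetic is modulo P, so the counter wraps at P; any k-1 points, here two of the five, fit a degree-(k-1) polynomial through every possible value at x = 0, which is what keeps the compromising adversary with f < k shares from learning GC before or after a step.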
Our Polynomial Based Solution
Swarm input: regain consistency request
  regainConsistencyReq()
  [Figure: leader; shares <x_i, p(x_i)>]
Swarm input: regain consistency reply
  regainConsistencyReply()
  [Figure: leader; shares <x_i, p(x_i)>]
Our Polynomial Based Solution
Swarm input: join request & reply
  joinReq()
  joinReply()
Our Polynomial Based Solution (Corruptive Adversary)
Berlekamp-Welch:
  polynomial p(x) of degree k, k+r points, e errors
  decode p(x) if e <= r/2
Polynomial based solution:
  decode p(x) if f <= (n - k - lp)/2
  where lp = number of leaving processes between two regainConsistency operations
Our Polynomial Based Solution: Tuple Share
[Note on slide: I think it is unnecessary in the polynomial]
Polynomial p(x) of degree l >= k
Secret share: a tuple of s distinct points <x_i1, p(x_i1)>, <x_i2, p(x_i2)>, ..., <x_is, p(x_is)>,  s = l/k
Probability that m shares reveal the secret: Pr_m
  m < k: a point is missing, Pr_m = 0
  m >= k: Pr_m = [1 - (1 - p)^m]^l
From Polynomial Solution to Chinese Remainder Solution
Secret D
Polynomial based solution: <x, p(x)> is of the order of D; minimum k · log D space
Chinese remainder solution: 0 <= D < p_1 p_2 ... p_k; minimum log D space (actually l >= k)
Our Chinese Remainder Based Solution
Swarm secret: global counter GC
  p_1 < p_2 < ... < p_k pairwise relatively prime
  M_k = p_1 p_2 ... p_k,  0 <= GC < M_k
  GC <-> <r_1, p_1>, <r_2, p_2>, ..., <r_k, p_k>   [CRT]
  r_i = GC mod p_i
  GC <-> <r_1, r_2, ..., r_k>
Secret share: <r_i, p_i>, r_i = GC mod p_i
Example
p_1 = 2, p_2 = 3, p_3 = 5; initially r_1 = 0, r_2 = 0, r_3 = 0; 0 <= GC < 30

  GC   (r_1, r_2, r_3)
   0   (0, 0, 0)
   1   (1, 1, 1)
   2   (0, 2, 2)
   3   (1, 0, 3)
   4   (0, 1, 4)
   5   (1, 2, 0)
   6   (0, 0, 1)
   7   (1, 1, 2)
   8   (0, 2, 3)
   9   (1, 0, 4)
  10   (0, 1, 0)
  ...
  29   (1, 2, 4)
Swarm Input
As in the polynomial solution, with p_i in place of x_i and r_i in place of p(x_i):
- set()
- step()
- regainConsistencyRequest()
- joinRequest()
- joinReply()
- regainConsistencyReply()
Our Chinese Remainder Based Solution
Swarm input: step
  step(δ): <r_i, p_i> -> <(r_i + δ) mod p_i, p_i>
Our Chinese Remainder Based Solution (Corruptive Adversary)
Mandelbaum:
  p_1 < p_2 < ... < p_k < ... < p_{k+r} pairwise relatively prime
  M_k = p_1 p_2 ... p_k,  0 <= GC < M_k
  e errors: detect if e <= r; correct if e <= r/2
Chinese remainder based solution:
  detect if f <= n - k - lp; correct if f <= (n - k - lp)/2
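As an added example (my code, not the authors'), the Chinese remainder counter with the slide's moduli 2, 3, 5 plus two constructed redundant moduli 7 and 11 (k = 3, r = 2): set(), step(δ) at a single member, reconstruction by CRT, the residue table from the example slides, and the two corruptive-adversary checks. Detection is Mandelbaum's range test over all k+r residues; correction is an exhaustive search over [0, M_k), a stand-in for Mandelbaum's decoding algorithm that is only practical for moduli this small.

```python
from math import prod

# Constructed example moduli: the slide's p_1 = 2, p_2 = 3, p_3 = 5 as the
# information moduli, plus redundant moduli 7 and 11 for error detection/correction.
INFO_MODULI = (2, 3, 5)
ALL_MODULI = (2, 3, 5, 7, 11)


def crt(residues, moduli):
    """Chinese Remainder Theorem: the unique 0 <= x < prod(moduli) with
    x ≡ r_i (mod p_i), for pairwise coprime moduli."""
    M = prod(moduli)
    x = 0
    for r, p in zip(residues, moduli):
        Mi = M // p
        x = (x + r * Mi * pow(Mi, -1, p)) % M
    return x


def distribute(gc, moduli):
    """set(): member i receives the share <r_i, p_i> with r_i = GC mod p_i."""
    assert 0 <= gc < prod(moduli)
    return [(gc % p, p) for p in moduli]


def step(share, delta):
    """step(δ) at one member: <r_i, p_i> -> <(r_i + δ) mod p_i, p_i>, no communication."""
    r, p = share
    return ((r + delta) % p, p)


def reconstruct(shares):
    """regainConsistency: recover GC from the collected <r_i, p_i> pairs."""
    residues, moduli = zip(*shares)
    return crt(residues, moduli)


def counter_table(moduli, values):
    """Residue tuple of each counter value, i.e. the slide's table for (2, 3, 5)."""
    return {gc: tuple(gc % p for p in moduli) for gc in values}


def detect(shares, k):
    """Mandelbaum detection. Moduli are in ascending order and the first k are
    the information moduli (0 <= GC < M_k). With e <= r corrupted residues the
    value reconstructed over all k+r shares falls outside [0, M_k), so a value
    inside that range means the shares are mutually consistent."""
    M_k = prod(p for _, p in shares[:k])
    return reconstruct(shares) < M_k


def correct(shares, k):
    """Correction for e <= r/2 errors. Exhaustive stand-in for Mandelbaum's
    algorithm: the candidate in [0, M_k) disagreeing with the fewest shares is
    unique whenever e <= r/2 (two distinct candidates agree on at most k-1
    moduli). Returns (GC, number_of_bad_shares), or None if not unique."""
    M_k = prod(p for _, p in shares[:k])
    best = []
    for c in range(M_k):
        bad = sum(1 for r, p in shares if c % p != r)
        if not best or bad < best[0][1]:
            best = [(c, bad)]
        elif bad == best[0][1]:
            best.append((c, bad))
    return best[0] if len(best) == 1 else None
```

With the information moduli alone the counter wraps at M_k = 30, exactly as in the example table; with the two redundant moduli one corrupted share is both detected (the CRT value over all five residues leaves [0, 30)) and corrected, and two corrupted shares are still detected.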
Our Chinese Remainder Based Solution: Tuple Share
Secret: 0 <= GC < M_l,  p_1 < p_2 < ... < p_l, l >= k,  M_l = p_1 p_2 ... p_l
Secret share: a tuple of s pairs <r_i1, p_i1>, <r_i2, p_i2>, ..., <r_is, p_is>
  <r_ij, p_ij>, r_ij = GC mod p_ij,  s = l/k
Probability to reveal the secret: Pr_m
  m < k: a pair is missing, Pr_m = 0 (NOT)
  m >= k: Pr_m = [1 - (1 - p)^m]^l
Virtual I/O Automaton
I/O automaton A, implemented by the swarm
Global state (global secret): the current state of A, replicated at least T <= n times
Regain consistency ensures:
  at least T + lp + f replicas of the global state
  at most T - f - 1 replicas of any other state
Global output: an output with at least T <= n replicas (threshold device)
Virtual I/O Automaton
Secret share: a tuple <s_i1, s_i2, ..., s_im> of candidate states; at most one of them is the global state
step(·): the transition step of A on the input, applied to each of s_i1, s_i2, ..., s_im
  new tuple of candidates <s'_i1, s'_i2, ..., s'_im>
  output actions o_i1, o_i2, ..., o_im
At least T replicas of the global output
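As an added example (mine, not the paper's), the virtual I/O automaton run over a constructed 16-state counter automaton: each member holds a tuple of candidate states, step() advances every candidate locally, and a threshold device emits only the output actions announced by at least T members. Counting one replica per member that holds a state among its candidates, and the layout produced by make_swarm, are my assumptions; the automaton A and the values of n, m, T and f are constructed.

```python
from collections import Counter

# Constructed I/O automaton A (not from the paper): a 16-state counter with
# input actions "inc" and "reset"; every transition announces the new state.
NUM_STATES = 16


def transition(state, action):
    if action == "inc":
        return (state + 1) % NUM_STATES
    if action == "reset":
        return 0
    raise ValueError(f"unknown input action {action!r}")


def output_action(state, action):
    return f"announce:{transition(state, action)}"


def make_swarm(global_state, n, m, T, f, decoy_pool):
    """Constructed consistent layout: the first T+f members hold the global
    state in one slot (the slot index varies per member), every other slot
    gets a fresh decoy state, so no decoy is held by more than one member."""
    decoys = iter(decoy_pool)
    swarm = []
    for i in range(n):
        member = tuple(
            global_state if (i < T + f and j == i % m) else next(decoys)
            for j in range(m)
        )
        swarm.append(member)
    return swarm


def replicas(swarm):
    """Number of members holding each state among their candidates."""
    return Counter(s for member in swarm for s in set(member))


def consistent(swarm, global_state, T, f, lp=0):
    """The condition regainConsistency is required to establish: at least
    T+lp+f replicas of the global state, at most T-f-1 of any other state."""
    c = replicas(swarm)
    return (c[global_state] >= T + lp + f
            and all(v <= T - f - 1 for s, v in c.items() if s != global_state))


def swarm_step(swarm, action):
    """step(action): every member advances all of its candidates locally;
    the global state stays hidden among the decoys."""
    return [tuple(transition(s, action) for s in member) for member in swarm]


def global_output(swarm, action, T):
    """Threshold device: emit the output actions announced by at least T members."""
    votes = Counter(o for member in swarm
                    for o in {output_action(s, action) for s in member})
    return sorted(o for o, v in votes.items() if v >= T)
```

With n = 5, m = 3, T = 3 and f = 1, the global state has four replicas and every decoy one, so a single corrupted member can neither push a decoy output to the threshold nor pull the global output below it; it does consume the consistency margin, which is what the next regainConsistency round restores.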
Conclusions
Polynomial based solution: addition & multiplication; error correcting [Berlekamp-Welch]
Chinese remaindering based solution: addition; error correcting [Mandelbaum]
Virtual I/O automaton: masks the global state
Further results: Vandermonde matrix; support for XOR operations
Thank You!