Secret Swarm Unit Reactive k-Secret Sharing INDOCRYPT 2007 Shlomi Dolev 1, Limor Lahiani 1, Moti Yung 2 Department of Computer Science 1 Ben-Gurion University,

1 Secret Swarm Unit: Reactive k-Secret Sharing. INDOCRYPT 2007. Shlomi Dolev (1), Limor Lahiani (1), Moti Yung (2). Department of Computer Science; (1) Ben-Gurion University, Israel; (2) Columbia University, NYC

2 Talk Outline: Introduction & motivation; The problem; Swarm settings; Reactive k-secret sharing solutions; Polynomial based solution; Chinese remaindering based solution; Virtual I/O automaton; Conclusions

3 Intro: What is a Swarm? A collection of processors collaborating on a mission: UAVs, mobile sensors, processors / RFIDs

4 Intro: Swarm Motivation: robustness, fault tolerance, security

6 Swarm’s Global Secret: distributed secret shares

7 Swarm’s Global Secret: distributed secret shares, p

8 The Problem: Can members modify the global secret without knowing the secret before and after the change and with no internal communication? THINK AGAIN!

10 Swarm Settings (1): n swarm members. Distributed secret shares: any fewer than k cannot reveal the secret; at least k are needed to reveal it (p). Compromising adversary: listening (no sending); compromises at most f < k. Corruptive adversary: listening (no sending); corrupts at most f < k

11 Swarm Settings (2): No internal communication. Avoided/safe area. Simultaneous external input: controller; event observed/sensed

12 Swarm Settings (3): Swarm input actions: set(), step(), regainConsistencyRequest(), joinRequest(), joinReply(), regainConsistencyReply()

15 Our Polynomial Based Solution: Shamir’s (k,n)-threshold scheme. Secret: global counter GC. $p(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_k x^k$, where $a_1, \dots, a_k$ are random and the secret is $a_0 = GC$. Secret distribution: n distinct points $(x_i, p(x_i))$, $x_i \neq 0$; $GC = p(0)$. Any k points reveal the secret; fewer than k do not reveal it

16 Our Polynomial Based Counter. Increment counter: $GC \leftarrow GC + \delta$; $p(x) = GC + a_1 x + a_2 x^2 + \dots + a_k x^k$; $q(x) = p(x) + \delta$; $q(x)$ is defined by $\langle x_i, p(x_i) + \delta \rangle$. Multiply: $GC \leftarrow GC \cdot \mu$; $p(x) = GC + a_1 x + a_2 x^2 + \dots + a_k x^k$; $q(x) = p(x) \cdot \mu$; $q(x)$ is defined by $\langle x_i, p(x_i) \cdot \mu \rangle$

17 Our Polynomial Based Solution, swarm input: set. set($\langle x_i, p(x_i) \rangle$)

18 Our Polynomial Based Solution, swarm input: step. step($\delta$): $\langle x_i, p(x_i) \rangle \to \langle x_i, p(x_i) + \delta \rangle$. And the same for multiplication by $\mu$
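The step() and multiply updates of slides 16 to 18, as an added example that is not part of the talk: every member updates its own point locally and any k members still reveal the updated counter. Assumptions: the prime field P, the sample parameters and all function names are constructed here, and the polynomial has degree k-1 (the standard Shamir convention) so that exactly k points reconstruct it.

```python
import secrets
from itertools import combinations

P = 2**61 - 1  # prime field modulus (assumption; the slides do not fix a field)

def deal(gc, k, n):
    """Controller side: n points <x_i, p(x_i)> with p(0) = GC and x_i != 0."""
    coeffs = [gc % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def step_add(share, delta):
    """Member side: GC <- GC + delta, computed without seeing GC."""
    x, y = share
    return (x, (y + delta) % P)

def step_mul(share, mu):
    """Member side: GC <- GC * mu, computed without seeing GC."""
    x, y = share
    return (x, (y * mu) % P)

def reveal(shares):
    """Lagrange interpolation at x = 0 over the given points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def demo(k=3, n=6, gc=41, delta=7, mu=5):
    """All members react to the same inputs; every k-subset must agree."""
    shares = [step_mul(step_add(s, delta), mu) for s in deal(gc, k, n)]
    return {reveal(list(sub)) for sub in combinations(shares, k)}

def stale_member_breaks_reveal(k=3, n=6, gc=41, delta=7):
    """A member that missed the input makes its subset decode a wrong value."""
    shares = deal(gc, k, n)
    stepped = [shares[0]] + [step_add(s, delta) for s in shares[1:]]
    return reveal(stepped[:k]) != (gc + delta) % P
```

The second function shows why the scheme needs the regain-consistency inputs: one member that missed a step is enough to make a k-subset decode the wrong counter.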

19 Our Polynomial Based Solution, input: regain consistency request. regainConsistencyReq(); leader; $\langle x_i, p(x_i) \rangle$

20 Our Polynomial Based Solution, input: regain consistency request. leader

21 Our Polynomial Based Solution, input: regain consistency reply. leader; $\langle x_i, p(x_i) \rangle$

22 Our Polynomial Based Solution, input: join request & reply. joinReq(); joinReply()

23 Our Polynomial Based Solution (Corruptive Adversary). Berlekamp-Welch: polynomial $p(x)$ of degree k, $k + r$ points, e errors; decode $p(x)$ if $e \le r/2$. Polynomial based solution: decode $p(x)$ if $f \le (n - k - \mathit{lp})/2$, where lp = number of leaving processes between two regainConsistency operations.

24 Our Polynomial Based Solution: Tuple Share. I think it is unnecessary in the polynomial. Polynomial $p(x)$ of degree $l \ge k$. Secret share: a tuple of s distinct points $\langle x_{i_1}, p(x_{i_1}) \rangle, \langle x_{i_2}, p(x_{i_2}) \rangle, \dots, \langle x_{i_s}, p(x_{i_s}) \rangle$, with $s = \lceil l/k \rceil$. Probability that m shares reveal, $Pr_m$: $m < k \Rightarrow$ missing point $\Rightarrow Pr_m = 0$; $m \ge k \Rightarrow Pr_m = [1 - (1 - p)^m]^l$

26 From Polynomial Solution to Chinese Remainder Solution. Secret D. Polynomial based solution: $\langle x, p(x) \rangle$ is of order of D; minimum $k \cdot \log D$ space. Chinese remainder solution: $0 \le D < p_1 \cdot p_2 \cdots p_k$; minimum $\log D$ space, actually $l \ge k$

27 Our Chinese Remainder Based Solution. Swarm secret: global counter GC. $p_1 < p_2 < \dots < p_k$ relatively prime; $M_k = p_1 \cdot p_2 \cdots p_k$; $0 \le GC < M_k$. $GC \leftrightarrow \langle r_1, p_1 \rangle, \langle r_2, p_2 \rangle, \dots, \langle r_k, p_k \rangle$ [CRT], where $r_i = GC \bmod p_i$; $GC \leftrightarrow \langle r_1, r_2, \dots, r_k \rangle$. Secret share: $\langle r_i, p_i \rangle$, $r_i = GC \bmod p_i$

28-39 Example (one mapping added per slide): $\langle p_1 = 2, p_2 = 3, p_3 = 5 \rangle$, $\langle r_1 = 0, r_2 = 0, r_3 = 0 \rangle$, $0 \le GC < 30$. $GC \leftrightarrow \langle r_1, r_2, r_3 \rangle$: $0 \leftrightarrow \langle 0,0,0 \rangle$; $1 \leftrightarrow \langle 1,1,1 \rangle$; $2 \leftrightarrow \langle 0,2,2 \rangle$; $3 \leftrightarrow \langle 1,0,3 \rangle$; $4 \leftrightarrow \langle 0,1,4 \rangle$; $5 \leftrightarrow \langle 1,2,0 \rangle$; $6 \leftrightarrow \langle 0,0,1 \rangle$; $7 \leftrightarrow \langle 1,1,2 \rangle$; $8 \leftrightarrow \langle 0,2,3 \rangle$; $9 \leftrightarrow \langle 1,0,4 \rangle$; $10 \leftrightarrow \langle 0,1,0 \rangle$; $29 \leftrightarrow \langle 1,2,4 \rangle$

40 Swarm Input: $p_i \leftrightarrow x_i$, $r_i \leftrightarrow p(x_i)$. set(), step(), regainConsistencyRequest(), joinRequest(), joinReply(), regainConsistencyReply()

41 Our Chinese Remainder Based Solution, swarm input: step. step($\delta$): $\langle r_i, p_i \rangle \to \langle r_i + \delta \bmod p_i, p_i \rangle$

42 Our Chinese Remainder Based Solution (Corruptive Adversary). Mandelbaum: $p_1 < p_2 < \dots < p_k < \dots < p_{k+r}$ relatively prime; $M_k = p_1 \cdot p_2 \cdots p_k$; $0 \le GC < M_k$; e errors; detect: $e \le r$; correct: $e \le r/2$. Chinese remainder based solution: detect: $f \le n - k - \mathit{lp}$; correct: $f \le (n - k - \mathit{lp})/2$
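The residue shares of slide 27, the step(δ) update of slide 41 and the error-detection bound of slide 42, as an added example that is not part of the talk. Assumptions: the five moduli, the sample counter and all function names are constructed here, and detection is shown as a plain range check over all shares rather than Mandelbaum's full correction procedure.

```python
from itertools import combinations
from math import prod

K = 3
PRIMES = [11, 13, 17, 19, 23]   # constructed moduli: k = 3 plus r = 2 redundant ones
M_K = prod(PRIMES[:K])          # 2431; legitimate counter range is 0 <= GC < M_K

def deal(gc):
    """One share <r_i, p_i> per member, r_i = GC mod p_i."""
    if not 0 <= gc < M_K:
        raise ValueError("counter outside [0, M_K)")
    return [(gc % p, p) for p in PRIMES]

def step(share, delta):
    """Local reaction to the external input delta; no member talks to another.
    The controller must keep GC + delta below M_K, or subsets stop agreeing."""
    r, p = share
    return ((r + delta) % p, p)

def crt(shares):
    """Smallest non-negative x with x = r (mod p) for every <r, p> given."""
    x, m = 0, 1
    for r, p in shares:
        t = (r - x) * pow(m, -1, p) % p   # solve x + m*t = r (mod p)
        x, m = x + m * t, m * p
    return x

def reveal_from_any_k(shares):
    """Set of values decoded by every k-subset; a single value means agreement."""
    return {crt(sub) for sub in combinations(shares, K)}

def corruption_detected(shares):
    """Range check over all shares: up to r wrong residues push the decoded
    value out of [0, M_K), because the redundant moduli are the largest."""
    return crt(shares) >= M_K

def demo(gc=2000, delta=17):
    shares = [step(s, delta) for s in deal(gc)]
    tampered = list(shares)
    r, p = tampered[1]
    tampered[1] = ((r + 1) % p, p)        # one corrupted member
    return (reveal_from_any_k(shares),
            corruption_detected(shares),
            corruption_detected(tampered))
```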

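43 Our Chinese Remainder Based Solution: Tuple Share. Secret: $0 \le GC < M_l$; $p_1 < p_2 < \dots < p_l$, $l \ge k$; $M_l = p_1 \cdot p_2 \cdots p_l$. Secret share: a tuple of s pairs $\langle r_{i_1}, p_{i_1} \rangle, \langle r_{i_2}, p_{i_2} \rangle, \dots, \langle r_{i_s}, p_{i_s} \rangle$, where $\langle r_{i_j}, p_{i_j} \rangle$ has $r_{i_j} = GC \bmod p_{i_j}$ and $s = \lceil l/k \rceil$. Probability to reveal, $Pr_m$: $m < k \Rightarrow$ missing pair $\Rightarrow Pr_m = 0$. NOT, $m \ge k \Rightarrow Pr_m = [1 - (1 - p)^m]^l$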

45 Virtual I/O Automaton: I/O automaton A, implemented by the swarm. Global state (global secret): current state of A, replicated at least $T \le n$ times. Regain consistency ensures: at least T+lp+f replicas of the global state; at most T-f-1 replicas of any other state. Global output: output with at least $T \le n$ replicas; threshold device

46 Virtual I/O Automaton. Secret share: tuple $\langle s_{i_1}, s_{i_2}, \dots, s_{i_m} \rangle$ of candidates; at most 1 state is the global state. Step($\delta$): transition step on $s_{i_1}, s_{i_2}, \dots, s_{i_m}$ and $\delta$; new tuple of candidates: $\langle s'_{i_1}, s'_{i_2}, \dots, s'_{i_m} \rangle$. Output actions $\langle o_{i_1}, o_{i_2}, \dots, o_{i_m} \rangle$; at least T replicas of the global output

48 Polynomial based solution: addition & multiplication; error correcting [Berlekamp-Welch]. Chinese remaindering based solution: addition; error correcting [Mandelbaum]. Virtual I/O automaton: mask the global state. Further results: Vandermonde matrix; support XOR operations

49 Thank You!

