Publicly Verifiable Secret Sharing for Cloud-based Key Management

Transcription

1 Publicly Verifiable Secret Sharing for Cloud-based Key Management Roy D Souza, David Jao, Ilya Mironov and Omkant Pandey Microsoft Corporation and University of Waterloo December 13, 2011

2 Overview Motivation: Allow users to store encrypted files in untrusted cloud servers. Experience shows that some proportion of users will forget their keys, necessitating key recovery services. One way to perform key recovery is via trusted third parties. Results: We define the notion of a public-key encryption scheme supporting publicly-verifiable secret sharing. We construct a PKE-supporting-PVSS scheme secure under DBDH. Our scheme is also the first (plain) PVSS scheme provably secure in the standard model.

3 Access structures Let {P 1,..., P n } be a set of parties. A collection A 2 {P 1,...,P n} is monotone if B, C: if B A and B C then C A. An access structure (resp., monotone access structure) is a collection (resp., monotone collection) A of non-empty subsets of {P 1,..., P n }. The sets in A are called authorized sets, and the sets not in A are called unauthorized sets. In this work we consider access structures (necessarily monotone) that are representable by a tree of threshold gates.

4 Public-key encryption scheme supporting Publicly-Verifiable Secret Sharing A PKE supporting PVSS for an access structure A consists of algorithms {K, E, D, Setup, GenShare, Verify, Reconst} where PKE = {K, E, D} is a public-key encryption scheme and: Setup(1 κ, n) : i [1, n] {(PP 1, SK 1 ),..., (PP n, SK n )} GenShare(PK, SK, A) : (PK, SK, A) π Verify(PK, π, A) : outputs either 1 or 0 where Prob[Verify(PK, π, A) = 1 : (PK, SK) K(1 κ ) π GenShare(PK, SK, A)] = 1. Reconst(PK, π, A, SK S ) : reconstructs the secret key SK from π, where S A is an authorized set.

5 Related work Stadler, Eurocrypt 1996: First PVSS scheme. Can easily be adapted to support public-key encryption. Schoenmakers, Crypto 1999: Fastest extant PVSS scheme. Does not support public-key encryption.

6 The scheme: Key generation, encryption, and decryption Let e : G 1 G 1 G 2 be a pairing. Key Generation K: h $ G 1. SK = h, and PK = e(g, h). Encryption E PK (m G 2 ): R g R, m PK R. $ Z p, output: Decryption D( C 1, C 2, SK): Output C 2 /e(c 1, SK).

7 The scheme: Setup and share generation Setup(1 κ $, n) : For every i [1, n]: sample y i Zp ; output SK i = y i and PP i = g y i. GenShare(PK, SK, T ) : Choose a polynomial q x for every node x (including the leaves) in the T. For the root node r, set q r (0) = s. Choose d r more points randomly to completely fix the polynomial q r. For every other node x, set qx (0) = q parent(x) (id(x)); i.e., the constant term of q x is set to q parent(x) (id(x)). Choose the remaining d x points randomly to completely define the polynomial q x. Encapsulate shares: For every leaf node x, the share of node x is defined by: λ x = g qx (id(x)) (compute using polynomial interpolation). For every node x and every 0 i dx, define the following values: A x,i = g qx (i) and Âx,i = e(g, A x,i ) = e(g, g) qx (i).

8 The scheme: Share generation The output string π consists of the following: 1. For every node x (including the leaf nodes), the committed polynomial : {Âx,i} dx i=1 ; 2. For every leaf node, the encapsulations: B x, C x.

9 The scheme: Verification Verify(PK, π, T ) : 1. For every node x in T, parse π to obtain the committed points {Âx,i} dx i=1 of polynomial q x. For every leaf node x in T, parse π to obtain the encapsulations B x, C x of secrets λ x. 2. For the root node, verify that Âr,0 = PK. For every other node x, verify that: d z ) i,γz (w) Â x,0 = (Âz,i, (1) i=0 where z = parent(x), w = id(x), and γ z = {0, 1,..., d z }. 3. For every leaf node x, verify that: where i = id(x). If all tests pass, output 1; otherwise output 0. Â x,0 = e(g, C x) e(b x, PP i ), (2)

10 The scheme: Reconstruction To define Reconst(PK, π, T, SK S ) we define a recursive algorithm DecryptNode(π, SK S, x) that outputs an element in G 1 or. If x is a leaf node then let y i SK S be the secret key corresponding to PP i where i = id(x). Set DecryptNode(π, SK S, x) = C x B y i x = λ x PP Rx i g Rx y i qx (0) = λ x = g for i S and DecryptNode(π, SK S, x) = for i / S.

11 The scheme: Reconstruction If x is not a leaf node: For all nodes z that are children of x, call DecryptNode(π, SK S, z) and store the output as F z. Let γ x be an arbitrary k x -sized set of child nodes z such that F z. (If no such set exists then return.) Compute: F x = (0) i,γ F x z z γ x = g qz (0) (0) i,γ x z γ x = z γ x g qparent(z)(id(z)) i,γ (0) x = z γ x g qx (i) i,γ where i = id(z) and γ x = {id(z) : z γ x }. (0) x = g q x (0) Set Reconst(PK, π, T, SK S ) = DecryptNode(π, SK S, r).

12 Security for our PKE supporting PVSS scheme Theorem If a polynomial time adversary A wins the security game for PKE scheme supporting publicly verifiable secret-sharing scheme, then there exists a polynomial time simulator B to break the Bilinear Diffie-Hellman Assumption. See paper for the definition of the PKE-supporting-PVSS security game and the proof of the theorem.

13 Performance: Share generation 128 bit k = n = Figure: Time in milliseconds for GenShare, at the 128-bit security level, for various k and n. Top numbers in each cell are for our scheme; bottom numbers are for [Schoenmakers 99].

14 Performance: Verification 128 bit k = n = Figure: Time in milliseconds for Verify, at the 128-bit security level, for various k and n. Top numbers in each cell are for our scheme; bottom numbers are for [Schoenmakers 99].

15 Performance: Reconstruction 128 bit k = n = Figure: Time in milliseconds for Reconst, at the 128-bit security level, for various k and n. Top numbers in each cell are for our scheme; bottom numbers are for [Schoenmakers 99].