Distributed Stream Ciphers


Linköping Studies in Science and Technology, Thesis No. Distributed Stream Ciphers. Magnus Öberg. LIU-TEK-LIC-2003:20. Department of Electrical Engineering, Linköping University, SE Linköping, Sweden. Linköping 2003.

Distributed Stream Ciphers. © 2003 Magnus Öberg. Department of Electrical Engineering, Linköping University, SE Linköping, Sweden. ISBN ISSN. Printed in Sweden by Linköpings Tryckeri AB, Linköping.

To Mum and Dad


Abstract

Cryptographic operations are normally carried out by a single machine. Sometimes, however, this machine cannot be trusted completely. Threshold cryptography offers an alternative where the cryptographic operation is distributed to a group of machines in such a way that the key used in the cryptographic operation is not revealed to anyone. The tool used to achieve this is threshold secret sharing, by which a secret can be distributed among a group so that subsets (of the members of the group) that are larger than some threshold can cooperate to recover the secret, while subsets smaller than this threshold cannot. This thesis concerns distributed stream ciphers, which are a generalisation of threshold cryptography in the sense that the suggested scheme is not restricted to the use of threshold secret sharing schemes. We describe how to do distributed decryption of a ciphertext encrypted by an additive stream cipher. The system works for any secret sharing scheme that is linear under addition. We present a modification of how secret sharing of sequences is done. Due to this modification we can generate shares locally using linear feedback shift registers instead of transmitting shares of each symbol in a sequence. A distributed decryption scheme where the keystream is distributed in this modified way is constructed.


Acknowledgments

During the years I have been working with this project, some people have made my work easier and therefore deserve a special thanks. First, I wish to thank my professor, Ingemar Ingemarsson, for inspiration and support. Our meetings always lifted my spirit and when I doubted, you kept me going. Dr. Niclas Wiberg provided the initial ideas to this work and was my major source of inspiration during the first year. Dr. Jacob Löfvenberg and Dr. Tina Lindkvist have been my closest friends during these years. You have been around when I needed help, always taking time to answer questions, read manuscripts and have coffee. Fredrik Claesson, my room-mate during the last year. Besides being a friend, you have read and discussed my work, and answered all my stupid questions about computers. My other colleagues from the divisions of Information Theory, Image Coding and Data Transmission for providing an outstanding atmosphere both inside and outside the office. The importance of 17 should not be underestimated. My parents and my brothers. I doubt that any of you have understood much of my work, but you have always been supportive and interested in my progress.

Last but not least, Lotta and our two sons, Robin and Oliver. Thanks for loving me and putting up with me during the days (and nights) I worked late. Thank you all, Magnus

Contents

1 Introduction
  1.1 Cryptography
  1.2 Thesis Motivation
    Scenario
    Secret Sharing of the Database
    Simple Encryption
    Encrypted database and secret sharing of the key
    Distribution of the Decryption Operation
  1.3 Problem Formulation and Related Work
  1.4 Outline
2 Stream Ciphers
  2.1 Linear Feedback Shift Registers
    Polynomial description of LFSR Sequences
    Combining LFSR Sequences
3 Secret Sharing
  3.1 Shamir's Secret Sharing Scheme
  3.2 General Description of Secret Sharing
  Properties of Secret Sharing Schemes
4 Example of Distributed Decryption
  Setting
  Secret Sharing of Key and Cipher Sequences
  Decryption
  Discussion
5 Multiparty Computations
  Basic Operations
6 Distributed Stream Ciphers
  General Description
  Limits on using Shamir's Secret Sharing Scheme
  Modified Secret Sharing of Sequences
  Example: Modified Secret Sharing of Sequences with Shamir's Scheme
7 Applications
  Joint Tunnel in a Virtual Private Network
  Distributed VPN
  Pseudo-Public-Key Systems
8 Security Aspects
  The Original System
  The General Distributed System
  Modified Distribution
9 Conclusions 59
Bibliography 63

Chapter 1 Introduction

This chapter starts with an introduction to cryptography and its vocabulary. Next, the motivation for the thesis is given, followed by a description of what this thesis is about, how it relates to the work of others and an outline of the rest of the thesis.

1.1 Cryptography

Throughout history people have felt a need to keep some information secret from others. Cryptography is the art of constructing cipher systems [2] and it has been used for many thousands of years to hide information during storage and transmission. Those who are not intended to get the information are of course interested in knowing the secret information anyway and will then engage in cryptanalysis to try to break the cipher. There is a constant struggle between the makers and the breakers of cipher systems, since once a new cipher has been constructed it will be under attack, and if it is broken a new cipher needs to be constructed. The use of ciphers was until 30 (or so) years ago more or less restricted to the military and governments. After that cryptography has been presented to and made accessible to the public, which has led to a growing interest in this fascinating subject. Nowadays cipher systems are used in many places in modern society, e.g. ATM machines, digital television, Internet shopping etc. This has increased the need for research into cryptology, which is the scientific study of cryptography and cryptanalysis.

The basic idea of a cipher is to provide two operations, encryption and decryption. The first transforms a plaintext into something unintelligible called a ciphertext and the other inverts this transformation and returns the plaintext again, see figure 1.1. Both operations are functions that depend on an additional input called the key.

Figure 1.1 The basic operations of a cipher: (a) encryption maps the plaintext to the ciphertext under the encryption key; (b) decryption maps the ciphertext back to the plaintext under the decryption key.

Cipher systems can be classified into groups based on how they are constructed. In some systems the same key is used for both encryption and decryption. These are said to be symmetric ciphers, whereas asymmetric ciphers have different keys for the two operations. The RSA algorithm [28] is the most widely used asymmetric cryptosystem. Another distinction is made between stream ciphers and block ciphers. Whilst a stream cipher encrypts one character at a time with a time-varying transformation, a block cipher encrypts a group of characters using a fixed, but more complex, function. Some well known block ciphers are DES [11], IDEA [23] and AES (Rijndael) [1]. In GSM telephones a stream cipher called A5 [5] is used.

The strength of a cipher is measured by the amount of work needed to perform certain attacks. It is usually assumed that an attacker knows everything about a cipher system except for the key. In a ciphertext-only attack, the attacker only knows the ciphertext and the goal is to recover the corresponding plaintext and/or the key. To be considered strong a cipher needs to withstand this attack, which means that the best an attacker can do is to try all possible keys (a brute-force attack) and check whether a reasonable plaintext can be found. In practice it is common that some portion of the plaintext together with the corresponding ciphertext is known to the attacker. Then a known-plaintext attack can be mounted. The goal is then to recover the rest of the plaintext and the key. More advanced attacks are the chosen-plaintext attack, where the attacker can ask for the corresponding ciphertext of any chosen plaintext, and the chosen-ciphertext attack, where the attacker can get the corresponding plaintext to any chosen ciphertext. These two attacks aim at recovering the key. For further reading on cryptography, [26] and [31] cover most of the topic in detail. Singh's book [33] gives a non-technical description of classical cryptosystems and [34] is used as a course book for undergraduates.

1.2 Thesis Motivation

This section provides the motivation for this thesis. Starting from a short scenario, a discussion of some alternative ways to protect a database containing sensitive information leads to our system with a distributed cipher.

Scenario

Consider a company that keeps some sensitive information stored in a database. They want a system where only authorised users are allowed access to the database and where it is hard for others to read and/or modify the stored information.

Figure 1.2 The basic setting: a database, a server and a terminal.

The basic setting is shown in figure 1.2. The idea is that a user logs on to a terminal and then requests information from the database through the server. These three entities are considered to be separate machines, each with at least some processing capability. Access control is of course a necessary part of this system and it can be enforced at one or more places in this setting. This will not be discussed further, but we will assume that having root access to one machine does not automatically give access to other machines. This means that a hacker who gains access to the server does not automatically get full access to the database etc.

There are many ways to attack this system. If the goal is to prevent access to the database, a so-called denial-of-service attack can be mounted, where a computer receives so much incoming traffic that it cannot perform its regular tasks. These attacks are hard to protect against, but avoiding single weak spots in the system will make it harder to mount such attacks. Another attack would be that someone breaks into the database and can read or change the sensitive information. Breaking into the server would make it possible to either listen to or stop traffic through the server, or alter the information passed on to the terminal. In order to gain information, eavesdropping can be used, either on the channel between the database and the server or on the channel between the server and the terminal.

Below, some countermeasures are presented, both ones that are available today and a new scheme, and their protection against some of the attacks described above is discussed. It should be pointed out that if a person who is authorised to access the database turns bad, or if a hacker somehow can masquerade as an authorised user, we have no protection to offer.

Secret Sharing of the Database

Secret sharing is a tool for distributing (secret) information among a group (humans and/or machines) in such a way that the original information is hidden until several members of the group cooperate to reveal it. Each group member stores a piece of information, called a share, which can be combined with the pieces stored at the other entities to reconstruct the original information. The specific secret sharing scheme chosen determines which subsets of the group members can reconstruct the original information if they cooperate. In chapter 3 secret sharing is discussed in more detail.

Figure 1.3 The information is distributed into several databases using secret sharing: the server and the terminal now communicate with a group of databases, each holding a share.

If we apply secret sharing to our database we get the setting shown in figure 1.3, where we have distributed the information to a group of databases. We choose to call them databases even though they have no real information on their own. Instead each of them stores a share of the original information.

In this setting the server gets a central part, as it will either be responsible for reconstructing the information from the shares or for passing the shares on to the requesting terminal for reconstruction. This means that an attack against the server will be devastating for this system. An eavesdropper can also listen in directly on the communication between the server and the terminal. Another drawback in this setting is that the storage space will increase dramatically compared to the setting shown in figure 1.2. A positive effect is that it will be harder for an attacker to read freely from the database, since he now needs to contact several entities first. Compared to the basic setting we also get a more stable system, since we can now tolerate one or more of the databases breaking down.

Simple Encryption

Another way to protect the information in the database is to use cryptography and encrypt the information before it is stored in the database. We then protect against intrusions directly into the database. The degree of protection depends not only on the chosen cipher, but also on how the decryption key is handled, where the actual decryption is done etc. The location where the decryption key is stored is important, since we only want authorised people to be able to read from the database. One option is to give each authorised person a copy of the key, but this gives an attacker many ways to try to find the key, and if the group of authorised people changes often the key needs to be changed (and the database re-encrypted) just as often. Storing the key in the database would of course be silly, since this would give away the protection against theft that an enciphered database gives. If the key is stored in another computer there is a chance that a hacker might find it during a break-in. This system will also be very vulnerable to malfunctioning computers or denial-of-service attacks.

The choice of where the decryption should be carried out is also important. Decryption can be done by the database machine. This means that no matter where the key is stored the information will be sent as plaintext from the database to the terminal, giving an eavesdropper an easy target. If decryption is done by the server, the plaintext must again be sent to the terminal. If we want to avoid transmitting the plaintext through the system we need a solution where decryption is done by the terminal or by the user outside the network.

Encrypted database and secret sharing of the key

Secret sharing can be used to distribute the decryption key in a cipher system. This was actually the goal Shamir and Blakley tried to achieve in their articles from 1979. The shares of the key are then stored in different locations in the system, e.g. one share in the database, one share in the server and one share in the terminal. When decryption is called for, the shares are sent to the server (or one of the other machines), which reconstructs the key and decrypts the ciphertext. The obvious drawback here is that to be able to decrypt the ciphertext, the decryption key needs to be revealed, at least to the machine where the decryption is carried out. This again leaves a weak spot in the system. This weak spot would be avoided if a system could be created where the decryption key is never revealed to any part of the system. The next section presents a way to achieve this.

Distribution of the Decryption Operation

In the previous proposals we have settings where the decryption is done by one single machine. This raises some security issues. This machine will be the expected target of an attack, since if this machine can be controlled all messages can be read and the key will be exposed. Here we present some systems where the decryption operation is distributed to a set of servers, as shown in figure 1.4.

Figure 1.4 A set of servers can be used for distributing the decryption operation: the database and the terminal communicate through several servers instead of one.

Distributed keys

The proposal here is to modify the setting in sections and so that the decryption key is never revealed. This is done by using a set of servers, each given a share of the decryption key, and distributing the actual decryption operation. When a user wants access to the database he sends requests to all servers. Each server then reads the ciphertext from the database and creates a share of the plaintext from the ciphertext and its share of the decryption key, as in figure 1.5. The resulting plaintext share is then transmitted to the terminal for reconstruction. This is not possible for every secret sharing scheme and every cipher. We will describe the conditions needed for this to work later in this thesis. This means that none of the servers can read the plaintext, but when they send their shares to the user he can reconstruct the plaintext from them.

Figure 1.5 Each server creates a share of the plaintext from the ciphertext and a share of the decryption key.

Distributed ciphertext

This is another system where a set of servers is used to decrypt the ciphertext. Here all servers are given a copy of the decryption key. The difference to the setting in section is that the database constructs shares of the ciphertext and sends one share to each server. The idea is now that the servers can construct shares of the plaintext from the decryption key and shares of the ciphertext, see figure 1.6. Later in this thesis we will show when this is possible. The downside here is of course that the decryption key can be found at every server. Then an intruder only needs to break into one server to be able to decrypt the stored information.

Figure 1.6 If each server holds a copy of the decryption key, a share of the plaintext is created from the copy of the key and a share of the ciphertext.

Distributed decryption

The final system is to combine distribution of the key and distribution of the ciphertext. Then each server would have a share of the decryption key and, when a request is made, the database would create shares of the ciphertext and send one share to each server. The servers can then, under certain circumstances which will be described later, create shares of the plaintext from shares of the key and ciphertext, see figure 1.7.

Figure 1.7 Full distribution of the decryption. Here each server creates a share of the plaintext from a share of the ciphertext and a share of the decryption key.

In this setting the plaintext is not reconstructed until it reaches the terminal where the user sits. Note that the ciphertext is available only at the database and that each server only gets shares of the key, ciphertext and plaintext.
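The three settings of figures 1.5, 1.6 and 1.7 carried out in code, as an added example that is not part of the thesis. It uses an additive (XOR) stream cipher and the simplest scheme that is linear under addition, n-out-of-n additive sharing, so that every server computes its plaintext share as "ciphertext share XOR keystream share" without ever holding the keystream or the plaintext. The function names, the toy keystream generator and the sample record are this example's own assumptions; in particular, a value that every server is allowed to see (the ciphertext in figure 1.5, the key in figure 1.6) is modelled as the share tuple (value, 0, ..., 0), so that the same combining step serves all three settings.

```python
# Added example, not the thesis's code: distributed decryption of an additive
# stream cipher with n-out-of-n additive (XOR) secret sharing.
import random
from functools import reduce


def keystream(key: int, length: int) -> bytes:
    """Toy keystream generator: a seeded PRNG standing in for a real generator.
    It is NOT cryptographically secure; only the XOR structure matters here."""
    rng = random.Random(key)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def share(value: bytes, n: int, rng: random.Random) -> list:
    """n-out-of-n additive sharing: n-1 uniformly random shares, the last one
    chosen so that the XOR of all n shares equals the value."""
    shares = [bytes(rng.getrandbits(8) for _ in value) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, value))
    return shares


def share_of_public(value: bytes, n: int) -> list:
    """A value every server may see, written as the share tuple (value, 0, ..., 0)
    so it can be combined share-by-share with a genuinely shared value
    (assumption of this example: only the first server folds it in)."""
    return [value] + [bytes(len(value))] * (n - 1)


def reconstruct(shares: list) -> bytes:
    return reduce(xor, shares)


def server_step(ciphertext_share: bytes, key_share: bytes) -> bytes:
    """What one server computes: a plaintext share from its ciphertext share
    and its keystream share. Linearity under XOR is what makes this correct."""
    return xor(ciphertext_share, key_share)


def distributed_decrypt(ciphertext: bytes, z: bytes, n: int, setting: str,
                        rng: random.Random) -> bytes:
    if setting == "distributed keys":           # figure 1.5
        c_shares = share_of_public(ciphertext, n)
        z_shares = share(z, n, rng)
    elif setting == "distributed ciphertext":   # figure 1.6
        c_shares = share(ciphertext, n, rng)
        z_shares = share_of_public(z, n)
    elif setting == "distributed decryption":   # figure 1.7
        c_shares = share(ciphertext, n, rng)
        z_shares = share(z, n, rng)
    else:
        raise ValueError(setting)
    # Each server works independently on its own pair of shares; the terminal
    # reconstructs the plaintext from the plaintext shares it receives.
    plaintext_shares = [server_step(c, k) for c, k in zip(c_shares, z_shares)]
    return reconstruct(plaintext_shares)


def demo(setting: str) -> bytes:
    key = 2003                                  # constructed sample key
    plaintext = b"sensitive record #17"         # constructed sample data
    z = keystream(key, len(plaintext))
    ciphertext = xor(plaintext, z)              # additive stream cipher
    return distributed_decrypt(ciphertext, z, 3, setting, random.Random(1))


if __name__ == "__main__":
    for s in ("distributed keys", "distributed ciphertext", "distributed decryption"):
        print(s, "->", demo(s))
```

In the "distributed decryption" setting no single server sees the key, the ciphertext or the plaintext, which is exactly the property the thesis aims for; with n-out-of-n sharing every server must respond, so a threshold scheme (chapter 3) is what would be used in practice.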

1.3 Problem Formulation and Related Work

This thesis is about the problem of creating distributed ciphers, i.e. constructing systems where encryption or decryption can be carried out without revealing the secret key to anyone during the computations. In the late 1980s the area of threshold cryptography evolved. The starting point was Desmedt's concept of Group Oriented Cryptography [12], which discusses the problem of sending a message to a group of people. The idea is that sometimes it is good to enforce cooperation among a group, so that recipients cannot deny receiving the message and one recipient cannot prevent another recipient from getting the message. Soon secret sharing schemes proved to be a useful tool [20, 14], which led to the term threshold cryptography since the solutions are based on threshold secret sharing schemes. Desmedt has written two surveys on threshold cryptography [15, 13]. The term threshold cryptography covers all distributed cryptographic operations where the distribution is through a threshold secret sharing scheme, but so far only public key based operations have been proposed and analysed, see e.g. [22]. What about symmetric ciphers? Based on the tools available, block ciphers seem to be hard to distribute since they either involve non-linear S-boxes, e.g. DES and AES, or combine computations in different algebraic groups, e.g. IDEA. The reason this seems hard is that not all functions can be evaluated in multiparty computation protocols. In a multiparty computation protocol a group wants to compute a function where each group member holds some input to the function. The task is to compute the correct output of the function without revealing the individual inputs. It should be noted that all distributed ciphers actually are special cases of general multiparty computations [10].

In this thesis distributed stream ciphers are constructed and analysed. The term distributed cipher is used since our system is not limited to threshold schemes and the formulation is thus more general. However, in practice threshold schemes will probably be used since they have simple realisations and they give systems where all entities are equally valuable. Other schemes would mean that some entities are more likely targets of attack due to their extra value.

1.4 Outline

The thesis continues with the necessary background on stream ciphers (chapter 2) and secret sharing (chapter 3). This is followed by an example (chapter 4) which presents the idea of distributed stream ciphers. Multiparty computations (chapter 5) describe how general functions can be calculated in a distributed fashion. Next, general distributed stream ciphers are discussed, followed by a section on possible applications for these systems. Some security aspects are then analysed in chapter 8, followed by conclusions and open problems in chapter 9.

Chapter 2 Stream Ciphers

A stream cipher divides the plaintext into small entities called characters and encrypts one character at a time using a time-varying transformation [30]. The transformation used at a specific instance depends on the internal state of the cipher. After each encryption the internal state changes according to some rule. Every stream cipher is defined by two functions: the new-state function, which determines how the internal state changes, and the output function, which gives a ciphertext character from a plaintext character and the current internal state. Systems where the change of state does not depend on the input (plaintext) to the system are called synchronous (in contrast to asynchronous systems). These systems have the property that every plaintext character is enciphered independently of the others and an error in one character does not propagate to other parts of the ciphertext. As described in [29] this has two drawbacks. First, it limits the possibility to detect errors when decrypting. Second, an attacker can insert controlled changes to parts of the ciphertext and may achieve a wanted modification of the plaintext. Thus in a synchronous stream cipher a function of the internal state is somehow combined with the plaintext to create the ciphertext. The most common combining function is addition (exclusive-or for binary systems), but other functions can also be used. Stream ciphers which use addition as the combining function, see figure 2.1, will be referred to as additive. The sequence produced by the function applied to the internal state is called the keystream. Hereafter only additive synchronous stream ciphers will be discussed.

Figure 2.1 An additive synchronous stream cipher: a keystream generator produces the keystream $K$, which is added to the plaintext $M$ to form the ciphertext $C$.

If we assume that an attacker knows the combining function and is capable of deriving the keystream, the security of a stream cipher depends on whether or not the next character of the keystream can be predicted. There does not seem to be any unified way to determine if a keystream generator produces sequences that are hard to predict. Instead there are numerous tests defined, and if a sequence fails any of these tests it is not suitable for use as a keystream. However, a sequence that passes all these tests might yet be vulnerable to some other attack. One important property of a sequence is its period. If used as a keystream it is important that it does not repeat itself during encryption of a plaintext. Thus the period must be longer than the plaintext. Another test is to use the Berlekamp-Massey algorithm [24] on the sequence to find the shortest linear feedback shift register (LFSR) that can generate the same sequence. The length of this shortest LFSR is called the linear complexity of the sequence. A generalisation of this measure is the maximum order complexity [21], but it is in general harder to find. More tests and a thorough discussion can be found in [29].

2.1 Linear Feedback Shift Registers

In practice the keystream is produced by a finite state machine, giving a periodic output. The period is finite and thus the keystream may be regarded as generated by a linear feedback shift register. The Berlekamp-Massey algorithm [24] can be used to find the shortest LFSR that can generate a given finite sequence. Thus there are good reasons to study sequences generated by linear feedback shift registers. Linear feedback shift registers have many interesting properties, see e.g. [17]. Due to this, many proposed keystream generators are based in some way on one or more LFSRs.

Let $S = s_1, s_2, \dots$ be a sequence produced by an LFSR. The sequence then obeys the recursion formula

$$s_i = \sum_{m=1}^{L} c_m s_{i-m} \qquad (2.1)$$

where $L$ is the memory size of the register and $c_i$, $i = 1, \dots, L$, are constants. Commonly binary systems are considered, but the formula is valid in any finite field $GF(q)$. Associated with a recurrence relation is a characteristic polynomial

$$f(x) = 1 + c_1 x + c_2 x^2 + \cdots + c_{L-1} x^{L-1} + c_L x^L$$

which describes the feedback function of the shift register. In a stream cipher the period of the generated sequence should be at least as long as the plaintext. From the characteristic polynomial of an LFSR it is possible to determine the period of the generated sequence. For an LFSR with memory size $L$ the maximum number of states of the register is $q^L$, but since the all-zero state will always give the all-zero sequence, the maximum number of states that a sequence can go through before returning to a state already passed is $q^L - 1$. This is also the maximum period of a sequence generated by an LFSR with memory size $L$. If the characteristic polynomial is primitive then the generated sequence has maximum period.

The security of a stream cipher depends, as we already mentioned, on whether or not it is possible to guess the upcoming characters of the key sequence. Sequences generated by an LFSR of length $L$ have the property that if $2L$ symbols are known from a sequence then the generator can be reconstructed, as can be seen in this example.

Example Assume that we know that a certain sequence has been produced by an LFSR of length $L$ and somehow we know part of the sequence, say $s_i, s_{i+1}, \dots, s_{i+2L-1}$. Then we can set up an equation system:

$$\begin{aligned} s_i &= c_1 s_{i-1} + c_2 s_{i-2} + \cdots + c_L s_{i-L} \\ s_{i+1} &= c_1 s_i + c_2 s_{i-1} + \cdots + c_L s_{i-L+1} \\ &\;\;\vdots \\ s_{i+2L-1} &= c_1 s_{i+2L-2} + c_2 s_{i+2L-3} + \cdots + c_L s_{i+L-1} \end{aligned}$$

This system consists of $2L$ equations and $2L$ unknowns and is thus solvable if the system has full rank. Due to this it is not a good idea to use a single short LFSR as a keystream generator. To be secure the shift register would need to be very long.

By addition of two sequences $R = (r_i)$, $S = (s_i)$ we mean termwise addition $T = (t_i = r_i + s_i)$, and if $R$ and $S$ both fulfil the same recursion formula then $T$ also fulfils this formula, since

$$t_i = r_i + s_i = \sum_{m=1}^{L} c_m (r_{i-m} + s_{i-m}) = \sum_{m=1}^{L} c_m t_{i-m}.$$

If a constant $\lambda$ is multiplied with the sequence $S$ to get $T = \lambda S = (\lambda s_i) = (t_i)$, then the new sequence $T$ fulfils the same recursion formula as $S$. Thus the set of sequences generated by the same LFSR forms a linear space.

Polynomial description of LFSR Sequences

A sequence $s_0, s_1, \dots$ generated by a linear feedback shift register satisfies the shift register equation

$$\sum_{i=0}^{L} c_i s_{j-i} = 0, \qquad \text{for } j = L, L+1, \dots$$

Here $c_0 = 1$. Using the Z-transform the sequence can be written

$$S(z) = s_0 + s_1 z^{-1} + s_2 z^{-2} + \cdots$$

The feedback of the shift register can be described by the feedback polynomial

$$C(z) = 1 + c_1 z^{-1} + c_2 z^{-2} + \cdots + c_L z^{-L}$$

A linear feedback shift register can be implemented in two essentially equivalent ways, using either the Fibonacci or the Galois model. Both are described in terms of the polynomials $S(z)$ and $C(z)$.

Figure 2.2 The Galois model for implementing linear feedback shift registers.

In the Galois model we define another polynomial $P(z)$:

$$P(z) = S(z)C(z) = p_0 + p_1 z^{-1} + p_2 z^{-2} + \cdots + p_{L-1} z^{-L+1}$$

where the coefficients are, see e.g. [17] for a proof,

$$p_j = \sum_{i=0}^{j} c_i s_{j-i}, \qquad \text{for } j = 0, 1, \dots, L-1.$$

Then we see that the sequence can be written as

$$S(z) = \frac{P(z)}{C(z)}$$

which is implemented as shown in figure 2.2. Note that $P(z)$ will be the initial state in this implementation.

Figure 2.3 The Fibonacci model for implementing linear feedback shift registers.

If the Fibonacci model, shown in figure 2.3, is used, the initial state will be the first $L$ symbols of the output sequence. This is a straightforward realisation of the recursion equation.

Combining LFSR Sequences

As was mentioned above, a single LFSR cannot be used as a keystream generator unless it is very long. Combining two or more sequences produced by short LFSRs is a way to address this problem. Then it is interesting to know what properties the combined sequence has.
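The two realisations of section 2.1.1 side by side, as an added example that is not part of the thesis: a Fibonacci register whose state is the last L output symbols, and a Galois register whose state is the coefficient vector of P(z), with the Galois initial state computed from the first L output symbols as P(z) = S(z)C(z). Function names and the sample parameters are this example's own; the code follows the shift register equation (sum of c_i s_{j-i} over i = 0..L equals 0, c_0 = 1) so that it stays consistent with the division S(z) = P(z)/C(z) also over GF(q) with q > 2, where it differs from (2.1) only by a sign.

```python
# Added example, not the thesis's code: Fibonacci vs Galois LFSR over GF(q).
from itertools import islice


def fibonacci_lfsr(c, s0, q=2):
    """Fibonacci model. c = (c_1, ..., c_L), s0 = (s_0, ..., s_{L-1}): the initial
    state is the first L output symbols, then s_j = -sum_{i=1}^L c_i s_{j-i} mod q."""
    L = len(c)
    state = list(s0)
    for x in state:
        yield x
    while True:
        new = (-sum(c[i - 1] * state[-i] for i in range(1, L + 1))) % q
        yield new
        state = state[1:] + [new]


def galois_initial_state(c, s0, q=2):
    """p_j = sum_{i=0}^{j} c_i s_{j-i} for j = 0..L-1, i.e. P(z) = S(z)C(z) truncated."""
    cc = [1] + list(c)                      # c_0 = 1
    return [sum(cc[i] * s0[j - i] for i in range(j + 1)) % q for j in range(len(c))]


def galois_lfsr(c, p, q=2):
    """Galois model. The register holds the coefficients of P(z); each step is one
    step of the long division S(z) = P(z)/C(z): output p_0, then replace P(z) by
    z * (P(z) - p_0 C(z)), which again has degree at most -(L-1) in z^{-1}."""
    L = len(c)
    r = list(p)
    while True:
        s = r[0]
        yield s
        r = [(r[k + 1] - s * c[k]) % q for k in range(L - 1)] + [(-s * c[L - 1]) % q]


def first(gen, n):
    return list(islice(gen, n))


def models_agree(c, s0, n, q=2):
    """True if both realisations, started from matching states, emit the same n symbols."""
    fib = first(fibonacci_lfsr(c, s0, q), n)
    gal = first(galois_lfsr(c, galois_initial_state(c, s0, q), q), n)
    return fib == gal


def period(c, s0, q=2):
    """Steps until the Fibonacci state (L consecutive symbols) first repeats."""
    L = len(c)
    seq = first(fibonacci_lfsr(c, s0, q), q ** L + L)
    start = seq[:L]
    return next(T for T in range(1, q ** L + 1) if seq[T:T + L] == start)


if __name__ == "__main__":
    # x^4 + x + 1 over GF(2) is primitive, so the period is 2^4 - 1 = 15.
    print(first(fibonacci_lfsr((1, 0, 0, 1), (1, 0, 0, 0)), 15))
    print(models_agree((1, 0, 0, 1), (1, 0, 0, 0), 30), period((1, 0, 0, 1), (1, 0, 0, 0)))
    # x^2 + x + 2 over GF(3) is primitive, so the period is 3^2 - 1 = 8.
    print(models_agree((1, 2), (1, 0), 24, q=3), period((1, 2), (1, 0), q=3))
```

The Galois register reaches the all-zero state exactly when P(z) = 0, i.e. when the Fibonacci register does, so the period claims of section 2.1 hold for either realisation.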

If two sequences $S_1(z), S_2(z)$ with different feedback polynomials $C_1(z), C_2(z)$ are added, the new sequence is given by

$$S(z) = S_1(z) + S_2(z) = \frac{P_1(z)}{C_1(z)} + \frac{P_2(z)}{C_2(z)} = \frac{P_1(z) C_2(z) + P_2(z) C_1(z)}{C_1(z) C_2(z)}$$

and the period is given by the smallest $T$ such that $C_1(z) C_2(z)$ divides $1 - z^{-T}$. If $C_1(z), C_2(z)$ are relatively prime and their individual periods are $T_1, T_2$, the period of the resulting sequence will be $T = T_1 T_2$. For the linear complexity of a sequence it has been shown [18] that if $C_1(z), C_2(z)$ are relatively prime the added sequence will have a complexity that equals the sum of the individual complexities of the two generators. If they are not relatively prime the resulting complexity will be lower than this. In for example references [7] and [18] the linear complexity of other combinations of shift register sequences has been analysed.
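Two claims of this chapter checked in code, as an added example that is not part of the thesis: first, the point of the example in section 2.1 that 2L consecutive symbols of a length-L LFSR determine its feedback, here done with the Berlekamp-Massey algorithm [24] that the text names as the tool for finding the shortest LFSR; second, the statement above that adding two sequences with relatively prime feedback polynomials gives period T_1 T_2 and linear complexity equal to the sum of the two, while two sequences from the same register give less. The binary LFSR generator, the function names and the two sample polynomials x^4 + x + 1 and x^3 + x + 1 are this example's own.

```python
# Added example, not the thesis's code: Berlekamp-Massey on LFSR output and on
# the sum of two LFSR sequences (all over GF(2)).
from itertools import islice


def lfsr(c, s0):
    """Binary LFSR in the form of (2.1): s_j = sum_{m=1}^L c_m s_{j-m} (mod 2).
    c = (c_1, ..., c_L) is the feedback, s0 = (s_0, ..., s_{L-1}) the initial state."""
    L = len(c)
    state = list(s0)
    for bit in state:
        yield bit
    while True:
        new = sum(c[m - 1] & state[-m] for m in range(1, L + 1)) & 1
        yield new
        state = state[1:] + [new]


def berlekamp_massey(s):
    """Shortest LFSR generating the bit list s. Returns (L, [1, c_1, ..., c_L])."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1                        # m = steps since B was last replaced
    for i in range(n):
        d = s[i]                       # discrepancy between prediction and s[i]
        for k in range(1, L + 1):
            d ^= C[k] & s[i - k]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for k in range(n + 1 - m):
            C[k + m] ^= B[k]           # C(x) <- C(x) + x^m B(x)
        if 2 * L <= i:
            L, B, m = i + 1 - L, T, 1  # length change; keep old C for later corrections
        else:
            m += 1
    return L, C[:L + 1]


def period(seq):
    """Smallest T > 0 with seq[j] == seq[j+T] throughout the sample."""
    n = len(seq)
    return next(T for T in range(1, n) if seq[:n - T] == seq[T:])


def first(gen, n):
    return list(islice(gen, n))


def add(a, b):
    return [x ^ y for x, y in zip(a, b)]


# Constructed sample registers: x^4 + x + 1 (L = 4, period 15) and
# x^3 + x + 1 (L = 3, period 7); the two polynomials are relatively prime.
C1, S1 = (1, 0, 0, 1), (1, 0, 0, 0)
C2, S2 = (1, 0, 1), (1, 0, 0)


def recover_from_2L():
    """Feed exactly 2L = 8 bits of the first register to Berlekamp-Massey."""
    return berlekamp_massey(first(lfsr(C1, S1), 8))


def combined_stats(n=3 * 105):
    """(period, linear complexity) of the sum of the two sequences."""
    t = add(first(lfsr(C1, S1), n), first(lfsr(C2, S2), n))
    return period(t), berlekamp_massey(t)[0]


def same_register_stats(n=60):
    """Same for two different sequences from the same register (not relatively prime)."""
    t = add(first(lfsr(C1, S1), n), first(lfsr(C1, (0, 1, 1, 0)), n))
    return period(t), berlekamp_massey(t)[0]


if __name__ == "__main__":
    print("recovered from 2L bits:", recover_from_2L())
    print("relatively prime sum (period, complexity):", combined_stats())
    print("same register sum (period, complexity):", same_register_stats())
```

Eight bits are enough to recover the length-4 register, which is why a single short LFSR is no keystream generator; the relatively prime sum has period 15 * 7 = 105 and complexity 4 + 3 = 7, while the sum of two sequences from the same register stays at period 15 and complexity 4.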


Chapter 3 Secret Sharing

Secret sharing deals with situations when someone wants to store a secret, but does not trust any single place to keep it safe. The solution is to distribute the secret by giving pieces of information, called shares or shadows, to a set of shareholders, where a shareholder can be a computer or a person. The shares are created so that the secret can be reconstructed only if certain subsets of the shareholders combine their shares. These subsets of the shareholders are called trusted and are chosen when the secret sharing scheme is initiated. In 1979 the concept of secret sharing was independently introduced by Shamir [32] and Blakley [6], both with key management for cryptosystems in mind. Both Shamir and Blakley gave constructions for so-called threshold schemes, where any subset of $t$ or more (out of $n$) shareholders can recreate the secret. In this chapter a brief introduction to secret sharing schemes will be given. First Shamir's scheme is described and then follows a more general discussion on secret sharing.

3.1 Shamir's Secret Sharing Scheme

Shamir's secret sharing scheme builds on interpolation of polynomials in finite fields. Assume that a $t$ out of $n$ threshold scheme is wanted. Consider $GF(q)$ where $q > n$ and create a polynomial

$$f(x) = s + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$$

where $s$ is the secret that is shared and the $a_i$ are coefficients drawn randomly from $GF(q)$. Let $\alpha_1, \alpha_2, \dots, \alpha_n$ be $n$ distinct (non-zero) elements from $GF(q)$. Then $n$ pieces (shares) are created by calculating $f(\alpha_k)$ for $k = 1, 2, \dots, n$, and shareholder $i$ is given $f(\alpha_i)$. The following example shows how this is done.

Example Let us create a (5, 3) threshold scheme to store the secret $s = 4$. We choose to work in $GF(7)$, which should work since $7 > 5$. First a polynomial $f(x)$ is created by choosing the coefficients $a_i$. The resulting polynomial is $f(x) = 4 + 3x + 5x^2$. The shares will then be $f(1) = 5$, $f(2) = 2$, $f(3) = 2$, $f(4) = 5$, $f(5) = 4$.

When trying to reconstruct the secret, every share gives an equation in $t$ unknowns, and then $t$ independent equations are needed to find a unique solution, i.e. to find $s$. If $t$ shares are available the secret can be reconstructed using Lagrange's interpolation formula.

35 3.2 General Description of Secret Sharing 23 Example Assume that three shares are collected from the previous example, say f(1) = 5, f(3) = 2, f(4) = 5. These shares gives following equations: f(1) = s + a a f(3) = s + a a f(4) = s + a a With three independent equations and three unknowns this system has a unique solution. What if only t 1 equations are known? It can be shown, see eg [35, p.112] or [4, pp.15-16], that for every possible value of s there is one polynomial that would give the shares that are known. This means that all possible values are equally likely and knowing t 1 shares does not give any additional information compared to not knowing any share. 3.2 General Description of Secret Sharing Here a more general description of secret sharing is given. For this some new notation is needed. A secret sharing scheme involves two functions, SS : S X S REC : S S, where the first creates the shares and the second is used when reconstructing the secret.
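As an added worked example (not from the thesis), the (5, 3) scheme above in Python: sharing, reconstruction with Lagrange's formula, and a brute-force check of the claim that t − 1 shares leave every secret equally likely. The coefficient 3 in f(x) = 4 + 3x + 5x² is not printed on the page; it is the only value in GF(7) consistent with the five listed shares.

```python
"""Shamir's (n, t) threshold scheme over GF(q), on the (5, 3) example in GF(7)."""
import random
from itertools import product

Q = 7        # the field GF(7) chosen in the example (q = 7 > n = 5)
N, T = 5, 3  # (5, 3) threshold scheme: any 3 of the 5 shares recover the secret


def evaluate(coeffs, x, q=Q):
    """Evaluate f(x) = coeffs[0] + coeffs[1] x + coeffs[2] x^2 + ... in GF(q)."""
    return sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q


def share(secret, n=N, t=T, q=Q, rng=random):
    """Shares f(1), ..., f(n) of a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(q) for _ in range(t - 1)]
    return [evaluate(coeffs, x, q) for x in range(1, n + 1)]


def reconstruct(points, q=Q):
    """Recover f(0) from t points (x_i, f(x_i)) with Lagrange's interpolation formula."""
    secret = 0
    for xi, yi in points:
        basis = 1
        for xj, _ in points:
            if xj != xi:
                # Lagrange basis l_i(x) = prod (x - x_j)/(x_i - x_j), evaluated at x = 0
                basis = basis * xj * pow(xj - xi, -1, q) % q
        secret = (secret + yi * basis) % q
    return secret


def consistent_secret_counts(known, t=T, q=Q):
    """For fewer than t known shares, count the degree t-1 polynomials that agree with
    them, grouped by constant term: equal counts for every secret means nothing leaks."""
    counts = {s: 0 for s in range(q)}
    for coeffs in product(range(q), repeat=t):  # coeffs[0] is the secret s
        if all(evaluate(coeffs, x, q) == y for x, y in known):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    page_poly = [4, 3, 5]  # f(x) = 4 + 3x + 5x^2 from the example
    shares = [evaluate(page_poly, x) for x in range(1, N + 1)]
    print("shares f(1..5):", shares)                                        # [5, 2, 2, 5, 4]
    print("from f(1), f(3), f(4):", reconstruct([(1, 5), (3, 2), (4, 5)]))  # 4
    print("two shares only:", consistent_secret_counts([(1, 5), (3, 2)]))   # every secret once
    print("fresh sharing of 6:", reconstruct(list(enumerate(share(6), start=1))[:3]))  # 6
```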

The input to the function SS is an element from a finite set S, the set of possible secrets, and an element from an auxiliary set X that provides the necessary randomness of the scheme, eg the coefficients of the sharing polynomial in Shamir's scheme. The size of the set X depends on the chosen secret sharing scheme and its parameters. The output of SS is a (randomly chosen) n-tuple

$$\tilde{s} = (\tilde{s}^{(1)}, \tilde{s}^{(2)}, \ldots, \tilde{s}^{(n)}),$$

consisting of the n shares, where $\tilde{s}^{(i)}$, belonging to the finite set $\tilde{S}^{(i)}$, is the share given to shareholder i. The n-tuple $\tilde{s}$ will be called a sharetuple. To be able to do unique reconstruction the function SS must be injective.

Let $\tilde{S}$ be the Cartesian product $\tilde{S} = \tilde{S}^{(1)} \times \tilde{S}^{(2)} \times \cdots \times \tilde{S}^{(n)}$, ie the set of all sharetuples. The set $\tilde{S}_s = \{\mathrm{SS}(s, x) : x \in X\}$ is the set of all possible sharetuples resulting when the secret s is shared. The reconstruction function REC takes a sharetuple as input and outputs the corresponding secret. For all $\tilde{y} \in \tilde{S}_s$ it holds that $\mathrm{REC}(\tilde{y}) = s$. Two n-tuples $\tilde{s}, \tilde{s}'$ are said to be equivalent if they belong to the same subset $\tilde{S}_s \subseteq \tilde{S}$.

Each subset of the shareholders involved in the secret sharing scheme can be classified as trusted or untrusted based on whether or not it is possible for this subset to recover the secret. The set of all trusted subsets $\mathcal{F}$ is called the access structure of the scheme. Usually a monotone access structure is used, and by this we mean that if a subset is trusted and one more shareholder is added, the new subset is also trusted. This can also be written: if $A \in \mathcal{F}$ and $A \subseteq B$ then $B \in \mathcal{F}$.

A subset of the shareholders obviously does not know a complete sharetuple. To be able to handle their knowledge the following notation will be used. Let $\tilde{s}_{\{1,2\}}$ denote the pair (2-tuple) of shares $(\tilde{s}^{(1)}, \tilde{s}^{(2)})$ given to shareholders 1 and 2 respectively. This notation is naturally extended so that $\tilde{s}_{\{1,2,5\}}$ denotes the triple (3-tuple) of shares $(\tilde{s}^{(1)}, \tilde{s}^{(2)}, \tilde{s}^{(5)})$, and for a subset A of the shareholders their collection of shares forms a tuple $\tilde{s}_A$ of size |A| in the same way.

Let A be a subset of the shareholders, and let $\tilde{s}_A$ be their part of a sharetuple $\tilde{s}$. Now define the set

$$\tilde{Y}(\tilde{s}_A) = \{\tilde{y} : \tilde{y} \in \tilde{S} \wedge \tilde{y}_A = \tilde{s}_A\}.$$

Reconstruction from A's subset of the shares can now be done by determining

$$\hat{\alpha} = \arg\max_{\alpha \in S} \left|\{\tilde{y} : \tilde{y} \in \tilde{Y}(\tilde{s}_A) \wedge \mathrm{REC}(\tilde{y}) = \alpha\}\right|.$$

This means: check which sharetuples would give A's part $\tilde{s}_A$, and count how many of them are reconstructed to each of the possible secrets. If two or more secrets get the same count, choose one at random. This is a rather cumbersome method, but it works for all secret sharing schemes. For some secret sharing schemes, eg Shamir's, there are faster reconstruction methods.

A secret sharing scheme is called perfect if all subsets not in the access structure have the same probability of guessing the secret as an outsider without any share. This means that no information is leaked to subsets that are not trusted. With the reconstruction method given above this means that if A is a trusted subset only one secret is possible, but if A is not trusted all possible secrets get the same count.

3.3 Properties of Secret Sharing Schemes

What are the interesting properties of a secret sharing scheme? Performance aspects naturally come to mind. The rate, ie the size of the shares compared to the size of the secret, and the security are aspects that can be measured. It has been shown that to have a perfect secret sharing scheme each share must be of at least the same size as the secret. For complex access structures some of the shares must be even larger [8].

The security of a secret sharing scheme is measured by two things: How hard is it for untrusted subsets of shareholders to find the secret? How hard is it for untrusted subsets of shareholders to disrupt the reconstruction of the secret? For perfect secret sharing schemes the first question has been answered. The second question depends on how erroneous shares are handled during reconstruction. Erroneous shares can come from errors during transmission or from shareholders that deliberately try to disrupt or modify the reconstruction.

It is interesting to compare the field of secret sharing with error correcting codes. Bertilsson's thesis [4] concerns linear codes and secret sharing. Note for instance that Shamir's secret sharing scheme and Reed and Solomon's original code construction [27] are essentially the same. This was first noted by McEliece and Sarwate in [25]. From this description we see that each share can be seen as a symbol in a codeword of a Reed-Solomon code and that any t symbols in an (n, t) code can be seen as information symbols. Using secret sharing schemes that can be viewed as error correcting codes means that some erroneous shares can be handled and also that the decoding method of the code can be used for more efficient reconstruction of the secrets. Another way to handle erroneous shares is by using verifiable secret sharing [16], where each transmission in the scheme is accompanied by some kind of proof of its correctness. If an error occurs it is possible to check the proofs to see where the error occurred and maybe correct the error.

Chapter 4 Example of Distributed Decryption

This section provides an example of how secret sharing can be used to achieve distributed decryption of a simple stream cipher. Let us recall the scenario described in section where some company wants to keep information stored in a database available to its employees but out of reach of an intruder. In order to keep the information out of reach for intruders, it is encrypted and then stored in a database. Since this information should be easy to reach for the employees, the company has chosen not to burden them with decryption keys. Thus these keys need to be stored in the system, but since it should be hard for an intruder to get access, the keys cannot be stored in any single machine. These requirements are achieved by implementing the system proposed in section 1.2.5, ie through distributed decryption.

4.1 Setting

The company network consists of the database, five servers and some terminals connected as in figure 4.1. There is also a key generator in the system. All employees are trusted to have access to the database through one of the terminals. The five servers are used for distributing the decryption, and three of them need to work properly in order for the decryption to work. We assume that there are secure channels between each pair of machines.

Figure 4.1 The company network consisting of a database, five servers and some terminals. Each terminal is connected to all servers.

When an employee wants access to the database he authenticates himself through one of the terminals and sends a request to the five servers. The servers then contact the database, which responds by creating shares of the wanted ciphertext and sending a share to each server. The plaintext has been encrypted previously, by a stream cipher of the type shown in figure 4.2, following the procedure below. Let the plaintext be "Secret!", which when transformed from ASCII format to binary format turns into a 56 bit string $M = (m_i)$.

Let $C(z) = 1 + z^4 + z^9$ be the feedback polynomial and let S be the initial state of the linear feedback shift register used for creating the keystream. The 56 bit keystream generated will then be $K = (k_i)$.

Figure 4.2 Encryption has been done with an additive synchronous stream cipher.

The encryption is made by termwise addition (modulo 2) of these two sequences as in figure 4.2. The resulting ciphertext sequence is then $C = (c_i)$, which is stored in the database.

4.2 Secret Sharing of Key and Cipher Sequences

In this distributed decryption system we want the servers to decrypt the ciphertext without finding the ciphertext, the keystream or the plaintext. To achieve this we let the key generator create shares of the key sequence and distribute them to the servers. The servers will also get shares of the ciphertext constructed by the database. Figure 4.3 shows the relations between key generator, servers and database.

The key sequence is distributed to the servers as a sequence of shares constructed using Shamir's secret sharing scheme [32], which was described in chapter 3. First we need to choose which finite field we want to use. We need a field with more than 5 elements to create a 3 out of 5 threshold secret sharing scheme. Let us choose GF(7).

Figure 4.3 Secret sharing of key and ciphertext sequences.

Note here that the ciphertext and keystream are both binary and what we want to compute is the (modulo 2) subtraction of the key from the ciphertext. For each symbol in the keystream we need to construct a polynomial of degree 2,

$$f_i(x) = k_i + a_i x + b_i x^2,$$

where $k_i$ is the ith symbol from the keystream (seen as an element in GF(7)) and $a_i$ and $b_i$ are randomly drawn from GF(7). The shares are computed as $f_i(j)$ for server j. Now let $A = (a_i)$ and $B = (b_i)$ be the randomly chosen numbers we need. Then the first secret sharing polynomial will be $f_0(x) = 0 + 6x + 3x^2$, and the shares for the first key symbol transmitted to the servers will be $f_0(1) = 2$, $f_0(2) = 3$, $f_0(3) = 3$, $f_0(4) = 2$ and $f_0(5) = 0$.

Continuing in this way we see that the sequence of shares of the key sequence received at server 1 will be $F_1 = (f_i(1))$, and $F_2 = (f_i(2))$, $F_3 = (f_i(3))$, $F_4 = (f_i(4))$, $F_5 = (f_i(5))$ will be the corresponding sequences received at the other servers.

In the same way we can create and distribute sequences of shares of the ciphertext. We create the polynomials $g_i(x) = c_i + u_i x + v_i x^2$ using the randomly chosen sequences $U = (u_i)$ and $V = (v_i)$. The following sequences are received at the servers: $G_1 = (g_i(1))$, $G_2 = (g_i(2))$, $G_3 = (g_i(3))$, $G_4 = (g_i(4))$, $G_5 = (g_i(5))$.

4.3 Decryption

Each server has now received two sequences of shares, one from the key generator and one from the database. Based on these sequences the server can decrypt the ciphertext, ie create a sequence of shares of the plaintext. These sequences now consist of elements from GF(7), as opposed to the binary sequences we started with. With the simple stream cipher we are using, decryption means that the key share sequence is subtracted termwise from the ciphertext share sequence. Thus at server 1 we subtract $F_1$ from $G_1$ to get $H_1 = (h_i(1))$, and the results at the other servers are $H_2 = (h_i(2))$, $H_3 = (h_i(3))$, $H_4 = (h_i(4))$, $H_5 = (h_i(5))$.

These sequences are now transmitted to the terminal where the request was made. It is now easy to reconstruct the plaintext by solving a simple equation system for each symbol. The equations are set up by assuming that the shares are generated from a polynomial of degree at most 2. For the first symbol in the plaintext sequence we write this polynomial as $h_1(x) = m_1 + l_1 x + n_1 x^2$. Let the share received from server 1 be $h_1(1) = 2$ (the first symbol in $H_1$) and the shares from the other servers $h_1(2) = 5$, $h_1(3) = 3$, $h_1(4) = 3$ and $h_1(5) = 5$. This gives the following equation system:

$$m_1 + l_1 \cdot 1 + n_1 \cdot 1^2 = 2$$
$$m_1 + l_1 \cdot 2 + n_1 \cdot 2^2 = 5$$
$$m_1 + l_1 \cdot 3 + n_1 \cdot 3^2 = 3$$
$$m_1 + l_1 \cdot 4 + n_1 \cdot 4^2 = 3$$
$$m_1 + l_1 \cdot 5 + n_1 \cdot 5^2 = 5$$

Solving this system gives us $m_1 = 1$. Continuing with the rest of the symbols we get $M' = (m'_i)$. When $M'$ is compared to the original plaintext message $M = (m_i)$ we see a result of using different fields for the encryption and for the secret sharing. The original plaintext was converted into a binary sequence, and in $M'$ we get 6s as well. If we change all 6s into 1s (since $6 \equiv -1 \pmod 7$ and $-1 \equiv 1 \pmod 2$) we get the original plaintext again, so in this special case it works in spite of the different fields. This is however not true in the general case, see section later in the text, so we should choose the secret sharing field with care. In practice the same field or an extension field should be chosen, since then there will not be any such problems. In this example any $GF(2^t)$ with $t \ge 3$ would have been a good choice for the secret sharing system.

4.4 Discussion

The example above shows that it is possible to distribute decryption of a stream cipher, but it also raises some questions that will be formulated here. We need to send the shares of the key sequence to every server. It would be nice to reduce this traffic. Since each server gets a sequence of symbols from GF(7), and every finite sequence can be generated from an LFSR, an idea would be to try to generate the shares locally at the servers. Then we would like these local generators to be short, and it should be enough to transmit shares of the initial state of the key generator to be able to generate these local shares. In order to accomplish this we need to solve the following problems: What is the length of the required LFSRs that can generate the sequences locally if secret sharing is done as above? Are there any limitations to the chosen fields for encryption or decryption?


Chapter 5 Multiparty Computations

This chapter explains how multiparty computations can be performed in a secure way. By this we mean that some group wants to compute a function where each member of the group has some input to the function that he/she wants to keep private. The scheme proposed will give the correct output while keeping the inputs private if enough of the group members are honest.

The idea of secure multiparty computations can be traced back to the late 1980s, eg [3, 9]. Many of the protocols constructed are based on Shamir's secret sharing scheme [32], where each group member shares his input with the others and then all of them compute a share of the answer and reveal this. Everyone can then calculate the answer from these shares.

Results from multiparty computations can be applied to our scenario from section where we want to distribute the decryption operation of a cipher. These results give information about which cryptographic functions can be distributed in this way.

5.1 Basic Operations

Following is a description of how addition and multiplication can be performed. Based on these two operations we can use multiparty computations to create distributed versions of most functions. The description here is based on Shamir's secret sharing scheme, but the results are valid for some other secret sharing schemes as well.

Suppose that two secrets $s_1$ and $s_2$ have been shared among the same group using two polynomials, f(x) and g(x), where $f(0) = s_1$ and $g(0) = s_2$. Shareholder i holds the shares $f(\alpha_i)$ and $g(\alpha_i)$. Then addition $s_0 = s_1 + s_2$ is straightforward. Just consider the polynomial $h(x) = f(x) + g(x)$. It is of degree $t-1$, the coefficients will be random since the coefficients of f(x), g(x) are randomly chosen, and for each i we have $h(\alpha_i) = f(\alpha_i) + g(\alpha_i)$, ie if each shareholder adds his two shares he will get a valid share of $s_0$. Multiplication with a known constant can be achieved in the same way, since if $p(x) = \lambda f(x)$ then $p(\alpha_i) = \lambda f(\alpha_i)$. Now we have the tools to handle linear functionals

$$F(x_0, \ldots, x_{n-1}) = a_0 x_0 + a_1 x_1 + \cdots + a_{n-1} x_{n-1},$$

where the $x_i$ are shared secrets and the $a_i$ are known constants.

When considering multiplication of two shared secrets there are two problems. Multiplying two polynomials of degree $t-1$ yields a polynomial of degree $2(t-1)$, and this means that we need $2t-1$ shares in order to reconstruct the answer. If $2t-1 > n$ this is not possible. The other problem is that the coefficients are no longer uncorrelated. Note that for distributed stream ciphers we do not need multiplications. Solutions to both problems are proposed in [3] and the scheme is as follows. First each group member receives the shares of $s_1$ and $s_2$ and multiplies them to get $h(\alpha_i) = f(\alpha_i) g(\alpha_i)$.

Uncorrelated coefficients can be achieved by a randomisation step where each shareholder does secret sharing of the value zero among the same group, ie shareholder i creates the polynomial

$$f_i(x) = 0 + a^{(i)}_1 x + a^{(i)}_2 x^2 + \cdots + a^{(i)}_{2(t-1)} x^{2(t-1)}$$

(degree $2(t-1)$ since this is the degree of h(x)) with random coefficients and sends shares to all group members including himself. Shareholder i thus receives the values $f_1(\alpha_i), f_2(\alpha_i), \ldots, f_n(\alpha_i)$. Each share can then be added to the original share, which means that the result will be a random polynomial of degree $2(t-1)$ with uncorrelated coefficients. Now shareholder i has

$$h'(\alpha_i) = h(\alpha_i) + f_1(\alpha_i) + f_2(\alpha_i) + \cdots + f_n(\alpha_i).$$

Degree reduction can be made by realising that matrix multiplication is an evaluation of n linear functionals. If we let $S = (s_0, \ldots, s_{n-1})$ be a vector consisting of the shares of $s_0$ created from the polynomial $h(x) = f(x)g(x) = h_0 + h_1 x + \cdots + h_{2t} x^{2t}$, then $s_i = h(\alpha_i)$. It is possible to create a new vector $R = (r_0, \ldots, r_{n-1})$ consisting of shares of $s_0$ created from a new polynomial $k(x) = k_0 + k_1 x + \cdots + k_t x^t$ with the property that $k_0 = h_0 = f(0)g(0) = s_1 s_2 = s_0 = r_0$. Let $A = B^{-1} P B$ be a constant matrix, where $B = (b_{i,j} = \alpha_j^i)$ is an $n \times n$ (Vandermonde) matrix and P is the linear projection $P(x_0, \ldots, x_{n-1}) = (x_0, \ldots, x_t, 0, \ldots, 0)$. Then $R = S A$ gives us the required transformation.
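An added example (not from the thesis) of the multiplication step above for a (5, 3) scheme in GF(7), with polynomials of degree t − 1 as in chapter 3: local products, re-randomisation with shared zeros, and the matrix A = B⁻¹PB. The matrix step is computed in one place here to check the algebra; in the protocol each r_j is a linear functional evaluated jointly by the group.

```python
"""Multiplying two Shamir-shared secrets in a (5, 3) scheme over GF(7): local products,
re-randomisation with shared zeros, and degree reduction with A = B^{-1} P B."""
import random

Q = 7
N, T = 5, 3                    # 2(t-1) = 4 <= n-1, so the product polynomial still fits n points
ALPHA = list(range(1, N + 1))  # alpha_j, the evaluation points of the n shareholders


def share_poly(secret, degree, rng, q=Q):
    """Shares at alpha_1..alpha_n of a random polynomial of the given degree, constant term = secret."""
    coeffs = [secret] + [rng.randrange(q) for _ in range(degree)]
    return [sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q for x in ALPHA]


def matmul(x, y, q=Q):
    """Matrix product over GF(q); a vector is a 1 x n matrix."""
    return [[sum(x[i][k] * y[k][j] for k in range(len(y))) % q
             for j in range(len(y[0]))] for i in range(len(x))]


def inverse_mod(matrix, q=Q):
    """Gauss-Jordan inverse of a square matrix over GF(q)."""
    n = len(matrix)
    a = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if a[r][col] % q)
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [v * inv % q for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(vr - f * vc) % q for vr, vc in zip(a[r], a[col])]
    return [row[n:] for row in a]


B = [[pow(a, i, Q) for a in ALPHA] for i in range(N)]             # b_{i,j} = alpha_j^i
P = [[int(i == j and i < T) for j in range(N)] for i in range(N)]  # keep coefficients 0..t-1
A = matmul(matmul(inverse_mod(B), P), B)                           # A = B^{-1} P B


def coefficients(shares, q=Q):
    """Coefficients of the unique polynomial of degree < n through the n share points: H = S B^{-1}."""
    return matmul([shares], inverse_mod(B), q)[0]


def multiply_shared(f_shares, g_shares, rng, q=Q):
    """Returns (product shares h, re-randomised shares h', degree-reduced shares R = S A)."""
    h = [(f * g) % q for f, g in zip(f_shares, g_shares)]             # h(alpha_i) = f(alpha_i) g(alpha_i)
    zeros = [share_poly(0, 2 * (T - 1), rng) for _ in range(N)]       # each member shares the value 0
    h_rand = [(h[i] + sum(z[i] for z in zeros)) % q for i in range(N)]  # h'(alpha_i)
    reduced = matmul([h_rand], A)[0]                                  # R = S A, computed centrally here
    return h, h_rand, reduced


def demo(s1=3, s2=5, seed=2):
    """Share s1 and s2, multiply, and show the coefficients of each intermediate polynomial."""
    rng = random.Random(seed)
    f = share_poly(s1, T - 1, rng)
    g = share_poly(s2, T - 1, rng)
    h, h_rand, reduced = multiply_shared(f, g, rng)
    return {"product_coeffs": coefficients(h), "randomised_coeffs": coefficients(h_rand),
            "reduced_coeffs": coefficients(reduced), "reduced_shares": reduced}


if __name__ == "__main__":
    print(demo())  # reduced_coeffs starts with 3*5 mod 7 = 1 and ends with two zeros
```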

Security in a multiparty computation means maintaining the correct output and keeping the inputs private. The security of a protocol is defined by the number and type of cheaters tolerated. Usually two types of adversaries are recognized:

1. Passive, which follow the protocol but pool their information and try to get additional information about the others' input.
2. Active, which can do as they like in order to disrupt the computation or get information.

A protocol is said to be t-private if it can tolerate up to t passive adversaries, and if it can tolerate up to t active adversaries it is called t-resilient. What do we mean by tolerate? For passive adversaries we mean that they cannot get any additional information except for what they hold together. For active adversaries we also require that the adversaries cannot change the outcome of the computation, ie all the honest members will get the same result. It has been shown that there exist protocols for multiparty computations that tolerate $t < n/2$ passive and $t < n/3$ active adversaries [3, 9, 19].

Chapter 6 Distributed Stream Ciphers

So far the tools needed to handle the problems regarding the construction of a distributed stream cipher, formulated in section 1.3, have been presented. The example in chapter 4 showed that it is possible to create a small working system when a simple stream cipher is used. In this chapter the theories presented in previous chapters will be connected and a more general theory on distributed stream ciphers will be presented.

Chapter 5 introduced multiparty computations and gave examples of how to do distributed addition and multiplication on shared secrets. In those examples, doing distributed multiplication required that the shareholders exchanged some information, while distributed addition was done without any communication between the shareholders. Avoiding intercommunication between the shareholders will simplify the system, and therefore the description here is restricted to additive, synchronous stream ciphers, as defined in chapter 2. In this chapter it is shown that for any stream cipher of this type, a distributed system can be created that is equivalent in the sense that it does the same decryption operation. Note that distributed encryption is done similarly and will not be discussed here.

After the general description a modification of secret sharing of sequences is presented that makes it possible to generate shares of the key sequence locally by each shareholder. This is followed by an example showing how Shamir's secret sharing scheme is affected by the modification.

6.1 General Description

As mentioned above this discussion is restricted to stream ciphers where encryption is done by adding a keystream to the plaintext. Decryption would then consist of subtracting the same keystream from the ciphertext. The security of such a system in a traditional (non-distributed) setting depends on the keystream generator. Here it is shown that given a keystream generator, a distributed system can be constructed that is equivalent in that it performs the same decryption operation. This is a generalisation of the example in chapter 4.

Let GEN(x) be a keystream generator, where x is a seed, generating symbols from GF(q). Let $K(x) = k_1, k_2, \ldots$ denote the generated keystream when seed x is used, and let $K_L(x)$ be the first L symbols in the keystream. Since the decryption operation used in this cipher is subtraction, a secret sharing scheme that is linear under addition will be used, ie a scheme where

$$\mathrm{SS}(\lambda a + \gamma b) \sim \lambda \mathrm{SS}(a) + \gamma \mathrm{SS}(b) \qquad (6.1)$$

for any secrets a, b and scalars $\lambda, \gamma$, where $\sim$ denotes equivalence of sharetuples as defined in chapter 3. In words, this means that if a shareholder adds his shares of the two secrets, he creates a valid share of the sum of the two secrets. Addition of sharetuples is done elementwise. Note that the auxiliary variable x used in chapter 3 (to provide the needed random values) has been dropped here to provide easier reading. This shorter notation will be used for the rest of the thesis. The variable is however needed when the function SS is evaluated.

Now, let $C = c_1, c_2, \ldots, c_r$ be a ciphertext that can be decrypted with the keystream $K_r(x)$, that is, $M = C - K_r(x)$ gives the plaintext. The distributed system is constructed by doing symbol by symbol secret sharing of the ciphertext and the keystream. This gives

$$\mathrm{SS}(C) = \mathrm{SS}(c_1), \mathrm{SS}(c_2), \ldots, \mathrm{SS}(c_r)$$

and

$$\mathrm{SS}(K_r(x)) = \mathrm{SS}(k_1), \mathrm{SS}(k_2), \ldots, \mathrm{SS}(k_r).$$

Using (6.1), the wanted result

$$\mathrm{SS}(M) = \mathrm{SS}(C - K_r(x)) \sim \mathrm{SS}(C) - \mathrm{SS}(K_r(x))$$

is reached when local computation by the shareholders gives $\mathrm{SS}(m_i) = \mathrm{SS}(c_i) - \mathrm{SS}(k_i)$ for $1 \le i \le r$. This result is valid for any keystream generator and for any secret sharing scheme that is linear under addition.

Limits on using Shamir's Secret Sharing Scheme

Shamir's secret sharing scheme builds on interpolation of polynomials in a finite field, GF(q). The size, q, of this field is chosen when the scheme is initiated. However, the size cannot be chosen freely. First, there must be at least as many elements in this field as there are possible secrets. Second, for an (n, t) scheme we also have the requirement that q > n, since each shareholder is associated with a distinct (non-zero) element of the field.

As discovered in the example in chapter 4, there can be problems if encryption is done in one field and decryption is done in another field. When using Shamir's secret sharing scheme as a base for distributed decryption we need to take this into account. Let p, q be prime numbers. Assume that encryption was done in GF(p) and that the shares created from the secret sharing scheme belong to GF(q), q > p. For which values of p and q can distributed decryption be done using this secret sharing scheme? The following lemma gives the answer. We represent the elements of GF(p) by the integers $0, 1, \ldots, p-1$, and the elements of GF(q) by the integers $0, 1, \ldots, q-1$. Remember that addition and subtraction in such fields is done modulo the size of the field.

Lemma 6.1. Let $m, k \in [0, p-1]$ and let $c = (m + k) \bmod p$. Now view c, k as elements in GF(q) and compute $m' = (c - k) \bmod q$. If and only if $q > 2p - 2$ there exists a unique mapping $f : GF(q) \to GF(p)$ such that $f(m') = m$ for all m, k.

Proof: What we need is that the mapping $g(m) = ((m + k) \bmod p - k) \bmod q = m'$ is injective (one to one). Then we know that for any fixed k there is only one m that gives $g(m) = m'$, and we can easily construct f so that $f(m') = m$. If g(m) is not one to one we get $g(m) = g(m_0) = m'$ for some m, $m_0$, and then we can never construct an f such that $f(g(m)) = m$ and $f(g(m_0)) = m_0$. This means that to prove the lemma it is enough to check when g(m) is one to one. If $m + k < p$ then $g(m) = m$, otherwise $g(m) = m - p + q$. For $m = 0$ it holds that $m + k < p$ for all k, but for $m > 0$ there is at least one k such that $m + k \ge p$. Then for $m \in [1, p-1]$ we have that $m - p + q \in [q - p + 1, q - 1]$, and if and only if these two intervals do not overlap, that is when $(q - p + 1) > (p - 1) \Leftrightarrow q > 2p - 2$, g(m) is one to one.

This result is valid when p and q are both prime. What happens if one or both of them are not prime? This remains to be analysed.
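An added check of Lemma 6.1 (not part of the thesis): brute-force the map g(m) for prime pairs (p, q) and compare the outcome with the condition q > 2p − 2. For p = 2, q = 7 it also produces the "change all 6s into 1s" correction used in chapter 4.

```python
"""Brute-force check of Lemma 6.1: encrypt in GF(p), subtract the key in GF(q)."""


def decrypt_in_other_field(m, k, p, q):
    """c = m + k in GF(p) (the cipher), then m' = c - k in GF(q) (the shareholders' field)."""
    c = (m + k) % p
    return (c - k) % q


def images(p, q):
    """For each plaintext symbol m, the set of values m' it can turn into over all keys k."""
    return {m: {decrypt_in_other_field(m, k, p, q) for k in range(p)} for m in range(p)}


def recovery_map_exists(p, q):
    """True iff some f: GF(q) -> GF(p) has f(m') = m for all m and k, i.e. no value m'
    arises from two different plaintext symbols (g is one to one in the proof's terms)."""
    origin = {}
    for m, values in images(p, q).items():
        for v in values:
            if origin.setdefault(v, m) != m:
                return False
    return True


def recovery_map(p, q):
    """The map f of the lemma as a dict; only well defined when recovery_map_exists(p, q)."""
    if not recovery_map_exists(p, q):
        raise ValueError(f"no unique map for p={p}, q={q}: q <= 2p - 2")
    return {v: m for m, values in images(p, q).items() for v in values}


def lemma_holds(primes):
    """Compare the brute-force answer with the condition q > 2p - 2 for all prime pairs q > p."""
    return all(recovery_map_exists(p, q) == (q > 2 * p - 2)
               for p in primes for q in primes if q > p)


if __name__ == "__main__":
    print(recovery_map(2, 7))          # {0: 0, 1: 1, 6: 1}: the "change all 6s into 1s" rule
    print(recovery_map_exists(5, 7))   # False, since 7 <= 2*5 - 2
    print(lemma_holds([2, 3, 5, 7, 11, 13, 17, 19, 23]))  # True
```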

6.2 Modified Secret Sharing of Sequences

In the general description given above, a long sequence of shares of the keystream needs to be transmitted to, and stored by, the shareholders. Here a modification is presented that makes it possible to use a linear feedback shift register (LFSR) to generate shares locally given the correct initial state.

Given a key sequence $K_r(x)$, the Berlekamp-Massey algorithm can be used to find an LFSR that generates the same sequence. Let $G(z) = 1 + g_1 z + g_2 z^2 + \cdots + g_L z^L$ be the feedback polynomial of an LFSR that can generate $K_r(x)$ from the initial state $I = K_L(x)$. Symbol by symbol secret sharing of the initial state gives $\mathrm{SS}(K_L(x)) = \mathrm{SS}(k_1), \mathrm{SS}(k_2), \ldots, \mathrm{SS}(k_L)$. The modified secret sharing scheme $\mathrm{SS}'$ for sequences is now constructed like this:

$$\mathrm{SS}'(K_r(x)) = \mathrm{SS}'(k_1), \mathrm{SS}'(k_2), \ldots, \mathrm{SS}'(k_r) \qquad (6.2)$$

where

$$\mathrm{SS}'(k_i) = \begin{cases} \mathrm{SS}(k_i) & \text{if } 1 \le i \le L \\ \sum_{j=1}^{L} g_j \, \mathrm{SS}'(k_{i-j}) & \text{if } i > L \end{cases} \qquad (6.3)$$

In words, secret sharing of the first L symbols in the sequence is done as normal, and then the resulting sharetuples are used to compute new tuples in a sequence according to the recursion corresponding to G(z). It holds that

$$\mathrm{SS}'(k_i) \sim \mathrm{SS}(k_i), \quad \forall i. \qquad (6.4)$$

This follows from the linearity of the secret sharing scheme, since each $\mathrm{SS}'(k_i)$ is constructed from a linear combination of valid sharetuples. For $i > L$

$$\mathrm{SS}(k_i) = \mathrm{SS}\Big(\sum_{j=1}^{L} g_j k_{i-j}\Big) = \sum_{j=1}^{L} g_j \, \mathrm{SS}(k_{i-j}), \qquad (6.5)$$

which when compared with (6.3) yields the desired result. They are identical recursion formulas, and with equivalent initial values they will produce equivalent sequences of sharetuples.

Note that if this modified secret sharing scheme is used, and if the shareholders are given the feedback polynomial G(z), only the first L sharetuples need to be distributed, since the others can be generated locally when needed. Each shareholder uses the shares in his possession as initial state in a linear feedback shift register with feedback polynomial G(z). Let $k^{(l)}_1, k^{(l)}_2, \ldots, k^{(l)}_L$ be the shares given to shareholder l. The shareholder computes the continuing sequence like this:

$$k^{(l)}_i = \sum_{j=1}^{L} g_j k^{(l)}_{i-j}.$$

In section 6.1 it was shown that a server that holds valid shares of the keystream and gets a corresponding sequence of shares of the ciphertext can construct valid shares of the plaintext. This is also true if the modified secret sharing scheme is used for sharing the key sequence, since the shares constructed by the modified scheme are equivalent to shares constructed by the original scheme.

The drawback of using a modified secret sharing scheme is that the shareholders will know the feedback polynomial that can generate the original sequence. An attacker that can control a shareholder has then gained an advantage, since knowledge of the feedback polynomial will reduce the number of key symbols needed to be able to break the system. The reduction will be a factor two compared to not knowing the feedback polynomial. When analysing ciphers it is however usually assumed that an attacker knows everything but the key about a cipher. Then this scheme has not given any new knowledge to the attacker.

A problem may arise if G(z) can be factorised. If $G(z) = G_1(z) G_2(z)$, where $G_1(z), G_2(z)$ are different irreducible polynomials, a sequence generated with G(z) can have any of three periods. Let $T_1, T_2$ be the periods of sequences generated with $G_1(z), G_2(z)$ respectively. Then the three possible periods will be $T_1$, $T_2$ and $T = T_1 T_2$. The actual period depends on the initial state. In the modified secret sharing scheme, the initial state given to each shareholder can be any of all possible initial states due to the randomness of the secret sharing scheme. Thus, a shareholder may generate a sequence with a shorter period than the original sequence. This would make it easier for an eavesdropper to mount an attack on the original system. If the modified scheme is used for secret sharing of the keystream in a distributed stream cipher, it will be important to make sure that this does not happen. This can be done in two ways. Either choose a keystream generator based on an LFSR with an irreducible feedback polynomial, or restrict the possible shares of the initial state to those that give the maximum period.

6.3 Example: Modified Secret Sharing of Sequences with Shamir's Scheme

Let $K = k_1, k_2, \ldots, k_r$ be a sequence consisting of symbols from GF(q). Symbol by symbol secret sharing of this sequence with an (n, t) threshold scheme by Shamir means that to each $k_i$ a polynomial $f_i(x)$ is randomly chosen among all polynomials with degree $t-1$ and $f_i(0) = k_i$. Evaluation of this polynomial gives a sharetuple $\tilde{k}_i = (f_i(1), f_i(2), \ldots, f_i(n))$. The modified scheme gives the sharetuple $\tilde{k}'_i = (\tilde{f}_i(1), \tilde{f}_i(2), \ldots, \tilde{f}_i(n))$, where

$$\tilde{f}_i(x) = \begin{cases} f_i(x) & \text{if } 1 \le i \le L \\ \sum_{j=1}^{L} g_j \tilde{f}_{i-j}(x) & \text{if } i > L \end{cases}$$

Shareholder j will be given the shares $\tilde{f}_1(j), \tilde{f}_2(j), \ldots, \tilde{f}_L(j)$ and computes his share of $k_i$, $i > L$, through

$$\tilde{f}_i(j) = \sum_{l=1}^{L} g_l \tilde{f}_{i-l}(j).$$

Since all the polynomials $f_i$ have the same degree, $t-1$, all $\tilde{f}_i$ will also have degree $t-1$. We also have that $\tilde{f}_i(0) = f_i(0) = k_i$. This means that to reconstruct the secret $k_i$, at least t elements of the sharetuple $\tilde{k}'_i$ must be collected. Thus the modified scheme is also an (n, t) threshold scheme.
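An added example (not the thesis's code) putting sections 4.2, 4.3 and 6.2, 6.3 together: a five-server distributed decryption where the key generator shares only the L initial-state symbols, each server generates its keystream shares locally with the recursion of G(z), and the terminal solves the equation system of section 4.3 for every symbol. Unlike chapter 4, cipher and secret sharing both use GF(7), as section 4.4 recommends; the feedback polynomial, initial state and message are constructed values.

```python
"""Distributed decryption of an additive stream cipher over GF(7): the key generator
shares only the LFSR initial state, and the servers generate keystream shares locally."""
import random

Q = 7         # one field for both cipher and secret sharing, as section 4.4 recommends
N, T = 5, 3   # five servers, any three of them can reconstruct
# Constructed feedback polynomial G(z) = 1 + 2z + 0z^2 + 3z^3, L = 3, with the
# recursion k_i = g_1 k_{i-1} + g_2 k_{i-2} + g_3 k_{i-3} (mod 7) of section 6.2.
G = [2, 0, 3]
PLAINTEXT = [1, 5, 0, 6, 2, 3, 4, 4, 1, 0]  # constructed message, symbols in GF(7)
KEY_STATE = [3, 1, 6]                       # constructed initial state I = K_L(x)


def lfsr(initial, length, g=G, q=Q):
    """Extend the first L symbols with k_i = sum_j g_j k_{i-j} (mod q)."""
    seq = list(initial)
    while len(seq) < length:
        seq.append(sum(gj * seq[-j] for j, gj in enumerate(g, start=1)) % q)
    return seq[:length]


def share(secret, rng, n=N, t=T, q=Q):
    """Shamir shares f(1), ..., f(n) of a random degree t-1 polynomial with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(q) for _ in range(t - 1)]
    return [sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q for x in range(1, n + 1)]


def solve_mod(rows, q=Q):
    """Gaussian elimination over GF(q) on an augmented square system [A | b]."""
    a = [list(r) for r in rows]
    n = len(a)
    for col in range(n):
        pivot = next(r for r in range(col, n) if a[r][col] % q)
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, q)
        a[col] = [v * inv % q for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(vr - f * vc) % q for vr, vc in zip(a[r], a[col])]
    return [a[r][n] for r in range(n)]


def reconstruct(points, t=T, q=Q):
    """Section 4.3: the t equations s + a_1 x + ... + a_{t-1} x^{t-1} = share, solved for s."""
    rows = [[pow(x, i, q) for i in range(t)] + [y] for x, y in points[:t]]
    return solve_mod(rows, q)[0]


def local_key_shares(key_state, length, rng):
    """Modified scheme SS': share the L initial symbols, then every server j runs the
    recursion on its own shares; returns one keystream-share sequence per server."""
    state_shares = [share(k, rng) for k in key_state]  # L sharetuples from the key generator
    return [lfsr([tup[j] for tup in state_shares], length) for j in range(N)]


def distributed_decrypt(plaintext, key_state, rng):
    """Key generator, database, servers and terminal; returns (keystream, ciphertext, recovered)."""
    r = len(plaintext)
    keystream = lfsr(key_state, r)
    ciphertext = [(m + k) % Q for m, k in zip(plaintext, keystream)]  # stored in the database
    key_shares = local_key_shares(key_state, r, rng)                  # generated at the servers
    ct_shares = [share(c, rng) for c in ciphertext]                   # database shares each symbol
    # Servers: subtract the key share sequence from the ciphertext share sequence, termwise.
    pt_shares = [[(ct_shares[i][j] - key_shares[j][i]) % Q for i in range(r)] for j in range(N)]
    # Terminal: any three servers' sequences suffice; solve one equation system per symbol.
    chosen = rng.sample(range(N), T)
    recovered = [reconstruct([(j + 1, pt_shares[j][i]) for j in chosen]) for i in range(r)]
    return keystream, ciphertext, recovered


def locally_generated_shares_are_valid(key_state, length, rng):
    """Eq. (6.4): every locally generated sharetuple reconstructs to the true k_i."""
    keystream = lfsr(key_state, length)
    key_shares = local_key_shares(key_state, length, rng)
    return all(reconstruct([(j + 1, key_shares[j][i]) for j in subset]) == keystream[i]
               for i in range(length) for subset in ((0, 1, 2), (1, 3, 4), (0, 2, 4)))


def demo(seed=1):
    """Run the whole exchange on the constructed message with a seeded random source."""
    rng = random.Random(seed)
    keystream, ciphertext, recovered = distributed_decrypt(PLAINTEXT, KEY_STATE, rng)
    valid = locally_generated_shares_are_valid(KEY_STATE, len(PLAINTEXT), rng)
    return {"keystream": keystream, "ciphertext": ciphertext, "recovered": recovered, "valid": valid}


if __name__ == "__main__":
    print(demo())  # recovered == PLAINTEXT and valid == True
```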

59 Chapter 7 Applications This chapter will present two ideas for possible applications. The first concerns tunneling in a virtual private network and the second is about creating a pseudo-public-key cipher from a distributed stream cipher. Note that these are only ideas. There might be other solutions available, maybe ever better than the ones presented here. 7.1 Joint Tunnel in a Virtual Private Network Consider a company that wants to give its employees the option to work from home and still have access to the company s network. A possible solution is then to establish a so called virtual private network (VPN) which can provide secure connections over the Internet between the employees home computers and the company s internal network. 47

A VPN has three basic functions:

- Packet encapsulation, which hides the internal addresses from anyone who listens to the transmission.
- Encryption, which hides the content of the transmission.
- Authentication, both of the sender's identity and of the contents' integrity.

Let the setting be as follows. The company uses a firewall to protect its network from unwanted traffic. This firewall will now be an active part of the VPN construction. This means that when a connection is established between an employee's home and a server within the company's network, see figure 7.1, the firewall will act as one end of a tunnel through the Internet to the employee's home. When the employee transmits data from his home, each packet will be encrypted and then placed as payload in a new packet with the destination address of the firewall. When this packet reaches the firewall it will be decrypted and the true destination will be revealed. The original packet is then passed on to this address within the company network. Transmission in the other direction is conducted similarly.

Figure 7.1 The basic setting: home computer, firewall, server.

Distributed VPN

In the description above the firewall is a weak spot. With a distributed tunnel this weakness can be avoided.

Figure 7.2 A system where multiple firewalls are used for creating a distributed cipher: home computer, several firewalls, server.

The idea is to use several connections to the internal network, each connection protected by a separate firewall, see figure 7.2. This distributes the transmissions so that breaking into one or maybe a few of these firewalls will not allow an attacker to read the contents of the transmission. This way a joint tunnel is created, which means that the transmission is distributed through secret sharing and the firewalls have to cooperate to complete the transmissions. From the home computer a message M is transmitted to a recipient on the internal network through the following steps:

1. Encrypt the message and get the ciphertext $C_1 = E_1(M)$.
2. Let $C_1$ be the payload of Packet A, addressed to the final recipient.
3. Encrypt Packet A to get $C_2 = E_2(\text{Packet A})$.
4. Use secret sharing to create $SS(C_2)$.
5. Place share $i$ in Packet $B_i$ and transmit it to firewall $i$.
6. Each firewall holds the decryption function $D_2 = E_2^{-1}$, decrypts the outer layer through distributed decryption and creates the shares $SS(\text{Packet A})$, which are passed on to an internal server that reconstructs the final address and delivers $E_1(M)$.

The result is a system where none of the firewalls is able to figure out who the final recipient is. The firewalls are also forced to cooperate to read the ciphertext $C_1$, since each of them only sees a share of $C_1$. In this scheme the server can be considered a weak spot, but since it is placed behind the firewalls it is protected from attacks from the Internet.

7.2 Pseudo-Public-Key Systems

Here a distributed decryption system is constructed which acts like a public key system. Consider the following scenario. A person called Bob wants, for some reason, to hide his address while still being able to receive messages. If Bob publishes an address to which messages can be sent, he risks giving away information about where he is. We assume that the number of people he expects to receive messages from is large and that he does not even know all of them. The idea here is to configure a set of web servers that will do distributed encryption of messages and transmit the constructed shares to some public web server with heavy traffic. Bob can construct a way to publish instructions on how to send messages to him, e.g. by leaving messages in chatrooms.

The instructions would contain a list of web servers and message formats, specifications of a secret sharing system and a description of how to handle the shares. Those who wish to send messages to Bob would do secret sharing of the plaintext and send each share to a web server according to the list mentioned above. The web servers have access to a share of the key stream, as in the general system described in chapter 6. They then add this share of the key stream to the share of the plaintext to create a share of the ciphertext. The resulting shares of the ciphertext are then published somewhere so that Bob can read them without being traced. This way he remains hidden and can still receive messages. If someone wishes to read the messages sent to Bob, first the ciphertext must be reconstructed and then the cipher must be broken so that the plaintext can be regained. This of course assumes that it is hard to collect enough shares of the plaintext, from the transmissions to the web servers, to be able to reconstruct the plaintext from them.


Chapter 8 Security Aspects

In this chapter some security aspects of distributed stream ciphers are analysed. First the general system described in section 6.1 is discussed, then the modified system of section 6.2 will be in focus. Both will be compared to a non-distributed version of the same stream cipher, which will be referred to as the original system. The security of the two distributed versions will be compared to the original system with respect to the attacks possible on that system. We will also discuss whether or not there are any new attacks possible when a distributed stream cipher is used.

The basic assumption when analysing ciphers is that the attacker knows the type of cipher that has been used. Usually it is possible for an attacker to find pieces of matching ciphertext-plaintext pairs. For the type of cipher used here this means that parts of the keystream are revealed. The security then depends on whether or not it is possible to predict the keystream after watching parts of it. In distributed stream ciphers we also have to consider the implications of knowing shares of the keystream.

Traditionally, ciphers are discussed in settings where the decryption machine is available to the intended recipients and where an eavesdropper can read the ciphertext and possibly introduce modifications. The type of cipher used here has no way of detecting changes to the

ciphertext. The settings where a distributed system can be attractive, e.g. the scenario described in chapter 1, differ from the traditional usage of ciphers in that the decryption machine is separated from the recipients. This introduces a new channel between the decryption machine and the recipient, which in turn could be eavesdropped. There is also a possibility for an attacker to break into the intermediate machine and from there control the transmissions.

Another difference in the distributed setting is that it is advantageous to work in GF(2^p), for p > 1, since there will otherwise be unnecessary overhead in the secret sharing scheme. (Recall that in Shamir's scheme the alphabet must be larger than the number of shares.)

8.1 The Original System

The original system placed in the setting shown in figure 8.1 (the same as in section 1.2.3), where decryption is done by the server, gives an attacker the following options:

1. Eavesdrop on the channel between Server and Terminal (channel B), which will reveal the plaintext directly.
2. Eavesdrop on channel A and guess pieces of the plaintext, which will give parts of the key sequence and maybe a way to identify the generator plus its initial seed.
3. Break into the decryption machine to get access to the key stream and the possibility to stop transmissions to the receiver.

Figure 8.1 The original stream cipher in the database scenario. Decryption is done by the server. (Database, channel A, Server, channel B, Terminal.)

There is not much to say about the first point. If an attacker is able to eavesdrop on channel B the plaintext will be exposed to him. The second point returns the analysis to the traditional security analysis of stream ciphers. The cipher is strong if the keystream generator produces good pseudo-random sequences. The third point will depend on the setup of that machine, but if there is a way for an attacker to break in, he will be in control of the key and will be able to stop or modify transmissions.

8.2 The General Distributed System

When the decryption machine is distributed, see figure 8.2, the scene changes in that there are now multiple channels between the database and the decryption machine. The attacker will need to do multiple parallel attacks to reach the same result as in the points mentioned in section 8.1 above.

Figure 8.2 Multiple servers used for distributed decryption in the database scenario. (Database, channels A1 to An, Servers 1 to n, channels B1 to Bn, Terminal.)

Assume that t is the size of the smallest trusted set in the access structure. The list of options now looks like this:

1. Eavesdrop on t or more channels on the terminal side (channels B1 to Bn) and then reconstruct the plaintext from the acquired shares.
2. Eavesdrop on t or more channels on the database side and then reconstruct the ciphertext from the shares found there.
3. Break into t or more servers and be able to reconstruct the keystream as well as disturb the transmission to the terminal.
4. Break into some (fewer than t) servers, which will give access to shares of the keystream and maybe the possibility to affect the reconstruction result at the terminal by providing bogus shares.
5. Eavesdrop on some (fewer than t) channels on the terminal side. This will result in some shares of the plaintext.
6. Eavesdrop on some (fewer than t) channels on the database side. This yields shares of the ciphertext.
7. Combinations of the above.

Viewed from the endpoints of the system this distributed system behaves, as was shown in section 6.1, exactly like the original system and thus has the same weaknesses, except that it will be harder to gain control of the decryption machine. The first three attacks here correspond to the three attacks on the original system. However, here the attacker needs to use some extra effort, since he needs to either listen to many channels or break into many servers.

Since each symbol in the keystream is shared independently of the others, the sequence of shares received by a shareholder will consist of random independent symbols. Many secret sharing schemes have the property that knowing a share does not give any information about the actual secret. Here this means that if a single shareholder is compromised, the attacker does not know anything more about the original keystream.

More advanced attackers will try to gain access to several shareholders' sequences of shares. Then the access structure of the secret sharing scheme becomes important. Assuming that the access structure is known to an attacker, the smallest trusted set will be of importance. For a perfect secret sharing scheme the attacker needs to collect shares corresponding to at least this minimal set. If the different shareholders are to be equally important, a threshold system must be used.

8.3 Modified Distribution

The modified system has the same security as the original system viewed from the endpoints. It differs from the general system in that less randomness is involved when generating the shares. Each shareholder will hold a generator and an initial state by which the sequence of shares can be generated. In the proposed system all shareholders will use identical generators, but different initial states. An attacker taking control of a shareholder will now have knowledge of the generator used for producing the shares. In fact this generator will also be able to generate the original keystream if the correct initial state is found. This attacker then has an advantage compared to an outsider who only eavesdrops. However, the attacker would have to take control of one of the shareholders to gain this knowledge, and this should not be easy. Usually it is also assumed that the keystream generator is publicly known, and then the attacker has not gained any new knowledge by taking control of a shareholder.


Chapter 9 Conclusions

In this thesis we have shown that it is possible to create distributed versions of additive stream ciphers. The description in section 6.1 relies on a linear secret sharing scheme but is not limited to threshold schemes. The reason to restrict ourselves to additive stream ciphers is that then no communication is needed between the shareholders. If communication between them is allowed, we can use results from general multiparty computation to create distributed versions of other stream ciphers. The problem of handling situations where a shareholder sends corrupted shares to the receiver has only briefly been discussed. A possible solution is to use so-called verifiable secret sharing [16].

In section 6.2, a modification of how to do secret sharing of sequences was proposed. In the modified scheme the shares of the sequence are generated locally by the shareholders. This scheme builds on the fact that it is possible to find a linear feedback shift register (LFSR) that can generate the original sequence [24]. Then it is enough to create shares of the initial state of this LFSR. Using the same LFSR, the shareholders can compute valid shares for the complete sequence from the shares of the initial state. The drawback is that all shareholders gain knowledge about the shortest feedback polynomial of an LFSR that can generate the original sequence. If a sequence of linear complexity L is shared using this scheme, an attacker who knows this structure can, after finding L symbols of the original sequence, reconstruct the full sequence. This can be compared to an outsider who needs to find 2L symbols before reconstruction can be done. Due to this drawback, it might be necessary to choose a key stream generator with a higher linear complexity than what is required in the original system. However, if the original key stream generator consists of a single LFSR, nothing new has been revealed, since the type of generator is assumed to be known to an attacker.

Some security aspects of distributed stream ciphers were discussed in chapter 8. The general and the modified versions of distributed stream ciphers were compared with a non-distributed version of the same cipher. The conclusion of that chapter is that the general distributed cipher does give improved security compared to the original system. The improvements are that it is harder to take control of the decryption machine, since an attacker needs to break into several servers, and that eavesdropping must be done on several channels, since only shares are transmitted. This means that the design goals of the system were achieved. The security of the modified system is affected by the drawback mentioned above, but taking control of the decryption machine is as hard as for the general scheme. A problem with this system is that the local generators are linear, and since high linear complexity is wanted when choosing the original keystream generator, these LFSRs will be very long. An improvement to the system would be to find alternative non-linear local generators. Is it possible to find an equivalent non-linear generator for a sequence generated by an LFSR? The Berlekamp-Massey algorithm solves the inverse of this problem.

In chapter 7 two possible applications for distributed ciphers were presented. In the first, a joint tunnel is created in a virtual private network and in the second, a system called a pseudo-public-key scheme is constructed. More applications can probably be found in mobile ad-hoc networks.

When considering future research, the following may be interesting to look into. Is it possible to create practical distributed versions of other classes of stream ciphers? Can a distributed block cipher be constructed that is practical to use? To succeed in constructing a distributed version of DES, a polynomial description of the S-boxes is probably needed.
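The L-versus-2L comparison drawn above, as an added example that is not part of the thesis: Massey's LFSR synthesis algorithm [24] over GF(7) with a constructed feedback (1, 0, 1). A shareholder who knows the feedback coefficients extends the keystream from L = 3 known symbols, whereas an outsider running Berlekamp-Massey on the same 3 symbols obtains a shorter register that predicts wrongly and only succeeds with 2L = 6 symbols.

```python
Q = 7             # symbols from GF(7); constructed for the demonstration
G = [1, 0, 1]     # feedback g_1, g_2, g_3 of the keystream LFSR, s_i = s_{i-1} + s_{i-3};
                  # in the modified scheme every shareholder knows it


def inv(a):
    """Multiplicative inverse in GF(Q), Q prime."""
    return pow(a % Q, Q - 2, Q)


def lfsr(state, g, length):
    """Extend state = (s_1, ..., s_L) to `length` symbols using s_i = sum_j g_j s_{i-j}."""
    seq = list(state)
    while len(seq) < length:
        seq.append(sum(gj * seq[-1 - j] for j, gj in enumerate(g)) % Q)
    return seq


def berlekamp_massey(s):
    """Massey's LFSR synthesis over GF(Q): the shortest register generating s.
    Returns (L, g) with s_i = sum_{j=1}^{L} g_j s_{i-j} for every i > L of s."""
    C, B = [1], [1]          # connection polynomials: s_n + C_1 s_{n-1} + ... + C_L s_{n-L} = 0
    L, m, b = 0, 1, 1        # register length, steps since last length change, last discrepancy
    for n, sn in enumerate(s):
        d = (sn + sum(C[i] * s[n - i] for i in range(1, L + 1))) % Q   # discrepancy
        if d == 0:
            m += 1
            continue
        T, coef = C[:], d * inv(b) % Q
        C += [0] * (len(B) + m - len(C))          # make room for the shifted B
        for i, bi in enumerate(B):
            C[i + m] = (C[i + m] - coef * bi) % Q
        if 2 * L <= n:                            # the register has to grow
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return L, [(-c) % Q for c in C[1:L + 1]]


def insider_vs_outsider(keystream, L):
    """Insider (a shareholder who knows G): extends the first L symbols with the known LFSR.
    Outsider: synthesises an LFSR from the first L, and then from the first 2L, symbols.
    Returns whether each of the three reconstructions equals the keystream, plus the
    register the outsider finds from 2L symbols."""
    insider = lfsr(keystream[:L], G, len(keystream))
    _, g_short = berlekamp_massey(keystream[:L])
    outsider_l = lfsr(keystream[:L], g_short, len(keystream))
    l_full, g_full = berlekamp_massey(keystream[:2 * L])
    outsider_2l = lfsr(keystream[:2 * L], g_full, len(keystream))
    return insider == keystream, outsider_l == keystream, outsider_2l == keystream, (l_full, g_full)


if __name__ == "__main__":
    ks = lfsr([2, 3, 5], G, 10)          # constructed keystream of linear complexity 3
    print(ks, insider_vs_outsider(ks, 3))
```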


Bibliography

[1] Advanced Encryption Standard (AES). FIPS Pub. 197, National Institute of Standards and Technology.
[2] H. Beker and F. Piper. Cipher Systems - The Protection of Communications. Northwood Press.
[3] M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In Proc. 20th ACM Symposium on the Theory of Computing (STOC), pages 1-10.
[4] M. Bertilsson. Linear Codes and Secret Sharing. PhD thesis, Linköping University.
[5] A. Biryukov, A. Shamir, and D. Wagner. Real time cryptanalysis of A5/1 on a PC. In Fast Software Encryption, volume 1978 of Lecture Notes in Computer Science, pages 1-18.
[6] G. R. Blakley. Safeguarding cryptographic keys. In Proc. AFIPS 1979 NCC, volume 48, June 1979.
[7] L. Brynielsson. On the linear complexity of combined shift register sequences. In Advances in Cryptology - Eurocrypt 85, volume 219 of Lecture Notes in Computer Science.
[8] R. M. Capocelli, A. De Santis, L. Gargano, and U. Vaccaro. On the size of shares for secret sharing schemes. In Advances in Cryptology - Crypto 91, volume 576 of Lecture Notes in Computer Science.
[9] D. Chaum, C. Crépeau, and I. Damgård. Multiparty unconditionally secure protocols. In Proc. 20th ACM Symposium on the Theory of Computing (STOC), pages 11-19.
[10] R. Cramer, I. Damgård, and U. Maurer. General secure multiparty computation from any linear secret-sharing scheme. In Advances in Cryptology - Eurocrypt 2000, volume 1807 of Lecture Notes in Computer Science.
[11] Data Encryption Standard (DES). FIPS Pub. 46-2, National Institute of Standards and Technology.
[12] Y. Desmedt. Society and group oriented cryptography: A new concept. In Advances in Cryptology - Crypto 87, volume 293 of Lecture Notes in Computer Science.
[13] Y. Desmedt. Some recent research aspects of threshold cryptography. In Information Security, First International Workshop ISW 97, volume 1196 of Lecture Notes in Computer Science.
[14] Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Advances in Cryptology - Crypto 89, volume 435 of Lecture Notes in Computer Science.
[15] Y. G. Desmedt. Threshold cryptography. European Transactions on Telecommunications, 5(4).
[16] R. Gennaro. Theory and Practice of Verifiable Secret Sharing. PhD thesis, Massachusetts Institute of Technology (MIT).
[17] S. W. Golomb. Shift Register Sequences. Holden-Day Inc.
[18] T. Herlestam. On functions of linear shift register sequences. In Advances in Cryptology - Eurocrypt 85, volume 219 of Lecture Notes in Computer Science.
[19] M. Hirt and U. Maurer. Complete characterization of adversaries tolerable in secure multi-party computation. In Proc. 16th ACM Symposium on Principles of Distributed Computing (PODC), 1997.
[20] T. Hwang. Cryptosystem for group oriented cryptography. In Advances in Cryptology - Eurocrypt 90, volume 473 of Lecture Notes in Computer Science.
[21] C. J. A. Jansen and D. Boekee. The shortest feedback shift register that can generate a sequence. In Advances in Cryptology - Crypto 89, volume 218 of Lecture Notes in Computer Science, pages 90-99.
[22] S. Jarecki. Efficient Threshold Cryptosystems. PhD thesis, Massachusetts Institute of Technology (MIT).
[23] X. Lai and J. L. Massey. A proposal for a new block encryption standard. In Advances in Cryptology - Eurocrypt 90, volume 473 of Lecture Notes in Computer Science.
[24] J. L. Massey. Shift register synthesis and BCH decoding. IEEE Transactions on Information Theory, IT-15(1), January.
[25] R. J. McEliece and D. V. Sarwate. On sharing secrets and Reed-Solomon codes. Communications of the ACM, 24(9), September.
[26] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press.
[27] I. S. Reed and G. Solomon. Polynomial codes over certain finite fields. SIAM Journal of Applied Mathematics.
[28] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2).
[29] M. Robshaw. Stream ciphers. Technical Report TR-701, RSA Labs, July.
[30] R. A. Rueppel. Analysis and Design of Stream Ciphers. Springer-Verlag.
[31] B. Schneier. Applied Cryptography. John Wiley & Sons, 1996.
[32] A. Shamir. How to share a secret. Communications of the ACM, 22(11), November.
[33] S. Singh. The Code Book. Fourth Estate, London.
[34] W. Stallings. Cryptography and Network Security - Principles and Practice. Prentice-Hall, 2nd edition.
[35] H. C. A. van Tilborg. An Introduction to Cryptology. Kluwer Academic Publishers, 1988.


Cryptography Introduction

Cryptography Introduction Cryptography Introduction What Is Cryptography? We generally think of it as encrypting and decrypting. What Is Cryptography? We generally think of it as encrypting and decrypting. I have a secret and I

More information

Group Authentication Using The Naccache-Stern Public-Key Cryptosystem

Group Authentication Using The Naccache-Stern Public-Key Cryptosystem Group Authentication Using The Naccache-Stern Public-Key Cryptosystem Scott Guthery sguthery@mobile-mind.com Abstract A group authentication protocol authenticates pre-defined groups of individuals such

More information

FPGA Implementation of WG Stream Cipher

FPGA Implementation of WG Stream Cipher FPGA Implementation of WG Stream Cipher Anna Johnson Assistant Professor,ECE Department, Jyothi Engineering College,Thrissur Abstract Cryptography is the technique of providing security to a network. The

More information

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database

More information

Cryptography BITS F463 S.K. Sahay

Cryptography BITS F463 S.K. Sahay Cryptography BITS F463 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa S.K. Sahay Cryptography 1 Terminology Cryptography: science of secret writing with the goal of hiding the meaning of a message.

More information

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS

More information

Syrvey on block ciphers

Syrvey on block ciphers Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source

More information

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng 1 Outline Basic concepts in cryptography systems Secret key cryptography Public key cryptography Hash functions 2 Encryption/Decryption

More information

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC. Encryption Providing Perfect Secrecy Presented at Calgary Unix Users Group. November 27, 2001 by: Mario Forcinito, PEng, PhD With many thanks to Prof. Aiden Bruen from the Mathematics Department, University

More information

1 Achieving IND-CPA security

1 Achieving IND-CPA security ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces

More information

Practical Aspects of Modern Cryptography

Practical Aspects of Modern Cryptography Practical Aspects of Modern Cryptography Lecture 3: Symmetric s and Hash Functions Josh Benaloh & Brian LaMacchia Meet Alice and Bob Alice Bob Message Modern Symmetric s Setup: Alice wants to send a private

More information

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P)) CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption

More information

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Chapter 3 Traditional Symmetric-Key Ciphers 3.1 Chapter 3 Traditional Symmetric-Key Ciphers 3.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 3 Objectives To define the terms and the concepts of symmetric

More information

LECTURE 4: Cryptography

LECTURE 4: Cryptography CSC 519 Information Security LECTURE 4: Cryptography Dr. Esam A. Alwagait alwagait@ksu.edu.sa Recap form previous Lecture We discussed more symmetric encryption. Books? Security Engineering, Ross Anderson

More information

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

More information

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015 L2. An Introduction to Classical Cryptosystems Rocky K. C. Chang, 23 January 2015 This and the next set of slides 2 Outline Components of a cryptosystem Some modular arithmetic Some classical ciphers Shift

More information

Lecture 1 Applied Cryptography (Part 1)

Lecture 1 Applied Cryptography (Part 1) Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication

More information

Encryption. INST 346, Section 0201 April 3, 2018

Encryption. INST 346, Section 0201 April 3, 2018 Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:

More information

CSCE 813 Internet Security Symmetric Cryptography

CSCE 813 Internet Security Symmetric Cryptography CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability

More information

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L CS 3461/5461: Introduction to Computer Networking and Internet Technologies Network Security Study: 21.1 21.5 Kannan Srinivasan 11-27-2012 Security Attacks, Services and Mechanisms Security Attack: Any

More information

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean: A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms. Zero Knowledge Protocols 3. Each statement is derived via the derivation rules.

More information

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16) Zero Knowledge Protocols c Eli Biham - May 3, 2005 442 Zero Knowledge Protocols (16) A Mathematical Proof When referring to a proof in logic we usually mean: 1. A sequence of statements. 2. Based on axioms.

More information

What did we talk about last time? Public key cryptography A little number theory

What did we talk about last time? Public key cryptography A little number theory Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive

More information

Computational Security, Stream and Block Cipher Functions

Computational Security, Stream and Block Cipher Functions Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for

More information

Public-Key Cryptanalysis

Public-Key Cryptanalysis http://www.di.ens.fr/ pnguyen INRIA and École normale supérieure, Paris, France MPRI, 2010 Outline 1 Introduction Asymmetric Cryptology Course Overview 2 Textbook RSA 3 Euclid s Algorithm Applications

More information

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers Cryptography Basics IT443 Network Security Administration Slides courtesy of Bo Sheng Basic concepts in cryptography systems Secret cryptography Public cryptography 1 2 Encryption/Decryption Cryptanalysis

More information

A Proposed Method for Cryptography using Random Key and Rotation of Text

A Proposed Method for Cryptography using Random Key and Rotation of Text Volume 6, No.2, March - April 2017 Mousumi Ghanti et al., International Journal of Advanced Trends in Computer Science and Engineering, 6(2), March - April 2017, 18-22 Available Online at http://www.warse.org/ijatcse/static/pdf/file/ijatcse03622017.pdf

More information

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?

Other Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key? ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should

More information

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa ICT 6541 Applied Cryptography Hossen Asiful Mustafa Basic Communication Alice talking to Bob Alice Bob 2 Eavesdropping Eve listening the conversation Alice Bob 3 Secure Communication Eve listening the

More information

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper

More information

MITOCW watch?v=zlohv4xq_ti

MITOCW watch?v=zlohv4xq_ti MITOCW watch?v=zlohv4xq_ti The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high-quality educational resources for free. To

More information

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015 Distributed Systems 26. Cryptographic Systems: An Introduction Paul Krzyzanowski Rutgers University Fall 2015 1 Cryptography Security Cryptography may be a component of a secure system Adding cryptography

More information

Cryptography. Seminar report. Submitted in partial fulfillment of the requirement for the award of degree. Of Computer Science

Cryptography. Seminar report.  Submitted in partial fulfillment of the requirement for the award of degree. Of Computer Science www.studymafia.org A Seminar report on Cryptography Submitted in partial fulfillment of the requirement for the award of degree Of Computer Science SUBMITTED TO: SUBMITTED BY: www.studymafia.com www.studymafia.com

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 2 Cryptographic Tools First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Cryptographic Tools cryptographic algorithms

More information

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline CSC/ECE 574 Computer and Network Security Topic 2. Introduction to Cryptography 1 Outline Basic Crypto Concepts and Definitions Some Early (Breakable) Cryptosystems Key Issues 2 Basic Concepts and Definitions

More information

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet. Substitution Ciphers, continued 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet. Non-periodic case: Running key substitution ciphers use a known text (in a standard

More information

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS

CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS CUBE-TYPE ALGEBRAIC ATTACKS ON WIRELESS ENCRYPTION PROTOCOLS George W. Dinolt, James Bret Michael, Nikolaos Petrakos, Pantelimon Stanica Short-range (Bluetooth) and to so extent medium-range (WiFi) wireless

More information

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50 Advanced Encryption Standard and Modes of Operation Foundations of Cryptography - AES pp. 1 / 50 AES Advanced Encryption Standard (AES) is a symmetric cryptographic algorithm AES has been originally requested

More information

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext CRYPTOLOGY CRYPTOGRAPHY KEY MANAGEMENT CRYPTANALYSIS Cryptanalytic Brute-Force Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext 58 Types of Cryptographic Private key (Symmetric) Public

More information

EEC-682/782 Computer Networks I

EEC-682/782 Computer Networks I EEC-682/782 Computer Networks I Lecture 23 Wenbing Zhao wenbingz@gmail.com http://academic.csuohio.edu/zhao_w/teaching/eec682.htm (Lecture nodes are based on materials supplied by Dr. Louise Moser at UCSB

More information

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who 1 The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does

More information

Computer Security CS 526

Computer Security CS 526 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability

More information

Secure Multiparty Computation

Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 February 5, 2013 CPSC 467b, Lecture 7 1/45 Stream cipher from block cipher Review of OFB and CFB chaining modes Extending chaining

More information

Cryptography: More Primitives

Cryptography: More Primitives Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital

More information

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)

More information

Chapter 9. Public Key Cryptography, RSA And Key Management

Chapter 9. Public Key Cryptography, RSA And Key Management Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on

More information

Public-key encipherment concept

Public-key encipherment concept Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

Applied Cryptography and Computer Security CSE 664 Spring 2018

Applied Cryptography and Computer Security CSE 664 Spring 2018 Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know

More information

Content of this part

Content of this part UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 4 The Advanced Encryption Standard (AES) Israel Koren ECE597/697 Koren Part.4.1

More information

Cryptography and Network Security. Sixth Edition by William Stallings

Cryptography and Network Security. Sixth Edition by William Stallings Cryptography and Network Security Sixth Edition by William Stallings Chapter 9 Public Key Cryptography and RSA Misconceptions Concerning Public-Key Encryption Public-key encryption is more secure from

More information

Midterm Exam. CS381-Cryptography. October 30, 2014

Midterm Exam. CS381-Cryptography. October 30, 2014 Midterm Exam CS381-Cryptography October 30, 2014 Useful Items denotes exclusive-or, applied either to individual bits or to sequences of bits. The same operation in Python is denoted ˆ. 2 10 10 3 = 1000,

More information

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Algorithms (III) Yijia Chen Shanghai Jiaotong University Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the

More information

2 What does it mean that a crypto system is secure?

2 What does it mean that a crypto system is secure? Cryptography Written by: Marius Zimand Notes: On the notion of security 1 The One-time Pad cryptosystem The one-time pad cryptosystem was introduced by Vernam and Mauborgne in 1919 (for more details about

More information

Cryptography Lesson Plan

Cryptography Lesson Plan Cryptography Lesson Plan Overview - Cryptography Summary There is a large amount of sensitive information being stored on computers and transmitted between computers today, including account passwords,

More information

CS408 Cryptography & Internet Security

CS408 Cryptography & Internet Security CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php

More information

Distributed Systems. Lecture 14: Security. Distributed Systems 1

Distributed Systems. Lecture 14: Security. Distributed Systems 1 06-06798 Distributed Systems Lecture 14: Security Distributed Systems 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can

More information

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL)) Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote

More information

International Journal of Scientific & Engineering Research Volume 9, Issue 5, May ISSN

International Journal of Scientific & Engineering Research Volume 9, Issue 5, May ISSN International Journal of Scientific & Engineering Research Volume 9, Issue 5, May2018 2014 ISSN 22295518 McEliece in RADG using Diffie Hellman Security System Zahraa Naseer 1,* 1,**, and Salah Albermany0F

More information

Cryptology complementary. Symmetric modes of operation

Cryptology complementary. Symmetric modes of operation Cryptology complementary Symmetric modes of operation Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 05 03 Symmetric modes 2018 05 03

More information

Distributed Systems. Lecture 14: Security. 5 March,

Distributed Systems. Lecture 14: Security. 5 March, 06-06798 Distributed Systems Lecture 14: Security 5 March, 2002 1 What is security? policies and mechanisms threats and attacks Overview Security of electronic transactions secure channels authentication

More information