SECRET SHARING / SECRET SPLITTING
Clemens H. Cap, Universität Rostock, clemens.cap (at) uni-rostock (dot) de
BaSoTI 2012, Tartu
Anecdotal Problem
- Trent wants to give Alice and Bob access to the safe
- Trent does not trust one of them alone
- Trent wants to split the access key K:
  Alice alone or Bob alone have NO information
  Alice and Bob together have the COMPLETE information
Solution:
- Trent generates a random bit string R
- Trent gives A = R + K to Alice and B = R to Bob (+ is bitwise XOR)
- Alice and Bob regenerate the key by A + B
- Alone, both only have random noise
Secret Splitting with n participants
More general problem: more than 2 participants
- Trent can split a key into n parts A_1, ..., A_n
- A_1, ..., A_{n-1} are random
- A_n = K + A_1 + ... + A_{n-1}
- A single participant gets no information
- Only all participants together can reconstruct the key
Problem: What if one participant loses their part?
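The n-participant XOR splitting described above, as an added Python example (not code from the slides): n-1 parts are random, the last part is the key XORed with all of them, and only the complete set of parts yields the key. The sample key is constructed for the demonstration.

```python
import secrets

def split_xor(key, n):
    """n-of-n splitting: A_1..A_{n-1} random, A_n = K XOR A_1 XOR ... XOR A_{n-1}."""
    if n < 2:
        raise ValueError("need at least two participants")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for part in parts:
        last = bytes(a ^ b for a, b in zip(last, part))
    parts.append(last)
    return parts

def combine_xor(parts):
    """XOR of all given parts; with every part present this is K again,
    with any part missing it is uniformly random noise."""
    acc = bytes(len(parts[0]))
    for part in parts:
        if len(part) != len(acc):
            raise ValueError("all parts must have the key's length")
        acc = bytes(a ^ b for a, b in zip(acc, part))
    return acc

# Constructed sample key for the demo; a real key comes from secrets.token_bytes(16).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
```

With n = 2 this is exactly Trent's scheme: parts[0] is R and parts[1] is R + K.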
Threshold Schemes
- A (k, n) threshold scheme splits a secret S into n parts
- k or more parts allow a reconstruction of the secret
- Less than k parts do not allow a reconstruction
- Some shares may be lost without problem
- A threshold scheme is called perfect if less than k parts provide no information at all on the secret
- Note: must be proved mathematically! Parts do not increase the chances of guessing the secret.
HOW TO SHARE A SECRET? SHAMIR THRESHOLD SCHEME
Will use a finite field and not real numbers!
We will design similar forms of coding:
- Example 1: Use several blocks of secrets (optional: block chaining)
- Example 2: Use hybrid schemes
Example secret: "We the People of the United States, in Order to form a more perfect Union"
Figure (Shamir scheme, step by step; only the step captions survive):
- Arbitrary polynomial of degree 6
- Pick 9 points
- Forget polynomial and secret
- Arbitrary 7 points allow reconstruction of the poly of degree 6
- Arbitrary 7 points allow reconstruction of the poly and of the corresponding secret
(k,n) threshold scheme
Construct shares:
1. Pick the point (0, S)
2. Draw a random poly of degree k-1 through this point
3. Pick n points with x different from 0
Reconstruct the secret:
1. From k points construct the poly of degree k-1
2. Use the Lagrange interpolation formula for this
3. Evaluate the poly at x = 0
Verifiable Secret Sharing
- Assumption thus far: the dealer of the secret is trusted
- Problem: the dealer might be cheating
- In a (3,7) scheme: A, B and C meet and construct secret X; C, D and E meet and construct secret Y with Y different from X
- Obviously: someone is cheating. Is this C? Or B? Or has it been the dealer?
- Share holders want to check whether the dealer was cheating
- Verify: any k shares lead to the same secret
- But: should not reconstruct the secret for this purpose
- Need: zero knowledge proof of correctness
Proactive Secret Sharing: Share Refreshment (1)
Problem:
- One participant loses his laptop
- Another participant loses his USB stick
- A threshold scheme of (3,9) is in use
- If another participant loses the shares we are insecure
Idea:
- Modify all shares according to an update protocol
- Destroy the old shares
- The 2 lost shares are of no value to the attacker any more
Proactive Secret Sharing: Share Refreshment (2)
Diverse scenarios studied in the literature:
- E.g.: assumption that some share holders are liars
- E.g.: assumption that the distributor of the secret is a liar; this will confuse the share holders since they cannot reconstruct a single, consistent secret
- Many different (and complicated) protocols
One possibility: redistribute a fresh set of shares
New possibility: use an update protocol
- Do not distribute shares again but use a protocol which modifies the existing shares
- Also helps preparing different applications
Proactive Secret Sharing: Update Protocol
Idea: use a polynomial with value P(0) = 0 at x = 0
- The secret is not modified
- The shares are modified
- The original dealer constructs such a polynomial and sends each participant its value at that participant's x
- Participants add it to their share and destroy the old share
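The (k,n) construction and reconstruction from the scheme slide, plus the P(0) = 0 share refreshment above, as one added Python example (not code from the slides). It works in the prime field GF(P) with the Mersenne prime P = 2^61 - 1, a choice made here for the demo; shares are points at x = 1..n, and reconstruction is Lagrange interpolation evaluated directly at x = 0.

```python
import secrets

P = 2**61 - 1  # Mersenne prime: all arithmetic is in the finite field GF(P), not the reals

def eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod P; coeffs[0] is the value at x = 0."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def make_shares(secret, k, n):
    """(k,n) scheme: random degree-(k-1) polynomial through (0, secret), sampled at x = 1..n."""
    if not (0 <= secret < P and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(points):
    """Lagrange interpolation over GF(P), evaluated at x = 0 without building the polynomial."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P        # factor (0 - xj)
                den = den * (xi - xj) % P    # factor (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse of den
    return total

def refresh(shares, k):
    """Proactive update: every holder adds the value of a fresh random polynomial Q with Q(0) = 0,
    so the secret is unchanged while every individual share changes."""
    update = [0] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, (y + eval_poly(update, x)) % P) for x, y in shares]
```

After a refresh, old shares no longer combine with new ones: two old shares plus one new share of a (3,n) scheme reconstruct garbage, which is why the lost shares become worthless.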
More General Access Schemes
Problem: access to the safe for any 3 employees, or for the boss plus 1 employee
Solution: threshold scheme with threshold of 3; the boss gets two shares
So called weighted threshold scheme
General access schemes
- P is a set of persons, e.g. P = {A, B, C, D}
- An access scheme S is a set of sets of persons who are allowed to access the safe, e.g. S = { {A, B}, {C, D} }
- Obvious requirement: every superset of a set in a scheme is in the scheme
- So the S from above is rather: S = { {A, B}, {C, D}, {A, B, C}, {A, B, D}, {A, B, C, D}, {A, C, D}, {B, C, D} }
- Or: the S from above generates this S
Example: Access scheme which cannot be realized as a weighted threshold
S = { {A, B}, {C, D} }
- Assume a threshold scheme with threshold k
- Participants have a, b, c, d shares
- Assume a ≥ b and c ≥ d (otherwise rename the variables)
- a + b ≥ k and c + d ≥ k due to the scheme
- a + a ≥ a + b ≥ k, so 2a ≥ k and a ≥ k/2
- Similarly show c ≥ k/2
- Thus a + c ≥ k/2 + k/2 = k
- Thus {A, C} may access the safe: contradiction to the scheme
Can we realize this scheme at all?
Yes, and even with a threshold scheme, provided we not only look at share numbers but distribute shares intelligently by reusing the shares
I.e.: one share is distributed to more than one person
Assume a (4,4) scheme with shares e, f, g, h and provide:
- A with e, g
- B with f, h
- C with e, f
- D with g, h
{A, B} and {C, D} can access, but {A, C} or {A, D} or {B, C} or {B, D} cannot
Does this work in general?
Yes, and we will look at another example
Access scheme is { {A, B, D}, {A, C, D}, {B, C} }
1. Write down the access function ABD + ACD + BC
   - Think of * as "and" and of + as "or"
   - With appropriate settings of A, B, C, D: the function is true exactly on the correct access structures
2. Write down the dual access function (A+B+D)(A+C+D)(B+C)
   - Simplify by multiplication
   - Simplify using idempotence: AA = A
   - Simplify using dominance: ABC + BC = BC
   - Get AB + AC + BC + BD + CD
Does this work in general? (2)
3. Derive the dual access (DA) scheme from the dual access function AB + AC + BC + BD + CD
   It is: { {A, B}, {A, C}, {B, C}, {B, D}, {C, D} }
4. Take the complement of the sets in the DA scheme
   It is: { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }
   This is the complemental dual access (CDA) scheme
Scheme was { {A, B, D}, {A, C, D}, {B, C} }: the sets in the scheme are the minimal allowed sets of persons
CDA scheme is { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }: the sets in the CDA scheme are the maximal not-allowed sets
Interpretation of duality
Scheme: { {A, B, D}, {A, C, D}, {B, C} }
CDA scheme: { {C, D}, {B, D}, {A, D}, {A, C}, {A, B} }
- {C, D} is not allowed
- Adding a single additional person removes this property (check this for A and for B!)
- This means: maximal sets of not-allowed persons
Does this work in general? (3)
5. Construct the cumulation matrix
   - Rows: the persons
   - Cols: the sets of the dual scheme (each equals a share)
   - Entry: a 1 if the row-person is part of the col-set

   Shares       S1  S2  S3  S4  S5
   Dual scheme  CD  BD  BC  AC  AB
   A             0   0   0   1   1
   B             0   1   1   0   1
   C             1   0   1   1   0
   D             1   1   0   0   0
Does this work in general? (4)
6. The solution is given by the following share distribution
   A: S4, S5
   B: S2, S3, S5
   C: S1, S3, S4
   D: S1, S2
   where S1, S2, S3, S4, S5 are shares of a (5,5) scheme
Check:
- {A, B, D} and {A, C, D} and {B, C} allowed
- {C, D} and {B, D} and {A, D} and {A, C} and {A, B} not allowed
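Steps 1 to 6 of the cumulative construction, as an added Python example (not code from the slides): it expands the dual access function, keeps the minimal products, forms the CDA scheme, builds the cumulation matrix as share holdings over an (m,m) scheme, and then checks every group of persons against the access scheme. The access scheme and person names are the slides' own; the code also handles the earlier { {A, B}, {C, D} } example, where it reproduces the (4,4) distribution.

```python
from itertools import combinations, product

# Minimal qualified sets of the slide's access scheme (taken from the text).
PERSONS = ("A", "B", "C", "D")
ACCESS = [frozenset("ABD"), frozenset("ACD"), frozenset("BC")]

def minimal(sets):
    """Drop every set that strictly contains another: idempotence and dominance on the slide."""
    return {s for s in sets if not any(t < s for t in sets)}

def dual_scheme(access):
    """Expand (A+B+D)(A+C+D)(B+C): one person from each clause, then keep the minimal products."""
    return minimal({frozenset(choice) for choice in product(*access)})

def cda_scheme(access, persons=PERSONS):
    """Complemental dual access scheme: complements of the dual sets = maximal not-allowed sets."""
    return {frozenset(persons) - s for s in dual_scheme(access)}

def distribute(access, persons=PERSONS):
    """Cumulation matrix: share j belongs to dual set j and goes to every person in that set.
    Returns (m, {person: set of share indices}); the m shares form an (m,m) threshold scheme."""
    dual = sorted(dual_scheme(access), key=sorted)
    holdings = {p: {j for j, s in enumerate(dual) if p in s} for p in persons}
    return len(dual), holdings

def can_open(group, holdings, m):
    """With an (m,m) scheme a group opens the safe iff together it holds all m shares."""
    return set().union(*(holdings[p] for p in group)) == set(range(m))

def allowed(group, access):
    """A group is allowed iff it contains one of the minimal qualified sets."""
    return any(s <= frozenset(group) for s in access)

def check(access=ACCESS, persons=PERSONS):
    """True iff the cumulative distribution realises exactly the access scheme, for every group."""
    m, holdings = distribute(access, persons)
    return all(can_open(g, holdings, m) == allowed(g, access)
               for r in range(len(persons) + 1) for g in combinations(persons, r))
```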
HOW TO SECURELY STORE A FILE?
Requirements
Encryption:
- Problem: need key(s) to view
- Problem: a single crypto scheme may be broken (RSA, if the quantum computer works)
- Needs trusted hardware (compare: rootkit attack on TrueCrypt)
Backup: no single point of failure / crash
Management: no need to coordinate backup
Deniable: I can deny using such a scheme
Solution: How to Securely Store a File?
Initially: split a document into n shares; can tolerate some insecurity in shares
Distribute: over disc, discs, network, cloud
Reconstruct: need k shares out of n; need trusted hardware for reconstruction!
Attack: less than k shares give 0 bit of the doc
Backup: may lose n - k shares
Solution: How to Securely Store a File?
Distributed security:
- Several trusted friends, not all compromised at the same time
- Several trusted discs, rotating them in a fixed scheme
- Kind of "advanced secure distributed RAID"
Example of a Rotation Scheme
- Have 5 discs and use a (2,3) threshold scheme
- 1 site: always has 3 discs
- 2 off-site stores: always have 1 disc each
- Daily rotation
- Site: has the files (2 out of 3); refreshes the third upon swap-in
- Off-site: destroy one of the 3 places, still secure
- Need 2 rotations after a write to reach this situation
Option: Add 2 Symmetric Keys As One Time Pads
- Use a Micro SD card with 8 GB of random garbage; enough to protect against a brute force attack
- Blow up to 32 TB of pseudorandom garbage using AES; enough to protect a digital lifetime
- Use 2 types of them as cryptographic ignition key
- Remove 1 to be secure
- Keep backups (they contain only random garbage)
The problem of deniability (1)
Problem 1: Explain why you use encryption! Explain why you have a file with random data!
Problem 2: Be tortured until you decrypt!
Solution 1: Steganography: nobody sees you using encryption
Solution 2: Recoding pad: I just stored mild_secret; nobody knows that in reality I store big_secret = mild_secret + recoding_pad
- Problem: how to deny the use of recoding_pad
- Solution: hide recoding_pad (noise) in an error-coded document
The problem of deniability (2)
Solution 3: Multiple layers of encryption
- Issue: is there still another layer?
- Twist: Alice: "Until now, Mallory does not know that I use several layers of encryption. If she finds out, torture will not end, for yet the next layer. I cannot prove the number of encryption layers. So it is easier not to tell her in the beginning."
Solution 4: Deniable encryption
- dec(k1, cipher) = harmless_plaintext
- dec(k2, cipher) = harmful_plaintext
- Obvious: works with a one-time pad
- Less obvious: there are also asymmetric, short-key algorithms!
http://www.thinkgeek.com/gadgets/security/b308/ https://tahoe-lafs.org/
WHAT ABOUT THE TRUSTED HARDWARE?
- iPhone is a completely insecure spy device
- Blackberry gives away the decryption keys
- Android claims to be Open Source but only within certain limits (backdoors, app kill switch)
- No-name systems have flaws that are not known
- The only trusted solution is a completely open system
HOW NOT TO SEND EMAIL
Figure: "Trusted" mail system. Alice sends to Bob through a mailbox at a mail provider or mail server, a single node that holds the mail.
Figure: Alice, Provider 1, Provider 2, Bob. The labels Decrypt and Encrypt sit at the Provider 1 / Provider 2 boundary: encryption is hop-by-hop, so the providers handle the mail in the clear.
HOW TO SEND EMAIL USING SECRET SHARING
Results
- Mail never gets stored at a single node
- End-to-end encryption ensures privacy even when all share holders collude
- No (easy) way of tracking who communicates with whom
How to collect your email
- Searching in small world networks
- Collisions in random walks on structured graphs
- TOR hidden service location mechanism
- Using distributed hash tables and P2P search mechanisms
- Others
- Node 010 011 wants to find node 101 111: 0 bit prefix match
- 010 011 knows a node 1** *** in its routing table; let us say this is node 100 001
- Node 100 001 wants to find 101 111: 1 bit prefix match, even a 2 bit prefix match (10*)
- 100 001 knows a node 101 *** in its routing table; let us say this is 101 000
- Node 101 000 wants to find 101 111: 3 bit prefix match
- 101 000 knows a node 101 1** in its routing table
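The prefix-matching lookup walked through above, as an added Python example (not code from the slides): the routing tables are constructed for the four node ids in the walk-through plus a few filler entries, in the style of prefix-routing DHTs, and the greedy rule forwards to the table entry sharing the longest prefix with the target, so every hop strictly lengthens the match.

```python
def common_prefix(a, b):
    """Number of leading bits that two id strings share."""
    n = 0
    while n < len(a) and n < len(b) and a[n] == b[n]:
        n += 1
    return n

# Constructed routing tables keyed by the prefix an entry covers: each entry shares
# that prefix with the owner and then differs in the next bit.  Only the ids from
# the slide's walk-through are real; the other entries are filler for the demo.
TABLES = {
    "010011": {"1": "100001", "00": "001010", "011": "011100"},
    "100001": {"0": "010011", "11": "110101", "101": "101000"},
    "101000": {"0": "010011", "11": "110101", "100": "100001", "1011": "101111"},
    "101111": {"0": "010011", "11": "110101", "100": "100001", "1010": "101000"},
}

def next_hop(node, target):
    """Pick the table entry whose id shares a strictly longer prefix with the target,
    or None if the table cannot improve on the current match."""
    best, best_len = None, common_prefix(node, target)
    for candidate in TABLES[node].values():
        length = common_prefix(candidate, target)
        if length > best_len:
            best, best_len = candidate, length
    return best

def route(src, target, max_hops=10):
    """Greedy prefix routing; returns the list of visited node ids, src first."""
    path = [src]
    while path[-1] != target:
        hop = next_hop(path[-1], target)
        if hop is None or len(path) > max_hops:
            raise RuntimeError("no route from %s to %s" % (src, target))
        path.append(hop)
    return path

def match_lengths(path, target):
    """Prefix match of each node on the path with the target: 0, 2, 3, 6 for the slide's walk."""
    return [common_prefix(n, target) for n in path]
```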