Using Commutative Encryption to Share a Secret

Similar documents
Algorithms (III) Yu Yu. Shanghai Jiaotong University

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Public Key Cryptography and the RSA Cryptosystem

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Algorithms (III) Yijia Chen Shanghai Jiaotong University

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Secure Multiparty Computation

Lecture 3 Algorithms with numbers (cont.)

Uzzah and the Ark of the Covenant

Overview. Public Key Algorithms I

Chapter 9. Public Key Cryptography, RSA And Key Management

A SIGNATURE ALGORITHM BASED ON DLP AND COMPUTING SQUARE ROOTS

Public Key Cryptography

Topics. Number Theory Review. Public Key Cryptography

1. Diffie-Hellman Key Exchange

Key Management and Distribution

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Chapter 9 Public Key Cryptography. WANG YANG

Public Key Algorithms

CPSC 467b: Cryptography and Computer Security

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

Public Key Algorithms

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Key Exchange. Secure Software Systems

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem

CS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Number Theory and RSA Public-Key Encryption

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

An overview and Cryptographic Challenges of RSA Bhawana

Cryptography and Network Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl. Chapter 6 Introduction to Public-Key Cryptography

Lecture 10, Zero Knowledge Proofs, Secure Computation

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Other Topics in Cryptography. Truong Tuan Anh

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Chapter 10 : Private-Key Management and the Public-Key Revolution

Digital Multi Signature Schemes Premalatha A Grandhi

Math236 Discrete Maths with Applications

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Secure Multiparty Computation

Introduction to Cryptography Lecture 7

Zero Knowledge Protocol

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

Public-key encipherment concept

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture IV : Cryptography, Fundamentals

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Introduction to Cryptography Lecture 7

Public-key Cryptography: Theory and Practice

Cryptography V: Digital Signatures

Lecture 1: Perfect Security

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Cryptography V: Digital Signatures

Introduction to Modern Cryptography. Benny Chor

CPSC 467: Cryptography and Computer Security

Lecture 2 Applied Cryptography (Part 2)

What did we talk about last time? Public key cryptography A little number theory

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Advanced Topics in Cryptography

The Beta Cryptosystem

CSC/ECE 774 Advanced Network Security

Authenticated Key Agreement without Subgroup Element Verification

COIN FLIPPING BY TELEPHONE

Public Key Algorithms

Authentication Part IV NOTE: Part IV includes all of Part III!

CSC 474/574 Information Systems Security

Introduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information

RSA (algorithm) History

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Key Agreement. Guilin Wang. School of Computer Science, University of Birmingham

The Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall

Blum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator

An Overview of Secure Multiparty Computation

Kurose & Ross, Chapters (5 th ed.)

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who

CS669 Network Security

Cryptography III Want to make a billion dollars? Just factor this one number!

Channel Coding and Cryptography Part II: Introduction to Cryptography

Lecture 6: Overview of Public-Key Cryptography and RSA

Implementation and Benchmarking of Elliptic Curve Cryptography Algorithms

A Simple User Authentication Scheme for Grid Computing

CS 161 Computer Security

1.264 Lecture 28. Cryptography: Asymmetric keys

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

CS 161 Computer Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CPSC 467b: Cryptography and Computer Security

This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest

1 Identification protocols

Password. authentication through passwords

CS Computer Networks 1: Authentication

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Transcription:

Using Commutative Encryption to Share a Secret Saied Hosseini Khayat August 18, 2008 Abstract It is shown how to use commutative encryption to share a secret. Suppose Alice wants to share a secret with Bob such that Bob cannot decrypt the secret unless a group of trustees agree. It is assumed that Alice, Bob and the trustees communicate over insecure channels. This paper presents a scheme that uses modular exponentiation and does not require key exchange. The security of the scheme rest of the difficulty of the discrete logarithm problem. Key words: secret sharing, commutative cryptography. 1 Introduction Suppose Alice has a secret (e.g., a bank password) and wants to share it securely with Bob such that Bob cannot decrypt the secret without the consent of a group of trustees. In addition, consider the following assumptions: 1. Alice, Bob and the trustees can communicate only over insecure public channels. 2. The secret is not to be revealed to the trustees, nor to anyone but Bob. 3. The involved parties can be trusted in following a prescribed protocol. The above problem can arise in commercial, corporate or military settings, and can be solved by means of the well-known secret sharing schemes (as described in Section 4), such as the Shamir threshold scheme [4]. In those schemes, the shareholders must pool their shares securely in order to unlock the secret. If the parties are remotely located, that normally requires a key exchange before execution of the protocol. In a distributed application, avoiding the hassle of secure key distribution prior to a secret sharing scheme is a worthwhile goal. In this paper, we show how a commutative encryption function, such as the modular exponentiation operation, can be used to create a keyless scheme that solves the stated problem. The security of this scheme rests on the intractability of the discrete logarithm problem. This paper is organized as follows: Section 2 describes the key idea of this paper. In Section 3, our proposed scheme is presented and its correctness and security is shown. In Section 4, the merits of the proposed scheme are discussed, and in the last section, the contribution of the paper is summarized. Electrical Engineering Department, Ferdowsi University of Mashhad, Iran. Email: shk@alum.wustl.edu 1

2 Key Idea This paper presents a secret sharing scheme that is inspired by Shamir s keyless secret communication [3, pp.500], which utilizes the commutative property of modular exponentiation. The idea, however, works with any commutative encryption function meeting certain conditions. Shamir in [5] explored the power of commutativity in cryptography. References [1] and [2], respectively, use commutative cryptography for information sharing across databases, and for privacy in distributed data mining. The topic has received much recent fundamental consideration in [6]. In our proposed scheme, commutativity plays an important role: it allows the secret owner to undo her encryption after the trusted parties have encrypted the secret. It also allows the trusted parties to join or leave the group in any order without the sharing procedure having to be restarted. Definition 1 Let M be denote a message space and K denote a key space. A commutative encryption function is a family of bijections f : M K M such that for a given m M we have f a f b (m) = f b f a (m), for any a, b K. It is an easy exercise to show that modular exponentiation under certain conditions is a commutative encryption function. Fact 1 Fix a prime p. Define f a (m) def = m a (mod p). Let m Z p and a Z p 1, such that gcd(a, p 1) = 1. Then a) f a (m) is a bijection. Proof: There exists b Z p 1 such that f b f a (m) = m. This is easily seen as follows: Given that a Z p 1 and gcd(a, p 1) = 1, we can find b Z p 1 (using the extended Euclid algorithm) such that ab = 1 (mod p 1). As a result: f b f a (m) = m ab (mod p) = m 1+k(p 1) (mod p) = m, where we have used the Fermat s theorem (if m Z p, then m (p 1) = 1 (mod p)). b) f a (m) is commutative. Proof: For all positive integers a, b, m, we have f a f b (m) = m ab (mod p) = f b f a (m). The above fact is the key to the correctness of our keyless secret sharing scheme. 3 Proposed Scheme 3.1 Description The proposed algorithm uses the assumption that a large prime p has been made publicly known to all (even adversaries). The prime can be made part of a technical standard for this type of applications and then be published to the world. As a result, the prime p is assumed to be accessible to everyone in an authenticated way. In what follows, for convenience, the secret owner (Alice) is denoted by P 0. The trustees are denoted by P 1, P 2,, P n 1. Finally, P n denotes the recipient of the secret (Bob). We also use the word lock to mean encrypt. 2

Our protocol has three phases: (1) Setup, (2) Locking, and (3) Unlocking. The phases are described as follows: Setup: A large prime p made public. A secret s Z p owned by party P 0. Each party P i, for i = 0, 1,, n, has his/her own private key pair (a i, b i ) such that a i, b i Z p, gcd(a i, p 1) = 1, and a i b i = 1 (mod p 1). Locking: In this phase, the secret is locked by all parties in a cascaded manner, in the following way: 1. The secret owner, P 0 (Alice), locks the secret s by doing c 0 = s a0 (mod p), and then sends c 0 to P 1. 2. For i = 1, 2,, n 1, the party P i locks the secret by doing c i = c ai i 1 then sends the secret c i to P i+1. (mod p), and 3. P n locks the secret by doing c n = c an n 1 (mod p), and then sends c n to P 0. 4. The secret owner P 0 now removes her lock from the secret. The result is the shared secret s = c b0 n (mod p). She sends s to P n (Bob). Unlocking: In this phase, the secret is first unlocked by all trustees (one after another in an arbitrary order), and then in last step by P n, in the following way: 1. P n sets d i = s and sends d i to a trustee P i, i {1, 2,, n 1}. 2. Each trustee P i, in {P 1, P 2,, P n 1 } (in an arbitrary sequential order), removes his lock from the shared secret by doing d bi i (mod p), and then sends the result to the next trustee. The last trustee in {P 1, P 2,, P n 1 } removes his lock from the shared secret and sends the result to P n. 3. At this point, P n unlocks the secret by doing s = d bn n (mod p). Since at this point no one has locked the secret s. Bob (P n ) finds out the secret. The execution of the above protocol results in the transfer of a secret from a secret owner to a second party under unanimous consent of a group of trustees, in a distributed way. 3.2 Correctness The correctness of the scheme can be easily established by using Fact 1, as follows: At the end of a locking phase, the shared secret s is s = s a0a1a2 anb0 (mod p) = s a1a2 an (mod p), and at the end of the unlocking phase we have: s (b1b2 bn) (mod p) = s (a1a2 an)(b1b2 bn) (mod p) = s. As can be seen, the commutativity of modular exponentiation makes the order of unlocking operations unimportant. The secret s at the end is obtained by P n. 3.3 Security The security of the scheme rests on the computational difficulty of discrete logarithm problem (DLP). An adversary may pursue one of the following goals in breaking the scheme: 3

Total break: He finds out the secret, thereby bypassing the unanimous consent requirement altogether. Partial break: He finds out the private keys (a i or equivalently b i ) of one or more of the parties. This enables him to play the part of some trustees, stealing their right to consent. The following arguments can establish the security of the scheme: a) In the first locking hop, from P 0 to P 1, the secret owner has locked the secret s (c 0 = s a0 mod p) before sending it to P 1. Note that the adversary has two unknowns to search for: a 0 and s. The private keys are chosen from a huge space (a i, b i Z p ), therefore an exhaustive search is infeasible. The adversary has no way of guessing s without knowing a 0. b) In the subsequent hops, the adversary can eavesdrop and read c i 1 in transit from P i 1 to P i, and he can read c i in transit from P i to P i+1. To find out a i, the adversary has to solve a DLP (c i = c ai i 1 mod p), which is infeasible. If he succeeds, he could then compute b i, which is one of the keys necessary for unlocking the shared secret s. He has to solve DLP for all hops in order to obtain all b i s. On the other hand, if the adversary determines any of the b i s, he can take the role of the corresponding parties and conspire for unauthorized unlocking of the secret. Since solving DLP is computationally hard, the above possibilities are vanishingly improbable. c) In the last locking hop, s is sent to P n. The adversary now knows c n and s. But again he has to solve a DLP (s = c b0 n mod p) in order to find out b 0. e) The same type of arguments are valid in the unlocking phase: The shared secret is always locked by at least one party when in transit. f) There is a nonzero possibility that the private keys are by chance selected such that a 0 a 1 = 1 (mod p 1), or a 0 a 1 a 2 = 1 (mod p 1), or = a 0 a 1 a n = 1 (mod p 1) This will result in having c i = s for some i. In that case, the secret s is exposed in transit from P i to P i+1. However, given the fact that the keys must be chosen from a huge space, the probability of any of the above events is vanishingly small. Therefore, the security of the scheme was shown to rely on DLP, as claimed in the introduction. 4 Discussion The proposed scheme has several merits. a) It requires no keys private or public to be exchanged prior to the protocol. This is the main advantage of this scheme because otherwise the same goal (i.e., transfer of a secret under group consent) can be achieved using the well-known secret sharing schemes such as Shamir s, in the following way: 4

Alice uses the secret to produce as many shares as there are trustees. Then she encrypts all shares with the same private key K and sends the encrypted shares to her trustees. She also sends K to Bob. When Bob needs to unlock the secret, and when all the trustees agree, the trustees will send the encrypted shares to Bob. He then decrypts all the shares and uses the associated pooling algorithm to calculate the secret. In the above protocol, the channel from Alice to Bob needs to be either private-key encrypted, or public-key encrypted. The scheme proposed in this paper requires only authenticated channels to make sure the adversary cannot impersonate a party to take part in the protocol. (An adversary s attempt to modify messages in transit is not a concern here because that can easily be detected at the end if the secret is given a special structure.) b) The group of trustees can be dynamic, i.e., trusted parties may join or leave the group without a need to restart the scheme. The commutative property of modular exponentiation allows one to lock or unlock the secret independent of others. The shared secret s needs to be sent to the party who is joining (leaving) so that he can lock (unlock) it in exactly the same way as the other parties. c) The security of the scheme relies upon the DLP which is believed to be more difficult than factoring. As a result, the scheme is expected to be more secure than a scheme using, for example, the Shamir threshold scheme together with RSA (for the private link between Alice and Bob). d) Choosing who will receive the secret (i.e. choosing who will play Bob) can be delayed until after the locking phase. In that case, the recipient can be chosen from amongst the people we call trustees. The scheme remains essentially unchanged. 5 Conclusion It was shown how to use the commutative property of the modular exponentiation operation to transfer a secret securely from one party to another under unanimous consent of a group of trustees. The main advantage of the proposed scheme is the lack of requirement for a preexchanged key. The scheme is expected to offer good security because it relies on the discrete logarithm problem. References [1] Agrawal, R., Evfimievski, A., and Srikant, R., Information sharing across private databases, International Conference on Management of Data (ACM SIGMOD), ACM Press, 2003. [2] Clifton, C., Kantarcioglu, M., Vaidya, J., Lin, X., and Zhu, M. Y. Tools for privacy preserving distributed data mining, SIGKDD Explorations 4, 2, January 2003. [3] Menezes, A., Oorschot, P., Vanstone, S., Handbook of Applied Cryptography, CRC Press, 1997. [4] Shamir, A., How to Share a Secret, Communications of The ACM, Vol. 22, No. 11, November 1979. 5

[5] Shamir, A., On the Power of Commutativity in Cryptography, ICALP80, July 1980. [6] Weis, Stephen A., New Foundations for Efficient Authentication, Commutative Cryptography, and Private Disjointness Testing, MIT PhD Dissertation, May 2006. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback