Secret Sharing - Hebrew University of Jerusalemns/SS.doc · Web viewSecret Sharing – Lecture Notes 1 1 Motivation 3 2 Shamir’s Secret Sharing [Shamir 1979] 4 2.1 The Sharing Protocol

An advance course in computer and network securityDr. Dahlia MalkhiThe Hebrew University of Jerusalem Secret Sharing 11/9/02

Secret Sharing – Lecture Notes

SECRET SHARING – LECTURE NOTES............................................................1

1 MOTIVATION..................................................................................................3

2 SHAMIR’S SECRET SHARING [SHAMIR 1979]...........................................4

2.1 The Sharing Protocol.........................................................................................................................4

2.2 The Reconstruction Protocol.............................................................................................................5

2.3 Properties Of Shamir’s Secret Sharing............................................................................................6

3 VSS - VERIFIABLE SECRET SHARING........................................................7

3.1 VSS: Interactive Proof [Benaloh 1986].............................................................................................83.1.1 Trusted Shareholders, Untrusted Dealer..............................................................................................83.1.2 Untrusted Shareholders, Untrusted Dealer..........................................................................................93.1.3 Disadvantages Of Interactive Proofs.................................................................................................10

3.2 VSS: Non Interactive Proof [Feldman 1987].................................................................................103.2.1 An Example Using Diffie-Hellman Encryption................................................................................11

4 PRO-ACTIVE SECRET SHARING...............................................................12

4.1 Pro-Active Model Requirements.....................................................................................................13

4.2 Basic Share Renewal Protocol.........................................................................................................13

4.3 Share Renewal Protocol In The Presence Of Active Attackers...................................................14

4.4 Detection Of Corrupted Shares.......................................................................................................15

4.5 Reconstruction Of Lost/Corrupted Shares....................................................................................16

5 PUBLIUS [WALDMAN, RUBIN, CRANOR 2000]........................................17

5.1 Publius Properties............................................................................................................................17

5.2 Publish Protocol................................................................................................................................17

5.3 Retrieve Protocol..............................................................................................................................18

5.4 Share Corruption..............................................................................................................................18

Lectures 1-3 1/22


5.5 Delete.................................................................................................................................................19

5.6 Update................................................................................................................................................19

6 QUESTIONS.................................................................................................21

6.1 MOED A 2002 Question 1...............................................................................................................21

6.2 Problem-Set 1: Question Number 1................................................................................................22



Lectures 1-3 2/22


1 MotivationA well-known principle in the analog world is the term reduced trust, meaning that in order to keep a secret, the less knowledge or power each entity has, the better. This is the basic philosophy, and we shall study how it is implemented in the digital world as well.

Consider the following problems:

In some situations, there is usually one secret key that provides access to many important files. If such a key is lost (e.g., the person who knows the key becomes unavailable, or the computer which stores the key is destroyed), then all the important files become inaccessible. The question one may ask is how to back up secret information, so that it does not depend on one authority only.

While performing the encryption procedure, a certain key needs to be stored; as we want to ensure that no single entity is entrusted with too much knowledge or power, the question now, is how to ensure that the key will not be exploited by the authority holding it.

Following are a few examples for using reduced trust:

Key Escrow / Key Backup – divide the secret key into pieces and distribute the pieces to different persons so that certain subsets of the persons can get together to recover the key. Key escrow may also be (mis)used for law enforcement: For example, in 1991 the U.S. government tried to enforce a new standard for communication encryption: the government would have half of the encryption key and another authority would have the other half. In order to reconstruct the secret a court order would be needed. This standard was eventually broken.

Secure Storage – divide data into several data-segments, so in order to

reconstruct the whole data, several segments are required. For example, the data is a file named X and its data segments are X1, X2, X3, so their XOR would reconstruct X. Of course, this method achieves perfect security, however, we need all the three segments in order to reconstruct the file.

Collective Control - A joint calculation of Key manipulation functions. A major drawback of Public Key Cryptography1 is the dominance of a certain authority, therefore we wish to allow several authorities to participate in the creation of keys, distributing them, signing them etc.

1 Also called Asymmetric Cryptography, where each user has 2 keys: a Public Key, which is known to all, and a Private Key, which is kept secret.

Lectures 1-3 3/22


Cryptographic Primitives – A joint calculation of many cryptographic primitives, such as electronic voting, agreement protocols, SMPC (Secure Multi Party Computation), etc.

2 Shamir’s Secret Sharing [Shamir 1979]Shamir's secret sharing scheme is a threshold scheme based on polynomial interpolation.It allows a dealer D to distribute a secret value s to n players, such that at least players are required to reconstruct the secret. The protocol is information theoretically secure, i.e., any fewer than t players cannot gain any information about the secret by themselves.

2.1 The Sharing Protocol

Goal: To share the secret s among players such that t players are required to reconstruct the secret.

Lectures 1-3 4/22


1. Dealer D creates a random polynomial f(x) of degree t-1 and constant term s.

This polynomial is constructed over a finite field, such that the coefficient a0 is the secret s and all other coefficients are random elements in the field; the field is known to all participants.

2. Dealer D publicly chooses n random distinct evaluation points: Xj 0, and secretly distributes to each player Pj the share ), j=1…n. (Remark: The evaluation point Xj could be any publicly known value, therefore for our convenience, we assume , hence the shares are denoted as

)

2.2 The Reconstruction Protocol

Goal: To reconstruct the secret from each subset of t shares out of n shares. Without loss of generality we will mark this subset:

1. Use Lagrange interpolation to find the unique polynomial f(x) such that and for j=1,2,..t

2. Reconstruct the secret to be f(0).

Interpolation Property: Given t pairs of , with i’s all distinct, there is a unique polynomial f(X) of degree t-1, passing through all the points. This polynomial can be effectively computed from the pairs .

Lagrange interpolation:

where Li(X) is the Lagrange polynomial:

which has value 1 at Xi, and 0 at every other Xj. Note: in the following sections the terms shareholder and server can be interchanged.

Lectures 1-3 5/22

f(x) = a0 + a1 x + + at-1 xt-1


Graphic-representation of a degree-2 polynomial and its shares.

figure 1 Shamir’s secret sharing scheme

2.3 Properties Of Shamir’s Secret Sharing

1. Perfect Security – information theoretic security. Given any t shares, the polynomial is uniquely determined and hence the secret a0 can be computed. However, given t-1 or fewer shares, the secret can be any element in the field and thus those shares do not supply any further information regarding the secret.

2. Ideal – Each share is exactly the same size as the secret.

3. Extendable – additional shares may easily be created, simply by calculating the polynomial in additional points.

4. Flexible – can assign different weights (by the number of shares) to different authorities.

5. Homomorphic2 property – Shamir’s secret sharing scheme has the (+,+) homomorphism property. For example, assume there are two secrets: S, T; are both hidden using Shamir’s secret sharing scheme. Their corresponding shares are: which define the polynomial f(X), and which define the polynomial g(X). Assume further that each i’th shareholder sums: ( ); then each of these sums is itself a share of

2 We say that F has the homomorphism property if: F(x1, x2,.. ,xn)+ F(y1, y2,.. ,yn) = F(x1*y1, x2*y2,… ,xn*yn)

Lectures 1-3 6/22


the sum of the secrets S+T, in other words, the polynomial that those shares define is , and therefore .

6. Efficient Distributed Mechanism For Arithmetic Calculations – for example multiplication by a constant: every shareholder will multiply his/her share by the constant.

3 VSS - Verifiable Secret Sharing

In the previous scheme we assumed that the Dealer is reliable, however, a misbehaving dealer can deal inconsistent shares to the participants, from which they will not be able to reconstruct a secret. To prevent such malicious behavior of the dealer, one needs to implement a protocol through which a consistent dealing can be verified by the recipients of shares. The problem of verifiable secret sharing is to convince shareholders that their shares (collectively) are ,t-Consistent, meaning that every subset of t shares out of n (that the Dealer distributed) defines the same secret. It is easy to see that in Shamir’s scheme, the distributed shares are t-Consistent if and only if the interpolation of the points

yields a polynomial of degree at most t-1.Of course if the shareholders would transfer their shares, they could easily confirm consistency, however this would contradict the purpose of the secret sharing scheme.

There are two versions of verifiable secret sharing protocols: Interactive proofs and non Interactive proofs. Both versions allow the validity of secret shares to be verified without their being revealed; a shareholder can obtain high confidence that he/she holds a valid share of the secret rather than a useless random number.

The protocols use the following property:

If the sum of two polynomials is of degree at most t-1, then either both are of degree at most t-1 or both are of degree greater than t-1.

A simple, but incorrect, solution might be:

The Dealer will choose an additional random polynomial of degree t-1 : p(x).

The Dealer will prove that p(x) is of degree t-1.

The Dealer will prove that the sum of the secret polynomial: f(x) with the random polynomial: p(x), is of degree t-1 .

However, the drawback here is that the Dealer reveals p(x) and the sum of , hence we can determine f(x) and reveal the secret.

Lectures 1-3 7/22


3.1 VSS: Interactive Proof [Benaloh 1986]

We will introduce two different interactive proofs for VSS. In the first protocol we assume that the shareholders do not cheat. In the second protocol we do not assume that.

3.1.1 Trusted Shareholders, Untrusted Dealer The protocol is as follows:

1. The Dealer uses Shamir’s secret sharing scheme for a secret s: creates f(x), in which , and distributes the shares: one for each participant.

2. The Dealer chooses many (say 100) random polynomial of degree t-1: .

The Dealer commits himself to the polynomials by distributing to every i‘th shareholder 100 shares, one of each polynomial: .

3. The shareholders choose 50 random indices from [1..100], say {j1,..j50}, and ask the Dealer to reveal the polynomials: . (The distributed algorithm for the selection of the indices is beyond the scope of this document).

4. The Dealer reveals the polynomials in the chosen subset. We assume that all the shareholders receive the same polynomials (There are mechanisms, outside the scope of this document, by which reliable broadcast by a dealer may be enforced).

5. The shareholders verify that the distributed shares of the revealed polynomials define polynomials of degree t-1.

As for now, the Dealer proved, with high probability, that all the shares of all the polynomials: define polynomials of degree t-1.

6. The Dealer reveals , where are the remaining indices.

7. The shareholders verify that are of degree t-1 and correspond to their own shares, e.g. the i’th shareholder verifies, using the homomorphic property, that (simply by summing his corresponding shares) equals to in the i’th coordinate (by substituting the i’th coordinate in the revealed polynomials’ sum) for all .

Lectures 1-3 8/22


But the question that one may ask is what if a conflict occurs? we cannot determine who is cheating: the Dealer or one of the shareholders.

3.1.2 Untrusted Shareholders, Untrusted Dealer

Here there is no assumption on the honesty of either the Dealer or the shareholders. The idea is simple: the Dealer will commit by encryption. Instead of delivering the shares (of the 100 random polynomials) to every shareholder, the Dealer will encrypt all the shares and then distribute them all. There are two additional requirements that the protocol below requires:

The encryption algorithm should have the homomorphic property:

An example for an encryption algorithm that complies with this property is the Diffie-Hellman3 encryption.

The Dealer should use a secure broadcast while publishing the encrypted shares. (A detailed protocol for a secure broadcast is beyond the scope of this document).

The protocol is as follows:

1. The Dealer uses Shamir’s secret sharing scheme for a secret s: creates f(x), in which , and distributes the encrypted shares.

2. The Dealer chooses many (say 100) random polynomials of degree t-1: . The Dealer commits himself to the polynomials by

publishing the 100*n encrypted shares:

…………………………………………

……………………

3. The shareholders choose 50 random indices from [1..100], say , and ask the Dealer to reveal the polynomials: .

4. The Dealer reveals the polynomials in the chosen subset.

5. The shareholders verify that ), for all and for all .

3 Diffie-Hellman encryption: Given a large prime p and a generator g of Z*p, the encryption of a message x

is: gx mod p

Lectures 1-3 9/22


6. The Dealer reveals , where are the remaining indices.

7. Each i’th ( ) shareholder, using the homomorphic property, verifies that in the i’th coordinate equals to (for all

).

3.1.3 Disadvantages Of Interactive Proofs

There are a few drawbacks to interactive proofs:

Such an interactive proof asserts a proof only to the participants of this protocol, and only at the moment it is held. These proofs have no meaning for a person who is not online and does not participate in the random selections.

As a result, these proofs are not valid to a third party, and in particular, they cannot be legal proofs in court.

3.2 VSS: Non Interactive Proof [Feldman 1987]

Contrary to the previous protocols, in a Non Interactive Proof scheme, only the dealer is allowed to send messages, in particular the shareholders cannot talk with each other or with the dealer when verifying a share. The basic idea is that the dealer sends extra information to each participant during the distribution and each participant verifies that his/her secret share is consistent with this extra information.

There is an additional requirement that the protocol below requires:

The encryption algorithm should have the homomorphic property both with respect to addition and to multiplication: E(x+y) = E(x) E(y) E(x*y) = E(x) E(y) An example for an encryption algorithm that complies with this property is the Diffie-Hellman encryption.


1. The Dealer uses Shamir’s secret sharing scheme; for a secret s, the Dealer creates f(x), in which (also marked as a0):

Lectures 1-3 10/22

f(x) = a0 + a1 x + + at-1 xt-1


and distributes the shares: , one for each participant. In addition, the Dealer publishes the encryption of all the t coefficients:

.

2. Each i’th shareholder verifies his/her own share by checking the following equation:

This is done due to the homomorphic properties and the associative properties for both addition and multiplication.

3. If this equation holds, the i’th shareholder broadcasts a message saying that he/she accepts his/her share as proper. If all the shareholders find their shares correct, then the dealing phase is completed successfully. If for some k, the k’th shareholder finds the above equation incorrect, then the k’th shareholder publishes an accusation against the dealer. The honest shareholders can decide whether it is the Dealer or the accuser that misbehaves.

Note that it is also possible to verify that f(0) = s, if s is known.

3.2.1 An Example Using Diffie-Hellman Encryption

Let’s assume that: Our secret is s = 5. n = 7, meaning that we have 7 shareholders. The polynomial is of degree: t-1 = 3.

Let’s go through the stages of the algorithm one after the other:

The Dealer randomly chooses the coefficients (except for the first one): and the polynomial is:

The shares are: The encryptions of the coefficients are:

The i’th shareholder verifies: For the first shareholder (i =1): is equal to:

Lectures 1-3 11/22


==

==

= For the second shareholder (i =2): is equal to:

==

==

=And so on for all the 7 shareholders.

4 Pro-Active Secret SharingThe Secret Sharing scheme assumes long-lived shares, however the protection provided by this scheme may be insufficient. The security in a system that is exposed to attacks and break-ins might become exhausted; several faults might occur:

Secrets can be revealed. Shares can gradually be corrupted/compromised. Hardware failure or damage, for example reboot, power failures etc.

The goal of the pro-active security scheme is to prevent the adversary from learning the secret or from destroying it, in particular any group of t non-faulty shareholders should be able to reconstruct the secret whenever it is necessary.The term pro-active refers to the fact that it's not necessary for a breach of security to occur before secrets are refreshed, the refreshment is done periodically (and hence, proactively).

The core properties of pro-active secret sharing:

To renew existing shares without changing the secret, so that previous exposures of shares will not damage the secret (old shares will become useless).

To recover lost or corrupted shares without compromising the secrecy of the shares.

This should be performed without, of course, any information-leak or any secret change.

Lectures 1-3 12/22


4.1 Pro-Active Model Requirements

1. An adversary can reveal at most t-1 shares in any time period (where t-1<n/2. this guarantees the existence of t honest shareholders at any given time). This time period should be synchronized with the share-renewal protocol.

2. Authenticated broadcast channel.3. Authenticated and secret communication channels between each two participants.4. Synchronization: the servers (shareholders) can access a common global clock so

that the protocol can be applied in a certain time period.5. Shares can be erased: every honest server (shareholder) can erase its shares in a

manner that no attacker can gain access to erased data.

We assume that the adversary is computationally bounded, so that it cannot break the public key encryption and the verifiable secret sharing mechanism.

4.2 Basic Share Renewal Protocol

The goal here is to renew the shares without the Dealer’s involvement. (as the Dealer might not exist anymore). The shareholders should agree on a new polynomial with the same secret s without revealing the secret, the old polynomial or the new polynomial. At the end of this protocol, each shareholder will obtain a new share on the new t-1 polynomial. The assumption in this protocol is that each shareholder remembers his/her old share.

We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial f(x). After the initialization, at the beginning of each time period, all honest servers/shareholders trigger an update phase in which the servers perform a share renewal protocol.

The protocol at the beginning of a time period is as follows:

1. Each i’th shareholder randomly picks t-1 numbers from the finite field. These numbers define a polynomial Pi(X) of degree t-1 whose free coefficient is zero ( ).

2. Each i’th shareholder distributes the shares of Pi(X ) using VSS among the shareholders.

3. Each i’th shareholder receives the following shares: (including his own made share Pi(i)) and computes his/her new share by adding his old

Lectures 1-3 13/22


share- f(i) to the sum of the new n shares. Mathematically speaking:

4. Each i’th shareholder erases his/her old share - f(i).

This protocol solves the share renewal problem against a passive adversary who may learn the secret information available to corrupted shareholders, but where all the shareholders follow the predetermined protocol.

4.3 Share Renewal Protocol In The Presence Of Active Attackers

In the basic share renewal protocol an active adversary can cause the destruction of the secret by dealing inconsistent shares or by choosing a polynomial Pi(X ) with Pi(0) 0. Therefore, a verifiability feature is added to the basic protocol: it will use the non-interactive secret sharing scheme but with the property that the fact that all the shareholders find their shares to be consistent, proves the correct dealing of update shares by the shareholders.

Again, we assume an initial stage where a secret s is encoded into n shares using Shamir’s secret sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial f(x).

The protocol at the beginning of a time period is as follows:

1. Each i’th shareholder randomly picks t-1 numbers from the finite field. These numbers define a polynomial Pi(X) of degree t-1 whose free coefficient is zero ( ).

2. Each i’th shareholder computes the shares and their encryption: and in addition, computes the encryption of all the t

coefficients of Pi(X): .

3. Each i’th shareholder publishes the message: and a signature on this message, using

VSS.

4. For all such messages (from other servers-) that the i’th shareholder receives, he/she verifies the correctness of shares using the same equation as in non-interactive VSS, namely: for each j i:

Lectures 1-3 14/22


. Notice that this

equation accounts for the condition:

5. If the i’th shareholder finds all the messages sent by other shareholders to be correct (e.g., correct signature, correct time period, etc.), and all the above equations hold, then it broadcasts a signed acceptance message announcing that all the checks were successful.

6. If all the shareholders sent such acceptance messages, the i’th shareholder updates his/her own share by performing : .

7. If in step 5, the i’th shareholder finds any irregularities in the behavior of any shareholder during step 4, then he/she broadcasts a signed accusation against the misbehaving shareholder.

4.4 Detection Of Corrupted Shares

In a pro-active secret sharing system, participating shareholders must be able to make sure whether shares of other shareholders have not been corrupted or lost, and restore the correct share if necessary. Otherwise, an adversary could cause the loss of the secret (by destroying n-(t-1) shares). The goal in this section is to present a mechanism for detection of corrupted shares.

There are obvious situations in which there is a high probability that the share is ruined, e.g. a disk crash, but how would anyone find out that a hacker penetrated his/her computer, revealed his/her share and changed it? The idea is to save some fingerprint for each share that is common to all the shareholders, so that periodically, shareholders can compare shares (using secure broadcast).

In order to implement the distributed verifiability of shares, a basic feature is added to the previous protocol. In each time period, each shareholder stores the encryptions of all the shares he/she received from the other shareholders. This is achieved as follows:

Perform the non-interactive VSS, so the encryption of the initial shares will be stored at each shareholder.

Using the homomorphic property, each i’th shareholder updates his/her set of

encrypted shares by computing for every j: .

Actually, this product is computed using only update shares corresponding to well behaved shareholders.

Lectures 1-3 15/22


4.5 Reconstruction Of Lost/Corrupted Shares

This is a fundamental phase in the pro-active scheme, because without it, this scheme would not be secure against adversaries who disable some shareholders from performing the required protocol.The basic idea is to send a shareholder - r, who lost his share, information that will help him recover it without the Dealer’s involvement. A simple solution is to let each shareholder send his/her own share to r; that would allow r to recover the polynomial f(X), and then substitute r and recover his lost share f(r). However, this would expose the secret s to r.

The algorithm for reconstructing the f(r) share is as follows:

1. Each i’th shareholder ( ) randomly chooses a polynomial Pi(X) of degree t-1 where Pi(r) = 0 and Pi(0) 0 .

2. Each i’th shareholder (except for the r’th shareholder) distributes shares of Pi(X ): using VSS among the shareholders (except for the r’th

shareholder).

3. Each i’th shareholder (except for the r’th shareholder) receives and calculates his/her new share for r:

and sends it encrypted to r.

4. The r’th shareholder decrypts these shares and interpolates them to recover f(r). He/she receives a new polynomial in which the r’th share has the same value as the old lost share: h(r) = f(r).

Note that this protocol is secure only against an adversary that eavesdrops on t-1 or less shareholders but cannot change their behavior.

5 Publius [Waldman, Rubin, Cranor 2000]The idea here is to exploit the Internet’s ability to resist censorship and provide indestructible archival service. This idea is of immense importance as authors may wish to publish their works anonymously, because they believe they will be more readily accepted if not associated with a person of their gender, race, ethnic background, or other characteristics. Moreover, the publication of written words has some drawbacks, since those who wish to suppress it can stop publication, destroy published materials, prevent

Lectures 1-3 16/22


the distribution of publications or even intimidate or physically harm the author or publisher.

We assume that the Publius system consists of publishers who post some content to the web, a fixed set of m available servers who host the content and retrievers who browse the Publius content on the web.

5.1 Publius Properties

The Publius system has several advantages:

1. It is difficult for any adversary to modify the Publius content.

2. The identity of the publisher is protected once the material is published on the web.

3. Any k available uncorrupted hosts storing shares of a file can be used to retrieve and decrypt the file.

4. The file name is cryptographically linked to its content, allowing tamper detection.

5. It provides tools for updating and deleting the Publius content by the publisher.

5.2 Publish Protocol

The protocol for publishing Publius content M is as follows:

1. The publisher, Alice, generates a random symmetric key, K, and encrypts the file M using K to produce {M}K.

2. Alice splits K into n shares: using Shamir’s secret sharing scheme, such that any k of them can reconstruct the secret.

3. For each share i, , Alice computes: , meaning that namei is calculated by concatenating sharei with the message, taking their hash and then xoring the first half of the hash output with the second half.

4. For each of the n shares, Alice computes: to obtain n values between 1 and m. At the end of this stage, at least unique values (represent the servers that will hold the Publius content) should be obtained. (Otherwise, we would perform those stages again).

Lectures 1-3 17/22


5. Alice publishes on a server at locationi, under a directory named namei. Therefore the locations of all the shares are uniquely determined once M,K,m are given.

6. Alice creates a URL containing concatenated together.

5.3 Retrieve Protocol

A retriever, Bob, wishes to view the Publius content, given the URL U.

The protocol for retrieving Publius content M is as follows:

1. Bob parses the URL and receives the namei-values. Then for each namei-value he computes: , and arbitrarily chooses k locations. He then retrieves the encrypted content {M}K (Per request to one of the servers from the k locations) and k shares (per request to all the k servers).

2. Bob interpolates the shares and retrieves the key K, then he decrypts the file.

3. Bob verifies that all the namei-values corresponding to the selected shares are correct by recomputing namei. If the verification fails, Bob can try a different set of k shares and an encrypted content stored on one of the other n servers.

5.4 Share Corruption

If something goes wrong during Bob’s verification, then he can try combinations of

shares until a correct one is found. If he is willing to initially download all the shares from all the servers, then he can use Berlekamp and Welch method for finding the key K, provided that less than (n-(k-1))/2 shares are corrupted.

5.5 Delete

A necessary feature is to let the publisher – Alice, and nobody else but Alice, the ability to delete her Publius content.


Lectures 1-3 18/22


1. Alice creates a password PW (before publishing her file) and sends the encrypted file, a share and to every server. The last refers to the hash of PW concatenated with the domain name of the server. The reason for storing this hash and not PW itself or H(PW) is that it prevents other servers from learning the password and deleting the Publius content.

2. In order to delete the Publius content, Alice sends to all the hosting servers and namei that corresponds to each server. The servers compare the received hash with the one stored, and if they match, they remove the Publius file and all the associated materials.

5.6 Update

Another important feature is to let Alice update her Publius content. The idea is to enable Alice to change the Publius content without changing the URL, because others may have links to the original site.


1. Use the above password protection mechanism.

2. Alice creates a file name containing the updated version, the original URL, the old PW and a new one. The update procedure first publishes the new content, then finds the n servers that host this Publius file and then distributes each server a message from Alice containing the original password, the old namei and a new URL.

3. Each server places the new URL in an update file, and deletes the content of the old file.

4. When Bob retrieves the Publius content, if an update file exists, the servers return the update URL instead of the contents. Bob receives the updated URL from k servers and compares them. If they all pass the verification, Bob retrieves the new URL instead. Bob is not aware of this change, from his point of view, he requested a web page and got it.

Lectures 1-3 19/22


6 Questions

6.1 MOED A 2002 Question 1

Question: Using Shamir’s secret sharing, n shares are distributed, so every sub-set of t out of them can reconstruct the secret. Describe a protocol between the shareholders in which at the end t-1 of them can reconstruct the secret.

Answer: There are several protocols that can be used here; we would present a protocol that slightly changes the basic share renewal protocol presented in the summarized material.

We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial f(x).


1. All the shareholders agree on a number - N, which does not exist yet, i.e. .

2. Each i’th shareholder ( ) randomly chooses a polynomial Pi(X) of degree t-1 where Pi(N) = 0 and Pi(0) 0 .

3. Each i’th shareholder distributes shares of Pi(X ): using VSS among the shareholders.

4. Each i’th shareholder receives and calculates: ,

he then distributes h(i) to all the shareholders .

5. Each i’th shareholder receives , and interpolates them to receive a new polynomial - h(X). He then substitutes N in h(X) and that is his extra share.

Note that h(X) is of degree t-1 and that , hence each i’th shareholder holds a unique share f(i) and a common share f(N). The consequence is that each sub-set of t-1 shareholders possesses t shares and can reconstruct the secret.

Lectures 1-3 20/22


6.2 Problem-Set 1: Question Number 1

Question: In Shamir's secret sharing scheme, a secret is split among n members using a polynomial of degree k. A collusion of k members has k shares. Describe under what condition the collusion can reveal the secret.Answer: Under no condition. The protocol is information theoretically secure, i.e., any fewer than k+1 players cannot gain any information about the secret by themselves. There is a polynomial of degree k that passes through their k shares and the k+1’st share, whatever value it may have. For example, assume k=1, meaning the polynomial is a line, therefore, two shares are required for retrieval of the secret. (The secret is the point where the line intersects with the y-axis.) Each share is a point on the line. Any two points determine the line and hence the secret. With just a single point, the line can be any line that passes the point, and hence the secret can be any point on the y-axis.

6.3 Problem-Set 1: Question Number 2

Question : A file F is stored using Shamir's secret sharing scheme for security and secrecy on n servers, using k-out-of-n sharing. Later, n new servers are purchased, and the system administrator wants to increase the availability of F without increasing the security by storing it using k-out-of-2n sharing. Describe in detail how the administrator can upgrade the system this way, without doing any of the following: (i) sending shares that allow to reconstruct the secret to any one (old or new) location(ii) replacing any of the existing shares.

Answer:

The shareholders can run the share renewal protocol to create n additional new shares.We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial f(x).


For each new server :

1. All the old shareholders (1…n) agree on the next number – K.

2. Each i’th shareholder ( ) randomly chooses a polynomial Pi(X) of degree t-1 where Pi(K) = 0 and Pi(0) 0 .

Lectures 1-3 21/22


3. Each i’th shareholder distributes shares of Pi(X ): using VSS among the old shareholders.

4. Each i’th shareholder receives and calculates:

, he then sends h(i) encrypted to the K’th shareholder .

5. The K’th shareholder decrypts these shares and interpolates them to find out his new share - f(K) (which equals to h(K)).

6.4 Problem-Set 1: Question Number 3Question: All conditions and constraints of the previous question being the same, the system administrator wishes to use the new servers to increase both the availability and the secrecy of F by moving to 2k-out-of-2n sharing scheme. Answer is it possible?

Answer:

(i) is possible but (ii) is not, meaning that the administrator does not have to send k or more shares to any location, but he has to replace any of the existing shares. Shareholders can run a protocol similar to share-recovery (share renewal) to create 2n new shares, without reconstructing the secret at any one of them. However, the old shares must be replaced, or else, the security will not be increased.

Lectures 1-3 22/22

Documents

Secret Sharing - Hebrew University of Jerusalemns/SS.doc · Web viewSecret Sharing – Lecture Notes 1 1 Motivation 3 2 Shamir’s Secret Sharing [Shamir 1979] 4 2.1 The Sharing Protocol