Download Notes on Secret Sharing - Cryptography and Network Security | CS 549 and more Study notes Cryptography and System Security in PDF only on Docsity! CS595-Cryptography and Network Security Cryptography and Network Security Secret Sharing Xiang-Yang Li CS595-Cryptography and Network Security Threshold Scheme ?A (t,w)-threshold scheme ?Sharing key K among a set of w users ?Any t users can recover the key ?Any t-1 users can not do so ?Schemes ?Shamir’s scheme ?Geometric techniques ?Matroid theory CS595-Cryptography and Network Security Simple (t,t) Sharing ? Procedure ? D secretly chooses t-1 random elements yi from Zn ? D computes ?Value yt=K- ? yj mod n ? D distributes yi to person pi for all i ? It is secure and easy ? Number n can be any number ? Easy to recover the key ? Only t persons together can do so, assume yi random CS595-Cryptography and Network Security Blakley's Scheme ?Secret is a point in an t-dimensional space ?Dealer gives each user a hyper-plane passing the secret point ?Any t users can recover the common point CS595-Cryptography and Network Security Geometry View CS595-Cryptography and Network Security Avoid Cheating ?Participant B can send A bogus value after receive A’s value ?Solution: bit transfer ?Dealer gives A (SAi, YABi) ?Dealer gives B (BABi, CABi) ?Here CABi = BABi YABi+ SAi mod p ?SAi is the ith bit of the secret share of A CS595-Cryptography and Network Security Cont. ?Protocol ?Participant A gives its value (SAi, YABi) to B ?B verifies: CABi = BABi YABi+ SAi mod p ?B then sends its value (SBi, YBAi) to A ?A verifies: CBAi = BBAi YBAi+ SBi mod p ?The protocol terminates whenever ?One side detects cheating, or ?All values transferred CS595-Cryptography and Network Security Chinese Remainder Theorem ? Given a number m<n, and n=n1n2…nk, ? Numbers ni and nj are coprimes ? Let ai=m mod ni ? Number n is public ? Dealer delivers ai and ni to the ith participant ? Then all k users can recover the number m ? Why it is not a good secret sharing scheme? ? Is it computationally for any k-1 users to recover the key if n is large? CS595-Cryptography and Network Security Monotone Circuit ?Assign sharing for each accessing subset ? ? ? ? k kkk p1 p2 p3 p4 a1 a2 b1 b2 k-b1-b2 k-a1-a2 c1 k-c1 CS595-Cryptography and Network Security Cont. ? Distribution ? (a1,b1) to p1 ? (a2,c1) to p2 ? (k-c1,b2) to p3 ? (k-a1-a2,k-b1-b2) to p4 ? The sharer needs know ? The circuit used by dealer ? Which shares corresponding to which wires ? The shared value is secret CS595-Cryptography and Network Security Visual Secret Sharing ?There is a secret picture to be shared among n participants. ?The picture is divided into n transparencies (shares) such that ? if any m transparencies are placed together, the picture becomes visible ?but if fewer than m transparencies are placed together, nothing can be seen. CS595-Cryptography and Network Security Desired Properties ? Desired properties of interactive proofs ? Completeness: The verifier always accepts the proof if the prover knows the fact and both the prover and the verifier follow the protocol. ? Soundness: Verifier always rejects the proof if prover doesnot know the fact, and verifier follows protocol. ? Zero knowledge: The verifier learns nothing about the fact being proved (except that it is correct) from the prover that he could not already learn without the prover. In a zero-knowledge proof, the verifier cannot even later prove the fact to anyone else. An example
1
B
« Ali Baba’s Cave
CS595-Cryptography and Network Security
CS595-Cryptography and Network Security Cont. ?Alice wants to prove to Bob that ? she knows the secret words to open the portal at CD ?but does not wish to reveal the secret to Bob. ? In this scenario, Alice’s commitment is to go to C or D.