Secret Sharing Cs416

1,292 views

Published on

  • Be the first to like this

Secret Sharing Cs416

  1. 1. Secret Sharing and its Application to Electronic VotingAkash Chandrayan (08d17015)Appu R P (08D17007)Prathamesh Dashpute (08D04007)
  2. 2. Secret sharingSecret sharing refers to method for distributing a secret amongsta group of participants, each of whom is allocated a share of thesecret. The secret can be reconstructed only when a sufficientnumber of shares are combined together; individual shares areof no use on their own.
  3. 3. History*
  4. 4. Map of Space*
  5. 5. Blakley’s Scheme• Secret is encoded as a point in a space.• Keys are given as hyper planes rotated around the point in space. Therefore the intersection of t hyper planes will be the key.
  6. 6. Problems with Blakley’s Scheme• Not secure- If three keys are required having two lets someone know the secret is on a line.• Less space efficient- Keys are t times larger than the original secret, where t is the number of keys needed to get the secret.
  7. 7. Shamir’s Scheme• Mathematically the goal is to divide some data D into n pieces D1,…, Dn.• The following criteria are met • Knowledge of any k or more Di pieces makes D computable. • Knowledge of any k-1 or fewer Di pieces leaves D completely undetermined.• This scheme is called (k , n) threshold scheme.
  8. 8. Shamir’s Scheme• The scheme turns the secret into a polynomial of degree k, where k is the number of keys needed to get the secret.
  9. 9. Shamir’s Scheme• Choose at random k-1 coefficients a1 ,…, ak-1 and let a0 be the secret. f(x)=a0 +a1x+…+ ak-1 xk-1• Select randomly any n points out of it (i , f(i)).• Every participant is given a point.
  10. 10. Verifiable Secret Sharing(VSS)In verifiable secret sharing (VSS) the object is to resist malicious players,such as(i) a dealer sending incorrect shares to some or all of the participants, and(ii) participants submitting incorrect shares during the reconstructionprotocolIn publicly verifiable secret sharing (PVSS), it is an explicit goal that not justthe participants can verify their own shares, but that anybody can verify thatthe participants received correct shares.
  11. 11. Publically Verifiable Secret Sharing(PVSS)• Proof of correctness for each share released .• No private channels between the dealer and the participants are assumed.• All communication is done over (authenticated) public channels using public key encryption.
  12. 12. Model for non-interactive PVSSInitialization• Generation of system parameters.• Registration of Participants.The actual set of participants taking part in a run of the PVSS scheme must bea subset of the registered participants.Distribution• The distribution of a secret s is performed by the dealer D.• The dealer first generates the respective shares si for participant Pi For each participant Pi the dealer publishes the encrypted share Ei(si).• The dealer also publishes a string PROOFD to show that each Ei encrypts a share si.• The string PROOFD commits the dealer to the value of secret s, and it guarantees that the reconstruction protocol will result in the same value s.
  13. 13. Model for non-interactive PVSSVerification of the shares.• Any party knowing the public keys for the encryption methods Ei may verify the shares.• For each participant Pi a non-interactive verification algorithm can be run on PROOFD to verify that Ei(si) is a correct encryption of a share for Pi. If verifications fail => dealer fails, protocol is aborted.
  14. 14. Model for non-interactive PVSSReconstructionThe protocol consists of two steps:1.Decryption of the shares.The participants decrypt their shares si from Ei(si). It is not requiredthat all participants succeed in doing so, as long as a qualified set ofparticipants is successful. These participants release si plus a stringPROOFPi that shows that the released share is correct.2. Pooling the shares.The strings PROOFPi are used to exclude the participants which aredishonest or fail to reproduce their share si correctly. Reconstruction ofthe secret s can be done from the shares of any qualified set ofparticipants.
  15. 15. The MathThe prover knows α such that h1 = g1α and h2 = g2α :1. The prover sends a1 = g1w and a2 = g2w to the verifier,2. The verifier sends a random challenge c to the prover.3. The prover responds with r = w − α c (mod q).4. The verifier checks that a1 = g1rh1c and a2 = g1rh1c
  16. 16. The MathDistribution & Verification• Distribution of the shares. The dealer picks a random polynomial p of degree at most t − 1 with coefficients in ZqThe dealer shows that the encrypted shares are consistent byproducing a proof of knowledge of the unique p(i), 1 <= i <= n,satisfying
  17. 17. The MathReconstruction• Decryption of the shares: Using its private key xi, each participant finds the share Si = Gp(i) which comes from• Proof :
  18. 18. Homomorphic Secret Sharing• Benaloh [Ben87a]
  19. 19. Electronic Voting• An election proceeds in two phases – Ballot Casting- Voters post their vote in encrypted form. The validity of the vote can be publically verified. – Tallying- The talliers use their private keys to collectively compute the final tally corresponding with the accumulation of all valid ballots.• Technically each voter will act as a dealer in the PVSS scheme.
  20. 20. Ballot Casting• A voter casts a vote v 0 or 1 and encrypts it as U= Gs+v where s is a random number.• The voter constructs a PROOFU showing that v Ɛ {0,1} without revealing any information on v. PROOFU refer to the value of C0=gs which is also published.
  21. 21. Tallying• The tallying protocol uses the reconstruction protocol of special PVSS scheme and homomorphic property.• Accumulate all respective share and compute the values Yi*, where j ranges over all voters.
  22. 22. Tallying• Next each tallier Ai applies the reconstruction protocol to the value Yi*, which will produce• Combining with we obtain• From this the tally can be computed efficiently.
  23. 23. Example*The following example illustrates a sample voting with 5 voters among which2 are talliers. <Z*13,*13> is the cyclic group under which we shall be working.Generators used are g=2 and G=7.Note that all the computations henceforth are mod 13 Private Public Vote S(random U (encrypted votes) gs Keys Keys numbers) 1 7 0 7 6 11 2 10 1 8 8 9 3 5 1 1 10 2 4 9 0 2 10 4 5 11 0 11 2 7 The value of C0 = gs is published as part of the PVSS distribution protocol, and shows that logG U = logg C0 OR logG U = 1 + logg C0 (Vote is 0 or 1)
  24. 24. Example contd.Now since there are 2 talliers which implies that all the votes can becombined iff all of them agrees to tally. For this to work, the curves usedwould simply be straight lines with the constant term as the secret values s. Polynomial pi(x) pi(1) pi(2) 3x+7 10 13 4x+8 12 16 x+1 2 3 11x+2 13 24 7x+11 18 25Note that the voters do not publish pi(1) or pi(2). They publish Yij which is yipj(i)yi is the public key of tallier i, since we have only 2 talliers, I have computed the valuesof pi(1) and p2(2) in the table itself and avoided yipj(i) for clarity.
  25. 25. Example contd.Next we compute the values of Y1* and Y2*.Y1* = 7(10+12+2+13+18) = 755 = 6Y2* = 10(13+16+3+24+25) = 1081 = 12Now the values of S1 and S2 can be computed by respective talliers by usingtheir private keys x1 = 1 and x2 = 2.Therefore S1 = (Y1*)1/x1 = 6 and S2 = (Y2*)1/x2 = 121/2 = 5.Next comes the homomorphic combination of secrets by computingλ1 = 2 , λ2 = -1 ; Gs = 62 . 5-1 = 9/2 = 9*7 = 63 = 11
  26. 26. Example contd.Now lets combine the encrypted votes (Uj = Gjs+v)Gs+v = 6*8*10*10*2 = 9600 = 6.Almost there , Gs+v/Gs = Gv = 6/11 = 6*6 = 10, Gv = 10 => 7v = 10=> v= 2 , because 49 (72 mod 13 = 10). Which verifies with the vote countgiven in the table. That is it!
  27. 27. Few other applicationRevocable Electronic CashSoftware Key EscrowBank AccountsConfidential dataCloud Computing*
  28. 28. References*• A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting - Berry Schoenmakers, Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands. berry@win.tue.nl | Springer-Verlag , 1999.• How to share a secret. Commm. of ACM , volume 22 (1979).• http://en.wikipedia.org/wiki/Secret_sharing• http://www.cs.uml.edu/~zkissel/secretshare.html• http://en.wikipedia.org/wiki/Secure_multiparty_computation• http://www.proproco.co.uk/million.html• http://www.cs.tau.ac.il/~bchor/Shamir.html*were not mentioned during presentation
  29. 29. Thank You!

×