CS 513 – System Security

Lecture 13

 

Lecturer: Lidong Zhou

Notes by: Vicky Weissman

Lecture Date: 3/9/00

 

Today’s Topic – Maintaining a Secret On-Line

 

This lecture is a continuation of lecture 8 – Online and Proactive Secret Sharing.

 

Goal:  To build a secure on-line service that maintains a secret using variations of secret sharing. Specifically, we want to share a secret with n parties such that any subset of t or more parties can recover the secret, but fewer than t parties cannot learn anything about the secret. 

 

General Example: A secret, s, needs to be maintained on-line. 

Assumptions:

  1. Any server can crash or be broken into by an attacker; however, the attacker cannot modify any server’s code or state.
  2. An attacker cannot compromise more than t-1 servers in d days.    

Strategy:

  1. Split the secret into n shares where n is 2t-1 or more. Each share is stored on a different server.
    1. choose a (t-1)th degree polynomial, f(x), such that f(0) = s
    2. f(i) is server i’s share of the secret
    3. every d days, distribute new shares.  To create and distribute the new shares, each server chooses a (t-1)th degree polynomial, h(x), such that h(0) = 0.  For any server i from 1 to n, the new share is the old share plus h(i) from each of the newly created h(x) functions.  Since the new f(0) equals s plus n zeros, the new shares correspond to the original secret.  The new shares, however, cannot be combined with the old ones to give any information about s, even if t-1 machines are being monitored by an attacker when the h(x) functions are chosen. 
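The share-refresh step described above, as an added example that is not part of the original lecture notes. It assumes all arithmetic is done modulo a prime P (the notes do not name a field); the function names, the sample secret and t = 3 are likewise chosen for illustration.

```python
import secrets

P = 2**127 - 1  # assumed field modulus (a Mersenne prime); not specified in the notes

def rand_poly(const, t):
    """Random polynomial of degree t-1 with value const at x = 0 (coefficient list)."""
    return [const % P] + [secrets.randbelow(P) for _ in range(t - 1)]

def evaluate(poly, x):
    """Evaluate poly at x mod P using Horner's rule."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc

def split(s, n, t):
    """Choose f with f(0) = s; server i (1..n) stores the share f(i)."""
    f = rand_poly(s, t)
    return {i: evaluate(f, i) for i in range(1, n + 1)}

def refresh(shares, t):
    """Each server picks h with h(0) = 0; new share i = old share i + sum of every h(i)."""
    hs = [rand_poly(0, t) for _ in shares]
    return {i: (y + sum(evaluate(h, i) for h in hs)) % P for i, y in shares.items()}

def recover(points):
    """Lagrange interpolation at x = 0 from t shares given as {i: f(i)}."""
    s = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        s = (s + y * num * pow(den, -1, P)) % P
    return s

def demo(s=123456789, t=3):
    """Constructed sample run: returns (secret from old shares, from new shares, from a mix)."""
    n = 2 * t - 1
    old = split(s, n, t)
    new = refresh(old, t)
    pick = lambda src, ids: {i: src[i] for i in ids}
    mixed = {**pick(old, [1, 2]), **pick(new, [3])}  # t-1 old shares plus 1 new share
    return recover(pick(old, [1, 2, 3])), recover(pick(new, [2, 4, 5])), recover(mixed)

if __name__ == "__main__":
    print(demo())
```

Any t old shares and any t new shares both interpolate to s, while the mixed set of t-1 old shares and one new share interpolates to an unrelated value.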

Calculations involving the shared secret can be computed as follows:

  1. Create a function, g1, that calculates a partial result for each share of the secret.
  2. Create a function, g2, that calculates the complete result, given the partial results from each share.

 

Specific Example: Calculate f(m) = m^s given m, n = 2, and t = 2, while protecting s.

Solution:

  1. randomly select s1 and s2 such that s1 + s2 = s.
  2. let g1(m, si) = m^(si)
  3. let g2(g1(m, s1), g1(m, s2)) = g1(m, s1) * g1(m, s2), which equals m^(s1) * m^(s2) = m^(s1 + s2) = m^s

 

Terminology:  

The 3-step process given above is called function sharing.

If the secret is a private key and f(x) is a crypto function, then the protocol is called threshold cryptography.