Secret Sharing Using Non-Commutative Groups
Bren Cavallo, The Graduate Center, CUNY, 5/30/2013
Outline
- 1. Introduction
- 2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secret sharing
- 3. Adjustments to HKS secret sharing and analysis
Bren Cavallo Secret Sharing Using Non-Commutative Groups
What is Secret Sharing?
Secret sharing is a cryptographic protocol in which a dealer distributes a secret via shares to participants such that only certain subsets of participants can recover the secret. The ideal setting is information that is both very important and highly sensitive.
What is Secret Sharing?
The fact that there are multiple shares, as opposed to one private key as in private key cryptography, makes the secret less likely to be lost while still allowing high levels of confidentiality. If any one share is compromised, the other participants can still reconstruct the secret, and since the secret is spread out over multiple shares and access is limited by the access structure (the subsets of participants that can recover the secret), the secret remains secure. Applications include multiparty encryption, threshold encryption, numbered bank accounts, and wills, among others.
Formal Definition
A secret sharing scheme consists of a dealer, $n$ participants, and an access structure $\mathcal{A} \subseteq 2^{\{P_1, \cdots, P_n\}}$ such that for all $A \in \mathcal{A}$ and $A \subseteq B \in 2^{\{P_1, \cdots, P_n\}}$, $B \in \mathcal{A}$. To share a secret $s$, the dealer runs an algorithm $\mathrm{Share}(s) = (s_1, \cdots, s_n)$ and then distributes each share $s_i$ to $P_i$.
Formal Definition
In order to recover the secret, the participants run the algorithm $\mathrm{Recover}$, which has the property that for all $A \in \mathcal{A}$: $\mathrm{Recover}(\{s_i : i \in A\}) = s$, and if $A \notin \mathcal{A}$ then $\mathrm{Recover}$ is infeasible. As such, only groups of participants in $\mathcal{A}$ can access the secret. If a set $B$ contains as a subset some $A \in \mathcal{A}$, then they could run $\mathrm{Recover}$ on $A$ and obtain the secret. Hence it makes sense to have $B \in \mathcal{A}$.
Threshold Secret Sharing Schemes
One of the more common access structures one sees in secret sharing is the $(k, n)$ threshold: $\mathcal{A} = \{A \in 2^{\{P_1, \cdots, P_n\}} : |A| \geq k\}$. We call a secret sharing scheme with such an access structure a $(k, n)$ threshold scheme. The problem of discovering a non-trivial $(k, n)$ scheme was solved independently by G. Blakley [3] and A. Shamir [12] in 1979. Notice that this problem becomes non-trivial in part because the shares have to be consistent. This means any $k$-person subset recovers the same secret.
Shamir’s Scheme
In Shamir's scheme the secret is an element of $\mathbb{Z}_p$ where $p$ is a prime larger than $n$. Given a secret $s$ the dealer generates the shares for a $(k, n)$ threshold by doing the following: The dealer randomly selects $a_1, \cdots, a_{k-1} \in \mathbb{Z}_p$ such that $a_{k-1} \neq 0$ and constructs the polynomial $f(x) = a_{k-1}x^{k-1} + \cdots + a_1 x + s$. For each participant $P_i$ the dealer publishes a corresponding $x_i \in \mathbb{Z}_p$. The dealer distributes the share $s_i = f(x_i)$ to each $P_i$ over a private channel.
Any subset of $k$ participants can then reconstruct the polynomial $f(x)$ by using polynomial interpolation and then finding $f(0) = s$.
Polynomial Interpolation
In order to reconstruct a polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k-1}x^{k-1}$ given points $(x_1, f(x_1)), \cdots, (x_k, f(x_k))$ one can solve for the coefficient column in the following system of linear equations:
$$
\begin{pmatrix}
x_1^{k-1} & \cdots & x_1^2 & x_1 & 1 \\
x_2^{k-1} & \cdots & x_2^2 & x_2 & 1 \\
\vdots & \cdots & \vdots & \vdots & \vdots \\
x_k^{k-1} & \cdots & x_k^2 & x_k & 1
\end{pmatrix}
\begin{pmatrix} a_{k-1} \\ a_{k-2} \\ \vdots \\ a_0 \end{pmatrix}
=
\begin{pmatrix} f(x_1) \\ f(x_2) \\ \vdots \\ f(x_k) \end{pmatrix}
$$
One can see that $k-1$ shares give no information about $a_0$, as there are $k-1$ equations and $k$ unknowns. Hence $a_0$ could be any element in $\mathbb{Z}_p$.
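As an added example (the slides contain no code), here are the dealer and recovery sides of Shamir's $(k, n)$ scheme in Python, together with a brute-force tally over a small prime that makes the interpolation argument concrete: with $k-1$ shares every constant term $a_0 \in \mathbb{Z}_p$ is matched by exactly one polynomial of degree at most $k-1$, while with $k$ shares only the true secret survives. The public points $x_i = i$, the 61-bit Mersenne prime and the toy parameters $p = 7$, $k = 3$ are choices made for this example, not the talk's.

```python
import random
from itertools import combinations, product
from typing import Dict, List, Set

P = 2**61 - 1   # a Mersenne prime; any prime larger than the number of participants n works


def poly_eval(coeffs: List[int], x: int, p: int) -> int:
    """Evaluate f(x) = a_0 + a_1 x + ... + a_{k-1} x^{k-1} mod p; coeffs[j] = a_j (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def shamir_share(secret: int, k: int, n: int, p: int = P, seed: int = None) -> Dict[int, int]:
    """Dealer side of a (k, n) threshold: share i is the point (x_i, f(x_i)) with public x_i = i."""
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    coeffs = [secret % p]                       # constant term a_0 = s
    if k >= 2:
        coeffs += [rng.randrange(p) for _ in range(k - 2)]
        coeffs.append(rng.randrange(1, p))      # a_{k-1} != 0, so f has degree exactly k-1
    return {x: poly_eval(coeffs, x, p) for x in range(1, n + 1)}


def shamir_recover(shares: Dict[int, int], p: int = P) -> int:
    """Lagrange interpolation evaluated at x = 0 over Z_p; correct once at least k shares are given."""
    total = 0
    for i, y_i in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        total = (total + y_i * num * pow(den, -1, p)) % p
    return total


def threshold_consistency(shares: Dict[int, int], k: int, p: int = P) -> Set[int]:
    """Values recovered over every k-subset of the shares; a consistent scheme yields one element."""
    return {shamir_recover({x: shares[x] for x in sub}, p) for sub in combinations(shares, k)}


def secret_distribution(known: Dict[int, int], k: int, p: int) -> Dict[int, int]:
    """Brute force for a small prime: count the polynomials of degree <= k-1 over Z_p that
    agree with the known shares, tallied by constant term (the k-unknowns view of the slide)."""
    counts = {c: 0 for c in range(p)}
    for coeffs in product(range(p), repeat=k):
        if all(poly_eval(coeffs, x, p) == y for x, y in known.items()):
            counts[coeffs[0]] += 1
    return counts


def leakage_demo(p: int = 7, k: int = 3, n: int = 4, secret: int = 5, seed: int = 7):
    """Tallies for a toy instance: first given k-1 shares, then given k shares."""
    shares = shamir_share(secret, k, n, p, seed)
    xs = sorted(shares)
    with_k_minus_1 = secret_distribution({x: shares[x] for x in xs[:k - 1]}, k, p)
    with_k = secret_distribution({x: shares[x] for x in xs[:k]}, k, p)
    return with_k_minus_1, with_k


if __name__ == "__main__":
    shares = shamir_share(123456789, 3, 5, seed=42)
    print(shares, threshold_consistency(shares, 3))
    print(leakage_demo())
```

`threshold_consistency` is the consistency requirement of the threshold slide made checkable: every $k$-subset must interpolate to the same $f(0)$. `leakage_demo` enumerates all $p^k$ polynomials, which is only feasible for a toy prime, but the uniform tally it returns for $k-1$ shares is exactly the "$k-1$ equations, $k$ unknowns" statement above.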
Habeeb-Kahrobaei-Shpilrain Secret Sharing
In this case the secret, $s$, is an element of $\{0, 1\}^k$ which we view as a column vector. The scheme is initialized by making a set of generators $X = \{x_1, \cdots, x_n\}$ public. To each $P_i$ the dealer distributes a set of words $R_i$ in the alphabet $X^{\pm}$ over a private channel. The $R_i$ are such that each group $G_i = \langle X \mid R_i \rangle$ has an efficient word problem. The dealer randomly selects shares $s_i \in \{0, 1\}^k$ for $i = 1, \cdots, n-1$ and $s_n = s - \sum_{j=1}^{n-1} s_j$. Note that addition is the standard XOR. For each $i$, the dealer publishes the words $w_i^1, \cdots, w_i^k$ over the alphabet $X^{\pm}$ such that $w_i^j$ is trivial in $G_i$ if $s_i^j = 1$ and non-trivial if $s_i^j = 0$.
Habeeb-Kahrobaei-Shpilrain Secret Sharing
Since the $G_i$ have efficiently solvable word problem, each $P_i$ can effectively determine whether the $w_i^j$ are trivial or not and can independently find $s_i$. To recover the secret, the $P_i$ add together the $s_i$ and find $s$. The $w_i^j$ can be made public, since the participants do not know each other's relators and cannot discern trivial versus non-trivial words in another participant's group.
Habeeb-Kahrobaei-Shpilrain Secret Sharing
The above $(n, n)$ scheme can be further extended to a $(k, n)$ scheme in the following fashion: As is the case with Shamir's scheme, the secret $s$ is an element of $\mathbb{Z}_p$ and the shares $s_i$ are points along a random polynomial of degree $k-1$ with constant term $s$. The dealer converts each $s_i$ into its binary representation. As such, each share can again be viewed as a column vector. The shares $s_i$ are distributed in the same way as in the $(n, n)$ scheme: trivial and non-trivial words are published such that the column each $P_i$ recovers is $s_i$ in binary. The secret is then recovered with polynomial interpolation.
Shortlex Ordering
Let $X = \{x_1, \cdots, x_n\}$ and $G = F(X)$. A shortlex ordering on $G$ is induced by an order on $X^{\pm}$ as follows. Given reduced $w = x_{i_1} \cdots x_{i_p}$ and $l = x_{j_1} \cdots x_{j_q}$ with $w \neq l$, then $w < l$ iff:
- $|w| < |l|$,
- or $|w| = |l|$ and $x_{i_a} < x_{j_a}$ where $a = \min\{\alpha : x_{i_\alpha} \neq x_{j_\alpha}\}$.
For example, say we let $X = \{x, y\}$ and give $X^{\pm}$ the ordering $x < x^{-1} < y < y^{-1}$. Then the first bunch of words in order would be: $e < x < x^{-1} < y < y^{-1} < x^2 < xy < xy^{-1} < x^{-2} < x^{-1}y < x^{-1}y^{-1} < yx < yx^{-1} < y^2 < y^{-1}x < y^{-1}x^{-1} < y^{-2} < x^3 < x^2y < x^2y^{-1} < xyx < xyx^{-1} < \cdots$
Habeeb-Kahrobaei-Shpilrain Secret Sharing Using Shortlex Ordering
In this case, the dealer publishes the letters $X$ and over a private channel sends a set of words $R_i$ in $X^{\pm}$ to each $P_i$ such that $G_i = \langle X \mid R_i \rangle$ is a group with an efficient algorithm to reduce words to a normal form in terms of the $R_i$. The dealer chooses a secret $s \in \mathbb{Z}_p$ for some large prime $p > n$ and generates a random polynomial $f \in \mathbb{Z}_p[x]$ with constant term $s$. The dealer assigns a public $x_i$ to each participant, computes $f(x_i)$, and finds $s_i \in F(X)$ such that $s_i$ is the $f(x_i)$-th word in $F(X)$.
Habeeb-Kahrobaei-Shpilrain Secret Sharing Using Shortlex Ordering
The dealer publishes a word $w_i$ that reduces to $s_i$ in $G_i$. This can be done efficiently by interspersing conjugated products of relators between the letters of $s_i$. Each participant $P_i$ computes their share by reducing $w_i$ to get $s_i$ and then computing its position in $F(X)$. Using their shares they find the secret using polynomial interpolation.
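An added example, not part of the talk, of the combinatorial rank/unrank that the shortlex ordering slide and the two slides above rely on: `rank` returns the position of a reduced word of $F(X)$ in shortlex order and `unrank` returns the $i$-th word, so the dealer can turn $f(x_i)$ into a share word and $P_i$ can turn the reduced word back into $f(x_i)$. The conventions are this example's: an uppercase letter stands for the inverse of its lowercase one (`X` is $x^{-1}$), the ordering string `"xXyY"` encodes $x < x^{-1} < y < y^{-1}$, and the only formula used is the count $2n(2n-1)^{L-1}$ of reduced words of length $L \geq 1$ over $n$ generators.

```python
from typing import List


def free_reduce(word: str) -> str:
    """Cancel adjacent inverse pairs; an uppercase letter is the inverse of its lowercase one."""
    stack: List[str] = []
    for ch in word:
        if stack and stack[-1] == ch.swapcase():
            stack.pop()
        else:
            stack.append(ch)
    return "".join(stack)


class Shortlex:
    """Shortlex order on F(X), induced by the order of X^± given as a string such as 'xXyY'."""

    def __init__(self, order: str):
        self.order = order            # e.g. "xXyY" means x < x^-1 < y < y^-1
        self.m = len(order)           # |X^±| = 2n

    def count(self, length: int) -> int:
        """Number of reduced words of exactly this length: 1 for L = 0, else 2n (2n-1)^(L-1)."""
        return 1 if length == 0 else self.m * (self.m - 1) ** (length - 1)

    def _allowed(self, prev):
        # any letter may follow `prev` except its inverse, which would not be reduced
        return [a for a in self.order if prev is None or a != prev.swapcase()]

    def rank(self, word: str) -> int:
        """Position of a reduced word: every shorter word comes first, then the lexicographic digits."""
        if free_reduce(word) != word or any(ch not in self.order for ch in word):
            raise ValueError("word must be reduced and over the given alphabet")
        L = len(word)
        pos = sum(self.count(l) for l in range(L))
        prev = None
        for t, ch in enumerate(word):
            pos += self._allowed(prev).index(ch) * (self.m - 1) ** (L - t - 1)
            prev = ch
        return pos

    def unrank(self, i: int) -> str:
        """The i-th reduced word (0-based, so unrank(0) is the empty word e)."""
        if i < 0:
            raise ValueError("index must be non-negative")
        L = 0
        while i >= self.count(L):       # find the length band containing i
            i -= self.count(L)
            L += 1
        word, prev = [], None
        for t in range(L):              # then decode the mixed-radix digits
            weight = (self.m - 1) ** (L - t - 1)
            ch = self._allowed(prev)[i // weight]
            i %= weight
            word.append(ch)
            prev = ch
        return "".join(word)


def share_word(value: int, order: str = "xXyY") -> str:
    """Dealer: the share for f(x_i) = value is the value-th word of F(X)."""
    return Shortlex(order).unrank(value)


def share_value(word: str, order: str = "xXyY") -> int:
    """Participant: recover f(x_i) from the reduced share word."""
    return Shortlex(order).rank(word)
```

The first 22 words produced by `unrank` reproduce the listing on the shortlex slide. Since the bands grow geometrically, the word for an index around $10^{12}$ over two generators has only 25 letters, which is the logarithmic growth of share length mentioned later in the talk.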
HKS Secret Sharing Using Shortlex Ordering
It is important to realize the following: $s_i$ must be completely reduced in $G_i$. Some reduction algorithms can be carried out in multiple ways given the same initial conditions, so it is important to fix a protocol so that whatever process $P_i$ uses to reduce $w_i$ terminates at $s_i$. If a random $f(x_i)$ does not have a corresponding reduced word, the dealer can always assign $P_i$ a different $x_i$. In the case of certain groups, words with small length are often reduced, and the length of the $s_i$ can be kept down since they grow logarithmically with respect to the number of generators of the free group.
Analysis
Assuming that it is efficient to generate relators for groups with the desired properties and that it is efficient to generate random small words, the above steps can be done efficiently. Finding the position of any word in a free group or finding the $i$-th word can be done with a combinatorial formula. The $w_i$ can be made by inserting conjugated products of relators between the letters of $s_i$.
Analysis
The same relators can be used to share multiple secrets. Unlike with Shamir's scheme, only the relators are sent privately while the shares are published, so that after the initial private information is sent no new private information has to be sent to share more secrets. As such, the main security issue is being able to determine a participant's relators. This could potentially be done based on the public $w_i$ and learning the $s_i$ after sharing.
Platform Group - Small Cancellation Groups
A word $w$ is cyclically reduced if it is reduced under cyclic permutations. This only occurs if the word is reduced in the first place and the first and last letters are not inverses. A set of words $R$ is called symmetrized if each word is cyclically reduced and the entire set and their inverses are closed under cyclic permutation. Given a set $R$ we say that $v$ is a piece if it is a maximal initial subword of two different words, namely if there exist $w_1 \neq w_2 \in R$ such that $w_1 = v r_1$ and $w_2 = v r_2$.
Platform Group - Small Cancellation Groups
A group $G = \langle X \mid R \rangle$ with symmetrized $R$ satisfies the small cancellation condition $C'(\lambda)$ for $0 < \lambda < 1$ if for all $r \in R$ such that $r = vw$ where $v$ is a piece, $|v| < \lambda |r|$. $C'(\frac{1}{6})$ groups have the additional property that Dehn's algorithm can be used to check if words are trivial and runs in quadratic time. Additionally, if the $s_i$ are less than half the length of the relators, they are in a unique reduced form.
Updating Relators
A potential way to solve the previous problem could be to periodically update the relators. This also allows for security against an adversary that could access the relators by other means such as by computer hacking. This can be done by doing the following: For each $P_i$ the dealer creates a set of words $R'_i$ in $X^{\pm}$ such that $G_i = \langle X \mid R'_i \rangle$ satisfies the same desired properties. In order to distribute each $r \in R'_i$, the dealer pads $r$ with relators in $R_i$ as done previously and publishes them. $P_i$ then reduces $r$ by using the relators in $R_i$. After the full set of words in $R'_i$ is published and reduced, $P_i$ deletes the original $R_i$ and sets $R_i := R'_i$.
Updating Relators
If these steps are done before an adversary can gain adequate information about the relators, then after an update phase the information the adversary has gained will be largely rendered useless. Because every relator sent out in the update phase must be reduced in the original $R_i$, the updated relators are affected by the original ones. In that way, information gained before the update phase could potentially still be useful.
Conclusion
In conclusion, this secret sharing method allows multiple secrets to be sent out after private information has been distributed. Additionally, the participants can update their relators in a secure fashion without any more information needing to be sent over a private channel. As such, methods to determine relators over time are not as effective. Thank you for attending my talk!
References I
28th Annual Symposium on Foundations of Computer Science, Los Angeles, California, USA, 27-29 October 1987. IEEE Computer Society, 1987. Amos Beimel. Secret-sharing schemes: A survey. In IWCC, pages 11–46, 2011.
- G. R. Blakley.
Safeguarding cryptographic keys. Managing Requirements Knowledge, International Workshop
- n, pages 313–319, 1979.
Paul Feldman. A practical scheme for non-interactive verifiable secret sharing. In FOCS [1], pages 427–437.
Bren Cavallo Secret Sharing Using Non-Commutative Groups
References II
Maggie Habeeb, Delaram Kahrobaei, and Vladimir Shpilrain. A secret sharing scheme based on group presentations and the word problem. Contemporary Mathematics, 582, 2012. Amir Herzberg, Markus Jakobsson, Stanisllaw Jarecki, Hugo Krawczyk, and Moti Yung. Proactive public key and signature systems. In Proceedings of the 4th ACM conference on Computer and communications security, CCS ’97, pages 100–110, New York, NY, USA, 1997. ACM. S.M. Jarecki. Proactive Secret Sharing and Public Key Cryptosystems. Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 1996.
Bren Cavallo Secret Sharing Using Non-Commutative Groups
References III
D.L Johnson. Presentations of Groups. Cambridge University Press, 1997. Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography. Chapman and Hall/CRC Press, 2007. Roger C. Lyndon and Paul E. Schupp. Combinatorial Group Theory. Springer Verlag, 1977. Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In CRYPTO, pages 129–140, 1991.
Bren Cavallo Secret Sharing Using Non-Commutative Groups
References IV
Adi Shamir. How to share a secret.
- Commun. ACM, 22(11):612–613, 1979.
Markus Stadler. Publicly verifiable secret sharing. In EUROCRYPT, pages 190–199, 1996.
Bren Cavallo Secret Sharing Using Non-Commutative Groups