Secret Sharing - PowerPoint PPT Presentation

Slides: 54
Provided by: BEN81

1
Secret Sharing
2
Secret Sharing
  • Suppose you and your friend accidentally
    discovered a map that you believe would lead you
    to an island full of treasure.
  • You and your friend are very excited and would
    like to go home and get ready for the exciting
    journey to the great fortune.
  • Now who is going to keep the map?

3
Secret Sharing
  • Suppose you and your so-called friend do not
    really trust each other and are afraid that, if
    the other one has the map, he/she might just go
    alone and take everything.
  • Now we need a scheme that could make sure that
    the map is shared in a way so that no one would
    be left out in this trip.
  • What would you suggest?

4
Secret Sharing
  • One answer is to split the map into two pieces
    and make sure that both pieces are needed in
    order to find the island.
  • You can happily go home and be assured that your
    friend has to go with you in order to find the
    island.
  • This illustrates the basic concept of secret
    sharing.

5
Generalization
  • Given a secret s, we would like n parties to
    share the secret so that the following properties
    hold:
  • All n parties can get together and recover s.
  • Fewer than n parties cannot recover s.
  • In the map example, s is the map, while you and
    your friend are the two parties that share the
    secret.

6
Generalization
  • In general, to achieve such a sharing, we split
    the secret into n pieces s1, s2, . . ., sn and
    give one piece to each party.
  • Each piece here is called a share.
  • This is actually a special case of secret sharing
    and is called secret splitting in some
    literature.

7
Generalization
  • We know that every piece of information is stored
    as a bit string or a number on a computer.
  • So, if we know how to share a secret bit string
    or a secret number, then we know how to share any
    information on a computer.
  • For example, assume that your salary is stored as
    the number 12345678.
  • Now you want to split your salary into two shares
    for two parties.
  • You want to make sure that no party by itself
    knows your salary.
  • On the other hand, two parties can get together
    and recover your salary.

8
Generalization
  • We can split the digits into two sets and give
    one set to each party as a share.
  • For example, we can give the first 4 digits to
    party 1 and the other 4 to party 2.
  • It is easy to verify that this scheme satisfies
    the two properties listed above.

9
Generalization
  • However, there is a problem with this scheme.
  • Suppose I am the first party who gets the most
    significant 4 digits of your salary.
  • It is true that I don't know exactly how much
    your salary is, but I have a pretty good idea
    about the range of your salary (> 12340000),
    because I have the 4 most significant digits.
  • Such partial information may be unacceptable for
    you.

10
Partial Information Disclosure
  • A share may not contain all the information about
    a secret, but could disclose partial information.
  • In certain cases, such partial information
    disclosure could be fatal.

11
Partial Information Disclosure
  • Suppose two parties are going to share a
    password.
  • Here a password consists of 8 characters, with
    each selected from a set of 100 possible
    characters.
  • If we split the password into two shares and each
    share has 4 characters of the password, then each
    share effectively gives out the secret under a
    brute-force attack.

12
Partial Information Disclosure
  • A brute-force attack tries every possible
    combination of the password in order to find
    the right password.
  • So now let's do some calculations.
  • There are 100 possible characters to choose from
    for each of the 8 characters,
  • so there are 100^8 possible passwords.
  • If it takes 1 microsecond to generate and check
    one password, then it takes 100^8 × 10^-6 seconds,
    about 300 years, to try every possible password.
  • A 4-character share, however, leaves only 100^4
    candidates for the missing half, which the same
    attacker tries in 100^4 × 10^-6 = 100 seconds.

13
Partial Information Disclosure
  • A naive way of splitting a secret could cause
    partial information disclosure, which might be
    undesirable in certain cases and fatal in others.

14
Partial Information Disclosure
  • We would like to solve the partial information
    disclosure problem:
  • we strengthen property 2 to stipulate that no
    information about the secret will be disclosed
    from fewer than n shares.
  • It may seem counter-intuitive that the shares
    generated from a secret can contain no
    information about the secret, but you will be
    surprised how easily one can design a scheme that
    ensures these two new properties.

15
Partial Information Disclosure
  • Suppose two parties are going to share a secret
    bit string 1011. The two shares are generated as
    follows.
  • To generate the first bit of the two shares, we
    flip a coin. If the result of the coin flip is a
    head, then the first bit of the first share is 0;
    if the result of the coin flip is a tail, then the
    first bit of the first share is 1.
  • Now generate the first bit of the second share.
    If the result of the previous coin flip was a
    head, then we copy the first bit of the secret.
    Else, if the result of the previous coin flip was
    a tail, then we flip the first bit of the secret
    and use that. We repeat this random process for
    each bit of the secret.

16
Partial Information Disclosure
Suppose for our example where the secret bit
string is 1011, we flip the coin 4 times and get
the sequence head, tail, tail, and head. Then
the bits of our first share would simply be 0110.
As a result, the bits of the second share would
be 1101.
17
Partial Information Disclosure
  • Now we need to show that this scheme satisfies
    the two properties mentioned earlier.
  • First, it is easy to see that the secret can be
    reconstructed from the two shares: wherever the
    two shares differ in a bit position, the secret
    bit is 1, and wherever they agree it is 0.
  • Second, we also need to show that the secret
    cannot be recovered with fewer than two shares.

18
Partial Information Disclosure
  • We know that the first share is generated through
    coin flipping.
  • Obviously, it is random and has nothing to do
    with the secret.
  • As for the second share, it is the result of a
    random transformation, based on coin flipping, of
    the secret.
  • It should also be random.

19
Partial Information Disclosure
  • Suppose you have the first share. Since you can't
    see the second share or the secret, you cannot
    distinguish the two cases, secret bit 0 and
    secret bit 1: your bit is a fair coin flip either
    way. Therefore you cannot decide which secret
    you're sharing, and you can't figure out even a
    single bit of the secret.

20
Partial Information Disclosure
  • If you had the second share, the situation is the
    same. Again, you cannot learn any bit of the
    secret from your share alone.

21
Partial Information Disclosure
  • The precise meaning of "no information
    disclosure" can be formalized.
  • We can easily generalize the scheme for cases
    where there are n parties:
  • we generate n-1 random bit strings (with the same
    number of bits as the secret) as the first n-1
    shares, and the last share is the secret with
    each bit flipped once for every 1 at that position
    among the n-1 random strings.
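
The coin-flipping scheme of slides 15 to 21, as an added Python example (not code from the slides): split_with_flips reproduces the two-party construction for a given sequence of coin flips, split_n is the n-party generalization, and last_share_looks_random is a quick sanity check that the share computed from the secret looks just as random as the coin flips. The function names are mine.

```python
import secrets

def split_with_flips(secret, flips):
    """Two-party splitting exactly as on slide 15: one coin flip per secret bit.
    flips is a string of 'H'/'T'.  Heads: share-1 bit is 0 and share 2 copies the
    secret bit.  Tails: share-1 bit is 1 and share 2 uses the flipped secret bit."""
    if len(flips) != len(secret):
        raise ValueError("one coin flip per secret bit")
    share1 = "".join("0" if f == "H" else "1" for f in flips)
    share2 = "".join(b if f == "H" else ("1" if b == "0" else "0")
                     for b, f in zip(secret, flips))
    return share1, share2

def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit strings: 1 where the bits differ."""
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def split_n(secret, n):
    """n-party splitting (slide 21): n-1 uniformly random strings, then a last
    share chosen so that all n shares XOR back to the secret."""
    if n < 2 or not secret or set(secret) - {"0", "1"}:
        raise ValueError("need n >= 2 and a non-empty bit string")
    shares = ["".join(secrets.choice("01") for _ in secret) for _ in range(n - 1)]
    last = secret
    for r in shares:   # flip each secret bit once per 1 in the random strings
        last = xor_bits(last, r)
    return shares + [last]

def recover(shares):
    """Availability: XOR all n shares together to get the secret back."""
    out = shares[0]
    for r in shares[1:]:
        out = xor_bits(out, r)
    return out

def last_share_looks_random(secret, n, trials=2000):
    """Confidentiality sanity check (slide 18): the share computed FROM the
    secret is still a fair coin flip per bit, whatever the secret is.
    Returns True if its first bit is 1 in roughly half of the trials."""
    ones = sum(split_n(secret, n)[-1][0] == "1" for _ in range(trials))
    return 0.4 < ones / trials < 0.6
```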

22
Modifying Disclosure Conditions
  • Now we have this nice secret splitting scheme.
  • But such a secret splitting scheme may not
    suffice in certain cases.
  • Imagine that you are asked to design a control
    mechanism for a nuclear missile launch.
  • There is a control panel with a keyboard.
  • You can enter a secret code through the keyboard.
  • If the secret code is correct, then the missile
    gets launched.
  • There are three generals who are in charge of a
    missile launch.

23
Modifying Disclosure Conditions
  • A simple solution would be to give the secret
    code to these three generals.
  • But then it is possible for a lunatic general to
    start a war and destroy the planet.
  • We need some sort of secret sharing here.
  • We will generate 3 shares from the secret code
    and give one share to each general.

24
Modifying Disclosure Conditions
  • Because of the second property of secret
    splitting, we know that no single general is able
    to launch the missile by himself, because each
    general has only one share and has no information
    about the secret code.
  • On the other hand, what if one general is a spy
    from a hostile country?

25
Modifying Disclosure Conditions
  • We're not worried about him launching the missile
    by himself.
  • But he can disable the missile launch capability
    by throwing away his share.
  • Because the other two generals cannot authorize a
    missile launch without the third share, no
    missile can be launched, even if the country is
    under attack.

26
Modifying Disclosure Conditions
  • The problem is really the availability of the
    secret code.
  • This is an essential issue in this example
    because the capability to launch a missile
    depends on the availability of the secret code.
  • Assuming that it is unlikely that more than 1
    general could be compromised or unavailable,

27
Modifying Disclosure Conditions
  • we may postulate the following policies:
  • A missile can be launched with 2 or more generals.
  • Fewer than 2 generals cannot launch a missile.

28
(n,t) Secret Sharing
  • To generalize the properties, we get (n,t) secret
    sharing.
  • Given a secret s, to be shared among n parties,
    that sharing should satisfy the following
    properties:
  • Availability: t or more parties can recover s.
  • Confidentiality: fewer than t parties have no
    information about s.

29
(n,t) Secret Sharing
  • In the missile launch example, we are in fact
    using a (3,2) secret sharing scheme.
  • Also note that a secret splitting scheme is
    simply a special case of secret sharing where n
    is equal to t.

30
(n,t) Secret Sharing
  • Let's start with the design of an (n,2) scheme.
  • Let's say we want to share a secret s among n
    parties. We use some basic geometry: draw a random
    line that crosses the y-axis at the point (0, s),
    and pick n distinct points on that line.

31
(n,t) Secret Sharing
  • Each point that is picked represents a share.
  • We claim that these n shares constitute an (n,2)
    sharing of s.
  • Now we need to show that this scheme satisfies
    both the availability and confidentiality
    properties.

32
(n,t) Secret Sharing
  • To show availability, we need to prove that two
    parties can recover the secret.
  • Two parties have two shares, that is, two points.
  • Given these two points, how can we recover the
    secret?
  • We know that two points determine a line, so we
    can figure out the line that goes through both
    points.
  • Once we know the line, we know the intersection
    of the line with the y-axis.
  • Then, we get the secret.
  • So, it only takes us two points (shares) to make
    the secret available.

33
(n,t) Secret Sharing
  • What about confidentiality? We need to show that
    one share does not disclose any information about
    the secret.
  • There are infinitely many lines that go through
    this point, and these lines intersect with the
    y-axis at different points, all of which yield
    different "secrets".
  • In fact, given any possible secret, we can draw a
    line that goes through the secret and the given
    share.
  • This means that with one point, no information
    about the secret is exposed.

34
(n,t) Secret Sharing
  • Using the same idea, can we design an (n, 3)
    secret sharing scheme?
  • Note that the key point in the (n,2) scheme is
    that a line is determined by two points, but not
    by 1.
  • Now we need a curve that is determined by three
    points, but not 2.

35
(n,t) Secret Sharing
  • To generalize the scheme even further, we have a
    construction of an (n, t) secret sharing scheme.
    Now we use the curve that corresponds to a (t-1)
    degree polynomial.
  • We randomly select a curve corresponding to such
    a polynomial that goes through the secret on the
    y-axis.
  • Then we select n points on the curve.
  • Using the same arguments, we can show that this
    scheme satisfies both availability and
    confidentiality properties.
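
The (n,t) construction of slides 30 to 35 as an added Python example, not code from the slides. The slides draw lines and curves over the reals; this does the same arithmetic modulo a prime p (my assumption, and the usual way to make the "any secret fits one share" argument exact on a computer) and recovers the y-intercept by Lagrange interpolation. The function names are mine.

```python
import secrets

P = 2**127 - 1  # prime modulus for all arithmetic (assumption, not on the slides)

def eval_poly(coeffs, x, p=P):
    """coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) (mod p), Horner form."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y

def make_shares(secret, n, t, p=P, coeffs=None):
    """(n,t) sharing (slide 35): a random degree-(t-1) polynomial whose
    y-intercept f(0) is the secret; the shares are the points (i, f(i)), i=1..n.
    coeffs lets a caller fix the random coefficients for a reproducible demo."""
    if not (1 <= t <= n < p) or not 0 <= secret < p:
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    if coeffs is None:
        coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    if coeffs[0] != secret or len(coeffs) != t:
        raise ValueError("coeffs must be [secret, a1, ..., a_(t-1)]")
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]

def recover(shares, p=P):
    """Availability (slide 32): the unique curve through t points, evaluated at
    x=0 by Lagrange interpolation, i.e. where the curve meets the y-axis.
    With fewer than t points this returns the intercept of the WRONG curve."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret

def line_through(share, guess, p=P):
    """Confidentiality for t=2 (slide 33): for ANY guessed secret there is a
    line through (0, guess) and the one known share, so one point says nothing.
    Returns the line as [intercept, slope]."""
    x, y = share
    slope = (y - guess) * pow(x, -1, p) % p
    return [guess, slope]
```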

36
Online Secret Sharing
  • Suppose now we want to maintain a secret on-line.
  • We can store the secret on one server.
  • However, if we do so, the secret would be
    disclosed if the server is compromised.
  • If the server is corrupted, then the secret may
    be corrupted or lost.

37
Online Secret Sharing
  • In distributed systems we can use replication to
    improve the availability of a service and achieve
    fault tolerance.
  • Naive replication does improve availability, but
    the service gets more vulnerable: every replica
    holds a full copy of the secret, so compromising
    any one of them discloses it.

38
Online Secret Sharing
  • To solve these problems, we can split the secret
    into three shares using a (3,2) secret sharing
    scheme and give one share to each server.
  • Now, assuming that it is unlikely that two
    servers would be compromised, the secret will
    remain available and confidential.
  • Even if an adversary steals a share from one
    server, the adversary does not know the secret,
    because a (3, 2) secret sharing scheme is used:
    a single share exposes no information about the
    secret.
  • In the event that a share is lost because of the
    collapse of one server, we still have two shares
    to recover the secret.

39
Online Secret Sharing
  • How does a compromised server recover?
  • Traditionally, server recovery is performed by
    re-starting the server with a clean copy of the
    code and the up-to-date state.
  • Such recovery is no longer sufficient if a secret
    share is stored on this server.

40
Online Secret Sharing
  • Let's look at what could happen over time.
  • We have these three servers with three shares, a
    (3, 2) sharing of a secret s.
  • In January, server 3 was attacked and share s3
    was disclosed.
  • We recovered the server immediately.
  • In May, the same attacker successfully broke into
    server 2 and grabbed share s2.
  • Now, this attacker has two shares and thus is
    able to recover the secret!

41
Online Secret Sharing
42
Online Secret Sharing
  • The problem lies in the fact that the recovery of
    server 3 was not complete.
  • One thing we should have done is to make any
    possibly exposed share obsolete.
  • What do we mean by making a share "obsolete"?
  • Share s3, by itself, does not contain any
    information about the secret.
  • But it can be used together with share s1 or s2
    to recover s.
  • If shares s1 and s2 are deleted (or forgotten) by
    the other two servers, then s3 becomes useless
    (i.e., obsolete).
  • The information on s3 is useless without s2 and
    s1.

43
Online Secret Sharing
  • We cannot simply ask servers 1 and 2 to delete
    their shares, because we still want the servers
    to maintain the secret.
  • What we can do, on the other hand, is to have
    another (3, 2) sharing of the same secret s, say
    s1', s2', s3', to replace the old shares.

44
Online Secret Sharing
  • If we have a trusted entity, then this resharing
    can be performed as follows.
  • The servers first submit their shares to this
    trusted entity through secure links.
  • The trusted entity can then recover the secret
    from these shares and generate a new set of
    shares (s1', s2', s3') for s using a (3, 2)
    sharing scheme.
  • Note that the scheme to generate shares is
    random, so the new shares are totally
    independent of the old ones.
  • That is, knowing two points on two different
    lines gives no disclosure of the secret.

45
Online Secret Sharing
  • Unfortunately, we don't have the luxury of a
    trusted entity.
  • In fact, such a trusted entity could become a
    vulnerability in the system: if the trusted
    entity is compromised when it performs
    re-sharing, then the secret could be disclosed.
  • Therefore, we have to rely on the servers
    themselves to do re-sharing in a distributed
    manner.
  • Again, no server can ever reconstruct the secret,
    because otherwise the secret could be exposed if
    that server were compromised.

46
Proactive Secret Sharing
  • We need a scheme that allows servers to generate
    a new set of shares for the same secret from the
    old shares without reconstructing the secret.
  • Such a scheme is called a proactive secret
    sharing scheme (PSS).
  • We have argued that PSS is needed for server
    recovery. But, in reality, break-ins to a server
    are very hard to detect, especially when the
    attacker simply steals certain secret information
    without modifying anything on the victim server.
  • An attacker can cover his tracks when he exits.
  • To strengthen the security of a replicated
    service, we can invoke our PSS periodically (at
    regular intervals).

47
Proactive Secret Sharing
48
Proactive Secret Sharing
  • Before the execution of the PSS, every server
    checks the integrity of its code and state,
    trying to remove any attackers that might exist
    in that server at that point in time.
  • How would our PSS improve security through
    periodic executions?

49
Proactive Secret Sharing
  • With no PSS, using an (n, t) secret sharing
    scheme, a service can tolerate up to t-1
    compromised servers during the entire lifetime of
    the service, because any more failures could lead
    to the exposure of the secret.
  • With a PSS, we know that the PSS refreshes all
    the shares, so that old shares become useless.
  • Now an adversary has to gather enough shares (at
    least t) between two executions of the PSS, which
    obviously makes the attacker's job more difficult.
  • The secret remains confidential as long as fewer
    than t servers are compromised from the start of
    one PSS to the end of the next PSS.

50
Proactive Secret Sharing
  • We first assume that an adversary can only break
    into a server and have access to information
    stored or collected by that server.
  • The adversary cannot change the code of the
    server. Suppose we have a simple (2, 2) sharing
    scheme.
  • To generate two shares for secret s, we randomly
    select s1 and s2, so that s1 + s2 = s.
  • We want the two servers with shares s1 and s2 to
    change their shares to s1' and s2', so that these
    two shares remain a (2,2) sharing of the same
    secret s and these two shares are independent
    of the old shares (cannot be inferred from the
    old shares).

51
Proactive Secret Sharing
  • The proactive secret sharing can be performed in
    the following steps.
  • Server 1 generates two subshares s11 and s12 from
    its share s1 using the same secret sharing scheme
    as the one used to generate s1 and s2 from s;
    that is, server 1 randomly selects two subshares
    s11 and s12 so that s1 = s11 + s12. Server 2
    does the same thing to s2: it randomly generates
    two subshares s21 and s22 so that s2 = s21 +
    s22.
  • Server 1 sends s12 to server 2 through a secure
    channel. Server 2 sends s21 to server 1.
  • Server 1 has both s11 and s21 and can add them up
    to get a new share s1' = s11 + s21. Server 2, on
    the other hand, has both s12 and s22 and can
    generate a new share s2' = s12 + s22. Now we show
    that s1' and s2' constitute a (2,2) sharing. The
    sum of these two shares is the sum of all the
    four subshares, which is the sum of s1 and s2,
    which is s.

52
Proactive Secret Sharing
  • These two shares are independent of the old
    ones because the subshares are generated
    randomly.
  • Also, no server knows the secret during the
    entire process.
  • Server 1 generates s11 and s12 and learns s21
    from server 2,
  • but server 1 never knows s22 and thus does not
    know s2' or s.
  • Server 2, on the other hand, never knows s11, and
    thus does not know s1' or s.
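
The three resharing steps of slide 51 and the "no server ever knows s" argument of slide 52, as an added Python example that is not code from the slides. The modulus M, the Server class, its seen log and the function names are my assumptions; the slides' "+" is taken mod M so that a random share reveals nothing about s.

```python
import secrets

M = 2**64  # shares are integers mod M; "+" on the slides is taken mod M here
           # (my assumption, not stated on the slides)

def split2(s):
    """(2,2) sharing of slide 50: random s1, and s2 chosen so that s1 + s2 = s."""
    s1 = secrets.randbelow(M)
    return s1, (s - s1) % M

def combine(s1, s2):
    return (s1 + s2) % M

class Server:
    """One share holder.  `seen` records every value the server ever holds, so
    we can check that s, and the other server's new share, never appear on it."""
    def __init__(self, share):
        self.share = share
        self.seen = [share]

    def make_subshares(self):
        """Step 1: split my share; keep one subshare, return the one to send."""
        self.keep, to_send = split2(self.share)
        self.seen += [self.keep, to_send]
        return to_send

    def receive(self, subshare):
        """Step 3: my new share is my kept subshare plus the one I received."""
        self.share = combine(self.keep, subshare)
        self.seen += [subshare, self.share]

def reshare(server1, server2):
    """Steps 1-3 of slide 51; the call/return stands in for the secure channel."""
    s12 = server1.make_subshares()   # s1 = s11 + s12, s12 goes to server 2
    s21 = server2.make_subshares()   # s2 = s21 + s22, s21 goes to server 1
    server1.receive(s21)             # s1' = s11 + s21
    server2.receive(s12)             # s2' = s12 + s22
    return server1.share, server2.share

def demo(s):
    """Share s, refresh once, and report the properties slides 51-52 argue for."""
    s1, s2 = split2(s)
    srv1, srv2 = Server(s1), Server(s2)
    s1n, s2n = reshare(srv1, srv2)
    return {
        "new_shares_combine_to_s": combine(s1n, s2n) == s,
        "stolen_old_share_is_obsolete": combine(s1, s2n) != s,
        "s_never_on_server1": s not in srv1.seen,
        "s_never_on_server2": s not in srv2.seen,
        "server1_never_sees_s2_new": s2n not in srv1.seen,
        "server2_never_sees_s1_new": s1n not in srv2.seen,
    }
```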

53
Proactive Secret Sharing