Group Certificate using Threshold Secret Sharing

About This Presentation
Title:

Group Certificate using Threshold Secret Sharing

Description:

Instead of revealing d or secret shares, K neighbors partially sign certificate ... Shuffling prevents revealing responders' secret shares ... – PowerPoint PPT presentation

Slides: 18
Provided by: sconce

Transcript and Presenter's Notes

1
Group Certificate using Threshold Secret Sharing
Providing Robust and Ubiquitous Security Support
for Mobile Ad-Hoc Networks (Jiejun Kong et al.,
ICNP 2001)
  • Jeong H. Yi
  • jhyi_at_ics.uci.edu

2
Goals
  • Distributed public-key infrastructure
  • Adopt an RSA-based system
  • CA's private key is used as the secret of the
    threshold scheme
  • Tunable intrusion tolerance
  • Allow dynamic node membership

Applicable to group membership
3
Core Ideas
  • Threshold secret sharing
  • Secret polynomial is shared among K members
  • Coalition signing
  • Each piece is used to sign a member certificate

4
Threshold Secrets
f(x) = ax + b
  • Given k points in the plane, there is only one
    polynomial of degree k-1 that passes through all
    k points
  • k-1 points do not suffice for interpolation
  • Threshold secrets: given their (x_i, y_i)
    coordinates, k nodes can interpolate f(0), the
    secret key

5
Dealing Secret Shares
  • Dealer obtains secret key d
  • Randomly selects polynomial f(x) of degree k-1
  • Note f(0) = d
  • Dealer distributes secret shares to users

f(x) = d + a_1 x + a_2 x^2 + ... + a_{k-1} x^{k-1}
P_{v_i} = f(v_i) mod n
6
Dealing Secret Shares
  • Example: k = 3, d = 4, n = 7

f(x) = 4 + 3x + 2x^2
7
Secret Recovery
  • Use Lagrange interpolation to recover d
  • l_{v_j}(x) is the Lagrange coefficient

d = P_{v_1} l_{v_1}(0) + P_{v_2} l_{v_2}(0) + ... + P_{v_k} l_{v_k}(0) mod n
8
Secret Recovery
  • From previous example

P_{v_2} l_{v_2}(0) + P_{v_3} l_{v_3}(0) + P_{v_5} l_{v_5}(0) mod 7
  = (4 × 5 + 3 × (-5) + 6 × 1) mod 7 = 4
9
Coalition Signing
  • Signature of M: M^d mod n
  • Instead of revealing d or secret shares, K
    neighbors partially sign certificate
  • Requester multiplies all partial signatures
    together

SK_i = P_{v_i} l_{v_i}(0) mod n
SK_2 + SK_3 + SK_5 mod n ≡ d
SK_2 + SK_3 + SK_5 = tn + d
M^{SK_2} M^{SK_3} M^{SK_5} = M^{SK_2 + SK_3 + SK_5} = M^{tn + d} = M^{tn} M^d
10
K-bounded coalition offsetting
for (i = 0; i < k; i++) {
    Y = M^(tn + d) * M^(-ni) mod n;
    if (Y^e == M mod n) break;
}
return Y;   /* = M^d mod n */
11
Self-initializing secret share
  • Users holding certificates may obtain their own
    secret shares
  • K members use Lagrange interpolation to find v_x's
    share
  • Shuffling prevents revealing the responders' secret
    shares

P_{v_x} = f(v_x) = P_{v_{x,1}} l_{v_{x,1}}(v_x) + ... + P_{v_{x,k}} l_{v_{x,k}}(v_x)
        = SS_{x,1} + ... + SS_{x,k} mod n
[Figure: nodes 2, 3 and 5 send Shuffle2, Shuffle3 and Shuffle5 to node 4, which obtains P_{v_4}]
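The sharing, recovery, coalition signing, K-bounded offsetting and self-initialization steps of slides 5 to 11, as an added Python example that is not the presentation's own code. It assumes toy parameters (the slides' k = 3, d = 4, n = 7 example, plus a tiny RSA modulus n = 143 with e = 7, d = 103) and reads "shuffling" as zero-sum blinding terms added by the responders; the Lagrange denominators must be invertible mod n, which the real scheme has to guarantee for a composite modulus.

```python
import random

def lagrange_coeff_at(ids, i, x, n):
    """l_{v_i}(x) mod n over coalition `ids` (denominators must be invertible mod n)."""
    num, den = 1, 1
    for j in ids:
        if j != i:
            num = num * (x - j) % n
            den = den * (i - j) % n
    return num * pow(den, -1, n) % n

def deal_shares(poly, ids, n):
    """Slide 5: P_{v_i} = f(v_i) mod n; poly[0] is the secret d, poly[1:] the a_j."""
    return {i: sum(c * pow(i, e, n) for e, c in enumerate(poly)) % n for i in ids}

def recover_secret(shares, n):
    """Slide 7: d = sum of P_{v_i} l_{v_i}(0) mod n."""
    ids = list(shares)
    return sum(shares[i] * lagrange_coeff_at(ids, i, 0, n) for i in ids) % n

def partial_sign(M, share, ids, i, n):
    """Slide 9: SK_i = P_{v_i} l_{v_i}(0) mod n; member i publishes M^{SK_i} mod n."""
    SK_i = share * lagrange_coeff_at(ids, i, 0, n) % n
    return pow(M, SK_i, n)

def coalition_sign(M, partials, k, e, n):
    """Slide 10: multiply partials (= M^{tn+d}) then strip M^{tn} for some t < k."""
    Y = 1
    for ps in partials:
        Y = Y * ps % n
    M_inv_n = pow(pow(M, n, n), -1, n)   # M^{-n} mod n; needs gcd(M, n) = 1
    for _ in range(k):
        if pow(Y, e, n) == M % n:        # Y^e == M  <=>  Y == M^d mod n
            return Y
        Y = Y * M_inv_n % n
    raise ValueError("no offset t < k verified; inputs inconsistent")

def self_init_share(shares, x, n):
    """Slide 11: responders send SS_{x,i} = P_{v_i} l_{v_i}(x) + r_i with the r_i
    summing to 0 mod n (this example's reading of 'shuffling'); x adds them up."""
    ids = list(shares)
    r = [random.randrange(n) for _ in ids[:-1]]
    r.append(-sum(r) % n)                # blinding terms cancel, shares stay hidden
    SS = [(shares[i] * lagrange_coeff_at(ids, i, x, n) + r_i) % n
          for i, r_i in zip(ids, r)]
    return sum(SS) % n
```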
12
Verifiable Secret Sharing
[Figure: exchange between <K group members> and <New member>]
13
Group Certificate Format
Group Certificate      | IETF Attribute Cert | X.509 PK Cert
-----------------------+---------------------+-------------------
Version                | Version             | Version
Serial Number          | Serial Number       | Serial Number
Signature ID           | Signature ID        | Signature ID
Subject (Member Name)  | Holder              | Subject
Issuer (Group Name)    | Issuer              | Issuer
Validity Period        | Validity Period     | Validity Period
Group Public Key       | Attributes          | Subject Public Key
Extensions             | Extensions          | Extensions
Signature              | Signature           | Signature
14
Initialization
<Centralized dealer>
  1. Select a polynomial, f(x)
  2. Compute secret share (1 < i < N)
  3. Compute the witness of polynomial f(x), where g
     is a generator
  4. Generate initial group cert by central dealer
  5. Distribute gcert_bundle(i) to all group
     members

15
Certificate Issue
<New user>                                          <K group members>
1. Send JOIN_REQ                   -- JOIN_REQ -->
                                  <-- JOIN_COMMIT --  2. Reply JOIN_COMMIT with their own group cert
3. Verify JOIN_COMMIT
4. Generate a signed SIGN_REQ      -- SIGN_REQ -->
                                                     5. Verify SIGN_REQ
                                                     6. Generate partial cert, pcert(i)
                                                     7. Generate partial secret share, pss(i)
                       <-- PARTIAL_SIGN_BUNDLE(i) = PSS(i), pcert(i), Wp --
8. Multiply pcert(i)
9. Add up pss(i)
16
What I did
  • Mandatory functions
      • Threshold secret sharing
      • Lagrange interpolation
      • K-bound coalition algorithm
  • Optional functions
      • Verifiable secret sharing
      • Secret share shuffling
  • Formatting in standard
      • X.509 Cert and CRL
      • Using ASN.1 data structure
      • Message packetizing

17
Future work
  • Group member leave
  • Certificate revocation
  • Proactive security
  • How to reduce protocol steps
      • 4 rounds → 2 rounds