CS 513 – System Security
Lecture 13
Lecturer: Lidong Zhou
Notes by: Vicky Weissman
Lecture Date: 3/9/00
Today’s Topic – Maintaining a Secret On-Line
- Goal
- General Example
- Specific Example
- Terminology
This lecture is a continuation of lecture 8 – Online and Proactive Secret Sharing.
Goal:
To build a secure on-line service that maintains a secret using variations of secret sharing. Specifically, we want to share a secret with n parties such that any subset of t or more parties can recover the secret, but fewer than t parties cannot learn anything about the secret.
General Example: A secret, s, needs to be maintained on-line.
Assumptions:
- Any server can crash or be broken into by an attacker; however, the attacker cannot modify any server’s code or state.
- An attacker cannot compromise more than t-1 servers in d days.
Strategy:
- Split the secret into n shares, where n is 2t-1 or more. Each share is stored on a different server.
- Choose a (t-1)th-degree polynomial, f(x), such that f(0) = s.
- f(i) is server i’s share of the secret.
- Every d days, distribute new shares. To create and distribute the new shares, each server chooses a (t-1)th-degree polynomial, h(x), such that h(0) = 0. For any server i from 1 to n, the new share is the old share plus h(i) from each of the newly created h(x) functions. Since the new f(0) equals s plus n zeros, the new shares correspond to the original secret. The new shares, however, cannot be combined with the old ones to give any information about s, even if t-1 machines are being monitored by an attacker when the h(x) functions are chosen.
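The sharing and refresh steps above, as an added example that is not part of the original lecture notes. It assumes arithmetic modulo the prime 2^127 - 1 (the notes do not fix a field) and servers that follow the protocol, matching the assumption that an attacker cannot modify code or state; the function names and sample values are constructed for illustration. The demo reconstructs s from t refreshed shares, then shows that t-1 old shares plus one new share do not yield s.

```python
import secrets

P = 2**127 - 1  # prime modulus; an assumption, the notes do not fix a field

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(s, t, n):
    """Pick a random degree-(t-1) f with f(0) = s; server i holds f(i)."""
    f = [s % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {i: poly_eval(f, i) for i in range(1, n + 1)}

def refresh(shares, t):
    """One refresh round: every server picks h with h(0) = 0, and each
    server i adds h(i) from all of those polynomials to its old share."""
    new = dict(shares)
    for _ in shares:                       # one h(x) per server
        h = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
        for i in new:
            new[i] = (new[i] + poly_eval(h, i)) % P
    return new

def reconstruct(points):
    """Lagrange-interpolate f(0) from a dict {i: f(i)} of t shares."""
    s = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * -j % P
                den = den * (i - j) % P
        s = (s + y * num * pow(den, -1, P)) % P
    return s

def demo(s=123456789, t=3, n=5):           # constructed sample values
    old = share(s, t, n)
    new = refresh(old, t)
    same_epoch = reconstruct({i: new[i] for i in (1, 2, 3)})
    mixed = reconstruct({1: old[1], 2: old[2], 3: new[3]})
    return same_epoch, mixed

if __name__ == "__main__":
    same_epoch, mixed = demo()
    print("t new shares   ->", same_epoch)  # the original secret
    print("2 old + 1 new  ->", mixed)       # s shifted by a random offset
```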
Calculations involving the shared secret can be computed as follows:
- Create a function, g1, that calculates a partial result for each share of the secret.
- Create a function, g2, that calculates the complete result, given the partial results from each share.
Specific Example:
Calculate f(m) = m^s given m, n = 2, and t = 2, while protecting s.
Solution:
- Randomly select s1 and s2 such that s1 + s2 = s.
- Let g1(m, si) = m^si
- Let g2(g1(m, s1), g1(m, s2)) = g1(m, s1) * g1(m, s2), which equals m^(s1 + s2) = m^s
Terminology:
The 3-step process given above is called function sharing.
If the secret is a private key and f(x) is a crypto function, then the protocol is called threshold cryptography.