4th ETSI/IQC Workshop on Quantum-Safe Cryptography
19-21 Sep 2016
Case study on long-lived system
“QKD perspective”
Masahide Sasaki
Email: [email protected]
Tel: 042-327-6524
Framework of long-lived system
Introduced by Johannes Buchmann (TU Darmstadt)
[Figure: a distributed storage network built from four blocks: commitment, timestamp, secret sharing and QKD. Integrity side: commitment and timestamp give a “proof of existence”, carried over authenticated channels. Confidentiality side: secret sharing and QKD, carried over private channels.]
Requirements for long-lived system
Purpose: We want a system which can transmit, store, and process critical data securely for a century-scale time span.
Requirements
1. Confidentiality: The data should be accessible only to authorized parties. (Information-theoretically secure encryption)
2. Integrity: The data should remain unaltered. (Signature, authentication)
3. Availability: The data should be available whenever required. (Redundant data backup, fail-safe mechanism)
4. Functionality: The data can be processed without decryption. (Fully homomorphic encryption)
An implementation of long-lived system: secret sharing, (k, n)-threshold scheme
Multiple new data items (shares) are created from the original data and stored in multiple data servers.
An implementation of long-lived system
[Figure: which component covers which requirement]
- Secret sharing, (k, n)-threshold scheme: 1. Confidentiality of storage; 3. Availability; 4. Functionality
- QKD: 1. Confidentiality of data link
- Digital signature, authentication: 2. Integrity. It is sufficient to ensure short-term security for a certain period until re-sharing.
(k, n) threshold secret sharing
Shamir, 1979
[Figure: owner, n shareholders, attacker; data restored from k shares]
Owner:
- Secret data s
- Generate a polynomial of order k-1, $f(x) = s + a_1 x + \dots + a_{k-1} x^{k-1}$, so that $f(0) = s$
- Create n coordinates, the “shares”: $[1, f(1)], \dots, [n, f(n)]$
Data restored:
- Collect k of the shares
- Interpolate the polynomial
- Reconstruct secret data s as f(0)
(k, n) threshold secret sharing
Ex. (3,5)-threshold scheme
[Figure: owner, five shareholders, attacker; data restored from three shares]
Information-theoretic confidentiality: With fewer than k shares (k-1 or fewer), the original data can never be reconstructed; there remain infinitely many possibilities for the polynomial.
Availability: With k or more shares, the polynomial f(x) can be specified. Even if n-k of the shares are lost, the data can be reconstructed.
Functionality (full homomorphism): Shares can be added and multiplied.
Shamir’s secret sharing scheme itself cannot realize integrity.
Security of the channels for data transmission is just assumed.
QKD link, private channel
[Figure: the Tokyo QKD Network (QKD links NEC-0, NEC-1, NTT-NICT, Toshiba, SeQureNet, Gakushuin) with a key management server (KMS) providing secure key supply. The document owner connects at a point of interface; the shareholders form the distributed storage network for secret sharing. The QKD platform is used for encrypting the private channels and for generating the polynomials for secret sharing.]
Assumptions 1/2
- Trusted node in a vault: needs to be protected at the expense of the necessary costs.
- The document owner and the shareholders are outside the vault areas.
- Access rights to the QKD platform and those of the document owner/the shareholders are completely separated.
Assumptions 2/2
- One-way firewall: secure key transfer passes out of the vault; malicious commands are blocked.
- Tamper-resistant metal cable of short distance.
- User authentication.
Integrity protection
(1) Timestamp chains of unconditionally hiding commitments (TU Darmstadt and NICT)
J. Braun, et al., https://eprint.iacr.org/2016/742
Cost for generating and maintaining a proof of existence is independent of the document size.
(2) Single-password secret sharing authentication + Wegman-Carter MAC
Fujiwara, Waseda, Nojima, Moriai, Ogata and Sasaki, Scientific Reports, 6:28988 (2016). On-line
User friendly, but consumes a lot of keys (30 times as long as the document size per store-retrieve cycle).
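Added illustration of why a Wegman-Carter MAC consumes key material: this is not code from the slides or from the cited paper, and the concrete construction is my own choice, a polynomial universal hash over a Mersenne prime field whose output is masked with a fresh one-time key per tag. The hash key r may be reused; the mask k must come fresh from the key supply for every tag, which is what the KeyPool model (assumed, not on the slides) tracks.

```python
import secrets

P = (1 << 127) - 1   # Mersenne prime; field for the universal hash (assumed choice)
BLOCK = 15           # 15 bytes = 120 bits per block, so every block is a field element

def poly_hash(msg: bytes, r: int) -> int:
    """Evaluate the polynomial whose coefficients are the message blocks at the point r.
    The length is prefixed so that messages of different lengths give different polynomials;
    two distinct messages of at most L blocks collide for at most L values of r."""
    blocks = [len(msg)] + [int.from_bytes(msg[i:i + BLOCK], "big")
                           for i in range(0, len(msg), BLOCK)]
    acc = 0
    for b in blocks:                 # Horner's rule
        acc = (acc * r + b) % P
    return acc

def mac(msg: bytes, r: int, k: int) -> int:
    """Wegman-Carter tag: universal hash under r, masked by a one-time key k.
    k must never be reused; r may be shared across messages."""
    return (poly_hash(msg, r) + k) % P

def verify(msg: bytes, tag: int, r: int, k: int) -> bool:
    return mac(msg, r, k) == tag

class KeyPool:
    """Models a finite pool of QKD-delivered key bits: every tag draws a fresh 127-bit mask,
    so the pool shrinks with each message authenticated (constructed model)."""
    def __init__(self, bits: int):
        self.bits = bits

    def draw_mask(self) -> int:
        if self.bits < 127:
            raise RuntimeError("key pool exhausted: no fresh mask for another tag")
        self.bits -= 127
        return secrets.randbelow(P)

if __name__ == "__main__":
    pool = KeyPool(127 * 3)                    # enough key for three tags
    r = secrets.randbelow(P)
    doc = b"constructed sample record"         # constructed message
    k = pool.draw_mask()
    tag = mac(doc, r, k)
    print(verify(doc, tag, r, k), verify(doc + b"!", tag, r, k), pool.bits)
```

Each store-retrieve cycle on the slides spends key on both the private channels and on tags like these, which is the cost that the timestamp-chain approach avoids.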
Tutorial example: (3, 3) threshold scheme
[Figure: owner holding document D; shareholders holding share 1, share 2 and share 3 of D]
Owner: 2nd order polynomial $f(x) = s + a^{(1)} x + a^{(2)} x^2$; share j of D is $f(j)$ for j = 1, 2, 3.
Single-password SS authentication
Passwords have been used in many cases because they are simple and convenient.
However, a password is not completely secure, and at least not information-theoretically secure.
So we make shares of the password and store them in multiple holders.
In this way we keep the convenience of a password together with information-theoretic security.
Fujiwara, Waseda, Nojima, Moriai, Ogata and Sasaki, Scientific Reports, 6:28988 (2016). On-line
Single-password SS authentication
(1) Owner creates and sends shares of D and P by using the
2nd order polynomial $f_D(x) = D + a_D^{(1)} x + a_D^{(2)} x^2$ and the
1st order polynomial $f_P(x) = P + a_P^{(1)} x$.
[Figure: owner holds document D and password P; shareholder j (j = 1, 2, 3) receives a share of the data, $f_D(j)$, and a share of the password, $f_P(j)$.]
Single-password SS authentication
(2) Each shareholder generates a random number $R_j$.
[Figure: shareholder j now holds $f_D(j)$, $f_P(j)$ and the random number $R_j$.]
Single-password SS authentication
(3) Each shareholder makes shares of $R_j$ by using the 1st order polynomial $f_{R_j}(x) = R_j + a_{R_j}^{(1)} x$.
[Figure: shareholder j holds $f_{R_j}(1), f_{R_j}(2), f_{R_j}(3)$ in addition to $f_D(j)$ and $f_P(j)$.]
Single-password SS authentication
(4) Each shareholder generates shares of “0” by using the 2nd order polynomial $f_{0_j}(x) = a_{0_j}^{(1)} x + a_{0_j}^{(2)} x^2$ such that $f_{0_j}(0) = 0$.
These are used to mask the document shares $f_D(j)$ in the reconstruction phase.
[Figure: shareholder j holds $f_{0_j}(1), f_{0_j}(2), f_{0_j}(3)$, $f_{R_j}(1), f_{R_j}(2), f_{R_j}(3)$, $f_D(j)$ and $f_P(j)$.]
Single-password SS authentication
(5) Shareholders exchange the shares of $R_j$ and “0” with each other.
[Figure: after the exchange, shareholder j holds $f_{0_1}(j), f_{0_2}(j), f_{0_3}(j)$, $f_{R_1}(j), f_{R_2}(j), f_{R_3}(j)$, $f_D(j)$ and $f_P(j)$.]
Single-password SS authentication
(6) Owner remembers the password, say $P'$, and generates shares of $P'$ by using the 1st order polynomial $f_{P'}(x) = P' + a_{P'}^{(1)} x$.
[Figure: owner holds password $P'$ and the shares $f_{P'}(1), f_{P'}(2), f_{P'}(3)$; the shareholders hold the same values as after step (5).]
Single-password SS authentication
(7) Owner sends the password shares to the shareholders.
[Figure: shareholder j receives $f_{P'}(j)$ and adds it to the values it already holds.]
Single-password SS authentication
(8) The shareholders compute the three quantities R(j), Z(j) and F(j), for j = 1, 2, 3:
$Z(j) = f_{0_1}(j) + f_{0_2}(j) + f_{0_3}(j)$
$R(j) = f_{R_1}(j) + f_{R_2}(j) + f_{R_3}(j)$
$F(j) = [f_P(j) - f_{P'}(j)]\,R(j) + Z(j) + f_D(j)$
Single-password SS authentication
(9) Shares F(1), F(2) and F(3) are sent to the owner.
[Figure: shareholder j sends $F(j) = [f_P(j) - f_{P'}(j)]\,R(j) + Z(j) + f_D(j)$ to the owner; the remaining values at each shareholder are marked “discarded”.]
Single-password SS authentication
(10) The owner finds a polynomial F(x) with F(1), F(2) and F(3) by interpolation.
[Figure: F(x) plotted through the three points F(1), F(2), F(3).]
Single-password SS authentication
(11) If the password is wrong, $P' \neq P$, then $f_D(1)$, $f_D(2)$ and $f_D(3)$ are masked by R(1), R(2), R(3), Z(1), Z(2) and Z(3).
No information on D is leaked.
Single-password SS authentication
(12) If the password is correct, $P' = P$, then
$F(j) = Z(j) + f_D(j)$ for j = 1, 2, 3,
where $Z(j) = f_{0_1}(j) + f_{0_2}(j) + f_{0_3}(j)$ and $Z(0) = 0$.
Note that $F(0) = f_D(0) = D$.
The owner can reconstruct the original document as F(0) from the interpolated F(x). Congratulations!
[Figure: F(x) drawn through F(1), F(2), F(3), meeting the axis at F(0) = D.]
To go beyond the limit of the threshold number “k”
An attacker may actively move around the shareholders.
It is likely that the number of corrupted shareholders must increase as time elapses.
Proactive secret sharing: A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, CRYPTO'95, LNCS 963, 339, 1995.
Renewal of shares at certain intervals. Keys are consumed.
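Added worked example, not code from the slides or from the cited papers, covering three of the passages above: Shamir (k, n) threshold sharing with reconstruction from k shares and the additive homomorphism, the single-password SS authentication of steps (1) to (12) in the (3, 3) tutorial setting, and a proactive renewal of shares by adding shares of “0”. The prime field, the encoding of D and P as single field elements, and all function names are my own assumptions; a real document would be cut into many field elements and each handled the same way.

```python
import secrets

P = (1 << 61) - 1   # prime modulus (assumed); D, P, R_j and all shares live in GF(P)

def eval_poly(coeffs, x):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... evaluated at x, mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def make_shares(secret, k, n):
    """Shamir: order k-1 polynomial with f(0) = secret; returns the shares [j, f(j)], j = 1..n."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(j, eval_poly(coeffs, j)) for j in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation through the given (x, y) points, evaluated at x = 0.
    Exact only if at least degree+1 correct points are supplied."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # den^-1 by Fermat
    return total

def add_shares(a, b):
    """Additive homomorphism: shares of s1 and s2 added pointwise are shares of s1 + s2."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]

def refresh(shares, k):
    """Proactive renewal: every holder shares "0" with an order k-1 polynomial, and each
    holder adds the pieces addressed to it. f(0) is unchanged; old and new shares no
    longer interpolate to the secret together, so shares stolen before the renewal expire."""
    n = len(shares)
    zero_shares = [make_shares(0, k, n) for _ in range(n)]
    return [(x, (y + sum(z[j][1] for z in zero_shares)) % P)
            for j, (x, y) in enumerate(shares)]

N = 3   # the (3, 3) tutorial setting: three shareholders, all three needed

def store(document, password):
    """Step (1): owner shares D with an order-2 and P with an order-1 polynomial;
    shareholder j keeps the pair (f_D(j), f_P(j))."""
    d = make_shares(document, 3, N)
    p = make_shares(password, 2, N)
    return [{"fD": d[j][1], "fP": p[j][1]} for j in range(N)]

def retrieve(holders, password_attempt):
    """Steps (2) to (12) of single-password SS authentication; returns the owner's F(0)."""
    # (2)-(3): shareholder i picks R_i and shares it with an order-1 polynomial f_{R_i}
    r_shares = [make_shares(secrets.randbelow(P), 2, N) for _ in range(N)]
    # (4): shareholder i shares "0" with an order-2 polynomial f_{0_i}, f_{0_i}(0) = 0
    z_shares = [make_shares(0, 3, N) for _ in range(N)]
    # (6)-(7): owner shares the remembered password P' and sends f_{P'}(j) to shareholder j
    pp = make_shares(password_attempt, 2, N)
    # (5), (8): after the exchange, shareholder j sums the pieces addressed to it and forms F(j)
    F = []
    for j in range(N):
        Rj = sum(r[j][1] for r in r_shares) % P
        Zj = sum(z[j][1] for z in z_shares) % P
        Fj = ((holders[j]["fP"] - pp[j][1]) * Rj + Zj + holders[j]["fD"]) % P
        F.append((j + 1, Fj))
    # (9)-(12): F(x) has order 2, so three points fix it. At x = 0 the password term is
    # (P - P') * R(0) and Z(0) = 0, hence F(0) = D exactly when P' = P; otherwise F(0) is
    # masked by the uniformly random R(0) = R_1 + R_2 + R_3 and reveals nothing about D.
    return reconstruct(F)

if __name__ == "__main__":
    D = int.from_bytes(b"genome1", "big")   # constructed sample document, one field element
    PW = int.from_bytes(b"s3cret", "big")   # constructed sample password
    holders = store(D, PW)
    print(retrieve(holders, PW) == D)       # True
    print(retrieve(holders, PW + 1) == D)   # False (except with probability 1/P)
```

The shareholders never see P, P' or D in the clear: each only holds one share of each, and a wrong P' gives the owner a uniformly random value rather than an error that could be used to narrow down the password. Multiplication of shares, which the slides also list under functionality, raises the polynomial order and is deliberately left out here.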
Key rates of QKD
QKD link vendor | Protocol        | Transmission length (km)                 | Secure key rate (bps) | Loss (dB)
NEC-0           | BB84 with decoy | 50 (spooled fiber, NICT premises)        | 200k                  | 10
NEC-1           | BB84 with decoy | 22 (field installed, 95% aerial line)    | 200k                  | 13
Toshiba         | BB84 with decoy | 45 (field installed, 50% aerial line)    | 300k                  | 14.5
NTT-NICT        | DPS-QKD         | 90 (field installed, 50% aerial line)    | 10k                   | 28.6
Gakushuin       | CV-QKD          | 2 (NICT premises)                        | 100k                  | 2
To prevent the system from being bottlenecked by the slowest QKD link (10 kb/s), keys are relayed between appropriate KMAs.
The minimum throughput of key supply to each private channel can thus be raised up to KeyRateQKD = 40 kb/s.
Document size to be handled
The document size we can handle is
$\mathrm{size}_s = t_s \cdot \mathrm{KeyRate}_{\mathrm{QKD}} / \{n(n-1)\}$,
where $t_s$ is the interval of share renewal and n is the number of shareholders.
Assume that $t_s$ = 10 years and n = 4:
- KeyRateQKD = 40 kb/s (our current network): size_s = 131 GB
- KeyRateQKD = 1 Mb/s @50 km (in a few years): size_s = 3.3 TB
- KeyRateQKD = 1 Gb/s @50 km (challenge): petabyte size, e.g. the human genomic data of 4100 persons
Means of raising the key rate: dense wavelength division multiplexing (100~1000 channels) and fast key distillation processing.
Summary
Proof-of-principle demonstration of a long-lived system
- Integrity: timestamp chains of unconditionally hiding commitments; password secret sharing authentication
- Confidentiality: secret sharing + QKD
Future works
- Implementation of proactive secret sharing
- Improvement of QKD key rate
Thank you for your attention
Collaborators
Fujiwara, Sasaki, NICT
Yoshino, Tajima, Ochi, Sakamoto, Shimamura, Asami, Kondo,
Izuka, Domeki, NEC
Dynes, Dixon, Sharpe, Yuan, Lucamarini, Shields, Toshiba
Honjo, Tamaki, Shimizu, NTT
Hirano, Gakushuin U.
Tomita, Hokkaido U.
Shibata, Yamanaka, Kobayashi, Tsurumaru, Matsui, Mitsubishi
Waseda, Nojima, Moriai, NICT
Ogata, TITech
Braun, Demirel, Geihs, Buchmann, TU Darmstadt