Secret Sharing and its Application to Electronic Voting
Akash Chandrayan (08d17015)
Appu R P (08D17007)
Prathamesh Dashpute (08D04007)
Secret sharing
Secret sharing refers to a method for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number of shares are combined together; individual shares are of no use on their own.
History*
Map of Space*
Blakley’s Scheme
• Secret is encoded as a point in a space.
• Keys are given as hyperplanes rotated around the point in space. Therefore the intersection of t hyperplanes will be the key.
Problems with Blakley’s Scheme
• Not secure: if three keys are required, having two lets someone know the secret is on a line.
• Less space efficient: keys are t times larger than the original secret, where t is the number of keys needed to get the secret.
Shamir’s Scheme
• Mathematically the goal is to divide some data $D$ into $n$ pieces $D_1, \dots, D_n$.
• The following criteria are met:
– Knowledge of any $k$ or more $D_i$ pieces makes $D$ computable.
– Knowledge of any $k-1$ or fewer $D_i$ pieces leaves $D$ completely undetermined.
• This scheme is called a $(k, n)$ threshold scheme.
• The scheme turns the secret into a polynomial of degree k, where k is the number of keys needed to get the secret.
• Choose at random $k-1$ coefficients $a_1, \dots, a_{k-1}$ and let $a_0$ be the secret.
$f(x) = a_0 + a_1 x + \dots + a_{k-1} x^{k-1}$
• Select randomly any n points out of it (i , f(i)).
• Every participant is given a point.
Verifiable Secret Sharing (VSS)
In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol.
In publicly verifiable secret sharing (PVSS), it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares.
Publicly Verifiable Secret Sharing (PVSS)
• Proof of correctness for each share released.
• No private channels between the dealer and the participants are assumed.
• All communication is done over (authenticated) public channels using public key encryption.
Model for non-interactive PVSS
Initialization
• Generation of system parameters.
• Registration of Participants.
The actual set of participants taking part in a run of the PVSS scheme must be a subset of the registered participants.
Distribution
• The distribution of a secret s is performed by the dealer D.
• The dealer first generates the respective shares $s_i$ for participant $P_i$. For each participant $P_i$ the dealer publishes the encrypted share $E_i(s_i)$.
• The dealer also publishes a string $\mathrm{PROOF}_D$ to show that each $E_i$ encrypts a share $s_i$.
• The string $\mathrm{PROOF}_D$ commits the dealer to the value of secret $s$, and it guarantees that the reconstruction protocol will result in the same value $s$.
Verification of the shares.
• Any party knowing the public keys for the encryption methods $E_i$ may verify the shares.
• For each participant $P_i$ a non-interactive verification algorithm can be run on $\mathrm{PROOF}_D$ to verify that $E_i(s_i)$ is a correct encryption of a share for $P_i$.
If verifications fail => dealer fails, protocol is aborted.
Reconstruction
The protocol consists of two steps:
1. Decryption of the shares. The participants decrypt their shares $s_i$ from $E_i(s_i)$. It is not required that all participants succeed in doing so, as long as a qualified set of participants is successful. These participants release $s_i$ plus a string $\mathrm{PROOF}_{P_i}$ that shows that the released share is correct.
2. Pooling the shares. The strings $\mathrm{PROOF}_{P_i}$ are used to exclude the participants which are dishonest or fail to reproduce their share $s_i$ correctly. Reconstruction of the secret $s$ can be done from the shares of any qualified set of participants.
The Math
The prover knows $\alpha$ such that $h_1 = g_1^{\alpha}$ and $h_2 = g_2^{\alpha}$:
1. The prover sends $a_1 = g_1^{w}$ and $a_2 = g_2^{w}$ to the verifier.
2. The verifier sends a random challenge $c$ to the prover.
3. The prover responds with $r = w - \alpha c \pmod q$.
4. The verifier checks that $a_1 = g_1^{r} h_1^{c}$ and $a_2 = g_2^{r} h_2^{c}$.
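The four steps above (the Chaum-Pedersen proof that two discrete logarithms are equal), with both sides of the exchange, as an added example that is not part of the original slides. The toy group (p = 2039, q = 1019, g1 = 4, g2 = 9), the subgroup check and all names are assumptions made for the illustration.

```python
import secrets

p, q = 2039, 1019   # constructed toy safe prime p = 2q + 1; far too small for real use
g1, g2 = 4, 9       # squares mod p, so each generates the subgroup of order q

class Prover:
    def __init__(self, alpha):
        self.alpha = alpha % q          # the witness: h1 = g1^alpha, h2 = g2^alpha

    def commit(self):                   # step 1: a1 = g1^w, a2 = g2^w
        self.w = secrets.randbelow(q)
        return pow(g1, self.w, p), pow(g2, self.w, p)

    def respond(self, c):               # step 3: r = w - alpha*c mod q
        return (self.w - self.alpha * c) % q

def verify(h1, h2, a1, a2, c, r):       # step 4
    # Added hardening (not on the slide): h1 and h2 must lie in the order-q subgroup.
    in_group = all(1 < h < p and pow(h, q, p) == 1 for h in (h1, h2))
    return (in_group
            and a1 == pow(g1, r, p) * pow(h1, c, p) % p
            and a2 == pow(g2, r, p) * pow(h2, c, p) % p)

def run(alpha, h1, h2, c=None):
    """One protocol run; pass c to fix the verifier's challenge, e.g. in tests."""
    prover = Prover(alpha)
    a1, a2 = prover.commit()
    if c is None:
        c = secrets.randbelow(q)        # step 2: random challenge
    return verify(h1, h2, a1, a2, c, prover.respond(c))
```

A statement with unequal exponents passes only when the challenge happens to hit one specific value, so the soundness error is 1/q per run.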
Distribution & Verification
• Distribution of the shares. The dealer picks a random polynomial $p$ of degree at most $t - 1$ with coefficients in $\mathbb{Z}_q$.
The dealer shows that the encrypted shares are consistent by producing a proof of knowledge of the unique $p(i)$, $1 \le i \le n$, satisfying
Reconstruction
• Decryption of the shares: Using its private key $x_i$, each participant finds the share $S_i = G^{p(i)}$ which comes from
• Proof :
Homomorphic Secret Sharing
• Benaloh [Ben87a]
Electronic Voting
• An election proceeds in two phases
– Ballot Casting: Voters post their vote in encrypted form. The validity of the vote can be publicly verified.
– Tallying: The talliers use their private keys to collectively compute the final tally corresponding to the accumulation of all valid ballots.
• Technically each voter will act as a dealer in the PVSS scheme.
Ballot Casting
• A voter casts a vote $v \in \{0, 1\}$ and encrypts it as $U = G^{s+v}$, where $s$ is a random number.
• The voter constructs a $\mathrm{PROOF}_U$ showing that $v \in \{0, 1\}$ without revealing any information on $v$. $\mathrm{PROOF}_U$ refers to the value of $C_0 = g^s$, which is also published.
Tallying
• The tallying protocol uses the reconstruction protocol of the special PVSS scheme and the homomorphic property.
• Accumulate all the respective shares and compute the values $Y_i^*$, where $j$ ranges over all voters.
• Next each tallier $A_i$ applies the reconstruction protocol to the value $Y_i^*$, which will produce
• Combining with we obtain
• From this the tally can be computed efficiently.
Example*
The following example illustrates a sample voting with 5 voters among which 2 are talliers. $\langle \mathbb{Z}_{13}^*, *_{13} \rangle$ is the cyclic group under which we shall be working.
Generators used are $g = 2$ and $G = 7$. Note that all the computations henceforth are mod 13.

| Private Keys | Public Keys | Vote | S (random numbers) | U (encrypted votes) | $g^s$ |
| --- | --- | --- | --- | --- | --- |
| 1 | 7 | 0 | 7 | 6 | 11 |
| 2 | 10 | 1 | 8 | 8 | 9 |
| 3 | 5 | 1 | 1 | 10 | 2 |
| 4 | 9 | 0 | 2 | 10 | 4 |
| 5 | 11 | 0 | 11 | 2 | 7 |

The value of $C_0 = g^s$ is published as part of the PVSS distribution protocol, and shows that $\log_G U = \log_g C_0$ OR $\log_G U = 1 + \log_g C_0$ (the vote is 0 or 1).
Example contd.
Since there are 2 talliers, all the votes can be combined iff all of them agree to tally. For this to work, the curves used would simply be straight lines with the constant term as the secret values $s$.

| Polynomial $p_i(x)$ | $p_i(1)$ | $p_i(2)$ |
| --- | --- | --- |
| 3x+7 | 10 | 13 |
| 4x+8 | 12 | 16 |
| x+1 | 2 | 3 |
| 11x+2 | 13 | 24 |
| 7x+11 | 18 | 25 |

Note that the voters do not publish $p_i(1)$ or $p_i(2)$. They publish $Y_{ij}$, which is $y_i^{p_j(i)}$.
$y_i$ is the public key of tallier $i$. Since we have only 2 talliers, I have computed the values of $p_i(1)$ and $p_i(2)$ in the table itself and avoided $y_i^{p_j(i)}$ for clarity.
Example contd.
Next we compute the values of $Y_1^*$ and $Y_2^*$.
$Y_1^* = 7^{(10+12+2+13+18)} = 7^{55} = 6$
$Y_2^* = 10^{(13+16+3+24+25)} = 10^{81} = 12$
Now the values of $S_1$ and $S_2$ can be computed by the respective talliers by using their private keys $x_1 = 1$ and $x_2 = 2$.
Therefore $S_1 = (Y_1^*)^{1/x_1} = 6$ and $S_2 = (Y_2^*)^{1/x_2} = 12^{1/2} = 5$.
Next comes the homomorphic combination of secrets by computing
$\lambda_1 = 2$, $\lambda_2 = -1$; $G^s = 6^2 \cdot 5^{-1} = 9/2 = 9 \cdot 7 = 63 = 11$
Example contd.
Now let's combine the encrypted votes ($U_j = G^{s_j+v_j}$):
$G^{s+v} = 6 \cdot 8 \cdot 10 \cdot 10 \cdot 2 = 9600 = 6$.
Almost there: $G^{s+v}/G^s = G^v = 6/11 = 6 \cdot 6 = 10$, and $G^v = 10 \Rightarrow 7^v = 10 \Rightarrow v = 2$, because $7^2 = 49$ and $49 \bmod 13 = 10$. This agrees with the vote count given in the table. That is it!
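The whole example can be replayed in code. The script below is an added example, not part of the original slides: it uses the tables' values (mod 13, g = 2, G = 7, the five lines p_j, tallier keys x_1 = 1 and x_2 = 2) and omits the proofs; function and variable names are illustrative.

```python
P = 13                      # modulus from the slides; Z_13^* has order 12
g, G = 2, 7                 # the slides' two generators
votes  = [0, 1, 1, 0, 0]    # v_j
s_vals = [7, 8, 1, 2, 11]   # s_j, the constant terms
slopes = [3, 4, 1, 11, 7]   # p_j(x) = slopes[j]*x + s_vals[j]
x = {1: 1, 2: 2}            # talliers' private keys x_i
y = {i: pow(G, xi, P) for i, xi in x.items()}   # public keys y_i = G^{x_i}
lam = {1: 2, 2: -1}         # Lagrange coefficients at 0 for the points 1 and 2

def p(j, i):
    return slopes[j] * i + s_vals[j]

def ballots():
    """Published per voter: U_j = G^{s_j+v_j} and C0_j = g^{s_j}."""
    return [(pow(G, s + v, P), pow(g, s, P)) for s, v in zip(s_vals, votes)]

def Y_star(i):
    """Y_i^* = prod_j y_i^{p_j(i)}: product of the encrypted shares for tallier i."""
    out = 1
    for j in range(len(votes)):
        out = out * pow(y[i], p(j, i), P) % P
    return out

def S(i):
    # Taken straight from the exponents, as the slides' table does. x_2 = 2 has no
    # inverse mod 12, so (Y_2^*)^(1/x_2) is not unique in this toy group; a
    # prime-order group removes that ambiguity.
    value = pow(G, sum(p(j, i) for j in range(len(votes))), P)
    assert pow(value, x[i], P) == Y_star(i)     # consistent with the published Y_i^*
    return value

def tally():
    G_s = 1
    for i in lam:
        G_s = G_s * pow(S(i), lam[i], P) % P    # G^{sum_j s_j}
    G_sv = 1
    for U, _ in ballots():
        G_sv = G_sv * U % P                     # G^{sum_j (s_j + v_j)}
    G_v = G_sv * pow(G_s, -1, P) % P
    # the tally is at most the number of voters, so search for the exponent
    return next(v for v in range(len(votes) + 1) if pow(G, v, P) == G_v)
```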
A few other applications
Revocable Electronic Cash
Software Key Escrow
Bank Accounts
Confidential data
Cloud Computing*
*were not mentioned during presentation
Thank You!