Proactive Secret Sharing Or: How to Cope With Perpetual Leakage
Paper by Amir Herzberg, Stanislaw Jarecki, Hugo Krawczyk, Moti Yung
Presentation by David Zage
What is Secret Sharing?
- Basic idea ((2, 2)-threshold scheme): two friends find a map to buried treasure!! Who do we trust? Neither: each gets a share of the map.
- Based on threshold cryptography.
Why Do We Need Proactive Sharing?
- Secret sharing is a fundamental tool for protecting sensitive data.
- How do we protect the data from gradual server break-ins?
  - Renew the data: not good for long-lived data.
  - Renew the secret: good! The attacker must compromise k+1 servers within one time period instead of over the entire life of the system.
System Assumptions
System:
- (k+1, n)-threshold scheme
- Secure encryption and signatures exist
- Synchronized, secure broadcasts over a common medium
- Data is actually destroyed when erased
Mobile adversary:
- Byzantine corruption can occur at any time
- The adversary can corrupt no more than k out of n servers, where k < n/2
- The adversary is connected to the communication medium but cannot interfere with communication
Removing an Adversary from a Server
- Adversaries are removable through reboot procedures.
- Honest servers always detect and remove misbehaving servers.
- DOS attacks on the communication medium are not taken into account (further papers address this using asynchronous systems).
Definitions
- Semantically secure: security is measured in terms of entropy and change. The scheme is semantically secure if, for any function computable on the secret, the difference in the probability of learning information between rounds is negligible.
- Robust: the scheme guarantees the correct reconstruction of the secret at any time, and tolerates up to k Byzantine faults.
Cryptographic Tools: Shamir's Secret Sharing
- The dealer chooses a polynomial f of degree k over a finite field with f(0) = secret.
- The dealer calculates $v_i = f(i)$ and secretly sends $v_i$ to server i.
- The secret can now be reconstructed from any k+1 pieces $v_i$ by polynomial interpolation.
Cryptographic Tools: Verifiable Secret Sharing
- g is an element of the finite field from which the polynomial f was chosen.
- The values $g^{f_0}, g^{f_1}, \dots, g^{f_k}$ (one per coefficient of f) are broadcast to every server before the secret shares are sent.
- When server i receives its secret share $x_i$ it checks: $g^{x_i} = (g^{f_0})(g^{f_1})^{i}(g^{f_2})^{i^2}\cdots(g^{f_k})^{i^k}$
- If the equation holds, the share is a valid share.
With VSS there is more information to attack?!?
- Information can be learned from each of the $g^{x_i}$.
- What can be done:
  - Use a different scheme where the extra information is already released (ElGamal signatures)
  - Place the secret X in an envelope
  - Encode the secret in a longer bit string s
Periodic Share Renewal
- Each server has a pair of public and private keys used for secure communication. Assumption: the attacker cannot modify the keys.
- System initialization: the secret is encoded using Shamir's secret sharing and securely distributed to all servers.
- Time periods for renewal are set arbitrarily by the system administrator.
Basic Share Renewal Protocol
- Each server $P_i$ picks k random numbers from the finite field and creates a polynomial of degree k with zero constant term: $\delta_i(z) = \delta_{i1} z + \delta_{i2} z^2 + \cdots + \delta_{ik} z^k$
- For all other servers $P_j$, $P_i$ secretly sends $\delta_i(j)$ to $P_j$.
- $P_i$ computes its new share by: $x_i^{(t)} = x_i^{(t-1)} + (\delta_{1i} + \delta_{2i} + \cdots + \delta_{ni})$, where $\delta_{ji} = \delta_j(i)$ is the value received from $P_j$.
- $P_i$ updates its share and erases all other data.
Basic Share Renewal Protocol (2)
- Solves share renewal in the face of a passive adversary.
- If all of the servers follow the protocol, then the share renewal protocol is correct, robust and secret:
  - Each new round produces a valid set of secret shares.
  - Any k+1 servers can re-create the secret at any time.
  - With k or fewer shares, no information is learned.
Share Renewal Protocol in the Presence of Active Attackers
- Each server $P_i$ picks k random numbers from the finite field and creates a polynomial of degree k: $\delta_i(z) = \delta_{i1} z + \delta_{i2} z^2 + \cdots + \delta_{ik} z^k$
- Each $P_i$ also computes $\varepsilon_{im} = g^{\delta_{im}}$ for each $m = 1, \dots, k$.
- $P_i$ computes $\delta_i(j)$ and broadcasts the set of $\varepsilon_{im}$ values and the $\delta_i(j)$ values, signed with $P_i$'s signature.
Share Renewal Protocol in the Presence of Active Attackers (2)
- $P_i$ computes its new share by: $x_i^{(t)} = x_i^{(t-1)} + (\delta_{1i} + \delta_{2i} + \cdots + \delta_{ni})$
- and checks the validity of each received $\delta_j(i)$ by computing: $g^{\delta_j(i)} = (\varepsilon_{j1})^{i}(\varepsilon_{j2})^{i^2}\cdots(\varepsilon_{jk})^{i^k}$
- If the messages are correct, $P_i$ broadcasts an accept message.
- If not, $P_i$ broadcasts an accusation against the misbehaving server(s).
Resolving Accusations
- If a faulty server is recognized:
  - Do not use the polynomial broadcast by that server.
  - Reset the server to expel the adversary.
- Three types of possible faults:
  1. Incorrect message format
  2. Zero correct messages, or more than one correct message, from a server
  3. Verifiability equations do not match
- The 3rd type of fault requires extra effort to handle.
Resolving Accusations (2)
- If $P_i$ accuses $P_j$ of cheating, $P_j$ must defend itself.
- If $P_j$ sent a correct $\delta_j(i)$, then it exposes this value and all servers can check it against the $\varepsilon$ values already published during the protocol.
- If $P_j$ defends itself, then $P_i$ is marked as the faulty server, else $P_j$ is marked.
- The share renewal equation becomes: $x_i^{(t)} = x_i^{(t-1)} + \sum_{j \in B} \delta_j(i)$, where B is the set of servers not marked as faulty.
Share Recovery Scheme
- Servers must make sure other servers have not had their keys compromised. Otherwise an adversary could cause the secret to be lost by destroying n-k keys.
- Without recovery, we lose security.
- For practical schemes: during reboot, a server will lose its share and need recovery.
Detecting Corruption
- During initialization, each server stores the set of $y_j^{(t)} = g^{x_j^{(t)}}$ for all the servers' current shares.
- During the secret share update, this set of exponents is also updated in a similar fashion: $y_j^{(t)} = y_j^{(t-1)} \cdot \prod_{a \in B} g^{\delta_{aj}}$
- If, during the update phase, the value of the new x received and the one calculated do not match, the server needs to have its share recovered.
Basic Share Recovery Protocol
- For every failed server r:
  - Every valid $P_i$ picks a random k-degree polynomial $f_i$ such that $f_i(r) = 0$.
  - Every $P_i$ broadcasts $f_i(r)$.
  - Each $P_j$ then creates a new share for r, $x'_j = x_j + \sum_{i \in D} f_i(j)$ (D being the set of valid servers), and sends it to r.
  - r receives the shares and interpolates them to find its secret share $x_r$.
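The dealing, verification, renewal and recovery steps from the slides above, as an added Python example that is not from the paper or the presentation: Shamir shares with the $g^{f_m}$ check, one renewal round in which each $P_j$'s $\delta_j(i)$ is verified against the $\varepsilon_{jm}$ and a misbehaving server is accused, and recovery of a lost $x_r$ from shares masked with $f_i(r) = 0$. The toy parameters P, Q, G and the cheating server are constructed for illustration.

```python
import secrets
from math import prod

# Constructed toy parameters (not from the paper): safe prime P = 2Q + 1; shares
# and coefficients live in Z_Q, commitments in the order-Q subgroup of Z_P^* generated by G.
P, Q, G = 2039, 1019, 4

def rand_poly(k, const):
    """Random degree-k polynomial over Z_Q with constant term `const`."""
    return [const % Q] + [secrets.randbelow(Q) for _ in range(k)]

def evaluate(f, x):
    return sum(c * pow(x, m, Q) for m, c in enumerate(f)) % Q

def commit(f):
    """Feldman commitments g^{f_m}, broadcast before the shares are sent."""
    return [pow(G, c, P) for c in f]

def verify(i, share, comm):
    """The VSS check from the slides: g^{x_i} == prod_m (g^{f_m})^{i^m} (mod P)."""
    return pow(G, share, P) == prod(pow(c, pow(i, m, Q), P) for m, c in enumerate(comm)) % P

def interpolate(points, at):
    """Lagrange interpolation at z = `at` from any k+1 (i, x_i) pairs (mod Q)."""
    def lag(i):
        return prod((at - j) * pow((i - j) % Q, -1, Q) for j, _ in points if j != i) % Q
    return sum(x * lag(i) for i, x in points) % Q

def renew(shares, k, cheater=None):
    """Renewal round: each P_j picks delta_j with delta_j(0) = 0, broadcasts eps_jm =
    g^{delta_jm} and sends delta_j(i) to P_i; a failed check drops delta_j and accuses P_j."""
    new, accused = dict(shares), set()
    for j in shares:
        delta = rand_poly(k, 0)
        sent = {i: evaluate(delta, i) for i in shares}
        if j == cheater:                        # constructed misbehaviour towards P_1
            sent[1] = (sent[1] + 1) % Q
        if all(verify(i, u, commit(delta)) for i, u in sent.items()):
            new = {i: (new[i] + sent[i]) % Q for i in shares}   # x_i^(t) = x_i^(t-1) + sum
        else:
            accused.add(j)                      # P_j is left out of B
    return new, accused

def recover(shares, k, r):
    """Recovery of a lost x_r: each P_i picks f_i with f_i(r) = 0, each P_j sends
    x'_j = x_j + sum_i f_i(j) to r, and r interpolates the received values at z = r."""
    masks = [[-evaluate(f, r) % Q] + f[1:] for f in (rand_poly(k, 0) for i in shares if i != r)]
    blinded = [(j, (x + sum(evaluate(f, j) for f in masks)) % Q)
               for j, x in shares.items() if j != r]
    return interpolate(blinded[:k + 1], r)
```

Any k+1 of the renewed shares still interpolate to the original secret at z = 0, while a dropped polynomial leaves the remaining shares consistent because every honest server discards it together.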
Share Recovery
- Verifiability can be added using the same technique as earlier.
- Used to detect incorrect reconstructions.
- Multiple shares can be recovered in parallel by treating each share as its own secret.
Total Protocol for Proactive Secret Sharing
At the beginning of every time period:
1. Private key renewal protocol (so we do not have to assume the attacker cannot tamper with the public/private communication keys)
2. Share recovery protocol (including lost share detection)
3. Share renewal protocol
Applications
- Proactively share a decryption key for sensitive data
- Proactive function sharing built on proactive secret sharing
- Proactive digital signatures
Summary
- A semantically secure and robust proactive secret sharing scheme based on threshold cryptography and a verifiable secret sharing scheme.
- Takes many aspects of security and builds them into a cohesive unit.