Computer Security Secret Key Encryption - Essay - Computer Science, Essays (high school) of Software Engineering


Typology: Essays (high school)

2011/2012

Uploaded on 04/16/2012

CS 161 Computer Security
Fall 2005 Joseph/Tygar/Vazirani/Wagner Notes 16

In a secret sharing scheme there is a trusted authority TA and $n$ users $U_1, \ldots, U_n$. The TA has a secret value $K$ called the secret or key. The TA uses a share generation algorithm to split $K$ into $n$ shares $s_1, \ldots, s_n$. Each share $s_i$ is then transmitted to user $U_i$ by a secure channel. The secret sharing protocol guarantees that two properties hold:

  • A reconstruction algorithm can be used to efficiently reconstruct the secret $K$ from any $t$ of the $n$ shares.
  • Any $t-1$ of the $n$ shares reveal no information about the secret $K$.

Such a scheme is called an $(n, t)$ threshold scheme.

For example, if the secret $K$ is an integer between $0$ and $M-1$, then an $(n, n)$ threshold scheme can be obtained by selecting $s_1, \ldots, s_{n-1}$ uniformly at random between $0$ and $M-1$, and setting $s_n = K - \sum_{i=1}^{n-1} s_i \bmod M$. Now,

  • $K = \sum_{i=1}^{n} s_i \bmod M$.
  • Given all shares except $s_j$, $K$ can take on any value modulo $M$.
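The $(n, n)$ scheme above as a short Python sketch. This is an added example, not code from the original notes; the function names are hypothetical and `secrets.randbelow` stands in for "uniformly at random".

```python
import secrets

def split_additive(K, n, M):
    """Split K into n shares whose sum is K modulo M."""
    if n < 2 or not 0 <= K < M:
        raise ValueError("need n >= 2 and 0 <= K < M")
    # s_1 .. s_{n-1} are uniform in [0, M-1], drawn from a CSPRNG.
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    # s_n = K - (s_1 + ... + s_{n-1}) mod M
    shares.append((K - sum(shares)) % M)
    return shares

def reconstruct_additive(shares, M):
    """K is the sum of all n shares modulo M."""
    return sum(shares) % M

def missing_share_for(known, candidate, M):
    """Given n-1 shares, the one value of the missing share that would
    make `candidate` the secret. It exists for every candidate, which is
    why n-1 shares say nothing about K."""
    return (candidate - sum(known)) % M

if __name__ == "__main__":
    M = 2**32                       # constructed demo modulus
    K = 0xC0FFEE                    # constructed demo secret
    shares = split_additive(K, 4, M)
    print(reconstruct_additive(shares, M) == K)
    known = shares[:2] + shares[3:]          # everything except s_3
    for guess in (0, 1, K, M - 1):
        s3 = missing_share_for(known, guess, M)
        print(guess, reconstruct_additive(known + [s3], M) == guess)
```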

To understand how to implement a general $(n, t)$ threshold scheme we need to understand some properties of polynomials modulo a prime $p$. While working modulo a prime $p$, we can add, subtract and multiply numbers, as well as divide numbers as long as we are not dividing by 0. So we can consider polynomials whose coefficients are elements modulo $p$. For example $f(x) = x^2 + 2x + 4 \bmod 5$. It turns out that such polynomials have many of the same properties as polynomials with real coefficients:

Polynomials

  • A polynomial of degree $n$ over a field $F$ has at most $n$ roots (this can be proved by induction).
  • A polynomial $P$ of degree $n$ is uniquely determined by any $n+1$ distinct pairs $(x_i, y_i)$ such that $P(x_i) = y_i$ (this follows immediately from the previous property).

Suppose that we are given the value of a polynomial $P(x)$ of degree $n$ at $n+1$ points: $P(a_i) = b_i$ for $i = 1$ to $n+1$. How do we reconstruct the unique polynomial $P(x)$ of degree $n$ satisfying these $n+1$ constraints?

Consider the following polynomials of degree $n$:

For $i = 1, 2, \ldots, n+1$, define

$$\Delta_i(x) = \Bigl(\prod_{j \ne i} (a_i - a_j)\Bigr)^{-1} \prod_{j \ne i} (x - a_j).$$


Notice that $\Delta_i(a_i) = 1$ and, for $1 \le j \le n+1$ with $j \ne i$, $\Delta_i(a_j) = 0$. It follows that the desired polynomial is $P(x) = \sum_{i=1}^{n+1} b_i \Delta_i(x)$.

The process we have just gone through—explicitly constructing a polynomial that passes through a number of given points—is called Lagrange interpolation.

If $n = 3$, and $a_i = i$, for instance, then

$\Delta_1(x) = ((1-2)(1-3))^{-1}(x-2)(x-3) = 2^{-1}(x-2)(x-3)$

$\Delta_2(x) = ((2-1)(2-3))^{-1}(x-1)(x-3) = (-1)^{-1}(x-1)(x-3)$

$\Delta_3(x) = ((3-1)(3-2))^{-1}(x-1)(x-2) = 2^{-1}(x-1)(x-2).$

Secret Sharing

Suppose the U.S. government finally decides that a nuclear strike can be initiated only if at least t > 1 major officials agree to it (what a “major official” is doesn’t really matter to us). We want to devise a scheme such that (1) any group of t of these officials can pool their information to figure out the launch code and initiate the strike but (2) no group of t − 1 or fewer can conspire to find the code. How can we accomplish this?

Suppose that there are $n$ officials and that the launch code is some natural number $K$. Let $p$ be a prime number larger than both $n$ and the secret $K$; we will work with numbers modulo $p$ from now on.

Now pick a random polynomial $f$ of degree $t-1$ such that $f(0) = K$. The share $s_i = f(i)$ for $i = 1$ to $n$.

  • Any $t$ officials, having the values of the polynomial at $t$ points, can use Lagrange interpolation to reconstruct the polynomial $f$, and once they know $f$, they can compute $f(0) = K$ to learn the secret.
  • Any group of $t-1$ officials has no information about $K$. All they know is that there is a polynomial of degree $t-1$ passing through their $t-1$ points such that $f(0) = K$. However, for each possible value $f(0) = b$, there is a unique polynomial that is consistent with the information of the $t-1$ officials, and satisfies the constraint that $f(0) = b$.
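The polynomial scheme and the Lagrange interpolation it relies on, as a runnable Python sketch. This is an added example, not code from the original notes; the function names and the demo prime are assumptions, and `pow(den, -1, p)` (Python 3.8+) computes the inverse modulo $p$.

```python
import secrets

def lagrange_eval(points, x, p):
    """Value at x of the unique polynomial of degree < len(points)
    through the given (a_i, b_i) pairs, working modulo the prime p."""
    total = 0
    for i, (a_i, b_i) in enumerate(points):
        num = den = 1
        for j, (a_j, _) in enumerate(points):
            if j != i:
                num = num * (x - a_j) % p      # product of (x - a_j)
                den = den * (a_i - a_j) % p    # product of (a_i - a_j)
        # Delta_i(x) = den^{-1} * num; pow(den, -1, p) is the inverse mod p
        total = (total + b_i * num * pow(den, -1, p)) % p
    return total

def split(K, n, t, p):
    """Shares s_i = f(i), i = 1..n, for a random f with f(0) = K."""
    if not (1 < t <= n < p and 0 <= K < p):
        raise ValueError("need 1 < t <= n < p and 0 <= K < p")
    # Coefficients drawn uniformly from a CSPRNG, so deg f <= t - 1.
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):             # Horner's rule mod p
            acc = (acc * x + c) % p
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(shares, p):
    """Recover K = f(0) from any t shares."""
    return lagrange_eval(shares, 0, p)

def unseen_share_values(partial, x, p):
    """For t-1 known shares, the value the share at x would take under
    each candidate secret b = f(0). Small p only: it enumerates Z_p."""
    return {b: lagrange_eval([(0, b)] + partial, x, p) for b in range(p)}

if __name__ == "__main__":
    P = 2**127 - 1                             # a prime (constructed demo value)
    shares = split(123456789, n=5, t=3, p=P)
    print(reconstruct(shares[:3], P), reconstruct(shares[2:], P))
    table = unseen_share_values(split(42, 5, 3, 101)[:2], 3, 101)
    print(len(set(table.values())))            # every secret stays possible
```

`unseen_share_values` maps the 101 candidate secrets to 101 distinct values of the missing share, so two shares of a $t = 3$ scheme rule out no value of $K$.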
