This page reproduces the content of http://www.slideshare.net/kelumkps/how-to-share-a-secret.


Uploaded about 5 years ago (2011/09/03) in Learning


We rely on secrets such as safe combinations, PIN codes, computer passwords, etc. But many things can happen that cause secrets to be lost.

1. Secrets can be lost.

2. Documents get destroyed.

3. Hard disks fail.

4. People forget.

5. People leave companies.

6. People die...

One way to avoid such problems:

Divide the secret data (D) into n pieces so that:

* Knowledge of k pieces is enough to derive the secret data (D).

* Knowledge of any k-1 pieces leaves the secret data (D) completely undetermined.

Such a scheme is called a (k, n) threshold scheme.

This presentation provides an in-depth view of Shamir’s Secret Sharing Scheme.

- How to share a secret

by Adi Shamir

Damitha Premadasa.

Kelum Senanayake.

- Introduction

About the author, Adi Shamir

An Israeli cryptographer born July 6, 1952.

He is a co-inventor of the RSA algorithm and the Feige-Fiat-Shamir Identification Scheme.

One of the inventors of Differential Cryptanalysis.

Has made numerous contributions to the fields of cryptography and computer science.

We rely on secrets such as safe combinations, PIN codes, computer passwords, etc.

Secrets can be lost.

Documents get destroyed, hard disks fail, people forget, people leave companies, people die...

- Example key management scenario

Eleven scientists are working on a secret project. They wish to lock up the documents in a cabinet. The cabinet can be opened if and only if six or more of the scientists are present.

What is the smallest number of locks needed?

What is the smallest number of keys to the locks each scientist must carry?

Minimal solution uses 462 locks and 252 keys per scientist.

Drawbacks:

These numbers are clearly impractical.

Becomes exponentially worse when the number of scientists increases.

- Key management/cryptographic schemes

What is a key management system?

Key management is the set of provisions made in a cryptography system design that relate to the generation, exchange, storage, safeguarding, use, vetting, and replacement of keys.

Properties of key management schemes

Safety

Convenience

- Shamir's secret-sharing scheme

Why threshold schemes?

Secret sharing scheme:

Divide the secret data (D) into n pieces.

Knowledge of k pieces is enough to derive the secret data (D).

Knowledge of any k-1 pieces leaves the secret data (D) completely undetermined.

Such a scheme is called a (k, n) threshold scheme.

Easily computable when the necessary data is available.

Avoids a single point of failure, increases reliability and security.

Safety and convenience

- Shamir's secret-sharing scheme (A simple (k, n) threshold scheme)

Suppose we use a (k, n) threshold scheme to share our secret S.

Choose at random k-1 coefficients $a_1, a_2, \dots, a_{k-1}$ and let $a_0 = S$. Build the polynomial

$q(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1}$

Construct $D_1 = q(1), \dots, D_i = q(i), \dots, D_n = q(n)$.

Given any subset of k pairs, S can be found using interpolation.

The secret is the constant term $a_0$.

- Shamir's Secret Sharing scheme

The essential idea of Adi Shamir's threshold scheme:

2 points are sufficient to define a line.

3 points are sufficient to define a parabola.

4 points to define a cubic curve and so forth.

k points to define a polynomial of degree (k - 1).

- Example

S = 1234, n = 6, k = 3

At random we obtain 2 numbers: $a_1 = 166$, $a_2 = 94$.

Our polynomial to produce secret shares (points) is therefore:

$q(x) = 1234 + 166x + 94x^2$

We construct 6 points from the polynomial:

(1,1494); (2,1942); (3,2578); (4,3402); (5,4414); (6,5614)

We give each participant a different single point (both x and q(x)).

- Example contd…

Reconstructing the secret:

In order to reconstruct the secret, any 3 points will be enough.

Let us consider (2,1942); (4,3402); (5,4414).

Using Lagrange basis polynomials, it is possible to construct q(x), and hence the value of S can be derived.

- Example contd…
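The reconstruction from the points (2,1942), (4,3402), (5,4414), carried through in Python as an added example that is not part of the original slides. `recover` applies Lagrange interpolation at x = 0 with exact rationals to the slides' integer example; passing a prime `p` goes beyond the slides to the modular (prime field) arithmetic of Shamir's paper. The modulus `P` and all function names are assumptions of this example.

```python
import secrets
from fractions import Fraction
from itertools import combinations

P = 2**127 - 1  # prime modulus chosen for this example; must exceed the secret and n

def eval_poly(coeffs, x, p=None):
    """Horner evaluation of q(x) = a0 + a1*x + ...; reduced mod p when p is given."""
    acc = 0
    for a in reversed(coeffs):
        acc = acc * x + a
        if p is not None:
            acc %= p
    return acc

def split(secret, k, n, p=P):
    """(k, n) threshold split over GF(p): a0 = secret, a1..a(k-1) uniformly random."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]

def recover(points, p=None):
    """Lagrange interpolation at x = 0: S = sum_j y_j * prod_{m != j} x_m / (x_m - x_j)."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share x-values must be distinct and non-zero")
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != j:
                num, den = num * xm, den * (xm - xj)
        if p is None:
            total += Fraction(yj * num, den)  # exact rationals, as in the slides' example
        else:
            total = (total + yj * num * pow(den % p, -1, p)) % p  # divide via modular inverse
    return total

# The slides' polynomial q(x) = 1234 + 166x + 94x^2, its six points, and the secret
# rebuilt from the three points the slides pick.
SLIDE_POINTS = [(x, eval_poly([1234, 166, 94], x)) for x in range(1, 7)]
SLIDE_SECRET = recover([SLIDE_POINTS[1], SLIDE_POINTS[3], SLIDE_POINTS[4]])

def every_k_subset_recovers(secret, k, n, p=P):
    """True if each k-subset of a fresh split reconstructs the secret."""
    shares = split(secret, k, n, p)
    return all(recover(list(c), p) == secret for c in combinations(shares, k))

if __name__ == "__main__":
    print(SLIDE_POINTS, SLIDE_SECRET, every_k_subset_recovers(1234, 3, 6))
```
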

Let us consider

We will compute Lagrange basis polynomials:

- Example contd…

Therefore,

- Useful properties of (k, n) threshold scheme

Secure.

Minimal: The size of each piece does not exceed the size of the original data.

Extensible: When k is kept fixed, $D_i$ pieces can be dynamically added or deleted without affecting the other pieces.

Dynamic: Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares for the participants.

- Useful properties contd..

Flexible: In organizations where hierarchy is important, we can supply each participant with a different number of pieces according to his importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.

Efficient algorithms [$O(n \log^2 n)$] are available for polynomial evaluation and interpolation.

- Q&A

Thank You