程序代写代做代考 scheme algorithm 17crypto_L08
17crypto_L08
Multiple Key Cryptography
Crypto & SecDev 2017 © Ron Poet: Lecture 8 1
Secret Splitting
� Let us imagine that we have a secret that we cannot entrust
to just one person, but want to split between two people.
� Both people are needed to reconstruct the message.
� We cannot just give half the bits to each person.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 2
� We cannot just give half the bits to each person.
�It would make it easier for one person to make a brute
force attack to recover the other person’s half.
Secret Splitting
� The following protocol lets the boss Sam split the secret
between two underlings Alice and Bob.
� Let M be the secret message.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 3
� Let M be the secret message.
� Sam obtains a truly random bit string R, the same length as
M, from the trusted third party Trent.
� Sam calculates P = M ⊕⊕⊕⊕ R, gives P to Alice and R to Bob.
� The message can be reconstructed as P ⊕⊕⊕⊕ R = M.
� This technique cannot be broken by cryptographic
techniques, since R is a one time pad.
Splitting between more than two people
� This technique is easily generalised to more than two
people.
�Let us split the secret between Alice, Bob, Carol and Dave.
�Sam provides three random bit strings, R, S and T.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 4
�Sam provides three random bit strings, R, S and T.
�The fourth string P = M ⊕⊕⊕⊕ R ⊕⊕⊕⊕ S ⊕⊕⊕⊕ T.
�The four strings are distributed to the four underlings.
�The original message is recovered by P ⊕⊕⊕⊕ R ⊕⊕⊕⊕ S ⊕⊕⊕⊕ T = M.
� Limitations of this protocol
�The boss has absolute power and can hand out rubbish if he wants.
�All pieces of the encrypted message are necessary.
� If Alice falls under a bus then the secret is lost.
Secret Sharing
� It is possible to split a secret up into n pieces so that it can
be recovered with only m of the pieces. This is called a
threshold scheme.
� With a (3,4) threshold scheme, the secret can be divided
Crypto & SecDev 2017 © Ron Poet: Lecture 8 5
� With a (3,4) threshold scheme, the secret can be divided
into 4 pieces and given to Alice, Bob, Carol and Dave.
�Only three of them (any three) are needed to recover the secret.
� If Alice falls under a bus then the secret is recoverable,
�but if Bob is away at the time then Carol and Dave cannot recover
the secret by themselves.
� The individual pieces are called shadows.
Lagrange Interpolation Scheme (Shamir)
� This scheme is based on the numerical solution of linear equations.
� Integers are used to avoid the problem of rounding errors that arise
when using real numbers.
� Naturally, the integers are calculated mod p, so that division produces
an integer answer.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 6
an integer answer.
� The shadows are calculated using a polynomial of the appropriate
degree.
�This is not polynomial arithmetic, as discussed in an earlier lecture.
We are interested in solving the equation and finding x.
� If 2 shadows are needed to construct the key then the appropriate
polynomial is a line which has two unknown coefficients a and b.
y(x) = a * x + b (mod p)
Lagrange Interpolation Scheme (2)
� The algorithm when 2 shadows are needed.
� Chose a prime number p which is larger than the number of shadows
(n) and the largest secret.
�Prime p must be handed out along with the shadows and made
public.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 7
public.
� Chose a random number < p for the coefficient a.
� It is only used to generate the shadows and is discarded after the
shadows are calculated.
� It must be kept secret.
� The coefficient b is the secret message M.
� This produces the polynomial y(x) = a x + b (mod p)
Lagrange Interpolation Scheme (3)
� The shadows are calculated by evaluating the polynomial at n different
random values of x. I will use x = 1, 2, 3, 4 for simplicity.
� Each shadow is (x, y, p).
� shadow(1) = y(1)
Crypto & SecDev 2017 © Ron Poet: Lecture 8 8
� shadow(2) = y(2)
� shadow(3) = y(3)
� shadow(4) = y(4)
� Since the straight line has two unknown coefficients a and b, any two
shadows can be used to find them.
� The shadows generate two linear equations which can be solved for the
two unknowns a and b.
� We want b, which is the secret M.
Example
� Let the secret M be 11.
� Chose p = 13, a = 7.
� In practice, larger numbers will be used!
� Generate 4 keys from y(x) = 7 x + 11 (mod 13)
Crypto & SecDev 2017 © Ron Poet: Lecture 8 9
k1 = y(1) mod 13 = 5 (key = 1, 5, 13)
k2 = y(2) mod 13 =12 (key = 2,12, 13)
k3 = y(3) mod 13 = 6 (key = 3, 6, 13)
k4 = y(4) mod 13 = 0 (key = 4, 0, 13)
Example (2)
� Now let us recover the secret from two keys, say k2, k3.
2a + M = 12 (mod 13) --- (1)
3a + M = 6 (mod 13) --- (2)
� These equations must be solved.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 10
� We can eliminate a by 3 * (equation 1) – 2 * (equation 2)
� 3 * (equation 1) is 6a + 3M = 10 (mod 13) [Note 36 == 10]
� 2 * (equation 2) is 6a + 2M = 12 (mod 13)
� Subtracting M = -2 = 11 (mod 13), the secret.
Cheating with Secret Sharing
� Alice, Bob and Carol are sitting in a bunker when the message
"Launch those missiles" comes from the president. Carol is a pacifist
and so enters a random number rather than her shadow.
�The missiles stay in their silos and no one can find out why.
� Alice, Bob and Eve (disguised as Carol) are sitting in the bunker and
Crypto & SecDev 2017 © Ron Poet: Lecture 8 11
� Alice, Bob and Eve (disguised as Carol) are sitting in the bunker and
the same thing happens. Eve secretly notes down the shadows entered
by Alice and Bob.
�The missiles stay in their silos but now Eve knows all three of the
shadows. She can then retarget the missile and launch it herself.
Preventing Cheating
� The Lagrangian protocol can be modified to make it easier to detect
cheaters, with an increase in the complexity of the way the algorithm is
applied.
� The basic approach is to have a series of secret, each linked to the
previous, with only the last being useful.
Crypto & SecDev 2017 © Ron Poet: Lecture 8 12
previous, with only the last being useful.
� The cheater is then revealed early on.