Josh Benaloh & Brian LaMacchia |
|
|
X.509 is not the only certificate standard – see
also X9.55, X9.57, X9.59, Xcetera, Xcetera, Xcetera. |
|
|
|
Several “web of trust” designs exist – in
particular, see SPKI/SDSI. |
|
|
Anyone who has the private key associated with
the included public key has the right to … |
|
|
And now for something completely different. |
|
|
Thus far, the protocols we’ve explored have dealt
primarily with two-party scenarios. |
|
|
|
Many scenarios concern fair agreement and
computation with more players. |
|
|
|
|
Suppose that a group wants to make a fair choice
between two or more options. |
|
|
|
How can this be done in an unbiased manner? |
|
|
|
|
Suppose that I have some data that I want to
share amongst three people such that |
|
|
|
any two can uniquely determine the data |
|
|
|
but any one alone has no information whatsoever about
the data. |
|
|
|
|
Some simple cases: “AND” |
|
|
|
I have a secret value z that I would like to
share with Alice and Bob such that both Alice and Bob can together
determine the secret at any time, but such that neither has any information
individually. |
|
|
|
|
Let z ∈ Zm = {0,1,…,m-1} be a secret
value to be shared with Alice and Bob. |
|
Randomly and uniformly select values x and y
from Zm subject to the constraint that |
|
(x + y) mod m = z. |
|
|
This trick easily generalizes to more than two
shareholders. |
|
|
|
A secret S can be written as |
|
S = (s1 + s2 + … + sn)
mod m |
|
for any randomly chosen integer values s1,
s2, …, sn in the range 0 ≤ si < m. |
|
|
|
|
Some simple cases: “OR” |
|
|
|
I have a secret value z that I would like to
share with Alice and Bob such that either Alice or Bob can determine the
secret at any time. |
|
|
This case also generalizes easily to more than
two shareholders. |
|
|
|
|
More complex access structures … |
|
|
|
I want to share secret value z amongst Alice,
Bob, and Carol such that any two of the three can reconstruct z. |
|
|
|
S = (A ∧ B) ∨ (A ∧ C) ∨ (B ∧ C) |
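The AND and OR cases compose into a scheme for any access structure written in this form: run the additive (AND) scheme once per clause, and each party keeps one share per clause it belongs to. The plain OR case is the special case where every clause is a single party. This is an added Python example, not code from the slides; the party names, the modulus m = 101 and the secret 42 are constructed inputs.

```python
import secrets

def share_and(secret, parties, m):
    """AND case: additively split `secret` among `parties` in Z_m. Every share
    is uniform on Z_m and any proper subset of the shares is independent of the
    secret; only the sum of all of them reveals it."""
    shares = {p: secrets.randbelow(m) for p in parties[:-1]}
    shares[parties[-1]] = (secret - sum(shares.values())) % m
    return shares

def share_access_structure(secret, minimal_sets, m):
    """OR of AND clauses: for each minimal authorized set (a clause), run the
    AND scheme among its members. A party holds one share per clause it is in,
    keyed by the clause index. With single-party clauses (the OR case) each
    listed party simply receives the secret itself."""
    holdings = {}
    for idx, clause in enumerate(minimal_sets):
        for party, share in share_and(secret, list(clause), m).items():
            holdings.setdefault(party, {})[idx] = share
    return holdings

def reconstruct(holdings, present, minimal_sets, m):
    """Reconstruct from the parties in `present`: pick a clause contained in
    `present` and sum its members' shares for that clause. Returns None when
    `present` is not an authorized set."""
    present = set(present)
    for idx, clause in enumerate(minimal_sets):
        if set(clause) <= present:
            return sum(holdings[p][idx] for p in clause) % m
    return None

# The structure from the slide: S = (A∧B) ∨ (A∧C) ∨ (B∧C), i.e. any two of three.
TWO_OF_THREE = [("Alice", "Bob"), ("Alice", "Carol"), ("Bob", "Carol")]

def demo(secret=42, m=101):
    """Constructed inputs. Any pair recovers the secret; a single party cannot."""
    holdings = share_access_structure(secret, TWO_OF_THREE, m)
    return {
        "Alice+Bob": reconstruct(holdings, ["Alice", "Bob"], TWO_OF_THREE, m),
        "Bob+Carol": reconstruct(holdings, ["Bob", "Carol"], TWO_OF_THREE, m),
        "Carol alone": reconstruct(holdings, ["Carol"], TWO_OF_THREE, m),
        "shares per party": {p: len(h) for p, h in holdings.items()},
    }
```

The cost of this construction is that a party's storage grows with the number of clauses it appears in, which is why the threshold schemes on the following slides matter: a k-of-n structure written out this way has one clause per k-subset.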
|
|
I want to distribute a secret datum amongst n
trustees such that |
|
|
|
any k of the n trustees can uniquely determine
the secret datum, |
|
but any set of fewer than k trustees has no
information whatsoever about the secret datum. |
|
|
Any k points in a field uniquely determine a
polynomial of degree at most k-1. |
|
|
|
This not only works over the reals, rationals, and
other infinite fields, but also over the finite field Zp =
{0,1,…,p-1} where p is a prime. |
|
|
|
|
To distribute a secret value s ∈ Zp
amongst a set of n Trustees {T1,T2,…,Tn}
such that any k can determine the secret |
|
|
|
pick random coefficients a1,a2,…,a(k-1) ∈ Zp |
|
let P(x) = a(k-1) x^(k-1) + … + a2 x^2 + a1 x + s |
|
give P(i) to trustee Ti. |
|
The secret value is s = P(0). |
|
|
The threshold 2 case: |
|
Example:
Range = Z11 = {0,1,…,10}, Secret = 9 |
|
|
|
Two methods are commonly used to interpolate a
polynomial given a set of points. |
|
|
|
Lagrange interpolation |
|
Solving a system of linear equations |
|
|
|
|
For each point (i,P(i)), construct a polynomial Pi
with the correct value at i and a value of zero at the other given points. |
|
Pi(x) = P(i) · ∏_{j≠i} (x − j) / ∏_{j≠i} (i − j) |
|
|
|
P(x) = ∑_i Pi(x) |
|
|
|
|
Regard the polynomial coefficients as unknowns. |
|
Plug in each known point to get a linear
equation in terms of the unknown coefficients. |
|
Once there are as many equations as unknowns,
use linear algebra to solve the system of equations. |
|
|
|
|
Secret sharing is very useful when the “dealer”
of a secret is honest, but what bad things can happen if the dealer is
potentially dishonest? |
|
|
|
Can measures be taken to eliminate or mitigate
the damages? |
|
|
|
|
Recall that with RSA, there is a multiplicative homomorphism. |
|
E(x)·E(y) ≅ E(x·y) |
|
|
|
Can we find an encryption function with an
additive homomorphism? |
|
|
|
|
Can we find an encryption function for which the
sum (or product) of two encrypted messages is the (an) encryption of the
sum of the two original messages? |
|
|
|
E(x) ∘ E(y) ≅ E(x + y) |
|
|
|
|
Recall the one-way function given by |
|
f(x) = g^x mod m. |
|
|
|
For this function, |
|
f(x)·f(y) mod m = g^x · g^y mod m = g^(x+y) mod m = f(x+y). |
|
|
|
|
Select a polynomial with secret a0 as |
|
P(x) = a(k-1) x^(k-1) + … + a2 x^2 + a1 x + a0. |
|
Commit to the coefficients by publishing |
|
g^a0, g^a1, g^a2, …, g^a(k-1). |
|
Compute a commitment to P(i) from public values
as |
|
g^P(i) = (g^a0)^(i^0) · (g^a1)^(i^1) · (g^a2)^(i^2) · … · (g^a(k-1))^(i^(k-1)). |
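Verification of shares against published coefficient commitments, as an added Python example (not the slides' code). The group parameters p = 23, q = 11, g = 2 are constructed toy values chosen so that g has prime order q, which is what allows exponents to be reduced modulo q; the dishonest-dealer demo hands one trustee a share of a different polynomial and shows the public check catching it.

```python
import secrets

# Constructed toy parameters: p = 23 is prime, q = 11 divides p - 1, and g = 2 has
# order q modulo p (2^11 = 2048 = 89*23 + 1). Polynomial coefficients and shares live
# in Z_q; commitments live in the order-q subgroup of Z_p*.
P, Q, G = 23, 11, 2

def eval_poly(coeffs, x, q):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod q."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % q
    return result

def deal(secret, k, n, coeffs=None):
    """Dealer: choose P with P(0) = secret, publish C_j = g^(a_j) mod p for every
    coefficient, and hand P(i) to trustee T_i. `coeffs` can be fixed for a
    reproducible example; otherwise a_1..a_(k-1) are uniformly random in Z_q."""
    if coeffs is None:
        coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    shares = {i: eval_poly(coeffs, i, Q) for i in range(1, n + 1)}
    return commitments, shares

def verify_share(i, share, commitments):
    """Trustee T_i recomputes g^P(i) from public values only, as on the slide:
    g^P(i) = prod_j (g^(a_j))^(i^j) mod p, and compares it with g^share."""
    expected = 1
    for j, c_j in enumerate(commitments):
        expected = expected * pow(c_j, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected

def honest_dealer_demo():
    """The slide's parameters: secret 9, threshold 2; P(x) = 9 + 4x is constructed."""
    commitments, shares = deal(9, 2, 3, coeffs=[9, 4])
    return commitments, shares, [verify_share(i, s, commitments) for i, s in shares.items()]

def dishonest_dealer_demo():
    """A dealer who gives T_3 a share of a different polynomial (constructed: 9 + 7x).
    Trustees 1 and 2 would reconstruct 9 but the pair (1, 3) would not; the public
    commitments expose the bad share without any trustee revealing its own."""
    commitments, shares = deal(9, 2, 3, coeffs=[9, 4])
    shares[3] = eval_poly([9, 7], 3, Q)
    return [verify_share(i, s, commitments) for i, s in shares.items()]
```

Note that the first commitment is g^a0, a one-way image of the secret itself, so the secret must be drawn from a space too large to search exhaustively; that is the "important detail" the next slide raises.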
|
|
An important detail |
|
|
|
Randomness must be included to prevent small
spaces of possible secrets and shares from being exhaustively searched. |
|
|
|
|
All of these secret sharing methods have an
additional useful feature: |
|
|
|
If two secrets are separately shared amongst the
same set of people in the same way, then the sums of the individual shares
constitute shares of the sum of the secrets. |
|
|
|
|
OR |
|
|
|
Secret: a –
Shares: a, a, …, a |
|
Secret: b –
Shares: b, b, …, b |
|
|
|
Secret sum:
a+b |
|
Share sums:
a+b, a+b, …, a+b |
|
|
|
|
AND |
|
|
|
Secret: a –
Shares: a1, a2,
…, an |
|
Secret: b –
Shares: b1, b2,
…, bn |
|
|
|
Secret sum:
a+b |
|
Share sums:
a1+b1, a2+b2, …, an+bn |
|
|
|
|
THRESHOLD |
|
|
|
Secret: P1(0) –
Shares: P1(1), P1(2), …, P1(n) |
|
Secret: P2(0) –
Shares: P2(1), P2(2), …, P2(n) |
|
|
|
Secret sum:
P1(0) + P2(0) |
|
Share sums:
P1(1) + P2(1), P1(2) + P2(2), …, P1(n) + P2(n) |
|
|
|
|
In an election, each voter can cast a vote by
sharing the vote with a set of election officials at a pre-determined
threshold. |
|
|
|
The officials can read an individual’s vote only
if a sufficiently large set conspire. |
|
|
The sums of the shares of the votes constitute shares
of the sum of the votes. |
|
|
The shares of the votes can each be encrypted
with an additively homomorphic encryption function. |
|
|
To get encryptions of the sums, compute the
products of the encryptions. |
|
|
Decrypt the products to determine the column
sums. |
|
|
Combine the shares to form the tally. |
|
|
Product of Encryptions ≡ Encryption of Sum |
|
Sum of Shares ≡ Shares of Sum |
|
|
|
The products of the encryptions of the shares of
the votes constitute encryptions of the shares of the sum of the votes. |
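The whole tally pipeline of the preceding slides as an added Python example (not from the lecture): each vote is shared additively among all officials (the AND case, so the final combination is a plain sum; with Shamir shares the same pipeline would combine by Lagrange interpolation), each share is encrypted under its official's key with exponential ElGamal, the additively homomorphic scheme assumed here, each official multiplies its column and decrypts the column sum, and the column sums are combined. The group p = 23, q = 11, g = 2 and the five votes are constructed; the tally must stay below q.

```python
import secrets

# Constructed toy group: g = 2 has prime order q = 11 in Z_23*. All plaintexts
# (shares and tallies) are elements of Z_q.
P, Q, G = 23, 11, 2

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def encrypt(pk, m, r=None):
    """Exponential ElGamal: Enc(m) = (g^r, pk^r * g^m) mod p. Componentwise products
    of ciphertexts are encryptions of sums (mod q), i.e. E(x) ∘ E(y) ≅ E(x + y)."""
    r = secrets.randbelow(Q - 1) + 1 if r is None else r
    return pow(G, r, P), pow(pk, r, P) * pow(G, m, P) % P

def multiply(c1, c2):
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def decrypt(sk, c):
    """Recover g^m, then m by trying every element of Z_q; tallies are small."""
    g_m = c[1] * pow(c[0], -sk, P) % P
    for m in range(Q):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("ciphertext is not an encryption of an element of Z_q")

def share_vote(vote, n_officials):
    """n-of-n additive sharing of a 0/1 vote over Z_q (the AND case)."""
    shares = [secrets.randbelow(Q) for _ in range(n_officials - 1)]
    shares.append((vote - sum(shares)) % Q)
    return shares

def run_election(votes, n_officials):
    """Returns the tally. An official sees only encryptions of its own column of
    shares, each of which is uniform on its own, plus the column sum."""
    official_keys = [keygen() for _ in range(n_officials)]
    # Voter: share the vote, encrypt share j under official j's public key.
    ballots = []
    for v in votes:
        shares = share_vote(v, n_officials)
        ballots.append([encrypt(official_keys[j][1], s) for j, s in enumerate(shares)])
    # Official j: multiply its column to get an encryption of the column sum, decrypt it.
    column_sums = []
    for j, (sk, _) in enumerate(official_keys):
        product = ballots[0][j]
        for ballot in ballots[1:]:
            product = multiply(product, ballot[j])
        column_sums.append(decrypt(sk, product))
    # The column sums are shares of the tally (sum of shares ≡ shares of sum); combine.
    return sum(column_sums) % Q
```

Because every column sum is reduced modulo q, the scheme only reports the correct total when the number of voters is below q; real deployments pick q far larger than any possible tally.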
|
|
There are non-traditional methods of convincing
others that something is true without writing down a proof. |
|
|
|
These methods can be used to convince others of
the veracity of partial information about a secret. |
|
|
|
|
I want to convince you that something is true. |
|
|
|
I write down a proof and give it to you. |
|
|
We engage in a dialogue at the conclusion of
which you are convinced that my claim is true. |
|
|
|
|
Suppose I want to convince you that Y is a
square modulo N. |
|
[There exists an X such that Y = X^2 mod N.] |
|
|
|
First approach:
I give you X. |
|
|
In order for me to “fool” you, I would have to
guess your exact challenge sequence. |
|
|
|
The probability of my successfully convincing
you that Y is a square when it is not is 2^-100. |
|
|
|
This interactive proof is said to be “zero-knowledge”
because the challenger received no information (beyond the proof of the
claim) that it couldn’t compute itself. |
|
|
|
|
Suppose that we share a public key consisting of
a modulus N and an encryption exponent E and that I want to convince you
that I have the corresponding decryption exponent D. |
|
|
|
How can I do this? |
|
|
|
|
I can give you my private key D. |
|
|
|
You can encrypt something for me and I decrypt
it for you. |
|
|
|
You can encrypt something for me and I can
engage in an interactive proof with you to show that I can decrypt it. |
|
|
By engaging in this proof, the prover has
demonstrated its knowledge of Y^D – without revealing this value. |
|
If Y is generated by a challenger, this is
compelling evidence that the prover possesses D. |
|
|
Anything in PSPACE can be proven with an
interactive proof. |
|
|
|
Anything in NP can be proven with a
zero-knowledge interactive proof. |
|
|
|
|
It is frequently possible to simulate the
interaction by substituting a one-way function for the challenges of a
verifier. |
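The square-modulo-N proof summarised earlier (commit to r², answer a challenge bit with r or r·X, repeat), together with the hashed-challenge variant of the last bullet, as an added Python example rather than the lecture's own code. The modulus N = 61·53 = 3233 and the witness X = 200 are constructed; the round structure implemented here is the standard one for this problem and is assumed to be what the slide's omitted figure depicts.

```python
import hashlib
import secrets

# Constructed toy instance: N = 61 * 53. The verifier never needs the factors.
N = 3233
X = 200             # the prover's secret square root (witness)
Y = X * X % N       # public claim: Y is a square modulo N

def prover_commit():
    """Round start: pick random r and send a = r^2 mod N."""
    r = secrets.randbelow(N - 1) + 1
    return r, r * r % N

def prover_respond(r, x, bit):
    """Challenge 0: reveal r (so a is a square). Challenge 1: reveal r*x (so a*Y is)."""
    return r * pow(x, bit, N) % N

def verifier_check(y, a, bit, z):
    return z * z % N == a * pow(y, bit, N) % N

def interactive_proof(y, x, rounds=100):
    """Honest prover and verifier; the verifier flips a fresh coin every round."""
    for _ in range(rounds):
        r, a = prover_commit()
        bit = secrets.randbelow(2)
        if not verifier_check(y, a, bit, prover_respond(r, x, bit)):
            return False
    return True

def cheating_round(y, guessed_bit, actual_bit):
    """A prover without a square root can prepare for one challenge only: guess 0 and
    send a = r^2, or guess 1 and send a = r^2 / y; either way it answers with r.
    The round succeeds exactly when the guess matches, hence 2^-rounds overall."""
    r = secrets.randbelow(N - 1) + 1
    a = r * r % N if guessed_bit == 0 else r * r * pow(y, -1, N) % N
    return verifier_check(y, a, actual_bit, r)

def challenge_bits(y, commitments, rounds):
    """Non-interactive variant: derive the challenges from a one-way hash of the claim
    and all commitments, so commitments cannot be chosen after seeing the challenges."""
    assert rounds <= 256
    digest = hashlib.sha256(",".join(map(str, [y] + commitments)).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(rounds)]

def fiat_shamir_prove(y, x, rounds=100):
    commits = [prover_commit() for _ in range(rounds)]
    commitments = [a for _, a in commits]
    bits = challenge_bits(y, commitments, rounds)
    responses = [prover_respond(r, x, b) for (r, _), b in zip(commits, bits)]
    return commitments, responses

def fiat_shamir_verify(y, proof, rounds=100):
    commitments, responses = proof
    if len(commitments) != rounds or len(responses) != rounds:
        return False
    bits = challenge_bits(y, commitments, rounds)
    return all(verifier_check(y, a, b, z) for a, b, z in zip(commitments, bits, responses))
```

The zero-knowledge property is visible in `cheating_round`: a transcript for either challenge can be produced without X, which is exactly what a simulator does, so the verifier learns nothing it could not have generated alone; soundness comes only from the prover committing before the challenge is known.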
|
|
An elliptic curve |
|
|
|
y^2 = x^3 + Ax + B |
|
|
Non-vertical Lines |
|
y^2 = x^3 + Ax + B |
|
y = ax + b |
|
(ax + b)^2 = x^3 + Ax + B |
|
x^3 + A′x^2 + B′x + C′ = 0 |
|
|
Non-vertical Lines |
|
|
|
1 intersection point (typical case) |
|
2 intersection points (tangent case) |
|
3 intersection points (typical case) |
|
|
|
|
Vertical Lines |
|
y^2 = x^3 + Ax + B |
|
x = c |
|
y^2 = c^3 + Ac + B |
|
y^2 = C |
|
|
|
|
Vertical Lines |
|
|
|
0 intersection points (typical case) |
|
1 intersection point (tangent case) |
|
2 intersection points (typical case) |
|
|
Add an “artificial” point I to handle the
vertical line case. |
|
|
|
This point I also serves as the group identity
value. |
|
|
(x1,y1) × (x2,y2) = (x3,y3) |
|
|
|
x3 = ((y2 - y1)/(x2 - x1))^2 - x1 - x2 |
|
y3 = -y1 + ((y2 - y1)/(x2 - x1)) (x1 - x3) |
|
|
|
when x1 ≠ x2 |
|
|
|
|
(x1,y1) × (x2,y2) = (x3,y3) |
|
|
|
x3 = ((3x1^2 + A)/(2y1))^2 - 2x1 |
|
y3 = -y1 + ((3x1^2 + A)/(2y1)) (x1 - x3) |
|
|
|
when x1 = x2 and y1 = y2 ≠ 0 |
|
|
|
|
(x1,y1) × (x2,y2) = I |
|
when x1 = x2 but y1 ≠ y2, or y1 = y2 = 0 |
|
|
|
(x1,y1) × I = (x1,y1) = I × (x1,y1) |
|
|
|
I × I = I |
|
|
Z = Y^X in Ep(A,B) |
|
When Z is unknown, it can be efficiently
computed by repeated squaring. |
|
|
Z = Y^X in Ep(A,B) |
|
When X is unknown, this version of the discrete
logarithm is believed to be quite hard to solve. |
|
|
Z = Y^X in Ep(A,B) |
|
When Y is unknown, it can be efficiently
computed by “sophisticated” means. |
|
|
|
|
Alice |
|
Randomly select a large integer a and send A = Y^a mod N. |
|
Compute the key K = B^a mod N. |
|
Bob |
|
Randomly select a large integer b and send B = Y^b mod N. |
|
Compute the key K = A^b mod N. |
|
|
Alice |
|
Randomly select a large integer a and send A = Y^a in Ep. |
|
Compute the key K = B^a in Ep. |
|
Bob |
|
Randomly select a large integer b and send B = Y^b in Ep. |
|
Compute the key K = A^b in Ep. |
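The group law from the preceding slides, the repeated doubling that computes Z = Y^X, and the EC Diffie-Hellman exchange just shown, as an added Python example (not the lecture's code). The curve y² = x³ + 2x + 2 over Z17 with generator G = (5, 1), whose group has 19 points, is a constructed toy instance; the identity I is represented by None and the slides' multiplicative notation (×) becomes the function `add`.

```python
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over Z_17. Its group has 19 points and
# G = (5, 1) generates it. The artificial point I is represented by None.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
ORDER = 19
I = None

def on_curve(pt):
    if pt is I:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """The group law exactly as on the slides, case by case."""
    if p1 is I:
        return p2
    if p2 is I:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 != y2 or y1 == 0):
        return I                      # vertical line: P × (-P) = I, or tangent at y = 0
    if x1 != x2:                      # chord through two distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    else:                             # tangent: doubling a point with y1 != 0
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (-y1 + lam * (x1 - x3)) % P_MOD
    return (x3, y3)

def scalar_mult(k, pt):
    """Z = Y^X on the slides: double-and-add, the EC analogue of repeated squaring."""
    result = I
    addend = pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def ecdh():
    """Alice sends A = G^a, Bob sends B = G^b; both derive K = B^a = A^b.
    Returns both parties' keys so a caller can confirm they agree."""
    a = secrets.randbelow(ORDER - 1) + 1
    b = secrets.randbelow(ORDER - 1) + 1
    a_pub = scalar_mult(a, G)
    b_pub = scalar_mult(b, G)
    return scalar_mult(a, b_pub), scalar_mult(b, a_pub)
```

At this size the discrete logarithm is recoverable by trying all 19 multiples, which is why real curves use primes of roughly 256 bits and scalars of comparable size; the arithmetic above is unchanged apart from the parameters.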
|
|
The best currently known algorithm for EC
discrete logarithms would take about as long to find a 160-bit EC discrete
log as the best currently known algorithm for integer discrete logarithms
would take to find a 1024-bit discrete log. |
|
160-bit EC algorithms are somewhat faster and
use shorter keys than 1024-bit “traditional” algorithms. |
|
|
|
|
EC discrete logarithms have been studied far
less than integer discrete logarithms. |
|
Results have shown that a fundamental break in
integer discrete logs would also yield a fundamental break in EC discrete
logs, although the reverse may not be true. |
|
Basic EC operations are more cumbersome than
integer operations, so EC is only faster if the keys are much smaller. |
|