Secret Sharing Cs416

Secret Sharing and its Application to Electronic Voting

Akash Chandrayan (08d17015)

Appu R P (08D17007)

Prathamesh Dashpute (08D04007)

Secret sharing

Secret sharing refers to method for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number of shares are combined together; individual shares are of no use on their own.

History*

Map of Space*

Blakley’s Scheme

• Secret is encoded as a point in a space.

• Keys are given as hyper planes rotated around the point in space. Therefore the intersection of t hyper planes will be the key.

Problems with Blakley’s Scheme

• Not secure- If three keys are required having two lets someone know the secret is on a line.

• Less space efficient- Keys are t times larger than the original secret, where t is the number of keys needed to get the secret.

Shamir’s Scheme

• Mathematically the goal is to divide some data D into n pieces D1,…, Dn.

• The following criteria are met • Knowledge of any k or more Di pieces makes D computable.

• Knowledge of any k-1 or fewer Di pieces leaves D completely undetermined.

• This scheme is called (k , n) threshold scheme.

Shamir’s Scheme

• The scheme turns the secret into a polynomial of degree k, where k is the number of keys needed to get the secret.

Shamir’s Scheme

• Choose at random k-1 coefficients a1 ,…, ak-1 and let a0 be the secret.

f(x)=a0 +a1x+…+ ak-1 xk-1

• Select randomly any n points out of it (i , f(i)).

• Every participant is given a point.

Verifiable Secret Sharing(VSS)

In verifiable secret sharing (VSS) the object is to resist malicious players,

such as

(i) a dealer sending incorrect shares to some or all of the participants, and

(ii) participants submitting incorrect shares during the reconstruction protocol

In publicly verifiable secret sharing (PVSS), it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares.

Publically Verifiable Secret Sharing(PVSS)

• Proof of correctness for each share released .

• No private channels between the dealer and the participants are assumed.

• All communication is done over (authenticated) public channels using public key encryption.

Model for non-interactive PVSS

Initialization

• Generation of system parameters.

• Registration of Participants.

The actual set of participants taking part in a run of the PVSS scheme must be a subset of the registered participants.

Distribution

• The distribution of a secret s is performed by the dealer D.

• The dealer first generates the respective shares si for participant Pi For each participant Pi the dealer publishes the encrypted share Ei(si).

• The dealer also publishes a string PROOFD to show that each Ei encrypts a share si.

• The string PROOFD commits the dealer to the value of secret s, and it guarantees that the reconstruction protocol will result in the same value s.

Model for non-interactive PVSS

Verification of the shares.

• Any party knowing the public keys for the encryption methods Ei may verify the shares.

• For each participant Pi a non-interactive verification algorithm can be run on PROOFD to verify that Ei(si) is a correct encryption of a share for Pi.

If verifications fail => dealer fails, protocol is aborted.

Model for non-interactive PVSS

Reconstruction The protocol consists of two steps: 1.Decryption of the shares. The participants decrypt their shares si from Ei(si). It is not required that all participants succeed in doing so, as long as a qualified set of participants is successful. These participants release si plus a string PROOFPi that shows that the released share is correct. 2. Pooling the shares. The strings PROOFPi are used to exclude the participants which are dishonest or fail to reproduce their share si correctly. Reconstruction of the secret s can be done from the shares of any qualified set of participants.

The Math

The prover knows α such that h1 = g1α and h2 = g2

α :

1. The prover sends a1 = g1w and a2 = g2

w to the verifier,

2. The verifier sends a random challenge c to the prover.

3. The prover responds with r = w − α c (mod q).

4. The verifier checks that a1 = g1rh1

c and a2 = g1rh1

c

The Math

Distribution & Verification • Distribution of the shares. The dealer picks a random

polynomial p of degree at most t − 1 with coefficients in Zq

The dealer shows that the encrypted shares are consistent by producing a proof of knowledge of the unique p(i), 1 <= i <= n, satisfying

The Math

Reconstruction • Decryption of the shares: Using its private key xi, each

participant finds the share Si = Gp(i) which comes from

• Proof :

Homomorphic Secret Sharing

• Benaloh [Ben87a]

Electronic Voting

• An election proceeds in two phases

– Ballot Casting- Voters post their vote in encrypted form. The validity of the vote can be publically verified.

– Tallying- The talliers use their private keys to collectively compute the final tally corresponding with the accumulation of all valid ballots.

• Technically each voter will act as a dealer in the PVSS scheme.

Ballot Casting

• A voter casts a vote v 0 or 1 and encrypts it as U= Gs+v where s is a random number.

• The voter constructs a PROOFU showing that v Ɛ {0,1} without revealing any information on v. PROOFU refer to the value of C0=gs which is also published.

Tallying

• The tallying protocol uses the reconstruction protocol of special PVSS scheme and homomorphic property.

• Accumulate all respective share and compute the values Yi

*, where j ranges over all voters.

Tallying

• Next each tallier Ai applies the reconstruction protocol to the value Yi

*, which will produce

• Combining with we obtain

• From this the tally can be computed efficiently.

Example*

The following example illustrates a sample voting with 5 voters among which 2 are talliers. <Z*

13,*13> is the cyclic group under which we shall be working.

Generators used are g=2 and G=7.Note that all the computations henceforth are mod 13

Private Keys

Public Keys

Vote S(random numbers)

U (encrypted votes) gs

1 7 0 7 6 11

2 10 1 8 8 9

3 5 1 1 10 2

4 9 0 2 10 4

5 11 0 11 2 7

The value of C0 = gs is published as part of the PVSS distribution protocol, and shows that logG U = logg C0 OR logG U = 1 + logg C0 (Vote is 0 or 1)

Example contd.

Now since there are 2 talliers which implies that all the votes can be combined iff all of them agrees to tally. For this to work, the curves used would simply be straight lines with the constant term as the secret values s.

Polynomial pi(x) pi(1) pi(2)

3x+7 10 13

4x+8 12 16

x+1 2 3

11x+2 13 24

7x+11 18 25

Note that the voters do not publish pi(1) or pi(2). They publish Yij which is yip

j(i)

yi is the public key of tallier i, since we have only 2 talliers, I have computed the values of pi(1) and p2(2) in the table itself and avoided yi

pj(i) for clarity.

Example contd.

Next we compute the values of Y1* and Y2*.

Y1* = 7(10+12+2+13+18) = 755 = 6

Y2* = 10(13+16+3+24+25) = 1081 = 12

Now the values of S1 and S2 can be computed by respective talliers by using their private keys x1 = 1 and x2 = 2.

Therefore S1 = (Y1*)1/x1 = 6 and S2 = (Y2*)1/x2 = 121/2 = 5.

Next comes the homomorphic combination of secrets by computing

λ1 = 2 , λ2 = -1 ; Gs = 62 . 5-1 = 9/2 = 9*7 = 63 = 11

Example contd.

Now lets combine the encrypted votes (Uj = Gjs+v)

Gs+v = 6*8*10*10*2 = 9600 = 6.

Almost there , Gs+v/Gs = Gv = 6/11 = 6*6 = 10, Gv = 10 => 7v = 10

=> v= 2 , because 49 (72 mod 13 = 10). Which verifies with the vote count given in the table. That is it!

Few other application

Revocable Electronic Cash

Software Key Escrow

Bank Accounts

Confidential data

Cloud Computing*

References* • A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic

Voting - Berry Schoenmakers, Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands. berry@win.tue.nl | Springer-Verlag , 1999.

• How to share a secret. Commm. of ACM , volume 22 (1979).

• http://en.wikipedia.org/wiki/Secret_sharing

• http://www.cs.uml.edu/~zkissel/secretshare.html

• http://en.wikipedia.org/wiki/Secure_multiparty_computation

• http://www.proproco.co.uk/million.html

• http://www.cs.tau.ac.il/~bchor/Shamir.html

*were not mentioned during presentation

Thank You!