Secret Sharing and Key Escrow: Supplemental Information for Cryptology Class

Lecture slides by Richard Newman

Upload: suzan-quinn

Post on 18-Jan-2016


Page 1: Secret Sharing and Key Escrow Supplemental Information for Cryptology Class Lecture slides by Richard Newman

Secret Sharing and Key Escrow

Supplemental Information for Cryptology Class

Lecture slides by Richard Newman

Page 2: Secret Sharing and Key Escrow

touch on a few topics including:
- Need for key escrow
- Basic key escrow approaches and history
- Secret sharing
- Threshold schemes

Page 3: Need for Key Escrow

- Recovery of lost key
  - Keyholder unable to provide key
    - Forgotten
    - Incapacitated
    - Unavailable
  - Keyholder unwilling to provide key
    - Disgruntled (ex-) employee
    - Criminal, etc.
- Legitimate causes
  - Organizational information
  - Law Enforcement
- Controls on key recovery
  - Only allow recovery when it is legitimate
  - Limit recovery to appropriate elements

Page 4: Copyright

- protects tangible or fixed expression of an idea but not the idea itself
- is automatically assigned when created
- may need to be registered in some countries
- exists when:
  - proposed work is original
  - creator has put original idea in concrete form
  - e.g. literary works, musical works, dramatic works, pantomimes and choreographic works, pictorial, graphic, and sculptural works, motion pictures and other audiovisual works, sound recordings, architectural works, software-related works.

Page 5: Basic Key Escrow

- Can store key K with trusted third party S
  - Problem if S is unavailable
  - Problem if S is compromised
  - Problem if S is dishonest
- Can encrypt key K with key K’, store K’ with trusted third party
  - Same problems as before
- Can divide key K into n parts
  - K = K_1 || K_2 || … || K_n
  - But each known part reduces keyspace to search…
  - m colluders may be able to guess the rest

Page 6: Clipper Chip

- US government program
  - Wanted all commercial crypto done with Clipper
  - Algorithm secret initially (Skipjack – finally revealed)
  - Wanted two parties to hold escrowed key for each chip
    - Law enforcement/executive branch
    - Judiciary/judicial branch
  - Ultimately died due to strong public resistance
- Clipper program key escrow
  - Used XOR approach K = K_1 XOR K_2
  - If K_1 is random number, neither K_1 nor K_2 reveal info other than key length
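The contrast between dividing the key (K = K_1 || … || K_n) and the XOR approach (K = K_1 XOR K_2), as an added Python example that is not part of the original slides. It generalizes the XOR split from two shares to n; all function names and the sample key are constructed for illustration.

```python
import secrets

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def concat_split(key, n):
    """K = K_1 || ... || K_n: each holder gets a contiguous slice of K itself."""
    if n < 2 or len(key) % n:
        raise ValueError("n must be >= 2 and divide the key length")
    step = len(key) // n
    return [key[i * step:(i + 1) * step] for i in range(n)]

def concat_unknown_bits(key_len, n, m):
    """Key bits that m colluding slice-holders still have to guess."""
    return 8 * (key_len // n) * (n - m)

def xor_split(key, n=2):
    """K = K_1 XOR ... XOR K_n: n-1 random shares, the last one fixes the XOR."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]

def xor_combine(shares):
    out = bytes(len(shares[0]))  # all-zero block, the XOR identity
    for s in shares:
        out = xor_bytes(out, s)
    return out

def partner_share_for(held_share, candidate_key):
    """The second share that would make candidate_key the escrowed key.

    One exists for every candidate, so a single XOR share excludes no key."""
    return xor_bytes(held_share, candidate_key)

if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed 128-bit sample key
    print("bits left for 3 of 4 slice-holders:", concat_unknown_bits(16, 4, 3))
    k1, k2 = xor_split(key)
    print("XOR shares recombine:", xor_combine([k1, k2]) == key)
```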

Page 7: Secret Sharing

- Want to share a secret S
  - Say an escrowed key
- Express S as a number
- Derive shares S_i from S, i=1,2,…,k
- Each shareholder holds part of S
- No group of fewer than k of them can derive any knowledge of S
- All k of them can reconstruct S

Page 8: Shamir’s Polynomial SS

- Polynomial of degree k can be specified
  - By k+1 coefficients
  - By k+1 distinct points
- Secret is P(x_0)
  - Evaluate P at x_0
- Shares are (x_i, P(x_i)) for i=1,2,…,k+1
  - Distribute point pairs to shareholders
  - Fewer than k+1 points underspecify P(x)

Page 9: Blakley’s Hyperplane SS

- Imagine a k-dimensional space
  - E.g., 3-dimensions
- Can specify (k-1)-dimensional hyperplanes
  - These must be unique and must all have a common intersection point
  - Any two intersect in a (k-2)-dimensional hyperplane
  - E.g., 2-dimensional planes intersect in a line
- k of these hyperplanes intersect in a point
  - The point coordinates constitute the shared secret

Page 10: Threshold Schemes

- Extend secret sharing so that any k of n shareholders can recover secret
  - Useful for fault tolerance
  - And for threshold authorization policies
- Examples
  - Shamir: issue more points of polynomial
    - Any k points of a k-1 degree polynomial specify polynomial
    - Issue more than k points; any k of them will do
  - Blakley: issue more intersecting hyperplanes
    - Any k hyperplanes in a k-dimensional space specify the secret
    - Issue n>k hyperplanes; any k will do
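Shamir's scheme in its k-of-n threshold form, as an added Python example that is not part of the original slides: a random polynomial of degree k-1 hides the secret at P(x_0), and any k points recover it by Lagrange interpolation. Assumptions not stated on the slides: arithmetic is modulo the prime 2^521 − 1, x_0 = 0, shares sit at x = 1..n, and all function names are illustrative.

```python
import secrets

# Assumption (not in the slides): work in the field of integers mod a prime.
PRIME = 2**521 - 1  # Mersenne prime, large enough to hold a 256-bit key

def make_shares(secret, k, n):
    """Return n points of a random degree-(k-1) polynomial P with P(0) = secret."""
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # Constant term is the secret; the other k-1 coefficients are uniform random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is reserved for the secret
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of P(x) mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def interpolate_at(points, x0=0):
    """Lagrange-interpolate the points and evaluate the result at x0."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("points must have distinct x values")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def implied_share(partial, guess, x):
    """Share value at x if the secret were `guess`, given k-1 real shares.

    Every guess yields a valid polynomial, so k-1 shares rule nothing out."""
    return interpolate_at(list(partial) + [(0, guess)], x)

if __name__ == "__main__":
    key = secrets.randbelow(2**256)            # constructed sample secret
    shares = make_shares(key, k=3, n=5)
    print("3 of 5 recover the key:", interpolate_at(shares[1:4]) == key)
    print("guess 0 implies share 3 =", implied_share(shares[:2], 0, 3))
```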

Page 11: Threshold Scheme Uses

- Fault tolerant key/secret escrow
- Multifactor authentication
  - Require multiple tokens, passwords, etc.
  - Allow for fault tolerance – lost token, e.g.
  - Helps discourage theft (can’t use stolen object without the other needed elements)
- Multiparty authorization
  - Require multiple parties to sign credential
  - May be based on roles – so any k can sign
  - May be made hierarchical

Page 12: Summary

- reviewed a range of topics:
  - Key escrow need, history, approaches
  - Secret sharing
  - Threshold schemes and uses