secret sharing using non-commutative groups

Secret Sharing Using Non-Commutative Groups

Bren Cavallo

The Graduate Center, CUNY

5/30/2013

Outline

1. Introduction

2. Shamir Secret Sharing and Habeeb-Kahrobaei-Shpilrain secretsharing

3. Adjustments to HKS secret sharing and analysis

Bren Cavallo Secret Sharing Using Non-Commutative Groups

What is Secret Sharing?

Secret sharing is a cryptographic protocol in which a dealerdistributes a secret via shares to participants such that only certainsubsets of participants can recover the secret.

The ideal setting is when dealing with information that is bothvery important but also highly sensitive.


What is Secret Sharing?

The fact that there are multiple shares, as opposed to one privatekey as in private key cryptography, makes the secret less likely tobe lost while still allowing high levels of confidentiality.

If any one share is compromised, other participants can stillreconstruct the secret, and since the secret is spread out overmultiple shares and is limited by its access structure, the subsets ofparticipants that can recover the secret, the secret remains secure.

Applications include multiparty encryption, threshold encryptionamong others, numbered bank accounts, and wills among others.


Formal Definition

A secret sharing scheme consists of a dealer, n participants, and anaccess structure A ⊆ 2{P1,··· ,Pn} such that for all A ∈ A andA ⊆ B ∈ 2{P1,··· ,Pn}, B ∈ A.

To share a secret s, the dealer runs an algorithm:

Share(s) = (s1, · · · , sn)

and then distributes each share si to Pi .


Formal Definition

In order to recover the secret, the participants run the algorithmRecover which has the following property that for all A ∈ A:

Recover({si : i ∈ A}) = s

and if A /∈ A then Recover is infeasible. As such, only groups ofparticipants in A can access the secret.

If a set B contains as a subset A ∈ A, then they could run Recoveron A and obtain the secret. Hence it makes sense to have B ∈ A


Threshold Secret Sharing Schemes

One of the more common access structures one sees in secretsharing is the (k , n) threshold:

A = {A ∈ 2{P1,··· ,Pn} : |A| ≥ k}

We call a secret sharing scheme with such an access structure a(k,n) threshold scheme.

The problem of discovering a non-trivial (k , n) scheme was solvedindependently by G. Blakely [3] and A. Shamir [12] in 1979.

Notice that this problem becomes non-trivial in part because theshares have to be consistent. This means any k person subsetrecovers the same secret.


Shamir’s Scheme

In Shamir’s scheme the secret is an element of Zp where p is aprime larger than n. Given a secret s the dealer generates theshares for a (k, n) threshold by doing the following:

The dealer randomly selects a1, · · · , ak−1 ∈ Zp such thatak−1 6= 0 and constructs the polynomialf (x) = ak−1x

k−1 + · · ·+ a1x + s

For each participant Pi the dealer publishes a correspondingxi ∈ Zp. The dealer distributes the share si = f (xi ) to each Pi

over a private channel.

Any subset of k participants can then reconstruct the polynomialf (x) by using polynomial interpolation and then finding f (0) = s.


Polynomial Interpolation

In order to reconstruct a polynomialf (x) = a0 + a1x + · · · ak−1xk−1 given points(x1, f (x1)), · · · , (xk , f (xk)) one can solve for the coefficientscolumn in the following system linear equations:

x1k−1 · · · x1

2 x1 1x2

k−1 · · · x22 x2 1

... · · ·...

......

xkk−1 · · · xk

2 xk 1

ak−1ak−2

...a0

=

f (x1)f (x2)

...f (xk)

One can see that k − 1 shares give no information about a0 as

there are k − 1 equations and k unknowns. Hence a0 could be anyelement in Zp.


Habeeb-Kahrobaei-Shpilrain Secret Sharing

In this case the secret, s, is an element of {0, 1}k which we view asa column vector. The scheme is initialized by making a set ofgenerators X = {x1, · · · , xn} public.

To each Pi the dealer distributes a set of words Ri in thealphabet X± over a private channel. The Ri are such thateach group Gi = 〈X |Ri 〉 has an efficient word problem.

The dealer randomly selects shares si ∈ {0, 1}k fori = 1, · · · , n − 1 and sn = s −

∑n−1j=0 sj . Note that addition is

the standard XOR.

For each i , the dealer publishes the words w1i , · · · ,wki overthe alphabet X± such that wji is trivial in Gi if sji = 1 andnon-trivial if sji = 0



Since the Gi have efficiently solvable word problem, each Pi

can effectively determine if the wji are trivial or not and canindependently find si

To recover the secret, the Pi add together the si and find s.

The wij can be made public, since the participants do notknow each others relators and cannot discern trivial versusnon-trivial words in another participants group.



The above (n, n) scheme can be further extended to an (k , n)scheme in the following fashion:

As is the case with Shamir’s scheme, the secret s is anelement of Zp and the shares, si are points along a randompolynomial of degree k − 1 with constant term s.

The dealer converts each si into its binary representation. Assuch, each share can again be viewed as a column vector.

The shares si are distributed in the same way as the (n, n)scheme. Trivial and non-trivial words a published such thatthe column each Pi recovers is si in binary.

The secret is then recovered with polynomial interpolation.


Shortlex Ordering

Let X = {x1, · · · , xn} and G = F (X ). A shortlex ordering on G isinduced by an order on X± as follows. Given reducedw = xi1 · · · xip and l = xj1 · · · xjq with w 6= l then w < l iff:

|w | < |l |or if |w | = |l | and xia < xja where a = minα{xiα 6= xjα}

For example, say we let X = {x , y} and give X± the orderingx < x−1 < y < y−1. Then the first bunch of words in order wouldbe:e < x < x−1 < y < y−1 < x2 < xy < xy−1 < x−2 < x−1y <x−1y−1 < yx < yx−1 < y2 < y−1x < y−1x−1 < y−2 < x3 <x2y < x2y−1 < xyx < xyx−1 < · · ·


Habeeb-Kahrobaei-Shpilrain Secret Sharing Using ShortlexOrdering

In this case, the dealer publishes the letters X and over aprivate channel sends a set of words, Ri in X± to each Pi

such that Gi = 〈X |Ri 〉 is a group with an efficient algorithmto reduce words to a normal form in terms of the Ri .

The dealer chooses a secret s ∈ Zp for some large primep > n and generates a random polynomial, f in Zp[x ] withconstant term s

The dealer assigns a public xi to each participant, computesf (xi ), and finds si ∈ F (X ) such that si is the f (xi )

th word inF (X ).


Habeeb-Kahrobaei-Shpilrain Secret Sharing Using ShortlexOrdering

The dealer publishes a word wi that reduces to si in Gi . Thiscan be done efficiently by interspersing conjugated products ofrelators between the letters of si .

Each participant, Pi computes their share by reducing wi toget si and then computing its position in F (X ).

Using their shares they find the secret using polynomialinterpolation.


HKS Secret Sharing Using Shortlex Ordering

It is important to realize the following:

si must be completely reduced in Gi .

Some reduction algorithms can be done in multiple ways giventhe same initial conditions, so it is important to fix a protocolso that whatever process Pi uses to reduce wi terminates at si .

If a random f (xi ) does not have a corresponding reducedword, the dealer can always assign Pi a different xi . In thecase of certain groups, words with small length are oftenreduced and the length of the si can be kept down since theygrow logarithmically with respect to the number of generatorsof the free group.


Analysis

Assuming that it is efficient to generate relators for groupswith the desired properties and that it is efficient to generaterandom small words, the above steps can be done efficiently.

Finding the position of any word in a free group or finding thei th word can be done with a combinatorial formula.

The wi can be made by inserting conjugated products ofrelators between the letters of si .


Analysis

The same relators can be used to share multiple secrets.Unlike with Shamir’s scheme, only the relators are sentprivately while the shares are published, making it so thatafter the initial private information is sent no new privateinformation has to be sent to share more secrets.

As such, the main security issue is being able to determine aparticipants relators. This could potentially be done based onthe public wi and learning the si after sharing.


Platform Group - Small Cancellation Groups

A word w is cyclically reduced if it is reduced under cyclicpermutations. This only occurs if the word is reduced in the firstplace and the first and last letters are not inverses.

A set of words R is called symmetrized if each word is cyclicallyreduced and the entire set and their inverses are closed under cyclicpermutation.

Given a set R we say that v is a piece if it is a maximal initialsubword of two different words, namely if there exists w1,w2 ∈ Rsuch that w1 = vr1 and w2 = vr2.


Platform Group - Small Cancellation Groups

A group G = 〈X |R〉 with symmetrized R satisfies the smallcancellation condition C ′(λ) for 0 < λ < 1 if for all r ∈ R suchthat r = vw where v is a piece, then |v | < λ|r |.

C ′(16) groups have the additional property that Dehn’s algorithmcan be used to check if words are trivial and runs in quadratic time.

Additionally, if the si are less than half the length of the relators,they are in a unique reduced form.


Updating Relators

A potential way to solve the previous problem could be toperiodically update the relators. This also allows for securityagainst an adversary that could access the relators by other meanssuch as by computer hacking. This can be done by doing thefollowing:

For each Pi the dealer creates a set of words, R ′i , in X± suchthat Gi = 〈X |R ′i 〉 satisfies the same desired properties.

In order to distribute each r ∈ R ′i , the dealer pads r withrelators in Ri as done previously and publishes them.

Pi then reduces r by using the relators in Ri .

After the full set of words in R ′i is published and reduced, Pi

deletes the original Ri and sets Ri := R ′i .


Updating Relators

If these steps are done before an adversary can gain adequateinformation about relators, then after an update phase theinformation an adversary has gained will be largely rendereduseless.

Due to the fact that any of the relators sent out in the updatephase must be reduced in the original Ri , the updated relators areaffected by the original ones. In that way, information gainedbefore the update phase could potentially be useful.


Conclusion

In conclusion, this secret sharing method allows multiple secrets tobe sent out after private information has been distributed.

Additionally, the participants can update their relators in a securefashion without any more information needing to be sent over aprivate channel. As such, methods to determine relators over timeare not as effective.

Thank you for attending my talk!


References I

28th Annual Symposium on Foundations of Computer Science,Los Angeles, California, USA, 27-29 October 1987. IEEEComputer Society, 1987.

Amos Beimel.Secret-sharing schemes: A survey.In IWCC, pages 11–46, 2011.

G. R. Blakley.Safeguarding cryptographic keys.Managing Requirements Knowledge, International Workshopon, pages 313–319, 1979.

Paul Feldman.A practical scheme for non-interactive verifiable secret sharing.In FOCS [1], pages 427–437.


References II

Maggie Habeeb, Delaram Kahrobaei, and Vladimir Shpilrain.A secret sharing scheme based on group presentations and theword problem.Contemporary Mathematics, 582, 2012.

Amir Herzberg, Markus Jakobsson, Stanisllaw Jarecki, HugoKrawczyk, and Moti Yung.Proactive public key and signature systems.In Proceedings of the 4th ACM conference on Computer andcommunications security, CCS ’97, pages 100–110, New York,NY, USA, 1997. ACM.

S.M. Jarecki.Proactive Secret Sharing and Public Key Cryptosystems.Massachusetts Institute of Technology, Department ofElectrical Engineering and Computer Science, 1996.


References III

D.L Johnson.Presentations of Groups.Cambridge University Press, 1997.

Jonathan Katz and Yehuda Lindell.Introduction to Modern Cryptography.Chapman and Hall/CRC Press, 2007.

Roger C. Lyndon and Paul E. Schupp.Combinatorial Group Theory.Springer Verlag, 1977.

Torben P. Pedersen.Non-interactive and information-theoretic secure verifiablesecret sharing.In CRYPTO, pages 129–140, 1991.


References IV

Adi Shamir.How to share a secret.Commun. ACM, 22(11):612–613, 1979.

Markus Stadler.Publicly verifiable secret sharing.In EUROCRYPT, pages 190–199, 1996.


secret sharing using non-commutative groups

Documents