Robust Password-Protected Secret Sharing
Michel Abdalla, Mario Cornejo, Anca Niţulescu, David Pointcheval
École Normale Supérieure, CNRS and INRIA, Paris, France
PPSS: Motivation

A user wants to store sensitive data (taxes, medical records, paychecks, top secret documents) at a cloud provider.
Stored as is, everyone might have access to the data.
Restricting access does not solve the problem: the provider still has access to the data.
Encrypting under a key derived from a password moves the trust to the user, but a password has to be memorable (and not too many of them), which exposes it to a dictionary attack.
Password-protected secret sharing (PPSS): the user's secret key is split among n servers (a keys store). With her password, the user can recover her secret key by using her password and some public information, interacting with t + 1 of the servers.
PPSS: Properties

Initialization: the secret and the password are processed together with the n servers.
Reconstruction: the user can recover the secret by interacting with a subset of t + 1 servers.
Robustness: the recovery is guaranteed if there are at least t_r non-corrupt servers.
Soundness: even if the adversary controls some of the servers, it cannot make the user recover a different secret.
Comparison with previous PPSS schemes

Scheme     Messages  Client  Inter-server  Robust  ZKP
BJSL11     4         PKI     PKI           No      Costly
CLLN14     10        Std     PKI           No      Costly
JKK14      2         CRS     None          Yes     Costly
JKKX16     2         CRS     None          No      No
This work  2         CRS     None          Yes     No
Overview of the construction: Secret Sharing Scheme -> Robust Gap Secret Sharing; Robust Gap Secret Sharing + OPRF -> PPSS.

[Figure: a secret is split into shares s_1, ..., s_n and recovered from a subset of them.]
How do we implement robustness?

Assume a set of valid shares $(s_1, \dots, s_n)$ from a threshold SSS.

Fingerprint function (a hash function $H$ onto $k$-bit strings): $(s_1, \dots, s_n) \mapsto (\sigma_1, \dots, \sigma_n)$ with $\sigma_i = H(s_i)$.

Generate a prime number $N$ with
$$2^{2k(n-t_r)+1} < N \le 2^{2k(n-t_r)+2}$$
and compute
$$S = \prod_{i=1}^{n} \sigma_i \bmod N.$$

Output: the shares $\{s_k\}_n$ together with $\mathsf{SSInfo} = (S, N)$.
How can we decide which are the valid sets of shares to reconstruct?

Given candidate shares $(s'_1, \dots, s'_n)$, of which at most $n - t_r$ are incorrect, and $\mathsf{SSInfo} = (S, N)$: compute the fingerprints $\tau_i = H(s'_i)$ and $T = \prod_{i=1}^{n} \tau_i \bmod N$. Then
$$\gamma = \frac{T}{S} = \frac{\tau_1 \tau_2 \tau_3 \cdots \tau_n}{\sigma_1 \sigma_2 \sigma_3 \cdots \sigma_n} = \frac{T'}{S'} \pmod N,$$
where the correct fingerprints ($\tau_i = \sigma_i$) cancel, so $T'$ is the product of the at most $n - t_r$ incorrect $\tau_i$ and $S'$ the product of the corresponding $\sigma_i$. Both are below $2^{k(n-t_r)}$, and the choice of $N$ guarantees that $T'$ and $S'$ can be recovered from $\gamma$ (rational reconstruction modulo $N$). The size of a gcd with $T'$ then tells the two cases apart:
$|\gcd(\tau_1, T')| \approx 1$: correct fingerprint!
$|\gcd(\tau_2, T')| \approx k$: incorrect fingerprint!
$|\gcd(\tau_3, T')| \approx 1$: correct fingerprint!
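As an added example (this is not code from the slides or from the authors), the following Python script runs the robustness mechanism above end to end on top of a Shamir (t, n) sharing: it derives k-bit fingerprints, picks the prime N and the product S, corrupts two of seven shares, recovers T' from γ with the extended Euclidean algorithm (rational reconstruction), and applies the gcd test to select the valid shares before interpolating. The field, hash, parameters and corrupted indices are constructed for the demo; the gcd threshold of k/2 bits is my concretization of "≈ 1 versus ≈ k".

```python
"""Robust gap threshold secret sharing: k-bit fingerprints, modular product S,
rational reconstruction of T'/S', gcd test. Constructed demo, not the authors' code."""
import hashlib
import random
from math import gcd

P = 2**127 - 1   # prime field of the Shamir scheme (Mersenne prime), demo choice
K = 32           # fingerprint length k in bits, demo choice


def fingerprint(i, share):
    """sigma_i = H(s_i): k-bit hash of the share (index mixed in as domain separator, forced odd)."""
    h = hashlib.sha256(i.to_bytes(2, "big") + share.to_bytes(16, "big")).digest()
    return (int.from_bytes(h, "big") >> (256 - K)) | 1


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with fixed-seed bases (deterministic demo)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.Random(0)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_modulus(n, t_r):
    """Smallest prime N with 2^(2k(n-t_r)+1) < N <= 2^(2k(n-t_r)+2)."""
    N = 2 ** (2 * K * (n - t_r) + 1) + 1
    while not is_probable_prime(N):
        N += 2
    return N


def share_gen(secret, n, t, t_r, rng):
    """Shamir (t, n) shares of `secret` plus SSInfo = (S, N)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    shares = [sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P for i in range(1, n + 1)]
    N = gen_modulus(n, t_r)
    S = 1
    for i, s in enumerate(shares, 1):
        S = S * fingerprint(i, s) % N
    return shares, (S, N)


def rational_reconstruction(gamma, N, bound):
    """Extended Euclid on (N, gamma): first remainder below `bound` gives (a, b) with a = gamma*b mod N."""
    r0, r1, t0, t1 = N, gamma % N, 0, 1
    while r1 >= bound:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return (r1, t1) if t1 > 0 else (-r1, -t1)


def find_valid_shares(candidates, ssinfo, n, t_r):
    """Indices (1-based) of the candidate shares whose fingerprint passes the gcd test."""
    S, N = ssinfo
    taus = [fingerprint(i, s) for i, s in enumerate(candidates, 1)]
    T = 1
    for tau in taus:
        T = T * tau % N
    gamma = T * pow(S, -1, N) % N                        # gamma = T/S = T'/S' mod N
    t_bad, _ = rational_reconstruction(gamma, N, 2 ** (K * (n - t_r)))
    # |gcd| ~ 1 bit: correct fingerprint; |gcd| ~ k bits: incorrect (threshold k/2 is a demo choice)
    return [i for i, tau in enumerate(taus, 1) if gcd(tau, t_bad).bit_length() <= K // 2]


def reconstruct(indices, candidates, t):
    """Lagrange interpolation at 0 from the first t+1 validated shares."""
    pts = [(i, candidates[i - 1]) for i in indices[: t + 1]]
    secret = 0
    for i, y in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num, den = num * (-j) % P, den * (i - j) % P
        secret = (secret + y * num * pow(den, -1, P)) % P
    return secret


def demo():
    """7 servers, t+1 = 4 shares reconstruct, robust against n - t_r = 2 corrupted shares."""
    n, t, t_r = 7, 3, 5
    rng = random.Random(2016)
    secret = int.from_bytes(b"constructed K||r", "big") % P
    shares, ssinfo = share_gen(secret, n, t, t_r, rng)
    received = list(shares)
    received[1] ^= 0x5A5A                 # servers 2 and 5 return corrupted shares (constructed)
    received[4] = (received[4] + 1) % P
    valid = find_valid_shares(received, ssinfo, n, t_r)
    return valid, reconstruct(valid, received, t) == secret


if __name__ == "__main__":
    print(demo())
```

The only per-share work on the user side is a hash and a gcd; no verification data is attached to individual shares, which is what lets the PPSS construction drop the verifiability requirement on the OPRF. If more than n − t_r shares are corrupted, T' exceeds the bound and the rational reconstruction no longer identifies the bad shares, so the gap between the reconstruction threshold and t_r is what the robustness guarantee rests on.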
OPRF building block: the server holds a key $sk$, the user holds $pw$, and the user learns $F(sk, pw)$ without revealing $pw$ to the server.

Initialization phase

Server $k$ holds an OPRF key pair $(pk_k, sk_k)$, for $k = 1, \dots, n$.
1. The user interacts with the $n$ servers to obliviously evaluate the PRF: $\pi_k = F_{sk_k}(pw)$.
2. The user forms $R = K \| r$ and shares it: $(s_1, \dots, s_n, \mathsf{SSInfo}) \leftarrow \mathsf{ShareGen}(R)$.
3. Each share is encrypted using the corresponding PRF evaluation: $\sigma_k = \pi_k \oplus s_k$.
4. The user computes a commitment $C = \mathsf{Commit}(pw, H(\{pk_k\}_n, \{\sigma_k\}_n, \mathsf{SSInfo}, K); r)$.
5. The user uploads the encrypted data $\mathsf{PInfo} = (\{pk_k\}_n, \{\sigma_k\}_n, \mathsf{SSInfo}, C)$ to the servers.
Reconstruction phase

1. The user retrieves $\mathsf{PInfo}$ from the servers and interacts with each server to obliviously evaluate $\pi_k = F_{sk_k}(pw)$.
2. She decrypts the shares: $s_k = \sigma_k \oplus \pi_k$ for $k = 1, \dots, n$.
3. $\mathsf{Reconstruct}(s_1, \dots, s_n) \stackrel{?}{=} R = K \| r$.
4. $\mathsf{Commit}(pw, H(\{pk_k\}_n, \{\sigma_k\}_n, \mathsf{SSInfo}, K); r) \stackrel{?}{=} C$.
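As an added example (not code from the slides or from the authors), the following Python script writes out both phases above with both sides of the OPRF exchange, using the blinded hashed-exponentiation OPRF shown in the backup slides (A = H1(pw)^α, B = A^sk, C = B^{1/α}, F_sk(pw) = H2(pw, pk, C)). Assumptions that are mine, not the paper's: a demo group Z_p^* with p = 2^127 − 1 and generator 2 (a prime-order group is required for security), H1, H2 and Commit built from SHA-256, a 128-bit K, and an n-out-of-n XOR sharing with empty SSInfo standing in for ShareGen (the paper plugs in the robust threshold scheme there).

```python
"""PPSS initialization and reconstruction over a hashed-DH style OPRF.
Constructed demo, not the authors' code."""
import hashlib
import secrets
from math import gcd

# Demo group: Z_p^* for p = 2^127 - 1 with generator g = 2. A prime-order group (elliptic curve
# or Schnorr subgroup) is required for security; this only illustrates the message flow.
P = 2**127 - 1
ORDER = P - 1                       # exponents live modulo the group order
G = 2


def h1(pw):
    """H1: password -> group element (demo: hash reduced modulo p, never zero)."""
    return int.from_bytes(hashlib.sha256(b"H1|" + pw).digest(), "big") % (P - 1) + 1


def h2(pw, pk, c):
    """H2(pw, pk, C): the OPRF output F_sk(pw), 32 bytes."""
    return hashlib.sha256(b"H2|" + pw + pk.to_bytes(16, "big") + c.to_bytes(16, "big")).digest()


def keygen():
    """Server key pair (pk = g^sk, sk)."""
    sk = secrets.randbelow(ORDER - 2) + 2
    return pow(G, sk, P), sk


def blind(pw):
    """Client: alpha <- Z*, A <- H1(pw)^alpha (alpha must be invertible modulo the order)."""
    while True:
        alpha = secrets.randbelow(ORDER - 2) + 2
        if gcd(alpha, ORDER) == 1:
            return alpha, pow(h1(pw), alpha, P)


def evaluate(sk, a):
    """Server: B <- A^sk; the server never sees pw."""
    return pow(a, sk, P)


def unblind(pw, pk, alpha, b):
    """Client: C <- B^(1/alpha) = H1(pw)^sk, then F_sk(pw) = H2(pw, pk, C)."""
    c = pow(b, pow(alpha, -1, ORDER), P)
    return h2(pw, pk, c)


def oprf_all(pw, servers):
    """Run the OPRF with every server k; returns the pi_k = F_{sk_k}(pw) and the pk_k."""
    pis, pks = [], []
    for pk, sk in servers:
        alpha, a = blind(pw)                                  # message to server k
        pis.append(unblind(pw, pk, alpha, evaluate(sk, a)))   # reply from server k
        pks.append(pk)
    return pis, pks


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def share_gen(R, n):
    """Stand-in for ShareGen: n-out-of-n XOR sharing, empty SSInfo (demo assumption)."""
    shares = [secrets.token_bytes(len(R)) for _ in range(n - 1)]
    last = R
    for s in shares:
        last = xor(last, s)
    return shares + [last], b""


def reconstruct(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor(out, s)
    return out


def digest(pks, sigmas, ssinfo, K):
    """H({pk_k}, {sigma_k}, SSInfo, K) with fixed-width encoding of every field."""
    h = hashlib.sha256()
    for pk in pks:
        h.update(pk.to_bytes(16, "big"))
    for s in sigmas:
        h.update(s)
    h.update(ssinfo)
    h.update(K)
    return h.digest()


def commit(pw, m, r):
    """Commit(pw, m; r) as a hash commitment (demo assumption)."""
    return hashlib.sha256(b"C|" + pw + m + r).digest()


def init(pw, K, servers):
    """Initialization phase: returns PInfo = ({pk_k}, {sigma_k}, SSInfo, C) to upload to every server."""
    r = secrets.token_bytes(16)
    R = K + r                                               # R = K||r
    pis, pks = oprf_all(pw, servers)
    shares, ssinfo = share_gen(R, len(servers))
    sigmas = [xor(pi, s) for pi, s in zip(pis, shares)]     # sigma_k = pi_k xor s_k
    return pks, sigmas, ssinfo, commit(pw, digest(pks, sigmas, ssinfo, K), r)


def recover(pw, pinfo, servers):
    """Reconstruction phase: K on success, None if the commitment check fails."""
    pks, sigmas, ssinfo, C = pinfo
    pis, _ = oprf_all(pw, servers)
    R = reconstruct([xor(sig, pi) for sig, pi in zip(sigmas, pis)])   # s_k = sigma_k xor pi_k
    K, r = R[:16], R[16:]
    if commit(pw, digest(pks, sigmas, ssinfo, K), r) != C:
        return None                                         # wrong password or tampered PInfo
    return K


def demo():
    servers = [keygen() for _ in range(3)]
    K = b"0123456789abcdef"                                 # constructed 128-bit secret
    pinfo = init(b"correct horse", K, servers)
    pks, sigmas, ssinfo, C = pinfo
    tampered = (pks, [bytes([sigmas[0][0] ^ 1]) + sigmas[0][1:]] + sigmas[1:], ssinfo, C)
    return (recover(b"correct horse", pinfo, servers) == K,
            recover(b"wrong password", pinfo, servers) is None,
            recover(b"correct horse", tampered, servers) is None)
```

The commitment binds the password, every public key, every ciphertext and the recovered K under the randomness r carried inside R, so a wrong password or a modified σ_k makes the final check fail and the user never accepts a wrong secret (soundness). Every password guess by an attacker costs one OPRF interaction with the servers, which is what the bound q_u/#Dict in the next slide counts.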
Security: we build simulators for each PRF. The adversary's probability is bounded by
the probability of guessing $pw$: $\Pr[\mathsf{PWinC}] = q_u / \#\mathsf{Dict}$,
plus the probability of breaking the OPRF: $\Pr[\mathsf{PWinF}] = \varepsilon$.
Conclusion
Robustness comes from the secret sharing scheme, which lets us avoid the verifiability requirements for the OPRF.
The efficiency gain comes from the simplification of the OPRF.
The costs are asymptotically equivalent to [JKK14], but in real life they are twice better.
Backup: fingerprint check, worked figure.

[Figure: given $T$ and $\mathsf{SSInfo} = (S, N)$, $\gamma = T/S = (\tau_1 \tau_2 \tau_3 \cdots \tau_n)/(\sigma_1 \sigma_2 \sigma_3 \cdots \sigma_n) = T''/S''$; successive animation steps show $|\gcd(\tau_1, T'')| \approx 1$ (correct fingerprint) and $|\gcd(\tau_2, T'')| \approx k$ (incorrect fingerprint).]
Backup: the OPRF. Server key $sk$ with $pk = g^{sk}$.
User: $\alpha \leftarrow \mathbb{Z}^*$, sends $A \leftarrow H_1(pw)^{\alpha}$.
Server: replies $B \leftarrow A^{sk}$.
User: $C \leftarrow B^{1/\alpha} = H_1(pw)^{sk}$ and $F_{sk}(pw) = H_2(pw, pk, C)$.
Backup: OPRF from homomorphic encryption with a proof. Input $x = (x_1, x_2, \dots, x_\ell) \in \{0,1\}^\ell$; server key $sk \in \mathbb{Z}_s$ with $pk$ and $\{c_i = \mathrm{Enc}_{pk}(a_i)\}$.
User: $\alpha \leftarrow G_s$, $C \leftarrow \mathrm{Enc}_{pk}\big(\alpha \times a_0 \prod_i a_i^{x_i}\big)$, sends $C$ together with $\mathrm{Proof}(\alpha, x_i)$.
Server: $D \leftarrow \mathrm{Dec}_{sk}(C)$, $G \leftarrow g^{D}$, sends $G$.
User: $R \leftarrow G^{1/\alpha}$.