(t,w) Threshold schemes - PowerPoint PPT Presentation

SLIDE 1

(t,w) Threshold schemes

• A master key K (e.g. for a Certificate Authority) is very sensitive to exposure or loss
  – exposure makes the whole system untrustable
  – loss makes the system inaccessible
• Extra copies reduce the risk of loss but increase the risk of exposure
• Solution: split K into w shadows K_1, ..., K_w such that
  – with t shadows, K can be recovered
  – with fewer than t shadows, K cannot be recovered (and nothing about it is learned)
• Give the w shadows to different users
  – exposure of fewer than t shadows is OK: an attacker holding t − 1 shadows learns nothing about K
  – loss of up to w − t shadows is OK: t shadows still remain

SLIDE 2

Shamir threshold scheme

• Use a random, secret polynomial of degree t − 1 over Z_p:

  $f(x) = a_{t-1} x^{t-1} + \cdots + a_1 x + a_0 \bmod p$

  – where $a_0 = K$, $p > K$, $p > w$, $p$ prime, and $a_1, \ldots, a_{t-1}$ are chosen uniformly at random from Z_p
• $K = f(0)$
  $K_i = f(x_i)$ for $i \in [1, w]$, with the $x_i$ distinct, non-zero and not secret
• Each pair $(x_i, K_i)$ is a point on the curve $f(x)$
  – t points uniquely determine a polynomial of degree t − 1
  – f(x), and thus K, can be reconstructed from t shadows but not from fewer: given only t − 1 points, every candidate value of K in Z_p is consistent with exactly one polynomial of degree t − 1, so the shadows reveal nothing about K

SLIDE 3

Shamir thresholds (cont)

• Given t shadows $K_{i_1}, \ldots, K_{i_t}$, f(x) is reconstructed e.g. by the Lagrange polynomial

  $f(x) = \sum_{j=1}^{t} K_{i_j} \prod_{l=1,\, l \neq j}^{t} \frac{x - x_{i_l}}{x_{i_j} - x_{i_l}} \bmod p$

  – to obtain K alone, evaluate this at x = 0 only
• Since arithmetic is in Z_p, division is multiplication by the inverse mod p; the inverse exists because p is prime and the $x_i$ are distinct.
• Features:
  – More shadows: compute f(x) for a new, unused x
  – Retract shadows: use a new polynomial with the same K and redistribute; old and new shadows cannot be combined
  – Users may have more than one shadow (e.g. the president)
• Other threshold schemes exist.

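The splitting, Lagrange reconstruction and "more shadows" feature from the two Shamir slides above, as an added worked example that is not code from the original slides. The modulus p = 2^127 − 1, the public points x_i = 1..w and the master key are assumptions constructed for the example.

```python
"""Shamir (t, w) threshold scheme over Z_p: split K into w shadows and recover
it from any t of them by Lagrange interpolation at x = 0."""
import secrets

# Prime modulus (assumption for this example): p must exceed both K and w.
# 2^127 - 1 is a Mersenne prime, large enough to carry a 16-byte key.
P = (1 << 127) - 1


def eval_poly(coeffs, x, p=P):
    """f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod p, coeffs = [a_0, ..., a_{t-1}]."""
    acc = 0
    for a in reversed(coeffs):          # Horner's rule
        acc = (acc * x + a) % p
    return acc


def split(K, t, w, p=P):
    """Dealer's step: a_0 = K, a_1..a_{t-1} uniformly random and secret,
    public distinct non-zero x_i = 1..w. Returns the w shadows (x_i, K_i)."""
    if not (0 <= K < p and 1 <= t <= w < p):
        raise ValueError("need 0 <= K < p and 1 <= t <= w < p")
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, w + 1)]


def interpolate(shadows, x, p=P):
    """Lagrange interpolation through the given points, evaluated at x:
       f(x) = sum_j K_{i_j} * prod_{l != j} (x - x_{i_l}) / (x_{i_j} - x_{i_l}) mod p
    Division in Z_p is multiplication by the modular inverse pow(d, -1, p),
    which exists because the x_i are distinct and p is prime."""
    xs = [xi for xi, _ in shadows]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for j, (xj, Kj) in enumerate(shadows):
        num, den = 1, 1
        for l, (xl, _) in enumerate(shadows):
            if l != j:
                num = num * (x - xl) % p
                den = den * (xj - xl) % p
        total = (total + Kj * num * pow(den, -1, p)) % p
    return total


def recover(shadows, p=P):
    """K = a_0 = f(0). With fewer than t shadows this interpolates a
    lower-degree polynomial whose value at 0 is unrelated to K."""
    return interpolate(shadows, 0, p)


def new_shadow(shadows, x_new, p=P):
    """'More shadows' feature: any t shadows determine f, so a shadow for an
    unused non-zero x is simply (x_new, f(x_new))."""
    if x_new % p == 0 or any(x_new == xi for xi, _ in shadows):
        raise ValueError("x_new must be non-zero and not already in use")
    return (x_new, interpolate(shadows, x_new, p))


def demo(t=3, w=5):
    """Constructed run: a random 128-bit master key under (3, 5) sharing."""
    K = int.from_bytes(secrets.token_bytes(16), "big") % P
    sh = split(K, t, w)
    assert recover(sh[:t]) == K                      # any t shadows suffice
    assert recover([sh[0], sh[2], sh[4]]) == K
    assert recover(sh[: t - 1]) != K                 # t - 1 shadows do not
    extra = new_shadow(sh[:t], x_new=w + 1)          # issue a 6th shadow later
    assert recover([sh[1], sh[3], extra]) == K
    return K


if __name__ == "__main__":
    print("recovered key:", hex(demo()))
```

Note that `new_shadow` needs t existing shadows (or the dealer's coefficients) as input, so issuing a shadow is itself a threshold operation; retracting a shadow, by contrast, means running `split` again with the same K and a fresh polynomial.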
SLIDE 4

Oblivious transfer

• A and B want to flip a coin by computer:
  – A picks two large primes p, q and sends n = pq to B
  – B picks a random x < n with gcd(x, n) = 1, and sends $a = x^2 \bmod n$ to A
  – A computes (by the Chinese Remainder Theorem) the four square roots of a mod n and sends one of them, chosen at random, to B
    • these are x, n − x, y, n − y, but A does not know which of them is B's x
  – If B receives y or n − y, he can find p and q: since $x^2 \equiv y^2 \pmod n$ but $y \not\equiv \pm x$, n divides $(x - y)(x + y)$ without dividing either factor, so gcd(x + y, n) is p or q (and the other prime is n divided by it). If he receives x or n − x, he learns nothing new and cannot factor.
  – B wins if he can factor n; each outcome has probability 1/2, and A cannot bias it because A cannot tell the roots apart.
• Can be used in contract signing protocols.