Post on 03-Apr-2018

216 Views

Category:

Documents

3 Downloads

Preview:

Click to see full reader

TRANSCRIPT

4th ETSI/IQC Workshop on Quantum-Safe Cryptography, 19-21 Sep 2016

Case study on long-lived system: “QKD perspective”

Masahide Sasaki
Email: psasaki@nict.go.jp
Tel: 042-327-6524

Framework of long-lived system

Introduced by Johannes Buchmann (TU Darmstadt)

Integrity:
- Commitment
- Timestamp
- “Proof of existence”
- Authenticated channels

Confidentiality:
- Distributed storage network
- Secret sharing
- QKD
- Private channels

Requirements for long-lived system

We want a system which can transmit, store, and process critical data securely for a century-scale time span.

Purpose and corresponding requirement:

1. Confidentiality: the data should be accessible only to authorized parties.
   Requirement: information-theoretically secure encryption

2. Integrity: the data should remain unaltered.
   Requirement: signature, authentication

3. Availability: the data should be available whenever required.
   Requirement: redundant data backup, fail-safe mechanism

4. Functionality: the data can be processed without decryption.
   Requirement: fully homomorphic encryption

An implementation of long-lived system: secret sharing, (k, n)-threshold scheme

Multiple new data items are created from the original data and stored in multiple data servers.

An implementation of long-lived system: secret sharing + QKD

Secret sharing, (k, n)-threshold scheme, covers:
1. Confidentiality of storage
3. Availability
4. Functionality

QKD covers:
1. Confidentiality of data link

2. Integrity: digital signature, authentication. It is sufficient to ensure short-term security for a certain period until re-sharing.

(k, n) threshold secret sharing (Shamir, 1979)

Owner, sharing phase:
- Secret data s
- Generate a polynomial of order k-1: f(x) = s + a(1) x + ... + a(k-1) x^(k-1), so that f(0) = s
- Create n coordinates, the “shares”: [1, f(1)], ..., [n, f(n)]
- Distribute the shares to the shareholders

Owner, data restored:
- Collect k of the shares
- Interpolate the polynomial
- Reconstruct secret data s as f(0)

Ex. (3,5)-threshold scheme

Information-theoretic confidentiality: with fewer than k-1 shares, the original data can never be reconstructed by an attacker; infinitely many polynomials remain possible.

Availability: with more than k shares, the polynomial f(x) can be specified. Even if n-k shares are lost, the data can be reconstructed.

Functionality (full homomorphism): shares can be added and multiplied.

Shamir’s secret sharing scheme itself cannot realize integrity. The security of the channels for data transmission is just assumed.



QKD link and private channel

Tokyo QKD Network links: NEC-0, NEC-1, NTT-NICT, Toshiba, SeQureNet, Gakushuin

- KMS: secure key supply to the point of interface
- Document owner, connected over a private channel
- Distributed storage network: the shareholders

The supplied keys are used for:
- Encrypting the private channels
- Generating the polynomials for secret sharing

Assumptions 1/2

- The trusted node (QKD platform) is in a vault, which needs to be protected at the expense of the necessary costs.
- The document owner and the shareholders are outside the vault areas.
- Access rights to the QKD platform and to the document owner / the shareholders are completely separated.

Assumptions 2/2

- One-way firewall between the QKD platform and the users: it allows secure key transfer out and blocks malicious commands.
- Tamper-resistant metal cable of short distance.
- User authentication.


Integrity protection

(1) Timestamp chains of unconditionally hiding commitments (TU Darmstadt and NICT)
The cost for generating and maintaining a proof of existence is independent of the document size.
J. Braun, et al., https://eprint.iacr.org/2016/742

(2) Single-password secret sharing authentication + Wegman-Carter MAC
User friendly, but consumes a lot of keys (30 times as long as the document size per store-retrieve cycle).
Fujiwara, Waseda, Nojima, Moriai, Ogata and Sasaki, Scientific Reports, 6:28988 (2016). On-line

Tutorial example: (3, 3) threshold scheme

The owner holds document D and generates a 2nd order polynomial f(x) = s + a(1) x + a(2) x^2, where s is the document D. Share j of D is f(j): the owner sends f(1), f(2) and f(3) to the three shareholders.

Single-password SS authentication

Passwords have been used in many cases because they are simple and convenient. However, a password is not completely secure, at least not information-theoretically secure. So we make shares of the password and store them in multiple holders: we keep the convenience of a password with information-theoretic security.

Fujiwara, Waseda, Nojima, Moriai, Ogata and Sasaki, Scientific Reports, 6:28988 (2016). On-line

Single-password SS authentication: protocol, (3, 3) tutorial case

(1) The owner creates and sends shares of the document D and of the password P, using
    2nd order polynomial fD(x) = D + aD(1) x + aD(2) x^2
    1st order polynomial fP(x) = P + aP(1) x
    Shareholder j receives the share of data fD(j) and the share of password fP(j), j = 1, 2, 3.

(2) Each shareholder j generates a random number Rj.

(3) Each shareholder makes shares of Rj using a 1st order polynomial fRj(x) = Rj + aRj(1) x, giving fRj(1), fRj(2), fRj(3).

(4) Each shareholder generates shares of “0” using a 2nd order polynomial f0j(x) = a0j(1) x + a0j(2) x^2 such that f0j(0) = 0, giving f0j(1), f0j(2), f0j(3). These are used to mask the document shares fD(j) in the reconstruction phase.

(5) The shareholders exchange the shares of Rj and “0” with each other, so that shareholder i holds fR1(i), fR2(i), fR3(i) and f01(i), f02(i), f03(i) in addition to fD(i) and fP(i).

(6) The owner remembers the password, say P’, and generates shares of P’ using a 1st order polynomial fP’(x) = P’ + aP’(1) x.

(7) The owner sends the password shares fP’(1), fP’(2), fP’(3) to the shareholders.

(8) The shareholders compute the three quantities R(j), Z(j) and F(j):
    R(j) = fR1(j) + fR2(j) + fR3(j)
    Z(j) = f01(j) + f02(j) + f03(j)
    F(j) = [fP(j) - fP’(j)] R(j) + Z(j) + fD(j)

(9) The shares F(1), F(2) and F(3) are sent to the owner and discarded on the shareholder side.

(10) The owner finds the polynomial F(x) from F(1), F(2) and F(3) by interpolation.

(11) If the password is wrong, P’ ≠ P, then fD(1), fD(2) and fD(3) are masked by R(1), R(2), R(3), Z(1), Z(2) and Z(3). No information on D is leaked.

(12) If the password is correct, P’ = P, then
    F(j) = Z(j) + fD(j)
    and, since Z(0) = 0, F(0) = fD(0) = D.
    The owner can reconstruct the original document as F(0). Congratulations!

To go beyond the limit of the threshold number “k”

An attacker may actively move around the shareholders. It is likely that the number of corrupted shareholders must increase as time elapses.

Proactive secret sharing: renewal of shares at certain intervals. Keys are consumed.
A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, CRYPTO'95, LNCS 963, 339, 1995.

Key rates of QKD

QKD link vendor   Protocol          Transmission length (km)                 Secure key rate (bps)   Loss (dB)
NEC-0             BB84 with decoy   50 (spooled fiber, NICT premise)         200k                    10
NEC-1             BB84 with decoy   22 (field installed, 95% aerial line)    200k                    13
Toshiba           BB84 with decoy   45 (field installed, 50% aerial line)    300k                    14.5
NTT-NICT          DPS-QKD           90 (field installed, 50% aerial line)    10k                     28.6
Gakushuin         CV-QKD            2 (NICT premise)                         100k                    2

To prevent being bottlenecked by the slowest QKD link (10 kb/s), keys are relayed between appropriate KMAs. The minimum throughput of key supply to each private channel can thus be raised to KeyRate_QKD = 40 kb/s.

Document size to be handled

Toward higher key rates:
- Dense wavelength division multiplexing (100~1000 channels)
- Fast key distillation processing

The document size we can handle:
    size_s = t_s * KeyRate_QKD / n(n-1)
where t_s is the interval of share renewal and n is the number of shareholders.

Assume that t_s = 10 years and n = 4.
- KeyRate_QKD = 40 kb/s (our current network): size_s = 131 GB
- KeyRate_QKD = 1 Mb/s @ 50 km (in a few years): size_s = 3.3 TB
- KeyRate_QKD = 1 Gb/s @ 50 km (challenge): petabyte size, e.g. human genomic data of 4100 persons

Summary

Proof-of-principle demonstration of a long-lived system:
- Integrity: timestamp chains of unconditionally hiding commitments; password secret sharing authentication
- Confidentiality: secret sharing + QKD

Future works
- Implementation of proactive secret sharing
- Improvement of QKD key rate

Thank you for your attention

Collaborators

Fujiwara, Sasaki, NICT
Yoshino, Tajima, Ochi, Sakamoto, Shimamura, Asami, Kondo, Izuka, Domeki, NEC
Dynes, Dixon, Sharpe, Yuan, Lucamarini, Shields, Toshiba
Honjo, Tamaki, Shimizu, NTT
Hirano, Gakushuin U.
Tomita, Hokkaido U.
Shibata, Yamanaka, Kobayashi, Tsurumaru, Matsui, Mitsubishi
Waseda, Nojima, Moriai, NICT
Ogata, TITech
Braun, Demirel, Geihs, Buchmann, TU Darmstadt

(Figure labels: Tokyo QKD Network, secret sharing, long-lived system)