
Security of Linear Secret-Sharing Schemes Against Mass Surveillance

Ruxandra F. Olimid

Crypto vs. Mass Surveillance: The Uneasy Relationship Workshop 2016

November 14, 2016 Trondheim, Norway

3

Secret Sharing Schemes (SSS)

Split a secret into shares such that the secret can be recovered only by using an authorised set of shares

7

Visual SSS

[Figure: two visual examples, each of the form secret image = share image + share image]


8

All-or-Nothing SSS

1000 1101 = 1011 0110 XOR 0011 1011

0??? ???? = 1011 0110 XOR 1??? ????

???? ???? = 1011 0110 XOR ???? ????


9

Linear SSS

$S = M \cdot \begin{pmatrix} s \\ r \end{pmatrix}$
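In a linear scheme the shares are a matrix product over a finite field, taken over the secret s and the dealer's randomness r. As an added example (not from the slides or the paper), the Python below instantiates this with Shamir's threshold scheme: the Vandermonde matrix M, the prime field size and all function names are assumptions made for illustration. It also shows why an unauthorised set learns nothing: t-1 shares are consistent with every candidate secret.

```python
# Added example: Shamir's scheme written as a linear SSS, S = M * (s, r)^T mod P.
import secrets

P = 2**61 - 1  # prime modulus (assumed field size for this illustration)

def share_matrix(n, t):
    """Vandermonde matrix M: row i is (1, x, ..., x^(t-1)) with x = i + 1."""
    return [[pow(x, j, P) for j in range(t)] for x in range(1, n + 1)]

def deal(secret, n, t, randomness=None):
    """Return the n shares S = M * (s, r_1, ..., r_{t-1})^T over GF(P)."""
    r = randomness if randomness is not None else [secrets.randbelow(P) for _ in range(t - 1)]
    vec = [secret % P] + list(r)
    return [sum(m * v for m, v in zip(row, vec)) % P for row in share_matrix(n, t)]

def solve(rows, rhs):
    """Gauss-Jordan elimination mod P for a square, invertible system."""
    k = len(rows)
    a = [row[:] + [b] for row, b in zip(rows, rhs)]
    for c in range(k):
        piv = next(i for i in range(c, k) if a[i][c])
        a[c], a[piv] = a[piv], a[c]
        inv = pow(a[c][c], -1, P)
        a[c] = [v * inv % P for v in a[c]]
        for i in range(k):
            if i != c and a[i][c]:
                f = a[i][c]
                a[i] = [(vi - f * vc) % P for vi, vc in zip(a[i], a[c])]
    return [a[i][k] for i in range(k)]

def reconstruct(indexed_shares, n, t):
    """Recover s from t shares given as (party_index, share), 0-based index."""
    if len(indexed_shares) < t:
        raise ValueError("unauthorised set: fewer than t shares")
    M = share_matrix(n, t)
    chosen = indexed_shares[:t]
    return solve([M[i] for i, _ in chosen], [sh for _, sh in chosen])[0]

def consistent_randomness(indexed_shares, guess, n, t):
    """For t-1 shares and ANY guessed secret, find the r that explains them."""
    M = share_matrix(n, t)
    rows = [M[i][1:] for i, _ in indexed_shares]
    rhs = [(sh - M[i][0] * guess) % P for i, sh in indexed_shares]
    return solve(rows, rhs)
```
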

11

Connection to Mass Surveillance?

Motivation: management of cryptographic keys

[A.Shamir, How to Share a Secret (1979)]

12

Real-Life Scenario: DNSSEC

https://www.youtube.com/watch?v=1LLHPnxQm-M

https://www.iana.org/dnssec/ceremonies

https://www.nanog.org/sites/default/files/1_Lewis_Rolling_the_Root_Zone_DNSSEC_Key_Signing_Key.pdf

13

Assumptions

(1) decouple the user from the dealer
(2) the dealer only interacts with the user

16

Assumptions

(3) big brother controls some servers (not enough to reconstruct!)
(4) big brother might have previously interacted with the dealer

18

Existing Work

[Crypto’14]

[EuroCrypt’97]

randomisation

Encryption

Key Exchange

Signature Schemes

[’04]

19

Security of Linear Secret-Sharing Schemes Against Mass Surveillance

- Based on the paper by -

Irene Giacomelli, Ruxandra F. Olimid, Samuel Ranellucci

Aarhus University, Denmark; University of Bucharest, Romania

Special thanks to Samuel Ranellucci for kindly allowing me to build my presentation on top of the slides he had used for CANS'15.

20

Parties

21

Goals

User

• wants to hide secrets from big brother
• wants to detect if big brother is trying to learn the secret
• might use a detector

Big Brother

• wants to learn the user's secret
• wants to hide that he is trying to learn the secret
• might previously subvert the dealer

22

Successful Subversion

Surveillance

23

Successful Subversion

Undetectability

25

Successful Resilience

No surveillance

26

Successful Resilience

Detectable subversion

28

Results

29

Shares Replacement Attack

Subverted dealer:

• generates t shares using big brother's PK such that:
  • big brother uses SK to reconstruct (part of) s from the t corrupted shares (surveillance)
  • the t shares are indistinguishable from shares generated by an honest dealer (undetectability)
• fixes the above shares and extends to the full set of shares

30

Shares Replacement Attack (t>1)

31

Subversion Resilience

40

Thank you!

Q&A
