Security of Linear Secret-Sharing Schemes Against Mass SurveillanceRuxandra F. Olimid
Crypto vs. Mass Surveillance: The Uneasy Relationship Workshop 2016
November 14, 2016 Trondheim, Norway
2
Security of
Linear Secret-Sharing Schemes
Against Mass Surveillance
3
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only by using an authorised set of shares
4
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
5
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
6
Secret Sharing Schemes (SSS)
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
7
Visual SSS
= +
= +
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
8
All-or-Nothing SSS
1000 1101 = 1011 0110 XOR 0011 1011
0??? ???? = 1011 0110 XOR 1??? ????
???? ???? = 1011 0110 XOR ???? ????
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
9
Linear SSS
s
rMS = .
Split a secret into shares such that the secret can be recovered only from authorised sets of shares
10
Linear SSS s
rMS = .
11
Connection to Mass Surveillance?
Motivation: management of cryptographic keys
[A.Shamir, How to Share a Secret (1979)]
12
Real-Life Scenario: DNSSEC
https://www.youtube.com/watch?v=1LLHPnxQm-M
https://www.iana.org/dnssec/ceremonies
https://www.nanog.org/sites/default/files/1_Lewis_Rolling_the_Root_Zone_DNSSEC_Key_Signing_Key.pdf
13
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
14
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
15
Assumptions
(1) decouple the user from the dealer (2) the dealer only interacts with the user
16
Assumptions
(3) big brother controls some servers (not enough to reconstruct!) (4) big brother might had previously interacted with the dealer
17
Assumptions
(3) big brother controls some servers (not enough to reconstruct!) (4) big brother might had previously interacted with the dealer
18
Existing Work
[Crypto’14]
[EuroCrypt’97]
randomisation
Encryption
Key Exchange
Signature Schemes
…
[’04]
19
Security of Linear Secret-SharingSchemes Against Mass Surveillance
- Based on the paper by -
Irene Giacomelli, Ruxandra F.Olimid , Samuel Ranellucci
Aarhus University, Denmark; University of Bucharest, Romania
Special thanks to Samuel Ranellucci for kindly allowing meto build my presentation on top of the slides he had used for CANS`15.
20
Parties
21
GoalsUser
Big Brother
wants to hide secrets from big brother
wants to learn the user`s secret
wants to detect if big brother is trying to learn the secret
might use a detector
wants to hide that he is trying to learn the secret
might previously subvert the dealer
22
Successful Subversion
Surveillance
23
Successful Subversion
Undetectability
24
Successful Subversion
25
Successful Resilience
No surveillance
26
Successful Resilience
Detectable subversion
27
Successful Resilience
28
Results
29
Shares Replacement Attack
Subverted dealer:
• generates t shares using big brother`s PK such that: • big brother uses SK to reconstruct (part of) s from
the t corrupted shares (surveillance) • the t shares are indistinguishable from shares
generated by a honest dealer (undetectability)
• fixes the above shares and extends to the full set of shares
30
Shares Replacement Attack (t>1)
31
Subversion Resilience
32
Subversion Resilience
33
Subversion Resilience
34
Subversion Resilience
35
Subversion Resilience
36
Subversion Resilience
37
Subversion Resilience
38
Subversion Resilience
39
Subversion Resilience
40
Thank you!
Q&A