Post on 14-Aug-2020

  • Security of Linear Secret-Sharing Schemes Against Mass Surveillance

    Ruxandra F. Olimid

    Crypto vs. Mass Surveillance: The Uneasy Relationship Workshop 2016

    November 14, 2016 Trondheim, Norway

  • 3

    Secret Sharing Schemes (SSS)

    Split a secret into shares such that the secret can be recovered only by using an authorised set of shares

  • 4

    Secret Sharing Schemes (SSS)

    Split a secret into shares such that the secret can be recovered only from authorised sets of shares

  • 7

    Visual SSS

    [Figure: image = share + share]

    Split a secret into shares such that the secret can be recovered only from authorised sets of shares

  • 8

    All-or-Nothing SSS

    1000 1101 = 1011 0110 XOR 0011 1011

    0??? ???? = 1011 0110 XOR 1??? ????

    ???? ???? = 1011 0110 XOR ???? ????

    Split a secret into shares such that the secret can be recovered only from authorised sets of shares

  • 9

    Linear SSS

    $S = M \cdot (s, r)^T$

    Split a secret into shares such that the secret can be recovered only from authorised sets of shares

  • 10

    Linear SSS

    $S = M \cdot (s, r)^T$
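An added example (not from the slides or the underlying paper): Shamir's threshold scheme written in the linear form of the slide above, S = M · (s, r)^T, with M a Vandermonde matrix and reconstruction as a linear combination of an authorised set's shares. The prime modulus, function names and parameters are assumptions chosen for illustration.

```python
import secrets

P = 2**127 - 1  # prime modulus (constructed choice for this example)

def vandermonde(n, t, p=P):
    """Matrix M: the row of party i (i = 1..n) is (1, i, i^2, ..., i^(t-1)) mod p."""
    return [[pow(i, j, p) for j in range(t)] for i in range(1, n + 1)]

def deal(secret, n, t, r=None, p=P):
    """Share vector S = M . (s, r)^T; r is the dealer's randomness (t-1 values)."""
    if not 1 < t <= n < p:
        raise ValueError("need 1 < t <= n < p")
    if r is None:
        r = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(r) != t - 1:
        raise ValueError("r must have t-1 entries")
    x = [secret % p] + [ri % p for ri in r]
    M = vandermonde(n, t, p)
    return {i + 1: sum(m * v for m, v in zip(row, x)) % p
            for i, row in enumerate(M)}

def recombination_vector(parties, p=P):
    """Weights lam with sum(lam_i * row_i of M) = (1, 0, ..., 0),
    i.e. the Lagrange coefficients evaluated at 0."""
    parties = list(parties)
    lam = {}
    for i in parties:
        num = den = 1
        for j in parties:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        lam[i] = num * pow(den, -1, p) % p
    return lam

def reconstruct(shares, t, p=P):
    """Recover s as a linear combination of the shares of an authorised set."""
    if len(shares) < t:
        raise ValueError("unauthorised set: fewer than t shares")
    subset = dict(list(shares.items())[:t])
    lam = recombination_vector(subset.keys(), p)
    return sum(lam[i] * s for i, s in subset.items()) % p
```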

  • 11

    Connection to Mass Surveillance?

    Motivation: management of cryptographic keys

    [A.Shamir, How to Share a Secret (1979)]

  • 12

    Real-Life Scenario: DNSSEC

    https://www.youtube.com/watch?v=1LLHPnxQm-M

    https://www.iana.org/dnssec/ceremonies

    https://www.nanog.org/sites/default/files/1_Lewis_Rolling_the_Root_Zone_DNSSEC_Key_Signing_Key.pdf

  • 13

    Assumptions

    (1) decouple the user from the dealer

    (2) the dealer only interacts with the user

  • 16

    Assumptions

    (3) big brother controls some servers (not enough to reconstruct!)

    (4) big brother might have previously interacted with the dealer

  • 18

    Existing Work

    [Crypto’14]

    [EuroCrypt’97]

    randomisation

    Encryption

    Key Exchange

    Signature Schemes

    [’04]

  • 19

    Security of Linear Secret-Sharing Schemes Against Mass Surveillance

    - Based on the paper by -

    Irene Giacomelli, Ruxandra F. Olimid, Samuel Ranellucci

    Aarhus University, Denmark; University of Bucharest, Romania

    Special thanks to Samuel Ranellucci for kindly allowing me to build my presentation on top of the slides he had used for CANS'15.

  • 20

    Parties

  • 21

    Goals

    User:

    • wants to hide secrets from big brother
    • wants to detect if big brother is trying to learn the secret
    • might use a detector

    Big Brother:

    • wants to learn the user's secret
    • wants to hide that he is trying to learn the secret
    • might previously subvert the dealer

  • 22

    Successful Subversion

    Surveillance

  • 23

    Successful Subversion

    Undetectability

  • 24

    Successful Subversion

  • 25

    Successful Resilience

    No surveillance

  • 26

    Successful Resilience

    Detectable subversion

  • 27

    Successful Resilience

  • 28

    Results

  • 29

    Shares Replacement Attack

    Subverted dealer:

    • generates t shares using big brother's PK such that:
        • big brother uses SK to reconstruct (part of) s from the t corrupted shares (surveillance)
        • the t shares are indistinguishable from shares generated by an honest dealer (undetectability)

    • fixes the above shares and extends to the full set of shares

  • 30

    Shares Replacement Attack (t>1)

  • 31

    Subversion Resilience

  • 40

    Thank you!

    Q&A