Proactive secret sharing

Last updated

Proactive secret sharing is an underlying technique in Proactive Security Protocols. It is a method to update distributed keys (shares) in a secret sharing scheme periodically such that an attacker has less time to compromise shares and as long as the attacker visits less than a threshold or a quorum group, the system remains secure. This contrasts to a non-proactive scheme where if the threshold number of shares are compromised during the lifetime of the secret, the secret is compromised. The model which takes time constraints into account was originally suggested as an extension of the notion of Byzantine fault tolerance where redundancy of sharing allows robustness into the time domain (periods) and was proposed by Rafail Ostrovsky and Moti Yung in 1991. [1] The method has been used in the areas of cryptographic protocols in secure multi-party computation and in threshold cryptosystems.

Contents

Motivation

If the players (holders of the shared secret) store their shares on insecure computer servers, an attacker could crack in and steal/learn the shares. Since it is not often practical to change the secret, the un-compromised (honest) (Shamir-style) shares should be updated in a way that they generate the same secret, yet the old shares are invalidated. There is also a need to recover shares of previously corrupted servers, and the community of honest server is needed to perform the recovery. This assures the longevity of the secure and recoverable sharing, or secure and correct secure computation protocols. If one needs to maintain sharing while changing the number of servers or the threshold, then proactive method with share recovery enables this, as was originally shown by Frankel and others. [2] The ability of distributing the secret (codeword) and then recovering the distributed shares as the proactive secret sharing method does, was recognized as much needed in storage systems around 2010, and in reaction, coding theorists renamed the method, further refined it, and formalized is as `regenerating codes' and `locally recoverable codes.'

Mathematics

This follows somewhat the work in. [3] In order to update the shares, the dealers (i.e., the persons who gives out the shares; and in a distributed system it is all participants one at a time) generates a new random polynomial with constant term zero and calculates for each remaining player a new ordered pair, where the x-coordinates of the old and new pairs are the same. Each player then adds the old and new y-coordinates to each other and keeps the result as the new y-coordinate of the secret.

All of the non-updated shares the attacker accumulated become useless. An attacker can only recover the secret if he can find enough other non-updated shares to reach the threshold. This situation should not happen because the players deleted their old shares. Additionally, an attacker cannot recover any information about the original secret from the update process because it only contains random information.

The dealer can change the threshold number while distributing updates, but must always remain vigilant of players keeping expired shares as in. [4] However this is a somewhat limited view since the original methods gives the community of server the ability to be the re-sharing dealer and the regenerator of lost shares.

Example

The following example has 2 shares and a threshold of 2 with 2 players and 1 dealer. Since shares and polynomials are only valid for a certain time period, the time period they are valid is denoted with a superscript.

See also

Related Research Articles

A finite difference is a mathematical expression of the form f (x + b) − f (x + a). If a finite difference is divided by ba, one gets a difference quotient. The approximation of derivatives by finite differences plays a central role in finite difference methods for the numerical solution of differential equations, especially boundary value problems.

In mathematics, a recurrence relation is an equation according to which the th term of a sequence of numbers is equal to some combination of the previous terms. Often, only previous terms of the sequence appear in the equation, for a parameter that is independent of ; this number is called the order of the relation. If the values of the first numbers in the sequence have been given, the rest of the sequence can be calculated by repeatedly applying the equation.

<span class="mw-page-title-main">Moment of inertia</span> Scalar measure of the rotational inertia with respect to a fixed axis of rotation

The moment of inertia, otherwise known as the mass moment of inertia, angular mass, second moment of mass, or most accurately, rotational inertia, of a rigid body is a quantity that determines the torque needed for a desired angular acceleration about a rotational axis, akin to how mass determines the force needed for a desired acceleration. It depends on the body's mass distribution and the axis chosen, with larger moments requiring more torque to change the body's rate of rotation by a given amount.

In numerical analysis, polynomial interpolation is the interpolation of a given bivariate data set by the polynomial of lowest possible degree that passes through the points of the dataset.

<span class="mw-page-title-main">Product rule</span> Formula for the derivative of a product

In calculus, the product rule is a formula used to find the derivatives of products of two or more functions. For two functions, it may be stated in Lagrange's notation as

In mathematics, the Hodge star operator or Hodge star is a linear map defined on the exterior algebra of a finite-dimensional oriented vector space endowed with a nondegenerate symmetric bilinear form. Applying the operator to an element of the algebra produces the Hodge dual of the element. This map was introduced by W. V. D. Hodge.

Secret sharing refers to methods for distributing a secret among a group, in such a way that no individual holds any intelligible information about the secret, but when a sufficient number of individuals combine their 'shares', the secret may be reconstructed. Whereas insecure secret sharing allows an attacker to gain more information with each share, secure secret sharing is 'all or nothing'.

In topology, Lebesgue's number lemma, named after Henri Lebesgue, is a useful tool in the study of compact metric spaces. It states:

In mathematics, the Alexander polynomial is a knot invariant which assigns a polynomial with integer coefficients to each knot type. James Waddell Alexander II discovered this, the first knot polynomial, in 1923. In 1969, John Conway showed a version of this polynomial, now called the Alexander–Conway polynomial, could be computed using a skein relation, although its significance was not realized until the discovery of the Jones polynomial in 1984. Soon after Conway's reworking of the Alexander polynomial, it was realized that a similar skein relation was exhibited in Alexander's paper on his polynomial.

In mathematics, a Hurwitz matrix, or Routh–Hurwitz matrix, in engineering stability matrix, is a structured real square matrix constructed with coefficients of a real polynomial.

In mathematics, Hensel's lemma, also known as Hensel's lifting lemma, named after Kurt Hensel, is a result in modular arithmetic, stating that if a univariate polynomial has a simple root modulo a prime number p, then this root can be lifted to a unique root modulo any higher power of p. More generally, if a polynomial factors modulo p into two coprime polynomials, this factorization can be lifted to a factorization modulo any higher power of p.

In mathematics, differential algebra is, broadly speaking, the area of mathematics consisting in the study of differential equations and differential operators as algebraic objects in view of deriving properties of differential equations and operators without computing the solutions, similarly as polynomial algebras are used for the study of algebraic varieties, which are solution sets of systems of polynomial equations. Weyl algebras and Lie algebras may be considered as belonging to differential algebra.

In mathematics, especially in combinatorics, Stirling numbers of the first kind arise in the study of permutations. In particular, the Stirling numbers of the first kind count permutations according to their number of cycles.

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.

In mathematics, a Witt vector is an infinite sequence of elements of a commutative ring. Ernst Witt showed how to put a ring structure on the set of Witt vectors, in such a way that the ring of Witt vectors over the finite field of order is isomorphic to , the ring of -adic integers. They have a highly non-intuitive structure upon first glance because their additive and multiplicative structure depends on an infinite set of recursive formulas which do not behave like addition and multiplication formulas for standard p-adic integers.

<span class="mw-page-title-main">Genus of a multiplicative sequence</span> A ring homomorphism from the cobordism ring of manifolds to another ring

In mathematics, a genus of a multiplicative sequence is a ring homomorphism from the ring of smooth compact manifolds up to the equivalence of bounding a smooth manifold with boundary to another ring, usually the rational numbers, having the property that they are constructed from a sequence of polynomials in characteristic classes that arise as coefficients in formal power series with good multiplicative properties.

<span class="mw-page-title-main">Amoeba (mathematics)</span> Set associated with a complex-valued polynomial

In complex analysis, a branch of mathematics, an amoeba is a set associated with a polynomial in one or more complex variables. Amoebas have applications in algebraic geometry, especially tropical geometry.

Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information among a group. The secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.

A two-dimensional conformal field theory is a quantum field theory on a Euclidean two-dimensional space, that is invariant under local conformal transformations.

In mathematics, especially representation theory and combinatorics, a Frobenius characteristic map is an isometric isomorphism between the ring of characters of symmetric groups and the ring of symmetric functions. It builds a bridge between representation theory of the symmetric groups and algebraic combinatorics. This map makes it possible to study representation problems with help of symmetric functions and vice versa. This map is named after German mathematician Ferdinand Georg Frobenius.

References

  1. Rafail Ostrovsky, Moti Yung: How to Withstand Mobile Virus Attacks (Extended Abstract). PODC 1991: 51-59
  2. Yair Frankel, Peter Gemmell, Philip D. MacKenzie, Moti Yung: Optimal Resilience Proactive Public-Key Cryptosystems. FOCS 1997: 384-393
  3. Herzberg, Amir; Jarecki, Stanislaw; Hugo, Krawczyk; Yung, Moti (1995). "Proactive Secret Sharing or: How to Cope with Perpetual Leakage". CRYPTO '95: Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology. London, UK: Springer-Verlag. pp. 339–352. ISBN   978-3-540-60221-7 . Retrieved June 14, 2010.
  4. Yevdokimov, Aleksey (2009). "Dynamic system of proactive security". 2009 International Conference on Application of Information and Communication Technologies. IEEE. pp. 1–4. doi:10.1109/ICAICT.2009.5372541. ISBN   978-1-4244-4739-8. S2CID   11732393.