Proactive Secret Sharing - Distributed Security Mechanisms

2.4 Distributed Security Mechanisms

2.4.8 Proactive Secret Sharing

Proactive Secret Sharing (PSS) schemes were introduced to protect long-lived shares of cryptographic keys. Threshold cryptography increases the availability and the security of a secret key, but it is still

possible to attack enough shareholders to reconstruct the secret. Shares can become corrupt, so there is no guarantee that the secret can be reconstructed.

PSS solves the most problems for long-lived shares of keys. The principle of PSS is to introduce time periods. In each time period the shares of the shareholders are updated, and potential attackers are not able reconstruct the secret with shares from different time periods. Thus, the time periods have to be adapted, so that an attacker cannot gain access to more than k shares. Furthermore, PSS offers the possibility of identifying and recovering corrupted shares or shareholders.

In order to further explain the principles of PSS, the scheme of Herzberg et al. (HJKY95) is illustrated in more detail. This PSS scheme is modified by the URSA scheme (see Section 2.4.7.4) in order to work with RSA signatures.

2.4.8.1 Herzberg’s Proactive Secret Scheme

Initialisation Phase

In initialisation phase a dealer D is needed to distributes the shares of the secret s. Therefore, the dealer follows Feldman’s verifiable secret sharing scheme (Section C.2.2.1). If the initialisation phase is performed correctly, each shareholder has a valid share and no accusations against the dealer are broadcast. If an accusation is broadcast, some responses are required as described later in this section (2.4.8.1).

Reconstruction Phase

The reconstruction phase is similar to the phase presented in Section 2.4.4.1. k shares are sent directly to the secret requester, who can now reconstruct the secret. This approach can be adjusted to suit RSA secret sharing (see Section 2.4.8.2).

Update Phase

After initialisation phase, all shares are distributed to the different shareholder. To increase the security of these shares, they are updated at predefined time intervals. At the end of such an update phase, each shareholder has a new share, but the secret s remains the same. To successful update all shares, all shareholders have to participate in the update process. The following steps are performed in the update phase between time period t and t + 1:

• Each shareholder Pi(i=1..n) picks k − 1 random numbers and creates a polynomial di(x)of degree k-1, where d(0) = 0, following Equation 2.12.

di(x) = d1x + d2x2+ . . . + dk−1xk−1= k−1 X

j=1

djxj mod q (2.12)

• Pi creates the updated shares uij = di(j) and computes the verification values guij. The share uij and the verification value are sent secretly to shareholder Pj. The verification values of the coefficients of the update function (gdi_{, i = {1 . . . k − 1}) are broadcast to all shareholders.}

• If shareholder Pihas received the updated shares and verification values from all shareholders (that are participating the update process), it checks the correctness of the shares (using Equation C.13). If some failures occur, shareholder Pi broadcasts an accusation against the corresponding shareholder. If the equation holds, shareholder Pi adds the received shares to its old share s

(t) i and obtains the new share s(t+1)_i (Equation 2.13).

-15 -10 -5 0 5 10 15 -4 -2 0 2 4

Current Sharing Polynomials

(a) Current sharing polynomial

-15 -10 -5 0 5 10 15 -4 -2 0 2 4 Update Polynomials (b) Update polynomials -15 -10 -5 0 5 10 15 -4 -2 0 2 4

Resulting Sharing Polynomials

Figure 2.7: Graphical representation of the update phase

s(t+1)_i = s(t)_i + n X

j=1

uji (2.13)

• To protect the secret, all received updated shares and old shares are erased completely.

A graphical representation of these steps is shown in figure 2.7. The graph in the upper left represents the function used to reconstruct the secret s in time period t. The graph in the upper right shows the update functions of two shareholders used to compute new shares without changing the secret s. Thus these functions are zero in the point of origin. If these two functions are added to the first function, the third function is created (shown in the graph in the lower middle).

Recovery Phase

In recovery phase, corrupted shareholders are identified and recovered. This is necessary to provide the continuous number of shareholders that have to be available to reconstruct the secret s. Otherwise, an attacker can consecutively destroy or corrupt the shares of the shareholder to inhibit the reconstruction of the secret.

To identify and remember a corrupted share, each shareholder generates a list of good and bad shareholders. This list is generated after the initialisation or update phase and contains all malicious shareholders identified after resolving the accusations. Additionally, the shares of all shareholders not involved in the last update phase have to be recovered.

In addition to the obviously malicious shareholders, the shareholders attacked in the last time period have to be identified. Herbage et al. proposed that all shareholders store the public verification values of the shares (gsi_{, i ∈ {1 . . . n}) broadcast during initialisation phase. If the shares are updated, these}

verification values will be updated too by using Equation 2.14.

gs(t+1)i = gs (t) i n Y j=1 guji _(2.14)

whereas s(t+1)_i is the share from time period t + 1 and ujiis the updated value that is added to the share s(t)_i by shareholder Pi.

To identify a malicious shareholder, each shareholder broadcasts the verification value of its actual share. Then all shareholders can decide by majority count which shares are valid. This results in a list of malicious shareholders that is the same for each shareholder.

To recover the corrupted shares the share recovery protocol is performed. In the following, B indicates a set of malicious or bad shareholders that are identified by the correct shareholders located in the set A (A ∩ B = ). At least k correct shareholders are needed to recover the secret and the following steps must be performed.

• Each shareholder Pi ∈ A chooses for each malicious shareholder Bk ∈ B a random function d(x) of degree k − 1 with d(k) = 0. This can be achieved with Equation 2.15

dk(x) = d1x + d2x2+ . . . + dk−1xk−1− k−1 X

i=1

dikimod q (2.15)

whereas k is the variable of the malicious shareholder Bk used to generate its share and di (i = {0, . . . , k}) are the coefficients of function dk(x).

• Then Pisend the value uk:ij = dk(j)secretly to each shareholders Pj ∈ A.

• Pj uses the received shares uk:ij from each Pi∈ A to compute a share for Bkusing Equation 2.16.

sjk = sj+ X

i∈A

uk:ij (2.16)

where sj is the share of shareholder Pj and uk:ij is the recovery value generated by shareholders Pi∈ A for Pj. The resulting share sjkis transmitted secretly from Pj to Bk.

• The malicious shareholder Bk ∈ B receives the shares sjk from at least k shareholder Pj ∈ A and uses Lagrange interpolation to recover its share (see Equation 2.17)

sk = k X j=1 sjk k Y i=1;i6=j k − i j − i (2.17)

Resolving Accusations

If during initialisation, update, or reconstruction phase one or more accusations are broadcasted, the malicious participants must be identified. Two possibilities exist:

• Discard all shares from the accused shareholder

• Try to identify the malicious participant (the accused shareholder or the accuser)

In the first case, all shareholders ignore the messages send by accused shareholders and the shares of the shareholder are reconstructed like in reconstruction phase. But this offers an attacker the possibility to accuse any shareholder and to make the reconstruction of a secret impossible. In the second case the accused shareholder defends itself by showing that its share is correct. Therefore, the accused shareholder publishes the accused share and maybe additional information, to demonstrate that this is the same share that was sent to the accuser. Now, all shareholders can check the correctness of this share. If the shareholders decide that the published share is correct, the accused shareholder defended itself successfully and the accuser is marked as bad and thus is added to a list of bad shareholders (B). Then the bad shareholders are recovered in the recovery phase.

In the following proactive secret sharing for URSA and for Threshold BLS are discussed.

2.4.8.2 Proactive Secret Sharing Using the URSA Scheme

Update Phase

The URSA scheme (LKZ+_{04) uses the previously presented update phase of (HJKY95). To differenti-} ate between the various updated shares, version numbers are introduced.

Recovery Phase

The recovery phase is based, in part, on (HJKY95) (see Section 2.4.8.1). To recover a lost share k shareholders cooperate and use Lagrange interpolation (see Equation 2.18). Whereas si:r is the share that is sent from shareholder Pito Pr.

sr= k X i=1 si k Y j=1;j6=i r − j i − j = k X i=1 si:r (2.18)

To avoid a situation where shareholder Pr is not able to compute the distributed secret (the private key), the k shareholder communicate in advance and add random numbers to their shares. This is the difference from (HJKY95). Herzberg proposed generating recovery functions that are zero at the index of the shareholder (see Section 2.4.8.1). (LKZ+_{04) proposed using random numbers. Each shareholder} communicates with the k − 1 other shareholders and they exchange random numbers. The shareholder with the higher ID treats the random number as positive, the shareholder with the lower ID as negative. So each shareholder gets k − 1 random numbers and sums them to its own share si:r. These shares are sent to Pr that uses Equation 2.17 modulo N to recover its share.

Verification of Shares

In (LKZ+_{04) it is written that the verification methods proposed by (Fel87) or (Ped91b) can be used.} However, one important limitation exists, because of the fact that the shares are computed modulo N . Let f (x) = f0+ f1x + . . . + fk−1xk−1mod (N )be the function used to generate update shares si= f (i). The verification values of this function are gf0_{, g}f1_{, . . . , g}fk−1 and the verification values of the shares are

gsi_{. With regard to Equation C.13, the share s}

ican be verified by checking gsi mod N = gf (i)mod N = Qk−1

j=0(g

fj₎ij _{mod N}_{. This is not applicable to the scheme presented above, since f}

iij 6= fiij mod N. Especially gsi _{mod N = g}

Pk−1

Security

For the URSA-scheme, the potential for an attack exists when proactive secret sharing is applied, because there is information leakage during the update phase. The attack is described in (JSY04, Sax06). The attack is successful if an adversary compromises any set of at most t members in the update group in every update round. When compromised, the adversary learns the corresponding private key share and can control the participants’ behaviour during the update phase.

The attack can be applied if the attacker has successful attacked k − 1 shareholder (in set B) and is able to compute the value S = P

i∈Bsi. Then the attacker requests a signature. By constructing the final signature, the attacker gets the value of α (c.p. Equation 2.11) and learns if the value of the private key d is greater or less than S mod N . This is because S < αN if and only if d < S mod N . Otherwise d ≥ S mod N if and only if S ≥ αN . By choosing an appropriate update function, the shareholder can control the value of S and can isolate the value of the secret. Therefore, the attacker has to be the last shareholder that distributes update shares. Based on the update shares received from other shareholder he can choose his own update values and generate a value of S at will.

At first blush, this attack seems to be very dangerous. But in practise, it is very unlikely that the same group of k − 1 attacked shareholders will be chosen multiple times to generate a signature in cooperation with only one good shareholder. However, to avoid this attack or problem, one has to change the group that generates the signatures randomly. Additionally, the threshold can be increased so that we have an (b, k, n)threshold scheme with b < k.

In (Sax06) the efficiency analysis of the attack shows that the private key can be compromised after 163 rounds for 1024-bit N , e = 65537 and t = 7, if (1) t members of the update group are corrupted and one of them speaks last during the update phase; and if (2) in every update phase some h honest participants participate in a signature process.

In (Sax06) a solution to the information leakage is presented. However, this solution relies on additive secret sharing, which is why it cannot be applied for autonomous distributed systems with a dynamic number of participants.

Summary

2.4.8.3 Proactive BLS-Scheme

The BLS-scheme satisfies the requirements for secure proactive secret sharing stated in (HJJK97) and (HJKY95), which have been described in Section 2.4.8.1. Therefore, these schemes can be applied. Threshold BLS applies Pedersen’s Verifiable Secret Sharing (Section 2.4.5.1) within the proactive secret sharing phases.

Summary

Proactive Threshold BLS offers all mechanisms that are desired for an application in p2p systems. These are distributed key generation and verification of update shares. Further the signing process of Threshold BLS is efficient. Accordingly, it is the best choice if signatures are to be created in a fully distributed manner in a p2p system.

In document Trusted Accounting in Peer-to-Peer Environments - A Novel Token-based Accounting Scheme for Autonomous Distributed Systems (Page 52-57)