2.4 Distributed Security Mechanisms
2.4.2 Secret Sharing
A main objective of this dissertation is to build a trustworthy accounting scheme for p2p systems without the use of a trusted entity in the system, so a distributed basis of trust is required. This section introduces security mechanisms that can be applied to autonomous distributed systems, as they do not rely on a centralised trusted entity.
2.4.3 Multisignatures vs. Threshold Cryptography
There are two different types of security mechanisms that allow for the creation of a document that can be signed by several signees. These are multisignature schemes and threshold cryptography schemes that build on secret sharing.
In multisignature schemes (Oka88, MOR01, Bol03) multiple peers sign a message sequentially; the signature $s_i$ is computed from the previous signature $s_{i-1}$ and the signee's private key. The resulting signature has the length of a single signature. To verify the signature, all public keys of the signees are required. Many multisignature schemes support verification independent of the signing order. However, for verification the signees' public keys must be known. As signees can be offline when a verification is required, multisignature schemes require the availability of the certification authority that issued the peers' key pairs. This would rely heavily on a central trusted entity in order to establish trust in p2p systems. Therefore, multisignature schemes are not a valid solution for building a fully decentralised trustworthy accounting scheme for p2p systems.
The second alternative for creating signatures with several signees is threshold cryptography. Threshold schemes use secret sharing to split a key into many parts, called shares. A specific threshold of signees is required to create a signature with the key. Each signee creates a partial signature with its key share, and all partial signatures are then combined by the peer requesting the signature. The created signature is anonymous. Signature verification is performed with the public key corresponding to the shared private key. Furthermore, key pairs can be generated and managed in a completely decentralised way using proactive secret sharing.
Summary
In conclusion, threshold cryptography can be applied in p2p systems without relying on a certificate authority, as multisignature schemes require. The process reviewed below includes how to share a secret, i.e., a secret private key, among the participants of the distributed autonomous system (or among a group of its participants) and how to apply the shared secret in order to sign documents in a distributed, trusted manner. It is of utmost importance that the secret never be compromised nor known to a single participant. Otherwise, it would be necessary for the participant to be trusted, which we cannot assume. This section starts with the introduction of secret sharing and extends the concept to threshold cryptography and proactive secret sharing.
2.4.4 Secret Sharing
This section presents basic secret sharing schemes and evaluates their usefulness for application in autonomous distributed systems like p2p.
Secret sharing can be defined as follows: a trusted dealer TP gives each player $P_i$ a secret share $ss_i$ of the secret s in such a way that any group of t or more players can together reconstruct the secret, but no group of fewer than t players can do this. Here, t is called the threshold and n is the total number of players.
A simple secret sharing technique is so-called XOR secret sharing. Here, the secret s is split into n − 1 random parts, and part $s_n$ is obtained by combining the secret s with all the parts $s_1, s_2, \dots, s_{n-1}$ using the XOR function, so that the XOR of all n parts yields s again. It is not applicable for signing messages, but it can be used to explain the basic concept of secret sharing. Further details are given in Appendix C.2.1.1.
Another frequently used secret sharing technique is called “additive secret sharing”. This scheme is often used in threshold cryptography schemes. In additive secret sharing a secret s is split into n parts, and part $s_n$ is computed from the other n − 1 parts. When a secret key is created and shared among peers, all shares have to be created at the same time; additional shares cannot be created later. Therefore, additive secret sharing is not applicable to p2p systems, where membership is dynamic. Additive secret sharing is used and presented in (Rab98) and (JS05). Further details about additive secret sharing are given in Appendix C.2.1.2.
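The two (n, n) schemes just described, as an added example that is not code from the dissertation or its appendix: XOR sharing over byte strings, additive sharing modulo an arbitrary modulus, and, to show why additive sharing is popular in threshold cryptography schemes, a toy RSA key (N = 3233, a constructed value) whose private exponent d is shared additively modulo φ(N) so that the partial signatures multiply to the full signature without any party reassembling d. The optional `rands` parameter and all sample values are constructed for this illustration.

```python
"""(n, n) secret sharing: XOR sharing and additive sharing.

Added illustration, not code from the dissertation or its appendix; every
parameter and sample value is constructed for this example.
"""
import secrets
from functools import reduce


def xor_bytes(*parts):
    """Bytewise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*parts))


def xor_split(secret, n, rands=None):
    """XOR secret sharing: s_1..s_{n-1} are random, and s_n is chosen so that
    s_1 XOR ... XOR s_n == secret. `rands` lets a caller supply the n-1 random
    parts (useful for deterministic tests); by default the OS CSPRNG is used."""
    if n < 2:
        raise ValueError("need at least two shares")
    if rands is None:
        rands = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    parts = list(rands)
    if len(parts) != n - 1 or any(len(p) != len(secret) for p in parts):
        raise ValueError("need exactly n-1 random parts of the secret's length")
    return parts + [xor_bytes(secret, *parts)]


def xor_combine(shares):
    """Only the XOR of all n shares yields the secret; any n-1 shares are
    uniformly random and reveal nothing about it."""
    return xor_bytes(*shares)


def additive_split(secret, n, modulus, rands=None):
    """Additive secret sharing: s_1..s_{n-1} random modulo `modulus`,
    s_n = secret - (s_1 + ... + s_{n-1}) mod modulus. The modulus need not be
    prime; the RSA illustration below shares the exponent d modulo phi(N)."""
    if not 0 <= secret < modulus:
        raise ValueError("secret must lie in [0, modulus)")
    if rands is None:
        rands = [secrets.randbelow(modulus) for _ in range(n - 1)]
    parts = list(rands)
    if len(parts) != n - 1:
        raise ValueError("need exactly n-1 random parts")
    return parts + [(secret - sum(parts)) % modulus]


def additive_combine(shares, modulus):
    """Sum of all n shares modulo `modulus`; again, all n shares are required."""
    return sum(shares) % modulus


def combine_partial_rsa_signatures(message, exponent_shares, N):
    """Why additive sharing suits threshold cryptography: if d_1 + ... + d_n == d
    (mod phi(N)), each holder computes the partial signature m^{d_i} mod N and
    the product of the partials equals m^d mod N. The exponent d itself is never
    reassembled by anyone. Toy construction, not the schemes of (Rab98)/(JS05)."""
    signature = 1
    for d_i in exponent_shares:
        signature = signature * pow(message, d_i, N) % N
    return signature


if __name__ == "__main__":
    # Constructed toy RSA key: N = 61 * 53, phi(N) = 3120, e = 17, d = 2753.
    N, PHI, E, D = 3233, 3120, 17, 2753
    d_shares = additive_split(D, 3, PHI)
    sig = combine_partial_rsa_signatures(65, d_shares, N)
    print("partial-signature product verifies:", pow(sig, E, N) == 65)
    print("XOR round trip:", xor_combine(xor_split(b"top secret", 4)) == b"top secret")
```

Both schemes are (n, n): leaving out a single share leaves the remaining shares looking like uniform random data, and the last share is derived from all the others, which is exactly why no additional share can be issued once the dealer has finished.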
Another secret sharing scheme was developed by Blakely et al. in (Bla79). Its major disadvantage is that the secret has to be completely reconstructed in order to create signatures. In p2p systems a peer would then learn the secret key, which is not acceptable. Further details are given in Appendix C.2.1.3.
2.4.4.1 Shamir’s Secret Sharing
Shamir’s secret sharing scheme is one of the most important secret sharing schemes. It is presented in (Sha79), and many other secret sharing schemes are based on it. The goal of (Sha79) is to divide a secret s into n pieces $s_1, \dots, s_n$ (called shares) in such a way that:
1. knowledge of any k or more pieces $s_i$ makes s easily computable;
2. knowledge of any k − 1 or fewer pieces leaves s completely undetermined (in the sense that all its possible values are equally likely). (cf. (Sha79))
In the literature, such a scheme is called a (k, n)-threshold scheme. This means that one needs at least k shares to reconstruct the secret and that it is not possible to reconstruct the secret with at most k − 1 shares. To obtain a robust threshold scheme, Shamir proposed creating at least n = 2k − 1 shares. If k − 1 shares are corrupted, it is guaranteed that at least k shares are not corrupted and the secret can be reconstructed correctly.
For reconstruction, polynomial interpolation is used. With polynomial interpolation it is possible to reconstruct a polynomial f(x) of degree k − 1 from k points of the function. In general, a dealer creates a function f(x) that represents the secret s at f(0) (f(0) = s) and distributes points of the function to the different shareholders. k of these points are then used for reconstruction of the secret s. The details are described in the next section and follow the work of Shamir (Sha79).
Initialisation Phase
In the initialisation phase, a dealer generates the shares of the secret s and transmits these shares to the different shareholders. The following steps are performed:
1. The dealer D creates a function f (x) of degree k − 1 with f (0) = s (using Equation 2.1)
$$f(x) = s + \alpha_1 x + \alpha_2 x^2 + \dots + \alpha_{k-1} x^{k-1} \bmod q = s + \sum_{i=1}^{k-1} \alpha_i x^i \bmod q \qquad (2.1)$$
where $\alpha_1, \dots, \alpha_{k-1}$ are random numbers modulo a prime q. The prime q has to be greater than the value of the secret s and greater than the largest index $x_i$ used to generate a share.
2. D computes n = 2k − 1 points $(x_i, y_i)$:
$$\{\, y_i = f(x_i) \mid i \in \{1, \dots, n\} \wedge x_i \neq x_j \text{ for } i \neq j \,\} \qquad (2.2)$$
These points represent the shares $(s_1, \dots, s_n)$ of the secret s.
3. These shares $(s_1, \dots, s_n)$ are then distributed secretly to the corresponding shareholders.
Reconstruction Phase
To reconstruct the secret, at least k shareholders have to cooperate. As mentioned above, reconstruction is based on polynomial interpolation. The Lagrange interpolation is presented in Equation 2.3 (from (BAM00)). $y_j$ represents the share of shareholder $P_j$ and $x_j$ is the value of the variable used to generate $y_j$. In the following, $x_j$ is called the index, because it is assumed that $x_j = j$ for shareholder $P_j$.
$$f(x) = \sum_{j=1}^{k} y_j \prod_{i=1,\, i \neq j}^{k} \frac{x - x_i}{x_j - x_i} \bmod q \qquad (2.3)$$
Figure 2.5: Classical reconstruction of a secret
A simple approach to reconstruct the secret is to send at least k shares to one shareholder, which reconstructs the secret using Equation 2.3 (see Figure 2.5).
Since complete reconstruction of the secret s gives an attacker the opportunity to obtain s, other approaches were developed. Some approaches that use the shares for the distributed generation of an RSA signature are presented in Section 2.4.7.1.
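As an added worked example (not code from the dissertation), the following Python implements the initialisation and reconstruction phases above: the dealer polynomial of Equation 2.1, the n = 2k − 1 shares of Equation 2.2, and the Lagrange interpolation of Equation 2.3 evaluated at x = 0 as in Figure 2.5. It goes one step beyond the text by also evaluating Equation 2.3 at an unused index, which yields a share for a node that joins after the initialisation phase without anyone reconstructing s. The prime q = 101, the secret and the coefficients are constructed toy values; the function names are this example's own.

```python
"""Shamir's (k, n) threshold secret sharing over the integers modulo a prime q,
implementing Equations 2.1-2.3 (dealer polynomial, shares, Lagrange interpolation).

Added illustration, not code from the dissertation; all parameters are constructed
and the prime is kept small for readability (a real deployment uses a large prime).
"""
import secrets


def eval_poly(coeffs, x, q):
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1] x + ... mod q (Equation 2.1),
    with coeffs[0] = s and coeffs[i] = alpha_i."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % q
    return result


def make_shares(secret, k, q, n=None, alphas=None):
    """Initialisation phase: the dealer picks alpha_1..alpha_{k-1} at random, builds
    f of degree k-1 with f(0) = s, and hands out the points (x_i, y_i) with x_i = i
    (Equation 2.2). n defaults to 2k-1, Shamir's robust choice. `alphas` may be
    supplied explicitly for deterministic tests."""
    if n is None:
        n = 2 * k - 1
    if not 0 <= secret < q:
        raise ValueError("q must be larger than the secret")
    if n >= q:
        raise ValueError("q must be larger than the largest index x_i")
    if alphas is None:
        alphas = [secrets.randbelow(q) for _ in range(k - 1)]
    if len(alphas) != k - 1:
        raise ValueError("a degree k-1 polynomial needs exactly k-1 random coefficients")
    coeffs = [secret] + list(alphas)
    return [(i, eval_poly(coeffs, i, q)) for i in range(1, n + 1)]


def lagrange_at(points, x, q):
    """Equation 2.3 evaluated at an arbitrary x from the given (x_j, y_j) points.
    With k points this reproduces f exactly; with fewer it yields a different,
    lower-degree polynomial and therefore a wrong value."""
    xs = [xj for xj, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("indices x_j must be pairwise distinct")
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xi, _ in points:
            if xi != xj:
                num = num * (x - xi) % q
                den = den * (xj - xi) % q
        # pow(den, -1, q) is the modular inverse; q prime and distinct x_i guarantee it exists
        total = (total + yj * num * pow(den, -1, q)) % q
    return total


def reconstruct(points, q):
    """Classical reconstruction (Figure 2.5): f(0) = s from at least k shares."""
    return lagrange_at(points, 0, q)


def new_share(points, x_new, q):
    """Share for a node joining after initialisation: k existing shares determine f,
    so evaluating Equation 2.3 at x_new instead of 0 yields a valid share (x_new, f(x_new)).
    This goes beyond the text, which only evaluates at x = 0."""
    if any(xj == x_new for xj, _ in points):
        raise ValueError("index already in use")
    return (x_new, lagrange_at(points, x_new, q))


if __name__ == "__main__":
    q, s, k = 101, 42, 3
    shares = make_shares(s, k, q)              # n = 2k-1 = 5 shares
    print("any k shares:", reconstruct(shares[1:4], q) == s)
    print("k-1 shares:", reconstruct(shares[:2], q) == s)   # wrong value, except by a 1/q chance
    late = new_share(shares[:k], 6, q)
    print("late joiner's share works:", reconstruct([shares[0], shares[4], late], q) == s)
```

Note that `new_share` as written still needs one party to hold k shares at once, which in this toy form is as dangerous as reconstructing s; in a deployed system each of the k shareholders would instead evaluate its own Lagrange term at x_new and send only that term to the joining node, who sums them. That refinement is outside this page's scope and is not shown here.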
2.4.4.2 Summary
In order to apply secret sharing within the autonomous distributed systems space (more specifically p2p) a secret sharing scheme should fulfil a set of requirements.
In autonomous distributed systems, nodes join and leave the system in an unpredictable manner, so it cannot be assumed that all nodes will be online at a specific time. Therefore, (n, n)-secret sharing schemes cannot be applied, only (k, n)-secret sharing schemes. Thus, XOR sharing is not suited for autonomous distributed systems.
Further, new nodes might join the system after the initial sharing of the secret, and such nodes should also receive a share. Accordingly, in the initialisation phase no share should be calculated from all the other shares created, because then no new shares could be created after the initialisation phase. Therefore, additive sharing is also not suited for autonomous distributed systems.
As a last requirement, it is important that no single node can learn the secret when the shares are used either to sign a message or to encrypt a message. Shamir’s secret sharing offers this ability; Blakely’s scheme does not. This ability is explained in further detail in the following section.
To conclude the secret sharing discussion: only Shamir’s secret sharing scheme is suited for autonomous distributed systems. Therefore, in the following, only security mechanisms applying Shamir’s secret sharing are discussed.