[tor-dev] PrivCount - Draft of secret-sharing specification
Ian Goldberg
iang at cs.uwaterloo.ca
Wed Sep 27 12:26:36 UTC 2017
Thanks for the writeup! Some notes inline.
On Mon, Sep 25, 2017 at 09:26:13AM +0200, Carolin Zöbelein wrote:
> 1. Introduction
>
> Assume, we have a given secret s which we want to share with a particular
> number N of participants who are only together be able to reconstruct it.
> To realize this, we can split our secret in n parts s_i. Our secret will be
> then the sum over all s_i. This is the simplest secret sharing scheme at all.
> Since it needs all participants for the reconstruction, it is called a (N,N)
> treshold secret sharing algorithm.
>
> But we also see that it has weaknesses. With every leaked share s_i, an
> adversary can reduce the number of possible soulutions for our secret very
> easily. This leads to the group of more efficient secret sharing algorithms.
This is not true. Even if N-1 of the shares are exposed, *zero
information* about the secret is leaked!
> In [4], Adi Shamir introduced a (K,N) secret sharing scheme which is named
> after him and offers more security.
Shamir secret sharing is not more secure than the above additive secret
sharing. But it is more flexible, as you allude to below.
> Additionally, on the contrary to our
> scheme above, we only need a minimum amount of k out of n participants to
> reconstruct the secret. Our specification will be based on this scheme.
>
> 3. Overview and preliminaries
>
> In this section, we make some preparations for the protocol specification
> itself.
>
> 3.1. Scope
>
> In this document we describe the protocol specification for a Shamir
> Secret Sharing scheme on a finite field of size p > s and p > N, with p
> be prime number.
If your secrets are large (more than one machine word), this isn't
actually the best way to do it. But teor's followup message suggested
using 64-bit p, which would be fine. (p = 2^63-25, for example.)
> The secret sharing protocol has three participating parties which we will
> call as follows:
>
> Secret Keeper (SK) knows the secret, does the initial setup and
> determines the secret shares.
The SK is typically called the "Dealer".
> 2. The SK generate a random prime number p, with p > s AND p > N.
> [see sec. 5.3.]
(See notes in 5.3 below, and similarly for the other points in this
section.)
> 5. Specification
>
> Now we will give more details to the raw outline above.
>
> 5.1. Given constants
>
> "s", type: int, exactly one, integer
> The given secret.
As you say below, s is an element of Z/pZ, not precisely an integer.
> "N", type: int, exactly one, natural number
> The number of participating SHs.
> It MUST to be N >= N_min.
>
> => TODO: Which value should N_min has? Default: N_min = 2?
>
> "K", type: int, exactly one, natural number
> The threshold of the minimum number of necessary shares for the
> reconstruction.
> It MUST to be K <= N.
>
> => TODO: Are more (size) information necessary? E.g. amount of bits/bytes?
> I think so.
Not sure what you mean by this last bit.
> 5.3. Prime number
>
> Since we are using a secret sharing scheme on a finite field, we need a
> random prime number.
There is no reason for p to be random. It is totally fine to just fix
it large enough to be larger than both s and N, as you have written.
> "p", type: int, exactly one, prime number
> It MUST to be p > s AND p > N AND it MUST to be the secret s element of
> Z/pZ.
>
> => TODO: I'm not sure how exactly p should be handled. When and from where,
> is it given to whom?
>
> => TODO: Do we need to write anything about the necessary "random"
> characteristic? The "quality" of the randomly generation of the number?
>
> => TODO: Minimum size of p? Which value should p has, at least, caused by
> security reasons?
>
> => TODO: Are more (size) information necessary? E.g. amount of bits/bytes?
> I think so.
>
> 5.4. The secret keeping polynomial
>
> "a_j", type: int, K-1 values, Z/pZ
> "g[X]", type: polynomial with order K-1, exactly one, (Z/pZ)[X]
>
> The SK determines the final secret keeping polynomial, which is given by
>
> g[X] := s + SUM(a_j*X^j)
>
> and hence our secret for g[0] = s. Its random coefficients are a_j,
> 1 <= j <= K-1 which MUST be element of Z/pZ.
>
> => TODO: Which constraints exists for this a_j values? Size? Relative,
> pairwise, distance a_j - a_m between for all a_j,a_m with j != m?
> Is this relevant? References for this?
No, the a_j values must each be uniformly random elements of Z/pZ.
There must be no enforced relationships among them.
> => TODO: Are more (size) information necessary? E.g. amount of bits/bytes?
> I think so.
Not more than "uniformly random elements of Z/pZ".
> 5.5. The secret shares
>
> "x_i", type: int, N values, Z/pZ
> "y_i", type: int, N values, Z/pZ
> "(x_i,y_i)", type: (int,int), N value pairs, Z/pZ -> Z/pZ
>
> The SK determines the random secret shares parts x_i, i <= N which MUST be
> element of Z/pZ and MUST be pairwise different from zero.
Not sure what "pairwise different from zero" means. They should be
pairwise different (no two the same) and all non-zero; is that what you
meant?
> With this x_i, SK computes the secret shares parts y_i := g[x_i] and hence
> the finally secret share pairs (x_i,y_i).
>
> => TODO: How should this x_i be generated? Distribution?
> E.g. the smallest, non negative, representatives?
x_i = i is totally fine (for i = 1, ..., N).
> => TODO: Which constraints exists for this x_i values? Size? Relative,
> pairwise, distance x_i - x_m between for all x_i,x_m with i != m?
> Is this relevant? References for this?
>
> => TODO: Are more (size) information necessary? E.g. amount of bits/bytes?
> I think so.
As above.
> 5.7. SR receives secret shares from the SHs
>
> The SR MUST receive K secret share pairs from the SHs and p from the SK.
> The SR MUST receive exactly one secret share pair (x_,y_h), 1 <= h <= k,
> from each SH_h
x_h above instead of x_, presumably?
> => TODO: How exactly has to look the data which has to be send as response
> to the SHs? What, which additionally data, has to be send? And which
> size has it (bits/bytes) to be?
>
> => TODO: I'm not sure how exactly p should be handled. When and from where,
> is it given to whom?
>
> => TODO: From where comes the information about N and K? (and p?)
>
> => TODO: Where has to be decided, from which K out of N SHs has this
> (x_h,y_h) to come from? And how (randomly)? And in which way has this
> to be comunicated to the given parties? !!!
It's actually fine to receive *more* than K shares, and it in fact can
help you pick out SHs that give you incorrect values, through error or
malice.
> 5.8. Reconstruction
>
> "l_h[x]", type: polynomial with order K-1, K, (Z/pZ)[X]
>
> The SR compute the Lagrange basis polynomials l_h[x] with the secret share
> pairs (x_h,y_h), 1 <= h <= K, which it received from the SHs. The SR MUST
> receive exactly K pairs from exactly K SHs. I MUST be exactly one secret
> share pair from each, of this K, SH.
What is "I" here?
> The Lagrange basis polynomials are given by
>
> l_h[X]:= PRODUCT(1 <= m <= K AND m != h, (X - x_m)/(x_h - x_m))
>
> with 1 <= j <= K. This leads to our original secret keeping polynomial
>
> g[X] := SUM(h=1, K, y_h*l_h[x] mod p)
>
> and the given secret by s = g[0].
You don't actually have to reconstruct the whole polynomial. It's
easier to just compute g[0] directly by plugging X=0 into the definition
of l_h[X] above, to yield:
l_h[0] := PRODUCT(1 <= m <= K AND m != h, x_m / (x_m - x_h))
g[0] := SUM(h=1, K, y_h * l_h[0])
This step will also of course change if you want to handle more than K
shares or incorrect shares.
> => TODO: From which K out of N SHs come this secret shares?
>
> => TODO: Are more (size) information necessary? E.g. amount of bits/bytes?
> I think so.
More information about the tor-dev
mailing list