We should share our secrets Shamir secret sharing: how it works and how to implement it

Daan Sprenkels [email protected]

Radboud University Nijmegen

28 December 2017

Daan Sprenkels We should share our secrets 28 December 2017 1 / 35 Who am I?

I Student at Radboud University Nijmegen

I Bachelor in Chemistry

I Currently studying Cyber Security 1 I On a regular day I implement elliptic curve crypto

The others: 2 I Peter Schwabe (@cryptojedi) 3 I Sean Moss-Pultz (@moskovich)

1The meaning of “crypto” is cryptography, not cryptocurrency! 2Radboud University 3Bitmark Inc. (https://bitmark.com) Daan Sprenkels We should share our secrets 28 December 2017 2 / 35 “Don’t roll your own crypto”

“and also don’t implement your own crypto”

Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 “and also don’t implement your own crypto”

“Don’t roll your own crypto”

Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 “Don’t roll your own crypto”

“and also don’t implement your own crypto”

Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 Outline

Part I: Crypto theory What is secret sharing? How does it work?

Part II: Crypto implementation How to encode our values Solving integrity Side channel resistance Performance and bitslicing

Daan Sprenkels We should share our secrets 28 December 2017 4 / 35 Outline

Daan Sprenkels We should share our secrets 28 December 2017 4 / 35 Part I: crypto theory

Daan Sprenkels We should share our secrets 28 December 2017 5 / 35 I Need to trust a single entity

I How to split up our trust?

Problem statement

I How to backup your secrets (wallet keys, passwords, etc.)?

Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 I How to split up our trust?

Problem statement

I How to backup your secrets (wallet keys, passwords, etc.)?

I Need to trust a single entity

Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 Problem statement

I How to backup your secrets (wallet keys, passwords, etc.)?

I Need to trust a single entity

I How to split up our trust?

Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B.

Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C.

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B.

Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security!

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B.

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = A ⊕ B ⊕ (m ⊕ A ⊕ B)

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = A ⊕ B ⊕ (m ⊕ A ⊕ B)

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = m

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem

1. Cut my key into pieces Secret message m = A||B||C. Distribute A, B, C. Bad security! 2. Use one-time-pad construction? Generate random A, B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = m Needs all pieces to restore the secret

Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 A better solution

Shamir secret sharing

I Published almost 40 years ago by Adi Shamir

I Threshold scheme (n, k)

I “Provably secure”

Daan Sprenkels We should share our secrets 28 December 2017 8 / 35 A better solution

Shamir secret sharing

I Published almost 40 years ago by Adi Shamir

I Threshold scheme (n, k)

I “Provably secure” Information-theoretically secure

Daan Sprenkels We should share our secrets 28 December 2017 8 / 35 Example with (n, k) = (5, 4)

m

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n, k) = (5, 4)

s2 s3

m s1

s5 s4

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n, k) = (5, 4)

s2

s3

m s1

s4

s5

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n, k) = (5, 4)

s2

s3

s1

s4

s5

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n, k) = (5, 4)

s2

s1

s5 s4

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n, k) = (5, 4)

m

Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Evaluate n points on the polynomial to get shares si :

s1 = (1, p(1))

s2 = (2, p(2)) . .

sn = (n, p(n))

How does the math work?

Given parameters (n, k) and message m: Construct a polynomial of degree k − 1:

k−1 p(x) = ak−1x + ... + a1x + m (1)

With coefficients ai randomly generated.

Daan Sprenkels We should share our secrets 28 December 2017 10 / 35 How does the math work?

Given parameters (n, k) and message m: Construct a polynomial of degree k − 1:

k−1 p(x) = ak−1x + ... + a1x + m (1)

With coefficients ai randomly generated.

Evaluate n points on the polynomial to get shares si :

s1 = (1, p(1))

s2 = (2, p(2)) . .

sn = (n, p(n))

Daan Sprenkels We should share our secrets 28 December 2017 10 / 35 Use Lagrange interpolation for solving

How does the math work?

k−1 Find p(x) = ak−1x + ... + a1x + m such that all si are on p(x).

Solve for m: k−1 ak−1x1 + ... + a1x1 + m = y1 k−1 ak−1x2 + ... + a1x2 + m = y2 k−1 ak−1x3 + ... + a1x3 + m = y3 ... k−1 ak−1xk + ... + a1xk + m = yk

Daan Sprenkels We should share our secrets 28 December 2017 11 / 35 How does the math work?

k−1 Find p(x) = ak−1x + ... + a1x + m such that all si are on p(x).

Solve for m: k−1 ak−1x1 + ... + a1x1 + m = y1 k−1 ak−1x2 + ... + a1x2 + m = y2 k−1 ak−1x3 + ... + a1x3 + m = y3 ... k−1 ak−1xk + ... + a1xk + m = yk

Use Lagrange interpolation for solving

Daan Sprenkels We should share our secrets 28 December 2017 11 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Example: combining shares

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2 a2x1 + a1x1 + m = y1 2 a2x2 + a1x2 + m = y2 2 a2x3 + a1x3 + m = y3

Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 Example: combining shares

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2 1 a2 + a1 + m = 21 2 4 a2 + 4a1 + m = 6 2 2 a2 + 2a1 + m = 8

Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 Example: combining shares

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2 1 a2 + a1 + m = 21 2 4 a2 + 4a1 + m = 6 2 2 a2 + 2a1 + m = 8

m = 42

Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 I Information-theoretically secure for confidentiality

I Not really secure for integrity

All good?

Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 for confidentiality

I Not really secure for integrity

All good?

I Information-theoretically secure

Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 All good?

I Information-theoretically secure for confidentiality

I Not really secure for integrity

Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Solving integrity

Solutions:

I Randomize x-values

I Only share random secrets

Daan Sprenkels We should share our secrets 28 December 2017 16 / 35 Part II: implementation

Daan Sprenkels We should share our secrets 28 December 2017 17 / 35 Existing libraries:

I ssss

I gfshare Both do not meet our requirements

Requirements

Bitmark Inc. asks us for a Shamir secret sharing library.

I Secure for integrity (≥ 128 bits)

I Side channel resistant (timing, cache-timing)

I Portable to any platform

Daan Sprenkels We should share our secrets 28 December 2017 18 / 35 Both do not meet our requirements

Requirements

Bitmark Inc. asks us for a Shamir secret sharing library.

I Secure for integrity (≥ 128 bits)

I Side channel resistant (timing, cache-timing)

I Portable to any platform

Existing libraries:

I ssss

I gfshare

Daan Sprenkels We should share our secrets 28 December 2017 18 / 35 Requirements

Bitmark Inc. asks us for a Shamir secret sharing library.

I Secure for integrity (≥ 128 bits)

I Side channel resistant (timing, cache-timing)

I Portable to any platform

Existing libraries:

I ssss

I gfshare Both do not meet our requirements

Daan Sprenkels We should share our secrets 28 December 2017 18 / 35 Implementation challenges

On to implement it ourselves...

1. How to encode our values? 2. How to fix our integrity problem? 3. How to prevent side channels? 4. How to make it fast?

Daan Sprenkels We should share our secrets 28 December 2017 19 / 35 1 Piece up the secret in bytes and map them to F28 (note ) I Fast arithmetic

I Can secret-share every byte independently

1. How to encode our values?

Options:

I Integers modulo large prime?

I Other finite field?

1 8 4 3 For the maths people, we are using F2[x]/(x + x + x + x + 1) Daan Sprenkels We should share our secrets 28 December 2017 20 / 35 1. How to encode our values?

Options:

I Integers modulo large prime?

I Other finite field?

1 Piece up the secret in bytes and map them to F28 (note ) I Fast arithmetic

I Can secret-share every byte independently

1 8 4 3 For the maths people, we are using F2[x]/(x + x + x + x + 1) Daan Sprenkels We should share our secrets 28 December 2017 20 / 35 2. Solving integrity

Use hybrid encryption:

Daan Sprenkels We should share our secrets 28 December 2017 21 / 35 2. Solving integrity

Use hybrid encryption:

Daan Sprenkels We should share our secrets 28 December 2017 21 / 35 2. No secret-dependent lookups (y = table[key[i]];) 3. No variable-time instructions (div, mul [2], etc.)

3. How to prevent side channel attacks?

Rules to protect against side channels2: 1. No branching (if, &&, ||, etc.)

2In software! Hardware implementations are a whole other story. Daan Sprenkels We should share our secrets 28 December 2017 22 / 35 3. No variable-time instructions (div, mul [2], etc.)

3. How to prevent side channel attacks?

Rules to protect against side channels2: 1. No branching (if, &&, ||, etc.) 2. No secret-dependent lookups (y = table[key[i]];)

2In software! Hardware implementations are a whole other story. Daan Sprenkels We should share our secrets 28 December 2017 22 / 35 3. How to prevent side channel attacks?

Rules to protect against side channels2: 1. No branching (if, &&, ||, etc.) 2. No secret-dependent lookups (y = table[key[i]];) 3. No variable-time instructions (div, mul [2], etc.)

2In software! Hardware implementations are a whole other story. Daan Sprenkels We should share our secrets 28 December 2017 22 / 35 4. Performance throug bitslicing

Daan Sprenkels We should share our secrets 28 December 2017 23 / 35 4. Performance throug bitslicing

I Working in bytes ⇒ need only 8 registers per byte

I Implement algorithm in logic circuits

Daan Sprenkels We should share our secrets 28 December 2017 24 / 35 4. Performance throug bitslicing

Example: Adding two bytes in parallel

A B S Cin

Cout

Daan Sprenkels We should share our secrets 28 December 2017 25 / 35 = performance :)

I Scales to 64-bit, avx{,2,512}, etc. :)

4. Performance throug bitslicing

I Working in bytes ⇒ need only 8 registers per byte

I Implement algorithm in logic circuits

I 32-bit platform? 32x parallel computation

Daan Sprenkels We should share our secrets 28 December 2017 26 / 35 I Scales to 64-bit, avx{,2,512}, etc. :)

4. Performance throug bitslicing

I Working in bytes ⇒ need only 8 registers per byte

I Implement algorithm in logic circuits

I 32-bit platform? 32x parallel computation = performance :)

Daan Sprenkels We should share our secrets 28 December 2017 26 / 35 4. Performance throug bitslicing

I Working in bytes ⇒ need only 8 registers per byte

I Implement algorithm in logic circuits

I 32-bit platform? 32x parallel computation = performance :)

I Scales to 64-bit, avx{,2,512}, etc. :)

Daan Sprenkels We should share our secrets 28 December 2017 26 / 35 Overview secret

salsa20/poly1305 01d64c7f311c077de13a0c9dbd8a243cc884e7fc3e7554 encrypt 028dbd7641a538a5c99b5c4007fad2f8174a97703c ciphertext key random 03a2499f2f6a11087134f70df3bc501b927e776 bitslice 044702075d49a3f2f8ea7b020ac6fa313c8 (n,k) evaluate polynomial 0509b0d834faa8ae00064dd40e518e3a unbitslice

Daan Sprenkels We should share our secrets 28 December 2017 27 / 35 Overview secret

salsa20/poly1305 01d64c7f311c077de13a0c9dbd8a243cc884e7fc3e7554 decrypt 028dbd7641a538a5c99b5c4007fad2f8174a97703c ciphertext key 03a2499f2f6a11087134f70df3bc501b927e776 unbitslice 044702075d49a3f2f8ea7b020ac6fa313c8 Lagrange interpolation 0509b0d834faa8ae00064dd40e518e3a bitslice

Daan Sprenkels We should share our secrets 28 December 2017 27 / 35 Conclusion: I.e. roughly 100 000 calls per second.

Implementation performance

Measuring wall clock time3 with (n, k) = (5, 4)

language create combine Tight C loop 9.6µs 12µs Go bindings 11µs 15µs Rust bindings 8.8µs 5.4µs

3Wall clock time, best of three on my crappy laptop Daan Sprenkels We should share our secrets 28 December 2017 28 / 35 Implementation performance

Measuring wall clock time3 with (n, k) = (5, 4)

language create combine Tight C loop 9.6µs 12µs Go bindings 11µs 15µs Rust bindings 8.8µs 5.4µs

Conclusion: I.e. roughly 100 000 calls per second.

3Wall clock time, best of three on my crappy laptop Daan Sprenkels We should share our secrets 28 December 2017 28 / 35 Stuff that can go wrong

Possible mistakes:

I Assuming integrity

I Timing attacks

I Bad randomness

Daan Sprenkels We should share our secrets 28 December 2017 29 / 35 Can our software be used with malicious intent?

Ethics

Daan Sprenkels We should share our secrets 28 December 2017 30 / 35 Ethics

Can our software be used with malicious intent?

Daan Sprenkels We should share our secrets 28 December 2017 30 / 35 Demo

Daan Sprenkels We should share our secrets 28 December 2017 31 / 35 “Don’t implement your own crypto”

Daan Sprenkels We should share our secrets 28 December 2017 32 / 35 Acknowledgements

I Ed Schouten I Ken Swenson I Pol van Aubel I Thijs Miedema

Cartoons on frame 9 authored by Randall Monroe

Daan Sprenkels We should share our secrets 28 December 2017 33 / 35 Thank you!

Slides can be found at https://dsprenkels.com/files/sss-34c3.pdf sss project is at https://github.com/dsprenkels/sss

Extra reading:

I http://loup-vaillant.fr/articles/implemented-my-own-crypto

I https://dsprenkels.com/mysterion.html

Find me through

I Email: [email protected]

I PGP key: 951D 6F6E C19E 5D87 1A61 A7F4 1445 C075 FFD5 68CD

Daan Sprenkels We should share our secrets 28 December 2017 34 / 35 References

https://www.intel.com/content/dam/www/public/us/en/documents/manuals/ 64-ia-32-architectures-optimization-manual.pdf (Jun 2016) http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0184b/Chdedhfg.html (2017)

https://bitcointalk.org/index.php?topic=2199659.0 (2017)

https://cryptocoding.net/index.php/Coding_rules (2017)

Pedersen, T.P., et al.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Crypto. vol. 91, pp. 129–140. Springer (1991) Poettering, B.: Shamir Secret Sharing Scheme. http://point-at-infinity.org/ssss/ (2006)

Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (Nov 1979), http://doi.acm.org/10.1145/359168.359176 Silverstone, D.: gfshare. http://www.digital-scurf.org/index.html (2006)

Daan Sprenkels We should share our secrets 28 December 2017 35 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2 a2x1 + a1x1 + m = y1 2 a2x2 + a1x2 + m = y2 2 a2x3 + a1x3 + m = y3

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2 1 a2 + a1 + m = 21 2 4 a2 + 4a1 + m = 6 2 2 a2 + 2a1 + m = 8

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: a2 + a1 + m = 21

16a2 + 4a1 + m = 6

4a2 + 2a1 + m = 8

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 4a2 + 4a1 + 4m = 84

16a2 + 4a1 + m = 6

4a2 + 2a1 + m = 8

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2a1 + 3m = 76

16a2 + 4a1 + m = 6

4a2 + 2a1 + m = 8

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2a1 + 3m = 76

16a2 + 4a1 + m = 6

16a2 + 8a1 + 4m = 32

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2a1 + 3m = 76

16a2 + 4a1 + m = 6

4a1 + 3m = 26

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 2a1 + 3m = 76

4a1 + 3m = 26

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 4a1 + 6m = 152

4a1 + 3m = 26

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 3m = 126

4a1 + 3m = 26

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solve for m: 3m = 126

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Example: combining shares (computation)

s1 = (1, 21), s3 = (4, 6), s4 = (2, 8)

Solved for m: m = 42

Daan Sprenkels We should share our secrets 28 December 2017 36 / 35 Lagrange interpolation

Given shares s1,..., sk = (x1, y1),..., (xk , yk ). Use Lagrange interpolation to get m.

Y x − xj (x − x1) (x − xk ) `i (x) = = ··· (2) xi − xj (xi − x1) (xi − xk ) j6=i

k X L(x) = yi `i (x) = y1`1(x) + ... + yk `k (x) (3) i=0

Daan Sprenkels We should share our secrets 28 December 2017 37 / 35 Lagrange interpolation

Given shares s1,..., sk = (x1, y1),..., (xk , yk ). Use Lagrange interpolation to get m.

Y x − xj (x − x1) (x − xk ) `i (x) = = ··· (2) xi − xj (xi − x1) (xi − xk ) j6=i

k X m = L(0) = yi `i (0) = y1`1(0) + ... + yk `k (0) (3) i=0

Daan Sprenkels We should share our secrets 28 December 2017 37 / 35 Lagrange interpolation

Given shares s1,..., sk = (x1, y1),..., (xk , yk ). Use Lagrange interpolation to get m.

Y 0 − xj (0 − x1) (0 − xk ) `i (0) = = ··· (2) xi − xj (xi − x1) (xi − xk ) j6=i

k X m = L(0) = yi `i (0) = y1`1(0) + ... + yk `k (0) (3) i=0

Daan Sprenkels We should share our secrets 28 December 2017 37 / 35 Lagrange interpolation

Given shares s1,..., sk = (x1, y1),..., (xk , yk ). Use Lagrange interpolation to get m.

Y −xj (−x1) (−xk ) `i = = ··· (2) xi − xj (xi − x1) (xi − xk ) j6=i

k X m = yi `i = y1`1 + ... + yk `k (3) i=0

Daan Sprenkels We should share our secrets 28 December 2017 37 / 35