We should share our secrets Shamir secret sharing: how it works and how to implement it Daan Sprenkels [email protected] Radboud University Nijmegen 28 December 2017 Daan Sprenkels We should share our secrets 28 December 2017 1 / 35 Who am I? I Student at Radboud University Nijmegen I Bachelor in Chemistry I Currently studying Cyber Security 1 I On a regular day I implement elliptic curve crypto The others: 2 I Peter Schwabe (@cryptojedi) 3 I Sean Moss-Pultz (@moskovich) 1The meaning of \crypto" is cryptography, not cryptocurrency! 2Radboud University 3Bitmark Inc. (https://bitmark.com) Daan Sprenkels We should share our secrets 28 December 2017 2 / 35 \Don't roll your own crypto" \and also don't implement your own crypto" Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 \and also don't implement your own crypto" \Don't roll your own crypto" Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 \Don't roll your own crypto" \and also don't implement your own crypto" Daan Sprenkels We should share our secrets 28 December 2017 3 / 35 Outline Part I: Crypto theory What is secret sharing? How does it work? Part II: Crypto implementation How to encode our values Solving integrity Side channel resistance Performance and bitslicing Daan Sprenkels We should share our secrets 28 December 2017 4 / 35 Outline Daan Sprenkels We should share our secrets 28 December 2017 4 / 35 Part I: crypto theory Daan Sprenkels We should share our secrets 28 December 2017 5 / 35 I Need to trust a single entity I How to split up our trust? Problem statement I How to backup your secrets (wallet keys, passwords, etc.)? Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 I How to split up our trust? Problem statement I How to backup your secrets (wallet keys, passwords, etc.)? I Need to trust a single entity Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 Problem statement I How to backup your secrets (wallet keys, passwords, etc.)? I Need to trust a single entity I How to split up our trust? Daan Sprenkels We should share our secrets 28 December 2017 6 / 35 Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = A ⊕ B ⊕ (m ⊕ A ⊕ B) Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = A ⊕ B ⊕ (m ⊕ A ⊕ B) Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = m Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 Solving our problem 1. Cut my key into pieces Secret message m = AjjBjjC. Distribute A; B; C. Bad security! 2. Use one-time-pad construction? Generate random A; B Choose C = m ⊕ A ⊕ B. Restore by computing m0 = A ⊕ B ⊕ C = m Needs all pieces to restore the secret Daan Sprenkels We should share our secrets 28 December 2017 7 / 35 A better solution Shamir secret sharing I Published almost 40 years ago by Adi Shamir I Threshold scheme (n; k) I \Provably secure" Daan Sprenkels We should share our secrets 28 December 2017 8 / 35 A better solution Shamir secret sharing I Published almost 40 years ago by Adi Shamir I Threshold scheme (n; k) I \Provably secure" Information-theoretically secure Daan Sprenkels We should share our secrets 28 December 2017 8 / 35 Example with (n; k) = (5; 4) m Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n; k) = (5; 4) s2 s3 m s1 s5 s4 Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n; k) = (5; 4) s2 s3 m s1 s4 s5 Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n; k) = (5; 4) s2 s3 s1 s4 s5 Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n; k) = (5; 4) s2 s1 s5 s4 Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Example with (n; k) = (5; 4) m Daan Sprenkels We should share our secrets 28 December 2017 9 / 35 Evaluate n points on the polynomial to get shares si : s1 = (1; p(1)) s2 = (2; p(2)) . sn = (n; p(n)) How does the math work? Given parameters (n; k) and message m: Construct a polynomial of degree k − 1: k−1 p(x) = ak−1x + ::: + a1x + m (1) With coefficients ai randomly generated. Daan Sprenkels We should share our secrets 28 December 2017 10 / 35 How does the math work? Given parameters (n; k) and message m: Construct a polynomial of degree k − 1: k−1 p(x) = ak−1x + ::: + a1x + m (1) With coefficients ai randomly generated. Evaluate n points on the polynomial to get shares si : s1 = (1; p(1)) s2 = (2; p(2)) . sn = (n; p(n)) Daan Sprenkels We should share our secrets 28 December 2017 10 / 35 Use Lagrange interpolation for solving How does the math work? k−1 Find p(x) = ak−1x + ::: + a1x + m such that all si are on p(x). Solve for m: k−1 ak−1x1 + ::: + a1x1 + m = y1 k−1 ak−1x2 + ::: + a1x2 + m = y2 k−1 ak−1x3 + ::: + a1x3 + m = y3 ::: k−1 ak−1xk + ::: + a1xk + m = yk Daan Sprenkels We should share our secrets 28 December 2017 11 / 35 How does the math work? k−1 Find p(x) = ak−1x + ::: + a1x + m such that all si are on p(x). Solve for m: k−1 ak−1x1 + ::: + a1x1 + m = y1 k−1 ak−1x2 + ::: + a1x2 + m = y2 k−1 ak−1x3 + ::: + a1x3 + m = y3 ::: k−1 ak−1xk + ::: + a1xk + m = yk Use Lagrange interpolation for solving Daan Sprenkels We should share our secrets 28 December 2017 11 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Daan Sprenkels We should share our secrets 28 December 2017 12 / 35 Example: combining shares s1 = (1; 21); s3 = (4; 6); s4 = (2; 8) Solve for m: 2 a2x1 + a1x1 + m = y1 2 a2x2 + a1x2 + m = y2 2 a2x3 + a1x3 + m = y3 Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 Example: combining shares s1 = (1; 21); s3 = (4; 6); s4 = (2; 8) Solve for m: 2 1 a2 + a1 + m = 21 2 4 a2 + 4a1 + m = 6 2 2 a2 + 2a1 + m = 8 Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 Example: combining shares s1 = (1; 21); s3 = (4; 6); s4 = (2; 8) Solve for m: 2 1 a2 + a1 + m = 21 2 4 a2 + 4a1 + m = 6 2 2 a2 + 2a1 + m = 8 m = 42 Daan Sprenkels We should share our secrets 28 December 2017 13 / 35 I Information-theoretically secure for confidentiality I Not really secure for integrity All good? Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 for confidentiality I Not really secure for integrity All good? I Information-theoretically secure Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 All good? I Information-theoretically secure for confidentiality I Not really secure for integrity Daan Sprenkels We should share our secrets 28 December 2017 14 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Daan Sprenkels We should share our secrets 28 December 2017 15 / 35 Solving integrity Solutions: I Randomize x-values I Only share random secrets Daan Sprenkels We should share our secrets 28 December 2017 16 / 35 Part II: implementation Daan Sprenkels We should share our secrets 28 December 2017 17 / 35 Existing libraries: I ssss I gfshare Both do not meet our requirements Requirements Bitmark Inc.