Mind the Gap: Ceremonies for Applied Secret Sharing

Mind the Gap: Ceremonies for Applied Secret Sharing

Proceedings on Privacy Enhancing Technologies ..; .. (..):1–19 Bailey Kacsmar*, Chelsea H. Komlo*, Florian Kerschbaum, and Ian Goldberg Mind the Gap: Ceremonies for Applied Secret Sharing Abstract: Secret sharing schemes are desirable across a risk users such as journalists, as demonstrated by the variety of real-world settings due to the security and security-critical effort required for the investigation and privacy properties they can provide, such as availabil- reporting of the Panama Papers [29]. However, while ity and separation of privilege. However, transitioning the security of theoretical secret sharing is well docu- secret sharing schemes from theoretical research to prac- mented in academic research, in practice, the security tical use must account for gaps in achieving these prop- guarantees are more complicated. erties that arise due to the realities of concrete imple- The descriptions in the literature of secret sharing mentations, threat models, and use cases. We present schemes, which we additionally refer to as threshold a formalization and analysis, using Ellison’s notion of schemes, often lack sufficient evidence of the security ceremonies, that demonstrates how simple variations in of real-world deployments of the schemes. This short- use cases of secret sharing schemes result in the po- coming is due to the descriptions leaving a large num- tential loss of some security properties, a result that ber of assumptions and decisions to the participants, cannot be derived from the analysis of the underlying as these are considered to be outside of the protocol. cryptographic protocol alone. Our framework accounts Just as the design of the highly successful TLS pro- for such variations in the design and analysis of secret tocol accounts for more real-world practicalities than sharing implementations by presenting a more detailed the underlying Diffie-Hellman key exchange protocol, user-focused process and defining previously overlooked the practical use of threshold schemes, as we demon- assumptions about user roles and actions within the strate, is no different. For example, although Shamir se- scheme to support analysis when designing such cer- cret sharing (see Section 2) is information theoretically emonies. We identify existing mechanisms that, when secure, ultimately the shares must be communicated to applied to an appropriate implementation, close the se- participants through a channel, which in most cases will curity gaps we identified. We present our implementa- rely on symmetric or asymmetric encryption, and there- tion including these mechanisms and a corresponding fore rely on computational assumptions. Furthermore, security assessment using our framework. unlike cryptographic protocols such as Diffie-Hellman, threshold schemes require significant user involvement Keywords: secret sharing, applied cryptography, proto- and decisions at nearly every stage of the protocol. Con- col analysis, ceremony analysis sequently, analyzing the security of threshold schemes DOI Editor to enter DOI requires assessing both the protocol and the actions and Received ..; revised ..; accepted ... decisions required of users. Ellison [14] introduced the concept of a ceremony in security analysis, which requires the inclusion of 1 Introduction both the cryptographic protocol as well as any possible user actions or decisions in the security analysis. Sur- The security properties that theoretical secret sharing prisingly, the state of research literature for threshold purports to provide are particularly meaningful for high- schemes does not include a complete, end-to-end, for- mal definition and assessment of the security of the cer- emony of threshold schemes. Without such definitions, *Corresponding Author: Bailey Kacsmar: University of deployments of threshold schemes lack the necessary Waterloo, E-mail: [email protected] structure required for formal analysis as their flexibility *Corresponding Author: Chelsea H. Komlo: University in terms of applications is broad. of Waterloo, E-mail: [email protected] Without strict boundaries for a specific threat Florian Kerschbaum: University of Waterloo, E-mail: flo- model and use case, it is impossible to provide both a [email protected] Ian Goldberg: University of Waterloo, E-mail: generalized framework and a formal analysis for secret [email protected] sharing ceremonies. This work provides a structure, in Mind the Gap: Ceremonies for Applied Secret Sharing 2 the form of a framework, that can be used for a given Table 1. Parameters and additional notation used within our threshold scheme to define and analyze its particular analysis ceremony, by structuring the ceremony as a series of stages and steps as is necessary to assess the ceremony’s n number of participants end-to-end security. Although an unbounded number of t threshold possible user interactions exist, our framework can be s secret recovered by a (t, n)-threshold scheme used to guide the definition and formalization of the S secret space of a (t, n)-threshold scheme ceremony. We identify ceremony-related issues, such as D dealer requiring the dealer to delete sensitive material and the DP dealer that later becomes a participant requirement for users to authenticate one another. The F sensitive information requiring protection ceremony for an application, defined in terms of our framework, accounts for the specific goals and adver- Base s = F saries of the ceremony and therefore provides the needed Ext s 6= F structure that must precede efforts to formally analyze Pr participant performing a recovery of s a specific ceremony. U participant performing an update Contributions. We provide a framework to facili- C~ commitment used to validate any share tate the process of defining an accurate ceremony for a given threshold scheme; we then use this framework to assess the security of several threshold schemes, and 2 Threshold Schemes define a lightweight set of improvements that are useful to threshold schemes based on Shamir secret sharing. We summarize the notation used throughout our anal- Our framework is useful for comparing different exist- ysis in Table 1, including both notation standard to the ing secret sharing schemes; however, what it primarily literature as well as new notation we introduce in later provides is a structure for defining threshold scheme cer- sections for the purpose of our analysis. Notably, we emonies with the necessary details to perform a more denote the secret information that is protected by the accurate security analysis that accounts for the setting threshold scheme as F, while the secret input into the in which the threshold scheme is used. Overall, our con- threshold scheme is s. This differentiation will become tributions include: important when we define modes of operation where F – a demonstration of the variability in the ceremony can either be equal to s, or distinct, as defined in Sec- of threshold schemes and how this variability can tion 5.2. lead to gaps in the security properties achieved by In general, cryptographic secret sharing schemes en- the threshold scheme; able a group of n participants, possessing a secret s, to – formalizations of the adversaries and of several use divide s into n shares. Before creating the n shares, a cases of threshold schemes used in practice; threshold value t is chosen such that a collection of t – a framework to facilitate security analyses of thresh- shares must be used to learn the value of s.A (t, n)- old schemes used in real-world settings; threshold scheme is a secret sharing scheme where n and – exemplar applications of our ceremony framework t are positive integers such that t ≤ n, n representing via security analyses of three threshold scheme case the number of participants, and t the desired threshold. studies; and In a (t, n)-threshold scheme we designate a dealer D – techniques to close security gaps uncovered in our as the entity that selects the secret s and generates the n above analysis and an implementation of these im- shares such that each of the n participants in the scheme provements in Rust. receives a share that preserves the following properties: Reconstruction: any size-t subset of the n partici- Organization. This paper is organized as follows. Back- pants can compute the secret given their t shares, ground, motivation, and related work are Sections 2, 3, and and 4 respectively. Section 5 is our framework for our Secrecy: no subset of the n participants consisting of analysis. Formalized ceremonies for two modes of op- t−1 or fewer participants is able to gain any knowl- eration for threshold schemes are in Sections 6 and 7. edge of the secret given their combined shares. Section 8 summarizes our analysis for several thresh- old schemes, Section 9 is our improved ceremony and implementation and our conclusion is Section 10. Mind the Gap: Ceremonies for Applied Secret Sharing 3 In a conventional (t, n)-threshold scheme, the set of n on a USB, which is then stored in a chosen safe place. participants does not contain the dealer D. However, in Alice stores the laptop containing the encrypted secret our analysis we work in the setting where the dealer, information in a safety deposit box at a bank. now labeled a participant dealer DP , may continue to Alice leaves the news organization and Bob, who has be involved in the scheme as a participant, as typically lost his share, is assigned the story. Fortunately, Alice occurs in real-world practical settings. left the organization on good terms, so Bob contacts While some variants of threshold schemes, such as Alice and Carol, requesting their shares. Bob retrieves threshold signature schemes [21], allow participants to the laptop and decrypts the ciphertext using the key use their shares of s individually and to perform recon- recovered from Alice and Carol’s shares. struction only on the results, we focus our attention on Case Two. Alice has received a decryption key that threshold schemes in which s is reconstructed directly. corresponds to a publicly released ciphertext [3, 4].

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    19 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us