Secret key sharing techniques (English)
SECRET KEY SHARING
1 Notation
N : number of authorities
A1, A2, … , An: N authorities
t: maximum number of malicious and dishonest authorities
A: any set of t+1 authorities
M: number of eligible voters
m: number of voters participating in the voting; m<=M
V1, V2, …, Vm: M voters
v1, v2, …, vm: intentions (votes) of the voters
Zp: field of positive integers modulo p, where p is a prime number
Zn: set of integers modulo n, i.e. {0, 1, …, n-1}
Zn*: set of integers from Zn relatively prime to n
a|b: an integer a is a divisor of an integer b
gcd(a,b): greatest common divisor of the integers a, b
a||b: concatenation of the strings a, b
x ?= y: check whether x=y
2 Secret Sharing Scheme
The purpose of a secret sharing scheme is to share a secret among N authorities in such a way that only some predefined coalitions of authorities can later reconstruct the secret. Other coalitions of authorities should get no knowledge about the secret. We introduce Shamir’s (t+1, N) secret sharing scheme from [Sha 79], which allows any coalition of t+1 of the N authorities to get the secret. Any set of at most t authorities knows nothing about the secret.
Let the set of possible secrets form a field F (for instance, F could be the set of real numbers, or Zp). F should have at least N+1 distinct elements – we will denote them 0, 1, 2, …, N.
degree t over the field F satisfying f(0)=s. Give the authority Aj its share sj = f(j).
Reconstruction of the secret. A set A of t+1 authorities gains the secret s by reconstructing the polynomial f (using Lagrange interpolation) and computing s=f(0):
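$$s = \sum_{j \in A} f(j)\,\lambda_{j,A} = \sum_{j \in A} s_j\,\lambda_{j,A}, \qquad \lambda_{j,A} = \prod_{a \in A \setminus \{j\}} \frac{a}{a-j}$$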
The information that t or fewer authorities have about the polynomial f reveals nothing about the value f(0)=s. Whatever value r they choose for f(0), using their shares they can compute a possible polynomial g satisfying g(0)=r.
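An added example, not part of the original text: Shamir's (t+1, N) scheme over Zp in Python, covering distribution, reconstruction by Lagrange interpolation, and the observation that t shares are consistent with every candidate secret r. The modulus P and all function names are assumptions chosen for illustration.

```python
import secrets

P = 2**127 - 1  # prime, so Z_P is a field (constructed parameter, not from the text)

def lagrange_coeff(j, A, x=0, p=P):
    """Product over a in A, a != j, of (x - a)/(j - a) mod p; at x=0 this is a/(a - j)."""
    num = den = 1
    for a in A:
        if a != j:
            num = num * (x - a) % p
            den = den * (j - a) % p
    return num * pow(den, -1, p) % p

def interpolate(points, x=0, p=P):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    A = list(points)
    return sum(points[j] * lagrange_coeff(j, A, x, p) for j in A) % p

def deal(s, t, n, p=P):
    """Dealer: random degree-t f with f(0) = s; authority A_j receives s_j = f(j)."""
    if not (0 <= t < n < p):
        raise ValueError("need 0 <= t < n < p")
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t)]
    shares = {}
    for j in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):      # Horner evaluation of f(j)
            acc = (acc * j + c) % p
        shares[j] = acc
    return shares

def reconstruct(shares, t, p=P):
    """Any t+1 shares {j: s_j} give s = f(0); fewer are rejected."""
    if len(shares) < t + 1:
        raise ValueError("at least t+1 shares are required")
    subset = dict(list(shares.items())[: t + 1])
    return interpolate(subset, 0, p)

def share_consistent_with(known_t, r, j_new, p=P):
    """Given only t shares and ANY candidate r, return g(j_new) for the degree-t
    polynomial g with g(0) = r that agrees with all t known shares."""
    return interpolate({0: r % p, **known_t}, j_new, p)
```

Because `share_consistent_with` succeeds for every r, a coalition holding t shares cannot rule out any value of the secret.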
3 Publicly Verifiable Secret Sharing
A publicly verifiable secret sharing scheme is a secret sharing scheme that allows verifying that the dealer has distributed valid shares (any set of t+1 authorities will obtain the same secret) and allows catching a dishonest authority forging its share. The following publicly verifiable secret sharing scheme comes from [Sch99].
Initialization. The group Zp and the generators G, g are selected. The authority Aj
Distribution of the shares. The dealer picks a random polynomial of degree t over Zp:
$$p(x) = \sum_{k=0}^{t} \alpha_k x^k$$
$C_k = G^{\alpha_k}$
published. Moreover, the dealer shows that the encrypted shares are consistent:
$\prod_{k=0}^{t} C_k^{j^k} = G^{\sum_{k=0}^{t} \alpha_k j^k} = G^{p(j)}$, the dealer proves that:
using the non-interactive proof from Section 4.
Sj= Hj/Zj
interpolation
$$\prod_{j \in A} S_j^{\lambda_{j,A}} = \prod_{j \in A} \left(g^{p(j)}\right)^{\lambda_{j,A}} = g^{\sum_{j \in A} p(j)\,\lambda_{j,A}} = g^{p(0)} = g^{s}$$
4 Equality of Discrete Logarithms
In this section, we present a protocol that shows equality of discrete logarithms. The
this protocol can be found for instance in [CGS97].
[Figure: interactive protocol between Prover and Verifier for (x, y) = (g^α, h^α); the verifier checks g^r ?= a·x^c and h^r ?= b·y^c]
conversation with the right distribution. However, the prover sends a, b before he
that meets the verifier’s requirements
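[Figure: 1-out-of-L re-encryption proof, between Prover and Verifier, over the list (x1, y1), …, (xL, yL). The prover's values ai and bi are built from the quotients of x and xi (respectively y and yi) raised to di, multiplied by g^ri (respectively h^ri); the challenge is c ∈R Zp; the verifier rechecks the same expressions for ai and bi.]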
Non-interactive version
generates the challenge c for himself as c = H(a || b || x || y), where H is a secure hash function. The prover stores c, r as a proof.
c ?= H(g^r x^{-c} || h^r y^{-c} || x || y)
Notice that instead of the four group elements that are communicated in the interactive protocol, the non-interactive version needs to store only two group elements.
5 Ensuring the Knowledge of the Secret-key
and he acts according to the coercer’s orders (the coercer knows the secret-key), he finally gets to know his secret key
least t of them are honest. The untappable channel between the voter and the authorities is needed.
- The voter shares his secret key zv among the authorities using the (t+1, N) secret sharing scheme:
t x
bulletin board
committed polynomial:
2
j …C jt
t (= gz vg 1jg 2j … g tj t =gf v(j))
its share to the bulletin board. If the posted share does not correspond to the commitments, the voter is discarded.
through the untappable channel to the voter
At least t honest authorities either complain (and their shares are published on the bulletin board), or send their shares secretly to the voter. The voter can interpolate the