U.C. Berkeley — CS276: Cryptography
Secret Sharing
Professors Luca Trevisan and David Wagner
April 11, 2002, Scribe: Rob Johnson

Secret Sharing

As portrayed in Hollywood movies, launching a nuclear missile requires the president to issue the launch command and two launch administrators to authorize the launch (usually by turning two keys simultaneously). Although this activation scheme could be implemented by having the missile check for the presence of the three launch commands, a better scheme would render the missile completely inoperative until the president and the two launch administrators provide some input to the system. A physical implementation of this idea would distribute the uranium in the warhead between the three authorities, and they would have to place their share of the uranium in the warhead for it to be dangerous.

Can we develop a digital analog of this scheme? Given a secret, $x$, can we distribute $x$ among three parties so that all three parties must cooperate to recover $x$?

Idea: Each party, $i$, generates a public/private key pair $(p_i, s_i)$ and we broadcast to all users $E(p_3, E(p_2, E(p_1, x)))$. This scheme works but is not unconditionally secure.

Idea: Choose random $x_1, x_2, x_3$ such that $x_1 \oplus x_2 \oplus x_3 \oplus x = 0$, and give $x_i$ to party $i$. Then $x_i \oplus x_j$ is uniformly distributed for all $i$ and $j$, so two of the parties cannot collude to recover any information about $x$. Hence the scheme is unconditionally secure.

The above schemes are "3-out-of-3" schemes: the secret is divided among 3 people, and 3 people are required to reconstruct the secret. We can create a trivial 1-out-of-3 scheme by giving a copy of $x$ to each party. We can also do 2-out-of-3 secret sharing.

Idea: Divide the secret into $x_1, x_2, x_3$ as above, and give party $i$ shares $x_i$ and $x_{i+1}$.

Idea: Execute a 2-out-of-2 sharing scheme for each pair of parties in the scheme. In other words, pick $x_1 \oplus x_2 = y_1 \oplus y_2 = z_1 \oplus z_2 = x$, and give party 1 shares $x_1$ and $z_2$, party 2 shares $z_1$ and $y_2$, and party 3 shares $y_1$ and $x_2$.

These schemes have a threshold of 2: 2 users can recover $x$. The latter scheme obviously generalizes to $w$-out-of-$n$ sharing schemes by using $\binom{n}{w}$ $w$-out-of-$w$ sharing schemes, but the size of each share is proportional to $\binom{n}{w}$. This suggests a notion of efficiency for sharing schemes....
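The last construction, written out as an added example that is not part of the lecture notes: one independent XOR-based w-out-of-w scheme per w-subset of the n parties, so the number of pieces each party stores can be counted directly. The function names and the sample secret are constructed for illustration.

```python
import secrets
from itertools import combinations
from math import comb

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_all(secret, w):
    """w-out-of-w sharing: w-1 uniformly random pieces, plus a final
    piece chosen so that the XOR of all w pieces equals the secret."""
    pieces = [secrets.token_bytes(len(secret)) for _ in range(w - 1)]
    last = secret
    for p in pieces:
        last = xor_bytes(last, p)
    return pieces + [last]

def deal(secret, n, w):
    """Run a fresh w-out-of-w scheme for every w-subset of parties 1..n.
    Returns {party: {subset: piece}}."""
    shares = {party: {} for party in range(1, n + 1)}
    for subset in combinations(range(1, n + 1), w):
        for party, piece in zip(subset, split_all(secret, w)):
            shares[party][subset] = piece
    return shares

def reconstruct(pooled):
    """pooled = {party: that party's pieces}. Returns the secret if the
    coalition contains a full w-subset, otherwise None."""
    coalition = set(pooled)
    for held in pooled.values():
        for subset in held:
            if coalition.issuperset(subset):
                out = bytes(len(held[subset]))
                for p in subset:
                    out = xor_bytes(out, pooled[p][subset])
                return out
    return None

if __name__ == "__main__":
    secret = b"constructed-sample-secret"
    small = deal(secret, 3, 2)
    for pair in combinations(small, 2):
        print(pair, reconstruct({p: small[p] for p in pair}) == secret)
    print("one party alone:", reconstruct({1: small[1]}))
    for n, w in [(3, 2), (10, 5), (16, 8)]:
        s = deal(secret, n, w)
        print(f"n={n} w={w}: {comb(n, w)} schemes, {len(s[1])} pieces per party")
```
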