We should share our secrets

We should share our secrets
Shamir secret sharing: how it works and how to implement it
Daan Sprenkels, hello@dsprenkels.com
Radboud University Nijmegen
28 December 2017

Who am I?
- Student at Radboud University Nijmegen
- Bachelor in Chemistry
- Currently studying Cyber Security
- On a regular day I implement elliptic curve crypto (note 1)
The others:
- Peter Schwabe (note 2) (@cryptojedi)
- Sean Moss-Pultz (note 3) (@moskovich)
Note 1: The meaning of crypto is cryptography, not cryptocurrency!
Note 2: Radboud University
Note 3: Bitmark Inc. (https://bitmark.com)

Don't roll your own crypto
and also don't implement your own crypto

Outline
Part I: Crypto theory
- What is secret sharing?
- How does it work?
Part II: Crypto implementation
- How to encode our values
- Solving integrity
- Side channel resistance
- Performance and bitslicing

Part I: crypto theory

Problem statement
- How to back up your secrets (wallet keys, passwords, etc.)?
- Need to trust a single entity
- How to split up our trust?

Solving our problem
1. Cut my key into pieces
   - Secret message $m = A \| B \| C$.
   - Distribute A, B, C.
   - Bad security!
2. Use one-time-pad construction?
   - Generate random A, B
   - Choose $C = m \oplus A \oplus B$.
   - Restore by computing $m = A \oplus B \oplus C = A \oplus B \oplus (m \oplus A \oplus B) = m$
   - Needs all pieces to restore the secret

A better solution: Shamir secret sharing
- Published almost 40 years ago by Adi Shamir
- Threshold scheme (n, k)
- Provably secure
- Information-theoretically secure

Example with (n, k) = (5, 4)
[Figure sequence: the secret m is split into five shares s_1, ..., s_5; four of them (s_1, s_2, s_4, s_5) are brought together and m is recovered.]

How does the math work?
Given parameters (n, k) and message m:
- Construct a polynomial of degree $k - 1$, with coefficients $a_i$ randomly generated:
  $$p(x) = a_{k-1} x^{k-1} + \dots + a_1 x + m \quad (1)$$
- Evaluate n points on the polynomial to get shares $s_i$:
  $$s_1 = (1, p(1)), \quad s_2 = (2, p(2)), \quad \dots, \quad s_n = (n, p(n))$$

How does the math work?
Find $p(x) = a_{k-1} x^{k-1} + \dots + a_1 x + m$ such that all $s_i$ are on $p(x)$. Solve for m:
$$\begin{aligned}
a_{k-1} x_1^{k-1} + \dots + a_1 x_1 + m &= y_1 \\
a_{k-1} x_2^{k-1} + \dots + a_1 x_2 + m &= y_2 \\
a_{k-1} x_3^{k-1} + \dots + a_1 x_3 + m &= y_3 \\
&\;\;\vdots \\
a_{k-1} x_k^{k-1} + \dots + a_1 x_k + m &= y_k
\end{aligned}$$
Use Lagrange interpolation for solving

Example: combining shares
$s_1 = (1, 21)$, $s_3 = (4, 6)$, $s_4 = (2, 8)$
Solve for m:
$$\begin{aligned}
a_2 x_1^2 + a_1 x_1 + m &= y_1 \\
a_2 x_2^2 + a_1 x_2 + m &= y_2 \\
a_2 x_3^2 + a_1 x_3 + m &= y_3
\end{aligned}$$
$$\begin{aligned}
1^2 a_2 + a_1 + m &= 21 \\
4^2 a_2 + 4a_1 + m &= 6 \\
2^2 a_2 + 2a_1 + m &= 8
\end{aligned}$$
$$m = 42$$

All good?
- Information-theoretically secure for confidentiality
- Not really secure for integrity

Solving integrity
Solutions:
- Randomize x-values
- Only share random secrets

Part II: implementation

Requirements
Bitmark Inc. asks us for a Shamir secret sharing library.
- Secure for integrity (128 bits)
- Side channel resistant (timing, cache-timing)
- Portable to any platform
Existing libraries:
- ssss
- gfshare
Both do not meet our requirements

Implementation challenges
On to implement it ourselves...
1. How to encode our values?
2. How to fix our integrity problem?
3. How to prevent side channels?
4. How to make it fast?

1. How to encode our values?
Options:
- Integers modulo large prime?
- Other finite field?
- Split the secret into bytes and map them to $\mathbb{F}_{2^8}$ (note 1)
  - Fast arithmetic
  - Can secret-share every byte independently
Note 1: For the maths people, we are using $\mathbb{F}_2[x]/(x^8 + x^4 + x^3 + x + 1)$

2. Solving integrity
Use hybrid encryption:

3. How to prevent side channel attacks?
Rules to protect against side channels (note 2):
1. No branching (if, &&, etc.)
2. No secret-dependent lookups (y = table[key[i]];)
3. No variable-time instructions (div, mul [2], etc.)
Note 2: In software! Hardware implementations are a whole other story.
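An added example, not code from the talk or from the sss library: byte-wise Shamir sharing in the field from note 1, with the polynomial evaluation and Lagrange interpolation from Part I written to follow rules 1 and 2 above (no secret-dependent branches or table lookups). The function names, the share layout (x followed by the y bytes) and the fixed `rnd` bytes are assumptions for illustration; real coefficients must come from a CSPRNG.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Multiply in GF(2^8) = F_2[x]/(x^8 + x^4 + x^3 + x + 1). Masks replace
 * branches and no table is indexed by secret data (rules 1 and 2). */
static uint8_t gf256_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= (uint8_t)(-(b & 1)) & a;             /* add a if low bit of b set */
        uint8_t carry = (uint8_t)(-(a >> 7));     /* 0xff if a has an x^7 term */
        a = (uint8_t)((a << 1) ^ (carry & 0x1b)); /* a *= x, then reduce */
        b >>= 1;
    }
    return r;
}

/* a^254 = a^(-1) for a != 0, as a fixed sequence of squarings and multiplies. */
static uint8_t gf256_inv(uint8_t a)
{
    uint8_t r = 1;
    for (int i = 0; i < 7; i++) { a = gf256_mul(a, a); r = gf256_mul(r, a); }
    return r;
}

/* Write n shares of len+1 bytes each: x = 1..n, then p_j(x) per secret byte.
 * rnd holds (k-1)*len coefficient bytes (a_1 row first). Assumed layout. */
void sss_create(uint8_t *shares, uint8_t n, uint8_t k,
                const uint8_t *secret, size_t len, const uint8_t *rnd)
{
    for (uint8_t i = 0; i < n; i++) {
        uint8_t *s = shares + (size_t)i * (len + 1);
        uint8_t x = s[0] = (uint8_t)(i + 1);
        for (size_t j = 0; j < len; j++) {
            uint8_t y = 0;
            for (int c = k - 2; c >= 0; c--)        /* Horner, a_{k-1} first */
                y = gf256_mul(y, x) ^ rnd[(size_t)c * len + j];
            s[1 + j] = gf256_mul(y, x) ^ secret[j]; /* constant term is m */
        }
    }
}

/* Lagrange interpolation at x = 0 over k shares. In characteristic 2,
 * subtraction is XOR and -x_j = x_j. The x values are public. */
void sss_combine(uint8_t *secret, const uint8_t *shares, uint8_t k, size_t len)
{
    memset(secret, 0, len);
    for (uint8_t i = 0; i < k; i++) {
        const uint8_t *si = shares + (size_t)i * (len + 1);
        uint8_t num = 1, den = 1;
        for (uint8_t j = 0; j < k; j++) {
            if (j == i) continue;                   /* public index, not secret */
            uint8_t xj = shares[(size_t)j * (len + 1)];
            num = gf256_mul(num, xj);
            den = gf256_mul(den, si[0] ^ xj);
        }
        uint8_t li = gf256_mul(num, gf256_inv(den));
        for (size_t b = 0; b < len; b++)
            secret[b] ^= gf256_mul(li, si[1 + b]);
    }
}

/* Constructed demo, (n, k) = (5, 4): returns 1 if shares s2..s5 rebuild the
 * secret. With tamper != 0, one bit of s3 is flipped before combining. */
int demo(int tamper)
{
    const uint8_t secret[4] = { 0xde, 0xad, 0xbe, 0xef };
    const uint8_t rnd[12] = { 0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x20,   /* constructed; */
                              0xb8, 0x6d, 0xf1, 0x0c, 0x77, 0xe9 }; /* use a CSPRNG */
    uint8_t shares[5 * 5], out[4];
    sss_create(shares, 5, 4, secret, sizeof secret, rnd);
    shares[2 * 5 + 1] ^= (uint8_t)(tamper != 0);
    sss_combine(out, shares + 5, 4, sizeof secret);
    return memcmp(out, secret, sizeof secret) == 0;
}

int main(void) { return (demo(0) == 1 && demo(1) == 0) ? 0 : 1; }
```

`demo(1)` returns 0 without any error being raised: a modified share silently yields a different secret, which is the integrity gap that plain Shamir sharing leaves open.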

4. Performance through bitslicing
Example: adding two bytes in parallel
[Figure: adder circuit with inputs A, B, C_in and outputs S, C_out]
- Working in bytes: need only 8 registers per byte
- Implement algorithm in logic circuits
- 32-bit platform? 32x parallel computation = performance :)
- Scales to 64-bit, avx{,2,512}, etc. :)
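An added example, not code from the talk or from the sss library: multiplication in the field from note 1, bitsliced so that each 32-bit word operation handles 32 bytes in parallel, as described above for a 32-bit platform. The bit layout (word b holds bit b of every byte, lane i at bit position i) and all function names are assumptions.

```c
#include <stdint.h>

/* Bitslice 32 bytes: word b collects bit b of every byte, lane i sits at bit i
 * (this layout is an assumption made for the example). */
void bitslice(uint32_t out[8], const uint8_t in[32])
{
    for (int b = 0; b < 8; b++) {
        out[b] = 0;
        for (int i = 0; i < 32; i++)
            out[b] |= (uint32_t)((in[i] >> b) & 1) << i;
    }
}

void unbitslice(uint8_t out[32], const uint32_t in[8])
{
    for (int i = 0; i < 32; i++) {
        out[i] = 0;
        for (int b = 0; b < 8; b++)
            out[i] |= (uint8_t)(((in[b] >> i) & 1) << b);
    }
}

/* r = a * b in F_2[x]/(x^8 + x^4 + x^3 + x + 1) for 32 lanes at once. Every
 * step is a word-wide AND or XOR: the multiplication written as a circuit. */
void gf256_mul_bs(uint32_t r[8], const uint32_t a[8], const uint32_t b[8])
{
    uint32_t t[8], acc[8] = { 0 };
    for (int i = 0; i < 8; i++) t[i] = a[i];
    for (int i = 0; i < 8; i++) {
        for (int j = 0; j < 8; j++)
            acc[j] ^= t[j] & b[i];  /* add a * x^i in lanes where bit i of b is set */
        uint32_t top = t[7];        /* lanes whose product overflows into x^8 */
        t[7] = t[6]; t[6] = t[5]; t[5] = t[4];
        t[4] = t[3] ^ top;          /* x^8 = x^4 + x^3 + x + 1 */
        t[3] = t[2] ^ top;
        t[2] = t[1];
        t[1] = t[0] ^ top;
        t[0] = top;
    }
    for (int i = 0; i < 8; i++) r[i] = acc[i];
}

/* Constructed demo: put (a, b) in one lane, fill the other 31 lanes with
 * unrelated bytes, multiply all lanes together, return that lane's product. */
uint8_t demo_lane(uint8_t a, uint8_t b, int lane)
{
    uint8_t x[32], y[32], z[32];
    uint32_t xs[8], ys[8], zs[8];
    for (int i = 0; i < 32; i++) {
        x[i] = (uint8_t)(17 * i + 3);
        y[i] = (uint8_t)(29 * i + 5);
    }
    x[lane] = a;
    y[lane] = b;
    bitslice(xs, x);
    bitslice(ys, y);
    gf256_mul_bs(zs, xs, ys);
    unbitslice(z, zs);
    return z[lane];
}

int main(void)
{
    /* {57} * {83} = {c1} is the worked multiplication in FIPS-197. */
    return demo_lane(0x57, 0x83, 0) == 0xc1 ? 0 : 1;
}
```

Because the circuit has no branches, lookups or multiply instructions, the bitsliced form also satisfies the three side-channel rules from the previous slide.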

Overview
[Diagram, creating shares: the secret is encrypted with salsa20/poly1305 under a random key, giving the ciphertext; the random key, with parameters (n, k), goes through bitslice, evaluate polynomial and unbitslice; the output is the set of shares.]

Overview
[Diagram, combining shares: the shares go through bitslice, Lagrange interpolation and unbitslice, giving the key; the key and the ciphertext go into salsa20/poly1305 decrypt, giving the secret.]

Implementation performance
Measuring wall clock time (note 3) with (n, k) = (5, 4):

language        create   combine
Tight C loop    9.6µs    12µs
Go bindings     11µs     15µs
Rust bindings   8.8µs    5.4µs

Conclusion: I.e. roughly 100 000 calls per second.
Note 3: Wall clock time, best of three on my crappy laptop

Stuff that can go wrong
Possible mistakes:
- Assuming integrity
- Timing attacks
- Bad randomness

Ethics
Can our software be used with malicious intent?

Demo

Don't implement your own crypto

Acknowledgements
- Ed Schouten
- Ken Swenson
- Pol van Aubel
- Thijs Miedema
Cartoons on frame 9 authored by Randall Munroe

Thank you!
Slides can be found at https://dsprenkels.com/files/sss-34c3.pdf
sss project is at https://github.com/dsprenkels/sss
Extra reading:
- http://loup-vaillant.fr/articles/implemented-my-own-crypto
- https://dsprenkels.com/mysterion.html
Find me through
- Email: hello@dsprenkels.com
- PGP key: 951D 6F6E C19E 5D87 1A61 A7F4 1445 C075 FFD5 68CD

References
- https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf (Jun 2016)
- http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0184b/chdedhfg.html (2017)
- https://bitcointalk.org/index.php?topic=2199659.0 (2017)
- https://cryptocoding.net/index.php/coding_rules (2017)
- Pedersen, T.P., et al.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Crypto. vol. 91, pp. 129-140. Springer (1991)
- Poettering, B.: Shamir Secret Sharing Scheme. http://point-at-infinity.org/ssss/ (2006)
- Shamir, A.: How to share a secret. Commun. ACM 22(11), 612-613 (Nov 1979), http://doi.acm.org/10.1145/359168.359176
- Silverstone, D.: gfshare. http://www.digital-scurf.org/index.html (2006)

Example: combining shares (computation)
$s_1 = (1, 21)$, $s_3 = (4, 6)$, $s_4 = (2, 8)$
Solve for m, one elimination step at a time:
$$\begin{aligned}
a_2 x_1^2 + a_1 x_1 + m &= y_1 \\
a_2 x_2^2 + a_1 x_2 + m &= y_2 \\
a_2 x_3^2 + a_1 x_3 + m &= y_3
\end{aligned}$$
$$\begin{aligned}
1^2 a_2 + a_1 + m &= 21 \\
4^2 a_2 + 4a_1 + m &= 6 \\
2^2 a_2 + 2a_1 + m &= 8
\end{aligned}$$
$$\begin{aligned}
a_2 + a_1 + m &= 21 \\
16a_2 + 4a_1 + m &= 6 \\
4a_2 + 2a_1 + m &= 8
\end{aligned}$$
$$\begin{aligned}
4a_2 + 4a_1 + 4m &= 84 \\
16a_2 + 4a_1 + m &= 6 \\
4a_2 + 2a_1 + m &= 8
\end{aligned}$$
$$\begin{aligned}
2a_1 + 3m &= 76 \\
16a_2 + 4a_1 + m &= 6 \\
4a_2 + 2a_1 + m &= 8
\end{aligned}$$
$$\begin{aligned}
2a_1 + 3m &= 76 \\
16a_2 + 4a_1 + m &= 6 \\
16a_2 + 8a_1 + 4m &= 32
\end{aligned}$$
$$\begin{aligned}
2a_1 + 3m &= 76 \\
16a_2 + 4a_1 + m &= 6 \\
4a_1 + 3m &= 26
\end{aligned}$$
$$\begin{aligned}
2a_1 + 3m &= 76 \\
4a_1 + 3m &= 26
\end{aligned}$$
$$\begin{aligned}
4a_1 + 6m &= 152 \\
4a_1 + 3m &= 26
\end{aligned}$$
$$\begin{aligned}
3m &= 126 \\
4a_1 + 3m &= 26
\end{aligned}$$
$$3m = 126$$
Solved for m:
$$m = 42$$

Lagrange interpolation
Given shares $s_1, \dots, s_k = (x_1, y_1), \dots, (x_k, y_k)$. Use Lagrange interpolation to get m.
$$l_i(x) = \prod_{j \neq i} \frac{x - x_j}{x_i - x_j} = \frac{(x - x_1)}{(x_i - x_1)} \cdots \frac{(x - x_k)}{(x_i - x_k)} \quad (2)$$
$$L(x) = \sum_{i=1}^{k} y_i l_i(x) = y_1 l_1(x) + \dots + y_k l_k(x) \quad (3)$$
The secret is the value at $x = 0$:
$$l_i(0) = \prod_{j \neq i} \frac{0 - x_j}{x_i - x_j} = \frac{(0 - x_1)}{(x_i - x_1)} \cdots \frac{(0 - x_k)}{(x_i - x_k)} \quad (2)$$
$$m = L(0) = \sum_{i=1}^{k} y_i l_i(0) = y_1 l_1(0) + \dots + y_k l_k(0) \quad (3)$$
Writing $l_i$ for $l_i(0)$:
$$l_i = \prod_{j \neq i} \frac{-x_j}{x_i - x_j} = \frac{(-x_1)}{(x_i - x_1)} \cdots \frac{(-x_k)}{(x_i - x_k)} \quad (2)$$
$$m = \sum_{i=1}^{k} y_i l_i = y_1 l_1 + \dots + y_k l_k \quad (3)$$