Proactive secret sharing

Proactive secret sharing is a method to update shares in a secret sharing scheme periodically such that an attacker has less time to compromise shares. This contrast a non-proactive scheme where if the threshold number of shares are compromised during the lifetime of the secret, the secret is compromised.

1 Motivation
2 Mathematics
3 Example
4 References

Motivation

If the players store their shares on insecure computer servers, an attacker could crack in and steal the shares. Since it is not often practical to change the secret, the uncompromised (Shamir-style) shares should be updated in a way that they generate the same secret, yet the old shares are invalidated.

Mathematics

The dealer generates a new random polynomial with constant term zero and calculates for each remaining player a new ordered pair, where the x-coordinates of the old and new pairs are the same. Each player then adds the old and new y-coordinates to each other and keeps the result as the new y-coordinate of the secret.

The dealer constructs a random polynomial over a field of degree $k$ where $k$ is the threshold
Each player gets the share $x_{i}^{0} = f^{0}(i)$ where $i \in \{1, ..., n\}$ , $n$ is the number of players, and $x_{i}^{0}$ is the share for player $i$ at time interval $0$
The secret can be reconstructed with via interpolation of $k$ shares
To update the shares, all parties need to construct a random polynomial of the form $\delta_{i}(z) = \delta_{i,1}z^{1} %2B \delta_{i,2}z^{2} %2B ... %2B \delta_{i,k}z^{k}$
Each player $i$ sends all other players $u_{i,j} = \delta_{i}(j)$
Each player updates their share by $x_{i}^{t %2B 1} = x_{i}^{t} %2B u_{1,i}^{t} %2B ... %2B u_{n,i}^{t}$ where $t$ is the time interval in which the shares are valid

All of the non-updated shares the attacker accumulated become useless. An attacker can only recover the secret if he can find enough other non-updated shares to reach the threshold. This situation should not happen because the players deleted their old shares. Additionally, an attacker cannot recover any information about the original secret from the update process because it only contains random information.

The dealer can change the threshold number while distributing updates, but must always remain vigilant of players keeping expired shares

Example

The following example has 2 shares and a threshold of 2 with 2 players and 1 dealer. Since shares and polynomials are only valid for a certain time period, the time period they are valid is denoted with a superscript.

All parties agree on a finite field: $Z_{11}$
The dealer establishes a secret: $x = 6 \in Z_{11}$
The dealer constructs a random polynomial over of degree 2 - 1 (threshold of 2)
- $f^{0}(x) = 6 %2B 2 \times x$
- note $f^{0}(0) = x = 6$
Player 1 gets share $x_{1}^{0} = f^{0}(1) = 6 %2B 2 \times 1 = 1$ and player 2 gets share $x_{2}^{0} = f^{0}(2) = 6 %2B 2 \times 2 = 10$
To reconstruct the secret, use and
- Since $f^{0}(x)$ is a line, we can use point slope form to interpolate
- $m = (f^{0}(2) - f^{0}(1)) / (2 - 1) = (x_{2}^{0} - x_{1}^{0}) / (2 - 1) = (10 - 8) / (2 - 1) = 2 / 1 = 2$
- $b = f^{0}(1) - m = x_{1}^{0} - 2 = 8 - 2 = 6$
- $f^{0}(x) = b %2B m \times x = 6 %2B 2 \times x$
- $f^{0}(0) = 6 %2B 2 \times 0 = 6 = x$
To update the shares, all parties need to construct random polynomials of degree 1 such that the free coefficient is zero
- Player 1 constructs $\delta_{1}^{0}(z) = \delta_{1,1}^{0} \times z^{1} = 2 \times z^{1}$
- Player 2 constructs $\delta_{2}^{0}(z) = \delta_{2,1}^{0} \times z^{1} = 3 \times z^{1}$
Each player evaluates their polynomial and shares some information with other players
- Player 1 computes $u_{1,1}^{0} = \delta_{1}^{0}(1) = 2$ and $u_{1,2}^{0} = \delta_{1}^{0}(2) = 4$ in $Z_{11}$
- Player 1 sends Player 2 $u_{1,2}^{0}$
- Player 2 computes $u_{2,1}^{0} = \delta_{2}^{0}(1) = 3$ and $u_{2,2}^{0} = \delta_{2}^{0}(2) = 6$ in $Z_{11}$
- Player 2 sends Player 1 $u_{2,1}^{0}$
Each player updates their share by
- Player 1 computes $x_{1}^{1} = x_{1}^{0} %2B u_{1,1}^{0} %2B u_{2,1}^{0} = 8 %2B 2 %2B 3 = 2 \in Z_{11}$
- Player 2 computes $x_{2}^{1} = x_{2}^{0} %2B u_{1,2}^{0} %2B u_{2,2}^{0} = 10 %2B 4 %2B 6 = 9 \in Z_{11}$
Confirm updated shares generate same original secret
- Use $x_{1}^{1}$ and $x_{2}^{1}$ to reconstruct the polynomial $f^{1}(x)$
- Since $f^{1}(x)$ is a line, we can use point slope
- $m = (f^{1}(2) - f^{1}(1)) / (2 - 1) = (x_{2}^{1} - x_{1}{1}) / (2 - 1) = (9 - 2) / (2 - 1) = 7 / 1 = 7$
- $b = f^{1}(1) - m = x_{1}^{1} - 7 = 2 - 7 = -5 = 6$
- $f^{1}(x) = b %2B m \times x = 6 %2B 7 \times x$
- $f^{1}(0) = 6 %2B 7 \times 0 = 6 = x$

References

Herzberg, Amir; Jarecki, Stanislaw; Hugo, Krawczyk; Yung, Moti (1995). "Proactive Secret Sharing Or: How to Cope With Perpetual Leakage". CRYPTO '95: Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology (London, UK: Springer-Verlag): 339–352. ISBN 3-540-60221-6. http://portal.acm.org/citation.cfm?id=646760.706016. Retrieved June 14, 2010.
Yevdokimov, Aleksey (2009). "Dynamic system of proactive security". Application of Information and Communication Technologies, 2009. AICT 2009. (Baku, Azerbaijan: IEEE): 1–4. ISBN 978-1-4244-4739-8. http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5372541. Retrieved June 14, 2010.

Proactive secret sharing

Contents

Motivation

Mathematics

Example

References