Hi (PrivCount) folks! I just finished the first draft of the k,n-secret-sharing thing for PrivCount. :)
Sorry that it need some time, but I'm sadly a bit slowly with reading and writing. You can find it here at github: https://github.com/Samdney/28X-k-of-n-secret-sharing and also below in this email. You will see a lot of "=> TODO". This belongs of course not to the specification ;). There are still a lot of open details and questions left (or stuff which still have to be written, I think) and hence it is time for some help from you, now. I looked a bit around how a specification has to look like, before I started to write it, but this was more confusing like helpful, hehe. I'm a completely newbie with writing this kind of documents, hence I'm pretty nervous for your feedback :) Bye, Carolin ========== Draft v1 ========== Filename: 28X-k-of-n-secret-sharing.txt Title: k-of-n Secret Sharing Author: Carolin Zöbelein Created: XX-Sept-2017 Status: Draft 0. Motivation The implementation of schemes for collecting statistic data within a high sensitive network like Tor for preserving anonymity, is a hard challenge. Over the years the Tor network has grown but its usage and operation is not well-understood and already existing ways [1] leads to some open issues [maybe add also a reference here]. For doing this better like the current state of the art, we discuss to switch to PrivCount [2][3], a system for measuring the Tor network created with a high attention on user privacy. PrivCount consists of a system of Data Collectors (DC) which forward their blinded measure counter results to a number of, so-called, Tally Reporters (TR) which are only together be able to reconstruct the original data. In the context of the implementation of the mentioned system, we decided to use a secret sharing algorithm for forwarding the blinded counter values. This gives us the chance of reconstructing the data also with a particular minimum amount of secret share holders and hence a failure handling possibility of Tally Reporters. => TODO: References [maybe add also a reference here] 1. Introduction Assume, we have a given secret s which we want to share with a particular number N of participants who are only together be able to reconstruct it. To realize this, we can split our secret in n parts s_i. Our secret will be then the sum over all s_i. This is the simplest secret sharing scheme at all. Since it needs all participants for the reconstruction, it is called a (N,N) treshold secret sharing algorithm. But we also see that it has weaknesses. With every leaked share s_i, an adversary can reduce the number of possible soulutions for our secret very easily. This leads to the group of more efficient secret sharing algorithms. In [4], Adi Shamir introduced a (K,N) secret sharing scheme which is named after him and offers more security. Additionally, on the contrary to our scheme above, we only need a minimum amount of k out of n participants to reconstruct the secret. Our specification will be based on this scheme. 3. Overview and preliminaries In this section, we make some preparations for the protocol specification itself. 3.1. Scope In this document we describe the protocol specification for a Shamir Secret Sharing scheme on a finite field of size p > s and p > N, with p be prime number. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. 3.2. Notation We will use for public, non-secret, values UPPER CASE and for private, secret, values lower case. We write: "a", type: b, c, d "a" gives the name of the parameter. type: b be the type of the parameter a. c be the amount of this parameters. d be the mathematical definition set for a. Mathematical assignments: Let "a := b" be the assignment of the value of b to the variable a. Let "a mod b" be the modulus calculation of a with respect to b. Let "a != b" be that a is unequal to b. In our document "natural numbers" are defined as the set of all integers greater than zero. g[X] describes a polynomial with respect to X. SUM(a_i) gives the sum over a_i for all known i. SUM(i=a,b,c_i) gives the sum over all c_i for all a <= i <= b. PRODUCT(a,b,c_i) gives the product over all c_i for all a <= i <= b. The secret sharing protocol has three participating parties which we will call as follows: Secret Keeper (SK) knows the secret, does the initial setup and determines the secret shares. Share Holders (SH) receive the secret shares from the SK. Secret Reconstructor (SR) takes a particular number of secret shares from the SHs and reconstruct the secret. 4. Protocol outline We give a raw protocol overview. 0. Preparation: The parties negotiate an appropriate handshake and communication way for forwarding the secret shares between SK to the SHs and between the SHs to SR. [This is not part of that specifiation] => TODO: Do we need a more detailed definition of "appropriate"? 1. The SK knows the secret s. Additionally, given are the amount N of participating SHs and the threshold K for the minimum number of necessary shares for the reconstruction. [see sec. 5.1.] 2. The SK generate a random prime number p, with p > s AND p > N. [see sec. 5.3.] 3. The SK determines the secret polynomial coefficients a_j, 1 <= j <= K-1. With this, the secret keeping polynomial is given by g[X] := s + SUM(a_j*X^j). [see sec. 5.4.] 4. The SK determines the secret shares parts x_i, 1 <= i <= N. [see sec. 5.5.] 5. The SK computes the secret shares parts y_i := g[x_i]. [see sec. 5.5.] 6. The SK forward the secret shares to the SHs. Each SH_i MUST receive exactly one secret share pair (x_i,y_i). [see sec. 5.6.] 7. The SR receives K secret share pairs (x_h,y_h) from the SHs and p from the SK, 1 <= h <= K. [see sec. 5.7] 8. The SR compute the Lagrange basis polynomials l_h[X]. [see sec. 5.8.] 9. The SR reconstruct the original polynomial with g[x] = SUM(h=1, K, y_h*l_h[X] mod p). [see sec. 5.8.] 10. The SR computes the secret s = g[0]. [see sec. 5.8.] 5. Specification Now we will give more details to the raw outline above. 5.1. Given constants "s", type: int, exactly one, integer The given secret. "N", type: int, exactly one, natural number The number of participating SHs. It MUST to be N >= N_min. => TODO: Which value should N_min has? Default: N_min = 2? "K", type: int, exactly one, natural number The threshold of the minimum number of necessary shares for the reconstruction. It MUST to be K <= N. => TODO: Are more (size) information necessary? E.g. amount of bits/bytes? I think so. 5.2. Parties Secret Keeper (SK) It MUST exists exactly one SK. Share Holders (SH) It MUST exists exactly N SHs. Secret Reconstructor (SR) It SHOULD exists exactly one SR. [=> TODO: SHOULD since one is necessary but more could be used for checking the result. But I would prefere MUST.] => TODO: Which additional information do we need to know/to give about the parties? 5.3. Prime number Since we are using a secret sharing scheme on a finite field, we need a random prime number. "p", type: int, exactly one, prime number It MUST to be p > s AND p > N AND it MUST to be the secret s element of Z/pZ. => TODO: I'm not sure how exactly p should be handled. When and from where, is it given to whom? => TODO: Do we need to write anything about the necessary "random" characteristic? The "quality" of the randomly generation of the number? => TODO: Minimum size of p? Which value should p has, at least, caused by security reasons? => TODO: Are more (size) information necessary? E.g. amount of bits/bytes? I think so. 5.4. The secret keeping polynomial "a_j", type: int, K-1 values, Z/pZ "g[X]", type: polynomial with order K-1, exactly one, (Z/pZ)[X] The SK determines the final secret keeping polynomial, which is given by g[X] := s + SUM(a_j*X^j) and hence our secret for g[0] = s. Its random coefficients are a_j, 1 <= j <= K-1 which MUST be element of Z/pZ. => TODO: Which constraints exists for this a_j values? Size? Relative, pairwise, distance a_j - a_m between for all a_j,a_m with j != m? Is this relevant? References for this? => TODO: Are more (size) information necessary? E.g. amount of bits/bytes? I think so. 5.5. The secret shares "x_i", type: int, N values, Z/pZ "y_i", type: int, N values, Z/pZ "(x_i,y_i)", type: (int,int), N value pairs, Z/pZ -> Z/pZ The SK determines the random secret shares parts x_i, i <= N which MUST be element of Z/pZ and MUST be pairwise different from zero. With this x_i, SK computes the secret shares parts y_i := g[x_i] and hence the finally secret share pairs (x_i,y_i). => TODO: How should this x_i be generated? Distribution? E.g. the smallest, non negative, representatives? => TODO: Which constraints exists for this x_i values? Size? Relative, pairwise, distance x_i - x_m between for all x_i,x_m with i != m? Is this relevant? References for this? => TODO: Are more (size) information necessary? E.g. amount of bits/bytes? I think so. 5.6. Sending secret shares from SK to SHs The SK sends the secret share pairs to the SHs. Each SH_i MUST receive exactly one secret share pair (x_i,y_i). => TODO: How exactly has to look the data which has to be send and which size has it (bits/bytes) to be? => TODO: Which data has also to be send apart from (x_i,y_i)? => TODO: How should looks like a possible answer of the SHs for the SK to confirm the receipt? [Is this necessary, at all? I think so.] => TODO: I'm not sure how exactly p should be handled. When and from where, is it given to whom? => TODO: I need a helping hand for this specification section :) 5.7. SR receives secret shares from the SHs The SR MUST receive K secret share pairs from the SHs and p from the SK. The SR MUST receive exactly one secret share pair (x_,y_h), 1 <= h <= k, from each SH_h => TODO: How exactly has to look the data which has to be send as response to the SHs? What, which additionally data, has to be send? And which size has it (bits/bytes) to be? => TODO: I'm not sure how exactly p should be handled. When and from where, is it given to whom? => TODO: From where comes the information about N and K? (and p?) => TODO: Where has to be decided, from which K out of N SHs has this (x_h,y_h) to come from? And how (randomly)? And in which way has this to be comunicated to the given parties? !!! => TODO: I need a helping hand for this specification section :) 5.8. Reconstruction "l_h[x]", type: polynomial with order K-1, K, (Z/pZ)[X] The SR compute the Lagrange basis polynomials l_h[x] with the secret share pairs (x_h,y_h), 1 <= h <= K, which it received from the SHs. The SR MUST receive exactly K pairs from exactly K SHs. I MUST be exactly one secret share pair from each, of this K, SH. The Lagrange basis polynomials are given by l_h[X]:= PRODUCT(1 <= m <= K AND m != h, (X - x_m)/(x_h - x_m)) with 1 <= j <= K. This leads to our original secret keeping polynomial g[X] := SUM(h=1, K, y_h*l_h[x] mod p) and the given secret by s = g[0]. => TODO: From which K out of N SHs come this secret shares? => TODO: Are more (size) information necessary? E.g. amount of bits/bytes? I think so. 6. Security discussion => TODO: Write important points about the security aspects of this scheme. :) 7. References [1] https://www.cypherpunks.ca/~iang/pubs/privex-ccs14.pdf [maybe add also a reference here] [2] http://www.robgjansen.com/publications/privcount-ccs2016.pdf [3] https://github.com/privcount/privcount [4] Shamir A., "How to share a secret", Communications of the ACM. 22, 1979, S. 612–613. => TODO: References => TODO: Correct references for regular citation => TODO: Add missing references A. Lemma => TODO: Still to write. The Lemma (why this Shamir thing works :) proof ========== TODO: RESEARCH AND EXTENSION OF SPECIFICATION!!! => TODO: Investigate more some very interesting papers! :) => TODO: Multi-Secret Sharing Schemes!!! TODO: MISC: => TODO: Notation stuff checking => TODO: Check my English for language mistakes :) => TODO: I used: scheme, algorithm, protocol, ... what is the best word in what context? ========== -- ----------------------------------------------------------------------- Carolin Zöbelein / Nick: Samdney PGP: D4A7 35E8 D47F 801F 2CF6 2BA7 927A FD3C DE47 E13B ----------------------------------------------------------------------- _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
