Problem: Don't want to put trust in a single person.
If you haveN = 3
, then t = 2
parties are sufficient to sign a document,
spend money, etc.
Notion: Threshold capability
Say Alice has a secret S
and a number of friends she wants to distribute
shares of the secret S
to t
friends, 1 <= t <= n
s_i
of S
t
of the friends can reconstruct S
from their s_i
's
t
have negligible chance of reconstructing S
S
, so it'll be
vulnerableFor t=1
the problem is trivial: s_i = S, \forall i
.
For t=n
the problem is trivial: s_i = ith chunk of S
+ would not be that secure, because n1
people can guess the last chunk more
easily (not negligible probability.
+ S = s_1 \xor s_2 \xor ... \xor s_{n1} \xor s_{n}
 result is random if you don't have all s_i
's
 need all people to generate S
For other t
's, use polynomials.
t=2
points determine a linet=3
points determine a quadratic polynomialt=k
points determine a t1
degree polynomialf(x) = a_{t1}x^{t1} + a_{t2}x^{t2} + ... + a_1*x + a_0 (mod p)
f
over a finite field (because we're using computers which have limits)f
a_{t1}, a_{t2}, ..., a_1, a_0
{(x_i, y_i)}, \forall 1 <= i <= t
x
, compute f(x)
t
points find a unique curve that runs
through these points
To share a secret S (0 <= s < p)
a_0 = S
a_1, a_2, ..., a_{t1}
at random from Z_p
f
polynomial of degree t
s_i = (i, y_i)
, where y_i = f(i), \forall 1 <= i <= n
s_0 = (0, y_0) = f(0) = a_0 = S
s_0
, you send s_1, ..., s_n
s_i, i >= 1
are completely uncorrelated to the secret S
S
Now, let's see how t
out of the n
friends can reconstruct S
.
(x_i, y_i)
for 1 <= i <= t
f(x) = \sum_{i = 1, t} {y_i * f_i(x)}
, where
f_i(x) = { 1 at x = x_i  0 at x = x_j, where j != i}
f_i(x) = \prod_{j != i}{x  x_j}/\prod{j != i}{x_i  x_j}
t1
polynomials = f(0) = \sum{i = 1, t} {y_i * f_i(x)} = replace
TODO: Why does this work?
Why having fewer than t
shares doesn't allow you to reconstruct the secret?
t1
curve can be defined to go through the adversary's t1
points
and through the point (0,s)
for any s
s
. s
could be any point in Z_p
and no
information is leaked about s
through those t1
points c = Enc(K, M)
Alice *> Bob
\
\> Eve
Problem: Message could be arbitrarily long. How do you build an encryption method to handle arbitrarily large messages?
then we chain the together wisely and handle arbitrarily long messages
p

\ /
*

Key K >  Enc 


\ /
.
C
Fixed length P, C, K
:
P = C = 64 bits
, K = 56 bits
(8 of the 64 bits were used for
parity)P = C = 128 bits
, K = 128, 192, 256
Call put out for commercially usable data ciphers. DES came from IBM.
m = L_0R_0
L_0 R_0
 
   
 
 
 
round 1 +f
 \ k_i round key 48 bits
\ /
\ /
\ /
swap for next
round
\ /
\ /
/ \
/ \
/ \
/ \
/ \
round 16
L_15 R_15
 
   
 
f
can be anything, and won't affect the invertibility of the cipher if you
have the key.
How do you design a good f
box that doesn't leak K
and P
?
k_i
is split into eight 6bit chunks.2^56
different keys2^48
tries in the CPA security model (i.e. with an encryption model)You can try tweaking the input plaintext and see what tweaks are caused on the output ciphertext.
M' = M \xor \delta
, ask oracle to encrypt M > C
and M' > C' = C + \gamma
.
At a high level: The differences between delta
and gamma
give you some information about the last round key.
This requires about 2^47
chosen pairs
Biham's PhD thesis, advised by Adi Shamir
p

\ /
*

Key K >  Enc 


\ /
.
C
Could be that DES has attacks like: M_3 \xor M_15 \xor C_2 \xor C_11 \xor K_7
\xor K_19 = 0
. This relates two bits of the key because you know the message
and ciphertext bits.
In practice, these kind of equations are not always true. Maybe they're true
like half the time: p = 1/2 + \epsilon
Need 1/\epsilon^2
data points to solve equations like these.
Open public contest to design a cipher. Submit designs, attack them. Let the best win. International too, anyone in the world could submit.
Specs:
GF(2^8)
math used
GF(2^8)
means the finite field with 256 elementsBasic structure is a 4 by 4 array/matrix of bytes, where each entry is 1 bytes => 16 bytes => 128 bits
k_i
's)4x4x8
matrixr = 1, 2, ..., 10
m
, XOR in the round key (m = m XOR k_i
)GF(2^8)
table, modular inverses, etc.x = Sbox(x)
i
left by i
positions
a, b, c, d > b, c, d, a
x
is a column, x = Ax
, where A
is a 4x4
matrixA
is known)Note: side channel attacks on Sbox
L_0 R_0
 
   
 
 
 
round 1 +f
 \ k_i round key 48 bits
\ /
\ /
\ /
swap for next
round
\ /
\ /
/ \
/ \
/ \
/ \
/ \
round 16
L_15 R_15
 
   
 