
CS 7880 Graduate Cryptography September 11, 2015

Lecture 2: Statistical Authentication and Secret Sharing


Lecturer: Daniel Wichs Scribe: Ariel Hamlin

1 Topic Covered
• Authentication

• MACs

• Secret Sharing

• Threshold Secret Sharing

2 Authentication
Consider two individuals Alice and Bob who wish to communicate a message m over an
open channel. However on this channel there is an active adversary Eve who is capable of
changing messages that travel across the wire, but not block them entirely. This presents a
problem, even if the messages are encrypted. Consider the One Time Pad (OTP) example
from last class.

M = K = C = {0, 1}^*
Enc_k(m) = k ⊕ m
Dec_k(c) = k ⊕ c

Consider the case where the message is only a single bit. Eve intercepts Alice’s message
and XORs the message with a 1.

c = m ⊕ k
c' = c ⊕ 1

Decryption proceeds without Bob knowing the ciphertext has been altered.

m' = c' ⊕ k
m' = m ⊕ k ⊕ 1 ⊕ k
m' = m ⊕ 1

Lecture 2, Page 1
Recalling the truth table for the XOR operation, Eve has succeeded in flipping whatever
bit Alice originally intended to send. If, on the other hand, Eve XORed c with zero,
Bob would end up receiving a random value. Clearly this is a problem, and we wish Bob
to be able to tell that Eve has modified any of Alice's ciphertexts! Formally, we wish to
prevent the ciphertexts from being malleable by providing authentication, that is, the ability
to detect whether Eve has altered the message.
Note that when we consider the property of authentication, we consider it independently
of the confidentiality provided by encryption. In fact, we will show later how to combine
the two primitives.

3 Message Authentication Code (MAC)

MACs provide authentication against statistical adversaries, which is to say that no limit
is placed on the adversary's computational ability. Alice has a message to send to
Bob and would like to prevent Eve from altering it en route. She thus computes a 'tag' that
she sends along with the message, which allows Bob to check whether the message has been altered.
More formally, a MAC scheme can be viewed as the following tuple:

M Message Space
K Key Space
T Tag Space
MAC: K × M → T MAC Function

Alice and Bob use the MAC in the following way. Alice computes t = MAC(k, m) and
sends (m, t) to Bob. Bob receives (m', t') and checks whether t' = MAC(k, m'). If it does
not hold, he knows that Eve has altered the message. We have now defined the usage of MACs,
but what does it mean for a MAC to be secure? As with encryption security, we use a
game-based definition to define MAC security.
Definition 1 [1-Time Statistically Secure MAC]
Let MAC: K × M → T be a message authentication code and let Eve be an adversary.
We define the following security game:

Game (Eve):

• k is chosen uniformly at random from K, k ←$ K

• Eve chooses a message m and receives t ← MAC(k, m)

• Eve chooses (m', t') such that m ≠ m'. Eve wins if she is able to generate a MAC for
m' without previously seeing a tag for it, i.e. t' = MAC(k, m')

We say a scheme is ε-secure if for all adversaries Pr[Eve wins] ≤ ε. ♦


Note that this definition only defines security for a MAC in which the adversary sees
only one message for any particular key. The MAC function itself is reused and the adversary is
assumed to know the protocol, but for each new message that needs to be authenticated, a
new key must be used.
This definition also begs the question: what is the lowest value ε can have, and can it ever
be zero? Consider an Eve who simply guesses a tag for m'. The tag space is finite, so Eve's
probability of guessing the right tag is simply 1/|T|. Eve can do no worse than simply
guessing in this case. Thus in order for ε to be zero, the tag space would have to be infinite,
which it is not.

3.1 MAC Construction


Now that we have defined a syntax and security definition for MACs, let us define a con-
struction.

M = Z_p
K = Z_p × Z_p
T = Z_p
MAC(k, m) = xm + y, where k = (x, y)

Note that all operations are occurring in the field Zp which means the addition and
multiplication are done in modulo p. (For more notes on fields, see the appendix at the
end of the notes.) We now wish to show that this MAC construction meets our definition
of 1-Time Statistical Security. We can do this by examining the probability that the MAC
produces a fixed value. Formally:

Theorem 1 MAC(k, m) = xm + y is 1-Time secure for ε = 1/p.

Proof: Let X and Y be uniform random variables representing the choice of x and y in
the key. Thus K = (X, Y ) is also a uniform random variable. Thus for all messages m, and
all tags t, we have:

Pr[MAC(K, m) = t] = Pr[Xm + Y = t] = 1/p

This follows from the fact that the equation t − Xm = Y has a unique solution for X
for every choice of Y. Now consider the probability for any m ≠ m' and for any t, t':

Pr[MAC(K, m') = t', MAC(K, m) = t]
= Pr[Xm' + Y = t', Xm + Y = t]
= Pr[X = x, Y = y] = 1/p^2

where x = (t − t')/(m − m') and y = t − xm. Thus from the probability we just calculated and
the properties of conditional probabilities that we went over last class, we can show:

Pr[MAC(K, m') = t' | MAC(K, m) = t] = 1/p


Thus this MAC construction satisfies 1-Time security for ε = 1/p.

While this MAC construction is shown to be secure, it is not practical. In order to sign
any values, the key must be twice the size of the message, and one key can only be used to
sign one message. If the same key is used to sign two different messages, Eve can simply
solve the system of equations and recover the key used. This begs the question, can we
create a MAC with a smaller key size? Yes we can!

3.2 A Better MAC


We wish to improve the ratio between the size of the key and the size of the message it can
sign. In order to do so, we introduce a new MAC construction.

M = Z_p^d for d ≥ 1
K = Z_p × Z_p
T = Z_p

For k = (x, y), m = (m_1, . . . , m_d), $\mathrm{MAC}(k, m) = \sum_{i=1}^{d} (m_i x^i + y)$. Note that the
message space is now a vector of d integers from Z_p, but the key is the same
size as in our previous construction. We now have a scheme where the key size is independent
of the message size. Now we have to prove this construction is 1-Time secure.

Theorem 2 $\mathrm{MAC}(k, m) = \sum_{i=1}^{d} (m_i x^i + y)$ is 1-Time secure for ε = d/p.

Proof: Let X and Y be uniform random variables representing the choice of x and y in
the key. Thus K = (X, Y ) is also a uniform random variable. Thus for all messages m, and
all tags t, we have:

$$\Pr[\mathrm{MAC}(K, m) = t] = \Pr\Big[\sum_{i=1}^{d} (m_i X^i + Y) = t\Big] = 1/p$$

This follows from the fact that the equation has a unique solution for X for every choice
of Y. Now consider the probability for any m ≠ m' and for any t, t':

$$\Pr[\mathrm{MAC}(K, m') = t',\ \mathrm{MAC}(K, m) = t]
= \Pr\Big[\sum_{i=1}^{d} (m_i X^i + Y) = t,\ \sum_{i=1}^{d} (m'_i X^i + Y) = t'\Big]$$
$$= \Pr\Big[\sum_{i=1}^{d} (m_i - m'_i) X^i = t - t',\ Y = t' - \sum_{i=1}^{d} m'_i X^i\Big]
= \Pr[E] \cdot \Pr[F \mid E] \le \frac{d}{p} \cdot \frac{1}{p} = \frac{d}{p^2}$$

where E and F are the events $E := \sum_{i=1}^{d} (m_i - m'_i) X^i = t - t'$ and
$F := Y = t' - \sum_{i=1}^{d} m'_i X^i$. (Pr[E] ≤ d/p because, for m ≠ m', the left-hand side of E
is a nonzero polynomial in X of degree at most d, which has at most d roots in Z_p.) Thus from the
probability we just calculated and the properties of conditional probabilities that we went over
last class, we can show:

Pr[MAC(K, m') = t' | MAC(K, m) = t] ≤ d/p

Thus this MAC construction satisfies 1-Time security for ε = d/p.

In practical terms, if we have a message size of 2^33 (about 8 GB) we can get security
of ε ≤ 2^−102 with a key of only 258 bits! This is much improved over our last construction;
however, we can still only use that key once, for a single message. Can we do better and
authenticate more than one message with a single key? As it turns out, we can't do
much better if we aren't willing to put some restrictions on our adversary and move out of
statistical security. In fact, there is a lower bound relating the number of messages and the key size
required.

Theorem 3 To authenticate q messages with security ε = 2−r one needs a key of size
(q + 1)r.
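Added example, not code from the lecture notes: the Section 3.2 MAC over Z_p for a d-block message, with the Section 3.1 MAC xm + y as the case d = 1. The last function shows why the key is single-use, which the notes state after Theorem 1: two tags under one key on different single-block messages are two linear equations in (x, y). The prime p is a constructed choice.

```python
import secrets

P = 2**127 - 1  # a Mersenne prime; all arithmetic is in the field Z_p (constructed choice)

def keygen():
    """Key k = (x, y) drawn uniformly from Z_p x Z_p."""
    return (secrets.randbelow(P), secrets.randbelow(P))

def mac(key, msg):
    """MAC(k, m) = sum_{i=1}^{d} (m_i * x^i + y) mod p for m = (m_1, ..., m_d) in Z_p^d.
    With d = 1 this is the Section 3.1 MAC: m_1 * x + y."""
    x, y = key
    return sum(m_i * pow(x, i, P) + y for i, m_i in enumerate(msg, start=1)) % P

def verify(key, msg, tag):
    """Bob's check: recompute the tag over the received message and compare."""
    return mac(key, msg) == tag

def forge_prob_bound(d):
    """Theorem 2: a one-time forgery on a d-block message succeeds with probability <= d/p."""
    return d / P

def recover_key_from_reuse(m1, t1, m2, t2):
    """Section 3.1 caveat, d = 1: tags t1 = x*m1 + y and t2 = x*m2 + y under the same key
    on distinct single-block messages determine (x, y) by solving the 2x2 linear system in Z_p.
    This is why each key may authenticate only one message."""
    x = (t1 - t2) * pow(m1 - m2, -1, P) % P
    y = (t1 - x * m1) % P
    return (x, y)
```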

3.3 Combining Encryption and Authentication


Remember that authentication does nothing to provide confidentiality for the message; Eve
still learns its contents. Fortunately, we can combine encryption and authentication to
provide both integrity and confidentiality. However, the order in which they are combined
is important. Consider the case where we have a message m, an encryption key k_e and an
authentication key k_a, and Alice computes in the following order.

t = MAC(ka , m)
c = Enc(ke , m)

She then sends (t, c) to Bob. Bob simply decrypts c and checks to see if the message
generates the same tag. Remember, authentication provides no guarantees as to the confi-
dentiality of the message. As a result Eve may be able to recover something about m from
t. This is bad!

As a result, the proper way to combine authentication and encryption is to "encrypt
first, then MAC" as in the following construction.

c = Enc(ke , m)
t = MAC(ka , c)
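Added example, not code from the lecture notes: the encrypt-then-MAC construction above, using a one-time pad for Enc and the Section 3.1 MAC x·c + y over Z_p for the tag, with the ciphertext read as an integer. It also replays the Section 2 bit flip, which unauthenticated OTP decryption passes straight through but the tag check catches. Both keys are fresh per message, since the MAC is one-time; the prime p is a constructed choice.

```python
import secrets

P = 2**127 - 1  # prime modulus for the tag field Z_p (constructed choice, not from the notes)

def keygen(nbits):
    """ke: a one-time pad of nbits bits; ka = (x, y) uniform in Z_p x Z_p."""
    ke = secrets.randbits(nbits)
    ka = (secrets.randbelow(P), secrets.randbelow(P))
    return ke, ka

def otp_decrypt(ke, c):
    """Unauthenticated OTP decryption (Section 2): Bob cannot tell that c was altered."""
    return ke ^ c

def encrypt_then_mac(ke, ka, m):
    """Encrypt first, c = ke XOR m, then tag the ciphertext: t = x*c + y mod p."""
    c = ke ^ m
    x, y = ka
    return c, (x * c + y) % P

def verify_then_decrypt(ke, ka, c, t):
    """Bob recomputes the tag over the received ciphertext before decrypting.
    Returns the message, or None when the tag does not match (tampering detected)."""
    x, y = ka
    if (x * c + y) % P != t:
        return None
    return ke ^ c

def flip_bit(c, i):
    """Eve's modification from Section 2: XOR the ciphertext with a single set bit."""
    return c ^ (1 << i)
```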

4 Secret Sharing
Daniel, Jon, and abhi wish to found a baking empire, with the recipe for their famous
chocolate chip cookies as the cornerstone of their success. Now, while they all agreed that
they were upstanding individuals, they still wished to control the recipe in such a way that
none of them could take the entire recipe and found their own baking empire. In fact, they
wished to share the recipe amongst themselves in such a way that it required all three of
them to recover the recipe, and that with only two or one shares they could not know
anything about the recipe. Using secret sharing it is possible to get both properties.

[Figure: the recipe is split into three shares, s1 held by Daniel, s2 by abhi, and s3 by Jon.]

Let n be the number of parties, M the message space, and S the share space. We
define a secret sharing scheme as a tuple of two algorithms (Share: M →$ S^n, Recover:
S^n → M).
Definition 2 [Correctness] A scheme is correct if the following holds:

Pr[Recover(Share(m)) = m] = 1, where the probability is over the randomness of Share.


That is to say, reassembling the shares produced by Share using the Recover
algorithm recovers the same message. Finally we define the security of the scheme.
Definition 3 [Security]
For all M and any set of colluding parties A ⊆ {1, · · · , n} with |A| = n − 1, let (s_1, · · · , s_n) =
Share(M) and S_A = {s_i : i ∈ A}. Then the distributions of S_A and M are independent.

This definition is equivalent to saying that observing a subset of shares gives
the adversary no advantage, and also to the definition that looking at a subset of shares of
the message doesn't allow the adversary to distinguish between two messages.

4.1 Secret Sharing Construction
Now that we have defined the syntax, security, and correctness of secret sharing, let us
provide a construction. Define M = Z_q and S = Z_q. Note that while we use Z_q, any finite
group can be used for the message and share space. We define the following share and
recover algorithms.

Share On input m:

1. Choose s_1, · · · , s_{n−1} uniformly at random

2. Set sn := m − (s1 + · · · + sn−1 )

Recover On input s1 , · · · , sn :

1. Compute s1 + · · · + sn

We now will show the scheme that is defined above meets our definition of security for
secret sharing.

Theorem 4 The construction outlined above is perfectly secure.

Proof: For all M, any set of colluding parties A = {1, · · · , n} \ {i}, any value s_A of the
colluding parties' shares, and any m, we have:

Pr[S_A = s_A | M = m] = 1/q^{n−1}

This holds because, for a fixed m, each choice of s_A corresponds to a unique value of the
remaining share s_i. As the probability is the same for all M, this means that S_A
and M are independent.
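Added example, not code from the lecture notes: the n-of-n additive scheme over Z_q, with the proof of Theorem 4 made concrete: for any n − 1 shares and any candidate message, exactly one value of the missing share is consistent. The modulus q is a constructed choice.

```python
import secrets

Q = 101  # prime modulus for Z_q (constructed choice; the notes allow any finite group)

def share(m, n):
    """Share: s_1, ..., s_{n-1} uniform in Z_q; s_n := m - (s_1 + ... + s_{n-1}) mod q."""
    shares = [secrets.randbelow(Q) for _ in range(n - 1)]
    shares.append((m - sum(shares)) % Q)
    return shares

def recover(shares):
    """Recover: add all n shares mod q."""
    return sum(shares) % Q

def missing_share_for(partial, candidate):
    """Given any n-1 shares, the single value of the missing share that would make the
    secret equal `candidate`. It exists and is unique for every candidate in Z_q, which is
    the content of Theorem 4: n-1 shares are equally consistent with every message."""
    return (candidate - sum(partial)) % Q
```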

4.2 Threshold Secret Sharing


Coming back to our previous example of the baking empire, Daniel and Jon are interested
in a secret sharing scheme that allows two of the three individuals to reconstruct the recipe.
More generally, they would like any t + 1 of the n users to be able to recover the message
with just their shares, while any t parties learn nothing. We have a construction for n of
n shares; can we generalize to allow for any t? We can, but first we must introduce a few
techniques.

Lagrange Interpolation Lagrange interpolation is a method for recovering a degree-t
polynomial from t + 1 points. Let (x_0, y_0), · · · , (x_t, y_t) be the points on the polynomial.
Define the following functions p_i:

$$p_i(x) := \prod_{j \ne i} \frac{x - x_j}{x_i - x_j}$$

We can then define the polynomial passing through all the points:

$$p(x) := \sum_{i=0}^{t} y_i \cdot p_i(x)$$

Shamir Secret Sharing The construction defines a number of parties n and a threshold t
such that t < n. The message space is M = Z_q and the share space is S = Z_q, where q is a prime
and q > n. As with the previous construction, Z_q can be replaced with any finite field. We
define the following share and recover algorithms.

Share On input m:

1. Choose t random coefficients c_1, · · · , c_t and set c_0 = m

2. Define the polynomial $p(x) = \sum_{j=0}^{t} c_j x^j$

3. Output s_i = p(i) for each party i

Recover On input (1, s_1), · · · , (n, s_n):

1. Lagrange interpolation; the message is p(0) = c_0

Theorem 5 Shamir Secret Sharing satisfies perfect secrecy.

Proof: For all messages M, any t distinct points z_1, · · · , z_t ⊆ Z_q \ {0} and values s_1, · · · , s_t
we have:

Pr[p(z_1) = s_1, · · · , p(z_t) = s_t | M = m] = 1/q^t

This comes from the fact that once we fix p(0) = c_0 = m, each choice of s_1, · · · , s_t
corresponds to a unique choice of c_1, · · · , c_t.
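Added example, not code from the lecture notes, serving both the Lagrange interpolation paragraph and the Shamir construction above: (t+1)-of-n sharing over Z_q with recovery by interpolation at 0, plus the Theorem 5 argument made concrete: any t shares together with (0, m) fix a unique polynomial for every candidate m. The prime q is a constructed choice.

```python
import secrets

Q = 2**61 - 1  # a prime with q > n (constructed choice, not from the notes)

def eval_poly(coeffs, x):
    """p(x) = sum_j c_j x^j over Z_q, coeffs = [c_0, c_1, ..., c_t]."""
    return sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q

def share(m, n, t):
    """Share: c_0 = m, c_1..c_t uniform in Z_q; party i (1 <= i <= n) gets (i, p(i))."""
    coeffs = [m] + [secrets.randbelow(Q) for _ in range(t)]
    return [(i, eval_poly(coeffs, i)) for i in range(1, n + 1)]

def lagrange_at(points, x):
    """Value at x of the unique degree-<=t polynomial through t+1 points (x_i, y_i):
    p(x) = sum_i y_i * prod_{j != i} (x - x_j) / (x_i - x_j), all arithmetic in Z_q."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def recover(points):
    """Recover: interpolate any t+1 shares and read off m = p(0) = c_0."""
    return lagrange_at(points, 0)

def consistent_share(points, candidate, x_new):
    """Theorem 5 viewpoint: holding only t shares, the share party x_new would hold if the
    secret were `candidate` is the interpolation through those t points plus (0, candidate).
    This is well defined for every candidate, so t shares reveal nothing about m."""
    return lagrange_at(points + [(0, candidate)], x_new)
```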

It is an open problem in this space whether it is possible to do sharing for an arbitrary
access structure with fewer than 2^n shares, as the naive approach is to simply assign shares
to each possible minimal subset, which gives exponentially many shares.

Appendix: A Note on Fields


A field is defined as a tuple of a set F, an addition operator, and a multiplication operator:
(F, +, ∗). It has the following properties:

1. Both operations (+, ∗) are associative ((a + b) + c = a + (b + c)) and commutative
(a ∗ b = b ∗ a).

2. Multiplication is distributive over addition: a ∗ (b + c) = a ∗ b + a ∗ c

3. (F, +) is a group with the identity 0.

• For all x: x + 0 = x

• For all x: there exists −x such that x + (−x) = 0

4. (F^∗, ∗) is a group with the identity 1, where F^∗ = F \ {0}.

• For all x ∈ F^∗: x ∗ 1 = x
• For all x ∈ F^∗: there exists x^{−1} such that x ∗ x^{−1} = 1
