基于 XOR 的密钥分裂与 3 方和 2 的阈值
XOR-based key splitting with 3 parties and a threshold of 2
我有一个任务:
Let’s say a bank has a cypher key K (just a long random string). That
bank wishes to split it into two pieces p1 and p2 so that both are
required for decryption. The p1 is then given to one executive, and p2
- to another, so both must contribute their pieces for decryption to proceed.
To accomplish that, the bank generates random k1 and sets k′1←k⊕k1. Note
that k1⊕k′1=k. The bank gives k1 to one executive and k′1 to another.
Both must be present for decryption to proceed since, by itself, each
piece contains no information about the secret key k.
Now, suppose the bank wants to split k into three pieces p1,p2,p3 so
that any two of the pieces enable decryption using k. This ensures
that even if one executive is out sick, decryption can still succeed,
but no employee can decrypt a message alone. To do so, the bank
generates two random pairs (k1,k′1) and (k2,k′2) as in the previous
paragraph so that k1⊕k′1=k2⊕k′2=k. How should the bank assign pieces
so that any two pieces enable decryption using k, but no single piece
can decrypt?
What is the answer to the question above?
p1 = (k1, k2), p2 = (k`1, k2), p3 = (k`2);
p1 = (k1, k2), p2 = (k`1, k`2), p3 = (k`2);
p1 = (k1, k2), p2 = (k1, k2), p3 = (k`2);
p1 = (k1, k2), p2 = (k1), p3 = (k`2);
p1 = (k1, k2), p2 = (k2, k`2), p3 = (k`2);
请解释一下,它是如何工作的。
这是一个已解决的问题,请参阅 Shamir's Secret Sharing:
Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
Counting on all participants to combine the secret might be impractical, and therefore sometimes the threshold scheme is used where any
k of the parts are sufficient to reconstruct the original secret.
一个可能的weak 2 of 3 method may be possible using the same scheme that is used in three disk RAID5, any two can reconstitute the original.
第一个是答案:
p1 = (k1, k2), p2 = (k`1, k2), p3 = (k`2);
因为每个可能的对都可以生成 k:
- p1 & p2: k1 ⊕ k'1 = k
- p1 & p3: k2 ⊕ k'2 = k
- p2 & p3: k2 ⊕ k'2 = k
当然各方不能自己重构密钥。
其他的可能性显然是错误的。让我们采用第二个可能的答案,看看 p2 和 p3 是否可以形成有效密钥。他们不能,因为每个都有相同的 k'2 组件,所以这还不够。那么p2有一个k'1,但是p3没有一个k1.
我有一个任务:
Let’s say a bank has a cypher key K (just a long random string). That bank wishes to split it into two pieces p1 and p2 so that both are required for decryption. The p1 is then given to one executive, and p2 - to another, so both must contribute their pieces for decryption to proceed.
To accomplish that, the bank generates random k1 and sets k′1←k⊕k1. Note that k1⊕k′1=k. The bank gives k1 to one executive and k′1 to another. Both must be present for decryption to proceed since, by itself, each piece contains no information about the secret key k.
Now, suppose the bank wants to split k into three pieces p1,p2,p3 so that any two of the pieces enable decryption using k. This ensures that even if one executive is out sick, decryption can still succeed, but no employee can decrypt a message alone. To do so, the bank generates two random pairs (k1,k′1) and (k2,k′2) as in the previous paragraph so that k1⊕k′1=k2⊕k′2=k. How should the bank assign pieces so that any two pieces enable decryption using k, but no single piece can decrypt?
What is the answer to the question above?
p1 = (k1, k2), p2 = (k`1, k2), p3 = (k`2); p1 = (k1, k2), p2 = (k`1, k`2), p3 = (k`2); p1 = (k1, k2), p2 = (k1, k2), p3 = (k`2); p1 = (k1, k2), p2 = (k1), p3 = (k`2); p1 = (k1, k2), p2 = (k2, k`2), p3 = (k`2);
请解释一下,它是如何工作的。
这是一个已解决的问题,请参阅 Shamir's Secret Sharing:
Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
Counting on all participants to combine the secret might be impractical, and therefore sometimes the threshold scheme is used where any k of the parts are sufficient to reconstruct the original secret.
一个可能的weak 2 of 3 method may be possible using the same scheme that is used in three disk RAID5, any two can reconstitute the original.
第一个是答案:
p1 = (k1, k2), p2 = (k`1, k2), p3 = (k`2);
因为每个可能的对都可以生成 k:
- p1 & p2: k1 ⊕ k'1 = k
- p1 & p3: k2 ⊕ k'2 = k
- p2 & p3: k2 ⊕ k'2 = k
当然各方不能自己重构密钥。
其他的可能性显然是错误的。让我们采用第二个可能的答案,看看 p2 和 p3 是否可以形成有效密钥。他们不能,因为每个都有相同的 k'2 组件,所以这还不够。那么p2有一个k'1,但是p3没有一个k1.