WO2016130030A1 - Method of securing data using threshold cryptography - Google Patents


Info

Publication number
WO2016130030A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
key
shares
split
cryptographic
Application number
PCT/PL2015/000019
Other languages
French (fr)
Inventor
Łukasz BRANDT
Mateusz BRANDT
Andrzej TOKARCZYK
Original Assignee
Nord-Systems Sp. Z O.O.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/085: Secret sharing or secret splitting, e.g. threshold schemes

Definitions

  • x is the number of the key's shares.
  • The key's shares are distributed in step (107) by the distribution engine module (220) in such a manner that some set of the key's shares is saved in the key share container (219) and the rest of the key's shares are sent to the data storing devices.
  • Container (219) is stored in non-volatile memory (205).
  • The distribution engine module (220), which sends key shares to the data storing devices, uses the network interface (203).
  • Threshold Shamir's Secret Sharing is used to split the key into shares. Other algorithms may be used in other instances of the present invention.
  • Data are split using Reed-Solomon codes.
  • e' contains m elements of vector e.
  • GenM' is the matrix composed of the m corresponding rows of matrix GenM.
  • The x values are not sent together with s but are stored locally on the data processing devices, or attached to the data before it is split into fragments using Reed-Solomon coding. Different variants are available, e.g. only a subset of the x values is attached to the data while the rest are stored locally. Using different data splitting and key splitting algorithms allows the number of key shares to be changed flexibly without influencing the number of data fragments, which is why the security level can be chosen by appropriate key splitting. The memory needed to store the key's shares is smaller than the memory needed to store the data fragments.
  • The cryptographic hash function SHA-256 is used to generate data identifiers.
  • The present invention is not limited to this particular function.
  • As a result of the SHA-256 operation on the data after ciphering, a 32-byte value is obtained whose collision probability is negligible, which guarantees the uniqueness of the identifier.
  • The hash function may alternatively be applied to the data before ciphering.
  • Each data storing device has a database which contains information allowing the stored objects to be identified.

Abstract

It is an object of the present invention to provide a method of securing data using threshold cryptography in which data are encrypted using cryptographic algorithms and the cryptographic key is split into shares. The method is characterized in that a unique identifier is assigned to the encrypted data. Subsequently, at least one share of the cryptographic key is merged with the encrypted data. Next, the encrypted data merged with some of the key's shares are split into fragments, and the unique identifier previously assigned to the encrypted data is added to each fragment. The same unique identifier is added to each key share that was not merged with the encrypted data. The obtained data fragments are deployed on physically separated devices, each consisting of at least one processor and one non-volatile memory, and for each fragment information about the device on which it is deployed is saved. The key shares that were not merged with the encrypted data are placed on physically separated devices, each consisting of at least one processor and non-volatile memory, and for each key share information about the device on which it is stored is saved.

Description

Method of securing data using threshold cryptography
The subject of the invention is a method of securing data using threshold cryptography. The presented invention belongs to the discipline of data protection. Within the scope of the present invention, secret sharing and information dispersal algorithms are used. Both kinds of algorithms split input data into fragments from which the data can be reconstructed, provided that a certain number of fragments is available. In the case of a secret sharing algorithm, the minimal number of fragments necessary to reconstruct the split data is defined as the threshold.
There are many known solutions concerning information protection. Generally, data are secured using encryption provided by cryptographic algorithms. There are also solutions concerning secret sharing, which are used especially to protect cryptographic keys.
There are known applications of information dispersal algorithms in data storage. Those solutions focus on high availability of data only, achieved through error correction coding. However, they do not use key sharing and do not associate key shares with data in the way described in the presented invention. An exemplary secret sharing solution is presented in patent application US2014195809 A1. The method described in that application comprises distributing an item of encrypted information to a plurality of clients and distributing respective key-shares to the clients, such that each client will require a key-share that has been distributed to at least one other client in order to reconstruct a key for decrypting the encrypted information. This solution, however, focuses strictly on key distribution among clients and does not utilize information dispersal, which is essential for the invention presented hereafter. It is an object of the present invention to provide a method of securing data using threshold cryptography in which data are encrypted using cryptographic algorithms and the cryptographic key is split into shares. The method of securing data using threshold cryptography is characterized in that:
a) a unique identifier is assigned to the encrypted data,
b) at least one share of the cryptographic key is merged with the encrypted data,
c) the encrypted data merged with the key's shares in step b) are split into fragments,
d) the identifier assigned in step a) is added to each fragment from step c),
e) the identifier assigned in step a) is added to each key share that was not merged with the data in step b),
f) the fragments from step c) are deployed on physically separated devices, each consisting of at least one processor and one non-volatile memory,
g) for each data fragment from step c), information about the device on which it is deployed in step f) is saved,
h) the key shares from step e) are placed on physically separated devices, each consisting of at least one processor and non-volatile memory,
i) for each key share from step h), information about the device on which it is stored is saved.
According to an aspect of the present invention, different constituent elements of the data are ciphered with different cryptographic keys. In such a case, before encryption the elements of the data to be encrypted with different keys are specified. Subsequently, encryption is applied to these different parts, each part being encrypted with a different key. This can be used, for example, to divide semi-structured data, such as an XML file, into parts that can be decrypted without simultaneously disclosing the other parts. Each key is split into shares and associated with the data by the same unique identifier that is assigned to the encrypted data.
Another advantage of the invention is that at least two cryptographic algorithms are used. Such a solution serves either to encrypt the same data multiple times or to encrypt different constituent elements of the data using different algorithms. This approach can be combined with the use of different keys.
Yet another advantage of the present invention is that the cryptographic key is split using a threshold secret sharing algorithm. Such algorithms divide a secret into a set of shares. The number of shares required to obtain the original secret is the threshold of the secret sharing scheme.
In other instances of the present invention, the cryptographic key is split using the threshold Shamir secret sharing scheme. This scheme uses a random polynomial of a particular degree whose free (constant) term equals the secret. The secret is recovered by solving a system of linear equations or by Lagrange interpolation.
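The Shamir scheme described above, as an added example (not the patent's or the applicant's code): a (t, n) split of a 256-bit key in the prime field GF(2^521 - 1), recovery by Lagrange interpolation at x = 0, and the Fig. 4 variant in which the key is first cut into equal-length fragments that are shared separately. The field, the share layout and all function names are this example's own choices.

```python
import secrets

# Prime field for the sharing arithmetic. 2**521 - 1 is a Mersenne prime, so any
# 256-bit AES key is a valid field element and can be shared as a single integer.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, t, n):
    """Split an integer secret into n shares with threshold t.

    The secret is the free term of a random polynomial of degree t - 1 and share i
    is the point (i, f(i)). Any t points determine f, hence f(0); t - 1 do not.
    """
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < P:
        raise ValueError("secret does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Recover f(0) from any >= t distinct shares by Lagrange interpolation at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x values")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P       # factor (0 - xj) of the Lagrange basis
                den = den * (xi - xj) % P   # factor (xi - xj)
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key, t, n):
    """Fig. 3 variant: the whole key is treated as one secret."""
    return split_secret(int.from_bytes(key, "big"), t, n)


def recover_key(shares, key_len=32):
    return recover_secret(shares).to_bytes(key_len, "big")


def split_key_fragmented(key, i, t, n):
    """Fig. 4 variant: cut the key into i equal fragments f1..fi, share each fragment
    with the same (t, n) scheme, and build key share j as {ch_j(f1), ..., ch_j(fi)}."""
    if len(key) % i:
        raise ValueError("key length must be divisible by i")
    size = len(key) // i
    fragments = [key[k * size:(k + 1) * size] for k in range(i)]
    per_fragment = [split_secret(int.from_bytes(f, "big"), t, n) for f in fragments]
    return [tuple(per_fragment[k][j] for k in range(i)) for j in range(n)]


def recover_key_fragmented(key_shares, key_len=32):
    """Inverse of split_key_fragmented: recover every fragment, then concatenate."""
    i = len(key_shares[0])
    size = key_len // i
    parts = [recover_secret([ks[k] for ks in key_shares]) for k in range(i)]
    return b"".join(p.to_bytes(size, "big") for p in parts)


if __name__ == "__main__":
    key = secrets.token_bytes(32)               # constructed 256-bit AES key
    shares = split_key(key, 3, 5)               # (3, 5) scheme as in step (102)
    assert recover_key([shares[0], shares[2], shares[4]]) == key
    assert recover_secret(shares[:2]) != int.from_bytes(key, "big")  # below threshold
    kshares = split_key_fragmented(key, 2, 2, 4)  # Fig. 4: 2 fragments, (2, 4) each
    assert recover_key_fragmented(kshares[1:3]) == key
    print("whole-key and fragmented Shamir splitting verified")
```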
According to an aspect of the present invention, the encrypted data are split using information dispersal algorithms. Such algorithms divide data into fragments that can be stored in different locations and subsequently combined to compute the original data. An important feature of information dispersal algorithms is redundancy, which makes it possible to obtain the original data from a subset of the fragments. This redundancy can be used to introduce random patterns of access to data fragments stored in different locations, as well as to provide error correction capability. Another important feature of these algorithms is security of data at rest, i.e. one has to gain access to multiple locations in order to obtain the original data.
According to another aspect of the present invention, the encrypted data are split using Reed-Solomon codes. Reed-Solomon codes are non-binary linear cyclic codes with high computational efficiency. They are used to turn a given number of data blocks into a larger number of new blocks. In order to provide unconditional confidentiality, a Cauchy matrix shall be used as the code word generator. For a Reed-Solomon code of scheme (t, n), where t < n, t is the number of code words required to compute the input data blocks and n is the total number of generated code words, it is impossible to compute the original data blocks from fewer than t code words. Unconditional confidentiality means that no knowledge, even partial, about the coded data can be gained from fewer than t code words.
It is another object of the present invention that the encrypted data are split using the Mojette transform. This transform is a discrete Radon transform with origins in discrete geometry. The Mojette transform is a redundant transform that spreads information over a set of projections, and the original data can be obtained from a subset of the projections. It is based on additions and subtractions, which makes it very efficient computationally. Another advantage of the present invention is that the identifier assigned to the encrypted data is calculated using a cryptographic hash function. Cryptographic hash functions make it possible to calculate, for particular data, a unique hash that is derived directly from those data.
It is yet another object of the present invention that the hash is calculated over the encrypted data. Such an approach is suitable if, in addition to providing a unique identifier, the integrity of the encrypted data is to be verified.
According to yet another aspect of the present invention, the hash is calculated over the data before encryption. Such an approach is suitable if, in addition to providing a unique identifier, the integrity of the plain data is to be verified. The present invention combines the possibilities offered by secret sharing algorithms, information dispersal algorithms and data ciphering algorithms. Thanks to the combination of these mechanisms, multilevel protection of confidentiality, integrity and availability of data is obtained. An essential feature of the present invention is the possibility of building different means of information protection through appropriate selection of the particular algorithms.
The present invention introduces a flexible scheme of key splitting in which the key's shares are assigned to the data protected by that key. The solution presented in the invention allows easy and safe use of many keys, e.g. a particular key is used to cipher only one file. The implementation of the present invention assumes that the infrastructure is composed of data storing devices which are physically separated from each other and cannot communicate with each other. Both the keys' shares and the data fragments are stored on those devices.
Exemplary embodiment
An object of the present invention is presented in exemplary embodiments in the appended drawings, which show:
Fig. 1 - flow control of data securing with the use of threshold cryptography,
Fig. 2 - block diagram of the data processing device,
Fig. 3 - splitting of the whole key into shares,
Fig. 4 - splitting into shares of a key previously divided into blocks.
The presented embodiment of the present invention is used to store data on servers. The data are files which come from devices that upload them to the servers over a network connection. These devices are personal computers, mobile devices or servers. The present invention is not limited to a concrete type of device that processes data; further in this description of the exemplary embodiment, these devices are referred to as data processing devices. Neither is the present invention limited to particular devices storing the data coming from the data processing devices. In this exemplary implementation, the devices which store data are servers running an object storage application, which is a part of the implementation of this exemplary embodiment. In such object storage, data are stored as uniquely identified objects. Further in this description, they are referred to as data storage devices.

Fig. 1 depicts the flow of the data securing process using mechanisms of threshold cryptography. Fig. 2 depicts an exemplary realization of a data processing device which allows data to be secured using threshold cryptography. The device is composed of hardware elements (201) and software elements (206). For the sake of clarity of the figure, only some of the hardware elements are presented: processor (202), network interface (203), operating memory (204) and non-volatile memory (205).

In the first step (100), a cryptographic key is generated which is going to be used to cipher the data. For that purpose the key generator module (211) is used, which uses one of the key generating algorithms (212). The process of key generation is not a subject of the present invention. In different embodiments of the present invention, it is possible to use a single key for several files; in such cases the key can be generated, e.g., from the user's password. The key engine module (210) controls the process of key generation and of key splitting, the latter done by the key splitter module (213).
Module (213) selects the key splitting algorithm from the available algorithms (214) based on information from module (210). The key splitting algorithms are described later in this document. Data ciphering (101) is done using a cryptographic algorithm selected from the available algorithms (209); ciphering is performed using the previously generated key. The key is forwarded to the crypto engine module (208) by the key engine module (210). Module (208) is responsible for choosing the ciphering algorithm and for configuring the algorithm with the key and other important parameters, e.g. the initial value for symmetric block ciphers. Similarly, the key engine module (210) is responsible for selecting the algorithm which generates the key and the algorithm which splits it. Module (211) is responsible, in this example of realization, for configuring the key generating algorithm with the seed value for the pseudorandom generator, and for a key length adequate for the chosen ciphering algorithm. Information about the ciphering algorithm is forwarded to module (210) through module (208).

When ciphering is finished, the key is split into shares in step (102). After generation, the key is placed in memory (204); in non-volatile memory (205) only a subset of the key's shares is saved, as described later in this exemplary instance of the present invention. When the data manager module (207) receives information from (208) about the end of the ciphering process, it sends a request to the identifier generator (217) to generate a unique identifier for the ciphered data (103). In other embodiments of the present invention, the identifier can be generated before data encryption. Splitting the data into fragments is done in step (104) by the dispersal engine module (215), which uses an algorithm selected from the available information dispersal algorithms (216). Module (207) sends to module (215) the requested splitting algorithm and the requested splitting scheme, i.e. the number of fragments to create and the number of fragments necessary to recover the ciphered data.
The splitting algorithms are described later in this document. Next, in step (105), the identifier created in step (103) is assigned to every fragment of data. In the next step (106), every share of the key is assigned the identifier created in (103). In step (107), the data fragments and the key's shares are distributed to the data storing devices. A single data storing device may hold both data fragments and key shares, but only one object with a particular identifier can be placed on a single device. Consequently, a key share and a data fragment ciphered with that key are never placed on the same device. Database (218) stores the identifiers together with the addresses of the data storing devices on which the data fragments and the key's shares are stored. Additionally, the database stores information which helps to distinguish key shares from data fragments. In this exemplary instance of the present invention, data are not stored on the data processing devices. However, this is possible in other exemplary embodiments, and in such a case files can be stored in the form of classified or unclassified data. In such a scenario, it is possible to store the records of database (218) directly in the metadata of the files, i.e. database (218) is distributed among the files' metadata.
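The flow of steps (103) to (107) above, together with the Reed-Solomon dispersal with a Cauchy matrix described earlier, as an added example (not the patent's or the applicant's code): SHA-256 identifier over the ciphertext, one key share merged with the ciphertext, (t, n) dispersal, tagging, and placement so that no device holds two objects with the same identifier. The ciphertext and the key shares are constructed placeholders (AES ciphering and the Shamir split are outside this block), the field GF(257), the 4-byte length header and 2-byte share-length prefix are this example's own framing, and the storing devices are in-memory dicts.

```python
import hashlib

P = 257  # prime > 255: every data byte is a field element; code symbols are ints < 257


def cauchy_matrix(n, t):
    """n x t Cauchy matrix over GF(P), C[i][j] = 1 / (x_i + y_j) with x_i = i and
    y_j = n + j. Any t of its rows form an invertible matrix."""
    if 2 * n + t - 2 >= P:
        raise ValueError("n and t too large for GF(257)")
    return [[pow(i + n + j, -1, P) for j in range(t)] for i in range(n)]


def invert(m):
    """Invert a square matrix over GF(P) by Gauss-Jordan elimination."""
    k = len(m)
    a = [row[:] + [int(r == c) for c in range(k)] for r, row in enumerate(m)]
    for col in range(k):
        piv = next(r for r in range(col, k) if a[r][col])
        a[col], a[piv] = a[piv], a[col]
        inv = pow(a[col][col], -1, P)
        a[col] = [v * inv % P for v in a[col]]
        for r in range(k):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % P for x, y in zip(a[r], a[col])]
    return [row[k:] for row in a]


def ida_split(data, t, n):
    """Disperse data into n fragments of which any t suffice (scheme (t, n))."""
    buf = len(data).to_bytes(4, "big") + data
    buf += bytes(-len(buf) % t)                       # zero-pad to a multiple of t
    cols = [buf[c:c + t] for c in range(0, len(buf), t)]
    C = cauchy_matrix(n, t)
    return [[sum(C[i][j] * col[j] for j in range(t)) % P for col in cols]
            for i in range(n)]


def ida_join(fragments, t, n):
    """fragments: {fragment index: symbols}. Inverts the t selected Cauchy rows."""
    idx = sorted(fragments)[:t]
    if len(idx) < t:
        raise ValueError("below threshold: fewer than t fragments available")
    C = cauchy_matrix(n, t)
    Cinv = invert([C[i] for i in idx])
    out = bytearray()
    for c in range(len(fragments[idx[0]])):
        col = [fragments[i][c] for i in idx]
        out += bytes(sum(Cinv[j][k] * col[k] for k in range(t)) % P for j in range(t))
    return bytes(out[4:4 + int.from_bytes(out[:4], "big")])


def secure(ciphertext, key_shares, t, n, devices):
    """Steps a)-i) on already-encrypted data. devices: list of dicts, one per
    physically separated storing device, keyed by identifier (one object per id)."""
    ident = hashlib.sha256(ciphertext).hexdigest()                    # a) / (103)
    merged = len(key_shares[0]).to_bytes(2, "big") + key_shares[0] + ciphertext  # b)
    fragments = ida_split(merged, t, n)                                # c) / (104)
    objects = [("fragment", i, f) for i, f in enumerate(fragments)]   # d)
    objects += [("share", i, s) for i, s in enumerate(key_shares[1:], 1)]  # e)
    if len(objects) > len(devices):
        raise ValueError("one object per identifier per device: too few devices")
    db = []                                                           # database (218)
    for d, (kind, i, payload) in enumerate(objects):                  # f) - i)
        devices[d][ident] = (kind, i, payload)
        db.append({"id": ident, "kind": kind, "index": i, "device": d})
    return ident, db


def placement_ok(db):
    """Check the rule from the description: no device holds two objects of one id."""
    seen = {(r["device"], r["id"]) for r in db}
    return len(seen) == len(db)


def recover(ident, db, devices, t, n, lost=()):
    """Re-assemble ciphertext and key shares from the devices still reachable."""
    rows = [r for r in db if r["id"] == ident and r["device"] not in lost]
    frags = {r["index"]: devices[r["device"]][ident][2]
             for r in rows if r["kind"] == "fragment"}
    merged = ida_join(frags, t, n)
    ln = int.from_bytes(merged[:2], "big")
    shares = [merged[2:2 + ln]] + [devices[r["device"]][ident][2]
                                   for r in rows if r["kind"] == "share"]
    return merged[2 + ln:], shares


if __name__ == "__main__":
    ct = b"constructed ciphertext stand-in " * 8      # would be AES-GCM output
    key_shares = [bytes([s]) * 16 for s in range(5)]  # constructed opaque shares
    devs = [dict() for _ in range(12)]
    ident, db = secure(ct, key_shares, 3, 6, devs)
    assert placement_ok(db)
    assert recover(ident, db, devs, 3, 6, lost={0, 5})[0] == ct
    print("dispersed to", len(db), "devices; recovered with two devices lost")
```

The dispersal step is an availability mechanism: each fragment is a linear combination of the merged data, so the secrecy of what each device holds rests on the data already being encrypted and on the key being threshold-shared.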
In this exemplary embodiment of the present invention, several algorithms are used:
• key generating algorithms,
• data identifier generating algorithms,
• ciphering algorithms,
• data splitting algorithms,
• cryptographic key splitting algorithms.
The present invention is not limited to particular algorithms from the groups presented above. It is vital that the particular algorithms meet the requirements which result from the target of the invention. These requirements are listed below:
• ciphering keys shall be generated in a random manner and be characterized by high entropy,
• identifiers shall be generated in a manner that guarantees uniqueness,
• ciphering algorithms shall allow securing data confidentiality, or data confidentiality and integrity,
• ciphering algorithms shall offer computing performance which allows working with big amounts of data without introducing long latencies,
• data splitting algorithms shall allow splitting in schemes (t, n), where t < n, t stands for the number of fragments necessary to recover the data and n stands for the number of created fragments,
• data splitting algorithms shall offer computing performance which allows working with data of different types and sizes,
• cryptographic key splitting algorithms shall allow creating threshold schemes (t, n) of secret sharing of the cryptographic key, such that t < n, where t stands for the minimal number of key shares necessary to recover the secret and n stands for the number of created shares.
Taking into account the above requirements, in this exemplary embodiment of the present invention the symmetric block cipher Advanced Encryption Standard, AES, with a 256-bit key in cipher-block chaining mode, CBC, or Galois/counter mode, GCM, is used for ciphering. The present invention is not limited to that particular algorithm, these modes or this key length. In this exemplary instance of the present invention, the key is generated using the AES algorithm in counter mode, CTR, with a 256-bit key. The key is controlled by key engine module -210. In this exemplary instance, the key used by the algorithm which creates ciphering keys is changed every defined time period or every defined number of generated ciphering keys. The new key is generated using the Blum Blum Shub, BBS, algorithm. Ciphering keys are never stored in non-volatile memory. The generated key is used for ciphering and afterwards it is split into shares. Either the whole key or each of its fragments is split into shares, as depicted in fig. 3 and fig. 4. Fig. 3 depicts key -300 being split -301 into j shares -302, -303, -304. In the example depicted in fig. 4, key -400 is cut -401 into i fragments -402. Next, each fragment is split -403 into j shares -404, -405, -406. Key cutting -402 can, in the simplest case, be done by cutting the key into fragments of equal length; such an approach is used in this exemplary embodiment of the present invention. More complex methods of key cutting are possible, e.g. cutting into fragments of different lengths or permuting the fragments before splitting them into secret shares. In the case presented in fig. 4, the shares of the key are sets of shares of the key's fragments, e.g. {ch1(f1), ch1(f2), ..., ch1(fi)} or {ch2(f1), ch2(f2), ..., ch2(fi)} are shares of the key. To each share the identifier generated in step -103 is attached. As a result the following pairs are obtained:
• {data identifier, chx(key)} for key splitting according to fig. 3,
• {data identifier, {chx(f1), chx(f2), ..., chx(fi)}} for key splitting according to fig. 4,
where x is the number of the key's share. The shares of the key are distributed in step -107 by distribution engine module -220 in such a manner that some set of the key's shares is saved in the container for key's shares -219, and the rest of the key's shares are sent to data storing devices. Container -219 is stored in non-volatile memory -205. Distribution engine module -220, which sends the key's shares to the data storing devices, uses network interface -203. In this exemplary embodiment of the present invention, threshold Shamir's Secret Sharing is used to split the key into shares; other algorithms may be used in other instances of the present invention. In this exemplary embodiment, data are split using Reed-Solomon codes. In other embodiments it is possible to use other algorithms, provided that they have features analogous to Reed-Solomon codes, e.g. the Mojette transform. These codes split the data into m fragments and encode these fragments into n fragments, where n >= m. In order to recover the m fragments to their state before coding, t of the n coded fragments are needed, where t >= m. The fragments before coding can be represented as a vector d = (d_1, d_2, ..., d_m). The coding function encode(d) transforms vector d into vector e = (e_1, e_2, ..., e_n). The decoding function maps a subset e' of vector e of size not less than t into vector d, i.e. decode(e') = d. Reed-Solomon codes are linear codes, which means that the coding function encode() is linear. As a consequence, it can be represented as multiplication of a vector by a matrix, i.e. encode(d) = d·GenM, where GenM is a generator matrix of size m×n. The Reed-Solomon codes used in this exemplary instance of the present invention are based on a Cauchy generator matrix, which allows obtaining unconditional confidentiality. This matrix is stored in the data processing device.
Analogously, the decoding function can be expressed as decode(e') = e'·GenM^{-1}, where e' contains m elements of vector e and GenM^{-1} is the inverse of the m×m submatrix of GenM corresponding to those m elements. The use of Reed-Solomon codes, or analogous codes, assures data confidentiality, integrity and availability. In this way data confidentiality is secured on two levels: first the data are ciphered, then they are split into fragments which are stored on physically separated data storing devices. To reconstruct the data it is necessary to have the generator matrix of the Reed-Solomon code and a sufficient number of encoded fragments. Depending on the mode of the ciphering algorithm, data integrity can be secured on one or two levels; integrity is always assured thanks to the error correction mechanism provided by Reed-Solomon coding. Analogously, data availability is assured because the data are stored as fragments on physically separated data storing devices. In order to recover data from the encoded fragments it is necessary to have the generator matrix GenM, from which the GenM^{-1} matrix is obtained. It is practically desirable that many data processing devices use one GenM matrix; one reason is sharing data between these devices. On the other hand, it is essential to keep control over data confidentiality. For that purpose Shamir's Secret Sharing scheme is used. Shamir's (t, n) scheme for secret k has the following form:
• n different non-zero elements of Z_p are selected, where p > n is a prime number,
• the elements from the previous step are denoted x_i, 1 ≤ i ≤ n, and distributed among the participants P_i; t-1 numbers a_1, a_2,
Figure imgf000013_0001
• shares in the form (x_i, s_i) are sent to the participants.
In order to reconstruct the secret, a system of t linear equations must be solved:
Figure imgf000013_0002
Secret can be also reconstructed using Lagrange interpolating polynomial:
Figure imgf000013_0003
computing k, which is equal to h(0). In the present invention the x_i values are not sent together with s_i but are stored locally in the data processing devices, or attached to the data before they are split into fragments using Reed-Solomon coding. Different variants are available, e.g. only a subset of the x_i values is attached to the data while the rest are stored locally. The use of different data splitting and key splitting algorithms allows flexible changes of the number of key's shares without influencing the number of data fragments, which is why the security level can be chosen by appropriate key splitting. The memory necessary to store the key's shares is smaller than the memory needed to store the data fragments. For that reason it is possible to expand the number of data storing devices in the infrastructure without expanding the size of non-volatile memory, but distribution engine module -220 must be configured so that keys' shares are sent only to dedicated data storing devices. The information dispersal algorithm, IDA, used in the present invention, which is based on Reed-Solomon codes, together with Shamir's scheme or an analogous key splitting scheme, allows flexible selection of the threshold numbers of key's shares and data fragments. In this exemplary embodiment of the present invention it is possible to add whole key's shares, i.e. pairs (x_i, s_i), to the ciphered data before splitting it into fragments. In some cases, when it is necessary to simplify the data processing device, it is possible to add all key's shares to the data before splitting it into fragments. In such a case data confidentiality is still protected, because a defined number of data fragments is needed to reconstruct and decipher the data. It must be highlighted that obtaining the necessary number of fragments is not an easy task in an infrastructure composed of physically separated data storing devices.
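As an added example, not the patent's own code, the fig. 4 key splitting and the Shamir reconstruction described above in Python: a 256-bit key is cut into equal 64-bit fragments, each fragment is split with Shamir's (t, n) scheme over Z_p, the x_i values stay on the data processing device and only the share sets {ch_x(f1), ..., ch_x(fi)} leave it; the prime p = 2^127 - 1, the fragment size, the (t, n) = (3, 5) schema and the sample key are constructed assumptions.

```python
import secrets

P = 2**127 - 1  # Mersenne prime, larger than any 64-bit key fragment
FRAG_BYTES = 8  # a 256-bit key is cut into i = 4 fragments of 64 bits

def cut_key(key: bytes):
    """Key cutting -402 in its simplest form: fragments of equal length."""
    assert len(key) % FRAG_BYTES == 0
    return [int.from_bytes(key[k:k + FRAG_BYTES], "big")
            for k in range(0, len(key), FRAG_BYTES)]

def shamir_split(secret: int, t: int, n: int, xs: list, p=P):
    """Shamir (t, n): h(x) = secret + a_1 x + ... + a_{t-1} x^(t-1) over Z_p,
    share s_i = h(x_i) for the n distinct non-zero x_i supplied by the caller."""
    assert 0 <= secret < p and 1 <= t < n and len(set(xs)) == n and 0 not in xs
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p for x in xs]

def shamir_reconstruct(points: list, p=P):
    """Lagrange interpolation at 0 from any t pairs (x_i, s_i): k = h(0)."""
    k = 0
    for xi, si in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        k = (k + si * num * pow(den, -1, p)) % p
    return k

def split_key(key: bytes, t: int, n: int):
    """Returns (xs, shares). xs stays on the data processing device; the set
    shares[x] = {ch_x(f1), ..., ch_x(fi)} is what leaves as share number x."""
    xs = [x + 1 for x in range(n)]  # x_i = 1..n: distinct and non-zero mod p
    per_fragment = [shamir_split(f, t, n, xs) for f in cut_key(key)]
    shares = [[frag[x] for frag in per_fragment] for x in range(n)]
    return xs, shares

def recover_key(xs: list, available: dict, t: int):
    """available maps share number x to its set {ch_x(f1), ..., ch_x(fi)};
    any t entries recover every fragment, which are then concatenated."""
    chosen = sorted(available)[:t]
    assert len(chosen) == t, "fewer than t key shares available"
    out = b""
    for f in range(len(available[chosen[0]])):
        pts = [(xs[x], available[x][f]) for x in chosen]
        out += shamir_reconstruct(pts).to_bytes(FRAG_BYTES, "big")
    return out

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed AES-256 key, never persisted
    xs, shares = split_key(key, t=3, n=5)
    have = {0: shares[0], 3: shares[3], 4: shares[4]}  # any 3 of the 5 sets
    assert recover_key(xs, have, t=3) == key
    print("key recovered from 3 of 5 share sets")
```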
In this exemplary instance of the present invention, the cryptographic hash function SHA-256 is used to generate data identifiers. The present invention is not limited to this particular function. Applying SHA-256 to the data after ciphering yields a 32-byte value for which the collision probability is negligible, which guarantees the uniqueness of the identifier. In other embodiments of the present invention it is possible to apply the hash function before data ciphering. Each data storing device has a database which contains information allowing the stored objects to be identified.
In this exemplary instance of the present invention, different constituent elements of the data can be ciphered with different cryptographic keys. In such a case, before encryption the elements of the data to be encrypted with different keys are specified. Subsequently, encryption is applied to these parts, each part being encrypted with a different key. This can be used, for example, to divide semi-structured data, such as an XML file, into parts that can be decrypted without simultaneously disclosing the other parts. Each key is split into shares and associated with the data by the same unique identifier that is assigned to the encrypted data. Furthermore, this embodiment of the invention allows more than one cryptographic algorithm to be used to encrypt the same data or to encrypt different constituent elements of the data. The latter can be combined with the use of different keys mentioned above.

Claims
1. Method of securing data using threshold cryptography in which data are encrypted in a hardware processor using cryptographic algorithms and the cryptographic key is split onto shares, wherein:
a) unique identifier is assigned to encrypted data,
b) at least one share of cryptographic key is merged with encrypted data,
c) encrypted data merged with key's shares in step b) are split onto fragments,
d) identifier assigned in step a) is added to each fragment from step c),
e) identifier assigned in step a) is added to each key's share that was not merged with data in step b),
f) fragments from step c) are deployed on physically separated devices consisting of at least one processor and one non-volatile memory,
g) for each fragment of data from step c) information about device on which it is deployed in step f) is saved,
h) key's shares from step e) are placed on physically separated devices consisting of at least one processor and non-volatile memory,
i) for each share of key from step h) information about device on which it is stored is saved.
2. Method of securing data of claim 1, wherein different constituent elements of data are ciphered with different cryptographic keys.
3. Method of securing data of claim 1, wherein at least two cryptographic algorithms are used.
4. Method of securing data of claim 1, wherein cryptographic key is split using threshold secret sharing algorithm.
5. Method of securing data of claim 4, wherein cryptographic key is split using threshold Shamir's secret sharing algorithm.
6. Method of securing data of claim 1, wherein encrypted data are split using information dispersal algorithm.
7. Method of securing data of claim 6, wherein encrypted data are split using Reed-Solomon codes.
8. Method of securing data of claim 1, wherein ciphered data are split using Mojette transform.
9. Method of securing data of claim 1, wherein identifier assigned to encrypted data in step a) is calculated using cryptographic hash function.
10. Method of securing data of claim 9, wherein hash is calculated for encrypted data.
11. Method of securing data of claim 9, wherein hash is calculated for data before encryption.
PCT/PL2015/000019 2015-02-10 2015-02-10 Method of securing data using threshold cryptography WO2016130030A1 (en)

Publications (1)

Publication Number Publication Date
WO2016130030A1 true WO2016130030A1 (en) 2016-08-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15708911

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15708911

Country of ref document: EP

Kind code of ref document: A1