
Information Processing Letters 112 (2012) 683–687
www.elsevier.com/locate/ipl

Recursive hiding of biometrics-based secret sharing scheme using adversary structure

Hong Lai a,b,c, Jinghua Xiao a, Lixiang Li b,c,*, Yixian Yang b,c

a School of Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
b Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China
c National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications, Beijing 100876, China

Article info

Article history: Received 2 February 2012; Received in revised form 12 June 2012; Accepted 13 June 2012; Available online 15 June 2012. Communicated by Jinhui Xu.

Keywords: Cryptography; Adversary structure; Recursive; Biometrics verification; Stolen share attack; Spoofing attack

Abstract

This paper first investigates the application of recursive hiding of secrets, originally proposed for visual cryptography, to space-efficient secret sharing, and then proposes a novel recursive hiding of biometrics-based secret sharing scheme using adversary structure. The proposed scheme may find applications in sharing secrets of excess bits, especially in scenarios where resources are strictly limited and the requirement for verification is demanding. Existing methods of combiner verification rely only on exponentiation or only on a one-way hash function; they cannot thwart the stolen share attack or the spoofing attack, nor discriminate an impostor who fraudulently obtains the access privileges from the genuine participant. In this paper these problems are tackled by the unique properties of biometrics. Most importantly, unlike most comparable schemes, no additional random numbers are used to protect the secret pieces; hence our scheme is simpler and more efficient, and its computation cost is relatively low.

* Corresponding author at: Beijing University of Posts and Telecommunications, 10 West Tucheng Road, P.O. Box 145, Beijing 100876, PR China. Tel.: +86 10 62282264; fax: +86 10 62283366. E-mail address: [email protected] (L. Li).
http://dx.doi.org/10.1016/j.ipl.2012.06.006

1. Introduction

In 1979, Shamir [1] and Blakley [2] first presented the threshold scheme. In their schemes a secret is divided into n pieces, each of which is called a share and is held by a participant. Any t or more participants can recover the secret, but fewer than t cannot. Threshold schemes have many applications in various types of cryptographic protocols, including secure multiparty computation, key escrow and recovery, and electronic cash. Sometimes, however, we require that only certain predefined subsets of participants can recover the secret. Hence Ito et al. [3] proposed the secret sharing scheme for general access structures, and Benaloh and Leichter [4] gave a simpler and more efficient scheme for general access structures. Since an access structure is defined over the authorized groups of participants, the collection of participant sets that the adversary may corrupt at the same time (called the adversary structure) can be obtained directly from it. In view of this, secret sharing schemes [5–13] secure against adversary structures defined by general collections of subsets have received considerable attention. For example, Hirt and Maurer [7] gave a scheme on player simulation and general adversary structures in perfect multi-party computation. An overview of different secret sharing adversary models can be found in [11]. Traditional methods of combiner verification usually depend only on exponentiation (say, to the base g, where g is a primitive element of the underlying group; see e.g. [5]) or only on applying a one-way hash function (say H; see e.g. [14]) to the secret share. Therefore, traditional verification systems cannot resist the stolen share attack or discriminate an impostor who fraudulently obtains the access privileges from the genuine participants. For instance, if a participant's secret shares are shared with a friend, there is no way for the combiner to tell who


the actual participant is. In such a secret sharing environment, the traditional verification methods based on Euler's theorem and hash functions have become inadequate. In contrast, the distinguishing features of biometrics, such as fingerprints, irises and faces, provide the opportunity for a much more reliable and automated method of identity verification using measurable physiological or behavioral characteristics. Moreover, biometric characteristics enjoy the following advantages [15,16]:

1. Biometric characteristics are often unique and cannot be duplicated, lost or shared.
2. Biometric characteristics cannot be guessed easily.
3. Someone's biometric characteristics are harder to compromise than other credentials.

Sun and Shieh [17] proposed recursive constructions for perfect secret sharing schemes; Gnanaguruparan and Kak [18] presented recursive hiding of secrets in visual cryptography in 2002; in 2008 Parakh and Kak [19] proposed a recursive threshold visual cryptography scheme; and in 2011 Parakh and Kak [20] investigated the idea further and gave a space efficient secret sharing scheme for implicit data security. However, applying the recursive idea to biometrics-based secret sharing, in order to share a secret of excess bits under limited resources, has never been considered. Therefore, in this paper we present a novel recursive hiding of biometrics-based secret sharing scheme using adversary structure. Our scheme has the following features:

1. The proposed scheme is intended for sharing a secret of excess bits among participants by the recursive idea.
2. No additional random numbers are used to hide the secret pieces; instead, the scheme applies the hash function and the XOR operation to the secret pieces directly.
3. Owing to the use of biometrics verification, the scheme can resist the stolen share attack and the spoofing attack, and provides non-repudiation.
4. The scheme is secure, simple and efficient.

The rest of this paper is organized as follows. In Section 2 we review some basic facts and concepts. The recursive hiding of biometrics-based secret sharing scheme using adversary structure is proposed in Section 3, and its validity is proved in Section 3.4. We present the security consideration and the analysis of performance in Section 4. Finally, we conclude in Section 5.

2. Preliminaries

In this section we review some basic definitions concerning secret sharing schemes.

2.1. Access structure and adversary structure

Let P = {P_1, P_2, ..., P_n} be the set of participants. An access structure, denoted by Γ, is a collection of subsets of P satisfying the monotone ascending property: for any A′ ∈ Γ and A ∈ 2^P, A′ ⊆ A implies A ∈ Γ. An adversary structure, denoted by 𝒜, is a collection of subsets of P satisfying the monotone descending property: for any A′ ∈ 𝒜 and A ∈ 2^P, A ⊆ A′ implies A ∈ 𝒜. Because of the monotone properties, for any access structure Γ and any adversary structure 𝒜 it is enough to consider the minimum access structure

    Γ_min = {A ∈ Γ | ∀ B ⊂ A: B ∉ Γ},

and the maximum adversary structure

    𝒜_max = {B ∈ 𝒜 | ∀ A ⊃ B: A ∉ 𝒜}.

In this paper we consider the complete situation, that is, 𝒜 ∪ Γ = 2^P (so 𝒜 = 2^P \ Γ: a set is unqualified exactly when it contains no member of Γ_min).

2.2. Three important definitions

Definition 1 (Reconstruction property). (See [6].) If a secret sharing scheme guarantees that any qualified subset of the participants can reconstruct the shared secret, then the scheme has the reconstruction property.

Definition 2 (Confidentiality property). (See [6].) If a secret sharing scheme guarantees that any unqualified subset of the participants cannot reconstruct the shared secret, then the scheme has the confidentiality property.

Definition 3 (Perfect property). (See [21].) A perfect secret sharing scheme realizing access structure Γ is a method of sharing a key k among a set of w participants (denoted by P) such that the following two properties are satisfied:
1. If an authorized subset of participants B ⊆ P pools its shares, then it can determine the value of k;
2. If an unauthorized subset of participants B ⊆ P pools its shares, then it can determine nothing about the value of k.

3. Recursive hiding of secret sharing scheme using biometrics verification based on adversary structure

In this section we describe the recursive hiding of secret sharing scheme using biometrics verification based on adversary structure. The scheme is composed of four phases: (1) the setup phase, in which the notation is given; (2) the dealer's phase, in which the secret shares are computed and allocated; (3) the combiner's phase, in which the participants and their submitted secret shares are verified and the secret is recovered; (4) the proof of validity, in which the validity of the proposed scheme is proved.

3.1. Notation

In this paper we use the following notation.

D: a trusted dealer who wants to share the secret among the participants;
P = {P_1, P_2, ..., P_n}: the set of all participants;

s: the shared secret;
B_i: P_i's personal biometrics;
Γ_min = {Γ_1, Γ_2, ..., Γ_t}: the minimal access structure corresponding to s;
𝒜_max = {A_1, A_2, ..., A_r}: the maximal adversary structure corresponding to s;
s_1, s_2, ..., s_r: the pieces of the secret s;
r = |𝒜_max|.

3.2. The dealer's phase

The dealer D performs the following steps:

(1) D selects H, a suitable strongly collision-free hash function that takes as input a binary string of arbitrary length and produces as output a binary string of a fixed length q, where q is the length of each secret piece s_i (so that the XORs below combine strings of equal length), and computes H(s).
(2) D computes and publishes f_i = H(B_i), for i = 1, 2, ..., n, together with H(s).
(3) D computes

    x_1 = s_1 ⊕ H(s_2),
    x_2 = s_2 ⊕ H(s_3),
    ...
    x_{r−1} = s_{r−1} ⊕ H(s_r),
    x_r = H(x_1) ⊕ H(x_2) ⊕ ··· ⊕ H(x_{r−1}) ⊕ s_r.

Then D generates n identical arrays H_i = {x_1, x_2, ..., x_r}, for i = 1, 2, ..., n.
(4) D allocates the secret shares in such a way that each participant in A_1 has no secret share x_1, each participant in A_2 has no secret share x_2, ..., and each participant in A_r has no secret share x_r. D then secretly distributes the remaining secret shares in H_i to participant P_i, for i = 1, 2, ..., n.
(5) D computes and publishes the values V_j = H^2(x_j) = H(H(x_j)), for j = 1, 2, ..., r.

Note that even when the number of participants is large, the minimal qualified structure and the maximal unqualified structure are still easy to obtain using linear codes (see [22]). We take an example to explain the distribution process of steps (3) and (4) in detail.

Example 1. Let

    P = {P_1, P_2, P_3, P_4, P_5},
    Γ_min = {{P_1, P_2, P_3}, {P_2, P_3, P_4}, {P_1, P_5}, {P_2, P_5}, {P_3, P_5}, {P_4, P_5}},
    𝒜_max = {{P_1, P_3, P_4}, {P_2, P_3}, {P_5}, {P_1, P_2, P_4}}.

D computes

    x_1 = s_1 ⊕ H(s_2),
    x_2 = s_2 ⊕ H(s_3),
    x_3 = s_3 ⊕ H(s_4),
    x_4 = H(x_1) ⊕ H(x_2) ⊕ H(x_3) ⊕ s_4,

and then generates 5 identical arrays H_i = {x_1, x_2, x_3, x_4}, for i = 1, 2, ..., 5. By the distribution process, each participant in {P_1, P_3, P_4} has no secret share x_1, each participant in {P_2, P_3} has no secret share x_2, the participant in {P_5} has no secret share x_3, and each participant in {P_1, P_2, P_4} has no secret share x_4. This gives Tables 1–3.

Table 1. Secret shares pooled by each maximum adversary set.

Maximum adversary set    Secret shares set
{P1, P3, P4}             {x2, x3, x4}
{P2, P3}                 {x1, x3, x4}
{P5}                     {x1, x2, x4}
{P1, P2, P4}             {x1, x2, x3}

Table 2. Secret shares held by each participant (√ = holds the share).

Participant    x1    x2    x3    x4
P1                   √     √
P2             √           √
P3                         √     √
P4                   √     √
P5             √     √           √

Table 3. Secret shares pooled by each minimum access set.

Minimum access set    Secret shares set
{P1, P2, P3}          {x1, x2, x3, x4}
{P2, P3, P4}          {x1, x2, x3, x4}
{P1, P5}              {x1, x2, x3, x4}
{P2, P5}              {x1, x2, x3, x4}
{P3, P5}              {x1, x2, x3, x4}
{P4, P5}              {x1, x2, x3, x4}

3.3. The combiner's phase

Suppose a group of participants Γ_l ∈ Γ_min, for some l ∈ {1, 2, ..., t}, submit their secret shares to the combiner to obtain s.

(1) The participants input their personal biometrics B_i on the specific device, which verifies them against the published values f_i = H(B_i).
(2) If they pass the biometric verification, the combiner tests each submitted share x_j against the public value V_j, for j = 1, 2, ..., r.
(3) The combiner deletes redundant copies of the same x_j, keeping one copy of each distinct x_j, for j = 1, 2, ..., r. If every share is correct, i.e. H(H(x_j)) = V_j for all j, the combiner computes

    s_r = H(x_1) ⊕ H(x_2) ⊕ ··· ⊕ H(x_{r−1}) ⊕ x_r,
    s_{r−1} = x_{r−1} ⊕ H(s_r),
    ...
    s_2 = x_2 ⊕ H(s_3),
    s_1 = x_1 ⊕ H(s_2),

and so obtains s = s_1 ‖ s_2 ‖ ··· ‖ s_{r−1} ‖ s_r (‖ denotes concatenation).
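The dealer's and combiner's phases above, run on Example 1, as an added example (this is the editor's code, not the authors'). It assumes SHA-256 for H, 32-byte secret pieces so that the XORs are well defined, and exact-match byte strings as stand-ins for the biometrics B_i; it also derives 𝒜_max from Γ_min under the complete-situation assumption of Section 2.1, a step the paper states but does not spell out.

```python
"""Added example (not the paper's code): dealer's and combiner's phases of
Sections 3.2-3.3 on the paper's Example 1, plus derivation of A_max from
Gamma_min in the complete situation A ∪ Γ = 2^P.
Assumptions: H is SHA-256; every piece s_i is one digest long (32 bytes);
the "biometric" B_i is a fixed byte string compared by exact hash match,
a stand-in for the matching device the paper delegates to."""
import hashlib
from itertools import combinations


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def maximal_adversary_structure(participants, gamma_min):
    """A = 2^P \\ Γ: a set is unqualified iff it contains no minimal
    qualified set. Return the maximal unqualified sets (A_max)."""
    qualified = [frozenset(g) for g in gamma_min]
    unqualified = [
        frozenset(sub)
        for k in range(len(participants) + 1)
        for sub in combinations(participants, k)
        if not any(g <= frozenset(sub) for g in qualified)
    ]
    return {a for a in unqualified if not any(a < b for b in unqualified)}


def dealer_phase(pieces, a_max, participants, biometrics):
    """Step (3): recursive hiding; step (4): P_i in A_j never receives x_j;
    steps (2) and (5): publish f_i = H(B_i) and V_j = H(H(x_j))."""
    r = len(pieces)
    assert r == len(a_max), "one secret piece per maximal adversary set"
    x = [xor(pieces[j], H(pieces[j + 1])) for j in range(r - 1)]
    x_r = pieces[r - 1]
    for j in range(r - 1):
        x_r = xor(x_r, H(x[j]))
    x.append(x_r)
    shares = {p: {j: x[j] for j in range(r) if p not in a_max[j]}
              for p in participants}
    f = {p: H(biometrics[p]) for p in participants}
    V = [H(H(xj)) for xj in x]
    return shares, f, V


def combiner_phase(submitted, samples, f, V):
    """Steps (1)-(3): biometric check, share check against V_j, removal of
    duplicate x_j, then unwinding the recursion. None if some x_j is missing."""
    r = len(V)
    pooled = {}
    for p, sh in submitted.items():
        if H(samples[p]) != f[p]:
            raise PermissionError(f"{p} failed biometric verification")
        for j, xj in sh.items():
            if H(H(xj)) != V[j]:
                raise ValueError(f"{p} submitted a bad share x{j + 1}")
            pooled.setdefault(j, xj)          # keep one copy of each x_j
    if len(pooled) < r:
        return None                           # unqualified subset
    x = [pooled[j] for j in range(r)]
    s = [None] * r
    s_r = x[r - 1]
    for j in range(r - 1):
        s_r = xor(s_r, H(x[j]))               # s_r = H(x_1)⊕...⊕H(x_{r-1})⊕x_r
    s[r - 1] = s_r
    for j in range(r - 2, -1, -1):
        s[j] = xor(x[j], H(s[j + 1]))         # s_j = x_j ⊕ H(s_{j+1})
    return b"".join(s)


# --- Example 1 of the paper; secret pieces and biometric bytes are constructed ---
P = ["P1", "P2", "P3", "P4", "P5"]
GAMMA_MIN = [{"P1", "P2", "P3"}, {"P2", "P3", "P4"}, {"P1", "P5"},
             {"P2", "P5"}, {"P3", "P5"}, {"P4", "P5"}]
A_MAX = [frozenset({"P1", "P3", "P4"}), frozenset({"P2", "P3"}),
         frozenset({"P5"}), frozenset({"P1", "P2", "P4"})]
PIECES = [bytes([i]) * 32 for i in range(1, 5)]             # s_1..s_4 (constructed)
BIOMETRICS = {p: f"template-of-{p}".encode() for p in P}    # B_i stand-ins (constructed)


def run_example(group, impostor=None):
    """Pool the shares of `group`; if `impostor` is named, that participant
    presents a wrong biometric sample at the combiner."""
    shares, f, V = dealer_phase(PIECES, A_MAX, P, BIOMETRICS)
    samples = dict(BIOMETRICS)
    if impostor:
        samples[impostor] = b"wrong-finger"
    return combiner_phase({p: shares[p] for p in group}, samples, f, V)


if __name__ == "__main__":
    assert maximal_adversary_structure(P, GAMMA_MIN) == set(A_MAX)
    print(run_example(["P1", "P5"]) == b"".join(PIECES))    # True
    print(run_example(["P1", "P3", "P4"]))                   # None
```

Running the module prints True for the minimum access set {P1, P5} and None for the maximum adversary set {P1, P3, P4}, which lacks x_1. Two things the code makes visible: the public V_j = H(H(x_j)) let the combiner reject a tampered share before any reconstruction, but they equally let anyone test a guessed x_j offline, which is why the confidentiality guarantee is computational; and the f_i = H(B_i) check only succeeds if the device presents exactly the same template bytes at every verification, which a raw biometric sample does not, so the matching step belongs to the device, as the paper leaves it.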


The participants in Γ_l can check whether the combiner has returned the correct secret by hashing the returned value and comparing it with the public value H(s). From Tables 1 and 3 it is clear that no maximum adversary set can reconstruct s (each lacks one x_j), while every minimum access set can.

3.4. Proof of validity

In this section we prove the validity of the proposed scheme.

The reconstruction property of the scheme. Let X ⊆ P with X ⊄ A_j for every A_j ∈ 𝒜_max, j = 1, 2, ..., r. Then the participants in X can reconstruct s.

Proof. Assume the participants in X cannot reconstruct the shared secret s. Then, collectively, they lack at least one secret share x_j. By the distribution process, only the participants in A_j lack x_j, so X ⊆ A_j, which contradicts X ⊄ A_j. Hence the participants in X can reconstruct s. □

The confidentiality property of the scheme. Let X ⊆ P with X ⊆ A_j for some A_j ∈ 𝒜_max. Then the participants in X cannot reconstruct the shared secret s.

Proof. Because X ⊆ A_j, by the distribution process no participant in X holds x_j. Without x_j the recursion of Section 3.3 cannot be unwound: s_r requires H(x_j) if j < r and x_r itself if j = r, and every s_i with i < r requires H(s_{i+1}). Hence the participants in X cannot reconstruct s. □

Hence the scheme has the reconstruction and confidentiality properties of Definitions 1 and 2. The confidentiality argument shows only that an unqualified set is missing a share; that the shares it does hold, together with the public values V_j, reveal nothing about s rests on the one-wayness of H (Propositions 4–6 below), so the guarantee is computational rather than the information-theoretic one of Definition 3.

4. Security consideration and analysis of performance

A formal security proof is crucial for the convincingness of any cryptographic scheme, and a formal security proof for verifiable secret sharing schemes is still a challenging open problem. Therefore, in the following we provide an in-depth analysis of the proposed scheme in terms of its security and functionality properties.

4.1. Security of the scheme

Proposition 1. The proposed scheme can resist the spoofing attack.

Proof. During the combiner's phase, if an impostor fraudulently obtains the secret shares of a genuine participant, it is difficult for him to gain the access privileges, because he cannot pass the biometric verification: on comparing the impostor's biometric template with the biometric template stored on the smart card, the illegal request is rejected, and the combiner refuses to recover the secret for him. □

Proposition 2. The proposed scheme can resist the stolen share attack.

Proof. If a legal participant's shares are stolen, it is difficult for any adversary to impersonate him in order to recover the secret, because the adversary cannot pass the biometric verification. □

Proposition 3. The proposed scheme provides mutual verification.

Proof. The combiner can test whether a participant is honest by computing H^2(x_j) for each submitted share: if V_j = H^2(x_j) the share is genuine, otherwise the participant is a liar. At the same time, the participants can check whether the combiner is honest by hashing the returned secret: if it equals the public value H(s) the combiner is honest, otherwise it is a liar. □

Proposition 4. The secret shares in the proposed scheme are safe.

Proof. To obtain a participant's secret share x_j from the public value V_j = H(H(x_j)), an adversary would have to invert the hash function H, which is assumed to be computationally hard. □

Proposition 5. The secret in the proposed scheme is safe.

Proof. Deriving s from the public value H(s) is computationally infeasible, because the scheme is computationally secure under the security of the chosen strongly collision-free hash function H. □

Proposition 6. The secret pieces in the proposed scheme are safe.

Proof. Each secret piece is masked by a hash and the XOR operation: s_i = x_i ⊕ H(s_{i+1}) for i < r, so extracting s_i from x_i requires H(s_{i+1}), i.e. the next piece, and the chain ends at s_r, which is masked in x_r by H(x_1) ⊕ ··· ⊕ H(x_{r−1}) and so requires every other share. An adversary lacking any one x_j therefore cannot obtain any s_i without inverting H. □

4.2. Analysis of performance

We list the functionality of the proposed scheme, compare it with the related scheme of Parakh and Kak [20] (the PK scheme), and tabulate the results in Table 4. Owing to the use of biometrics verification, our scheme can resist the spoofing attack and the stolen share attack. Because biometric characteristics are usually universal, unique and cannot be duplicated, our scheme provides non-repudiation and makes it impossible for an adversary to impersonate a legal participant in order to recover the secret. Moreover, when a legal participant loses his shares, it is difficult for any adversary to impersonate him, because the adversary cannot pass the biometrics verification.

The PK scheme needs to insert random numbers into the secret shares, and computing the shares is fairly complicated. In contrast, our scheme needs only a few hash computations and XOR operations, so its computation cost is very low and the whole process is rather simple. The reconstruction and confidentiality properties were proved in Section 3.4. These features make our scheme effective.

Table 4. Comparison of functions.

Performance                                  [20]                     Our scheme
Based on (k, n)                              Yes                      No
Based on adversary structure                 No                       Yes
Use of biometrics verification               No                       Yes
Non-repudiation                              No                       Yes
Computational complexity                     Polynomial               XOR and hash function
It needs to insert random numbers            Yes                      No
Perfect                                      Yes                      Yes
Mutual verification                          No                       Yes
Resists spoofing attack                      No                       Yes
The number of computed secret shares         (k² − k − 2)/2 + n       r
Resists stolen share attack                  No                       Yes

5. Remarks

We have presented a novel way to efficiently share secrets of excess bits by the recursive idea; the security of the proposed scheme rests on biometrics verification, the adversary structure and a strongly collision-free hash function. Unlike most existing schemes, we apply the hash function and the XOR operation to the secret pieces directly, rather than bringing in additional random numbers to mask the secret pieces. Furthermore, owing to the characteristics of personal biometrics, our scheme resists the stolen share attack and the spoofing attack and provides non-repudiation. Hence it is suitable for various verification settings, since it provides security, reliability and efficiency.

Acknowledgements

The authors are grateful to the anonymous referees for their valuable comments and suggestions to improve the presentation of this paper. They would also like to thank Xiao Ma for helping them to improve this paper. This work is supported by the National Basic Research Program of China (973 Program) (Grant No. 2010CB923200), the Foundation for the Author of National Excellent Doctoral Dissertation of PR China (Grant No. 200951), the National Natural Science Foundation of China (Grant Nos. 61121061 and 61003285) and the Specialized Research Fund for the Doctoral Program of Higher Education (Grant No. 20100005110002).

References

[1] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612–613.
[2] G.R. Blakley, Safeguarding cryptographic keys, in: Proceedings of National Computer Conference, vol. 48, AFIPS Press, Montvale, NJ, 1979, pp. 313–317.
[3] M. Ito, A. Saito, T. Nishizeki, Secret sharing schemes realizing general access structure, in: Proceedings of IEEE Global Telecommunication Conference, IEEE Press, New Jersey, 1987, pp. 993–996.
[4] J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in: Proceedings of IEEE Global Telecommunication Conference, IEEE Press, New Jersey, 1987, pp. 99–102, PhD thesis, Univ. of London, 1991.
[5] Y.B. Guo, J.F. Ma, Practical secret sharing scheme realizing generalized adversary structure, J. Comput. Sci. Tech. 19 (4) (July 2004) 564–569.
[6] H.W. Qin, Y.W. Dai, Z.Q. Wang, A secret sharing scheme based on (t, n) threshold and adversary structure, Int. J. Inf. Secur. 8 (2009) 379–385.
[7] M. Hirt, U. Maurer, Player simulation and general adversary structures in perfect multi-party computation, J. Cryptology 13 (1) (2000) 31–60.
[8] M. Hirt, U.M. Maurer, Complete characterization of adversaries tolerable in secure multi-party computation (extended abstract), in: PODC, 1997, pp. 25–34.
[9] Ching-Fang Hsu, Qi Cheng, Xueming Tang, Bing Zeng, An ideal multi-secret sharing scheme based on MSP, Inform. Sci. 181 (2011) 1403–1409.
[10] Y. Lindell, B. Pinkas, N.P. Smart, Implementing two-party computation efficiently with security against malicious adversaries, in: Security and Cryptography for Networks, in: Lecture Notes in Comput. Sci., vol. 5229, 2008, pp. 2–20.
[11] K.M. Martin, Challenging the adversary model in secret sharing schemes, in: Coding and Cryptography II, Proceedings of the Royal Flemish Academy of Belgium for Science and the Arts, 2008, pp. 45–63.
[12] K.M. Martin, M.B. Paterson, D.R. Stinson, Error decodable secret sharing and one-round perfectly secure message transmission for general adversary structures, Cryptogr. Commun. 3 (2) (2011) 65–86.
[13] S. Obana, T. Araki, Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution, in: X. Lai, K. Chen (Eds.), ASIACRYPT'06, in: Lecture Notes in Comput. Sci., vol. 4284, 2006, pp. 364–379.
[14] A. Das, A. Adhikari, An efficient multi-use multi-secret sharing scheme based on hash function, Appl. Math. Lett. 23 (2010) 993–996.
[15] N.K. Ratha, J.H. Connell, R.M. Bolle, Enhancing security and privacy in biometrics-based authentication systems, IBM Syst. J. 40 (3) (2001) 614–634.
[16] C.T. Li, M.S. Hwang, An efficient biometrics-based remote user authentication scheme using smart cards, J. Netw. Comput. Appl. 33 (2010) 1–5.
[17] H.M. Sun, S.P. Shieh, Recursive constructions for perfect secret sharing schemes, Comput. Math. Appl. 37 (3) (1999) 87–96.
[18] M. Gnanaguruparan, S. Kak, Recursive hiding of secrets in visual cryptography, Cryptologia 26 (2002) 68–76.
[19] A. Parakh, S. Kak, A recursive threshold visual cryptography scheme, Cryptology ePrint Archive, Report 2008/535, 2008.
[20] A. Parakh, S. Kak, Space efficient secret sharing for implicit data security, Inform. Sci. 181 (2011) 335–341.
[21] D.R. Stinson, Cryptography: Theory and Practice, Chapman & Hall/CRC, 2009.
[22] C.S. Ding, D. Kohel, S. Ling, Secret sharing with a class of ternary codes, Theoret. Comput. Sci. 246 (2000) 285–298.
