Dynamic Key Generations for Secret Sharing in Access Structures

Chu-Hsing Lin, Wei Lee, and Chien-Sheng Chen
Department of Computer Science and Information Engineering, Tunghai University, 181, Section 3, Taichung-kang Road, 407 Taichung, Taiwan
[email protected], [email protected], [email protected]

Abstract

In a secret sharing scheme based upon access structures, each group has an authorization and only the participants who stay in an authorized access structure can recover the secret key. In this paper, we propose an efficient scheme for secret sharing based upon access structures. We use one-way hash functions to reduce the cost of the secret sharing scheme. The presented scheme is easy and efficient, so it is suitable for many real applications.

Keywords: secret sharing, one-way hash function, access structures, shadows, authorization

1. Introduction

Secret sharing schemes help users to share a secret in a group. If the group wants to encipher or decipher some documents, the corresponding participants in this group have to share their shadows and cooperate with each other to figure out the group's secret key. After the corresponding participants share their shadows, the shadows are no longer secure and cannot be used anymore. Therefore, the trust authority (TA) has to reconstruct the group's secret key and each participant's shadow after each communication. It is very interesting to investigate secret sharing schemes. The first secret sharing scheme was invented by A. Shamir [1]. After that, B. Blakley proposed a secret sharing scheme with the disenrollment capability [2]. In 2004, Chang et al. proposed a secret sharing scheme based upon access structures with hierarchical key management [3]. In this paper, we present an efficient secret sharing scheme with the property of access structures, using a one-way hash function. We organize this paper as follows. In Section 2, we introduce the concept of secret sharing based upon access structures. In Section 3, we review Chang's scheme. In Section 4, we propose our efficient scheme for secret sharing with access structures. In Section 5, we give security analyses and comparisons, and Section 6 concludes the paper.

2. Background

The (a, w)-threshold scheme [1] provides equal-weight key information for each participant. However, sometimes we want each participant in the group to hold key information of a different weight. For instance, in an army, marshals should have a greater right to issue commands than generals. Therefore, the weight of marshals' shadows should be higher than that of generals'. In other words, fewer marshals than generals are needed to reconstruct the secret key. Such schemes are called secret sharing with access structures, and much research has been done to achieve this goal [4], [5]. Such a scheme has two properties:
- The participants who stay in an authorized subset can compute the key $K$ by sharing their shadows.
- The participants who do not stay in an authorized subset can determine nothing about the value of the key $K$, even by sharing their shadows.

To illustrate access structures, we give a simple example. Assume that $\Gamma$ is the access structure and $U_1, U_2, U_3, \ldots, U_n$ are the participants, where $n$ is the number of participants. The access structure is $\Gamma = P_a \cup P_b \cup P_c$, where $P_a = \{U_1, U_2, U_4\}$, $P_b = \{U_3, U_4\}$, $P_c = \{U_2, U_3, U_5\}$, $n = 5$, and the key is $K$. Here, $P_a$, $P_b$, and $P_c$ are the authorized subsets of the access structure. Each participant receives several elements of $Z_{m_{TA}}$ from TA as his/her shadows, where $m_{TA}$ is a large number chosen by TA. The following figure shows the relationship between the access structure and the key distribution:

Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA’05) 1550-445X/05 $20.00 © 2005 IEEE Authorized licensed use limited to: TUNG HAI UNIVERSITY. Downloaded on March 18, 2009 at 09:23 from IEEE Xplore. Restrictions apply.

[Figure 1, diagram not recoverable from the text: participants $U_1$ to $U_5$ hold the shadows $K_{a1}$ ($U_1$), $K_{a2}$ and $K_{c1}$ ($U_2$), $K_{c2}$ and $K_{b1}$ ($U_3$), $K - K_{a1} - K_{a2}$ and $K - K_{b1}$ ($U_4$), $K - K_{c1} - K_{c2}$ ($U_5$). The shadows of $P_a$, of $P_b$ and of $P_c$ are each combined by an AND node into $K$, and the three AND nodes are joined by an OR node into $K$.]

Figure 1: The key distribution in the access structure

We show the distribution of the shadows as follows: $U_1$ gets $K_{a1}$. $U_2$ gets $K_{a2}$ and $K_{c1}$. $U_3$ gets $K_{c2}$ and $K_{b1}$. $U_4$ gets $K - K_{a1} - K_{a2}$ and $K - K_{b1}$. $U_5$ gets $K - K_{c1} - K_{c2}$. Therefore, the participants in the authorized subset $P_a$ can cooperate with each other to compute the key $K$ by Eq. (1):

$$K = (K_{a1} + K_{a2} + (K - K_{a1} - K_{a2})) \bmod m_{TA} \quad (1)$$

Similarly, the authorized subsets $P_b$ and $P_c$ can get the key $K$ by computing Eq. (2) and Eq. (3) respectively:

$$K = (K_{b1} + (K - K_{b1})) \bmod m_{TA} \quad (2)$$

$$K = (K_{c1} + K_{c2} + (K - K_{c1} - K_{c2})) \bmod m_{TA} \quad (3)$$

The above scheme distinguishes different participants well, and each authorized subset in the access structure is independent of the other authorized subsets.
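The additive-share construction of Figure 1 and Eqs. (1)-(3), as an added example that is not the paper's code: it is written for any access structure given as a list of authorized subsets, and assumes a constructed modulus standing in for $m_{TA}$ with shares drawn uniformly from $Z_{m_{TA}}$.

```python
import secrets

# Added example, not the paper's code: the additive-share construction of
# Section 2 for Gamma = Pa ∪ Pb ∪ Pc (Figure 1), written for any access
# structure. Assumption: M_TA is a constructed modulus standing in for the
# large number m_TA chosen by TA; shares are drawn uniformly from Z_{m_TA}.

M_TA = 2**61 - 1

# The access structure of Figure 1: each authorized subset and its members.
GAMMA = {"Pa": ["U1", "U2", "U4"], "Pb": ["U3", "U4"], "Pc": ["U2", "U3", "U5"]}

def split_key(key, subset, m=M_TA):
    """Additive shares of `key` for one authorized subset: every member but
    the last gets a uniformly random element of Z_m, the last gets the
    remainder K - (sum of the others) mod m, exactly as Figure 1 shows."""
    shares = {user: secrets.randbelow(m) for user in subset[:-1]}
    shares[subset[-1]] = (key - sum(shares.values())) % m
    return shares

def distribute(key, access_structure, m=M_TA):
    """TA's step: each participant receives one shadow per authorized subset
    it belongs to (U4 holds a Pa shadow and a Pb shadow)."""
    shadows = {}
    for name, subset in access_structure.items():
        for user, share in split_key(key, subset, m).items():
            shadows.setdefault(user, {})[name] = share
    return shadows

def recover(shadows, subset_name, members, access_structure, m=M_TA):
    """Eqs. (1)-(3): the members of an authorized subset add their shadows
    for that subset mod m. Any proper subset of the members only sees a sum
    of uniformly random values, so recovery is attempted only for the full
    authorized subset; otherwise None is returned."""
    if set(members) != set(access_structure[subset_name]):
        return None
    return sum(shadows[u][subset_name] for u in members) % m

def demo(key, access_structure=GAMMA):
    """Distribute shadows for `key` and let every authorized subset recover it."""
    shadows = distribute(key, access_structure)
    return {name: recover(shadows, name, members, access_structure)
            for name, members in access_structure.items()}
```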

3. Chang's Scheme

In 2004, Chang et al. proposed a scheme [3] which suits secret sharing with access structures in a hierarchical environment. We introduce Chang's mechanism for secret sharing based upon access structures in the following subsections. There are two major algorithms in the mechanism. In the first algorithm, TA generates some related parameters and delivers them to each corresponding participant through a secret channel. TA generates a random number $g_i$ and broadcasts it. Then the corresponding participants in $\Gamma_i$ can use $g_i$ and the related parameters delivered by TA to calculate their group's secret key $K$. In the second algorithm, we introduce their method for modifying the group's secret key and the participants' shadows after a communication.

Group Key Generation Algorithm

As in the conventional secret sharing schemes, we assume that in the group $P$, the participants $1, 2, \ldots, n$ belong to the authorized subset $\Gamma_i$, and $u_{i,w}$ denotes the ID value of participant $w$ (for $1 \le w \le n$). First, TA delivers $n$ shadows $s_{i,1}, s_{i,2}, s_{i,3}, \ldots, s_{i,n}$ to the corresponding participants through a secret channel. The secret $K$ can be calculated as

$$K = s_{i,1}u_{i,1} + s_{i,2}u_{i,2} + \cdots + s_{i,n}u_{i,n} \quad (4)$$

Following the schemes proposed in [6] and [7], Chang used the discrete logarithm to achieve the property of reusing shadows. Each participant shares $g_i^{s_{i,w}u_{i,w}} \bmod P_{TA}$ (for $1 \le w \le n$) with the others instead of his/her shadow $s_{i,w}$, where $P_{TA}$ is a large prime number and $g_i$ is a generator published by TA. Moreover, $g_i$ should satisfy $\gcd(g_i, P_{TA} - 1) = 1$. Therefore, the secret key of the group $P$ can be calculated by Eq. (5):

$$K = (g_i^{s_{i,1}u_{i,1}} \bmod P_{TA} + \cdots + g_i^{s_{i,n}u_{i,n}} \bmod P_{TA}) \bmod P_{TA} \quad (5)$$

Hence, based upon the discrete logarithm, the shadows are not only concealed but also secretly held by each participant.

Group Key Modification Algorithm

Before the secret key $K$ of the group $P$ can be known, the participants who belong to the access structure $\Gamma_i$ of the group $P$ must share their secrets first. This means that all participants who stay in the access structure $\Gamma_i$ shall change their secrets, and TA has to change the old secret key $K$ into a new one. Hence, TA produces a new generator $g_i'$ and broadcasts it. Further, each participant of the access structure $\Gamma_i$ in the group $P$ changes his/her old secret $g_i^{s_{i,w}u_{i,w}} \bmod P_{TA}$ into a new one $(g_i')^{s_{i,w}u_{i,w}} \bmod P_{TA}$ (for $1 \le w \le n$). If the group $P$ wants to calculate the new secret key $K_i'$, each participant of the access structure $\Gamma_i$ in the group $P$ has to share $(g_i')^{s_{i,w}u_{i,w}} \bmod P_{TA}$ instead of $g_i^{s_{i,w}u_{i,w}} \bmod P_{TA}$. In Chang's scheme, the generator $g_i'$ plays the role of changing the secret each time, instead of new shadows. From Eq. (5), we can see that the participants just send out the results of computing $g_i^{s_{i,1}u_{i,1}} \bmod P_{TA}$ to compute the secret key $K$. When the secret key $K$ has to be reconstructed, TA generates a new generator $g_i'$ and sends it to all members in the group $P$. The advantage of the scheme is that the shadows may be reused. In other words, TA generates $g_i$ instead of the shadows. It reduces the computation time of generating the shadows for all participants. However, their method needs a lot of time for computing exponentiations. So, we propose an efficient secret sharing scheme in the next section.

4. The Proposed Scheme

In this section, we propose an efficient secret sharing scheme based upon access structures. As in Chang's scheme, we divide the proposed scheme into two algorithms: the group key generation algorithm and the group key modification algorithm.

Group Key Generation Algorithm

Similar to Chang's scheme, we assume that in the group $P$, the participants $1, 2, \ldots, n$ belong to the authorized subset $\Gamma_i$ and $u_{i,1}, u_{i,2}, u_{i,3}, \ldots, u_{i,n}$ denote the ID values of all participants in $\Gamma_i$. Then, TA delivers $n$ shadows $s_{i,1}, s_{i,2}, s_{i,3}, \ldots, s_{i,n}$ to the corresponding participants $1, 2, \ldots, n$ through a secret channel. Additionally, $R_i$ is a random number generated and broadcast by TA. If the members in group $P$ want to recover their secret key $K$, each participant who belongs to the authorized subset $\Gamma_i$ of $P$ obtains his/her secret by using a one-way hash function [9]. Each secret includes a user parameter $u_{i,w}$ (for $1 \le w \le n$), the shadow $s_{i,w}$, and the random number $R_i$. The secret key can be calculated by Eq. (6):

$$K = h(s_{i,1} \| R_i \| u_{i,1}) \oplus \cdots \oplus h(s_{i,n} \| R_i \| u_{i,n}) \quad (6)$$

where $\|$ denotes the concatenation operator, $\oplus$ denotes the exclusive-or operation, and $h()$ denotes a one-way hash function.

Group Key Modification Algorithm

To obtain the secret key $K$ of the group $P$, the participants in the access structure $\Gamma_i$ have to share their secrets with the others. This means that the members of the group $P$ have to change their secrets because they are no longer secure, and the old secret key $K$ must be changed to a new one. Hence, TA first produces a new random number $R_i'$ and broadcasts it. Then each participant of the access structure $\Gamma_i$ changes his/her old secret $h(s_{i,w} \| R_i \| u_{i,w})$ into a new one $h(s_{i,w} \| R_i' \| u_{i,w})$, and TA generates the new secret key $K'$. In the proposed scheme, we broadcast a random number $R_i'$ instead of redistributing new shadows every time. The proposed scheme provides the following advantages:
- TA does not have to regenerate the participants' shadows in the key modification phase.
- The one-way hash function reduces the computation time of key reconstruction.
- An unauthorized member or an attacker cannot invert the hash value to get the other participants' shadows.

5. Security Analysis and Comparison

In this section we give the security analysis and compare the proposed scheme with Chang's scheme.
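Before the analysis, an added example (not the paper's code) that implements Chang's Eq. (5) from Section 3 beside the proposed Eq. (6) from Section 4, each followed by one key-modification round; it assumes a constructed 61-bit prime standing in for $P_{TA}$, SHA-256 in place of the SHA-1 the paper benchmarks, fixed-width big-endian field encoding, and constructed ID values and generators.

```python
import hashlib, math, secrets

# Added example, not code from the paper: one round of Chang's Eq. (5) beside
# the proposed Eq. (6), plus the key-modification step of each. Assumptions:
# a constructed 61-bit Mersenne prime stands in for P_TA, SHA-256 stands in
# for the SHA-1 the paper benchmarks, and fields are encoded big-endian.

P_TA = 2**61 - 1                          # constructed prime modulus
MEMBERS = {1: 1001, 2: 1002, 3: 1003}     # w -> u_{i,w}, constructed IDs

def issue_shadows(members):
    """TA's secret-channel step: one random shadow s_{i,w} per participant."""
    return {w: secrets.randbelow(P_TA - 1) + 1 for w in members}

def valid_generator(g):
    """The paper's condition on g_i: gcd(g_i, P_TA - 1) = 1."""
    return math.gcd(g, P_TA - 1) == 1

def chang_release(g, s, u):
    """What participant w sends in Chang's scheme: g^(s*u) mod P_TA."""
    return pow(g, s * u, P_TA)

def chang_key(g, shadows, members):
    """Eq. (5): add the released exponentiations, reduce mod P_TA."""
    return sum(chang_release(g, shadows[w], members[w]) for w in shadows) % P_TA

def h(s, r, u):
    """h(s || R || u) with fixed-width fields, so adjacent fields cannot slide
    into each other (the paper leaves this encoding to the implementer)."""
    msg = s.to_bytes(8, "big") + r.to_bytes(16, "big") + u.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def proposed_key(r, shadows, members):
    """Eq. (6): XOR of every participant's released hash for nonce R_i."""
    key = 0
    for w, s in shadows.items():
        key ^= h(s, r, members[w])
    return key

def run_two_rounds(shadows, members, g=17, g_new=19):
    """Key generation followed by key modification: TA broadcasts only a fresh
    g_i' (Chang) or R_i' (proposed); the shadows are reused, not redistributed.
    A value released in round 1 is not the value round 2 needs."""
    r, r_new = secrets.randbits(128), secrets.randbits(128)
    return {
        "chang": (chang_key(g, shadows, members), chang_key(g_new, shadows, members)),
        "proposed": (proposed_key(r, shadows, members),
                     proposed_key(r_new, shadows, members)),
        "old_release_still_valid": h(shadows[1], r, members[1]) == h(shadows[1], r_new, members[1]),
    }
```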

Security Analysis

In our scheme, the shadows are generated and distributed by TA. TA is assumed to be an honest participant, and we assume that the distribution process also works over a secure channel. So we believe that TA generates and delivers the shadows to each corresponding participant securely. Then TA broadcasts the random number $R_i$ to the corresponding participants in the authorized subset $\Gamma_i$. When the participants have to reconstruct the key, each of them releases the result of $h(s_{i,w} \| R_i \| u_{i,w})$ instead of his/her shadow $s_{i,w}$. The next time, he/she just releases the result of $h(s_{i,w} \| R_i' \| u_{i,w})$ for a new key. If someone wants to impersonate a legal participant $w$, he/she has to reverse the hash function, $h(s_{i,w} \| R_i \| u_{i,w})$ or $h(s_{i,w} \| R_i' \| u_{i,w})$, to get the shadow $s_{i,w}$ of user $w$. However, it is hard to reverse a hash function to get the original value. It is hard for an attacker to impersonate a legal participant without the correct $s_{i,w}$ and $u_{i,w}$. The difficulty of breaking our scheme rests on the security of one-way hash functions.

Comparison

Now we compare the time complexity of Chang's scheme with the proposed scheme. First, we define some symbols and make some assumptions: $T_{EXP}$: the time needed for an exponentiation; RSA-1024 encryption is chosen as the exponentiation algorithm. $T_{HASH}$: the time needed for a one-way hash function; we choose SHA-1 as the hash algorithm. The time spent on the exclusive-or ($T_{XOR}$) and addition ($T_{ADD}$) operations is negligible, so we do not compare $T_{XOR}$ and $T_{ADD}$ here. Let us review Eq. (5) in Chang's scheme: for an authorized group with $n$ members, it needs $nT_{EXP}$ to construct the secret key. Now consider our secret sharing scheme with access structures: from Eq. (6) in Section 4, the proposed scheme spends $nT_{HASH}$ to compute the secret key. The comparison is summarized in the following table:

Table 1. Comparing Chang's scheme with the proposed scheme

                          Scheme            T_EXP    T_HASH
Key Generation phase      Chang's scheme    n        -
                          Our scheme        -        n
Key Modification phase    Chang's scheme    n        -
                          Our scheme        -        n

We know that an exponentiation operation takes much more time than a one-way hash function. In the performance evaluation of the Crypto++™ Library [8], we find that $T_{EXP} \approx 214\,T_{HASH}$. Obviously, our scheme spends less time than Chang's scheme in secret key computation. From the above discussion, we believe that our secret sharing scheme with access structures is more efficient than Chang's scheme.

6. Conclusions

In this paper, we investigated the topic of secret sharing based upon access structures. We proposed a secret sharing scheme based upon access structures that is more efficient than Chang's scheme, and we showed that the proposed scheme is secure. Our proposed scheme is simple, efficient, and secure. It is a convenient secret sharing scheme for a group that wants to share a secret based upon access structures.

Acknowledgements This research was partially supported by the National Science Council, Taiwan, under grant NSC 93-2213E-029-009.

References

[1] A. Shamir, “How to Share a Secret,” Communications of the ACM, Nov 1979, 22(11), pp. 612-613.
[2] B. Blakley, G. R. Blakley, A. H. Chan, and J. L. Massey, “Threshold Schemes with Disenrollment,” Abstracts of CRYPTO’92, Aug 1992.
[3] C. C. Chang, C. H. Lin, W. Lee, and P. C. Hwang, “Secret Sharing with Access Structures in a Hierarchy,” International Conference on Advanced Information Networking and Applications (AINA), Fukuoka, Japan, March 2004, Vol. 2, pp. 31-34.
[4] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, New York: Wiley, 1994, pp. 59-61.
[5] D. R. Stinson, Cryptography: Theory and Practice, Boca Raton: CRC Press, 1995.
[6] C. Charnes, J. Pieprzyk, and R. Safavi-Naini, “Conditionally Secure Secret Sharing Schemes with Disenrollment Capability,” Proceedings of the 2nd ACM Conference on Computer and Communications Security, Fairfax, Virginia, Nov 1994, pp. 89-95.
[7] H. Y. Lin and L. Harn, “A Generalized Secret Sharing Scheme with Cheater Detection,” Proceedings of ASIACRYPT ’91, Springer-Verlag, Nov 1991, pp. 149-158.
[8] Crypto++™ Library 5.1, http://www.eskimo.com/~weidai/cryptlib.html.
[9] Draft FIPS 180-2, Secure Hash Standard (SHS), U.S. Doc/NIST, May 30, 2001.
