International Journal of Engineering & Technology Research Volume 1, Issue 2, October-December, 2013, pp. 129-139 © IASTER 2013, www.iaster.com, ISSN (O) 2347-4904
Study on the Parameters of Secret Sharing Scheme

Debabrata Sarddar (1), Poonam Sarkar (2), Sougata Chakraborty (3), Saikat Mondal (4), Atanu Kumar Das (5)
(1) Assistant Professor, University of Kalyani, West Bengal, India; (2) M.Tech., University of Kalyani; (3) System Engineer, IBM India Private Limited; (4, 5) Assistant Professors, Regent Education & Research Foundation, India.
ABSTRACT The study of secret sharing schemes was initiated independently by Shamir and Blakley in 1979, and several other schemes have been introduced since; many of them are (n, k) threshold systems. This work surveys secret sharing schemes built on different approaches, analyses Shamir's scheme with emphasis on its background and its drawbacks, and studies the parameters of a secret sharing scheme. In particular, it proposes an approach for choosing the prime modulus of an (n, k) threshold system based on Shamir's secret sharing scheme.
Keywords: Shamir’s Secret Sharing Scheme, Lagrange Interpolation Polynomial, Blakley’s Scheme, Chinese Remainder Theorem, Massey's Secret Sharing Scheme.
1. INTRODUCTION
Secret sharing is a method for dividing secret information into several pieces and distributing them among a group of participants. Each piece is a share of the secret. The secret can be reconstructed only when enough shares are combined; an individual share is useless on its own and carries no meaningful information about the secret. There are several reasons for using this mechanism: it protects against misfortune at any point in time (sudden death of the dealer, sabotage, physical destruction, massive network failure, etc.), it increases trust and reliability among several participants, and it makes it possible to give a particular participant a defined role or weight in a globally distributed environment such as e-commerce applications.

1.1. Trivial Secret Sharing

There are several (t, n) secret sharing schemes for t = n, where all shares are necessary to recover the secret:

Encode the secret as an integer s. Give each participant i (except one) a random integer r_i. Give the last participant the number s − r_1 − r_2 − ... − r_{n−1}. The secret is the sum of all participants' shares. (For the shares to reveal nothing individually, the arithmetic is done modulo a fixed bound from which the r_i are drawn uniformly.)

Encode the secret as a binary string s of arbitrary length. Give each participant i (except one) a uniformly random bit string p_i of the same length as s. Give the last participant s XOR p_1 XOR p_2 XOR ... XOR p_{n−1}, where XOR is bitwise exclusive or. The secret is the bitwise XOR of all participants' strings.

When space efficiency is not a concern, these schemes can be used to reveal a secret to any desired subsets of the participants simply by applying the scheme once for each subset.
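The two n-of-n constructions above, as an added Python example (not code from the paper). It implements the XOR form on byte strings: the pads come from the OS CSPRNG, which is exactly the property the secrecy rests on, and xor_split_with_pads is a deterministic core added so that the arithmetic can be checked by hand. share_for_subsets is the "apply the scheme once per subset" idea from the last sentence; the participant names are made up.

```python
"""n-of-n secret sharing by XOR (section 1.1).  Added example, not code from the paper."""
import secrets


def _xor(a, b):
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split_with_pads(secret, pads):
    """Deterministic core: the n-1 pads are shares, and the last share is
    secret XOR pad_1 XOR ... XOR pad_{n-1}."""
    last = bytes(secret)
    for pad in pads:
        last = _xor(last, pad)
    return list(pads) + [last]


def xor_split(secret, n):
    """n-of-n sharing with fresh, uniformly random pads from the OS CSPRNG.  Any n-1
    shares are then independent of the secret; a biased or reused pad breaks that."""
    if n < 2:
        raise ValueError("need at least two participants")
    return xor_split_with_pads(secret, [secrets.token_bytes(len(secret)) for _ in range(n - 1)])


def xor_combine(shares):
    """The secret is the XOR of all n shares."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = _xor(acc, share)
    return acc


def share_for_subsets(secret, subsets):
    """Reveal the secret to each listed subset by running the n-of-n scheme once per
    subset.  A participant in k subsets holds k shares: the space cost the text mentions."""
    holdings = {}
    for group in subsets:
        for member, share in zip(group, xor_split(secret, len(group))):
            holdings.setdefault(member, {})[group] = share
    return holdings
```

Because every pad is uniform and independent, the n−1 shares that exclude the last one are literally independent of the secret, and any other n−1 shares are uniform as well; the only way to weaken the scheme is a bad random source.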
1.2. Proactive secret sharing
If the participants store their shares on insecure computer servers, an attacker could break in and steal the shares. If it is not practical to change the secret, the uncompromised (Shamir-style) shares can be renewed instead. The dealer generates a new random polynomial with constant term zero and computes, for each remaining participant, a new ordered pair whose x-coordinate equals that of the old pair. Each participant adds the old and new y-coordinates and keeps the result as the new y-coordinate of its share. Because the update polynomial has constant term zero, the shared secret is unchanged, while all the non-updated shares the attacker has accumulated become useless: the attacker can recover the secret only by collecting enough other non-updated shares to reach the threshold, which should not happen because the participants delete their old shares. The update values themselves reveal nothing about the secret, since they are evaluations of a random polynomial that passes through zero. The dealer can also change the threshold while distributing updates, but must remain vigilant about participants keeping expired shares.

1.3. Verifiable secret sharing
A participant might lie about his own share in order to gain access to other shares, and a dishonest dealer might hand out inconsistent shares. A verifiable secret sharing (VSS) scheme allows participants to be certain that no other participant is lying about the contents of their share, up to a small probability of error. Such checks cannot be made by simply comparing shares in the clear; the participants must collectively add and multiply values without any individual learning what exactly is being added and multiplied. Tal Rabin and Michael Ben-Or devised a multiparty computation (MPC) system that lets participants detect dishonesty on the part of the dealer or of up to one third of the threshold number of participants, even if those participants are coordinated by an "adaptive" attacker who changes strategy in real time depending on what information has been revealed.
2. SHAMIR'S SECRET SHARING SCHEME
The idea of secret sharing was proposed independently by Adi Shamir and George Blakley in 1979. Shamir's [2] algebraic scheme is based on polynomial interpolation, whereas Blakley's [3] scheme is based on hyperplane geometry. There is also a scheme based on the Chinese Remainder Theorem, the Asmuth-Bloom [4] scheme, in which the shares are generated by modular reduction and the secret is recovered by solving the resulting system of congruences with the Chinese Remainder Theorem.

2.1. Construction of (t, n) threshold scheme

Let $s$ be the secret. Choose a prime $p > \max(s, n)$. Choose $t-1$ random numbers $a_1, a_2, \ldots, a_{t-1}$ in the range $1 \le a_i \le p-1$ and construct the polynomial
$$f(x) = \left(a_{t-1} x^{t-1} + a_{t-2} x^{t-2} + \cdots + a_1 x + s\right) \bmod p,$$
i.e. the secret becomes the constant term of the polynomial.
The dealer chooses any $n$ distinct values $x_1, x_2, \ldots, x_n \pmod p$, all different from $0$ (since $f(0)$ is the secret itself), and distributes the shares
$$(x_1, f(x_1)),\ (x_2, f(x_2)),\ \ldots,\ (x_n, f(x_n)).$$
As the degree of the polynomial is $t-1$, any set of $t$ shares $(x_{i_1}, f(x_{i_1})), (x_{i_2}, f(x_{i_2})), \ldots, (x_{i_t}, f(x_{i_t}))$ is sufficient to determine the polynomial completely, and hence the secret, which is its constant term.

2.2. Interpolation Property

Given $t$ pairs $(i, f(i))$ with all $i$ distinct, there is a unique polynomial $f(X)$ of degree at most $t-1$ passing through all the points, and it can be computed efficiently from the pairs.

2.3. Lagrange Interpolation Polynomial

If the values of a polynomial of degree $t$ are known at any $t+1$ distinct points, then the polynomial is uniquely determined.

2.3.1. Basis Polynomials
Given $n$ distinct points $x_1, x_2, x_3, \ldots, x_n$, find a polynomial which vanishes at all points other than $x_1$ and takes the value $1$ at $x_1$:
$$f(x_1) = 1,\quad f(x_2) = 0,\quad f(x_3) = 0,\quad \ldots,\quad f(x_n) = 0.$$
Since $f(x_i) = 0$ implies $(x - x_i) \mid f(x)$, let the polynomial be
$$f(x) = k\,(x - x_2)(x - x_3)\cdots(x - x_n).$$
Then $f(x_1) = k\,(x_1 - x_2)(x_1 - x_3)\cdots(x_1 - x_n)$, and $f(x_1) = 1$ holds exactly when
$$k = \frac{1}{(x_1 - x_2)(x_1 - x_3)\cdots(x_1 - x_n)}.$$
Thus the desired polynomial is
$$L_1(x) = \frac{(x - x_2)(x - x_3)\cdots(x - x_n)}{(x_1 - x_2)(x_1 - x_3)\cdots(x_1 - x_n)}.$$
In general, let $L_i(x)$ denote the polynomial whose value is $1$ at $x = x_i$ and $0$ at all the other points. Thus
$$L_i(x) = \frac{(x - x_1)(x - x_2)\cdots(x - x_{i-1})(x - x_{i+1})(x - x_{i+2})\cdots(x - x_n)}{(x_i - x_1)(x_i - x_2)\cdots(x_i - x_{i-1})(x_i - x_{i+1})(x_i - x_{i+2})\cdots(x_i - x_n)}.$$
So the numerator is the product of all factors of the form $x - (\text{everything other than } x_i)$ and the denominator is the product of all factors of the form $x_i - (\text{everything other than } x_i)$. For $n$ data points, the polynomials $L_1(x), L_2(x), \ldots, L_n(x)$ are called the basis polynomials. Let $f(x)$ be a polynomial of degree at most $n-1$ whose values at the $n$ distinct data points $x_1, x_2, x_3, \ldots, x_n$ are
$$f(x_1) = C_1,\quad f(x_2) = C_2,\quad \ldots,\quad f(x_n) = C_n.$$
Then
$$f(x) = C_1 L_1(x) + C_2 L_2(x) + \cdots + C_n L_n(x).$$
This is the Lagrange interpolation formula. Written compactly for $t$ points,
$$f(X) = \sum_{i=1}^{t} f(i)\, L_i(X), \qquad L_i(X) = \prod_{j \ne i} \frac{X - x_j}{x_i - x_j},$$
where $L_i$ has value $1$ at $X = x_i$ and $0$ at every other $x_j$.

2.4. Mathematical Description
For an integer $m \ge 1$, we denote by $\mathbb{Z}_m$ the set $\{0, 1, \ldots, m-1\}$; all arithmetic operations over $\mathbb{Z}_m$ are done $\bmod m$. All further calculations in this paper are done in $\mathbb{Z}_p$, where $p$ is a prime number bigger than the secret. A $(t, n)$-threshold Shamir scheme is constructed by a trusted party (dealer) Tom. He begins with a secret integer $s \ge 0$ that he wishes to distribute among $n$ shareholders. Next he chooses a prime $p > \max(s, n)$, defines $a_0 = s$, and selects $(t-1)$ random, independent coefficients $a_1, \ldots, a_{t-1}$ with $0 \le a_j \le p-1$, defining a random polynomial over $\mathbb{Z}_p$,
$$f(x) = \sum_{j=0}^{t-1} a_j x^j.$$
Thus $f(x)$ is of degree at most $(t-1)$. Now Tom chooses $n$ distinct public points $x_i \in \mathbb{Z}_p \setminus \{0\}$, $1 \le i \le n$, computes the shares $s_i = f(x_i) \bmod p$, $1 \le i \le n$, and securely transfers every share $s_i$ to its shareholder, along with the public index $i$. The secret is $s = f(0)$.
When $t$ participants agree to cooperate, the combiner Clara takes their shares and tries to recover the secret polynomial $f(x)$. The shares provide $t$ distinct points $(x_i, s_i)$ on the curve $f(x)$. With these points the following system of equations can be constructed:
$$\begin{aligned}
s_1 &= a_0 + a_1 x_1 + \cdots + a_{t-1} x_1^{t-1} \\
s_2 &= a_0 + a_1 x_2 + \cdots + a_{t-1} x_2^{t-1} \\
&\;\;\vdots \\
s_t &= a_0 + a_1 x_t + \cdots + a_{t-1} x_t^{t-1}
\end{aligned}$$
Since the Vandermonde determinant of this system is $\ne 0$ for distinct $x_i$, it has a unique solution for $(a_0, \ldots, a_{t-1})$.

The Lagrange interpolation formula determines the polynomial $f(x)$ of degree $(t-1)$ from the $t$ distinct points $(x_i, s_i)$:
$$f(x) = \sum_{i=1}^{t} s_i \prod_{\substack{1 \le j \le t \\ j \ne i}} \frac{x - x_j}{x_i - x_j}.$$
Because we are only interested in the constant term of the polynomial, the formula simplifies to a linear expression. Recall that $s = a_0 = f(0)$; then the shared secret can be written as
$$s = \sum_{i=1}^{t} c_i s_i, \qquad c_i = \prod_{\substack{1 \le j \le t \\ j \ne i}} \frac{x_j}{x_j - x_i}.$$
If Clara knows only $(t-1)$ shares, she cannot find the unique solution for $s = a_0$, because the system then contains $(t-1)$ equations in $t$ unknowns. Moreover, each group member may compute $s$ as a linear combination of the $t$ shares $s_i$, since the $c_i$ are non-secret constants and may be precomputed.

Stated over a general field: suppose we want to use a $(k, n)$ threshold scheme to share a secret $S$, assumed without loss of generality to be an element of a finite field $F$. Choose at random $k-1$ coefficients $a_1, \ldots, a_{k-1}$ in $F$, let $a_0 = S$, and build the polynomial
$$f(x) = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \cdots + a_{k-1} x^{k-1}.$$
Construct any $n$ points on it, for instance $(i, f(i))$ for $i = 1, \ldots, n$, and give every participant one point (a pair of input to the polynomial and output). Given any subset of $k$ of these pairs, the coefficients of the polynomial are found by interpolation and the secret is the constant term $a_0$.

Figure 1: Shamir's Secret Sharing Scheme: Geometrical Interpretation (graphical representation of a degree-2 polynomial and its shares).
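The construction of 2.1, the linear reconstruction $s = \sum_i c_i s_i$ of 2.4 and the proactive refresh of section 1.2, as an added Python example (not code from the paper). The prime $p = 2^{61}-1$, the seed and the secret in demo() are arbitrary choices for the demonstration; the shares (1, 7), (2, 11), (3, 0) used in the checks are from the paper's own polynomial $x^2 + x + 5 \bmod 17$.

```python
"""Shamir (t, n) secret sharing over Z_p with Lagrange reconstruction at x = 0
and a proactive share refresh.  Added example; not code from the paper."""
import random


def eval_poly(coeffs, x, p):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[-1]*x^(t-1) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret, t, n, p, rng=random.SystemRandom()):
    """Dealer: f has constant term = secret and t-1 random coefficients.  Shares are
    (x_i, f(x_i)) for x_i = 1..n; x = 0 is never used because f(0) is the secret."""
    if not (1 <= t <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover(shares, p):
    """Combiner: s = sum_i c_i s_i with c_i = prod_{j != i} x_j / (x_j - x_i) mod p.
    Exactly t shares with distinct x must be supplied; fewer give a wrong value,
    not an error, which is the point of the scheme."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate")
    secret = 0
    for i, (xi, si) in enumerate(shares):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        secret = (secret + si * num * pow(den, -1, p)) % p
    return secret


def refresh(shares, t, p, rng=random.SystemRandom()):
    """Proactive renewal (section 1.2): add g(x_i) to each share, where g is a fresh
    random polynomial with g(0) = 0.  f + g still has constant term = secret, so the
    secret is unchanged, but old and new shares no longer lie on one polynomial."""
    g = [0] + [rng.randrange(p) for _ in range(t - 1)]
    return [(x, (y + eval_poly(g, x, p)) % p) for x, y in shares]


def demo(t=3, n=5, p=2**61 - 1, secret=0xC0FFEE):
    """Split, recover from t shares, refresh, and show that mixing shares from
    before and after a refresh yields garbage (here s + g(3), since L_3(0) = 1)."""
    rng = random.Random(2024)          # fixed seed only to make the demo reproducible
    shares = split(secret, t, n, p, rng)
    before = recover(shares[:t], p)
    new = refresh(shares, t, p, rng)
    after = recover(new[-t:], p)
    mixed = recover(shares[:t - 1] + new[t - 1:t], p)
    return before, after, mixed
```

Note that recover() cannot tell a wrong quorum from a right one: with fewer than t shares, or with a stale share mixed in after a refresh, it returns a uniformly random-looking value, which is why the participants must delete old shares rather than rely on detection.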
3. BLAKLEY'S SCHEME

Blakley's secret sharing scheme uses hyperplane geometry to solve the secret sharing problem. The secret is a point in a $t$-dimensional space and the $n$ shares are affine hyperplanes that pass through this point. An affine hyperplane in a $t$-dimensional space with coordinates in a field $F$ can be described by a linear equation of the form
$$a_1 x_1 + a_2 x_2 + \cdots + a_t x_t = b.$$
The secret point is obtained by intersecting any $t$ of these hyperplanes (provided their normal vectors are linearly independent). The secret can be any one coordinate of the intersection point, or any function of the coordinates; we take it to be the first coordinate.

3.1. Dealing Phase

Let $m$ be a prime and let $F = \mathbb{Z}_m$ be the field we work in. The dealer generates a secret point $x \in F^t$ whose first coordinate $x[1]$ is set to the secret value, and sets the other coordinates to random values from $F$. The $i$-th user gets a hyperplane equation over $F$,
$$a_{i1} x_1 + a_{i2} x_2 + \cdots + a_{it} x_t = y_i.$$
For a $(t, n)$ threshold scheme there are $n$ such hyperplane equations, and hence an $n \times t$ linear system
$$A x = y.$$
The dealer sends the secret value $y_i$ along with $a_{i1}, \ldots, a_{it}$ to user $i$. The coefficients $a_{ij}$ are not sensitive and can be made public if needed.

3.2. Share Combining Phase

Share combining is simply solving a linear system of equations. Suppose a coalition $S = \{i_1, \ldots, i_t\}$ of users comes together. They form the matrix $A_S$ from their hyperplane equations and solve
$$A_S x = y_S,$$
where $y_S$ is the vector of the users' secret shares. The secret is the first coordinate of the solution.
4. SECRET SHARING USING CHINESE REMAINDER THEOREM

Secret sharing consists of recovering a secret $S$ from a set of shares, each containing partial information about the secret. The Chinese remainder theorem (CRT) states that, under appropriate conditions on the moduli, a given system of simultaneous congruences has a unique solution in some $\mathbb{Z}/n\mathbb{Z}$, $n > 0$. Secret sharing can thus use the CRT: the shares are the residues appearing in the congruences, and the secret is recovered by solving the system of congruences for its unique solution.

4.1. Chinese Remainder Theorem

The system of simultaneous congruences
$$x \equiv a_1 \pmod{m_1},\quad x \equiv a_2 \pmod{m_2},\quad \ldots,\quad x \equiv a_n \pmod{m_n}$$
has a unique solution in the range $0 \le x < m_1 m_2 \cdots m_n$ when the numbers $m_1, m_2, \ldots, m_n$ are pairwise relatively prime.

Theorem 1: Let $k \ge 2$, $m_1, \ldots, m_k \ge 2$, and $b_1, \ldots, b_k \in \mathbb{Z}$. The system of equations
$$x \equiv b_1 \pmod{m_1},\ \ldots,\ x \equiv b_k \pmod{m_k}$$
has solutions in $\mathbb{Z}$ if and only if $b_i \equiv b_j \pmod{(m_i, m_j)}$ for all $1 \le i, j \le k$. Moreover, if the system has a solution in $\mathbb{Z}$, then it has a unique solution in $\mathbb{Z}_{[m_1, \ldots, m_k]}$, where $[m_1, \ldots, m_k]$ is the least common multiple. When $(m_i, m_j) = 1$ for all $1 \le i < j \le k$, one gets the standard version of the Chinese Remainder Theorem.
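An added Python example (not code from the paper) of recovering a secret by solving congruences. crt() implements the standard CRT of 4.1 by successive lifting, and the remaining functions build on it the $(t, n)$ threshold scheme of Mignotte [5], whose shares are exactly the residues $S \bmod m_i$ the section describes. The moduli 11, 13, 17 and the secret 100 are constructed for the demonstration.

```python
"""CRT combination and Mignotte's (t, n) threshold scheme built on it.
Added example, not code from the paper; the moduli and secret below are constructed."""
from math import gcd, prod


def crt(residues, moduli):
    """Solve x = r_i (mod m_i) for pairwise coprime m_i.
    Returns (x, M) with 0 <= x < M = prod(m_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        if gcd(M, m) != 1:
            raise ValueError("moduli must be pairwise coprime")
        # lift: keep x mod M and pick k so that x + k*M = r (mod m)
        k = (r - x) * pow(M, -1, m) % m
        x, M = x + k * M, M * m
    return x % M, M


def mignotte_bounds(moduli, t):
    """A (t, n) Mignotte sequence needs beta < alpha, where alpha is the product of
    the t smallest moduli and beta the product of the t-1 largest; secrets live in
    (beta, alpha) so that t residues pin them down and t-1 do not."""
    ms = sorted(moduli)
    if any(gcd(a, b) != 1 for i, a in enumerate(ms) for b in ms[i + 1:]):
        raise ValueError("moduli must be pairwise coprime")
    alpha = prod(ms[:t])
    beta = prod(ms[len(ms) - (t - 1):])
    return beta, alpha


def mignotte_split(secret, moduli, t):
    beta, alpha = mignotte_bounds(moduli, t)
    if not beta < secret < alpha:
        raise ValueError(f"secret must lie in ({beta}, {alpha})")
    return [(m, secret % m) for m in moduli]       # share i = (m_i, S mod m_i)


def mignotte_recover(shares):
    """Any t shares: the unique CRT solution below alpha is the secret."""
    x, _ = crt([r for _, r in shares], [m for m, _ in shares])
    return x


def candidates(shares, moduli, t):
    """Secrets in (beta, alpha) still consistent with fewer than t shares.  The scheme
    is not perfect: each share shrinks this set, which is what Asmuth-Bloom's extra
    modulus m_0 and random multiple are there to hide."""
    beta, alpha = mignotte_bounds(moduli, t)
    x, M = crt([r for _, r in shares], [m for m, _ in shares])
    return [v for v in range(x, alpha, M) if v > beta]
```

With moduli (11, 13, 17) and t = 2, any two shares recover 100 exactly, while a single share such as (13, 9) leaves ten candidates in (17, 143); that residual leakage is the reason the paper's Asmuth-Bloom variant [4] is preferred when perfect secrecy is required.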
5. SECRET SHARING USING LINEAR CODES

In [11] the authors show that Shamir's secret sharing scheme is essentially a special type of Reed-Solomon code, and it was later realized [13] that coding theory in general can be applied to secret sharing. Throughout this section we follow the definitions and notation of [8], [9] and [10]. The idea is the following. Suppose we can encode our secret into a codeword $(D_1, \ldots, D_n)$. If we know sufficiently many of the $D_i$, then using the error-correction mechanism we can find the remaining $D_i$ and recover the secret. This observation suggests that error-correcting codes can be used to design secret sharing schemes. Massey invented a secret sharing scheme [8] using this idea, and a similar scheme was introduced by Brickell; for details see [12]. Xiaoqing and Zhiguo proposed another secret sharing scheme [13], also based on linear codes, which unlike the previous ones does not require a trusted third party.

5.1. Massey's Secret Sharing Scheme
Massey's Secret Sharing Scheme
Massey [8]’s scheme is also referred as linear secret sharing scheme since it is based on linear n
G [ g ,, g ]
0 n 1 . Assume codes. Let C Fq be a k-dimensional linear code with generator matrix s that G has no zero column. The secret is an element of Fq and there are (n-1) shareholders and a dealer (trusted party). In order to determine the shares, the dealer chooses t C, t (t0 ,, tn 1 ) such that t0 s. He can
choose such a t by first picking randomly a vector u (u0 ,uk 1 )
Fqk such that ug0 . Such a u
International Journal of Engineering & Technology Research Volume 1, Issue 2, October-December, 2013, www.iaster.com
can be chosen in q k
1
ways. Now t can be computed as t
ISSN (O) 2347-4904
uG. Shares are {t0 ,, tn 1} and G is
known by all shareholders. Our assumption that G cannot have any zero column is sensible because if a column g i were zero then clearly ti which is the share of the i th participant would be zero. Hence this shareholder would not participate at all. Note that if c=(0,,0,1,0,,0) C where 1 occurs in j th position then since cv that j th component of every v
C is 0 . This implies g j
0 v C we get
0 but this contradicts our assumption
hence such a c cannot exist. As stated in [9] if g 0 , gi1 , , gim are linearly dependent then the secret can be recovered by first solving the linear equation m
g0
x j gi j j 1
after finding x j s the secret can be computed as m
t0
ug 0
m
x j ug i j j 1
x j ti j j 1
From now on we will assume that this is the only way to recover the secret for any set of shares.
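The share-combining step of 3.2 and the recovery of 5.1 both reduce to solving a linear system over $\mathbb{Z}_p$, so one added Python example (not code from the paper) covers both with a single Gaussian-elimination helper. The generator matrix, the secrets and the seed in demo() are constructed for illustration; the 2 x 4 matrix is a Reed-Solomon-style code over $\mathbb{Z}_7$ in which any two of the three shares determine $g_0$, so it behaves as a (2, 3) threshold scheme.

```python
"""Blakley (section 3) and Massey (section 5.1) secret sharing over Z_p.
Added example, not code from the paper.  Both reconstructions are a linear solve
mod p, so one Gaussian-elimination helper serves both; the matrices, secrets and
seed in demo() are constructed for illustration."""
import random


def solve_mod_p(A, b, p):
    """Solve A x = b over Z_p (A given as rows).  Returns (x, rank); x is None if the
    system is inconsistent.  Free variables are set to 0, so rank == len(x) means the
    solution is unique."""
    rows, cols = len(A), len(A[0])
    M = [[v % p for v in row] + [bi % p] for row, bi in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(M[i][cols] for i in range(r, rows)):   # a row 0 = nonzero: no solution
        return None, r
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = M[i][cols]
    return x, r


# Blakley: the secret is the first coordinate of a point; shares are hyperplanes through it.
def blakley_deal(secret, t, n, p, rng):
    point = [secret % p] + [rng.randrange(p) for _ in range(t - 1)]
    shares = []
    for _ in range(n):
        a = [rng.randrange(p) for _ in range(t)]          # a_i1..a_it may be public
        y = sum(ai * xi for ai, xi in zip(a, point)) % p   # y_i is the secret part
        shares.append((a, y))
    return shares


def blakley_combine(shares, p):
    """Solve A_S x = y_S from t hyperplanes and return the first coordinate.  Returns
    None when the t normal vectors are dependent: the planes then meet in more than a
    point and the first coordinate is not determined (a dealer should reject such a draw)."""
    x, rank = solve_mod_p([a for a, _ in shares], [y for _, y in shares], p)
    if x is None or rank < len(shares[0][0]):
        return None
    return x[0]


# Massey: codeword t = uG with t_0 = secret; shares are t_1 .. t_{n-1}.
def massey_deal(G, secret, p, rng):
    k, n = len(G), len(G[0])
    g0 = [G[i][0] for i in range(k)]
    i0 = next(i for i in range(k) if g0[i] % p)           # exists since G has no zero column
    u = [rng.randrange(p) for _ in range(k)]
    # fix one coordinate of u so that u.g0 = secret; the other k-1 stay random (q^(k-1) choices)
    rest = sum(u[i] * g0[i] for i in range(k) if i != i0)
    u[i0] = (secret - rest) * pow(g0[i0], -1, p) % p
    t = [sum(u[i] * G[i][j] for i in range(k)) % p for j in range(n)]
    return {j: t[j] for j in range(1, n)}                 # shareholder j holds t_j


def massey_recover(G, shares, p):
    """Coalition holding t_{i_1}..t_{i_m}: solve g_0 = sum_j x_j g_{i_j} over the
    columns of G, then secret = sum_j x_j t_{i_j}.  None if g_0 is outside their span."""
    idx = sorted(shares)
    A = [[G[r][j] for j in idx] for r in range(len(G))]
    x, _ = solve_mod_p(A, [G[r][0] for r in range(len(G))], p)
    if x is None:
        return None
    return sum(xj * shares[j] for xj, j in zip(x, idx)) % p


def demo():
    rng = random.Random(7)
    p = 2**31 - 1                                         # large prime: random normals are
    bs = blakley_deal(123456, 3, 5, p, rng)               # independent with overwhelming probability
    G = [[1, 1, 1, 1], [0, 1, 2, 3]]                      # columns (1,0),(1,1),(1,2),(1,3) over Z_7
    ms = massey_deal(G, 5, 7, rng)                        # any 2 of the 3 shares recover 5
    return (blakley_combine(bs[:3], p), blakley_combine([bs[0], bs[2], bs[4]], p),
            massey_recover(G, {1: ms[1], 2: ms[2]}, 7), massey_recover(G, {2: ms[2], 3: ms[3]}, 7))
```

The rank check in blakley_combine is the practical caveat of 3.2: random hyperplanes through the secret point can be dependent, in which case the solver still finds a solution but it is not unique, and returning its first coordinate would silently give a wrong secret.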
6. CHOICE OF PARAMETERS

Suppose we are given a quadratic polynomial such as $f(x) = (x^2 + x + 5) \bmod 7$, where the secret is $s = 5$ and the prime is $P = 7$. From it we easily compute
$$f(1) = 0,\ f(2) = 4,\ f(3) = 3,\ f(4) = 4,\ f(5) = 0,\ f(6) = 5,\ f(7) = 5.$$
The usual practice is to create the shares as $(1, f(1)), (2, f(2)), \ldots$. However, the values of $f(i)$ soon start repeating. This makes guessing another user's share somewhat easier and is undesirable. Thus simply choosing the prime $p > \max(s, n)$ may not be the best thing to do, and the question we need to investigate is how large $p$ should be so that the $n$ share values are completely distinct. In the example, setting aside the value $5$, which is the secret itself and reappears at $x = 6$ (and at $x = 7 \equiv 0$), the distinct share values are $0, 3, 4$. Our observations for quadratic polynomials are as follows:
- For every quadratic polynomial over a given $P$ the number of distinct values is the same; which values occur depends on the coefficients used in the polynomial.
- The secret value $s = f(0)$ can itself appear among the shares (here $f(6) = 5$), since $f(x) = s$ whenever $x \equiv -b/a \pmod P$.
- Number of distinct shares obtained $= (P-1)/2$, where $P$ is the prime.
This count is exact rather than a minimum or a maximum: a quadratic $ax^2 + bx + s$ satisfies $f(x) = f(-b/a - x) \bmod P$, so the inputs $1, \ldots, P-1$ pair off into equal values, and a quadratic can never produce $P-1$ distinct shares.

If we go on increasing the degree of the polynomial, the observations are as follows:
- For a cubic polynomial, the maximum number of distinct values observed is $(P-1)$ and the minimum is $(P-1)/3$.
- For a biquadratic (quartic) polynomial, the maximum number of distinct values observed is $(P-1)$ and the minimum is $(P-1)/4$.
- For a quintic polynomial, the maximum number of distinct values observed is $(P-1)$ and the minimum is $(P-1)/5$.
The minima follow from the degree: a polynomial of degree $k$ takes each value at most $k$ times, so the $P-1$ inputs $1, \ldots, P-1$ yield at least $(P-1)/k$ distinct values. For a given prime $P$, the number of polynomials yielding a given number of distinct values of $f(x)$ is the same.

For efficient evaluation of polynomials in monomial form, Horner's scheme is used; it reduces the computational complexity and overhead to one multiplication and one addition per coefficient. In Horner's scheme the cubic polynomial $ax^3 + bx^2 + cx + d$ is evaluated as
$$x_1 = ax + b,\qquad x_2 = x\,x_1 + c,\qquad x_3 = x\,x_2 + d,$$
so that $x_3 = f(x)$.

The convention adopted here is that whenever we compute the values of $f(x)$, we compute them for $x$ up to $P$, where $P$ is the prime. The coefficients $a, b, \ldots$ must be less than $P$, and $P$ must be greater than the secret $S$. $f(x)$ is computed modulo $P$, because everything is done over the finite field $F = \mathbb{Z}_P$.

7. DISCUSSION

7.1. Results for Quadratic Polynomial

For the prime $P = 17$ and secret $d = 5$ ($d < P$), with $f(x) = ax^2 + bx + d$ and $a = b = 1$:

 x    :  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
 f(x) :  7  11   0   8   1  13  10   9  10  13   1   8   0  11   7   5

Number of distinct elements (other than the secret) = 8.
7.2. Results for Cubic Polynomial

For the prime $P = 17$ and secret $d = 5$ ($d < P$), with $f(x) = ax^3 + bx^2 + cx + d$, $a = 1$, $b = 1$, $c = 6$:

 x    :  1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
 f(x) : 13  12   8   7  15   4  14   0   2   9  10  11   1   3   6  16

Number of distinct elements = 16.

7.3. Results for Biquadratic Polynomial

For the prime $P = 17$ and secret $e = 7$ ($e < P$), with $f(x) = ax^4 + bx^3 + cx^2 + dx + e$, $a = 1$, $b = 1$, $c = 11$, $d = 16$ (only the listed points were tabulated):

 x    :  1   2   4  10
 f(x) :  2   5   6  10

Number of elements = 4.

7.4. Results for Quintic Polynomial

For the prime $P = 31$ and secret $f = 5$ ($f < P$), with $f(x) = ax^5 + bx^4 + cx^3 + dx^2 + ex + f$, $a = 1$, $b = 1$, $c = 19$, $d = 10$, $e = 1$ (only the listed points were tabulated):

 x    :  1   2   6   7   9  11
 f(x) :  6  30   0   1  26  25

Number of elements = 6.
We have studied Shamir's secret sharing scheme from different aspects, with the main focus on an approach for choosing the prime modulus in a $(t, n)$ threshold system. From our practical studies it appears that, for a $(t, n)$ threshold secret sharing scheme (polynomial degree $t-1$), it is a safe choice to take the modulus prime $p$ satisfying
$$\frac{p-1}{t-1} \ge n,$$
so that even in the worst case the polynomial yields at least $n$ distinct share values.
If provision must be made for adding more users, $p$ should be chosen still higher. Further studies are needed to establish the exact mathematical relationship among the degree of the polynomial, the modulus prime and the set of distinct values guaranteed by the polynomial. The role of the coefficient values also requires study: what happens when the coefficients satisfy some other relationship, e.g. when all the coefficients are equal? A theory could then be developed to compare the reliability of two polynomials of the same degree.
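The share-value tables of section 7 and the rule $(p-1)/(t-1) \ge n$ above, as an added Python example (not code from the paper). horner() is the evaluation scheme of section 6, distinct_shares() counts values with the paper's convention of leaving out the secret itself, collisions() lists the colliding inputs an attacker guessing another user's share would use, and choose_prime() turns the recommendation into a concrete search. The coefficient lists are the paper's own polynomials, written lowest degree first.

```python
"""Distinct share values of f(x) = a_k x^k + ... + a_1 x + s over Z_P, and the
paper's rule for choosing the modulus.  Added example, not the paper's code."""


def horner(coeffs, x, p):
    """Horner's scheme (section 6).  coeffs = [s, a_1, ..., a_k], lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share_values(coeffs, p):
    """f(1), f(2), ..., f(P-1) mod P: the rows of the tables in section 7."""
    return [horner(coeffs, x, p) for x in range(1, p)]


def distinct_shares(coeffs, p):
    """Number of distinct share values, not counting the secret s = f(0) itself,
    which is the convention behind the counts (P-1)/2, 16, ... in section 7."""
    return len(set(share_values(coeffs, p)) - {coeffs[0] % p})


def collisions(coeffs, p):
    """Pairs (x, x') with f(x) = f(x'): what a participant guessing another user's
    share exploits.  For a quadratic, x and -b/a - x always collide."""
    seen, pairs = {}, []
    for x, v in enumerate(share_values(coeffs, p), start=1):
        if v in seen:
            pairs.append((seen[v], x))
        else:
            seen[v] = x
    return pairs


def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def choose_prime(secret, n, t):
    """Smallest prime p with p > max(secret, n) and (p - 1)/(t - 1) >= n.  A degree-(t-1)
    polynomial takes each value at most t-1 times, so p - 1 >= n (t - 1) inputs guarantee
    at least n distinct share values whatever the coefficients are."""
    p = max(secret, n) + 1
    while not (is_prime(p) and p - 1 >= n * (t - 1)):
        p += 1
    return p
```

For the paper's (3, n) setting with secret 5, the rule gives p = 17 for n = 7 but already p = 37 for n = 16, whereas the naive choice p > max(s, n) would accept 17 in both cases.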
REFERENCES
[1] C. L. Liu, Introduction to Combinatorial Mathematics. New York: McGraw-Hill, 1968.
[2] A. Shamir, "How to share a secret," Comm. ACM, 22(11):612-613, 1979.
[3] G. Blakley, "Safeguarding cryptographic keys," Proc. AFIPS National Computer Conference, 1979.
[4] C. Asmuth and J. Bloom, "A modular approach to key safeguarding," IEEE Transactions on Information Theory, 29(2):208-210, 1983.
[5] M. Mignotte, "How to share a secret," in Cryptography: Proceedings of the Workshop on Cryptography, Burg Feuerstein, 1982, T. Beth, Ed., Lecture Notes in Computer Science, vol. 149, Springer-Verlag, 1983, pp. 371-375.
[6] Li Bai, "A reliable (k, n) image secret sharing scheme," IEEE, 2006.
[7] E. D. Karnin, J. W. Greene, and M. E. Hellman, "On secret sharing systems," IEEE Transactions on Information Theory, 29(1):35-41, January 1983.
[8] J. L. Massey, "Minimal codewords and secret sharing," in 6th Joint Swedish-Russian Workshop on Information Theory, pp. 276-279, 1993.
[9] C. Ding and J. Yuan, "Covering and secret sharing with linear codes," in Discrete Mathematics and Theoretical Computer Science, Lecture Notes in Computer Science, vol. 2731, pp. 11-25, Springer-Verlag, 2003.
[10] C. Ding and J. Yuan, "Secret sharing schemes from three classes of linear codes," IEEE Transactions on Information Theory, 52:206-212, January 2006.
[11] R. J. McEliece and D. V. Sarwate, "On sharing secrets and Reed-Solomon codes," Communications of the ACM, 24:583-584, 1981.
[12] E. F. Brickell, "Ideal secret sharing schemes," in Advances in Cryptology, Eurocrypt '89, Lecture Notes in Computer Science, vol. 434, pp. 468-475, Springer, 1990.
[13] T. Xiaoqing and W. Zhiguo, "New secret sharing scheme based on linear code," Applied Mathematics: A Journal of Chinese Universities, 19(2):160-166, June 2004.