A Generalized Secret Sharing Scheme

Chin-Chen Chang and Hui-Min Tsai Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi, Taiwan 601, R0.C.

In this article, we make a cryptanalysis on Lin and Harn’s generalized secret sharing scheme. And then based on their scheme, we present another method to improve their security such that the ability of prevent- ing illegal users from reconstructing the secret can still be held, and, moreover, the conspiracy of those legal users to other users’ shadows can be avoided. 0 1997 by Elsevier Science Inc.

1. INTRODUCTION

The protection of important information from get- ting lost, destroyed, or into wrong hands is an age old problem and becomes even more significant be- cause of the proliferation of computers into areas such as electronic mail, electronic fund transfer, and storage of information. In 1979, a different type of protection scheme-from the public key cryptosys- terns-called the threshold scheme was introduced independently by Blakely (1979) and Shamir (1979). The essential idea underlying the threshold scheme is to create “shadows” of the message (secret) such that a certain number (called the threshold) of shad- ows are available and then the message can be retrieved, denoted as the (m, n) threshold scheme where m is the threshold, and n is the number of shadows.

From the above description, we know that m out of n shadows in an (m, n> threshold scheme are needed to reclaim one secret, which is very ineffi- cient as a conveyor of information. To avoid a very large data expansion, Laih et al. (1989) proposed a Cd, m, n, T) dynamic threshold scheme, where T in- dicates time and d means d secrets recovered, in- stead of only one secret. In their scheme, there are n secrets and a time-dependent public shadow. After

Address correspot&nce to Dr. C.-C. Chang. Institute of Computer Science and Information Engineekzg National Chung Cheng Uni- versity, Chiuyl, Taiwan 601, R0.C.

J. SYSTEMS SOFTWARE 1997; 31X267-272 Q 1997 by Elsevier Science Inc. 655 Avenue of the Americas, New York, NY 10010

knowing any m shadows, m 5 n, and the public shadow at that time, the m shadow holders can easily recover d secrets, but any m -1 or fewer of them cannot learn anything about the secrets. Fur- thermore, if the d secrets have to be changed for some security reasons, only the public shadow needs changing, and all the n shadows issued initially re- main unchanged.

However, the schemes mentioned above assume that every shadow holder for some secret key has equal privilege to that secret or every holder is equally trusted, and the secret key can be recon- structed by any m or more shadows put together; further, these schemes are not robust enough to realize any sharing policy.

Therefore, Lin and Ham (1993) proposed a gener- alized secret sharing scheme that handles this draw- back for determining a sharing policy in advance to indicate what kind of shadow holders’ cooperation is legal; that is, to specify some legal subsets of the users in the system such that the users in any subset can cooperate to reconstruct the secret. Its applica- tion is shown clearly in Chang and Lee (1993). Chang and Lee applied Lin and Ham’s generalized secret sharing scheme to solve the secret communi- cation between two groups such that when a sender in one group wants to transmit a message encrypted by the secret key K to another group, the sender can specify in advance some legal subsets of the recipients so that the recipients in any one of the subsets can cooperate to reconstruct the secret key first and then decipher the encrypted message in the receiving group. For convenience, we will take Lin and Ham’s notation “a positive access instance” for a legal subset and call the users in a positive access instance to be the legals; thus, we also take the notation “a negative access instance” for a subset not defined in the sharing policy and call the users in the negative access instance to be the illegals throughout this paper.

0164-1212/97/$17.00 PII S01641212(%)00096-J

268 J. SYSTEMS SOFTWARE 1997; 36:267-212

In this article, we want to show that Lin and Harn’s scheme is weak because other holders’ shad- ows will be revealed by the conspiracy of the legals of some positive access instance. Later, based upon Lin and Harn’s concept, we propose an improved scheme, which still has the ability to prevent the illegals from reconstructing the secret, and also can avoid the possibility of the legals collaborating to derive other holders’ shadows of the system to which they are not entitled. Thus, based upon our im- proved scheme instead of Lin and Ham’s general- ized secret sharing scheme, the new generalized group-oriented cryptoscheme without trusted cen- ters proposed by Chang and Lee (1993) can still work.

The rest of this paper is organized as follows. In Section 2, we review Lin and Ham’s generalized secret sharing scheme. A cryptanalysis on Lin and Ham’s scheme is presented in Section 3. An im- proved generalized threshold scheme is proposed in Section 4. In Section 5, we analyze and discuss the security of our scheme. Concluding remarks are given in Section 6.

2. A REVIEW OF LIN AND HARN’S SCHEME

Lin and Ham’s generalized secret sharing scheme (Lin and Ham, 1993) spiritually deals with the se- cure communication between two groups of mem- bers such that the messages only can be deciphered when a set of legal recipients is available to.decipher them. Roughly speaking, a secret key K in their scheme is shared by a group of n users U =

{U,, u,, - * * > UJ, and a secret sharing policy is prede- fined for this group. Afterwards, the secret key K is divided into n shadows K,, K,, . . . , K,, and each shadow Ki is distributed to the user q through a highly secure channel. Now, according to the sharing policy, the secret key K can be reconstructed by the cooperation of the legals, but the cooperation of the illegals cannot recover anything about the secret. That is, these shadows K,, K,, . . . , K,, will satisfy the

(1)

(2)

following two conditions:

If T is a legal subset of U (T is called the positive access instance and the users in T are called the legals), K can be reconstructed from gathering all the shadows Ki secretly owned by 4 in T. If T is not a legal subset of U (T is called the negative access instance and the users in T are called the illegal& K cannot be reconstructed even gathering all the shadows K, secretly owned by Q in T.

C. Chang and H. Tsai

Now, let F be a set of all positive access instances and N be a set of all negative instances satisfying that F U N = 2’, where 2’ is the power set of U. We call F to be the positive access structure of a given secret sharing policy and N to be the corre- sponding negative access structure. By Lemmas l-5 in Lin and Ham (19931, the maximum set of the negative access structure m(N) can be easily found.

A distinct prime number pi is assigned to the negative access instance Nj of m(N), and a tag ti is assigned to the user Q, where ti = l-I,, N pi, for i=12 , ,--*, n. Let K be the secret of the secret sharing policy and n be the product of two secret large primes. The shadow assigned to the user Q is then computed by Ki = K’I mod n, for i = 12 , , . . . , n. In the following, we use Example 1 to depict the process of shadow generation and the reconstruction of the secret key K.

Example 1.

1.

2.

3.

4.

5.

6.

7.

Assume that a secret key K is shared by four users A, B, C, D. The secret sharing policy is that the secret key K can be reconstructed by the cooperation of A and D, by the cooperation of B and D, or by the cooperation of A, B, and C. Clearly, the legals of the system are (A and 01, (B and D), or (A and B and 0. F=(AnD)u(BnD)U(AnBnC)

N=(A’nB’nC’nD)u(A’nB’nCnD)

u(A’ n B’ n C n D’) u (A’ n B’ n C’

nD’)u(A’nBnC’nD’)u(A’n

BnCnD’)U(AnBnC’nD’)U (AnB’nC’nD’)u(AnB’nCnD’).

The maximum set of the negative access structure m(N) = {(A, B), MC), (B,C), (C,DN. This means that the secret key K cannot be recon- structed either by A and B, or by A and C, or by B and C, or by C and D. Thus, the illegals for the system are (A and B), (A and 0, (B and 0, or (C and 0). Suppose that the distinct primes p1 = 2, p2 = 3, p3 = 5, p4 = 7 are assigned to the corresponding negative access instances CAB), UC), (BC), and (CD). The tags associated with each user are tA =

P~*PZ = 6, TV =p1*p3 = 10, t, =pz*p3* p4 = 105, and to = p4 = 7. The corresponding shadows are KA = K6 mod n, K = K1’ mod n Kc = K”’ mod n and KD = K’ modn.

, 9

Now, assume that the users B and D want to reconstruct the secret key K. According to the Eu-

Generalized Secret Sharing Scheme J. SYSTEMS SOFlWARE 269 1997, 36:267-212

clidean algorithm, they can find a pair ( - 2,3) such that (-2*t,) + 3*t, = t-2)*10 + 3*7 = 1. Since users B and D are the legals, or we say to be a positive access instance, the secret key K can be reconstructed by computing K = (K,)-‘*Ki(mod n).

Conversely, suppose that the users A and B want to reconstruct the secret K. Since users A and B are the illegals, or we say to be the negative access instance, it is impossible to reconstruct the secret key. Here A’s shadow is KA = K6 mod n and B’s shadow is K, = K” mod n. The GCD of tags asso- ciated with A and B is equal to 2; therefore, they can compute K’ = K* mod n easily. According to the RSA assumption (Rivest et al. 1978) it is impos- sible to obtain K.

If we suppose that the secret key K can be recon- structed either by A and B, by A and C, by B and C, or by C and D, from the following equations:

K, = K2 mod n, where GCD(t,, te> = 2;

K, = K3 mod n, where GCD(t,, t,) = 3;

K, = K5 mod n, where GCD(t,, t,) = 5;

K, = K’ mod n, where GCD(t,, t,) = 7,

then it is shown that the RSA public key cryptosys- tern is breakable.

3. CRYPTANALYSIS ON LIN AND HARN’S SCHEME

In this section, we show that the legals can normally reconstruct the secret key of the system, yet they can also derive another user’s shadow that is not entitled to them.

Before the analysis, let us take a brief review of the generation of shadows in Lin and Harn’s scheme. Each negative access instance Nj of m(N) is as- signed a distinct prime number p, and Q’s shadow is generated by the following equation:

Ki = K’l modn,

where t, = l’l, E N, pi, and K is the secret key of the system.

For I(, the negative access instances it belongs to are public; therefore, for those legals who can re- construct the secret key K and try to conspire any other user’s shadow, they should first obtain the corresponding distinct prime number for a certain negative access instance. In this way, the tag value t as well as the shadow associated with some specific user will easily be figured out.

Since the subset Nj belonging to the negative access structure m(N) means that the secret key K cannot be reconstructed by any collaboration of the users in it, there is no possibility of having another subset q included in it. Thus, for each subset of m(N), we compute the greatest common divisor (GCD) of the tags associated with it to bring out the prime number attached to it. Taking item 7 in Ex- ample 1, we can find out the corresponding prime numbers as follows:

GCD(t,, tB> = GCD(p,*p,, p:p3) = p1

for the set {A, B).

GCD(tA 9 tc> = GCD(p,*p,, p2*p3*p4) =p2

for the set {A,C}.

GCD(t,,t,) = GCD(p,*p3,~2*~3*p,) =p3

for the set (B, C}.

GCDO, , toI = GCD( p2+p3*p4, pJ = p4

for the set {C, D}.

Now, if users A, B, C have reconstructed the secret key K and want to derive D’s shadow, they only need to compute GCD(t,, to) for D only be- longs to the set {C, D), and then they will figure out D’s shadow K. = K’ mod n.

4. ANOTHER GENERALIZED SECRET SHARING SCHEME

Similar to Lin and Ham’s scheme, our scheme also uses a secret key K shared by a group of n users u= (U,,lJ, )...) U,}, and a predetermined secret sharing policy that indicates what kind of coopera- tion can reconstruct the system secret key to deci- pher the transmitted messages. We also choose n to be the product of two secret large primes for gener- ating the shadows.

Since the other users’ shadows will be revealed by some legal collaborators in Lin and Ham’s scheme, there is a further way to think about how to make them more safe. Since the Achilles’ heel of Lin and Ham’s scheme results from the single value of t, we can select another prime together with this t value to enhance the security. That is, apart from assign- ing a distinct prime number p, to the negative access instance Nj of m(N), we also give each user a secret distinct prime number (Y, such that the shadow assigned to the user Q is then computed by K, =

K ‘I*~, modn,where ti = l&,,p,,

fori = 1,2 ,..., n.

Now, we will depict our method step by step in the following and use Example 2 to illustrate our method.

C. Chang and H. Tsai 270 J. SYSTEMS SOFIWARE 1997; 36:261-212

Step 1. Determine the set of users u=

Step 2.

Step 3.

Step 4.

Step 5.

Step 6.

w,JJ,,..., U,}, where n E N. All the users in U share a secret key K together, and a secret sharing policy for this secret is also predetermined. Follow the secret sharing policy to figure out the set of all positive access instances, called F, any subset T of which can reconstruct the secret key K by gathering all the shad- ows Ki’s owned by Q’s in T. Apply the technique of Karnaph map to N, called a set of all negative access instances, in order to quickly generate the maximum set of the negative access structure m(N), any subset T of which cannot reconstruct the secret key K even by gathering all the shadows Ki owned by Q in T. Note that N will satisfy that F U N = 2”, where 2” is the power set of U. Assign a distinct prime pj to a negative access instance Nj of m(N), and a prime cr, distinct from those existing ones to Q in the system, for i = 1,2,. . . , n. Compute the corresponding tag ti for y by

ti= n pj,fori=1,2 ,..., Iz. QGN,

Divide the secret key K into n shadows

K,, K,, . . . , K, where the corresponding shadow Ki for Q is computed by

Ki = K ff*ag modn,

and then distribute the shadow K, to Q via a secret channel. K is the shared key and n is the product of two large prime numbers.

Example 2.

1. Similarly, assume that a secret key K is shared by four users A, B, C, D.

2. LetF=(AnD)u(BnD)u(AnBnC)be the secret sharing policy for the secret key K, which is defined as that in Example 1.

3. Thus, the set of all negative instances, N, will be the same as follows:

N=(A’nB’nC’nD)u(A’nB’nCnD) u(A’ n B’ n C n D’) u (A’ n B’ n C’ nD’)u(A’nBnC’nD’)u(A’nB ncnD’)u(AnBnC’nD’)utA nB’ n C’ n D’) u (A n B’ n C n D’).

4. The main-mm set of the negative access structure m(N) = {(A,@, (A,C), (B,C), (C,D)}. This means that the secret key K cannot be recon-

strutted either by A and B, by A and C, by B and C, or by C and D. Suppose that the distinct primes p1 = 2, p2 = 3, p3 = 5, p4 = 7 are assigned to the corresponding negative access instances (AB), UC), (BC), and (CD). The tags associated with each user are tA = pcp2 = 6, tB =pI*p3 = 10, t, =p2*p3*p4 = 105, and

to = p4 = 7. Avoiding collaboration, we assign four distinct primes a;, = 11, LT~ = 13, (Yc = 17, (rD = 19 to users A, B, C, and D, respectively, such that the final corresponding shadows will be

KA E KfA*% E K ‘*” = K66 (mod n),

KB E Kta*“n s K 1°*13 = K130 (mod n),

Kc E KfC*ac E Klo5’17 E K1785 (mod n),

K. = KtD*nD s K 7*19 E K133 (mod n).

Now, assume that the users B and D want to reconstruct the secret key K. According to the Eu- clidean algorithm, they can fmd a pair (44, -43) such that (44*t,*aJ + (-43*t,*a,) = (44)*10*13 + (- 43)*7*19 = 1. Since (BD) is a positive access instance, the secret key K can be reconstructed by computing K = K~*KE’~ (mod n).

Conversely, suppose that the users A and B want to reconstruct the secret K. Since (AB) is the nega- tive access instance, it is impossible to reconstruct the secret key. Gathering A’s shadow KA = KM mod n and B’s shadow KB = K13’ mod II, we will get a secret key K’, where (t,_, * cu,, te * q,) # 1; therefore, according to the RSA assumption (Rivest et al., 1978), it is impossible to obtain K. In the same way, if the secret key K can be reconstructed by some of the negative access instances, it means that RSA public-key cryptosystem is breakable.

Now, let us consdier whether the conspiracy can work. Assume that users A, B, C have recon- structed the secret key K and want to derive D’s shadow. From the cryptanalysis in Section 3, they can collaborate to obtain to = p4 = 7 by computing GCD(t,, to), for D only belongs to the set {C, 0). However, we say that they cannot figure out D’s shadow KD unless they know (rD = 19 beforehand to get D’s shadow KD s K’D * a~ s K7’ l9 e K’33

(mod n); whereas, the (Ye value is only known to user D.

5. DISCUSSION AND SECURITY ANALYSIS Before our security analysis, we discuss the similari- ties and differences among Lin and Ham’s scheme (Lin and Ham, 1993), our improved scheme, and

Generalized Secret Sharing Scheme

Chang and Lee’s scheme (Chang and Lee, 1993) in the following, for more comprehension about the generalized secret sharing scheme:

(1)

(2)

(3)

Lin and Harn’s scheme: Assume that a secret key K is shared by a

group of users, and a secret sharing policy is predefined to declare that the secret key K can only be reconstructed by the cooperation of cer- tain specified users.

Then for each user in the system, user y is assigned to tag ti and a secret key shadow K,, where Ki = K’l mod n.

If the secret sharing policy declares the coop- eration of user Q and user I$ is legal, then two integers si and sj should exist such that si * ti + sj * tj = 1. Thus, the secret key K can be recon- structed by the formula K = (K,P *(KjYJ mod n. Our improved scheme:

Our scheme also assumes that a secret key K is shared by a group of users and a secret sharing policy is predefined to declare that the secret key K can only be reconstructed by the cooperation of certain specified users.

Because Lin and Ham’s scheme is shown to be weak in Section 3, we improve it in Section 4 by assigning user Q a tag ti, along with a secret prime number q, such that his secret key shadow Ki is generated by the formula: Ki = K’l* a1 mod n.

Similar to Lin and Ham’s method, if the se- cret sharing policy declares the cooperation of user q and user I?J is legal, two integers si and S, should exist such that Si * ti * (Y, + S, * tj * Lyi = 1. The secret key K can be reconstructed by the same formula K = (Ki)” * (K,)“J mod n. Chang and Lee’s scheme:

The problem they want to solve is described as follows: When a sender wants to transmit a message encrypted by the secret key K to a group, the sender can specify some legal cooper- ations of the recipients such that the secret key can be first reconstructed, and then the en- crypted message can be deciphered in the receiv- ing group.

Based on the concept of Lin and Ham’s scheme, their method first determines a positive access structure of legal recipients in the receiv- ing group and then assigns a shadow K, and a tag ti for user Q by using the following rules:

a) If user lJ is a member of the specified combinations of legal recipients, compute Ki = K’l mod n as user y’s shadow.

J. SYSTEMS SOFTWARE 271 1997; 36367-272

b) If user q is not a member of the specified combinations of legal recipients, assign Ki = 0 and ti = 0.

When the recipients receive the encrypted message, they first reconstruct the decryption key K by using Lin and Ham’s generalized secret-sharing scheme and then decipher the encrypted message.

From the above comparison, we first observe that the generation of the shadow Ki in Lin and Ham’s scheme is congruent to K’l mod n, where K is the secret key for a specified sharing policy. Thus, when the transmitted messages need deciphering, the se- cret key K will only be reconstructed by a legal subset of F, the positive access structure of that specified sharing policy, under the condition that all the tags t, of Q in the subset are coprimes. Since, according to the Euclidean algorithm, it is easy to find out a set of corresponding numbers si, i = 1,2,. . . , m, such that the shared key K is congruent to l-I;=lKs,*r8 mod n, where m denotes the total number of users in this subset. As in Example 1, user B, together with user D, consists of a legal access instance among all the users, and their tags are coprimes; therefore, a pair of (s,, s,> = ( - 2,3) is found.

Now, look at our improved scheme proposed in Section 4. Clearly, the difference is on the computa- tion of the shadows, where one’s exponent is only the value of t, i.e., Ki = K’I mod n, yet the other’s is a product of the t value and the (Y value, i.e., Ki z Kt,‘a, mod n. Since the (Y values are selected to be the primes distinct from those existing ones, we can guarantee those ti * q products in a legal subset still to be coprimes; therefore, the shared key K can be reconstructed by applying the same Eu- clidean algorithm mentioned in Lin and Ham’s scheme. A further meaning is that for those illegals, it is impossible to reconstruct the shared key, since a set of corresponding si values, i = 1,2,. . . , m, can- not be found, such that Ily= ,Kfl* It* Q~ = K (mod n), where m is also the total number of those illegals.

To defeat the conspiracy, we can observe that the secret shadow Ki for y is generated by the compu- tation of Ki = K’a * LI~ mod n. Thus, for a set of illegal users, it is ensured not to be able to recon- struct the shared key K as mentioned above; yet, for a set of legal users, who can cooperate to obtain the key K, we also can declare that the collaboration of them to other users’ shadows will not succeed, for it is ensured that some specified legal users cannot collaborate to derive other users’ shadows unless they know the corresponding (Y value of that speci-

272 J. SYSTEMS SOFlWAFlE 1997; 36:261-212

C. Chang and H. Tsai

fied user. Therefore, depending upon the (Y values, we not only can prevent illegal users from recon- structing the secret in Lin and Ham’s scheme still hold, but also can avoid the possibility of those legals collaborating to derive other users’ shadows to which they are not entitled.

It is clear that based upon Lin and Harn’s scheme, a more secure and efficient method is proposed by assigning each user in the system a secret and dis- tinct prime (Y such that Lin and Ham’s scheme is capable of having it more securely.

6. CONCLUSIONS

The idea of requiring m out of n individuals to reconstruct the shared key is clearly not more gen- eral than that having a sharing policy, which indi- cates what kind of individual-cooperation will work. Actually, the (m, n) threshold policy is a special case of sharing policies, for it depicts that any m out of n individuals can cooperate to reconstruct the shared key. Thus, apart from showing that Lin and Ham’s generalized secret sharing scheme is weak, we pro- pose another generalized secret sharing scheme to improve their security such that their scheme can still be applied on the group-oriented cryptosystem,

which deals with the secret communication between any two groups or two companies.

REFERENCES

Blakely, G. R., Safeguarding Cryptographic Keys, in Pro- ceedings of the National Computer Conference, AFIPS Conference Proceedings, Vol. 48, 1979, pp. 313-317.

Chang, C. C., and Lee, H. C., A New Generalized Group- Oriented Cryptoscheme without Trusted Centers, IEEE Journal on Selection Areas in Communications, Vol. 11, No. 5, 725-729 (June 1993).

Laih, C. S., Ham, L., Lee, J. Y., and Hwang, T. L., Dynamic threshold scheme based on the definition of cross-product in an N-dimensional linear space, in Ad- vances in Cryptology-Crypt0 ‘89, Springer Verlag, 1989, pp. 286-296.

Lin, H. Y., and Ham, L., A Generalized Secret Sharing Scheme with Cheater Detection, Lecture Notes in Com- puter Science, Advances in Cyptology-ASL4CRI?‘T’91, Springer-Verlag, Berlin, 1993, pp. 149-158.

Rives& R. L., Shamir, A., and Adleman, L., A Method for Obtaining Digital Signatures and Public-Key Cryptosys- terns, Communications of the Association for Computing Machinery, Vol. 21, No. 2, 120-126 (February 1978).

Shamir, A., How to Share a Secret, Communications of the ACM, Vol. 22, No. l&612-613 (November, 1979).