
Research note

General secret sharing scheme

K.J. Tan*, H.W. Zhu

Department of Electronic Engineering in ShangHai Jiao Tong University, ShangHai 200030, People’s Republic of China

Received 9 July 1998; accepted 20 January 1999

Abstract

Based on the idea in (J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in: Advances in Cryptology-CRYPTO’88, Lecture Notes in Computer Science, Springer, Berlin, 1990, pp. 27–35), a method to realize a general secret sharing scheme is given in this research note. The group participants need not store several shares, only one interpolating polynomial. Moreover, the method suits the broader situation in which several secrets are shared in the system, which the methods in (E. Dawson, D. Donovan, The breadth of Shamir’s secret sharing scheme, Computers and Security, 13 (1995) 69–78; J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in: Advances in Cryptology-CRYPTO’88, Lecture Notes in Computer Science, Springer, Berlin, 1990, pp. 27–35; C.C. Chang, H.C. Lee, A new generalized group-oriented cryptoscheme without trusted centers, IEEE Journal on Selected Areas in Communications, 11(5) (1993) 725–729) cannot handle. © 1999 Elsevier Science B.V. All rights reserved.

Keywords: Information theory; Cryptosystems; General secret sharing scheme; Threshold; Minimal authority subgroup; Interpolating polynomial

1. Introduction

In the open system environment, it is important to restrict access to the confidential information on the system or on certain nodes in the system. This can be done through a cryptographic key, knowledge of which allows access to the information. So, it is critical to manage the cryptographic key with a high degree of security. This can be achieved by taking a secret key and sharing it among a number of participants.

Shamir [1] and Blakley [2] addressed this problem in 1979 when they introduced the concept of a threshold scheme. A (t,n) threshold scheme is a method whereby n pieces of information of the secret key K, called shares, are distributed to n participants so that:

1. The secret can be reconstructed from the knowledge of any t or more shares.

2. The secret cannot be reconstructed from the knowledge of fewer than t shares.

t is often regarded as the threshold of the scheme. Since then, many (t,n) threshold schemes have been proposed [3–6].

But in reality, there are many situations in which it is desirable to have a more flexible arrangement for reconstructing the secret. Given some n participants, one may want to designate certain authorized groups of participants who can use their shares to recover the key. This kind of scheme is called a general secret sharing scheme (GSSS). A (t,n) threshold scheme is a special case of GSSS.

Let F denote the group of participants and G denote the set of the authorized subgroups of F. Then G is said to be the access structure of the secret sharing scheme and the elements of G are named the authorized subgroups. It is assumed that if $B \in G$, then for all $A \subseteq F$ where $B \subseteq A$, $A \in G$. Further, if $B \in G$ and for all $A \subsetneq B$, $A \notin G$, then B is termed a minimal authorized subgroup. The set of minimal authorized subgroups of G forms the basis of G and is denoted by $G_0$. Usually the access structure is determined uniquely by $G_0$; G is said to be the closure of $G_0$, or $G = \{A \subseteq F \mid B \subseteq A, \text{ where } B \in G_0\}$ [7].

Benaloh and Leichter [8] showed that no matter what the access structure is, it is always possible to construct a GSSS based on the traditional threshold scheme proposed by Shamir. To demonstrate this, Ed and Diane [7] take a GSSS with an arbitrary access structure G. However, we will show that their way only adapts to some special access structures. Lin and Harn proposed a GSSS based on the RSA assumption [9], but its computational cost is very large.

In this article, we will give a new GSSS. The group participants need not store several shares, only one interpolating polynomial. Moreover, it suits situations in which several secrets are shared in the system, which the schemes in [7–9] cannot handle.

Computer Communications 22 (1999) 755–757

0140-3664/99/$ - see front matter © 1999 Elsevier Science B.V. All rights reserved. PII: S0140-3664(99)00041-9

* Corresponding author. Tel.: +86-021-62829071; fax: +86-021-62829071.

E-mail address: [email protected] (K.J. Tan)

Ed–Diane Method: Let K be the shared secret, and let the participants be $P_1, P_2, \ldots, P_n$. Let G be the access structure and $G_0$ its basis, $G_0 = \{A, B, C, D\}$. Suppose A is a minimal authority subgroup consisting of s participants; then a polynomial $f_A(x) = K + a_1 x + a_2 x^2 + \cdots + a_{s-1} x^{s-1}$ is assigned to A according to the traditional (s,s) secret sharing scheme (a particular form of (t,n) threshold scheme). Let $P_i$ be a member of A; then $P_i$ is given the share $f_A(i)$. This process is repeated for each participant in A and then for each minimal authority subgroup.

However, as a participant requires a share for each minimal authority subgroup to which he belongs, he may be required to hold multiple shares. Ed and Diane give a method to reduce this number. Let M be a subset of the participants, where $|M| = m$. Further, assume that any s of the participants from M form a minimal authority subgroup. So there are

$$C_m^s = \binom{m}{s} = \frac{m!}{s!\,(m-s)!}$$

minimal authority subgroups with participants chosen from M. These $\binom{m}{s}$ subgroups are all assigned the same polynomial and shares are distributed accordingly. In this manner an (s,m) threshold scheme for the participants of M has been constructed. This procedure is repeated until all minimal authority subgroups in $G_0$ are associated with a polynomial.

They give an example to show how this method works. Suppose $G_0 = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_1, P_3\}, \{P_1, P_4, P_5\}\}$, so there is $M = \{P_1, P_2, P_3\}$. Then $P_1, P_2, P_3$ are assigned a (2,3) threshold scheme and associated with a degree-one polynomial $f(x)$, while $P_1, P_4, P_5$ are assigned a (3,3) threshold scheme and associated with a degree-two polynomial $g(x)$. In the end, $P_1$ has a share in each polynomial while the other participants have only one share each.

Now we will give another case. Suppose $G_0 = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_3, P_4\}, \{P_1, P_4, P_5\}\}$; then there does not exist such an M and the method of Ed–Diane cannot be adopted to reduce the number of shares. So the method of Ed–Diane cannot be used generally and only adapts to the special situation where such an M exists.

Our scheme: The parameters of our scheme are the same as those of the Ed–Diane method. Let $P = \{P_1, P_2, \ldots, P_n\}$, $G_0 = \{A, B, C, D\}$. Assign an order number to each minimal authority subgroup in $G_0$. Select a polynomial of degree $s-1$ for each minimal authority subgroup in $G_0$ (s depends on the size of the minimal authority subgroup) and give the related shares to the participants in the minimal authority subgroup, as shown in Fig. 1. Without loss of generality, we still take $P_1$ as an example. Suppose $P_1 \in A$, $P_1 \in B$, $P_1 \in D$; then it is assigned three shares, $K_{A1}$, $K_{B1}$ and $K_{D1}$. By the Lagrange interpolation theorem, a degree-two polynomial $f_{P_1}(x)$ can be obtained by interpolating on the points $(1, K_{A1})$, $(2, K_{B1})$ and $(4, K_{D1})$ (where 1, 2, 4 are the order numbers of A, B, D, respectively). $f_{P_1}(x)$ is transmitted to $P_1$ secretly. Finally, $P_1$ keeps only a secret polynomial rather than three shares. This procedure is repeated until all minimal authority subgroups in $G_0$ are associated with a polynomial.

Our scheme can be used in a more extensive situation where more than one secret should be shared in P, such as $K_1, K_2, \ldots, K_m$. If the methods in [7–9] are adopted, the participants must be assigned many different shares of different secrets. This is because some minimal authority subgroups have connections when they are used to produce the shares for the participants, while our scheme has no such relations. So our scheme can be conveniently used in the situation where there is more than one secret. Suppose $G_0^*$ includes all the minimal authority subgroups of $G_{0i}$ $(i = 1, 2, \ldots, m)$, where $G_{0i}$ denotes the set of all the minimal authority subgroups of the secret $K_i$. If some minimal authority subgroups connect with different secrets, then even if the participants are the same, we still regard them as different minimal authority subgroups. All the minimal authority subgroups in $G_0^*$ are assigned an order number. Then, using our scheme, each participant is assigned a polynomial. So no matter how many secrets there are in the system and how many minimal authority subgroups a participant belongs to, each participant only needs to keep one polynomial secretly.

Fig. 1. The shares owned by each participant.

A simple example: Let $P = \{P_1, P_2, \ldots, P_5\}$, and let there be two secrets $K_1$, $K_2$ with $G_{01} = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_3, P_4\}, \{P_1, P_4, P_5\}\}$ and $G_{02} = \{\{P_1, P_2\}, \{P_1, P_3\}\}$. So $G_0^* = \{\{P_1, P_2\}_{G_{01}}, \{P_2, P_3\}, \{P_3, P_4\}, \{P_1, P_4, P_5\}, \{P_1, P_2\}_{G_{02}}, \{P_1, P_3\}\}$. Assign an order number to each minimal authority subgroup in $G_0^*$, such as 1, 2, 3, 4, 5, 6. The related shares are assigned to the participants in the minimal authority subgroups as shown in Fig. 2. By interpolating on the points $(1, K_{11})$, $(4, K_{41})$, $(5, K_{51})$, $(6, K_{61})$, a degree-three polynomial $f_{P_1}(x)$ can be obtained by the Lagrange interpolation theorem. $f_{P_1}(x)$ is transmitted to $P_1$ secretly. Finally, $P_1$ keeps only a secret polynomial rather than four shares. This procedure is repeated until all participants in $G_0^*$ are associated with a secret polynomial.

Note: 0 denotes not belonging to the related minimal authority subgroup.
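The two-secret example above, worked through in Python as an added example (not code from the paper). Assumptions: arithmetic is over a prime field with modulus P = 2^127 − 1 (the note does not fix a field), participant P_i uses x-coordinate i in every subgroup polynomial as in the Ed–Diane description, and the function names and sample secrets are constructed for illustration.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumption: the note does not fix a field)

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest-degree coefficient first) at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def interpolate(points):
    """Lagrange interpolation mod P; returns coefficients, lowest degree first."""
    result = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # multiply the basis polynomial by (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k, b in enumerate(basis):
            result[k] = (result[k] + scale * b) % P
    return result

def deal(secret_of, groups):
    """One (s,s) Shamir polynomial per subgroup, then one polynomial per participant."""
    points = {}
    for order, (name, members) in enumerate(groups, start=1):
        # f(x) = K + a1*x + ... + a_{s-1}*x^{s-1}, with s = len(members)
        f = [secret_of[name]] + [secrets.randbelow(P) for _ in members[1:]]
        for i in members:
            points.setdefault(i, []).append((order, poly_eval(f, i)))
    return {i: interpolate(pts) for i, pts in points.items()}

def recover(stored, order, members):
    """Members evaluate their polynomial at the order number, then rebuild K = f(0)."""
    shares = [(i, poly_eval(stored[i], order)) for i in members]
    return interpolate(shares)[0]

# Constructed sample secrets; subgroups listed in order-number sequence 1..6.
SECRETS = {"K1": 123456789, "K2": 987654321}
G0_STAR = [("K1", [1, 2]), ("K1", [2, 3]), ("K1", [3, 4]), ("K1", [1, 4, 5]),
           ("K2", [1, 2]), ("K2", [1, 3])]

if __name__ == "__main__":
    stored = deal(SECRETS, G0_STAR)
    print(len(stored[1]), recover(stored, 4, [1, 4, 5]), recover(stored, 5, [1, 2]))
```

In this run the polynomial stored by P_1 has four coefficients, the same number of field elements as the four shares it encodes, and a participant must know the order number of a subgroup to re-derive the matching share.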

2. Conclusion

In this research note, we give a new method to realize GSSS. The group participants need not store several shares, only one interpolating polynomial. Moreover, it suits the broader situation in which several secrets are shared in the system, which the methods in [7–9] cannot handle.

References

[1] A. Shamir, How to share a secret, Comm. ACM 22 (11) (1979) 612–613.

[2] G.R. Blakley, Safeguarding cryptographic keys, Proc. AFIPS 1979 Natl. Comput. Conf., New York 48 (1979) 313–317.

[3] E.D. Karnin, J.W. Greene, J.L. Massey, On secret sharing systems, IEEE Trans. Inform. Theory IT-29 (1) (1983) 35–41.

[4] Y. Desmedt, Y. Frankel, Threshold cryptosystems: advances in cryptology-CRYPTO’89, Lecture Notes in Computer Science, Springer, New York, 1989, pp. 307–315.

[5] D.R. Stinson, An explication of secret sharing schemes, Des. Codes Crypt. 2 (1992) 357–390.

[6] H.M. Sun, S.P. Shieh, Construction of dynamic threshold schemes, Electronics Lett. 30 (24) (1994) 2023–2024.

[7] E. Dawson, D. Donovan, The breadth of Shamir’s secret sharing scheme, Comput. Security 13 (1995) 69–78.

[8] J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions: advances in cryptology-CRYPTO’88, Lecture Notes in Computer Science, Springer, Berlin, 1990, pp. 27–35.

[9] C.C. Chang, H.C. Lee, A new generalized group-oriented cryptoscheme without trusted centers, IEEE Journal on Selected Areas in Communications 11 (5) (1993) 725–729.


Fig. 2. The shares owned by each participant.