# Secret Sharing Scheme based on Chinese reminder theorem and polynomials interpolation

(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 9, No. 11, November 2011
ISSN 1947-5500

Secret Sharing Scheme based on Chinese reminder theorem and polynomials interpolation

Qassim AL Mahmoud
Faculty of Mathematics and Computer Science
The University of Bucharest, Romania
qassim_oudat@yahoo.com

Abstract: The concept of secret sharing is necessary for building a security system that saves and retrieves information in a way that avoids its loss or theft and strengthens the security infrastructure. Secret sharing schemes can be used wherever access to an important resource has to be restricted. When considering the concept of a secret, one must take into account the group of people selected as the group authorized to build the secret sharing, dividing this group into subsets such that each subset can retrieve the private secret. This paper builds a scheme that combines the Chinese remainder theorem and polynomial interpolation, depending on the two famous threshold secret sharing schemes, Mignotte's scheme and Shamir's scheme respectively, in order to produce a flexible and extensible framework for secret sharing.

Keywords: secret sharing scheme, threshold secret sharing scheme, Shamir secret sharing, Mignotte secret sharing.

I. Introduction

The most important property of secret sharing is that it is secret: it preserves the secret from being lost or stolen, and it builds a system that is not based on dictatorship (i.e. one that does not rely only on a single person who owns a secret in order to access the information stored in the database).

From this point, the concept of secret sharing is necessary for building a security system that saves and retrieves information while avoiding its loss or theft, and that strengthens the security infrastructure. In this way we cover all the security states of the access paths. To illustrate this, let us consider the banking system as a simple example, where it is necessary to secure (save and store) customers' information from the staff themselves. The problem is that allowing employees to access such information in order to make modifications requires knowing the secret, but at the same time that secret cannot be given to all staff in the bank. In addition, giving the secret to the bank's manager is not practical, as his presence is not always available to grant the employees access at any moment it is needed. Even though the president's presence always makes an effective and safe way to access information (because of the occurrence of any urgent matter), the president may nevertheless lose the secret, which would cause the loss of important information. To prevent information loss, it is necessary to think of a more secure access to information without relying only on a single person.

What is the concept of secret sharing? And how can this application be secured? Many such questions will be answered by this research paper.

Secret sharing schemes were introduced by Blakley [1] and Shamir [2] independently as a solution for safeguarding cryptographic keys. Secret sharing schemes can be used wherever access to an important resource has to be restricted. When considering the concept of a secret, one must take into account the group of people selected as the group authorized to build the secret sharing, dividing this group into subsets such that each subset can retrieve the private secret. In fact this is the definition of an access structure, and in this research the mathematical concept of access structure will be presented. In order to understand secret sharing, let us look at the secret: from it we can derive information, called shares or shadows, that is distributed to the group so that only a fixed number $t$ of people (or more) may restore that secret. Fewer than the required number of people ($t-1$) should not be able to learn anything about that secret; this is called a threshold secret sharing scheme.

Secret sharing has two algorithms: the first is the share generation algorithm, which distributes the shares to the participants, and the second is the reconstruction algorithm for the secret.

The two most important schemes that depend on the threshold concept are Shamir's secret sharing scheme and Mignotte's scheme. Shamir's generation algorithm is based on polynomials in order to distribute shares to the participants, and its reconstruction algorithm is based on polynomial interpolation. Mignotte's threshold secret sharing scheme is based on the Chinese remainder theorem in both the generation and the reconstruction algorithm, using special properties of prime numbers from number theory. Through our understanding of these two schemes we can present our approach, which is made evident in this research. We will then see how our scheme generates the shares for all participants in the generation algorithm based on the Chinese remainder theorem, and how the reconstruction algorithm recovers the secret depending on polynomial interpolation.

In the rest of this chapter we will present the concept of access structure and some of the basic results about the Chinese remainder theorem. The second chapter will cover the previous studies, which are divided into two studies: the first study explains the threshold Shamir secret sharing scheme, and the second study explains Mignotte's threshold secret sharing scheme. In the third chapter we offer a presentation of our scheme, illustrated by an example with artificially small parameters. Chapter four is the conclusion for our scheme.

A. Access structure

Let $X = \{1, 2, \dots, n\}$ be the set of users. The access structure $\Gamma \subseteq \mathcal{P}(X)$ is the set of all qualified subsets. We give bounds on the amount of information (shares) for each participant, and then apply this to construct computational schemes for general access structures. The size of the shares each participant must hold in our schemes is nearly minimal.

For $\{1, 2, \dots, n\}$ let us consider a set of groups $\Gamma \subseteq \mathcal{P}(X)$. The (authorized) access structure of a secret sharing scheme is the set of all groups which are designed to reconstruct the secret. The elements of the access structure will be referred to as the authorized groups (sets) and the rest are called unauthorized groups (sets). Saito and Nishizeki have remarked [3] that any access structure must satisfy the natural condition that if a group can recover the secret, so can any larger group; Benaloh and Leichter [4] called such access structures monotone. The unauthorized access structure is well specified by the set of the maximal unauthorized groups.

In secret sharing schemes the number of participants in the reconstruction phase is what matters for recovering the secret. Such schemes have been referred to as "threshold secret sharing schemes."

Definition 1: Let $n \ge 2$, $2 \le k \le n$. The access structure $\Gamma = \{A \in \mathcal{P}(\{1, 2, \dots, n\}) \mid |A| \ge k\}$ will be referred to as the $(k, n)$-threshold access structure.

In case $\Gamma = \{\{1, 2, \dots, n\}\}$, a $\Gamma$-secret sharing scheme will be referred to as a unanimous consent secret sharing scheme of rank $n$. In these schemes, the presence of all users is required in order to recover the secret. A unanimous consent secret sharing scheme of rank $n$ is equivalent to an $(n, n)$-threshold secret sharing scheme and, thus, any $(n, n)$-threshold secret sharing scheme can be used in order to realize unanimous consent; for more details the reader may consult [5], [6].

B. Chinese Remainder Theorem (CRT)

The Chinese Remainder Theorem gives solutions to systems of congruences with relatively prime moduli. The solution to such a system may be produced using a formula, by computing modular inverses, or using an iterative procedure involving successive substitution. The theorem says that certain systems of simultaneous congruences with different moduli have solutions. The idea embodied in the theorem was apparently known to Chinese mathematicians a long time ago, hence the name.

We will begin by collecting some useful lemmas, stated without proof, to help in understanding the CRT [7].

Lemma 1. Let $m$ and $a_1, \dots, a_n$ be positive integers. If $m$ is relatively prime to each of $a_1, \dots, a_n$, then it is relatively prime to their product $a_1 \cdots a_n$.

We recall that the greatest common divisor $(a, b)$ of $a$ and $b$ is greatest in the sense that it is divisible by any common divisor of $a$ and $b$. The next result is the analogous statement for least common multiples.

Lemma 2. Let $m$ and $a_1, \dots, a_n$ be positive integers. If $m$ is a multiple of each of $a_1, \dots, a_n$, then $m$ is a multiple of $[a_1, \dots, a_n]$.

Lemma 3. Let $a_1, \dots, a_n$ be positive integers. If $a_1, \dots, a_n$ are pairwise relatively prime (that is, $(a_i, a_j) = 1$ for $i \ne j$), then $[a_1, \dots, a_n] = a_1 \cdots a_n$.

Theorem 1 (The Chinese Remainder Theorem (CRT)). Suppose $p_1, \dots, p_n$ are pairwise relatively prime (that is, $(p_i, p_j) = 1$ for $i \ne j$). Then the system of congruences

$$
\begin{aligned}
x &\equiv a_1 \pmod{p_1} \\
x &\equiv a_2 \pmod{p_2} \\
&\;\;\vdots \\
x &\equiv a_n \pmod{p_n}
\end{aligned}
$$

has a unique solution modulo $p_1 \cdots p_n$.

II. Previous Study

The previous studies are divided into two sections: the first section explains the threshold Shamir secret sharing scheme [8], based on polynomial interpolation, and the second section explains Mignotte's threshold secret sharing scheme, based on the CRT [9].

A. Threshold Shamir Secret Sharing Scheme
A. Threshold Shamir Secret Sharing Scheme


In this section, we first review Shamir's threshold secret sharing scheme. Then we will mention some important definitions about Shamir's secret sharing scheme.

In Shamir's $(t, n)$ scheme, based on the Lagrange interpolating polynomial, there are $n$ shareholders, $P = \{P_1, \dots, P_n\}$, and a dealer $D$. The scheme consists of two algorithms:

Share generation algorithm: the dealer $D$ first picks at random a polynomial $f(x)$ of degree $t-1$, $f(x) = a_0 + a_1 x + \dots + a_{t-1} x^{t-1}$, in which the secret is $s = a_0$ and all coefficients $a_0, a_1, \dots, a_{t-1}$ are in a finite field $\mathbb{F}_p = GF(p)$ with $p$ elements, where $s < p$, and $D$ computes $s_1 = f(1),\ s_2 = f(2),\ \dots,\ s_n = f(n)$. Then $D$ outputs a list of $n$ shares, $(s_1, s_2, \dots, s_n)$, and distributes each share privately to the corresponding shareholder.

Secret reconstruction algorithm: with any $t$ shares $(s_{i_1}, s_{i_2}, \dots, s_{i_t})$, where $A = \{i_1, \dots, i_t\} \subseteq \{1, 2, \dots, n\}$, we can reconstruct the secret $s$ as follows:

$$
s = f(0) = \sum_{i \in A} s_i \left( \prod_{j \in A \setminus \{i\}} \frac{x_j}{x_j - x_i} \right)
$$

We note that the above scheme satisfies the basic requirements of a secret sharing scheme, as follows:
1) with knowledge of any $t$ or more shares, the secret $s$ can be reconstructed;
2) with knowledge of any fewer than $t$ shares, the secret $s$ cannot be reconstructed.

Shamir's scheme is information-theoretically secure since the scheme satisfies these two requirements without making … scheme; readers can refer to the original paper [10].

Definition 2 (Information rate). The information rate of a secret sharing scheme is the ratio between the length, in bits, of the secret and the maximal length of the shares distributed to the shareholders. Let $a$ be the number of bits of the secret and $b = \max_{i \in \{1, \dots, n\}} \{b_i\}$ be the number of bits of the maximal share. The information rate is defined as

$$\rho = \frac{a}{b}.$$

The secret sharing scheme is ideal if $\rho = 1$.

Definition 3 (Perfect threshold secret sharing [11]). We say that a $(t, n)$ threshold secret sharing scheme is perfect if any $t-1$ or fewer shareholders who work together with their corresponding shares cannot get any information, in the information-theoretic sense, about the secret.

Shamir's secret sharing scheme is perfect. If we use entropy to describe this perfect secrecy property of threshold secret sharing schemes, Karnin et al. [12] have shown that in all perfect schemes the length of a share must be larger than or equal to the length of the secret $s$. In other words, the information rate of all perfect schemes is no more than 1.

B. Mignotte's Threshold Secret Sharing Scheme

Mignotte's scheme is the most important threshold secret sharing scheme based on the Chinese remainder theorem. In [13] special sequences of integers are used, referred to as Mignotte sequences.

Definition 4. Let $n$ be an integer, $n \ge 2$, and $2 \le k \le n$. A $(k, n)$-Mignotte sequence is a sequence of pairwise coprime positive integers $p_1 < p_2 < \dots < p_n$ such that

$$\prod_{i=0}^{k-2} p_{n-i} < \prod_{i=1}^{k} p_i.$$

Given a publicly known $(k, n)$-Mignotte sequence, the scheme works as follows:
• The secret $S$ is chosen as a random integer such that $\beta < S < \alpha$, where $\alpha = \prod_{i=1}^{k} p_i$ and $\beta = \prod_{i=0}^{k-2} p_{n-i}$;
• The shares $I_i$ are chosen as $I_i = S \bmod p_i$, for all $1 \le i \le n$;
• Given $k$ distinct shares $I_{i_1}, \dots, I_{i_k}$, the secret $S$ is recovered using the standard Chinese remainder theorem, as the unique solution modulo $p_{i_1} \cdots p_{i_k}$ of the system

$$
\begin{aligned}
x &\equiv I_{i_1} \pmod{p_{i_1}} \\
&\;\;\vdots \\
x &\equiv I_{i_k} \pmod{p_{i_k}}
\end{aligned}
$$

Indeed, the secret $S$ is an integer solution of the above system by the choice of the shadows. Moreover, $S$ lies in $\mathbb{Z}_{p_{i_1} \cdots p_{i_k}}$, because $S < \alpha$. On the other hand, having only $k-1$ distinct shares $I_{i_1}, \dots, I_{i_{k-1}}$, we obtain only that $S \equiv x_0 \pmod{p_{i_1} \cdots p_{i_{k-1}}}$, where $x_0$ is the unique solution.
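The two algorithms of Shamir's scheme reviewed in Section II.A, as an added example in Python (not code from the paper or from Shamir's original work): the dealer evaluates a random polynomial of degree $t-1$ over $GF(p)$, and any $t$ shareholders recover $s = f(0)$ with the Lagrange formula above, the division being done through the modular inverse. The prime $p$, the secret and the fixed sample polynomial $f(x) = 7 + 3x$ over $GF(11)$ used in the test are constructed values; `pow(den, -1, p)` requires Python 3.8 or later.

```python
"""Shamir's (t, n) threshold scheme over GF(p) as reviewed in Section II.A:
share generation by a random degree-(t-1) polynomial and reconstruction by
Lagrange interpolation at x = 0. Added example, not the paper's own code;
p, the secret and the sample polynomial are constructed values."""
from itertools import combinations
import secrets as _rng


def make_shares(s, t, n, p, coeffs=None):
    """Dealer D: f(x) = s + a_1 x + ... + a_{t-1} x^{t-1} with a_i in GF(p),
    returning the points (i, f(i)) for i = 1..n. `coeffs` may fix a_1..a_{t-1}
    (for a reproducible run); otherwise they are drawn at random."""
    if not (2 <= t <= n < p and 0 <= s < p):
        raise ValueError("need 2 <= t <= n < p and 0 <= s < p")
    if coeffs is None:
        coeffs = [_rng.randbelow(p) for _ in range(t - 1)]
    poly = [s] + list(coeffs)

    def f(x):
        return sum(c * pow(x, e, p) for e, c in enumerate(poly)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, p):
    """Lagrange interpolation at 0: s = sum_i s_i * prod_{j != i} x_j / (x_j - x_i),
    with the division carried out by the modular inverse in GF(p)."""
    s = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * xj % p
                den = den * (xj - xi) % p
        s = (s + yi * num * pow(den, -1, p)) % p
    return s


def every_t_subset_recovers(s, t, n, p):
    """Requirement 1) of the text: every choice of t out of the n shares
    gives back the secret."""
    shares = make_shares(s, t, n, p)
    return all(reconstruct(list(sub), p) == s for sub in combinations(shares, t))
```

Running `reconstruct` on fewer than $t$ points still returns a field element, but it is the value of a different polynomial through those points, which is the practical face of requirement 2): the output carries no information about $s$.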

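Theorem 1 and Mignotte's scheme of Section II.B, worked in Python as an added example (not code from the paper, from [7] or from Mignotte's work): `crt` solves the system of congruences of Theorem 1 by modular inverses, which is the routine Mignotte's reconstruction step calls. The sequence $11 < 13 < 17 < 19$ is a constructed $(3, 4)$-Mignotte sequence ($\beta = 17 \cdot 19 = 323 < \alpha = 11 \cdot 13 \cdot 17 = 2431$) and the secret $1000$ is a constructed sample; the residues $(0, 1, 3)$ modulo $(5, 3, 7)$ in the test are the paper's own Section III example.

```python
"""Theorem 1 (CRT) and Mignotte's (k, n) scheme of Section II.B built on it.
Added example, not the paper's or Mignotte's own code. The sequence
11 < 13 < 17 < 19 and the secret 1000 are constructed sample values."""
from math import gcd, prod


def crt(residues, moduli):
    """Unique x in [0, p_1...p_n) with x = a_i (mod p_i) for every i.
    Raises if the moduli are not pairwise coprime (hypothesis of Theorem 1)."""
    for i in range(len(moduli)):
        for j in range(i):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"{moduli[i]} and {moduli[j]} are not coprime")
    M = prod(moduli)
    x = 0
    for a, p in zip(residues, moduli):
        Mi = M // p                      # coprime to p by Lemma 1
        x += a * Mi * pow(Mi, -1, p)     # modular inverse (Python 3.8+)
    return x % M


def mignotte_bounds(seq, k):
    """alpha = p_1...p_k (k smallest), beta = p_{n-k+2}...p_n (k-1 largest);
    seq is a (k, n)-Mignotte sequence exactly when beta < alpha."""
    n = len(seq)
    if not 2 <= k <= n:
        raise ValueError("need 2 <= k <= n")
    if any(seq[i] >= seq[i + 1] for i in range(n - 1)):
        raise ValueError("sequence must be strictly increasing")
    alpha = prod(seq[:k])
    beta = prod(seq[n - (k - 1):])
    if beta >= alpha:
        raise ValueError("not a (k, n)-Mignotte sequence: beta >= alpha")
    return alpha, beta


def mignotte_share(S, seq, k):
    """Shares I_i = S mod p_i, after checking beta < S < alpha."""
    alpha, beta = mignotte_bounds(seq, k)
    crt([0] * len(seq), seq)             # reuses the pairwise-coprime check
    if not beta < S < alpha:
        raise ValueError("secret must satisfy beta < S < alpha")
    return [S % p for p in seq]


def mignotte_recover(shares, moduli):
    """With k (or more) shares the CRT solution modulo their product is S
    itself, because S < alpha <= that product. With only k-1 shares the very
    same call returns x_0 = S mod (p_{i_1}...p_{i_{k-1}}), not S."""
    return crt(shares, moduli)
```

The last assertion of the test is the "on the other hand" remark of the text made concrete: two of the four shares pin $S$ down only modulo $17 \cdot 19 = 323$, and the value the solver returns ($31$) is not the secret.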

In order to assure a level of security, $(k, n)$-Mignotte sequences with a large factor must be chosen. Iftene in [14] extended the $(k, n)$-Mignotte sequences to generalized $(k, n)$-Mignotte sequences; in other words, this scheme can be applied not only to coprime numbers, as he extended it to arbitrary positive integers.

III. Secret Sharing Scheme based on (CRT) and polynomials interpolation

Let $P = \{p_1, \dots, p_n\}$ be a set of pairwise prime numbers and let $\{a_1, \dots, a_n\}$ be a set of integers such that the system of congruences of the Chinese remainder theorem is given by

$$
\begin{aligned}
x &\equiv a_1 \pmod{p_1} \\
x &\equiv a_2 \pmod{p_2} \\
&\;\;\vdots \\
x &\equiv a_n \pmod{p_n}
\end{aligned}
$$

This system of equations has a unique solution in $\mathbb{Z}_{p_1 p_2 \cdots p_n}$. This means there exists one and only one solution, and this solution is bounded by $x < \prod_{i=1}^{n} p_i$.

Now, there exist integers $\{q_1, \dots, q_n\}$ corresponding to $\{p_1, \dots, p_n\}$ and $\{a_1, \dots, a_n\}$, respectively, where

$$
\begin{aligned}
x - a_1 &= p_1 q_1 \\
x - a_2 &= p_2 q_2 \\
&\;\;\vdots \\
x - a_n &= p_n q_n
\end{aligned}
$$

and $p_i q_i$ is kept secret for all $i = 1, \dots, n$.

From the system above we can construct an equation of degree $n$ with $n$ solutions, one and only one of which is $x \in \mathbb{Z}_{p_1 p_2 \cdots p_n}$. The form of this equation is

$$(x - a_1)(x - a_2) \cdots (x - a_n) = (p_1 p_2 \cdots p_n)(q_1 q_2 \cdots q_n),$$

which implies the equation of degree $n$:

$$
x^n - C_1 x^{n-1} + C_2 x^{n-2} - C_3 x^{n-3} + \dots \pm C_m x^{n-m} \pm C_{m+1} x^{n-(m+1)} \pm \dots \pm C_n = \prod_{i=1}^{n} p_i q_i \qquad (1)
$$

where the sign $(\pm)$ of the coefficients $C_m$ is taken as follows:

$$
C_m = \begin{cases} +C_m & \text{if } n \text{ is odd} \wedge m \text{ is even} \\ -C_m & \text{if } n \text{ is even} \wedge m \text{ is odd} \end{cases}
$$

and $C_1, C_2, \dots, C_n$ take values as follows:

Now we will construct our scheme as follows. Before starting to construct the algorithms of the scheme we have to define some sets that are important for understanding the scheme.

Let $N = \{1, 2, \dots, n\}$ be the set of users and let $P = \{p_1, \dots, p_n\}$ be the set of pairwise prime numbers defined above. We define $B$ as the set of all subsets of $P$ of size $k$, $k$ being the number of primes in each subset:

$$
B = \{\, A_k \subseteq \{p_1, \dots, p_n\} \mid \forall A_k, B_k \subseteq \{p_1, \dots, p_n\},\ (\exists p_i \in A_k \wedge p_i \notin B_k),\ \forall i \in N,\ 2 \le k \le n \,\}.
$$

This means

$$|B| = \binom{n}{k} = \frac{n!}{k!\,(n-k)!}.$$

We define the secret space $X$ as

$$X = \{\, x \mid x \text{ integer} \wedge \forall A \in B:\ x < \min \prod_{p_i \in A} p_i \,\}.$$

We also define the set $C \subseteq B$ as the set of all sets satisfying the condition of the secret space $X$:

$$C = \{\, A \mid x < \prod_{p_i \in A} p_i,\ A \in B \,\},$$

for the secret $x$ chosen from the secret space $X$.

The share generation algorithm works as follows: any user $i \in N$ has a set of possible shares

$$\{\, (a_i, \prod_{p_i \in A} p_i q_i) \mid \forall A \in B \,\},$$

where $q_i$ corresponds to $a_i$ and $p_i$ respectively, such that $x \equiv a_i \pmod{p_i}$ for all $i = 1, \dots, n$.

We see that any prime $p_i$ may belong to several different sets $A \in B$; this means that every user $i \in N$ has several shares, depending on the position of $p_i \in A$ for all $A \in B$. Then we have to construct the share space $S$ as follows:



                                                         

S = (ai , ∏ pi qi ) / ( ∀i ∈ N ) ∧ ( ∀pi ∈ A ) ∧ ( ∀ A ∈ B )          Imply :
 Pi ∈A
                                                         

a1 = 0                        p1 = 5
a2 = 1                        p2 = 3
S = n × Si
a3 = 3                        p3 = 7
where        S i the number of shares for user i
Then the corresponding            {q , q
1      2   , q 3 } for {a1 , a2 , a3 } and
Define as follow:                                                       { p , p , p } , respectively , it is will be as follow:
1    2    3

                                            
                                                      q1 = 2
S i = (ai , ∏ pi q i ) / ( ∀pi ∈ A ) ∧ ( ∀A ∈ B )  ∀i ∈ N
 Pi ∈A
                                            
                                                      q2 = 3
q3 = 1
Si =[ k ×(n − k )]       ∀ Si the number of shares for                 Now the dealer construct the share space S as follow :
every user.                                                             S = { (0 , 9 0 ), (0, 7 0 ), (1, 9 0 ), (1, 6 3), (3, 7 0 ), (3, 6 3)}

It is important to construct Access structure Γ such as :
S = n × Si = 6

                                                           

Γ= D/ D∈1,...,n} ,∀ ≠ j ∈D/(pi ∧pj )∈A, A∈B ⇔∏ i i =∏ j j 
{
k                                                      The          form            of         shares               as         point
i                              pq       pq
                                                           
        ( a i , y j ) ∀i ∈N , j = 1 to S i .
                                          P∈
i A    Pj ∈A

The dealer distribute the shares for users N = {1, 2, 3} as
The integer k the same integer which we defined in the                 follow :
set ( B ) in up definition, and called the threshold k , and
such this Access structure Γ called ( k , n ) – Threshold               S 1 = {(0,90), (0, 70)}                        S 1 = [ k × (n − k )] = 2
Access structure, and the scheme called ( k , n ) – threshold           S 2 = {(1,90), (1, 63),}                       S 2 = [ k × (n − k ) ] = 2
S 3 = [ k × (n − k ) ] = 2
secret sharing scheme.
The reconstruct algorithm: any distinguish k of users can               S 3 = {(3, 70),(3, 63)}
construct the secret x by applying the equation (*) using               For users {1, 2, 3} , respectively.
their shares and find the solution x, in equation which
Any tow users can reconstruct the secret x by pooling their
construct from (1).
share when the y-axis of their points equal from difference
We illustrate the scheme in below example.
users
Example : (with artificially small parameters) .
Let N = {1, 2, 3} set of users and let P = {5, 3, 7}                     (i.e. reconstruct secret x if and only if (ai ≠ a j ) ∧

Then  n = 3,                                                            (y i = y j ) )
let k = 2 , then The set                                                Let consider {1, 3} users then they have 2 shares with same

B = {{5,3},{5, 7},{3, 7}}                                               yi = y j
n!
B =                =3
k !(n − k )!            The shares from      {1, 3} can reconstruct the secret x
applying the equation (1) by their shares {(0, 70), (3, 70)}
The secret space X = {x / x < min{15, 35, 21}}
Then the users build the equation of degree (2) as what we
X = {x / x < 15}                                    define in previous :
Now let the dealer chose the secret x = 10 then he can                                        ( x − 0)( x − 3) = 70
construct the system of Chinese reminder theorem in order
x 2 − x = 70
to find   {a , a , a } and {q , q
1   2   3        1  , q 3 } as follow :
2
x 2 − 3x − 70 = 0
x ≡ 0 mod 5                                    The       solutions     for             this          equation      are      :
x ≡ 1mod 3                                     x = 10       and x = −7
x ≡ 3mod 7                                     Then the secret it will be a unique solution in                    Z 15 then
x = 10 .
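The dealer and the reconstruction step of Section III, carried through in Python on the paper's own example ($P = \{5, 3, 7\}$, $k = 2$, $x = 10$) as an added example that is not the author's code. The dealer computes $a_i = x \bmod p_i$ and $q_i = (x - a_i)/p_i$, enumerates $B$ as the $k$-subsets of $P$, and hands user $i$ the point $(a_i, \prod_{p_j \in A} p_j q_j)$ for every $A$ containing $p_i$. For reconstruction, the coefficients of $\prod (x - a_i)$ are obtained here by multiplying the factors out (so the signs fall out of the multiplication rather than being read off the sign rule of the text), the right-hand side $y$ is moved across, the integer roots are found through the rational root theorem, and the root inside the secret space $[0, 15)$ is kept, exactly as the example keeps the unique solution in $\mathbb{Z}_{15}$. The helper names are this example's own.

```python
"""Section III scheme: CRT-derived shares, reconstruction by solving the
degree-k polynomial equation (1). Added example, not the author's code.
P = {5, 3, 7}, k = 2, x = 10 are the paper's example parameters."""
from itertools import combinations
from math import gcd, prod


def secret_bound(P, k):
    """Upper bound of the secret space X: the smallest product over any A in B."""
    return min(prod(P[j] for j in A) for A in combinations(range(len(P)), k))


def dealer(P, k, x):
    """Return {user i: S_i}, with S_i = [(a_i, prod_{p_j in A} p_j q_j) for A in B
    containing p_i]. B is the set of all k-subsets of P, indexed by position."""
    n = len(P)
    if not all(gcd(P[i], P[j]) == 1 for i in range(n) for j in range(i)):
        raise ValueError("P must be pairwise coprime")
    if not 0 <= x < secret_bound(P, k):
        raise ValueError("x must lie in the secret space X")
    a = [x % p for p in P]                      # x = a_i (mod p_i)
    q = [(x - a[i]) // P[i] for i in range(n)]  # x - a_i = p_i q_i
    shares = {i + 1: [] for i in range(n)}
    for A in combinations(range(n), k):
        y = prod(P[j] * q[j] for j in A)        # the p_j q_j stay secret, only y is shared
        for j in A:
            shares[j + 1].append((a[j], y))
    return shares


def expand(roots):
    """Coefficients, highest degree first, of prod (x - r) over the given roots."""
    coeffs = [1]
    for r in roots:
        coeffs = coeffs + [0]
        for i in range(len(coeffs) - 1, 0, -1):
            coeffs[i] -= r * coeffs[i - 1]
    return coeffs


def integer_roots(coeffs):
    """All integer roots of a monic integer polynomial (highest degree first):
    a non-zero integer root must divide the constant term."""
    c0 = coeffs[-1]
    if c0 == 0:                                 # x divides the polynomial
        return sorted({0, *integer_roots(coeffs[:-1])})
    cands = set()
    for d in range(1, abs(c0) + 1):
        if c0 % d == 0:
            cands.update((d, -d))
    value = lambda r: sum(c * r ** e for e, c in enumerate(reversed(coeffs)))
    return sorted(r for r in cands if value(r) == 0)


def reconstruct(pooled, bound):
    """pooled: (a_i, y) points of k distinct users whose y agree, i.e. whose
    primes lie in the same A. Solve prod (x - a_i) = y (equation (1)) and keep
    the unique root inside the secret space [0, bound). Returns (x, all roots)."""
    ys = {y for _, y in pooled}
    if len(ys) != 1:
        raise ValueError("shares with different y do not come from the same A")
    y = ys.pop()
    coeffs = expand([a for a, _ in pooled])
    coeffs[-1] -= y                             # prod (x - a_i) - y = 0
    roots = integer_roots(coeffs)
    sol = [r for r in roots if 0 <= r < bound]
    if len(sol) != 1:
        raise ValueError(f"expected one root below {bound}, got {roots}")
    return sol[0], roots
```

The test reproduces the share space of the example exactly and the pair $\{1, 3\}$ obtaining roots $-7$ and $10$; it also checks that the other two authorized pairs recover $x = 10$ from their own $y$, and that pooling two shares with different $y$ (which the access structure $\Gamma$ excludes) is rejected rather than silently producing a wrong value.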


In this scheme each user has $k \times (n - k)$ shares. The shares of the same user cannot reconstruct the secret on their own; a user can use one share together with different other users, holding their own different shares, to reconstruct the secret. In addition, in future study we can develop this scheme for many further features of secret sharing (for example, we can realize compartmented access structures, or use it for a verifiable secret sharing scheme, etc.).

The security of this scheme depends on the hardness of the factorization problem, so choosing a large number of shares makes the scheme more secure.

IV. Conclusion

The main idea of this paper is to build a scheme combining the Chinese remainder theorem and interpolation polynomials, depending on the two famous threshold secret sharing schemes, Mignotte's scheme and Shamir's scheme respectively. Obviously it is secure as long as the factorization problem is hard, so it is a computationally secure scheme; for this reason, in future study we want to make this scheme more secure.

References
[1] A. Shamir. How to share a secret. Communications of the ACM, 1979.
[2] G. R. Blakley. Safeguarding cryptographic keys. In National Computer Conference, 1979, volume 48 of American Federation of Information Processing Societies Proceedings, 1979.
[3] M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. In Proceedings of the IEEE Global Telecommunications Conference, Globecom '87, pages 99–102. IEEE Press, 1987.
[4] J. Benaloh and J. Leichter. Generalized secret sharing and monotone functions. In S. Goldwasser, editor, Advances in Cryptology: CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 27–35. Springer-Verlag, 1989.
[5] E. D. Karnin, J. W. Greene, and M. E. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, IT-29(1):35–41, 1983.
[6] Sorin Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 2–5, 2007.
[7] Johannes A. Buchmann. Introduction to Cryptography (second edition), pages 51–54. Springer, 2004.
[8] Sorin Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 12–14, 2007.
[9] Sorin Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 14–16, 2007.
[10] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[11] A. J. Menezes, P. C. Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, Oct. 1996.
[12] E. D. Karnin, J. W. Greene, and M. E. Hellman. On Secret Sharing Systems. IEEE Trans. on Information Theory, 29(1):35–40, 1983.
[13] M. Mignotte. How to share a secret. In T. Beth, editor, Cryptography: Proceedings of the Workshop on Cryptography, Burg Feuerstein, 1982, volume 149 of Lecture Notes in Computer Science, pages 371–375. Springer-Verlag, 1983.
[14] Sorin Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 15–16, 2007.