(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011
ISSN 1947-5500, http://sites.google.com/site/ijcsis/

Secret Sharing Scheme based on Chinese Remainder Theorem and Polynomial Interpolation

Qassim AL Mahmoud
Faculty of Mathematics and Computer Science, The University of Bucharest, Romania
qassim_oudat@yahoo.com

Abstract: The concept of secret sharing is needed to build a security system that saves and retrieves information so as to avoid its loss or theft and to strengthen the security infrastructure. Secret sharing schemes can be used wherever access to an important resource has to be restricted. The concept of a secret must take into account the group of people selected as the group authorized to reconstruct it, dividing this group into subsets where each subset can retrieve the private confidence. This paper builds a scheme that combines the Chinese remainder theorem and polynomial interpolation, drawing on the two famous threshold secret sharing schemes, Mignotte's scheme and Shamir's scheme respectively, in order to produce a flexible and extensible framework for secret sharing.

Keywords: secret sharing scheme, threshold secret sharing scheme, Shamir secret sharing, Mignotte secret sharing.

I. Introduction

The most important property of secret sharing is that the secret stays secret: it is preserved from being lost or stolen, and the system built on it is not based on dictatorship (i.e. it does not rely only on one person who owns the secret to access the information stored in the database). From this point, the concept of secret sharing is necessary to build a security system that saves and retrieves information so as to avoid its loss or theft and to strengthen the security infrastructure; in this way all the security states of the access paths are covered. To illustrate this, consider the banking system as a simple example, where it is necessary to secure (save and store) customers' information from the staff themselves. The problem is that allowing employees to access such information in order to make modifications requires knowing the secret, but at the same time that secret cannot be given to all staff in the bank. In addition, giving the secret to the bank's manager is not practical, as his presence is not always guaranteed when employees need access. Even though the president's presence always makes for an effective and safe way to access information (because an urgent matter may occur), the president may nevertheless lose the secret, which would cause the loss of important information. To prevent information loss, it is necessary to think of a more secure way to access information without relying on a single person.

What is the concept of secret sharing, and how can this application be secured? Many such questions will be answered by this research paper. Secret sharing schemes were introduced by Blakley [1] and Shamir [2] independently as a solution for safeguarding cryptographic keys. Secret sharing schemes can be used wherever access to an important resource has to be restricted. The concept of a secret must take into account the group of people selected as the group authorized to reconstruct it, dividing this group into subsets where each subset can retrieve the private confidence. In fact this is the definition of an access structure, and the mathematical concept of access structure will be described in this research.

In order to understand secret sharing, let us look at the secret: from it we derive pieces of information, called shares or shadows, that are distributed to the authorized group so that only a fixed number (t) of people (or more) may restore the secret. Fewer than that number of people (t − 1) should not be able to learn anything about the secret; such a scheme is called a threshold secret sharing scheme. Secret sharing has two algorithms: the first is the share generation algorithm, which distributes the shares to the participants, and the second is the secret reconstruction algorithm. The two most important threshold schemes are Shamir's secret sharing scheme and Mignotte's scheme. Shamir's generation algorithm is based on polynomials to distribute the participants' shares, and its reconstruction algorithm is based on polynomial interpolation. Mignotte's threshold secret sharing scheme is based on the Chinese remainder theorem for both the generation and the reconstruction algorithm, using special properties of prime numbers from number theory. Through our understanding of these two schemes we present our approach in this research. We will then see how our scheme generates the shares for all participants in the generation algorithm based on the Chinese remainder theorem, and recovers the secret in the reconstruction algorithm based on polynomial interpolation.

In the rest of this chapter we present the concept of access structure and some basic results about the Chinese remainder theorem. The second chapter covers the previous studies, divided into two parts: the first explains the threshold Shamir secret sharing scheme, and the second explains Mignotte's threshold secret sharing scheme. In the third chapter we present our scheme, illustrated by an example with artificially small parameters. Chapter four is the conclusion.

A. Access structure

Let X = {1, 2, ..., n} be the set of users. The access structure Γ ⊆ P(X) is the set of all qualified subsets. We give bounds on the amount of information (shares) held by each participant and then apply this to construct computational schemes for general access structures; the size of the shares each participant must hold in our schemes is nearly minimal. For {1, 2, ..., n}, consider a set of groups Γ ⊆ P(X): the (authorized) access structure of a secret sharing scheme is the set of all groups which are designed to reconstruct the secret. The elements of the access structure will be referred to as the authorized groups/sets, and the rest are called unauthorized groups/sets. Saito and Nishizeki [3] remarked that any access structure must satisfy the natural condition that if a group can recover the secret, so can any larger group; Benaloh and Leichter [4] called such access structures monotone. The unauthorized access structure is completely specified by the set of the maximal unauthorized groups.

In secret sharing schemes where only the number of participants present in the reconstruction phase matters for recovering the secret, the schemes are referred to as "threshold secret sharing schemes".

Definition 1. Let n ≥ 2 and 2 ≤ k ≤ n. The access structure $\Gamma = \{ A \in P(\{1, 2, \dots, n\}) \mid |A| \ge k \}$ will be referred to as the (k, n)-threshold access structure. In case Γ = {{1, 2, ..., n}}, a Γ-secret sharing scheme will be referred to as a unanimous consent secret sharing scheme of rank n; in these schemes the presence of all users is required in order to recover the secret. A unanimous consent secret sharing scheme of rank n is equivalent to an (n, n)-threshold secret sharing scheme and, thus, any (n, n)-threshold secret sharing scheme can be used to realize unanimous consent; for more details the reader is referred to [5], [6].

B. Chinese Remainder Theorem (CRT)

The Chinese Remainder Theorem gives solutions to systems of congruences with relatively prime moduli. The solution to such a system may be produced using a formula, by computing modular inverses, or using an iterative procedure involving successive substitution. The theorem says that certain systems of simultaneous congruences with different moduli have solutions; the idea embodied in it was apparently known to Chinese mathematicians a long time ago, hence the name. We begin by collecting some useful lemmas, stated without proof, to help in understanding the CRT [7].

Lemma 1. Let m and $a_1, \dots, a_n$ be positive integers. If m is relatively prime to each of $a_1, \dots, a_n$, then it is relatively prime to their product $a_1 \cdots a_n$.

The greatest common divisor (a, b) of a and b is "greatest" in the sense that it is divisible by any common divisor of a and b. The next result is the analogous statement for least common multiples.

Lemma 2. Let m and $a_1, \dots, a_n$ be positive integers. If m is a multiple of each of $a_1, \dots, a_n$, then m is a multiple of $[a_1, \dots, a_n]$.

Lemma 3. Let $a_1, \dots, a_n$ be positive integers. If $a_1, \dots, a_n$ are pairwise relatively prime (that is, $(a_i, a_j) = 1$ for $i \ne j$), then $[a_1, \dots, a_n] = a_1 \cdots a_n$.

Theorem 1 (The Chinese Remainder Theorem (CRT)). Suppose $p_1, \dots, p_n$ are pairwise relatively prime (that is, $(p_i, p_j) = 1$ for $i \ne j$). Then the system of congruences

$$x \equiv a_1 \pmod{p_1},\quad x \equiv a_2 \pmod{p_2},\quad \dots,\quad x \equiv a_n \pmod{p_n}$$

has a unique solution modulo $p_1 \cdots p_n$.

II. Previous Study

The previous studies are divided into two sections. The first section explains the threshold Shamir secret sharing scheme [8], based on polynomial interpolation. The second section explains Mignotte's threshold secret sharing scheme, based on the CRT [9].
A. Threshold Shamir Secret Sharing Scheme

In this section we first review Shamir's threshold secret sharing scheme, and then recall some important definitions related to it. In Shamir's (t, n) scheme, based on the Lagrange interpolating polynomial, there are n shareholders, $P = \{P_1, \dots, P_n\}$, and a dealer D. The scheme consists of two algorithms.

Share generation algorithm: the dealer D first picks at random a polynomial f(x) of degree (t − 1),

$$f(x) = a_0 + a_1 x + \dots + a_{t-1} x^{t-1},$$

in which the secret is $s = a_0$ and all coefficients $a_0, a_1, \dots, a_{t-1}$ are in a finite field $F_p = GF(p)$ with p elements, where $s < p$. D computes $s_1 = f(1),\ s_2 = f(2),\ \dots,\ s_n = f(n)$. Then D outputs a list of n shares, $(s_1, s_2, \dots, s_n)$, and distributes each share to the corresponding shareholder privately.

Secret reconstruction algorithm: with any t shares $(s_{i_1}, s_{i_2}, \dots, s_{i_t})$, where $A = \{i_1, \dots, i_t\} \subseteq \{1, 2, \dots, n\}$, we can reconstruct the secret s as follows:

$$s = f(0) = \sum_{i \in A} s_i \prod_{j \in A \setminus \{i\}} \frac{x_j}{x_j - x_i}.$$

We note that the above scheme satisfies the basic requirements of a secret sharing scheme: 1) with knowledge of any t or more shares, the secret s can be reconstructed; 2) with knowledge of fewer than t shares, the secret s cannot be reconstructed. Shamir's scheme is information-theoretically secure, since it satisfies these two requirements without making any computational assumption. For more information on this scheme, readers can refer to the original paper [10].

Definition 2 (Information rate). The information rate of a secret sharing scheme is the ratio between the length, in bits, of the secret and the maximal length of the shares distributed to the shareholders. Let a be the number of bits of the secret and $b = \max_{i \in \{1, \dots, n\}} \{b_i\}$ be the number of bits of the largest share. The information rate is defined as $\rho = a / b$. The secret sharing scheme is ideal if $\rho = 1$.

Definition 3 (Perfect threshold secret sharing [11]). We say that a (t, n) threshold secret sharing scheme is perfect if any (t − 1) or fewer shareholders who work together with their corresponding shares cannot get any information, in the information-theoretic sense, about the secret.

Shamir's secret sharing scheme is perfect. Using entropy to describe this perfect secrecy property of threshold secret sharing schemes, Karnin et al. [12] have shown that in all perfect schemes the length of a share must be greater than or equal to the length of the secret s. In other words, the information rate of all perfect schemes is at most 1.

B. Mignotte's Threshold Secret Sharing Scheme

Mignotte's scheme is the most important threshold secret sharing scheme based on the Chinese remainder theorem. Mignotte [13] uses special sequences of integers, referred to as Mignotte sequences.

Definition 4. Let n be an integer, n ≥ 2, and 2 ≤ k ≤ n. A (k, n)-Mignotte sequence is a sequence of pairwise coprime positive integers $p_1 < p_2 < \dots < p_n$ such that

$$\prod_{i=0}^{k-2} p_{n-i} < \prod_{i=1}^{k} p_i.$$

Given a publicly known (k, n)-Mignotte sequence, the scheme works as follows:

• The secret S is chosen as a random integer such that $\beta < S < \alpha$, where $\alpha = \prod_{i=1}^{k} p_i$ and $\beta = \prod_{i=0}^{k-2} p_{n-i}$;
• The shares $I_i$ are chosen as $I_i = S \bmod p_i$, for all $1 \le i \le n$;
• Given k distinct shares $I_{i_1}, \dots, I_{i_k}$, the secret S is recovered using the standard Chinese remainder theorem, as the unique solution modulo $p_{i_1} \cdots p_{i_k}$ of the system

$$x \equiv I_{i_1} \pmod{p_{i_1}},\quad \dots,\quad x \equiv I_{i_k} \pmod{p_{i_k}}.$$

Indeed, the secret S is an integer solution of the above system by the choice of the shadows. Moreover, S lies in $\mathbb{Z}_{p_{i_1} \cdots p_{i_k}}$, because $S < \alpha$. On the other hand, having only k − 1 distinct shares $I_{i_1}, \dots, I_{i_{k-1}}$, we obtain only that $S \equiv x_0 \pmod{p_{i_1} \cdots p_{i_{k-1}}}$, where $x_0$ is the unique solution of the reduced system.
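The three algorithms reviewed above, as a worked example added here (this is not code from the paper): a CRT solver for Theorem 1, Shamir's (t, n) scheme over GF(p) with Lagrange interpolation at x = 0 (Section II.A), and Mignotte's (k, n) scheme with the β < S < α check of Definition 4 (Section II.B). The primes, thresholds, polynomial coefficients and secrets below are constructed, artificially small values, and the function names are this example's own. The Mignotte part also exercises the point made at the end of the section: with only k − 1 shares the CRT returns a residue class, not the secret.

```python
# Added example (not the paper's code): CRT (Theorem 1), Shamir (t, n) over GF(p),
# Mignotte (k, n). All numbers are constructed, artificially small demonstration values.
from itertools import combinations
from math import gcd, prod


def crt(residues, moduli):
    """Unique x in [0, prod(moduli)) with x = a_i (mod p_i); moduli pairwise coprime (Lemma 3)."""
    for a, b in combinations(moduli, 2):
        if gcd(a, b) != 1:
            raise ValueError("moduli must be pairwise coprime")
    m = prod(moduli)
    x = 0
    for a_i, p_i in zip(residues, moduli):
        m_i = m // p_i
        x += a_i * m_i * pow(m_i, -1, p_i)  # m_i * inverse(m_i mod p_i) is 1 mod p_i, 0 mod others
    return x % m


# ---- Shamir (t, n) over GF(p) ----
def shamir_share(secret, t, n, p, coeffs):
    """Shares s_i = f(i), f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} in GF(p).
    coeffs are the t-1 random coefficients; they are passed in so the run is reproducible."""
    assert 0 <= secret < p and len(coeffs) == t - 1 and n < p
    poly = [secret] + list(coeffs)

    def f(x):
        return sum(c * pow(x, j, p) for j, c in enumerate(poly)) % p

    return {i: f(i) for i in range(1, n + 1)}


def shamir_reconstruct(shares, p):
    """Lagrange interpolation at x = 0: s = sum_i s_i * prod_{j != i} x_j / (x_j - x_i) in GF(p)."""
    s = 0
    for i, s_i in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * j % p
                den = den * (j - i) % p
        s = (s + s_i * num * pow(den, -1, p)) % p
    return s


# ---- Mignotte (k, n) ----
def mignotte_bounds(seq, k):
    """alpha = p_1 ... p_k and beta = p_n ... p_{n-k+2}; Definition 4 requires beta < alpha."""
    alpha = prod(seq[:k])
    beta = prod(seq[-(k - 1):]) if k > 1 else 1
    return alpha, beta


def mignotte_share(secret, seq, k):
    """Shares I_i = S mod p_i for a secret strictly between beta and alpha."""
    alpha, beta = mignotte_bounds(seq, k)
    assert beta < secret < alpha, "secret must satisfy beta < S < alpha"
    return {p_i: secret % p_i for p_i in seq}


def mignotte_reconstruct(shares):
    """CRT over the pooled shares {p_i: I_i}. With k or more shares the product of the
    moduli exceeds alpha > S, so the CRT solution is S itself; with k-1 shares the product
    is at most beta < S and only S mod (p_{i_1} ... p_{i_{k-1}}) comes back."""
    moduli = list(shares)
    return crt([shares[p] for p in moduli], moduli)


if __name__ == "__main__":
    print("CRT x=0 (5), 1 (3), 3 (7):", crt([0, 1, 3], [5, 3, 7]))
    sh = shamir_share(5, 3, 5, 17, [3, 7])
    print("Shamir shares:", sh, "recovered:", shamir_reconstruct({1: sh[1], 3: sh[3], 5: sh[5]}, 17))
    seq = [11, 13, 17, 19]
    mi = mignotte_share(1000, seq, 3)
    print("Mignotte shares:", mi)
    print("3 shares ->", mignotte_reconstruct({13: mi[13], 17: mi[17], 19: mi[19]}))
    print("2 shares ->", mignotte_reconstruct({11: mi[11], 13: mi[13]}), "(only S mod 143)")
```

In the Shamir functions the share index i doubles as the evaluation point x_i, exactly as in the formula above, and the inverse of the Lagrange denominator is taken in GF(p); in the Mignotte functions the moduli are carried with the shares because the CRT needs them, and the k − 1 share call illustrates why a large gap between β and α is needed for the scheme to hide S.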
In order to assure a level of security, (k, n)-Mignotte sequences with a large factor must be chosen. Iftene [14] extended the (k, n)-Mignotte sequences to generalized (k, n)-Mignotte sequences; in other words, the scheme can be applied not only to coprime numbers but to any positive integers.

III. Secret Sharing Scheme based on CRT and Polynomial Interpolation

Let $P = \{p_1, \dots, p_n\}$ be a set of pairwise coprime numbers and let $\{a_1, \dots, a_n\}$ be a set of integers, such that the system of congruences of the Chinese remainder theorem is given by

$$x \equiv a_1 \pmod{p_1},\quad x \equiv a_2 \pmod{p_2},\quad \dots,\quad x \equiv a_n \pmod{p_n}.$$

This system has a unique solution in $\mathbb{Z}_{p_1 p_2 \cdots p_n}$; that is, there exists one and only one solution such that $x < \prod_{i=1}^{n} p_i$. There exist integers $\{q_1, \dots, q_n\}$ corresponding to $\{p_1, \dots, p_n\}$ and $\{a_1, \dots, a_n\}$ respectively, where

$$x - a_1 = p_1 q_1,\quad x - a_2 = p_2 q_2,\quad \dots,\quad x - a_n = p_n q_n,$$

and $p_i q_i$ is kept secret for all $i = 1, \dots, n$. From this system we can construct an equation of degree n with n solutions, one and only one of which lies in $\mathbb{Z}_{p_1 p_2 \cdots p_n}$; the equation has the form

$$(x - a_1)(x - a_2) \cdots (x - a_n) = (p_1 p_2 \cdots p_n)(q_1 q_2 \cdots q_n),$$

which implies the degree-n equation

$$x^n - C_1 x^{n-1} + C_2 x^{n-2} - C_3 x^{n-3} + \dots \pm C_m x^{n-m} \pm \dots \pm C_n = \prod_{i=1}^{n} p_i q_i. \qquad (1)$$

The sign (±) of a coefficient $C_m$ is taken as follows: $+C_m$ if n is odd and m is even, and $-C_m$ if n is even and m is odd. The coefficients $C_1, C_2, \dots, C_n$ are the ones obtained by expanding the product $(x - a_1)(x - a_2) \cdots (x - a_n)$.

Now we construct our scheme as follows. Before constructing the algorithms of the scheme we have to define some sets that are important for understanding it. Let $N = \{1, 2, \dots, n\}$ be the set of users and let $P = \{p_1, \dots, p_n\}$ be the set of pairwise coprime numbers defined above. We define B as the family of all subsets of P of size k, the number of primes in each set:

$$B = \{\, A \subseteq \{p_1, \dots, p_n\} \mid |A| = k \,\},\quad 2 \le k \le n,$$

where any two distinct members A, A′ of B differ in at least one prime (there is $p_i \in A$ with $p_i \notin A'$). This means

$$|B| = \binom{n}{k} = \frac{n!}{k!\,(n-k)!}.$$

We define the secret space X as

$$X = \{\, x \mid x \text{ integer} \wedge x < \min_{A \in B} \prod_{p_i \in A} p_i \,\}.$$

We also define the set $C \subseteq B$ as the family of all sets satisfying the condition of the secret space X: $C = \{\, A \in B \mid x < \prod_{p_i \in A} p_i \,\}$. The secret x is chosen from the secret space X.

The share generation algorithm works as follows. Any user $i \in N$ has a set of possible shares

$$\Big( a_i,\ \prod_{p_i \in A} p_i q_i \Big)\quad \forall A \in B,$$

where $q_i$ corresponds to $a_i$ and $p_i$ such that $x \equiv a_i \pmod{p_i}$ for all $i = 1, \dots, n$. Any prime $p_i$ may belong to several different sets $A \in B$, which means that every user $i \in N$ has several shares depending on the position of $p_i$ in the sets $A \in B$. Then we construct the share space S as

$$S = \Big\{ \Big( a_i,\ \prod_{p_i \in A} p_i q_i \Big) \ \Big|\ \forall i \in N,\ \forall p_i \in A,\ \forall A \in B \Big\},\qquad |S| = n \times |S_i|,$$

where $|S_i|$ is the number of shares of user i, and $S_i$ is defined as

$$S_i = \Big\{ \Big( a_i,\ \prod_{p_i \in A} p_i q_i \Big) \ \Big|\ \forall p_i \in A,\ \forall A \in B \Big\}\quad \forall i \in N,\qquad |S_i| = k \times (n - k),$$

$|S_i|$ being the number of shares of every user. It is important to construct the access structure Γ as

$$\Gamma = \{\, D \subseteq \{1, \dots, n\} \mid |D| = k,\ \forall i \ne j \in D:\ p_i, p_j \in A \text{ for some } A \in B \,\},$$

which is equivalent to the users in D holding shares with the same product $\prod_{p_i \in A} p_i q_i = \prod_{p_j \in A} p_j q_j$. The integer k is the same integer used in the definition of the set B above; it is called the threshold k, such an access structure Γ is called the (k, n)-threshold access structure, and the scheme is called a (k, n)-threshold secret sharing scheme.

The reconstruction algorithm: any k distinct users can reconstruct the secret x by applying equation (*) with their shares and finding the solution x of the equation built from (1). We illustrate the scheme in the example below.

Example (with artificially small parameters). Let N = {1, 2, 3} be the set of users and let P = {5, 3, 7}; then n = 3. Let k = 2; then the set B = {{5, 3}, {5, 7}, {3, 7}} and $|B| = \frac{n!}{k!(n-k)!} = 3$. The secret space is X = {x | x < min{15, 35, 21}} = {x | x < 15}. Now let the dealer choose the secret x = 10. He constructs the system of the Chinese remainder theorem in order to find $\{a_1, a_2, a_3\}$ and $\{q_1, q_2, q_3\}$ as follows:

$$x \equiv 0 \pmod 5,\quad x \equiv 1 \pmod 3,\quad x \equiv 3 \pmod 7,$$

which implies $a_1 = 0,\ p_1 = 5$; $a_2 = 1,\ p_2 = 3$; $a_3 = 3,\ p_3 = 7$. The corresponding $\{q_1, q_2, q_3\}$ for $\{a_1, a_2, a_3\}$ and $\{p_1, p_2, p_3\}$ respectively are $q_1 = 2,\ q_2 = 3,\ q_3 = 1$. Now the dealer constructs the share space S as follows:

$$S = \{(0, 90), (0, 70), (1, 90), (1, 63), (3, 70), (3, 63)\},\qquad |S| = n \times |S_i| = 6.$$

The shares have the form of points $(a_i, y_j)$, $\forall i \in N$, $j = 1, \dots, |S_i|$. The dealer distributes the shares to the users N = {1, 2, 3} as follows:

$S_1 = \{(0, 90), (0, 70)\}$, $|S_1| = k \times (n - k) = 2$;
$S_2 = \{(1, 90), (1, 63)\}$, $|S_2| = k \times (n - k) = 2$;
$S_3 = \{(3, 70), (3, 63)\}$, $|S_3| = k \times (n - k) = 2$;

for users 1, 2, 3 respectively. Any two users can reconstruct the secret x by pooling shares from different users whose y-coordinates are equal (i.e. the secret x is reconstructed if and only if $a_i \ne a_j$ and $y_i = y_j$). Consider users {1, 3}: they have two shares with the same $y_i = y_j$. The shares of {1, 3} can reconstruct the secret x by applying equation (1) to their shares {(0, 70), (3, 70)}. The users build the equation of degree 2 as defined above:

$$(x - 0)(x - 3) = 70,\qquad x^2 - 3x = 70,\qquad x^2 - 3x - 70 = 0.$$

The solutions of this equation are x = 10 and x = −7. The secret is the unique solution in $\mathbb{Z}_{15}$, hence x = 10.
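The share generation and reconstruction of Section III, run on the example above, as an added example (this is not the paper's own code). It reproduces the share space S = {(0, 90), (0, 70), (1, 90), (1, 63), (3, 70), (3, 63)} for N = {1, 2, 3}, P = {5, 3, 7}, k = 2, x = 10, and recovers x = 10 from the pooled shares {(0, 70), (3, 70)} by finding the unique root of (x − a_i)(x − a_j) = y inside the secret space X. It is written for a general threshold k (a product of k factors), which goes beyond the k = 2 case worked in the example; the function names and the pooling check are this example's own.

```python
# Added example (not the paper's code): the (k, n) scheme of Section III with the paper's
# artificially small parameters N = {1,2,3}, P = {5,3,7}, k = 2, secret x = 10.
from itertools import combinations
from math import gcd, prod


def secret_space_bound(primes, k):
    """The secret space X is {x : x < min over all k-subsets A of P of prod(A)}; return that bound."""
    return min(prod(A) for A in combinations(primes, k))


def generate_shares(x, primes, k):
    """Dealer side. a_i = x mod p_i, q_i = (x - a_i) / p_i, and for every k-subset A that
    contains p_i the user i receives the point (a_i, prod_{p_j in A} p_j q_j).
    Returns {user index: [(a_i, y), ...]} in the order the subsets are enumerated."""
    for a, b in combinations(primes, 2):
        if gcd(a, b) != 1:
            raise ValueError("P must be pairwise coprime")
    if not 0 <= x < secret_space_bound(primes, k):
        raise ValueError("secret lies outside the secret space X")
    a = [x % p for p in primes]                              # CRT residues a_i
    q = [(x - a_i) // p_i for a_i, p_i in zip(a, primes)]    # x - a_i = p_i q_i
    pq = {p_i: p_i * q_i for p_i, q_i in zip(primes, q)}     # the secret factors p_i q_i
    shares = {i: [] for i in range(1, len(primes) + 1)}
    for A in combinations(primes, k):
        y = prod(pq[p] for p in A)
        for p in A:
            i = primes.index(p) + 1
            shares[i].append((a[i - 1], y))
    return shares


def can_pool(pooled, k):
    """Access structure check: k shares from different users (distinct a_i) with the same y.
    Two shares of one user have equal a_i and therefore never qualify."""
    return (len(pooled) == k
            and len({y for _, y in pooled}) == 1
            and len({a for a, _ in pooled}) == k)


def reconstruct(pooled, primes, k):
    """User side. Solve prod_{(a_i, y) in pooled} (x - a_i) = y, i.e. equation (1) with
    the right-hand side prod p_i q_i = y, for its unique integer root in the secret space."""
    if not can_pool(pooled, k):
        raise ValueError("need k shares with pairwise distinct a_i and the same y")
    y = pooled[0][1]
    roots = [x for x in range(secret_space_bound(primes, k))
             if prod(x - a for a, _ in pooled) == y]
    if len(roots) != 1:
        raise ValueError("no unique root inside the secret space")
    return roots[0]


if __name__ == "__main__":
    primes, k, x = [5, 3, 7], 2, 10
    shares = generate_shares(x, primes, k)
    print("share space:", shares)            # user 1: (0,90),(0,70); 2: (1,90),(1,63); 3: (3,70),(3,63)
    print("users {1,3} ->", reconstruct([(0, 70), (3, 70)], primes, k))
    print("users {2,3} ->", reconstruct([(1, 63), (3, 63)], primes, k))
    print("user 1 alone can pool?", can_pool([(0, 90), (0, 70)], k))
```

The root search runs over the secret space X only, which is what makes the root unique in the example (x = −7 is excluded because it is not in Z_15); the dealer-side check that x lies in X is the same condition applied before shares are issued.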
In this scheme each user has $k \times (n - k)$ shares. The shares of a single user cannot reconstruct the secret on their own; a user can only use one of his shares together with different shares of other users to reconstruct the secret. In future work this scheme can be developed for many other features of secret sharing (for example compartmented access structures, or verifiable secret sharing). The security of this scheme depends on the hardness of the factorization problem, so choosing a large number of shares makes the scheme more secure.

IV. Conclusion

The main idea of this paper is to build a scheme that combines the Chinese remainder theorem and polynomial interpolation, drawing on the two famous threshold secret sharing schemes, Mignotte's scheme and Shamir's scheme respectively. It is secure as long as the factorization problem is hard, so it is a computationally secure scheme; for this reason, in future work we want to make this scheme more secure.

References

[1] A. Shamir. How to share a secret. Communications of the ACM, 1979.
[2] G. R. Blakley. Safeguarding cryptographic keys. In National Computer Conference, 1979, volume 48 of American Federation of Information Processing Societies Proceedings, 1979.
[3] M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. In Proceedings of the IEEE Global Telecommunications Conference, Globecom '87, pages 99–102. IEEE Press, 1987.
[4] J. Benaloh and J. Leichter. Generalized secret sharing and monotone functions. In S. Goldwasser, editor, Advances in Cryptology, CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 27–35. Springer-Verlag, 1989.
[5] E. D. Karnin, J. W. Greene, and M. E. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, IT-29(1):35–41, 1983.
[6] S. Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 2–5, 2007.
[7] J. A. Buchmann. Introduction to Cryptography (second edition), pages 51–54. Springer, 2004.
[8] S. Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 12–14, 2007.
[9] S. Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 14–16, 2007.
[10] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[11] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, October 1996.
[12] E. D. Karnin, J. W. Greene, and M. E. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, 29(1):35–40, 1983.
[13] M. Mignotte. How to share a secret. In T. Beth, editor, Cryptography: Proceedings of the Workshop on Cryptography, Burg Feuerstein, 1982, volume 149 of Lecture Notes in Computer Science, pages 371–375. Springer-Verlag, 1983.
[14] S. Iftene. Secret Sharing Schemes with Applications in Security Protocols. Sci. Ann. Cuza Univ., pages 15–16, 2007.