A Verifiable Secret Sharing Scheme with no Secure Channels

안전한 채널이 없는 검증 가능한 다중 비밀 공유 방식

Abstract

A (t,n) threshold secret sharing scheme is the scheme which allows a trusted party to distribute the shares among n participants in such a way that any t of them can recover the original secret, but any group knowing only t-1 or fewer shares can not. Recently, Eslami et al. and Tadayon et al. proposed threshold multi-secret sharing schemes, respectively. They proposed that their schemes don't require secure channels. But, without secure channels in their schemes, everyone can get the shares and find the secrets. The proposed scheme does not use secure channels and only t participants can solve the equations of the system from the delivered share shadows and find the secrets.

(t,n) 임계 비밀 공유 방식은 한 신뢰 기관이 n명의 참가자에게 각 할당 값를 나누어 주면 이 중 t명의 참가자들의 할당 값으로 비밀 값을 계산하는 방식이다. 최근 Eslami 등과 Tadayon 등은 한 임계 검증 가능한 다중 비밀 공유방식을 각각 제안 했는데, 그들의 방식이 안전한 채널을 사용하지 않는다고 했으나, 안전한 채널이 없다면 누구나 할당 값을 가질 수 있고 비밀 값을 구할 수 있다. 본 논문에서 제안된 방식은 안전한 채널을 사용하지 않고, 전송된 메시지로부터 t명의 컴바이너들만 필요한 값을 구해 시스템의 방정식을 풀 수 있고 비밀 값들을 구할 수 있다.

I. Introduction

Secret sharing schemes are cryptographic procedures to share a secret among a set of participants such that only authorized subsets can recover the secret. Such schemes were independently introduced by Shamir[1] and Blakley[2] to safeguard cryptographic keys from loss. Recently, secret sharing schemes have found applications in diverse areas such as access control systems, e-voting schemes and digital cash protocols.

The (t,n)-threshold secret sharing scheme which allows a trusted party(called the dealer) to distribute the shares among n participants in such a way that any t of them can recover the original secret, but any group knowing only t-1 or fewer shares can not. Shamir’s scheme, which is based on polynomial interpolation, and Blakley’s scheme, based on the intersection of affine hyperplanes, are examples of such schemes.

Chor et al.[3] proposed a verifiable secret sharing scheme. He and Dawson[4] proposed a multi-secret sharing scheme(MSS) where several secrets can be shared. A verifiable multi-secret sharing scheme(VMSS) can verify the validity of the shares.

Elliptic curves and bilinear maps have been used in providing the verifiability [5-9]. Shi et al.[5] proposed a multi-secret sharing scheme based on the signed factorial expansion, where the secret information and the shares are delivered over secure channels. Chen et al.[6] proposed a threshold secret sharing scheme, where the participants can compute the shares by the public value over the public bulletin. But, a secure channel is used in the secret reconstruction phase. Wang et al.[7] proposed a verifiable threshold multi-secret sharing scheme, where a secure channel is used, too.

Recently, Eslami et al.[8] modified Wang et al.’s scheme and proposed a threshold multi-secret sharing scheme. They proposed that their scheme does not require a secure channel. But, without secure channels in their scheme, everyone can get the shares and find the secrets. Only t participants must be able to find the secrets. Tadayon et al.[9] proposed a verifiable multi-secret sharing scheme. They also proposed that their scheme does not need a secure channel. Their proposition is incorrect for the same reason as Eslami et al.’s scheme. Dong et al.[10] proposed a multi-secret sharing scheme based on general linear groups, where a secure channel between the dealer and participant is no longer needed. But a secure channel is still used in secret reconstruction phase. Though many secret sharing schemes do not use secure channels between the dealer and the participants, they use impractical secure channels among t participants in the secret reconstruction phase. However, the proposed scheme does not require a secure channel in all phases and only t participants can solve the equations of the system from the delivered share shadows and find the secrets.

II. Technical Backgrounds

2.1 Elliptic Curve

Let p be a prime number. An elliptic curve over GF(p) (finite field with p elements) is the set of solutions (x,y)∈GF(p)×GF(p) of the equation y² ≡ x³ +ax + b mod p such that a,b∈GF(p) are constants with 4a³ +27b² ≠ 0 mod p (together with a point ο that is named point at infinity).

The above set with a particular operator “+” forms an abelian group of order q denoted by E(GF(p)) and called an elliptic curve group[11].

2.2 Discrete Logarithm problem on Elliptic Curves

Given P,Q∈E(GF(p)) such that kP = Q there is no polynomial time algorithm to determine k[11].

2.3 Bilinear Maps

Let G₁ be an additive group generated by P, whose order is a prime q, and G₂ be a multiplicative group of the same order q. Let e : G₁☓G₁→G₂ be a mapping which satisfies the following properties:

1. Bilinear :

e(P₁ +P₂,Q) = e(P₁,Q)e(P₂,Q),

e(P,Q₁ +Q₂) = e(P,Q₁)e(P,Q₂),

e(aP,bQ) = e(P,Q)^ab where a,b∈# ,P,Q∈G₁.

2. Non-degenerate : There exists P∈G₁ such that e(P,P) ≠ 1.

3. Computability : There is an efficient algorithm to compute e(P,Q) for all P,Q∈G₁.

III. Review Of Chen et al.’s Scheme

They proposed a dynamic threshold secret sharing scheme[6] using bilinear maps.

Table 1. shows the notations used in this paper.

Table 1. The notations

3.1 Initialization Phase

The dealer publishes <q,G₁,G₂,P,e,h> on the bulletin. A participant U_i(1≤i≤n) picks a random integer r_i∈# and submits P_i = r_iP to the dealer. The dealer ensures that P_i≠P_j where i≠j in order to keep different participants from using the same secret key and publishes P_i(1≤i≤n) on the bulletin.

3.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer r∈# and computes the shared secret s = h(rP) and publishes sP on the bulletin.

2. Constructs the matrix M_{(n+1-t)×(n+1)} :

#(1)

3. Constructs the column vector matrix A with the secret:

A = [rP,sP₁,sP₂,...,sP_n]^T .

4. Publishes <g, C₀, ..., C_{n -t}> where

#(2)

3.3 Secret Reconstruction and Verification Phase

The system (2) is a system of n+1-t linear equations in n+1 unknowns over G₁. If t-out-of-n participants provide their r_isP, the other n+1-t variables could be recovered, including rP. Therefore, the secret s can be obtained by s = h(rP).

1. U_i(1≤i≤t) computes r_isP and securely delivers r_isP to the combiner(one of the participants).

Here, note that secure channels are used among t participants.

2. The combiner receives r_isP and checks if e(r_isP,P) = e(sP,r_iP). This ensures the verifiability of the shares.

3. The combiner can solve the system (2) and can find rP and the secret s.

3.4 Secrets Redistribution Phase

The dealer chooses a new threshold t′ , a new secret s′ , and computes new auxiliary information from participants’ public keys. Then, the dealer publishes the new information on the bulletin.

IV. Review Of Eslami et al.’s Scheme

They proposed a verifiable dynamic threshold multi-secret sharing scheme[8] using bilinear maps.

4.1 Initialization Phase

This phase is same as Chen et al.’s scheme. The dealer publishes <q,G₁,G₂,P, e,h>. A participant U_i(1≤i≤n) picks a random integer r_i∈# and submits P_i =r_iP to the dealer. The dealer publishes P_i and a generator g∈# on the bulletin.

4.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer s∈# and publishes sP.

2. Constructs the matrix M_{(n+m-t)×(n +m)} :

#(3)

Note that the matrix M of Chen et al.’s can be constructed by setting m=1:

3. Computes sP_i together with h(sP_i) and constructs the matrix A with the secrets K_i (1≤i≤m):

A = [h(sP₁), h(sP₂),...,h(sP_n), K₁, ..., K_m]^T .

4. Publishes <sP, C₁, ..., C_{n +m-t}> where

#(4)

4.3 Secret Reconstruction and Verification Phase

Note that (4) is a system of n+m -t linear equations in n+m unknowns over G₂. Therefore, if t of the unknowns of (4) are determined, the system of n+m -t equations and n+m -t unknowns can be solved to recover the m secrets.

Let t participants U_i(1≤i≤t) pool their shares. When the combiner receives r_isP, s/he checks whether e(r_isP,P) = e(sP,r_iP). This ensures the verifiability of the shares.

Here, Eslami et al. proposed that their scheme does not require a secure channel. But, without secure channels in their scheme, everyone can get r_isP and compute h(r_isP) and can find the secrets.

Therefore, their scheme needs secure channels.

4.4 Secret Redistribution Phase

The dealer chooses a new threshold t′, new m′secrets, and the new seed s′ . And then proceeds as secrets distribution phase and finally publishes <s′P,C₁′, ..., C′_n+m′-t′>. They told that their scheme does not need to reconstruct the coefficient matrix (4) and only adds or removes some of its rows and columns.

V. Review Of Tadayon et al.’s Scheme

They proposed a verifiable multi-secret sharing scheme[9] using elliptic curve and Lagrange interpolation.

5.1 Initialization Phase

The dealer publishes <q, G₁,G₂,P,e,h>. A participant U_i(1≤i≤n) picks a random integer r_i∈# and submits P_i = r_iP to the dealer. The dealer publishes P_i on the bulletin.

5.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer s∈# and publishes sP.

2. Computes R_i′ = sr_iP (1≤i≤n).

3. Constructs polynomial f_j(x) of degree (j-1) (1≤j≤k) as follows:

f_j(x) = K_j +d₁x+d₂x² + ... +d_j-1x^j-1mod p.

The m secrets K_j are constructed.

4. Computes V_ji = f_j(ID_i), ID_i are public identities of the participants. And then, computes M_ji = V_ji -h^j(R_i′) (1≤i≤n,1≤j≤k).

5. Publishes M_ji on the public bulletin.

5.3 Secret Reconstruction and Verification Phase

To recover the l th secret, U_j(1≤j≤l) should do the following steps respectively:

1. Computes R_j′ = r_jsP and sends it. When the combiner receives R_j′ , s/he checks whether e(r_jsP,P) = e(sP,r_jP). This ensures the verifiability of the shares.

2. The combiner computes V_lj = M_lj +h(R_j′) using R_j′ and public value M_lj.

3. The combiner computes the secret K_l using Lagrange formula:

#

Here, Tadayon et al. proposed that their scheme does not need a secure channel. But without secure channels, everyone can get R_j′ and compute V_lj using public value M_lj. Finally, everyone can find the secret K_l using public values ID and p. Therefore, their scheme needs secure channels.

5.4 Secret Redistribution Phase

The dealer chooses new values for new secrets, and constructs new polynomials and then chooses new value s∈# and refreshes the value R_i′ and computes new values for M_ji (1≤i≤n,1≤j≤k).

VI. The proposed scheme

The proposed scheme is a verifiable (t,n) threshold multi-secret sharing scheme, which does not use secure channels.

6.1 Initialization Phase

The dealer selects an elliptic curve E defined over GF(p) with order q and a base point P. And then, publishes system parameters <G₁,G₂,P, q, e, h>. A participant U_i(1≤i≤n) picks a random integer r_i∈# and submits r_iP and # to the dealer.

6.2 Secret Distribution Phase

In this phase, the dealer

1. Chooses s∈# and computes sP and computes sr_iP and # and publishes sP, r_iP and # on the public bulletin.

2. Constructs the column vector matrix A with the secrets K_i∈#(1≤i≤m):

A = [h(sr₁P), h(sr₂P) ,...,h(sr_nP),K₁,...,K_m]^T

3. Chooses the threshold t, randomly selects a generator g∈# and constructs the matrix M_{(n +m-t)×(n+m)} :

#(5)

4. Publishes <g,C₁, ...,C_{n +m-t}> where

#(6)

6.3 Secret Reconstruction and Verification Phase

1. U_i(1≤i≤t) computes # (1≤j≤t,i≠j) by multiplying the public value # by r_i. And then, U_i delivers it to the combiner U_j.

2. When the combiner U_j receives #, s/he checks whether e(#, P)= e(r_iP, #), using the public values r_iP and #. This ensures the verifiability of the shares from U_i.

3. Then, U_j multiplies # by r_j and finally finds sr_iP.

Here, because of no secure channels, everyone can get # but the only U_j knowing r_j can find sr_iP from #.

Like Eslami et al.’s scheme, if t of the unknowns of (6) are determined, the system of n+m -t equations and n+m -t unknowns can be solved to recover K_i (1≤i≤m). M is a Vandermonde matrix on distinct elements. Therefore, det(M)≠0 and its inverse can be computed to obtain the secrets. Thus, only t participants can solve the equations of the system and find the secrets K_i with no secure channels.

6.4 Secret Redistribution Phase

This phase is same as Eslami et al.’s scheme.

VII. Security and Discussion

1. The dealer can not cheat the public values.: Each participant U_i(1≤i≤n) submits r_iP and # to the dealer. The dealer does not know r_i and #. And then, the dealer publishes sP, r_iP and # on the public bulletin. U_i can verify r_iP and # by multiplying P by r_i and multiplying sP by r#.

2. A participant can not change his share and send another value to the combiners. : When U_i (1≤i≤t) delivers # (1≤j≤t,i≠j) to the combiners, no one can extract # from #, due to the elliptic curve discrete logarithm problem(ECDLP). The shares provided by participants during the reconstruction phase can be verified so that cheaters are identified by checking e(#,P) = e(r_iP, #) using the public values r_iP and #. This ensures the verifiability of the shares from U_i.

3. The proposed scheme does not require secure channels.: Everyone can get # and verify it. When U_i(1≤i≤t) provides # (1≤j≤t,i≠j) to U_j with no secure channels, only U_j knowing r_j can find sr_iP from # by multiplying # by r_j. Then, (6) is reduced to a system of n+m -t equations and n+m -t unknowns with coefficient matrix M. Thus, only t participants are able to find the secrets.

Table 2. shows the comparison with Eslami et al.’s and Tadayon et al.’s. k(> m) means the number of polynomials.

Table 2. Comparison with Eslami et al.’s and Tadayon et al.’s

The proposed scheme with no secure channels requires more public values than Eslami et al.’s and less than Tadayon et al.’s.

VIII. Conclusion

This paper presents a verifiable (t,n) threshold multi-secret sharing scheme, which does not need impractical secure channels. With no secure channels, the shares can be delivered to the only combiners. Thus, only t participants are able to find the secrets.