A Verifiable Secret Sharing Scheme with no Secure Channels

A Verifiable Multi-Secret Sharing Scheme with no Secure Channels

  • Received : 2014.07.28
  • Accepted : 2014.11.26
  • Published : 2014.12.31

Abstract

A (t,n) threshold secret sharing scheme allows a trusted party to distribute shares among n participants in such a way that any t of them can recover the original secret, but any group knowing only t-1 or fewer shares cannot. Recently, Eslami et al. and Tadayon et al. each proposed a threshold multi-secret sharing scheme and claimed that it does not require secure channels. But without secure channels in their schemes, everyone can obtain the shares and find the secrets. The proposed scheme does not use secure channels, and only t participants can solve the equations of the system from the delivered share shadows and find the secrets.

A (t,n) threshold secret sharing scheme is a scheme in which a trusted authority distributes a share to each of n participants, and the secret value is computed from the shares of t of them. Recently, Eslami et al. and Tadayon et al. each proposed a threshold verifiable multi-secret sharing scheme and stated that their scheme does not use secure channels; however, without secure channels anyone can obtain the shares and compute the secret values. The scheme proposed in this paper does not use secure channels, and only the t combiners can obtain the required values from the transmitted messages, solve the system of equations, and compute the secret values.

I. Introduction

Secret sharing schemes are cryptographic procedures to share a secret among a set of participants such that only authorized subsets can recover the secret. Such schemes were independently introduced by Shamir[1] and Blakley[2] to safeguard cryptographic keys from loss. Recently, secret sharing schemes have found applications in diverse areas such as access control systems, e-voting schemes and digital cash protocols.

A (t,n)-threshold secret sharing scheme allows a trusted party (called the dealer) to distribute shares among n participants in such a way that any t of them can recover the original secret, but any group knowing only t-1 or fewer shares cannot. Shamir’s scheme, which is based on polynomial interpolation, and Blakley’s scheme, based on the intersection of affine hyperplanes, are examples of such schemes.

Chor et al.[3] proposed a verifiable secret sharing scheme. He and Dawson[4] proposed a multi-secret sharing scheme(MSS) where several secrets can be shared. A verifiable multi-secret sharing scheme(VMSS) can verify the validity of the shares.

Elliptic curves and bilinear maps have been used in providing the verifiability [5-9]. Shi et al.[5] proposed a multi-secret sharing scheme based on the signed factorial expansion, where the secret information and the shares are delivered over secure channels. Chen et al.[6] proposed a threshold secret sharing scheme, where the participants can compute the shares by the public value over the public bulletin. But, a secure channel is used in the secret reconstruction phase. Wang et al.[7] proposed a verifiable threshold multi-secret sharing scheme, where a secure channel is used, too.

Recently, Eslami et al.[8] modified Wang et al.’s scheme and proposed a threshold multi-secret sharing scheme. They claimed that their scheme does not require a secure channel. But without secure channels in their scheme, everyone can get the shares and find the secrets, whereas only t participants must be able to find them. Tadayon et al.[9] proposed a verifiable multi-secret sharing scheme and also claimed that it does not need a secure channel. Their claim is incorrect for the same reason as Eslami et al.’s scheme. Dong et al.[10] proposed a multi-secret sharing scheme based on general linear groups, where a secure channel between the dealer and the participants is no longer needed, but a secure channel is still used in the secret reconstruction phase. Though many secret sharing schemes do not use secure channels between the dealer and the participants, they use impractical secure channels among the t participants in the secret reconstruction phase. The proposed scheme, however, does not require a secure channel in any phase, and only t participants can solve the equations of the system from the delivered share shadows and find the secrets.

II. Technical Backgrounds

2.1 Elliptic Curve

Let p be a prime number. An elliptic curve over GF(p) (the finite field with p elements) is the set of solutions (x,y)∈GF(p)×GF(p) of the equation y² ≡ x³ + ax + b (mod p), where a,b∈GF(p) are constants with 4a³ + 27b² ≠ 0 (mod p), together with a point O called the point at infinity.

The above set with a particular operator “+” forms an abelian group of order q denoted by E(GF(p)) and called an elliptic curve group[11].

2.2 Discrete Logarithm problem on Elliptic Curves

Given P,Q∈E(GF(p)) such that kP = Q, there is no polynomial-time algorithm to determine k[11].

2.3 Bilinear Maps

Let G1 be an additive group generated by P, whose order is a prime q, and let G2 be a multiplicative group of the same order q. Let e : G1×G1→G2 be a mapping which satisfies the following properties:

1. Bilinear:

e(P1 + P2, Q) = e(P1,Q)e(P2,Q),

e(P, Q1 + Q2) = e(P,Q1)e(P,Q2),

e(aP, bQ) = e(P,Q)^(ab), where a,b∈# and P,Q∈G1.

2. Non-degenerate: There exists P∈G1 such that e(P,P) ≠ 1.

3. Computability: There is an efficient algorithm to compute e(P,Q) for all P,Q∈G1.

III. Review Of Chen et al.’s Scheme

They proposed a dynamic threshold secret sharing scheme[6] using bilinear maps.

Table 1 shows the notations used in this paper.

Table 1. The notations

3.1 Initialization Phase

The dealer publishes <q,G1,G2,P,e,h> on the bulletin. A participant Ui(1≤i≤n) picks a random integer ri∈# and submits Pi = riP to the dealer. The dealer ensures that Pi≠Pj for i≠j, in order to keep different participants from using the same secret key, and publishes Pi(1≤i≤n) on the bulletin.

3.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer r∈#, computes the shared secret s = h(rP) and publishes sP on the bulletin.

2. Constructs the (n+1-t)×(n+1) matrix M:

#(1)

3. Constructs the column vector matrix A with the secret:

A = [rP, sP1, sP2, ..., sPn]^T.

4. Publishes <g, C0, ..., Cn-t> where

#(2)

3.3 Secret Reconstruction and Verification Phase

The system (2) is a system of n+1-t linear equations in n+1 unknowns over G1. If t out of n participants provide their risP, the other n+1-t variables, including rP, can be recovered. Therefore, the secret s can be obtained as s = h(rP).

1. Ui(1≤i≤t) computes risP and securely delivers it to the combiner (one of the participants).

Here, note that secure channels are used among t participants.

2. The combiner receives risP and checks if e(risP,P) = e(sP,riP). This ensures the verifiability of the shares.

3. The combiner can solve the system (2) and can find rP and the secret s.

3.4 Secrets Redistribution Phase

The dealer chooses a new threshold t′ , a new secret s′ , and computes new auxiliary information from participants’ public keys. Then, the dealer publishes the new information on the bulletin.

IV. Review Of Eslami et al.’s Scheme

They proposed a verifiable dynamic threshold multi-secret sharing scheme[8] using bilinear maps.

4.1 Initialization Phase

This phase is the same as in Chen et al.’s scheme. The dealer publishes <q,G1,G2,P,e,h>. A participant Ui(1≤i≤n) picks a random integer ri∈# and submits Pi = riP to the dealer. The dealer publishes Pi and a generator g∈# on the bulletin.

4.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer s∈# and publishes sP.

2. Constructs the (n+m-t)×(n+m) matrix M:

#(3)

Note that the matrix M of Chen et al.’s scheme is obtained by setting m = 1.

3. Computes sPi together with h(sPi) and constructs the matrix A with the secrets Ki (1≤i≤m):

A = [h(sP1), h(sP2), ..., h(sPn), K1, ..., Km]^T.

4. Publishes <sP, C1, ..., Cn+m-t> where

#(4)

4.3 Secret Reconstruction and Verification Phase

Note that (4) is a system of n+m-t linear equations in n+m unknowns over G2. Therefore, if t of the unknowns of (4) are determined, the remaining system of n+m-t equations in n+m-t unknowns can be solved to recover the m secrets.

Let t participants Ui(1≤i≤t) pool their shares. When the combiner receives risP, s/he checks whether e(risP,P) = e(sP,riP). This ensures the verifiability of the shares.

Here, Eslami et al. claimed that their scheme does not require a secure channel. But without secure channels in their scheme, everyone can get risP, compute h(risP) and find the secrets.

Therefore, their scheme needs secure channels.

4.4 Secret Redistribution Phase

The dealer chooses a new threshold t′, m′ new secrets and a new seed s′, then proceeds as in the secret distribution phase and finally publishes <s′P, C1′, ..., C′n+m′-t′>. They state that their scheme does not need to reconstruct the coefficient matrix of (4) and only adds or removes some of its rows and columns.

V. Review Of Tadayon et al.’s Scheme

They proposed a verifiable multi-secret sharing scheme[9] using elliptic curves and Lagrange interpolation.

5.1 Initialization Phase

The dealer publishes <q,G1,G2,P,e,h>. A participant Ui(1≤i≤n) picks a random integer ri∈# and submits Pi = riP to the dealer. The dealer publishes Pi on the bulletin.

5.2 Secret Distribution Phase

In this phase, the dealer

1. Picks a random integer s∈# and publishes sP.

2. Computes Ri′ = sriP (1≤i≤n).

3. Constructs polynomials fj(x) of degree j-1 (1≤j≤k) as follows:

f_j(x) = K_j + d_1 x + d_2 x^2 + ... + d_{j-1} x^{j-1} mod p.

The m secrets Kj are the constant terms of these polynomials.

4. Computes Vji = fj(IDi), where the IDi are the public identities of the participants, and then computes Mji = Vji - hj(Ri′) (1≤i≤n, 1≤j≤k).

5. Publishes Mji on the public bulletin.

5.3 Secret Reconstruction and Verification Phase

To recover the l-th secret, each Uj (1≤j≤l) performs the following steps:

1. Computes Rj′ = rjsP and sends it to the combiner. When the combiner receives Rj′, s/he checks whether e(rjsP,P) = e(sP,rjP). This ensures the verifiability of the shares.

2. The combiner computes Vlj = Mlj + h(Rj′) using Rj′ and the public value Mlj.

3. The combiner computes the secret Kl using Lagrange formula:

#

Here, Tadayon et al. claimed that their scheme does not need a secure channel. But without secure channels, everyone can get Rj′ and compute Vlj from the public value Mlj. Finally, everyone can find the secret Kl using the public values ID and p. Therefore, their scheme needs secure channels.
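The distribution and reconstruction steps of 5.2 and 5.3 can be followed in a small scalar model. The Python below is an added example, not code from the paper: the elliptic-curve values Rj′ = rjsP are replaced by constructed byte labels, h() is SHA-256 reduced mod p, and the modulus, identities and secret are constructed. It shows the masking Mji = Vji - h(Ri′), the unmasking at the combiner, and that a polynomial of degree l-1 needs exactly l unmasked shares: with two shares of a degree-2 polynomial the interpolated constant term is not the secret.

```python
# Added example (not from the paper): a scalar toy model of Tadayon et al.'s
# distribution (5.2) and reconstruction (5.3) over Z_p.  The elliptic-curve
# values R_i' = s*r_i*P are replaced by constructed byte labels, and h() is
# SHA-256 reduced mod p.  Modulus, identities and secret are constructed.
import hashlib
import random

P_MOD = 2**61 - 1  # constructed prime modulus for the polynomial arithmetic


def h(label):
    """Stand-in for the paper's hash h(R_i'), mapping a share value into Z_p."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % P_MOD


def eval_poly(coeffs, x):
    """Evaluate a polynomial given low-to-high coefficients, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P_MOD
    return acc


def distribute(secret, degree, ids, share_values, rng):
    """Dealer: f(x) = K + d_1 x + ... + d_degree x^degree with K as constant term;
    V_i = f(ID_i) is masked as M_i = V_i - h(R_i') and published."""
    f = [secret % P_MOD] + [rng.randrange(1, P_MOD) for _ in range(degree)]
    return {i: (eval_poly(f, ids[i]) - h(share_values[i])) % P_MOD for i in ids}


def lagrange_at_zero(points):
    """Recover f(0) from (x, y) pairs over Z_p (the constant term, i.e. the secret)."""
    xs = [x for x, _ in points]
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P_MOD
                den = den * (xi - xj) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total


def reconstruct(public_m, ids, revealed):
    """Combiner: unmask V_i = M_i + h(R_i') for each revealed R_i', then interpolate."""
    points = [(ids[i], (public_m[i] + h(revealed[i])) % P_MOD) for i in revealed]
    return lagrange_at_zero(points)


def demo(shares_revealed):
    """Share one secret in a degree-2 polynomial (so 3 shares suffice) and
    reconstruct from the first `shares_revealed` participants."""
    rng = random.Random(2014)
    ids = {i: 100 + i for i in range(1, 6)}                      # constructed public IDs
    share_values = {i: f"R'_{i} (constructed stand-in for s*r_{i}*P)".encode() for i in ids}
    secret = 123456789
    public_m = distribute(secret, degree=2, ids=ids, share_values=share_values, rng=rng)
    revealed = {i: share_values[i] for i in list(ids)[:shares_revealed]}
    return reconstruct(public_m, ids, revealed)
```

Everything the combiner uses besides the Rj′ values (the Mji, the IDi and p) is public in this model, which is exactly why the paper insists on protecting the Rj′ in transit.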

5.4 Secret Redistribution Phase

The dealer chooses new values for the new secrets, constructs new polynomials, chooses a new value s∈#, refreshes the values Ri′ and computes new values Mji (1≤i≤n, 1≤j≤k).

VI. The proposed scheme

The proposed scheme is a verifiable (t,n) threshold multi-secret sharing scheme, which does not use secure channels.

6.1 Initialization Phase

The dealer selects an elliptic curve E defined over GF(p) with order q and a base point P, and then publishes the system parameters <G1,G2,P,q,e,h>. A participant Ui(1≤i≤n) picks a random integer ri∈# and submits riP and # to the dealer.

6.2 Secret Distribution Phase

In this phase, the dealer

1. Chooses s∈#, computes sP, sriP and #, and publishes sP, riP and # on the public bulletin.

2. Constructs the column vector matrix A with the secrets Ki∈# (1≤i≤m):

A = [h(sr1P), h(sr2P), ..., h(srnP), K1, ..., Km]^T

3. Chooses the threshold t, randomly selects a generator g∈# and constructs the (n+m-t)×(n+m) matrix M:

#(5)

4. Publishes <g, C1, ..., Cn+m-t> where

#(6)

6.3 Secret Reconstruction and Verification Phase

1. Ui(1≤i≤t) computes # (1≤j≤t, i≠j) by multiplying the public value # by ri, and then delivers it to the combiner Uj.

2. When the combiner Uj receives #, s/he checks whether e(#, P) = e(riP, #) using the public values riP and #. This ensures the verifiability of the shares from Ui.

3. Then, Uj multiplies # by rj and finally finds sriP.

Here, since no secure channels are used, everyone can get #, but only Uj, who knows rj, can find sriP from #.
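The delivery step above can be run on a toy curve. The Python below is an added example, not code from the paper, and it encodes our reading of the elided symbols as an assumption: the dealer publishes, for each participant Uj, the point Xj = s·rj^(-1)·P; Ui sends the shadow ri·Xj over a public channel; and Uj recovers sriP by multiplying the shadow by rj. The curve y² = x³ + 2x + 3 over GF(1019), the base point found by brute force, and all scalars are constructed toy values, and the pairing check of step 2 is not modelled. The block also carries out item 1 of Section VII, where Ui recomputes riP and rj^(-1)·sP from the bulletin.

```python
# Added example (not from the paper): a toy elliptic curve over GF(p), as
# defined in Section 2.1, used to model the share delivery of Section 6.3.
# Our reading of the elided symbols (an assumption, not the paper's notation):
# the dealer publishes X_j = s*inv(r_j)*P for each participant, U_i sends the
# shadow r_i*X_j to the combiner U_j over a public channel, and U_j recovers
# s*r_i*P by multiplying the shadow by r_j.  The pairing check is not modelled.
# Curve parameters and all scalars are constructed toy values.
import math
import random

P_FIELD = 1019           # constructed prime with p = 3 (mod 4): square roots are easy
A_COEF, B_COEF = 2, 3    # the curve y^2 = x^3 + 2x + 3 over GF(1019)
INF = None               # the point at infinity
assert (4 * A_COEF**3 + 27 * B_COEF**2) % P_FIELD != 0, "singular curve"

def inv(x):
    return pow(x % P_FIELD, -1, P_FIELD)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A_COEF * x + B_COEF)) % P_FIELD == 0

def add(p1, p2):
    """Group law: chord-and-tangent addition with INF as the identity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return INF                                   # p2 = -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_FIELD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def base_point_and_order(min_order=50):
    """Brute-force a point P and its order q (acceptable only on a toy curve)."""
    for x in range(P_FIELD):
        rhs = (x**3 + A_COEF * x + B_COEF) % P_FIELD
        if pow(rhs, (P_FIELD - 1) // 2, P_FIELD) != 1:
            continue                                 # no point with this x
        pt = (x, pow(rhs, (P_FIELD + 1) // 4, P_FIELD))
        q, cur = 1, pt
        while cur is not INF:
            cur, q = add(cur, pt), q + 1
        if q > min_order:
            return pt, q
    raise ValueError("no suitable base point")

def unit_mod(q, rng):
    """Random scalar in [2, q) coprime to q, i.e. a unit of Z_q."""
    while True:
        r = rng.randrange(2, q)
        if math.gcd(r, q) == 1:
            return r

def dealer_publish(P, q, s, r_list):
    """6.2 step 1 in this model: bulletin holds sP, each r_iP and X_i = s*inv(r_i)*P."""
    return (mul(s, P),
            [mul(r, P) for r in r_list],
            [mul(s * pow(r, -1, q) % q, P) for r in r_list])

def participant_checks_bulletin(P, q, sP, r_i, riP, X_i):
    """Section VII item 1: U_i recomputes r_i*P and inv(r_i)*sP from the bulletin."""
    return mul(r_i, P) == riP and mul(pow(r_i, -1, q), sP) == X_i

def participant_shadow(r_i, X_j):
    """6.3 step 1: U_i multiplies the combiner's public value X_j by its own r_i."""
    return mul(r_i, X_j)

def combiner_unblind(r_j, shadow):
    """6.3 step 3: U_j multiplies the received shadow by r_j to obtain s*r_i*P."""
    return mul(r_j, shadow)

def demo(seed=7):
    """Returns four booleans: bulletin check passes, combiner recovers s*r_i*P,
    the public shadow differs from s*r_i*P, and the shadow is a curve point."""
    rng = random.Random(seed)
    P, q = base_point_and_order()
    s = unit_mod(q, rng)
    r = [unit_mod(q, rng) for _ in range(3)]         # r_1, r_2, r_3 of U_1..U_3
    sP, rP, X = dealer_publish(P, q, s, r)
    i, j = 0, 1                                      # U_1 sends to combiner U_2
    shadow = participant_shadow(r[i], X[j])
    recovered = combiner_unblind(r[j], shadow)
    expected = mul(s * r[i] % q, P)                  # s*r_i*P, meant only for U_j
    return (participant_checks_bulletin(P, q, sP, r[i], rP[i], X[i]),
            recovered == expected,
            shadow != expected,
            on_curve(shadow))
```

The shadow that crosses the public channel is ri·s·rj^(-1)·P; turning it into sriP requires rj, which in this model is exactly what the ECDLP on riP keeps from an observer. A 10-bit field is used only so the order of P can be found by brute force; it offers no security.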

As in Eslami et al.’s scheme, if t of the unknowns of (6) are determined, the remaining system of n+m-t equations in n+m-t unknowns can be solved to recover Ki (1≤i≤m). M is a Vandermonde matrix on distinct elements; therefore det(M)≠0 and its inverse can be computed to obtain the secrets. Thus, only t participants can solve the equations of the system and find the secrets Ki, with no secure channels.
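The "substitute t known entries and solve the square remainder" step that both 4.3 and 6.3 rely on is shown below in a simplified scalar model. This is an added example, not code from the paper: the entries of A and the published C are treated as scalars in Z_q with C = M·A mod q (in the schemes themselves C lives in G1 or G2), the Vandermonde form M[i][j] = (g^(i+1))^j on the distinct nodes g^(i+1) is our assumption, and the modulus, g, share hashes and secrets are constructed. It also shows what happens with only t-1 pooled shares: any guess for a secret completes a consistent solution, so the public values alone do not determine it.

```python
# Added example (not from the paper): the "substitute t known entries and solve
# the square remainder" step of Sections 4.3 and 6.3, in a simplified scalar
# model.  A = [h(s r_1 P), ..., h(s r_n P), K_1, ..., K_m] holds scalars in Z_q
# and the published C is M*A mod q (in the schemes C lives in G1 or G2); the
# assumed Vandermonde form is M[i][j] = (g^(i+1))^j on distinct nodes g^(i+1).
# The modulus, g, hashes and secrets are constructed values.
import random

Q = 2**61 - 1  # constructed prime standing in for the group order q


def vandermonde(rows, cols, g):
    """M[i][j] = x_i^j with x_i = g^(i+1): an (n+m-t) x (n+m) Vandermonde matrix."""
    return [[pow(pow(g, i + 1, Q), j, Q) for j in range(cols)] for i in range(rows)]


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in M]


def solve_mod(M, c):
    """Gauss-Jordan elimination over Z_Q for a square system; None if singular."""
    n = len(M)
    aug = [row[:] + [c[i]] for i, row in enumerate(M)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = pow(aug[col][col], -1, Q)
        aug[col] = [v * scale % Q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % Q for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def reduce_and_solve(M, C, known):
    """Move the known entries of A (index -> value) to the right-hand side and
    solve for the rest.  Returns index -> value for the unknowns, or None when
    the reduced system is not square (too few shares) or singular."""
    unknown = [j for j in range(len(M[0])) if j not in known]
    if len(unknown) != len(M):
        return None
    rhs = [(C[i] - sum(M[i][j] * known[j] for j in known)) % Q for i in range(len(M))]
    sol = solve_mod([[row[j] for j in unknown] for row in M], rhs)
    return None if sol is None else dict(zip(unknown, sol))


def setup(n=5, m=2, t=3, seed=2014):
    """Dealer side: A = hashes of the n shares followed by the m secrets; C = M*A."""
    rng = random.Random(seed)
    hashes = [rng.randrange(1, Q) for _ in range(n)]   # stand-ins for h(s r_i P)
    secrets = [rng.randrange(1, Q) for _ in range(m)]  # K_1..K_m
    M = vandermonde(n + m - t, n + m, 3)               # g = 3 is a constructed node base
    return hashes, secrets, M, matvec(M, hashes + secrets)


def recover_secrets(revealed, n=5, m=2, t=3):
    """Combiner side with `revealed` pooled shares: the m secrets, or None."""
    hashes, secrets, M, C = setup(n, m, t)
    sol = reduce_and_solve(M, C, {i: hashes[i] for i in range(revealed)})
    return None if sol is None else [sol[n + k] for k in range(m)]


def wrong_secret_is_consistent(n=5, m=2, t=3):
    """With only t-1 shares, an arbitrary wrong guess for K_m still yields an
    A' with M*A' = C: the public values do not determine the secret."""
    hashes, secrets, M, C = setup(n, m, t)
    known = {i: hashes[i] for i in range(t - 1)}
    known[n + m - 1] = (secrets[-1] + 1) % Q         # deliberately wrong K_m
    sol = reduce_and_solve(M, C, known)
    if sol is None:
        return False
    a_alt = [known[j] if j in known else sol[j] for j in range(n + m)]
    return matvec(M, a_alt) == C and a_alt != hashes + secrets
```

With t pooled shares the unknown columns are consecutive powers of the nodes, so the reduced matrix is a Vandermonde matrix scaled by nonzero constants and is always invertible; the code nevertheless checks for a zero pivot rather than assuming det ≠ 0, since a generalized Vandermonde minor over a finite field need not be nonsingular for an arbitrary choice of columns.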

6.4 Secret Redistribution Phase

This phase is the same as in Eslami et al.’s scheme.

VII. Security and Discussion

1. The dealer cannot cheat on the public values: Each participant Ui(1≤i≤n) submits riP and # to the dealer. The dealer knows neither ri nor #. The dealer then publishes sP, riP and # on the public bulletin. Ui can verify riP and # by multiplying P by ri and multiplying sP by r#.

2. A participant cannot change his share and send another value to the combiners: When Ui (1≤i≤t) delivers # (1≤j≤t, i≠j) to the combiners, no one can extract # from #, due to the elliptic curve discrete logarithm problem (ECDLP). The shares provided by participants during the reconstruction phase can be verified, so that cheaters are identified, by checking e(#,P) = e(riP, #) using the public values riP and #. This ensures the verifiability of the shares from Ui.

3. The proposed scheme does not require secure channels: Everyone can get # and verify it. When Ui(1≤i≤t) provides # (1≤j≤t, i≠j) to Uj with no secure channels, only Uj, who knows rj, can find sriP from # by multiplying # by rj. Then (6) reduces to a system of n+m-t equations in n+m-t unknowns with coefficient matrix M. Thus, only t participants are able to find the secrets.

Table 2 shows the comparison with Eslami et al.’s and Tadayon et al.’s schemes; k (> m) denotes the number of polynomials.

Table 2. Comparison with Eslami et al.’s and Tadayon et al.’s

The proposed scheme, with no secure channels, requires more public values than Eslami et al.’s scheme and fewer than Tadayon et al.’s.

VIII. Conclusion

This paper presents a verifiable (t,n) threshold multi-secret sharing scheme which does not need impractical secure channels. With no secure channels, the shares can be delivered only to the combiners. Thus, only t participants are able to find the secrets.

References

  1. A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612-613, Nov. 1979. https://doi.org/10.1145/359168.359176
  2. G. Blakley, "Safeguarding cryptographic keys," AFIPS Conference Proceedings, 48, pp. 313-317, 1979.
  3. B. Chor and S. Goldwasser, "Verifiable Secret Sharing and achieving simultaneity in the presence of faults," Proc. of 26th IEEE Symposium. FOCS, pp. 383-395, Oct. 1985.
  4. J. He and E. Dawson, "Multistage secret sharing based on one-way function," Electronics Letters, vol.31, no. 19, pp. 1591-1592, Sep. 1994.
  5. R. Shi, H. Zhong and L. Huang, "A (t,n)-Threshold Verified Multi-secret Sharing Scheme based on ECDLP," 8th ACIS International Conference, vol. 2, pp. 9-13, July 2007.
  6. W. Chen, L. Xiang, B. Yuebin and G. Xiaopeng, "A New Dynamic threshold Secret sharing Scheme from bilinear Maps," International Conference on Parallel Processing Workshops, pp. 19-22, Sep. 2007.
  7. S. J. Wang, Y. R. Tsai, and J. J. Shen, "Verifiable threshold scheme in multi-secret sharing distributions upon extensions of ecc," Wireless Personal Communications, Springer, vol. 56, no.1, pp. 173-182, Jan. 2011. https://doi.org/10.1007/s11277-009-9875-0
  8. Z. Eslami and K. Rad, "A New Verifiable Multi-secret sharing Scheme Based on Bilinear Maps," Wireless Personal Communications, Springer, vol. 63, no. 2, pp. 459-467, March 2012. https://doi.org/10.1007/s11277-010-0143-0
  9. M. H. Tadayon, H. Khanmohammadi, and S. Arabi, "An attack on a dynamic multi-secret sharing scheme and enhancing its security," Electrical Engineering (ICEE), 21st Iranian Conference, pp. 1-5, May 2013.
  10. X. Dong and Y. Zhang, "A Multi-secret sharing scheme based on general linear groups," 3rd International Conference on Information Science and Technology, pp. 480-483, March 2013.
  11. D. R. Stinson, Cryptography Theory And Practice, CRC press, 2006.