Secret Sharing for General Access Structure
İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk
Information Security and Cryptology, Ankara, Turkey, May 2010.
Outline
• Multipartite access structure
• Related work:
– Asmuth-Bloom’s (t, n) secret sharing scheme
– Galibus and Matveev (GM) algorithm for polynomial ring in General Access Structure (based on M)
• Proposed method
– Proposed 1: Modified GM algorithm for integer (based on A-B)
– Proposed 2: Splitting-based secret sharing scheme
• Conclusion
Multipartite access structure (1/5)
• The set of players is divided into K disjoint classes P1, P2, …, PK;
• All players of the same class play the same role in the structure.
Multipartite access structure (2/5)
• K-partite can be represented by a set of K-tuple vectors.
• Ex: Γ={(3, 4), (4, 2)}
– Each vector is an authorized combination:
  • (3, 4) is an authorized combination
  • (4, 2) is the other authorized combination
– The ith entry in a vector denotes the required number of participants from Pi in that authorized combination.
  • (3, 4) means at least 3 users from P1 and 4 from P2.
– {(|P1| ≥ 3 and |P2| ≥ 4) or (|P1| ≥ 4 and |P2| ≥ 2)}
Multipartite access structure (3/5)
• Ex: Γ={(3, 4), (4, 2)}, |P1|=|P2|=5, we can find the corresponding set {(2, 5), (5, 1), (3, 3)}
– (3, 4) ∈ Γ: (2,1), (2,2), (2,3), (2,4), (2,5) and (1,3), (2,3), (3,3), (4,3), (5,3)
– (4, 2) ∈ Γ: (3,1), (3,2), (3,3), (3,4), (3,5) and (1,1), (2,1), (3,1), (4,1), (5,1)
Multipartite access structure (4/5)
• Ex: from {(2, 5), (5, 1), (3, 3)}, |P1|=|P2|=5, we can find the corresponding Γ={(3, 4), (4, 2)}
– (2, 5): (3,1), (3,2), (3,3), (3,4), (3,5) and (1,6), (2,6), (3,6), (4,6), (5,6)
– (5, 1): (6,1), (6,2), (6,3), (6,4), (6,5) and (1,2), (2,2), (3,2), (4,2), (5,2)
– (3, 3): (4,1), (4,2), (4,3), (4,4), (4,5) and (1,4), (2,4), (3,4), (4,4), (5,4)
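The two bipartite examples above can be checked mechanically. The following is an added example, not part of the original slides: it treats a count vector as authorized when it dominates some vector of Γ coordinate-wise, and shows that {(2, 5), (5, 1), (3, 3)} is exactly the set of maximal unauthorized vectors for Γ={(3, 4), (4, 2)} with |P1|=|P2|=5, and that Γ is recovered from it. The function names are illustrative.

```python
from itertools import product

def dominates(a, b):
    """True if a >= b in every coordinate."""
    return all(x >= y for x, y in zip(a, b))

def authorized(vec, gamma):
    """A count vector is authorized if it dominates some vector of gamma."""
    return any(dominates(vec, req) for req in gamma)

def grid(sizes):
    """All possible participant counts per class, from 0 up to the class size."""
    return list(product(*(range(n + 1) for n in sizes)))

def maximal_unauthorized(gamma, sizes):
    """Unauthorized vectors that no other unauthorized vector dominates."""
    bad = [v for v in grid(sizes) if not authorized(v, gamma)]
    return {v for v in bad if not any(w != v and dominates(w, v) for w in bad)}

def minimal_authorized(unauth, sizes):
    """Reverse direction: minimal vectors lying below no unauthorized vector."""
    good = [v for v in grid(sizes) if not any(dominates(u, v) for u in unauth)]
    return {v for v in good if not any(w != v and dominates(v, w) for w in good)}

if __name__ == "__main__":
    gamma = {(3, 4), (4, 2)}                 # access structure from the slides
    sizes = (5, 5)                           # |P1| = |P2| = 5
    unauth = maximal_unauthorized(gamma, sizes)
    print(sorted(unauth))
    print(sorted(minimal_authorized(unauth, sizes)))
```
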
Multipartite access structure (5/5)
• Any access structure defined on a set of n users is trivially n-partite
– We can always take P1 = {1}, …, Pn = {n}.
– But, we usually want to consider the minimum possible number of classes.
• Ex1: (2,3)-threshold transform to 3-partite
– Γ={(1,1,0), (1,0,1), (0,1,1)}
• Ex2: Γ={{1,4}, {2,3}} transform to 4-partite
– Γ={(1,0,0,1), (0,1,1,0)}
Questions
• 1. Is multiple assignment meaningful only for Shamir? (Because CRT can easily merge shares, there is no multiple-share problem.)
– Consider the information rate
• 2. Is CRT simply single assignment?
• 3. How does CRT solve GAS?
[Supplement] Access structures
• Threshold access structures [1],
• Access structures defined by graphs [2],
• Star access structures [3],
• Those with at most five players [4],
• Bipartite access structures [5],
• Hierarchical threshold access structures [6, 7],
• Weighted threshold access structures [8].
Reference: 2006, New results on multipartite access structures
Related work
• Asmuth-Bloom secret sharing scheme
– C. Asmuth and J. Bloom. “A modular approach to key safeguarding,” IEEE Transactions on Information Theory, 29(2):208–210, 1983.
– The property of (n/2, n) Asmuth-Bloom sequence
– K. Kaya and A. A. Selcuk. “A verifiable secret sharing scheme based on the Chinese Remainder Theorem,” in Proc. of INDOCRYPT 2008, volume 5365 of LNCS, pages 414–425. Springer-Verlag, 2008.
• Galibus and Matveev (GM) algorithm for polynomial ring
– T. Galibus and G. Matveev. “Generalized Mignotte’s sequences over polynomial rings,” Electronic Notes on Theoretical Computer Science, 186:43–48, 2007.
Asmuth-Bloom’s (t, n) secret sharing scheme (1/4)
• Based on the Chinese Remainder Theorem(CRT)
• (t, n) Asmuth-Bloom sequence:
– a public sequence of coprime integers
m0 < m1 < … < mn such that
Qualified min (t): m1, m2, …, mt
Forbidden max (t−1): mn, mn−1, …, mn−t+2
Asmuth-Bloom’s (t, n) secret sharing scheme (2/4)
• Based on the Chinese Remainder Theorem(CRT)
• (t, n) Asmuth-Bloom sequence:
– a public sequence of integers
m0 < m1 < …< mn such that
Sj be the set of all subsets of P={1,2,…,n} of cardinality j.
Compare with coprime integers
• (t, n) secret sharing encoded:
– Secret d ∈ Zm0
– y = d + Am0
where A is a random positive integer such that y < M
– Share yi = y mod mi for all 1 ≤ i ≤ n
Asmuth-Bloom’s (t, n) secret sharing scheme(3/4)
Qualified min (t): m1, m2, …, mt
• (t, n) secret sharing decoded:
– y is the unique solution modulo M of the system
– Secret d = y mod m0
Asmuth-Bloom’s (t, n) secret sharing scheme(4/4)
(n/2, n) Asmuth-Bloom sequence
• Lemma: An (n/2, n) Asmuth-Bloom sequence is a (k, n) Asmuth-Bloom sequence for all k such that 1 ≤ k ≤ n.
– Let t = n/2
– Case 1: Let 1 ≤ k < t.
– Case 2: Let t < k ≤ n.
[Figure: number line 1 … t … n; k lies between 1 and t in Case 1 and between t and n in Case 2]
(n/2, n) Asmuth-Bloom sequence
• Let t = n/2
• Case 1: Let 1 ≤ k < t.
get
[Figure: number line 1 … t … n with k between 1 and t (Case 1)]
(n/2, n) Asmuth-Bloom sequence
• Let t = n/2
• Case 2: Let t < k ≤ n.
get
[Figure: number line 1 … t … n with k between t and n (Case 2)]
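The encoding and decoding steps of the Asmuth-Bloom scheme and the lemma above can be exercised together. The following is an added example, not code from the slides or the cited papers: it assumes the standard Asmuth-Bloom inequality for the sequence condition and takes M as the product of the t smallest moduli; the moduli and secret are constructed sample values.

```python
import secrets
from math import prod

def is_ab_sequence(m0, ms, t):
    """Standard Asmuth-Bloom condition (assumed here): m0 times the t-1
    largest moduli is smaller than the product of the t smallest moduli."""
    ms = sorted(ms)
    return m0 * prod(ms[len(ms) - t + 1:]) < prod(ms[:t])

def share(d, m0, ms, t, A=None):
    """Encode: y = d + A*m0 with y < M, then y_i = y mod m_i.
    M is taken as the product of the t smallest moduli (assumption)."""
    if not 0 <= d < m0 or not is_ab_sequence(m0, ms, t):
        raise ValueError("secret out of range or not a (t, n) sequence")
    M = prod(sorted(ms)[:t])
    if A is None:  # random positive A that keeps y below M
        A = 1 + secrets.randbelow((M - 1 - d) // m0)
    y = d + A * m0
    if A < 1 or y >= M:
        raise ValueError("A must be positive with d + A*m0 < M")
    return [(m, y % m) for m in ms]

def reconstruct(shares, m0):
    """Decode: solve y = y_i (mod m_i) by incremental CRT, d = y mod m0."""
    y, M = 0, 1
    for m, yi in shares:
        # add a multiple of M so that y also matches y_i modulo m
        y += M * (((yi - y) * pow(M, -1, m)) % m)
        M *= m
    return y % m0

# Constructed sample values, not from the slides: m0 = 3 and four coprime
# moduli forming an (n/2, n) = (2, 4) sequence, since 3*19 < 11*13.
M0, MODULI = 3, [11, 13, 17, 19]

def demo(d=2):
    """Share d under every threshold k with the same public sequence and
    rebuild it from the k shares with the largest moduli."""
    results = {}
    for k in range(1, len(MODULI) + 1):
        shares = share(d, M0, MODULI, k)
        results[k] = reconstruct(shares[-k:], M0)
    return results

if __name__ == "__main__":
    print(demo())
```

The same public sequence serves every threshold k from 1 to n, which is what the lemma states; a sequence that only satisfies the condition for t = 1, such as m0 = 3 with moduli 5, 7, 11, 13, is rejected by `share` for t = 2.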
Galibus and Matveev (GM) algorithm
• For polynomials, any access structure can be realized by using Mignotte SSS
– for polynomial ring
– in General Access Structure
– (based on Mignotte’s sequence)
• Secret d, moduli mi, and shares yi are polynomials.
Galibus and Matveev (GM) algorithm
• Initial: mi(x) = 1, for 1 ≤ i ≤ n
• Iteration:
Proposed method
• Proposed 1: Modified GM algorithm for integer (based on A-B)
• Proposed 2: Splitting-based secret sharing scheme
Proposed 1: Modified GM algorithm for integer
• Based on A-B, find a prime m0 (for specified bit length)
• For each , check all
–
–
• Find prime p such that the bit length of p is minimal
• Modification:
A C meeting the criterion is problematic
Proposed 2: Splitting-based secret sharing scheme
• k-partite: each part Pi has its (ni/2, ni) Asmuth-Bloom sequence
• For each vector (authorized combination)
– Use A-B’s scheme to share subsecret dv,i into share yv,i
• For each participant l,