Secret Sharing for General Access Structure İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk Information Security and Cryptology, Ankara, Turkey, May 2010.

Upload: lucy-gaines

Post on 18-Jan-2016



Secret Sharing for General Access Structure

İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk

Information Security and Cryptology, Ankara, Turkey, May 2010.


Outline

• Multipartite access structure
• Related work:
  – Asmuth-Bloom’s (t, n) secret sharing scheme
  – Galibus and Matveev (GM) algorithm for polynomial ring in General Access Structure (based on M)
• Proposed method
  – Proposed 1: Modified GM algorithm for integer (based on A-B)
  – Proposed 2: Splitting-based secret sharing scheme
• Conclusion


Multipartite access structure (1/5)

• The set of players is divided into K different disjoint classes P1, P2, …, PK;

• All players of the same class play the same role in the structure.


Multipartite access structure (2/5)

• A K-partite access structure can be represented by a set of K-tuple vectors.
• Ex: Γ = {(3, 4), (4, 2)}
  – Each vector is an authorized combination:
    • (3, 4) is an authorized combination
    • (4, 2) is the other authorized combination
  – The ith entry in a vector denotes the required number of participants from Pi in that authorized combination.
    • (3, 4) means at least 3 users from P1 and 4 from P2.
  – {(|P1| ≥ 3 and |P2| ≥ 4) or (|P1| ≥ 4 and |P2| ≥ 2)}


Multipartite access structure (3/5)

• Ex: Γ = {(3, 4), (4, 2)}, |P1| = |P2| = 5,
  we can find corresponding {(2, 5), (5, 1), (3, 3)}

  (3, 4) ∈ Γ:  (2,1) (2,2) (2,3) (2,4) (2,5)  and  (1,3) (2,3) (3,3) (4,3) (5,3)
  (4, 2) ∈ Γ:  (3,1) (3,2) (3,3) (3,4) (3,5)  and  (1,1) (2,1) (3,1) (4,1) (5,1)


Multipartite access structure (4/5)

• Ex: {(2, 5), (5, 1), (3, 3)}, |P1| = |P2| = 5,
  we can find corresponding Γ = {(3, 4), (4, 2)}

  (2, 5):  (3,1) (3,2) (3,3) (3,4) (3,5)  and  (1,6) (2,6) (3,6) (4,6) (5,6)
  (5, 1):  (6,1) (6,2) (6,3) (6,4) (6,5)  and  (1,2) (2,2) (3,2) (4,2) (5,2)
  (3, 3):  (4,1) (4,2) (4,3) (4,4) (4,5)  and  (1,4) (2,4) (3,4) (4,4) (5,4)
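The two directions worked on slides (3/5) and (4/5), as an added Python example that is not part of the original slides. It assumes the second set on those slides is the set of maximal unauthorized count vectors, and the function names are hypothetical.

```python
from itertools import product

def authorized(counts, gamma):
    """True if counts meets some vector of gamma in every class (entry-wise >=)."""
    return any(all(c >= v for c, v in zip(counts, vec)) for vec in gamma)

def _grid(sizes):
    """All count vectors (c1, ..., cK) with 0 <= ci <= |Pi|."""
    return product(*(range(s + 1) for s in sizes))

def _leq(a, b):
    """Entry-wise a <= b."""
    return all(x <= y for x, y in zip(a, b))

def maximal_unauthorized(gamma, sizes):
    """Slide (3/5): unauthorized vectors not dominated by another unauthorized one."""
    bad = [c for c in _grid(sizes) if not authorized(c, gamma)]
    return sorted(c for c in bad
                  if not any(o != c and _leq(c, o) for o in bad))

def minimal_authorized(unauth_max, sizes):
    """Slide (4/5): recover gamma from the maximal unauthorized vectors."""
    good = [c for c in _grid(sizes)
            if not any(_leq(c, u) for u in unauth_max)]
    return sorted(c for c in good
                  if not any(o != c and _leq(o, c) for o in good))

# The slides' example: two classes of five players each.
GAMMA = [(3, 4), (4, 2)]
SIZES = (5, 5)

if __name__ == "__main__":
    print(maximal_unauthorized(GAMMA, SIZES))
    print(minimal_authorized([(2, 5), (5, 1), (3, 3)], SIZES))
```
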


Multipartite access structure (5/5)

• Any access structure defined on a set of n users is trivially n-partite
  – We can always take P1 = {1}, …, Pn = {n}.
  – But, we usually want to consider the minimum possible number of classes.
• Ex1: (2,3)-threshold transform to 3-partite
  – Γ = {(1,1,0), (1,0,1), (0,1,1)}
• Ex2: Γ = {{1,4}, {2,3}} transform to 4-partite
  – Γ = {(1,0,0,1), (0,1,1,0)}


Questions

• 1. Is multiple assignment meaningful only for Shamir? (Because CRT can easily merge shares, there is no multiple-share problem)
  – Consider the information rate
• 2. Is CRT simply single assignment?
• 3. How does CRT handle GAS?


[Supplement] Access structures

• Threshold access structures [1],
• Access structures defined by graphs [2],
• Star access structures [3],
• Those with at most five players [4],
• Bipartite access structures [5],
• Hierarchical threshold access structures [6, 7],
• Weighted threshold access structures [8].

Reference: New results on multipartite access structures (2006)


Related work

• Asmuth-Bloom secret sharing scheme
  – C. Asmuth and J. Bloom. “A modular approach to key safeguarding,” IEEE Transactions on Information Theory, 29(2):208–210, 1983.
  – The property of (n/2, n) Asmuth-Bloom sequence
  – K. Kaya and A. A. Selcuk. A verifiable secret sharing scheme based on the Chinese Remainder Theorem. In Proc. of INDOCRYPT 2008, volume 5365 of LNCS, pages 414–425. Springer-Verlag, 2008.
• Galibus and Matveev (GM) algorithm for polynomial ring
  – T. Galibus and G. Matveev. “Generalized Mignotte’s sequences over polynomial rings,” Electronic Notes on Theoretical Computer Science, 186:43–48, 2007.


Asmuth-Bloom’s (t, n) secret sharing scheme (1/4)

• Based on the Chinese Remainder Theorem (CRT)
• (t, n) Asmuth-Bloom sequence:
  – a public sequence of coprime integers m_0 < m_1 < … < m_n such that

  Qualified Min (t): m_1, m_2, …, m_t
  Forbidden Max (t−1): m_n, m_{n−1}, …, m_{n−t+2}


Asmuth-Bloom’s (t, n) secret sharing scheme (2/4)

• Based on the Chinese Remainder Theorem (CRT)
• (t, n) Asmuth-Bloom sequence:
  – a public sequence of integers m_0 < m_1 < … < m_n such that

  S_j be the set of all subsets of P = {1, 2, …, n} of cardinality j.

  Compare with coprime integers


Asmuth-Bloom’s (t, n) secret sharing scheme (3/4)

• (t, n) secret sharing encoded:
  – Secret d ∈ Z_{m_0}
  – y = d + A·m_0, where A is a random positive integer such that y < M
  – Share y_i = y mod m_i for all 1 ≤ i ≤ n

  Qualified Min (t): m_1, m_2, …, m_t


Asmuth-Bloom’s (t, n) secret sharing scheme (4/4)

• (t, n) secret sharing decoded:
  – y is the unique solution modulo M of the system
  – Secret d = y mod m_0
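The encode and decode steps of slides (3/4) and (4/4), as an added Python example that is not the authors' code. It assumes M = m_1·…·m_t and the standard Asmuth-Bloom sequence condition (m_0 times the product of the t−1 largest moduli is less than the product of the t smallest), since the slide formulas did not survive extraction; the toy moduli are constructed and the function names are hypothetical.

```python
import secrets
from itertools import combinations
from math import gcd, prod

def is_ab_sequence(m, t):
    """m = [m0, m1, ..., mn]. Checks the standard Asmuth-Bloom condition
    (an assumption here): m0 * ForbiddenMax < QualifiedMin."""
    n = len(m) - 1
    coprime = all(gcd(a, b) == 1 for a, b in combinations(m, 2))
    increasing = all(a < b for a, b in zip(m, m[1:]))
    qualified_min = prod(m[1:t + 1])            # m1 ... mt
    forbidden_max = prod(m[n - t + 2:n + 1])    # mn ... m(n-t+2), t-1 moduli
    return coprime and increasing and m[0] * forbidden_max < qualified_min

def share(d, m, t):
    """Encode: y = d + A*m0 with a random positive A such that y < M."""
    M = prod(m[1:t + 1])
    if not 0 <= d < m[0]:
        raise ValueError("secret must lie in Z_m0")
    A = 1 + secrets.randbelow((M - 1 - d) // m[0])
    y = d + A * m[0]
    return {i: y % m[i] for i in range(1, len(m))}

def crt(shares, m):
    """Incremental CRT: returns (y mod P, P), P = product of the moduli used."""
    y, P = 0, 1
    for i, r in shares.items():
        y += P * (((r - y) * pow(P, -1, m[i])) % m[i])
        P *= m[i]
    return y, P

def reconstruct(shares, m):
    """Decode: solve the CRT system, then d = y mod m0."""
    return crt(shares, m)[0] % m[0]

def consistent_secrets(shares, m, t):
    """Secrets that remain possible for a coalition holding these shares."""
    y0, P = crt(shares, m)
    M = prod(m[1:t + 1])
    return {y % m[0] for y in range(y0, M, P) if y >= m[0]}

# Constructed toy parameters (far too small for real use): t = 3, n = 4.
M_SEQ = [3, 11, 13, 17, 19]

if __name__ == "__main__":
    s = share(2, M_SEQ, 3)
    print(reconstruct({i: s[i] for i in (1, 3, 4)}, M_SEQ))
    print(consistent_secrets({i: s[i] for i in (3, 4)}, M_SEQ, 3))
```

With any three shares the secret is recovered; with two shares every value of Z_{m_0} is still consistent with what the coalition holds.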


(n/2, n) Asmuth-Bloom sequence

• Lemma: An (n/2, n) Asmuth-Bloom sequence is a (k, n) Asmuth-Bloom sequence for all k such that 1 ≤ k ≤ n.
  – Let t = n/2
  – Case 1: Let 1 ≤ k < t.
  – Case 2: Let t < k ≤ n.

[Figure: number line 1 … t … n showing the position of k in Case 1 and Case 2]


(n/2, n) Asmuth-Bloom sequence

• Let t = n/2
• Case 1: Let 1 ≤ k < t.

get

[Figure: number line 1 … t … n with k, Case 1]


(n/2, n) Asmuth-Bloom sequence

• Let t = n/2
• Case 2: Let t < k ≤ n.

get

[Figure: number line 1 … t … n with k, Case 2]


Galibus and Matveev (GM) algorithm

• For polynomials, any access structure can be realized by using Mignotte SSS
  – for polynomial ring
  – in General Access Structure
  – (based on Mignotte’s sequence)
• Secret d, moduli m_i, and shares y_i are polynomials.


Galibus and Matveev (GM) algorithm

• Initial: m_i(x) = 1, for 1 ≤ i ≤ n
• Iteration:


Proposed method

• Proposed 1: Modified GM algorithm for integer (based on A-B)
• Proposed 2: Splitting-based secret sharing scheme


Proposed 1: Modified GM algorithm for integer

• Based on A-B, find a prime m0 (for specified bit length)
• For each , check all
  –
  –
• Find prime p, and bit length of p is minimal
• Revision:
  A C satisfying the criterion is problematic


Proposed 2: Splitting-based secret sharing scheme

• k-partite, each part Pi has its (ni/2, ni) Asmuth-Bloom sequence
• For each vector (authorized combination)
  – Using A-B’s scheme, share subsecret d_{v,i} into share y_{v,i}
• For each participant l,
