Secret Sharing Schemes

Russ Martin

May 14, 2012Secret Sharing SchemesTable of ContentsWhat is Secret Sharing?Traditional SchemesShamirsSimplifiedBlakleys Theory of More Efficient SchemesShort Share Secret SharingRobust Secret SharingWhat is Secret SharingA method of distributing data between a group of persons so that any subset of a specified size can access the data, and a subset of size smaller can not.A (t,w) Threshold Scheme is a method of sharing a key K among w participants in such a way that any t participants can compute the value of K, but no group of t-1 participants can3DefinitionsPerfect Secret Sharing Scheme (PSS) A scheme in which t-1 shares provide absolutely no information on the hidden dataInformation Rate Ratio of # of bits in the secret being hidden to the # of bits in the size of each share1 is ideal, as the size of the shares are the size of the secretMust be less than or equal to 1 for any perfect secret sharing scheme

Traditional Schemes ShamirsBased on polynomial interpolation given t points on the plane, only one polynomial q(x) degree of t-1 exists that satisfies q(x) = y for all xi (the key given to each participant).K = the data being hidden by the scheme, in numeric formq(x) = a0 + a1x + + ak-1xk-1, where K = a0Shamirs Scheme Key DistributionTo Distribute data: Choose w unique elements in Zp, where p>w. These are the x values.For i in 1 to w: Give xi to each of the participants. These x values are publicChoose t-1 values in Zp randomly. These values are secret to the person distributing the shares. These are the a values.Privately give each member y = q(x) corresponding to their x value, where

Shamirs Scheme Key ReconstructionGoal is to solve for the a values used during distribution, notably a0 = KWith t participants, one can form t linear equations in the form:

With t equations and t unknowns, there is a unique solution.

Shamirs Scheme - Examplep = 19, t = 3, w =4, xi = iK = a0 = 12Randomly Choose a1 = 14 , a2 = 3

q(1) = 10, q(2) = 14 , q(3) = 5 , q(4) = 2

Shamirs Scheme Example (Solving)(1,2,3)

(1,3,4)

(1,2,4)

(2,3,4)

In all cases, Equations solve for 12, 14, and 3, the values chosen

A = 12, 14, 39Shamirs Scheme - Alternate ReconstructionEach participant computes a value of b for each possible subset of participants they could reconstruct the secret with.This can be done prior to reconstruction, as all x values are public

Once b values are computed, can be used for reconstruction as such:

Shamirs SchemeSize of all shares are the size of the hidden key (Information Rate = 1)For t-1 people, forms a line of possible answers providing no information, making this a PSSIf a person is more important, increase their ability by giving them multiple sharesRecommended # of shares: w = 2t 1Allows recovery with loss/destruction of t-1 shares, but no reconstruction with same number11Simplified Shamirs SchemeWorks only with a (t,t) threshold scheme Over any finite integer field ZmRandomly choose t-1 integers from i = 1 to t-1, denoted y1 yt-1

yi = Shares given to participants

Simplified Shamirs SchemeReconstruction:

With t-1 particpants, only can compute K-yiStill a PSS

Traditional Schemes Blakleyst different (t-1)-dimensional hyperplanes will always intersect at exactly one point.t = 3, 2-dimensional planes in the form a1x1 + a2x2+ atxt = bK = x1Blakleys Scheme - DistributionChoose a prime p and F = finite, t-1 dimensional fieldSelect a secret, random point x, where x1=K, rest of values are random. All a values are also random and publicPrivately give each person yi = ai1x1 + ai2x2 + aitxtForms a w x t matrix, with Ax = yBlakleys Scheme - ReconstructionSolve system of equations Ax = y, only with the t users that are combining shares. K = xiBlakleys SchemeNot fully secure all participants know the point exists on their planePublic share is much larger than K t times in magnitude. n*t a values are needed.a values are not sensitive, may be publicInformation Rate is 1

More Efficient SchemesNote that for large secrets or number of participants, there is a large amount of data needed to be transferredIdeally, size of each share would be equal to size of the secret divided by the thresholdSince Information Rate is now greater than 1, it can no longer be guaranteed to be a perfect secret sharing schemeSecurity can not be proved for any scheme with shares shorter than secret, as there will be some information revealed.Computationally Secure Secret Sharing SchemeProposed by Hugo KrawczykComputationally Secure No Information can be efficiently computed from a single sharePolynomial Indistinguishability Two Probability Distributions that cannot be told apart through any polynomial-time algorithmCan be applied to encryptions An encryption function is computationally secure if for any pair of messages M and M, their encryptions under all possible keys are polynomially indistinguishableComputationally Secure Secret Sharing SchemeApplied to a Secret Sharing SchemeComputationally Secure if for any pair of secrets of same length S and S, the distribution of their shares are polynomially indistinguishableInformation Dispersal Algorithm (IDA)A split of a file F into n partitions, where m are needed to reconstruct the original file.Each partition size F/m, with a little redundancy attached

Short Share Secret SharingDistributionEncrypt the secret S using a random key in a polynomially indistinguishable algorithmSplit the encrypted file into w fragments using IDAEncode the key using a PSS to create w shares of the keyGive each participant one part of the key and one part of the encrypted fileReconstruction:Use IDA to reconstruct the fileUse PSS to recover the keyDecrypt the file using the key to uncover the secretShare Size Size(File) / t + Size(Key)Robust Secret SharingA scheme that can recover the secret with up to m corrupted/malicious sharesm < t and t w-mSame Distribution and Reconstruction of Short Share, but signed sharesSign file after encrypting, but before IDASign each of the sharesAdditional size of shares is not dependent on secret, only the signing systemDownsidesRequires a public key signature verification systemMuch more computationally complexEntity distributing the secret needs to be knownWorks Cited[1]Stinson, Douglas R. Cryptography: Theory and Practice. CRC Press 2006. [2]Shamir, Adi. How to Share a Secret. November 1979.[3]Krawczyk, Hugo. Secret Sharing Made Short. 1993. [4]RSA Laboratories. What are some secret sharing schemes?[5]http://www.cs.bilkent.edu.tr/~selcuk/publications/BSS_ISC08.pdfQuestions?