Constructing Ideal Secret Sharing Schemes based on Chinese - PowerPoint PPT Presentation

Constructing Ideal Secret Sharing Schemes based on Chinese Remainder Theorem Yu Ning, Fuyou Miao*,… University of Science and Technology of China

Contributions  Generalization of existing CRT-based (t,n)-SS from Integer Ring to Polynomial Ring  Ideal (t,n)-SS based on CRT for Poly. Ring  Shamir’s (t,n)-SS : a special case  Weighted (t,n)-SS 2

Outline  (t,n)-Threshold Secret Sharing ( i.e., (t,n)-SS)  Two Typical Secret Sharing Schemes  Secret Sharing based on Polynomial Ring over F p  Both Types of SS as Special Cases  Weighted (t,n)-SS  Conclusion 3

(t,n)-Threshold Secret Sharing  t-Threshold, n- number of all shareholders  A dealer divides a secret s into n pieces, allocates each piece to a shareholder as the share such that  1) any t or more than t shares can recover the secret;  2) less than t shares cannot obtain the secret; 4

Dealer Secret: S Share Shareholder Distribution …… Share: s 1 s 2 s 3 s 100 s 4 Secret Reconstruction S Fig 1. An example of (3,100)-SS 5

Applications of (t,n)-SS  Threshold Encryption  Threshold Signature  Secure Multiparty Computation  Many security-related application protocols… 6

2 Typical (t,n)-SSs  Shamir’s (t,n)-SS [23]*  Share Distribution  f(x)=a 0 +a 1 x+a 2 x 2 +…+a t-1 x t-1 mod p Secret: s= a 0  Each Shareholder U i : Public information-x i ∈ F p , private share--f(x i )  Secret Reconstruction  m （ m≥t ） shareholders, e.g. {U 1 ,U 2 ,…U m }, compute the secret as: x ∑ ∏ m = m ≥ j 1 ( ) mod , ( ) s f x p m t = 1, j − = i i x x ≠ j i j i 7 *[23] Shamir, A.: How to share a secret. Communications of the ACM 22 (11), 612-613 (1979)

f(x)=a 0 +a 1 x+a 2 x 2 +…+a t-1 x t-1 mod p Secret: s= a 0 Dealer Share Shareholder … distribution Public Info: x 1 Private Share: f(x 1 ) … x i x n … x i+1 x i+2 f(x i ) f(x n ) f(x i+1 ) f(x i+2 ) Secret Reconstruction x ∑ ∏ m m ≥ j Secret: s = 1 ( ) mod , ( ) f x p m t = 1, j − = i i x x ≠ j i j i 8 Fig 1. Shamir’s (t,n)-SS

 Remarks  Shamir’s (t,n)-SS uses Lagrange Interpolation over finite field F p to recover the secret.  Ideal scheme:  Information rate 1;  No information leaks to t-1 participants  Most popular (t,n)-SS scheme cited over 13000 times -- google scholar 9

2 Typical (t,n)-SS  Asmuth-Bloom’s (t,n)-SS[1] over 600 times of citation  Share distribution: ∈ ∈ ： secret : ,modulus of shareholder s Z m Z m i i 0 < < < < = ... ,gcd( , ) 1, m m m m m m (Increasing sequence, pairwise coprime) 0 1 2 n i j ≤     （ ） ... ... * m m m m m m (gap creation ) − + 0 2 1 2 n t n t = α <   + ... B s m m m m (range extension ) 0 1 2 t (share evaluation) = mod ; s B m i i 10 [1]Asmuth,C., Bloom,J.:A modular approach to key safeguarding. IEEE transactions on information theory 29 29(2), 208-210 (1983)

 Secret Reconstruction M M ∑ ≥ − 1 For authorized subset , | | = ( ) mod mod A A t B s m M ∈ i i A i m m i i = secret: mod ; s B m 0  Remark ：  Based on Chinese Remainder Theorem(CRT) for Integer Ring  Not Ideal—information rate < 1  Hard to choose moduli due to the condition ≤     （ ） ... ... * m m m m m m − + 0 2 1 2 n t n t  Awkward scheme  [13-20][33]… 11

Questions  Can we use CRT to build a (t,n)-SS as ideal as Shamir’s scheme?  What is the connection between CRT based (t,n)-SSs and Shamir’s (t,n)-SS ? 12

Our work  Generalize Asmuth-Bloom’s (t,n)-SS from Integer Ring to Polynomial Ring  General Scheme  Ideal Scheme  Prove Shamir’s (t,n)-SS is a special case of our Ideal Scheme  Construct a weighted (t,n)-SS from General Scheme 13

Our work 14

(t,n)-SS based on CRT for Polynomial Ring over F p  General scheme  Ideal scheme 15

Our General Scheme  Setup ≥ = d prime , an integer 1 , ( ) , p d m x x 0 0 0 ∈ pairwise coprime polynomials ( ) [ ], m x F x i p = ∈ deg( ( )) for [0, ] such that d m x i n i i ∑ ∑ n t ≤ ≤ ≤ ≤ + ≤ ... and d d d d d d d ( ascending sequence, gap production ) 0 1 2 0 = + = n i i - 2 1 i n t i  Share Distribution < α The Dealer pick secret ( ), deg( ( )) ,random ( ),such that s x s x d x 0 ∑ t = + α α + < − ( ) ( ) ( ) ( ), deg( ( )) 1 f x s x x m x x d d 0 0 = i 1 i share for th shareholder: i 16 = ( ) ( )mod ( ) s x f x m x i i

Our General Scheme  Secret Reconstruction ≥ ， any participants e.g., {1,2,..., }, recover the secret ( ): k k k t s x =  ( ) ( )mod ( ) f x s x m x 1 1  =  ( ) ( )mod ( ) f x s x m x → 2 2  ( ), (by CRT for polynomial ring) f x ...   =  ( ) ( )mod ( ) f x s x m x k k → = ( ) ( )mod ( ) s x f x m x 0 17

Our Ideal Scheme  Only Difference in Setup ≥ = d prime , an integer 1 , ( ) , p d m x x 0 0 0 ∈ pairwise coprime polynomials ( ) [ ], m x F x i p = ∈ deg( ( )) for [0, ] such that d m x i n i i ∑ ∑ n t = = = = + = ... and d d d d d d d 0 1 2 0 = + = n i i - 2 1 i n t i ∑ ∑ n t ≤ ≤ ≤ ≤ + ≤ ... and d d d d d d d 0 1 2 0 = + = n i i - 2 1 i n t i (in general scheme) 18

Surprising Gains from Our Ideal Scheme  Information rate= 1 , no info. leak  Ideal scheme  Quite easy to choose pairwise coprime modulus polynomials  e.g. + + + d ， d ，， d 1 2 ... x x x n 0 0 0  Shamir’s (t,n)-SS as a special case 19

Shamir’s (t,n)-SS as our special case  An instantiation of our ideal scheme with d 0 =1 20

Shamir’s (t,n)-SS as our special case CRT for Polynomial Ring over F p Lagrange Interpolation =  ( ) ( )mod ( ) f x s x m x over F p 1 1  =  x ( ) ( )mod ( ) f x s x m x ∑ ∏ m m = 2 2  j ( ) mod s f x p = 1, j ... − =  i 1 i x x ≠ j i  j i =  ( ) ( )mod ( ) f x s x m x k k Shamir’s (t,n)-SS → = ( ) ( )mod ( ) s x f x m x 0 Our Ideal scheme x i : Public info. of shareholder U i = − = − ∈ since ( ) ( )mod( ), ( ) f x f x x x m x x x F i i i i p 21 (Remainder Theorem for Polynomial)

Weighted (t,n)-SS based on our General Scheme  What is Weighted (t,n)-SS  Each shareholder U i in subset A has a weight w i ;  secret can be recovered if ∑ ≥ i A w t ∈ i 22

Weighted (t,n)-SS based on our General Scheme  More natural and easier to realize Weighted (t,n)-SS based on our scheme weight=deg(m i (x))= w i Shareholder with weight w i is allocated a modulus polynomial of degree w i 23

Conclusions  General (t,n)-SS Scheme (Poly. Ring)  Asmuth- Bloom’s (t,n)-SS (Integer Ring)  Ideal (t,n)-SS Scheme  General (t,n)-SS Scheme  Shamir’s scheme as a special case of Ideal (t,n)-SS Scheme  Weighted (t,n)-SS  General (t,n)-SS Scheme 24

Conclusions following schemes Potential as an alternative of both schemes Asmuth-Bloom’s Our scheme Shamir’s Scheme Scheme 25

26