Constructing Ideal Secret Sharing Schemes based on Chinese - - PowerPoint PPT Presentation

SLIDE 1

Constructing Ideal Secret Sharing Schemes based on Chinese Remainder Theorem

Yu Ning, Fuyou Miao*,…

University of Science and Technology of China

SLIDE 2

Contributions

  • Generalization of existing CRT-based (t,n)-SS from Integer Ring to Polynomial Ring
  • Ideal (t,n)-SS based on CRT for Poly. Ring
  • Shamir’s (t,n)-SS: a special case
  • Weighted (t,n)-SS

SLIDE 3

Outline

  • (t,n)-Threshold Secret Sharing (i.e., (t,n)-SS)
  • Two Typical Secret Sharing Schemes
  • Secret Sharing based on Polynomial Ring over Fp
  • Both Types of SS as Special Cases
  • Weighted (t,n)-SS
  • Conclusion

SLIDE 4

(t,n)-Threshold Secret Sharing

  • t: threshold; n: number of all shareholders
  • A dealer divides a secret s into n pieces and allocates each piece to a shareholder as the share, such that
      1) any t or more shares can recover the secret;
      2) fewer than t shares cannot obtain the secret.

SLIDE 5

[Figure: Fig 1. An example of (3,100)-SS. Share distribution: the dealer splits the secret S into shares s1, s2, s3, s4, …, s100 for the shareholders. Secret reconstruction: shareholders recover S.]

SLIDE 6

Applications of (t,n)-SS

  • Threshold Encryption
  • Threshold Signature
  • Secure Multiparty Computation
  • Many security-related application protocols…

SLIDE 7

2 Typical (t,n)-SSs

Shamir’s (t,n)-SS [23]*

Share Distribution

  • $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \bmod p$

    Secret: $s = a_0$

  • Each shareholder $U_i$: public information $x_i \in F_p$, private share $f(x_i)$

Secret Reconstruction

  • m (m ≥ t) shareholders, e.g. $\{U_1, U_2, \dots, U_m\}$, compute the secret as:

$$s = \sum_{i=1}^{m} f(x_i) \prod_{j=1,\, j \ne i}^{m} \frac{x_j}{x_j - x_i} \bmod p, \quad (m \ge t)$$

*[23] Shamir, A.: How to share a secret. Communications of the ACM 22(11), 612-613 (1979)

SLIDE 8

[Figure: Fig 1. Shamir’s (t,n)-SS. Share distribution: the dealer holds $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1} \bmod p$ with secret $s = a_0$; each shareholder has public info $x_i$ and private share $f(x_i)$ (shown for $x_1, \dots, x_i, x_{i+1}, x_{i+2}, \dots, x_n$). Secret reconstruction: $s = \sum_{i=1}^{m} f(x_i) \prod_{j=1,\, j \ne i}^{m} \frac{x_j}{x_j - x_i} \bmod p$, $(m \ge t)$.]

SLIDE 9

Remarks

  • Shamir’s (t,n)-SS uses Lagrange Interpolation over finite field Fp to recover the secret.
  • Ideal scheme:
      • Information rate 1;
      • No information leaks to t-1 participants
  • Most popular (t,n)-SS scheme, cited over 13000 times (Google Scholar)

SLIDE 10

2 Typical (t,n)-SS

Asmuth-Bloom’s (t,n)-SS [1], cited over 600 times

Share distribution:

  • secret: $s \in Z_{m_0}$; modulus of shareholder $i$: $m_i \in Z$
  • $m_0 < m_1 < m_2 < \dots < m_n$, $\gcd(m_i, m_j) = 1$ (increasing sequence, pairwise coprime)
  • $m_0 \cdot m_{n-t+2} \cdots m_n \le m_1 m_2 \cdots m_t$ $\;(*)$ (gap creation)
  • $B = s + \alpha m_0 < m_1 m_2 \cdots m_t$ (range extension)
  • $s_i = B \bmod m_i$ (share evaluation)

[1] Asmuth, C., Bloom, J.: A modular approach to key safeguarding. IEEE Transactions on Information Theory 29(2), 208-210 (1983)

SLIDE 11

Secret Reconstruction

For authorized subset $A$, $|A| \ge t$:

$$B = \Big( \sum_{i \in A} s_i \cdot \frac{M}{m_i} \cdot \Big( \big(\tfrac{M}{m_i}\big)^{-1} \bmod m_i \Big) \Big) \bmod M$$

secret: $s = B \bmod m_0$

Awkward scheme [13-20][33]…

Remark:

  • Based on Chinese Remainder Theorem (CRT) for Integer Ring
  • Not ideal: information rate < 1
  • Hard to choose moduli due to the condition $(*)$: $m_0 \cdot m_{n-t+2} \cdots m_n \le m_1 m_2 \cdots m_t$
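The Asmuth-Bloom share distribution and reconstruction above, as an added example that is not part of the original slides. The moduli, the secret and all function names are constructed for illustration; the code takes M to be the product of the moduli in the subset A and also requires m_0 to be coprime to every m_i, both of which are assumptions of this example.

```python
import math
import secrets

def check_moduli(m0, moduli, t):
    """m_0 < m_1 < ... < m_n, pairwise coprime, and the gap condition (*)."""
    seq = [m0] + list(moduli)
    increasing = all(a < b for a, b in zip(seq, seq[1:]))
    coprime = all(math.gcd(a, b) == 1 for i, a in enumerate(seq) for b in seq[i + 1:])
    # (*): m_0 * (the t-1 largest moduli) <= product of the t smallest moduli
    gap = m0 * math.prod(moduli[len(moduli) - t + 1:]) <= math.prod(moduli[:t])
    return increasing and coprime and gap

def deal(s, m0, moduli, t):
    """Range extension B = s + alpha*m_0 < m_1*...*m_t, then s_i = B mod m_i."""
    if not (0 <= s < m0 and check_moduli(m0, moduli, t)):
        raise ValueError("secret or moduli violate the scheme's conditions")
    bound = math.prod(moduli[:t])
    alpha = secrets.randbelow((bound - 1 - s) // m0 + 1)  # largest alpha keeping B < bound
    B = s + alpha * m0
    return [B % m for m in moduli]

def reconstruct(shares, moduli, m0):
    """CRT over the integers for subset A (M = product of its moduli), then s = B mod m_0."""
    M = math.prod(moduli)
    B = sum(s_i * (M // m_i) * pow(M // m_i, -1, m_i) for s_i, m_i in zip(shares, moduli)) % M
    return B % m0

def information_rate(m0, moduli):
    """Secret size over largest share size, in bits; below 1 because every m_i > m_0."""
    return math.log2(m0) / math.log2(max(moduli))

# Constructed demo parameters for (t, n) = (3, 5)
MODULI = [11, 13, 17, 19, 23]
```

With these moduli, m_0 = 3 satisfies (*) while m_0 = 7 does not, which is the moduli-selection difficulty the remark refers to.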

SLIDE 12

Questions

  • Can we use CRT to build a (t,n)-SS as ideal as Shamir’s scheme?
  • What is the connection between CRT based (t,n)-SSs and Shamir’s (t,n)-SS?

SLIDE 13

Our work

  • Generalize Asmuth-Bloom’s (t,n)-SS from Integer Ring to Polynomial Ring
      • General Scheme
      • Ideal Scheme
  • Prove Shamir’s (t,n)-SS is a special case of our Ideal Scheme
  • Construct a weighted (t,n)-SS from General Scheme

SLIDE 14

Our work

SLIDE 15

(t,n)-SS based on CRT for Polynomial Ring over Fp

  • General scheme
  • Ideal scheme

SLIDE 16

Our General Scheme

Setup

  • prime $p$, an integer $d_0 \ge 1$, $m_0(x) = x^{d_0}$, pairwise coprime polynomials $m_i(x) \in F_p[x]$, $d_i = \deg(m_i(x))$ for $i \in [0, n]$ such that

$$d_0 \le d_1 \le d_2 \le \dots \le d_n \quad \text{and} \quad d_0 + \sum_{i=n-t+2}^{n} d_i \le \sum_{i=1}^{t} d_i$$

    (ascending sequence, gap production)

Share Distribution

  • The Dealer picks secret $s(x)$, $\deg(s(x)) < d_0$, and random $\alpha(x)$, such that $f(x) = s(x) + \alpha(x)\, m_0(x)$, $\deg(\alpha(x)) + d_0 < \sum_{i=1}^{t} d_i - 1$
  • share for the $i$-th shareholder: $s_i(x) = f(x) \bmod m_i(x)$

SLIDE 17

Our General Scheme

Secret Reconstruction

  • any $k$ ($k \ge t$) participants, e.g. $\{1, 2, \dots, k\}$, recover the secret $s(x)$:

$$\begin{cases} f(x) = s_1(x) \bmod m_1(x) \\ f(x) = s_2(x) \bmod m_2(x) \\ \quad \vdots \\ f(x) = s_k(x) \bmod m_k(x) \end{cases} \;\rightarrow\; f(x) \ \text{(by CRT for polynomial ring)} \;\rightarrow\; s(x) = f(x) \bmod m_0(x)$$

SLIDE 18

Our Ideal Scheme

Only Difference in Setup

  • prime $p$, an integer $d_0 \ge 1$, $m_0(x) = x^{d_0}$, pairwise coprime polynomials $m_i(x) \in F_p[x]$, $d_i = \deg(m_i(x))$ for $i \in [0, n]$ such that

$$d_0 = d_1 = d_2 = \dots = d_n \quad \text{and} \quad d_0 + \sum_{i=n-t+2}^{n} d_i = \sum_{i=1}^{t} d_i$$

  • in general scheme:

$$d_0 \le d_1 \le d_2 \le \dots \le d_n \quad \text{and} \quad d_0 + \sum_{i=n-t+2}^{n} d_i \le \sum_{i=1}^{t} d_i$$

SLIDE 19

Surprising Gains from Our Ideal Scheme

  • Information rate=1, no info. leak: Ideal scheme
  • Quite easy to choose pairwise coprime modulus polynomials, e.g. $x^d + 1,\ x^d + 2,\ \dots,\ x^d + n$
  • Shamir’s (t,n)-SS as a special case

SLIDE 20

Shamir’s (t,n)-SS as our special case

An instantiation of our ideal scheme with $d_0 = 1$

SLIDE 21

Shamir’s (t,n)-SS as our special case

Shamir’s (t,n)-SS (Lagrange Interpolation over Fp):

$$s = \sum_{i=1}^{m} f(x_i) \prod_{j=1,\, j \ne i}^{m} \frac{x_j}{x_j - x_i} \bmod p$$

$x_i$: public info. of shareholder $U_i$

Our Ideal scheme (CRT for Polynomial Ring over Fp):

$$\begin{cases} f(x) = s_1(x) \bmod m_1(x) \\ f(x) = s_2(x) \bmod m_2(x) \\ \quad \vdots \\ f(x) = s_k(x) \bmod m_k(x) \end{cases} \;\rightarrow\; s(x) = f(x) \bmod m_0(x)$$

since $f(x_i) = f(x) \bmod (x - x_i)$, $m_i(x) = x - x_i \in F_p[x]$ (Remainder Theorem for Polynomial)
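The ideal scheme over F_p[x] and its d_0 = 1 special case, as an added example that is not part of the original slides. The prime P = 257, the secrets and all function names are constructed for illustration; the dealer here draws f with deg f < d_1 + … + d_t, the bound CRT needs for any t shares to determine f, which is this example's own assumption.

```python
import secrets
P = 257  # constructed small prime; polynomials are coefficient lists, low degree first

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, sign=1):  # a + sign*b in F_p[x]
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return trim([(x + sign * y) % P for x, y in zip(a, b)])

def mul(a, b):
    return trim([sum(a[i] * b[k - i] for i in range(len(a)) if 0 <= k - i < len(b)) % P
                 for k in range(max(len(a) + len(b) - 1, 0))])

def divmod_p(a, b):  # quotient and remainder of a by b
    a, q = trim(a[:]), [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        k, c = len(a) - len(b), a[-1] * pow(b[-1], -1, P) % P
        q[k] = c
        a = add(a, [0] * k + [c * y % P for y in b], -1)
    return trim(q), a

def inverse(a, m):  # a^-1 mod m by extended Euclid; needs gcd(a, m) = 1
    r0, r1, t0, t1 = m, divmod_p(a, m)[1], [], [1]
    while len(r1) > 1:
        q, r = divmod_p(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, add(t0, mul(q, t1), -1)
    return [x * pow(r1[0], -1, P) % P for x in t1]

def moduli_xd_plus_i(d, n):  # the slide's example moduli x^d + 1, ..., x^d + n (needs n < P)
    return [[i] + [0] * (d - 1) + [1] for i in range(1, n + 1)]

def deal(secret, moduli, t, d0):
    """f = s + alpha*x^d0 with deg f < d_1+...+d_t (assumed bound); share s_i = f mod m_i."""
    top = sum(len(m) - 1 for m in moduli[:t])
    alpha = [secrets.randbelow(P) for _ in range(top - d0)]
    f = trim(secret + [0] * (d0 - len(secret)) + alpha)
    return f, [divmod_p(f, m)[1] for m in moduli]

def reconstruct(shares, moduli, d0):
    """CRT in F_p[x] over the given subset, then s = f mod x^d0."""
    M, f = [1], []
    for m in moduli:
        M = mul(M, m)
    for s_i, m_i in zip(shares, moduli):
        M_i = divmod_p(M, m_i)[0]
        f = add(f, mul(mul(s_i, M_i), inverse(M_i, m_i)))
    return divmod_p(f, M)[1][:d0]
```

With d = 1 the modulus x + i equals x − x_i for x_i = −i mod P, so each share returned by `deal` is the single coefficient f(x_i), a Shamir share.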

SLIDE 22

Weighted (t,n)-SS based on our General Scheme

What is Weighted (t,n)-SS

  • Each shareholder $U_i$ in subset $A$ has a weight $w_i$; the secret can be recovered if $\sum_{i \in A} w_i \ge t$

SLIDE 23

Weighted (t,n)-SS based on our General Scheme

  • More natural and easier to realize Weighted (t,n)-SS based on our scheme
  • Shareholder with weight $w_i$ is allocated a modulus polynomial of degree $w_i$: weight $= \deg(m_i(x)) = w_i$

SLIDE 24

Conclusions

  • General (t,n)-SS Scheme (Poly. Ring) ← Asmuth-Bloom’s (t,n)-SS (Integer Ring)
  • Ideal (t,n)-SS Scheme ← General (t,n)-SS Scheme
  • Shamir’s scheme as a special case of Ideal (t,n)-SS Scheme
  • Weighted (t,n)-SS ← General (t,n)-SS Scheme

SLIDE 25

Conclusions

[Diagram: Asmuth-Bloom’s Scheme and Shamir’s Scheme, each with its following schemes. Our scheme: potential as an alternative of both schemes.]
