1.1 Traditional (t,n)-threshold secret sharing and its applications
With the development of mobile Internet, network applications don’t limit to 1-to-1 or 1-to-m (i.e., client/server) interaction pattern any more. Group oriented applications with m-to-m interaction pattern are getting more and more popular especially in mobile social apps. Group chat is one of group oriented applications provided by most social apps, and it is actually an online meeting system and allows a user to invite his/her friends to have a meeting anytime and anywhere. For example, WeChat, the most popular mobile social app with over 600 million users in Asia, enables a user to initiate a group for an ad hoc session on demand. In the group, any user is allowed to send/receive messages, start an audio/video chat or invite his/her friends into the group. Consequently, a user may not be familiar with some other users. However, a main concern about the online meeting is authentication. That is, each user needs to make sure that any other user in the group has the right identity, especially when the meeting is confidential. That is because any user at a confidential meeting is responsible for the information he/she releases, and never wants any wrong person to have access to it. In this case, each user needs to authenticate all the others successfully, or else the meeting must be aborted.
Traditionally, one user employs a 1-to-1 authentication scheme to verify another user’s identity. In such a scheme, one user (verifier) gets convinced that the other user (prover) is the right one it claims to be. If the 1-to-1 scheme is trivially applied to mutual authentication within a group of users, there are totally rounds of authentication. Nevertheless, rounds are sufficient for the same case if m-to-m authentication scheme is employed, because the new authentication allows each user to verify whether all users are legal group members at once. Therefore, it is of great importance to find a proper cryptographic tool in designing secure and efficient m-to-m authentication schemes for group oriented applications.
As a group oriented cryptographic primitive, (t,n)-threshold secret sharing scheme (or (t,n)-SS) divides a secret into shares and allocates each share to a shareholder, such that at least shareholders (i.e., participants) are qualified to recover the secret but less than are not. In a group of exact shareholders, each shareholder can verify whether all shareholders are legal at once if they mutually exchange shares, independently reconstruct the secret and check the correctness. Therefore, (t,n)-SSs have potential in building m-to-m authentication schemes.
Since (t,n)-SS was first introduced separately by Shamir shamir1979share and Blakley blakley1979safeguarding in 1979, it has been studied extensively in the literature asmuth1983modular mignotte1982share mceliece1981sharing massey1993minimal hillery1999quantum and widely used in many applications, such as secure multiparty computation patel2016secure , threshold signature boldyreva2003threshold , group key agreement liu2016full , group authentication harn2013group etc. al. As the most popular (t,n)-SS, Shamir’s scheme shamir1979share is constructed based on a polynomial of degree at most in a finite field. Blakley’s scheme blakley1979safeguarding
is based on hyperplane while Asmuth-Bloom’s schemeasmuth1983modular and Mignotte’s scheme mignotte1982share are both based on Chinese Remainder Theorem. Linear code is another tool to construct (t,n)-SSs. In 1981, McEliece and Sarwate mceliece1981sharing proposed a formulation of (t,n) threshold secret sharing scheme based on maximum-distance-separable (MDS) codes, and pointed out that Shamir’s (t,n) threshold scheme can be constructed equivalently by using Reed-Solomon code. Subsequently, many secret sharing schemes based on linear codes were proposed massey1993minimal massey1995some carlet2005linear . In massey1993minimal massey1995some , Massey utilized the linear code to construct a secret sharing scheme, meanwhile he also presented the relationship between the access structure of secret sharing and the minimal code word of the dual code in linear code. All the above (t,n)-SSs do not depend on any computational assumption of hard problem or one way function.
In general, a (t,n)-SS scheme consists of share generation and secret reconstruction. In share generation, the dealer generates shares from the secret to be shared and allocates each shareholder a share securely. In secret reconstruction, or more than shareholders (also called participants or players) exchange shares privately and thus each participant can recover the secret from collected shares.
1.2 Two attacks against traditional (t,n)-SSs during secret reconstruction
Actually, these above traditional (t,n)-SSs are not secure in practice. In the following, we consider 2 attacks against secret reconstruction with more than participants, 1) Illegal Participant (or IP) attack and 2) Half Threshold private Channel Cracking (or HTCC) attack.
Both IP and HTCC attacks enable an adversary to obtain the secret without having any valid share.
1) IP attack
Suppose there are , (), participants in secret reconstruction, and one of them is an adversary without any valid share. If participants are not required to release their shares simultaneously and the adversary, in the name of some legal shareholder, (e.g. Shareholder in Fig.1) may communicate with the others, it could wait to collect enough (i.e.,) valid shares from the other participants and thus recover the secret. With these shares, the adversary can also forge a valid share and then act as a legal participant without being detected. We call it Illegal Participant (IP) Attack.
One countermeasure against the IP attack is user authentication das2004dynamic wazid2017novel . It guarantees that only right shareholders are allowed to participate in secret reconstruction, but user authentication makes (t,n)-SS more complicated because each participant needs to be authenticated by the others. Moreover, whether a secret can be recovered should depend on the share a participant holds rather than his/her identity.
2) HTCC attack
In traditional (t,n)-SSs, there usually exists a private channel between each pair of participants, by which 2 participants exchange shares privately. Once an adversary cracks a private channel, it can intercept any information through the channel, including 2 shares of the involved participants. Consequently, an adversary may recover the secret if it manages to crack distinct private channels, even though the number of participant may be much larger than the threshold . We called it Half Threshold private Channel Cracking (or HTCC) attack.
Similarly, if each participant, say A, sends its share to participant B via a private channel while receives share from B via another private channel, an adversary may recover the secret if it manages to crack distinct private channels.
That is, the robustness of -SS against private channel cracking attack depends on rather than . Obviously, it is more desirable if the robustness depends on the number of participant instead of due to .
Note that, for the convenience of discussion, the paper just takes the former case (i.e., HTCC attack) as example since the latter case is highly similar to the former.
Remark 1.1. Although adversaries in IP and HTCC attacks both have no valid share and need to collect enough shares by mounting attack before obtaining the secret, they are different in substance. An IP adversary may actively participate in secret reconstruction while a HTCC adversary merely eavesdrops cracked private channels passively and stays out of secret reconstruction. In other words, the information (i.e.,fake share) of the adverary in IP attack is used by all the other participants in secret reconstruction and thus leads to error, while all information used by participants is correct in HTCC attack. This results in the fact that a countmeasure valid for one attack is not always valid for the other. For example, user authentication das2004dynamic wazid2017novel can prevent IP attack but cannot thwart HTCC attack; In contrast, Harn’s secure secret reconstruction harn2014secure is resistant to HTCC attack but fails to prevent IP attack in most cases.
1.3 Related Work
As far as we know, there are the following 3 related countermeasures against IP or HTCC attack in secret sharing.
1) Shuffling Schemes
Incomplete shuffling luo2001providing with participants, every pair of participants exchange a shuffling factor (i.e. random integer), and thus each finally gets shuffling factors in total. A participant constructs a shuffled partial share with the shuffling factors. All shuffled partial shares are required to recover the secret; and thus a complete shuffling based (t,n)-SS forces an adversary to crack at least distinct private channels before figuring out the secret. There are totally shuffling factors exchanged in the scheme, which is obviously inefficient in communication for large . Subsequently, Zhang proposed the partial shuffling scheme zhang2008secret , participants form a loop in some order and communicate along the loop, each of them just picks one random number as the shuffling factor such that the sum of all shuffling factors is zero. Consequently, participants need to exchange shuffling factors in total, and an adversary has to crack at least private channel before obtaining the secret. However, both schemes require extra communication to exchange shuffling factor before secret reconstruction.
2) Threshold Changeable Secret Sharing
threshold changeable secret sharing scheme (threshold changeable SS) allows shareholders to change threshold from to t. In this case, or more than shareholders can recover the secret while less than cannot. Therefore, some threshold changeable SSs can prevent IP and HTCC attacks if there are exact participants with and the threshold is also raised to . For example,the dealer in schemes martin1999changing barwick2005updating , generate multiple shares for every shareholder, each share with a distinct threshold . Therefore, if shares with threshold are used to reconstruct the secret, exact participants can prevent IP and HTCC attacks. However, every shareholder in such schemes has to hold multiple shares and thus requires more storage, moreover, these schemes only raise threshold to predefined values.
As an improvement, Ron Steinfeld et al presented a lattice-based threshold changeable SS steinfeld2007lattice , shareholders add some noise to their shares or delete some bits of their share to compute subshares, which contain partial information about the original shares. As a result, a larger number of subshares are required to recover the secret by using a ”error-correction” combiner algorithm. The scheme does not require communication either between the dealer and shareholders or among shareholders. However, 1) the share combiner needs to communicate with all participants and instruct them to change threshold; 2) the scheme is lattice-based and thus is complicated in computation; 3) it is far from a perfect scheme. In 2017, H. Pilaram and T. Eghlidos proposed a lattice based threshold changeable multi-secret sharing scheme pilaram2017lattice .
Nojoumian et al Nojoumian2012Dealer presented a Shamir’s (t,n)-SS based dealer-free threshold changeable scheme using secure multiparty computation. The scheme remains some properties of Shamir’s (t,n)-SS, such as being unconditionally secure and ideal, moreover, it can change the threshold to any value. Later on, they also proposed a method of increasing threshold by zero addition nojoumian2013dealer , it increases the threshold by generating shares of a polynomial that corresponds to a secret with value zero and threshold , and adding these new shares to player’s current shares. However, due to resharing operation, both schemes require too much computation in participants and communication among participants. In 2016, Yuan et al Yuan2016Novel
came up with 2 threshold changeable schemes based on Lagrange interpolation polynomial and 2-variable one-way function. Both schemes require the dealer to evaluate and store a lot of values before increasing the threshold. Moreover, it needs the combiner (i.e., the proxy of the dealer) to send each participant a distinct key to active the share additionally.
In conclusion, current threshold changeable SSs suffer from either large storage or heavy computation/communication. In section 4, we will propose a special SS scheme which is capable of thwarting IP and HTCC attacks and efficient in storage, computation and communication.
3) Secure Secret Reconstruction
Recently, Harn harn2014secure introduced a notion of secure secret reconstruction and proposed the (t,n)-secure secret reconstruction (or SSR) scheme. The scheme takes advantage of the homomorphism of polynomials benaloh1986secret and does not call for extra communication before recovering the secret. It claims that the secret can only be reconstructed if each participant has valid shares, and thus can defeat IP and HTCC attacks without using user authentication. Actually it is not true. Based on similar idea, Harn et al Harn2015Dynamic also proposed a bivariate SS scheme, which has the similar problem. We will discuss it in section 3.
Therefore, it is necessary to construct an efficient secret sharing scheme against both IP and HTCC attacks simultaneously to meet the security requirement of aforementioned group oriented applications.
We summarize the contributions in 3 aspects.
1) In order to cope with IP and HTCC attacks against (t,n)-SS, the paper presents the notion and generic framework of (t,m,n)-Tightly Coupled Secret Sharing (or (t,m,n)-TCSS). By following the framework, most traditional (t,n)-SSs can be simply converted into (t,m,n)-TCSSs and thus endowed with the capability to frustrate both attacks. It should be noted that (t,m,n)-TCSS under the framework can be applied to any scenario of (t,n)-SS. Moreover, threshold changeable secret sharing schemes can also be easily constructed according to the framework.
2) As an implementation of the framework, a concrete (t,m,n)-TCSS scheme is proposed from the traditional linear code based (t,n)-SS. The (t,m,n)-TCSS does not depend on any hard problem or one-way function. In contrast with related schemes, the (t,m,n)-TCSS is resistant to the above 2 attacks without special limitations and more efficient in storage, computation and communication.
3) As an application of the (t,m,n)-TCSS scheme, a group authentication protocol is constructed to enable the rapid m-to-m authentication in group oriented applications.
The rest of this paper is organized as follows. In next section, we briefly review the linear code based (t,n)-SS and Harn’s Secure Secret Reconstruction; section 3 gives the definition of Tightly Coupled Secret Sharing. We describe our proposed (t,m,n)-TCSS and analyze the security in section 4 and section 5 respectively, section 6 summarizes the properties of (t,m,n)-TCSS. As an application, the group authentication protocol is constructed in section 7. Finally, we present some discussions and conclude the paper in section 8 and section 9 respectively.
2.1 Notations and terms
Here are some notations used throughout the paper, denotes the integer set and is used to lable all shareholders; , with the cardinality , m is a subset of , is used to lable any out of shareholders; is a finite field for large prime , is the multiplicative group of ; denotes that
is a random number uniformly distributed in. is the cardinality of set .
In (t,n)-SS, a shareholder is also called participant when it is participating in secret recovering. So shareholder and participant will be used alternately during secret reconstruction.
2) Information theoretical terms
Now we introduce some basic terms in information theory, suppose
are discrete-time discrete-valued random variables with sample space. The entropy of is denoted as
where is the expectation operator and
is the probability distribution function of. From the view of an adversary, the secret in (t,n)-SS is indistinguishable from a random variable uniformly distributed in secret space. Therefore, we use to denote uncertainty of the secret.
The mutual information of with is written as
means the amount of information about obtained due to the knowledge . In the following sections, we will write as for simplicity.
3) Some Definitions
Definition 2.1. (Perfect (t,n)-SS) Let , and be the secret, secret space and the share set of a (t,n)-SS respectively with . The (t,n)-SS is perfect with respect to probability distribution of on the secret space if
where denotes any subset of with less than shares, i.e. and .
As a secret value, the secret actually appears as a random variable uniformly distributed in secret space . In a perfect (t,n)-SS, less than shareholders get no information about the secret even if they have up to shares. Loosening the perfect (t,n)-SS a little bit, we get the definition of asymptotically perfect (t,n)-SS as follows.
Definition 2.2. (Asymptotically Perfect (t,n)-SS) A (t,n)-SS is asymptotically perfect with respect to probability distribution of on secret space if, for all with , we have
where is the cardinality of .
Asymptotically perfect -SS implies that less than shareholders get nearly no information about the secret when the secret space converges to infinity.
2.2 Traditional (t,n)-SS based on Linear Code
There are several ways to construct a (t,n)-SS scheme based on linear code massey1993minimal , one of them comes as follows:
Assume that a linear code is a subspace of with length and dimension , and is the public generator matrix of linear code , where
is a nonzero column vector,has the rank .
In the traditional (t,n)-SS scheme based on , there is a dealer and shareholders , the secret is a value in . The scheme consists of the following two steps:
Share Generation: The dealer privately chooses a row vector , such that the secret is , it is obvious that there are totally such for a given pair . The dealer generates the code word and allocates to as the share securely, .
Secret Reconstruction: If , () out of shareholders, need to recover the secret , they first find a group of parameters over such that holds, and then pool their shares in private to compute the secret as
2.3 Harn’s Secure Secret Reconstruction
In 2014, Harn harn2014secure proposed a (t,n) secure secret reconstruction (or SSR) scheme. The scheme claims to be resistant to IP attack without VSS or user authentication. Our work is partly inspired by the notion of this scheme. It works as follows.
1) Share generation
Suppose there are shareholders, , the dealer selects random polynomials , , over with degree no more than each and generates shares , , for each shareholder , . For any secret , the dealer can always find integers, , in , such that where and for every pair of and , is the public information of The dealer makes these integers , , publicly known.
2) Secret reconstruction
Assume , m out of shareholders want to recover the secret, each participant uses shares , to compute a Lagrange component, , and releases to all the other participants secretly.
After knowing , each participant computes the secret as
Remark 2.1. The scheme claims to require to guarantee the security, otherwise, an adversary may collect Lagrange components, construct the polynomials and finally recover the secret. As a matter of fact, Lagrange components is linearly dependent in the case of . Interested readers can refer to ahmadian2018linear for more detail. Therefore, it is possible for an adversary to forge a valid Lagrange component from the other ones and finally obtain the secret without being detected. That is, the scheme is vulnerable to IP attack.
3 Definition of (t,m,n)-Tightly Coupled Secret Sharing
This section first presents the basic idea and overview of (t,m,n)-Tightly Coupled Secret Sharing (or (t,m,n)-TCSS), then puts forward the notion of (t,m,n)-TCSS, defines the framework and finally presents the property of the new type of SS.
3.1 Basic Idea and Overview of (t,m,n)-TCSS
Currently, most related work cannot effectively and efficiently deal with IP and HTCC attacks. In order to simultaneously defeat both attacks during secret reconstruction in traditional -SS, we define a new type of SS, -Tightly Coupled Secret Sharing. On one hand, it is more secure -SS and can be applied to any scenario of -SS; On the other hand, it provides a suitable cryptographic primitive for group oriented applications.
As we know, for traditional -SSs, the reason why IP and HTCC attacks work lies in the direct exchange of bare shares among participants (i.e.,shareholders) during secret reconstruction. In other words, since shares are sent from one participant to another through private channel, an illegal participant are able to directly collect shares from the others, or an adversary can directly intercept shares as long as it cracks the private channel. Consequently, the secret may be obtained illegally if enough shares are collected in the above 2 ways.
After learning the aforementioned reason, we need to present a new type of secret sharing which does not requires bare shares to be transmitted among participants during secret reconstruction. That is, to secure secret reconstruction, the following 2 requirements need to be satisfied at the same time. 1) Shares need to be protected before transmission through private channels, such that an illegal participant cannot figure out the share itself even if it obtains the protected share. By this property, IP attack can be prevented. 2) All participants’ protected shares need to be directly used to recover the secret (i.e., need not to uncover any share from the protected one), such that an adversary has to intercept all protected shares before obtaining the secret. By this property, HTCC attack can be thwarted accordingly.
In summary, we need to find a solution based on traditional -SSs to protect share during share exchange among participants and guarantee that each protected share has to be directly used to recover the secret.
From the 2 requirements, we can determine the 3 steps of -TCSS, 1) share generation, which is basically the same as traditional (t,n)-SS and responsible for generating and distributing a share to each shareholder securely. 2) component construction, in which each participant constructs a protected share, called Component, from its own share and all participants’ public information non-interactively. 3) secret reconstruction, in which all participants exchange their components, each participant recovers the secret independently from all components.
Following the basic idea, we can easily formulate the definition and framework of (t,m,n)-TCSS, which is capable of thwarting both IP and HTCC attacks and thus enables group oriented application.
3.2 Definition and Framework
Definition 3.1. (t,m,n)-Tightly coupled secret sharing
Informally, let be positive integers with m. (t,m,n)-Tightly coupled secret sharing (or (t,m,n)-TCSS ) is a special type of (t,n)-SS and satisfies 1) any or more than shareholders are able to recover the secret; 2) less than shareholders cannot reconstruct the secret and 3) when shareholders recover the secret, they form a tightly coupled group such that the secret can be recovered only if each participant in the group has a valid share.
A (t,m,n)-TCSS consists of 3 algorithms, Share Generation SG, Component Construction CC, and Secret Reconstruction SR.
SG-it takes the secret and the set of shareholders, , as input and generates , the set of shares as output. In this algorithm, the dealer generates shares from the secret and allocates each share to the corresponding shareholder in securely.
CC-it takes , as well as as input and outputs , where is the set of participants, denoting a subset of with shareholders, is the share set of , is a set of random numbers and is the set of components. In this algorithm, each participant in generates a component with its share in and a random number in non-interactively.
SR-it takes as input and recovers the secret as output. In this algorithm, each participant uses all components of (i.e., ) to recover the secret independently.
3.3 Formal Description and Property
Formally, let be the secret space, share space and identity space respectively in (t,n)-SS, is the secret. Assume are shareholders, each shareholder has the private share and public identity .
Before any shareholders, , (i.e., and ), want to recover the secret, they need to form a tightly coupled group by constructing a component each. That is, each shareholder constructs a component , where is a component construction function; is the share of ; is random number uniformly selected from , i.e., , and denotes the power set of . Therefore, is a valid component set of . The (t,n)-SS is a (t,m,n)-TCSS if
where the secret is viewed as a random variable in . is a component set actually used in recovering , denotes converging to 0 if approaches to infinity.
Remark 3.1. The expression (3-1) implies the 2 facts, (1) If , the component set actually used in secret reconstruction, is identical with , the right one generated by , and the number of participants is no less than , the secret is bound to be recovered; (2) If does not contain all components in , almost no information about the secret can be obtained.
Remark 3.2. In fact, ’s component serves as 2 functions, one is to hide the share from eavesdroppers (i.e., Outsiders in section 4.1) by using as perturbation; the other is to bind (i.e. the share ) with all participant and thus make inseparable from the others. In this sense, we say that all participants in form a tightly coupled group, the secret can be recovered only if all participants collaborate. That is why we name our scheme Tightly Coupled Secret Sharing.
Remark 3.3. A (t,m,n)-TCSS is an improved (t,n)-SS, it directly uses components, instead of shares, to recover the secret. On one hand, as a (t,n)-SS , it requires at least shareholders to reconstruct the secret. On the other hand, once m shareholders decide to recover the secret, they compose a tightly coupled group by each generating a component independently. In this case, the secret can be recovered only if all participants have valid components, which in turn means each participant has the right share.
4 Proposed (t,m,n)-TCSS based on Linear Code
This section proposes a concrete linear code based (t,m,n)-TCSS scheme by following the above definition and framework.
4.1 Entities and Model
There are 3 types of entity in our proposed (t,m,n)-TCSS scheme, the Dealer, shareholders and some adversaries. In order to facilitate group oriented applications or some other distributed applications, we use the same communication model as Harn’s scheme harn2014secure . That is, during secret reconstruction, each pair of participants share a private channel to exchange private information (i.e., components in our scheme) and thus recover the secret independently.
The dealer is the honest coordinator trusted by all shareholders, and responsible for scheme setup such as determining system parameters, choosing the secret, generating and distributing shares and so on. We simply assume that the dealer allocates each share to the corresponding shareholder securely since our work merely focuses on security during secret reconstruction.
There are totally shareholders, each with a share generated by the dealer. Every pair of them share a private channel to exchange information. Different from most security model, we assume that the channel may be cracked in extreme cases. Consequently, information through the channel may be intercepted by adversaries. When , shareholders (i.e. participants) recover the secret, each of them first exchanges components with the others through corresponding private channels. Then, every participant independently recovers the secret from all components.
Note that once the secret is recovered, every participant has the secret. Therefore, we assume that a shareholder only constructs a single component in its lifetime and never generates more than one component with its share.
Our goal is to prevent an adversary, without any valid share, from access to the secret illegally.
In most cases, legal shareholders care more about secret disclosure than recovering the secret correctly, i.e. they would rather give up recovering the secret than leak it to adversaries. Therefore, in order to prevent secret disclosure, (t,m,n)-TCSS considers the following adversaries.
(1) Outsider: It is an adversary without any valid share. An Outsider appears in 2 forms during secret reconstruction.
a) Outsider-1: It impersonates a legal shareholder but without the right share. That is, in the name of some legal shareholder, it is allowed to receive private information (i.e., components in our scheme) from the other participants and send a forged component to the others. An Outsider-1 aims to forge a valid component from received ones or obtain the secret.
b) Outsider-2: It somehow cracks private channels between some participants and thus can intercept any information ( i.e., components in our scheme) through these cracked channels by eavesdropping. It aims to figure out shares or even the secret from components available.
Note that, since a participant never generates more than one component with its share, an Outsider can only obtain a single component from one participant at most.
(2) Insider: It is actually a legal shareholder. When less than shareholders conspire to recover the secret, these misbehaving shareholders are called Insiders. They aim to recover the secret with less than shareholders participating.
Remark 4.1. In secret reconstruction of traditional -SS, shares are exchanged privately among shareholders. In contrast, -TCSS requires components, instead of shares, to be exchanged among shareholders during secret reconstruction. In -SS, if an Outsider-2 cracks a private channel between 2 participants, it can easily obtain the shares through the cracked channel. Consequently, the Outsider-2 can take advantage of the intercepted share and act as an Insider in the future. Therefore, Outsider-2 and Insider are closely connected with each other in -SS . However, the case is quite different in -TCSS. We know from section 3 that a component has different properties from a share and a share cannot be obtained from a given component. Moreover, an component binds a shareholder with the other participants and make them inseparable. As a result, 1) an Outsider-2 is distinct from an Insider in -TCSS, since the Outsider-2 cannot figure out any share even if it intercepts some components by eavesdropping. Therefore, if the Outsider-2 intercepts some components generated by a tightly coupled group of shareholders, it has to further collect all the components before obtaining the secret. In contrast, an Insider is allowed to flexibly choose any number of shareholders to form a tightly coupled group before secret reconstruction. Of course, as long as insiders are available, the secret can be recovered. 2) An Outsider-1 is also different from Outsider-2 since Outsider-1 actively participates in secret reconstruction while Outsider-2 just passively eavesdrops components. The components collected by Outsider-1 contain information of its own while the components intercepted by Outsider-2 do not have any information of itself.
4.2 Our Scheme
The proposed (t,m,n)-TCSS consists of 1)Share Generation, 2) Component Construction and 3) Secret Reconstruction (see Figure 3).
In Share Generation, the dealer picks parameters to initialize the scheme, generates shares and allocates each one to a shareholder securely. If , shareholders need to recover the secret, they form a tightly coupled group by each constructing a component with the share, a random number and all participants’ identities (i.e. Component Construction). In Secret Reconstruction, all participants exchange components through private channels, each participant recovers the secret independently by adding up all components. Roughly speaking, since all components are required in recovering the secret, the scheme are capable of frustrating IP and HTCC attacks.
More detailed description are given as follows.
1) Share Generation
Suppose there are shareholders , and a dealer in the scheme, is a linear code of length (), dimension . chooses two large primes , with and , the public generator matrix of , is a column vector, has rank , i.e., any column vectors are linearly independent while any set of column vectors are linearly dependent, which guarantees that any or more than shareholders are qualified to reconstruct the secret, but less than shareholders are unqualified. The following Vandermonde matrix is an option of for distinct .
The dealer first randomly chooses the secret and determines a non-zero row vector privately such that , and then generates the code word . Finally, the dealer allocates to as the share secretly for
2) Component Construction
If , participants, , m, need to recover the secret , they determine the corresponding public coefficients non-interactively such that holds. is easy to find because and are linearly dependent. Take for example, each participant can independently determine as follows, first let for , and then evaluates the remaining coefficients , such that . In this way, all participants share without interaction.
Each participant, e.g. , picks a random number in private and constructs a component as
Remark 4.2. As a matter of fact, can be directly expressed as due to Lagrange interpolation if the dealer chooses as in (4-1). Therefore, is actually the function of , and , it further means the component binds the participant (i.e. its share ) with all participants and protects the share from exposure by random number .
3) Secret Reconstruction
Each participant in , e.g. , releases the component to the others through corresponding private channels. After obtaining all components recovers the secret as
|shareholders: is the public identity of each shareholder;|
|out of shareholders: ;|
|Public primes: with ;|
|Linear code: with length and dimension ;|
|Public generator matrix of :|
|with rank t, column vector , ;|
|Private row vector: ;|
|1) Share Generation|
|randomly picks , designates and , such that , allocates to as the share privately and securely for , makes public and keeps and s in secret.|
|2) Component Construction|
|To recover the secret, shareholders, form a tightly coupled group. That is, according to some specified rule (see step 2) in section 4.2), each participant first determines the unique set of public coefficients by itself such that . Then it picks a random number privately to compute a component as .|
|3) Secret Reconstruction|
|Each participant releases to the other participants through private channels. After collecting all components, each participant independently recovers the secret as .|
Fig. 3: (t,m,n)-Tightly Coupled Secret Sharing Scheme
Theorem 4.1. In (t,m,n)-TCSS, any or more than shareholders are able to reconstruct the secret from all their components. That is, given shareholders , each shareholder with the component , the secret can be recovered as
Note that we have due to , and As a result, (4-2) is equivalent to (4-3).
5 Security analyses of (t,m,n)-TCSS Scheme
In (t,m,n)-TCSS, we use component to protect a participant’s share. To reconstruct the secret, adversaries must get either at least right shares or all , valid components if participants collaborate. We show the security by the following 4 theorems. Theorem 5.1 shows that one cannot figure out the share from a given component; Theorem 5.2 proves the capability of (t,m,n)-TCSS against IP attack while Theorem 5.3 guarantees the scheme is resistant to HTCC attack; Theorem 5.4 testifies to the fact that up to Insiders are still unable to reconstruct the secret in (t,m,n)-TCSS.
Theorem 5.1. In (t,m,n)-TCSS, given , the component of participant , the probability for an adversary to derive the share is , i.e.
where are large primes with , is uniformly distributed in , and are over and respectively.
Proof: From , we have
where is the multiplicative inverse of modulo . Note that , from the view of an adversary, is indistinguishable from a random variable uniformly distributed over .
Obviously, the value of , and are known, given , the share is a function of from the adversary’s view. According to the property of finite field , there must be different values of for distinct . Consequently, there are totally distinct values of when varies over . As a result, an adversary derives from with the probability for .
Theorem 5.1 implies that, given the component , an adversary never has a chance more than to get the covered share , which is as difficult as directly guessing the secret when it is uniformly selected from the secret space . The theorem shows a share can be well protected by the component.
In the following, we give Lemma 5.1, Lemma 5.2 and Corollary 5.1 as the basis to prove that a component has a uniform distribution over , which in turn lays the groundwork for Theorem 5.2 and 5.3.
Lemma 5.1. Suppose that random variable is uniformly distributed in , for any value , has a uniform distribution over .
Proof: we immediately get the lemma from the property of finite field .
Lemma 5.2. Given prime and random variables , mutually independent and uniformly distributed in , has a uniform distribution over if not all values , are zero.
Proof: Let us first consider the case of then generalize the case of being any positive integer.
1) If one of and is zero, it is obvious that is uniformly distributed over from Lemma 5.1.
If both and are nonzero, and are uniformly distributed over from lemma 5.1. To prove is uniformly distributed in , we assume that and are any 2 different values of variable . In this case, and are obviously distinct in for . Thus, and are 2 distinct permutations of when varies over . More generally, are distinct permutations of for different , , values of random variable . That is, each value in appears with the same frequency. Therefore, is uniformly distributed in .
2) Now that is uniformly distributed in , by iterating the procedure in 1), we have that has a uniform distribution over .
Corollary 5.1. has a uniform distribution over if random variables and are uniformly distributed over and respectively for and , where all variables are mutually independent, and are positive primes with , values
Proof: (omitted) the corollary can be proved by the method similar to lemma 5.2.
Theorem 5.2. The proposed (t,m,n)-TCSS scheme is able to thwart IP attack. Concretely, an Outsider-1, even having collected components, cannot forge a valid component to recover the secret.
Proof: We first consider the normal case that , participants, e.g. for simplicity, form a tightly coupled group by constructing the corresponding components That is, each participant constructs the component with the share . Thus, where each , , actually represented by , , is public while is secret and , are private.
Suppose the Outsider-1 impersonates in , i.e., it does not have , the valid share of , but can communicate with the others and thus receive valid components .
In the following, we first show that, for an Outsider-1, , the component of , is indistinguishable from a random variable uniformly distributed in . Then, we prove that the Outsider-1 forging a valid component is nearly as difficult as directly guessing the secret within the secret space. Finally, we show that the Outsider-1 cannot get the secret by forging multiple components.
1) First, we show that, in the view of Outsider-1, each unknown share and the corresponding component are uniformly distributed over .
We have with non-zero vector and , where each is an integer uniformly and privately selected by the dealer within . From the view of Outsider-1, each is indistinguishable from a random variable uniformly distributed over ; is a nonzero column vector for . According to Lemma 5.2, each unknown share, , is uniformly distributed over for an Outsider.
Obviously, the corresponding component , and are also uniformly distributed over according to Corollary 5.1. Note that, for the Outsider-1, and are uniformly distributed over and respectively while and are fixed values.
2) In this case, the Outsider-1 is allowed to forge any value of , say . Assume is some function which takes or any subset of as input and produces a presumed secret, e.g., as output. In practice, denotes any method taken by the Outsider-1 to derive a presumed secret from available information, i.e., or its any subset. Without losing the generality, suppose that the Outsider-1 derives a value in some way, if happens to equal the secret , the Outsider-1 succeeds. Now let examine the probability of success, .
Note that the left-hand side of (5-1) is uniformly distributed of . Consequently, there are at most possible values of satisfying the equation (5