A SHORT NOTE ON SECRET SHARING USING ELLIPTIC CURVES
Volker Müller
University of Luxembourg, Faculty of Sciences, Technology and Communication
6, rue Richard Coudenhove-Kalergi, L-1359, Luxembourg
Keywords:
Elliptic curve, threshold scheme, verifiable secret sharing, bilinear map.
Abstract:
In this short note, we describe a variant of Shamir’s (n,t)-threshold scheme based on elliptic curves. Moreover,
we show how pairings of elliptic curves can be used to also provide verifiability for the new elliptic curve based
threshold scheme.
1 INTRODUCTION
Sharing a secret between a group of participants is a well-known and long solved problem in cryptography. A (n,t)-threshold scheme is a method by which a trusted third party computes n secret shares from a secret and distributes these shares secretly to the n participants. If t or more participants pool their shares, then the secret can be determined, otherwise no substantial information about the secret is given (Menezes et al., 1997). Shamir first described a (n,t)-threshold scheme based on polynomial interpolation over finite fields (Shamir, 1979). In this short note, we describe how the ideas of Shamir’s threshold scheme can be slightly modified to obtain a (n,t)-threshold scheme based on elliptic curves. An additional property of this new scheme is the fact that any already existing elliptic curve related cryptographic information can be reused and existing security devices like smartcards can easily be adapted to the new threshold scheme.
We assume that the reader is already familiar with elliptic curves and their usage in public key cryptography; descriptions of ECC in theory and practice can be found in, e.g., (Hankerson et al., 2004), (Koblitz, 1987), (Certicom, 2000), and many other publications. In the following, we assume that $K$ denotes a finite prime field with $q$ elements, and $E$ is a cryptographically secure elliptic curve defined over $K$. The group of points on $E$ defined over $K$ is denoted as $E(K)$.
2 SECRET SHARING USING ELLIPTIC CURVES
Shamir’s scheme for secret sharing (Shamir, 1979) uses polynomial arithmetic and interpolation. The scheme encodes a secret as the constant term of an otherwise randomly chosen polynomial $f(x)$ of degree $t-1$ defined over a fixed finite field $K$. A share of the secret is then a pair $(x_i, f(x_i)) \in K^2$. The first component $x_i$ of this share can even be made public and directly depend on the identity of the corresponding participant, but the second component $f(x_i)$ must be kept absolutely secret. Any $t$ different such pairs are sufficient to reconstruct the secret using polynomial interpolation; on the other hand, knowledge of fewer than $t$ pairs does not yield the polynomial $f$, and therefore does not open the shared secret.
There exist several algorithms for polynomial interpolation over a field (see, e.g., (Stoer and Bulirsch, 1991)). Using the polynomial $\omega(x) = \prod_{j=1}^{t} (x - x_j)$, the Lagrange interpolating polynomial $f(x)$ for $t$ pairs $(x_i, f(x_i))$, $1 \le i \le t$, is given as

$$ f(x) = \sum_{i=1}^{t} \frac{\omega(x)}{(x - x_i) \cdot \omega'(x_i)} \cdot f(x_i) . \qquad (1) $$
Interestingly for elliptic curves, formula (1) is linear in $f(x_i)$, and therefore easy to apply also in the group of points on an elliptic curve. We assume that from an ECC setup we already know a cryptographically strong elliptic curve $E$ defined over a finite prime field $K$ of $q$ elements and a base point $P \in E(K)$ with order larger than $q$. For simplicity, we assume that $E(K)$ is cyclic, and $P$ is a generator of the group. Additionally, for every participant $i$ in the threshold scheme there exists a public key point $Q_i = d_i \cdot P$, where the integer $0 < d_i < \mathrm{ord}(P)$ defines the secret key of that participant.

Müller V. (2008). A SHORT NOTE ON SECRET SHARING USING ELLIPTIC CURVES. In Proceedings of the International Conference on Security and Cryptography, pages 359-362. DOI: 10.5220/0001918303590362. Copyright © SciTePress.
The general idea of the elliptic curve $(n,t)$-threshold scheme is based on the fact that with (1) we can determine $f(\lambda) \cdot P$ for $P$ and any integer $0 \le \lambda < q$ if we know $t$ different points $f(x_i) \cdot P$ for modulo $q$ pairwise different integers $x_i \not\equiv 0 \bmod \mathrm{ord}(P)$. Therefore, the trusted third party can set up the system by choosing a random polynomial $f(x) \in K[x]$ of degree $t-1$, and secretly distributing the shares $(x_i, f(x_i) \cdot P)$, $1 \le i \le n$, to the $n$ participants. The $n$ integers $0 < x_i < q$ must be pairwise different, but as in Shamir’s system they can be made public or directly computable from the identity of the participants. Secure distribution of the secret part $f(x_i) \cdot P$ of the shares to the participants can be done by encrypting it with the ECC public key of the corresponding participant. Then this ciphertext is either communicated to that participant over an insecure channel, or it can be published, since only the owner of the correct ECC secret key can open that partial share.
When at least $t$ participants pool their shares, then they can determine the point $f(0) \cdot P$ using (1). In contrast to Shamir’s system, we do not encode the global secret $m$ as one of the coordinates of a point, but we use $f(0) \cdot P$ as a secret key for some fixed secret key cryptosystem to encrypt $m$. More precisely, we proceed as in the Elliptic Curve Integrated Encryption Scheme (e.g., (Certicom, 2000)) and apply a secret key cryptosystem ENC, a key derivation function KDF and a message authentication code MAC to first find $k_E \,\|\, k_M = \mathrm{KDF}(x(f(0) \cdot P))$ and then publish the encrypted secret as $c \,\|\, d$ where $c = \mathrm{ENC}(k_E, m)$ and $d = \mathrm{MAC}(k_M, c)$. It is obvious that anybody who can determine the secret point $f(0) \cdot P$ can also easily open the encrypted global secret by first computing $k_E$ and $k_M$ and then applying the secret key decryption procedure.
Theorem 1. Knowledge of $t$ or more shares opens the global secret $m$. On the other hand, knowledge of fewer than $t$ shares only yields at least $q/2$ many possibilities for the input of the KDF if the order of $P$ is greater than $q$.

Proof: The proof is essentially equal to the proof of Shamir’s system. As described above, the point $f(0) \cdot P$ can be determined easily with polynomial interpolation for $t$ or more known shares. On the other hand, there are $q$ possible constant terms for polynomials of degree $t-1$ given at most $t-1$ pairs $(x_i, f(x_i))$. If the order of $P$ is greater than $q$, then this leads to $q$ possibilities for the point $f(0) \cdot P$. Since we are using only the $x$-coordinate of that point to encrypt the global secret, there remain at least $q/2$ many possible inputs to the KDF.
It should be noted that KDF and ENC should be chosen with appropriate parameters (especially providing a sufficiently large key space for ENC) since otherwise the total system will be insecure. After the setup of the threshold scheme, the following protocol can be started by a dedicated participant (with index 1) to open the shared secret with the help of $t-1$ other participants:
Participant 1 chooses a random point $H \in E(K)$, decrypts his encrypted share $f(x_1) \cdot P$ using his secret ECC key and determines with his share the result $H - \frac{\omega(0)}{x_1 \cdot \omega'(x_1)} \cdot (f(x_1) \cdot P)$. Then he sends this information to the next participant. Note that if all values $x_i$ are publicly known, then $\omega(0)$ and $\omega'(x_i)$ can be precomputed.

The second participant decrypts his secret share $f(x_2) \cdot P$ with his secret ECC key, subtracts the point $\frac{\omega(0)}{x_2 \cdot \omega'(x_2)} \cdot (f(x_2) \cdot P)$ from his input point and sends the result to the next participant. All other participants do the same with their shares, respectively. The last participant forwards the result to participant 1 who started the whole protocol.

Participant 1 subtracts the randomly chosen initial point $H$ from his input point and obtains the secret point $f(0) \cdot P$. He can then open the global secret.

The proof that this scheme really determines $f(0) \cdot P$ directly follows from (1). Note that this EC threshold scheme is neither ideal nor perfect, but nevertheless it is practical since it does not require knowledge of any additional secret key.
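The dealer setup, the chained opening protocol with the masking point $H$, and the ECIES-style wrapping of $m$ described in this section, as an added worked example that is not part of the original paper. It uses a constructed textbook toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $P = (5,1)$ of prime order 19 (so $E(K)$ is cyclic, $P$ generates it and $\mathrm{ord}(P) > q$), takes the polynomial and the Lagrange weights modulo $\mathrm{ord}(P)$ so that the interpolation in the exponent is exact, and stands in for ENC, KDF and MAC with a SHAKE-256 one-time stream, SHA-256 and HMAC-SHA256. The curve, the function names and these instantiation choices are the example's own assumptions; the parameters are far too small to be secure.

```python
# Toy version of the EC (n,t)-threshold scheme of Section 2 (constructed example,
# not the paper's code): dealer setup, the chained opening protocol with the
# masking point H, and the ECIES-style wrapping of the global secret m.
# Curve y^2 = x^3 + 2x + 2 over F_17 with P = (5,1) is a textbook toy whose point
# group has prime order 19, so E(K) is cyclic, P generates it and ord(P) = 19 > q = 17.
import hashlib
import hmac
import secrets

Q, A, B = 17, 2, 2   # prime field K = F_q and curve coefficients (toy values)
P = (5, 1)           # base point; the point at infinity O is represented by None

def inv(a, m):
    return pow(a % m, -1, m)

def ec_add(p1, p2):
    """Affine addition on E(K), including O and the doubling case."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % Q == 0:          # p2 = -p1
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, Q) % Q
    else:
        lam = (y2 - y1) * inv(x2 - x1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return (x3, (lam * (x1 - x3) - y1) % Q)

def ec_neg(p):
    return None if p is None else (p[0], (-p[1]) % Q)

def ec_mul(k, p):
    """Double-and-add scalar multiplication for k >= 0 (k = 0 gives O)."""
    r, acc = None, p
    while k > 0:
        if k & 1:
            r = ec_add(r, acc)
        acc, k = ec_add(acc, acc), k >> 1
    return r

def point_order(p):
    n, acc = 1, p
    while acc is not None:
        acc, n = ec_add(acc, p), n + 1
    return n

N = point_order(P)   # ord(P) = 19; polynomial and Lagrange arithmetic is done modulo N

def lagrange_coef(xi, xs):
    """omega(0) / (x_i * omega'(x_i)) mod N with omega(x) = prod_j (x - x_j).
    This equals -L_i(0), which is why the protocol *subtracts* each weighted share."""
    omega0, omega_prime = 1, 1
    for xj in xs:
        omega0 = omega0 * (-xj) % N
        if xj != xi:
            omega_prime = omega_prime * (xi - xj) % N
    return omega0 * inv(xi * omega_prime, N) % N

def dealer_setup(n, t, rng=secrets.randbelow):
    """Trusted third party: random f of degree t-1 over Z_N with f(0) != 0 and shares
    (x_i, f(x_i)*P) for x_i = 1..n.  Also returns f(0)*P so a caller can check the result."""
    coeffs = [1 + rng(N - 1)] + [rng(N) for _ in range(t - 1)]
    f = lambda x: sum(a * pow(x, i, N) for i, a in enumerate(coeffs)) % N
    return {x: ec_mul(f(x), P) for x in range(1, n + 1)}, ec_mul(coeffs[0], P)

def open_point(shares, subset, rng=secrets.randbelow):
    """Chained protocol: the initiator subset[0] masks with a random H, every participant
    subtracts omega(0)/(x_i omega'(x_i)) * (f(x_i)*P), and the initiator removes H."""
    H = R = ec_mul(1 + rng(N - 1), P)
    for xi in subset:
        R = ec_add(R, ec_neg(ec_mul(lagrange_coef(xi, subset), shares[xi])))
    return ec_add(R, ec_neg(H))   # f(0)*P whenever len(subset) >= t

def kdf(point):
    """k_E || k_M = KDF(x(f(0)*P)): SHA-256 of the x-coordinate, split into two halves."""
    k = hashlib.sha256(b"ec-threshold-kdf|" + point[0].to_bytes(2, "big")).digest()
    return k[:16], k[16:]

def wrap_secret(point, m):
    """c = ENC(k_E, m) with a SHAKE-256 one-time XOR stream (toy ENC), d = MAC(k_M, c)."""
    k_e, k_m = kdf(point)
    c = bytes(a ^ b for a, b in zip(m, hashlib.shake_256(k_e).digest(len(m))))
    return c, hmac.new(k_m, c, "sha256").digest()

def unwrap_secret(point, c, d):
    """Returns m, or None when the MAC fails (wrong reconstructed point or modified c)."""
    k_e, k_m = kdf(point)
    if not hmac.compare_digest(d, hmac.new(k_m, c, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(c, hashlib.shake_256(k_e).digest(len(c))))
```

Each iteration of the loop in `open_point` is one participant's step of the protocol (the initiator is `subset[0]`, and the final subtraction of `H` is the initiator's last step), so the intermediate `R` values are exactly the points that travel between participants. Running it with fewer than `t` shares still returns a point, but a wrong one, and `unwrap_secret` then fails on the MAC rather than returning garbage.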
3 VERIFIABLE SECRET SHARING VARIANTS
In the last 10 years, bilinear maps for elliptic curves (also denoted pairings) have been applied to various cryptographic applications (CL, 2008). We can also use such maps for the EC $(n,t)$-threshold scheme to provide additional properties. Assume that for a given cryptographically strong elliptic curve $E$ there exists some small positive integer $s$ and a bilinear map $e$,

$$ e : E(K) \times E(K) \to K^s ; \qquad e(a \cdot P, b \cdot Q) = e(P,Q)^{ab} , $$

with the additional property that for points $P \ne O$ we have $e(P,P) \ne 1$. Such maps are for example given by the Weil pairing or the Tate pairing (Galbraith et al., 2002). The importance of these maps for cryptographic applications is the fact that they “link” the discrete logarithm in the elliptic curve point group to a discrete logarithm in the finite field $K^s$. Therefore, the security of the ECC system enforces certain conditions on $E$ and $K$ such that the discrete logarithm problem in $K^s$ is also difficult to solve. In the following, we will make use of such maps to add verification procedures to the EC threshold scheme described above (note that similar techniques were also used in (Baek and Zheng, 2004) and (Liu et al., 2007)).

SECRYPT 2008 - International Conference on Security and Cryptography
3.1 Verifiable Secret Sharing à la Feldman

We describe an EC variant for the verifiable secret sharing scheme of Feldman (Feldman, 1987), where additional information (so called commitments) is provided such that the participants can verify the correctness of their shares.
The commitments in the EC variant of Feldman’s scheme are given as the field elements $e(P,P)^{a_i} \in K^s$, $0 \le i \le t-1$, where the $a_i$ are the coefficients of the secret polynomial $f(x)$ used for the construction of the shares. These commitments are published by the trusted third party after the system setup. Using these commitments, every participant can determine for any $\lambda \in K$ the value

$$ e(P,P)^{f(\lambda)} = \prod_{i=0}^{t-1} \left( e(P,P)^{a_i} \right)^{\lambda^i} . \qquad (2) $$

Therefore, the $j$-th participant can determine $e(P,P)^{f(x_j)}$ in two ways: either with (2), or by using his private share $f(x_j) \cdot P$ and a pairing computation. If both values should be different, then either his private share was wrong, or the trusted third party cheated with the publication of the values $e(P,P)^{a_i}$.
Lemma 1. If the two results are equal and the trusted third party did not cheat, then the private share of the $j$-th participant really equals $f(x_j) \cdot P$.

Proof: Assume that the share of the $j$-th participant is incorrect, i.e. he receives a point $\lambda \cdot P$ for some integer $\lambda \ne f(x_j)$, but nevertheless the test above succeeds. Then $e(P,P)^{f(x_j)} = e(P,P)^{\lambda}$, or equivalently, $e(P,P)^{f(x_j) - \lambda} = 1$. So $f(x_j) \equiv \lambda \bmod \mathrm{ord}(P)$, and $\lambda \cdot P = f(x_j) \cdot P$, a contradiction.
With (2), it is obvious that everybody can determine $e(P,P)^{f(\lambda)}$ for every integer $0 \le \lambda < q$. The pairing inversion problem is defined as the problem to compute for a given value $e(P,H)$ a suitable point $H$. If the pairing inversion problem were easy, then it would also be easy to determine individual shares for non-legitimate users: just determine the field element $e(P,P)^{f(x_j)}$ with (2) and solve the corresponding pairing inversion problem. This would break the complete EC threshold scheme. However, pairing inversion seems in general to be hard (Galbraith et al., 2008).

Therefore, practical parameters for the EC threshold scheme should be chosen such that no “simple” algorithm for the pairing inversion problem is known for the used elliptic curve.
3.2 Distributing the Global Secret to All Other Participants

The protocol presented in the last section was started by some dedicated participant. That participant needed the help of at least $t-1$ other participants to determine the point $f(0) \cdot P$ and so open the global secret $m$. A disadvantage of this protocol is the fact that only one out of the $t$ involved participants finally knows $m$. Using the commitments defined above, the dedicated participant can announce the point $f(0) \cdot P$ to all other participants, of course encrypted with the individual secret EC keys of the other participants. Any participant can then use the commitments to determine the value $e(P,P)^{f(0)}$ using (2) and a pairing computation with the received point, such that he can verify the correctness of the information he received from the dedicated first participant. Of course, knowledge of the point $f(0) \cdot P$ is also sufficient to determine the global secret. Note that directly sending an encrypted version of $m$ to all other participants does not give them the possibility to verify the correctness of $m$.
3.3 Verifying Intermediate Results

We can extend the verifiability described in the last section such that even the validity of all intermediate results can be verified. In this variant, a cheating participant (i.e. a participant that does not apply his own private share) can be determined. We extend the protocol given in Section 2 such that every participant publishes his own commitment to his contribution. Remember that the $j$-th participant in the protocol forwards the point

$$ R_j = H - \sum_{i=1}^{j} \frac{\omega(0)}{x_i \cdot \omega'(x_i)} \cdot (f(x_i) \cdot P) $$

to the next participant. The commitments of the participants are then given as follows: the initial participant publishes his commitments $e(P,H)$ and $e(P,R_1)$, whereas all other participants add their own commitments as $e(P,R_j)$.

Using these participant commitments, it is easy to check the validity of each intermediate result:

$$ e(P,R_j) = e(P,H) \cdot \prod_{i=1}^{j} \left( e(P,P)^{f(x_i)} \right)^{-\omega(0)/(x_i \cdot \omega'(x_i))} . $$
Since the dedicated participant that starts the protocol
is interested in obtaining the global secret, he should
have no interest in cheating, and we assume that he is
honest.
Theorem 2. If the first participant is honest, then the identity of any cheating participant can be determined from the participant commitments.

Proof: During the protocol, every participant compares the pairing value determined with the input point he received from the previous participant with that participant’s commitment. If both pairing values do not match, then obviously that participant was cheating, and the protocol exits with error. Note also that

$$ e(P,R_j) = e(P,R_{j-1}) \cdot \left( e(P,P)^{f(x_j)} \right)^{-\omega(0)/(x_j \cdot \omega'(x_j))} , \qquad (3) $$

such that the correctness of the $j$-th commitment depends directly on the correctness of the previous commitment (note that the second term in the product can be computed using the trusted third party’s commitments). Therefore, the commitment of the first participant can be used to successively verify the correctness of all other participants’ commitments such that a cheating participant $j$ must publish his correct commitment $e(P,R_j)$. Assume that he cheats by forwarding a wrong intermediate point $\tilde{R}_j \ne R_j$ to the next participant. Since $e(P,\tilde{R}_j) = e(P,R_j)$ implies $e(P, \tilde{R}_j - R_j) = 1$ or $\tilde{R}_j = R_j$ (note that the group of points is cyclic), this will be detected by participant $j+1$ when he compares the two possibilities for $e(P,R_j)$ determined with (3) and with a pairing computation based on his two input points $P$ and $\tilde{R}_j$.
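A worked model of the three verification variants of this section (the Feldman-style share check (2) of Section 3.1, the announcement check of Section 3.2 and the intermediate-result check (3) of Section 3.3), added here as an example that is not the paper's own code. To stay self-contained it does not implement the Weil or Tate pairing: the cyclic group $\langle P \rangle$ of prime order $N$ is modelled by $\mathbb{Z}_N$ with $P = 1$ (a point $a \cdot P$ is the scalar $a$), and the pairing by $e(a \cdot P, b \cdot P) = g^{ab}$ in the order-$N$ subgroup of $\mathbb{F}_{191}^*$, which is bilinear, symmetric and non-degenerate as the paper requires. Discrete logarithms are trivial at this size, so only the verification algebra is instructive. The values $N = 19$ and $p = 191$, the function names and the modelled cheating behaviour (a participant forwarding $\tilde{R}_j \ne R_j$ after publishing the correct commitment) are the example's constructed assumptions.

```python
# Toy model of the pairing-based verification of Section 3 (constructed example, not the
# paper's code).  The cyclic point group <P> of prime order N is modelled by Z_N with P = 1,
# and the Weil/Tate pairing into K^s by e(a*P, b*P) = g^(a*b) in the order-N subgroup of
# F_191^*.  Only equations (2) and (3) and the cheater detection are meant to be instructive.
import math
import secrets

N = 19     # ord(P), prime (toy value)
PT = 191   # target field: 191 = 10*19 + 1, so F_191^* has a subgroup of order 19
GT = next(g for g in (pow(h, (PT - 1) // N, PT) for h in range(2, PT)) if g != 1)  # e(P,P)

def inv(a, m):
    return pow(a % m, -1, m)

def pair(a_point, b_point):
    """Toy bilinear map e(a*P, b*P) = e(P,P)^(ab); points are scalars mod N."""
    return pow(GT, a_point * b_point % N, PT)

def weight(xi, xs):
    """omega(0)/(x_i*omega'(x_i)) mod N, written as -L_i(0) = -prod_{j!=i} x_j/(x_j - x_i)."""
    return -math.prod(xj * inv(xj - xi, N) for xj in xs if xj != xi) % N

def dealer_setup(n, t, rng=secrets.randbelow):
    """Random f of degree t-1 over Z_N; shares f(x_i)*P (scalars in this model) and the
    Feldman commitments e(P,P)^{a_i} that the trusted third party publishes."""
    coeffs = [rng(N) for _ in range(t)]
    f = lambda x: sum(a * pow(x, i, N) for i, a in enumerate(coeffs)) % N
    return {x: f(x) for x in range(1, n + 1)}, [pow(GT, a, PT) for a in coeffs]

def commitment_at(commits, lam):
    """Equation (2): e(P,P)^{f(lam)} = prod_i (e(P,P)^{a_i})^{lam^i}, from public data only."""
    v = 1
    for i, c in enumerate(commits):
        v = v * pow(c, pow(lam, i, N), PT) % PT
    return v

def verify_share(x, share_point, commits):
    """Lemma 1 check run by participant j: (2) at x_j against a pairing with his own share.
    With x = 0 this is also the Section 3.2 check of an announced point f(0)*P."""
    return commitment_at(commits, x) == pair(1, share_point)

def run_protocol(shares, subset, commits, cheater=None, rng=secrets.randbelow):
    """Section 3.3: chained opening in which every participant checks the point received from
    its predecessor against that predecessor's commitment, recomputed with (3) from the trusted
    third party's commitments.  Returns (f(0)*P, None), or (None, x_j) naming the cheater."""
    H = rng(N)
    expected = pair(1, H)                         # e(P,H), published by the initiator
    R = H
    for k, xi in enumerate(subset):
        if pair(1, R) != expected:                # received point vs. predecessor's commitment
            return None, subset[k - 1]
        w = weight(xi, subset)
        R = (R - w * shares[xi]) % N              # honest R_j = R_{j-1} - w_j * f(x_j)*P
        # (3): e(P,R_j) = e(P,R_{j-1}) * (e(P,P)^{f(x_j)})^{-w_j}; a cheater must still publish this
        expected = expected * pow(commitment_at(commits, xi), -w % N, PT) % PT
        if xi == cheater:
            R = (R + 1) % N                       # forwards a wrong point R~_j != R_j
    if pair(1, R) != expected:                    # the initiator checks the last point
        return None, subset[-1]
    return (R - H) % N, None
```

Because every participant can recompute each $e(P,R_j)$ from the first participant's $e(P,H)$ and the dealer's commitments alone, a participant who forwards a point that does not match the commitment chain is caught by the very next participant, which is the content of Theorem 2.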
4 CONCLUSIONS
In this short note we have presented a simple general-
ization of Shamir’s (n,t)-threshold scheme based on
elliptic curves and three variants of it that use bilinear
maps. This EC threshold scheme needs no additional
secret keys, since it reuses existing public and secret
ECC keys. It can therefore be directly used with ex-
isting EC security devices.
REFERENCES
Baek, J. and Zheng, Y. (2004). Identity-based threshold decryption. In PKC 2004, LNCS 2947, pages 262–276.
Certicom (2000). Standards for efficient cryptography, SEC 1: Elliptic curve cryptography, available at http://www.secg.org/download/aid-385/sec1_final.pdf.
CL (2008). The pairing-based crypto lounge, website at http://paginas.terra.com.br/informatica/paulobarreto/pblounge.html.
Feldman, P. (1987). A practical scheme for non-interactive verifiable secret sharing. In IEEE Symposium on Foundations of Computer Science, pages 427–437.
Galbraith, S., Harrison, K., and Soldera, D. (2002). Implementing the Tate pairing. In Algorithmic Number Theory Symposium ANTS-V, Lecture Notes in Computer Science, volume 2369, pages 324–337. Springer.
Galbraith, S., Hess, F., and Vercauteren, F. (2008). Aspects of pairing inversion. Technical report, Katholieke Universiteit Leuven, available at http://homes.esat.kuleuven.be/fvercaut/.
Hankerson, D., Menezes, A., and Vanstone, S. (2004). Guide to Elliptic Curve Cryptography. Springer.
Koblitz, N. (1987). Elliptic curve cryptosystems. In Mathematics of Computation, volume 48, pages 203–209.
Liu, S., Chen, K., and Qiu, W. (2007). Identity-based threshold decryption revisited. In ISPEC 2007, LNCS 4464, pages 329–343.
Menezes, A., Oorschot, P., and Vanstone, S. (1997). Handbook of Applied Cryptography. CRC Press.
Shamir, A. (1979). How to share a secret. In Communications of the ACM, volume 22, pages 612–613.
Stoer, J. and Bulirsch, R. (1991). Introduction to Numerical Analysis. Springer.