INTERACTIVE SECRET SHARE MANAGEMENT
Constantin Catalin Dragan
Department of Computing, "Al.I.Cuza" University, Iasi, Romania
Keywords: Secret-sharing scheme, Management, Compartment schemes.
Abstract: In this paper, we have proposed a method for the management of a compartmented secret sharing scheme that allows the increase of the global threshold without modifying the existent shares of the participants. We have considered the Trusted Authority the central point of the scheme as a management unit: it creates the shares, in a RSA manner, and distributes them, rebuilds the secret $S$, and allows the registration of new participants without modifying the existing shares.
1 INTRODUCTION
A secret sharing scheme (Menezes et al., 1998; Iftene, 2007) starts with a secret and then derives from it certain shares which are distributed to participants. The secret may be recovered only by certain predetermined sets which belong to the access structure (Ito et al., 1987). Secret sharing schemes have been independently introduced by Blakley (Blakley et al., 1993) and Shamir (Shamir, 1979) as a solution for safeguarding cryptographic keys. In the first secret sharing schemes only the number of participants in the reconstruction phase mattered for recovering the secret (threshold secret sharing schemes (Blakley et al., 1993; Shamir, 1979)). A class of schemes that deals with more complex access structures is that of compartmented secret sharing schemes (Simmons, 1990; Ghodosi et al., 1998), in which the set of participants is partitioned into compartments and the secret can be recovered if and only if the number of participants from every compartment is greater than or equal to that compartment's threshold and the total number of participants is greater than or equal to a global threshold. In this paper, we propose a method for the management of compartmented secret sharing schemes that allows the global threshold to be increased without modifying the existing shares of the participants or the compartment thresholds. Moreover, the method is compatible with non-disjoint compartments.
2 INTERACTIVE SECRET SHARE MANAGEMENT
The scheme we are suggesting in the following paragraphs deals with the subsecrets shared by an arbitrary secret sharing scheme. If $(a_1, \ldots, a_k)$ are all the shares that need to be used to rebuild the secret $S$, then we are interested in the methods used for the distribution of these k subsecrets to m participants. Each participant has the possibility to rebuild one or more subsecrets. The trusted authority coordinates every aspect of the scheme. It creates the shares and gives them to the participants, encrypted in an RSA manner (Shamir, 1978). Furthermore, it also coordinates the reconstruction phase: it gathers the participants, communicates with them to establish their identity and receive their shares, and rebuilds the secret $S$. In the end, it checks the correctness of the secret $S$ using a method of proof.
2.1 Scheme Settings
Participants. In order to set up the scheme let us assume that there are m participants $A_1, \ldots, A_m$. Assume that the participants are divided into small groups (compartments) $G_1, \ldots, G_l$, with $G_i \cap G_j = \emptyset$ for any $i \neq j$. For any compartment $G_i$ a non-empty subset of positions $P_i \subseteq \{1, \ldots, k\}$ is given.
Choosing the Secret. The trusted authority (TA) will choose a k-coordinate secret $S = (a_1, \ldots, a_k)$, where each coordinate $a_i$ is a large number and $k \le m$.
Catalin Dragan C. (2009). INTERACTIVE SECRET SHARE MANAGEMENT. In Proceedings of the International Conference on Security and Cryptography, pages 266-269. DOI: 10.5220/0002226702660269. Copyright (c) SciTePress.

Sharing the Secret. A participant $A \in G_i$ is allowed to recover any subsecret $a_j$, $j \in P_i$. In order to do that the TA computes the polynomial $f_A$,

$f_A(x) = \sum_{j \in P_i} c_j\, a_j \prod_{r \neq j,\, r \in P_i} (x - r),$  (1)

where $c_j$ is a coefficient given by

$c_j = \frac{1}{\prod_{r \neq j,\, r \in P_i} (j - r)},$  (2)

so that $f_A(j) = a_j$ for every $j \in P_i$. The polynomial $f_A$ can also be written as $f_A(x) = x^{t-1} b_{t-1} + \ldots + x b_1 + b_0$, where $t = |P_i|$. The coefficients of this polynomial are distributed in a "blind" way to participants. To do that, TA follows the next steps:
- chooses two large prime numbers p and q with $p \neq q$ and computes $n = pq$;
- chooses $e \in \mathbb{Z}_{\phi(n)}$ with $\gcd(e, \phi(n)) = 1$, so that $e^{-1} \bmod \phi(n)$ exists;
- encrypts each coefficient $b_j$ by e, $d_j = b_j^{e} \bmod n$, for all $0 \le j < t$;
- distributes the vector $(d_{t-1}, \ldots, d_0)$ to A by a secure channel.
The TA has to keep in a safe place only k, p, q and e.
Secret Recovery. In order to recover the secret $S$, k distinct participants are needed. Each of them should provide a share of the secret. Let us assume that the participants are $A_{i_1}, \ldots, A_{i_k}$ with $i_s \neq i_r$ for any $s \neq r$. Assume that $r \in P_{i_r}$ for any $1 \le r \le k$. That is, we assume that $A_{i_r}$ can deliver the share $a_r$. In fact, this share is delivered by means of the vector $(d_{t-1}, \ldots, d_0)$. This vector is then processed by TA as follows:
- compute $e^{-1} \bmod \phi(n)$;
- decrypt $b_j = d_j^{e^{-1}} \bmod n$;
- compute $f_{A_{i_r}}(r) = a_r$.
Correctness. The correctness of this scheme easily follows from the description above. The pair $(e, e^{-1})$ is an RSA asymmetric key and, in our scheme, no element of this pair is public.
Security of the Scheme. First, we remark that no participant A can recover the coefficients of $f_A$ because these coefficients are encrypted in an RSA manner. If two or more participants try to put together their secret information, they cannot mount any attack on the encrypted polynomial coefficients $(d_{t-1}, \ldots, d_0)$ more dangerous than any known-cryptotext attack against RSA (Simmons, 1983; DeLaurentis, 1984). Therefore, we may say that the security of this scheme relies on the security of RSA (Simmons, 1983; DeLaurentis, 1984).
When secret recovery is needed, TA should make sure that the participants are distinct and each participant is able to deliver a share according to $P_i$. For this, each participant A should have a certificate

$c(A) = (ID(A), P, Info, sig_{TA}(ID(A), P, Info))$  (3)

consisting of A's identity ID(A), A's compartment P, additional information Info, and TA's signature on these, $sig_{TA}(ID(A), P, Info)$. The TA checks the certificate and, if it is valid, chooses $j \in P$ and computes $f_A(j)$.
Correctness Proof for Recovery. TA should not keep the secret $S = (a_1, \ldots, a_k)$, but at the same time it should be able to make sure that at every recovery it obtains the same secret $S$. This can be done by using some method of proof such as:

$Proof = (\alpha_1^{a_1} + \ldots + \alpha_k^{a_k}) \bmod n;$  (4)

$Proof = hash(a_1, \ldots, a_k);$  (5)

where $\alpha_i$ could be a distinct prime number or a primitive root, for any $1 \le i \le k$. At every recovery, TA computes a new Proof using the secret it has just obtained and compares it to the Proof located in a safe place on TA. If they are equal, then it has obtained the correct secret.
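The sharing, recovery and proof steps of Section 2.1, as an added worked example in Python; this is not code from the paper. It assumes that the interpolation of equations (1)-(2) is carried out modulo a prime FIELD (the paper does not fix the arithmetic domain), that the RSA primes are constructed Mersenne primes far too small for real use, and that the proof of equation (5) is SHA-256 over the decimal coordinates; the class and function names are the example's own.

```python
import hashlib
from math import gcd

# Constructed demo parameters, not taken from the paper. Interpolation is done
# modulo the prime FIELD so that the coefficients b_j are integers smaller than
# the RSA modulus n; the Mersenne primes below are for illustration only.
FIELD = 2_147_483_647             # 2^31 - 1 (prime); every subsecret a_j < FIELD
RSA_P, RSA_Q = 2**61 - 1, 2**89 - 1   # p != q, n = pq > FIELD
RSA_E = 65_537


def poly_mul(a, b, mod):
    """Multiply two polynomials given as coefficient lists (lowest degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % mod
    return out


def interpolate(points, mod):
    """Equations (1)-(2): coefficients b_0..b_{t-1} of f with f(j) = a_j for each (j, a_j)."""
    coeffs = [0] * len(points)
    for j, a_j in points.items():
        denom, basis = 1, [1]          # basis = prod_{r != j} (x - r)
        for r in points:
            if r != j:
                denom = denom * (j - r) % mod
                basis = poly_mul(basis, [(-r) % mod, 1], mod)
        c_j = pow(denom, -1, mod)      # c_j = 1 / prod_{r != j} (j - r), equation (2)
        for deg, coef in enumerate(basis):
            coeffs[deg] = (coeffs[deg] + a_j * c_j * coef) % mod
    return coeffs


def poly_eval(coeffs, x, mod):
    """Horner evaluation of b_0 + b_1 x + ... + b_{t-1} x^{t-1}."""
    result = 0
    for coef in reversed(coeffs):
        result = (result * x + coef) % mod
    return result


def proof_of(secret):
    """Equation (5): Proof = hash(a_1, ..., a_k), here SHA-256 over the decimal coordinates."""
    return hashlib.sha256(",".join(str(a) for a in secret).encode()).hexdigest()


class TrustedAuthority:
    """Holds only k, p, q, e and the Proof; the secret itself is never stored."""

    def __init__(self, k, proof):
        self.k, self.proof = k, proof
        self.p, self.q, self.e = RSA_P, RSA_Q, RSA_E
        self.n = self.p * self.q
        self.phi = (self.p - 1) * (self.q - 1)
        if gcd(self.e, self.phi) != 1 or self.n <= FIELD:
            raise ValueError("demo parameters must give an invertible e and n > FIELD")

    def share(self, secret, positions):
        """Sharing the Secret: f_A interpolates a_j at j in P_i; its coefficients are RSA-blinded."""
        points = {j: secret[j - 1] for j in positions}
        b = interpolate(points, FIELD)                     # b_0 .. b_{t-1}
        return [pow(b_j, self.e, self.n) for b_j in b]     # d_j = b_j^e mod n, lowest degree first

    def recover_subsecret(self, d, r):
        """Secret Recovery: unblind with e^{-1} mod phi(n), then evaluate f_A at position r."""
        e_inv = pow(self.e, -1, self.phi)
        b = [pow(d_j, e_inv, self.n) for d_j in d]         # b_j = d_j^{e^{-1}} mod n
        return poly_eval(b, r, FIELD)

    def verify(self, recovered):
        """Correctness Proof for Recovery: compare hash(a_1, ..., a_k) with the stored Proof."""
        return proof_of(recovered) == self.proof


def demo():
    """Constructed run: k = 4 subsecrets, participant A in a compartment with P_i = {1, 3}."""
    secret = [123456789, 987654321, 55555, 42]         # constructed S = (a_1, ..., a_4)
    ta = TrustedAuthority(k=4, proof=proof_of(secret))
    d_A = ta.share(secret, positions={1, 3})           # blinded vector handed to A
    a_1 = ta.recover_subsecret(d_A, 1)
    a_3 = ta.recover_subsecret(d_A, 3)
    # a_2 and a_4 would come from other participants; taken from the secret here
    return a_1, a_3, ta.verify([a_1, secret[1], a_3, secret[3]])


if __name__ == "__main__":
    print(demo())
```

A participant holding `d_A` cannot evaluate $f_A$ without $e^{-1}$, which only the TA object derives from its stored p, q and e; the TA in turn never keeps the coordinates of S, only the Proof used by `verify`.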
2.2 Secret Share Management
In compartment schemes, the set of participants is partitioned into compartments (groups): $G_1, \ldots, G_l$. Besides a global threshold k, a threshold $k_i$ is assigned to the i-th group, for all $1 \le i \le l$. Most of the secret sharing schemes (Simmons, 1990; Ghodosi et al., 1998) that use compartments consider the more general case of disjoint compartments.
For an arbitrary scheme we will point out the differences between a participant that belongs to only one group and one that can be in more than one group. Moreover, a method of modifying a classic scheme with the intent of raising the scheme's threshold without modifying the existing shares of the participants is presented.
2.2.1 A Participant can only be in One Group
In this case, all participants in the same group $G_i$ share the same subsecrets $a_j$ with $j \in P_i$. The difference between participants of the same group is made by certificates.
The registration of a new participant in a group $G_i$ requires only the presence of one older participant. The older participant sends its share to TA, which validates it. Then TA gives it to the new participant along with a new certificate.
2.2.2 A Participant can be in more than One Group
A participant A that is a member of the groups $G_1, \ldots, G_\alpha$ has access to all the subsecrets in each group; therefore,

$f_A(x) = \sum_{j \in P} c_j\, a_j \prod_{r \neq j,\, r \in P} (x - r),$  (6)

where $P = P_1 \cup \ldots \cup P_\alpha$ and $c_j$ is a coefficient given by

$c_j = \frac{1}{\prod_{r \neq j,\, r \in P} (j - r)}.$  (7)

Participants that are members of the same groups are distinguished by their certificate.
The registration of a new participant to groups $G_1, \ldots, G_\alpha$ requires the presence of at least one participant from each group, in order to be able to form the new share. The new participant would also receive a new certificate from TA.
The recovery of the secret must start after the registration of all participants. Because one participant A can be in multiple groups $G_1, \ldots, G_\alpha$, it could be used to return the subsecret to any of its groups. That is why TA has to determine where the participant is needed first. TA should receive a set of participants and, before starting to compute the secret, it has to make sure of the following things:
- the number of participants is greater than or equal to the sum of the group thresholds;
- the number of participants that can occupy one group is greater than or equal to its threshold.
If at least one of the two conditions is invalid, TA cannot rebuild the secret $S$, because no matter how it distributes the participants into groups, there will always be groups with fewer participants than their threshold.
Otherwise, TA should distribute the participants to each group. It could use backtracking and, for a group $G_i$, it should first put the participants that belong to only that group, then the participants corresponding to multiple groups. If the number of participants in each group is greater than or equal to the group's threshold, the algorithm will return "Success", otherwise "Fail".
Example. Let us consider $m = 14$, $k = 6$, $l = 3$, $k_1 = 3$, $k_2 = 2$, and $k_3 = 1$ and the set of participants $A = \{A_1, \ldots, A_6\}$, where $A_1 \in G_1 \cap G_2$, $A_2 \in G_2 \cap G_3$, $A_3 \in G_1$, $A_4 \in G_1$, $A_5 \in G_1$, $A_6 \in G_1$.
The evaluation of the conditions: the conditions are true
- for $G_1$ we have $\{A_1, A_2, A_4, A_5, A_6\}$ and $5 \ge 2$;
- for $G_2$ we have $\{A_1, A_2\}$ and $2 = 2$;
- for $G_3$ we have $\{A_2\}$ and $1 = 1$.
The algorithm returns: the participants distributed in groups
- for $G_1$ we have $\{A_3, A_4, A_5\}$;
- for $G_2$ we have $\{A_1, A_2\}$;
- for $G_3$ we have $\emptyset$;
- $A_6$ not used.
"Fail".
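The two pre-checks and the backtracking distribution of Section 2.2.2, as an added Python example that is not part of the paper. The participant and group names follow the Example above and membership is taken directly from the stated list ($A_1 \in G_1 \cap G_2$, and so on); the ordering of candidates (single-group participants first) is the one the text suggests, and the function names are the example's own. Because each participant can fill at most one group slot, the run also shows that the two conditions are necessary but not sufficient: the paper's Example passes both checks yet ends in "Fail", while a constructed variant in which $A_6$ also belongs to $G_3$ succeeds.

```python
from itertools import combinations


def check_conditions(members, thresholds):
    """The two things TA verifies before distributing participants.

    members:    participant -> set of groups it belongs to
    thresholds: group -> k_i
    """
    if len(members) < sum(thresholds.values()):
        return False                        # fewer participants than slots to fill
    for g, k_g in thresholds.items():
        eligible = sum(1 for groups in members.values() if g in groups)
        if eligible < k_g:
            return False                    # group g can never reach its threshold
    return True


def distribute(members, thresholds):
    """Backtracking assignment: each participant fills at most one group slot.

    Returns ("Success", assignment) with exactly k_i participants per group,
    or ("Fail", {}) when no assignment satisfies every threshold.
    """
    if not check_conditions(members, thresholds):
        return "Fail", {}
    groups = list(thresholds)
    assignment = {g: [] for g in groups}
    used = set()

    def fill(idx):
        if idx == len(groups):
            return True
        g = groups[idx]
        # unused members of g, participants belonging to only one group first
        candidates = sorted(
            (p for p, gs in members.items() if g in gs and p not in used),
            key=lambda p: len(members[p]),
        )
        for chosen in combinations(candidates, thresholds[g]):
            assignment[g] = list(chosen)
            used.update(chosen)
            if fill(idx + 1):
                return True
            used.difference_update(chosen)  # backtrack and try the next combination
            assignment[g] = []
        return False

    return ("Success", assignment) if fill(0) else ("Fail", {})


# Constructed inputs reproducing the paper's Example (k_1 = 3, k_2 = 2, k_3 = 1).
PAPER_EXAMPLE = {
    "A1": {"G1", "G2"}, "A2": {"G2", "G3"},
    "A3": {"G1"}, "A4": {"G1"}, "A5": {"G1"}, "A6": {"G1"},
}
THRESHOLDS = {"G1": 3, "G2": 2, "G3": 1}

# Constructed variant: A6 is also a member of G3, which removes the G2/G3 conflict.
VARIANT = dict(PAPER_EXAMPLE, A6={"G1", "G3"})

if __name__ == "__main__":
    print(check_conditions(PAPER_EXAMPLE, THRESHOLDS), distribute(PAPER_EXAMPLE, THRESHOLDS))
    print(distribute(VARIANT, THRESHOLDS))
```

In the paper's Example the only members of $G_2 \cup G_3$ are $A_1$ and $A_2$, so the three slots of $G_2$ and $G_3$ can never all be filled no matter how $G_1$ is chosen; the backtracking search exhausts every combination and reports "Fail", which is the outcome the paper gives.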
2.2.3 The Scheme's Threshold is Greater than the Sum of the Group Thresholds
The previous paragraphs have discussed the best-known case of compartment schemes, where the scheme threshold equals the sum of the group thresholds, $k = \sum_{i=1}^{l} k_i$.
For $k > \sum_{i=1}^{l} k_i$ the information the participants offer is not enough, because TA still needs α subsecrets to form the secret $S$, where $\alpha = k - \sum_{i=1}^{l} k_i$. There is no major difference between the cases $G_i \cap G_j = \emptyset$ and $G_i \cap G_j \neq \emptyset$; we will present the same solution for both of them.
The simplest way is for TA to just keep $(a_{k-\alpha+1}, \ldots, a_k)$ stored in a safe place, but that is not fair and contradicts the security of TA. So we propose a set of functions, stored on TA, that receive as input some subsecrets from $(a_1, \ldots, a_{k-\alpha})$ and return $(a_{k-\alpha+1}, \ldots, a_k)$. That way TA has access to $(a_{k-\alpha+1}, \ldots, a_k)$ only at the moment of reconstruction (after the entry of the participants).
2.2.4 The Number of Needed Subsecrets is less than or equal to the Number of Groups ($\alpha \le l$)
Each group $G_i$ is assigned a function that receives as input the subset of subsecrets its participants generated, $(a^{(i)}_1, \ldots, a^{(i)}_{k_i})$, and gives as output one of the needed subsecrets, $a_{k-\alpha+i}$. One example of such a function could be

$f_{G_i}(x_1, \ldots, x_{k_i}) = a_{k-\alpha+i} - (a^{(i)}_1 + \ldots + a^{(i)}_{k_i}) + (x_1 + \ldots + x_{k_i}).$

In the end the groups would have obtained $(a_{k-\alpha+1}, \ldots, a_{k-\alpha+l})$. To simplify, only the first α groups would return the subsecrets needed and the rest would return 0.
2.2.5 The Number of Needed Subsecrets is Greater than the Number of Groups ($\alpha > l$)
We will assume that $\alpha \le 2l$. Similarly to the previous case ($\alpha \le l$) we attribute a function $f_{G_i}$ to each group $G_i$, $1 \le i \le l$. The rest of the subsecrets needed, $(a_{k-\alpha+l+1}, \ldots, a_k)$, could be obtained from TA through the use of a function F similar to the one used by the participants:

$F(x) = \sum_{j=1}^{\alpha-l} \left( \prod_{i=1,\, i \neq j}^{l} \frac{x - a_{k-\alpha+i}}{a_{k-\alpha+j} - a_{k-\alpha+i}} \right) a_{k-\alpha+l+j}.$

The function F receives as input $a_{k-\alpha+i}$ and gives as output $a_{k-\alpha+l+i}$, where $1 \le i \le (\alpha - l)$.
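The TA-side functions of Sections 2.2.3 to 2.2.5, as an added Python example that is not from the paper: `make_group_function` builds the sample $f_{G_i}$ of Section 2.2.4, `make_F` evaluates F exactly with rational arithmetic, and `ta_setup` / `ta_reconstruct` are helper names assumed for the demo that tie the two cases ($\alpha \le l$ and $l < \alpha \le 2l$) together on constructed secrets.

```python
from fractions import Fraction


def make_group_function(group_subsecrets, target):
    """Section 2.2.4: f_{G_i}(x_1..x_{k_i}) = a_{k-alpha+i} - (a^(i)_1 + ... + a^(i)_{k_i}) + (x_1 + ... + x_{k_i}).

    Only the constant a_{k-alpha+i} - sum(a^(i)) is retained; the target comes out
    only when the group's participants supply their own subsecrets as x_1..x_{k_i}.
    """
    constant = target - sum(group_subsecrets)
    return lambda *xs: constant + sum(xs)


def make_F(nodes, values):
    """Section 2.2.5: F(x) = sum_{j=1}^{alpha-l} prod_{i=1, i!=j}^{l} (x - a_{k-alpha+i}) / (a_{k-alpha+j} - a_{k-alpha+i}) * a_{k-alpha+l+j}.

    nodes  = (a_{k-alpha+1}, ..., a_{k-alpha+l}), length l
    values = (a_{k-alpha+l+1}, ..., a_k),         length alpha - l
    """
    def F(x):
        total = Fraction(0)
        for j, y in enumerate(values):
            term = Fraction(y)
            for i, node in enumerate(nodes):
                if i != j:
                    term *= Fraction(x - node, nodes[j] - node)
            total += term
        return total
    return F


def ta_setup(secret, group_sizes):
    """Build what TA stores: one f_{G_i} per group and, when alpha > l, the function F."""
    k, l = len(secret), len(group_sizes)
    alpha = k - sum(group_sizes)              # alpha = k - sum_i k_i
    if not 0 < alpha <= 2 * l:
        raise ValueError("needs sum(k_i) < k <= sum(k_i) + 2l")
    group_funcs, start = [], 0
    for i, size in enumerate(group_sizes):
        part = secret[start:start + size]     # (a^(i)_1, ..., a^(i)_{k_i})
        start += size
        # only the first alpha groups return a needed subsecret, the rest return 0
        target = secret[k - alpha + i] if i < alpha else 0
        group_funcs.append(make_group_function(part, target))
    F = None
    if alpha > l:
        F = make_F(secret[k - alpha:k - alpha + l], secret[k - alpha + l:k])
    return {"k": k, "l": l, "alpha": alpha, "group_funcs": group_funcs, "F": F}


def ta_reconstruct(state, group_inputs):
    """Rebuild S from the participants' subsecrets (one list per group) and the stored functions."""
    alpha, l = state["alpha"], state["l"]
    derived = [f(*xs) for f, xs in zip(state["group_funcs"], group_inputs)]
    needed = derived[:min(alpha, l)]         # (a_{k-alpha+1}, ..., a_{k-alpha+min(alpha,l)})
    if state["F"] is not None:
        extra = [state["F"](a) for a in derived[:alpha - l]]   # a_{k-alpha+i} -> a_{k-alpha+l+i}
        needed += [int(v) for v in extra]                       # F returns exact Fractions
    return [a for xs in group_inputs for a in xs] + needed


# Constructed secrets; participants provide the first sum(k_i) coordinates.
SECRET_BIG = [11, 22, 33, 44, 55, 66]    # k = 6, group sizes (2, 1): alpha = 3 > l = 2
SECRET_SMALL = [11, 22, 33, 44, 55]      # k = 5, group sizes (2, 1, 1): alpha = 1 <= l = 3


def demo():
    big = ta_reconstruct(ta_setup(SECRET_BIG, [2, 1]), [[11, 22], [33]])
    small = ta_reconstruct(ta_setup(SECRET_SMALL, [2, 1, 1]), [[11, 22], [33], [44]])
    return big, small


if __name__ == "__main__":
    print(demo())
```

For readability the closure returned by `make_F` keeps the nodes and values themselves; the paper intends F to be stored like $f_A$, as a polynomial the TA evaluates, which is the form `ta_setup` should use if the stored state is meant to reveal nothing before the participants' subsecrets arrive.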
2.3 Hardware Implementation
We can implement our scheme with tamper-resistant card-reader devices and smart-cards.
The card-reader, which is a device associated to TA, should be capable of performing computations, because it should recover the secret $S$. The device has a rewritable permanent memory that stores k, p, q, e, a list of certificates $\{c(A_1), \ldots, c(A_m)\}$, and a list of groups with their corresponding positions and thresholds $\{(G_1, P_1, k_1), \ldots, (G_l, P_l, k_l)\}$.
The card-reader should be capable of:
- registering a participant. The card reader checks the participant's certificate against the list of allowed participants and does the following:
  - if the certificate is invalid, the card reader rejects the participant;
  - if the participant is already registered in the current reconstruction of the secret, the card reader rejects the participant;
  - otherwise, it registers the participant;
- for each group $G_i$, computing its secret $g_i = (a^{(i)}_1, \ldots, a^{(i)}_{k_i})$, where $1 \le i \le l$;
- after obtaining all the subsets $g_i$, concatenating them to form one set, the secret $S = g_1 || \ldots || g_l$, where || is the operation of concatenation.
After obtaining the secret it first checks its correctness by using the proof. If the result is correct it discards any information related to the secret rebuilding.
The smart card is attributed to the participant and has stored on it all the relevant information (the shares $d_A(x)$ and the certificate c(A)). It is able to communicate with the card-reader by carrying out a process of identification. It sends the information, when needed, to the card reader and awaits the result, the secret $S$.
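The certificate of equation (3) and the card-reader registration rules of Section 2.3, as an added Python example that is not from the paper. It assumes an HMAC-SHA256 tag under a TA-held key in place of $sig_{TA}$ (only TA's own device verifies certificates here, so a keyed MAC performs the same check), the membership rule "A belongs to $G_i$ when $P_i \subseteq P$", and the helper names `ready`, `finish` and `proof_of`, none of which appear in the paper.

```python
import hashlib
import hmac
import json

TA_KEY = b"constructed-demo-key-not-for-real-use"   # stands in for the TA signing key


def _body(ident, positions, info):
    """Canonical encoding of (ID(A), P, Info) so issuer and verifier MAC identical bytes."""
    return json.dumps([ident, sorted(positions), info], separators=(",", ":")).encode()


def issue_certificate(ident, positions, info):
    """Equation (3): c(A) = (ID(A), P, Info, sig_TA(ID(A), P, Info)); HMAC stands in for sig_TA."""
    tag = hmac.new(TA_KEY, _body(ident, positions, info), hashlib.sha256).hexdigest()
    return {"id": ident, "P": sorted(positions), "info": info, "sig": tag}


def verify_certificate(cert):
    """Recompute the tag over the certificate fields and compare in constant time."""
    expected = hmac.new(TA_KEY, _body(cert["id"], cert["P"], cert["info"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def proof_of(values):
    """Equation (5) as used by the card-reader: hash(a_1, ..., a_k) with SHA-256 (demo choice)."""
    return hashlib.sha256(",".join(map(str, values)).encode()).hexdigest()


class CardReader:
    """TA's device: stores the allowed certificates and the (G_i, P_i, k_i) list."""

    def __init__(self, allowed_certificates, groups):
        self.allowed = {c["id"]: c["sig"] for c in allowed_certificates}
        self.groups = groups                  # {G_i: (P_i, k_i)}
        self.registered = {}                  # participants of the current reconstruction

    def register(self, cert):
        """The three registration rules of Section 2.3."""
        if not verify_certificate(cert) or self.allowed.get(cert["id"]) != cert["sig"]:
            return "rejected: invalid certificate"
        if cert["id"] in self.registered:
            return "rejected: already registered"
        self.registered[cert["id"]] = cert
        return "registered"

    def ready(self):
        """Assumed helper: every group G_i has at least k_i registered members (P_i subset of P)."""
        counts = {}
        for g, (positions, k_g) in self.groups.items():
            n = sum(1 for c in self.registered.values() if set(positions) <= set(c["P"]))
            counts[g] = (n, k_g)
        return all(n >= k_g for n, k_g in counts.values()), counts

    def finish(self, recovered, proof):
        """After recovery: check the Proof, then discard everything tied to this reconstruction."""
        ok = proof_of(recovered) == proof
        self.registered.clear()
        return ok


def demo():
    """Constructed run: G1 with P_1 = {1, 2}, k_1 = 2 and G2 with P_2 = {3}, k_2 = 1."""
    certs = [issue_certificate("A1", {1, 2}, "G1"), issue_certificate("A2", {1, 2}, "G1"),
             issue_certificate("A3", {1, 2, 3}, "G1,G2")]
    reader = CardReader(certs, {"G1": ({1, 2}, 2), "G2": ({3}, 1)})
    forged = dict(certs[0], info="G1,G2")     # tampered Info: the tag no longer matches
    results = [reader.register(certs[0]), reader.register(certs[0]),
               reader.register(forged), reader.register(certs[1]), reader.register(certs[2])]
    ready, _ = reader.ready()
    return results, ready


if __name__ == "__main__":
    print(demo())
```

The duplicate-registration rule is what prevents one smart card from being presented twice to fill two slots of the same group, and `finish` clearing `registered` is the "discard any information related to the secret rebuilding" step; the recovered coordinates themselves are never stored on the reader object.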
3 CONCLUSIONS
In this paper, we have proposed a method for the management of a compartmented secret sharing scheme that allows the increase of the global threshold without modifying the existent shares of the participants. We have considered the Trusted Authority the central point of the scheme as a management unit: it creates the shares, in a RSA manner, and distributes them, rebuilds the secret $S$, and allows the registration of new participants without modifying the existing shares.
REFERENCES
Blakley, B., Blakley, G. R., Chan, A. H., and Massey, J. L. (1993). Threshold schemes with disenrollment. In Advances in Cryptology - CRYPTO '92, volume 740 of Lecture Notes in Computer Science, pages 540–548. Springer-Verlag.
DeLaurentis, J. M. (1984). A further weakness in the common modulus protocol for the RSA cryptoalgorithm. Cryptologia, 8(3).
Ghodosi, H., Pieprzyk, J., and Safavi-Naini, R. (1998). Secret sharing in multilevel and compartmented groups. Lecture Notes in Computer Science, 1438:367–378.
Iftene, S. (2007). Secret Sharing Schemes with Applications in Security Protocols. PhD thesis, "Al.I.Cuza" University of Iasi, Iasi, Romania.
Ito, M., Saito, A., and Nishizeki, T. (1987). Secret sharing scheme realizing general access structure. In IEEE Global Telecommunications Conference: Globecom '87, pages 99–102. IEEE Press.
Menezes, A. J., van Oorschot, P. C., and Vanstone, S. A. (1998). Handbook of Applied Cryptography. CRC Press, volume 6 of Discrete Mathematics and Its Applications.
Shamir, A. (1978). A method for obtaining digital signatures and public-key cryptosystems. Communications of the Association for Computing Machinery, 21(2):120–126.
Shamir, A. (1979). How to share a secret. Communications of the Association for Computing Machinery, 22(11):612–613.
Simmons, G. J. (1983). A 'weak' privacy protocol using the RSA cryptoalgorithm. Cryptologia, 7(2).
Simmons, G. J. (1990). How to (really) share a secret. In Advances in Cryptology - CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 390–448. Springer-Verlag.