Transcript PowerPoint 演示文稿
How to Collaborate between Threshold Secret Sharing Schemes
Daoshun Wang, Ziwei Ye Tsinghua University, China Xiaobo Li University of Alberta, Canada
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Shamir’s (k, n)-Threshold Secret Sharing Scheme ( only one Dealer )
Distribution
S
(
a 0
)
S
(
a 0
)
Reconstruction
• •
S
can be reconstructed by
k
or more than shares Cannot obtain any information of
S
for
k
-1 shares or fewer
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Traditional Method ?
Our Approach Each
common participant
keep only one share.
Each
common participant
must keep two or more shares which can be a burden.
Cases with More Than Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
An Example of Two Secrets Bank1
Cases with More Than Two Secrets
Collaborate
Bank2
(3, 5) key1 (4, 6) key2
Cases with More Than Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve Construction for (3, 5) and (4, 6) Schemes
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve construction for (3, 5) and (4, 6) Schemes
f
2 (
x
) 1
t
2 0
j
(
x j
)
t l
2 1 0
l
j
( (
x x j
x l x l
) ) (mod
p
)
f
2 (
x
) 6
x
3 6
x
2 5
x
3 (mod 7 ),
x
0 , 1 , 2 ,..., 6 .
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve construction for (3, 5) and (4, 6) Schemes Figure 1 shows the cross points between two curves,
f
1 (
x
) and
f
2 (
x
)
Figure 1. The red curve shows polynomial
f
1 (
x
) and the
blue curve
shows
f
2 (
x
) .
Cases with More Than Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
General construction
Cases with More Than Two Secrets
A Simple Case with Two Secrets
General Scheme Construction
Cases with More Than Two Secrets
f 2 ( x ) t 2 j 1 0 ( x j ) t 2 l 1 0 ( x ( x j l j x l ) x l ) (mod p ) f 2 ( x ) a 2 , 0 a 2 , 1 x a 2 , 2 x 2 a 2 , t 2 1 x t 2 1 (mod p )
A Simple Case with Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration Different Situations for common participants
Conclusion
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Demonstration Different Situations for common participants Consider three schemes
, a (3, 5) scheme
1 ,
a (4, 6) scheme The participants of
S
1 are
A
1 ,
A
2 ,
A
3 ,
A
4 and
A
5 .
The participants of
The participants of
S
2
S
3 are are
B
1 ,
B
2 ,
B
3 ,
B
4 ,
B
5
C
1 ,
C
2 ,
C
3 ,
C
4 ,
C
5 ,
C
6 and and
B
6
C
7 . .
S
2 Case1: and
a (5, 7) scheme
3 .
When
A
1 and
A
2 are the
common participants
involved all three schemes, i.e.,
A
2
B
2
C
2 .
A
1
B
1
C
1 ,
It is secure from the point of view of
, since none of the other schemes or dealers can reveal the secret of .
1
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Demonstration Different Situations for common participants Case2:
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Demonstration of Security in Different Situation Case3:
A Simple Case with Two Secrets
(3,5), (4,6) and (5,7) Scheme Construction
Curve Construction
Cases with More Than Two Secrets
Secret Reconstruction
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve Construction Collaboration among a (3, 5) scheme, a (4, 6) scheme and a (5, 7) scheme Suppose
a
1,0 =1,
a
2,0 =3,
a
3,0 =5
p
1 max( 1 , 5 1 ) 7 ,
p
2 max( .
3 , 6 1 ) 7 ,
p
3 max( 5 , 7 1 ) 11 ,
p
(
p
1 ,
p
2 ,
p
3 ) 11 .
•
Step 1:
Dealer 1 constructs a (3, 5) scheme for Secret
a
1,0 (integer 1).
For p
:
f
1 (
x
) 1 3
x
2
x
2 (mod
p
) ,where
x
0 , 1 , , 5 .
For p
1
:
f
1 (
x
) 1 3
x
2
x
2 (mod
p
1 ) ,where
x
0 , 1 , , 5 .
This curve produces next six points, respectively:
(0, 1), (1, 6), (2, 4), (3, 6), (4, 1), (5, 0) for
p
(0, 1), (1, 6),(2, 1), (3, 0),(4, 3),(5, 3 ) for p 1
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve Construction •
Step 2:
Dealer 2 constructs a (4, 6) scheme for Secret
a
2,0 has three points: (integer 3).
(0, 3), (1, 6), and (2, 4) with the same prime
p
; ( (0, 3), (1, 6) and (2, 1) for
p
2 . He needs one more point and chooses (3,
y
).
y
∈ Z . i.e., ((3,
f
2 (3)=3) . Using Lagrange interpolation, • When
p
11 ,
f
2 (
x
)
x
3 2
x
3 (mod
q
) • obtain next points: (0, 3), (1, 6), (2, 4), (3, 3), (4, 9), (5, 6), (6, 0); • When
q
=
p
2 =7 Dealer 2 uses the four points (0, 3), (1, 6), (2, 1) and (3, 3) to obtain
f
2 (
x
) 6
x
3 6
x
2 5
x
3 (mod
p
2 ),
x
0 ,..., 6 • this curve produces seven points: (0, 3), (1, 6), (2, 1), (3, 3), (4, 6), (5, 4), (6, 5).
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Curve Construction •
Step 3:
Dealer 3 constructs a (5, 7) scheme for Secret
a
3,0 (integer 5).
With
a
3,0 =5,
has four points
: (0, 5), (1, 6), (2, 4) and (3, 6) with the same prime
p
(0, 5), (1, 6), (2, 1) and (3, 0) for
p
3 . He needs one more point and chooses another point, i.e.
( 4 ,
f
3 ( 4 ) 4 ) .
we can obtain using Lagrange interpolation : • When
q
11
p
,
f
3 (
x
) 3
x
4 7
x
3 6
x
2 7
x
5 (mod
q
), then obtain (0, 5), (1, 6), (2, 4), (3, 6), (4, 3), (5, 3), (6, 9), (7, 8),.
• When
q
11
p
3 , Dealer 3 gets
f
3 (
x
) 6
x
4 6
x
3 3
x
2 8
x
5 (mod
p
3 ) And has (0, 5), (1, 6), (2, 1), (3, 0), (4, 3), (5, 0), (6, 4), (7, 7).
A Simple Case with Two Secrets
Curve Construction
Cases with More Than Two Secrets
Figure 2. the same p Figure 2 shows the cross points among three curves with the same
p
.
Figure 3. different p Figure 3 shows the cross points among three curves with the different
p
.
f 1
(
x
) ( red curve ),
f 2
(
x
) ( blue curve ) and
f 3
(
x
) ( green curv e)
A Simple Case with Two Secrets
(3,5), (4,6) and (5,7) Scheme Construction
Curve Construction
Cases with More Than Two Secrets
Secret Reconstruction
A Simple Case with Two Secrets
Secret Reconstruction
Cases with More Than Two Secrets
f
3 (
x
) 6
x
4 6
x
3 3
x
2 8
x
5 (mod
p
3 ),
x
1 ,..., 7 .
A Simple Case with Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
Demonstration Different Situations for common participants
Conclusion
A Simple Case with Two Secrets
Cases with More Than Two Secrets
More General Cases Suggestion: • The dealer of a scheme should always try to allow a
minimum number
of shares to be known to other dealers , in order to minimize the exposure to the outside. • When a dealer receives one or more shares from a collaborating scheme to distribute to his participants, he may want to use these very shares as his first choice to give out to other dealers , instead of giving out his own more “private” shares that no other dealers know already.
A Simple Case with Two Secrets
Cases with More Than Two Secrets
More General Cases When there are
s
(s ≥2) secrets to be protected, multiple threshold schemes{(
t
1 ,
n
1 ), (
t
2 ,
n
2 ),…, (
t
s ,
n
s )} can be used. If there are
u
common participants, we can construct
s
polynomials
f
1 (
x
),
f
2 (
x
), …,
f
s (
x
) with
u
common crossover points, where
u
≤
min
(
t
1 ,
t
2 , …,
t
s )-1 . Here, the polynomials are
f
1 (
x
)
f
2 (
x
)
a
1 , 0
a
2 , 0
a
1 , 1
x
a
1 , 2
x
2
a
2 , 1
x
a
2 , 2
x
2
a
1 ,
t
1 1
x t
1 1
a
2 ,
t
2 1
x t
2 1 (mod (mod
p
)
p
)
f s
(
x
)
a s
, 0
a s
, 1
x
a s
, 2
x
2
a s
,
t s
1
x t s
1 (mod
p
) The value of
p
in these
s
polynomials
f
1 (
x
),
f
2 (
x
), …,
f
s (
x
) may not be the same,
p i
max(
a i
, 0 ,
n i
1 ),
i
1 , , ,
s
, it is possible that
p i
p j
when
i
j
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Outline
Introduction
Threshold Secret Sharing Scheme
A Simple Case with Two Secrets
(3,5) and (4,6) Scheme Construction
Cases with More Than Two Secrets
(3,5), (4,6) and (5,7) Scheme Construction Demonstration of Security in Different Situation
Conclusion
A Simple Case with Two Secrets
Cases with More Than Two Secrets
Conclusion • This paper proposes a basic collaboration mechanism for two or more threshold schemes to insure that each common participant keeps only one share.
• The scheme collaboration raises a number of other issues.
the security concerns involving dishonest common participants and dealers of different schemes and the situation where other dealers becoming participants of a scheme various combinations and risks exist in this more “open” environment tracing traders could become more difficult than in the traditional single scheme situation