
Simple Secret Sharing and Threshold RSA Signature Schemes


http://www.paper.edu.cn
Journal of Information & Computational Science 1: 2 (2004) 259–262
Available at http://www.joics.com

Shaohua Tang∗

School of Computer Science and Engineering, South China University of Technology Guangzhou 510640, China

Received 14 May 2004; revised 5 November 2004

Abstract

A new secret sharing scheme and a new threshold RSA signature scheme are presented. The secret sharing scheme is characterized by fast computation as well as simple and secure operations, since only simple addition and union operations are adopted in this algorithm. The secret is divided into N pieces, and each piece is delivered to a different participant. Any K or more participants out of N can reconstruct the secret, but any (M − 1) or fewer participants would fail to recover the secret, where $M = \lceil N/(N-K+1) \rceil$. This secret sharing scheme is applied to construct a new threshold RSA signature. Each participant calculates the partial signature for the message by using its own shadow. Any K or more participants out of N can combine their partial signatures to form a complete signature for the message, but any (M − 1) or fewer participants would fail to calculate the complete signature. During the phases of partial signature generation and partial signature combination, the RSA private key is never reconstructed and no participant's partial secret (shadow) needs to be exposed to others, thus the secret of the RSA private key will not be exposed. The two schemes possess the security of threshold cryptography.

Keywords: Secret sharing; Threshold signature; Threshold cryptographics; RSA

1 Introduction

Secret sharing schemes were introduced by Blakley [2] and Shamir [6]. Other famous secret sharing schemes include Asmuth-Bloom's scheme [1], Karnin-Greene-Hellman's scheme [5], etc. However, it is known that the mathematical operations invoked in all these algorithms are relatively complex.

This work is supported by the National Natural Science Foundation of China (No. 60273064 and No. 69802006), and by the Projects of Guangdong Government Science and Technology Program, and by the Projects of Guangzhou Government Science and Technology Program.
∗Corresponding author: Shaohua Tang.

1548–7741 / Copyright © 2004 Binary Information Press, December 2004


The most attractive feature of a threshold signature is that the private key is never reconstructed, yet the signature can still be calculated. Some schemes realize this feature, but almost all related works adopt complex algorithms or narrow the range from which the parameters can be chosen. For example, Frankel's scheme [4] brings complexity to algorithm design and security proof, and Shoup's scheme [7] brings hardness of computation to the combiner. One might think of designing a threshold RSA signature based on the classical Shamir secret sharing scheme; however, as Desmedt and Frankel briefly addressed in [3], there are some technical obstructions to doing this.

We propose a new secret sharing scheme and a new threshold RSA signature scheme in this paper. The mathematical theory adopted by our secret sharing scheme is the union operation in set theory and the addition operation in arithmetic. The threshold RSA algorithm is designed based on our secret sharing scheme. Since the principle and the operations invoked by our schemes are extremely simple, we call them "simple" schemes. They possess the following features:

(1) They are easy to implement.
(2) They ensure fast computation, because only simple addition and union operations are adopted in the secret sharing algorithm, which also ensures the fast computation of the threshold RSA signature.
(3) They require no strict preconditions and can apply to almost all circumstances requiring secret sharing or threshold signature.
(4) They are secure. Though the schemes are simple, they still possess the security of threshold cryptography.

2 Simple Secret Sharing Scheme

Suppose F is a field. K and N are positive integers, and K ≤ N. There are N participants, which are denoted by $P_0, P_1, \ldots, P_{N-1}$. Suppose d is the secret data, $d \in F$. We are going to divide the secret d into N pieces (each piece is called a shadow), and to distribute the shadows to the N different participants. Any K or more participants out of N can reconstruct d, but any (M − 1) or fewer participants cannot recover the secret d, where $M = \lceil N/(N-K+1) \rceil$ and $\lceil x \rceil$ denotes the smallest integer greater than or equal to x.

The secret sharing scheme consists of the shadow generation stage, shadow distribution stage, and secret reconstruction stage.

Shadow generation stage. For $d \in F$, randomly select $d_0, d_1, \ldots, d_{N-2} \in F$, then compute $d_{N-1} = d - \sum_{i=0}^{N-2} d_i$. We define $I = \{0, 1, \ldots, N-1\}$, $D = \{d_0, d_1, \ldots, d_{N-1}\}$, and $A = \{(0, d_0), (1, d_1), \ldots, (N-1, d_{N-1})\}$. For $j = 0, 1, \ldots, N-1$, we define

$I_j = \{\, i \bmod N \mid j \le i \le N-K+j \,\}$,
$D_j = \{\, d_{i \bmod N} \mid j \le i \le N-K+j \,\}$, and
$A_j = \{\, (i \bmod N,\ d_{i \bmod N}) \mid j \le i \le N-K+j \,\}$.

Shadow distribution stage. After the calculation of all $A_j$ ($j = 0, 1, \ldots, N-1$), each $A_j$ is delivered to the j-th participant, i.e., $A_j$ is delivered to the participant $P_j$.

Reconstructing the secret d. Any K (or more) participants out of N can reconstruct the secret d. Any one among the K selected participants can act as a combiner to find $(0, d_0), (1, d_1), \ldots, (N-1, d_{N-1})$ from the presented $A_j$. Let $d = \sum_{i=0}^{N-1} d_i$, which is the solution. This conclusion follows from Proposition 1 below.

Proposition 1. The union of the $A_j$ of any K (or more) participants out of N covers A.

Security analysis.

Proposition 2. The union of the $D_j$ from any (M − 1) participants cannot cover D, and the union of the $A_j$ from any (M − 1) participants cannot cover A, where $M = \lceil N/(N-K+1) \rceil$.

From Proposition 2 we know that, if the number of participants being attacked is less than M, then the secret d will not be exposed. Similarly, if the number of conspirators among the original participants is less than M, then they cannot derive the secret d.

Performance analysis. The computation overhead is O(N) addition operations. Addition is simple and only a basic arithmetic operation is involved, thus fast calculation is ensured.
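The shadow generation and reconstruction stages, together with Propositions 1 and 2, can be checked by brute force for small N. The following Python is an added example, not code from the paper; the field GF(P) with P = 2^127 − 1, the function names and the sample secret are assumptions made for illustration.

```python
import secrets
from itertools import combinations
from math import ceil, comb

P = 2**127 - 1  # assumed field F = GF(P); the paper only requires some field

def make_shadows(d, N, K):
    """Shadow generation: return [A_0, ..., A_{N-1}] as dicts {i: d_i}."""
    parts = [secrets.randbelow(P) for _ in range(N - 1)]
    parts.append((d - sum(parts)) % P)       # d_{N-1} = d - sum_{i<N-1} d_i
    # A_j holds the N-K+1 consecutive pieces j, j+1, ..., N-K+j (indices mod N)
    return [{i % N: parts[i % N] for i in range(j, N - K + j + 1)}
            for j in range(N)]

def reconstruct(presented, N):
    """Union the presented A_j; return d if the union covers A, else None."""
    union = {}
    for A_j in presented:
        union.update(A_j)
    return sum(union.values()) % P if len(union) == N else None

def recovering_groups(shadows, size):
    """All participant groups of the given size whose union covers A."""
    N = len(shadows)
    return [g for g in combinations(range(N), size)
            if reconstruct([shadows[j] for j in g], N) is not None]

def threshold_report(N, K, d=123456789):
    """Check Propositions 1 and 2 exhaustively (d is a constructed secret)."""
    shadows = make_shadows(d, N, K)
    M = ceil(N / (N - K + 1))
    return {
        "M": M,
        "every_K_group_recovers":
            len(recovering_groups(shadows, K)) == comb(N, K),
        "no_M_minus_1_group_recovers":
            recovering_groups(shadows, M - 1) == [],
        "M_groups_that_recover": recovering_groups(shadows, M),
    }

if __name__ == "__main__":
    print(threshold_report(N=5, K=3))
```

For N = 5, K = 3 this gives M = 2: no single participant recovers d and every group of three does, but five of the ten pairs also cover A, so group sizes from M to K − 1 have to be treated as possibly sufficient when choosing K and N.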

3 Simple Threshold RSA Signature

The simple secret sharing scheme can be applied to digital signatures to construct a new threshold RSA signature, which consists of five stages: initial stage, shadow generation stage, shadow distribution stage, the stage of partial signature generation, and the stage of partial signature combination.

Initial stage. Parameters for RSA are generated during the initial stage. Randomly select two large primes p and q, and let $n = p \times q$; n is the public parameter. Compute $\varphi(n) = (p-1) \times (q-1)$. Randomly choose an integer e with $0 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$, then compute $d = e^{-1} \pmod{\varphi(n)}$. The private key consists of {d, n} and the public key consists of {e, n}. Suppose h() is a one-way hash function, and $m \in Z_n$ is the message to be signed.

Shadow generation stage. Suppose K and N are positive integers, and K ≤ N. There are N participants, which are denoted by $P_0, P_1, \ldots, P_{N-1}$. Randomly select $d_0, d_1, \ldots, d_{N-2} \in Z_{\varphi(n)}$, then compute $d_{N-1} = d - \sum_{i=0}^{N-2} d_i$. We define A and $A_j$ ($j = 0, 1, \ldots, N-1$) as described in the shadow generation stage of Section 2.

Shadow distribution stage. After the calculation of all $A_j$ ($j = 0, 1, \ldots, N-1$), each $A_j$ is delivered to the j-th participant, i.e., $A_j$ is delivered to the participant $P_j$.

The stage of partial signature generation. We can now design the steps for the generation of partial signatures according to Proposition 1.

Step 1. Randomly select K participants whose shadows are not damaged. Without loss of generality, suppose $P_1, P_2, \ldots, P_K$ are the ones being chosen. Any one among these K selected participants can act as a combiner, e.g., $P_1$ can act as the combiner.

Step 2. The combiner needs to maintain a partial signature set (PSS), and each element of PSS is of the form $(i, c_i)$, where $0 \le i \le N-1$ and $c_i$ is the partial signature to be calculated by the selected participants. The initial status of PSS is an empty set, i.e., initially, $PSS = \emptyset$.

Step 3. For each selected $P_j$ ($j = 1, 2, \ldots, K$), $P_j$ sequentially fetches $(i, d_i) \in A_j$, then $P_j$ checks whether there exists an element $(a, b) \in PSS$ such that $i = a$. If $i \ne a$ for all $(a, b) \in PSS$, then $P_j$ computes $c_i \equiv (h(m))^{d_i} \pmod{n}$, and then delivers $(i, c_i)$ to the combiner. The combiner lets $PSS = PSS \cup \{(i, c_i)\}$. Step 3 continues until the PSS reaches its final status, i.e., until $PSS = \{(i, c_i) \mid i = 0, 1, \ldots, N-1\}$.

The stage of partial signature combination. After the PSS reaches its final status $\{(i, c_i) \mid i = 0, 1, \ldots, N-1\}$, the combiner calculates $c = \prod_{i=0}^{N-1} c_i \pmod{n}$, which is the complete signature for the message m.


Proposition 3. $c = \prod_{i=0}^{N-1} c_i \pmod{n}$ is a standard RSA digital signature for message m.

Security analysis. If the number of participants being attacked is less than $M = \lceil N/(N-K+1) \rceil$, then the secret d cannot be reconstructed and the signature cannot be forged. Therefore, as long as the number of participants not being damaged is greater than N − M, the whole system is secure. During the phase of signature combination, no participant's partial secret (shadow) needs to be exposed to others and the RSA private key never needs to be reconstructed, thus the secret of the private key will not be exposed.

Performance analysis. The computation overhead is O(N) modular exponentiations plus O(N) modular multiplication operations. Compared with other related works, our algorithm is easy to implement, requires no strict preconditions, and is fast and secure.
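The five stages above, run end to end, show that the combined value equals the ordinary RSA signature $h(m)^d \bmod n$ without d ever being assembled. This Python is an added example, not code from the paper; the toy primes (two Mersenne primes), e = 65537, the use of SHA-256 reduced mod n for h(), and all function names are assumptions for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters: two Mersenne primes, far too small for real use.
p, q, e = 2**31 - 1, 2**61 - 1, 65537
n, phi = p * q, (p - 1) * (q - 1)
d = pow(e, -1, phi)                           # d = e^{-1} mod phi(n)

def h(m: bytes) -> int:
    """Assumed instantiation of the one-way hash h(), reduced into Z_n."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def deal(N, K):
    """Shadow generation and distribution: P_j receives A_j = {i: d_i}."""
    parts = [secrets.randbelow(phi) for _ in range(N - 1)]
    parts.append((d - sum(parts)) % phi)      # shares sum to d mod phi(n)
    return [{i % N: parts[i % N] for i in range(j, N - K + j + 1)}
            for j in range(N)]

def sign(m, shadows, chosen):
    """Steps 1-3 and the combination stage; None if PSS stays incomplete."""
    N, hm, pss = len(shadows), h(m), {}
    for j in chosen:                          # each selected P_j in turn
        for i, d_i in shadows[j].items():
            if i not in pss:                  # index i not yet in PSS
                pss[i] = pow(hm, d_i, n)      # c_i = h(m)^{d_i} mod n, by P_j
    if len(pss) != N:                         # final status not reached
        return None
    c = 1
    for c_i in pss.values():                  # c = prod c_i mod n
        c = c * c_i % n
    return c

def verify(m, c):
    """Standard RSA verification with the public key {e, n}."""
    return c is not None and pow(c, e, n) == h(m)

if __name__ == "__main__":
    shadows = deal(N=5, K=3)
    sig = sign(b"constructed sample message", shadows, chosen=[0, 1, 2])
    print(verify(b"constructed sample message", sig))
```

Only the values $c_i$ reach the combiner; each $d_i$ is used inside the loop body that stands for the holder $P_j$.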

4 Conclusions

A simple secret sharing scheme and a simple threshold RSA signature scheme are proposed in this paper. Compared with other typical secret sharing and threshold RSA signature schemes, our algorithms possess the following features: (1) Simple, which invoke no complex operations and are easy to implement; (2) Fast computation, because only simple operations are adopted; (3) No strict preconditions, which can apply to almost all circumstances requiring secret sharing or threshold signature; (4) Secure. Though the schemes are simple, they still possess the security of threshold cryptography.

References

[1] C. Asmuth and J. Bloom, A modular approach to key safeguarding, IEEE Transactions on Information Theory IT-29 (2) (1983) 208-210.
[2] G. R. Blakley, Safeguarding cryptographic keys, Proceedings of the National Computer Conference, 1979, pp. 313-317.
[3] Y. Desmedt and Y. Frankel, Threshold cryptosystems, Advances in Cryptology-Crypto'89, 1989, pp. 307-315.
[4] Y. Frankel and P. Gemmel et al., Optimal-resilience proactive public-key cryptosystems, IEEE Symposium on Foundations of Computer Science (1997) 384-393.
[5] E. D. Karnin, J. W. Greene and M. E. Hellman, On sharing secret systems, IEEE Transactions on Information Theory IT-29 (1983) 35-41.
[6] A. Shamir, How to share a secret, Communications of ACM 22 (11) (1979) 612-613.
[7] V. Shoup, Practical threshold signatures, Proceedings of Eurocrypt 2000, 2000, pp. 207-220.