Threshold Based on Blakley Secret Sharing

Ilker˙ Nadi Bozkurt, Kamer Kaya, Ali Aydın Selc¸uk Ahmet M. Gulo¨ glu˜ Department of Computer Engineering Department of Mathematics Bilkent University Bilkent University Ankara, 06800, Turkey Ankara, 06800, Turkey Email: bozkurti,kamer,selcuk @cs.bilkent.edu.tr Email: [email protected] { }

Abstract—Function sharing deals with the problem and Asmuth-Bloom [1] based on the Chinese Remainder of distribution of the computation of a function (such Theorem. as decryption or signature) among several parties. The A shortcoming of secret sharing schemes is the need to necessary values for the computation are distributed to reveal the secret shares during the reconstruction phase. the participating parties using a secret sharing scheme The system would be more secure if the subject function (SSS). Several function sharing schemes have been pro- posed in the literature, with most of them using Shamir can be computed without revealing the secret shares or secret sharing as the underlying SSS. In this paper, we reconstructing the secret. This is known as the function investigate how threshold cryptography can be conducted sharing problem. A function sharing scheme requires with Blakley secret sharing scheme and present a novel distributing the function’s computation according to the function sharing scheme for the RSA . The underlying SSS such that each part of the computation challenge is that constructing the secret in Blakley’s SSS can be carried out by a different user and then the requires the solution of a linear system which normally partial results can be combined to yield the function’s involves computing inverses, while computing inverses value without disclosing the individual secrets. Several modulo φ(N) cannot be tolerated in a threshold RSA system in any way. protocols for function sharing have been proposed in the Index Terms—threshold cryptography, RSA, function literature [3], [4], [5], [6], [13], [8], [11]. Nearly all the sharing, Blakley secret sharing. existing solutions for function sharing uses Shamir secret sharing as the underlying SSS. I.INTRODUCTION In this paper we present a novel threshold RSA signature scheme based on Blakley’s secret sharing as The secure storage of the private keys of a cryptosys- we explain below. tem is an important problem. The possession of a highly sensitive by an individual may not be desirable as A. Secret Sharing Schemes the key can easily be lost or as the individual may not be fully trusted. Giving copies of the key to more than one The problem of secret sharing and the first solutions individual increases the risk of compromise. A solution were introduced in 1979 independently by Shamir [12] to this problem is to give shares of the key to several and Blakley [2]. A (t, n)-secret sharing scheme is used individuals, forcing them to cooperate to find the secret to distribute a secret d among n people such that any key. This not only reduces the risk of losing the key coalition of size t or more can construct d but smaller but also makes compromising the key more difficult. coalitions cannot. In threshold cryptography, secret sharing deals with this Shamir secret sharing is based on polynomial inter- problem, namely, sharing a highly sensitive secret among polation over a finite field. It uses the fact that we can a group of n users so that only when a sufficient find a polynomial of degree t 1 given t data points. To − t 1 i number t of them come together can the secret be generate a polynomial f(x) = − aix , a0 is set to the Pi=0 reconstructed. Well-known secret sharing schemes (SSS) secret value and the coefficients a1 to at 1 are assigned in the literature include Shamir [12] based on polynomial random values in the field. The value f−(i) is given to interpolation, Blakley [2] based on hyperplane geometry, user i. When t out of n users come together, they can construct the polynomial using Lagrange interpolation C. Our Contribution and can find the secret. In this work, we show how to do threshold RSA Blakley secret sharing scheme has a different approach signatures using Blakley SSS. Blakley’s scheme, which based on hyperplane geometry: To implement a (t, n) is based on solving linear systems, naturally requires threshold scheme, each of the n users is given a hyper- computing inverses for reconstructing the secret. We plane equation in a t dimensional space over a finite field show, in a spirit similar to Shoup’s work, how to utilize such that each hyperplane passes through a certain point. Blakley’s SSS for threshold cryptography while avoiding The intersection point of the hyperplanes is the secret. computation of inverses modulo φ(N) completely. When t users come together, they can solve the system of equations to find the secret. II.BLAKLEY’S SECRET SHARING SCHEME Blakley’s SSS uses hyperplane geometry to solve the B. Function Sharing Schemes secret sharing problem. The secret is a point in a t- Function sharing is the concept of distribution of the dimensional space and n shares are affine hyperplanes computation of a function such that when a sufficient that pass through this point. An affine hyperplane in a number of users come together they can compute the t-dimensional space with coordinates in a field can be value of the function without revealing their secret shares described by a linear equation of the followingF form: but less than the threshold number of users cannot. This problem is related to secret sharing as the secret values a1x1 + a2x2 + ... + atxt = b. needed for partial computations are distributed using The intersection point is obtained by finding the inter- secret sharing. section of any t of these hyperplanes. The secret can be Several solutions for sharing the RSA, ElGamal, and any of the coordinates of the intersection point or any Paillier private key operations have been proposed in function of the coordinates. We take the secret to be the the literature [3], [4], [5], [6], [7], [10], [11], [13], [9]. first coordinate of the point of intersection. Almost all of these schemes have been based on the A. Dealing Phase Shamir SSS. The additive nature of the Lagrange’s interpolation Let m be a prime and let = Z be the field we F m formula used in the combining phase of Shamir’s scheme are working on. The dealer generates a secret point x in makes it an attractive choice for function sharing, but t, where the first coordinate x[1] is set to the secret F it also provides several challenges. One of the most value (the RSA private key d in our case) and sets the significant challenges is the computation of inverses in values of the other coordinates randomly from the field Z for the division operations in Lagrange’s formula . The ith user will get a hyperplane equation over , φ(N) F F where φ (N) should not be known by the users. There ai1x1 + ai2x2 + ... + aitxt = yi. (1) are two main difficulties in this respect: (t, n) n 1) An inverse x 1 will not exist modulo φ (N) if For a threshold scheme there will be such − hyperplane equations, and hence we will have an n t gcd (x, N) = 1. × 6 1 linear system, 2) Even when x− exists it should not be computable by a user, since that would enable computing Ax = y. (2) φ (N). The dealer then sends the secret value of yi along Early solutions to this problem, albeit not very efficient, with ai1, . . . , ait to user i. The coefficients aij are not were given in [3], [11]. Afterwards an ingenious solution sensitive and can be made public if needed. was given by Shoup [13] where he removed the need of taking inverses in Lagrange interpolation. B. Share Combining Phase Shoup’s practical RSA scheme has inspired similar Share combining step is simply finding the solution works on different . Fouque et al. [7] of a linear system of equations. Suppose that a coalition proposed a similar threshold solution for the Paillier = i1, . . . , it of users come together. They form a cryptosystem and used it in e-voting and lottery pro- matrixS { A using} their hyperplane equations and solve tocols. Later, Lysyanskaya and Peikert [10] improved S A x = y , (3) this work and obtained a threshold Paillier S S scheme secure under the adaptive security model. The where y is the vector of the secret shares of the users. current paper is also inspired by Shoup’s work. The secretS is found as the first coordinate of the solution. III.SHARING RSASIGNATURE COMPUTATION where a and b are integers such that In this section, we describe our threshold RSA signa- ∆ a + eb = 1, (9) ture scheme with Blakley secret sharing. S which can be obtained by the extended Euclidean algo- A. Setup rithm on ∆ and e. S In the RSA setup phase, choose two large primes p IV. SOLUTIONOFTHE LINEAR SYSTEM and q, and compute the RSA modulus as N = pq. The public key e is chosen as a prime number relatively In Blakley’s SSS, the private key is found by so- prime to φ(N), the details of which will be explained lution of the linear system A x = y . However, this S S Z in Section V. After choosing e, the private key d is system may not have a unique solution over φ(N). If gcd(∆ , φ(N)) > 1, the matrix A will not have an computed such that ed 1 (mod φ(N)). Then the S S dealer shares the private≡ key d among n users using inverse modulo φ(N), and the linear system will have Blakley SSS in Z . many different solutions. Interestingly, our threshold φ(N) signature scheme computes the correct signature in this B. Signing case as well. Let H(.) be a hash function mapping input messages When gcd(∆ , φ(N)) > 1 and the linear system S d to ZN∗ and let w = H(M) ZN∗ be the hashed message yields many different solutions for , note that the value to be signed. Assume a coalition∈ of size t wants to ∆ d is a fixed number for all these possible solutions, S obtain the signature s = wd mod NS. and is equal to 1) Generating the Partial Signatures: Let = S ∆ d = Σici1yi. i1, . . . , it be the coalition of t users, forming the linear S system{ } Hence, the incomplete signature

Σici1yi A x = y . sp = w mod N S S ∆ d = w S mod N Let cij be the ij-th cofactor of matrix A and let C be the adjugate matrix, S S is the same for every solution of the system A x = y . S S Then the signature s is obtained from sp as c11 c21 . . . ct1   a b c12 c22 . . . ct2 s = s w mod N, C = . p  . . .. .  S  . . . .  where a and b are the integer solutions of ∆ a+eb = 1.   S  c1t c2t . . . ctt  Hence, the signature s is wd mod N for the right d value, If we denote the determinant of A by ∆ , we have computed according to the public key e. S S HOOSING A C = C A = ∆ It, (4) V. C e S S S S S The choice of e is critical in the setup phase because where I denotes the t t identity matrix. t the solution depends on e and ∆ being relatively prime. For our scheme, each× user i computes his partial To achieve this, we can eitherS choose a special matrix signature as ∈ S whose determinant we know to be relatively prime to e, ci1yi si = w mod N. (5) or choose e as a sufficiently large prime according to t 2) Combining the Partial Signatures: To combine the and n so that the probability that ∆ is divisible by e will be negligible for any coalition S. partial signatures, we simply compute S A. Choosing e Probabilistically sp = si1 si2 . . . sit mod N. (6) The probability of a random integer’s being divisible Note that, from equation (4), we have by a prime e is 1/e. So, if we have a (t, n) threshold ∆ d sp = w S mod N. (7) scheme, the probability that the determinant of none of n n 1 ( t ) Given that e is a prime number relatively prime to the t A matrices will be divisible by e is 1 e . S n d  −  ∆ , it is easy to compute the signature s = w mod N If we take e t , we have S   from sp. Take (n) 1 t a b 1  1 . (10) s = spw mod N, (8) − e ≈ B. Using a Vandermonde Matrix [5] Y. Desmedt and Y. Frankel. Shared generation of authenticators and signatures. In Proc. of CRYPTO’91, volume 576 of LNCS, A simple choice for the matrix A that enables us pages 457–469. Springer-Verlag, 1992. to guarantee that e will be relatively prime to the [6] Y. Desmedt and Y. Frankel. Homomorphic zero-knowledge determinant of the coefficient matrix is to choose the threshold schemes over any finite abelian group. SIAM Journal rows of the matrix A as the rows of a Vandermonde on Discrete Mathematics, 7(4):667–679, 1994. [7] P. A. Fouque, G. Poupard, and J. Stern. Sharing decryption in matrix. Then, A will have the following form for any the context of voting or lotteries. In Proc. of FC 2000, 4th S coalition : International Conference on Financial Cryptography, volume S 2 t 1 1962 of LNCS, pages 90–104. Springer-Verlag, 2001. 1 a1 a1 . . . a1− [8] H. F. Huang and C. C. Chang. A novel efficient (t,n) threshold  2 t 1  1 a2 a2 . . . a − proxy signature scheme. Information Sciences, 176(10):1338– A = 2  ......  1349, 2006. S  . . . . .  [9] K. Kaya and A. A. Selc¸uk. Threshold cryptography based  2 t 1   1 at at . . . at−  on Asmuth-Bloom secret sharing. Information Sciences, 177(19):4148–4160, 2007. The determinant of the Vandermonde matrix is nonzero, [10] A. Lysyanskaya and C. Peikert. Adaptive security in the provided that no two rows are identical, and it is found threshold setting: From cryptosystems to signature schemes. In by the following formula : Proc. of ASIACRYPT 2001, volume 2248 of LNCS, pages 331– 350. Springer-Verlag, 2001. t [11] A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to A = (ai aj) (11) share a function securely? In Proc. of STOC94, pages 522–533, | S | Y − 1994. i,j=1,i

REFERENCES [1] C. Asmuth and J. Bloom. A modular approach to key safeguard- ing. IEEE Trans. Information Theory, 29(2):208–210, 1983. [2] G. Blakley. Safeguarding cryptographic keys. In Proc. of AFIPS National Computer Conference, 1979. [3] Y. Desmedt. Some recent research aspects of threshold cryp- tography. In Proc. of ISW ’97, 1st International Information Security Workshop, volume 1196 of LNCS, pages 158–173. Springer-Verlag, 1997. [4] Y. Desmedt and Y. Frankel. Threshold cryptosystems. In Proc. of CRYPTO’89, volume 435 of LNCS, pages 307–315. Springer-Verlag, 1990.