On-Line Secret Sharing

Home , Secret sharing

On-line Secret Sharing

Christian Cachin

Institute for Theoretical Computer Science

ETH Zuric h

CH-8092 Zuric h, Switzerland

E-mail: [email protected]

Abstract. We prop ose a new construction for computationally secure

secret sharing schemes with general access structures where all shares

are as short as the secret. Our scheme provides the capability to share

multiple secrets and to dynamically add participants on-line, without

having to re-distribute new shares secretly to the current participants.

These capabilities are gained by storing additional authentic but not

secret information at a publicly accessible lo cation.

1 Intro duction

Secret sharing is an imp ortant and widely studied to ol in cryptography and

distributed computation. Informally, a secret sharing scheme is a proto col in

which a dealer distributes a secret among a set of participants such that only

sp eci c subsets of them, de ned bythe access structure, can recover the secret

at a later time.

Secret sharing has largely b een investigated in the information-theoretic se-

curity mo del, requiring that the participants' shares give no information on the

secret, i.e. that the resp ective probability distributions are indep endent. Called

perfect secret sharing schemes, they require that for every participantthenum-

b er of bits needed to representasharemust b e at least as large as the number

of bits required to describ e the secret itself analogous to Shannon's theorem

ab out key size for a p erfectly secure cipher.

If the access structure allows any subset of k or more of the n participants

to reconstruct the secret but not k 1 or less, the secret sharing scheme is

called a threshold scheme. It can b e implemented with Shamir's construction [14]

based on p olynomial interp olation. Secret sharing schemes for general monotone

access structures are known, based on monotone circuit constructions [1,9]. The

surveys by Stinson [16] and Simmons [15]provide a general description of secret

sharing schemes.

For many access structures it can b e proved that some shares havetobe

considerably larger than the secret in p erfect schemes [5]. Moreover, there exist

families of sp ecial access structures on n participants where the size of some

shares must growunb oundedly as n !1 [6].

In the schemes describ ed so far, the set of participants remains unchanged

until the secret is recovered. Blakley et al. [2] study threshold schemes with

disenrol lment capabilities, where a participant is free to leave and to giveaway

his share. The dealer then shares a new secret by broadcasting a message over a

public channel. For p erfect threshold schemes with m-fold disenrollmentitcan

b e shown that the size of the initially distributed shares must grow linearly in

m [2]. These results are extended to general dynamic access structures by Blundo

et al. [3]. Schemes for distributing multiple secrets are examined in [4].

Recently, Krawczyk [10]intro duced a construction for computational ly secure

threshold secret sharing schemes where the shares can b e shorter than the secret

and that uses a secure encryption function. Basically, this proto col works as fol-

lows: The p otentionally large secret is encrypted with a symmetric encryption

function. The result is distributed among the participants using an information

disp ersal proto col [13] based on error correcting co des. Any k out of the n par-

ticipants can reconstruct the encrypted secret. To prevent an unauthorized set

of participants from learning anything ab out the secret, the secret key used for

encryption is distributed among the participants using a conventional, uncondi-

tionally secure secret sharing scheme e.g. Shamir's threshold scheme [14].

Much research in the area of secret sharing has concentrated on the size

of the shares. Although the size of the shares is imp ortant b ecause the shares

have to b e transmitted and stored secretly, this is not the only information the

participants must know to reconstruct the secret. Additional knowledge needed

is, for example, the identity of the participants or the description of the proto col,

including the access structure. These parameters are publicly known, but at the

same time it is vital that they are authentic, i.e. no malicious participanthas

changed these descriptions. This is particularly imp ortant if the participants

are computer systems that receive the descriptions over a p otentially insecure

communications link.

We prop ose a novel computationally secure secret sharing scheme for gen-

eral access structures where all shares are as short as the secret. Our scheme

provides the capability to share multiple secrets and to dynamically add partici-

pants on-line, without having to re-distribute new shares secretly to the current

participants. These capabilities are traded for the need of storing additional au-

thentic but not secret information at a publicly accessible lo cation, e.g. on a

bulletin b oard. Alternatively, this information can b e broadcast to the partici-

pants over a public channel. The proto col gains its security from any one-way

function. In particular, our construction has the following prop erties:

{ All shares that must b e transmitted and stored secretly once for every par-

ticipant are as short as the secret.

{ Multiple secrets can b e shared with di erent access structures requiring only

one share p er participant for all secrets. This includes the ability for the

dealer to change the secret after the shares have b een distributed.

{ The dealer can distribute the shares on-line: When a new participant is added

and the access structure is changed, already distributed shares remain valid.

Apart from the new participant's share that is secretly transmitted to him,

only publicly readable information has to b e changed.

The scheme is secure given any secure one-way function in the sense that

a non-quali ed set of participants running a p olynomial-time algorithm cannot 2

determine the secret with non-negligible probability.To preventanattackby

exhaustive search, however, the set of p ossible secrets must not b e to o small.

Our construction solves an op en problem of [10], alb eit in a somewhat di erent

way than prop osed there.

Compared to traditional, unconditionally secure secret sharing schemes the

prop osed metho d is very exible and uses only small shares. The di erences lie

in the additional use of publicly accessible information and in the security mo del.

As for the use of authentic storage, we note that public information is needed in

all traditional secret sharing schemes and that, authenticity usually costs much

less than secrecy to implement.

Regarding the security mo del, computational security is theoretically weaker

than information-theoretic or p erfect security. On the other hand, for many ap-

plications that use a p erfectly secure proto col, the cost of generating the needed

random bits is prohibitively high and the bits are generated by a computation-

ally secure pseudo random numb er generator. This makes the p erfectly secure

proto col vulnerable to adversaries with unlimited computing p ower.

The prop osed scheme has many practical applications in situations where

the participants and the access rules or the secret itself frequently change. No

new shares have to b e distributed secretly when new participants are included or

participants leave. Such situations often arise in key management, escrowed [7]

and fair [12] encryption systems, to name a few.

Consider, e.g., a high security area in a lab oratory or in a bank where em-

ployees and managers are not p ermitted during o -hours. Only groups of one

manager and at least two employees mayenter and a secret sharing scheme is

used to share the access co de. If, for example, a manager is red, he will disclose

his share. With our scheme, only the access co de and the bulletin b oard have

to b e up dated|the other managers and employees do not havetobegiven new

shares.

Another example is a group of frequently changing participants and alter-

nating size where always two thirds of the current group memb ers are needed to

invoke some action, for example to reconstruct a master key used for escrowing

keys of malicious users.

The pap er is organized as follows: The basic scheme is presented in Section 3

and extended for sharing multiple secrets in Section 4. On-line secret sharing is

then describ ed in Section 5.

2 Preliminaries

We rst need to formalize some asp ects of a secret sharing scheme. A secret

sharing scheme is a proto col b etween a set of participants P = fP ;:::;P g

1 n

and a dealer D , where D 62 P is assumed. The access structure 2 is a

family of subsets of fP ;:::;P g containing the sets of participants quali ed to

1 n

recover the secret. It is natural to require to b e monotone, that is, if X 2

0 0

and X X P, then X 2 .A minimal quali ed subset Y 2 is a set of

0 0 0

participants such that Y 62 for all Y Y; Y 6= Y . The basis of ,denoted 3

by , is the family of all minimal quali ed subsets. Note that uniquely

0 0

determines and vice versa.

For simplicity,we assume that the secret K is an element of a nite Ab elian

group G = with l =log jGj. G could b e the set of l -bit strings under

bitwise addition mo dulo 2.

A computational ly securesecret sharing scheme [10] is a proto col b etween D

and the memb ers of P to share a secret K , resp ective to an access structure

suchthat

a the dealer D transmits a share S secretly to participant P ,fori =1;:::;n,

i i

b all quali ed sets of participants X 2 can eciently compute K from their

set of shares fS jP 2 X g, and

i i

c every unquali ed subset of participants X 62 running any p olynomial-time

algorithm cannot determine K with non-negligible probability.

To make the de nition of security rigorous, wehave to resort to asymptotics

and consider the family of probability distributions of K indexed by the length

l of the secret. Under this de nition, for any unquali ed subset X 62 running

any algorithm A to recover K in time p olynomial in l , the output of A must b e

equal to the correct K only with probability less than l , for all constants c

and suitably chosen l>l .

We will make use of a one-way function on G, f : G ! G suchthatf xis

easy to compute for all x 2 G i.e. can b e computed in time p olynomial in l and

that it is computationally infeasible, for a given y 2 G, to nd an x 2 G such

that f x=y . The notion can b e made rigorous analogous to the de nition of

security.

Toachieve reasonable security, the security parameter l and thus the set of

p ossible secrets havetobechosen large enough. Today,many secure one-way

functions exist with typical l ranging from 64 to 128.

3 The Basic Scheme

Our proto col uses a publicly accessible lo cation where the dealer can put up

non-forgeable information that can b e accessed by all the participants. We will

refer to this lo cation as the bul letin board. Alternatively,ifcommunication and

storage were not to o exp ensive, the dealer could broadcast the information to

the participants instead of storing it centrally. Implicitly,such a bulletin b oard

is present in all existing secret sharing schemes and contains at least the number

of participants n and the access structure .

The basic proto col to share a secret K 2 G works as follows:

1. The dealer randomly cho oses n Elements S ;:::;S from G according to the

1 n

uniform distribution.

2. For all i =1;:::;n, the dealer transmits S over a secret channel to P .

i i 4

3. For each minimal quali ed subset X 2 , the dealer computes

T = K f S

X x

x:P 2X

and publishes T = fT jX 2 g on the bulletin b oard.

X 0

Addition and subtraction are p erformed in G.To recover the secret K , a quali ed

set of participants Y pro ceeds similarly:

1. The members of Y agree on a minimal quali ed subset X Y .

2. The members of X add their shares together to get V = S and

X x

x:P 2X

apply the one-way function f to the result V .

3. They fetch T from the bulletin b oard and compute K = T + f V .

X X X

One can easily verify the completeness of the proto col: every quali ed subset

X 2 can recover K .

Analyzing the security is only slightly more complicated: The relation b e-

tween K and the shares is given bythe j j equations

K = T + f V

X X

for all X 2 , where the V = S are all computed from di erent

0 X x

x:P 2X

S for any sets of shares. In the following, we denote by V the sum

x X

x:P 2X

set of participants X . An unquali ed subset U 62 cannot compute anyofthe

V ;X 2 directly. So the members of U cannot compute K by exploiting one

X 0

equation alone. However, they can link several equations through K or through

any V . Linking two equations via K , one obtains relations of the form

T T = f V f V

Y Z Y Z

with Y; Z 2 ,ofwhich the right sides are unknown to the memb ers of U .

Except for the unlikely case that V = V which can b e recognized on the

Y Z

bulletin b oard from T = T , this if of no use to them.

Y Z

0 00

Linking two equations via V with W \ U = ; and W [ U 2 , W [ U 2 ,

W 0 0

0 00 0 00

for U U , U U ,and U 6= U yields

1 1

0 00 0 00

f K T f K T =V V ;

W [U W [U U U

thus nothing what the members of U could not have computed by themselves.

ThesizeofT deserves some consideration. In general, T and the bulletin

b oard are of size O 2 . However, note that for almost all general the descrip-

tion of itself is of the same size. This do es not apply to threshold schemes

that can b e describ ed by a list of participants plus two parameters t; n and for

which T contains elements. But threshold schemes may b e more imp ortant

in theory than in practice: Re ecting on the way large companies and organi-

zations are structured hierarchically to day, it seems unlikely that a threshold

scheme with more than several thousands of memb ers will b e realized by them.

In case the size of the bulletin b oard is limited, the authenticityofT can also

b e guaranteed by a digital signature of T by the dealer. If T is large, then parts 5

of it could b e signed such that not the entire table has to b e read to validate a

single entry.

Only one member of T has to b e accessed to recover the secret. Therefore,

the bulletin b oard could b e implemented dynamically as a sever that broadcasts

the desired entry up on request, together with a signature.

The shares of the participants in X are the inputs to a computation that

ultimately yields K .For the basic scheme where one secret is shared once, the

shares do not havetobekept secret during this computation. However, in the

next two sections where additional capabilities of the scheme will b e intro duced,

the shares and the result of their addition havetobekept secret. We will then

assume that the participants can compute f V without revealing their shares.

The proto col also allows the dealer to change the secret after the shares have

b een distributed by mo difying T on the bulletin b oard.

4 Sharing Multiple Secrets

1 2 1 2

To share multiple secrets K ;K ;::: with di erent access structures ; ;:::

among the same set of participants P , the dealer distributes the shares S only

1 2

once but prepares T ; T ;::: for each secret. However, straightforward rep etition

of the basic scheme is not secure. Consider a set of participants X quali ed to

1 2 1 2

recover b oth K and K :Any group Y 2 can obtain K as

2 2 1 1

K = T + T + f V T ;

X Y X

1 1 1 1

+ f V and b ecause f V is the same for K + f V =T b ecause K = T

Y X X

Y X

2 h h

must not b e the same for di erent secrets. and K .So K T

To remedy this de ciency we replace f by a family F = ff g of one-way

functions so that di erentone-way functions are employed for di erent secrets.

h h

The following proto col is used to share m secrets K with access structures

for h =1;:::;m:

1. The dealer randomly cho oses n Elements S ;:::;S from G according to the

1 n

uniform distribution.

2. For all i =1;:::;n, the dealer transmits S over a secret channel to P .

i i

3. For each secret K to share with h =1;:::;m and for each minimal

quali ed subset X 2 , the dealer computes

h h

T = K f S

h x

x:P 2X

h h h

and publishes T = fT jX 2 g on the bulletin b oard.

h h

To recover some secret K , a set of participants Y 2 pro ceeds similarly:

1. The memb ers of Y agree on a minimal quali ed subset X Y .

2. The memb ers of X compute V = S and apply f to V .

X x h X

x:P 2X

h h h

3. They fetch T from the bulletin b oard and compute K = T + f V .

h X

X X 6

The scheme do es not demand a particular order for the reconstruction of the

secrets. The required family F of one-functions can easily b e obtained from f

by setting f x=f h + xwhenh is represented suitably in G.

Because a di erent one-way function f is used for each secret K , the in-

h h

formation T on the bulletin b oard corresp onding to K is computationally

0 0

h h 0

indep endent of the other T and K for h 6= h .Thus, the securityofthe

proto col is the same as for the basic proto col.

As noted ab ove, the shares have to b e protected from the eyes of other

participants during the reconstruction phase. Otherwise, these participants could

subsequently recover other secrets they are not allowed to know. We assume

therefore that the computation of f V is p erformed without revealing the set

h X

of inputs fS jP 2 X g.Possible ways of achieving this include the presence of

i i

a trusted device to p erform the computation or the use of a distributed circuit

evaluation proto col [8].

The proto col do es not imp ose any limitation on m except for jF j, the size of

the family of hash functions, suchthatanynumb er of secrets can b e distributed

via the bulletin b oard while the shares of the participants remain the same.

5 On-line Secret Sharing

In many situations, the participants of a secret sharing scheme do not remain

the same during the entire life-time of the secret. The access structure itself may

change, to o, if it is adapted to the new constellation of participants. In analogy

to the monotonicity of the access structure we will assume that the changes to

the access structure are monotone, i.e. participants are only added and quali ed

subsets remain quali ed.

We de ne a computational ly secure on-line secret sharing scheme to b e a

proto col b etween a dealer D and the memb ers of a sequence of sets of participants

P 0; P 1;::: with P t Pt + 1 for all t 0toshareasecret K , resp ective

to a sequence of access structures 0;1;::: with t t + 1 for all

t 0, such that

a the shares S for P 2P0 form a computationally secure secret sharing

i i

scheme for K resp ectiveto 0,

b at time t>0 the dealer D transmits a share S secretly to every participant

P 2Pt nPt 1,

c for all t 0, every quali ed set of participants X 2 t can eciently

compute K from their set of shares fS jP 2 X g,and

i i

d for all t 0, all unquali ed subsets of participants X 62 t running anypo-

lynomial-time algorithm cannot determine K with non-negligible probability.

The basic scheme from Section 3 satis es the ab ove de nition when the dealer

op erates step-by-step, distributing the shares to the new participants and up-

dating the bulletin b oard accordingly for every step. In particular, at step t> 0,

D cho oses a random S for every P 2Pt nPt 1 and publishes the T with

i i X 7

X 2 tandX 62 t 1. The previously issued shares are not invalidated

0 0

and no shares have to b e retransmitted.

The proto col of Section 4 to share multiple secrets can b e extended similarly

for on-line sharing of multiple secrets.

6 Extensions

The exibility and the simplicity of the proto cols allow many extensions to han-

dle additional situations. We brie y discuss removing participants as opp osed to

adding them in on-line schemes and the secrecy of the shares during reconstruc-

tion in multi-secret schemes.

If a participant P is removed or disenrolled at time t, he will publish his share

S ,eventually enabling an unquali ed set X 62 t to recover K if X [ S 2

i i

0 0

t for some t t if suchanX exists. But in contrast to traditional secret

sharing schemes, if a new secret is chosen to b e shared, the dealer needs only

up date the bulletin b oard and no information has to b e transmitted secretly.

The same situation arises if the sequence of access structures is allowed to b e

non-monotonic.

The prop osed multi-secret sharing proto cols are only secure if the members of

a quali ed set X do not disclose their shares when a secret K is reconstructed.

h 0

Otherwise, some schemes for K ;h 6= h could b e compromised. If the shares

cannot b e hidden to carry out this computation, the proto cols can b e mo di ed

as follows: Similar to Lamp ort's one-time user authentication scheme [11], S

N h

is replaced by f S for all i =1;:::;n in the h-th scheme N is a pre-

de ned constantandf x denotes h-fold rep eated application of f to x.

The secrets K ;h =1;:::;n havetoberecovered in increasing order. Thus,

h N h 0

after the reconstruction of K ,onlyvalues f S for h >hare needed

to reconstruct additional secrets, but these values cannot b e computed from

N h

f S if the one-way function is secure. The drawback is, apart from the

xed order of reconstruction, that N has to b e chosen in advance and p oses an

upp er limit on m,thenumb er of secrets that can b e distributed.

References

1. J. Benaloh and J. Leichter, Generalizedsecret sharing and monotone func-

tions,inAdvances in Cryptology | CRYPTO '88, S. Goldwasser, ed., vol. 403 of

Lecture Notes in Computer Science, Springer-Verlag, 1990, pp. 27{35.

2. B. Blakley, G. R. Blakley, A. H. Chan, and J. L. Massey, Threshold

schemes with disenrol lment, in Advances in Cryptology | CRYPTO '92, E. F.

Brickell, ed., vol. 740 of Lecture Notes in Computer Science, Springer-Verlag, 1993,

pp. 540{548.

3. C. Blundo, A. Cresti, A. De Santis, and U. Vaccaro, Ful ly dynamic secret

sharing schemes,inAdvances in Cryptology | CRYPTO '93, D. R. Stinson, ed.,

vol. 773 of Lecture Notes in Computer Science, Springer-Verlag, 1994, pp. 110{125. 8

4. C. Blundo, A. De Santis, G. Di Crescenzo, A. G. Gaggia, and U. Vac-

caro, Multi-secret sharing schemes,inAdvances in Cryptology | CRYPTO '94,

Y. G. Desmedt, ed., vol. 839 of Lecture Notes in Computer Science, Springer-

Verlag, 1994, pp. 150{163.

5. R. M. Capocelli, A. D. Santis, L. Gargano, and U. Vaccaro, On the size

of shares for secret sharing schemes, in Advances in Cryptology | CRYPTO

'91, J. Feigenbaum, ed., vol. 576 of Lecture Notes in Computer Science, Springer-

Verlag, 1992, pp. 101{113.

6. L. Csirmaz, The size of a sharemustbelarge, in Advances in Cryptology | EU-

ROCRYPT'94,A.DeSantis, ed., vol. 950 of Lecture Notes in Computer Science,

Springer-Verlag, 1995, pp. 13{22.

7. D. E. Denning and M. Smid, Key escrowing today, IEEE Communications Mag-

azine, 32 1994, pp. 58{68.

8. O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game

or a completeness theorem for protocols with honest majority, in Pro c. 19th ACM

Symp osium on Theory of Computing STOC, 1987, pp. 218{229.

9. M. Ito, A. Saito, and T. Nishizeki, Secret sharing scheme realizing general ac-

cess structure, in Pro ceedings of IEEE Glob ecom '87, 1987, pp. 99{102.

10. H. Krawczyk, Secret sharing made short, in Advances in Cryptology | CRYPTO

'93, D. R. Stinson, ed., vol. 773 of Lecture Notes in Computer Science, Springer-

Verlag, 1994, pp. 136{146.

11. L. Lamport, Password authentication with insecurecommunication, Comm.

ACM, 24 1981.

12. S. Micali, Fair public-key cryptosystems, in Advances in Cryptology | CRYPTO

'92, E. F. Brickell, ed., vol. 740 of Lecture Notes in Computer Science, Springer-

Verlag, 1993, pp. 113{138.

13. M. O. Rabin, Ecient dispersal of information for security, load balancing, and

fault tolerance, J. Asso c. Comput. Mach., 36 1989, pp. 335{348.

14. A. Shamir, How to shareasecret, Comm. ACM, 22 1979, pp. 612{613.

15. G. J. Simmons, An introductiontosharedsecret and/or sharedcontrol schemes

and their application, in Contemp orary Cryptology: The Science of Information

Integrity, G. J. Simmons, ed., IEEE Press, 1991, pp. 441{497.

16. D. R. Stinson, An explication of secret sharing schemes, Designs, Co des and Cryp-

tography, 2 1992, pp. 357{390. 9