
http://www.paper.edu.cn

Journal of Information & Computational Science 1: 2 (2004) 259-262
Available at http://www.joics.com

Simple Secret Sharing and Threshold RSA Signature Schemes

Shaohua Tang*
School of Computer Science and Engineering, South China University of Technology, Guangzhou 510640, China

Received 14 May 2004; revised 5 November 2004

Abstract

A new secret sharing scheme and a new threshold RSA signature scheme are presented. The secret sharing scheme is characterized by fast computation as well as simple and secure operations, since only simple addition and union operations are adopted in this algorithm. The secret is divided into $N$ pieces, and each piece is delivered to a different participant. Any $K$ or more participants out of $N$ can reconstruct the secret, but any $(M-1)$ or fewer participants would fail to recover the secret, where $M = \lceil N/(N-K+1) \rceil$. This secret sharing scheme is applied to digital signatures to construct a new threshold RSA signature. Each participant calculates a partial signature for the message by using its own piece of shadow. Any $K$ or more participants out of $N$ can combine their partial signatures to form a complete signature for the message, but any $(M-1)$ or fewer participants would fail to calculate the complete signature. During the phases of partial signature generation and partial signature combination, the RSA private key is never reconstructed and each participant's partial secret (shadow) need not be exposed to others, thus the secret of the RSA private key will not be exposed. Both schemes possess the security of threshold cryptography.

Keywords: Secret sharing; Threshold signature; Threshold cryptography; RSA

1 Introduction

Secret sharing schemes were introduced by Blakley [2] and Shamir [6]. Other famous secret sharing schemes include Asmuth-Bloom's scheme [1], Karnin-Greene-Hellman's scheme [5], etc.
However, it is known that the mathematical operations invoked in all these algorithms are relatively complex.

This work is supported by the National Natural Science Foundation of China (No. 60273064 and No. 69802006), and by the Projects of Guangdong Government Science and Technology Program, and by the Projects of Guangzhou Government Science and Technology Program.
* Corresponding author. Email address: [email protected] (Shaohua Tang).
1548-7741/ Copyright © 2004 Binary Information Press, December 2004

The most attractive feature of a threshold signature is that the private key is never reconstructed, yet the signature can still be calculated. Some schemes realize this feature, but almost all related works adopt complex algorithms or narrow the range from which the parameters can be chosen. For example, Frankel's scheme [4] brings complexity of algorithm design and security proof. Shoup's scheme [7] brings hardness of computation to the combiner. One may think of designing a threshold RSA signature based on the classical Shamir secret sharing scheme; however, as Desmedt and Frankel briefly addressed in [3], there are some technical obstructions to doing this.

We propose a new secret sharing scheme and a new threshold RSA signature scheme in this paper. The mathematical theory adopted by our secret sharing scheme is the union operation in set theory and the addition operation in arithmetic. The threshold RSA algorithm is designed based on our secret sharing scheme. Since the principle and the operations invoked by our schemes are extremely simple, we call them "simple" schemes. They possess the following features:
(1) They are easy to implement.
(2) They ensure fast computation, because only simple addition and union operations are adopted in the secret sharing algorithm, which also ensures the fast computation of the threshold RSA signature.
(3) They require no strict preconditions and can apply to almost all circumstances requiring secret sharing or threshold signature.
(4) They are secure. Though the schemes are simple, they still possess the security of threshold cryptography.

2 Simple Secret Sharing Scheme

Suppose $F$ is a field. $K$ and $N$ are positive integers, and $K \le N$. There are $N$ participants, which are denoted by $P_0, P_1, \ldots, P_{N-1}$. Suppose $d$ is the secret data, $d \in F$. We are going to divide the secret $d$ into $N$ pieces (each piece is called a shadow), and to distribute the shadows to the $N$ different participants. Any $K$ or more participants out of $N$ can reconstruct $d$, but any $(M-1)$ or fewer participants cannot recover the secret $d$, where $M = \lceil N/(N-K+1) \rceil$ and $\lceil x \rceil$ denotes the smallest integer greater than or equal to $x$.

The secret sharing scheme consists of the shadow generation stage, the shadow distribution stage, and the secret reconstruction stage.

Shadow generation stage. For $d \in F$, randomly select $d_0, d_1, \ldots, d_{N-2} \in F$, then compute $d_{N-1} = d - \sum_{i=0}^{N-2} d_i$. We define $I = \{0, 1, \ldots, N-1\}$, $D = \{d_0, d_1, \ldots, d_{N-1}\}$, and $A = \{(0, d_0), (1, d_1), \ldots, (N-1, d_{N-1})\}$. For $j = 0, 1, \ldots, N-1$, we define $I_j = \{i \bmod N \mid j \le i \le N-K+j\}$, $D_j = \{d_{i \bmod N} \mid j \le i \le N-K+j\}$, and $A_j = \{(i \bmod N, d_{i \bmod N}) \mid j \le i \le N-K+j\}$.

Shadow distribution stage. After the calculation of all $A_j$ $(j = 0, 1, \ldots, N-1)$, each $A_j$ is delivered to the $j$-th participant, i.e., $A_j$ is delivered to the participant $P_j$.

Reconstructing the secret $d$. Any $K$ (or more) participants out of $N$ can reconstruct the secret $d$. Any one among the $K$ selected participants can act as a combiner to find $(0, d_0), (1, d_1), \ldots, (N-1, d_{N-1})$ from the presented $A_j$. Let $d = \sum_{i=0}^{N-1} d_i$, which is the solution. This conclusion follows from Proposition 1 below.

Proposition 1. The union of $A_j$ of any $K$ (or more) participants out of $N$ can cover $A$.
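The three stages above as an added Python example (not code from the paper): it assumes $F$ is the prime field GF($2^{61}-1$) and uses hypothetical function names, and it checks exhaustively that every group of $K$ participants reconstructs $d$ while no group of $M-1$ can.

```python
import secrets
from itertools import combinations

P = 2**61 - 1  # assumption: F = GF(P); the paper only requires a field

def generate_shadows(d, N, K, p=P):
    """Shadow generation: split d into N addends, then build every A_j."""
    parts = [secrets.randbelow(p) for _ in range(N - 1)]
    parts.append((d - sum(parts)) % p)      # d_{N-1} = d - (d_0 + ... + d_{N-2})
    # A_j = {(i mod N, d_{i mod N}) | j <= i <= N-K+j}, kept as {index: piece}
    return [{i % N: parts[i % N] for i in range(j, N - K + j + 1)}
            for j in range(N)]

def reconstruct(shadows, N, p=P):
    """Union the presented A_j; return d if the union covers A, else None."""
    union = {}
    for a_j in shadows:
        union.update(a_j)
    if len(union) < N:                      # some (i, d_i) is still missing
        return None
    return sum(union.values()) % p

def smallest_covering_group(N, K):
    """Fewest participants whose index sets I_j together cover I."""
    index_sets = [{i % N for i in range(j, N - K + j + 1)} for j in range(N)]
    for size in range(1, N + 1):
        for group in combinations(index_sets, size):
            if len(set().union(*group)) == N:
                return size

def check_thresholds(d, N, K):
    """Exhaustively test both guarantees for one constructed (K, N) instance."""
    shadows = generate_shadows(d, N, K)
    M = -(-N // (N - K + 1))                # ceil(N / (N - K + 1))
    every_k_recovers = all(reconstruct(g, N) == d
                           for g in combinations(shadows, K))
    none_below_m = all(reconstruct(g, N) is None
                       for g in combinations(shadows, M - 1))
    return every_k_recovers, none_below_m, M, smallest_covering_group(N, K)

if __name__ == "__main__":
    print(check_thresholds(123456789, N=7, K=5))   # constructed secret
```

For $N = 7$, $K = 5$ the smallest covering group has $M = 3$ members, so some groups of size between $M$ and $K-1$ also reconstruct $d$; failure is guaranteed only below $M$.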
Security analysis.

Proposition 2. The union of $D_j$ from any $(M-1)$ participants cannot cover $D$, and the union of $A_j$ from any $(M-1)$ participants cannot cover $A$, where $M = \lceil N/(N-K+1) \rceil$.

From Proposition 2 we know that, if the number of participants being attacked is less than $M$, then the secret $d$ will not be exposed. Similarly, if the number of conspirators among the original participants is less than $M$, then they cannot derive the secret $d$.

Performance analysis. The computation overhead is $O(N)$ addition operations. Addition is simple and only basic arithmetic is involved, thus fast calculation is ensured.

3 Simple Threshold RSA Signature

The simple secret sharing scheme can be applied to digital signatures to construct a new threshold RSA signature, which consists of five stages: the initial stage, the shadow generation stage, the shadow distribution stage, the stage of partial signature generation, and the stage of partial signature combination.

Initial stage. Parameters for the RSA cryptosystem are generated during the initial stage. Randomly select two large primes $p$ and $q$, and let $n = p \times q$ be the public parameter. Compute $\varphi(n) = (p-1) \times (q-1)$. Randomly choose an integer $e$ with $0 < e < \varphi(n)$ and $\gcd(e, \varphi(n)) = 1$, then compute $d = e^{-1} \pmod{\varphi(n)}$. The private key consists of $\{d, n\}$ and the public key consists of $\{e, n\}$. Suppose $h()$ is a one-way hash function, and $m \in Z_n$ is the message to be signed.

Shadow generation stage. Suppose $K$ and $N$ are positive integers, and $K \le N$. There are $N$ participants, which are denoted by $P_0, P_1, \ldots, P_{N-1}$. Randomly select $d_0, d_1, \ldots, d_{N-2} \in Z_{\varphi(n)}$, then compute $d_{N-1} = d - \sum_{i=0}^{N-2} d_i$. We define $A$ and $A_j$ $(j = 0, 1, \ldots, N-1)$ as described in the shadow generation stage of Section 2.
Shadow distribution stage. After the calculation of all $A_j$ $(j = 0, 1, \ldots, N-1)$, each $A_j$ is delivered to the $j$-th participant, i.e., $A_j$ is delivered to the participant $P_j$.

The stage of partial signature generation. We can now design the steps for the generation of partial signatures according to Proposition 1.

Step 1. Randomly select $K$ participants whose shadows are not damaged. Without loss of generality, suppose $P_1, P_2, \ldots, P_K$ are the ones being chosen. Any one among these $K$ selected participants can act as a combiner, e.g., $P_1$ can act as the combiner.

Step 2. The combiner needs to maintain a partial signature set ($PSS$), and each element of $PSS$ is of the form $(i, c_i)$, where $0 \le i \le N-1$ and $c_i$ is the partial signature to be calculated by the selected participants. The initial status of $PSS$ is the empty set, i.e., initially, $PSS = \emptyset$.

Step 3. Each selected $P_j$ $(j = 1, 2, \ldots, K)$ sequentially fetches $(i, d_i) \in A_j$ and checks whether there exists an element $(a, b) \in PSS$ such that $i = a$. If $i \ne a$ for all $(a, b) \in PSS$, then $P_j$ computes $c_i \equiv (h(m))^{d_i} \pmod{n}$ and delivers $(i, c_i)$ to the combiner. The combiner lets $PSS = PSS \cup \{(i, c_i)\}$. Step 3 continues until the $PSS$ reaches its final status, i.e., until $PSS = \{(i, c_i) \mid i = 0, 1, \ldots, N-1\}$.

The stage of partial signature combination. After the $PSS$ reaches its final status $\{(i, c_i) \mid i = 0, 1, \ldots, N-1\}$, the combiner calculates $c = \prod_{i=0}^{N-1} c_i \pmod{n}$, which is the complete signature for the message $m$.
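The five stages of Section 3 as an added Python example (not code from the paper). The toy key built from two Mersenne primes, SHA-256 as $h()$, the reduction of $d_{N-1}$ modulo $\varphi(n)$, the final check $c^e \equiv h(m) \pmod{n}$ and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy key (assumption): Mersenne primes are used only so the
# example is self-contained; real RSA primes are random and much larger.
p, q = 2**89 - 1, 2**107 - 1
n, phi = p * q, (p - 1) * (q - 1)
e = 65537
d = pow(e, -1, phi)                      # d = e^{-1} mod phi(n)

def h(m):
    """One-way hash h() mapped into Z_n (SHA-256 is an assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def make_shadows(N, K):
    """Additive split of d; P_j receives A_j as {i: d_i}."""
    parts = [secrets.randbelow(phi) for _ in range(N - 1)]
    # Assumption: d_{N-1} is reduced mod phi(n) so it stays in Z_phi(n).
    parts.append((d - sum(parts)) % phi)
    return [{i % N: parts[i % N] for i in range(j, N - K + j + 1)}
            for j in range(N)]

def threshold_sign(m, selected, N):
    """Steps 2-3 plus combination; d itself is never rebuilt."""
    pss = {}                             # partial signature set: i -> c_i
    for a_j in selected:                 # each selected participant P_j
        for i, d_i in a_j.items():
            if i not in pss:             # index i not yet signed
                pss[i] = pow(h(m), d_i, n)   # c_i = h(m)^{d_i} mod n
    if len(pss) < N:
        raise ValueError("selected shadows do not cover all N key pieces")
    c = 1
    for c_i in pss.values():             # c = prod c_i mod n
        c = c * c_i % n
    return c

def verify(m, c):
    """Standard RSA check with the public key {e, n}."""
    return pow(c, e, n) == h(m)

if __name__ == "__main__":
    shadows = make_shadows(N=5, K=3)
    sig = threshold_sign(b"constructed message", shadows[1:4], N=5)
    print(verify(b"constructed message", sig))
```

The combined value equals the ordinary RSA signature $h(m)^d \bmod n$ because the exponents $d_i$ sum to $d$ modulo $\varphi(n)$.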