Threshold secret sharing is concerned with the splitting of a secret into
Information security has been a major concern in communication technology over the past years. The main concern has been how to keep information confidential, authenticated, and protected from alteration before it reaches the receiver. Cryptography is part of the answer to these concerns [
Threshold secret sharing is a method of splitting a secret
Shamir introduced a (
Tompa and Woll exposed the weakness of Shamir’s scheme by introducing a cheating concept [
Apart from cheating detection, there are schemes that identify cheaters in [
To achieve cheating prevention, users are given a share of the secret plus additional information, which is used for cheating detection. This makes share size
Linear secret sharing schemes have been studied because of their application in multiparty computation and function sharing [
This paper proposes a new linear (
SP1: provide security of the secret.
SP2: provide recoverability of the secret once shared.
SP3: provide privacy of the secret and shares.
SP4: provide cheating detection feasibility not only for one cheater but also
The computation overhead (CO) goal of PBLS is CO: reduce the number of polynomials used, so that the computational overhead is lower than in Liu et al.’s scheme.
To achieve these goals, PBLS uses the ElGamal cryptosystem and Shamir’s scheme as core operations. The ElGamal cryptosystem is used to design a basic scheme, which is the initialization of PBLS. The basic scheme hides the secret during the share generation phase; the secret can be revealed during cheating detection. PBLS applies Shamir’s secret sharing scheme to share the secret, which uses the polynomial
This section provides some basic mathematical and cryptographic concepts, which are the major tools in secret sharing schemes, and reviews related work. First, the definition of a finite field is provided together with some of its properties [
This section gives an overview of some mathematical concepts that are useful in secret sharing, such as finite fields, polynomials, and Lagrange interpolation. For more details on finite fields, refer to [
A finite field
Associative: for all
Commutative: for all
Existence of identity: there exists elements
Existence of inverse: for every element
Distributive: for all
Note that an element -
Let
Let
Let
Let
Given a nonzero polynomial
Let
An element
A polynomial
This is a method of reconstructing a polynomial from given known points. The polynomial constructed by Lagrange interpolation is called the Lagrange interpolation polynomial, and it is unique. To reconstruct a polynomial of degree
Let
Let
We adopt the proof by Slinko [
The ElGamal cryptosystem belongs to the family of public key cryptosystems [
Given a finite field
The ElGamal cryptosystem consists of three algorithms: key generation, encryption, and decryption. We assume Alice and Bob want to communicate over an insecure channel. They have to generate a public and private key pair for encryption and decryption as follows.
Generate a large prime
Select a random integer
Compute
The public key for Bob is (
When Alice wants to send a message
Encode the message
Select a random exponent
Compute
The encrypted message sent to Bob is a pair (
Once Bob receives the message, he uses his private key to decrypt it in the following way:
Compute
Compute
The element
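The three ElGamal algorithms just described, worked through in Python as an added example that is not part of the original paper. The toy prime p = 1019 (a safe prime with generator 2), the private exponent 7 and the ephemeral exponent 5 are chosen here for illustration only; the function names are the example's own. The last function shows the caveat a practitioner should know: if the ephemeral exponent is reused, the ratio of two plaintexts leaks without the private key.

```python
"""ElGamal over GF(p): key generation, encryption, decryption.
Added example; p = 1019 is an assumed toy safe prime (2*509+1), not from the paper."""
import secrets

P = 1019  # assumed toy modulus; real deployments use ~2048-bit p or elliptic curves
G = 2     # generator of GF(1019)*: 2 is a quadratic non-residue since 1019 = 3 (mod 8)


def keygen(p=P, g=G, a=None):
    """Bob: private exponent a in [1, p-2]; public key (p, g, beta = g^a mod p)."""
    if a is None:
        a = 1 + secrets.randbelow(p - 2)
    return a, (p, g, pow(g, a, p))


def encrypt(pub, m, k=None):
    """Alice: ephemeral k, ciphertext (g^k, m * beta^k) mod p. m must be in GF(p)*."""
    p, g, beta = pub
    if not 1 <= m < p:
        raise ValueError("message must be encoded as an element of GF(p)*")
    if k is None:
        k = 1 + secrets.randbelow(p - 2)
    return pow(g, k, p), m * pow(beta, k, p) % p


def decrypt(priv, pub, ct):
    """Bob: recompute the mask beta^k = (g^k)^a, then m = c2 * mask^(-1) mod p.
    The inverse is taken with Fermat's little theorem since p is prime."""
    p, _, _ = pub
    c1, c2 = ct
    mask = pow(c1, priv, p)
    return c2 * pow(mask, p - 2, p) % p


def ratio_of_plaintexts(ct1, ct2, p=P):
    """Caveat: two ciphertexts made with the same k share the same c1 and the same
    mask, so an eavesdropper gets m1/m2 = c2/c2' without knowing the private key."""
    (c1a, c2a), (c1b, c2b) = ct1, ct2
    if c1a != c1b:
        raise ValueError("only applies when the ephemeral exponent was reused")
    return c2a * pow(c2b, p - 2, p) % p


if __name__ == "__main__":
    a, pub = keygen(a=7)            # fixed private key for a reproducible run
    ct = encrypt(pub, 123, k=5)     # fixed ephemeral exponent, for illustration only
    print("public key:", pub, "ciphertext:", ct, "decrypted:", decrypt(a, pub, ct))
```

Running it shows that decryption inverts encryption; in practice k must be fresh and uniformly random for every message, which is why `encrypt` draws it from `secrets` when no value is forced.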
This section reviews linear secret sharing schemes, access structure of secret sharing schemes, and some previous schemes like Shamir’s and Liu et al.’s schemes [
Linear (
A (
According to Definition
Assume that
Let 2
If a subset is in the access structure, all sets that contain that subset should also form part of the access structure. Let
The condition in Equation (
Let Γ
For example, if
Shamir proposed a (
Share size is exactly equal to the secret size.
If a new player joins or leaves, shares can easily be added or deleted without affecting the other shares.
The shares of the same secret can easily be changed just by changing the polynomial, without breaching security.
However, Tompa and Woll discovered that the scheme cannot withstand cheating if there is an untrusted user during secret reconstruction [
Any malicious user can present a forged share without being noticed.
It is difficult to detect that the reconstructed secret is invalid.
A malicious user who succeeds in cheating the other users is able to reconstruct the valid secret.
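Both the Lagrange interpolation described earlier and Shamir's scheme with the Tompa and Woll attack above, as an added example in Python that is not part of the original paper. The prime p = 23, the (4, 6) threshold, the polynomial coefficients and the cheater's offset are chosen here for illustration; the function names are the example's own. The last function reproduces the attack: a forged share changes the reconstructed value by a predictable amount, the honest users see a valid-looking field element, and the cheater alone corrects the result back to the true secret.

```python
"""Shamir (t, n) sharing over GF(p) via Lagrange interpolation, plus a
Tompa-Woll forged-share experiment. Added example; p = 23 is an assumed toy prime."""
import secrets

P = 23  # assumed small prime so the arithmetic can be followed by hand


def inv(a, p=P):
    """Multiplicative inverse in GF(p) by Fermat's little theorem (p prime)."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(p)")
    return pow(a, p - 2, p)


def eval_poly(coeffs, x, p=P):
    """Horner evaluation of f(x) = coeffs[0] + coeffs[1]*x + ... over GF(p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def make_shares(secret, t, n, p=P, coeffs=None):
    """Dealer: random polynomial of degree t-1 with f(0) = secret; share i is (i, f(i)).
    `coeffs` fixes the t-1 random coefficients so the example is reproducible."""
    if not 0 <= secret < p or not 1 <= t <= n < p:
        raise ValueError("need 0 <= secret < p and 1 <= t <= n < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    poly = [secret % p] + list(coeffs)
    return [(i, eval_poly(poly, i, p)) for i in range(1, n + 1)]


def lagrange_interpolate(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through the points."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        total = (total + yj * num * inv(den, p)) % p
    return total


def reconstruct(shares, t, p=P):
    """Combiner: any t shares with distinct indices determine f, and f(0) is the secret."""
    if len(shares) < t:
        raise ValueError("not enough shares")
    pts = shares[:t]
    if len({x for x, _ in pts}) != len(pts):
        raise ValueError("duplicate share indices")
    return lagrange_interpolate(pts, 0, p)


def tompa_woll_cheat(shares, t, cheater_idx, delta, p=P):
    """One participant submits y + delta instead of y. Plain Shamir reconstruction
    still returns a field element, so honest users cannot tell it is wrong. The
    cheater knows delta and the Lagrange coefficient of its own index at x = 0,
    so it subtracts delta * lambda and recovers the true secret alone."""
    pts = list(shares[:t])
    x_c, y_c = pts[cheater_idx]
    pts[cheater_idx] = (x_c, (y_c + delta) % p)
    wrong = lagrange_interpolate(pts, 0, p)
    lam = 1
    for xm, _ in pts:
        if xm != x_c:
            lam = lam * (0 - xm) % p * inv(x_c - xm, p) % p
    recovered_by_cheater = (wrong - delta * lam) % p
    return wrong, recovered_by_cheater


if __name__ == "__main__":
    shares = make_shares(12, 4, 6, coeffs=[3, 5, 7])  # fixed coefficients, illustration only
    print("shares:", shares)
    print("honest reconstruction:", reconstruct(shares, 4))
    print("(wrong value seen by honest users, value recovered by cheater):",
          tompa_woll_cheat(shares, 4, cheater_idx=0, delta=9))
```

The experiment makes the weakness concrete: nothing in the combiner's output distinguishes the forged run from an honest one, which is exactly the gap that cheating detection schemes fill.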
Cheating prevention in secret sharing became a major concern after Tompa and Woll introduced the cheating concept. As a result, many schemes with cheating prevention have been proposed; some detect cheating, others identify cheaters, and so on. The main categories of cheating prevention are as follows.
Cheating detection: schemes provide a method to detect any forged share submitted for secret reconstruction by a malicious user [
Cheater identification: schemes provide a method to detect and identify any forged share presented for secret reconstruction by a malicious user [
Robust secret sharing: schemes assume the dealer is trusted and can reconstruct the correct secret even if a number of forged shares are presented by untrusted users [
Verifiable secret sharing: schemes assume that the dealer is not trusted. Each user verifies the validity of the shares using a verification algorithm before reconstruction [
Liu et al. proposed a linear threshold secret sharing scheme, which is capable of cheating detection with share size
Liu et al.’s scheme adopts Shamir’s scheme to share the secret, so most of its properties are the same as those of Shamir’s scheme. However, it has some properties that Shamir’s scheme does not have, including the following.
Share size given to each user is equal to or greater than the secret size, i.e.,
Cheating is detected whenever a forged share is presented during reconstruction.
However, the scheme uses two polynomials to achieve cheating detection, which doubles the number of computations compared to Shamir’s scheme.
This section proposes a new linear (
Basic scheme and PBLS adopt their properties from the existing schemes of ElGamal and Shamir. This makes the security of basic scheme and PBLS similar to the security of Shamir’s scheme and the ElGamal cryptosystem.
Basic scheme adopts its properties from ElGamal cryptosystem, which uses finite field elements to hide information [
Security of ElGamal cryptosystem depends on the hardness of FFDLP. Therefore, basic scheme adopts the same security as ElGamal cryptosystem. Propositions
The integer
The following are the properties of basic scheme.
Let
Since elements
By Corollary
This implies that
But
Let
By Proposition
Knowledge of
Note that although basic scheme is derived from the ElGamal cryptosystem, it differs from it in one respect: basic scheme uses no exponentiation. Hiding and revealing each cost a single field multiplication (plus one inversion) instead of the modular exponentiations of ElGamal, which is what makes basic scheme cheap. A caveat follows from this: without exponentiation, the hidden value is protected by the secrecy of the masking field element rather than by the hardness of FFDLP, so that element must be kept as private as the secret itself.
Any secret sharing scheme should be secure from malicious users by denying them the opportunity to obtain the secret when the required number of users is not reached. At the same time, the secret should be able to be reconstructed after sharing. PBLS adopts its properties from Shamir’s secret sharing scheme, which shares a secret to
Let
Let
Since Shamir’s scheme is linear that is
Let
Any secret sharing scheme that prevents cheating must give each participant a share whose size is at least the size of the secret plus log 1/
Let
Any secret sharing scheme has a collection of qualified user groups, called the access structure, which are allowed to reconstruct the secret, based on Definitions
Let
The scheme uses Lagrange interpolation to come up with a polynomial
PBLS is composed of basic scheme and Shamir’s scheme. However, PBLS does not use exponentiation, which reduces its computation cost. Figure
Adoption of ElGamal cryptosystem and Shamir’s scheme in PBLS.
In any cryptographic application, an attacker
To recover the valid secret while the honest users are unable to detect cheating [
To recover the secret while the honest users are able to detect cheating [
Cheaters are assumed to behave under one of two assumptions, OKS and CDV, as discussed in [
Cheating is successful when the cheaters manage to reconstruct the valid secret while the honest users fail to detect that cheating has taken place. PBLS makes sure that
This subsection proposes basic scheme and PBLS. Basic scheme has two algorithms, secret hiding and secret revealing: the secret is hidden by a field element in the secret hiding algorithm and revealed using the multiplicative inverse of that element in the secret revealing algorithm. PBLS has three algorithms: share generation, secret reconstruction, and cheating detection.
This subsection proposes basic scheme, which is the basis for constructing PBLS proposed in Section
Algorithm
Choose a random element
Compute
Output element
Figure
The element
Secret hiding in basic scheme.
Algorithm
Compute multiplicative inverse
Compute
Output
Figure
Secret revealing in basic scheme.
Basic scheme requires
Let
The secret 12 is hidden as 15. It is difficult for an adversary
Note that in practice,
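The secret hiding and secret revealing algorithms of basic scheme, worked through in Python as an added example that is not part of the original paper. The modulus p = 23 is an assumption: it is the prime above 20 for which 15 · 20 ≡ 1, matching the inverse pair (15, 20) of the paper's worked example, and under that assumption 7 is the unique masking element taking the secret 12 to 15. Function names are the example's own. The last function checks the caveat a practitioner should know about multiplicative masking: a nonzero secret is hidden perfectly, but a zero secret is not hidden at all.

```python
"""Basic scheme: hide a secret by multiplying it with a random nonzero field
element, reveal it with the element's multiplicative inverse.
Added example; p = 23 is assumed (15 * 20 = 1 in GF(23))."""
import secrets

P = 23  # assumed prime modulus; primality guarantees every nonzero element is invertible


def inverse(a, p=P):
    """Multiplicative inverse in GF(p) by the extended Euclidean algorithm."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, s0, s1 = p, a, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % p


def hide(secret, p=P, r=None):
    """Secret hiding: choose a random r in GF(p)*, output (r, h = r * secret mod p).
    r is the value that must stay private; it is returned so the caller can keep it."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an element of GF(p)")
    if r is None:
        r = 1 + secrets.randbelow(p - 1)
    if not 1 <= r < p:
        raise ValueError("masking element must be a nonzero field element")
    return r, r * secret % p


def reveal(hidden, r, p=P):
    """Secret revealing: multiply the hidden value by r^(-1)."""
    return hidden * inverse(r, p) % p


def hidden_value_distribution(secret, p=P):
    """Caveat check: count how often each hidden value h occurs as r ranges over GF(p)*.
    For a nonzero secret every nonzero h appears exactly once, so h alone carries no
    information about the secret (the mask acts as a one-time pad in GF(p)*).
    For secret 0, h is always 0: a zero secret is not hidden at all."""
    hist = {}
    for r in range(1, p):
        _, h = hide(secret, p, r)
        hist[h] = hist.get(h, 0) + 1
    return hist


if __name__ == "__main__":
    r, h = hide(12, r=7)  # r fixed to 7 only to reproduce the paper's numbers
    print("hidden:", h, "inverse of hidden value:", inverse(h), "revealed:", reveal(h, r))
    print("distinct hidden values for secret 12:", len(hidden_value_distribution(12)))
    print("hidden values for secret 0:", hidden_value_distribution(0))
```

In a real deployment `r` is drawn fresh from `secrets` for each secret; the distribution check is the argument for why that suffices for nonzero secrets, and why a scheme built on this masking must exclude, or separately encode, the zero secret.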
In this subsection, a linear (
such that
Figure
Users cannot obtain information of the secret
Share generation in PBLS.
Secret reconstruction in PBLS.
By Theorem
Let
We use Algorithm
We also compute a multiplicative inverse of
Let the random polynomial be
The shares given to users are
Each user also receives 20, the multiplicative inverse of 15
When the secret is required, any 4 users send their shares to
Therefore, the polynomial
The polynomial
Multiplying 11 by 20 gives 12, which is not equal to 7. The cheating is therefore detected by the cheating detection algorithm of PBLS.
This section provides the analysis of basic scheme and PBLS in terms of security and privacy with required features and computational overhead. We also compare the security, privacy, and computations in PBLS to Shamir’s scheme and Liu et al.’s scheme [
This subsection analyzes the security and privacy of PBLS and proves that the required features for secret sharing schemes are achieved. We show that PBLS achieves the following properties.
SP1: the secret is not known to all users and adversary
SP2: the secret can be reconstructed once it is shared to
SP3: fewer than the required number of users cannot reconstruct the secret.
SP4: this is based on the OKS assumption, which guarantees that no cheating can succeed in PBLS.
First, we show that basic scheme is secure based on the security of
Proposition
Let
We showed in Proposition
However, we also need to show that the secret cannot be revealed by
Let
By Proposition
The security of a secret sharing scheme depends on the private distribution of shares, so that no user knows the shares of the other users. Therefore, each user has to receive its share from the dealer over a private channel. It is assumed that users do not communicate about their shares unless they collaborate to cheat. Once the secret is divided, the shares reveal no information about the secret; as a result, users have no information about the secret, as assumed by OKS. In addition, shares are delivered privately, so a user cannot know the share of any other user. Lemma
Any secret share given to a participant in PBLS does not reveal the secret
In share generation, PBLS uses Shamir’s method to share the secret, which uses the polynomial
Lemma
Let
Secret reconstruction in PBLS is done by interpolating the polynomial
By Theorem
Therefore, the two polynomials in Equations (
If
Let
We need to show that
Equations (
But it is impossible to solve such equations unless the
During secret reconstruction,
Let
Once fake shares are submitted to the combiner, the combiner uses Lagrange interpolation to compute a polynomial
PBLS achieves the share size of
PBLS described in Section
Since
For successful cheating, an adversary
Since every user receives
So
From Equations (
This implies that
From Equation (
Suppose an honest participant
Since is a polynomial
Propositions
We now compare the security and properties of PBLS with Shamir’s scheme and Liu et al.’s scheme. Table
Comparison of required properties for the schemes.
Scheme | SP1 | SP2 | SP3 | SP4 | CO
---|---|---|---|---|---
Shamir’s scheme | √ | √ | √ | X | 1
Liu et al.’s scheme | √ | √ | √ | √ | 2
PBLS | √ | √ | √ | √ | 1
√: the property exists; X: the property does not exist.
Table
In this subsection, we analyze the computation overhead of PBLS and compare it with Shamir’s scheme and Liu et al.’s scheme. Three operations are counted: modulo addition (add), modulo multiplication (mul), and modulo inverse (inv). The analysis considers both algorithms. However, Algorithm
In PBLS, a share is computed from a polynomial
Computations in share generation of PBLS.
Share generation
Operation | mul | add | inv | Total
---|---|---|---|---
Number of operations | | | - |
The aim of secret reconstruction is to recover the secret, which is done using Lagrange interpolation. A polynomial is interpolated using
To compute each
Computations in secret reconstruction of PBLS.
Secret reconstruction
Operation | mul | add | inv | Total
---|---|---|---|---
Number of operations | | | | (
Now, we compare the computation overhead of PBLS with Shamir’s scheme and Liu et al.’s scheme, following the counting method of Section
Computation overhead of related schemes.
Share generation
Scheme | mul | add | inv | Total
---|---|---|---|---
Liu et al.’s scheme | 2 | 2 | - | 2
Shamir’s scheme | | | |
PBLS | | | |

Secret reconstruction
Scheme | mul | add | inv | Total
---|---|---|---|---
Liu et al.’s scheme | 2( | 2 | 2 | 2(
Shamir’s scheme | | | | (
PBLS | | | | (
Results in Table
In secret reconstruction, the computation overhead of PBLS is higher than that of Shamir’s scheme by 1 mul. This is due to the cheating detection step of PBLS, which costs 1 mul and has no counterpart in Shamir’s scheme. However, the results show that the computation overhead of Liu et al.’s scheme at secret reconstruction is still double that of PBLS. Therefore, PBLS is more efficient than Liu et al.’s scheme in terms of computation overhead.
In this paper, we proposed a new linear (
First, we derived the features that secret sharing schemes should satisfy by reviewing and analyzing previous schemes such as Shamir’s and Liu et al.’s. The required features are security, recoverability of the secret, privacy of the secret, detection of forged shares presented for reconstruction of the secret, and the share size given to each user. We also reviewed some basic mathematical and cryptographic concepts that assisted in designing methods for cheating detection, such as finite fields and the ElGamal cryptosystem.
Based on these required features, basic scheme and PBLS were designed. Basic scheme hides the secret and is the initialization of PBLS; the secret is revealed during cheating detection. This follows the idea of ElGamal, whose cryptosystem hides a message using field elements. PBLS applies Shamir’s secret sharing scheme to share the secret. Polynomial
After the design of PBLS, its analysis was presented in two parts: a security and privacy analysis with respect to the required features, and a computational overhead analysis. The security and privacy of PBLS were found to be similar to those of Liu et al.’s scheme, whereas Shamir’s scheme proved to be weak against cheating. Cheating detection is attained in both PBLS and Liu et al.’s scheme, even though PBLS uses only one polynomial. The other required features, such as recoverability, were also found to be similar to Liu et al.’s scheme. The computational analysis showed that the number of operations in PBLS is almost equal to that of Shamir’s scheme, which is half that of Liu et al.’s scheme. PBLS is therefore more efficient than Liu et al.’s scheme and more secure than Shamir’s scheme.
No data were used to support this study.
The authors declare that there are no conflicts of interest regarding the publication of this paper.
The results in this paper are part of Kenan Kingsley Phiri’s Master degree thesis. Corresponding author is Hyunsung Kim. This work was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B04032598).