Presentation on theme: "Ch12. Secret Sharing Schemes Imagine that you have made billions of ￡ $ from Internet stocks, and you wish to leave your estate to your 4 children. You."— Presentation transcript:
Ch12. Secret Sharing Schemes Imagine that you have made billions of ￡ $ from Internet stocks, and you wish to leave your estate to your 4 children. You like to divide it among them in such a way that two of them have to get together to reconstruct the real combination, i.e., someone who wants some of the inheritance must somehow cooperate with one of the other children. (t,w)=(2,4) - threshold scheme
Definition Let t ≦ w be positive integers. A (t,w)-threshold scheme is a method of sharing a message M among a set of w participants such that any subset consisting of t participants can reconstruct the message M, but no subsets of smaller size can reconstruct M.
Shamir threshold scheme in 1979 Based on Lagrange interpolation polynomial Also called Lagrange interpolation scheme Choose a large prime p, the message M is represented as a number (mod p) s(x)≡M+s 1 x+s 2 x 2 +…+s t-1 x t-1 (mod p) (x i,y i ), i=1,2, …, w; y i ≡s(x i ) (mod p)
Lagrange Interpolating Polynomials Suppose that the function y=f(x) is known at the n+1 points (x0,y0), (x1,y1), … (xn,yn), where a≤ x0
Computing Secret Value M
Simple Exercises from p You set up a (2,30) Shamir threshold scheme, working mod the prime 101. Two of the shares are (1,13) and (3,12). Another person received the share (2,*), what is the value of * ? 3. In a (3,5) Shamir secret sharing scheme with modulus p=17, the following were given to Alice, Bob, Charles: (1,8), (3,10), (5,11). Calculate the corresponding Lagrange interpolating polynomial, and identify the secret.
(Secret) Value Sharing A (k, n) threshold secret sharing should satisfy the following requirements: (1) A secret value M is used to generate n shadows. (2) Any ≧ k shadows can reconstruct the secret value M. (3) Any ＜ k shadows can not get sufficient information to reveal the secret value M.
Secret Sharing (1/4) A (k, n) threshold polynomial can be written by s(x) ≡ M+s 1 x+s 2 x 2 +…+s k-1 x k-1 (mod p) Select n distinct integer x 1,x 2,…,x n form [0,p-1] Deliver (x i,s(x i )) to the i-th participant p= a (large) prime number M: secret value s 1,…,s k-1 : randomly chosen from [0, p-1]
Secret Sharing (2/4) To reveal the secret value M, we must collect (at least k) ≧ k shadows. Without loss of generality, we use (x 1,s(x 1 )),…, (x k,s(x k )) as k shadows. We can reveal the secret value M by using Lagrange interpolation. where M=s(0)
Secret Sharing (3/4) Example: (k, n)=(2, 4)-threshold secret sharing M=9,p=17 Given x 1 =1,x 2 =2,x 3 =3,x 4 =4 A polynomial equation can be defined as s(x) ≡ 9+13x mod 17 Then s(1)=5, s(2)=1, s(3)=14, s(4)=10 Four shadows: (1,5), (2,1), (3,14), (4,10)
Secret Sharing (4/4) Example We can get the equation by taking (1,5), (4,10) by using Lagrange interpolation. s(0)=9
Secret Image Sharing A (k, n)-threshold secret image sharing msut satisfy the following requirements: (1)The secret image S is used to generate n shadow images. (2)Any ≧ k shadow images can reconstruct the secret image. (3)Any ＜ k shadow images can not get sufficient information to reveal the secret image.
Generation of Shadow Images Pre-operation
Scramble a Secret Image Pre-operation: All gray levels are in the range [0,255] Let p=251 Suppress all values larger than 250 to The values are in the range 0~250 -A Lossy method Select a key P to create a permutation matrix. -To decrease the correlation between any neighboring pixels.
Meaningless Shadow Images Share
Shadow Images Acquisition The equation can be written by g(x)≡a 0 +a 1 x+a 2 x 2 +…+a k-1 x k-1 mod 251 Select n distinct secret keys x 1,x 2,…,x n. Deliver (x i,s(x i )) to the ith participant.
Get the Permutation Image
Secret Image Reconstruction Without loss of generality, we have (x 1,s(x 1 )),(x 2,s(x 2 )),…, (x k,s(x k )). Use Lagrange interpolation to reconstruct the image.
Flowchart of Recovery
An Example Without Permutation
Experimental results The (2,4)-threshold on image Lenna 512x512, Histogram of Lenna The secret imageThe permutation image (1,s(1))(2,s(2))(3,s(3))(4,s(4))
Security Analysis Without loss of generality, if we only have (k-1) shadow images. y 1 ≡ (a 0 +a 1 +…+a k-1 ) mod p y 2 ≡ (a 0 +2a 1 +…+2 k-1 a k-1 ) mod p … y k-1 ≡ (a 0 +(k-1)a 1 +…+(k-1) (k-1) a k-1 ) mod p The probability to get the right image is
Property and Conclusion P=251 A lossy method The size of each shadow image is 1/r of the secret image Fault-tolerance Use network hard disks for storage. Steganography …
References W. Trappe and l.C. Washington, Introduction to Cryptography with Coding Theory, Pearson International Edition (2006) C.C. Thien and J.C. Lin, “Secret image sharing,” Computers & Graphics, vol. 26, no. 1, , 2002.