Ch12. Secret Sharing Schemes Imagine that you have made billions of ￡$ from Internet stocks, and you wish to leave your estate to your 4 children. You like to divide it among them in such a way that two of them have to get together to reconstruct the real combination, i.e., someone who wants some of the inheritance must somehow cooperate with one of the other children. (t,w)=(2,4) - threshold scheme

Definition Let t≦w be positive integers. A (t,w)-threshold scheme is a method of sharing a message M among a set of w participants such that any subset consisting of t participants can reconstruct the message M, but no subsets of smaller size can reconstruct M.

Shamir threshold scheme in 1979 Based on Lagrange interpolation polynomial Also called Lagrange interpolation scheme Choose a large prime p, the message M is represented as a number (mod p) s(x)≡M+s1x+s2x2+…+st-1xt-1 (mod p) (xi,yi), i=1,2, …, w; yi≡s(xi) (mod p)

Lagrange Interpolating Polynomials Suppose that the function y=f(x) is known at the n+1 points (x0,y0), (x1,y1), … (xn,yn), where a≤ x0 <x1 <x2 …< xn≤b, then there is a polynomial Pn(xi)=yi, 0≤i≤n

Computing Secret Value M

Simple Exercises from p.303-306 2. You set up a (2,30) Shamir threshold scheme, working mod the prime 101. Two of the shares are (1,13) and (3,12). Another person received the share (2,*), what is the value of *? 3. In a (3,5) Shamir secret sharing scheme with modulus p=17, the following were given to Alice, Bob, Charles: (1,8), (3,10), (5,11). Calculate the corresponding Lagrange interpolating polynomial, and identify the secret.

(Secret) Value Sharing A (k, n) threshold secret sharing should satisfy the following requirements: (1) A secret value M is used to generate n shadows. (2) Any ≧k shadows can reconstruct the secret value M. (3) Any ＜k shadows can not get sufficient information to reveal the secret value M.

s(x) ≡ M+s1x+s2x2+…+sk-1xk-1 (mod p) Secret Sharing (1/4) A (k, n) threshold polynomial can be written by s(x) ≡ M+s1x+s2x2+…+sk-1xk-1 (mod p) Select n distinct integer x1,x2,…,xn form [0,p-1] Deliver (xi,s(xi)) to the i-th participant p= a (large) prime number M: secret value s1,…,sk-1: randomly chosen from [0, p-1]

Secret Sharing (2/4) To reveal the secret value M, we must collect (at least k) ≧k shadows. Without loss of generality, we use (x1,s(x1)),…, (xk,s(xk)) as k shadows. We can reveal the secret value M by using Lagrange interpolation. where M=s(0)

Secret Sharing (3/4) Example: (k, n)=(2, 4)-threshold secret sharing Given x1=1,x2=2,x3=3,x4=4 A polynomial equation can be defined as s(x) ≡ 9+13x mod 17 Then s(1)=5, s(2)=1, s(3)=14, s(4)=10 Four shadows: (1,5), (2,1), (3,14), (4,10)

Secret Sharing (4/4) Example We can get the equation by taking (1,5), (4,10) by using Lagrange interpolation. s(0)=9

Secret Image Sharing A (k, n)-threshold secret image sharing msut satisfy the following requirements: (1)The secret image S is used to generate n shadow images. (2)Any ≧k shadow images can reconstruct the secret image. (3)Any ＜k shadow images can not get sufficient information to reveal the secret image.

Generation of Shadow Images Pre-operation

Scramble a Secret Image Pre-operation: All gray levels are in the range [0,255] Let p=251 Suppress all values larger than 250 to 250. -The values are in the range 0~250 -A Lossy method Select a key P to create a permutation matrix. -To decrease the correlation between any neighboring pixels.

Meaningless Shadow Images Share

Shadow Images Acquisition The equation can be written by g(x)≡a0+a1x+a2x2+…+ak-1xk-1 mod 251 Select n distinct secret keys x1,x2,…,xn. Deliver (xi,s(xi)) to the ith participant.

Get the Permutation Image

Secret Image Reconstruction Without loss of generality, we have (x1,s(x1)),(x2,s(x2)),…, (xk,s(xk)). Use Lagrange interpolation to reconstruct the image.

Flowchart of Recovery

An Example Without Permutation

Experimental results The (2,4)-threshold on image Lenna 512x512, Histogram of Lenna The secret image The permutation image (1,s(1)) (2,s(2)) (3,s(3)) (4,s(4))

Security Analysis Without loss of generality, if we only have (k-1) shadow images. y1 ≡ (a0+a1+…+ak-1) mod p y2 ≡ (a0+2a1+…+2k-1ak-1) mod p … yk-1 ≡ (a0+(k-1)a1+…+(k-1)(k-1)ak-1) mod p The probability to get the right image is

Property and Conclusion A lossy method The size of each shadow image is 1/r of the secret image Fault-tolerance Use network hard disks for storage. Steganography …

References W. Trappe and l.C. Washington, Introduction to Cryptography with Coding Theory, Pearson International Edition (2006) C.C. Thien and J.C. Lin, “Secret image sharing,” Computers & Graphics, vol. 26, no. 1, 765-770, 2002.