Secret Sharing for General Access Structure İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk Information Security and Cryptology, Ankara, Turkey, May 2010.

Outline Multipartite access structure Relate work: – Asmuth-Bloom’s (t, n) secret sharing scheme – Galibus and Matveev (GM) algorithm for polynomial ring in General Access Structure (based on M) Proposed method – Proposed 1: Modified GM algorithm for integer (based on A-B) – Proposed 2: Splitting-based secret sharing scheme Conclusion

Multipartite access structure (1/5) The set of players is divided into K different disjoint classes P 1, P 2,…, P K classes; All players of the same class play the same role in the structure.

Multipartite access structure (2/5) K-partite can be represented by a set of K-tuple vectors. Ex: Γ={(3, 4), (4, 2)} – Each vector is an authorized combination, (3, 4) is a authorized combination (4, 2) is the other authorized combination – The ith entry in a vector denoting the required number of participants from P i in that authorized combination. (3, 4) means at least 3 users from P 1 and 4 from P 2. – {(|P 1 |  3 and |P 2 |  4) or (|P 1 |  4 and |P 2 |  2)}

Multipartite access structure (3/5) Ex: Γ={(3, 4), (4, 2)}, |P 1 |=|P 2 |=5, we can find corresponding (3, 4)  Γ (4, 2)  Γ (2,1)(1,3) (2,2)(2,3) (3,3) (2,4)(4,3) (2,5)(5,3) (3,1)(1,1) (3,2)(2,1) (3,3)(3,1) (3,4)(4,1) (3,5)(5,1)

Multipartite access structure (4/5) Ex:, |P 1 |=|P 2 |=5, we can find corresponding Γ={(3, 4), (4, 2)}, (3,1)(1,6) (3,2)(2,6) (3,3)(3,6) (3,4)(4,6) (3,5)(5,6) (6,1)(1,2) (6,2)(2,2) (6,3)(3,2) (6,4)(4,2) (6,5)(5,2) (4,1)(1,4) (4,2)(2,4) (4,3)(3,4) (4,4) (4,5)(5,4)

Multipartite access structure (5/5) Any access structure defined on a set of n users is trivially n-partite – We can always take P 1 = {1}, …,P n = {n}. – But, we usually want to consider the minimum possible number of classes. Ex1: (2,3)-threshold transform to 3-partite – Γ={(1,1,0), (1,0,1),(0,1,1)} Ex2: Γ={{1,4}, {2,3}} transform to 4-partite – Γ={(1,0,0,1), (0,1,1,0)}

questations 1.Multiple assignment 是否只對 Shamir 有意 義 ?( 因為 CRT 可輕易合併 share ，沒有多個 share 問題 ) – 考慮 information rate 2.CRT 是否就是 single assignment? 3.CRT 如何解 GAS

[ 補充 ]access structures Threshold access structures [1], Access structures defined by graphs [2], Star access structures [3], Those with at most five players [4], Bipartite access structures [5], Hierarchical threshold access structures [6, 7], Weighted threshold access structures [8]. Reference to :2006_New results on multipartite access structures

Relate work Asmuth-Bloom secret sharing scheme – C. Asmuth and J. Bloom. “A modular approach to key safeguarding,“ IEEE Transactions on Information Theory, 29(2):208–210, – The property of (  n/2 , n) Asmuth-Bloom sequence – K. Kaya and A. A. Selcuk. A veriable secret sharing scheme based on the Chinese Remainder Theorem. In Proc. of INDOCRYPT 2008, volume 5365 of LNCS, pages 414–425. Springer-Verlag, Galibus and Matveev (GM) algorithm for polynomial ring – T. Galibus and G. Matveev. “Generalized Mignotte’s sequences over polynomial rings,“ Electronic Notes on Theoretical Computer Science, 186:43–48, 2007.

Asmuth-Bloom’s (t, n) secret sharing scheme (1/4) Based on the Chinese Remainder Theorem(CRT) (t, n) Asmuth-Bloom sequence: – a public sequence of coprime integers m 0 < m 1 < …< m n such that Qualified Min t m 1, m 2,…, m t Forbidden Max t  1 m n, m n  1,…, m n  t+2

Asmuth-Bloom’s (t, n) secret sharing scheme (2/4) Based on the Chinese Remainder Theorem(CRT) (t, n) Asmuth-Bloom sequence: – a public sequence of integers m 0 < m 1 < …< m n such that S j be the set of all subsets of P={1,2,…,n} of cardinality j. Compare with coprime integers

(t, n) secret sharing encoded: – Secret d  Z m 0 – y = d + Am 0 where A is a random positive integer such that y < M – Share y i = y mod m i for all 1  i  n Asmuth-Bloom’s (t, n) secret sharing scheme(3/4) Qualified Min t m 1, m 2,…, m t

(t, n) secret sharing decoded: – y is the unique solution modulo M of the system – Secret d = y mod m 0 Asmuth-Bloom’s (t, n) secret sharing scheme(4/4)

(  n/2 , n) Asmuth-Bloom sequence Lemma: An (  n/2 , n) Asmuth-Bloom sequence is a (k, n) Asmuth-Bloom sequence for all k such that 1  k  n. – Let t =  n/2  – Case1: Let 1  k < t. – Case2: Let t < k  n. 1 t n k Case 1Case 2 k

(  n/2 , n) Asmuth-Bloom sequence Let t =  n/2  Case1: Let 1  k < t. get 1 t n k Case 1

(  n/2 , n) Asmuth-Bloom sequence Let t =  n/2  Case2: Let t < k  n. get 1 t n k Case 2

Galibus and Matveev (GM) algorithm For polynomials, any access structure can be realized by using Mignotte SSS – for polynomial ring – in General Access Structure – (based on Mignotte’s sequence) Secret d, moduli m i, and shares y i are polynomials.

Galibus and Matveev (GM) algorithm Initial: m i (x) =1, for 1  i  n Iteration:

Proposed method Proposed 1: Modified GM algorithm for integer (based on A-B) Proposed 2: Splitting-based secret sharing scheme

Proposed 1: Modified GM algorithm for integer Based on A-B, find a prime m 0 (for specified bit length) For each, check all – Find prime p, and bit length of p is minimal 修改 : 符合標準 有問題

Proposed 2: Splitting-based secret sharing scheme k-partite, each part Pi has it’s (  n i /2 , n i ) Asmuth-Bloom sequence For each vector (authorized combination) – Using A-B’s scheme sharing subsecret d v,i into share y v,i For each participant l,