Secret Sharing for General Access Structure
İlker Nadi Bozkurt, Kamer Kaya, and Ali Aydın Selçuk
Information Security and Cryptology, Ankara, Turkey, May 2010.
Outline
• Multipartite access structure
• Related work:
– Asmuth-Bloom’s (t, n) secret sharing scheme
– Galibus and Matveev (GM) algorithm for polynomial ring in General Access Structure (based on M)
• Proposed method
– Proposed 1: Modified GM algorithm for integer (based on A-B)
– Proposed 2: Splitting-based secret sharing scheme
• Conclusion
Multipartite access structure (1/5)
• The set of players is divided into K disjoint classes P1, P2, …, PK;
• All players of the same class play the same role in the structure.
Multipartite access structure (2/5)
• A K-partite access structure can be represented by a set of K-tuple vectors.
• Ex: Γ={(3, 4), (4, 2)}
– Each vector is an authorized combination:
• (3, 4) is an authorized combination
• (4, 2) is the other authorized combination
– The ith entry in a vector denotes the required number of participants from Pi in that authorized combination.
• (3, 4) means at least 3 users from P1 and 4 from P2.
– {(|P1| ≥ 3 and |P2| ≥ 4) or (|P1| ≥ 4 and |P2| ≥ 2)}
Multipartite access structure (3/5)
• Ex: Γ={(3, 4), (4, 2)}, |P1|=|P2|=5,
we can find corresponding {(2,5), (5,1), (3,3)}
– (3, 4) ∈ Γ: (2,1) (2,2) (2,3) (2,4) (2,5) and (1,3) (2,3) (3,3) (4,3) (5,3)
– (4, 2) ∈ Γ: (3,1) (3,2) (3,3) (3,4) (3,5) and (1,1) (2,1) (3,1) (4,1) (5,1)
Multipartite access structure (4/5)
• Ex: {(2,5), (5,1), (3,3)}, |P1|=|P2|=5,
we can find corresponding Γ={(3, 4), (4, 2)}
– (2,5): (3,1) (3,2) (3,3) (3,4) (3,5) and (1,6) (2,6) (3,6) (4,6) (5,6)
– (5,1): (6,1) (6,2) (6,3) (6,4) (6,5) and (1,2) (2,2) (3,2) (4,2) (5,2)
– (3,3): (4,1) (4,2) (4,3) (4,4) (4,5) and (1,4) (2,4) (3,4) (4,4) (5,4)
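The two conversions in slides 3/5 and 4/5, as an added example that is not from the original presentation. It assumes the unlabeled set {(2,5), (5,1), (3,3)} is the set of maximal unauthorized combinations (the slide's own label did not survive); all function names are hypothetical.

```python
from itertools import product

def dominates(v, w):
    """True if v >= w in every class (componentwise)."""
    return all(a >= b for a, b in zip(v, w))

def is_authorized(v, gamma):
    """A count vector is authorized if it meets some vector of gamma."""
    return any(dominates(v, g) for g in gamma)

def maximal_unauthorized(gamma, sizes):
    """Gamma -> maximal count vectors that satisfy no vector of gamma."""
    grid = product(*(range(s + 1) for s in sizes))
    bad = [v for v in grid if not is_authorized(v, gamma)]
    # keep only vectors not dominated by a different unauthorized vector
    return sorted(v for v in bad
                  if not any(w != v and dominates(w, v) for w in bad))

def minimal_authorized(unauth, sizes):
    """Inverse direction: maximal unauthorized vectors -> minimal Gamma."""
    grid = product(*(range(s + 1) for s in sizes))
    # a vector is authorized when it lies below no maximal unauthorized one
    good = [v for v in grid if not any(dominates(u, v) for u in unauth)]
    return sorted(v for v in good
                  if not any(w != v and dominates(v, w) for w in good))

# The slides' example: two classes of five players each.
GAMMA = [(3, 4), (4, 2)]
SIZES = (5, 5)

if __name__ == "__main__":
    print(maximal_unauthorized(GAMMA, SIZES))
    print(minimal_authorized([(2, 5), (5, 1), (3, 3)], SIZES))
```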
Multipartite access structure (5/5)
• Any access structure defined on a set of n users is trivially n-partite
– We can always take P1 = {1}, … , Pn = {n}.
– But, we usually want to consider the minimum possible number of classes.
• Ex1: (2,3)-threshold transforms to 3-partite
– Γ={(1,1,0), (1,0,1), (0,1,1)}
• Ex2: Γ={{1,4}, {2,3}} transforms to 4-partite
– Γ={(1,0,0,1), (0,1,1,0)}
Questions
• 1. Is multiple assignment meaningful only for Shamir? (CRT can easily merge shares, so there is no multiple-share problem.)
– Consider the information rate
• 2. Is CRT simply single assignment?
• 3. How does CRT solve GAS?
[Supplement] Access structures
• Threshold access structures [1],
• Access structures defined by graphs [2],
• Star access structures [3],
• Those with at most five players [4],
• Bipartite access structures [5],
• Hierarchical threshold access structures [6, 7],
• Weighted threshold access structures [8].
Reference to: 2006_New results on multipartite access structures
Related work
• Asmuth-Bloom secret sharing scheme
– C. Asmuth and J. Bloom. “A modular approach to key safeguarding,” IEEE Transactions on Information Theory, 29(2):208–210, 1983.
– The property of (n/2, n) Asmuth-Bloom sequence
– K. Kaya and A. A. Selcuk. A verifiable secret sharing scheme based on the Chinese Remainder Theorem. In Proc. of INDOCRYPT 2008, volume 5365 of LNCS, pages 414–425. Springer-Verlag, 2008.
• Galibus and Matveev (GM) algorithm for polynomial ring
– T. Galibus and G. Matveev. “Generalized Mignotte’s sequences over polynomial rings,” Electronic Notes on Theoretical Computer Science, 186:43–48, 2007.
Asmuth-Bloom’s (t, n) secret sharing scheme (1/4)
• Based on the Chinese Remainder Theorem (CRT)
• (t, n) Asmuth-Bloom sequence:
– a public sequence of coprime integers m0 < m1 < … < mn such that
– QualifiedMin (t): m1, m2, …, mt
– ForbiddenMax (t−1): m_n, m_{n−1}, …, m_{n−t+2}
Asmuth-Bloom’s (t, n) secret sharing scheme (2/4)
• Based on the Chinese Remainder Theorem (CRT)
• (t, n) Asmuth-Bloom sequence:
– a public sequence of integers m0 < m1 < … < mn such that
– Let Sj be the set of all subsets of P={1,2,…,n} of cardinality j.
– Compare with coprime integers
• (t, n) secret sharing encoded:
– Secret d ∈ Z_{m0}
– y = d + A·m0, where A is a random positive integer such that y < M
– Share yi = y mod mi for all 1 ≤ i ≤ n
Asmuth-Bloom’s (t, n) secret sharing scheme (3/4)
– QualifiedMin (t): m1, m2, …, mt
• (t, n) secret sharing decoded:
– y is the unique solution modulo M of the system
– Secret d = y mod m0
Asmuth-Bloom’s (t, n) secret sharing scheme (4/4)
(n/2, n) Asmuth-Bloom sequence
• Lemma: An (n/2, n) Asmuth-Bloom sequence is a (k, n) Asmuth-Bloom sequence for all k such that 1 ≤ k ≤ n.
– Let t = n/2
– Case1: Let 1 ≤ k < t.
– Case2: Let t < k ≤ n.
[Figure: axis 1 … t … n, with k marked for Case 1 and for Case 2]
(n/2, n) Asmuth-Bloom sequence
• Let t = n/2
• Case1: Let 1 ≤ k < t.
get
[Figure: axis 1 … t … n with k marked, Case 1]
(n/2, n) Asmuth-Bloom sequence
• Let t = n/2
• Case2: Let t < k ≤ n.
get
[Figure: axis 1 … t … n with k marked, Case 2]
Galibus and Matveev (GM) algorithm
• For polynomials, any access structure can be realized by using Mignotte SSS
– for polynomial ring
– in General Access Structure
– (based on Mignotte’s sequence)
• Secret d, moduli mi, and shares yi are polynomials.
Galibus and Matveev (GM) algorithm
• Initial: mi(x) = 1, for 1 ≤ i ≤ n
• Iteration:
Proposed method
• Proposed 1: Modified GM algorithm for integer (based on A-B)
• Proposed 2: Splitting-based secret sharing scheme
Proposed 1: Modified GM algorithm for integer
• Based on A-B, find a prime m0 (for specified bit length)
• For each , check all
–
–
• Find prime p, and bit length of p is minimal
• Modification:
There is a problem with A C meeting the criterion
Proposed 2: Splitting-based secret sharing scheme
• k-partite, each part Pi has its (ni/2, ni) Asmuth-Bloom sequence
• For each vector (authorized combination)
– Use the A-B scheme to share subsecret dv,i into shares yv,i
• For each participant l,