Secret Sharing Schemes using Visual Cryptography A. Sreekumar Department of Computer Applications Cochin University of Science And Technology Email address : sreekumar&cusat.ac.in

Objectives What are Secret Sharing Schemes Applications of Secret Sharing Schemes Classification of Secret Sharing Schemes Basic idea behind Secret Sharing Schemes Different methods for Secret Sharing Schemes Different Schemes

Keywords Share Access Structure Prohibited Structure Threshold Visual Cryptography Block Design

Introduction Secret Sharing Schemes Secret sharing schemes enable a dealer, holding a secret piece of information, to distribute this secret among n participants such a way that only some predefined authorized subsets of participants can reconstruct the secret from their shares and others learn nothing about it. Access Structure Let P be the set of participants. The collection of subsets of participants that can reconstruct the secret in this way is called access structure (denoted by ).

Prohibited Structure The collection of subsets of participants that cannot reconstruct the secret is called prohibited structure (denoted by ). Natural restrictions The natural restriction is that  is monotonic increasing, and  is monotonic decreasing, that is if A   and A  B  P, then B   , and if A   and B  A  P, then B  . It is unrealistic to believe other schemes exist. If  = 2P \  , then we say the structure (,) is complete

Threshold Schemes  = { A | A  P and |A|  m} and  = { A | A  P and |A|  m-1}, the secret sharing scheme is called an (m, n)-threshold scheme, where |P| = n. i.e., secret can be reconstructed if any m or more shares are available. Perfect Scheme A secret scheme is perfect if any set of participants in the prohibited structure  obtains no information regarding the secret

Applications of Secret Sharing Schemes Secure information storage Key establishment on Smart cards Safeguard cryptographic keys from loss Purely Mathematical importance Password protection

Secure information storage Most of the business organizations need to protect the data from disclosure. As the world is more connected by computers, the hackers, power abusers are also increased and most organization afraid to store data in a computer. So there is a need of a method to distribute the data at several places and destroy the original one. When a need of original data arises, it could be reconstructed from the distributed shares

Example: Let the secret be “attack” Suppose there are five participants, A through E. Let the secret is encoded as 00 19 19 00 02 10 Generate 4 rows of 6 random numbers between [0..25]

A : 09 13 17 02 24 07 B : 21 11 08 05 14 23 C : 06 12 14 03 20 12 D : 10 05 11 25 19 04 Here E is found such a way that ej = s - (aj + bj+ cj +dj)(26). E : 06 04 21 17 03 16 The secret can be computed as aj + bj+ cj +dj + ej (26) S : 00 19 19 00 02 10

A: J N R C Y H B: V L I F O X C: G M O D U M D: K F B Z T E E: G E V R D Q Here all the shares are necessary to reconstruct the secret. But, generally it need not be the case.

Classification of Secret Sharing Schemes Based on the access structure and prohibited structures, the secret sharing schemes are classified into the following types Type I A Secret sharing scheme for the access structure  is a method of sharing a secret among a finite set of participants in such a way that only subsets of participants in  can recover the secret while other subsets cannot. That is,  (= 2P \ ) is implied

Type II A Secret sharing scheme for the prohibited structure  is a method of sharing a secret among a finite set of participants in such a way that only subsets of participants in  cannot recover the secret while other subsets can. That is,  (= 2P \ ) is implied

Type III A Secret sharing scheme for the mixed structure (, ) is a method of sharing a secret among a finite set of participants in such a way that subsets of participants in  can recover the secret, but subsets of participants in  cannot recover the secret . That is, the privileges of subsets in 2P \ (  ) are not cared. Any subset of participants in 2P \ (  ) may either recover the secret or not. Note that    =  and     2P.

Basic idea behind (t, n) threshold Schemes When t = n, it is very easy, as in the case of previous example, generate n-1 random numbers, say r1, r2, … rn-1 and compute rn = S - (r1 + r2 + … + rn-1 ) modulo M. One can easily see that r1, r2, … rn can be considered as the n shares for the secret, and be distributed to each participants. Here, the modulo M operation may be replaced by XOR using data values of fixed bit-length.

When t < n All the shares are not necessary to reconstruct the secret. i.e., some shares are redundant in some sense. Shamir’s Scheme : Based on Lagrange’s interpolation formula There is a unique polynomial of degree at most t-1 which passes through n points, but the polynomial passes through infinitely many points.

So let the secret M be interpreted as a number mod p, is the constant term of a random polynomial of degree (at most) t-1, and evaluate the polynomial at n different points, say (x1, y1) , (x2, y2) , ……, (xn, yn). These points could be thought of as the n shares. Clearly any t shares uniquely determines the polynomial and hence the secret can be constructed.

Properties of Shamir’s Schemes: Perfect - Ideal – size of one share is the size of the secret Extendable to new users No unproven assumptions Disadvantage As large amount of computation is involved in the Lagrange’s interpolation formula, it is not always recommended.

Combinatorial structures Latin square can be used as a scheme We can reconstruct the Latin square, if any two of the coloured numbers (with position) are known. 2 1 3

Visual Cryptography The decoding process of a visual cryptography scheme, which differs from traditional secret sharing, does not need complicated cryptographic mechanisms and computations. Instead, it can be decoded directly by simple computation

(2,7) scheme Share for 1   Share for 0 A 1 B C D E F G ≥ 4/7 = 3/7

Combining Any Two rows of share for 1 will give Four or more 1’s   Where as if we do the same for share for 0, We get only two 3’s

Permutations 1 2 3

Combining Any Two rows of share for 1   Share for 1 Share for 0 (2,9) Scheme A 1 Combining Any Two rows of share for 1 will give Three or more 1’s Where as if we do the same for share for 0, We get only two 1’s. B C D E F G H I

(n, n) scheme - Seven bit secret is converted to an 8 bit number by inserting an invalid random bit at the left. Example : Let the Secret is the right most 7 bits of 00110100 Generate n-2 rows of 8 bit Random numbers having 4 0’s and 4 1’s

1. 01011001 2. 11101000 3. 10100101 4. 00101011 00110100 XOR ing the shares with secret we get 00001011. Because of odd # of 1’s in it, make it even by changing leftmost 0 to 1.

So we get 10001011 Make to shares 1 … … … 0 …1 0 and 0 … … …. 1 …0 1 Fill the dot’s randomly by needed 0’s and 1’s. Example : 1 0 1 1 0 0 1 0 0 0 1 1 1 0 0 1

(t, n) Scheme with t  3 For a (t,n) scheme, the shares for 0 cannot be same for all participants as before, because, if two shares are same, then a third share is not necessary to know that the corresponding bit. It must be 0.Since the logical addition favours towards 1, it is unlikely that the shares for zero will have more than two 1’s. So the scarcity of 1’s in a share, is a symptom that the bit to be 0. So the secret reconstruction must be little more complex than just logical OR. One can try for XOR. Infact XOR is more suitable because it doesn’t favour to either 0 or 1.

Problems that can occur with XOR: If the shares of more than the minimum number of participants are known, whether the extra shares have to be considered for reconstruction of the secret or not, has to be decided. It may happen that by considering additional share, the result may differ. In such cases, the reconstruction algorithm should discard extra shares. It may also be noted that considering extra shares may slow down the reconstruction procedure. So there is nothing wrong in discarding extra shares.

A (3,5)-threshold scheme Share for 1   Share for 0 A 1 B C D E

Tthe reconstruction procedure is as follows:   ·              Take only 3 shares, if more than 3 shares are available. ·              XOR the shares block wise and count the number of 1’s. ·              If this number is > 4 the secret bit is 1, otherwise 0. We can see that if we XOR two shares, in either case we get two 1’s in each block. So, one cannot conclude whether it is 1 or 0.

AB 1 2   AC AD AE BC BD BE CD CE DE

ABC 1 6   2 ABD ABE ACD ACE ADE BCD BCE BDE CDE

References [1] G.R. Blakley. Safeguarding Cryptographic keys. Proc. N.C.C. AFIPS Conference Proceedings 48, Vol. 48, pp 313-317, 1979 [2] Adi Shamir How to Share a Secret. Communications of the ACM, 22(11):612-613, 1979. [3] Moni Naor and Adi Shamir, Visual Cryptography, EUROCRYPT 1994, pp1–12

References ……. [4] J.C. Benaloh and J. Leichter, Generalized Secret sharing and Monotone Functions, Proceedings of Crypto ’88, Advances in Cryptology, Lecture Notes in Computer Science, vol. 403, S. Goldwasser, Ed.,Springer-Verlag, 1990,pp 27-35

Conclusion Originally motivated as secure information storage, secret sharing schemes have found numerous other applications Visual cryptography is much more faster than traditional cryptography Sources of various methods has to be investigated.

QUESTIONS

Thank you