A Perfect Threshold Secret Sharing Scheme to Identify Cheaters Marco Carpentieri Designs, Codes and Cryptography 5(3): , May 1995 Presented by Po-Kun Chou 2002/4/22

Outline Introduction The Construction Properties

Introduction In 1979 Blakley and Shamir gave protocols to solve problem known as “(k,n) Threshold Secret Sharing” A threshold secret sharing is said to be unconditionally secure if the probability of successful cheating is limited to a specify probability even if the cheaters are assumed to have infinite computational resources. McEliece and Sarwate use an error-correcting code to construct a threshold secret sharing scheme in which any group of k+2e participants which includes at most e cheaters can correctly calculate the secret. Tompa and Woll’s scenario: Can detect cheating but cannot identify cheater.

Introduction(const) Brickell and Stinson’s modified version of the Blakley’s construction in which honest participants can identify cheaters. Rabin and Ben-Or’s scheme: Each participants P i in P receives his share d i and extra information which is n-1random elements V i,j,for j=1,..,n and j≠ i, each participant P j in P-{P i } receives n-1 pairs (W j,i,Z j,i ),for i=1,..,n and i ≠j,where W j,i ≠0 is a random element and Z j,i is calculated as Z j,i = d i + V i,j W j,i when P i wants to let P j know his share,he returns the pair (d i,V i,j ),then P j can calculate d i + V i,j W j,i and he accepts d i only if the result is Z j,i. In this paper we present a perfect and unconditionally secure (k,n) threshold secret sharing scheme having the same properties of Rabin and Ben-Or’s scheme,but in which the information given to each participant is smaller(k+2(n-1) elements of a finite field).

The Construction S is the secret chosen in the finite field GF(q) by the Dealer(Dl) When Dl wants share S among participants in P,Dl gives a k- dimensional vector d i ≡ (d i,0, d i,1,…,d i,k-1 ),k ≦ n over GF(q) as a share to participant P i,for i=1,…,n. Dl chooses the shares: a 1,a 2,…,a k-1 :participants unknow α 1, α 2,…,α n :participants know q(x)=S+ a 1 x+ a 2 x 2 +…+a k-1 x k-1,then d i,0 =q(α i ) and d i,1,…,d i,k-1 are random chosen uniformly at random in GF(q),for i=1,..,n. To guard against cheating,Dl distributes”extra information” which consists of n-1 pairs of elements in GF(q) for each P j in P to the participants along with their shares.

The Construction(const) Dl calculate b j,i =g j,i d i,0 +α j d i,1 +…+α j k-1 d i,k-1 and he gives P j the pair (g j,i, b j,i ),for i=1,..,n and i ≠j and g j,i be non null elements chosen uniformly at random in GF(q). When P i returns his share d i, P j can check the authenticity of d i by verifying that it is a solution vector of the equation g j,i y 0 +α j y 1 +…+α j k-1 y k-1 = b j,i,where y 0,y 1,…y k-1 are the unknows, g j,i,α j,… α j k- 1 are the coefficients and b j,i is the constant,for i=1,…,n and i ≠j.

Properties Lemma 1: Any k participants can calculate the secret S,but no subset of fewer than k participants can determine any partial information regarding s Lemma 2: Any participant who attempts to cheat will be identified by any honest participant with probability 1 – [1/(q-1)]

Properties(const) Lemma 3: Even if there is only one honest participant and the remaining n-1 participants form a coalition in order to deceive him,their probability of cheating successfully is only 1-(1-[1/(q-1)]) n-k+1 ≦ (n-k+1)/(q-1) Lemma 4: The secret information given to each participant consists of k+2(n-1) elements of the finite field GF(q).

Properties(const) Lemma 5: The construction can be implemented in polynomial time

~The end~

Rabin and Ben-Or’s scheme P i : 1.share: d i 2.extra information: n-1 random elements V i,j (j≠i) P j : n-1 pairs (W j,i,Z j,i ) and Z j,i = d i + V i,j W j,i P i 將 (d i,V i,j ) 送給 P j, 然後 P j 用已知的 (W j,i,Z j,i ) 驗證 P i 送的是否正確 For example: P 1 送 d 1 以及 V 1,2,V 1,3 給 P 2,P 3 P 1 : P 2 : P 3 : d 1 =3 W 2,1 =4 W 3,1 =5 V 1,2 =5 Z 2,1 =23 Z 3,1 =13 V 1,3 =2 23=3+5*4 13=3+2*5

Marco Carpentieri’s scheme Dl: 1. k-dimensional vector d i ≡ (d i,0, d i,1,…,d i,k-1 ),k ≦ n 2. a 1,a 2,…,a k-1 :participants unknow 3. α 1, α 2,…,α n :participants know 4. q(x)=S+ a 1 x+ a 2 x 2 +…+a k-1 x k-1 => S 為 secret 5. d i,0 =q(α i ) and d i,1,…,d i,k-1 are random chosen 6.Calculate b j,i =g j,i d i,0 +α j d i,1 +…+α j k-1 d i,k-1 7.Gives P i : d i 8.Gives P j : n-1 pairs (b j,i,g j,i ) P i : gives P j his share d i P j : verifying if g j,i d i,0 +α j d i,1 +…+α j k-1 d i,k-1 = b j,i

Properties Lemma 1: Any k participants can calculate the secret S,but no subset of fewer than k participants can determine any partial information regarding s =>because there are q k-r-1 possible solutions (r<k) Lemma 2: Any participant who attempts to cheat will be identified by any honest participant with probability 1 – [1/(q-1)] =>because only one of the possible equations that the participant P j could have to check the share of P i

Properties(const) Lemma 3: Even if there is only one honest participant and the remaining n-1 participants form a coalition in order to deceive him,their probability of cheating successfully is only 1-(1-[1/(q-1)]) n-k+1 ≦ (n-k+1)/(q-1) Lemma 4: The secret information given to each participant consists of k+2(n-1) elements of the finite field GF(q). =>because each participant receives k elements of GF(q) as his share and 2(n-1) elements of extra information

Properties(const) Lemma 5: The construction can be implemented in polynomial time =>Dl calculates the power of α j in k(k-1)/2 multiplications. then the constants b j,i are calculated in k(n-1) multiplications.Dl needs k(k-1)/2+n(k-1)multiplications.