1 Problems of Perfect Multi- Secret Sharing Schemes Advisor: 阮夙姿教授 Presenter: 蔡惠嬋 Date: 2008/08/11 國立暨南國際大學資訊工程學系
2 Outline Introduction Topic 1: –A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme) Topic 2: –MSSS for Proving Both Improvement Ratios –Two Optimal General MSSSs (GMS1, GMS2) Comparisons Conclusions
3 Secret Sharing Scheme (SSS) Introduction (1/4)
Introduction (2/4) 4 Secret Sharing Scheme (SSS) D : Distribution Algorithm R : Reconstruction Algorithm P1P1 P2P2 PnPn … D s s P1P1 P2P2 … R P t
Introduction (3/4) Dealer Participants P = {P 1, P 2, …, P n } Access structure ( 2 P ) Prohibited structure ( 2 P ) 5 x1x1 xnxn x2x2 P1P1 P2P2 PnPn … D s P = {P 1, P 2, P 3 } = {{P 1, P 3 }, {P 2, P 3 }} = {{P 1 }, {P 3 }, {P 1, P 2 }} P = {P 1, P 2, P 3 } = {{P 1, P 3 }, {P 2, P 3 }} = {{P 1 }, {P 3 }, {P 1, P 2 }}
(t, n)-threshold scheme (A. Shamir 1979, Blakley 1979) Information Rate ( ) = log(K) / log(S i ) A SSS is ideal if = 1. 6 Introduction (4/4) K x y
7 Outline Introduction Topic 1: –A Perfect SSS on General Hypergraph- Based Prohibited Structure (G-HP Scheme) Topic 2: –MSSS for Proving Both Improvement Ratios –Optimal General MSSS Comparisons Conclusions and Future Work (r 1, r 2 )-HP Scheme G-HP Scheme
8 Preliminary – Hypergraph (1/2) Hypergraph H = (V, E) r-Uniform Hypergraph (r 1, r 2 )-Uniform Hypergraph General Hypergraph P1P1 P4P4 P2P2 P3P3 P5P5 P6P6 3-Uniform Hypergraph P1P1 P4P4 P2P2 P3P3 P5P5 P6P6 (2, 3)-Uniform Hypergraph General Hypergraph Source: Wikipedia
Preliminary - Related Work (2/2) 9 Graph Based
10 (r 1, r 2 )-Uniform Hypergraph H V(H) = P and |P| = n. = {A| A B for some B E(H)} {A | A P and |A| (r 1 1)} = {A P| B E(H), A B and r 1 |A| r 2 +1} Example: (2, 4)-HP Scheme = {{P 1, P 5 }, {P 1, P 6 }, {P 2, P 5 }, {P 2, P 6 }, {P 1, P 2, P 3 }, {P 1, P 2, P 4 }, {P 1, P 3, P 4 }, {P 2, P 3, P 4 }}. (r 1, r 2 )-HP Scheme (1/3) P1P1 P2P2 P3P3 P4P4 P6P6 P5P5
11 (r 1, r 2 )-HP Scheme (2/3) P1P1 P2P2 P3P3 P4P4 P6P6 P5P5 (2, 4)-HP Scheme = {{P 1, P 5 }, {P 1, P 6 }, {P 2, P 5 }, {P 2, P 6 } {P 1, P 2, P 3 }, {P 1, P 2, P 4 }, {P 1, P 3, P 4 }, {P 2, P 3, P 4 }}. Idea: Distribute a random number a i for each P i. Construct related polynomials. Distribution: Distribute a 1, a 2, …, a 6 to P 1, P 2, …, P 6. Construct f 1 (x) = K 2 x + K 1 mod q Construct f 2 (x) = A 21 x 2 + K 2 x + K 1 mod q
12 f 1 (x) = K 2 x +K 1 (mod q) f 2 (x) = A 21 x 2 + K 2 x + K 1 (mod q) P1P1 P2P2 P3P3 P4P4 P6P6 P5P5
13 G-HP Scheme (r 1, r 2, …, r v )-HP Scheme Distribute random numbers a 1, a 2, …, a n to P 1, P 2, …, P n. Observe Construct …
Information Rate = log(K) / log(S i ) = 2/ (d +1), Comparisons between G-HA and G-HP schemes. 14 Performance Analysis G-HA Scheme 2007 G-HP Scheme 2008 Information Rate2 / (d +1) Public dataYesNo Time ComplexityO(mr 2 ) PerfectYes
15 Outline Introduction Topic 1: –A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme) Topic 2: –MSSS for Proving Both Improvement Ratios –Optimal General MSSS Comparisons Conclusions and Future Work
16 Outline Introduction Topic 1: –A Perfect SSS on General Hypergraph-Based Prohibited Structure (G-HP Scheme) Topic 2: –MSSS for Proving Both Improvement Ratios –Two Optimal General MSSSs Comparisons Conclusions and Future Work GMS1 GMS2
17 Multi-SSS an extension of a single-SSS to deal with many secrets at the same time s1s1 s2s2 sMsM P1P1 P2P2 PnPn s1s1 s2s2 sMsM R P1P1 P2P2 P t … … …… D P1P1 P1P1 P2P2 P2P2 PnPn PnPn s s P1P1 P1P1 P2P2 P2P2 …… …… D D s s R R Preliminary(1/2)
Parameter Setup: P = {P 1, P 2, …, P n } s 1, s 2, …, s M : secrets x i : P i ’s secret share. h (r, s): two-variable one way function q : large prime 18 L. J. Pang, H. X. Li and Y. M. Wang, An Efficient and Secure Multi-Secret Sharing Scheme with General Access Structures, WUJNS, (PLW scheme)
19 GMS1 (1/2) x y f 1 (x) = s 1 + x mod q f 2 (x) = s 2 + x mod q f M (x) = s M + x mod q Secret Distribution: sisi f(d i,j ) h(r i, x i,j,1 ) h(r i, x i,j,2 ) … h(r i, x i,j,k ) P i,j,1 P i,j,2 P i,j,k … x i,j,1 x i,j,2 x i,j,k h(r i, x i,j,1 ) h(r i, x i,j,2 ) … h(r i, x i,j,k ) MSG i = { r i, h i,1, h i,2,…, h i,| i | } Publish (d i,j, f(d i,j )) … d i,j = i z + j, where z = max{n, | 1 |, | 2 |, …, | M |} h i,j = Let = ( 1, 2, …, M ) be the access structure for the secret s 1, s 2, …, s M, respectively. Say i = {A i,1, A i,2, …, A i,| i | }.
20 Secret Reconstruction: GMS1 (2/2) MSG i = { r i, h i,1, h i,2,…, h i,| i | } P i,j,1 P i,j,2 P i,j,k … x i,j,1 x i,j,2 x i,j,k h(r i, x i,j,1 ) h(r i, x i,j,2 ) … h(r i, x i,j,k ) h i,j h(r i, x i,j,1 ) h(r i, x i,j,2 ) … h(r i, x i,j,k ) x y sisi (d i,j, f(d i,j )) f i (d i,j ) – d i,j f i (x) = s i + x mod q f(d i,j ) =
x y f(d j ) h(r, x j,1 ) h(r, x j,2 ) … h(r, x j,k ) 先直接公佈 l – 1 個點 P j,1 P j,2 P j,k … xj1xj1 xj2xj2 x jk h(r, x j,1 ) h(r, x j,2 ) … h(r, x j,k ) Publish: MSG = { r, f(1), f(2), …, f(l – 1), h 1, h 2, …, h t } l 個秘密 {s 1, s 2,…, s l } (d j, f(d j )) Secret Distribution: 需要 l 個點 hj =hj = hj =hj = 21 GMS2 Observe access structures of each secret s i first.
Security Analysis (d i,j, f(d i,j )) must be computed by P k in A i,j by using his h(r i, x k ). Guessing probability of x i or f i (d i,j ) is the same. (1/q). Two variable one way function h(r i, x i,j ) 22 Security of GMS1 and GMS2 are the same as Shamir’s threshold scheme. Security of GMS1 and GMS2 are the same as Shamir’s threshold scheme. Multi-use
23 Comparisons of general SSS (apply single secret) G-HPGMS1G-HATUMPLW IR2/(d+1)1 1/d1 Public Information Nok + 1 i=1 n (m i c i ) No2(k + 1) PerfectYes Time ComplexityO(kr 2 )O(kr )O(kr 2 ) O(kr ) Comparisons (1/3 )
24 Comparisons of three general MSSS (apply multiple secrets) Comparisons (2/3 ) PLW schemeGMS1GMS2 Time Complexity O(M)O(M) Public Information Weak-PerfectNoYesNo MaxIR (AvIR)1/M
Comparisons (3/3 ) 25 With BBSWithout BBS Consider IRGMS1G-HP Scheme Consider CostGMS1 Given an Access Structure, choose a suitable SSS.
26 Conclusions Conclusions: Construct G-HP scheme. Theoretical prove of improvement ratios. Construct GMS1 and GMS2 schemes.
Thanks for your listening.