1 / 24

Ch12. Secret Sharing Schemes

Ch12. Secret Sharing Schemes. Imagine that you have made billions of £ $ from Internet stocks, and you wish to leave your estate to your 4 children. You like to divide it among them in such a way that two of them have to get together to reconstruct the real combination, i.e.,

Mia_John
Download Presentation

Ch12. Secret Sharing Schemes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ch12. Secret Sharing Schemes Imagine that you have made billions of £$ from Internet stocks, and you wish to leave your estate to your 4 children. You like to divide it among them in such a way that two of them have to get together to reconstruct the real combination, i.e., someone who wants some of the inheritance must somehow cooperate with one of the other children. (t,w)=(2,4) - threshold scheme

  2. Definition Let t≦w be positive integers. A (t,w)-threshold scheme is a method of sharing a message M among a set of w participants such that any subset consisting of t participants can reconstruct the message M, but no subsets of smaller size can reconstruct M.

  3. Shamir threshold scheme in 1979 Based on Lagrange interpolation polynomial Also called Lagrange interpolation scheme Choose a large prime p, the message M is represented as a number (mod p) s(x)≡M+s1x+s2x2+…+st-1xt-1 (mod p) (xi,yi), i=1,2, …, w; yi≡s(xi) (mod p)

  4. Lagrange Interpolating Polynomials Suppose that the function y=f(x) is known at the n+1 points (x0,y0), (x1,y1), … (xn,yn), where a≤ x0 <x1 <x2 …< xn≤b, then there is a polynomial Pn(xi)=yi, 0≤i≤n

  5. Computing Secret Value M

  6. Simple Exercises from p.303-306 2. You set up a (2,30) Shamir threshold scheme, working mod the prime 101. Two of the shares are (1,13) and (3,12). Another person received the share (2,*), what is the value of *? 3. In a (3,5) Shamir secret sharing scheme with modulus p=17, the following were given to Alice, Bob, Charles: (1,8), (3,10), (5,11). Calculate the corresponding Lagrange interpolating polynomial, and identify the secret.

  7. (Secret) Value Sharing • A (k, n) threshold secret sharing should satisfy the following requirements: (1) A secret value M is used to generate n shadows. (2) Any ≧k shadows can reconstruct the secret value M. (3) Any <k shadows can not get sufficient information to reveal the secret value M.

  8. Secret Sharing (1/4) • A (k, n) threshold polynomial can be written by s(x) ≡ M+s1x+s2x2+…+sk-1xk-1 (mod p) • Select n distinct integer x1,x2,…,xn form [0,p-1] • Deliver (xi,s(xi)) to the i-th participant p= a (large) prime number M: secret value s1,…,sk-1: randomly chosen from [0, p-1]

  9. Secret Sharing (2/4) • To reveal the secret value M, we must collect (at least k) ≧k shadows. • Without loss of generality, we use (x1,s(x1)),…, (xk,s(xk)) as k shadows. • We can reveal the secret value M by using Lagrange interpolation. • where M=s(0)

  10. Secret Sharing (3/4) Example: • (k, n)=(2, 4)-threshold secret sharing • M=9,p=17 • Given x1=1,x2=2,x3=3,x4=4 • A polynomial equation can be defined as s(x) ≡ 9+13x mod 17 • Then s(1)=5, s(2)=1, s(3)=14, s(4)=10 • Four shadows: (1,5), (2,1), (3,14), (4,10)

  11. Secret Sharing (4/4) Example • We can get the equation by taking (1,5), (4,10) by using Lagrange interpolation. • s(0)=9

  12. Secret Image Sharing • A (k, n)-threshold secret image sharing msut satisfy the following requirements: (1)The secret image S is used to generate n shadow images. (2)Any ≧k shadow images can reconstruct the secret image. (3)Any <k shadow images can not get sufficient information to reveal the secret image.

  13. Generation of Shadow Images Pre-operation

  14. Scramble a Secret Image Pre-operation: • All gray levels are in the range [0,255] • Let p=251 • Suppress all values larger than 250 to 250. -The values are in the range 0~250 -A Lossy method • Select a key P to create a permutation matrix. -To decrease the correlation between any neighboring pixels.

  15. Meaningless Shadow Images Share

  16. Shadow Images Acquisition • The equation can be written by g(x)≡a0+a1x+a2x2+…+ak-1xk-1 mod 251 • Select n distinct secret keys x1,x2,…,xn. • Deliver (xi,s(xi)) to the ith participant.

  17. Get the Permutation Image

  18. Secret Image Reconstruction • Without loss of generality, we have (x1,s(x1)),(x2,s(x2)),…, (xk,s(xk)). • Use Lagrange interpolation to reconstruct the image.

  19. Flowchart of Recovery

  20. An Example Without Permutation

  21. Experimental results The (2,4)-threshold on image Lenna 512x512, Histogram of Lenna The secret image The permutation image (1,s(1)) (2,s(2)) (3,s(3)) (4,s(4))

  22. Security Analysis • Without loss of generality, if we only have (k-1) shadow images. y1≡ (a0+a1+…+ak-1) mod p y2≡ (a0+2a1+…+2k-1ak-1) mod p … yk-1≡ (a0+(k-1)a1+…+(k-1)(k-1)ak-1) mod p The probability to get the right image is

  23. Property and Conclusion • P=251 • A lossy method • The size of each shadow image is 1/rof the secret image • Fault-tolerance • Use network hard disks for storage. • Steganography • …

  24. References • W. Trappe and l.C. Washington, Introduction to Cryptography with Coding Theory, Pearson International Edition (2006) • C.C. Thien and J.C. Lin, “Secret image sharing,” Computers & Graphics, vol. 26, no. 1, 765-770, 2002.

More Related