Download
1 / 15
150 likes | 230 Views
A Perfect Threshold Secret Sharing Scheme to Identify Cheaters. Marco Carpentieri Designs, Codes and Cryptography 5(3):183-187, May 1995 Presented by Po-Kun Chou 2002/4/22. Outline. Introduction The Construction Properties.
E N D
A Perfect Threshold Secret Sharing Scheme to Identify Cheaters Marco Carpentieri Designs, Codes and Cryptography 5(3):183-187, May 1995 Presented by Po-Kun Chou 2002/4/22
Outline • Introduction • The Construction • Properties
Introduction • In 1979 Blakley and Shamir gave protocols to solve problem known as “(k,n) Threshold Secret Sharing” • A threshold secret sharing is said to be unconditionally secure if the probability of successful cheating is limited to a specify probability even if the cheaters are assumed to have infinite computational resources. • McEliece and Sarwate use an error-correcting code to construct a threshold secret sharing scheme in which any group of k+2e participants which includes at most e cheaters can correctly calculate the secret. • Tompa and Woll’s scenario: Can detect cheating but cannot identify cheater.
Introduction(const) • Brickell and Stinson’s modified version of the Blakley’s construction in which honest participants can identify cheaters. • Rabin and Ben-Or’s scheme: Each participants Pi in P receives his share di and extra information which is n-1random elements Vi,j ,for j=1,..,n and j≠ i, each participant Pj in P-{Pi} receives n-1 pairs (Wj,i,Zj,i),for i=1,..,n and i ≠j,where Wj,i ≠0 is a random element and Zj,i is calculated as Zj,i= di + Vi,j Wj,i when Pi wants to let Pj know his share,he returns the pair (di,Vi,j),then Pj can calculate di + Vi,jWj,i and he accepts di only if the result is Zj,i. • In this paper we present a perfect and unconditionally secure (k,n) threshold secret sharing scheme having the same properties of Rabin and Ben-Or’s scheme,but in which the information given to each participant is smaller(k+2(n-1) elements of a finite field).
The Construction • S is the secret chosen in the finite field GF(q) by the Dealer(Dl) • When Dl wants share S among participants in P ,Dl gives a k-dimensional vector di≡ (di,0, di,1,…,di,k-1),k≦ n over GF(q) as a share to participant Pi,for i=1,…,n. • Dl chooses the shares: a1,a2,…,ak-1:participants unknow α1, α2,…,αn:participants know q(x)=S+ a1x+ a2x2+…+ak-1xk-1 ,then di,0=q(αi) and di,1,…,di,k-1are random chosen uniformly at random in GF(q),for i=1,..,n. • To guard against cheating,Dl distributes”extra information” which consists of n-1 pairs of elements in GF(q) for each Pj in P to the participants along with their shares.
The Construction(const) • Dl calculate bj,i=gj,idi,0+αj di,1 +…+αjk-1 di,k-1and he gives Pj the pair (gj,i, bj,i),for i=1,..,n and i ≠j and gj,i be non null elements chosen uniformly at random in GF(q). • When Pi returns his share di, Pj can check the authenticity of di by verifying that it is a solution vector of the equation gj,iy0+αj y1 +…+αjk-1 yk-1= bj,i ,where y0,y1,…yk-1are the unknows, gj,i ,αj ,… αjk-1 are the coefficients and bj,i is the constant,for i=1,…,n and i ≠j.
Properties • Lemma 1: Any k participants can calculate the secret S,but no subset of fewer than k participants can determine any partial information regarding s • Lemma 2: Any participant who attempts to cheat will be identified by any honest participant with probability 1 – [1/(q-1)]
Properties(const) • Lemma 3: Even if there is only one honest participant and the remaining n-1 participants form a coalition in order to deceive him,their probability of cheating successfully is only 1-(1-[1/(q-1)])n-k+1 ≦(n-k+1)/(q-1) • Lemma 4: The secret information given to each participant consists of k+2(n-1) elements of the finite field GF(q).
Properties(const) • Lemma 5: The construction can be implemented in polynomial time
Rabin and Ben-Or’s scheme Pi: 1.share: di 2.extra information: n-1 random elements Vi,j (j≠i) Pj: n-1 pairs (Wj,i,Zj,i) and Zj,i= di + Vi,j Wj,i Pi將(di,Vi,j)送給Pj,然後Pj用已知的(Wj,i,Zj,i)驗證Pi送的是否正確 For example: P1送d1以及V1,2,V1,3給P2,P3 P1: P2: P3: d1=3 W2,1=4 W3,1=5 V1,2=5 Z2,1=23 Z3,1=13 V1,3=2 23=3+5*4 13=3+2*5
Marco Carpentieri’s scheme Dl: 1. k-dimensional vector di≡ (di,0, di,1,…,di,k-1),k≦ n 2. a1,a2,…,ak-1:participants unknow 3. α1, α2,…,αn:participants know 4. q(x)=S+ a1x+ a2x2+…+ak-1xk-1=>S為secret 5. di,0=q(αi) and di,1,…,di,k-1are random chosen 6.Calculate bj,i=gj,idi,0+αj di,1 +…+αjk-1 di,k-1 7.Gives Pi: di 8.Gives Pj: n-1 pairs (bj,i,gj,i) Pi: gives Pj his share di Pj: verifying if gj,idi,0+αj di,1 +…+αjk-1 di,k-1= bj,i
Properties • Lemma 1: Any k participants can calculate the secret S,but no subset of fewer than k participants can determine any partial information regarding s =>because there are qk-r-1 possible solutions (r<k) • Lemma 2: Any participant who attempts to cheat will be identified by any honest participant with probability 1 – [1/(q-1)] =>because only one of the possible equations that the participant Pj could have to check the share of Pi
Properties(const) • Lemma 3: Even if there is only one honest participant and the remaining n-1 participants form a coalition in order to deceive him,their probability of cheating successfully is only 1-(1-[1/(q-1)])n-k+1 ≦(n-k+1)/(q-1) • Lemma 4: The secret information given to each participant consists of k+2(n-1) elements of the finite field GF(q). =>because each participant receives k elements of GF(q) as his share and 2(n-1) elements of extra information
Properties(const) • Lemma 5: The construction can be implemented in polynomial time =>Dl calculates the power of αj in k(k-1)/2 multiplications. then the constants bj,i are calculated in k(n-1) multiplications.Dl needs k(k-1)/2+n(k-1)multiplications.
