Secret Sharing
Introduction
 Shamir’s Secret Sharing
 Congruence Class Scheme (CRT)

1
Introduction

(t, n) Secret Sharing (Threshold) Scheme [Shamir 1979,
Blackly 1979]: A (t, w)-threshold scheme is a method of
sharing a key K among a set of w participants, in such a way
that any t participants can compute the value of K, but no
group of t-1 participants can do so.
any t of w
K
Bank
2
Introduction (Cont.)

術語
Threshold Value t
Access Instance
Secret Shadow (Share) Si
Shared Secret(Key) K
Access Structure
Shadowholders
Cheaters:
dishonest holders
Trusted Dealer
3
Introduction (Cont.)

Requirements:
The shared secret can be recovered by any t or more of w
shadows.
The shared secret cannot be determined by any t-1 or fewer
shadows.

Basic Assumptions
There exists a trustworthy dealer to construct the secret sharing
scheme.
Shadowholders are honest to recover the share secret K.

Some Variant
Secret sharing schemes without dealers.
Secret sharing schemes with cheaters.
Secret sharing schemes with fairly recover shared secret.
4
Introduction (Cont.)

Generalized Secret Sharing Scheme. [Ito et al. 1987, Lin
& Harn 1991 (based on RSA assumption)]
The access structures can be specify exactly which subsets of
participants should be able to determine the key and which should
not.
Example:
+
+
+
+
5
Introduction (Cont.)
A (generalized) secret sharing scheme realizing the access
structure T is a method of sharing a key K among a set of w
participants (denoted by P), in such a way that the following two
properties are satisfied:
1.If an authorized subset of participants BP pool their shares,
then they can determine the value of K.
2.If an unauthorized subset of participants BP pool their shares,
then they cannot determine nothing the value of K
 Access structure satisfy the monotone property: if BT and B
 C  P, then CT.
6
Introduction (Cont.)

Dynamic Secret Sharing
Some problems of secret sharing
 Renew problem for shared secrets. [Laih et al. 1989]
K
K'
Si
S'
i
 Reuse
problem for secret shadows. [Zheng et al. 1994]
Recover
useless shadows
7
Introduction (Cont.)
Result of the renew/reuse problems
Secret
Shadows
Shadowholders
Dealer
Secure Channels
Secrecy, Authenticity, & Integrity
8
Shamir’s Secret Sharing

Lagrange Interpolation Polynomial Scheme:
Initialization Phase
Dealer choose w distinct, nonzero elements, x1, x2,…, xw, of ZP.
Public x1, x2,.., xw, and give xi to shadowholder pi.
Share Distribution Phase (Suppose the key is K)
Dealer construct a random polynomial of degree t-1 over ZP
h(x) = at-1xt-1 +…+ a1x + a0
such that a0 = K (ie. h(0) = K).
Dealer computes the shares Ki = h(xi) and give Ki to pi secretly
for i = 1, 2, …, w.
9
Shamir’s Secret Sharing (Cont.)
Key Recovery Phase:
Any t shadows can recover the h(x) by pooling t points
(xi1, Ki1), (xi2, Ki2), .., (xit, Kit)
t
t
h( x)   K s 
s 1
j 1
js
( x  xi j )
( xis  xi j )
mod p
K = h(0)
10
Shamir’s Secret Sharing (Cont.)

Examples: (3, 5) Secret Sharing Scheme
Initialization Phase
Dealer choose 5 distinct, nonzero elements,
x1= 1, x2 = 2, x3 = 3, x4 = 4, x5 = 5 of Z17.
Public x1= 1, x2 = 2, x3 = 3, x4 = 4, x5 = 5
and give xi to pi for i = 1, 2, 3, 4, 5.
Share Distribution Phase (Suppose K = 13)
Dealer construct a polynomial of degree t-1 = 2 over Z17
h(x)= a2x2 + a1x + a0= 2x2 + 10x + 13
such that a0 = K = 13 (ie. h(0) = 13)
11
Shamir’s Secret Sharing (Cont.)
Compute the shadows K1, K2 , K3 , K4 , K5.
K1 = h(1) = (2+10+13) mod 17 = 25 mod 17 = 8
K2 = h(2) = (8+20+13) mod 17 = 41 mod 17 = 7
K3 = h(3) = (18+30+13) mod 17 = 61 mod 17 = 10
K4 = h(4) = (32+40+13) mod 17 = 85 mod 17 = 0
K5 = h(5) = (50+50+13) mod 17 = 113 mod 17 = 11
Then give Ki to pi secretly for i=1, 2, 3, 4, 5.
12
Shamir’s Secret Sharing (Cont.)
Key Recovery Phase
Suppose the {p1, p3, p5} wants to recover the shared key K = 13,
they pool their shares to obtains three points
(x1, K1) = (1, 8) , (x3, K3) = (3, 10) , (x5, K5) = (5, 11).
( x  3) ( x  5)
( x  1) ( x  5)
( x  1) ( x  3)
 10
 11
(1  3) (1  5)
(3  1) (3  5)
(5  1) (5  3)
 [(x 2  9 x  15)  (6 x 2  15x  13)  (12x 2  3x  2)] mod17
 2 x 2  10x  13
h( x )  8
K = h(0) = 13
13
Shamir’s Secret Sharing (Cont.)
h(x)= at-1xt-1 +...+ a1x + K (mod p)
the share Ki = h(xi)
K
xi
Recovery of the Shared Secret K
Lagrange Interpolating Polynomial
t
t
h( x)   K s 
s 1
j 1
js
( x  xi j )
( xis  xi j )
mod p
14
Congruence Class Scheme (CRT)
The shadows are congruence classes of a number
associated with K.
 Initialization & Share Distribution Phase
(Suppose the key is K)

Let {p, d1, d2,…, dw} be a set of integers such that
p > K
 d1 < d2 < … < dw
 gcd(p, di) = 1 for all i
 gcd(p, di) = 1 for all i
 d1d2…dt > pdw-t+2dw-t+3…dw
Let n = d1d2…dt thus n/p > the product of any t – 1 of di.
15
Congruence Class Scheme (CRT) (Cont.)
Choose a random integer r in [0, (n/p) - 1]
Compute K’ = K + rp , this implies K’ in [0, n - 1]
The shadows are then as follows:
Ki = K’ mod di for i = 1,2,…,w

Key Recovery Phase
If there are t shadows Ki1, Ki2, …, Kit are known, then by CRT
K’ is known on module n1 = di1di2, , …, dit
K = K’ - rp
16
Congruence Class Scheme (CRT) (Cont.)

Examples: (t, w) = (2, 3) Secret Sharing Scheme
Initialization & Share Distribution Phase:
 The secret key K = 3, p = 5, d1 = 7, d2 = 9, d3 = 11.
This ensures n = d1d2 > pd3
 Choose a random integer r in the range
[0, n/p - 1] = [0, (63/5) - 1] = [0, 11]
r=9
 K’ = K + rp = 3 + 9 * 5 = 48
 The three shadows are:
K1  48mod 7  6
K 2  48mod 9  3
K 3  48mod11  4
17
Congruence Class Scheme (CRT) (Cont.)
Key Recovery Phase
 Suppose we have two shadows K1 and K3.
Thus n1 = d1d3 = 7 * 11 = 77.
 Use CRT to compute K’ = 48.
 K = K’ – rp = 48 – 9 * 5 = 3
18