An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
Secret Sharing – Lecture Notes
SECRET SHARING – LECTURE NOTES ............................................................ 1
1
MOTIVATION ................................................................................................. 3
2
SHAMIR’S SECRET SHARING [SHAMIR 1979] ........................................... 4
2.1
The Sharing Protocol........................................................................................................................ 5
2.2
The Reconstruction Protocol ........................................................................................................... 5
2.3
Properties Of Shamir’s Secret Sharing .......................................................................................... 6
3
VSS - VERIFIABLE SECRET SHARING ....................................................... 7
3.1
VSS: Interactive Proof [Benaloh 1986] ........................................................................................... 8
3.1.1 Trusted Shareholders, Untrusted Dealer ............................................................................................ 8
3.1.2 Untrusted Shareholders, Untrusted Dealer ........................................................................................ 9
3.1.3 Disadvantages Of Interactive Proofs ................................................................................................10
3.2
VSS: Non Interactive Proof [Feldman 1987] .................................................................................10
3.2.1 An Example Using Diffie-Hellman Encryption ...............................................................................12
4
PRO-ACTIVE SECRET SHARING ............................................................... 12
4.1
Pro-Active Model Requirements ....................................................................................................13
4.2
Basic Share Renewal Protocol ........................................................................................................13
4.3
Share Renewal Protocol In The Presence Of Active Attackers ...................................................14
4.4
Detection Of Corrupted Shares ......................................................................................................15
4.5
Reconstruction Of Lost/Corrupted Shares ....................................................................................16
5
PUBLIUS [WALDMAN, RUBIN, CRANOR 2000] ........................................ 17
5.1
Publius Properties ...........................................................................................................................17
5.2
Publish Protocol ...............................................................................................................................18
5.3
Retrieve Protocol .............................................................................................................................18
5.4
Share Corruption .............................................................................................................................19
Lectures 1-3
1/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
5.5
Delete ................................................................................................................................................19
5.6
Update...............................................................................................................................................20
6
QUESTIONS ................................................................................................. 21
6.1
MOED A 2002 Question 1 ...............................................................................................................21
6.2
Problem-Set 1: Question Number 1 ...............................................................................................22
6.3
Problem-Set 1: Question Number 2 ...............................................................................................22
6.4
Problem-Set 1: Question Number 3 ...............................................................................................23
Lectures 1-3
2/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
1 Motivation
A well-known principle in the analog world is the term reduced trust, meaning that in
order to keep a secret, the less knowledge or power each entity has, the better. This is the
basic philosophy, and we shall study how it is implemented in the digital world as well.
Consider the following problems:

In some situations, there is usually one secret key that provides access to
many important files. If such a key is lost (e.g., the person who knows the
key becomes unavailable, or the computer which stores the key is
destroyed), then all the important files become inaccessible. The question
one may ask is how to back up secret information, so that it does not
depend on one authority only.

While performing the encryption procedure, a certain key needs to be
stored; as we want to ensure that no single entity is entrusted with too
much knowledge or power, the question now, is how to ensure that the key
will not be exploited by the authority holding it.
Following are a few examples for using reduced trust:

Key Escrow / Key Backup – divide the secret key into pieces and
distribute the pieces to different persons so that certain subsets of the
persons can get together to recover the key. Key escrow may also be
(mis)used for law enforcement: For example, in 1991 the U.S. government
tried to enforce a new standard for communication encryption: the
government would have half of the encryption key and another authority
would have the other half. In order to reconstruct the secret a court order
would be needed. This standard was eventually broken.

Secure Storage – divide data into several data-segments, so in order to
reconstruct the whole data, several segments are required. For example,
the data is a file named X and its data segments are X1, X2, X3, so their
XOR would reconstruct X. Of course, this method achieves perfect
security, however, we need all the three segments in order to reconstruct
the file.
Lectures 1-3
3/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing

Collective Control - A joint calculation of Key manipulation functions.
A major drawback of Public Key Cryptography1 is the dominance of a
certain authority, therefore we wish to allow several authorities to
participate in the creation of keys, distributing them, signing them etc.

Cryptographic Primitives – A joint calculation of many cryptographic
primitives, such as electronic voting, agreement protocols, SMPC (Secure
Multi Party Computation), etc.
11/9/02
2 Shamir’s Secret Sharing [Shamir 1979]
Shamir's secret sharing scheme is a threshold scheme based on polynomial interpolation.
It allows a dealer D to distribute a secret value s to n players, such that at least t  n
players are required to reconstruct the secret. The protocol is information theoretically
secure, i.e., any fewer than t players cannot gain any information about the secret by
themselves.
1
Also called Asymmetric Cryptography, where each user has 2 keys: a Public Key, which is known to all,
and a Private Key, which is kept secret.
4/23
Lectures 1-3
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
2.1 The Sharing Protocol
Goal: To share the secret s among players P1 , P2 ,..., Pn such that t players are required to
reconstruct the secret.
1. Dealer D creates a random polynomial f(x) of degree t-1 and constant term
s.
f(x) = a0 + a1 x + + at-1 xt-1
This polynomial is constructed over a finite field, such that the coefficient a0 is
the secret s and all other coefficients are random elements in the field; the field is
known to all participants.
2. Dealer D publicly chooses n random distinct evaluation points: Xj  0,
and
secretly distributes
to
each
player
Pj
the
share
share j ( s )  ( X j , f ( X j ) ), j=1…n. (Remark: The evaluation point Xj could
be any publicly known value, therefore for our convenience, we assume
X j  j , hence the shares are denoted as f (1),..., f ( j ),..., f (n) )
2.2 The Reconstruction Protocol
Goal: To reconstruct the secret from each subset of t shares out of n shares. Without loss
of generality we will mark this subset: f (1),..., f (t )
1. Use Lagrange interpolation to find the unique polynomial f(x) such that
deg f ( X )  t and f ( j )  share j ( s ) for j=1,2,..t
2. Reconstruct the secret to be f(0).
Interpolation Property: Given t pairs of (i, f (i )) , with i’s all distinct, there is a unique
polynomial f(X) of degree t-1, passing through all the points. This polynomial can be
effectively computed from the pairs (i, f (i )) .
Lagrange interpolation:
t
f ( x)   f (i ) * Li ( X ) where Li(X) is the Lagrange polynomial: Li ( X ) 
i 1
 (x  x
j
 (x
i
 xj)
j i
which has value 1 at Xi, and 0 at every other Xj.
Note: in the following sections the terms shareholder and server can be interchanged.
Lectures 1-3
5/23
)
j i
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
Graphic-representation of a degree-2 polynomial and its shares.
figure 1 Shamir’s secret sharing scheme
2.3 Properties Of Shamir’s Secret Sharing
1. Perfect Security – information theoretic security. Given any t shares, the
polynomial is uniquely determined and hence the secret a0 can be
computed. However, given t-1 or fewer shares, the secret can be any
element in the field and thus those shares do not supply any further
information regarding the secret.
2. Ideal – Each share is exactly the same size as the secret.
3. Extendable – additional shares may easily be created, simply by
calculating the polynomial in additional points.
4. Flexible – can assign different weights (by the number of shares) to
different authorities.
5. Homomorphic2 property – Shamir’s secret sharing scheme has the (+,+)
homomorphism property. For example, assume there are two secrets: S, T;
We say that F has the (,*) homomorphism property if:
F(x1, x2,.. ,xn)+ F(y1, y2,.. ,yn) = F(x1*y1, x2*y2,… ,xn*yn)
6/23
Lectures 1-3
2
11/9/02
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
are both hidden using Shamir’s secret sharing scheme. Their
corresponding shares are: ( f (1),...., f (n)) which define the polynomial
f(X), and ( g (1),..., g (n)) which define the polynomial g(X). Assume further
that each i’th shareholder sums: h(i)  f (i)  g (i ) ( i  [1...n] ); then each
of these sums is itself a share of the sum of the secrets S+T, in other
words, the polynomial that those shares define is h( X )  f ( X )  g ( X ) ,
and therefore h(0)  S  T .
6.
Efficient Distributed Mechanism For Arithmetic Calculations – for
example multiplication by a constant: every shareholder will multiply
his/her share by the constant.
3 VSS - Verifiable Secret Sharing
In the previous scheme we assumed that the Dealer is reliable, however, a misbehaving
dealer can deal inconsistent shares to the participants, from which they will not be able to
reconstruct a secret. To prevent such malicious behavior of the dealer, one needs to
implement a protocol through which a consistent dealing can be verified by the recipients
of shares. The problem of verifiable secret sharing is to convince shareholders that their
shares (collectively) are ,t-Consistent, meaning that every subset of t shares out of n (that
the Dealer distributed) defines the same secret. It is easy to see that in Shamir’s scheme,
the distributed shares are t-Consistent if and only if the interpolation of the points
((1, f (1)), (2, f (2)),..., (n, f (n))) yields a polynomial of degree at most t-1.
Of course if the shareholders would transfer their shares, they could easily confirm
consistency, however this would contradict the purpose of the secret sharing scheme.
There are two versions of verifiable secret sharing protocols: Interactive proofs and non
Interactive proofs. Both versions allow the validity of secret shares to be verified
without their being revealed; a shareholder can obtain high confidence that he/she holds a
valid share of the secret rather than a useless random number.
The protocols use the following property:

If the sum of two polynomials is of degree at most t-1, then either both are
of degree at most t-1 or both are of degree greater than t-1.
A simple, but incorrect, solution might be:

The Dealer will choose an additional random polynomial of degree t-1 :
p(x).
Lectures 1-3
7/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing

The Dealer will prove that p(x) is of degree t-1.

The Dealer will prove that the sum of the secret polynomial: f(x) with the
random polynomial: p(x), is of degree t-1 .
11/9/02
However, the drawback here is that the Dealer reveals p(x) and the sum of P( X )  f ( X ) ,
hence we can determine f(x) and reveal the secret.
3.1 VSS: Interactive Proof [Benaloh 1986]
We will introduce two different interactive proofs for VSS. In the first protocol we
assume that the shareholders do not cheat. In the second protocol we do not assume that.
3.1.1 Trusted Shareholders, Untrusted Dealer
The protocol is as follows:
1. The Dealer uses Shamir’s secret sharing scheme for a secret s: creates f(x),
in which f (0)  s , and distributes the shares: f (1),..., f (i ),..., f (n) one
for each participant.
2. The Dealer chooses many (say 100) random polynomial of degree t-1:
P1 ( X ),..., P100 ( X ) .
The Dealer commits himself to the polynomials by distributing to every i‘th
shareholder 100 shares, one of each polynomial: P1 (i),..., P100 (i) i  [1...n] .
3. The shareholders choose 50 random indices from [1..100], say {j1,..j50},
and ask the Dealer to reveal the polynomials: Pj1 ( X ),..., Pj 50 ( X ) . (The
distributed algorithm for the selection of the indices is beyond the scope of
this document).
4. The Dealer reveals the polynomials in the chosen subset. We assume that
all the shareholders receive the same polynomials (There are mechanisms,
outside the scope of this document, by which reliable broadcast by a
dealer may be enforced).
5. The shareholders verify that the distributed shares of the revealed
polynomials define polynomials of degree t-1.
As for now, the Dealer proved, with high probability, that all the shares of all the
polynomials: P1 ( X ),..., P100 ( X ) define polynomials of degree t-1.
Lectures 1-3
8/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
6. The
Dealer
reveals
Secret Sharing
f ( X )  Pj 51 ( X ),..., f ( X )  Pj100 ( X ) ,
11/9/02
where
{ j51 ,..., j100 } are the remaining indices.
7. The shareholders verify that f ( X )  Pj 51 ( X ),..., f ( X )  Pj100 ( X ) are of
degree t-1 and correspond to their own shares, e.g. the i’th shareholder
verifies, using the homomorphic property, that f (i)  Pt (i) (simply by
summing his corresponding shares) equals to f ( X )  Pt ( X ) in the i’th
coordinate (by substituting the i’th coordinate in the revealed polynomials’
sum) for all t  { j51 ,..., j100} .
But the question that one may ask is what if a conflict occurs? we cannot determine who
is cheating: the Dealer or one of the shareholders.
3.1.2 Untrusted Shareholders, Untrusted Dealer
Here there is no assumption on the honesty of either the Dealer or the shareholders. The
idea is simple: the Dealer will commit by encryption. Instead of delivering the shares (of
the 100 random polynomials) to every shareholder, the Dealer will encrypt all the shares
and then distribute them all. There are two additional requirements that the protocol
below requires:
 The encryption algorithm should have the homomorphic property:
E ( x  y )  E ( x) * E ( y )
An example for an encryption algorithm that complies with this property is the
Diffie-Hellman3 encryption.
 The Dealer should use a secure broadcast while publishing the encrypted
shares. (A detailed protocol for a secure broadcast is beyond the scope of
this document).
The protocol is as follows:
1. The Dealer uses Shamir’s secret sharing scheme for a secret s: creates f(x),
in which f (0)  s , and distributes the encrypted shares.
2. The Dealer chooses many (say 100) random polynomials of degree t-1:
P1 ( X ),..., P100 ( X ) . The Dealer commits himself to the polynomials by
publishing the 100*n encrypted shares:
3
Diffie-Hellman encryption: Given a large prime p and a generator g of Z *p, the encryption of a message x
is: gx mod p
9/23
Lectures 1-3
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
E ( P1 (1)),..., E ( P100 (1))
……………………
……………………
E ( P1 (i)),..., E ( P100 (i))
……………………
E ( P1 (n),..., E ( P100 (n))
3. The shareholders choose 50 random indices from [1..100], say { j1 ,..., j50 } ,
and ask the Dealer to reveal the polynomials: Pj1 ( X ),..., Pj5 0 ( X ) .
4. The Dealer reveals the polynomials in the chosen subset.
5. The shareholders verify that g Pw (i )  E ( Pw (i ) ), for all w  { j1 ,..., j50 } and
for all i  [1...n] .
6. The
Dealer
reveals
f ( X )  Pj 51 ( X ),..., f ( X )  Pj100 ( X ) ,
where
{ j51 ,..., j100 } are the remaining indices.
7. Each i’th ( i  [1...n] ) shareholder, using the homomorphic property,
verifies that g f ( X ) Pt ( X ) in the i’th coordinate equals to E ( f (i)) * E ( Pt (i))
(for all t  { j51 ,..., j100} ).
3.1.3 Disadvantages Of Interactive Proofs
There are a few drawbacks to interactive proofs:

Such an interactive proof asserts a proof only to the participants of this
protocol, and only at the moment it is held. These proofs have no meaning
for a person who is not online and does not participate in the random
selections.

As a result, these proofs are not valid to a third party, and in particular,
they cannot be legal proofs in court.
3.2 VSS: Non Interactive Proof [Feldman 1987]
Lectures 1-3
10/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
Contrary to the previous protocols, in a Non Interactive Proof scheme, only the dealer is
allowed to send messages, in particular the shareholders cannot talk with each other or
with the dealer when verifying a share. The basic idea is that the dealer sends extra
information to each participant during the distribution and each participant verifies that
his/her secret share is consistent with this extra information.
There is an additional requirement that the protocol below requires:

The encryption algorithm should have the homomorphic property both
with respect to addition and to multiplication:
E(x+y) = E(x)  E(y)
E(x*y) = E(x)  E(y)
An example for an encryption algorithm that complies with this property is the
Diffie-Hellman encryption.
The protocol is as follows:
1. The Dealer uses Shamir’s secret sharing scheme; for a secret s, the Dealer
creates f(x), in which f (0)  s (also marked as a0):
f(x) = a0 + a1 x + + at-1 xt-1
and distributes the shares: f (1),..., f (i ),..., f (n) , one for each participant. In
addition, the Dealer publishes the encryption of all the t coefficients:
E (a0 ), E (a1 ),..., E (at 1 ) .
2. Each i’th i  [1...n] shareholder verifies his/her own share by checking the
following equation:
?
E ( f (i ))  E (a0 )  ( E (a1 )  E (i 1 ))  ...  ( E (at 1 )  E (i t 1 ))
This is done due to the homomorphic properties and the associative properties
for both addition and multiplication.
3. If this equation holds, the i’th shareholder broadcasts a message saying
that he/she accepts his/her share as proper. If all the shareholders find their
shares correct, then the dealing phase is completed successfully. If for
some k, the k’th shareholder finds the above equation incorrect, then the
k’th shareholder publishes an accusation against the dealer. The honest
shareholders can decide whether it is the Dealer or the accuser that
misbehaves.
Note that it is also possible to verify that f(0) = s, if s is known.
Lectures 1-3
11/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
3.2.1 An Example Using Diffie-Hellman Encryption
Let’s assume that:
 Our secret is s = 5.
 n = 7, meaning that we have 7 shareholders.
 The polynomial is of degree: t-1 = 3.
Let’s go through the stages of the algorithm one after the other:

The Dealer randomly chooses the coefficients (except for the first one):
a0  5, a1  2, a3  1, a4  2 and the polynomial is:
f ( X )  5  2 X  1X 2  2 X 3
The shares are: f (1)  10, f (2)  29,..., f (7)  754
The
encryptions
of
the
coefficients
5
2
1
E (a 0 )  g mod p, E (a1 )  g mod p, E (a 2 )  g mod p, E (a3 )  g 2 mod p

are:
The i’th shareholder verifies:
For the first shareholder (i =1): E ( f (1))  g 10 mod p is equal to:
E (a 0 )  ( E (a1 )  E (i 1 ))  ...  ( E (at 1 )  E (i t 1 )) =
E (a 0 )  E (a1 * (11 ))  E (a 2 * (12 ))  E (a3 * (13 )) =
E (a 0  (a1 * (11 ))  (a 2 * (12 ))  (a3 * (13 ))) =
g 5 21 2 mod p =
= g 10 mod p
For the second shareholder (i =2): E ( f (2))  g 29 mod p is equal to:
E (a 0 )  ( E (a1 )  E (i 1 ))  ...  ( E (at 1 )  E (i t 1 )) =
E (a0 )  E (a1 * (21 ))  E (a 2 * (2 2 ))  E (a3 * (2 3 )) =
E (a0  (a1 * (21 ))  (a 2 * (2 2 ))  (a3 * (2 3 ))) =
g 5 4 416 mod p =
= g 29 mod P
And so on for all the 7 shareholders.
4 Pro-Active Secret Sharing
The Secret Sharing scheme assumes long-lived shares, however the protection provided
by this scheme may be insufficient. The security in a system that is exposed to attacks
and break-ins might become exhausted; several faults might occur:
Lectures 1-3
12/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem



Secret Sharing
11/9/02
Secrets can be revealed.
Shares can gradually be corrupted/compromised.
Hardware failure or damage, for example reboot, power failures etc.
The goal of the pro-active security scheme is to prevent the adversary from learning the
secret or from destroying it, in particular any group of t non-faulty shareholders should be
able to reconstruct the secret whenever it is necessary.
The term pro-active refers to the fact that it's not necessary for a breach of security to
occur before secrets are refreshed, the refreshment is done periodically (and hence,
proactively).
The core properties of pro-active secret sharing:


To renew existing shares without changing the secret, so that previous
exposures of shares will not damage the secret (old shares will become
useless).
To recover lost or corrupted shares without compromising the secrecy of
the shares.
This should be performed without, of course, any information-leak or any secret change.
4.1 Pro-Active Model Requirements
1. An adversary can reveal at most t-1 shares in any time period (where t1<n/2. this guarantees the existence of t honest shareholders at any given
time). This time period should be synchronized with the share-renewal
protocol.
2. Authenticated broadcast channel.
3. Authenticated and secret communication channels between each two
participants.
4. Synchronization: the servers (shareholders) can access a common global
clock so that the protocol can be applied in a certain time period.
5. Shares can be erased: every honest server (shareholder) can erase its
shares in a manner that no attacker can gain access to erased data.
We assume that the adversary is computationally bounded, so that it cannot break the
public key encryption and the verifiable secret sharing mechanism.
4.2 Basic Share Renewal Protocol
The goal here is to renew the shares without the Dealer’s involvement. (as the Dealer
might not exist anymore). The shareholders should agree on a new polynomial with the
Lectures 1-3
13/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
same secret s without revealing the secret, the old polynomial or the new polynomial. At
the end of this protocol, each shareholder will obtain a new share on the new t-1
polynomial. The assumption in this protocol is that each shareholder remembers his/her
old share.
We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret
sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial
f(x). After the initialization, at the beginning of each time period, all honest
servers/shareholders trigger an update phase in which the servers perform a share renewal
protocol.
The protocol at the beginning of a time period is as follows:
1. Each i’th shareholder i  [1...n] randomly picks t-1 numbers from the
finite field. These numbers define a polynomial Pi(X) of degree t-1 whose
free coefficient is zero ( Pi (0)  0 ).
2. Each i’th shareholder distributes the shares of Pi(X ) using VSS among
the shareholders.
3. Each i’th shareholder receives the following shares: P1 (i),..., Pn (i)
(including his own made share Pi(i)) and computes his/her new share by
adding his old share- f(i) to the sum of the new n shares. Mathematically
n
speaking: h(i)  f (i)  c1 Pc (i)
4. Each i’th shareholder erases his/her old share - f(i).
This protocol solves the share renewal problem against a passive adversary who may
learn the secret information available to corrupted shareholders, but where all the
shareholders follow the predetermined protocol.
4.3 Share Renewal Protocol In The Presence Of Active Attackers
In the basic share renewal protocol an active adversary can cause the destruction of the
secret by dealing inconsistent shares or by choosing a polynomial Pi(X ) with Pi(0)  0.
Therefore, a verifiability feature is added to the basic protocol: it will use the noninteractive secret sharing scheme but with the property that the fact that all the
shareholders find their shares to be consistent, proves the correct dealing of update shares
by the shareholders.
Lectures 1-3
14/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
Again, we assume an initial stage where a secret s is encoded into n shares using
Shamir’s secret sharing scheme. Each participant holds his/her share f(i) for some t-1
degree polynomial f(x).
The protocol at the beginning of a time period is as follows:
1. Each i’th shareholder i  [1...n] randomly picks t-1 numbers from the
finite field. These numbers define a polynomial Pi(X) of degree t-1 whose
free coefficient is zero ( Pi (0)  0 ).
2. Each i’th shareholder computes the shares Pi (1),..., Pi (n) and their
encryption: E ( Pi (1)),..., E ( Pi (n)) and in addition, computes the encryption
of all the t coefficients of Pi(X): E (a0 ), E (a1 ),..., E (at 1 ) .
3.
Each
i’th
shareholder
publishes
the
message:
(i, E (a m ) m{1... t 1} , E ( Pi (b)) b{1... n}\ i ) and a signature on this message, using
VSS.
4. For all such messages (from other servers-) that the i’th shareholder
receives, he/she verifies the correctness of shares using the same equation
as
in
non-interactive
VSS,
namely:
for
each
j  i:
?
E ( Pj (i)) ( E (a j1 )  E (i1 ))  ...  ( E (a j t 1 )  E (i t 1 )) .
Notice
that
this
equation accounts for the condition: Pj (0)  0
5. If the i’th shareholder finds all the messages sent by other shareholders to
be correct (e.g., correct signature, correct time period, etc.), and all the
above equations hold, then it broadcasts a signed acceptance message
announcing that all the checks were successful.
6. If all the shareholders sent such acceptance messages, the i’th shareholder
n
updates his/her own share by performing : h(i)  f (i)  c1 Pc (i) .
7. If in step 5, the i’th shareholder finds any irregularities in the behavior of
any shareholder during step 4, then he/she broadcasts a signed accusation
against the misbehaving shareholder.
4.4 Detection Of Corrupted Shares
Lectures 1-3
15/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
In a pro-active secret sharing system, participating shareholders must be able to make
sure whether shares of other shareholders have not been corrupted or lost, and restore the
correct share if necessary. Otherwise, an adversary could cause the loss of the secret (by
destroying n-(t-1) shares). The goal in this section is to present a mechanism for detection
of corrupted shares.
There are obvious situations in which there is a high probability that the share is ruined,
e.g. a disk crash, but how would anyone find out that a hacker penetrated his/her
computer, revealed his/her share and changed it? The idea is to save some fingerprint for
each share that is common to all the shareholders, so that periodically, shareholders can
compare shares (using secure broadcast).
In order to implement the distributed verifiability of shares, a basic feature is added to the
previous protocol. In each time period, each shareholder stores the encryptions of all the
shares he/she received from the other shareholders. This is achieved as follows:

Perform the non-interactive VSS, so the encryption of the initial shares
will be stored at each shareholder.

Using the homomorphic property, each i’th shareholder updates his/her
set of encrypted shares by computing for every j:
n
E (h(i ))  E ( f (i )) *  E ( Pm ( j )) . Actually, this product is computed
m 1
using only update shares corresponding to well behaved shareholders.
4.5 Reconstruction Of Lost/Corrupted Shares
This is a fundamental phase in the pro-active scheme, because without it, this scheme
would not be secure against adversaries who disable some shareholders from performing
the required protocol.
The basic idea is to send a shareholder - r, who lost his share, information that will help
him recover it without the Dealer’s involvement. A simple solution is to let each
shareholder send his/her own share to r; that would allow r to recover the polynomial
f(X), and then substitute r and recover his lost share f(r). However, this would expose the
secret s to r.
The algorithm for reconstructing the f(r) share is as follows:
1. Each i’th shareholder ( i  [1...r  1], [r  1,..., n] ) randomly chooses a
polynomial Pi(X) of degree t-1 where Pi(r) = 0 and Pi(0)  0 .
Lectures 1-3
16/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
2. Each i’th shareholder (except for the r’th shareholder) distributes shares of
Pi(X ): Pi (1),..., Pi (n) using VSS among the shareholders (except for the
r’th shareholder).
3. Each i’th shareholder (except for the r’th shareholder) receives
P1 (i),..., Pr 1 (i), Pr 1 (i),..., Pn (i) and calculates his/her new share for r:
h(i)  f (i)  c1 Pc (i)  k r 1 Pk (i) and sends it encrypted to r.
r 1
n
4. The r’th shareholder decrypts these shares and interpolates them to
recover f(r). He/she receives a new polynomial in which the r’th share has
the same value as the old lost share: h(r) = f(r).
Note that this protocol is secure only against an adversary that eavesdrops on t-1 or
less shareholders but cannot change their behavior.
5 Publius [Waldman, Rubin, Cranor 2000]
The idea here is to exploit the Internet’s ability to resist censorship and provide
indestructible archival service. This idea is of immense importance as authors may wish
to publish their works anonymously, because they believe they will be more readily
accepted if not associated with a person of their gender, race, ethnic background, or other
characteristics. Moreover, the publication of written words has some drawbacks, since
those who wish to suppress it can stop publication, destroy published materials, prevent
the distribution of publications or even intimidate or physically harm the author or
publisher.
We assume that the Publius system consists of publishers who post some content to the
web, a fixed set of m available servers who host the content and retrievers who browse
the Publius content on the web.
5.1 Publius Properties
The Publius system has several advantages:
1. It is difficult for any adversary to modify the Publius content.
2. The identity of the publisher is protected once the material is published on
the web.
3. Any k available uncorrupted hosts storing shares of a file can be used to
retrieve and decrypt the file.
Lectures 1-3
17/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
4. The file name is cryptographically linked to its content, allowing tamper
detection.
5. It provides tools for updating and deleting the Publius content by the
publisher.
5.2
Publish Protocol
The protocol for publishing Publius content M is as follows:
1. The publisher, Alice, generates a random symmetric key, K, and encrypts
the file M using K to produce {M}K.
2. Alice splits K into n shares: share1 ,..., sharen using Shamir’s secret sharing
scheme, such that any k of them can reconstruct the secret.
i  [1...n] ,
3. For
each
share
i,
Alice
computes:
namei  wrap( H (M * sharei )) , meaning that namei is calculated by
concatenating sharei with the message, taking their hash and then xoring
the first half of the hash output with the second half.
4. For each of the n shares, Alice computes: location i  (namei mod m)  1 to
obtain n values between 1 and m. At the end of this stage, at least
k  d  m unique values (represent the servers that will hold the Publius
content) should be obtained. (Otherwise, we would perform those stages
again).
5. Alice publishes ({M K }, share i ) on a server at locationi, under a directory
named namei. Therefore the locations of all the shares are uniquely
determined once M,K,m are given.
6. Alice
creates a URL containing
together.
(d , namei  values) concatenated
5.3 Retrieve Protocol
A retriever, Bob, wishes to view the Publius content, given the URL U.
Lectures 1-3
18/23
11/9/02
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
The protocol for retrieving Publius content M is as follows:
1. Bob parses the URL and receives the namei-values. Then for each nameivalue he computes: location i  (namei mod m)  1, and arbitrarily chooses
k locations. He then retrieves the encrypted content {M}K (Per request to
one of the servers from the k locations) and k shares (per request to all the
k servers).
2.
Bob interpolates the shares and retrieves the key K, then he decrypts the
file.
3. Bob verifies that all the namei-values corresponding to the selected shares
are correct by recomputing namei. If the verification fails, Bob can try a
different set of k shares and an encrypted content stored on one of the
other n servers.
5.4 Share Corruption
 n
If something goes wrong during Bob’s verification, then he can try   combinations of
k
shares until a correct one is found. If he is willing to initially download all the shares
from all the servers, then he can use Berlekamp and Welch method for finding the key K,
provided that less than (n-(k-1))/2 shares are corrupted.
5.5 Delete
A necessary feature is to let the publisher – Alice, and nobody else but Alice, the ability
to delete her Publius content.
The protocol is as follows:
1. Alice creates a password PW (before publishing her file) and sends the
encrypted file, a share and H ( server _ domain _ name * PW ) to every
server. The last refers to the hash of PW concatenated with the domain
name of the server. The reason for storing this hash and not PW itself or
H(PW) is that it prevents other servers from learning the password and
deleting the Publius content.
2. In
order
to
delete
the
Publius
content,
Alice
sends
H ( server _ domain _ name * PW ) to all the hosting servers and namei that
corresponds to each server. The servers compare the received hash with
Lectures 1-3
19/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
the one stored, and if they match, they remove the Publius file and all the
associated materials.
5.6 Update
Another important feature is to let Alice update her Publius content. The idea is to enable
Alice to change the Publius content without changing the URL, because others may have
links to the original site.
The protocol is as follows:
1. Use the above password protection mechanism.
2. Alice creates a file name containing the updated version, the original
URL, the old PW and a new one. The update procedure first publishes the
new content, then finds the n servers that host this Publius file and then
distributes each server a message from Alice containing the original
password, the old namei and a new URL.
3. Each server places the new URL in an update file, and deletes the content
of the old file.
4. When Bob retrieves the Publius content, if an update file exists, the
servers return the update URL instead of the contents. Bob receives the
updated URL from k servers and compares them. If they all pass the
verification, Bob retrieves the new URL instead. Bob is not aware of this
change, from his point of view, he requested a web page and got it.
Lectures 1-3
20/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
6 Questions
6.1 MOED A 2002 Question 1
Question: Using Shamir’s secret sharing, n shares are distributed, so every sub-set of t
out of them can reconstruct the secret. Describe a protocol between the shareholders in
which at the end t-1 of them can reconstruct the secret.
Answer: There are several protocols that can be used here; we would present a protocol
that slightly changes the basic share renewal protocol presented in the summarized
material.
We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret
sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial
f(x).
The protocol is as follows:
1. All the shareholders agree on a number - N, which does not exist yet, i.e.
N  [1...n] .
2. Each i’th shareholder ( i  [1...n] ) randomly chooses a polynomial Pi(X) of
degree t-1 where Pi(N) = 0 and Pi(0)  0 .
3. Each i’th shareholder distributes shares of Pi(X ): Pi (1),..., Pi (n) using VSS
among the shareholders.
P1 (i),..., Pn (i)
4. Each
i’th
shareholder
receives
and
calculates:
n
h(i )  f (i )   Pc (i ) , he then distributes h(i) to all the shareholders .
c 1
5. Each i’th shareholder receives h(1),..., h(i ),..., h(n) , and interpolates them to
receive a new polynomial - h(X). He then substitutes N in h(X) and that is his
extra share.
Note that h(X) is of degree t-1 and that f ( N )  h( N ) , hence each i’th shareholder holds
a unique share f(i) and a common share f(N). The consequence is that each sub-set of t-1
shareholders possesses t shares and can reconstruct the secret.
Lectures 1-3
21/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
6.2 Problem-Set 1: Question Number 1
Question: In Shamir's secret sharing scheme, a secret is split among n members using a
polynomial of degree k. A collusion of k members has k shares. Describe under what
condition the collusion can reveal the secret.
Answer: Under no condition. The protocol is information theoretically secure, i.e., any
fewer than k+1 players cannot gain any information about the secret by themselves.
There is a polynomial of degree k that passes through their k shares and the k+1’st share,
whatever value it may have. For example, assume k=1, meaning the polynomial is a line,
therefore, two shares are required for retrieval of the secret. (The secret is the point where
the line intersects with the y-axis.) Each share is a point on the line. Any two points
determine the line and hence the secret. With just a single point, the line can be any line
that passes the point, and hence the secret can be any point on the y-axis.
6.3 Problem-Set 1: Question Number 2
Question: A file F is stored using Shamir's secret sharing scheme for security and secrecy
on n servers, using k-out-of-n sharing. Later, n new servers are purchased, and the system
administrator wants to increase the availability of F without increasing the security by
storing it using k-out-of-2n sharing.
Describe in detail how the administrator can upgrade the system this way, without doing
any of the following:
(i) sending shares that allow to reconstruct the secret to any one (old or new) location
(ii) replacing any of the existing shares.
Answer:
The shareholders can run the share renewal protocol to create n additional new shares.
We assume an initial stage where a secret s is encoded into n shares using Shamir’s secret
sharing scheme. Each participant holds his/her share f(i) for some t-1 degree polynomial
f(x).
The protocol is as follows:
For each new server K  n  1,...,2n :
1. All the old shareholders (1…n) agree on the next number – K.
2. Each i’th shareholder ( i  [1...n] ) randomly chooses a polynomial Pi(X) of
degree t-1 where Pi(K) = 0 and Pi(0)  0 .
Lectures 1-3
22/23
An advance course in computer and network security
Dr. Dahlia Malkhi
The Hebrew University of Jerusalem
Secret Sharing
11/9/02
3. Each i’th shareholder i  [1...n] distributes shares of Pi(X ): Pi (1),..., Pi (n) using
VSS among the old shareholders.
4. Each i’th shareholder
i  [1...n]
receives
P1 (i),..., Pn (i)
and calculates:
n
h(i )  f (i )   Pc (i ) , he then sends h(i) encrypted to the K’th shareholder .
c 1
5. The K’th shareholder decrypts these shares and interpolates them to find out his
new share - f(K) (which equals to h(K)).
6.4
Problem-Set 1: Question Number 3
Question: All conditions and constraints of the previous question being the same, the
system administrator wishes to use the new servers to increase both the availability
and the secrecy of F by moving to 2k-out-of-2n sharing scheme. Answer is it
possible?
Answer:
(i) is possible but (ii) is not, meaning that the administrator does not have to send k or
more shares to any location, but he has to replace any of the existing shares.
Shareholders can run a protocol similar to share-recovery (share renewal) to create 2n
new shares, without reconstructing the secret at any one of them. However, the old
shares must be replaced, or else, the security will not be increased.
Lectures 1-3
23/23