
41. Secret sharing systems. Threshold schemes. Threshold schemes with liars.
In cryptography, secret sharing refers to any method for distributing a secret among a group of
participants, each of whom is allocated a share of the secret. The secret can only be reconstructed
when the shares are combined; individual shares are of no use on their own.
The secret is opened only when specific conditions are fulfilled. Each of n participants is given a
number of shares, and any group of t (threshold) or more shares together can open the secret,
but no group of fewer than t shares can.
A secure secret sharing scheme distributes shares so that anyone with fewer than t shares has
no more information about the secret than someone with 0 shares. Consider the naive secret
sharing scheme in which the secret phrase "password" is divided into the shares "pa------", "--ss----", "----wo--", and "------rd". A person with 0 shares knows only that the password consists
of eight letters. He would have to guess the password from $26^8$ = 208 billion possible
combinations. A person with one share, however, would have to guess only the six letters from
$26^6$ = 308 million combinations. This system is not a secure secret sharing scheme, because a
player with fewer than t shares gains significant information about the content of the secret. In a
secure scheme, even a player missing only one share should still face $26^8$ = 208 billion
combinations.
Secret sharing was invented independently by Adi Shamir and George Blakley in 1979.

Examples

Imagine that the Board of Directors of Coca-Cola would like to protect Coke's secret
formula. The president of the company should be able to access the formula when
needed, but in an emergency, any 3 of the 12 board members would be able to unlock
the secret formula together. This can be accomplished by a secret sharing scheme with t
= 3 and n = 15, where 3 shares are given to the president, and 1 share is given to each
board member.

In [McEl81] a variant of the construction above is proposed that can handle the
situation in which some of the participants provide false information, so that the
share they provide does not have the correct value. Some participants may want to do
this to prevent others from getting access to the secret data. It will turn out that
it takes two extra shares to recover the secret for each incorrect share that is
contributed. So, if $k + 2t$ participants pool their shares to recover the secret, at
most $t$ of the shares should be false.

Construction 15.2. Let $S$ be a secret from $GF(q)$, for some prime power $q$, and let
$\alpha_1, \alpha_2, \ldots, \alpha_n$, $n \le q - 1$, be a list of $n$ different
non-zero elements in $GF(q)$, e.g. $\alpha_i = \alpha^i$, $1 \le i \le n$, for some
primitive element $\alpha$ in $GF(q)$. Consider
$f(x) = S + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$, where the coefficients $a_j$,
$1 \le j \le k - 1$, are randomly selected from $GF(q)$. The pair
$(\alpha_i, f(\alpha_i))$ will be the share $S_i$ of the $i$-th participant. Suppose
that $k + 2t$ participants ($k + 2t \le n$) pool their shares and assume that at most
$t$ of these are incorrect. Then each of these participants can efficiently compute
$f(x)$ and recover the secret $S$. Moreover, the incorrect shares can be identified.

Proof: The polynomial $f(x)$, used to compute the shares, is of degree $k - 1$ and has
the additional property that at least $k + t$ of the correct shares lie on it. Could
there be another polynomial, say $g(x)$, with the same properties? The answer is no.
Indeed, since there are only $k + 2t$ shares, any two subsets of at least $k + t$
correct shares must have an intersection of at least $k$ (honest) shares. These $k$
shares lie on $f(x)$ and on $g(x)$. Since both $f(x)$ and $g(x)$ have degree at most
$k - 1$, it follows that $f(x) = g(x)$.

To determine $f(x)$ the participants can try out all possible functions of degree
$k - 1$ through $k$ of the shares until a function passes through $k + t$ of them. Of
course, this is not an efficient way. For an efficient technique, the theory of
error-correcting codes is needed (as in Chapter 11). The shares that are defined above
in fact define codewords $(f(\alpha_1), f(\alpha_2), \ldots, f(\alpha_n))$ in a
so-called shortened Reed-Solomon code with parameters $[n, k, n - k + 1]$. We refer
the reader who is not familiar with this theory to [MacWS77], Chapter 11. Both the
Berlekamp-Massey algorithm and the Euclidean algorithm give efficient ways to decode
this code. In the context of our problem, where $k + 2t$ shares are known, one has to
interpret the other $n - k - 2t$ shares as erasures. If the number of erasures plus
twice the number of errors is less than the minimum distance of a code, one can still
correct these errors and erasures. Here $(n - k - 2t) + 2 \cdot t$ is indeed less than
$n - k + 1$. Efficient algorithms exist (see [Berl68], Section 10.4 and [SugK76]) to
correct these errors and erasures for Reed-Solomon codes.
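The exhaustive recovery described in the proof of Construction 15.2, as an added example that is not taken from the source text: it fits a polynomial through k of the pooled shares until one passes through at least k + t of them, then reports the secret and the incorrect shares. The field GF(257), the primitive element 3, the function names and the seeded generator are assumptions made for this sketch.

```python
import random
from itertools import combinations

Q = 257      # assumed field size q; 257 is prime, so GF(q) is the integers mod q
ALPHA = 3    # a primitive element of GF(257), giving points alpha_i = ALPHA**i

def make_shares(secret, k, n, rng):
    """Construction 15.2: share i is (alpha_i, f(alpha_i)) with f(0) = secret."""
    assert 0 <= secret < Q and n <= Q - 1
    # rng is seeded here for a reproducible run; a real dealer needs a CSPRNG.
    coeffs = [secret] + [rng.randrange(Q) for _ in range(k - 1)]
    xs = [pow(ALPHA, i, Q) for i in range(1, n + 1)]
    return [(x, sum(c * pow(x, j, Q) for j, c in enumerate(coeffs)) % Q)
            for x in xs]

def interpolate_at(points, x0):
    """Evaluate at x0 the polynomial of degree < len(points) through points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x0 - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def recover(pooled, k, t):
    """Fit a polynomial through k of the pooled shares until one passes
    through at least k + t of them; return (secret, incorrect shares)."""
    if len(pooled) != k + 2 * t:
        raise ValueError("expected exactly k + 2t pooled shares")
    for subset in combinations(pooled, k):
        agree = [(x, y) for x, y in pooled if interpolate_at(subset, x) == y]
        if len(agree) >= k + t:
            liars = [s for s in pooled if s not in agree]
            return interpolate_at(subset, 0), liars
    return None  # no polynomial fits k + t shares: more than t were false

def demo():
    """Constructed run: k = 3, t = 2, so 7 pooled shares, 2 of them falsified."""
    shares = make_shares(123, k=3, n=10, rng=random.Random(1))
    pooled = shares[:7]
    pooled[1] = (pooled[1][0], (pooled[1][1] + 1) % Q)   # liar
    pooled[4] = (pooled[4][0], (pooled[4][1] + 5) % Q)   # liar
    return recover(pooled, k=3, t=2), [pooled[1], pooled[4]]

if __name__ == "__main__":
    print(demo())
```

The search visits up to C(k + 2t, k) subsets, which is the inefficiency the text points out; Reed-Solomon decoding replaces this loop in practice.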
42. Secret sharing schemes. Visual secret sharing schemes.
Construction 15.4. To share a white pixel, the trusted authority gives with equal
probability either to both participants L or to both participants R. To share a black
pixel, the trusted authority gives with equal probability to one participant L and to
the other R. This gives a $(2, 2)$-visual threshold scheme with expansion factor
$m = 2$ and threshold values $a = 1/2$ and $b = 1$. Below we give an example of possible
shares that participants 1 and 2 have for the secret number 3 above.

The reader can verify this by making transparencies of these two shares and
putting them on top of each other.
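Construction 15.4 in code, as an added example that is not part of the source text: it splits a small bitmap into two shares, stacks them, and measures the fraction of black sub-pixels per pixel. The encoding of L and R as sub-pixel pairs, the function names and the 5x3 bitmap of the digit 3 are assumptions constructed for this sketch.

```python
import secrets

L, R = (1, 0), (0, 1)   # assumed encoding of L and R: two sub-pixels, 1 = black

def share_pixel(black):
    """Construction 15.4 for one pixel: returns the pair of sub-pixel patterns."""
    first = secrets.choice((L, R))
    if black:
        return first, (R if first == L else L)   # one gets L, the other R
    return first, first                           # both L or both R

def share_image(image):
    """Split a 0/1 image (1 = black) into two shares with expansion m = 2."""
    share1, share2 = [], []
    for row in image:
        row1, row2 = [], []
        for pixel in row:
            p1, p2 = share_pixel(pixel)
            row1.extend(p1)
            row2.extend(p2)
        share1.append(row1)
        share2.append(row2)
    return share1, share2

def stack(share1, share2):
    """Overlaying transparencies: a sub-pixel is black if either layer is."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]

def darkness(sheet):
    """Fraction of black sub-pixels in each original pixel position."""
    return [[(row[i] + row[i + 1]) / 2 for i in range(0, len(row), 2)]
            for row in sheet]

# Constructed 5x3 bitmap of the digit 3 (1 = black).
THREE = [[1, 1, 1],
         [0, 0, 1],
         [1, 1, 1],
         [0, 0, 1],
         [1, 1, 1]]

if __name__ == "__main__":
    s1, s2 = share_image(THREE)
    for row in stack(s1, s2):
        print("".join("#" if v else "." for v in row))
```

Each share on its own has darkness 1/2 at every pixel, so it carries no information about the image; only the stacked sheet separates white (1/2) from black (1).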
There are many constructions known of $(n, k)$-visual threshold schemes. We shall
describe a general construction for $k = 2$. Each particular implementation of the
construction will lead to its own values for the expansion factor $m$ and the threshold
values $a$ and $b$. It makes use of two $n \times m$ matrices, $M_W$ and $M_B$, that will be
used to distribute shares among the $n$ participants for a white and a black pixel,
respectively. These matrices are further characterized by two values $r$ and $l$ and have
to satisfy the following properties:
VTS1: Matrix $M_W$ consists of n identical copies of row.
VTS2: All row sums in $M_B$ are equal to $r$.
VTS3: Every pair of rows in $M_B$ has inner product $l$.
The numbers $m$, $a$, $b$, $r$, and $l$ will be related. They cannot take on arbitrary values.

43
Authentication and integrity on the other hand are almost always essential. Think,
for instance, of receivers of data files, E-mail messages, fax, etc. Violation of the
confidentiality does (in general) little harm, but significant damage may be done if
somebody else is able to tamper with data files. When studying authentication
schemes one needs to distinguish between the following goals: i) Does one want
unconditional security or just computational security? ii) Do the various parties trust
each other or not? iii) Is there a mutually trusted third party? iv) Are the data files
typically very long or just short? v) Is confidentiality also an issue? vi) Is the system
intended for multiple use or just for single use? The first two distinctions especially
have led to completely different research areas. The main topic of Section 13.3 will
be authentication schemes with unconditional security. This means that even with
unlimited computing power the opponent cannot break the system. These schemes
are usually called authentication codes and a particular subclass of them is called A-codes.
A hash function (or hash code) is a mapping h from * , the set of all sequences of
symbols from an alphabet , to m , where m is some fixed positive integer. So,
each sequence over (of arbitrary length) will be mapped to a sequence over of
length m. In typical applications = {0, 1} and the value of m ranges somewhere
between 64 and 256.

